Tuesday, May 30, 2006

Backups are a kind of security too 

Forbes has an overview of backup options.

They're way too kind to tape. A cheap tape drive will cause you almost as much grief as a bad marriage, and the trustworthy tape drives aren't cost effective unless you're backing up a lot of data.

They should have said more about over-the-Internet offsite backup services. The questions you should ask about those include


Monday, May 29, 2006

Beware email from "patch@microsoft.com" 

There's spam going around that pretends to be from Microsoft and pretends to include a patch for a "WinLogon Service" vulnerability. Don't touch it, it's not from Microsoft and it's evil.

The "From" address in email is as easy to fake as the return address on a physical letter, and that's why Microsoft has decided and promised that it will never send out security patches by email. Some things might be forged; email claiming to carry a security fix from Microsoft is certain to be forged.
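Here is an added example (mine, not from the spam or from Microsoft) of what "the From address proves nothing" looks like when you actually read the headers. Both messages are constructed for the example; the hosts, addresses and the attachment are made up. The rule of thumb it encodes is the one above: a "patch" from microsoft.com, a Return-Path on a different domain, a first mail hop that is not a microsoft.com server, and an executable attachment are each a red flag, and together they are a verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types that execute when double-clicked; a "patch" arriving as one is a red flag.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample modelled on the fake-patch spam described above. Hosts,
# addresses and the attachment are made up; nothing here is a real message.
FORGED_PATCH_MAIL = b"""\
Return-Path: <bounce-1234@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <user@recipient.example>; Tue, 30 May 2006 10:00:00 -0400
From: Microsoft Security <patch@microsoft.com>
To: user@recipient.example
Subject: Critical update for WinLogon Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached patch immediately.
--b1
Content-Type: application/octet-stream; name="WinLogon-patch.exe"
Content-Disposition: attachment; filename="WinLogon-patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign message for comparison.
PLAIN_MAIL = b"""\
Return-Path: <alice@example.org>
Received: from smtp.example.org (smtp.example.org [198.51.100.5])
\tby mx.recipient.example (Postfix) with ESMTP id DEF456
\tfor <user@recipient.example>; Tue, 30 May 2006 11:00:00 -0400
From: Alice <alice@example.org>
To: user@recipient.example
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def originating_host(received_headers):
    """The 'from' host named in the oldest Received header (the last one in the list).
    Only the hops added by your own servers are trustworthy, so this is a heuristic."""
    if not received_headers:
        return ""
    m = re.search(r"from\s+(\S+)", str(received_headers[-1]), re.IGNORECASE)
    return m.group(1).lower() if m else ""

def assess(raw_bytes):
    """Return the red flags found in one raw RFC 2822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    first_hop = originating_host(msg.get_all("Received", []))
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    executables = [a for a in attachments if a.lower().endswith(EXECUTABLE_SUFFIXES)]

    reasons = []
    if from_domain == "microsoft.com":
        reasons.append("claims to be from microsoft.com, which never mails patches")
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if first_hop and from_domain and not first_hop.endswith(from_domain):
        reasons.append(f"first hop {first_hop} is not a {from_domain} server")
    if executables:
        reasons.append("carries executable attachment(s): " + ", ".join(executables))
    verdict = "forged or dangerous" if reasons else "no obvious red flags"
    return {"from_domain": from_domain, "executables": executables,
            "reasons": reasons, "verdict": verdict}

if __name__ == "__main__":
    for label, raw in (("fake patch", FORGED_PATCH_MAIL), ("plain", PLAIN_MAIL)):
        result = assess(raw)
        print(f"{label}: {result['verdict']}")
        for r in result["reasons"]:
            print("  -", r)
```

Note that the From line is the one thing the script does not trust at all; it only uses it to see whether the rest of the message is consistent with it. Received headers added by somebody else's server can be forged too, which is why the first-hop check is a heuristic rather than proof.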


Sunday, May 28, 2006

No honor among thieves, a funny look at the underworld 

Washington Post, via Techdirt:
credit card fraudsters prey on counterfeit goods fraudsters by impersonating spammers

When you get an ad in your email for magic pills, there are two crooks involved. One is the person who sweeps up garbage (literally -- the pills have been analyzed and they're worse than inert) and presses it into pills. The email comes from a specialized spammer who takes a cut of the sales in return for using an army of taken-over computers to send out the spam.

It starts getting funny when the credit card crooks come into the picture. They've taken to stealing credit card numbers and approaching the pill scammers, pretending that their crime of choice is spamming when they're actually out to defraud the scammer. They promise to send out spam, then don't; instead they use the stolen cards to buy the "enhancement" products themselves. So the credit card thieves get a cut of fake sales of fake products which were supposed to defraud a consumer but actually defrauded the credit card company.

Couldn't happen to more deserving people.

What does this mean for you, except as entertainment? A side effect of all this is pill bottles full of compressed garbage showing up in innocent people's physical mailboxes. Check your credit card statement online right away, and if you see unexpected charges call your bank and report fraud.


Saturday, May 27, 2006

Blood donor? Midwest? Check your credit report 

via the Emergent Chaos blog, news of up to 1 million blood donor records stolen from the Red Cross.

Name, phone number, date of birth and social security number. No mention of the medical information being compromised, but it was bad enough: the clerk responsible opened up several credit card accounts with the stolen information.

You may not get notified directly.


Friday, May 26, 2006

Dismayingly vague report of a Symantec vulnerability 

According to an announcement from security firm eEye, some versions of Symantec's antivirus and security products have a "remote vulnerability".

Unfortunately they don't say how it's triggered, whether a firewall would prevent the whole issue, or whether any version other than Symantec Antivirus 10.x and Symantec Client Security 3 is vulnerable.

The good news is that nobody's using this opening to hurt other people's machines. That we know of.

I'm not sure what to recommend. Running without antivirus on a Windows machine is not a good idea for most people. Certainly keep an eye on Symantec's news page, which I think is for the same issue. If you were thinking of switching antivirus products this is as good a time as any, but don't expect too much in the way of security improvements: even the antivirus program I use had a security problem just a year and a half ago.

UPDATE 5/28:

Symantec has released fixes.


Thursday, May 25, 2006

The Consumer Reports folks and others tackle bad software 

Brace yourself for another new term. The new project to study and rate software for whether it harms the computer, steals user data, resists being uninstalled, or generally acts like spyware, adware, or other malware has invented the term "badware". Don't ask why. It seems to mean exactly the same thing as "malware", which is short for "malicious software" and which covers the whole range of viruses, worms, adware, spyware, etc.

This is a really good idea, from people in a position to fight nuisance suits from the scum who peddle spyware. I hope they share information with Ben Edelman and Eric Howes, who have both been researching spyware for a while.

So far their list of rated programs is short. They say they're examining programs carefully, which will slow things down, but there's so much garbage out there that they can add names as fast as they can do examinations.


Monday, May 22, 2006

Voting machines: breathtaking Diebold quote 

Found at security guru Bruce Schneier's blog.

What does it mean for a voting machine to be secure? Well, it has to resist tampering by the people who have access to it, right? You need to resist problems like election workers stealing paper ballots or official talliers monkeying with the tallying.

So what is Diebold's take on the design criteria for the machines that will count our votes?
"For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software," [Diebold spokesman David Bear] said. "I don't believe these evil elections people exist."

This is exactly like designing a bank's cash handling system on the assumption that every teller will always be honest, except that it's stupider and more dangerous.


How common are zombie home PCs? 

I just read a note from someone who's been tracking the Internet addresses of the machines that are sending him spam. There have been 1.5 million different addresses this year, with 30,000 new ones appearing every week.

There must be millions of home PCs that are now "owned" by criminals and not by the people who paid for them.


Sunday, May 21, 2006

Do you run Skype? Important upgrade 

Skype has already fixed a security bug in their VOIP software which allowed unrequested file transfers. I recommend downloading the fixed version promptly.


If someone tries to sell your business RFID tags 

and if you need any security, read this article about stupid RFID implementations so you know what tough questions you should be asking the salesentity.


Saturday, May 20, 2006

Open a Word document, lose control of your computer 

The Basics

Bad guys have discovered a security flaw in Microsoft Word 2003 that nobody else knew about. They are sending out Word documents which, when you open them, install remote control software that allows the bad guys to do all sorts of things. So far no antivirus software knows what to look for to detect this one, and it hides itself once it's in place. Because this is so new, you can install all existing security patches and still be at risk.

The Bad

There are no technical measures you can take to protect yourself, except maybe set up your firewall to block outgoing traffic to localhost.3322.org. That's where the remote control software "phones home" to.

Nontechnical measures are also difficult. Booby-trapped Word documents are hitting people's inboxes attached to mail apparently from people they know, even with appropriate signatures.

It looks like a corporate espionage tool, which makes it more damaging than the everyday malware which "only" steals control of your computer.

The Good

The attack crashes Word 2000 but doesn't take over your computer. All you people who didn't want to upgrade are (everyone thinks) safe from this one.

This attack does not seem to be spreading all over. It looks like targeted espionage so far. If that's right, and if you're not a target (I don't expect small business and home users to be targets), then you're unlikely to be attacked.

The known features of the remote control software don't include sending email. If that gets confirmed it means that this won't embarrass you by turning your computer into a spambot.

What to do

The old advice "Don't open unexpected attachments" works for this threat. That includes unexpected attachments from people you know, attached to plausible-looking email. That's what all the security people will tell you, at least the ones who never got email from their boss ordering them to look at an attached Word document.

UPDATE 5/21:

Similar things have been going on stealthily, targeting government offices around the world. According to anti-virus firm F-Secure, there have been targeted Word attacks since 2005.

UPDATE 5/25:

I suspect this isn't worth the hassle unless we begin seeing widespread attacks, but Microsoft has published detailed instructions for a workaround.


Thursday, May 18, 2006

Do you think spammers are just a nuisance? 

An Israeli firm called Blue Security had interesting spam-fighting techniques, until spammers shut it down with illegal attacks.

The spammers sent floods of data to overload Blue Security's computers. The spammers also caused some collateral damage to bystanders.

Spammers are not pests like telemarketers. Spammers are criminals willing to disable parts of the Internet. If you buy anything from a spammer you are supporting crime and giving spammers the means to threaten everyone's security further.

Don't buy from spammers. Always remember the old saying (hey, it's old by Internet standards): "If it's spam, it's a scam"


Wednesday, May 17, 2006

"Doctor, it hurts when I do this": paid ads in search 

When you search for something on the web you get a list of matches and you also get a list of paid ads from companies that put up money to get listed whenever someone typed in your particular search. If you use Google, those are the ads off to the right.

Sometimes these companies are crooked. Sometimes they're more likely to be crooked than the ones who show up in the unpaid search results. Sometimes they try to put malicious software onto your computer.

Siteadvisor just tested how many advertised websites install malware or are scams. It's kind of interesting that their results varied from one search engine to the next. MSN turns down business from crooked advertisers better than the others: only 3% of their paid search results were toxic. On the other hand, that's a percentage that guarantees you'll run into something dangerous if you're reasonably active on the web.

What's more interesting is the search terms they used to run their tests. The article says
The most dangerous keywords include "free screensavers," "bearshare," "kazaa," "download music" and "free games."

If it hurts when you search for a notorious piece of spyware, well, as the doctor said, "Stop doing that".


National security, personal privacy: NSA analyst speaks 

Opinion piece from a former NSA analyst. Read the whole thing, it's worth your time and is important.

This is a man who proudly supported many NSA missions and who knows how the agency works. He writes about the recently revealed mass surveillance program.

He argues that it hurts security:
I know of at least two [FBI] agents who were pulled from their duties tracking down child abusers to investigate everyone who called the same pizza parlor as a person who received a call from a person who received an overseas call. There are plenty of similar examples.

He reminds us that our government is not giving us the whole story:
So, besides knowing that it's illegal, that it provides useless information, that it takes law enforcement agents away from investigating and preventing crimes actually being committed, and that it erodes civil liberties, we have no clue how bad it really is.

He shares his professional knowledge about the impact of "but we're not listening to the calls" spying:
And so what if the NSA isn't listening to the calls themselves? An intelligence agency doesn’t need to hear your chatter to invade your privacy. By simply tying numbers together -- an intelligence discipline of traffic analysis -- I assure you I can put together a portrait of your life. I'll know your friends, your hobbies, where your children go to school, if you’re having an affair, whether you plan to take a trip, and even when you're awake or asleep. Give me a list of whom you’re calling and I can tell most of the critical things I need to know about you.

Why should you care if you have "nothing to hide"? (If you have nothing to hide, why are they spying on you?).
NSA has more than its share of bitter, vindictive mid- and senior-level bureaucrats. I would not trust my personal information with these people as I have personally seen them use internal information against their enemies.

But we're chasing terrorists, right? Doesn't that make it necessary?
...the enemy numbers in the hundreds at best. NSA is collecting data on hundreds of millions of people who are clearly not the enemy. These numbers speak for themselves.

UPDATE 5/17:

Someone else has worked the numbers. Jonathan David Farley knows about the "data mining" techniques the NSA uses. Those techniques aren't going to keep us safe. They try to see who's called whom in the hope of finding who's connected to terrorism. First, that wastes everyone's time with bogus results: for example one of Osama's brothers invested in a company that George W. Bush ran. Second, it completely misses sleeper cells where the members aren't calling each other.


Fascinating. The Baltimore Sun reports that in 1999 the NSA was working on a project ("ThinThread") that would sift data for relevancy, and protect Americans by auditing for abuse and by encrypting personal data until its release was authorized.

The NSA scrapped it in favor of the current program, which doesn't do the same quality control on the data and which has none of the protections against abuse. In other words, they reduced national security in order to have a system that is open to abuse.
Without ThinThread's data-sifting assets, the warrantless surveillance program was left with a sub-par tool for sniffing out information

How subpar?
The mass collection of relatively unsorted data, combined with system flaws that sources say erroneously flag people as suspect, has produced numerous false leads, draining analyst resources, according to two intelligence officials.


Tuesday, May 16, 2006

Talk about misleading reporting! 

There's a piece of malicious software making the rounds that goes into your file sharing directory and wipes out multimedia files. It also shuts down your security. If you're running antivirus, it turns it off. If you're running antispyware, ditto. If you're running a software firewall like Zonealarm, this Trojan will leave you exposed to the Internet unprotected. Details here for your technical friends.

PC World reports this as a vigilante program guarding PCs against malicious software from file sharing systems.

Drivel. It's not going to protect anything except by an unlikely accident. First, it doesn't delete executable files, the most dangerous kind. It leaves them alone while it deletes multimedia files. It deletes all multimedia files without virus scanning them. And of course, let's use some common sense, vigilantes don't kill police officers and a "vigilante" program doesn't turn off legitimate security software.

It's not even an illegal antipiracy program. It doesn't have a list of files that the copyright holders want to keep off filesharing networks. It deletes everything: open source software, free samples of music and video, and independent works.

A Taste of the Future

Not long ago, Utah Senator Orrin Hatch was trying to make this sort of crime legal, proposing to allow computer breakins to search for and delete materials which (in someone's opinion, anyway) infringed copyright. He hasn't gotten his way yet but this program is his vision made real.


Monday, May 15, 2006

How a bank interferes with security 

A columnist finds scary security deficiencies at his bank.

The first incident was when the bank's call center let him "prove" his identity using only readily available information like his account number. That sort of careless procedure is one of the reasons "identity theft" works.

The second was really scary. The bank did something indistinguishable from what criminals do. They called him, said there was a problem, and asked him for some sensitive information. People like me have been talking ourselves hoarse explaining that criminals send emails and make calls like that to steal personal information, and that legitimate institutions never operate like that. Well, at least the clueful ones don't. Remember: if the other party places the call, you don't know who they are, and if they start asking for secret information you're entitled to consider it a scam. It's the modern version of the "we're-bank-examiners-and-we-need-you-to-make-a-cash-withdrawal" scam from your grandmother's day. If your bank does it on purpose, they deserve to get hung up on.


Are secret prisons a matter of national security? 

Remember the revelation that the CIA was running secret prisons in Eastern Europe? The reporters who broke that story now believe, based on an anonymous source, "phone calls and contacts by reporters for ABC News, along with the New York Times and the Washington Post, are being examined as part of a widespread CIA leak investigation".

Quite a few people are terrified of public oversight. One person in the comments section on that story said
"And any reporter publishing known classified secret information should be shot"

What makes you feel safest?


Sunday, May 14, 2006

"The owls are not what they seem" 

This is just plain funny but it carries some lessons.

An unnamed company had a piece of unwanted software spread through their network and -- you won't guess this -- print out pictures of owls.

In the mother of mixed metaphors, Network World calls this "fishy".

After we get finished with "where's my mouse?" and the Harry Potter jokes, there are some useful lessons from this one.

This was targeted to a single company. That's happening more and more. Virus construction kits are downloadable: stop and think what could happen if one of those were combined with the inside knowledge of a disgruntled employee. Try keeping the employees gruntled.

Printers are no longer big heavy typewriters. They have processors and memory, and network connections. They are networked computers. Networked computers need to be part of your security plans.


"Some guys might come knocking on your door" 

All security systems, cyber or physical, automatic or human, need one thing. It's conspicuously missing in the following incidents.

The TSA has treated an 82-year-old veteran as a potential terrorist. They've done the same to a government employee with the kind of security clearance you can't even mention the name of. Even an airline flight crew member flying as a passenger! Come on, he's being trusted a lot more than the passengers are.

Any large program will foul up spectacularly sometimes. But what happens when you try to fix a problem? What happens when you call them up?

According to the Wired News report on the TSA watch list, this is what happens:
An employee ... advised her to watch what she was saying since the call was recorded and "some guys might come knocking on your door"

Another person caught in the watch list had only praise for the individual employees he dealt with, but still hated being caught in what a lawyer told him was a "Constitution-free zone".

Every security system needs some kind of checks and balances, some way to halt its mistakes before they grow out of control. A criminal justice system without defense lawyers turns into a police state. A door lock that a locksmith can't pick could deny you the use of your house every time you forget your keys. A stupid computer security policy forces everyone to work around it or to quit conducting business.


Saturday, May 13, 2006

Mac users, upgrade, now 

Apple has a security patch that fixes some really serious security problems. Open software update. You need these.


Where to look for malware traces in Windows 

Roger Grimes, the Foundstone guy, put up a table from his upcoming book listing places malware can modify to hide itself or to do damage.

There are more than 180 of them.

Think that through. Suppose you're doing thorough incident response. Suppose you are so good that you can display, read, check, and correct every single one of those places in ten minutes (hah). Then an incident response would take 30 hours.

One feasible approach is to delete the malware's executables, then fix leftover problems such as web search redirection, which can keep going after removal, as you find symptoms of them.

The second approach, which Microsoft now recommends, is the same advice Ripley had in _Aliens_: "I say we take off and nuke the entire site from orbit. It's the only way to be sure." Wipe the hard disk and reinstall from scratch.
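To give a feel for what "checking one of those places" involves, here is an added example of mine (not from Grimes's table or his book) that triages the two best-known autostart locations, the HKLM Run and RunOnce keys, from a .reg export of the kind you get with "File / Export" in regedit. The export is constructed for the example and the paths in it are made up; the assumed value of %windir% is C:\WINDOWS. The heuristics are the ones a responder applies by eye: a program starting from a temp or user-writable folder, a file named like a Windows system binary but living outside system32, and a RunOnce entry whose name starts with "*" (those run even in Safe Mode).

```python
import re

# Constructed .reg export of the two classic per-machine autostart keys.
# Paths and value names are made up for the example; it is not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Documents and Settings\\All Users\\Application Data\\temp\\svchost.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cleanup"="C:\\WINDOWS\\Temp\\~tmp4.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Names Windows itself uses; a copy of one living outside system32 is classic malware behaviour.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe"}
# Directory fragments an ordinary user (and so any malware running as that user) can write to.
WRITABLE_MARKERS = ("\\temp\\", "\\tmp\\", "\\application data\\", "\\appdata\\",
                    "\\local settings\\", "\\users\\public\\", "\\documents and settings\\")
WINDIR = r"C:\WINDOWS"  # assumed value of %windir% for the example

def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def program_path(command):
    """Executable path from a Run-style command line, quoted or unquoted."""
    command = command.strip().replace("%windir%", WINDIR)
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|scr|com|bat|cmd|pif|vbs))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def suspicious_autoruns(reg_text):
    """Return the autostart entries that trip one of the triage heuristics."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        path = program_path(data)
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in low for marker in WRITABLE_MARKERS):
            reasons.append("runs from a user-writable directory")
        if base in SYSTEM_BINARIES and "\\system32\\" not in low:
            reasons.append(f"{base} is a Windows system binary name but is not in system32")
        if key.endswith("\\RunOnce") and name.startswith("*"):
            reasons.append("RunOnce name starts with '*', so it runs even in Safe Mode")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("   ", r)
```

That is two of the 180-plus places, with the easy heuristics only; the point of the arithmetic above is that you'd have to do something like this for each of the others, and the hard ones (file system drivers, browser helper objects, Winsock providers) take a lot longer than a regex.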


Friday, May 12, 2006

How real are the voting machine issues anyway? 

Is all the talk just a bunch of what-ifs and sensationalism? Are the machines working OK in spite of what a few loud people are claiming?


The worst problem in my opinion was in Fairfax County, Virginia. Under test, the machines turned out to be subtracting a vote for one of the candidates every hundred votes or so. It was a close race, too. That's the kind of problem that could go undetected and swing an election.

Worse, how is anyone who's not a specialist with too much free time going to be able to tell whether a voting machine failure is a bug or a deliberate attempt to steal an election? ("Remember, make it look like an accident"). Programmers have contests to see who can write the best program that looks OK but does something malicious. And the voting machine vendors aren't even letting people see the programming that counts those people's votes.
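To make the Fairfax County problem concrete, here is an added example of mine, not any vendor's code and not a reconstruction of the actual defect, of a tally routine that silently drops every hundredth vote for one candidate, next to the "logic and accuracy" test that election officials run by feeding a deck of ballots with known contents through the machine. The candidate names and ballot counts are constructed for the example. It shows the two things that matter: a skim this small flips a close race, and a test deck only catches it if the deck is big enough to trigger it.

```python
CANDIDATES = ("Alpha", "Beta")

def make_ballots(n_alpha, n_beta):
    """Constructed deterministic ballot stream; order does not affect the counts."""
    return ["Alpha"] * n_alpha + ["Beta"] * n_beta

def honest_tally(ballots):
    counts = dict.fromkeys(CANDIDATES, 0)
    for b in ballots:
        counts[b] += 1
    return counts

def skimming_tally(ballots, victim="Alpha", every=100):
    """Constructed stand-in for a Fairfax-style defect: every `every`-th vote
    for `victim` is silently not counted. Illustration only, not any vendor's code."""
    counts = dict.fromkeys(CANDIDATES, 0)
    seen_for_victim = 0
    for b in ballots:
        if b == victim:
            seen_for_victim += 1
            if seen_for_victim % every == 0:
                continue  # this ballot vanishes
        counts[b] += 1
    return counts

def winner(counts):
    return max(CANDIDATES, key=counts.get)

def logic_and_accuracy_test(tally, deck):
    """Run a test deck with known contents through `tally` and report the
    per-candidate difference from the true count (all zeros means it passes)."""
    expected = honest_tally(deck)
    actual = tally(deck)
    return {c: actual[c] - expected[c] for c in CANDIDATES}

def deck_catches_defect(tally, deck):
    return any(d != 0 for d in logic_and_accuracy_test(tally, deck).values())

if __name__ == "__main__":
    small = make_ballots(40, 40)      # 80-ballot test deck: never reaches the 100th Alpha vote
    large = make_ballots(600, 600)    # 1200-ballot test deck: drops 6 Alpha votes
    print("80-ballot deck catches it:", deck_catches_defect(skimming_tally, small))
    print("1200-ballot deck catches it:", deck_catches_defect(skimming_tally, large),
          logic_and_accuracy_test(skimming_tally, large))
    election = make_ballots(5030, 4990)   # a close race: Alpha wins by 40 honest votes
    print("true winner:", winner(honest_tally(election)), honest_tally(election))
    print("reported winner:", winner(skimming_tally(election)), skimming_tally(election))
```

Whether the skim is a bug or a deliberate "make it look like an accident" is invisible from the outside either way; the only things that expose it are test decks large enough to trigger it and a paper record to recount against.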


Thursday, May 11, 2006

Windows users, you want to upgrade today 

If you're not getting updates automatically, click Start/Windows Update and follow directions. One of the security problems that this month's patches will fix is one that allows someone to take over your computer, due to a bug in the Flash player. The Flash player is the software that displays those maddening animated ads on web pages. Firefox users could also install the FlashBlock extension, but really you want the permanent fix from Microsoft.


Wednesday, May 10, 2006

Guess what? MORE voting machine problems! 

Is anyone starting to sense a trend here?

Pennsylvania discovered a serious security flaw in their touch-screen voting machines. Diebold says they're the ones who found the problem and notified their customer. Not so, according to one blogger quoting anonymous sources. I don't know enough about him to judge his credibility.

The best you can do is to look up your state legislator's phone number and make a quick call asking what kind of security checking is being done on your state's voting equipment.

UPDATE 5/15:

Here's the Diebold machine security report. There's also an article about How the Pennsylvania Diebold flaw was found, what computer scientists think about it, and how a Utah county clerk who found and investigated some voting machine discrepancies was "asked" to resign and publicly accused of "compromising the integrity" of the election system.


Sunday, May 07, 2006

What Apple is doing wrong on security 

Apple is running TV ads that show a virus-infected PC next to a problem-free Mac user. This is bad.

I don't mean they're jinxing it. The problem is that they're raising their profile and taunting the creators of malicious software. If you're in a biker bar, would you mind your own business, or would you bellow "NOBODY IN THIS JOINT CAN LAY A FINGER ON ME!"?

Here's a post on the Emergent Chaos blog that makes the same point more vividly:
How Apple is asking for it


Great quote about why security is hard 

Top networking engineer Radia Perlman, quoted in Network World:

The things that seem absolutely unsolvable but that we have to solve is the user interface stuff. Everything is so complicated. People tell you to turn off cookies because they are dangerous, but you can't talk to anything on the Web without using them. People build this horribly complicated software, put up all these mysterious pop-up boxes and then blame the users when things don't go right. I keep hearing people say, like with distributed denial of service, that there are all these grandmothers out there who don’t know how to maintain their systems. Don't blame the grandmothers; blame the vendors.


Saturday, May 06, 2006

There are always two ways of looking at something 

Adware gets onto your computer because some scumbag gets money for it. An alleged scumbag just got arrested for breaking in to many computers to install adware. He's supposed to have collected $100,000 in commissions.

Whether that guy's guilty or not, somebody attacked a whole bunch of computers, including some belonging to the Department of Defense and others on the internal network of a hospital. According to the Seattle Post-Intelligencer report about the Northwest Hospital computer breakin, the damage included interference with operating room doors opening and closing, inoperative pagers, and shutdowns of computers in the intensive care unit.

It's perfectly right to look at this as a crime. But there's another question if the press got the events right.

Why in the name of the Flying Spaghetti Monster were systems that important exposed to the Internet?


Friday, May 05, 2006

Great article explaining viruses and antivirus 

Did you know that antivirus companies see hundreds of new viruses every day and can barely keep up?

Do you know where to go for real, technical lab tests of how well antivirus products catch viruses?

Have you ever wondered why there are so many viruses out there and who's writing them?

People have urged me to write about questions like those but it's just been done better, in an article about trends in computer viruses and the antivirus industry by Eugene Kaspersky, head of the respected Kaspersky Lab Virus Research.

It's kinda scary that he lists some serious problems but doesn't mention any solutions.


Thursday, May 04, 2006

Why physical security should fascinate you 

Last year, a bank in London let some crooks come in at night impersonating janitors.

The crooks unplugged the keyboards on the help desk computers and plugged them back in with a device added that records keystrokes (they're cheap and unobtrusive). That let them steal the helpdesk passwords. This included passwords for remote administration of other machines in the bank.

With that power they installed software keyloggers on a carefully selected set of other machines at the bank. This allowed them to steal all passwords typed into those machines. This included the passwords used for funds transfers.

Not just any funds transfers, either, but the international wholesale funds transfer network. When I say "wholesale", that means it handles about USD six trillion every day.

Their planned theft of 220 million pounds would have been utterly lost in the noise. The police stopped them, nobody's saying how. Had they succeeded, the bank would have lost almost half a billion dollars. Maybe they could have made it back by selling a diet book, "How I Lost 220 Million Pounds".

Physical security may seem boring because everything on TV is about network intrusions. If you've got money, enemies, or disgruntled former employees, physical security is very interesting.


The big picture: public policy: whose computer is it? 

One of my favorite security writers and experts is Bruce Schneier, who has a gift for both getting complex issues right and for explaining them clearly. Doing both of those at the same time is not easy.

He's got an important essay about the large trends in the computer industry and how they affect who owns your computer. Some key quotes:
There are all sorts of interests vying for control of your computer. There are media companies that want to control what you can do with the music and videos they sell you. There are companies that use software as a conduit to collect marketing information, deliver advertising or do whatever it is their real owners require.

and even if you're content to have, say, Sony controlling your computer, it's a security risk:
There is an inherent insecurity to technologies that try to own people's computers: They allow individuals other than the computers' legitimate owners to enforce policy on those machines. These systems invite attackers to assume the role of the third party and turn a user's device against him.

With the ultimate risk being:
If left to grow, these external control systems will fundamentally change your relationship with your computer. They will make your computer much less useful by letting corporations limit what you can do with it. They will make your computer much less reliable because you will no longer have control of what is running on your machine, what it does, and how the various software components interact. At the extreme, they will transform your computer into a glorified boob tube.

Read the whole essay. It's informative, readable, and enlightening.


Wednesday, May 03, 2006

Mac users, want to read one more security article? 


There's something in the wild, allegedly. No evidence of widespread attacks or infection.

Today's state of Mac security is kind of like a cloudy day when you're not sure but you think you felt a raindrop. Roll up the windows, put the top back on the car, and proceed normally.


Monday, May 01, 2006

Web site review: browsehappy.com 

browsehappy: list of popular alternative web browsers and how to get them.

Do you prefer testimonials and stories from real people over technical advice and analysis? If you want to skip comparison charts and detailed reviews, browsehappy is the place for you 'cause it doesn't have any. It has the stories of people who've switched to different browsers, then maybe a paragraph of information and download instructions.

All the browsers they list are reputable.


This page is powered by Blogger. Isn't yours?