Monday, July 24, 2006

"If something doesn't change, another 9/11 is very possible."

That's what a Federal air marshal told reporters. He's not alone. He and his colleagues are fed up with nonsense policies that management refuses to change, policies which make it trivially easy for a terrorist to tell which passenger is the air marshal.

Denver's Channel 7 reports

Federal air marshals across the country are telling 7NEWS that airline passengers' safety has been compromised and managers lied to Congress to cover it up.

Have the marshals tried to work within the system?
"We're standing on top of the mountains and we're screaming at the top of our lungs to change these things, and our agency isn't listening," said a federal air marshal.
Their management hasn't even responded to criticism from a Congressional report.

Via the Stupid Security blog, another article from the same people describes what TSA management is doing.

When an air marshal sees someone who might be a terrorist spying on a potential target, the air marshal is supposed to file a Surveillance Detection Report (SDR). These reports go into our national intelligence stream. The SDRs might get someone on a no-fly list or even a list of suspected terrorists. So filling out these reports must be taken really seriously, right?

7News found differently:
...several air marshals object to a July 2004 memo from top management in the Las Vegas office, a memo that reminded air marshals of the SDR requirement.

The body of the memo said, "Each federal air marshal is now expected to generate at least one SDR per month."

How are the marshals responding to the quota?
"To meet this quota, to get their raises, do you think federal air marshals in Las Vegas are making some of this stuff up?" Kovaleski asked.

"I know they are. It's a joke," an air marshal replied.
Do these reports just gather dust?
What kind of impact would it have for a flying individual to be named in an SDR?

"That could have serious impact ... They could be placed on a watch list. They could wind up on databases that identify them as potential terrorists or a threat to an aircraft. It could be very serious," said Don Strange, a former agent in charge of air marshals in Atlanta. He lost his job attempting to change policies inside the agency.


D-Link security vulnerability -- are you affected? 

First, there's the scary headline, that wireless routers from D-Link have a security hole that could allow someone to take them over and do bad things to your network.

It also seems bad that security firm eEye first told D-Link about the problem in February and it's only now been fixed. That's way too slow a response time. (See the link for a list of affected products).

Get past the headlines, though, and it turns out that the problem doesn't apply to strangers coming in over the Internet. It's only a problem if you have someone malicious on your local network. That's easy to have happen on a wireless network, since anyone within range can connect, but it changes the odds.

Are you safe if you've locked down your network so random people can't connect? Nobody's giving enough detail to tell. If you're a coffee shop, you certainly need to worry.

D-Link has updates on their website which you can download and use to reprogram your D-Link device to patch the problem. Good luck finding out where on the website those updates live. I would have given you a link if I'd been able to find them.


Sunday, July 23, 2006

Traceable voting gets some attention 

Protestors in favor of auditable elections show up at a Congressional hearing:


Friday, July 21, 2006

A Windows fan explains WGA (Windows Genuine Advantage) 

The name is confusing enough, the actual workings are murky, the accusations are hard to judge, but Windows advocate Paul Thurrott has a short and readable recap of what WGA does and what it's supposed to do.
UPDATE 8/18/2006:
It turns out that WGA was working exactly the way it's supposed to: Paul Thurrott had, in good faith, bought a copy of Windows from a shop that was pirating them. His apparent problems came from WGA detecting that the copy he'd paid for was actually unauthorized.


Thursday, July 20, 2006

Details matter: how to let the whole world into your building 

You know those ATMs that are behind glass enclosures for security? You have to swipe your ATM card through a reader at the door in order to get to the ATM.

So far so good. What if you are using an ATM that belongs to a different bank than yours? The keycard system makers have an answer for that. If you buy one of their systems, you can set it up so that any magnetic stripe card will work. Then customers of other banks can get in, use the ATM, and the bank collects a service fee.

If you set up that feature without meaning to, then you've got a problem. One hospital did just that, and a team of security testers got into the hospital with a shopper's club card. Once inside they plugged into the network, read passwords off the Post-It(tm) notes on people's monitors, and they could have done a lot more.
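Here is the difference between the two settings in code. This is an added example, not code from the post or from any door-controller vendor: the track layout is the ISO/IEC 7813 Track 2 format, but the bank's issuer identifier (BIN), the card data and the function names are all constructed for the illustration.

```python
"""Card check for an ATM-vestibule door reader.

Added example, not from the post or any vendor. The track layout is the
ISO/IEC 7813 Track 2 format: ';' start sentinel, PAN, '=' separator,
YYMM expiry, three-digit service code, discretionary data, '?' end
sentinel (the trailing LRC is dropped here). The bank's BIN and every
card below are constructed for the example.
"""
import re
from typing import Optional, Set, Tuple

TRACK2 = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Issuer identifiers (first six PAN digits) the door should honour.
# Constructed; a real list comes from the bank and its ATM-network partners.
OWN_BINS: Set[str] = {"400000"}


def parse_track2(raw: str) -> Optional[Tuple[str, str, str]]:
    """Return (pan, expiry, service_code), or None if the swipe is not a
    well-formed Track 2 record."""
    m = TRACK2.match(raw)
    if not m:
        return None
    return m["pan"], m["exp"], m["svc"]


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check on the PAN. It catches mis-reads, not impostors:
    a loyalty card can carry a perfectly Luhn-valid number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def weak_policy(raw: str) -> bool:
    """The 'any magnetic stripe card will work' setting: the door opens for
    anything that parses as Track 2, so a shopper's club card is as good
    as a bank card."""
    return parse_track2(raw) is not None


def strict_policy(raw: str, allowed_bins: Set[str] = OWN_BINS) -> bool:
    """What the bank presumably meant: a well-formed, Luhn-valid PAN whose
    issuer is on the allow-list. Add partner banks' BINs to allowed_bins
    to collect the service fee without opening the door to everyone."""
    parsed = parse_track2(raw)
    if parsed is None:
        return False
    pan, _expiry, _svc = parsed
    return luhn_ok(pan) and pan[:6] in allowed_bins


if __name__ == "__main__":
    # Constructed swipes: own bank, another bank, a loyalty card, a bad read.
    swipes = {
        "own bank": ";4000000000000002=09121010000000?",
        "other bank": ";5100000000000008=09121010000000?",
        "shopper's club": ";1234567890123=99120000000?",
        "unreadable": "garbage",
    }
    for label, raw in swipes.items():
        print(f"{label:15} weak={weak_policy(raw)!s:5} strict={strict_policy(raw)}")
```

The only thing keeping the loyalty card out is the issuer check: a club card carries a perfectly well-formed track, and the Luhn digit is there to catch bad reads, not to authenticate anyone. If you want other banks' customers in, add their BINs to the list; do not fall back to accepting whatever parses.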


Tuesday, July 18, 2006

Yet another warning about USB drives 

Carole Longendyke, a partner in a computer forensics firm and a better salesperson than I am, told the World Conference on Disaster Management that employees downloading confidential information to USB drives are a serious threat.

The flip response is that if you have untrustworthy employees on the inside, nothing you do matters anyway. That's not the answer it used to be. Your employees may think of themselves as employees of the temp firm or of the firm they're interviewing with because they know layoffs are coming.

Ms. Longendyke recommends telling your employees what you expect of them when they handle confidential information. She also recommends starting an investigation at the first sign of trouble. Think twice about that one. Doing those investigations so the result can hold up in court requires that the investigators work carefully and methodically. They are highly skilled people. You'll be paying highly skilled people by the hour to work slowly and carefully. That's not expensive, that's %$#@! expensive.

Lots of places are happy to sell you tools for spying on your employees. Here are some wise comments about that from Bell Canada chief strategist Mike Gurski:
Gurski also said care must be taken to make sure "policies and practices do not intrude on worker privacy."

Employees, he said, should be educated about these policies and a mechanism for them to ask questions and get answers should be created to keep the communication lines open.

Gurski also advised companies to consult with their unions and keep tabs of "best practices" being adopted by other firms in similar industries.

Above all he said the policies should not be used to target low productivity or performance, organizations or "subsets" within the company. "The last thing you want is to develop draconian policies that sap morale."
Exactly right. Wreck morale and you can create just the kind of problem you were trying to avoid.

None of them hit the most important point. Don't be like the man who prompted Frederick the Great to say "In trying to defend everything he defended nothing". Decide what fraction of your corporate information is really confidential. Then limit access to it to people who have a business reason.


They are everywhere 

You thought you had a problem with telemarketers?

State governors have emergency hotlines on their desks to the Department of Homeland Security. It turns out these are ringing continuously. When governors pick up the phone to find out what the national emergency is, they find out that the national emergency is whether they are satisfied with their long distance service.

The numbers for these hotlines are on the Do Not Call list.

(via Techdirt, which got it from BoingBoing)


Is "cyber-terrorism" for real? 

Mostly, the talk about terrorists blacking out whole regions from a computer is hot air. But there are some worrisome vulnerabilities and bits of cluelessness among the operators of equipment control systems.

"These are what you would consider, in the IT world, critical enterprise applications," [security firm CEO] Peterson said. "But the companies don't act like these are critical enterprise applications."

Consultants who have done penetration testing and security audits of real-time process control systems tell grim stories about the lack of security in the systems.

One major problem is that control systems are really hard to update. It's not like your home PC where you can get the latest fixes from Microsoft in a matter of minutes.

Another big problem is that the operators think they're secure because their control systems are so arcane that nobody will know what to do even after they break in. That attitude might have made a little sense long ago. In the age of Google, as soon as an operating manual touches the web anywhere, the whole world can find it.

The operators need to harden their systems, a slow and painful process, but the first and most important thing they need to do is to guarantee nobody can reach them from the Internet.
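"Guarantee nobody can reach them" is a property you can check rather than assume. The following is an added example, not from the article or from any vendor's product: a small linter for a firewall rule base that reports any allow rule letting traffic into the control network from a source that is not one of the approved internal networks. The rule format, subnets, port numbers and the "vendor remote support" hole are constructed for the illustration; port 502 is Modbus/TCP, picked only as a typical control protocol.

```python
"""Firewall-policy check: can anything outside reach the control network?

Added example, not from the article or any vendor. Rules are a constructed
simplification: (action, source CIDR, destination CIDR, destination port,
with port 0 meaning any). Export the real rule base into that shape before
using it. All subnets and rules below are constructed.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str, int]

CONTROL_NET = ipaddress.ip_network("10.50.0.0/16")       # PLCs, RTUs, HMIs (constructed)
ALLOWED_PEERS = [ipaddress.ip_network("10.20.0.0/24")]    # engineering jump hosts (constructed)


def permitted(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Spot check: first-match evaluation with an implicit deny at the end,
    the way most firewalls behave."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (s in ipaddress.ip_network(rsrc)
                and d in ipaddress.ip_network(rdst)
                and rport in (0, port)):
            return action == "allow"
    return False


def exposures(rules: List[Rule],
              control_net=CONTROL_NET,
              peers=ALLOWED_PEERS) -> List[Rule]:
    """Static pass: every allow rule whose destination touches the control
    network must have a source wholly inside an approved peer network.
    Anything else is reported, whether it was meant for 'vendor remote
    support' or is just a stale rule nobody remembers adding."""
    return [
        rule for rule in rules
        if rule[0] == "allow"
        and ipaddress.ip_network(rule[2]).overlaps(control_net)
        and not any(ipaddress.ip_network(rule[1]).subnet_of(p) for p in peers)
    ]


# Constructed rule bases: the hole, and the same policy with the hole closed.
WEAK: List[Rule] = [
    ("allow", "10.20.0.0/24", "10.50.0.0/16", 0),
    ("allow", "0.0.0.0/0", "10.50.0.0/16", 502),   # "vendor remote support": Modbus from anywhere
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]
FIXED: List[Rule] = [
    ("allow", "10.20.0.0/24", "10.50.0.0/16", 0),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "exposures:", exposures(rules))
        # 198.51.100.0/24 is a documentation range standing in for "the Internet"
        print(name, "Internet host reaches PLC on 502:",
              permitted(rules, "198.51.100.10", "10.50.1.7", 502))
```

The static pass is deliberately conservative: it reports an allow rule touching the control network even when an earlier deny would shadow it, because a rule that only stays harmless as long as nobody reorders the list is not much of a guarantee. Use `permitted` for the spot checks that go in the audit report.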


Friday, July 14, 2006

Now Powerpoint documents can (reportedly) carry poison 

The folks at Watchguard mention a reported vulnerability in Powerpoint via which a maliciously built Powerpoint document could take over your system. Supposedly there's already an exploit circulating, which antivirus products should catch by now.


Wednesday, July 12, 2006

Happy Patchday! 

Microsoft's security fixes are available as of today, and they include repairs to some dangerous problems both in Windows and in Office. Update both. The bugs being fixed are the scary kind that allow bad guys to take over your computer completely.

The Office vulnerabilities show up when a bad guy feeds toxic input to an Office app, for example by emailing you a spreadsheet which he's boobytrapped. Something as simple as pasting in a picture could also trigger the bugs.


Tuesday, July 11, 2006

What your company's computer admins are reading 

Columnist Roger Grimes lays out a simple security policy. When you hear something from your IT department that seems unreasonable, it's because they're following the same reasoning that's in the column.

Will his program really provide security? I thought of five ways around it in a few minutes (make that six, now)(seven)(eight, but it's really just a variation on seven).

What his program would provide is strong defense against all kinds of malware, better defense than you'd get from antivirus and antispyware programs.(nine)(ten). To make the malware protection truly solid you'd need to replace Internet Explorer.(eleven)(twelve)

Combine measures like his with other security measures, the sort from the motherhood and apple pie category, and you should have a pretty smooth-running organization. (thirteen, but that's mostly science fiction)


Monday, July 10, 2006

League of Women Voters endorse verifiable voting machines 

For some reason the national organization hasn't acknowledged this yet. Their convention of local and regional organizations passed a resolution calling for voting machines to meet some standards of trustworthiness.

Details in the League of Women Voters post on security guru Bruce Schneier's blog.

The word to remember from the resolution is "SARA": "Secure, Accurate, Recountable, and Accessible". "Accessible" means the disabled can use the system -- this is, in fact, a big advantage of electronic voting machines. "Secure" and "Accurate" you don't need me to explain, but "Recountable" deserves a comment. Suppose a question comes up about whether a voting machine is malfunctioning, buggy, or even tampered with. How do you do a recount? Run the machine again to get the same wrong answer? "Recountable" means there has to be an independent record that you can use to check the machine's answers if there's ever a question. Paper is great for that.


Many a true word is spoken in jest 

A comic strip explains why computer security is so bad:


Saturday, July 08, 2006

Confused about Windows Genuine Advantage? 

About what it is? What it does? About why someone's suing over it?

I found a good explanation of Windows Genuine Advantage by Mark Rasch, a security columnist with a law degree.


Friday, July 07, 2006

You need to update something you've never heard of 

Some of those annoying animated ads, a few online games, and a very few legitimate uses involve a browser plugin usually called Flash (browsers list it as "Shockwave Flash", so you'll see both names) that helps out your browser by interpreting what are called Flash files downloaded from the web. If you're missing the plugin, you see a little box urging you to install it instead of seeing an obnoxious ad.

The Flash player has a disgusting history of security bugs that could let bad guys compromise your computer by putting toxic Flash files on a web site you visit. It just had two more.

Security writer Brian Krebs has a good article about the latest Flash bugs. His article explains how to tell what version you have and where to download the fix.

Or you could just uninstall the [censored] thing altogether. If you keep it, you can save a lot of annoyance and security risk by installing the Flashblock extension to Firefox. I don't know if there's anything comparable for Opera. Flashblock prevents automatic loading and playing of the Flash files. If you really want to see one, you can click on the blank box where it would normally go, and it will start.


Thursday, July 06, 2006

Comments on the FBI case 

You must already have read about how a consultant for the FBI compromised 38,000 FBI passwords.

The technical details are not very interesting. A senior researcher for security firm LURHQ, Joe Stewart, said "It was pretty run-of-the-mill stuff five years ago". Actually, over ten years ago. I know of a high-profile case like this from 1994 and it wasn't a new thing then.

This was possible because of two inexcusable blunders by the FBI:

Make that three inexcusable blunders if the consultant is telling the truth about FBI management encouraging him to do all this so he could bypass bureaucratic obstacles.

One report says he got access to the files of the Witness Protection Program. Fortunately he wasn't malicious. What about the next intruder? How much would organized crime pay for that information?


Wednesday, July 05, 2006

Keno, voting, and untrustworthy software 

Casino owner Manitoba Lotteries Corp. is refusing to pay up to a CN$209,000 winner because they say the win was a "software malfunction".

Of course they shouldn't have had the machine on the floor if they didn't trust the software enough to stand behind it. And of course they trusted the software as long as it reported customers losing.

The implications are fascinating. Don't know about Canada, but in Nevada gambling machines are tested and certified to standards stricter than those used for voting machines (think about that for a while).

If someone can get away with canceling a transaction and blaming it on software because they don't like the result, can the same thing happen with voting machines? Especially since the software in voting machines has been through less inspection?

Nobody in the US seems to care, but in at least two cases a candidate's campaign manager has been allowed to supervise an election. Suppose such a person is running elections in a state with electronic voting machines. Suppose the vote is really close, like Ohio in 2004 or Florida in 2000. Suppose the vote went against that person's candidate. Anyone slimy enough to referee an election while campaigning for one candidate is slimy enough to follow the casino's example and say "The apparent election result was due to a software error, so we'll just record it the opposite way".

Without real machine certification, auditing, and the ability to recount there will be no bulletproof way to stop such a person.


Identity theft, described by a perpetrator 

Identity theft is easy and lucrative.

The prisoner the New York Times interviewed mostly worked over the Internet, tricking AOL users into giving away personal information. He relied heavily on phishing scams.


Tuesday, July 04, 2006

Other kinds of security: bin Laden hunters disbanded 

The CIA unit established under the Clinton administration to track down Osama bin Laden has been abolished.

Happy Independence Day, and remember the people who knew that freedom was more important than safety.


What's a data broker and why should you care? 

Bill collectors, police officers, and sometimes stalkers can buy your bank statements, phone records, and other information from specialty firms that collect private data.

The industry is largely unregulated.

How do they get their data? Executives from 11 such firms got a grilling on that question last week in Congressional committee hearings. In particular, the Congresspeople "asked whether they sold 'personal, non-public information' that had been obtained by lying or impersonating someone."

All eleven of them took the Fifth. Every single one of them.


Monday, July 03, 2006

More problems with Excel

Excel spreadsheets from people you don't know can carry toxic payloads. I've reported this previously but it's getting worse.


Sunday, July 02, 2006

Beware spam about laptop prices 

Antivirus firm Sophos reports that over a third of current malware reports are coming from a single spam campaign with an attached Word document about laptop prices.

Word documents are not always safe. As usual, don't open attachments from people you don't know, especially spammers. You should treat spammers as criminals until proven otherwise.


Saturday, July 01, 2006

The next version of Internet Explorer reviewed 

Microsoft is offering test versions of the next version of Internet Explorer, the web browser you get when you click the blue "E" icon.

Columnist Paul Thurrott has a review of IE7 beta version 3.

Some quotes:
"most users would be better off with a more feature-packed browser like Firefox"
"it's no longer an object of ridicule"

IE7 will have a bucketful of worthwhile security features, including greater ability to restrict web sites from installing and running programs on your computer, and, even better, some improved user interfaces for understanding and managing the security configuration.


Organizational security: keep your ears open 

You've got security problems. Everyone does. The ones you don't know about are the most dangerous. Hire me, and I'll tell you at length just how to set up a reporting program so that you have a fighting chance of finding out about the unknown problems before the bad guys do.

Or you can clap your hands over your ears, shout "LA LA LA, I CAN'T HEAR YOU!!", and treat the person trying to help you by bringing up a problem as an enemy:

