Thursday, August 24, 2006

I'd forgotten about the ATM playing music 

Diebold's voting machines attract a lot of criticism, but at least their cash machines are secure, right?

In a story from 2004, a Diebold ATM crashed and rebooted into Windows, allowing passersby to play pranks like making it say "What, do you think I'm made of money?" over its speakers.


Diebold voting machines fail in Alaska 

Diebold voting machines in Alaska fail to transmit votes.

"[Division of Elections Director] Brewster said the slowdown has nothing to do with fraud concerns"

Yes, but.

Secure software is harder to write than bug-free software, which you may have noticed is already too difficult for most companies. Reliable software is software that can stand up to accidents, but secure software has to resist deliberate and clever attacks. If software is unreliable, you can assume it's insecure and usually be right.

This incident gives you a new way to approach your local election officials. Alaska had to spend extra money, you see, to hand-count ballots. Your local authorities may have closed their ears to talk about security issues but they may still understand money, especially if it comes out of their budget.


Tuesday, August 22, 2006

Credit card numbers over the phone 

You already knew not to give your credit card number to someone who called you.

Now it's not safe to give your credit card number to somebody you call. Criminals are now tricking phone companies into forwarding calls away from legitimate businesses and to the fraudster's phone number. [via Bruce Schneier's blog].

The closest you can come to protecting yourself is to check your credit card statements and complain quickly if there's anything weird.


Sigh. New bug, Powerpoint files, bad guys using it 

Open a .PPT file prepared by a malicious person, and they can take over your computer.

Until Microsoft fixes Powerpoint and until you install the fix, avoid Powerpoint files from unknown sources and scan others with your antivirus program: it may detect boobytrapped files.

According to one source this problem doesn't affect the Powerpoint Viewer program. If you don't need to edit the file then a great workaround is just not to open it in Powerpoint (which unfortunately is what will happen if you double-click it).


Fine print on the latest security scare 

Microsoft released their usual monthly round of security fixes on August 8th. People quickly noticed that Internet Explorer crashed when they visited certain web sites that use particular modern technologies.

Next, independent security people reported that the bug that causes the crash is the kind of bug that creates a security vulnerability. Once again, you could lose control of your computer just by visiting a web site.

So, the headlines say that if you got the latest security fixes you now have a new vulnerability. Not so fast.

This only affects people who still run Windows 2000 or who run XP with Service Pack 1 (you should be on Service Pack 2) and it only affects people who are ignoring Internet Explorer's security problems and running it anyway. Stop. Just stop. Running Internet Explorer is the computer security equivalent of smoking cigarettes. You can dodge this problem by disabling support for HTTP 1.1 but that won't help with the next bug.


Sunday, August 20, 2006

When someone advertises "encryption" 

I'll let you in on a bit of wisdom from the security world. When someone says their product supports "encryption", they are guilty until proven innocent. It takes a lot of care to use even good ciphers correctly, there are lots of bad ciphers out there, and there are a lot of people who do some trivial rearrangement of protected data and call it "encryption".

You know those small cigar-shaped USB storage devices called "flash drives", "jump drives", "pen drives" and who knows what else? I call them "nerdsticks", but that's beside the point. There's software called U3 that's supposed to make them more useful by making it easier to run programs from them, plus some other benefits. One of these benefits is encrypting your data. Their web site says "these solutions include encrypted files and folders".

I haven't checked this myself, but one person has reported looking at a password-protected U3 drive with some tools that look at the drive directly, no middlemen in between. He found all the data, all completely readable. All the password did was make it harder for Windows to show the drive on the desktop.

If he's right this could still be an honest mistake. Imagine, for example, a feature that got cut at the last minute after the marketing materials got typed up. But it does illustrate that you shouldn't expect advertising that says "encryption" to mean anything.
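The check the reporter describes, reading the raw bytes of the drive rather than going through the vendor's software, is easy to do yourself. The following is an added example, not code from the original post or from U3: it runs two simple tests over a raw image (Shannon entropy per block, and a scan for runs of readable ASCII) and reports which blocks still contain readable data. The image it examines is constructed inline so the example runs stand-alone; on a real drive you would feed it the bytes of the device or an image file of it.

```python
import math
import random
import re
from collections import Counter

BLOCK_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for a
    perfectly uniform one. Properly encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.decode("ascii") for m in pattern.findall(data)]


def classify_block(data: bytes) -> str:
    """Entropy decides the verdict: readable documents score well under 6
    bits/byte, random-looking (encrypted or compressed) data well over 7."""
    h = shannon_entropy(data)
    if h >= 7.0:
        return "high-entropy"
    if h < 6.0:
        return "readable"
    return "unclear"


def assess_image(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block report: offset, entropy, a few sample strings, verdict."""
    report = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        report.append({
            "offset": offset,
            "entropy": round(shannon_entropy(block), 2),
            "strings": printable_strings(block)[:3],
            "verdict": classify_block(block),
        })
    return report


def encryption_claim_holds(image: bytes) -> bool:
    """A vendor's "encrypted" claim fails as soon as any block of the
    raw image is still readable without the password."""
    return all(entry["verdict"] != "readable" for entry in assess_image(image))


def build_sample_image() -> bytes:
    """Constructed sample, not a real drive image: one block holding a
    plainly readable document, followed by one block of random bytes
    standing in for what genuinely encrypted data looks like. A seeded
    PRNG keeps the result reproducible."""
    document = b"Quarterly report - customer list and account notes.\n"
    readable = (document * (BLOCK_SIZE // len(document) + 1))[:BLOCK_SIZE]
    rng = random.Random(20060820)
    scrambled = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return readable + scrambled


if __name__ == "__main__":
    for entry in assess_image(build_sample_image()):
        print(f"offset {entry['offset']:6d}  entropy {entry['entropy']:.2f}  "
              f"{entry['verdict']:13s} {entry['strings'][:1]}")
    print("claim holds:", encryption_claim_holds(build_sample_image()))
```

Read the result the way the post does: readable text in the raw bytes disproves the encryption claim outright, while high entropy only fails to disprove it, since compressed files and badly keyed ciphers look just as random as good ones.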

Crypto programs that are well regarded include TrueCrypt and the battle-hardened veteran PGP.


Friday, August 18, 2006

Wi-Fi security should get easier now 

It's insane the way you have to set up a secure wireless network now. You have to type in long strings without error to tell the devices things they could figure out among themselves, and there's not enough standardization between vendors.

A few companies like Buffalo have put good solutions into their equipment but others haven't followed along, and when's the last time you saw a Buffalo access point on the shelf at Electrode Hut?

The indispensable Glenn Fleishman reports that the trade group that forced every vendor's devices to talk to each other in the first place is working on security (finally).

Keep an eye out (no word on schedule yet) for equipment labeled "WPS", for Wi-fi Protected Setup. It's supposed to be standard across manufacturers. Windows Vista is supposed to support it. It's supposed to have a sane kind of setup where you simply introduce two devices to each other and tell them to communicate securely.


Do you need to fear printers on the network you manage? 

The weird thing about computer security is that everything is a computer these days.

A networked printer has a computer inside, often a full-scale one. If you could hook up a display and a keyboard to it you could use it as a low-end desktop machine. These computers can have security holes, bad guys can reprogram them to attack the rest of your network, and most people don't think about protecting their printers.

There's lots of information about this issue out there by now. I recommend this article about networked printer security.

So should you be afraid? Don't. Take the advice a New Yorker got from her mother: "Be alert, be aware, but never afraid". Just add yet one more chore to your list, to check every now and then whether your printer vendor has some updated software.


Video about browser safety 

(Disclosure: there's a business relationship between me and Watchguard: they bought an article from me once).

You know not to download software from places you don't trust, kind of like you don't eat sandwiches you find in the street. Unfortunately, sometimes a security bug will result in your downloading software without meaning to simply by visiting a bad web site, or a good web site taken over by bad people, or a good web site running ads from bad people.

That's the subject of the Watchguard video about drive-by downloads. It's pretty good, but assumes you know some technical terms. For example, their narrator Corey Nachreiner talks about using a packet sniffer to watch what was going on between the computer he sacrificed and the attacking web site. A "packet sniffer" is just a program that watches and reports what traffic is going over the network.
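To make the "packet sniffer" idea concrete, here is an added example (not code from the Watchguard video or from the original post) of the kind of report an analyst pulls out of captured traffic after a drive-by download: it pairs each HTTP request with its response, then flags any response that delivered an executable, along with the page that pulled it in. The capture is constructed inline with invented hosts and addresses so the example runs offline; a real investigation would feed it the messages a sniffer reassembled from the network.

```python
import re

# Constructed sample capture (invented hosts and addresses): the sacrificed
# machine asks for a news page, the page contains a hidden frame pointing at
# a second site, and that second site hands back a Windows executable.
# Each record is (timestamp, source, destination, application data).
CAPTURE = [
    (1, "10.0.0.5:51000", "203.0.113.10:80",
     b"GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    (2, "203.0.113.10:80", "10.0.0.5:51000",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b"<html><iframe src=\"http://ads.example/load\"></iframe></html>"),
    (3, "10.0.0.5:51001", "203.0.113.20:80",
     b"GET /load HTTP/1.1\r\nHost: ads.example\r\n"
     b"Referer: http://news.example/index.html\r\n\r\n"),
    (4, "203.0.113.20:80", "10.0.0.5:51001",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
     b"MZ\x90\x00\x03\x00\x00\x00"),
]

# Content types that mean "here is a program", whatever the page said it was.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_http(data: bytes):
    """Split one HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body


def pair_exchanges(capture):
    """Match each response to the request that preceded it on the same
    client/server pair, in capture order."""
    pending = {}
    exchanges = []
    for _, src, dst, data in sorted(capture, key=lambda record: record[0]):
        message = parse_http(data)
        if message[0].startswith("HTTP/"):
            request = pending.pop((dst, src), None)
            if request is not None:
                exchanges.append((request, message))
        else:
            pending[(src, dst)] = message
    return exchanges


def find_silent_downloads(capture):
    """Report every response that delivered an executable, with the host it
    came from and the page (Referer) that caused the browser to fetch it."""
    hits = []
    for request, response in pair_exchanges(capture):
        _, resp_headers, body = response
        content_type = resp_headers.get("content-type", "").split(";")[0].strip().lower()
        has_pe_magic = body.startswith(b"MZ")  # Windows executables start with "MZ"
        if not (has_pe_magic or content_type in EXECUTABLE_TYPES):
            continue
        start_line, req_headers, _ = request
        path = start_line.split()[1] if len(start_line.split()) > 1 else "?"
        hits.append({
            "host": req_headers.get("host", ""),
            "path": path,
            "referer": req_headers.get("referer"),
            "content_type": content_type,
            "pe_magic": has_pe_magic,
        })
    return hits


if __name__ == "__main__":
    for hit in find_silent_downloads(CAPTURE):
        print(f"executable from {hit['host']}{hit['path']} "
              f"(type {hit['content_type']}, MZ header: {hit['pe_magic']}) "
              f"pulled in by {hit['referer']}")
```

The Referer line is what ties the download back to the page the victim actually visited, which is how you tell a good site running bad ads apart from a site that is bad all the way through.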

How is it for accuracy? Great. I didn't find a single nitpick about points of fact. That's impressive. I'm a master nitpicker.

How's their advice? Pretty good. They advise using some of Internet Explorer's settings to block common avenues of attack. When they say "white list", they're talking about the "Trusted Sites" zone in IE's security settings. Their advice is what I used to do before realizing that nobody security-conscious can use IE for general web browsing.

The video is part of a service they offer their customers, so of course it also explains how you can use their equipment to block some attacks from nasty web sites.

Worth checking out, especially if you have a learning style that works better with video than with text.

