Friday, September 29, 2006

What are privacy advocates talking about anyway? 

A lot of them would say privacy is about control over, or ownership of, information about you. In the world that privacy advocates want, you could challenge any misinformation about you just as you could challenge an incorrect credit report.

In a way, that's what the centuries-old idea of a criminal trial is about. In an emergency, like after you're arrested, you can force a review of the evidence the prosecutor has against you and get errors thrown out.

Which is what was missing in the case of the innocent man tortured for a year in Syria due to bogus intelligence records. He's an illustration of the point that "civil liberties" are not a privilege but a security measure.


Friday, September 22, 2006

Top 5 causes of data compromises 

The credit card industry's security folks just published their list of top 5 security problems. The ones that apply to home users are


Maryland, where computers never fail 

Maryland's election supervisor says that computers never break.


Repost: upcoming election 

I published this on the 3-year anniversary of 9/11. It's still apropos.

If you're one of my American readers, you too felt the need to do something, anything, to respond to the shock and horror of September 11.

I'd like to offer two ideas, one conventional and one quirky. Both involve some work.

Set aside some time today to dust off your tire gauge and check the air in your tires. When you discover that they're underinflated, head to the gas station and fill them up to the pressure listed on the plate on the driver's side door jamb.

That will add several miles per gallon without replacing your vehicle. The money you don't spend on gas is money that doesn't go to "religious" schools that teach bigotry and hate. It's money that doesn't go to allow sick societies to put off reforms.

When you get home from that, read about the election. You get to choose who will command American power for the next four years. That's a huge responsibility which you cannot exercise wisely by trusting campaign ads, Michael Moore, or Fox News. All of those are trying to manipulate your emotions. Hit the library or the bookstore and get facts for yourself. Read Woodward's book. Compare General Franks's book with Richard Clarke's and make up your own mind about who's right. Research what anti-terrorism experts have to say about how the current Administration is doing.

Does that seem dull? Hitting tire gauges and books while soldiers are taking hostile fire? Both are ways of fighting terrorism, using the American strengths of individual responsibility and democracy. If you wait until you can make a dramatic contribution, like running into a collapsing building to save lives, then it's too late.


Cop grabs gun when man questions Diebold 

This speaks for itself:


Thursday, September 21, 2006

Change the freaking default password 

Almost any gadget you buy today has a computer in it and probably some kind of password control. Even answering machines have remote control modes protected by some numeric sequence.

They all come from the factory with some predefined setting that's the same for all the devices. Be certain, be very certain, that all of those default passwords have been collected and published. There is nothing secret about a password that's been told to thousands of customers.

Here's the latest Horrible Example. One gadget could be reprogrammed by anyone who had the correct password. Most buyers of the gadget never changed the password. The default master password was in the gadget's service manual, which was of course available on the web.

The gadget was a cash machine. A crook reprogrammed it to dispense ten $20 bills if you asked for ten $5 bills. That's the Virginia Beach ATM case.


Wednesday, September 20, 2006

New book about electronic voting 

This is from computer science professor and security researcher Avi Rubin:
I've read so much of Dr. Rubin's work that I'll recommend this book before even reading it.


Would you believe another IE bug? 

This is another where you visit the wrong web site and it takes over your computer.

The good news is that Windows XP Service Pack 2, which is what you should be running anyway, is safe. Microsoft's hard work to make SP2 more secure paid off in that they prevented this bug from happening there.

Microsoft's security update

Details for your technical friends


A second critical bug in Internet Explorer 

Do you know the difference between "negligent" and "reckless"? Ask a lawyer if you need to know for sure, but basically "negligent" is when you don't shovel the snow off your front walk and someone slips and gets hurt. "Reckless" is when you still don't shovel it after the first person got hurt.

By now my opinion is that running the "blue E" is reckless. I'll tell you the same thing if you pay for a security evaluation. The version that will ship with Vista is supposed to be better: let's see how it holds up in the field.

Microsoft suggests workarounds for the new problem, which is yet another where someone can take over your machine if you simply visit their web site.


Monday, September 18, 2006

Tamper-proofing on Diebold voting machines 

The memory card that holds the votes is protected by a lock and key. Open that lock, and you could replace the memory card or inject a virus. Fortunately, you need special tools to bypass the tamper-proofing on a Diebold machine, for example a hotel mini-bar key.

You may have a compatible key on your keyring now. It's the same kind as many filing cabinet locks. That's right, you could open up a voting machine.


"But nobody would want to read my email" 

Spying has become so easy now that it's worthwhile for advertisers to plant spyware on your computer just to get a few cents worth of marketing information.

But wait, there's more. If you're a reporter then someone may be targeting you directly. You don't need medication if you suspect someone's spying on you. The HP boardroom spying scandal turns out to include private investigators following a journalist and trying to plant surveillance software on another's computer.

...the detectives e-mailed a document to a CNET reporter, according to those briefed on the review. The e-mail was embedded with software that was supposed to trace who the document was forwarded to
says the article. I know two ways to do that (*). It's good to protect yourself against both even if you're never a target, because when you protect against those you protect against many other threats. Check your mail program's documentation for how to disable "HTML email" and "Javascript".

(*) One of which also sends back the text of any comments that people add when the email gets forwarded.
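Both tricks depend on the mail reader fetching or running something the sender controls. As an added example, not code from the original post, here is a small Python checker that flags those mechanisms (remote "beacon" images, script, inline event handlers, remote stylesheets) in an HTML message body before it is rendered; the sample message and its tracker URL are constructed for illustration.

```python
"""Flag remote-content tracking tricks in an HTML e-mail body.

Added example, not from the original post. The sample message and the
tracker host in it are constructed, not taken from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collect remote loads and script from an HTML message."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        elif tag == "img":
            src = a.get("src", "")
            parsed = urlparse(src)
            # Only remote images phone home; cid: and data: images do not.
            if parsed.scheme in ("http", "https"):
                tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                # A tiny image, or one whose URL carries an identifier, is the classic beacon.
                kind = "beacon" if (tiny or parsed.query) else "remote-image"
                self.findings.append((kind, src))
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet":
            self.findings.append(("remote-css", a.get("href", "")))
        # Inline event handlers (onload=, onclick=, ...) are script as well.
        for name in a:
            if name.startswith("on"):
                self.findings.append(("inline-handler", f"{tag}@{name}"))
                break


def scan_html_email(body):
    """Return every tracking/script mechanism found in the HTML body."""
    parser = BeaconFinder()
    parser.feed(body)
    parser.close()
    return parser.findings


def is_safe_to_render(body):
    """True when the message loads nothing remote and runs no script."""
    return not scan_html_email(body)


# Constructed sample: a forwarded "document" carrying a beacon and a script.
SAMPLE = """<html><body>
<p>Please see the attached memo.</p>
<img src="http://tracker.example/open.gif?id=rep-42" width="1" height="1">
<script src="http://tracker.example/t.js"></script>
<a href="http://example.com" onclick="report()">link</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html_email(SAMPLE):
        print(f"{kind:15} {detail}")
```

A mail client that refuses remote content and script, which is what disabling "HTML email" and "Javascript" amounts to, gets the same protection without any scanner.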


Sunday, September 17, 2006

How much to worry about latest IE bug 

Your friends who still run Internet Explorer are at risk from a newly disclosed security hole. It's the worst kind, the kind where simply visiting a malicious web site can end with your computer taken over.

This is at the stage of development where someone has found the problem and has published an example program to take advantage of it. The next step will be that bad guys will start using it against you. That hasn't happened yet, apparently, but it will soon.

Your options are to try to avoid sleazy web sites and hope that nobody takes over a legitimate one that you visit until Microsoft releases a fix (second Tuesday of October), or follow the advice of the Department of Homeland Security and use another browser.

UPDATE 9/20:

Antivirus firm F-Secure suggests a workaround. It involves disabling a feature that you've probably never heard of ("VML") and almost certainly don't need.

UPDATE 9/20:

Worry more. There are now malicious web sites using this attack in real life.

UPDATE 9/23:

It's getting worse. Bad guys are now breaking into normal web sites and changing them to include the code that takes over your computer. Apply the workaround, or better yet don't click on the blue E.


Microsoft has released a patch ahead of schedule. Run Windows Update.


Friday, September 15, 2006

How to defeat terrorism 

You may not know the name "Bruce Schneier". He wrote one of the classic textbooks on cryptography, entered a finalist into the national competition for a new cipher, and also knows how to step back and look at the bigger picture of security.

His latest free newsletter talks about how to prevent another 9/11 and how to defeat the aims of the terrorists. He points out that (duh) they mean to create terror, which means
Our politicians help the terrorists every time they use fear as a campaign tactic.
However serious the threat, he says
But our job is to remain steadfast in the face of terror, to refuse to be terrorized.

Read the whole thing. It's worthwhile just for the discussion of what works and what doesn't.

Oh, before I forget, there was a post on a geek forum from someone with chemical warfare training about what could happen if terrorists got chemical weapons.


Thursday, September 14, 2006

"steal votes undetectably" 

"Undetectably" is the scary part.

Princeton researchers analyze Diebold voting machines with demonstration videos.
We found that the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces.
Remember that the machines will be attacked. Crooked elections have been happening for as long as there have been elections. If the machines can be rigged then they will be.

Are the vulnerabilities just theoretical, academic vaporing, nitpicking?
We have constructed a demonstration virus that spreads in this way, installing our demonstration vote-stealing program on every machine it infects.


Wednesday, September 13, 2006

"...there is no way to know for sure. We cannot do recounts." 

Computer Science professor Avi Rubin worked as an election judge in the Maryland primary.

If you're in too much of a hurry to read his whole post, here are some high points:
Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to "help", and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines...After a while, I asked him how long he had been working for Diebold because he didn't seem to know anything about the equipment, and he said, "one day."


...if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it.

I believe that fully electronic systems, such as the precinct we had today, are too fragile. The smallest thing can lead to a disaster.

to the extent that he worried that the election process would completely fail.

Imagine a corrupt election official looking at a fragile system like this and realizing that he could sabotage the opposition's strongest precincts and make it look like an accident.


Tuesday, September 12, 2006

Maryland voting machines and why you should care 

Poll workers found that screens on new electronic poll books froze or shut down as they tried to record arriving voters.
"What's the problem? Machines break all the time. Just swap in a working machine and go", a hardheaded realist might say.

The problem is that reliable systems are easier to build than secure systems. If the vendors can't even get the machines to run, the chances that they'll resist tampering are nil. And in fact, one voter found
When she got to the section of the ballot listing candidates for the Democratic central committee, it was already filled out. Bradley said she had to remove the computer's choices and insert her own.

The other problem is that officials trusted the machines so much that they ran short on paper backups:
"They don't have a printed list" of eligible voters, "they don't have a backup," Wuethrich said. "So when the computer goes down, they can't even look at a list to see who's eligible to vote."


Monday, September 11, 2006

Running Windows 2000 w/ Aug. patches? Avoid compression for now 

If you have compressed folders (you would have had to turn it on explicitly), then you may get files damaged if you create them in the compressed folder after installing one of the August security updates. There's no clear diagnosis yet, but a lot of consistent reports from the field. Confusingly, it doesn't happen to all files, just some of them.

The cleanest way to avoid this is to turn off compression on your folders for now. Some people have uninstalled the patch for security bulletin MS06-049 but I don't recommend that.


Thursday, September 07, 2006

Spyware on your phone? 

A cellular phone is of course just a computer with a radio attached. You may have some sensitive information on it, especially if you're in business.

How many of the problems we have with desktop computers will show up on cell phones?

According to F-Secure, which just happens to sell security software for phones, they're already seeing spyware for cell phones. It sounds like these are way different from the common and easily contracted infections that hit desktops. Apparently these programs have to be installed deliberately by someone with access to the phone. For example, some such programs are sold as a way to catch a cheating spouse.


A clever trick you can't depend on any more 

How do you know you're really at your bank's web site when you type in your banking password? How do you know it's not a fake site set up by a crook to trick you into giving the crook your password?

One idea was always to enter an incorrect password first. Only your bank can tell whether the password is real, so the idea was that if you got an apparently successful login you would know you were on a fake site.

Unfortunately there's nothing to stop crooks from opening their own connection to your bank and sending along your password to see if it works. Even more unfortunately, they're already doing it, according to antivirus firm F-Secure. They found a real-life PayPal impersonation that required a genuine password.


Review of a Firefox security article 

Information Week recommends five things to make Firefox "bulletproof".

They're debatable. They suggest protecting yourself against phishing by installing a helpful toolbar from Netcraft. OK, but last I heard, that toolbar sent some information about what you're doing back to Netcraft. All aboveboard and disclosed, but make sure you're comfortable with that before you install their toolbar.

They point out the Clear Private Data feature which erases some of the records of what you've been doing online. First, that doesn't have much to do with making Firefox "bulletproof", second, it's barely going to slow down an investigator who knows what s/he is doing.

They recommend an optional extension to Firefox called Password Maker to create and manage strong passwords and avoid the problem of memorizing them all. There's more than one extension to do the same job. See my previous overview of Password Maker and others.

Where they are absolutely right is where they recommend that you download and install a Firefox extension called Noscript. Seriously, this one is close to being a must-have. It lets you decide exactly which websites you trust to do potentially dangerous things (specifically "Javascript", a legitimate but infinitely abused way for web sites to control what your browser does). It even lets you give a temporary pass to a web site if you want to. Be alert for loss of functionality: some web sites will mysteriously do nothing on mouse clicks and not tell you why. You may need to enable scripting to get them to work, or you can take your business somewhere else. Only a few sites, for example Gmail, have a legitimate need to require Javascript and none have any excuse for failing to work without telling you why.


Wednesday, September 06, 2006

If it talks to the network, and you can't remember when you last updated it, 

then update it.

Programs that talk to anything as wild as the Internet have security bugs unless they're very simple programs.

This came to mind while reading about security bugs in the impressively solid Opera browser. The interesting thing is that the bugs are gone in version 9. There were also a couple of serious Firefox security bugs, also fixed in the current edition.

Think about updates with any program that touches the public Internet. That means instant messengers, file sharing programs, VOIP programs, just plain anything.


Firefox security: is the fun over? 

The niftiest things you can do with Firefox are supplied by "extensions", little programs that you add in to your Firefox installation and that work with Firefox to do various cool things.

I'd been kind of surprised that the world wasn't full of maliciously written Firefox extensions. Partly that's because the folks who developed Firefox saw the potential problem and made sure you'd have to go out of your way to install extensions from random and potentially evil places. Another part of the reason is probably that there weren't enough Firefox users to be worth a crook's time.

Scary headlines are popping up now about a rogue extension called FormSpy, which forwards things you type (passwords, for example) to machines controlled by crooks. The scary headlines say that it installs silently, without you having a chance to say no. That's a key point: that would make Firefox as dangerous as Internet Explorer. So, is that the real story?

The computer industry press has let us down again. You can't just get FormSpy from visiting the wrong place. For it to install silently, you first have to be infected with another malicious program ("Downloader-AXM") which is designed to sneak things onto your computer without your knowledge. And how do people get hit with "Downloader-AXM"?

By opening an attachment from spam. An executable attachment.

Not much of a news story, is it? But it does give me an excuse to remind you that Firefox extensions are programs, you're trusting them with your security when you install them, and you should only download one if you hear good things about it from people who know what they're talking about. An example of something you do want to download and install is NoScript.


How hard is it to steal an identity? 

You can get an idea by looking at the black market price for information a crook can use to impersonate you. That price will have something to do with supply and demand.

The BBC reports that the going rate per ID is 20 pounds sterling in "West Africa". That's about US$40.

The bad news is that identity theft is clearly cheap and easy. The good news is that it makes no sense for a crook to spend more than $40 to perpetrate it.


The latest in potentially poisonous input 

Details are scarce, but there's some sort of bug in Microsoft Word 2000 which a carefully modified Word document can use to take over your computer.

This is happening in the wild, according to antivirus firm Symantec. Fortunately it doesn't seem to be spreading fast.

Up to date antivirus software may spot this. Get back in the habit of virus-scanning Word documents.

