Tuesday, October 31, 2006

Rather watch a video about e-voting? 

HBO is about to air "Hacking Democracy", a documentary about electronic voting vulnerabilities, this coming Thursday, November 2. Previews available at the link.


A new way to let bad guys run programs on your computer 

Microsoft says, in their "Ten immutable laws of security", that once you let a bad guy run software on your computer you have given away your computer to the bad guy.

Problem is, there are lots of things floating around that are actually programs but aren't called that.

The example that's biting people now is spyware in plugins required to view online video. They may be called "codecs", or something else. They're supposed to understand compressed video and display it for you. But they are programs and there's nothing to stop them from doing other things, like recording all your keystrokes including your passwords. Antivirus software might help, but of course the bad guys know about antivirus software and may make their wares look innocent and then, once on your system, download the poison from the web and run it.

So the usual advice is only to download codecs from a trustworthy source. Nobody ever explains what a "trustworthy source" is. Geek community word of mouth points to the Combined Community Codec Pack as an example of something that lets you play a wide variety of videos and that's free of malicious software.


Can you shut down a Windows firewall from outside? 

Reports are mixed right now, but it is definitely possible to shut down Internet Connection Sharing by sending it bad data over the network. Some reports are that it takes the firewall down with it. Other reports are that the bad data can bring it down even from outside the firewall.

Buy and install one of those $30 firewall boxes from Circuit City or your office supply store and you won't have to worry about this. If you're already running behind a firewall appliance like that, you can safely ignore the entire story.

Semi-technical details at Network World and a volunteer security organization


Monday, October 30, 2006

What would make a good voting machine? 

Or, what should you look for when your local government selects electronic voting equipment?

Princeton researcher Ed Felten and David Wagner list requirements for a secure voting machine.

Today's voting machines are regular Windows PCs running some voting software. Think about the reliability and security problems on your home machine. Then think about what a crook would do to win a national election.

The high points of their recommendations are:

My analysis? I agree with every word.

Just one thing, though, there's a weird problem with some touch screens where you press the button for one candidate and get a different one. Apparently accidental: the machines need to be reset to know how to line up touches on the screen with what they're displaying.


Sunday, October 29, 2006

Are anti-phishing tools safe? 

Microsoft's Internet Explorer, version 7, and version 2.0 of Firefox, both have features to warn you if you go to a web site that impersonates your financial institution so as to steal passwords.

Which makes us ask, how do they know that you're going to a fake site?

They try to keep a list of web sites being used to impersonate other sites. There's a problem. Phishing sites get shut down pretty quickly. Usually they're up for a few days at the outside. So that list is always changing, changing fast, and it's lamentably big.

So technically, the answer is to keep the list of crooked web sites someplace central, and then have your browser check in at that central place and ask whether the site it's about to visit is on the blacklist.

That's right. All the places you visit, the central site hears about. Do they keep records? If they promise not to, could they change their minds later?

Microsoft has a clear discussion of privacy in IE7's anti-phishing feature. They do some good things. For example, they don't look at the entire string your browser is sending. For example, if you make a Google query then your search is stuck at the end of http://www.google.com after a question mark. If you search for something embarrassing, your browser might ask Microsoft whether "http://www.google.com?q=aardvarks+on+spring+break" is safe. Microsoft promises that they'll only look at the "google.com" part. [Actually it won't even get that far because there will be a list of known good websites stored on your machine, so that one would never go to Microsoft to be checked]. However, Microsoft will hear about it if you go to http://www.aardvarksonspringbreak.com. If that's a real web site, please don't tell me about it, I don't want to know.

Here's what the anti-phishing feature of IE7 looks like.

Firefox 2.0, if you don't do anything to change it, works off a local list of dangerous web sites. That doesn't protect you against new phishing sites that have only just appeared. You can turn on real time checking, which uses some programming donated by Google and checks your destinations against Google's real time list of crooks. Unfortunately, according to one respectable source, Firefox sends the entire browser request to Google. The privacy implications are worse than for the Microsoft product. Not only does it report what web site you were on, it reports which page of the site you were looking at, and any searches you make there.

Unless you lead a very boring life and never research embarrassing medical problems online, I'd suggest turning off the real time anti-phishing features and relying on street smarts instead.
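
The privacy difference between the checking styles described above, as an added illustration (this is not code from IE7, Firefox, Microsoft or Google). The policy names, the local known-good list and the second sample URL are constructed for the example, and the "last two labels" rule for finding the site name is a simplification.

```javascript
// Added illustration of what a central blacklist service would learn under
// three checking policies. Not vendor code; names and data are constructed.

// Constructed stand-in for the list of known-good sites kept on your machine.
const LOCAL_KNOWN_GOOD = new Set(["google.com"]);

// Reduce a hostname to its last two labels ("www.google.com" -> "google.com").
// Simplification: a real browser needs a public-suffix list for names like
// "example.co.uk", and IP-address hosts need separate handling.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Return the string that leaves your machine, or null if nothing is sent.
function disclosedToService(rawUrl, policy) {
  const url = new URL(rawUrl);
  const site = siteOf(url.hostname);
  switch (policy) {
    case "local-list-only": // blacklist shipped to the browser, no lookups
      return null;
    case "site-only":       // ask only about the site, skip known-good ones
      return LOCAL_KNOWN_GOOD.has(site) ? null : site;
    case "full-url":        // ask about the complete request
      return url.href;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Summarise which parts of your browsing the service can see.
function leakReport(rawUrl, policy) {
  const url = new URL(rawUrl);
  const sent = disclosedToService(rawUrl, policy);
  const has = (part) => sent !== null && sent.includes(part);
  return {
    sent,
    revealsSite: sent !== null,
    revealsPage: url.pathname !== "/" && has(url.pathname),
    revealsSearch: url.search !== "" && has(url.search),
  };
}

// Sample URLs: the first two are the post's own examples, the third is constructed.
const SAMPLES = [
  "http://www.google.com?q=aardvarks+on+spring+break",
  "http://www.aardvarksonspringbreak.com",
  "http://clinic.example.org/symptoms/rash?q=itchy",
];

for (const u of SAMPLES) {
  for (const p of ["local-list-only", "site-only", "full-url"]) {
    console.log(p.padEnd(16), JSON.stringify(leakReport(u, p)));
  }
}
```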


Friday, October 27, 2006

If you don't know how to check a voting machine, 

then you can still look at some other clues, like how well the vendor responds to normal bugs.

Diebold voting machines had an unfortunate tendency to freeze up in the middle of voting, leaving voters unsure whether they'd actually put their vote in or not.

That wasn't a security problem, really. It didn't affect the vote count. But it offers a chance to see how responsive Diebold is when a serious bug shows up.

How long would you consider reasonable? A week? A month? Remember that the company has to test to make sure they're not accidentally breaking something else when they make a change to fix the problem. Two months, maybe?

Via SecurityFocus, the story of freezing screens in Diebold voting machines.


Thursday, October 26, 2006

Why would someone want your brokerage account 

Washington Post, via geek message board Technocrat.net:
Stock manipulators use compromised brokerage accounts to ramp up penny stocks.

Those spams you get about stocks that are about to take off? They're from people who already own the stock. It will be so obscure that just a few trades will push up the price, the crooks will sell out at the higher price, and everyone else will be left holding the bag. If they can break into your brokerage account and have it buy the stock without having to sucker you in first, all the easier for them.

The SEC says the problem is getting worse. One way crooks get into your brokerage account is by putting password-stealing programs on public computers. Don't put important passwords into a machine at Kinko's or a cyber cafe.

On your own computer, use antispyware software and the usual rules of good hygiene.


All in one place, the problems with electronic voting 

From Jon Stokes at the respected Ars Technica site:
What if I told you that it would take only one person—one highly motivated, but only moderately skilled bad apple, with either authorized or unauthorized access to the right company's internal computer network—to steal a statewide election?
He goes on:
In all this time, I've yet to find a good way to convey to the non-technical public how well and truly screwed up we presently are, six years after the Florida recount. So now it's time to hit the panic button: In this article, I'm going to show you how to steal an election.

He starts slow, with an overview of what kinds of voting machines are out in the field. Then it gets chilling. He explains all the places crooks could undetectably change election results and links to examples where security researchers have proven the attacks are possible.
The article is readable by anyone, not just security specialists. If you're in a hurry, the single most important sentence is
The only real protection against wholesale election fraud is genuine auditability, and that's a feature that paperless DREs [Direct Recording Equipment, the kind that count your vote as well as help you cast it] lack by design.

One way to look at the problem is to use what you already know. The voting machines are computers. In fact, they're standard PCs running standard Windows software. How reliable and secure do you think they will be?
Here's an even simpler explanation from user truesaer on Slashdot, the nerd message board. All you need to know is that the person sitting at the central counting machine can edit the results.


Tuesday, October 24, 2006

So, what about no-contact credit cards? 

Instead of swiping a magnetic strip through a reader, you simply hold one of these up to a point of sale machine. You may not even have to take it out of your wallet.

Vendors say contactless payment cards are safe. There are two key things they have to get right for safety. One, the card shouldn't talk to anything but a genuine merchant terminal, so bad guys can't start asking it what your credit card number is. Second, once the card is talking to a payment terminal, your credit card number should be scrambled.

They claim to be doing both.

Security researchers from RSA Security (established firm) and others have found that the cards will talk to anybody and disclose your name, full account number, and expiration date.

Readers don't have to be close to the card if someone who knows a little about radio builds the readers. You could have your credit card "read" by someone you can't see.

For once, ignoring the whole problem isn't crazy. There are already so many ways to steal your credit card information that one more hardly matters, there's no evidence the bad guys are using this method yet, and if your credit card info gets stolen the bank eats the loss. You just get a hassle and some lost time. (Don't get a contactless debit card though).

If you're worried enough to protect yourself, but not worried enough to give up your no-contact credit card (?!), you can buy a shielded wallet, but that shielding is harder to get right than you might think. I'd want to see test results.


Is Internet Explorer 7 safe? 

We don't know yet. Microsoft has done a lot of things right but we haven't seen what the people who love to break things will do with it.

Meantime, for a huge chunk of people, it doesn't matter at all. If you're on Windows 2000 or any earlier version, IE7 isn't supported. All such people need to be using Firefox or Opera for web surfing.


Monday, October 23, 2006

Disposing of hard drives with confidential information 

If anyone's motivated enough to pay professionals with lab equipment, burning your hard drive won't get rid of the data.


Good perspective on the Powerpoint risk 

Sometimes, but not always, if you find a way to crash a program you can subtly turn that into a way to take it over.

It's possible to crash Powerpoint. I don't know if you can take it over.

I can't explain the situation any better than Watchguard's risk assessment of the Powerpoint vulnerability.


People are writing down their passwords! 

The folks at Watchguard(*) criticize a recent "survey" about people writing down passwords and offer some advice.

I endorse half their advice.

One recommendation was to make passwords longer instead of making them more complex. The math agrees with them: I was just working through it for some security awareness training materials. You get more bang for your agony if you memorize a few extra characters than if you make the password look like comic strip profanity.

IF you have really random passwords. There's no real improvement in going from a password of "These are not the droids you're looking" to "These are not the droids you're looking for". Password strength comes from being unpredictable, so I have to argue with their example password of "The force is strong with this one". I've seen reports that the bad guys have added all the Star Wars scripts to their lists of passwords to try.
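
The length-versus-complexity math worked through, as an added example that is not from the Watchguard article or the training materials mentioned above. The alphabet sizes (26 lowercase letters, 94 printable symbols) and the one-million-entry phrase list are assumptions chosen for illustration.

```javascript
// Added illustration: strength in bits of random passwords versus listed phrases.
const LOWERCASE = 26; // a-z (assumed alphabet)
const PRINTABLE = 94; // printable ASCII without the space (assumed alphabet)

// Bits of entropy when every character is picked uniformly at random.
function randomPasswordBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Shortest random password over `alphabetSize` symbols that reaches `targetBits`.
// The tiny epsilon keeps floating-point noise from rounding an exact fit up.
function lengthForBits(targetBits, alphabetSize) {
  return Math.ceil(targetBits / Math.log2(alphabetSize) - 1e-9);
}

// A phrase taken from a list the attacker also has is worth only
// log2(list size) bits, no matter how many characters it contains.
function listedPhraseBits(listSize) {
  return Math.log2(listSize);
}

// Compare "make it look like comic strip profanity" with "add a few letters".
function compare(baseLength) {
  const complexBits = randomPasswordBits(baseLength, PRINTABLE);
  const plainLength = lengthForBits(complexBits, LOWERCASE);
  return {
    complexBits,                                  // e.g. 8 random printable chars
    plainLength,                                  // lowercase length that matches it
    extraLetters: plainLength - baseLength,       // the cost in extra characters
    plainBits: randomPasswordBits(plainLength, LOWERCASE),
    moviePhraseBits: listedPhraseBits(1_000_000), // constructed list size
  };
}

console.log(compare(8));
```

For an 8-character password, four extra random lowercase letters buy more than the full symbol set does, while a quote from a one-million-line list is weaker than either.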

Then they proceed to recommend that you have a company policy forbidding people to write down their passwords. You know your employees will anyway. Besides, you need some of the key passwords in a vault for disaster management when the phone lines are down, the people who know the server password can't come in, and you need to shut it down cleanly before the UPS fails.

I've argued before that if you can safeguard the paper (not under the keyboard, please!) and know the worth of the password, then you actually should write down your passwords. It's not the conventional wisdom, but then this is hardly the first time that conventional wisdom failed to hold up to analysis.

(*)Disclosure: they bought an article from me once.


Are your election officials better than Virginia's? 

Princeton researchers put together a video showing security problems with the Diebold machines. Here's a report from Jeremy Epstein in Virginia:
I'm on the Virginia state commission charged with making recommendations around voting systems, and we watched the Princeton video as part of our most recent meeting. The reaction from the election officials was amusing and scary: "if this is so real, why don't you hack a real election instead of this pretend stuff in the lab". Pointing out that it would (most likely) be a felony, and people like Rubin, Felten, and others are trying to help security not go to jail didn't seem to impress them.

Their attitude is supplemented by outright ignorance:
P.S. One of the elected officials on the commission insisted that Felten couldn't possibly have done his demo exploit without source code, because "everyone" knows you can't do an exploit without the source.

That's proven wrong every day, and every time there's a security problem in a Microsoft product.


Web surfing on the road 

Ever wondered how safe it is to plug into a strange network at the hotel or coffee shop?

There's a recent article in the New York Times about web surfing security for road warriors. It has a lot of bad advice.

For one thing, it doesn't matter if you use a credit card number on an untrusted network. It's scrambled before it leaves your computer. The big problem is protecting your email password, since most mail programs use stupid and obsolete login procedures that don't protect your password.

They're right that VPN ("Virtual Private Network") security protects you comprehensively. IF you're using your own machine. Never trust a rental computer. There's already been a case of someone installing spyware on a Kinko's computer that recorded people's passwords. Their suggestion to use a program like Roboform that answers password prompts without using the keyboard is dumb: spyware on the computer you're using could still intercept your passwords.

And don't trust a laptop cable lock unless you bought it from a clued-in locksmith. The ones that can't be picked with a Bic pen may tear out of the laptop when someone pulls hard.


Sunday, October 15, 2006

Email tracking is a business 

If you have an email program that doesn't restrict incoming email to plain text, and if it doesn't have tight security controls, or if you open Office documents from email, then you can reveal more information than you expected.

A couple of companies sell a service where you can tell whether and where a recipient has opened or forwarded your email. The software that makes it happen can lurk in the details of a web-formatted email message, or inside an attached Office document.

Well, I could talk about ways to prevent the tracking, but let's be real. You can't do business without accepting attached Office documents. I don't know any antivirus that will detect the tracking features, which are often just a surprising and creative abuse of some perfectly legitimate feature of Office.

Closest thing to a solution is to block HTML email or at least (for Microsoft users) make sure it's running in the Restricted Sites zone, and then run a product like Zone Alarm that will alert you if Microsoft Word suddenly begins trying to talk to strangers over the network.


Saturday, October 14, 2006

The next wave: attacks on specific targets 

Antivirus software works, to the extent it does work, because viruses spread all over and the antivirus companies can change their software to recognize the new ones.

That wouldn't work if someone wrote a malicious piece of software just for you. If you were the only victim, the antivirus company would never know.

In real life, just that is starting to happen. It's still small. Security firm Messagelabs says that out of the last three million malicious pieces of email they caught, only seven were one-offs aimed at particular organizations. But the number will grow.

Targeted attacks can be especially dangerous because the attacker can make them look more plausible than the average spam. Someone after your secrets in particular could forge email to look like it came from one of your business partners. Such an attacker could choose a subject likely to appeal to you in particular. In the HP boardroom spying scandal, reporters were hit with fake email from the private investigators pretending to be from someone with confidential information to share. The email was of course boobytrapped.

The attacker will be trying to get you to install software that will steal information from your computer. The most dangerous sort records every keystroke you type, including all your passwords. This may or may not involve tricking you. Sometimes the attacker will use a security hole to install nasty software. That's what happened in a clever targeted attack against a major financial institution. It tricked people into visiting a web site that installed a keystroke recorder.

Defend yourself by


Voting machines and fence posts 

For a 100 foot fence, with posts 2 feet apart, how many fence posts do you need?

Most people would say 50. It's actually 51 because of the first fence post in the row. It's easier to see if you think about a 2 foot fence with posts 2 feet apart. Of course you need more than one.

That shows you how easy it is to be off by one when you count things. "Off by one errors" are a really common bug in computer programs, because programmers can make the same mistakes as fence builders.

This also means that if someone wants a computer program to give the wrong answer, they can put in a bug to make it happen that's hard to detect and that looks like an accident.

What can happen if you change the vote count by a single vote in every precinct? Yale University researchers asked that question. Their answer appeared in Communications of the Association for Computing Machinery. Changing a single vote per precinct can swing an election as close as some we've had in real life. In particular, a change of one vote per machine could have changed who became President in 2000.


How the Dutch handled voting machine problems 

The US isn't the only country to have insecure and unreliable electronic voting machines. In the US, elections officials have responded by accusing a critic of "undermining democracy" and by firing employees who found problems.

Head across the Atlantic and see how people who care about democracy handled it. The Dutch government, after a citizen's group reported what the problems were,
Is your jurisdiction doing the same? Ask them why not.


Sunday, October 01, 2006

Firefox security news 

First off, it's a good idea no matter what to run the NoScript extension to Firefox.

There was a recent study about browser security bugs. Firefox has been having a lot of bugs found lately. Firefox hasn't changed that much, the rate of bug discovery has, so it must be that more people are looking.

How much does that affect your security? Not very much, since the average time from discovery of a Firefox security problem to release of a fix is one day. That's not much window of vulnerability. But do be sure to accept updates when Firefox tells you they're available.

Now there's a report that some people at a conference announced that Firefox is "critically flawed" and that they've found a way to take over a machine running Firefox if it visits the wrong Web page. Unfortunately they didn't see fit to describe the problem, report it to anyone who might fix it, or even demonstrate it -- they just showed a video. Could be real, I'll update you if anything comes of it.
UPDATE 10/3:
One of those people is back-pedalling, saying that their announcement was "meant to be humorous". The security world is not amused.

