Wednesday, December 20, 2006

Hard disks are smart these days 

There's a full computer built into drives these days, and a standard set of useful commands that almost nobody takes advantage of. One of those is a command to do a secure erase, one which doesn't leave embarrassing data behind the way a simple deletion or reformat would.

Computerworld points out a free utility program that takes advantage of a disk drive's ability to erase itself. The program, logically enough, is called Secure Erase. It's a little awkward, unfortunately, requiring a DOS boot floppy.
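Before you fire off the drive's built-in erase command, it pays to check that the drive actually supports it and that the BIOS hasn't "frozen" the security feature set at boot, which is the usual reason the command is refused. The Python below is an added example, not code from the Secure Erase utility or from Computerworld; it parses the `Security:` section that Linux's `hdparm -I` prints (the two samples are constructed to look like that output, which varies a little between hdparm versions and drives) and reports whether a secure erase can go ahead.

```python
import re

# Two constructed samples laid out like the "Security:" section of
# `hdparm -I /dev/sdX` on Linux (assumption: real output differs slightly
# between hdparm versions). The first drive was frozen by the BIOS at boot,
# which makes the drive refuse SECURITY ERASE UNIT; the second is ready.
SAMPLE_FROZEN = "\n".join([
    "ATA device, with non-removable media",
    "\tModel Number:       EXAMPLE-DISK-FROZEN",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\t\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. ",
    "Checksum: correct",
])
SAMPLE_READY = SAMPLE_FROZEN.replace("\t\tfrozen", "\tnot\tfrozen")


def parse_security_section(output):
    """Extract the ATA security state from hdparm -I text; None if absent."""
    lines = output.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip().startswith("Security:")]
    if not starts:
        return None
    state = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False,
             "erase_minutes": None, "enhanced_erase_minutes": None}
    for line in lines[starts[0] + 1:]:
        if line and not line[0].isspace():
            break  # an unindented line starts the next top-level section
        text = line.strip()
        if not text:
            continue
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", text)
        if m:
            state["erase_minutes"] = int(m.group(1))
        m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", text)
        if m:
            state["enhanced_erase_minutes"] = int(m.group(1))
        tokens = text.split()
        negated = tokens[0] == "not"
        if negated and len(tokens) < 2:
            continue
        flag = (tokens[1] if negated else tokens[0]).rstrip(":")
        if flag == "supported":
            # "supported" alone is the feature set; "supported: enhanced erase"
            # means the drive also offers the enhanced (overwrite-pattern) mode.
            if "enhanced" in tokens:
                state["enhanced_erase"] = not negated
            else:
                state["supported"] = not negated
        elif flag in ("enabled", "locked", "frozen"):
            state[flag] = not negated
    return state


def secure_erase_ready(state):
    """Decide whether the drive will accept a secure erase right now."""
    if state is None:
        return False, "no Security section: drive does not report the ATA security feature set"
    if not state["supported"]:
        return False, "ATA security feature set not supported"
    if state["frozen"]:
        return False, ("security is frozen (usually by the BIOS at boot); "
                       "unfreeze the drive, e.g. with a suspend/resume cycle, before erasing")
    if state["locked"]:
        return False, "drive is locked; unlock it with its user password first"
    mode = "enhanced" if state["enhanced_erase"] else "normal"
    minutes = state["enhanced_erase_minutes"] if state["enhanced_erase"] else state["erase_minutes"]
    return True, f"ready for {mode} secure erase (drive estimates {minutes} min)"


if __name__ == "__main__":
    for name, sample in (("frozen drive", SAMPLE_FROZEN), ("ready drive", SAMPLE_READY)):
        ok, reason = secure_erase_ready(parse_security_section(sample))
        print(f"{name}: {'GO' if ok else 'STOP'} - {reason}")
```

The "frozen" check is the one people trip over: most BIOSes freeze the security feature set at boot precisely so that malware can't set a drive password or wipe the disk behind your back, so a drive that reports `frozen` will reject the erase command until it is unfrozen.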


There's a security lesson here 

A man climbed an airport fence and walked right onto a jetliner at Raleigh-Durham. He sat down calmly and said he was there to take a flight. Besides everything else, there's a drugs charge against him now.

The lesson is to keep an eye on all of your security and not to get tunnel vision. A camera on the fence would have been more useful than putting everyone's toothpaste into 1-quart ziplocks.

The equivalent in computer security might be installing the latest expensive enterprise antivirus package while letting employees travel with laptops.


Security news can hype problems 

Scare headlines warned of a security problem in Skype, the instant messenger and voice chat product.

Looking at the detailed reports at security companies, though, it turned out the only thing going on was that somebody was sending executable files via Skype. The urge to shout "Duh" is hard to resist. Don't open programs unless you know exactly what they do. The odds of something safe and useful showing up in a chat are fairly low. Nothing to do with Skype.

At first report, the file was named "sp.exe", but this could change instantly.


Tuesday, December 19, 2006

Phishing: some places respond faster than others 

Somebody tried to alert their bank to a scam in progress that was impersonating the bank.

I will be out of the office starting 05/10/2006 and will not return until 17/07/2050.


Monday, December 18, 2006

Monitoring honest people to catch terrorists doesn't work 

It's actively harmful.

A student got his study grant deposited into his bank account and got a notice that his account would be closed for "suspicious" activity. His phone calls weren't answered, his in-person visits got no information, and nobody ever explained what he had supposedly done wrong.

Successful anti-terrorist surveillance starts with known or rationally suspected terrorists and traces their contacts. Mass eavesdropping and data mining will find terrorists only by incredible luck if at all, and will put many more innocent people through experiences like that student's.

We should not be patterning our security measures after Franz Kafka.


Saturday, December 16, 2006

Here's some sound advice 

Ars Technica recommends what they call "skeptical computing" and gives examples. They know what they're talking about, and the article should be readable by someone with middling computer knowledge.


Exactly how dangerous is the web, really? 

That's a tough question to answer because you have to figure out what you mean by "the web". Is it every site out there, or just the ones people visit most? Which people?

Spyware researcher Ben Edelman took 2,500 of the top search terms and ran them through search engines. It's as good a way as any to sample what surfers expose themselves to.

Nerd site Ars Technica reports on Ben Edelman's survey of malware on the web. Cutting straight to the bottom line, 3.1% of the links led to places that one security tool considers dangerous. 8.5% of the ads did.

You're probably wondering if all searches are equally dangerous or if some, maybe porn related, are more likely to take you to a bad neighborhood. The most dangerous search was actually "free screensavers". The next big set was mostly music downloads. If you're curious, here's the list of search keywords that lead to dangerous malware sites.


Thursday, December 14, 2006

A study of real-life passwords 

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

This comes from security guru Bruce Schneier, who goes on to analyze the rest of the passwords, many of which were halfway decent.

I like to fill in the holes in other people's work or point out errors when I cite them. Can't do that here. It's too good an analysis.

In case you were wondering, though, the reason he points out the fraction that consisted of dictionary words plus one number ("cookie2" for example) is that the automated password guessing programs run through every word in the dictionary plus small changes to every word in the dictionary. They check for dictionary words with single numbers at the end. It's only ten times as many things to try. A password like that will fall before the password guessing program has finished its first second of runtime.

Were you wondering where all the passwords came from? They were the 100,000 MySpace passwords captured by someone who put up a fake login dialog. There's a lesson there.

It doesn't matter how good your password is if you type it in to the wrong place.


Tuesday, December 12, 2006

This is an important Microsoft Patchday, not to be missed 

The latest patches fix bugs, bugs serious enough to allow takeover of your computer, in Internet Explorer, Outlook Express, and a few others (but they might not affect a home user).

Install them promptly.

I haven't heard when Microsoft will fix the recently discovered security bugs in Word, but we can all hope they won't wait until next month. Keep an eye out for announcements.


Monday, December 11, 2006

Article about bad passwords has bad advice 

If you have flimsy passwords, you have plenty of company: other people's passwords are easy to guess as well.

Most of the article talks about tactics for creating passwords, but they aren't safe, and the article even explains why:
"These days hackers have massive dictionaries, all English words and common names. They will include popular fictional characters as well," [computer science professor John Black] says. "The programs not only try all these passwords, they try putting a little punctuation around it."

Randomness is your best friend when you make a strong password. If you open the dictionary at random three times and pick a word at random each time, you'll have a decent password, certainly good enough to make a crook try elsewhere. Make up a story to go with your random words. For example, if you picked "inside", "abyss", and "fugacious", you could create a mental picture of being inside an ocean bottom that was running away. A punctuation character or two might fit your surreal story and would make a password guessing program work even harder. If you don't have a dictionary but do have dice, roll the dice and pick corresponding words from the lists at Diceware.

Size does matter. If you're using letters and numbers chosen at random (no, patterns on the keyboard are not random) then you need 9 of them for solid security though 8 might work for less important passwords. Again, you can start with randomness and make up a story to memorize it: "bmR2Xeka" you could turn into a sentence whose first letters come from the password. It's easier to memorize "be my Rolex. 2 Xeroxes eat kangaroo aortas".


Sunday, December 10, 2006

Passwords: longer, or more complicated? 

Everyone tells you to put funny characters into your password, and a lot of places require it, but how much good does it do?

That question is harder than it sounds. But it's just high school math, and Excel will handle it easily.

As long as the password is randomly generated or otherwise completely unpredictable, a 10-character password drawn from just the lower-case letters beats a 7-character password jumbled with numbers, mixed case letters and punctuation.

Adding two letters to the length generally does as much or more good than making the password look like comic book profanity.

This means you can use a password that is easier on the eyes, easier to memorize, and easier to type on a foreign keyboard as long as you make it at least 9 characters long and include both upper and lower case.

But really, the best compromise between something you can memorize and something that's provably safe is a multiple-word "passphrase" you generate at random from a word list like the one at Diceware. A four-word passphrase is enough for almost all purposes, and a six-word passphrase is not feasible to guess. The cool thing is that you can usually make up a silly, picturesque story to go with the string of random words to help you remember it.
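The three posts above all come down to counting: how many candidates a guessing program has to try before it reaches yours. The Python below is an added example, not something from any of the posts or from Diceware, and it works through the cases they mention: the "word plus one digit" rule from the December 14 post (ten candidates per word), the punctuation-around-a-word trick the professor describes on December 11, the 8- or 9-character random passwords, the 10 lower-case versus 7 anything-goes comparison, and the four- and six-word Diceware passphrases. The dictionary size, the 32-character punctuation set and the guessing rate are constructed assumptions; the model generalises to any rule set or alphabet.

```python
import math

# Constructed assumptions (not figures from the posts): an English dictionary
# of 200,000 words, the standard Diceware list of 7,776 words, and a guessing
# program that tries 10 million candidates per second.
DICTIONARY_WORDS = 200_000
DICEWARE_WORDS = 7_776
GUESSES_PER_SECOND = 10_000_000

# Alphabet sizes for randomly generated character passwords.
LOWER_CASE = 26
MIXED_CASE = 52
MIXED_CASE_DIGITS = 62
PRINTABLE_ASCII = 95

# Mangling rules a dictionary-based guesser applies to every word, and how
# many candidates each rule yields per word. "digit_suffix" is the "cookie2"
# case: ten variants per word. "punct_around" assumes one optional punctuation
# character (32 choices, or none) before and/or after the word.
MANGLING_RULES = {
    "digit_suffix": 10,
    "capitalise_first": 2,
    "punct_around": 33 * 33,
}


def dictionary_space(words=DICTIONARY_WORDS, rules=()):
    """Number of candidates a dictionary attack tries when it applies the named rules."""
    space = words
    for rule in rules:
        space *= MANGLING_RULES[rule]
    return space


def random_space(alphabet_size, length):
    """Number of possible passwords of a given length drawn uniformly from an alphabet."""
    return alphabet_size ** length


def passphrase_space(word_count, list_size=DICEWARE_WORDS):
    """Number of possible passphrases of word_count words picked at random from a list."""
    return list_size ** word_count


def entropy_bits(space):
    """Strength expressed as bits: every extra bit doubles the guessing work."""
    return math.log2(space)


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; on average an attacker needs half."""
    return space / rate


def describe(seconds):
    """Human-readable duration for the comparison table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def compare():
    """Candidate spaces for the cases discussed in the posts, keyed by description."""
    return {
        "dictionary word": dictionary_space(),
        "dictionary word + one digit": dictionary_space(rules=("digit_suffix",)),
        "dictionary word, capitalised, punctuation around":
            dictionary_space(rules=("capitalise_first", "punct_around")),
        "7 random printable characters": random_space(PRINTABLE_ASCII, 7),
        "8 random letters and digits": random_space(MIXED_CASE_DIGITS, 8),
        "9 random letters and digits": random_space(MIXED_CASE_DIGITS, 9),
        "9 random mixed-case letters": random_space(MIXED_CASE, 9),
        "10 random lower-case letters": random_space(LOWER_CASE, 10),
        "4 random Diceware words": passphrase_space(4),
        "6 random Diceware words": passphrase_space(6),
    }


if __name__ == "__main__":
    for label, space in sorted(compare().items(), key=lambda kv: kv[1]):
        secs = seconds_to_exhaust(space)
        print(f"{label:50s} {entropy_bits(space):6.1f} bits  {describe(secs)}")
```

Run it and the table bears out the posts: a word plus a digit falls in a fraction of a second at this guessing rate, ten random lower-case letters (about 47 bits) edge out seven characters from the full keyboard (about 46 bits), and four Diceware words land near 52 bits, in the same league as nine random mixed-case letters. Note that the whole model assumes the password really was picked at random; a keyboard pattern or a favourite word drawn from a 62-character alphabet is still a dictionary entry as far as the guesser is concerned.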


Saturday, December 09, 2006

Verizon will backup your files online 

It could be a really good idea. You get a backup that will survive fire or theft on your premises, presumably stored in a professionally managed data center. Is it a good deal?

Verizon Online Backup costs $40 a month for 50 GB of storage. For three months of that you could buy a friend a disk much bigger than 50GB and back up to your friend's disk over the net.

I like to look for the word "encrypted" in connection with online backup. It's the only way to keep your data from being read. Verizon only says "password protected".

My conversations with Verizon "tech support" have consistently been bizarre and infuriating.

So, good idea, but my advice would be to look elsewhere. Fortunately there are a lot of alternatives for free or almost free online backup.


Tuesday, December 05, 2006

Funny story about why you should clear your computer before you sell it 

A famous blonde European TV show hostess sold a computer with compromising photos and videos still on it.

Fortunately, it wound up in the hands of someone who simply amused himself and bragged about it anonymously. If he'd chosen to sell the material to his country's tabloids...

Read the link if you just have to know what kind of activities she recorded herself doing.


Word documents can take over your computer 

Here's the Microsoft advisory. Basically, until a patch comes out, don't open Word documents unless you have a good reason to think a human wrote them and a virus didn't.

Finding a Word document attached to unexpected email that says "sending this to seek your advice" isn't a good reason.

Antivirus signatures weren't yet out the last time I checked so at the moment there's no defense.

UPDATE 12/8:

Bad guys who want to take advantage of this now have example attack files that they can work from.

That's a key difference between this and another widely reported but less important problem which affects Windows Media Player. Nobody's proven that you even can take over a computer via the Media Player problem, let alone published details about how to do it.

Always look for that point when you read security news. If you see the phrase "sample exploit code", then the problem is more pressing than it would be otherwise. If you see an article that doesn't mention whether there are sample attacks yet, then the article is clueless.

UPDATE 12/11:

Now there's another, separate, Word bug with the same effects. And according to antivirus firm McAfee, criminals are already using infected Word files to steal passwords. This is just going to get worse, and Microsoft won't have a patch ready for tomorrow's monthly patch batch.

UPDATE 12/14:

Would you believe this is getting worse? There's supposedly a third security hole, according to Network World, who already report that the Word security hole is being used in narrowly targeted attacks. Those are harder to detect and block than mass attacks.

UPDATE 1/9/2007:

Microsoft's patches today do not fix these security holes. You are still at risk from boobytrapped Word documents.

UPDATE 1/26/2007:

There's another Word security problem now. That makes four, with no patches available yet.

