Monday, January 29, 2007

Run a network? Considering NAC? 

Network Access Control promises to keep computers off your network if they might endanger it, for example by being virus-infected or simply out of date on virus protection.

A cautios article about NAC in Network World points out that the technology is still maturing and that you may have an especially hard time making it work in a mixed network.


Sunday, January 28, 2007

How not to make money at home 

Once a crook steals banking passwords and uses them to steal money, the crook has the same problem that drug dealers have -- where do you put the money? And how do you get it to a country where you have an under$standing with law enforcement?

Well, you launder it, for example through a network of random people who won't arouse suspicion if they wire money to Elbonia.

The random people may not even know they're doing something illegal. F-Secure's blog has a sample recruiting email for money launderers which makes it sound like you're getting a cut to work around a legitimate company's banking problems.

If you get email like that treat it like you'd treat email from the nice man in Nigeria who also wants your help with a money transfer.


Saturday, January 27, 2007

Great quote from MIT's network administrator 

This is a guy who keeps one of the biggest and most chaotic networks on the planet running. He understands security.

MIT has been hunting down and eliminating places that store Social Security numbers.

Here's my favorite part of the Network World interview:
The fundamental problem behind all of this is that the SSN can be so easily abused. It’s easy to learn someone’s SSN yet it is viewed as a secret by many institutions so it can be used as an authenticator. This is broken. We need legislation that says anybody who makes decisions based on authentication, which is knowledge of an SSN and a home address, they’re taking the risk in the transaction, not the consumer.


Thursday, January 25, 2007

How secure is your front door? 

It's funny how the news can be informative and still miss the real story.

In case you missed it, there was news coverage last year about low-tech, relatively unskilled lock picking using "bump keys". Basically, anyone with a metal file and a collection of key blanks can waltz through most residential locks.

Quite a few expensive locks are bumping-proof. Your locksmith is likely to recommend the well-engineered and heavily marketed Medeco locks. Ask whether there's anything just as good but cheaper.

Where the news reports missed the real story is that there's no need for a burglar to spend a few seconds picking a lock when they can get in even faster. The place where the deadbolt goes into the doorframe is usually so weak that a single good kick will tear the bolt out of the frame. Before you even investigate new locks, buy and install a reinforced "strike plate". Expect to spend at most $15 for each one, and some time with a chisel and a drill. The single most important thing to look for is long screws, at least three inches and preferably four, which will transfer the force of a kick to the framing lumber around the door. The ones I have on my doors use four screws. Predrill the screw holes.


Wednesday, January 24, 2007

How well does e-voting work in other countries? 

Every now and then there's a story which reports that all-electronic voting has worked fine in India or in Brazil, and that it's just plain weird that the US should have any objections.

via Techdirt, here's a story about massive election fraud in Brazil. When you see "DRE", it stands for "Direct Recording Electronic". Direct recording means that the machine counts the votes as well as collecting them.

Apparently the Brazilian system doesn't keep an independent record of each vote that can be used as a crosscheck.


Monday, January 22, 2007

Advice for police officers 

The DOJ has put together an advisory document for local law enforcement about dealing with computer crimes and evidence on a computer.

How good is it?

It's got errors. It says that the message id in email is useful for investigators. Actually it's one of the first things that gets forged. Their list of instant messaging services mixes up providers, protocols, and client programs.

It's got omissions. There's a real easy way to trace anonymous Hotmail accounts that they don't mention. They leave out the most effective method someone could use to conceal their identity (which means they don't explain the investigative countermeasure). They mention WEP as something to look for in wireless networks, but not WPA.

Speaking as a citizen, it bugs the hell out of me that their list of criminal activities includes "Sharing hate-motivated writings". If you're a police officer, please remember the difference between incitement or conspiracy on the one hand and being a loud-mouthed racist jerk on the other.

Almost all the information is solid, though. They did a great job at the tough job of translating from geekspeak to what an officer would need to know while keeping it reasonably accurate. They give useful, detailed examples. They mention investigative techniques that are not widely known at all. Each chapter has a summary that's a great start for people in a hurry.

They even explain how to read email and Usenet headers. Better yet, there are phone numbers and procedures for coordinating an investigation across national boundaries!

They're really up front about situations where an investigator would need specialized technical assistance and explain what information to collect for the specialized technical assistant.

Read it. It's good.


Sunday, January 21, 2007

Shop at T.J. Maxx? Marshall's? Watch your credit card bil. 

They had a security breach and an unknown number of credit card numbers got exposed. In the worst case it was about 40 million.

I hope the press coverage I'm reading is scrambled like it usually is. According to the International Herald Tribune,
One likely entry point may have been through checkout terminals, which are typically connected to the Internet.
There are so few good reasons for putting a point of sale terminal on the Internet, and so many security risks, that it's hard to imagine anyone doing that.


Saturday, January 20, 2007

Security lessons of the evil overlords 

Supervillains seem to have lousy security. Their worst enemies sneak around their castles undetected and eventually blow up everything the villains have worked for.

This sad state of affairs moved technical people to try to help. Many people around the net contributed to a handbook for evil overlords. Quite a few of the lessons learned apply to non-evil people as well.

It's in the form of a list of things that any budding evil overlord should promise himself never to do. Here are excerpts with a discussion of the security principles behind them.

# My Legions of Terror will have helmets with clear plexiglass visors, not
face-concealing ones.

Here, the fundamental mistake was to use uniforms as a means of
identification and authorization.
One of the oldest scams that intruders like to use is to dress up like a
phone company technician, walk in, and say "I got a call that you've been
having some trouble with the network. Where's the wiring closet?"
Either be able to recognize everybody's face (which is great for a small
organization) or challenge everyone who doesn't have a photo-ID badge.
Get positive identification before you let someone into your server room
who's wearing stormtrooper armor.

# The artifact which is the source of my power will not be kept on the
Mountain of Despair beyond the River of Fire guarded by the Dragons of
Eternity. It will be in my safe-deposit box. The same applies to the object
which is my one weakness.

That must have been one great sales presentation by Mountain of Despair
Secure Storage, Inc. Salesmen are not on your side. Don't shell out huge
amounts of money unless people that you're paying think it's a good idea.

And shiny high tech may not be best.

# One of my advisors will be an average five-year-old child. Any flaws in my
plan that he is able to spot will be corrected before implementation.

This can work. Imagine a five-year-old's questions; "Why?", "What if?", "How
does that work?", and so on. Those questions will cut through technobabble and expose snake oil.

# When I employ people as advisors, I will occasionally listen to their

Something I hear over and over from IT staff is that their bosses don't pay
enough attention when they want budget for tape backups or for upgrades.

# I will keep a special cache of low-tech weapons and train my troops in
their use. That way -- even if the heroes manage to neutralize my power
generator and/or render the standard-issue energy weapons useless -- my
troops will not be overrun by a handful of savages armed with spears and

There's one horror story about a company that invested in shiny electronic
locks everywhere. When the power went out, the doors wouldn't open. All the
operators were locked out of the server room watching the battery backups
run down and all the machines turning off without a chance to save anything.

Also make sure you have a list of phone numbers handy so you can get hold of
people when email goes down.

# I will maintain a realistic assessment of my strengths and weaknesses.
Even though this takes some of the fun out of the job, at least I will never
utter the line "No, this cannot be! I AM INVINCIBLE!!!" (After that, death
is usually instantaneous.)

Similarly, never assume that any one security measure is immune to all

# No matter how well it would perform, I will never construct any sort of
machinery which is completely indestructible except for one small and
virtually inaccessible vulnerable spot.

Attackers will attack at the weakest point, and the first one to find it
will share it with all his friends on the Internet. Concentrate on upgrading
weak points, no matter how boring, instead of trying to decide on the
perfect encryption algorithm.

# I will never build only one of anything important. All important systems
will have redundant control panels and power supplies. For the same reason I
will always carry at least two fully loaded weapons at all times.

Very few places can afford that, but spare batteries and extra backups are a
really good idea.

# I will not fly into a rage and kill a messenger who brings me bad news
just to illustrate how evil I really am. Good messengers are hard to come

This is one of the most important lessons.

You want to hear about security problems, so you can fix them. Too many
companies treat people who report security issues as though they were
criminals. Those companies remain vulnerable.

# I won't require high-ranking female members of my organization to wear a
stainless-steel bustier. Morale is better with a more casual dress-code.
Similarly, outfits made entirely from black leather will be reserved for
formal occasions.

Employee morale matters more to security than most people think. Your sexual harassment policy is a security measure.

# If my trusted lieutenant tells me my Legions of Terror are losing a
battle, I will believe him. After all, he's my trusted lieutenant.

Again, bad news is one of the best services someone can give you. Good news
doesn't improve your security. If you don't trust your people enough to
listen to them, why did you hire them?

# I will only employ bounty hunters who work for money. Those who work for
the pleasure of the hunt tend to do dumb things like even the odds to give
the other guy a sporting chance.

Did you really think that hiring a "reformed hacker" was a good idea?

# I will make sure I have a clear understanding of who is responsible for
what in my organization. For example, if my general screws up I will not
draw my weapon, point it at him, say "And here is the price for failure,"
then suddenly turn and kill some random underling.

Punishing the innocent devastates morale. So does the sight of executives
who never get held accountable. See the comments about morale above.

# I will treat any beast which I control through magic or technology with
respect and kindness. Thus if the control is ever broken, it will not
immediately come after me for revenge.

The beasts you control through paychecks are in a position to do you a lot
of damage if you mistreat them. You can be tough without being abusive.

# My main computers will have their own special operating system that will
be completely incompatible with standard IBM and Macintosh powerbooks.

Well, hmm. That special operating system won't have had as much debugging
and security enhancements as a standard one. It's more cost effective to be

On the other hand, there are advantages to being in the minority. The Opera
web browser works great and few if any people bother attacking it.

# I will hire a team of board-certified architects and surveyors to examine
my castle and inform me of any secret passages and abandoned tunnels that I
might not know about.

When your security consultant says boring things like "inventory" instead of
selling you shiny equipment, pay attention. That older stuff that nobody
knows about will not have had security patches installed. Old equipment is
like abandoned tunnels.

# I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.

Don't cheat on software licenses from a demonic software company.

# My Legions of Terror will be trained in basic marksmanship. Any who cannot learn to hit a man-sized target at 10 meters will be used for target practice.

What sort of training program do you have? Are your employees missing basic

# Before employing any captured artifacts or machinery, I will carefully
read the owner's manual.

Change the password from the factory default while you're at it.

# My five-year-old child advisor will also be asked to decipher any code I
am thinking of using. If he breaks the code in under 30 seconds, it will not
be used. Note: this also applies to passwords.

The password-guessing programs and codebreakers out there are better than
you think. Pick well-tested systems and don't try to invent your own.

# If my advisors ask "Why are you risking everything on such a mad scheme?",
I will not proceed until I have a response that satisfies them.

You appointed them advisors for a reason. They may be wrong, they may be
missing something that only you know (but why didn't you tell them so they
could give you good advice?), but if you have a good reason to overrule them
you should be able to explain it.

# I will design fortress hallways with no alcoves or protruding structural
supports which intruders could use for cover in a firefight.

Ask your local police department about "crime prevention through
environmental design".

# Bulk trash will be disposed of in incinerators, not compactors. And they
will be kept hot, with none of that nonsense about flames going through
accessible tunnels at predictable intervals.

At least get a shredder. Make sure that discarded disks, tapes, and memory cards really are unreadable.

# My security keypad will actually be a fingerprint scanner. Anyone who
watches someone press a sequence of buttons or dusts the pad for
fingerprints then subsequently tries to enter by repeating that sequence
will trigger the alarm system.

You'd be surprised how many ways there are to find the four-digit sequence
on a cipherlock.

# No matter how many shorts we have in the system, my guards will be
instructed to treat every surveillance camera malfunction as a full-scale

Fix the false alarm problem instead.

# When I create a multimedia presentation of my plan designed so that my
five-year-old advisor can easily understand the details, I will not label
the disk "Project Overlord" and leave it lying on top of my desk.

Or on a laptop on the back seat of your car.

# If the hero runs up to my roof, I will not run up after him and struggle
with him in an attempt to push him over the edge. I will also not engage him
at the edge of a cliff. (In the middle of a rope-bridge over a river of
molten lava is not even worth considering.)

If your security situation turns into drama then you've already lost.

# If my weakest troops fail to eliminate a hero, I will send out my best
troops instead of wasting time with progressively stronger ones as he gets
closer and closer to my fortress.

Security measures that are too weak are counterproductive because they're a training system for opponents. Satellite TV providers made this mistake. A generation of people who wanted free TV gradually learned to crack tougher security measures.

# I will not use any plan in which the final step is horribly complicated,
e.g. "Align the 12 Stones of Power on the sacred altar then activate the
medallion at the moment of total eclipse." Instead it will be more along the
lines of "Push the button."

Usability is good security.

# I will make sure that my doomsday device is up to code and properly

And that you have enough fire extinguishers.

# After I captures the hero's superweapon, I will not immediately disband my
legions and relax my guard because I believe whoever holds the weapon is
unstoppable. After all, the hero held the weapon and I took it from him.

Superweapons are not a substitute for a proven system.

# I will not ignore the messenger that stumbles in exhausted and obviously
agitated until my personal grooming or current entertainment is finished. It
might actually be important.

Lines of communication matter.

# I will not turn into a snake. It never helps.

There's no security lesson to that one. I just left it in because it's funny.


Friday, January 19, 2007

Why it's important to protect your home computer 

A Swedish bank lost the equivalent of a million dollars when it reimbursed victims of an online scam.

It was a pretty boring scam. People got email, forged to appear like it came from the bank, urging them to install software. The software was malicious, of course. It recorded all the users's keystrokes, including passwords, and sent them off to the criminals who then logged into people's accounts and cleaned them out.

Do you trust your bank to make you whole after an incident like that?

The two ideas this should reinforce are
o Never install software unless you know where it's from
o If something comes in email, you don't know where it's from.


Thursday, January 18, 2007

Instructions for disabling HTML email 

There are a zillion security reasons for reading email in plain text. Brian Krebs at the Washington Post explains how to disable HTML email in common email programs.


Wednesday, January 17, 2007

How to break into a top security data center 

Someone nicknamed "The Mayor", on the geek forum Slashdot, wrote about working as an authorized user in a secure data center. I don't mean "secure" like a bank vault, I mean like something out of a James Bond movie. Passwords, palm readers, retina scanners, two separate smart cards required for entry, that kind of thing. He didn't mention any sharks with laser beams attached to their foreheads, but it was the kind of place that might have invested in them.

After all that expense and inconvenience, the guards started buzzing him through and letting him skip most of the security measures. Some others had stopped working and nobody had noticed. He was able to get all the way into the data center with no security check except for the guards recognizing him. Would the guards have known if he'd just gotten fired? Probably not. A vindictive fired employee in his position could have done literally millions of dollars of damage and quite possibly caused a major Internet outage.

It was also equally easy to work around the security checks on software changes. He said of one change:
So, basically, if I had wanted, I could have installed a bit of code that would have decrypted all of the credit cards of users of our software and emailed them to a third party. I could not believe it. It's a good thing I have what I consider to be high moral and ethical standards.

Shiny gadgets won't keep you safe. They need to be checked periodically. The guards need to be in the loop for HR events. When someone like me starts to bore you to tears talking about "audits" and "processes" and "periodic reviews", this kind of thing is what we're talking about. It's worth paying attention.


Monday, January 15, 2007

Airport security 

I don't know whether to laugh or cry:
Another airport security story.
A passenger looking for a lost wallet went back onto a plane after it had been cleaned and put behind a closed door. Closed, not locked. Nobody paid any attention to the alarm as she spent several minutes alone on the airplane looking for her wallet.

This was at Newark International. For those who have already forgotten, one of the 9/11 flights took off from Newark.


Friday, January 12, 2007

Be careful out there. Stop using Internet Explorer. 

It's well established that spyware/adware/whatever-you-call-it can popup porn sites and advertising. The adware supplier gets a commission for referring traffic to the sites and/or gets advertising revenue. Security holes in Internet Explorer allow crooked adware suppliers to download their garbage automatically without you doing anything. That's called a "drive-by download".

The popups are often programmed so that if you try to get rid of them you just see more of them.

Maybe you don't mind porn popups, but you sure wouldn't want them showing up if you were in a seventh-grade classroom.

That's what happened to schoolteacher Julie Amero, according to her defense attorney and according to an expert witness. That's right, criminal charges got filed.

If that's not enough to screw up your life by itself, reflect that you might wind up in front of a jury blinded by "Dear God, think of the children!" and an elected judge who is terrified of appearing "soft on crime". I don't know if that's what happened in the Amero case. I don't know if this (anonymous) comment on the newspaper's web site is accurate:
[defense expert witness]Mr. Horner a 40 year computer veteran was not allowed to present all of his company's research and examination of the computer hard drive from the school.

The reason: The prosecutor did not see the presentation before hand. Therefore, the judge did not allow it to be presented.

Yet, the police officer was recalled to counter Mr. Horner's conclusions. But, the defense was not allowed to recall Mr. Horner to counter the police officer's claims.

The amazing thing is that the judge was not fair and balanced. She was on the prosecution's side all the way.

She got convicted. Sentence could be up to 40 years. End of her career no matter how the appeal turns out.

The new version of Internet Explorer, version 7, has a lot of improvements. Until it proves itself, use Firefox or Opera. I have gone so far as to set Zone Alarm to warn me if Internet Explorer gets triggered by another program.

UPDATE 1/13:

This story is getting a lot of attention. Here's a quote from the geek forum Slashdot, from a user nicknamed a_nonamiss:
As someone who regularly uses a computer in front of children as an educational tool, and as an IT professional, this story scares the hell out of me. Although I know how to keep my computer free of spyware, there isn't one person on /. that hasn't been stuck in a random porn loop that they themselves didn't cause. I don't visit bad sites, and I don't open up bad emails, but more than once I have had a porn loop pop up on my PC. Now, after this story, I am seriously faced with the prospect of never using the computer as an educational tool again.

Another Slashdotter, "Bananatree3", points out two related stories:
16-year-old forced into plea bargain after infected computer had child porn images, required to avoid contact with minors
Another man cleared but only after losing custody of his children


Computer forensics experts are pitching in to show the problems with the Amero verdict. Here's a quote from one of them (emphasis added):
“ This was a Windows 98 SE machine with IE 5 and an expired antivirus subscription. It hadn't been update since August, and there was no anti-spyware, no pop-up protection, no firewall and no content filters. Regardless of whatever happened, this machine was a machine that should not have been on the Internet. ”

Alexander Eckelberry, president, Sunbelt Software

That's putting it mildly. Any single one of those eight points, by itself, would almost guarantee a problem. Survival time for a machine like that would be measured in minutes. Being on the Internet with that little protection is like living in a rain forest without a roof.


According to a new Computerworld column by Steve Bass, the Amero defense expert witness found 27 spyware/adware programs that were already in place before Amero had access to the computer. Mr,Bass links to the public comments of defense witness Herbert Horner. Among those:
This was one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof.
The aforementioned situation can happen to anyone without fail and without notice if there is not adequate firewall, antispyware, antiadware and antivirus protection.

UPDATE 2/26:

The local newspaper, the Norwich Bulletin, has published the trial transcript in the Amero case. Look at the sidebar on the right for links to the sections of the 346-page document.


Thursday, January 11, 2007

Do hotel networks track your surfing? 

Software developer Michael Herf was staying at a hotel and noticed that the hotel network was inserting ads and apparently tracking which web pages were viewed.

This could be bad. Imagine that you were on a business trip and someone noticed that you'd looked up a company's financials and then gone to a site about merger and acquisition law.

The answer is to use a VPN (Virtual Private Network) back to your home office.


More on the Acer laptop scandal 

Acer had not responded to requests for comment the last time I checked. So they haven't explained why they sold computers with software installed that allows any web page you visit to completely control the computer.

There is a broader lesson here.

When you buy software or anything that has software in it, how do you know there isn't a stupid or deliberate security hole? Lots of technies advocate using only "free" or "open source" software for which you can examine the source code (the way you get a copy of the blueprints when you pay for a building). Even that's only a partial answer. Even if you know how to read computer programs or can afford someone who does, it's a huge and error-prone effort to audit something as big as today's software packages.

The best a normal person can do for now is to include security in purchasing decisions. Avoid companies which have a record of abusing their customers.


Summarizing an excellent piece about passwords 

From my favorite security writer, Bruce Schneier, comes a detailed discussion of password guessing programs, other threats, and what makes a good password.

Some key points:

There are several suggestions about how to create a password in the article. I still recommend a mathematically random password. Either make up a story based on it so you can memorize it, or write it down and keep it someplace safe like your wallet, a locked cabinet at work, a safe depoit box, in a cave at the Mountains of Eternity guarded by the Dragons of Doom, depending on how secure it needs to be.


Wednesday, January 10, 2007

Two news items that go together 

PayPal passwords get stolen all the time by crooks who set up fake Paypal login screens.

So PayPal, to their credit, is testing a new system to be rolled out to customers later in which a customer can set their account to require both a password and a constantly changing number from a small hardware device in order to log in.

The advantage is that even if someone does steal your password, and even if they record the number from your small hardware device, within 30 seconds the number will no longer be valid and the stolen password alone won't let the crook log in.

Sounds great, right?

Unless the crook uses the stolen password and the perishable number immediately. A computer can do that. For crooks who don't know how to program, there's a ready-made kit to let them set up a fake site that passes requests through to the real site while recording credentials and maybe adding some new transactions.

The arms race between crooks and good guys is fun to watch but what you need to do remains the same: always go to finance sites from your own bookmark.

Secure Computing has an article about the "Universal Phishing Kit".


Review of an article about passwords 

There's mostly good advice in an article by Nick Gibson about choosing good passwords. His advice won't hurt you, and he does a good job explaining what the threats are. It's much better than the usual password article.

Well, of course I have quibbles.

Don't take him literally when he's explaining how weak a four-character PIN is and says "a cracker will need only 5000 attempts [on average] per password, which a computer can run through in a matter of seconds". In "seconds", any computer outside a museum can go through millions of attempts.

He offers the advice of taking the first letters of each word in lyrics of a song or something like that. Ennh. That works until password crackers start browsing sites with song lyrics and adding those to their collection of things to try. It's safer to start with a string of unrelated letters and numbers from a random number generator or a string of unrelated words from Diceware and make up a story to help memorize them.


Deploying wireless? Wait a few months and look for "WPS" 

A lot of people run insecure wireless networks because they've tried to set up security and failed. Equipment today forces humans to do things like copying long numbers that computers could and should do instead.

Glenn Fleishman's blog reports that WPS (Wi-Fi Protected Setup) is going to hit the market in 2007. This system, just ratified by the equipment makers in the Wi-Fi Alliance, offers several straightforward ways for telling multiple pieces of equipment that they'll be part of the same secure network.

A Medal of Cluefulness to them all.


Tuesday, January 09, 2007

One reason security matters 

No matter how obscure you are, your computer might be valuable to a crook. It's kind of like how bank robbers might steal a car to use in their getaway, no matter how everyday or boring it is.

Crooks use computers like yours to send out spam, attack other computers, and worse:
Serry Winkler, a sales representative in Denver, said that she had turned off the network-security software provided by her Internet service provider because it slowed performance to a crawl on her PC, which was running Windows 98. A few months ago four sheriff’s deputies pounded on her apartment door to confiscate the PC, which they said was being used to order goods from Sears with a stolen credit card. The computer, it turned out, had been commandeered by an intruder who was using it remotely.
From a New York Times article about how bad guys use computers they've taken over.


Sunday, January 07, 2007

Got an Acer laptop? You may have a problem. 

This one's so blatant that I keep thinking it must be a mistaken report.

Microsoft years ago created a system to allow web pages to run software on your machine. The software was called "ActiveX controls", and there were standards for classifying them as safe or unsafe, to prevent web pages from doing damage by running unsafe software.

According to a report by Tan Chew Keong, the TravelMate 4150 and Aspire 5600, maybe others for all we know, shipped from Acer with an ActiveX control installed that lets any web page run any software on your computer with any parameters the web page chooses.

That would allow a hostile web site to tell your machine to download hostile programs and run them. After that, it stops being your machine.

There's no convenient way to tell if you're affected, unless you have a place where you can upload HTML for experiments.

Easy protective measures include not running Internet Explorer. Other browsers don't support ActiveX so you can't be affected if you don't run IE. It's possible to disable the rogue ActiveX control, but until I find out what it's supposed to be doing I hesitate to recommend that. It's not a process for a non-technical person to attempt anyway.

Turn off "Active Scripting" in Tools/Options/Security except for sites that really need it and that you think aren't controlled by crooks.

This is just too bizarre to be right: it's like a car maker selling a car with spare keys taped to the outside.

Details for your technical friends:

UPDATE 1/16:

Acer has released a security fix. Download and install it quickly, the bad guys know all about this one and it's drop-dead easy for them to use.


Backups are security too 

The geek forum Slashdot just had a discussion about tape backup software for a small office.

I didn't see anyone make the key point. A small office should think twice or maybe three times before using a tape drive at all. The good ones cost more than a computer, a lot more. The cheap ones are not worth what they cost.

Backup software seems to be the problem child of the industry. The closest anyone came to endorsing any backup software was someone who'd used EMC Networker® backup software. One participant listed Acronis TrueImage as the best in the small business area and then immediately listed half a dozen crippling flaws.

Some computer magazines have endorsed Novastor and Retrospect.


Saturday, January 06, 2007

Another excerpt from security analysis of Hogwarts School of Magic 

This report is copyright in the year MXIV from the founding of Hogwarts. Unauthorized distribution may result in small aches and pains, loss of hair after age 30, acne before age 20, and unwanted weight gain.


Executive summary

Physical security is adequate but needs regular review for protection against Muggles, may be inadequate against dark wizards, and is rated Not Acceptable against internal threats. Protection against Muggles will ultimately fail and Hogwarts must prepare for the failure.


The purpose of physical security measures is to prevent the school from being discovered by the outside world, to allow the school to remain in operation, and to preserve the school's essential form and function.

Section A: Muggles.

Confidentiality is preserved by confusion spells which prevent Muggles who enter the area from seeing the school and by the Unplottable Charm which prevents the school from showing on a map. Muggle artifacts which augment their senses don't work close to Hogwarts. The Ministry of Magic maintains a department which handles any failures of this protection by erasing the memories of the Muggles involved.

These measures were complete and adequate when Hogwarts was founded and for centuries thereafter. They need to be updated to counter the many new capabilities Muggles have developed (for example, for a century now Muggles have been able to fly). The updates will have to be redone and redone as Muggle capabilities grow.

The Ministry of Magic, working with the research faculty at Hogwarts, must develop spells to counter the following Muggle artifacts:

A security system is only as good as its backup measures in case it fails. The Ministry has an effective program to trace the contacts of Muggles who have too much information and to erase their memories. In the days of Hufflepuff, Gryffendore, Ravenclaw, and Slytherin, this worked well because wizards could send warnings to each other faster than Muggles could spread news.

Muggle communications today are so effective that few wizards can understand or believe how effective they are. In a heartbeat, they could send news of Hogwarts to billions around the world. Even if Ministry operatives erased the memories of Muggle reporters, a Muggle invention from around the time of the Tri-Wizard Tournament would allow any Muggle with information to publish it.


Section B: Dark Wizards

Hogwarts has measures in place to limit access to the grounds, including a block on Apparating and the ability to monitor the Floo network. There is no effective control over access by broom or flying car, and the Hogwarts Express seems to be unsupervised.

There is no effective protection against a dark wizard entering the grounds by possessing a student, for example with an enchanted diary.

The castle and grounds have a record of hidden features and back doors. Some have proven dangerous, for example the Chamber of Secrets.


Section C: Internal threats

In one notorious incident, an undergraduate was able to turn part of the castle into a swamp. A full remediation is outside the scope of this engagement, but Hogwarts must immediately implement the recommendations of our report about password security.

Our rating of the current state of security against internal threats is Not Acceptable.


Friday, January 05, 2007

Excerpt from security analysis of Hogwarts School of Magic 

This report is for the exclusive use of Hogwarts and no other party is entitled to rely on it. Violators of any part of the legal boilerplate will be subject to the Various Curses.


Physical security: offices and dormitories

The current password-based access system is inconvenient (blocking legitimate users who have arrived after begining of term), thoroughly insecure, and is being breached almost routinely, placing confidential data at risk up to and including private thoughts of the Headmaster stored in his Pensieve.

The gargoyles which guard the Headmaster's office, and the portraits which control access to the dormitories, do not maintain a list of authorized personnel. Instead they allow anyone who knows the current password to enter.

Passwords are easy for an intruder to obtain. Possible password compromises include, but are not limited to:



Set aside time on January 9 

That's when the Microsoft security patches come out, and Microsoft has announced that they've found and fixed critically important issues. "Critical" is Microsoft's word, not mine.

You need to install these right away. Here's why. As soon as the fixes are out, the bad guys will start looking at them to see what Microsoft changed. Then they have a good chance of finding out exactly what the problem was. Then they can write attacks that work against machines that don't have the fix yet.


Mobile phone viruses: time to worry? 

In 1997, if you had a computer with as much processor speed and memory as a modern smart phone, it would have been a desktop computer and a fairly high end one at that.

The more complicated something is, the more ways there are to attack it. You can protect a desktop computer by unplugging it from the network, but the whole point of a mobile phone is to live on a network.

So how dangerous are things right now?

Not very.

The devastating self-spreading infections we saw on desktop machines haven't happened yet. What's been happening, and only at a really small scale, are so-called viruses that you have to install yourself. You get a message, it has an attachment, the attachment is a file that installs software (.SIS on phones like the Nokia), and well of course bad things can happen. Don't install software unless you have some reason to trust the source.

How bad might things get later?

Awful. People outside the US are already using their mobile phones to pay for things. There's money in breaking mobile phone security, lots of it. Attackers today are motivated by money.

For now, the best thing you can do is watch and wait, and avoid the same things you would avoid on your desktop computer.


Thursday, January 04, 2007

Voting machines and how they're certified 

I complained before that the "certification" labs that test voting machines operate in secret and are paid by the voting machine manufacturers.

It turns out that in one case the lab can't even prove that it did the tests. The New York Times reports that Voting machine tester Ciber Inc. is no longer allowed to certify voting machines after quality control problems turned up.


Internet Explorer's record for 2006 

This isn't the only way to measure security and all the ways are infinitely arguable, but The Security Fix column added up how much time Internet Explorer suffered security bugs which attackers were using but which Microsoft hadn't patched. Those were days when IE users were helpless against attacks that bad guys were actively using.

284 days out of 365. The same number for Firefox was 9, mostly because of faster bug fixes as opposed to fewer bugs.

It's too early to tell how the new version of Internet Explorer will do, but Microsoft has made fundamental changes in many good ways. If you run IE, run IE 7.


What do you do with old memory cards from cameras? 

Just like disks, they may have recoverable data even after you tell your camera to "delete" a photo.

There are some useful tips about how to really get rid of old photos in an article about recovering data from memory cards found on eBay


Wednesday, January 03, 2007

What kind of year will 2007 be in security? 


You know, average. Like in the old joke about the Soviet economic forecast, "It will be an average year, Comissioner. Not as good as last year, but better than next year".

Spam is getting almost impossible to block reliably, there are lots of wicked witches on the web handing out shiny red apples full of poison, and organized crime is fully involved.


This page is powered by Blogger. Isn't yours?