Saturday, March 31, 2007

Can you spot a scam email? 

Test yourself with a phishing quiz, or view a Watchguard video dissection of one phishing email that impersonated US Bank.

I'd actually take a different angle and suggest not even trying to tell whether an email is just a scam to get your banking password. They're getting harder to recognize all the time. Assume the worst. If your bank wants you to do something, go to their site from your own bookmark, or heck, just phone them.

One more thing you can check, above and beyond what's on the video: if you're really on a "secure" connection, which just means one protected against eavesdroppers and with partial verification of who you're talking to, Firefox will turn the address bar yellow. Easier than checking for the difference between "http" and "https". You are using Firefox, right?


Friday, March 30, 2007

Worst-case Windows vulnerability 

Once again, there's a Windows bug that allows bad guys to take over your computer if you just visit the wrong web page or open the wrong email.

The bad guys found the problem first and they're using it right now.

The problem is in the handling of animated cursors, the files that turn your mouse pointer into a moving cartoon. If you supervise programmers, remember this the next time you ask them to put in a low-priority feature. That feature is probably not worth the risk. This one sure wasn't.

You avoid this issue using exactly the same steps I've been recommending all along. Read your email as plain text, not formatted like a web page. Don't use Internet Explorer: Firefox isn't vulnerable to this bug. Minimize the time you spend in sleazy web sites, though even an honest one might have been taken over by an intruder.

Microsoft's security efforts have been paying off. The very latest Internet Explorer version, if it's running under Vista and using a new feature called "protected mode", is also safe.


There's an unofficial patch for the animated cursor problem from security firm eEye. I don't know whether to recommend it. The downside is that the only way to beat Microsoft to the punch on something they care about is to do less testing. On the other hand you may not be able to afford to wait for the Microsoft solution (next Patchday is April 10).

Continue to beware of email: simply previewing a toxic email can infect you if you have HTML email turned on.


Microsoft is supposed to release a patch tomorrow, Tuesday, a week before the regularly scheduled Patchday. Run Windows Update if you don't have automatic updates turned on. Remember, Microsoft only does this for a small fraction of the most serious security bugs. If they take it this gravely you should too. The unofficial patch is designed to uninstall itself in favor of the real patch -- that's a risk you'll have to size up for yourself.


Monday, March 26, 2007

Voting machines: one way Diebold influences purchasers 

There are all sorts of laws about government purchasing contracts. Bidding has to be open, there may be preferences for veterans or minorities, and losers can contest the contract award if it didn't follow procedures.

Diebold lost a voting machine contract in Massachusetts. They're suing.

Do they allege impropriety? No, actually. The Boston Globe reports that Diebold "said the company is not alleging any improprieties by the secretary of state's office. Instead, it is saying the office acted in good faith but made a mistake in the selection."

Diebold is asking a judge to halt the deployment of the competitor's machine even though elections are coming up soon.

Boston Globe article about Diebold suing Massachusetts


Sunday, March 25, 2007

More things to read about voting machines 

via Techdirt:

The Government Accountability Office reviews (harshly) voting machine testing.

Remember the Florida election decided by 392 votes where 18,000 votes mysteriously went missing? Turns out the voting machine vendor tried to warn the election officials that there was a bug which made the machines really slow about storing a vote. Somehow the company and the officials failed to mention this when the election made it to court. Jennings/Buchanan race in Sarasota County.


Saturday, March 24, 2007

How safe is your smartphone/Blackberry/whatever? 

You need to think of them as computers, not as appliances. They're running general purpose operating systems. They have more storage and computer power than NASA had on the ground to support the moon landing, and are not far from a 1990s desktop computer.

Seattle-area security consultant Jon Espenschied writes in Computerworld about the dangers of malware, eavesdropping, and just plain bugs on smart phones and "converged devices". He gives well-researched detail about which cellular networks permit eavesdropping using gear that a private eye could afford, has good information about how hard it is to delete information from your phone so that it stays deleted, and outlines a few ways to mitigate the risks.


Wednesday, March 14, 2007

The problem is, information sticks everywhere it goes 

The latest illustration is Security problems with photocopiers.

The manufacturers apparently decided that if the copier needs to crop, blow up, or make a bazillion copies of a document, it should scan it in and store it digitally. Makes perfect sense. If there is a need for any noticeable amount of storage, the cheap way to do it is to use a hard disk. That's the kind of machine you'll find in places like Kinko's.

You're starting to see the problem now. When does that scanned copy get overwritten? When the copier needs the space for something else? That could take a while. I don't even know where to look for a new hard disk under 40 gigabytes. That's room for a whole lot of tax returns before the first one needs to get overwritten.

So then you've got your tax return stored on a copier in a public location.

It's not the easiest way for an identity thief to get your personal information, but you do have to wonder what happens to those hard disks when someone buys the copier secondhand.


Tuesday, March 13, 2007

Anonymous web browsing: why and how 

Antivirus companies try to keep up with new threats by visiting the web sites of virus writers. The virus writers block them. The only way a virus company can learn how to counter a fresh, not yet released virus, and the only way an anti-spam campaigner can study the latest software for spamming, is to come to the bad guys' web sites anonymously.

A less dramatic reason would be checking out a competitor's web site.

Or maybe you just want other people to mind their own business. There are lots of reasons to surf anonymously.

There's a sorta-OK Computerworld article about anonymous web surfing. It exaggerates what some of the anonymizing solutions can do. No, Computerworld, even the best out there doesn't make it "impossible" for someone to find out where you're visiting. There isn't enough discussion, to my taste, of the hazards of sites that take your web requests and redirect them so they appear to be coming from the proxy site. You've got no reason to trust a random stranger running an anonymizing proxy. A few years back there was a case where the German police forced a system like that to start monitoring its users.

But it does give good background and points to some respected resources. Worth reading.


Sunday, March 11, 2007

Still on dialup? You can have a firewall anyway. 

Everyone says to get a firewall. They usually mean a box that sits between your computer and the wild Internet, and when you go to The Store you discover that all such boxes expect you to have a broadband connection.

One option would be to install software on your computer, such as Zone Alarm or Kerio, which tries to regulate your network connection. This kind of software is for some reason called a "personal firewall". It does work, but I prefer to stop attacks before they're clawing at my computer.

There is a way, which I discovered while doing free (gag) research (it was for a nonprofit and my wife belongs to it). Turns out that some products called "routers", which give you a bare-bones kind of firewall, have a feature that sends your connection over a backup modem if your real, high speed Internet connection fails.

Your dialup firewall, or modem firewall, or whatever you call it consists of taking such a box, hooking up an external modem to it, entering your ISP's phone number in setup, and then letting the box think you're a broadband customer whose normal connection just happens to be down a lot, like 100% of the time.

You probably don't have an external modem unless you're really old, but someone you know may have one in a closet, and sometimes they show up used. A fair price is $5-10.

An example of a router with dialup backup is the US Robotics USR8001. Some resellers don't even list the dialup capability as a feature. It's there anyway.

So here's what your dialup firewall setup will look like. There will be an Ethernet cable from your computer to the router, a serial cable (should come with the modem) to the modem, two more power cords with wall warts that each cover up the outlet next to the one they're using (grr), and your phone cord plugs into the external modem like it plugged into your computer before.

Incidentally, you can limit the nuisance of those wall-warts by using a one-foot-long extension cord to keep them away from the power strip.

Disclosure section: I'm a customer of all the companies mentioned here except Kerio, but have no other business relationship with them.


Windows Live OneCare and your mailbox 

Most people I know use their email program as an archive or a database, so they can search for that one piece of information from a year and a half ago.

Which means that when spam comes in with a toxic attachment, you want your antivirus software to react against that one message and not the entire email storage.

According to several reports including one from a Microsoft MVP, Windows Live OneCare has placed entire mailboxes into quarantine when an infected message comes in. It can take some hunting to retrieve the email. Some people claimed that years of their email had been deleted, but it seems possible that they simply couldn't find the quarantine area (some people said it's in a hidden directory).

You can exclude your Outlook (.PST) or Outlook Express (.DBX) files from antivirus scanning, which strikes me as a lousy idea but might be safer.

Offhand I didn't see a mention of Microsoft fixing this, though by now they certainly might have.

UPDATE 3/16:

Microsoft has issued a fix, and their European business security manager has said of OneCare "...they shouldn't have rolled it out when they did".


Friday, March 09, 2007

How good are off-the-shelf security products? 

Security people may seem cynical sometimes. There's a reason.

A Connecticut man bought a computer with Compaq's "DriveLock" utility, and set Internet Explorer to delete his browsing history after five days. He apparently thought his activities were private.

Then he got arrested for selling a rifle with a silencer.

The post-arrest search of his computer turned up several embarrassing things, including his favorite porn sites and homemade Paris Hilton-style videos of him and his girlfriend.

Michael Alan Crooker then sued Microsoft and Compaq and Circuit City for selling defective security software.

It's easy to get distracted by the technical side of this. Distracted, that is, from one key point which is that a good way to protect your privacy is to be honest enough that you're less likely to get arrested.

The other thing to notice is that most off-the-shelf solutions for protecting your privacy are near-fraudulent junk. The only things a professional will trust are time-tested products from places that care, such as PGP and TrueCrypt. And I wouldn't depend on those if I were doing something illegal.

Circuit City and Compaq's parent company, HP, have already settled. The outcome of the suit against Microsoft will be very interesting.


Some downtime may be coming up 

The blogging service I'm using is about to force me into an "upgrade". If you don't hear from me for a while, that's the reason.


When technical security doesn't help 

Suppose your marriage counselor has truly first-rate computer security, or better yet keeps everything on paper. Are your records secure?

Under the USA PATRIOT Act, the FBI can demand those records by printing out and showing the counselor something called a "National Security Letter", without ever making a case to a judge that there was cause for breaching your privacy.

Let's say you trust the FBI to refrain from the systematic abuses they did in the 1960s. There's still a lot of room in between being abusive and being squeaky clean.

What about agent error, and shoddy record-keeping? Those turned up in a recent DoJ audit of the FBI's use of National Security Letters. Some were issued without approval even from the FBI managers who would normally sign them. Some were issued when there wasn't an investigation going on. Some weren't included in the reported totals of how many were issued. Emergency powers were used in non-emergency situations.

It could have been a lot worse, and I feared it would be. There were only 56,000 National Security Letters during the busiest year. The audit found only a small fraction in violation of the existing regulations.


Monday, March 05, 2007

That "Linux" thing your technical friend nags you about 

With the fervor of a religious convert, your technical friend has been telling you that Linux will solve your security problems, run perfectly, and save your soul from the evil clutches of the Prince of Darkness.

It won't solve your security problems, of course, but Linux users are having a better experience than Windows users by leaps and bounds. Linux did avoid some of Microsoft's design choices that look bad in hindsight. Meanwhile the progress Microsoft is making looks real to me.

Linux will not run perfectly. When I find the operating system that does, I will switch to it.

What Linux will do today, which you could not take for granted even a few years ago, is run normal desktop computing. The remaining places where there are genuine weak spots are games and (in my experience) printing.

When your technical friend goes religious on you, refocus him with some down-to-earth questions like "Does this have something to do with why I can't fast-forward through the 'FBI Warning' on my DVDs?", "Can any of these evil things prevent me from viewing my own documents if I don't pay my bills?", and "Does this affect things that really matter, like historical footage and whistleblowers?"

Then do your own research with articles like the 30-day trial of Linux and weigh the level of hassle against what you would go through with Vista. (If you get tired of clicking through that article, skip straight to Brian Boyko's conclusions.)


Sunday, March 04, 2007

Who's reading your mail and why should you care 

Former Department of Justice attorney Paul Ohm says the FBI is recording Internet activity wholesale and then searching the result for activities of particular suspects. The DoJ takes issue with that description.

That's a big difference from getting a warrant and listening to a mobster. What Ohm is describing is listening in on thousands of people to catch communications from one suspect.

But you have nothing to hide, so it doesn't matter. Unless you're gay in Tennessee and the wrong officer is looking through the mass of wiretap data. Unless the FBI decides to reuse the data for other purposes, and discovers that you were buying halide lamps. Tropical fish enthusiasts use them to keep the fish happy, but that purchase will make you an instant drug suspect. Or what if you're planning a political demonstration?

That's only the things that can go wrong with honest law enforcement. Imagine an FBI agent who's sure his best friend is getting mistreated by his ex-wife and who decides to help the friend.

Limits on government are a security measure.


Saturday, March 03, 2007

What version of Firefox are you running? 

Go to Help/About Mozilla Firefox and check the version number. If it's 1.5.x, upgrade soon. It's an older version and security upgrades for it will stop in April.

That's a pretty serious incentive, since much of the security advantage of Firefox comes from rapid availability of security bug fixes.


Friday, March 02, 2007

Which antivirus do you want? 

There's a new study of antivirus software detection rates.

The results are on a par with other studies I've seen.

Kaspersky ranks at or near the top in several categories. Against the most difficult viruses, the ones that change themselves to avoid detection, the winners were my favorite, Nod32, and Symantec's Norton Antivirus. I can't account for the difference between Norton's high score in many studies and the many complaints I've heard about it from IT workers.


Are you handling health information or credit cards? 

Government and private-sector regulations are pushing people to encrypt sensitive data.

I've been saying for a while that encryption doesn't solve a single problem. It simply changes the problem, ideally to one that's easier to manage. The problem of keeping data confidential changes to the problem of keeping crypto keys confidential.

Simply keeping that in mind will help you avoid several of crypto expert Anton Chuvakin's five mistakes of data encryption.

His other points have to do with the "build or buy" decision. For crypto, the answer is "buy" (or, in the case of free software, "reuse"). Plenty of superb crypto software is available at no charge ("free as in free beer") on openhanded license terms ("free as in free speech"). You don't want to roll your own because crypto is the easiest thing in the world to mess up without knowing that you've goofed. Use something that someone else has tested, preferably for years and with many outside reviewers.


Thursday, March 01, 2007

Words to beware of: "Trust" 

A good rule of thumb when you see the word "trusted" in security literature is to assume it either means nothing or else means "in a position to betray you".

It's a vague word that is often misused in places where people need to be precise instead.

If you ever experiment with PGP to encrypt your communications or files, you'll find that their use of the word "trust" has so little in common with its everyday use that it will simply confuse you.

The Emergent Chaos blog has a good flame about abuse of the word "Trust" in security literature.


Study of FL voting machines that lost 18,000 votes 

in a race that was decided by a few hundred. Someone actually succeeded in getting a study done.

Security expert and Princeton professor Ed Felten refused to participate in the study of what happened because he thought the scope was too restricted. Within that scope, the team didn't find maliciously written software, but remarkably bad software nonetheless. For example, there was a master password with only 256 possible values.

TechDirt has details


If one corrupt employee can break the system it's bad 

The US Transportation Safety Administration inspects some checked baggage for dangerous items. The airlines, meanwhile, have spent generations urging people to lock their checked luggage to discourage theft (which makes me wonder -- wouldn't it be easier, with less chance of getting noticed, for a thief to grab the whole suitcase and go through it someplace away from the airport, instead of opening the bag on site?)

One solution is to lock your luggage with locks that can be opened with a master key that all TSA inspectors have a copy of.

How many employees does the TSA have, what fraction of a percent are dishonest, and how much money would there be in selling a copy of the master key to baggage thieves?

It might not be that bad. Unless there are well organized crime families of baggage thieves, the crooks can't raise enough money to tempt a TSA inspector. Even then, the damage would probably be contained. A baggage thief isn't likely to share the key with competing baggage thieves.

If your security consultant bills you for time spent deciding that something is low risk, it's because he/she needed time to analyze the situation like I did above to see how serious the threat is.

Don't be afraid to question your security consultant, either, because it's easy to overlook something. Can you spot the hole in the analysis above?

There are organized criminals, with boatfuls of money, who have an interest in getting access to checked baggage. You could call this the Midnight Express scenario. Baggage handlers have helped smuggle drugs. Allegedly, in the case of Schapelle Corby, corrupt baggage handlers have planted drugs in innocent people's luggage and if their confederates at the destination fail to retrieve the drugs, guess who's left holding the bag? Just guess how impressed the police will be when you tell them that someone must have planted the drugs on you. They probably hear that on every arrest they make.

You can't buy a luggage lock that will stop someone determined, but you can get one that (unlike a TSA lock) has to be cut in order to open your suitcase. Petty thieves and drug smugglers will probably pick one of the thousands of easier targets instead.

Or just FedEx your luggage to your destination and eliminate the wait at the carousel, the uncertainty that it will arrive, and the huffing and puffing at both ends of the trip.

