Thursday, April 26, 2007

A wireless network hazard 

When you're on the road and get your Internet fix at a coffee shop, how do you know it's really the coffee shop's network?

It matters because it's easy for a crook to set up a hotspot and give it the same name as the coffee shop's, or a confusingly similar name. Once the crook does that, all your Internet traffic is flowing over the crook's machine, where the crook can eavesdrop on email passwords.

The security world has an annoying habit of coming up with cutesy and less than informative names for attacks. This one is called an evil twin attack.

It's so easy to eavesdrop on wireless signals that I'm not sure why a crook would go to the trouble, unless the network you think you're talking to is encrypted. Then the crook needs to impersonate the network to find out what you're saying to it.

There have been some real-life reports of this attack being used in areas where rich people are likely to be.

The article I linked to says that consumers don't have a way to protect themselves. They must not know about Hotspotvpn, a service that provides you with an encrypted tunnel to the real Internet, so that even if your wireless connection is to a crook, the crook won't be able to read anything.
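Here's an added example (mine, not from the original post or from any product) of the kind of sanity check a laptop could run on its own Wi-Fi scan results before you connect. The scan data is constructed, and the record layout (ssid, bssid, security) is an assumption; real scanners report more fields. It flags the two tells of the attack described above: a name that's advertised both open and encrypted, and a name that's confusingly close to another one.

```python
import difflib
from collections import defaultdict

# Constructed scan results (not from the original post): what a laptop might
# see near a coffee shop. "security" is the advertised protection, "bssid"
# the access point's hardware address. Two legitimate encrypted APs share the
# shop's name; a third AP with the same name is open; a fourth uses a
# look-alike name.
SCAN = [
    {"ssid": "CoffeeShopWiFi", "bssid": "00:11:22:33:44:01", "security": "wpa2"},
    {"ssid": "CoffeeShopWiFi", "bssid": "00:11:22:33:44:02", "security": "wpa2"},
    {"ssid": "CoffeeShopWiFi", "bssid": "de:ad:be:ef:00:01", "security": "open"},
    {"ssid": "CoffeeShop-WiFi", "bssid": "de:ad:be:ef:00:02", "security": "open"},
    {"ssid": "Bookstore_Guest", "bssid": "00:aa:bb:cc:dd:01", "security": "wpa2"},
]


def find_suspect_networks(scan, similarity=0.8):
    """Return {ssid: [reasons]} for networks that deserve a second look.

    Several access points sharing one name is normal for a venue with more
    than one AP, so that alone is not flagged. Two things are flagged:
    the same name advertised with different security settings, and names
    that differ only slightly from another name in the scan.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = defaultdict(list)

    # Signal 1: one name, differing protection. An open AP sitting next to
    # an encrypted AP with the same name is not how venues are set up.
    for ssid, aps in by_ssid.items():
        secs = sorted({ap["security"] for ap in aps})
        if len(secs) > 1:
            findings[ssid].append(
                "advertised with differing security: " + ", ".join(secs))

    # Signal 2: confusingly similar names (case-insensitive string similarity,
    # 0.0 = nothing in common, 1.0 = identical).
    names = sorted(by_ssid)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ratio = difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()
            if ratio >= similarity:
                findings[a].append(f"name resembles {b!r}")
                findings[b].append(f"name resembles {a!r}")

    return dict(findings)


if __name__ == "__main__":
    for ssid, reasons in sorted(find_suspect_networks(SCAN).items()):
        print(ssid)
        for reason in reasons:
            print("   ", reason)
```

A hit here isn't proof of anything; it's a prompt to ask the staff which network is theirs, or to bring up your encrypted tunnel before you do anything that matters. A crook who copies the shop's name and security settings exactly won't trip either check, which is the whole argument for the tunnel.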


Diebold voting machines in Ohio 

The problems found in an audit of Diebold voting machines in Cuyahoga County, Ohio sound more like the result of poor design than of anything more sinister. Though it's really poor design, since the machines use a database back end that Microsoft explicitly says not to use in an environment where a lot of simultaneous changes are happening.

Still, Diebold's reported attitude is inexcusable:
Election Director Michael Vu initially denied the audit team access to the raw vote data to examine because he said Diebold had asserted trade secrets protection over the data. By vote data, they're referring to the vote totals and election reports, not the machine source code.

Claiming that election results are a trade secret is an outrage.


You wouldn't eat a sandwich someone left on the sidewalk 

Not long ago, someone with non-criminal intentions tried an experiment. They gave away free CDs in the London financial district. The CDs contained software that started automatically when the recipients put the CDs into their computers. The software phoned home to report that it had gotten run, but didn't do anything malicious.

Nick Lowe, an employee of CheckPoint, said at a trade show that criminals have now pulled a similar trick by leaving USB nerdsticks around that contained malicious software. The software stole online banking credentials.


Tuesday, April 24, 2007

There's a Mac problem of some kind 

Useful details are thin on the ground, but there's some kind of remote takeover problem that apparently depends on playing Quicktime videos from the web with Java enabled.

"What?!", you might well ask.

You and me both. Until some useful information gets published, prudent avoidance would be to go to Firefox Preferences, choose Content, and turn off Enable Java if you spend a lot of time watching Quicktime videos from strangers.

There's no word about whether bad guys are doing anything to take advantage of the problem, or about whether Apple has a fix.


Apple has released a patch; run Software Update soon. There are also updates you need to get if you run WinAmp, Trillian, or Photoshop.


What are the bad neighborhoods on the web? 

"Stay out of bad neighborhoods" is good security advice anywhere, but it's easier to follow that advice in the physical world. In real life you can stay miles away from bad neighborhoods but online they're always a click or two away. In real life you can tell pretty quickly if a neighborhood is dangerous. Online, there may not be broken windows and knots of idle disreputable-looking people.

The conventional wisdom is to steer clear of porn and gambling sites. Not bad advice, but those aren't the worst places.

Researchers who want to collect samples of spyware to study, and maybe samples of worse things, like to start in places that distribute pirated copies of commercial software (or activation codes for them, same thing really). Places like that aren't even semi-legitimate businesses. Porn and gambling sites have addresses and bank accounts and can be sued, in theory, if they stay around long enough. That's not true of software pirates.

Any place that wants to set a hook in you has to start with bait. Some of the malicious emails offer you compromising pictures of celebrities: treat them like you would treat a guy beckoning you into an alley. Not all bait is as obviously bad, though. Studies came up with a surprise about who's dangerous: one of the top sources of spyware is sites offering free games.


Do you use credit cards? 

How safe is your credit card information in the hands of all the companies you buy things from?

The government doesn't have much in the way of regulation. Some states such as California require merchants to warn you if a crook steals your credit card information from them. Since that law passed there have been a lot of published warnings.

The credit card industry is trying self-regulation. They've issued standards for merchants to follow. My personal opinion is that the standards were put together by a committee on which some people were much better than others. Near as I can tell, most merchants aren't complying yet.

Well, I wouldn't be much use to you if I didn't recommend some useful action you could take.

You could try asking the people you do business with whether they comply with "PCI/DSS". I'll save you the trouble: the response will be a blank stare and a "Huhh?".

The best you can do is check your credit card balance online (don't wait for the monthly statement) and report anomalies fast.


Do you take credit cards? 

If you haven't already heard of something called "PCI" or "PCI/DSS", you will before long.

Visa and the other major companies got together and created a detailed list of information security rules that are a contractual obligation for anyone who handles credit card information.

They've failed miserably at getting the word out, but the standards are already in effect, and if you don't comply then the banks can use that as an excuse to leave you holding the bag for fraud losses.

The Payment Card Industry Data Security Standard is a long checklist, but there's one clear top priority. More than anything else, the banks demand that you never store the three- or four-digit code from the back of the card, or the complete contents of the magnetic stripe on the back. They're not going to be forgiving or let you use workarounds on that.
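To make that top priority concrete, here's an added example of mine (not from the post, and not any official PCI tooling) showing what a point-of-sale program should and shouldn't write to disk. The incoming record is constructed: the card number is the widely published Visa test number, everything else is made up, and the track 2 layout (";PAN=YYMM...?") is the conventional one, assumed here. The last function is the gate I'd put in front of every database write and every log statement.

```python
import json
import re

# Constructed example (not from the original post): what a point-of-sale
# program might receive from a card reader after a swipe plus a typed
# security code. "4111111111111111" is the well-known Visa test number.
INCOMING = {
    "pan": "4111111111111111",
    "expiry": "0409",
    "cvv2": "123",
    "track2": ";4111111111111111=04091011234567890?",
    "amount_cents": 1250,
    "cardholder": "J SAMPLE",
}

# The fields the standard calls sensitive authentication data. They may pass
# through memory during authorization but must never be stored afterwards.
SENSITIVE_AUTH_FIELDS = ("cvv2", "track1", "track2", "pin_block")

# Track 2 as assumed here: ";<13-19 digit PAN>=<YYMM><service code><extra>?"
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\??")
# A bare 13-19 digit run; combined with the Luhn test below it is very
# probably a full card number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, which is enough for receipts
    and chargeback disputes; everything in between becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_for_storage(incoming):
    """Build the only form of a transaction that may be written to disk:
    no security code, no track data, card number masked."""
    return {
        "pan_masked": mask_pan(incoming["pan"]),
        "expiry": incoming["expiry"],
        "amount_cents": incoming["amount_cents"],
        "cardholder": incoming["cardholder"],
    }


def find_prohibited_data(text):
    """Scan serialized output (a log line, a DB row, a dump file) for data that
    must not be stored. Returns a list of problems; empty means clean."""
    problems = []
    if TRACK2_RE.search(text):
        problems.append("full track 2 data present")
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group()):
            problems.append("unmasked card number present")
            break
    return problems


def safe_to_write(record):
    """Gate in front of every write: the record passes only if it carries no
    sensitive authentication field and its serialized form scans clean."""
    if any(field in record for field in SENSITIVE_AUTH_FIELDS):
        return False
    return find_prohibited_data(json.dumps(record)) == []


if __name__ == "__main__":
    print("raw record safe to write?", safe_to_write(INCOMING))
    stored = record_for_storage(INCOMING)
    print("stored record:", stored)
    print("stored record safe to write?", safe_to_write(stored))
```

The scanner is also the tool you'd run over old log files and database exports, because the usual way shops end up storing track data is not by design but by a debug log somebody forgot to turn off.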

The rest of the list is things you should be doing anyway, but you're also supposed to generate paperwork to prove you're doing it. You're also supposed to get periodic security checks. If you're small, you don't have to produce quite as much paperwork as Amazon would have to, but you have to live up to the same standards. Worse, if there's ever a breach at your shop, Visa can put you under the microscope like they would Amazon.

You can hire somebody like me to help, but unless you're midsized you should give serious thought to outsourcing your credit card handling.


Tuesday, April 17, 2007

Is your network blinking "12:00"? 

This is for people who run a network and need to be able to troubleshoot a breakin.

It's vital to do one of the most boring things imaginable, which is to make sure all the clocks on your network are set correctly. You need to be able to know what order things happened in and what things happened at the same time. You can only do that if all the clocks agree.

Want a real life illustration? Teen spends 12 days in jail because school didn't adjust for daylight saving time. They nailed him for a bomb threat that happened an hour away from the time that he called.
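As an added example (mine, not from the post), here's what the clock problem looks like when you're building a timeline from several hosts' logs. The log lines and the hosts are constructed; the router's clock is assumed to be an hour behind because nobody applied daylight saving time to it, the same mistake as in the story above. The offsets would come from comparing each host's clock against a reference such as an NTP server.

```python
from datetime import datetime, timedelta

# Constructed log lines (not from the original post): three hosts recorded
# the same suspicious session. The router never had daylight saving time
# applied, so its stamps are an hour behind the other two.
LOGS = [
    ("proxy",      "2007-04-17 14:03:10", "GET http://example.invalid/ from 10.0.0.5"),
    ("router",     "2007-04-17 13:03:11", "NAT 10.0.0.5 -> 203.0.113.9:443"),
    ("proxy",      "2007-04-17 14:04:02", "GET http://example.invalid/admin from 10.0.0.5"),
    ("fileserver", "2007-04-17 14:04:30", "login failure for user admin from 10.0.0.5"),
    ("router",     "2007-04-17 13:04:31", "NAT 10.0.0.5 -> 203.0.113.9:443"),
]

# Assumed per-host clock error, measured against a reference clock.
# Positive means the host's clock is behind and its stamps need adding to.
CLOCK_OFFSETS = {
    "proxy": timedelta(0),
    "router": timedelta(hours=1),
    "fileserver": timedelta(0),
}


def parse(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def timeline(logs, offsets=None):
    """Merge log lines from all hosts into one list sorted by time.

    With `offsets`, every stamp is corrected to reference time first.
    Without, the stamps are taken at face value, which is what an
    investigator does when nobody told them the clocks disagree.
    """
    offsets = offsets or {}
    rows = []
    for host, stamp, msg in logs:
        when = parse(stamp) + offsets.get(host, timedelta(0))
        rows.append((when, host, msg))
    rows.sort()
    return rows


def activity_near(rows, when, window_seconds=5):
    """Everything that happened within +/- window_seconds of `when`: the
    'what was going on at the same time' question."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    return [r for r in rows if lo <= r[0] <= hi]


if __name__ == "__main__":
    login_failure = parse("2007-04-17 14:04:30")
    print("Trusting raw clocks:")
    for when, host, msg in timeline(LOGS):
        print(f"  {when}  {host:<10}  {msg}")
    print("Around the login failure, raw clocks:",
          [h for _, h, _ in activity_near(timeline(LOGS), login_failure)])
    print("Around the login failure, corrected:",
          [h for _, h, _ in activity_near(timeline(LOGS, CLOCK_OFFSETS), login_failure)])
```

With the raw stamps the router appears to have seen the outbound connection a full hour before anyone touched the proxy, and the login failure looks like it happened with no network activity at all. Correct the clocks and the router line lands one second after each web request, which is the story you actually need to tell.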


Friday, April 13, 2007

Security book: "Always Use Protection" 

It is dedicated to helping teens (and anyone else for that matter) to secure their system, protect their privacy, and find again enjoyment in using their computers without having to battle endless popups, mysterious crashes, and spontaneous combustion. There's fairly sound advice at the web site.


Wednesday, April 11, 2007

The Internet is a bad neighborhood 

More precisely, since everything is a click away you're always next to the bad neighborhood even if you're visiting museums and banks.

Security people sometimes mope and lapse into despair (occupational hazard), and I'll briefly indulge myself.

A friend announced plans to have two computers, one for network connectivity, and a separate one that would never be net-connected which would store financial and other important data. I couldn't tell him that it was overkill, not in today's environment.


Happy PatchDay 

Microsoft released some important security fixes in today's batch. If for some reason you don't run automatic updates, make sure you install the fixes soon.


Doing your taxes online? 

It's as simple as anything involving taxes can be, and you can be sure you're using the most up-to-date tax software if you do your taxes on the Turbotax web site. And of course, they wouldn't put up the web site without checking carefully to make sure your information was protected, right?

Not carefully enough. A customer found out by accident that she could see other Turbo Tax customers' bank routing information.

Intuit did two things right. They accepted the good-faith bug report and didn't blame her. Then they fixed the problem. So you're safe now, if no bad guys stumbled across it first, and if Intuit fixed it correctly.

But we don't know whether they did, since they chose not to explain what happened. With the problem already fixed, most security people would like to see an accident report so that other web sites could check whether they made the same mistake.


Sunday, April 01, 2007

How good is your password? 

A blogger has contributed yet another article to the long list of articles about choosing good passwords. It's a good one. It's easy to follow, explains the recommendations, and has sound advice.

Sample tip: Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack. The point of that advice is to make the password something you'll actually remember but that isn't a cliche. Whatever it is, modify the spelling so it's not a dictionary word or even a pair of dictionary words. Don't pick "startrek" as a password.

My favorite remains the randomly generated password which you memorize by making up a story to go with it. Imagine creating a password like "2bcm47h" and realizing it's short for "2 bananas chased me for 7 hours". The randomness gives you a provable amount of security, and the story makes it stick in your mind.
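Here's the "provable amount of security" worked out, as an added example of mine (not from the post or the linked article). The only assumption beyond the post is the dictionary size of 100,000 words used for comparison; the point is that the entropy of a password depends on how it was generated, not on how clever it looks, and that a generator only earns that number if it draws from a cryptographic random source.

```python
import math
import secrets
import string

# The alphabet the post's sample "2bcm47h" is drawn from: a-z and 0-9, 36 symbols.
ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(choices, length):
    """Entropy of a password of `length` symbols, each picked uniformly and
    independently from `choices` possibilities: log2(choices ** length).
    Computed as length * log2(choices) so it works for big keyspaces too."""
    return length * math.log2(choices)


def random_password(length=7, alphabet=ALPHABET):
    """Draw the password with the OS cryptographic random source (`secrets`),
    so the entropy figure from entropy_bits() actually applies. A password
    you made up yourself is not uniform and gets no such guarantee."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits, guesses_per_second):
    """Time for an attacker who knows the scheme to try every possibility."""
    return 2 ** bits / guesses_per_second


def compare_schemes(dictionary_size=100_000):
    """Entropy of the schemes the post contrasts. The attacker is assumed to
    know which scheme was used; the dictionary size is an assumption."""
    return {
        "one dictionary word": entropy_bits(dictionary_size, 1),
        "two dictionary words": entropy_bits(dictionary_size, 2),
        "7 random [a-z0-9]": entropy_bits(len(ALPHABET), 7),
    }


if __name__ == "__main__":
    print("example:", random_password())
    for scheme, bits in compare_schemes().items():
        days = seconds_to_exhaust(bits, 1e9) / 86400
        print(f"{scheme:<22} {bits:5.1f} bits, "
              f"{days:10.3f} days to exhaust at a billion guesses/second")
```

Note what the numbers say: seven random characters from a 36-symbol alphabet come out near 36 bits, a single dictionary word near 17, and a pair of dictionary words a little over 33. So "startrek" is not merely a cliche, it sits in the smallest of those keyspaces, and the randomly generated password beats even two words stuck together. The story you make up to remember it costs nothing, because the attacker doesn't get to use it.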

