Thursday, May 24, 2007

What's the best antivirus? 

There's a university that does some usually underreported studies of how effective different antivirus products are.

Their latest antivirus test results are out, and my old favorite has slipped several places down the list.

As a practical matter, any of the top five or ten should do just fine for you. The difference between the best and the fifth best is nothing compared to the difference you get by staying out of bad neighborhoods and subscribing to regular updates.


And so it begins -- mobile phone malware 

Up to now, whenever I've read about something that was supposed to be malicious software for a cell phone, it's seemed like a non-issue.

But now there's a real Trojan Horse program for Symbian phones. It does real damage, sending text messages to numbers that impose extra charges, and it does it without giving you a chance to stop it. Worst of all, it's "real": it has happened in the wild and not as part of a demonstration or a test.

There will be more like this one. Be careful what you download.


Saturday, May 19, 2007

"Missing five years' worth of security updates"

The havoc brought the county's network -- and the electronic voting system which relies on it -- to its knees as Internet access was all but lost at voting locations for two hours that afternoon. Voters in one of the nation's most hotly contested Congressional elections were unable to cast ballots during the outage, since officials were unable to verify registration data.

From Computerworld's report on the 2006 electronic vote in Sarasota County, Florida.

Voting should not depend on timely access to the public Internet. Also, any systems near the voting machinery should be better maintained than these were.


Monday, May 14, 2007

Do you have trouble following security news? 

Part of the problem may be the industry's penchant for creating oh-so-cute names for simple concepts.

It's reasonable to call a malicious program that pretends to be something useful a "Trojan Horse". But really, do we need to refer to copying confidential data onto a nerdstick as "thumb sucking"? (The idea is that it's a "thumb drive", and you're "sucking" data into it.)

I've watched experienced industry people get actively misled by some of the cutesy names. "Drive-by pharming" is an example that led a lot of people to think they knew what it was, even though it was something different.

Some people don't mind. Here's an article about wacky names in the security industry that doesn't object as much as I do. They even provide a dictionary, though it's way too short.


Friday, May 11, 2007

Is 10% of the web really dangerous? 

A study by Google of 4.5 million web pages found 450,000 which try to do "drive-by downloads", unauthorized installation of software on your machine.

This tells you much less than you might think.

First, how did they pick the pages to investigate? At random, or at random among frequently visited places, or what?

Second, just because it tries to do something malicious, that doesn't mean it will succeed. You improve your odds a lot by keeping up to date with security patches and running Firefox or Opera as your web browser. Antivirus software may help too.

Third, those pages aren't spread out evenly. They're concentrated in bad neighborhoods. Sites with illegal copies of copyrighted software are notorious, and a lot of "free games" are bait for malicious web pages.

The most interesting thing to me was that it's often not the fault of the people who put up the web page. The malicious content may be in ads, or visit counters, or other things that they don't directly control. The Firefox extensions AdBlock and NoScript make it harder for things like that to make it into your web browser.


Thursday, May 10, 2007

Credit card breaches, what do you do? 

So you get a notice in the mail that a bunch of people's personal information got exposed, like Social Security numbers or credit card data, and that you might be affected.

Just what do you do with something like that?

Well, if you live in the right place you can ask that nobody be allowed to extend credit in your name without your permission. See the Consumers Union list of state "credit freeze" laws.

The list isn't perfect. The link for my state is broken, for example.


Wednesday, May 09, 2007

Medal of Cluefulness -- the state of California 

California is demanding that voting machine vendors submit to a detailed technical review. They're bringing in some famous security people and insisting that the vendors not hide the workings behind claims of trade secrets.

If your area is considering electronic voting machines, this is a good example for them.

You could also ask exactly what kind of machine they'd be getting. There are several sorts with different security risks.

Printing a guaranteed-valid ballot based on your touch-screen choices is almost safe. In tests, not enough people check their paper ballots, but if you do then it's a good system that can make elections more reliable.

Machines that count the ballots need more supervision. There has to be a law that the paper has to be preserved and that paper wins if there's a difference on a recount.

Machines that store the election results are an engraved invitation to fraudsters. These are the ones called DRE, for Direct Recording Electronic. Getting them right requires lots of money and oversight, and neither one has been happening.

Remember, too, that security begins before the vendors bid on the contract. Who do you have supervising your elections? Pay attention when you vote for that person. Is s/he honest, or a party hack?


Tuesday, May 08, 2007

Guide to today's Microsoft Patchday 

They're all rated "Critical". Don't delay installing them.


Sunday, May 06, 2007

Do you use AOL? 

There's a recent report in the Washington Post that AOL ignores anything past the first 8 characters of your password and ignores all the non-alphabetic characters that everyone tells you to include in your password.

The truth seems to be more subtle (details for your technical friends) but the lesson is the same. Put the randomness at the beginning of your password and don't count on the difference between uppercase and lowercase letters. "pAsSWoRd123" is almost as bad as "password" as a password.

Don't get too worried.
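
The password advice above, as an added example that is not part of the original post: a Python model of a verifier that behaves the way the report describes, showing which passwords it cannot tell apart and how much randomness survives. The 8-character limit and case folding come from the post; the function names and sample passwords are constructed, and this is not AOL's actual code.

```python
import math
import string
from collections import defaultdict

# Assumed model of the behaviour the post describes, not AOL's real code:
# only the first MAX_LEN characters count, and case is ignored.
MAX_LEN = 8

def effective_secret(password, max_len=MAX_LEN, fold_case=True):
    """Return the string such a verifier would actually compare."""
    if fold_case:
        password = password.lower()
    return password[:max_len]

def collision_groups(passwords, **policy):
    """Group passwords the verifier cannot tell apart."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[effective_secret(pw, **policy)].append(pw)
    return {k: v for k, v in groups.items() if len(v) > 1}

def keyspace_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random password."""
    return length * math.log2(alphabet_size)

def bits_after_policy(length, max_len=MAX_LEN, fold_case=True):
    """Entropy that survives truncation and case folding, for a random
    password drawn from printable ASCII (letters, digits, punctuation)."""
    letters = 26 if fold_case else 52
    alphabet = letters + len(string.digits) + len(string.punctuation)
    return keyspace_bits(min(length, max_len), alphabet)

# Constructed sample passwords; the first one is from the post.
SAMPLES = ["pAsSWoRd123", "password", "password-Xk7#pq2!", "Xk7#pq2!-password"]

if __name__ == "__main__":
    for key, members in collision_groups(SAMPLES).items():
        print(f"{key!r} is all that is checked for: {members}")
    full = keyspace_bits(12, 94)
    kept = bits_after_policy(12)
    print(f"12 random characters: {full:.1f} bits chosen, {kept:.1f} bits checked")
```

The random suffix in "password-Xk7#pq2!" is discarded entirely, while the same random characters placed first are what the verifier keeps.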


Saturday, May 05, 2007

Here's what happened at TJ Maxx/Marshall's 

There was an enormous data breach that exposed millions of credit card numbers, and up to now all the explanations were so vague and made so little sense that security professionals were irritated by them.

The TJX breach started with an insecure wireless network. They had storewide wireless networks protected only with an obsolete standard called WEP, which was cracked in 2001. Since first being cracked, it has been broken, then smashed, and by now has been reduced to powder.

The intruders, using some widely available software, were then able to eavesdrop on all the credit card information flying around the store. But wait, there's more.

The TJX intruders got access to the chain's central database. Apparently people were logging into the central database over the insecure wireless network. The thieves then had passwords to the central database.

The intruders then had the keys to the kingdom and made themselves at home for a year and a half.

TJX made a lot of serious mistakes but they deserve credit for doing the investigation and publishing the results. Bismarck said that the wise man doesn't learn from his mistakes, but instead learns from other people's mistakes. The only way we can have wise security is if other people publish their mistakes so we can learn from them.

If you've shopped at T.J. Maxx, Marshalls, HomeGoods or A.J. Wright, it's not overkill to cancel your credit card. Stolen ones have already been used for fraudulent charges, often to buy gift cards. Don't assume you're safe just because nothing's happened to you yet: smart crooks may delay using a credit card to throw off investigators.

Oh, and wherever you shop, credit cards are safer than debit cards.


Thursday, May 03, 2007

WPS: you want it but you'll have to wait 

WPS stands for "Wi-Fi Protected Setup", and it's a standard for simplifying the unnecessary hassles of setting up a wireless network with security. Instead of you typing ridiculously long numbers or passwords into each device, the devices will figure out on their own who they're supposed to talk to, and pass the long numbers around by themselves like computers are supposed to do.

WPS devices are due out next month, later than expected, according to Glenn Fleishman's wonderful newsletter about all things Wi-Fi.

It's worth waiting for.

