Tuesday, June 26, 2007

Keeping track of all your passwords 

I've recommended a program called Password Safe, and if you'd like to know more about it net-security.org has screen shots of Password Safe.


Thursday, June 21, 2007

Does it feel like you're always hearing about software vulnerabilities? 

One day it's a news story about a bug in a Microsoft product, then there's a breaking news item about how your instant messenger program can let a bad guy take over your computer, then the next day it's something else.

You're not imagining it; the situation really is bad. There's very little software that can resist all the attacks that clever people are inventing.

In this kind of world I recommend that if you've got a program that talks to the network, and you haven't used it in a while, always check for upgrades or fixes before you use it again. Otherwise there's too much chance that while it was sitting unused someone found and started exploiting a security hole in it.


Wednesday, June 20, 2007

What a real attack looks like 

Anti-virus firm Trend Micro describes malicious software on Italian web sites. They have more technical detail than you want, but the important point is that the bad guys are taking over legitimate web sites and using them to take over visitors' machines.

This is scary because you can't protect yourself by staying out of the "bad neighborhoods" of the web. They took over a bunch of perfectly normal web pages.

The attack was sophisticated. The malicious software checked what kind of web browser was connecting to it and looked up security holes to use against it based on what version it was.

You can defend yourself by


Saturday, June 16, 2007

I'll try to explain "cross-site scripting" 

I'm taking this on as a challenge. It's an important concept that affects your security on the Web all the time, but even a lot of programmers get it wrong.

When you look at a web page, the web site sends a description of what your browser should show, and it often sends little programs that control what your browser does. That's where those obnoxious unclosable popup windows come from. The little programs ("scripts", in a computer language called Javascript) also have legitimate uses. For example, Gmail uses Javascript to do work on your computer instead of making long round trips to Google's web servers.

Microsoft's First Immutable Law of Security says that once you let a bad guy run a program on your computer, from then on it's the bad guy's computer and not yours any more.

Scripts can't completely take over your computer but they can control your web browser. They can log in to web sites where you've clicked "Remember me". They can do pretty much whatever you could do from your browser program.

So you shouldn't let scripts run from places you don't have a reason to trust. That's why one of my first lines of defense on my own computer is to run Firefox with an add-on called NoScript. NoScript lets me automatically block scripts from sites I don't know but allow them from places like Yahoo!

So far so good, but what if a site you trust, like Yahoo!, allows people to contribute content, like in a message board? Or do something else that changes the web page you see? Could those people put in a malicious script? They can, and they do. Just a couple of days ago Yahoo! fixed a problem that would have allowed bad guys to take over all your Yahoo! email and other accounts.

The bad guy attacks by giving you a complicated link to click which, if you click it, takes you to a rewritten Yahoo! page with a script that does something the bad guy wants but that you don't.

This is tough to defend against if you want to get full value out of the web. You could refuse to click strange links, which is a good idea anyway, but you can't always recognize them as attacks. You can keep scripts turned off, but you'll have to turn them back on for a few valuable sites, and if any of those have a security hole that lets a bad guy upload scripts, you're hosed.
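Here is an added example, in JavaScript, that is mine and not from the post: a miniature page template that pastes a search term from the link straight into its HTML, beside the same template with the term escaped. The page shape, the function names and the sample input are made up for illustration.

```javascript
// Added example (not from the original post): how a reflected cross-site
// scripting bug happens in a server-side template and how HTML escaping
// stops it. The page shape and the input below are constructed.

// Escape the five characters that let text break out of an HTML context.
// "&" goes first so already-escaped output is not escaped twice.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the term from the URL is pasted straight into the page, so any
// markup it contains becomes part of the page the browser runs.
function renderSearchPageUnsafe(term) {
  return `<h1>Results for ${term}</h1>`;
}

// Fixed: the term is escaped first, so the browser shows it as plain text.
function renderSearchPageSafe(term) {
  return `<h1>Results for ${escapeHtml(term)}</h1>`;
}

// Crude review check: does the rendered page contain a script tag that the
// template itself never wrote?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, standing in for the query parameter carried by
// a "complicated link" of the kind the post describes.
const hostileTerm = 'shoes<script>alert("hi")</script>';

console.log(renderSearchPageUnsafe(hostileTerm)); // script tag survives
console.log(renderSearchPageSafe(hostileTerm));   // shown as &lt;script&gt;
```

The check in `containsScriptTag` is only a demonstration; real defenses escape (or use a templating system that escapes) every place untrusted text lands, rather than scanning output afterwards.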


Sunday, June 03, 2007

What is Google going to do about security? 

They just did something interesting. They bought a security company called GreenBorder, which wraps your web browser in a sort of cocoon or sandbox so that if something goes wrong, like visiting a malicious web site, the damage can't spread to your computer.

My first reaction to seeing GreenBorder, by the way, was to say "Whether they know it or not, Microsoft needs to buy you".

I don't know what Google has in mind, but it would make sense if they're planning more and richer desktop applications and want to contain the security risks up front. Smart.


Do you like learning by analogy? 

My colleague Scott Granneman talks about security analogies and gives some good ones. He's found them such a good way to teach security concepts that he has started a whole web site, http://www.securityanalogies.com, where people can contribute analogies about security.

He admits to the hazards of obscuring how things really work, bringing up one of my all-time favorite quotes:
Chandler Howell put this best when he said "Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven't previously considered and accounted for."

