Sunday, July 29, 2007

I have some good news and some bad news (voting machines) 

California's Secretary of State, in a move that earns her a Medal of Cluefulness, ordered voting machine vendors to submit to a security review by outside consultants.

What made the papers, of course, was that the consultants succeeded in breaking into all or almost all of the machines.

The good news, buried several paragraphs down, is that they found no evidence of hidden features in the programming for the voting machines.

People are making a big deal of the fact that the security testers had access to "source code" for the machines. That simply means the program as the programmers wrote it, which should not be kept secret, not for a voting machine. Other critics point out that the testers had full documentation for the machines, which is another non-issue because it's right at impossible to keep information like that secret.

The bad news is that the security testers had less time and less incentive than a crooked politician's employees would have. The problem is actually worse than it appears.

San Francisco Chronicle report on voting machine testing
Computerworld has a more technical report about the California voting machine security tests


Mail filtering for small-to-medium businesses 

Virus and malware filtering on incoming email, for 5-250 employee shops, about $35/user/year.

From Cheryl England at PC World.

This is an outsourced service, no gadgets to install and maintain on your premises.


Thursday, July 26, 2007

Top secret Israeli army documents 

A reserve officer in the Israeli Defense Forces found top secret documents available to anyone on the network. He found them by searching for the words "top secret".

Officials say this is the fault of individuals who make top secret information available over the network in violation of regulations.

This is what security people mean when they say that security is a people problem.


Should your business prepare for a bird flu epidemic? 

My favorite security writer, Bruce Schneier, argues in an article about disaster planning that you shouldn't.

His reasoning is kind of like the old Zen proverb, "where there is no solution there is no problem". Disaster planning, in his view, is for disasters you can do something about. If you're the government, you can prepare for widespread natural disasters. If you're a business, you can prepare for having your data center flooded. But you can't meaningfully prepare for having a third of the population sick and the rest quarantined on the level of one business.


Monday, July 23, 2007

iPhone security again 

The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.

From the New York Times article about the newest reported iPhone security vulnerability.

Dr. Charles A. Miller, of the firm Independent Security Evaluators, reports that a malicious web page or a WiFi network run by somebody hostile can completely take over an iPhone. Full details haven't been published yet but well-regarded security people have reviewed his findings and say it's for real.

Technical details of the iPhone security vulnerability.

It's hard to protect yourself, but it looks like the good guys found out about this first. Apple's been notified and ought to release a patch soon. iPhone updates will come through iTunes.

Meanwhile do the standard things: stay out of bad neighborhoods on the web and don't click on links if you don't know where they go.

What nobody's saying is that Apple made a bad design decision. Once the bad guys have taken over the browser, they shouldn't have complete run of the machine. But they do. According to the ISE report, the browser is running with the privileges of a system administrator. Apple made a mistake by making that possible. Web browsers are complicated and have to deal with uncontrolled, often hostile input: it's wrong to trust them with the master keys to your computer.

UPDATE 7/26:

There's a video of the iPhone security hole.


Friday, July 20, 2007

Why you want a master password in Firefox 

Firefox offers to remember passwords for you. It's a handy feature, and makes it easier to manage having a lot of strong passwords.

Unless you set up a master password, it will automatically fill in a password when a login page asks for it.

You'll ask "what is a login page?" if you're a paranoid security person. For Firefox, it's anything under the same top level domain. For example, if Firefox has stored your password for, it will fill it in for If Jennifer has uploaded something that looks like a login form to Firefox, Firefox will give Jennifer your password. Myspace prevents this now, but other services that allow users to upload content could have a problem.

The fix I recommend is to go into your Firefox preferences, click Security, and click the checkbox "Use a master password". That way, Firefox will ask for your master password before it gives away your site-specific passwords, and you can tell it not to if you know you've already logged in, or if you know that you're looking at a user's page and not at a real login page.

Heise security has technical details.

UPDATE 7/23:

I may have spoken too soon about Myspace, many people are reporting that it still allows people to upload active content.

There's another way to protect yourself, which is a Firefox extension called Secure Login. Instead of entering your password for you automatically, you have to click first, and it generally gives you more control about when your password goes out to web sites that ask for it.


Wednesday, July 18, 2007

iPhone: how safe is your data at a hot spot? 

Pull out your iPhone at a coffee shop and start using the coffee shop's wireless network. How well protected are the data and passwords you send and receive?

Check out the excellent-as-usual article by Glenn Fleishman article about iPhone WiFi security at Macworld. If you're in a hurry, check out the short version at Glenn Fleishman's blog.

It's a mixed bag. Apple did some things right, some things wrong, and some things incompletely or buggily.

The most elegant and effective way to protect yourself from eavesdroppers at a hot spot is to use a "VPN", in which all your data is encrypted (scrambled) as it flies through the air. If your company provides a VPN for road warriors, the iPhone may not work with it depending on the details of how you log in.


Firefox should soon ask you to update 

Go to "About Firefox" and check the version number. You want to be running version, which fixes some important security problems.

As long as you're thinking about it, make sure you have automatic updates turned on. In preferences, click Advanced and choose the Update tab, then check the box for "Automatically check for updates". If it's already checked then you're fine. (Actually there are three checkboxes, I recommend checking all three, but the important one is the one for Firefox. The ones for addons and search engines are less important).

Technical details.

Until you get the update, run the NoScript extension to protect yourself. Most of the bugs are related to Javascript.


Tuesday, July 17, 2007

iPhone security warning 

The iPhone has a feature that lets you dial a phone number that appears on a web page by simply tapping it.

Security firm SPI Labs warns iPhone users not to use the feature until Apple fixes a bug. They don't give details, but apparently if you're on a malicious web site, or a legit one that's been successfully attacked, bad guys could redirect your call to a 900 number.

Unfortunately their advisory doesn't make it clear exactly what you need to avoid doing. It sounds like they're saying not to tap on phone numbers.

That may be overcautious since they don't report any cases in the wild of bad guys using this bug to attack people.


Saturday, July 14, 2007

More than one kind of security 

This post isn't about computer security.

Have you ever thought of buying a Toyota Prius as being a safety measure?

It turned out that way for people evacuating from Hurricane Rita. In the long stop-and-go traffic of the evacuation, people with hybrids could keep their engines off most of the time. The result is that they kept going while others ran out of gas, gas that wasn't available at the sold-out gas stations.

Short story about hybrids in the Rita evacuation
Long story from a Rita evacuee who needed his Prius's efficiency and GPS system to escape

Whatever car you drive, fill up when you're down to a quarter tank (you know, like that advice in driver ed that nobody paid attention to). In a disaster, by the time you think of filling up, everyone else will have drained the gas stations dry. Keeping at least a quarter tank at all times guarantees you some mobility.


Friday, July 13, 2007

Visit the wrong web site, lose control of your computer 

The latest security bug that allows a bad guy to take over your computer if you visit his web site is worse than usual. It affects almost any browser program, because it's a bug in a helper program that every browser uses. It's called Flash Player, from Adobe (click the link to download the fix). It's the program that makes some of those animated ads work.

At last report, bad guys were not yet attacking using this technique. That can change immediately of course.

Meanwhile, people using the NoScript extension to Firefox are protected because by default it blocks Flash animations unless you decide to allow them.


Thursday, July 12, 2007

What do professionals do to protect themselves? 

Web security expert Jeremiah Grossman uses two completely different browser programs, one for general surfing and another for use with security-critical sites such as his bank. This protects against a whole family of attacks, but not against some of the worst ones.

Other people he knows go further, running their general web surfing in a "virtual machine", a simulated PC that hopefully can't affect the real one. That way even if there's a browser bug that allows a bad web site to take over your computer, it only takes over the simulated one. That's more trouble than you want to go to, but it's not crazy.

Personally I've done OK with the Firefox/NoScript combination on a Mac.


Tuesday, July 10, 2007

Highly critical browser bug with a confusing description 

"...involving both Internet Explorer and Firefox", says one writeup.

What's happening is that if you have both installed, then visiting the wrong place with Internet Explorer can trick Firefox into doing the wrong thing.

While geeks argue about whose fault this is, you still need to protect yourself. Stay out of bad neighborhoods for one thing. Antivirus firm Symantec says "Disable the "Firefox URL" URI handler" but doesn't explain how. Slashdot user mario_grgic gives step-by-step instructions:
Open Windows Exporer (not Internet Explorer) and from the Tools menu select "Folder Options" menu. On the dialog that appears select the "File Types" tab.

Now in the list of registered file types find the one that says:

"(NONE)" for extension and "Firefox URL" for file type

Select it and click on delete button to delete it.
Click on "OK" to close the "Folder Options" dialog.

If you do that, the only change will be that some web sites will no longer be able to force themselves to open in Firefox. This is not a serious loss.

UPDATE 7/11:

You're already protected against this if you have installed the Firefox extension NoScript, according to NoScript's author.


Sunday, July 08, 2007

Run a web site? 

You may someday get an alarming message from someone who says they've found a security problem on your site. Don't panic, it's almost certainly not somebody malicious.

Web security expert Jeremiah Grossman talks about what to do with an unsolicited web site vulnerability report.


Important news from Watchguard 

I hadn't heard about this before: RTF files are being used to distribute malware. RTF stands for Rich Text Format, and it used to be considered one of the safe file types that only carried data and couldn't carry a program.

You do get some warning that something strange is happening. If you open an infected document, you see an icon that you have to double-click to get the toxic payload. Don't do that, certainly not with a document you didn't expect.


Friday, July 06, 2007

What your bank won't tell you about online security 

Not for any sinister reason, but because they don't know, at least not the call center employees.

Your bank should, and probably does, have some sort of backup check of who you are so that if someone steals your password they can't necessarily clean out your account. The cleanest way to do this technically is called "two factor authentication", where your password is one "factor" and the other might be a random number from a pad or a small device that you have with you but that a password thief wouldn't have. Many banks also have extra security questions that they may ask if you're logging in from a different computer from your usual one.

Can you get a bank employee to explain this to you? Sarah Scalet of CIO.COM called several banks about their online banking security features. Bank of America gave her a good explanation, but the rest were dismal.

Which means that if you sign up for online banking, you'll have a hard time judging the security features ahead of time. Don't let that stop you, though: paper banking has hazards too, and many people in my area have had to get locking mailboxes to combat mail theft.


Thursday, July 05, 2007

iPhone security: put a password on your voice mail 

According to Nitesh Dhanjani, anyone can listen to your voicemail as long as they can send false Caller ID information, which is not hard at all. If you add a password to your voice mail then you're safe.


Wednesday, July 04, 2007

Now I get to write about the iPhone! 

There's already some security news about Apple's iPhone.

Don't worry about most of what you read. Almost all the news and effort is about people trying to "break into" their own telephones to install new software or to avoid the need for an ATT contract (that last they've partly succeeded at. You can use the non-phone features without a contract using a recently released hack). That doesn't affect your security using the phone, at least not directly.

A company called Errata Security reported finding a bug in the Safari web browser that could allow a malicious web page to take over the phone. This may already have been fixed, and I question whether there's enough known about the inner workings of the iPhone that someone could do an actual takeover yet.

Remember, though, it's a computer that makes phone calls. Treat it with respect, especially if Apple changes their mind and starts letting you install new software on it.


This page is powered by Blogger. Isn't yours?