Wednesday, August 29, 2007

Beware of MSN Messenger webcam invites 

If you run MSN Messenger version 7.mumble or earlier, someone can reportedly take over your machine if you accept a webcam invite.

The good news is that I haven't seen reports of bad guys taking advantage of this yet. On the other hand, there's sample code out there already to do it, so it's just a matter of time.

Don't accept webcam invites until you upgrade to version 8.1.


Monday, August 27, 2007

Run out of things to worry about? 

Your cell phone, depending on the brand, can be turned into a bug that will transmit everything that goes on within range of its microphone.

This depends on installing software that changes the way the phone works, for example to turn off the ringer and automatically answer when the attacker calls so that the attacker can listen over the phone.

In the real-life examples I've read about, this has required cooperation from the phone company, so it's not exactly an everyday threat. But if you're a political dissident in a repressive country with a government-owned phone company, either don't carry a cell phone or take out the battery (don't just turn it off) when you're having a sensitive conversation.


How a security-minded person handles her laptop 

"C.J. Kelly" is a pseudonymous columnist at Computerworld. Recently she wrote about how to keep sensitive information secure when it's on a laptop. Full article at

I am one of those people with a laptop, and I take it everywhere. But I am extremely cautious. I never use Wi-Fi. Instead, I have a broadband wireless card, which eliminates the risk of a hacker sniffing my wireless traffic or hijacking my wireless session. My laptop has host-based intrusion prevention and a firewall, and it is set up for automatic patches and updates.

When I travel, my eyes never leave my laptop. At airports, I have a set order for putting my belongings on the conveyer belt so that when my laptop emerges, I am already at the other end to retrieve it. Even my purse is a lower priority. I use a small laptop case that slides under the seat — no overhead compartments. I try not to leave it in a hotel room, but if I must, I hang out a “Do Not Disturb” sign and put the laptop in the room safe. I refuse housekeeping services. Someone from the hotel could still enter my room, but I eliminate as much risk as possible.

I would have put "encrypt the disk" in there somewhere.


Thursday, August 23, 2007

Car security 

At the Crypto 2007 conference, a team of five researchers reported that they can crack the cipher in a remote-entry system used by many car manufacturers including GM and Toyota.

The attack requires that the attacker have some middling expensive machinery and about an hour of access to the transmitter. Think organized crime here.

Getting your car stolen this way could be even more unpleasant than you think, because your insurance company may be unwilling to believe that the computerized security could be broken. Insurance companies have refused to pay claims on stolen cars that had cryptographic security.


Wednesday, August 22, 2007

A stranger is still a stranger, even on Facebook 

Security firm Sophos ran an experiment. They created a Facebook account and sent 200 people friend requests.

82 responded and gave away personal information. 78% gave their current physical address, 82% their full date of birth, something my bank uses as an identifier. One even gave away his mother's maiden name.

Techworld story about Facebook and the risk of ID theft from carelessness


Tuesday, August 21, 2007

A cool-sounding secure nerdstick 

I got tired of hearing one term after another for those handy USB flash drives: "thumb drives", "pen drives", "travel drives", "jump drives", ad nauseam. So I just call them "nerdsticks". The name is starting to catch on.

There are some nerdsticks marketed as being password protected. The ones I've read up on are not really secure: they just try to hide one partition, the one with your secret data, from casual examination. Others rely on custom software which can be compromised and which is always a pain to some degree.

A company called Corsair advertises a nerdstick with a physical interface on the device itself for entering a PIN up to 10 numbers long. In other words, no custom software.

OK, here's a drawback: if I read their literature correctly, it has its own battery on board, so there's one thing to go wrong. And I could sure use more detail about how it actually works; security people always get nervous when information is sketchy.

I may buy one. The cost is roughly twice that of a regular nerdstick, which is well worth it if you have to worry about confidential information getting stolen. The largest size seems to be 2 GB; regular ones are up to 4 now.

Network World coverage of the Corsair "Flash Padlock" drive
Flash Padlock manufacturer's web site with a picture.

UPDATE 8/22:

I just read in their support forum that the battery is not user replaceable.

UPDATE 8/23:

Correction on regular nerdsticks: they're now available in sizes up to 16 GB.

UPDATE 3/16/2008:

The Flash Padlock can be bypassed if you open the case and do some minor tweaking. See the sidebar in this Computerworld review of secure nerdsticks.


Electronic voting and unintended consequences 

One of the safeguards that activists and security professionals want to see on electronic voting machines is a paper trail that the voter can see and verify before it gets stored. But you need to look at the details of how it gets implemented.

You see, in Ohio and probably some other places, the poll workers keep records of who's voted in order as they come in. The paper trail from machines by Election Systems and Software has time stamps on the records. Put those together and unless a lot of people come in at the same time, it's a pretty good guess that the Nth person to come in cast the Nth vote. It's not provable, but it's evidence enough to satisfy an abusive spouse, a vote buyer, or almost anyone else with an interest in undoing the secrecy of a secret ballot. The poll records and the paper trail are both public records in Ohio.

This is one more problem you should be on the alert for if your jurisdiction tries electronic voting. Notice, too, how it's a problem that only shows up if you put two features of the voting system together. Problems like that are hard to spot, which is why professional security people are so important to assessing a voting system.


Thursday, August 16, 2007

Medal of cluefulness: the people who make Firefox 

Firefox 3.0 is going to have security improvements under the hood where nobody will see them.

The developers have put together tools for testing the security of the code they write, have already found and fixed problems before anyone else discovered them, and are even planning to release those tools for use by other projects.

Computerworld reports on the Mozilla Foundation's security plans.


Wednesday, August 15, 2007

How safe is your data at the IRS? 

The Treasury Department's Inspector General set out to find out how security-conscious IRS employees are.

They phoned 102 IRS employees and pretended to be from the help desk. They asked the employees to change their passwords to one that they supplied. A real attacker would then have had all the access the employee had -- controlling someone's password is as good as knowing it.

61 employees complied with a request from a stranger to change their passwords according to the stranger's instructions.

The IRS has been running security awareness programs, too. I bet you'd see similar numbers in most organizations.

More info at Network World's article about the IRS security problems.


This time it's Firefox that had the security bugs 

Make sure you're running version (choose About Firefox from the menu). The problems were nasty, including some that allowed bad guys to take over your computer.


Don't skip the Microsoft patchday bug fixes 

Several of the security problems Microsoft has fixed were rated "Critical". That means no fooling. If you don't have automatic updates turned on, run Windows Update to install the fixes.


Saturday, August 11, 2007

High security locks can be picked. Time to worry? 

A researcher named Marc Weber Tobias has shown a way to pick Medeco high security locks.

I was skeptical because Medeco locks have a design feature to prevent the kind of attack he used.

It turns out that if you make a small collection of what are called "bump keys" you can work around the security feature and open any Medeco lock. Making them would require skill, computation and maybe some special equipment. Using them would take some practice but would not be rocket science.

Time to worry? Maybe not. The average residential burglar is going to kick the door in or come in through a window anyway. The issue is that if someone does pick a lock, you can't show your insurance company evidence of forced entry.

Medeco has already made a design change to prevent the attack and is about to start manufacturing locks with the new design. I'm going to wait and see. The world is full of quick security fixes that turned out not to fix the problem permanently.


Understanding the news about RFID passports 

The new US passports have chips in them which can be read by a computer at customs. The chips are not too hard to duplicate. Someone willing to forge a passport can put their own data onto one of the chips.

It's a computer that reads the chips, and if a computer is reading something that the attacker controls then security people start worrying.

A curious person named Lukas Grunwald set out to discover whether there was a security issue and found that by putting the right kind of bogus data onto a passport chip he could crash the passport reader.

That's a potential security issue all by itself, but it's more important because of What Happens Next. If you can make a computer run off the rails enough to crash, it's often possible to grab the steering wheel and control where it goes. If you find a crash, you may have found a takeover.

In other words, it may be possible for someone of ill intent to create a passport which will reprogram the passport reader.

This isn't something you can protect against, except that in general you should insist that the government not push "security measures" that security people disagree with.


Friday, August 10, 2007

The best things in life are free 

One of the secrets of the security industry is that a lot of great tools don't cost money. It's a secret because nobody pays for advertising for free tools.

Via Watchguard, Tech Republic lists ten free security tools. They must have put in some real research, since they came up with some I hadn't heard of.

They list the NoScript extension for Firefox, which just gets more necessary every day. Another highlight is Secunia's Personal Software Inspector, which does an inventory and tells you what needs updating.


Sorry for the lack of posts 

A client had a Situation which took a lot of time and attention. I should be catching up soon.


Sunday, August 05, 2007

The iPhone has security design errors 

From SecurityFocus:
In addition, both the iPhone's stack and heap are executable and the layout of programs in memory are not randomized -- two factors that make exploitation of any vulnerabilities much easier, he [Mikko Hyppönen] said.

If you don't know what that means, that's OK: you pay people like me to understand things like that. What's important to understand is that Apple left out some security features that are in Windows, which are considered normal good practice these days, and which would complicate the lives of bad guys who find a crack in an iPhone application if only Apple used them.


More information about the voting machine review in CA 

My favorite security writer, Bruce Schneier, has a writeup on the California voting machine security review. It's medium long. The highlights:
Some good quotes:
From respected security expert Matt Blaze,
We found significant, deeply-rooted security weaknesses in all three vendors' software. ... It should now be clear that the red teams were successful not because they somehow "cheated," but rather because the built-in security mechanisms they were up against simply don't work properly. Reliably protecting these systems under operational conditions will likely be very hard.

Even with California breathing down their necks the vendors were less than cooperative. From Matt Bishop:
The second problem was lack of information. In particular, various documents did not become available until July 13, too late to be of any value to the red teams, and the red teams did not have several security-related documents. Further, some software that would have materially helped the study was never made available.

