Saturday, December 22, 2007

Upgrade Adobe Flash Player 

You almost certainly have it installed as a browser plugin: it's what makes those animated ads work.

It also has serious security vulnerabilities that could allow your computer to be taken over if you visit the wrong web site (or if a legitimate web site displays the wrong ads).

See Adobe's instructions for installing the Flash patch.


Friday, December 21, 2007

The best things in life are free 

My colleague Peter Gregory has a list of good free security tools. Enjoy.


Trends in the virus/antivirus arms race 

Your antivirus software works two different ways. It checks things against a list of known viruses, like a police officer scanning people's faces against the wanted list. It also looks for suspicious behavior, like a police officer stopping someone who is acting strangely.

Lots of new viruses come out every day. That's why it's so important to keep up with the automatic updates for your antivirus software. That also tells you that there are always viruses that are too new for your antivirus software to know about, so it's really important that it be able to recognize virus-like behavior.

Unfortunately today's crop of viruses is pretty good at evading suspicion. A recent German study of antivirus software found that most antivirus products could detect only 20-30% of viruses not already on their watch lists. Even the most successful one, NOD32 from eSet, only caught 68%.

Your best defense is to be careful what you download.

English article about the German study


The Wall Street Journal reviews small shredders 

Anjali Athavaley has a review of 5 home paper shredders on page D3 of the Thursday Wall Street Journal.

The cheapest one that will eat CDs is the Royal Desktop Crosscut Shredder, $50 from As with most of them, the opening is small enough that you have to fold paper to fit before you shred it. The cheapest that will take a full size piece of paper unfolded is the Staples Mailmate M3, for $80.

Is it pure paranoia to worry about whether someone might rifle through your recycling bins looking for sensitive information? Well, my neighborhood has been hit by mail thefts, presumably by identity thieves, and someone who steals your recyclables instead of your mail can get almost as much information without risking a Federal prosecution.


Saturday, December 15, 2007

Ohio finishes study of voting machines 

“All of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election,” said the study team.

Article with responses by voting machine vendors.
Text of the voting machine study.


Friday, December 14, 2007

Mac video users, an update you should get right away 

Apple's Quicktime media player has some security problems. Apple's finally released a fix. You'll be asked to install it within a week anyway, but if you play lots of video from the net I'd suggest doing the upgrade right away.

Go to System Preferences, the one with the icon like a light switch. Under System, choose Software Update. Click Update Software, and Check Now. Accept the Quicktime update.

Security firm Symantec reports that bad guys are using the Quicktime vulnerabilities today.


Thursday, December 13, 2007

Good article about how to spot dangerous e-cards


Wednesday, December 12, 2007

HP laptops this time 

Have you ever wondered why security people start making pained faces whenever they hear about some cool-sounding useful feature?

It's because they've seen too many things that looked good go horribly wrong.

Via The Register, there's a report that the "HP Info Center" software on HP laptops, which does several useful and powerful things, can be triggered to do them by a web page, and some of those powerful things are useful to an attacker.

Technical details of the HP laptop vulnerability for your technical friends.

Pending a fix from HP, the best way to avoid this is not to use Internet Explorer.


Wednesday, December 05, 2007

Does it seem hard to keep your PC secure? 

My favorite security writer says it's not your fault, that computers are just too hard for normal people to use securely.

I'm not sure it's that bad. A lot of computer security is just a matter of applying your normal street smarts to your online world. You know that someone who appears out of nowhere trying to sell you drugs does not have your best interests at heart, whether he whispers out of an alley or sends you spam.


Curious about the details of password guessing programs? 

This is for people who like to look under the hood.

My favorite security writer discusses how password cracking programs make their guesses and how fast they work. He uses that information to explain how to choose a good password.


This is interesting - Rorschach passwords 

Use inkblots as a password hint.

It's down as I write this, but the idea Microsoft Research came up with was to present you with a series of inkblots. What you do is think of a word for what the inkblot looks like to you, which is presumably different from what someone else would think of, and then you use the first and last letter of that word as part of a password.

So if you saw a butterfly, a train, a chimney and Madonna, you'd pick a password of "bytncyMa", but you'd be able to remember it by association with the pictures. Someone else looking at the same inkblots might see a flower, a sausage, a box and Cher, so they'd pick "frsebxCr".

It's still a research project. There are lots of open questions, and the privacy statement tells you right up front that they're recording everybody's word choices. In other words, it's not for serious passwords yet. One issue I thought of immediately is that most people aren't going to think of words outside a set of a few tens of thousands at most. Most of the words you know, for example "knowledge" or "abstraction", are not going to be words you'd use to label a picture. The password therefore won't be as strong as a truly random one, and should be made longer to compensate. At an uninformed guess I'd recommend six pictures: in a little while Microsoft Research will know for sure.
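To put a number on that argument, here is an added example (not code from the post or from Microsoft Research) that derives a password the way the post describes and estimates how many bits each picture really contributes. The word list is a small constructed sample of typical inkblot labels, so its numbers are pessimistic; the point is the method, and the 26x26 cap that holds for any vocabulary.

```python
import math
from collections import Counter

# Constructed sample of labels people might give inkblots (concrete nouns and
# names); illustration only, a real study would gather a far larger vocabulary.
LABEL_WORDS = [
    "butterfly", "train", "chimney", "Madonna", "flower", "sausage", "box",
    "Cher", "bat", "moth", "mask", "face", "crab", "bird", "tree", "cloud",
    "dog", "cat", "bear", "rabbit", "skull", "heart", "bell", "bug", "fish",
    "hand", "boat", "car", "house", "flame", "wing", "spider", "frog", "leaf",
]

def first_last(word):
    """The two letters the scheme keeps from one label (case preserved)."""
    return word[0] + word[-1]

def derive_password(labels):
    """Password assembled from one label per picture, as in the post's example."""
    return "".join(first_last(w) for w in labels)

def entropy_bits(counter):
    """Shannon entropy, in bits, of the distribution a Counter describes."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())

def bits_per_picture(words):
    """Entropy of the first+last pair if every label is equally likely.
    Collisions (cat/cot/cut all give 'ct') pull this below log2(len(words)),
    and no vocabulary can beat log2(26*26), about 9.4 bits per picture."""
    return entropy_bits(Counter(first_last(w).lower() for w in words))

def random_password_bits(length, alphabet=52):
    """Strength of a truly random password over upper- and lower-case letters."""
    return length * math.log2(alphabet)

def pictures_needed(words, target_bits):
    """How many inkblots it takes for the scheme to reach target_bits."""
    return math.ceil(target_bits / bits_per_picture(words))

if __name__ == "__main__":
    print(derive_password(["butterfly", "train", "chimney", "Madonna"]))
    per = bits_per_picture(LABEL_WORDS)
    print(f"{per:.2f} bits per picture (cap {math.log2(26 * 26):.2f} for any vocabulary)")
    print(f"4 pictures: {4 * per:.1f} bits vs random 8 letters: {random_password_bits(8):.1f}")
    print("pictures to match:", pictures_needed(LABEL_WORDS, random_password_bits(8)))
```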

This gives me an idea: your employer may forbid you to write down your password, but I bet they don't have any rules about making cryptic doodles that look like something from your preschooler. You could use a password reminder that looks like refrigerator art and as long as you put in a number and a special character you could have a strong password without having to memorize it.

Infoworld article about inkblot passwords

