Saturday, January 26, 2008

You can't rely on avoiding bad neighborhoods any more 

According to one security firm, Finjan, 80% of the web sites carrying malicious code are legitimate sites taken over by criminals: http://www.securityfocus.com/columnists/463/1

Tuesday, January 22, 2008

Change the password on your router 

Where your home network meets the outside network, you've got a box of some sort: a wireless access point, a cable modem, or something. It's got a little web page of its own where you can control it. Which you haven't needed to look at since you first set it up, in all probability.

It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.

Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.

Tuesday, January 15, 2008

Macs are getting targeted more and more 

One of the problems that's plagued people on Windows machines is that criminals peddle fake security software. The phony software may simply induce you to buy it by always "finding" problems when you do a "free" scan. In extreme cases it may even compromise your system.

Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. According to security firm F-Secure, a Mac spyware scanner is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.

Buy only from places with names you recognize, or that your technical friends or your security consultant recommends.

Friday, January 11, 2008

You keep your operating system up to date, but what about everything else? 

There have been security problems with media players, PDF readers, VOIP software, and probably some other things I've forgotten about. These programs don't necessarily have an easy way to check for updates and install them. But if you run old versions they can be a security risk.

Security firm Secunia has released a tool called the Personal Software Inspector which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.

One of the questions I would ask if I were testing it would be whether it gives false alarms. Not every old version is an insecure version.

Secunia is a reputable company, so don't be afraid of downloading software from them.

Do you watch videos with Quicktime? 

There's a new security bug in Apple's Quicktime media software which could allow your computer to get taken over. This is not the same Quicktime security bug that Apple fixed on December 13. Someone announced details of it without telling Apple first, so it will be a while before we get a fixed version of Quicktime. Meanwhile the bad guys know about it.

If I'm reading this right, all you have to do is click on a link to be affected.

If you uninstall Quicktime and reinstall it when the fix comes out, you should be OK.

UPDATE 1/15/2008:

Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.

Thursday, January 10, 2008

SecurityFocus reports on a new thing to worry about 

Digital picture frames and other devices may hold malicious software.

These days practically everything that uses electricity has a computer in it, or if not, at least some memory.

I'm not sure what to tell you about protecting yourself. Anti-virus software is better than nothing.

Tuesday, January 08, 2008

Happy patchday! There's a critical one this time 

Critical vulnerability in Windows networking.

This is like something from years and years ago. Someone can simply send network traffic to your computer and take it over completely.

If I'm reading right, a hardware firewall will prevent this attack, but what if you're on the road?

If you don't have automatic updates turned on, or if you're not sure, then update manually. This is one the bad guys will definitely want to take advantage of.

Another hazard of traveling with a laptop 

If you cross an international border, Customs may ask to go through the contents of your laptop. Not only could that be fairly personal, it could compromise business secrets or worse. Imagine an attorney traveling with confidential client information. Or, for that matter, a security consultant like me.

You could encrypt the data, but the officer you're talking to could always demand the key. There are court cases in the US that might allow you to argue that handing over a key was self-incrimination and to refuse on that ground. Trying that at the border strikes me as a lousy idea guaranteed to raise suspicion and start a confrontation in which you'd be at a disadvantage. Not to mention being completely irrelevant in every country of the world except the US.

For now the options I see are

Article about the legal issues of border laptop searches in the US.

Monday, January 07, 2008

Heads up for AdAware users 

I've recommended LavaSoft's Ad-Aware anti-spyware program before. If you're using the free version, you need to know that there's a new version of Ad-Aware and that unless you got a paid version of the old package you'll no longer receive updates.

More information in Brian Krebs's column.

Your personal information gets compromised. Does it matter? 

After the UK government lost disks with 25 million people's personal information, TV host Jeremy Clarkson raised the question of how much risk there actually was. It's a good kind of question to ask, but it's not so good to leap to conclusions, as Clarkson did when he said "Honestly, I've never known such a palaver about nothing".

He was so sure that the release of personal information couldn't make anything bad happen that, to dramatize his point, Clarkson published his bank account details.

Only one person took the bait, oddly enough, and stopped short of cleaning out the account. The thief "donated" 500 pounds from Clarkson's account to a charity.

Clarkson has admitted he was wrong.

Saturday, January 05, 2008

How to update Flash Player (you need to) 

Blogger Michael Horowitz explains how to fix security problems caused by buggy versions of Adobe Flash Player, and even explains some of the Flash player update problems he had and how to fix them.

"Flash Player" is something you almost certainly have. It makes Youtube possible, but is also what enables a lot of those annoying ads. You care because it regularly has security bugs that allow a hostile web page to take over your computer, and a recent update fixes the known security bugs.

Follow Horowitz's detailed and hard-learned instructions to find out what version you have installed, how to remove it (which is more difficult than I'd expect), and if you have some reason, how to install the new improved version.

In addition, I recommend some form of blocking Flash content to protect you from the unknown security bugs (want to bet there aren't any?). My favorite Firefox extension, NoScript, does this.

Physical security: aviation 

The February 2008 Consumer Reports, just mailed out to subscribers, has a disturbing article about aviation security with a really disturbing quote.

Retired TSA officer Larry Tortorich is quoted saying:

"There was a facade of security. There were numerous security flaws and vulnerabilities that I identified. The response was, it wasn't apparent to the public, so there would not be any corrective action."

In other words, what counts is what the public thinks, not whether flying is safe.

Another TSA officer, Bogdan Dzakovic, had this to say about reinforced cockpit doors:

"People have this illusion hardened cockpit doors work, and they don't... If you want to have a secure door, you need to have a double-hulled door."

El Al has double barriers to the cockpit. We don't.

Consumer Reports found lots of other breakdowns, too. People can get on airplanes with dangerous items. There aren't enough air marshals. And so on.

What is a trustworthy web site, part 3 

This one is just disgusting.

In at least one case, criminals have steered traffic to a web site with malicious software by setting up a fake video memorial web site for an accident victim.

Visitors to the site were told that they needed software to view the video (alarm bells should be going off in your head at this point) and were given a link to click to download it. The software was spyware of course.

You can't ever let your guard down.

What is a trustworthy web site, part 2 

Via Bruce Schneier's blog, well-known firm CA Security reports that Sears installs spyware on the machines of people who join the "Sears Community".

If the allegations are true, the tracking software:

"Monitors secure sessions (websites beginning with 'https'), which may include shopping or banking sites."


The signup includes your name and email address, which means that any information collected isn't anonymous, but tied directly to you.

UPDATE: this is a separate issue from Sears disclosing your purchase history to third parties.

UPDATE 1/8:

Response from Sears
Further study from spyware researcher Ben Edelman

What is a trustworthy web site, part 1 

Web browsers routinely have bugs that allow malicious web pages to take over your computer. If you fall behind on installing security patches, then you're at risk from any web page that includes evil software.

The old advice used to be to avoid porn, gambling, and pirated software web sites.

Unfortunately, criminals have figured out that they can pretend to be a legitimate company that advertises on the Web, buy ad space, put a toxic payload into their ads, and then have an ad broker display malicious content for them on zillions of legitimate web pages. Brian Krebs of the Washington Post writes that high-profile sites such as MySpace and Excite were infected by malicious advertising.

Your defenses start with keeping up with security patches. After that you might consider installing the AdBlock Firefox extension into your copy of Firefox. You can use it to block almost all online advertising if you download a list of advertisers to block like Filterset.G.

I've been reluctant to block all ads, since I can put up with the non-obnoxious ones and they help keep web sites I like in business. But I may soon conclude "safety first".

Want to read more about voting machines? 

The New York Times magazine writes about touch-screen voting machines.

It's a well researched article full of facts, even if it dismisses early critics of electronic voting machines as "fringe" and "scared senseless computer geeks". Security people argue about most things but I've never seen one defend electronic voting machines in their current form.

So the article is not too concerned about security, but gives a long list of reliability problems that e-voting systems have had. I mean a long list. Notice that this is a security problem in itself: imagine a partisan election official allocating the least reliable machinery to opposition precincts.

One lesson from recent changes in Ohio is that many problems can be avoided by thoughtful, careful election administration (a "model of professionalism", the article says). Do you know who's supervising your elections? Is he or she doing a good job?

It's worth reading. Remember that being an informed citizen is good for security.

Wednesday, January 02, 2008

What kind of year will 2008 be in security? 

It will be average.

You know, average. Not as good as 2007, but better than 2009.

The people I know who administer large networks are starting to base their policies on assuming they've already been broken into.

Malware is apparently running ahead of anti-virus software, and the remote control software that enslaves your PC to criminals is getting sophisticated and hard to detect.

You can keep yourself better off than others by being street smart. These days the two most important things I can recommend are to keep your software up to date and to be really really careful about what software you download.
