Tuesday, April 29, 2008

Voting machines! Sequoia in New Jersey this time 

A Princeton professor, Ed Felten, has been unofficially studying the Sequoia voting machines used in NJ.

He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.

If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about the first report of discrepancies, the response to Sequoia's explanation, and data that contradict Sequoia's explanation.

You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote:
...this doesn’t look like fraud, only error. A malicious attacker who had access to a machine would have had much more powerful, and much less detectable, options at his disposal.

Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled legal threats against Dr. Felten?


Thursday, April 24, 2008

Great article about malicious software 

Ars Technica explains malicious software.

This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.

It's almost completely nontechnical.


Friday, April 18, 2008

It's time to update Flash Player again 

See previous article about how to uninstall and update Adobe Flash Player.

A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.

To find out what version of Flash you have and what version you need, visit Adobe's Flash version check page. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.


Saturday, April 12, 2008

Another scary article about attacking the power grid 

Network World says "Experts hack power grid in no time".

I've been to some talks about this issue. In some ways it's not as bad as it sounds. If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators, but someone who got a job at a power company wouldn't need to break into the network.

Utilities definitely need to segregate their control networks from the wild Internet, though.


Here's how sophisticated the attacks are getting 

Business Week article alleging that attacks on government and contractors are from foreign spies.

A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correspondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.

Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.

It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.


Army tests troops with phishing email 

The US Army sent out forged email offering free event tickets if the recipients went to a fake web site that collected personal information.

There's a right way and a wrong way to do this, and the article doesn't say which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.

But tentatively, I say "good for them".


The criminal economy is big and sophisticated 

Attacks are big business:

Information Week article about the cybercrime economy.


Tuesday, April 08, 2008

Do you have an ATT 2Wire DSL modem ("Home Portal")? 

They have a security problem. To make a long story short, they made several mistakes and as a result someone can reprogram your modem by getting you to visit a malicious web page. In particular they can change where you go when you try to visit a particular site, for example your bank.

Worse yet, bad guys are taking advantage of this now.

I've heard conflicting stories about whether there's a fix yet. Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389".

There are ways to protect yourself in the absence of a fix, but they're too complicated for normal people.


Monday, April 07, 2008

How a street-smart user handles a suspicious situation 

I needed some information from my bank about an outstanding loan, clicked the relevant link, and wound up at a page telling me I needed to re-establish my online account.

This made me wonder "where am I?" I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.

At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in; second, I wasn't on my bank's web site any more.

I was at .loanadministration.com. I wondered whether that was legitimate. Some phishing sites have had names like that.

Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.

So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.


If your online banking account gets cleaned out, will your bank cover it? 

That depends on where you live. In the UK, "The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection."

I wonder if that means they require Mac users to install anti-virus software.


Voting machines again 

What makes me mad about this next story is that it's not even a security issue, it's an issue of prudent shopping. When you buy something big or important you should have the opportunity to get an independent evaluation of it.

But if you're New Jersey, and you want to use voting machines from Sequoia, Sequoia will threaten to sue if you hire an outside expert to examine their voting machines. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.

Meanwhile, voting machines are more expensive than advertised.

