The Security Mentor

Don't worry yet about the iPhone news

noreply@blogger.com (Frederick) — Tue, 16 Jun 2009 18:09:00 +0000

What do the scary headlines about the latest iPhone security issue mean for you?

Not much.

There are several obstacles in the way of taking over an iPhone remotely. What security researchers discovered is a way past one of those obstacles, but not a way to take over an iPhone.

Right now the prudent thing to do is stay current with software updates and not worry until something else goes wrong.

What do criminals want with your PC, anyway?

noreply@blogger.com (Frederick) — Sun, 14 Jun 2009 01:17:00 +0000

I like Brian Krebs's security column in the Washington Post, and he wrote a good one a while back about criminal uses for a compromised home computer.

There are dozens of ways your computer could be misused, some of them quite embarrassing. For example, there's a scam in which the intruder sends email in your name to everyone in your address book claiming to be stranded overseas and in desperate need of having money wired. Then the criminal picks up the wired funds, and Western Union transfers are irreversible.

I'm back!

noreply@blogger.com (Frederick) — Sun, 14 Jun 2009 01:14:00 +0000

For a long time it seemed like there was nothing new to say, but lately I've been finding things I'd like to pass along.

How to protect your children online

noreply@blogger.com (Frederick) — Sat, 17 Jan 2009 04:56:00 +0000

Step one is to know what the dangers are, and sensational TV shows turn out to be a bad guide.

A large government-industry-academic team has released a report on dangers to minors online and especially at social networking sites.

You can figure out just about all their conclusions in advance by just thinking about the fact that social networking sites have people on them who do people-type things.

With that thought in mind, you won't be surprised by

Bullying and harassment, most often by peers, are the most frequent threats that minors face, both online and offline.

or by

Social network sites are not the most common space for solicitation and unwanted exposure to problematic content, but are frequently used in peer-to-peer harassment, most likely
because they are broadly adopted by minors and are used primarily to reinforce pre-existing social relations.

or by

Minors are not equally at risk online. Those who are most at risk often engage in risky behaviors and have difficulties in other parts of their lives. The psychosocial makeup of
and family dynamics surrounding particular minors are better predictors of risk than the use of specific media or technologies.

One member of the task force maintains a database of sex offenders, and even he said "This shows that social networks are not these horribly bad neighborhoods on the Internet ...Social networks are very much like real-world communities that are comprised mostly of good people who are there for the right reasons.".

So teach your children to take the same precautions they would in the offline world.

Things to know about the "Conficker" or "Downadup" worm

noreply@blogger.com (Frederick) — Sat, 17 Jan 2009 03:56:00 +0000

The extensive publicity about this piece of malware, which has infected millions of Windows PCs, usually leaves out some things you'd want to know.

For example, you might wonder how to tell if you've been infected. Symptoms include being locked out of accounts, being unable to connect to the websites of security companies, and some more technical symptoms.

Or you might wonder what to do if you are already infected. That's a problem because the worm tries to defend itself against antivirus software. The latest edition of Microsoft's Malicious Software Removal Tool is said to be able to delete the worm.

As for protecting yourself, you're safe if you've been taking normal precautions. It won't go through a firewall, and it can only spread to computers that aren't up to date on Microsoft's security fixes.

In fact, if you'll pardon me a little flame, the fact is that Microsoft released a fix that protects against this worm back in October. They even made it one of their emergency unscheduled patches. When they do that they really mean it. Some companies do need to delay installing patches while they test them for compatibility, but come on, three months? And for home users I recommend turning on automatic updates.

What does the latest attack on WiFi mean to you?

noreply@blogger.com (Frederick) — Tue, 25 Nov 2008 04:18:00 +0000

The headlines were scary, talking about WiFi security being broken. How bad is it?

Not very. The new attack, clever though it is, doesn't allow someone to get onto your network or to read any of your data. It's important, because it means the security mechanisms weren't doing what they were supposed to, but it's not an operational concern yet.

If you like to stay ahead of the game, you can always poke through your wireless settings and make sure you're not using "TKIP", but you'll be OK if you don't.

Reading PDFs can be dangerous

noreply@blogger.com (Frederick) — Tue, 25 Nov 2008 03:40:00 +0000

Adobe has patched multiple problems in their software and browser plugin for reading .PDF documents. You want to be running version 9, which fixes all the problems I've heard of.

ComputerWorld article
A smaller, faster PDF reader with fewer and faster-patched security holes

Voting machines roundup

noreply@blogger.com (Frederick) — Tue, 25 Nov 2008 02:39:00 +0000

Here are some more university studies of voting machine security. The key quote, more important than the fact that they demonstrated a virus copying itself from one voting machine to another and therefore making it possible to compromise several machines by infecting just one, is

While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out.

.

The 2008 election went mostly OK, with only scattered reports of problems. Dr. Barbara Simons of the Federal Election Advisory Council still advocates manual audits, pointing to apparent problems that have come up even with optical-scan systems. Her interview is long but well worth the read. Activists worry that there were again discrepancies between exit poll results and the ballot counts, but I don't see how they can rule out bias in the exit polls (one Democratic analyst pointed out that young people are more likely to talk to exit pollers than older people are, and this time there was a big difference between the youth vote and the elderly vote).

Touch screen machines lost ground in this election, especially in the swing states of Ohio and Florida. They were still being used in West Virginia: people in multiple counties there reported their votes being flipped from the candidate they picked to the other one, but that's more likely to be the result of an out-of-alignment touch screen than anything else.

Comments on the news, this one's NOT overblown

noreply@blogger.com (Frederick) — Sat, 25 Oct 2008 03:54:00 +0000

Run Windows Update.

Microsoft released a "Critical" security patch to fix a problem in which any computer running Windows file sharing can be completely taken over with no action on your part.

It's less of a worry if you're running Vista, and normal firewalling will stop the attack. But it's still a big concern.

When the news broke, I advised clients that before long there would be automated attack programs that unskilled attackers could use, and that attackers would use the new attack to spread infections after getting a toehold by other means.

Both have already happened. There's already a self-reproducing "worm" program taking advantage of the security weakness. It's being introduced behind people's firewalls by the usual sort of trickery, but then once it's on one machine it copies itself to the others on the network.

It's a little more complicated than that, but now you have the gist.

If you use a laptop on the road, make sure you've got a firewall program running on it and that it's set to block Windows file sharing, or turn off file sharing altogether in the Control Panel.

Comments on the news: this is overblown

noreply@blogger.com (Frederick) — Sat, 25 Oct 2008 03:41:00 +0000

The headlines said that wireless networking security is now a thing of the past, due to a clever company finding a way to program graphics cards to crack security codes.

In a word, no.

What they did was speed up existing password-guessing attacks on one flavor of Wi-Fi security, by a factor of 25-100. If you've chosen a good password in the first place, it's not going to be so close to guessable that it matters if someone can guess 25 times faster.

And you can really go to town picking a hard password for your Wi-Fi setup, because you only have to type it in when you're installing things. You can use something long and obscure. You can make it up to 63 characters long!

I recommend a passphrase, something with multiple words instead of an incomprehensible set of letters and numbers. Visit http://www.diceware.com for a system that lets you roll dice to pick short words from a big list. As long as you've chosen them randomly, a passphrase with as few as four words will defy any feasible attack.

But are voting machines really dangerous in practice?

noreply@blogger.com (Frederick) — Sat, 06 Sep 2008 23:21:00 +0000

Spokesmen for the voting machine manufacturers like to say that the reported vulnerabilities are unrealistic in the context of an actual election, with all its tests and security procedures.

This is plausible. There are lots of cases in security work where it's OK to work around a problem with a cross-check instead of eliminating the problem altogether.

Are they right?

Princeton researcher Dan Wallach rebuts vendor claims in detail. He explains how an attacker or a corrupt official could do the same things his team did, and throw an election without getting caught.

View your online banking records without your password

noreply@blogger.com (Frederick) — Sat, 06 Sep 2008 22:57:00 +0000

This is a good example of how a simple feature change can create a security issue, and why security features that seem unnecessary can be important in practice.

Google's Chrome browser has a feature I've dreamed of for a long time. You can search the text of pages you've visited before. If you remember that you looked at a great recipe using arugula but can't remember where you found it, you can type "arugula" into Chrome's do-everything bar and it will find the page in your history with the word "arugula" in it. Nifty. Useful.

OK, but what about your online banking activity? It turns out that if you search for words like "balance" or "Visa" you'll bring up copies of pages that your online bank showed you, with potentially sensitive information on them. Humphrey Cheung reports on Chrome indexing banking records. You can't transfer money or anything like that, but it's an information leak.

If you want your banking activity to be confidential from other users of your computer, there is an answer. Use Chrome's "incognito" window, which turns off storing pages into your history. This is a good idea for any security-sensitive activity.

Also, turn off Chrome's autosuggest feature if you don't want Google to know everything you type into the do-everything bar.

Alarming security bug in Google Chrome

noreply@blogger.com (Frederick) — Sat, 06 Sep 2008 00:13:00 +0000

Some security experts, whose names I can't find offhand, have discovered a bug in Google's new "Chrome" browser that could sidestep all of Chrome's security measures and take over your computer.

The good news is that it can only happen while you're saving a web page, there's no evidence of bad guys trying this in the wild, and it's unlikely that they will given how few Chrome installations there are.

What's alarming is that it's a kind of bug ("stack based buffer overflow") that can usually be avoided by checking a program with well-known tools, and which can usually be blocked from taking over your computer if the programmers use appropriate options when they translate the program from a human-readable computer language into an executable program.

Without the details, it's impossible to tell whether this is just the kind of accident that could happen to anybody, or whether Google has been overlooking precautions that should be standard procedure these days. If the latter, we'll know because there will be a flood of security bug reports in short order.

More thoughts about Google Chrome

noreply@blogger.com (Frederick) — Fri, 05 Sep 2008 03:42:00 +0000

Chrome will save passwords for you, but unlike Firefox it doesn't let you define a master password that protects all your stored website passwords.

This could be OK. I worry about future occurrences of a problem that happened in 2006, in which malicious code could put up a login form and fool a browser into entering a saved password silently without asking you first. With a master password in place, you'd get a reminder that your browser was about to retrieve and send a password. A master password also makes password storage more secure.

I've been reluctantly coming to the conclusion that the AdBlock Firefox extension is a security measure. Bad guys have figured out that they can expose zillions of people to malicious code by putting that code into an ad. Don't expect to see anything like AdBlock for a browser that comes from an advertising company.

My other favorite way to reduce my exposure, which is to minimize the number of pages I allow to run Javascript, isn't likely to find a home in Chrome. One of Chrome's main design goals is to have a better, stronger, faster Javascript engine.

This could all work out OK. Google has taken steps to limit the harm that web-based malware can do to you. If Google's paid enough attention in the right places, they might be producing a browser with fewer security bugs for bad web pages to exploit.

Latest word about Google's "Chrome" browser

noreply@blogger.com (Frederick) — Wed, 03 Sep 2008 17:31:00 +0000

Someone's already found the first security bug! It was a researcher named Aviv Raff, and it's not a biggy, but it sure is embarrassing. It's a bug in code that Google reused for their browser, that had already gotten fixed elsewhere. It allows a bad site to fill up your desktop with icons for potentially unwanted software.

Chrome will be both good and bad for your privacy. It has a mode where it stops logging your history on your local machine. On the other hand, and Google is commendably up-front about this, in order to generate suggested sites and searches, it's constantly sending information about every place you visit to Google. You can turn this off, but how many people will?

What you're up against

noreply@blogger.com (Frederick) — Tue, 02 Sep 2008 06:32:00 +0000

A software developer's blog has an example of a malicious web page displaying fake buttons and controls that look like part of Windows to trick you into downloading what they claim is an antivirus program.

It all started from a legitimate web site, too, which apparently got taken over somehow by scammers.

I'm not completely happy with the suggestions the blogger and the people in the comments had to offer. They suggest changing the way your real Windows interface looks so that imitations will look strange. Instead I'd suggest NoScript, which would have halted the example attack in its tracks, and one other thing. The point of all the deception was to trick you into downloading an executable file. You get a real warning at that point, which asks if you really want to save and run a file from the Internet. Say "no" to those unless you set out to download something that you have some reason to trust.

First reaction to Google's browser announcement

noreply@blogger.com (Frederick) — Tue, 02 Sep 2008 06:14:00 +0000

Google accidentally pre-announced a Google-brand web browser. It's not available to try out yet.

It's going to do some encouraging things about security. Google plans to "sandbox" the web applications running in their new browser, so that even if/when you browse to a malicious page it won't be able to do widespread damage to your computer. If I'm reading their claims correctly, they say they can stop keystroke loggers from working (not sure how that's possible).

Popups will be tied to the tab they came from and can't cover up other tabs.

There will be a few problems to watch out for, and things they can't possibly prevent and still be useful. The big issue is that they want their browser to be a place where sophisticated web apps can run. That means the browser has to be able to do all the sophisticated things the web app is supposed to do. Google tries to make sure the browser can't overwrite things on your hard disk, but by definition it has to be able to overwrite your Google Docs.

"Sandboxes" have been used before. What usually happens is that when they're new, clever people find a few ways that bad code can escape from them and do bad things that the sandbox was supposed to prevent. Then after a little while the holes in the sandbox get fixed and it works as designed.

Plugins are the area most likely to cause security problems for Google's browser. Plugins like Flash are designed to do a wide range of things, wider than the browser's normal security policy would permit. Plugins like Flash have had security problems time and again.

How to recognize an attack

noreply@blogger.com (Frederick) — Tue, 02 Sep 2008 05:48:00 +0000

I ran into a suspicious web page the other day.

It opened from an unrelated search result. That's not a sign of a legitimate web page. What really gave it away was that it claimed to offer an antivirus product. Legitimate companies do legitimate advertising. If you see something unexpected suddenly offering you security software, be suspicious: it's like someone walking into your store off the street and offering you "protection".

A really good scam would have shown a web page that looked like a real business. This one didn't even have that much, not that there was any way to trust it at that point.

I looked at the page's inner workings briefly. It looked like it was set up to display all kinds of scary warnings and trick me into downloading a program from them. I didn't even see the scary fake warnings, because I'm running the NoScript extension to Firefox.

Rent "Hacking Democracy", the 2006 HBO documentary

noreply@blogger.com (Frederick) — Sun, 31 Aug 2008 06:13:00 +0000

It's a good introduction for a non-specialist. It leaves some things out, and I spotted one really minor error, but it's worth your time.

If you have nothing to hide, you have nothing to fear?

noreply@blogger.com (Frederick) — Sat, 30 Aug 2008 01:35:00 +0000

A three-year-old in Dorset, England, is having trouble sleeping at night. She's afraid there's a man outside watching her.

There's a reason. Government employees were following her family to and from school for three weeks, making records such as "female and three children enter target vehicle and drive off" and "curtains open and all lights on in premises".

But, we are told, we have to trade some privacy for security. Let's take a look at the public safety implications, and see if they justify following kids to school and scaring a three-year-old.

The surveillance was to assess whether the family really lived in the coverage area of the school they applied to. (They did, by the way).

The Poole borough spying case.

Ask tough questions if your government tells you they need to invade your privacy in the name of security.

"[T]he case could be treated as terrorism"

noreply@blogger.com (Frederick) — Sat, 30 Aug 2008 01:12:00 +0000

Gary McKinnon admits that he went into US government computers without permission.

He was sitting at home in his bathrobe looking around for evidence that the US government had secret alien technology taken from UFOs.

He got into many machines, working alone and without being particularly sophisticated. If you're a US taxpayer, take that as a sign that the computers you're paying for are being badly administered. If a computer is important enough to prosecute someone over, it's important enough to protect well enough that a random eccentric can't get in.

BBC profile of Gary McKinnon
The authorities have warned that without his co-operation and a guilty plea the case could be treated as terrorism and he could face a long jail sentence. "

How are voting machines tested?

noreply@blogger.com (Frederick) — Fri, 29 Aug 2008 23:47:00 +0000

I've written before about the limitations on the "certification" of voting machines.

There's been more talk about it recently. Wired magazine's criticism of voting machine testing notes that problems go years without being fixed, and that the testing consists of going down a checklist that often has nothing to do with reliability or security. Worse, the software running in your election may be different from the software that got certified. University of Iowa computer science professor Douglas Jones proposes testing procedures for voting machines including election-day tests aimed at catching malicious software that gives the right answers until it sees it's in a real election.

Nobody in those discussions mentions a key point. If you could make software reliable by testing it, we'd see a lot fewer bugs in our daily live. Security is even harder to test for than reliability. A program can run just fine and be insecure.

The way to get secure software is to start at the design stage and build it from the ground up to resist or detect attack. For example, the software that adds up the vote totals from the precincts shouldn't allow the machine operator to change the totals without even creating a record of the change. One widely used design did allow that.

The next step in improving software security is to let qualified people, lots of them, look for hidden flaws. That includes cryptographers, but also the kinds of sideways-thinking people who like solving puzzles and doing things that are supposed to be impossible.

Security can backfire

noreply@blogger.com (Frederick) — Fri, 29 Aug 2008 07:55:00 +0000

TSA inspector damages multiple aircraft.

Mechanics caught the problem in time. The part damaged was important enough that flights had to be delayed while it was fixed.

One aviation industry newsletter had a truly sulfurous comment.

Privacy and "I've got nothing to hide"

noreply@blogger.com (Frederick) — Fri, 29 Aug 2008 07:43:00 +0000

Earlier this month, the news came out that Best Western exposed the records of 8 million customers.

The information that got out included credit card numbers, which are of obvious interest to criminals, and maybe worse, information about future bookings. That's right, it's possible that crooks now know when people are going to be out of town and where they live.

Privacy contributes to safety and the rule of law.

Voting machines! Again!

noreply@blogger.com (Frederick) — Fri, 29 Aug 2008 07:15:00 +0000

Premier Election Solutions (formerly Diebold) machines in Ohio fail to count votes. As far as anyone knows it's just a normal bug.

Premier Election Solutions started off by blaming the problem on a conflict with anti-virus software. I was trying to find a way to explain why that sounds wrong to a security person, but someone beat me to it. My favorite nerdy cartoon about antivirus on voting machines.

It's a bad sign when a system has a bug that mission-critical that didn't get caught in testing. Ohio's Secretary of State is suing.