The Security Mentor
Frederick (http://www.blogger.com/profile/11068504259286732559)
Feed updated 2008-05-29T00:39:37.926-07:00

Flash, AGAIN
Posted 2008-05-29T00:21:00.000-07:00, updated 2008-05-29T00:35:42.509-07:00
YouTube videos, and a lot of those annoying flashing ads, come to you courtesy of a third-party plugin ("Flash") in your browser. Sometimes it has security vulnerabilities that let the files it shows take over your computer. It's got one now, and last I heard there was no patch available. Meantime bad guys are taking over legitimate web sites and using them to send you hostile Flash files.<br /><br />You're fairly well protected if you're a Firefox user and have the <a href="http://noscript.net/">NoScript</a> extension installed. <br /><br />If you run Internet Explorer, you can either temporarily disable or uninstall Flash. I recommend uninstalling it and then, if you want, reinstalling it later after there's a fix for the current problem. Here are <a href="http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157">instructions for uninstalling the Flash plugin</a>. YouTube, a number of games, and a lot of annoying ads will stop working until you reinstall.

If you're not doing anything wrong, why worry about privacy?
Posted 2008-05-05T22:58:00.000-07:00, updated 2008-05-05T23:03:56.682-07:00
One answer to that question is that you might have just broken up with someone who has access to a government database. <a href="http://www.informationweek.com/news/management/showArticle.jhtml?articleID=201807903">Information Week reports on a Federal agent indicted for stalking an ex-girlfriend using a government database</a>.<br /><br />What we have to insist on as citizens is accountability.
That case could have been much worse if it had happened in secret.

Voting machines! Sequoia in New Jersey this time
Posted 2008-04-29T14:45:00.000-07:00, updated 2008-04-29T15:00:40.975-07:00
A Princeton professor, Ed Felten, has been unofficially studying the Sequoia voting machines used in NJ.<br /><br />He's been finding problems, such as more votes being recorded in the Republican primary than were recorded for Republican turnout.<br /><br />If you like details, he's got a highly readable blog. Some relevant posts in it are the ones about <a href="http://www.freedom-to-tinker.com/?p=1266">The first report of discrepancies</a>, <a href="http://www.freedom-to-tinker.com/?p=1267">the response to Sequoia's explanation</a>, and data that <a href="http://www.freedom-to-tinker.com/?p=1274">contradict Sequoia's explanation</a>.<br /><br />You don't need details to figure this one out, though. First you check whether Dr. Felten is a level-headed guy who just reports what he sees. Here's one quote: <blockquote>...this doesn’t look like fraud, only error. A malicious attacker who had access to a machine would have had much more powerful, and much less detectable, options at his disposal.</blockquote><br /><br />Second you look at Sequoia's response. How confident do you feel with elections in the hands of a company that responds to bug reports with thinly veiled <a href="http://www.freedom-to-tinker.com/?p=1265">legal threats against Dr. 
Felten</a>?

Great article about malicious software
Posted 2008-04-24T18:00:00.000-07:00, updated 2008-04-24T18:02:36.612-07:00
<a href="http://arstechnica.com/guides/tweaks/detecting-and-fighting-greyware.ars">Ars Technica explains malicious software</a>.<br /><br />This is good because it explains the "why" of software that does bad things on your computer, explains the different ways it can get installed, warns you of the bait that some of it uses to persuade you to run it, and names names.<br /><br />It's almost completely nontechnical.

It's time to update Flash Player again
Posted 2008-04-18T16:22:00.000-07:00, updated 2008-04-18T16:32:05.319-07:00
See <a href="http://www.berylliumsphere.com/security_mentor/2008/01/how-to-update-flash-player-you-need-to.html">previous article about how to uninstall and update Adobe Flash Player</a>.<br /><br />A researcher found a very clever way to use a Flash vulnerability to take over a computer. Adobe's issued a fix.<br /><br />To find out what version of Flash you have and what version you need, visit <a href="http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507">Adobe's Flash version check page</a>. If you're running NoScript, choose "temporarily allow Adobe" to allow the page to work properly.

Another scary article about attacking the power grid
Posted 2008-04-12T10:50:00.000-07:00, updated 2008-04-12T10:55:45.850-07:00
<a href="http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html?page=1">Network World says "Experts hack power grid in no time"</a>.<br /><br />I've been to some talks about this issue. In some ways it's not as bad as it sounds. 
If you got into the control network, you'd still have to figure out what labels like "Relay 1225-A" meant. Disgruntled former insiders teamed with network intruders could be a dangerous combination, and so could infiltrators: but someone who got a job at a power company wouldn't need to break into the network.<br /><br />Utilities definitely need to segregate their control networks from the wild Internet, though.

Here's how sophisticated the attacks are getting
Posted 2008-04-12T10:30:00.000-07:00, updated 2008-04-12T10:41:02.159-07:00
<a href="http://www.businessweek.com/print/magazine/content/08_16/b4080032218430.htm">Business Week article alleging that attacks on government and contractors are from foreign spies</a>.<br /><br />A vice president at a defense contractor got email carefully customized to him to trick him into opening it. It seemed to come from one of his regular correspondents. It discussed a subject he was likely to be interested in. It used the jargon and acronyms that are standard in his industry. But it also contained a toxic payload, one which recorded all his keystrokes.<br /><br />Business Week doesn't say whether the payload was an attachment or some kind of security exploit that depends on a bug in your system.<br /><br />It's getting hard to protect yourself. Antivirus is getting less reliable over time, and if someone writes custom malware for espionage purposes then antivirus software may not recognize it. Being suspicious of attachments is still good, but that email looked exactly like expected correspondence. 
Patching is still a good idea and there's research that shows it's effective at least against malicious web sites.

Army tests troops with phishing email
Posted 2008-04-12T10:25:00.000-07:00, updated 2008-04-12T10:29:18.752-07:00
<a href="http://www.military.com/news/article/net-scam-actually-an-army-security-test.html">The US Army sent out forged email offering free event tickets if the recipients went to a fake web site that collected personal information</a><br /><br />There's a right way and a wrong way to do this, and the article doesn't say which it was. The right way is to use an exercise like this to measure and to educate. The wrong way is to punish people for getting fooled.<br /><br />But tentatively, I say "good for them".

The criminal economy is big and sophisticated
Posted 2008-04-12T10:18:00.000-07:00, updated 2008-04-12T10:20:24.762-07:00
Attacks are big business:<br /><br /><a href="http://www.informationweek.com/blog/main/archives/2008/04/the_cyber_crime.html">Information Week article about the cybercrime economy</a>.

Do you have an ATT 2Wire DSL modem ("Home Portal")?
Posted 2008-04-08T15:10:00.000-07:00, updated 2008-04-08T15:15:00.464-07:00
They have a security problem. To make a long story short, they made several mistakes and as a result someone can reprogram your modem by getting you to visit a malicious web page. In particular they can change where you go when you try to visit a particular site, for example your bank.<br /><br />Worse yet, bad guys are taking advantage of this now.<br /><br />I've heard conflicting stories about whether there's a fix yet. 
Email support@2wire.com and ask whether there's a firmware update that fixes "CVE-2007-4389". <br /><br />There are ways to protect yourself in the absence of a fix, but they're too complicated for normal people.

How a street-smart user handles a suspicious situation
Posted 2008-04-07T21:42:00.000-07:00, updated 2008-04-07T21:52:44.226-07:00
I needed some information from my bank about an outstanding loan, clicked the relevant link, and wound up at a page telling me I needed to re-establish my online account.<br /><br />This made me wonder "where am I"? I checked my anti-phishing Firefox extension and found that I was on a site I'd never been to before.<br /><br />At this point, two of my suspicion flags had been triggered. First, someone was asking for credentials after I'd already logged in; second, I wasn't on my bank's web site any more.<br /><br />I was at &lt;mybank&gt;.loanadministration.com. I wondered whether that was legitimate. Some phishing sites have had names like that.<br /><br />Phishing sites pop up and disappear in a matter of days, so I figured I'd check whether it had been around for a while. There are several ways to check that, but I simply Googled it and found plenty of references, including one that included a company name I recognized as my bank's outsourced loan processor.<br /><br />So it was all right after all, but if you ever see a situation like that one you should check it out before you type sensitive information.

If your online banking account gets cleaned out, will your bank cover it?
Posted 2008-04-07T21:33:00.001-07:00, updated 2008-04-07T21:36:48.698-07:00
That depends on where you live. 
In the UK, <a href="http://www.theregister.co.uk/2008/04/04/banking_code_2008/">"The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection."</a><br /><br />I wonder if that means they require Mac users to install anti-virus software.

Voting machines again
Posted 2008-04-07T21:23:00.000-07:00, updated 2008-04-07T21:32:04.045-07:00
What makes me mad about this next story is that it's not even a security issue, it's an issue of prudent shopping. When you buy something big or important you should have the opportunity to get an independent evaluation of it.<br /><br />But if you're New Jersey, and you want to use voting machines from Sequoia, <a href="http://techdirt.com/articles/20080404/085851751.shtml">Sequoia will threaten to sue if you hire an outside expert to examine their voting machines</a>. The outside expert reported finding cases where the machines, without being hacked, were adding up votes wrong.<br /><br />Meanwhile, <a href="http://blog.wired.com/27bstroke6/2008/04/the-cost-of-e-v.html#more">voting machines are more expensive than advertised</a>.

"And a function that tracked changes to the machines was purposely turned off."
Posted 2008-03-19T23:04:00.000-07:00, updated 2008-03-19T23:16:00.989-07:00
<a href="http://www.columbusdispatch.com/live/content/local_news/stories/2008/03/16/BOEPROBE.ART_ART_03-16-08_B1_9F9LIV3.html?sid=101">Ohio investigates reported voting machine irregularities</a>.<br /><br />A candidate's name was grayed out on some ballots but not on others. 
Local authorities had turned off the automatic logging of software changes.<br /><br />This may turn out to be a legitimate error of some kind, but it's a great illustration of one of the major problems with electronic voting machines. If someone wants to tamper with them, it may not be possible to track that person or even to tell that the tampering happened.<br /><br />In a discussion about this on the nerd forum Slashdot, a user called TripMasterMonkey pointed out a story about <a href="http://blogs.zdnet.com/security/?p=965&tag=nl.e550">negligent exposure of voter registration records in Pennsylvania</a>. That was the result of an elementary programming error. The important lesson there is that the people running your elections department may not be the experts you would hope for.

I'm really starting to like this Rich Mogull guy
Posted 2008-03-18T22:10:00.000-07:00, updated 2008-03-18T22:12:22.285-07:00
Mac users, I highly recommend this article about <a href="http://db.tidbits.com/article/9251">OS X 10.5 Leopard security features</a>. It's clear, informed, and does well at the really hard problem of being both accurate and understandable.

And you thought zip files were boring.
Posted 2008-03-18T21:41:00.000-07:00, updated 2008-03-18T22:06:08.809-07:00
ZIP files are only one of a whole class of files used to compress and package groups of other files. Antivirus programs need to understand how to look inside such things, otherwise viruses could escape detection by hiding inside .ZIP or other files.<br /><br />So far, so good.<br /><br />But what if the software that looks inside those files can be crashed by badly or maliciously formed input? Remember that if you can crash a program you're only one step from taking it over. 
And remember that your antivirus software has lots of privileges on your computer.<br /><br />Researchers in Finland wrote a program to make random changes to a wide range of packed file formats and tested several products that read the files. Quite a few crashed.<br /><br />They let the software makers know. A lot of the open source products are already fixed. On the commercial side, F-Secure has already rolled out fixes and Symantec, who makes the Norton products, was already OK.<br /><br />Details for your technical friends:<br /><a href="http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/">Test results for "fuzzing" of archive file formats</a>.<br /><a href="https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html">CERT advisory on archive format vulnerabilities</a>

Good advice for Mac users
Posted 2008-03-18T20:56:00.000-07:00, updated 2008-03-18T21:08:06.351-07:00
I agree with almost everything in <a href="http://db.tidbits.com/article/9511">Mac security expert Rich Mogull's article about security precautions for Mac users</a>. I'd add being cautious about downloaded software. Also be careful with Microsoft Office documents: macro viruses will spread just fine between Mac and Windows systems.

But don't expect too much from a fingerprint-controlled nerdstick
Posted 2008-03-16T22:56:00.000-07:00, updated 2008-03-16T22:58:10.942-07:00
Some of them will just roll over and give you access if you tickle them with a free tool. 
<a href="http://www.heise-online.co.uk/security/Secure-USB-sticks-cracked--/features/110280">Technical details of the vulnerability of fingerprint-based USB drives</a>.

Roundup of secure nerdsticks at Computerworld
Posted 2008-03-16T22:49:00.000-07:00, updated 2008-03-16T22:52:25.923-07:00
<a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062527&pageNumber=2">Summary of Computerworld's review of secure flash drives</a>.<br /><br />In real life, I'd suggest choosing on the basis of ease of use. If it's too hard to use, you won't use it, and then when you lose your tiny little nerdstick you'll lose control of all the data on it.

Would you trade privacy for increased security?
Posted 2008-02-01T19:40:00.000-08:00, updated 2008-02-03T16:38:05.340-08:00
My favorite security writer, <a href="http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html">Bruce Schneier, writes about the tradeoff between security and privacy</a>.<br /><br />UPDATE 2/3:<br />A <a href="http://www.claybennett.com/pages/security_fence.html">cartoon about the security and privacy tradeoff</a>

You can't rely on avoiding bad neighborhoods any more
Posted 2008-01-26T16:19:00.000-08:00, updated 2008-01-26T16:21:55.935-08:00
According to one security firm, Finjan, 80% of the web sites carrying malicious code are legitimate sites taken over by criminals: http://www.securityfocus.com/columnists/463/1

Change the password on your router
Posted 2008-01-22T20:20:00.000-08:00, updated 2008-01-22T20:28:41.886-08:00
Where your home network meets the outside network, you've got a box of some sort: a wireless access point, a cable modem, or something. It's got a little web page of its own where you can control it. Which you haven't needed to look at since you first set it up, in all probability.<br /><br />It's time to go back there again, because a theoretical threat has just become a real one, and you need to change the box's password to counter the threat.<br /><br />Simply by getting you to visit a maliciously coded web page, an attacker can reconfigure your router to redirect connections to your bank over to a phishing site. They have to know the password to make that work, but unless you changed it during setup it's still at a factory default that anyone can look up on the web.

Macs are getting targeted more and more
Posted 2008-01-15T23:57:00.000-08:00, updated 2008-01-16T00:07:49.878-08:00
One of the problems that's plagued people on Windows machines is that criminals peddle <a href="http://www.spamdailynews.com/publish/AG_Rob_McKenna_sues_Secure_Computer_LLC_under_new_anti-spyware_act.asp">fake security software</a>. The phony software may simply induce you to buy it by always "finding" problems when you do a "free" scan. In extreme cases it may even compromise your system. <br /><br />Now that Macs are more common and are a more tempting target, that particular scourge is starting to arrive for the Mac platform. 
According to security firm F-Secure, a <a href="http://www.f-secure.com/weblog/archives/00001362.html">Mac spyware scanner</a> is so bogus that if you run it on a Windows machine it reports "finding" problems in places that only exist on Macs.<br /><br />Buy only from places with names you recognize, or that your technical friends or your <a href="http://www.berylliumsphere.com">security consultant</a> recommends.

You keep your operating system up to date, but what about everything else?
Posted 2008-01-11T20:51:00.000-08:00, updated 2008-01-11T20:57:29.802-08:00
There have been security problems with media players, PDF readers, VOIP software, and probably some other things I've forgotten about. These programs don't necessarily have an easy way to check for updates and install them. But if you run old versions they can be a security risk.<br /><br />Security firm Secunia has released a tool called the <a href="http://psi.secunia.com">Personal Software Inspector</a> which you can download and run to get an inventory of what software you have installed and whether it's up to date with patches. It's only licensed for use on non-business machines, so I haven't been able to test it for you.<br /><br />One of the questions I would ask if I were testing it would be whether it gives false alarms. Not every old version is an insecure version. <br /><br />Secunia is a reputable company, so don't be afraid of downloading software from them.

Do you watch videos with QuickTime?
Posted 2008-01-11T00:33:00.001-08:00, updated 2008-01-15T23:35:27.747-08:00
There's a new security bug in Apple's QuickTime media software which could allow your computer to get taken over. This is not the same QuickTime security bug that Apple fixed on December 13. 
Someone announced details of it without telling Apple first, so it will be a while before we get a fixed version of QuickTime. Meanwhile the bad guys know about it. <br /><br />If I'm reading this right, all you have to do is click on a link to be affected.<br /><br />If you uninstall QuickTime and reinstall it when the fix comes out, you should be OK.<br /><br />UPDATE 1/15/2008:<br /><br />Apple has released a fix. When Software Update offers to install it, remember that it's important and that you want it.