November 22, 2005
New 'sploit for IE
A new security vulnerability in Internet Explorer has now been successfully exploited. SANS recommends a switch to Firefox or Opera... and so do we.
Posted by Matt at 10:19 AM | Comments (0)
May 06, 2005
66 percent would choose to give up their passwords for a Starbucks coffee
Security vendor VeriSign found 66 percent would choose to give up their passwords for a Starbucks coffee, during an informal on-the-street survey conducted Thursday in San Francisco.
(even though the chain is banning the new Springsteen album . . .)
Good thing I get free coffee at work.
Posted by opperman at 12:48 PM | Comments (0)
April 28, 2005
Fingerprint Faking HOWTO
Every day, I'm amazed by at least one thing I discover online. Today, it happens to be a brief guide to creating fake fingerprints from the Chaos Computer Club in Germany.
Why do this? According to BoingBoing, biometrics are required at Disneyworld, the Statue of Liberty, and even tanning salons in Arkansas. How effective is this technology? Should its users be concerned over privacy and identity theft issues? Absolutely.
Read the guide—in ten years, perhaps everyone will wear protective sheaths over their identifiable digits.
Posted by Matt at 11:46 PM | Comments (0)
March 30, 2005
Blaster scapegoat convicted
The Star Tribune reported today that Jeffrey Parson (the Blaster virus scapegoat) has been convicted and will serve prison time, 100 hours of community service, and three years of "supervised" release, during which he'll be forbidden from using a computer for anything other than work or school. His crime was modifying the original Blaster virus, which is estimated to have caused more than $525 million in damages.
In contrast, Parson's variant of the virus (which he created in less than two days from the original) is estimated to have caused $1.22 million. Perhaps ironically, it was Microsoft that claimed the most damages in the suit, at somewhere around $600 thousand. Of course, the virus only affected computers running Windows software. The 19-year-old Parson, a native of Hopkins, MN, was tried and convicted in Seattle, Washington, home of Microsoft's corporate headquarters.
Posted by Martin at 11:56 PM | Comments (0)
March 15, 2005
Research: Web Sites Crippled By Consumers Deleting Cookies
Consumer fear of online risks will force businesses using cookies to take any of these actions: find replacement technology to gather data, better explain the harmless nature of most cookies, work with spyware vendors, and/or ask for permission to deposit cookies.
Entire Article - Information Week
Posted by Scott at 03:01 PM | Comments (1)
March 08, 2005
Cell Phone Virus
Cell phones are one of the few emergent technologies that have become so prevalent in society that I often can't imagine life without them. I got rid of my "home" phone over three years ago, and never looked back.
Today I read that security experts have confirmed the existence of the first cell phone virus. As cell phones become more and more sophisticated, this type of risk will grow proportionally.
But don't panic! It's reported that not only is this specific virus written poorly, it only works with one type of cell phone operating system (Symbian60, the same one that happens to power my phone).
Posted by Martin at 06:40 PM | Comments (0)
February 25, 2005
Thousands of SSNs exposed by programmer error
Think Computer just released an article describing a major software flaw that possibly exposed thousands of social security numbers. A full paper on the matter is also available.
Essentially, PayMaxx, an online payroll services company, neglected to fully secure their W-2 generation program. Anyone with minimal access to their system could examine the HTML and change an ID number in one of the links. However, the system does not check whether the logged-in user is authorized to view that ID's W-2—in fact, all W-2s are accessible, containing SSNs, gross salary information, home address, and more. Since the IDs in question are sequential, it is a trivial matter to scan through them all and harvest vital information about thousands of people. How could something like this happen?
Programmer error. The biggest danger for a software development company is the assumption that "someone else will catch it." Laziness, lack of process, gaps in the test plan—each one is a possible explanation. None of these excuses will assuage the fears of PayMaxx's clients.
Good code takes longer to produce, but it is worth it.
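The flaw described above is a missing authorization check: the server trusts the ID carried in the link and never asks whether the logged-in user is entitled to that record. The following is an added example, not PayMaxx's code, that puts the vulnerable lookup beside a hardened one and adds an audit helper a test plan can use to prove the fix. All records, account names and SSNs are constructed; the token-based link is an assumed design, not something the article describes.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class W2Record:
    employee_id: int
    name: str
    ssn: str
    gross_pay: float


# Constructed sample records. The IDs are sequential, as the article describes.
W2_RECORDS = {
    1001: W2Record(1001, "Alice Example", "000-00-1001", 52000.00),
    1002: W2Record(1002, "Bob Example", "000-00-1002", 61000.00),
    1003: W2Record(1003, "Carol Example", "000-00-1003", 47000.00),
}

# The employee ID each logged-in account is entitled to see (constructed).
ACCOUNT_EMPLOYEE = {"alice": 1001, "bob": 1002, "carol": 1003}


class Forbidden(Exception):
    """Raised when an account asks for a record it may not view."""


def get_w2_vulnerable(account, requested_id):
    """The flaw: being logged in is the only check, so any ID taken from the
    link is served. Unknown IDs raise KeyError."""
    if account not in ACCOUNT_EMPLOYEE:
        raise Forbidden("not logged in")
    return W2_RECORDS[requested_id]


def get_w2_hardened(account, requested_id):
    """The fix: the permitted ID comes from the session, not the request, and
    anything else is refused. Missing records fail closed with the same error
    so the response does not reveal which IDs exist."""
    entitled_id = ACCOUNT_EMPLOYEE.get(account)
    if entitled_id is None or requested_id != entitled_id:
        raise Forbidden("account %r may not view W-2 %r" % (account, requested_id))
    record = W2_RECORDS.get(requested_id)
    if record is None:
        raise Forbidden("no W-2 available for this account")
    return record


def records_readable_by(lookup, account, candidate_ids):
    """Audit helper for the test plan: list the employee IDs one account can
    read through `lookup`. For a correct implementation the answer is at most
    that account's own record."""
    readable = []
    for rid in candidate_ids:
        try:
            readable.append(lookup(account, rid).employee_id)
        except (Forbidden, KeyError):
            pass
    return readable


# Assumed additional layer: links carry an unguessable token instead of the
# raw employee ID. Note that the ownership check above still runs; randomness
# reduces enumeration but does not replace authorization.
LINK_TOKENS = {}  # token -> account that the token was issued to


def issue_link_token(account):
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = account
    return token


def get_w2_by_token(account, token):
    if LINK_TOKENS.get(token) != account:
        raise Forbidden("token does not belong to this account")
    return get_w2_hardened(account, ACCOUNT_EMPLOYEE[account])
```

The audit helper is the piece that belongs in the test plan: running it against a handful of IDs around a known record should return exactly one entry for every account, and a larger result is the bug the article describes.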
Via Slashdot Article, "100,000 More Social Security Numbers Exposed"
Posted by Matt at 04:49 PM | Comments (0)
February 15, 2005
Passwords and the Web
Virtually every web site that has a "profile" of sorts requires a password as some form of authorization. For most internet users, the password has become a necessary evil. However, poor or duplicated passwords can be broken or stolen—how can a user safeguard against such things?
There are a few simple rules for choosing passwords:
- A password should be difficult to guess.
- Never duplicate passwords between sites.
- Circumvent password reminder features.
- Choose a security level appropriate for what you are protecting.
- Never use public terminals to view or transmit sensitive information.
A password should be difficult to guess.
Gone are the days when an anniversary date or a birthday sufficed for protection. Passwords should be at minimum six characters, preferably longer. A mixture of upper and lower case is essential, as well as a special character or two.
Of course, these qualities make for a difficult to remember password as well. I suggest using a cryptographically strong method of securing your passwords such as Bruce Schneier's Password Safe, a freely downloadable, open-source utility for Windows XP. The program allows for storage of many passwords, protected by a single master password.
This is similar in function to the keyring available on Mac OS X, but not quite as well integrated into the OS. With the aid of technology, you can make life much more difficult for the would-be cracker.
Never duplicate passwords between sites.
This is a tough one to follow if you rely on memory. However, it poses a great danger. For example, suppose you fall victim to a phishing scam, in which you are fooled into entering login information to a rogue web site. If your passwords are all the same, you've just unwittingly given access to all your online information to some malicious cracker.
With multiple passwords, you are limiting your liability. After all, you don't share your bank account's PIN with your telephone company—why should the accounts share the same secret?
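As an added illustration of the first two rules (this is not code from the original post), the following checks a password against the stated policy (six characters minimum, mixed case, a special character), generates passwords that satisfy it from the operating system's random source, and finds accounts in a site-to-password mapping that share a secret, which is exactly the exposure the phishing scenario above relies on. The sample vault and the set of "special" characters are constructed assumptions.

```python
import secrets
import string

MIN_LENGTH = 6  # the post's stated minimum; longer is preferred
SPECIAL_CHARS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # constructed choice of punctuation


def password_problems(password):
    """Return the rules from the post that the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def generate_password(length=16):
    """Draw candidates from the OS CSPRNG (the `secrets` module, never
    `random`) until one satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def find_reused(vault):
    """Given a {site: password} mapping, return the groups of sites that share
    one password, sorted for stable comparison. Passwords themselves are not
    returned, so the report can be shown or logged safely."""
    sites_by_password = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    groups = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    return sorted(groups)


# Constructed sample vault: two accounts share a password, one is unique.
SAMPLE_VAULT = {
    "bank.example": "Summer!2005",
    "forum.example": "Summer!2005",
    "mail.example": "rX9$kq2Lp!",
}
```

A password manager such as the one mentioned above makes the second rule practical: once each site has its own generated secret, `find_reused` over the vault should return an empty list.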
Circumvent password reminder features.
Many online login services require you to choose a so-called "secret question" and answer in order to retrieve your password. This is probably the most insecure thing possible. The common options (place of birth, pet's name, mother's maiden name) are all over various public records.
Do not use this feature. Choose a random question and fill the answer field with unguessable gibberish. Worst-case scenario, you'll need to interact with technical support if you truly forget the password.
Choose a security level appropriate for what you are protecting.
A password for Slashdot or another forum is clearly not as important as one protecting online access to your credit card. Low-security passwords are expected for mundane things like forums, newspapers that require registration, etc.
Bonus Tip: Many web sites that require registration for registration's sake can still be used via BugMeNot. BugMeNot is a repository of disposable logins for various web sites. If you visit a page and don't want to bother disclosing information, visit BugMeNot and search for the URL—it's probably in there.
Never use public terminals to view or transmit sensitive information.
Suppose you are on a business trip attending a large convention. A presentation has just triggered a flash of insight on a very important client, and you walk downstairs to the hotel's business office to send an e-mail. Days later, your company loses the client to a rival firm. What happened?
From your perspective, nothing. However, it's very easy to compromise public hardware, and by doing so, obtain secret information. Hardware keyloggers exist that can be plugged between a keyboard and the back of a computer. The device is capable of capturing 64,000 keystrokes and playing them back. E-mails, passwords, URLs are all entered via keyboard. Bear this in mind the next time you check your bank account balance from a public terminal.
I've presented a few tips for the security-conscious; additional suggestions welcomed!
Posted by Matt at 10:23 PM | Comments (1)
February 10, 2005
Security Blogs
I regularly read two security blogs.
One is Schneier on Security. Bruce Schneier is a security guy who wrote one of the main crypto texts, Applied Cryptography, and a lot of other good books. He has a monthly email newsletter but he has transitioned to blogging, which I like.
The other is Edgeos. The RSS feed at the above link gives one an easy way to scan for new vulnerabilities and see if any of them apply.
Anyone know of any other good ones? Please comment.
Posted by Michael at 03:49 PM | Comments (0)
February 04, 2005
Sssh! They can hear you!
The internet has become a wild place. Viruses and worms are common, and hackers routinely crack websites, e-mail, and credit card transactions. However, most internet users suffer from a fundamental lack of education on basic computer security. Much common computer-related trouble can be avoided by following simple guidelines when online.
In this article, I will outline a few common mistakes and myths and discuss e-mail privacy, attempting to demystify one aspect of computer security. Michael touched on this in his previous post about Mozilla Thunderbird and GPG. Don't worry, I've checked my heavy-duty tech jargon at the door. We will explore the workings of e-mail in minimum detail, and discuss how to secure this ubiquitous mode of communication. Ready for more?
HTML Aside
If you are using a modern browser, note that the acronym 'SMTP' is underlined. Move your mouse over 'SMTP' and wait a few moments—you should see the acronym spelled out in a tooltip.
Tooltips like these can be used throughout websites to provide more information on a certain bit of text, or even a link. This is a useful feature to keep in mind when drafting copy for the web.
Myth: E-mail is private.
I will qualify my response by mentioning that I'm a privacy advocate. That said, e-mail is not private. The best analogy I have heard likens sending e-mail to writing a postcard. Imagine the contents of your message travelling through the postal system, visible to any and all that come into contact with the postcard. This is how e-mail works.
When you send an e-mail message, a connection is established between your computer and a mail server. The language spoken over this connection is called SMTP. The 'Simple' in SMTP makes sense: a typical session is fully comprehensible to the human eye:
220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600
HELO example.com
250 carfax Hello matt at localhost.visi.com [127.0.0.1]
MAIL FROM: test@example.com
250 OK
RCPT TO: another.test@example.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
To: another.test@example.com
Subject: This is a test message.

Hello Matt,

This is a test message to illustrate the SMTP protocol. Enjoy!

--
test@example.com
.
250 OK id=1CxHah-0000g6-5W
QUIT
221 carfax closing connection
Simple, right? Perhaps not, but notice how clear and easy to read the e-mail is. This "conversation" between computers typically takes place over an unsecured connection, meaning it is entirely possible to eavesdrop on this transmission. Therefore, never place anything confidential in an e-mail message if possible. Unfortunately, e-mail has all but replaced the letter as a form of business communication. What can we do?
The answer: strong encryption.
Here's where the rabbit-hole begins to deepen. I can discuss the hows and whys of encryption tech, but instead I will focus on one of its purposes: to secure a communication channel.
Encryption works around the idea of a secret. Provided your single secret remains secure, every single message encoded with said secret remains unreadable. Here is how that same transmission would look encrypted:
220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600
HELO example.com
250 carfax Hello matt at localhost.visi.com [127.0.0.1]
MAIL FROM: test@example.com
250 OK
RCPT TO: another.test@example.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
To: another.test@example.com
Subject: This is a test message.

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.5 (GNU/Linux)

hQQOA7gWjBHDw3d7EBAAsT1WuuIbVaUupKC36Qhs5TVkILQWl7v9ZvZL6DCOv3dv
cb8Qvd0JsMlthooBpiU0xk4sVIi+hfmVInKkiZyRsQEO228+WDrpPgIZqZdYszF7
R1X23+5HCbFzHNFWtbAykFAoI90sRCSKTgXdtnVn2tT0+9F5geSA9g4fN92dLpl+
Y65KIjL7B9WSPfJCSscqlfMShz3s5ywcK3Q6EcpNQIXtK2ZvHlgfCqEdboYTqEY5
VRmigGd8rPlVHoe0+R+M50NW9u9310EcWMfvOd+Tl2J6my6kKZ7o3FGvc0tjAB1q
E+C2sJx7y7gy6aeelqXkTbspmu+8jDHMCYqWM1UPis9Cxw40cIGeyAjBxe2rN9nu
6T+7SV24NZj8fj0YEqTE6dXfHhqWdlMcRw/7imQl/fMSuVCfmDJ5g0DJ2lxeJGu6
4LsLdOQk6d7GPevfLo3ybQsqT8B+mOqtD9O17Rbo5EjTahzT7oMBr0abz/o6upOe
BpM2cxxKwIel58Ed2mPhzo5vgnWca7p1C3pgpGsu0bsfVd/vpHIHM4glZ6LCQk2F
Hx9SShaiif2s9T2P2sJrwKRK6k8sA0tLemVjkdrYlhDFM2Bj2T1AwVYJM57GqIqG
G/NYAA0K47LyzVTmMCpSI2oWP93IEkDxjuyO5azgtJdix2RNrX9GWPIugcHRxkQQ
AMALBpKf1Dw6cEPeKE71A0u/mLISEbbDo2rAV5G5eknZrYqWE0iOrxoz189zNy0X
7HKrubH1/6q9cL7x2v72TdA4iOhztYC+BplXxrsc54llmGFiXf9YwfHh9bVCL60h
JfXmbBS9+Ea3HmljitZNWXj1N3/kWX+nXevXzCLF1a4qcHPqoBwGacNUg5mqc2al
PO8ETisWx/yDdImKXDo++5PppdaOa07OTvzpVsjLMyDqJAaIQZSf30/TotH6wqBi
EBPekqKu86h5PrDbz7LI+ntUw7MMerutLRCas9qVCHDxj+thvSDLETIEW8b5mVo8
i0+I7X1Sl8KDRIqBBosV/bPbuYa7MreFBDatX20JzBF2I7mTne7loGtaH9O5Ipn/
GrMUsh86Ftc0S233LnAlNzUevt7YwWtonkn3Fza3MticL5TvwEqXKgKdzHahHThe
IqCY8gTKY5JS0TpZJkDtILD4tEBkdiXSbk4QcK+riMatnP27EvpTI0dj1IvN0X2B
hgPh8bpZwD4wFzKgnFhe1bakVcQX/NXiywgXOKguK/k+Rlrzxeg4DNkskijVePov
jPZwF0Yi7zl1BDb63OGP2psA26Z15wzh5p1QP7s0wY5DTFiPeGUUKMcfeh+GpshD
nt7RqBqbGYLBS8n9kZ8yGnfwNjMHBA5qNvryXHf1WfIP0pcBCraAlbf35VQ3Z4lx
mwdnD5s/RxTdHEDgvOE6E78s/iM6Weo5Nxv80jMUQxXe2pOsicFP21cjrxRou9vW
RArKxQottRKweqYml8flZUCsOXHgS05wMRmjJKKcPzT6JQNVMQyiMXvkQ9VroL2k
O7iP20nIZ1Cwr7v3D6wINc1tW+k6An99i7Q3GAbbL3fLxHf9xsO/4rmc
=xBV1
-----END PGP MESSAGE-----
.
250 OK id=1CxHah-0000g6-5W
QUIT
221 carfax closing connection
Pretty daunting, eh? Encryption's "magic" lies in the ability to recover the original message—provided you know the secret. Encryption can thus serve the purpose of a traditional envelope, blocking your message's content from casual spies. However, encryption is much, much better than an envelope. Freely available encryption software will give large governments reasonable amounts of trouble, let alone a nosy cracker.
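The two transcripts above show the same SMTP envelope once with a readable body and once with a PGP-armoured one. The following added example, which is not from the original post, parses such a session the way a passive observer of the unencrypted connection would and reports what stays readable in each case: the sender, the recipients and the Subject header are visible in both versions, and only the body is hidden in the second. The transcripts are constructed to mirror the ones above; the radix-64 ciphertext in the second is a placeholder, not the ciphertext from the page.

```python
import re
from dataclasses import dataclass, field

# A server reply starts with a three-digit code followed by a space or a hyphen.
REPLY = re.compile(r"^\d{3}[ -]")
PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"

# Constructed transcript pieces modelled on the sessions above.
ENVELOPE_PREFIX = """\
220 carfax ESMTP Exim 4.34 Fri, 04 Feb 2005 22:30:00 -0600
HELO example.com
250 carfax Hello matt at localhost.visi.com [127.0.0.1]
MAIL FROM: test@example.com
250 OK
RCPT TO: another.test@example.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
To: another.test@example.com
Subject: This is a test message.

"""
ENVELOPE_SUFFIX = """
.
250 OK id=1CxHah-0000g6-5W
QUIT
221 carfax closing connection
"""
PLAIN_BODY = "Hello Matt,\n\nThis is a test message to illustrate the SMTP protocol. Enjoy!\n\n--\ntest@example.com"
# Placeholder armour: the real payload would be many lines of radix-64 text.
ENCRYPTED_BODY = (
    "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.2.5 (GNU/Linux)\n\n"
    "hQQOA7gWjBHDw3d7EBAAPLACEHOLDERCIPHERTEXT\n=xxxx\n-----END PGP MESSAGE-----"
)
PLAIN_SESSION = ENVELOPE_PREFIX + PLAIN_BODY + ENVELOPE_SUFFIX
ENCRYPTED_SESSION = ENVELOPE_PREFIX + ENCRYPTED_BODY + ENVELOPE_SUFFIX


@dataclass
class Eavesdropped:
    """Everything a passive observer of the TCP connection can read."""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    headers: dict = field(default_factory=dict)
    body: str = ""
    body_encrypted: bool = False


def parse_session(transcript):
    """Walk the session line by line, separating server replies, client
    commands and the DATA payload, then split the payload into headers and body."""
    seen = Eavesdropped()
    payload = []
    in_data = False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":          # lone dot terminates the message
                in_data = False
            else:
                # SMTP doubles a leading dot inside the payload; undo that.
                payload.append(line[1:] if line.startswith(".") else line)
            continue
        if REPLY.match(line):
            if line.startswith("354"):  # server is ready for the message text
                in_data = True
            continue
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            seen.mail_from = arg.strip().strip("<>")
        elif verb.upper() == "RCPT TO":
            seen.rcpt_to.append(arg.strip().strip("<>"))
    # The first empty line separates the message headers from the body.
    split_at = payload.index("") if "" in payload else len(payload)
    for header in payload[:split_at]:
        name, _, value = header.partition(":")
        seen.headers[name.strip().lower()] = value.strip()
    seen.body = "\n".join(payload[split_at + 1:]).strip()
    seen.body_encrypted = seen.body.startswith(PGP_BEGIN)
    return seen


def readable_by_eavesdropper(seen):
    """Summarise the exposure: envelope and Subject are always readable;
    the body is readable only when it was not encrypted."""
    return {
        "from": seen.mail_from,
        "to": list(seen.rcpt_to),
        "subject": seen.headers.get("subject", ""),
        "body": None if seen.body_encrypted else seen.body,
    }
```

Running `readable_by_eavesdropper(parse_session(ENCRYPTED_SESSION))` is the practical caveat to the "envelope" analogy: PGP seals the contents, but the addresses and the Subject line are still written on the outside, so a sensitive subject belongs inside the encrypted body.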
Early Adoption
Unfortunately, there is a major catch: both the sender and receiver must install and properly configure encryption software. No major e-mail program includes decent encryption by default. This is currently a problem, but it is getting better. Plug-ins have been developed to add strong encryption capability to most mailers, and some standards (such as S/MIME) are in place. Most importantly, people must realize e-mail privacy can only be achieved through encryption.
Once the ball gets rolling, users will adopt encryption as an everyday privacy tool. The trick is getting the software installed and learning how to use it. I will explore freely available encryption software in a follow-up article. For now, I will merely reiterate: don't put anything sensitive in a plain e-mail!
More to come...
I will end my entry here and continue another day. The content above can be difficult to digest, and I will happily answer any questions—just post a comment.
Posted by Matt at 10:17 PM | Comments (1) | TrackBack
