Sunday, May 23, 2010

Mozilla offers "Web of Trust" add-on; NYTimes report warns of increase in infected websites

Yahoo! reproduced a May 19 New York Times article “Five ways to keep online criminals at bay” here.

The article relates a recent Google scan that found over 300,000 sites on the Web that had been infected by hackers, often with multiple files on the site, for infecting computers with malware to make them zombies or botnets, or, more often, to offer fake anti-virus software. (I encountered one such site last fall, which was caught immediately by Spysweeper; a scan however found four interrelated anti-virus software kernels and quarantined them all.). 

The number of infected sites has tripled since 2007. It’s important that web hosting companies have good anti-virus and firewall protection. (I’ve had only one such incident that I know of; two files on one site were overlaid with jibberish in April 2002; the point of overlay was a discussion of small nuclear weapons.)  Up until about 2000 or so, it was generally safe to surf sites (outside of porn, that is, that got dangerous pretty early).

The article also mentions the Web of Trust (MyWOT) add on for Firefox, which I just installed and tried. After installation, it shows a colored ring (green for OK) in the toolbar to the left of the domain name. Here is the link for the Mozillar ad-on. 

Friday, May 21, 2010

AOL offers advice on spam that comes from your own email address (sender spoofing)

AOL has an interesting post on sender-id spoofing with email, “Why am I getting spam from myself?”, link here. It's on the "AOL Mail Blog."

AOL recommends checking the sent folder, and changing a password immediately if you see emails you did not send.

On the other hand, well known loopholes in the SMTP protocol allow spoofing of sender addresses, which is often done innocently and deliberately by many websites that invite you to send an email to yourself.

Users could be concerned if they could get into legal trouble over emails that they did not send. If the email address was really spoofed, probably not; but if the password was compromised and used, it sounds conceivable that a person could be held responsible; the burden of proof might fall more on the “sender.”

AOL also recommends removing email from your address book if you get spam from yourself.

If you have other domains, you probably have email addresses with them. It’s a good idea to monitor them even if you don’t usually use them. Offering so many email addresses with a domain by an ISP may not be a good thing. Some ISP’s offer a “delete null” mechanism to keep you from getting bouncebacks from spoofed emails. If you forward bouncebacks to a main email address you would need to make sure that the mail box doesn’t fill out; some ISP’s will close accounts if email forwarding addresses don’t work, even if caused by a spammer.

Tuesday, May 18, 2010

Wardriving and wireless security: are we making security too complicated?

WUSA9 (the CNS affiliate) in Washington DC today (May 18) aired a story about wardriving, partly related to a Google survey in San Francisco mapping the location of wireless routers while inadvertently picking up some personal information.

The story by Lindsey Mastis about “Airpatrol” and wardriving on WUSA9 is titled “Hackers Target Open Access Point”. The story recommends reading your wireless router manual to secure it, and if using a public access hotspot, use “WiFi security software”. The list is [web url] here. The television report at noon today in Washington said to turn “broadcast” off on your wireless settings.

I connected my laptop to Verizon (just as well, as Comcast broadband was slow and unreliable today for some reason) and could find no such settings in Windows Vista on my laptop.

There are some tips on the posting from WiFi Alliance (the source webpage is [web url] here ).

But there is also a comment by “DrBZen” that reads prosaically “Your best bet is to always use secure functional protocols. For example, your web credit card purchases are protected by encryption when your web browser shows a "lock" icon and the URL you are accessing is "https" (secure HTTP) rather than the usual "http:" Depending on your email server, you may have access to secure version of the email protocols IMAP, POP, and SMTP.” It sounds pretty simple, doesn’t it.

ABC Good Morning America has an article by Beckey Worley "How to Protect Your Digital Privacy: Tips to Help You and Your Family Stay Safe Online", link here.  Note that she assumes you have a wireless writer and that your lapop won't have Internet access during some of the procedure. But as the commenter on WUSA9 said above, it may not be that complicated.

Friday, May 14, 2010

Automotive computer systems could become targets for hackers as they are connected more to wireless

Two teams of computer scientists, under sponsorship of the National Science Foundation, will present a paper next week at a security conference in Oakland, CA, showing that automobile computer systems could become vulnerable to hackers in the future as more of a car’s diagnostic and control systems become (sometimes inadvertently) accessible to the Internet, especially wireless functions. The article by John Markoff on p A14 of the May 14 New York Times is titled “Cars’ computer systems called at risk to hackers” with link here.

With personal computers, major security risks did not materialize until machines were networked and made available globally. The same principle could apply to automotive systems, such as those that control brakes or ignition or acceleration. The article did not specifically connect the concerns to Toyota’s problems. However, someone with malicious intent could cause accidents or mass events.

Richard Clarke discussed this kind of problem in his book “Cyber War” with respect to other infrastructure, such as the power grid; I reviewed it on my books blog on May 1.

Sunday, May 09, 2010

Webroot's renewal cycle

Well, I’m a little confused about Webroot Spysweeper’s renewals. I got six months free from Best Buy, and had to start paying in January 2010. That’s OK, but then I had to renew again today, four months later ($29). I would think one renewal for a year should have been enough. I’ll have to call and check into all this. (When I boot up, the Webroot panel still says that the product doesn't expire until Jan. 2011.)

Also, the renewal order comes with instructions to reload a new engine. The website references look legitimate when checked, but I would think it would push updated engines automatically when ready.

Also, the backup stopped working in April, as I have written before; it keeps saying my backup set is too big when it's much less than the 50 G allowance.  Maybe there is a connection.

I’ll check all this out this week and report back. But a four month renewal seems odd.

Update: May 11

I reached Webroot billing support (Boulder CO) today quickly (options 2, 1) and it seems I had duplicate billing records. So they deleted one of them and made a refund.  They transferred me to tech (opt 4) for the Backup space problem, and the wait was 25 minutes (mid day). I'll try that again.

Tuesday, May 04, 2010

Recent tragedy with school principal in DC area highlights multiple Internet safety concerns

The slaying of a popular middle school principal (Brian Betts) in the Washington DC school system on April 14 by someone he had admitted into his Maryland home reiterates another basic “people skills” issue with Internet safety. There is a comprehensive story (May 5 Metro) in the Washington Post by David Nakamura and Paul Schwartzman about the dangers of "cybersocializing" here on the Post's "Breaking News Blog"; that story links to other Post stories on the detailed police facts of the case.

The general spin is this: Be careful with meeting people in chat rooms (phone or Internet), and especially with “friends” on social networking sites. It’s not possible to know 1000 friends well, and to determine if each and every one of them is trustworthy. Property insurance companies have recently noted a concern over this issue (especially when people announce their plans or movements on social media or display unusual items of personal wealth in the media), as noted in a posting on my “BillBoushka” blog on April 20, 2010.

Chat rooms have been known to provide another danger: being set up by police for illegal activities. Just consider Chris Hansen’s somewhat notorious Dateline series a couple years ago.

Then you consider the recent comments by a middle school principal in New Jersey (discussed on my main blog April 29), young teens are not mature enough to deal with the teasing and taunts that occur online, nor are they mature enough to understand the risks of unsupervised Internet use. Being online is like driving a car. It requires some training and practice.

Some of these dangers existed in the physical world long before the Internet. Women and gay men have always borne a certain risk in allowing “strangers” into their homes, and in the old days marriage and family tended to provide a measure of security. Call social security a pun if you like.

Update: May 6

Check the ABC "Good Morning America" story by Neal Karlinsky, Shade Miller, and Lee Ferran: :"Craigslist Diamond Murder: How to Protect Yourself: Jim Sanders, 43, Was Killed in Home Invasion After Listing a Diamond Ring on Craigslist", link here.  This happened in Tacoma, WA.  However remember the series of slayings and assaults by a supposed medical student in Massachusetts and Rhode Island last year, also associated with Craigslist, some of whose ad services have become controversial with law enforcement. On the other hand, much or most of the business is perfectly legitimate and safe.