Thursday, August 28, 2008
Earlier this week Firefox prompted me to download and install browser 3.0.1.
I thought I would note a few behaviors. If I happen to be in a site requiring login and I simply click out, the next time I start Firefox 3.0.1 it comes back on at that page instead of a default page. Maybe I have to play with it to change that (I didn’t see an obvious solution in the toolbar). But that could pose a problem for some users if they don’t fully log out of a site when finished (especially if multiple people can use the computer, as in a family room).
Some cookies are lost, others are not. Some passwords on some sites do not save, and in one case a cookie remembered an out-of-date password. I don't know why the new Mozilla behaves this way.
McAfee SiteAdvisor also prompted me to download an update for its communication with the new Firefox. By the way, McAfee SiteAdvisor is very strict, giving some professional news sites (like a Jacksonville, FL newspaper now and previously TV station WJLA in Washington DC) yellow ratings for sending too many emails; news organizations should work with McAfee and WOT for ratings policies on this issue promptly!
There is some discussion of the extra warnings that Firefox 3.0 gives when the certificate for a site’s secure connection (https) has expired or has not been properly issued by a third party. However, Mozilla offers an add-on from Carnegie Mellon to bypass this. The news story is on Networkworld, “Mozilla garners praise over Firefox security feature, Carnegie Mellon Firefox add-on aimed at avoiding user confusion, hacker attacks”, Aug. 26, 2008, by John Fontana, link here.
I also downloaded and installed Google Chrome. It is very fast with Google products. When browsing, it does not connect with McAfee SiteAdvisor.
Friday, August 22, 2008
The September 2008 issue of Consumer Reports has some valuable perspectives and tips on home consumer security. The basic TOC link is this.
On p 23 there is a report on a survey in the article called “Protect Yourself Online: The Biggest Threats & The Best Solutions.”
The overall picture of home computer security is improving. CR seems to believe that Windows Vista represents an improvement and is likely, over time, to result in fewer serious problems for home users than has XP (or previous operating systems). It may be worth considering an upgrade even for current XP users. Macintosh users tend to report few infections, although the general view is not to be complacent.
One particularly disturbing problem is “news spam,” where spammers design fake stories that are intended to get quick search engine rankings and that may actually be infected with malware or fake antivirus downloaders. Some of these sites are overseas (particularly Romania) and may not get filtered out quickly enough by search engines and by safety products like McAfee SiteAdvisor or Web of Trust. It’s a good idea to click on news stories from sites from known companies (and glance at the mouse preview first to make sure they match). The article also mentions a disturbing router vulnerability that could allow whole domain names to be spoofed, a problem mentioned at the Black Hat convention (by a Russian physicist) and difficult for ISPs to fix completely without a lot of investment. (See my “consumer identity security” blog on Aug. 9.) The hope is that security companies and Vista can develop sophisticated screening for this specific problem.
On p 26 CR presents an article “7 Online Blunders.” The first is not to keep tabs on whether your anti-virus and firewall program subscriptions are up to date and whether the packages are working and loading updates. The article feels that major virus programs do work if properly installed and maintained. On p 34 CR compares a number of anti-virus packages, including Bitdefender (one of the best), McAfee, Norton, F-Secure, Microsoft’s own, and a free package including Avira. CR feels free packages (or bundled) may be good enough; I might wonder about liability concerns (previous post) if a regular subscription were not used. Child filters are mentioned.
CR also warns about clicking on email links (especially in phishing situations), about strong and varied passwords, and particularly about the recent epidemic of fake anti-virus software offers (3% of the time, they have created detectable infections, even if accidentally launched and then canceled).
CR recommends using a separate credit card for Internet shopping (unless you really watch your cards online – I do) and not using debit cards. https links are safer, but in rare cases even these have had problems. The more often you check bank information or any accounts you are responsible for (like publishing sites) the safer you are. Unused accounts that are not often checked can represent a risk.
Thursday, August 21, 2008
Recently I found a white paper by Robert B. Standler dating back to 2004, “Possible vicarious liability for computer users in the U.S.A.?”, link here.
The “obvious” question is whether home or small business users could or should be held liable if their computers are hacked and used as “zombies” in botnet “denial of service” (DOS) attacks. A more remote possibility is whether they could be held (in civil or criminal circumstances) responsible for crimes committed with their computers without their knowledge, or for illegal content on it. Sometimes the law regards certain matters as “strict liability offenses” although most of the time, in actual practice, it seems the law takes into consideration whether the computer owner knew or could or should have known about the illegal activity.
Standler makes some interesting analogies. The first comparison is to state laws holding automobile owners responsible if they leave keys in the car, and the cars are stolen and someone is injured. Not all states do this, but some states regard an improperly secured vehicle as an “attractive nuisance.” Car rental companies are especially vigorous in warning customers about this possibility. Similar liability may exist with cars not in safe condition. He goes on to discuss the public health concept of “herd immunity” with respect to vaccinations (a real controversy now, possibly complicated by the autism debate) and even makes some comparison to agricultural and ranching issues known in the 19th Century (and inspiring the plots of some western movies).
In April 2008, Wired published an article “Zombie Computers Decried as Imminent National Threat” here.
And in June 2007 Wired also published “Desperate Botnet Battlers Call for an Internet Driver’s License” here.
Okay, I could carry the rhetoric further. I’ve heard a couple of people say that no one should be allowed on broadband, at least, until they can cleanse a hard drive and rebuild their machine themselves from installation discs. It can happen to anybody, they say. Usually this kind of talk comes from super-techies, the kind who got into the business of open systems in the early and mid 1990s.
Personally, I think that the comparison between cars (and motor vehicle licenses) and computers with broadband connections (and “Internet licenses?”) is a bit incomplete. Standards for the safe operation of automobiles have long been known and in legal practice, even if the media often reports new safety issues in that area. With open-system computers (mainly Microsoft and Apple, and perhaps Linux) the actual “rules” of best practice, to be expected of “average” home users, are still a bit murkier.
It is true, if you buy a modern computer from a reputable source, receive all the recommended operating system security updates, and purchase a subscription anti-virus program from a reputable vendor (most likely McAfee or Norton or one of a few others), and practice common sense in computing (don’t fall for phishing, don’t open unknown attachments, and don’t visit the porn sites) you’ll probably be all right. By and large, security updates and anti-virus software and firewalls do work pretty well (actually amazingly well) with little effort by computer users, and at only modest cost. One problem, however, is that if there is a problem, getting customer support for mail-order vendors or from anti-virus companies can be challenging, more so than in the automobile world.
Companies that hire people to work from home as customer service agents have to become concerned with home computer safety. Some of them require that the employees purchase Windows machines used for work only, and monitor the computers themselves from central servers, perhaps adding an element of safety.
Still, there are a lot of “controversies” about which there are legitimate differences in opinion. Is Macintosh really “safer” than the Microsoft PC? Is Mozilla safer than Internet Explorer? Is it safer to turn off your computer or Internet connection when you’re not home, or let the security updates load all the time (it’s probably easier on your hard drive to leave it on, and only slightly more expensive as to power use)? Or can you count on properly installed security software?
There’s another area, too. Our culture allows, even encourages, people to promote themselves in public on the Web, when people have little or no legal training as to the risks with copyright, libel, etc. This cultural change would have been unimaginable in the publication world before the Internet, where due diligence was part of publication. True, the actual incidence of litigation is extremely low compared to the volume of users and “self-publishers.” But insurance companies scratch their heads, as they have no idea how to assess this new kind of “risk.” And, true, the “reputation defense” business has more recently encouraged “ordinary people” to pull back a bit from self-promotion outside of an income-paying job.
It's well to remember that there are some downstream liability protections in the law, such as the 1996 Telecommunications Act "Section 230" (when "hosting" material "published" by others). From a federal and constitutional perspective, the Supreme Court (with MGM v Grokster) seems to be heading toward a doctrine where downstream liability exists when a party's "business model" or purpose seems predicated on attracting legal infringement; but at a conceptual level, such a legal standard could become ambiguous.
We’ve come a long way from the mid or late 90s, when most security hazards were spread with floppy diskettes or by email attachments. Continuous broadband is almost a necessary utility now, just to receive the massively large security updates (often while you sleep). But broadband itself was rocky for the first couple of years it was in frequent use, and the security issues really didn’t start to get a lot of press until, say, 2003. So the issues simply haven’t been around long enough for society, through democratic political institutions, to develop reliable standards. Libertarians want a free marketplace, and let the tort law fall where it may. Okay, then you risk frivolous litigation over “downstream liability” issues and maybe even wrongful seizures or prosecutions. Furthermore, you may risk arbitrary behavior by "private" ISPs if you depend on them to pull the plug on individual users who allow their machines to become infected (and you might run into other issues brought up in the network neutrality debate, as with recent concerns over ISP monitoring for excessive P2P use). We do, as a culture, need to sit down and sort this out. We need to present it to kids in public schools, too. But only the big players in the industry (the big telecommunications companies, the software vendors like Microsoft and Apple, the open source people like Linux, and search engine and news companies like Google, Yahoo!, etc., as well as the standards people like ICANN and W3C) can provide the guidance that political institutions – and schools – need. We do need a culture of “communications citizenship.” Most of us just don’t know enough, yet, to define it. Even other social issues and presence (or absence) of family ties and environments come into play.
Tuesday, August 19, 2008
Web of Trust is producing a series of videos about how some “computer cleansing” products, advertised with search engines, seem to be fraudulent.
One such product is PC Doc Pro. WOT loaded a machine with Windows Vista Ultimate with no other programs except the regular Microsoft updates and Internet connection. PC Doc Pro found over 500 “problems”, some of which it would fix “free,” the rest for a “trial” for $29.95. The video (about 5 minutes) shows how WOT works with search engines, in a manner comparable to McAfee SiteAdvisor. The filmmaking technique itself is interesting, making computer application sequences visually interesting enough to be suitable for a short documentary film festival entry. The link for this first WOT video is here. When I viewed it, it loaded a little slower than YouTube usually does.
WOT president Deborah Salmi gives these networking contacts:
I've written before on this blog about "fake anti-virus" programs, such as XPAntivirus. Some of them may appear as links to legitimate searches, often on overseas sites or sites not yet reviewed by SiteAdvisor, WOT, or any similar service. Some security advisors recommend doing a ctrl-alt-del (not even "canceling" the application) to look at all running processes and not using the computer until it is thoroughly checked. This has happened twice to me, and I have never found that anything was downloaded or any registry key added or changed, and have found no problems with subsequent McAfee scans, since I did not allow the operation to continue. Fake sites (those that appear to have legitimate URLs ending in "html" but intending to load malware) may become a more serious problem, as demonstrated with the domain name controversy at the recent Las Vegas Black Hat convention.
Monday, August 18, 2008
We’ve gotten used (and desensitized) to warnings about emails seeking personal information, such as phishing attacks from banks or brokerages, and also from companies like PayPal, eBay, and ISPs. And we’ve been warned about responding to emails proposing getting something for nothing (“Nigerian scams”) and offering frivolous entertainment like greeting cards. Another variation is phony communication about tax liabilities or refunds, purporting to come from the IRS, which does not contact people by email for legal purposes.
In the 1990s the most common risk from email came from downloading and opening an attachment. Now, merely clicking on an attachment could start a malware application (such as a fake anti-virus script). In rarer cases, merely previewing or opening the email itself could start a malware application. (One of the first of these was “Bubble Boy” back around 1999, as I recall.) Modern email programs offered by larger ISPs (which screen for viruses), in combination with anti-virus packages (like McAfee or Norton) running on a system properly maintained with operating system updates (as from Microsoft), generally offer reasonably effective protection from these possibilities. One problem in practice is that downloading these updates requires a stable broadband connection or a secure subscription wireless connection (don’t use a restaurant “hot spot”) that not everyone has access to. Making sure that this capability is routinely available to everyone like other basic utilities (electricity) is becoming a major national infrastructure issue, requiring investment and public policy decisions, connected to the “network neutrality” debate.
It’s important to realize that the range of subject matter in virus or worm attacks may expand. Recently there was a malware item purporting to come from CNN. “News spam” could become a threat in the future, and has occurred before. In 2007, there was a trojan that tried to solicit personal information by pretending to offer detailed information about a Brazilian plane crash (and its victims). The link in NetworkWorld is here.
Another possibility is that a spammer could claim to have a “tip” about an impending incident, or about the location of a terrorist like Osama bin Laden (seeking to exploit potential public interest in the government’s announcement of a reward for capture). This possibility is complicated by an additional hypothetical scenario of the Tom Clancy or Jeffrey Deaver spy-fiction world. Someone has a real tip, and uses spam to communicate it. It's not clear whether this has ever really happened, but I can imagine (as someone with a new novel on his own hard drive) why it might. What did the CIA admit after 9/11: “we had a failure of imagination”. And, we all know the truism for the gullible, “I read it on the Internet.”
I have received a few possible “tips” in my eleven years of being visible online, and four or five times I have contacted the FBI. I don’t claim “reporter shield” with something like this, particularly as an amateur. I’ve had at least one extended telephone conversation in 2005 about one of the emails that I got. The government, when receiving something like this, is supposed to match it to other tips from unrelated sources to determine credibility, since most of these items are probably hoaxes or just spam items. An issue after 9/11 was the inadequate communication among government agencies about the random information it receives. At the same time, the Administration promoted measures (like the Patriot Act) that compromise privacy and civil liberties while being slow at improving its own inter-department communication and on upgrading the skill level of its own information technology people.
Recently I got a bizarre email from France that appeared to suggest the ability to compromise oil production in Nigeria. There was a link in the email. I typed in the URL rather than clicking and found that the site was legitimate (and checked out as green with McAfee). Further, I found that an earlier National Geographic issue (that is, a clearly credible and neutral mainstream journalistic source) had backed up the “complaints” on the site. I wrote the email up on my international issues blog Aug. 15 (link), but I also sent it to NBC news with some explanation, figuring that a major news organization (that once employed me) could investigate and corroborate to determine credibility and notability for being on the air. So, some emails like this may actually be legitimate, may communicate real perils, and need serious attention from authorities (especially overseas) and major news organizations. On the other hand, disgruntled overseas parties may want to use "amateurs" as well as regular news organizations to broadcast their causes and grievances.
McAfee has a list of (news-related) “hoaxes” that may be useful, here. I didn’t see last week’s incident there, at least yet.
Friday, August 15, 2008
Recently, emails that I have received from some other AOL addresses and that I view when I send them (from the Sent queue) show a red “x” with “McAfee SiteAdvisor Warning: this email contains potentially unsafe links to these sites” and the site is aol.com!, when I view them on my Dell desktop with XP Home Edition (Service Pack 3).
Then, below the email text there is an appended link to shopping.aol.com, with a specific sublink for some product (like auto sales). Whatever that sublink, McAfee generates the red-level warning. This happens on my XP Home Edition machine.
On another machine, an XP Professional Inspiron laptop, McAfee does not generate the warnings on these links, even if they were generated on the Home edition machine. It does not generate the warning when the links are visited on the Inspiron even if the email was generated on the Home Edition machine.
It appears that AOL is always generating some sort of shopping link at the bottom of the emails these days, wherever the mail comes from (dialup or web-embedded). But in some operating environments but not others, McAfee interprets these links as being from phishing sites. In these same environments, the shopping.aol.com link by itself (without a sublink) does not generate the warning and registers Green.
It does seem that McAfee Site Advisor sometimes performs inconsistently, and sometimes is down altogether.
One other AOL complaint: I wish it would not let you send an email with "No Subject." See the comment in my next post about Blogger entries with "no title."
Wednesday, August 13, 2008
Monday night, I noticed a large download from Microsoft on the yellow triangle while working on my desktop, which has the XP Home Edition. (I haven't gotten Vista yet, but that is coming down the pike.) It stalled after slowing down the computer. So I checked for updates, and first got a new download verification patch, and then was asked to go ahead and install Service Pack 3.
A writeup of the fixes available is here. It seems as though it has been available since May.
The information seemed to suggest that the new version was rather urgent. It does look as though most of the patches are rather insignificant, other than some potential buffer overflow fixes.
The whole process took about an hour and 45 minutes. The Microsoft “progress report” behaved in an interesting fashion. The first 33% was “preparing to download.” The file was 66 meg but did not take long itself, probably because it had been downloading automatically before. Then there was another phase, “verifying download.”
The install phase supplied a second pop-up, which was unnecessary and confusing, as the original update mechanism reports everything. That went away, but then another window appeared, and gave more progress as to the details, including what files were backed up and re-installed, as well as a notation of registry update. The process was lengthy.
Then I was prompted to restart. The first time, a protected mode screen came up briefly and executed. Then the usual Windows start up process executed, but took much longer than usual. Then two command prompt boxes appeared, and one of them gave some security access errors. Finally, McAfee restarted (it showed two registry updates on the event log) and, last but not least, the Internet connection got re-established. I rebooted again, and the process was faster, with no command prompts. But since the install, the Internet connection (from Comcast) has taken longer than usual, up to about 90 seconds. Now it seems that McAfee always starts first before the connection is made; maybe that is part of the fix.
Microsoft already had 16 more updates today. They seem to be the same as what my XP Pro laptop received, and that machine still does not have SP3 yet.
Note: the internal blogger link for this post starts with the first sentence. That's because I published it and forgot to enter a Title. I wish Blogger would make the publisher enter a title. But it is NOT a problem otherwise!
Tuesday, August 12, 2008
A new plan in the UK and in Ireland has been announced whereby parents of kids involved in illegal downloading could be blacklisted, or could have their Internet speeds slowed down to prevent large downloads. Apparently the blacklist would be available to all ISPs. It’s logical that the same idea could be tried in the US, although the FCC has recently clamped down on ISP's that manipulate user speeds for legal purposes, at least, just to control traffic.
The news story appeared in the Belfast Telegraph, authored by Claire McNeilly, here. Washington DC television station NBC4 provided a link to this story tonight to warn US viewers.
So far, these ISPs have signed up for the plan: BT, Virgin Media, Orange, Tiscali, BSkyB and Carphone Warehouse.
In the United States there have been cases where parents have been sued for copyright infringement by their kids that they were unaware of, and sometimes it may have occurred with guests. Usually parents learn of the suits by sudden phone calls from “settlement centers” from the music industry and feel that they are being shaken down or extorted.
Monday, August 11, 2008
CERT, at Carnegie Mellon in Pittsburgh, offers a valuable document, “Securing your Web Browser,” by Will Dormann and Jason Rafail. The URL for the simple HTML document is here.
One valuable feature of the document is a long list of visual “filmstrip” pictures of how to set various security settings in Internet Explorer to minimize your exposure to risks relative to your actual expected daily use. CERT compares Mozilla to IE, the major difference being that Mozilla does not have a graphical interface for its settings. Mozilla has CAPS (configurable security policies), which are supposed to compare “more or less” to Internet Explorer’s Security Zone.
CERT recognizes that Internet Explorer has become a favorite mark of virus writers, but maintains that removal from a Microsoft Windows or Vista environment is “not practical.”
There is also a useful discussion of Apple Safari for the Mac.
CERT describes a “principle of least privilege” – that is, “don’t enable it if you don’t use it.”
CERT also offers a "vulnerability remediation" guide aimed for corporate or organizational (or government) network administrators, here. CERT says that it is careful about how it makes some recommendations public, inasmuch as they could tip off the potential of future problems to hostile parties.
Sunday, August 10, 2008
Brian Krebs added a column on wireless security to his “Security Fix” collection on The Washington Post online, based on another presentation at the Las Vegas “Black Hat” conference. His column is called “Wireless Awareness: Don’t Be a Sheep”. It’s getting to be a sin to access personal information or use important passwords in an unsecured wireless environment without a secure connection. That is, “https” rather than “http”.
His column is here.
He also reports that a number of security professionals at the conference didn’t “walk their own walk.” (my paraphrase – I could add “with the Lord”).
I’ve noticed that Microsoft Front Page 2003 gives me a warning about lack of encryption when I sign on to it. It probably doesn’t matter at home over land broadband with a McAfee (and Windows) firewall (and all the XP fixes), but it would in a motel wireless network. Soon, I’ll have to find out how Expression Web handles this.
Ah, motel wireless. It reminds me of the 1980 horror film "Motel Hell." I just have to quote the tagline, it's such a fond memory: "It takes all kinds of critters to make Farmer Vincent fritters." Maybe it takes all kinds of sheep.
Saturday, August 09, 2008
Washington Post technology writer Brian Krebs, reporting from a computer security convention in Las Vegas (the BlackHat “hacker” convention), warns that social networking sites, especially Myspace, Facebook, and LinkedIn, are becoming major sources of malware.
Many of the items are user-defined applications and widgets of various natures.
At the same time, the convention points out with some irony, it can be risky to avoid social networking sites if others could mimic you and set up fake profiles to take away business or harm your online reputation. If you don’t want to use them, it may be safer to set up a shell profile and then use it relatively little. This point could be important to employers in some industries, where the "reputations" of professional employees or contractors are an issue of legitimate concern.
In fact, I have shell profiles on Myspace and Facebook with very little material. But I may start using Facebook soon for networking my screenplays.
The story runs in print in the Business Section of The Washington Post today Aug. 9. The story is titled “Hackers’ Latest Target: Social Networking Sites” with link here.
Krebs discusses the Koobface worm, which McAfee describes here. Facebook users who have loaded infected plugins receive links to download the worm from linked infected videos (which apparently could come from either Myspace or Facebook).
In all cases, loading malware would violate “terms of service” but social networking and blogging companies are having extreme difficulty detecting malware and violations by automated scripts without impacting innocent users with “false positives.” The risk appears to be much less with conventionally (dedicated or shared) hosted web sites.
There is another story today coming from the Las Vegas "Black Hat" conference on DNS security on my consumer id security blog, here.
Wednesday, August 06, 2008
Web Hosting News has advised users of a new virus that purports to offer a news feed from CNN, with items particularly related to the upcoming Olympics. It would be called “CNN.com daily top 10” or some similar variation. Arlington County VA today included this warning to its emergency notification email list, indicating that the cyber alert is taken unusually seriously. The article (by David Hamilton) has the following link.
The email encourages the viewer to view a video that in fact downloads malware.
Media companies and organizations like the Associated Press have complained that “news scraping” services amount to copyright infringement and may encourage the propagation of malware. But the CNN item is the first that I have heard of based on a major media news service.
Other phishing attacks typically involve mimicking financial institutions, scams (like the Nigerian scam), eBay, PayPal, or ISPs (especially AOL, which seems unable to detect these attacks with its own spam filter). Some attacks pretend to be bounced email with Mailer daemons.
There is some indication in web security literature (especially McAfee Avert labs) now that spammers are infecting unsuspecting user machines with trojans to overcome captchas and start splogs. The general problem is well covered in Wikipedia. Anti-virus software and firewalls should be catching these if properly used.
Monday, August 04, 2008
There is a new warning about a spam email circulating that tries to get the visitor to click on a link to a web page describing an investigation of Facebook by the FBI (specifically called “F.B.I. vs. Facebook”). The webpage loads a virus that connects the user to a Storm Worm botnet that causes the visitor to download the worm, likely spreading the email to other users as well as allowing information on the computer, such as passwords and customer information, to be stolen. An earlier version of the worm had spread a holiday greeting E-card.
The FBI has a user-language discussion of how botnet worms and “botherders” work here in a June 13, 2007 press release.
The news story about the recent Storm Worm attack appears in Computerworld; it is authored by Todd R. Weiss and titled “FBI Warns of New Storm Worm Attacks,” July 30, 2008, link here.
SC Magazine has a story by Sue Marquette Poremba, "Storm Worm leverages FBI and Facebook in new attack," link here.
Hopefully ISPs like AOL are detecting this email now as spam.
It is particularly scary that visiting a website can download a virus. This is a problem unknown until about 1999 (at one time, all viruses had come from email attachments and diskettes). This issue has been seen with “fake anti-virus” software which sometimes appears on foreign servers with fake story names that show up in search engines. Web surfing tools like McAfee SiteAdvisor and “Web of Trust” should be able to flag these web sites with warnings on search engines. McAfee SiteAdvisor will intercept a web visit to a site rated yellow or red and allow the visitor to check a suspicion report before visiting the site.
Visitors should use site advisers or at least preview the embedded links in emails before clicking on them, particularly those from unfamiliar sources.