Thursday, September 25, 2008

ISPs should allow users to specify their own security question (Sarah Palin incident on Yahoo!)

Computer security experts recommend that users with email and any online accounts use more caution with typical security questions. The recent incident where Republican Vice Presidential nominee Sarah Palin’s Yahoo! email account was compromised exposes a flaw in the security question system. If the user has posted the answer to the question somewhere before, or if it is generally known by others, someone could guess the information and get into the account. Security experts say that ISPs like Yahoo! and many others should begin allowing users to specify their own security questions.

In the meantime, users should choose answers that they do not believe others know (in particular, don’t use an answer that you’ve posted on the web previously). Don’t use the real name of your “Iams” cat; make one up, or, better yet, use letters and numbers in a nonsense combination. That is, make the answers to the security questions like strong passwords. They also say you can link your account to another one where you could have your account information emailed. Many people keep their access information in files on hard drives that are not made public, but it is conceivable that in some cases this information could be compromised, particularly on a laptop that could be physically lost.

Matthew Sheffield has a detailed Analysis/Opinion piece on the Palin incident (“…how easy it is”) on p. A4 in the Nation section of the Washington Times, Sept. 25, link here.

In the past, it was common for companies, especially in sensitive jobs, to warn employees about keeping their mainframe passwords secret, and in some cases, not to leave themselves signed on when away from their desks.

Wednesday, September 24, 2008

Technical publisher issues warning on rootkits

Michael Kassner has an article in the Tech Republic blogs’ “10 Things” series that concerns Internet safety, mainly in the workplace and especially for small businesses with home networks, particularly those with Unix or (more likely) Linux machines.

The article is “10+ Things You Should Know About Rootkits,” link here.

The term refers to programs that allow one to get to the root or admin (or kernel) layer on a Unix or Linux server and execute malware without the knowledge of system administrators. Generally they get loaded by users clicking on email links or sometimes through IM. One particularly disturbing feature is polymorphism, which might change internal operating system machine code and make normal security or anti-virus software inoperable. There are also firmware rootkits.

I had an earlier domain on a friend’s webhosting from 1997 to late 2001. Over the Fourth of July in 2001 (before 9/11), while the friend was away, the kernel of his Unix machine was infected by a rootkit. Fortunately, a rackspace cohost was able to get his sites back up in about four hours while he was gone, but he had to do a complete rebuild of his Unix system. It would appear that a direct Internet connection could cause an incident like this if a machine is not adequately protected. Another problem that small business webhosting ISP servers had in the late 90s and early 2000s was a tendency to be vulnerable to prankish DoS attacks, which were met by slowing down and bouncing the incoming packets. Since about 2000, there has been a tendency for small hosts to be absorbed by larger companies, as they have trouble competing with them, particularly in terms of maintaining stability.

Thursday, September 18, 2008

WOT offers a new video on fake anti-virus software

“Web of Trust” has issued a newer version of its video regarding fake anti-virus software. The video is called “An Epidemic: Fake Anti-Malware Products” and the link for direct viewing (5 minutes) is here.

This video starts with a fictitious search and a click on a link that, instead of bringing up an HTML or ASP type web page, starts a Windows-like application that scans your system and then goads you into giving your credit card number to purchase the product. The name of the product is likely to change every few days to make it impossible for credit card companies to help you with refunds.

The links wind up in search engines very quickly, before they can be evaluated by WOT or McAfee. Many of them may have overseas domain names, but not necessarily. Many may give legitimate-sounding excerpts of text that are unrelated to the virus search. (Unauthorized celebrity sites may be prone to such abuse, which would give celebrities legal recourse on the grounds of trademark infringement or “right of publicity” actions if they chose.)

Web of Trust also has a Press Release dated Sept. 17 on this problem, here. Web of Trust, like McAfee, offers a pop-up report on search engines, which may say something like “Site Has Been Infected” for fake anti-virus sites. The main practical problem is finding the abusing site in time.

Because search engines now very quickly index new sites, it is difficult for them to address this problem. Search engine companies will remove such links when requested, following their own procedures.

It is important to note that the phrase “web of trust” has also been used in the media to describe a “darknet”, a limited P2P (peer-to-peer) network of anonymous users seeking to escape attention from authorities. John Markoff has a story in the New York Times back on Aug. 1, 2005, “New File Sharing Techniques Are Likely to Test Court Decision,” here. The court case here was MGM v Grokster, concerning business models based on copyright infringement. The article discusses the efforts of a Scottish programmer named Ian Clarke.

This blog had discussed an earlier video by WOT on Aug. 19, 2008.

Wednesday, September 17, 2008

Be careful when visiting "unauthorized" celebrity websites

The NBC Today show this morning noted that a lot of web surfers are getting infected by “unauthorized” celebrity fan sites that apparently offer a lot of dangerous free stuff for download. Last year the biggest problem was Paris Hilton; now it seems to be Brad Pitt. Reuters has a blog entry this morning “Don’t Mess With Brad Pitt in Cyberspace” by Belinda Goldsmith, link here.

The safest place to learn about celebrities (including photos, videos, and message boards) is probably Wikipedia, which has interesting articles about many celebrities, who automatically meet the site's "notability" requirements.

But, of course, many visitors want to see a lot more and use search engines to look up celebrities (as they would their own friends). One good idea is to look at the search engine results with McAfee Site Advisor or Web of Trust turned on. Most of the sites are probably merely silly and harmless. There are questions about the legality of unauthorized sites created by others and the celebrity’s “right of publicity”. Celebrities generally don’t create their own sites to promote themselves, but they often create sites for charities they support or political causes they work on (Leonardo DiCaprio and global warming is a good example, link here), or for specific television shows that they run or movies they are in (which are generally set up by networks, studios and distribution companies, not the celebrities themselves). If the site is flagged, read the report first before visiting it. Rarely, it’s possible to get infected just by visiting such a site (this has been a problem with fake anti-virus downloads that had false domain names and then start a Windows box application to either start a download or invite the visitor to download). I’m not sure why a browser gets fooled by a file marked .html and still runs an exe file; it would seem that browser security updates should prevent that. In a few cases, such sites have been created before McAfee gets around to rating them, or before their viruses are logged in DAT files. Generally search engine companies remove them when they learn about them.

A few people have been infected by fake anti-virus software even without a prompt to download. Sometimes an infection might be discovered by running a virus scan with an updated DAT file.

It's important to remember that McAfee will downgrade some sites for being linked to too many yellow or red sites. Bloggers should keep this in mind. There have been some problems with McAfee incorrectly flagging links ("false positives") in emails on AOL when read by Mozilla browsers.

Always stay alert online. If you bank or do brokerage online, always watch your numbers frequently and make sure nothing unusual has happened.

Tuesday, September 09, 2008

Employers and small businesses need to beware of legal pitfalls with their computing and Internet practices

Bill Detwiler offers a video on the Tech Republic blogs, “Three Ways You Might Be Breaking the Law with Your Computer,” the video belonging to the “IT Dojo” series. The primary link, which plays the 7-minute video, is here.

He also gives a secondary link, on the same blog, of a list of “ten things” written by Debra Littlejohn Shinder.

Detwiler is careful to note that he is not a lawyer and is not giving legal advice.

Detwiler’s main concern is employees of a business, which could be a small business, committing violations of the law for which an employer could be held legally responsible.

One concern is well known, the Digital Millennium Copyright Act, or DMCA. He warns that the ownership of circumvention tools is itself a violation, and the presence of such tools on an employee's computer or on the employer's premises could cause liability for the boss. The US Copyright Office Summary is here.

A second act is the No Electronic Theft (or NET) act, which makes electronic theft a crime regardless of whether it is done for monetary gain. This refers to 17 and 18 USC. The Department of Justice has a link here. This law makes making and keeping illegal copies of copyrighted material a violation even if they are not posted on the Internet or offered commercially. The typical example is making illegal copies of DVDs in violation of the FBI warning on most DVDs. Theoretically it’s illegal to make a copy on your computer of a copyrighted story even if you don’t post it. A better known example is making illegal copies of software, which in the early 1990s was often done just with floppies. (“Microsoft often writes on its software CDs: do not make copies of this CD”.) For example, it’s at least technically illegal to make a copy of connectivity software to give to an employee to take home to be on call. (This would happen even in my own office in the early 1990s until it caused controversy and the practice was stopped by management.) You have to purchase a properly licensed copy. I know from some personal circumstances there could be a legal issue in some cases over who owns the computer from which the on-call support is done (and now that becomes a relevant question in protecting the privacy of the employer’s consumers – does the employee have a working firewall at home, etc.).

In general these are concerns for employers and businesses. They could be concerns for very small businesses or perhaps even solo individuals (especially self-employed contractors who work from home). So far we haven’t heard of the Software Publisher’s Association auditing the computers of for-pay bloggers, but I suppose it could happen. More likely, a software vendor can detect the use of a pirated copy of software with various centralized detection tools.

Another warning in the video concerns the legal right of Homeland Security or customs to search and even seize laptops, cell phones and similar devices at border crossings.

Finally, the video warns about a bill in Congress, HR 4279 “Enforcement of Intellectual Property Rights Act of 2008,” also called “Prioritizing Resources and Organization for Intellectual Property Act of 2008” link here on govtrack.

I note that as far back as 1985, when I worked for Chilton (a credit reporting company in Dallas) we were warned about the Texas computer crimes law whenever we signed on to the mainframe.

Also: Advisory about New Scam by email:

In an unrelated story, the NBC Today show today reported a scam whereby phishers offer rental keys to people desperate for affordable housing, who send them money for houses not even on the rental market.

Friday, September 05, 2008

Some Dell laptops have wireless vulnerability; fix offered by Dell

Dell has advised users of a potential vulnerability in its wireless network adapter cards. It may affect some but not all laptops.

Select Dell™ Wireless cards offered on Latitude™, Dell Precision™ Mobile, Inspiron™ and XPS™ laptops could have a security vulnerability that would let a hacker manipulate the data packets received by the laptop and trigger an error condition. This could allow a hacker to obtain privileges to access any files on an affected laptop in some cases. Apparently the vulnerability could exist even when the user is not connected to a wireless network.

Earlier this week I got prompted to install Microsoft Service Pack 3 on an XP Pro Inspiron Laptop. In my first regular boot, I got an “8021x” error from Dell. Wikipedia indicated that the error has to do with IEEE wireless connections. However, I reported the error through Microsoft and I immediately got a supplementary update from Microsoft. I installed it, and on the next boot the error went away. I did not use a wireless connection and worked using a broadband cable connection instead. But theoretically, I could have been exposed. McAfee scans have not found any problems. I will look into this further soon, and report. The laptop machine is left turned off most of the time.

The Dell link is here. Dell will assign a Journal ID for each visit by a registered Dell customer. The advisory gives details as to how to download a security fix to the wireless handlers in the operating system from Dell.

This advisory was emailed today by Arlington County (VA)’s cyber-alert system, which also gets some advisories from CERT.

It would be interesting to see if Microsoft (XP and Vista) can somehow address this vulnerability separately with further security updates (without needing to go to Dell), with a generic fix that could prevent similar problems with any vendor. I would think this would be a very high priority.

Thursday, September 04, 2008

McAfee publishes family Internet security guide

McAfee has published a spiffy “10-Step Internet Safety Plan for Your Family”, a PDF document at this link.

McAfee says that the chance of any one person becoming a victim of a cybercrime is about 25%.

It recommends placement of a family computer in high-traffic areas. There is some emphasis on family teamwork, and on careful education as soon as a child (a tween) is old enough to begin to use the Internet.

The computer is seen as a family asset, not as property of an individual member. Obviously, older teens who are responsible enough will have good reason to have more independence in their use, especially for school work.

One could think of learning to use a computer and especially the Internet as a bit like learning to drive a car.

The paper warns about strangers on the Internet, with all the well-known dangers.

It also recommends strong passwords and systematic checks that security software and firewalls work.

The paper doesn’t say this, but other security experts have said that normally there is no legitimate reason for a minor to own a webcam.