Monday, March 29, 2010

Washington Post, Media Planet offer insert on cybersecurity; playing devil's advocate on how to meet cyberbullying

Helen A.S. Popkin has an interesting perspective on MSNBC way back on May 15, 2009, “Cyberbullying laws won’t save your children; Luddite lawmakers continue to confuse their principles with the medium,” link here. People have a right to be mean (or live out an inborn "mean streak", maybe), as long as they don’t cross the line, and there have always been plenty of ways to do it. She makes a lot of points about Columbine and similar tragedies in the piece.

The Washington Post today (Monday March 29) has a special insert booklet, an Independent Supplement from Media Planet, “Cybersecurity: Your Guide to Protecting Yourself Online”. I could not find the insert online. Sometimes you really need to buy a paper copy of something.

Most of the articles were very high level and followed the tone of advice often given before. On p. 8 there was a brief article on how social networking sites can attract crime.

Sunday, March 28, 2010

Do family Internet security recommendations go too far?

MSN Lifestyle has its own page “Web Security 101” by Lori Telles, “A parents’ guide to Internet safety”, web link here.

It’s the pretty standard set of recommendations. But what keeps striking me is the need to maintain privacy, and how dangerous security authorities believe it is for kids to let the public world know that they even exist – and possibly dangerous for their families, too. It’s as if fame were to be earned by competing the old-fashioned way.

It’s also striking to make recommendations about keeping the computer in a public area in the house. Older kids would have a legitimate need to use the Internet for homework or college applications. Can’t they be trusted to have a laptop or separate computer in their rooms when they are mature enough? Learning to use the Internet safely is like learning to drive a car.

Friday, March 26, 2010

Giving away whereabouts on social media can present a home security problem

An Indiana woman posted the fact that she was leaving for a concert on Facebook, only to come home and find her home burglarized. Investigation, including the home security cameras, showed that a Facebook “friend” whom she hadn’t seen in 20 years is implicated.

Moral: don’t overdo it with posting details of your life on Twitter or social media. And be careful who you admit as “friends”. (For followers on blogs or Twitter, there is less that can be done.)

The AP story, from New Albany Indiana, is here.

Remember the song "Indiana wants me!" with the police sirens?

Monday, March 22, 2010

A user's guide to firewalls (no hitchhikers through the Galaxy please); how good is Windows Firewall on its own?

Terrence O’Brien has an important high-level article on firewalls on “Switched”, offered to AOL subscribers Sunday, “Erect a firewall to protect your PC”, with an amusing illustration, link here.

He makes an interesting analogy between IP addresses and long distance telephone numbers (country code included), and port numbers on your computer as direct-dial extensions.

He also advises that, while operating systems normally offer their own firewalls, users with Windows XP need a third party firewall for sufficient security functionality. The firewalls that come with Windows Vista and Windows 7 are, he says, far more sufficient. Other writers have criticized Vista’s firewall as not being adequate in a wireless environment with outgoing packets, possibly inviting drive-by hacks.

Sunday, March 21, 2010

Too many people use crackable passwords -- a downstream liability issue for home users?

AOL offered its subscribers an article today “Top 10 Passwords you should never use,” link here.

Believe it or not, some people have used “1” as a password.

The article also discusses what hackers typically do when they get access to a home personal computer (or a work computer for that matter). Most often that is to configure the computer for back-door entry later for use in botnet (often distributed denial of service) attacks. Other more sinister uses can be imagined, such as c.p.

Generally, the literature says that home users are not liable (at least criminally) for misuse of their machines by hackers, but the law could change in the future and more responsibility could be placed on users (such as an “Internet driver’s license”). Conceivably (as has happened a few times discussed on this blog) charges could be brought and the victim could, in a practical sense, be viewed as guilty until proven innocent and incur huge legal defense expenses.

At work, employers often hold associates and contractors responsible for misuse of their computers by outside forces (or even other employees – I remember an employer in the 80s with a strict “log off” policy on the mainframe). Employers often force associates to change passwords periodically and test them with password crackers.

Friday, March 19, 2010

"New" Facebook phishing scam reported by media

Media outlets, including eCanada, are warning of a “new” Facebook phishing scam. Users get an email that appears to be generated from their Facebook account asking the recipient to change a password. It seems that a chain reaction takes place that can give the attacker access to other cookies and passwords on the user’s computer, including bank account information.

The eCanada story is here.

Media outlets also report that Facebook says it has trapped and shut down this scam.

An earlier scam in the spring of 2009 had involved a fake Facebook login page, as explained here on CNN by Elinor Mills.

Facebook members should be wary of unusual "business opportunities" posted on their Walls.

Likewise, blog visitors should be wary of "opportunities" offered in comments on blog posts. Acceptance of a comment does not imply endorsement of what is there.

Thursday, March 18, 2010

TX man arrested for tampering with cars from Internet (repo technology only, however)

A man fired from a car dealership near Austin TX used the Internet to disable ignition systems and sound car horns for more than one hundred vehicles. The systems that he hacked are used by “repo men” (as in the upcoming movie from Universal). There is no indication that the automobile diagnostic code systems (the OBD or onboard diagnostic codes, as discussed here) were compromised. Nevertheless, that idea would come to mind as a future target of criminal activity, especially in light of recent problems with cars being stuck in acceleration mode, and the possibility that these problems result from faults in wireless electronics. If so, grave public safety issues could ensue.

The man was arrested and apparently is being held for violating Texas computer crimes acts. Texas passed a computer crime law in 1985, when I was working for a credit reporting company (Chilton, now Experian) and mainframe security was just starting to get public attention.

The news story appeared March 18 on AOL here.

Thursday, March 11, 2010

Windows Vista restart procedure for automatic updates can consume time

I noticed today, after Microsoft Vista prompted me to restart to complete the installation of (mostly security) updates, that the “shutting down” process, after “configuring the updates”, can take unusually long, perhaps three minutes or so. After Restart, the “step 3” of configuration runs. It does seem that the lengthened times for shutdown and service restart are normal.

Before the system advised me that it wanted to apply updates, I also noticed that the “Dell Support Center” (this is an XPS laptop) desk tray option appeared, but was unresponsive. Interesting.

Monday, March 08, 2010

Cell phone spying reported on ABC GMA

Lisa Fletcher and Cole Kazdin have an important story on ABC Good Morning America on Monday March 8 about cell phone spyware, “Cell Phone Spying Nightmare: 'You're Never the Same': Woman's Ex-Boyfriend Stalked Her for Years Using Software on Her Cell Phone”, link here.

The problem occurs when another person has physical access to your cell phone and installs the spyware, which can watch you even when the cell phone is turned off.

I wondered if computer spyware detectors (like Webroot Spysweeper) could detect it if the cell phone is connected to the computer. I also wondered if a similar risk exists for the Blackberry.

The only “cure” is a new cell phone, which can be expensive while under an old contract, or calling your provider and having the cell phone operating system reinstalled, which would cost money if the provider did it.

Surprisingly, it’s apparently not illegal to sell the spyware devices on the web (say to parents who want to watch their kids), but it might or would be to actually install them on a person’s phone, as many states have anti-stalking laws.

Thursday, March 04, 2010

Windows Vista can become unresponsive during Webroot definition reload

I’ve noticed that Windows Vista can become unresponsive sometimes while Webroot Spysweeper’s virus definition file reloads if the visitor goes to a website that displays complicated ads (probably with sky cookies). I had that problem this morning when I went to a story on AOL. When I closed Internet Explorer, the computer became responsive after about a minute when the definition file had reloaded. The only prevention seems to be to wait about five minutes after boot-up before displaying sites with complicated ads. I haven’t noticed this with McAfee or Kaspersky. But there could be a small bug introduced in one of Microsoft’s automated updates to Vista.

On one or two occasions in the past, I had to turn the machine off with the power button, and go through safe mode to get it to come back up.

Picture: From US Army Ordnance museum, Aberdeen. There is a saying in the Army, "never call attention in the latrine!"

Wednesday, March 03, 2010

The ten top spam botnets now control 5 million computers worldwide

Michael Kassner published an interesting annotated list “The top 10 spam botnets, new and improved” on Tech Republic this morning, an interesting piece to pass along. Here’s the blog link. The sneakiest and largest right now is Grum (or Tedroo), and it infects files used by Autorun registries, making it automatically activated, with 600,000 infections around the world. Maazben is “proxy-based” or “template-based”. Donbot (or Buzus) uses url-shortening or tiny url’s (popular with tweets) discussed heavily in the March 2010 PCWorld. Gheg (or Tofsee/Mondera – sounds like it comes from Avatar) encrypts traffic. According to Kassner, the top 10 botnets own 5 million computers and sent out 125 billion spam messages (including Nigerian scams and phishing) a day.

The visitor can review Symantec’s message labs report here.

Picture: ENIAC computer, WWII, at Aberdeen Proving Grounds, Army Ordnance Museum.