Friday, October 29, 2010

Firesheep (from Firefox) refines our understanding of "HTTPS Everywhere" and what sites should do

Electronic Frontier Foundation has an important piece by Seth Schoen, “The Message of Firesheep: Implement Sitewide HTTPS Now”, link here, dated Oct. 29.

According to the story, Firefox’s Firesheep extension demonstrates that an attacker can sniff packets from a target’s network and copy cookies, sometimes stealing logon information. The https logon might not be effective if the site does not properly encrypt user-related information. (This isn’t an issue for a flat website or blog that does not accept visitors; it probably isn’t an issue for interacting with blogs hosted by reputable service providers including Blogger, WordPress, and most well-established shared hosting ISP’s; I’m a little bemused by the observation that others on a network could sniff Facebook or Twitter logons, unless they are talking about Facebook and Twitter plugins on other sites, and I would wonder about “wardriving” and wireless issues.) One of the features of https is that, when implemented properly, it allows a site to verify that you are who you say you are; but some sites don’t use https for all phases of this verification. Recent hardware and software advances show that this would not slow down processing. EFF says that “https everywhere” may not fully protect the visitor on websites that haven’t implemented encryption for all phases of their logon verification.
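An added example (not from the EFF article or this blog): a short Python audit of a recorded login flow that flags cookies a sniffer on the same network could read because some phase of the session is not protected by https. The flow format, cookie names and the example.test host are constructed, and every step is assumed to be on one host, so domain and path matching are ignored.

```python
from urllib.parse import urlsplit

# Constructed sample flow: an HTTPS logon followed by a plain-HTTP page.
SAMPLE_FLOW = [
    {"url": "https://example.test/login",
     "set_cookie": ["sid=abc123; Path=/; HttpOnly",
                    "csrf=zz9; Path=/; Secure"]},
    {"url": "http://example.test/home", "set_cookie": []},
    {"url": "https://example.test/settings", "set_cookie": []},
]


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_flow(flow):
    """Return (cookie, reason) pairs for cookies exposed to passive sniffing."""
    findings = []
    jar = {}  # cookie name -> True if the cookie carries the Secure attribute
    for step in flow:
        scheme = urlsplit(step["url"]).scheme
        # Cookies set earlier ride along on this request unless marked Secure.
        for name, secure in jar.items():
            if scheme == "http" and not secure:
                findings.append((name, "sent in cleartext to " + step["url"]))
        for header in step["set_cookie"]:
            name, attrs = parse_set_cookie(header)
            secure = "secure" in attrs
            jar[name] = secure
            if scheme == "http":
                findings.append((name, "set over cleartext at " + step["url"]))
            elif not secure:
                findings.append((name, "set without Secure at " + step["url"]))
    return findings


if __name__ == "__main__":
    for cookie, reason in audit_flow(SAMPLE_FLOW):
        print(cookie + ": " + reason)
```

A flow that stays on https throughout and marks every cookie Secure produces no findings.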

Wednesday, October 27, 2010

Conservative DC paper reports that Iran-associated hackers have exploited a WordPress flaw on some sites

The “conservative” newspaper “The Washington Times”, in a front page story by Shaun Waterman Thursday, warned that hackers in Iran seem to have exploited some reported vulnerabilities in WordPress, and planted botnet Trojans that can sometimes take control of computers of visitors to these sites. The hackers may be playing pranks or trying to attack enemies of Shiite Islam, but there is no evidence that they are connected to the government in Tehran.

It was not reported here whether standard anti-virus software actively protects visitors to infected sites and prevents their computers from becoming compromised or commandeered. Presumably major antivirus companies would detect them readily. Since WordPress is so popular with "amateur" bloggers (even in comparison to Blogger), especially sites mapped to separate domains, the report could be alarming, although the number or frequency of such sites is not known. WordPress is considered superior in some ways by many bloggers. 

Some connected vulnerabilities appear in Adobe PDF, Java, and Microsoft Internet Explorer. (The safety of Java and applets would deserve a discussion some other day; in the late 1990s its relative safety was touted in Java training classes.)

The link to the Washington Times (“TWT”) story is here.

Possibly in response to the stories about WordPress (and there have been earlier reports of vulnerabilities), competitor Google tweeted and published a "Blogger Buzz" story about "Safe Browsing on Blogger" here (Blogger is "its" product).

Thursday, October 21, 2010

More advice on password changes; how Cloud security is a group experience

The latest on password security has been floating around on Twitter, with a lot of it referring to an Oct. 15 New York Times article by Robert McMillan of IDG News Service, “Google: Change Your Password Twice a Year to Stay Safe”, link here.

One problem is that scammers often save passwords, and so another technique is to never use the same or closely related passwords on different accounts that you consider critical. I would think at least 4 to 6 times a year would be more appropriate. At work back in 2001, in a Unix environment, we had to change it once a month and go through a password cracker.

Google has an article by Priya Nayak on Oct 15 on its own corporate blog, “Protecting your data in the Cloud”, link here. The company points out that since your account is considered trustworthy, scammers might be tempted to sift from other people you know supposedly to “help you out”. Such schemes, to be sure, generally do not fool tech savvy people or people who must know how to network online properly to generate legitimate business for themselves (including, for example, filmmakers and musicians).

Wednesday, October 20, 2010

Internet cafe displays spyware warnings on the fly, but in IE only, not Mozilla

Yesterday (Oct. 19) I went into a full service Internet café in Greenwich Village and noticed while testing a few of my blogs that “Real Threat” would identify a few spy cookies with a popup square at the lower right side of the web page, in Internet Explorer only. The same blog would not bring up the warning consistently, and it appeared at least once on Yahoo! too. The warning did not appear with Mozilla. I also sometimes got C++ runtime errors with an invitation to debug from a few sites that displayed this warning, but in Internet Explorer only.

Webroot does not show these to me on any site or browser, and neither does McAfee or Kaspersky. However, batch screens with Webroot usually do identify and (upon request) quarantine a number of common cookies, including realmedia, tripod, doubleclick, overture, adbureau. Many of these sound familiar. They are identified by repeated scans so they appear to be commonly used, and probably harmless.

Monday, October 18, 2010

Australia will start program where ISP's notify, cut off users with infected PC's; US studying plan

Lolita C. Baldor has an Associated Press story Monday Oct. 17, “U.S. Studying Australian Internet Security Program”, link here. In Australia, starting in December 2010, ISP’s will notify users whose computers are infected (particularly when taken over by botnets) and may disconnect them until fixed.

Microsoft has been urging such a measure worldwide. The Obama Administration is looking at the program for the US, but there is a general impression that in the US ISP’s won’t be encouraged to cut off consumers immediately. But Comcast will soon start a pilot program in December of alerting infected consumers. Probably security companies will offer for-fee services to clean up computers and bring them to ISP standards.

Saturday, October 16, 2010

Search engines ponder encrypting results, and looking for encrypted versions of sites

Electronic Frontier Foundation has an important analysis by Seth Schoen, “Search Engines Protect Privacy with Outbound HTTPS links”, link here.

The main point is that while searching itself can be encrypted, an engine can return an unencrypted version of a site, particularly if an encrypted one is available. (The article discusses Wikipedia, and I wasn’t aware it could be encrypted.) It also proposes that all browsers offer automatic encryption, which now only Firefox can do. (Some wireless servers, as at universities, may be starting to do this.)

I wonder if this could become an issue for webmasters who offer information only (as with my doaskdotell.com site) and don’t offer logons or expose visitors to revealing PII at all.   Would search engines stop indexing us?  What about simple blogs?  Will we all be expected to encrypt our sites, no matter what?

Friday, October 15, 2010

Firefox offers bloggers a tool to block litigious sources

Here’s an odd topic for a blog on Internet safety. If you blog and don’t want to use content from sources known to be litigious, you can install a plugin tool into Firefox to block access from those sources. Then you won’t inadvertently use it and possibly face a copyright lawsuit, a topic I have covered on my “BillBoushka” blog (esp. the Sept. 8 posting).

Clayton Cramer has a blunt blogger entry titled “How to make sure you don’t accidentally visit organizations that don’t want you”, on a posting Aug. 18, 2010, about the Righthaven mass litigation, here.

A blog devoted to “Righthaven victims” offers detailed instructions on how to use the Firefox tool here.

Both list and show how to block sites from Stephens Media. WEHCO Media could probably be added to the list.

One could use this technique with sources known to file SLAPP lawsuits, too.

Tuesday, October 12, 2010

Trend Micro uses "cloud computing" rather than data file downloads to keep its security protection up-to-date

Time Magazine carried (on p. 64) a full-page paid advertisement in the Oct. 18, 2010 issue for Trend Micro Titanium Security Suite, with the website here.  Trend’s tagline is “Internet Security that won’t slow you down”, and the printed ad reads “Securing your PC from cybercrime; Protect PC’s against insidious attacks without the endless security file downloads that cripple productivity”. The technique?  Cloud computing. You have to have a high quality high speed Internet connection where their server will continually check your PC.  One would have to be sure that one wouldn’t want to run into those notorious ISP broadband limits.  
"Titanium" happens to be the name of one of my screenplays (UFO's land).

Saturday, October 09, 2010

Firefox trojan sets up automatic password saving and keylogging without user's knowledge

Webroot and InfoSecurity are reporting a Trojan that can inject a keylogger and also cause Firefox to store passwords automatically without the user’s direction. On some computers, this could also cause passwords accessed through IE or Chrome to be compromised, too.

The InfoSecurity story is here.  Andrew Brandt, of the Denver security company, has a blog posting in which he says that Firefox will “forego forgetting passwords”, as here.

He recommends downloading the latest Firefox installer from here. It’s interesting that this trojan targeted Firefox first, since Firefox has been considered safer than IE.

Webroot tracked the virus hacker to Iran, and it is not clear that any use has been made of any stolen passwords. However, conceivably an enemy could use a device like this against an institution’s critical systems. It may be a good idea for home users with Firefox to run a scan against the latest definition file soon, before reloading Firefox.

Wednesday, October 06, 2010

Microsoft wants to quarantine infected PC's from web, require PC health certificates

Microsoft has published a position paper calling for a mechanism to identify infected computers and having ISP’s disconnect them from the Internet until they get “health certificates”. The paper is titled “Collective Defense: Applying Public Health Models to the Internet”, by Scott Chaney, Corporate Vice President, Trustworthy Computing.

A certificate would require freedom from malware and properly configured security software. I suppose Geek Squad and similar companies would have a business model bringing home computers up to standard. Questions could arise with home networks and routers, as to proper configurations if different computers had different vendors, or whether a given computer could or should have more than one vendor, or whether Microsoft Windows Firewall is sufficient (or whether Microsoft can beef it up). Another important issue would be the application of automated security updates. Computers or laptops that had not been used in a long time could also present issues.

Emma Woollacott has the story on TGDaily, here (it includes a download of the Microsoft paper, which is a dynamic PDF that will need to be saved on your computer). The title is "Microsoft wants 'sick' PC's banned from the Internet".

Saturday, October 02, 2010

Stuxnet worm reminds us of the need to keep work computers quarantined from home computers

Ellen Nakashima has a major article on the Stuxnet worm in the Washington Post on Saturday, Oct. 2, especially about the danger to U.S. power plants and other infrastructure. The link is here.

Apparently the worm can live on home computers with Windows systems, probably without symptoms (rather like hidden "bedbugs"), but it could make home computers into “Typhoid Marys”. If someone uses a flash drive at home and then at work on certain machines in a power plant, the possibility of infection could exist, even though the power plant should not normally be accessible through the Internet. Government agencies and companies will have to be even stricter about keeping work and personal computers separate than in the past.

Because so many people use home routers and may bring wireless laptops home from work, there might also exist other ways of “cross contamination”. This is sounding like health department regulations for commercial kitchens.

I expect that Webroot and McAfee will be publishing blog articles about Stuxnet soon, as will companies in the process control software business.