Thursday, March 31, 2011

More experts say that US, West are vulnerable to cyberattack: workplace computer policy is part of problem

Ken Dilanian has an article in the Tennessean (Gannett) describing concerns about vulnerabilities of major public utilities and infrastructures to cyberattack, link here

One major problem is that employees can log on to work computers at utilities from home computers, rather than properly secured and separate corporate laptops.  Other vulnerabilities could exist from employees’ use of their own cell phones or Internet connections.  Generally, of course, utility infrastructures are not supposed to be accessible from the public Internet.

This is also true overseas. The end result is a kind of vulnerability not encountered even during the Cold War. 

Sunday, March 27, 2011

MSN publishes table on how long automated password cracking really takes: with 8 character "random" pw's of all possible chars, you're pretty safe

MSN, in a series of stories about home and computer security, offers a chart on how long it would take a hacker to crack a password of any given length and all possible upper and lower case letters, numbers, and special characters.  The link is here

Passwords that appear totally random and that are not reused anywhere else are stronger. Strings that help a user remember the complete password should be significant (as code words for things) only to the user and not be published or discussed with others. 

With only lowercase characters, for an 8-character password, it’s about 2 days; but with all possible characters, it’s about 200 years.

Friday, March 25, 2011

TOR and EFF report major breach with https CA's, possibly linked to Iran

Electronic Frontier Foundation has a story this morning about how an HTTPS/TLS certificate authority (CA) was recently duped into issuing phony certificates, apparently by hackers in Iran (probably connected to its government). EFF warns that this threatened an “internet-wide security meltdown”, in a story March 23 by Peter Eckersley here

The TOR Project also has a blog entry about this here

EFF goes on to give some discussion of DNSSEC-PKI (link), and refers to questions about the underlying security of the domain name system, which erupted in a major security crisis in the middle of 2008.

It’s still very much an open subject. 

HTTPS is absolutely essential to surfing and entering any passwords or personal information in a wireless environment.

Curiously, this morning, on my Windows 7 Pro machine, I had trouble getting to EFF from Google Chrome, but it worked in Mozilla, and on a nearby XP machine in Chrome. There could be a subtle issue with https, Windows 7 and Chrome together in some circumstances.

Wednesday, March 23, 2011

Another list of common ways PC's get infected

Here’s another list of “10 Common Ways your PC Gets Infected with Viruses” at the “Internet Service Guy” site, link

The most important may be not activating anti-virus protection on a new computer, or letting subscriptions expire (they get confusing and some antivirus companies have trouble billing properly after the “free” period), or not getting updates run properly, which may be more of a problem on older backup PC’s not used all the time.

It’s disturbing to see the comment that small business or personal sites may be more dangerous because they don’t have the high level of security. This may be less the case if they are hosted by a reputable shared hosting provider (which you can look up under “WhoIs” as technical contact). I generally don’t use my credit cards except on large well-established sites (Amazon) or when redirected to them by smaller sites (as for fundraiser charges).

Tuesday, March 22, 2011

A number of nasty shakedown malware threats: to computers, mobile phones and cars (Webroot tweets)

Webroot has tweeted three particularly scary stories.

One concerns a man in Los Angeles who was convicted of hacking into computers through P2P, and trying to extort users into sending him porn after finding it on their computers. Imagine how this could go into the area of frivolous prosecution. The CBS LA station story is here. A variation of this theme would be a kind of ransomware or shakedown, locking files on your computer until you log on and pay a hacker, or even threatening to do so if you don’t download something illegal.

Then All Voices reported a story from Russia about malware, sometimes spread through Bluetooth, which could disable a car’s antitheft system and which thieves can even “trade” among themselves, here

AOL also offered an article “Celebrity Phone Hacking 101”, with mention of Bluetooth to place spyware on the mobile devices, link here. One point to remember is GPS; someone could follow someone else’s location for targeting reasons.

Monday, March 21, 2011

Washington Post reviews "do not track" and Adobe security updates of major browsers

Rob Pegoraro has a “Fast Forward” story in the Washington Post Sunday March 20, in which he compares the security aspects of Internet Explorer 9, Mozilla Firefox 4, and Google Chrome, “Internet Explorer, Firefox updates offer more with less,” link here

He does explain the two separate “do not track” features of IE9: the “blacklist” (or “tracking protection list”) which actually stops sites from using cookies (especially spy cookies) to track you. But it also has a “last minute” ability to tell every site you visit not to track you, which he says is similar to the touted option of Firefox 4.  Since this latter feature is “voluntary”, it will work only as sites feel “political pressure” to honor it, or know that Website safety rating programs like McAfee SiteAdvisor and MYWOT are likely to follow this behavior and score it separately.

Pegoraro prefers Google Chrome for security in that it automatically installs security updates to the Adobe Flash Player and PDF reader, whereas, he says, IE doesn’t warn you you’re out of date, and Mozilla makes you read it.

I find when I boot up, Adobe often offers updates right away, but that may be because I use Chrome a lot.  

Friday, March 18, 2011

Webroot flags an "antenna" javascript element on a newspaper page

Today, while visiting a web page of a well-known newspaper, Webroot, in Firefox, warned me that it had blocked “”.  This occurred on a Windows 7 machine.  An XP machine protected with Kaspersky did not give the warning, although Firefox blocked a popup.

I could not find much on this javascript element, although it appears from the name that it would be trying to capture consumer or visitor IP information for adware. 

The only analysis I could find was at “Malware-Control Analysis”, for example, here.

(Note: next sign on, Blogger has disabled my cookies, which a repeat sign-on has restored. Might have happened because I accessed the script in Chrome where Webroot didn't catch it.) 

Wednesday, March 16, 2011

Twitter says it now offers automatic https (Ashton Kutcher tweet!)

Yesterday, Ashton Kutcher (the champion Twitter-master) sent a tweet (“aplusk”) advising everyone about the availability of https on Twitter. The Twitter blog entry is here

To set it, go to your profile and then Edit (on the left). I had to try twice to get in. It will ask for your password. But afterward it didn’t automatically change me to https; it did work if I keyed https. By comparison, Facebook always takes me to https now.

Tuesday, March 15, 2011

McAfee SiteAdvisor restores green status to many "smaller" sites

McAfee Site Advisor has restored “green” status to many smaller sites marked “gray” for the past few weeks.  I’m not quite sure what had caused the gap; maybe it was a concern about links from sites, which would be very hard to monitor from “amateur” sites since they are likely to vary widely and go to less “reputable” places. The green ratings also appear on Firefox Google searches.  

The MYWOT (Web of Trust) reports, even in detail, seem to remain the same over time. 

Sunday, March 13, 2011

School systems push up efforts to intervene against cyberbullying

The Sunday Washington Examiner has an important story by Emily Babay, “Officials push to combat cyberbullying”, link here.

The story refers to the president’s own admission that he was once a victim of the playground-recess kind because of his big ears.

But the big question is how well school districts can educate kids to stop this and take action for bullying that takes place online from home. 

One school in New Jersey asked all parents to ban kids of middle school age from having social networking accounts. Even Michelle Obama says that online social networking is not needed at this age, as she forbids her own two daughters from it yet.

Wednesday, March 09, 2011

Home routers not protected by passwords could be hijacked for criminal purposes: downstream liability question?

NBC today had a story about a man in Sarasota, FL who was briefly and falsely accused of distributing c.p. (the FBI came to his home pounding on the door) when his wireless signal was used from a building hundreds of feet away, possibly with a Pringles device.  He had not password-protected his home wireless signal.

Wireless routers generally provide a step for a user to supply a password as part of setup. If you have to use such a password to add additional (laptop) computers to your router home network, it is protected (although the password ought to be strong).

This is not the same issue as Firewall protection of outbound wireless protection from your laptop, especially in a public place. This is the router itself. 

Home users could face considerable expense in defending themselves if their wireless router signals were borrowed for any illegal purpose. Whether a home router owner could face civil risks for negligence for not protecting a router if it were hijacked could be an interesting question. It’s not necessarily true that your ISP is involved, because this is just about the router itself, which does not need to use the ISP’s Internet connection. If it were involved, there could be a TOS issue with not protecting a router.

Tuesday, March 08, 2011

Firewalls will become much more heuristic; NBC reports on attack by Anonymous on HBGaryFederal

Webroot tweeted today a major PCWorld article on “new Firewalls” and their use of heuristic analysis of application behavior to improve protection, by Mathias Thurman, link here

I don’t see an obvious connection to the Firewall issue in my previous post, or maybe I do. Maybe the Webroot firewall doesn’t like my “behavior” with Internet requests, and I need to set up a new user. Haven’t tried it. But it could be a “heuristic” false positive. The other possibility is that it could be excluding a particular exe necessary for Internet access.

The buzzword here is “United Threat Management”, as in a linked Computer World article here

NBC tonight reported on the hacktivist group “Anonymous”, with the attack on “HBGary” (basic link) (try the url for “hbgaryfederal”). The story indicates how dangerous collective indignation can become. Come on Barrett Brown, don’t smoke in your interviews with reporters; that’s depressing. The group’s latest cause is to come to the “aid” of PFC Bradley Manning.

There's a great line spoken by actor Jesse Eisenberg early in "The Social Network": "Let the hacking begin."

Tuesday, March 01, 2011

Webroot shuts down firewall if you work "too fast", and then won't let you work at all without "allowing all"

Here’s the next problem!  AOL mail is notoriously slow in displaying contents (maybe because I haven’t deleted them), so I tend to run through them and not wait for it to display half-junky emails. I’ve used AOL since 1994, so I have been reluctant to change an email address.

Tonight, I was doing that and suddenly my Internet access failed on my home router. First I thought it was Comcast, but my older computer right next door was still up on the Web. Windows 7 diagnostics told me to restart the Comcast modem and Netgear router in that significance. But my MiFi hotspot from Verizon also had no access.  (There was an old saying at work “The Merge-Purge has no urge”.  Maybe that’s “Eliminating Desire.”)

I tried my little Toshiba notebook, also Windows 7, and Internet access worked both ways. I ran Webroot virus scan, nothing found. But then I checked the Firewall. 

By setting Webroot firewall to “allow” from “filter”, Internet access worked both ways (Comcast broadband with Netgear and Verizon MiFi).

Windows 7 says that its Firewall is working properly, but the Microsoft (or “Microslop”) firewall is weaker than that from other vendors, so they say.

I guess Webroot “learns” from what happens. If too much suspicious behavior occurs, it will not allow any traffic again. I’ll have to log a problem tomorrow. But I suspect they will tell me to uninstall and reinstall the product so it unlearns my behavior.

Moral of the story?  Maybe don’t use AOL.  Maybe don’t work too fast with commercial Firewalls, or bypass loading pages, or the Firewall will assume you’re a hacker.  At least Webroot does. It’s interesting that Windows 7 doesn’t understand what Webroot does, since it gives wrong solutions from troubleshooting.

It's fun to "QA test" Facebook, Twitter, and your computer security packages at home, for free, when you have your own work to do (make a movie about "don't ask don't tell"), isn't it. Back to the IT workplace!
