26 July, 2006

Recap PC World's -- 10 Biggest Security Risks

PC World’s August 2006 issue has a great article on “The 10 Biggest Security Risks You Don’t Know About,” http://www.pcworld.com/reviews/article/0,aid,126083,00.asp. This is a comprehensive article that should scare you enough to ensure your PC is up-to-date with fixes and you have all the necessary protections.

The article begins with describing zombie PC attacks. These are unknowing PCs taken over and being used for various crimes, including simply logging your keystrokes to learn your usernames and passwords. They offer the usual tips to avoid this threat: avoid unknown sites and email, be suspicious of email attachments, and use any browser except Internet Explorer.

The second risk discussed is having your own sensitive, stolen data available for free on the web. This is really a result of the first issue, with the hackers not securing what they have stolen. Why should they? Additional ways to avoid the original problem include having a personal firewall such as Zone Alarm – a product I have been using and pushing for years, and the product PC World recommends. With Zone Alarm, you can prevent outgoing connections to the Internet without your approval. For example, if a hacker gets a keylogger installed on your machine, Zone Alarm should prevent it from sending the captured data from your machine to the hacker.

The third risk discussed is phishing – the process of fooling you into using a site different from the one you think it is. For example, you receive an email that appears to be from your bank, you click on a link and log in as normal. Unfortunately, the email’s URL actually takes you to a hacker’s website designed to look like your bank’s website – and when you log in, they get your username and password. This is getting more and more difficult to detect – recommendations include installing a phishing toolbar to warn you.

The next risk discussed is the human factor, and the article discusses more phishing-like traps. I can add another that I have heard of – someone leaves a few flash memory sticks lying around with various virus and/or malware programs installed on them. When “lucky” people find them, they plug them into their computers to use. Upon plugging them in, the malware transfers to the person’s computer, infecting it. The particular example I had recently heard was about how these were dropped in a bank parking lot and the employees tried them in their business PCs. Fortunately this was a test to illustrate to the employees after the fact how they were not security conscious enough when it came to their computers.

The fifth example is again related to phishing. This particular exploit takes advantage of your company’s DNS server, which resolves the host names in the URLs you type into your browser and points them to the appropriate website. Protecting you against this vulnerability is up to your company’s IT organization or ISP.

The sixth security issue discussed in the PC World article is that of root kits. These are software programs that run on your PC without your knowing it. We never heard about root kits until recently, when it was discovered that Sony was installing root kits through music CDs to learn more about their customers. This may be the most troubling problem, because security vendors are having difficulty developing software to detect root kits. PC World is not able to offer too much help – they recommend a few companies that are leading the industry in detecting root kits.

The first six issues were directed primarily toward Windows users, and in any case toward computer users. The seventh risk talks about a security issue with your cell phone – viruses on your cell phone. I have not heard of anyone myself who has had a cell phone virus, but I am sure it is just a matter of time. Recommendations include turning off Bluetooth when you are not using it and monitoring your bill for any unusual charges.

So how about your passport? The government is testing passports with RFID tags, with the intent of using them soon. So far, research has proved that RFID tags can be crashed; and it is expected that before too long we will find the first privacy violation.

The ninth security risk is about holding your data for ransom. A hacker gets access to your machine and, instead of using it as a zombie, encrypts your data and will not decrypt it unless you pay him off. Of course PC World suggests not paying and going to the police. I would recommend you start with the same protections as mentioned for zombies, including not using Internet Explorer.

And the tenth security risk mentioned is the cross-platform virus or malware. As the popularity of the Mac and Linux OSs rises, we are seeing more vulnerabilities that occur on those platforms or that can be spread through those platforms. If you are using one of those OSs, it is recommended you also protect it with appropriate virus protection, personal firewall, and spyware applications.

That concludes my recap of the PC World article. An interesting read to say the least. If you are not protected today, it may be too late; a criminal could already hold your data. Whether it is or not, it is not too late to start now and prevent any further issues. If you are unsure of how to verify you have taken all the appropriate preventative measures, ask someone.

Firefox: Have you switched yet?

If you have not replaced Internet Explorer (IE) with Firefox, you are really leaving yourself open to security threats plus missing out on an improved browsing experience. In addition to not supporting ActiveX, which will solve most of your security concerns, Firefox offers hundreds of extensions to improve your security and enhance your browsing experience.

Take for example the extension NoScript. With NoScript, I specify which domains, if any, can run JavaScript on the web page I am viewing. In most cases, I always accept the local domain, but no others. For example, if I visit Pogo.com, which has a lot of free games, I allow Pogo to run JavaScript, but I miss all their ads because I do not allow DoubleClick.com and other domains to run JavaScript.
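To make the per-domain allow logic concrete, here is an added example (my own illustration, not code from the NoScript extension) modelling how such an allow list decides which scripts on a page may run. It assumes two simplifications: the page's own host is always permitted, and permitting a domain such as pogo.com also permits its subdomains. The page and script addresses are constructed sample data.

```javascript
// Added illustration (not NoScript's code): a simplified model of
// per-domain script allowlisting as described for NoScript above.
// Assumptions: the page's own host is always allowed, and an allowed
// domain covers its subdomains. The real extension has many more rules.

// True when `host` is exactly `domain` or a subdomain of it.
// The "." prefix matters: without it, "notpogo.com" would match "pogo.com".
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Decide, for each script on a page, whether it may run.
//   pageUrl        - address of the page being viewed
//   allowedDomains - domains the user has permitted (page's own host implied)
//   scripts        - objects like { src: "https://..." } or { inline: true }
// Returns an array of { host, permitted } in the same order as `scripts`.
function evaluateScripts(pageUrl, allowedDomains, scripts) {
  const page = new URL(pageUrl);
  const allow = [page.hostname, ...allowedDomains];
  return scripts.map((s) => {
    let host;
    if (s.inline) {
      // Inline scripts belong to the page itself, so they follow its host.
      host = page.hostname;
    } else {
      // Resolve relative and scheme-relative src values against the page URL,
      // so "/js/game.js" and "//ad.example/x.js" get a real host.
      host = new URL(s.src, pageUrl).hostname;
    }
    const permitted = allow.some((d) => hostMatchesDomain(host, d));
    return { host, permitted };
  });
}

// Constructed sample resembling the Pogo example: the site's own scripts
// run, the third-party ad network's script does not.
const SAMPLE_PAGE = "http://www.pogo.com/games/index.jsp";
const SAMPLE_ALLOW = ["pogo.com"];
const SAMPLE_SCRIPTS = [
  { src: "/js/game.js" },                       // same host, relative path
  { src: "http://static.pogo.com/lib.js" },     // subdomain of allowed domain
  { src: "//ad.doubleclick.net/adj/pogo.js" },  // third-party ad network
  { inline: true },                             // inline script on the page
];

function sampleDecisions() {
  return evaluateScripts(SAMPLE_PAGE, SAMPLE_ALLOW, SAMPLE_SCRIPTS);
}

// Running this file prints one line per script, e.g.
//   www.pogo.com: run / ad.doubleclick.net: blocked
for (const d of sampleDecisions()) {
  console.log(`${d.host}: ${d.permitted ? "run" : "blocked"}`);
}
```

The suffix match with a leading dot is the detail worth keeping from this: matching on a bare `endsWith("pogo.com")` would let an unrelated domain like notpogo.com inherit the permission, which is exactly the kind of mistake an allow list must avoid.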

Another great extension is SiteAdvisor, which is now owned by McAfee. SiteAdvisor displays a green, yellow, or red indicator on search results, as well as on the bottom of my browser window, to indicate their rating of the site. In most cases, I won’t follow any red link, and only if it is really important will I click on a yellow-designated link. I can even easily visit the SiteAdvisor site before I follow the link, so I can learn why the site was given the particular rating. For example, recently I was doing some research, but a promising site had a red rating. What I learned was that the site I wanted to visit linked to one unsafe site. So, I visited the site I wanted, but made sure I never followed a link from there to the real unsafe site. Note that I believe SiteAdvisor is also available for IE, though I have not tested it.

Other useful extensions include links for posting to Digg and Del.icio.us – these are social voting and bookmark sites that are quite informative and fun. I have also included the Google toolbar so I can take advantage of their anti-phishing tool. Of course Firefox includes Google search as a default feature, but now I can change that default to my second-favorite search engine, giving me easy access to two search engines.

For more information on extensions available for Firefox, try reading the following articles. Information Week published 5 Tools to Bullet Proofing Firefox on July 14th. The article discusses some of the extensions I already covered, including SiteAdvisor and NoScript, as well as some additional information. Leslie Franke has an extensive site covering Firefox (54 entries as of this time), including a great article about Firefox extensions, Mozilla Firefox – Have It Your Way! So if you don’t believe me, learn from Leslie and switch to Firefox.

July 29th -- I found another good resource that reviews some Firefox extensions: 13 Great Firefox Extensions for Web Professionals from Adam McFarland. If you do any sort of web work, Adam reviews some extensions that can be of benefit to you.

03 July, 2006

Follow-up to IE Causing Problems with Project 2003

I had posted on June 5th my experience with how Microsoft Project 2003 had problems with certain functions due to a security setting in Internet Explorer, the My Computer domain being set to High.

On June 14th, Microsoft finally conceded that there is no fix except to lower the security settings. I can either change the default setting to Medium or enable five settings, which for all intents and purposes is the same as changing the security to Medium.

Here's the response attempting to describe why it's okay that Microsoft has embedded IE into Project:
There is a reason we don’t expose that functionality in IE by default. It used to be there in Windows 2000 Server and Pro, but it serves little purpose, provides no protection against the outside world, and generally only breaks things. Worse, since it’s set on a per user level, it doesn’t prevent OTHER users or the system security context from running something ‘bad’ on the local machine, only the logged in user.

By modifying this, we are disabling core OS functionality, and Project uses IE. We do not test Project in this kind of environment. We can log it as a bug, maybe in the future they will sign those controls, so they can work in this environment, and that’s about as far as we can go. Also, I confirmed that we are not intended or supposed to work with High Security.

The function being referred to is the Security for the My Computer domain. To expose that function, you have to make a change in the Registry. To avoid breaking things, Microsoft set it to High and then hid it from the users. This is supposed to protect the user from ActiveX code running locally among other things -- the same thing that caused HTML code on CDs to quit executing. So I had exposed it myself in troubleshooting why local CD code would no longer execute. My point here is the same as my original post: Microsoft integrated IE into Project, and then when they changed the default security settings, it broke their own application -- an application that they charge $600 for.

On to the second paragraph: if we are disabling core OS functionality, then Microsoft still has the IE browser integrated into the OS. I had asked in a conversation whether I could remove IE and use Project. I was told that I could, but the same features would not work as I was trying to get working. And yet again, here's another example of poor QA from Microsoft.

TWiT Discusses Net Neutrality

This Week in Tech (TWiT), hosted by Leo Laporte, had a great discussion on Net Neutrality during show 60, posted July 2nd. Of particular interest was the playing of part of a speech from Senator Ted Stevens [transcript] [audio] (R - Alaska). According to Mr. Stevens, he wants businesses to pay data providers a tax based on savings through the use of the Internet. His example was services such as NetFlix: if movies are to be delivered via the Internet instead of mail, an additional fee should be charged (above the bandwidth fee already being paid to deliver the movie).

Here are the comments I posted on the TWiT website:
It was great that you gave so much time to Net Neutrality -- you really helped me gain additional clarity on the real issue, and I have been following it for several months now. I believe the goal of the data providers is to tax content providers; it was never about the home user. The data providers see all the revenue being generated using their pipes, and they want part of it. This is like the water and electrical utilities asking for an additional tax of every business they provide services to.

We should also consider businesses that have remote employees. Will there be an additional tax to the data providers so that you can have employees work from home? If you listened to Ted Stevens, since your business has traditionally paid for office space for you, and now you work at home, the data providers deserve a share of the savings. (This is the same as the data providers wanting part of your savings if you deliver movies over the Internet instead of the current method through the mail service.)

Has anyone considered the implications to businesses in general? Today my company provides a rich web site for support. As consumers, we rely highly on vendor websites for downloads and help. My point is that we hear about Microsoft, Yahoo!, and Google having to pay a higher fee, but every company will potentially suffer from this. The very thing that the Internet offered, lower cost to do business, is going to be impacted by this. (Remember, if your start up business can run more efficiently using the Internet than traditional bricks and mortar and postal service, then the data providers want a piece of your savings.)

For the argument over speed to the home, and the claim that the network can no longer support the number of users, the data providers should have never sold the service if they cannot deliver. I'm with John, we need a class action suit against these guys.