iWay-Safety.com: Computer Security / Asset Protection News & Views

Anti-virus software isn't the only computer security tool

Fri, 13 Jun 2008 01:37:58 GMT

... get in the habit of quickly installing all software program updates ... beyond that also consider:

Certified e-mail [?? Seems off the point since these services are directed at businesses not individuals]

Web page scanners ... tools using varying technologies to gauge the reputation of most Web pages. EG AVG's LinkScanner, ScanSafe's Scandoo, Trend Micro's TrendProtect, McAfee's SiteAdvisor [which I use] and Finjan's SecureBrowsing grade Web pages as safe, unsafe or questionable.

Browser security tools ... anti phishing filters

[In other words a toolbox instead of a tool.]

SANS OUCH! Newsletter - Volume 5, Number 5 May 2008

Thu, 12 Jun 2008 21:30:35 GMT

OUCH!

SANS Institute Security Newsletter for Computer Users

Volume 5, Number 5 May 2008

************************************************************************

In This Issue

1. Eight Surefire Ways to Become an Identity Theft Victim - 2. Malware

- - 3. Scams and Hoaxes - 4. Microsoft and Apple Security Updates - 5.

Security Newsbytes

************************************************************************

A formatted version of the OUCH newsletter can be found at https://www.sans.org/newsletters/ouch.

You can subscribe to OUCH on the same site. Send your comments to OUCH@sans.org.

************************************************************************

1. Eight Surefire Ways to Become an Identity Theft Victim

- --Practice unsafe surfing. When you purchase a new computer, go online without activating the firewall, or purchasing protective software.

Further expose yourself digitally by sharing a wireless connection with the entire neighborhood. Without digital encryption, you can share the contents of your hard drive with anyone on the street. For maximum risk, do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions.

- --Skimp on anti-virus and anti-spyware protection. Courting disaster online is easy. Invite malicious code to attack your computer simply by doing nothing. Antivirus programs can be pricey, and the maintenance of constantly downloading updates is time-consuming. Combine that with the security updates from Microsoft or Apple and it's enough to seriously annoy anyone.

- --Passwords are a pain! Make life easy for yourself by using the same password for EVERYTHING, and make it something easy to remember, like your first name or 'password'. Just in case, make sure you write it down on a yellow sticky and put it somewhere easy to see.

And don't forget to have your browser set to 'remember password' to make life easy for you - and the cyberthief.

- --Peek at junk email and open attachments from unknown sources. Open attachments from strangers, secret crushes, long-lost friends saying "what's up," or strangers hawking cheap drugs -- you'll never know unless you peek at that email. One of the many fun things that can happen when you open an attachment containing malicious code is infecting your computer with a Trojan horse or virus, which can easily lead to identity theft.

- --Stuff your wallet with juicy identifying tidbits. Wallets and purses are more than just handy cash-carrying devices. They often have credit cards, identification, insurance information and even Social Security cards. Obviously, more is better if you'd like to become the prey of fraudsters. Losing or misplacing a wallet or purse can cause more problems than just the hassle of replacing all those cards and buying a new bag. Armed with your date of birth, Social Security number and mailing address, there's no limit to the damage thieves could cause.

- --Make your checks payable to criminals. If you're like most people, you wouldn't post your checking account information on your front door, though you should if you'd like to be a victim of fraud. Similarly, checks reflecting the same information can be dropped casually into unsecured mailboxes. Statistically the chances of your mailbox being targeted by criminal elements are low, but not that low. According to the 2008 Identity Fraud Survey Report from Javelin Strategy and Research, almost 1 in 10 victims of identity theft who can pinpoint the scene of the crime say that it happened at the mailbox.

- --Opt out? Opt in! While you're mailing checks from the unlocked mailbox, go ahead and get credit card companies to send you all the pre-approved offers that the postman can cram into the box. Similarly, don't get credit card statements online; leave them on the side of the road so that they're more convenient for fraudsters who lack the technical knowledge or follow-through to launch complicated hacking schemes.

- --Nothing is too good to be true. Everyone wants to feel special and maybe more importantly, filthy rich. When reading an emailed proposition from an African business tycoon, an imperiled prince or downtrodden heiress offering millions of dollars in exchange for some small measure of assistance, it's difficult not to wish it were true. Falling for the story will undoubtedly lead to unpleasantness.

More information:

http://finance.yahoo.com/banking-budgeting/article/104894/7-Surefire-Ways-to

-Become-an-ID-Theft-Victim

************************************************************************

2. Malware

- --Zeus. A Trojan being spread by the so-called "Rock Phish" group of Russian criminals through phishing scams. Zeus is designed not only to trick victims into clicking on a link in a phishing email to give up personal information, but also to drop a Trojan on the victim's computer at the same time. The new attacks combine phishing and the Zeus Trojan to steal personal information and spread financial crimeware. Zeus can steal personal data such as usernames, passwords and Social Security numbers entered by the user while interacting with other websites.

More information:

http://www.scmagazineus.com/Rock-Phish-gang-adds-malware-download-to-attacks

/article/109240/

- -- RaceForTibet. Rootkit* malware that surreptitiously installs a keystroke logger on end users' PCs once they open a Flash movie file which uses a cartoon to mask its malware payload. The captured data is reportedly sent to a computer in China. The cartoon ridicules the effort of a Chinese gymnast and then displays images supporting a free Tibet.

The malware is being distributed as an attachment called RaceForTibet.exe.

More information:

http://www.itpro.co.uk/wireless/news/187935/tibet-supporters-targeted-by-tro

jans.html

* Rootkit: http://en.wikipedia.org/wiki/Rootkit

- -- OSX.RSPlug.A. A Mac Trojan that spreads by spam emails designed to lure users to pornography sites. Visitors are presented with a still image from a salacious video. Clicking on the image to play the video returns the following message: "Quicktime Player is unable to play movie file. Please click here to download new version of codec." After the linked page loads, malware is downloaded and launches an installer. The installer requires the user to enter the admin password. Once the password has been entered, the malware infection is complete. The Trojan alters network settings, redirecting webpages and funneling advertisements for porn sites to your Mac.

More information:

http://www.geekstogo.com/2007/10/31/osxrspluga-trojan-info-and-removal/

************************************************************************

3. Scams and Hoaxes

- --Economic Stimulus Refund Phishing Scam A number of phishing scam emails are currently targeting US taxpayers by offering bogus refund payments as bait. This email, purporting to be from the Internal Revenue Service (IRS), claims that the recipient is qualified to receive the 2008 Economic Stimulus Refund. The recipient is instructed to follow a link in the message in order to fill in an online form, ostensibly to allow the refund to be processed. The email includes the IRS logo and copyright notice and is from a seemingly genuine IRS email address. However, the email is not from the IRS.

More information:

http://www.hoax-slayer.com/economic-stimulus-refund-scam.shtml

- --United States District Court Subpoena Malware Email This seemingly official email purports to be a subpoena sent by the United States District Court. The message claims that the recipient must testify before a Grand Jury at a specified place and time. The recipient is instructed to follow a link in the message to download and print a complete copy of the subpoena document. However, the message is not from the United States District Court. In fact, the message is an attempt to trick recipients into installing information-stealing malware on their computers.

More information: http://www.uscourts.gov/newsroom/2008/alert.cfm

http://www.hoax-slayer.com/subpoena-phishing-scam.shtml

- --Visa Personal Password Phishing Scam An email claiming that recipients can protect their Visa credit card for online purchases by clicking a link in the message and creating a personal password. However, the message is just another phishing scam and was not sent by Visa. Those who fall for the ruse and click the link will be taken to a very sophisticated, but fraudulent, website that has been designed to closely resemble the genuine Visa website.

More information: http://www.hoax-slayer.com/visa-password-scam.shtml

- --Mail Server Report

According to this warning message, a dangerous virus is being distributed via emails with the subject line "Mail Server Report". The warning claims that opening attachments that come with the email will first display a message saying "It is too late now, your life is no longer beautiful" before destroying all files on the infected computer and stealing personal information. However these claims are untrue.

There is not, nor has there ever been, a virus like the one described in this bogus warning message.

More information: http://www.hoax-slayer.com/mail-server-report-hoax.shtml

************************************************************************

4. Microsoft and Apple Security Updates

Microsoft and Apple provide free security updates for their software products.

Windows: Microsoft issues patches for all Microsoft products on the second Tuesday of each month as well as out-of-cycle patches on any day of the month. The next scheduled release date is May 13th. Check manually too, once every two weeks, to make sure all of the updates have been installed.

More information: http://www.microsoft.com/athome/security/default.mspx

OS X: Updates are issued frequently, and their contents may differ depending on which processor is in your Mac (PPC or Intel).

More information: http://www.apple.com/support/downloads/

iPhones: Must be updated manually:

http://docs.info.apple.com/article.html?artnum=305744

************************************************************************

5. Security Newsbytes

- --Hannaford to Spend Millions on IT Security Upgrades After Breach Executives at Hannaford Bros. Co. have said that the grocer expects to spend millions of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems. The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford's network and the individual systems at its stores, plus the deployment of PIN pad devices with encryption support in store checkout aisles. Hannaford also has signed on IBM to do around-the-clock network security monitoring.

More information:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&;arti

cleId=9079652

- --Microsoft Reports 300% Increase in Trojan Downloaders Computer users are increasingly at risk of being lured to websites that surreptitiously download malicious software onto their machines, but stolen or lost laptops still represent most of the security breaches reported, according to the latest six-month Microsoft Security Intelligence Report. Exploits, malicious software, and hacking accounted for 13% of all security breach notifications recorded in the second half of 2007, while 57% of the breaches publicly disclosed involved lost or stolen equipment. Malicious software attacks via Trojan downloaders and droppers increased by 300% during the same time period.

More information:

http://www.news.com/8301-10784_3-9925077-7.html?tag=nefd.only

- -- Firefox and Safari Updates Tackle "Alternative" Browser Bugs Mozilla has updated its Firefox web browser in response to the discovery of a vulnerability which allows miscreants to take control of vulnerable systems. Apple has pushed out an update for both the Windows and Mac versions of its Safari web browser. The more serious Mac flaws, if left unchecked, create a means for hackers to crash browsers or inject malicious code into vulnerable systems.

More information:

http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

http://support.apple.com/kb/HT1467

************************************************************************

Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product. Readers are invited to subscribe for free at https://www.sans.org/newsletters/ouch

PC World: Vista's Despised UAC Nails Rootkits

Mon, 09 Jun 2008 20:58:17 GMT

It can spot [all] rootkits [used in the tests] before they install. While only six of 30 rootkits could run on the OS, the testers had to turn off UAC to get even that far. Vista's UAC itself spotted everything thrown in front of it. [That alone got me to turn UAC back on although rootkit authors simply may not be interested in engineering for Vista.]. When testing Windows XP, of 30 rootkits thrown at XP anti-malware scanners, the best of the all-purpose suites was Avira AntiVir Premium Security Suite, which found 29 active rootkits. The anti-rootkit tools fared better with four achieving perfect scores but all failed to remove any of the rootkits they had found.

SANS Spyware Mini-Quiz

Fri, 21 Mar 2008 01:58:51 GMT

SANS Institute Security Newsletter for Computer Users
Volume 4, Number 11 November 2007
************************************************************************
A formatted version of the OUCH newsletter can be found at https://www.sans.org/newsletters/ouch. You can subscribe to OUCH on the same site. Send your comments to OUCH@sans.org.
************************************************************************
Spyware Mini-Quiz
(1) Approximately how many computers on the Internet are infected with spyware?
a. 25%
b. 45%
c. 60%
d. 80%
(2) What is the single best thing you can do to protect your computer against spyware?
a. Disable Active-X in Internet Explorer
b. Protect your computer with a firewall
c. Install anti-spyware and keep it updated
d. Only browse websites that you know and trust
************************************************************************
Answers
(1) d. While expert opinions vary, most sources agree that 80% is a reliable estimate.
(2) c. Antispyware is as important as antivirus software for protecting your computer.

Copyright 2007, SANS Institute (http://www.sans.org)

Ten Myths About Identity Fraud

Tue, 18 Mar 2008 23:30:05 GMT

Ten Myths About Identity Fraud FEBRUARY 12, 2008 | 5:38 PM By Tim Wilson According to new studies of the ID fraud space, some reports offer data that debunks many of the current myths about identity theft. 1. There is a higher incidence of ID fraud today than in past years - The trend is downward, not upward. 2. There are more victims of identity theft and fraud today than there have ever been before - Some estimates are that the number is down, not up, from the year before. 3. Identity fraudsters are stealing record amounts of money from their victims - the cost of identity fraud and theft underwent its most precipitous drop last year. 4. Most identity theft and fraud occurs online - criminals are moving to places where the pickings are easier: telephone and mail fraud due in part to better web defenses. 5. Online attackers are the greatest perpetrators of identity fraud and theft. identity theft is often committed by someone you know, rather than a stranger - a surprising 17 percent. 6. Large security breaches are the most dangerous to users – Apparently criminals can only exploit so many identities regardless of the size of the “haul”. 7. Identity thieves distribute their booty widely, selling or publishing it wherever they can - no evidence found that fraudsters who misuse breach data were selling the data broadly or distributing it over the Internet. 8. Valid credit cards are an identity thief's primary target - There are many other ways to use personal data that can be just as dangerous to the consumer, researchers say. 9. Fraudsters steal as much personal data as they can, storing it up until they are ready to use it - in most cases, online fraudsters don't store up stolen ID information, but cycle through it quickly. 10. The incidence of identity fraud is pretty much the same from state to state - Consumers in California, Delaware, Idaho, Illinois, and West Virginia have experienced a higher rate of identity fraud and theft.

How to help avoid browser hijacking

Mon, 30 Jan 2006 18:44:23 GMT

Micorsoft Security At Home: "Browser hijacking" is a common type of online attack in which hackers take control of your computer's Internet browser and change how and what it displays when you're surfing the Web. [Included are: info for determining whether your browser has been hijacked; more importantly, preventing hijacks; and what you can do to restore a browser that's been hijacked. Once again the same basic steps apply: use your common sense about downloading executable code from "strangers"; keep your operating system up to date especially with security fixes, your MANDATORY protective / detective tools (anti mal/spy/ad ware) as well - same thing for your browser of course.]

Basics for Safer Downloading at Work

Sat, 06 Aug 2005 03:20:59 GMT

Protecting your computer from the potential dangers of downloading takes a bit of forethought, a bit of caution, and strict adherence to the rule: when in doubt, save before you download.

A Gentle Introduction To Cryptography

Sun, 15 May 2005 16:18:00 GMT

Cryptography, a young science, will play a prominent role in the security of protecting digital assets. This article tries to explain the basics of cryptography (encryption) using plain language. [An effective, brief introduction to cryptography and several other security concepts. Worth a read.]

Microsoft offers WPA2 Wi-Fi security

Sat, 14 May 2005 23:16:49 GMT

Microsoft has added a key wireless LAN security specification to Windows XP. The specification, called Wi-Fi Protected Access 2 or WPA2, requires a Wi-Fi client to include the Advanced Encryption Standard (AES) algorithm. WPA2 is an implementation of IEEE 802.11i, the wireless LAN security standard. The new, free software from Microsoft supports all features of WPA2, according to a Microsoft program manager.

PGP launches a radical overhaul of its PGP desktop security suite

Sat, 14 May 2005 02:56:54 GMT

PGP Corporation has launched a radical overhaul of its PGP desktop security suite aimed at making its products more comprehensive and easier to use. PGP Desktop 9.0, released Monday 9 May, features "automatic operation so email, instant messaging (IM), whole disk, and file encryption are secure without user interaction or training", the blurb boasts.

PGP Whole Disk encryption means an entire laptop, including USB drives and backups, can be secured at one fell swoop against previous approaches where users have used the software to set up a virtual, encrypted disk on their PC. Existing product features - such as PGP Virtual Disk encryption, PGP Zip (file compression), and PGP Shred (permanent file deletion) - have been retained.

Microsoft To Offer PC Health Service Called OneCare

Sat, 14 May 2005 02:21:46 GMT

Microsoft is launching a PC "health service" that promises to deliver automated protection, maintenance and machine tune-ups in a single package. Windows OneCare initially is being distributed to company employees as part of a testing and development process before public beta availability later this year. The subscription service will be continually updated in an effort to address safety issues such as worms, viruses and spyware.

Micorosoft also is focused on broader PC health issues, including: the protection of digital photos, music, financial data and software, as well as system performance. Windows OneCare will provide updated antivirus, antispyware and two-way firewall protection. The package offers periodic disk cleanup, hard-drive defragmentation and file repair. Automated file backup also is offered, along with the option to back up all files on the system or only those that have changed since the last time the action was performed.

A Simple, Elegant Information-Delivery Solution or Theft Vulnerability

Thu, 10 Mar 2005 20:51:19 GMT

[The article describes the solution to data transportation/delivery problem involving 12GB that was delivered to a consultant on 30 CD-R discs. The consultant considered other media/methods to return the data to the client- DVD-RW, FTP, external hard drives, USB drives, and finally settled on a "small" MP3 player - the Entempo Spirit 20GB MP3 player for $130 delivered. He plugged in the Spirit, copied the data to it, wrapped the device in a sheet of bubble wrap along with a USB cable, stuck it in a flat-rate USPS Express Mail envelope, and dropped it off at the post office. He didn't need to include a power supply or any software; the software was unnecessary (at least using Windows XP), and the internal battery will run the unit for about 10 hours. Neat huh? Scary huh!]

SANS "Ouch" Newsletter ( Vol. 2 Num. 3) Excerpts

Thu, 10 Mar 2005 20:25:26 GMT

What To Avoid This Month

I. Email from people trying to get you to divulge private details
These are often trying to steal your identity (and your money)
I.1 Washington Mutual Bank - 'Unauthorized Access to Your Washington Mutual Account'
I.2 SouthTrust Bank - 'Notification From SouthTrust Online Banking'
I.3 Huntington Bank - 'Huntington Bank Security Update Notification'
I.4 Paypal - 'Unauthorized Access...'
I.5 MSN - 'Microsoft Network customer data verification'
I.6 KeyBank - 'SECURE YOUR ACCOUNT NOW'
I.7 Google - Email Lottery International

Details About Things To Avoid

I. Email from people trying to steal your identity (and your money)
I.1 Washington Mutual Bank - 'Unauthorized Access To Your Washington Mutual Account'
The Bait: An email sent to you for Unauthorized Access to your account.
What it tries to make you do: Click on the link within the email.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-24-05_Wamu/02-24-05_Wamu.html

I.2 SouthTrust Bank - 'Notification From SouthTrust Online Banking'
The Bait: Email stating that your account may have been accessed by someone else.
What it tries to make you do: Click on the suspect link.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-22-05_SouthTrust/02-22-05_SouthTrust.html

I.3 Huntington Bank - 'Huntington Bank Security Update Notification'
The Bait: New payment security for the bank.
What it tries to make you do: click on the link within the email.
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-18-05_Huntington/02-18-05_Huntington.html

I.4 Paypal - 'Unauthorized Access...'
The Bait: An email that alerts you to unauthorized access to your PayPal account.
What it tries to make you do: Click on the link it provides
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-17-05_Paypal/02-17-05_Paypal.html

I.5 MSN - 'Microsoft Network customer data verification'
The Bait: Email sent to you to verify your information on your account.
What it tries to make you do: Click on the link within the email
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-15-05_MSN/02-15-05_MSN.html

I.6 KeyBank - 'SECURE YOUR ACCOUNT NOW'
The Bait: Create a secure code for access to KeyBank.
What it tries to make you do: Click on the picture link
Where you can see how it actually appears:
http://www.antiphishing.org/phishing_archive/02-08-05_Key/02-01-05_Key.html

I.7 Google - Email Lottery International
The Bait: Google Lottery Winner
What it tries to make you do: Reply to the email and take money from you.
Where you can see how it actually appears:
http://www.hoax-slayer.com/google-lottery-scam.html

IV. Avoiding Phishing Scams: Tips from Fraud.org:
Information, tips and contact information for avoiding and reporting phishing.
http://www.fraud.org/tips/internet/phishing.htm

V. Email Worm Spoofing: Spoofing Explained:
Easy-to-understand information on how worms use spoofing to spread.
http://www.hoax-slayer.com/email-worm-spoofing.html

Streamload makes it easy to safeguard important stuff and pass along giant-sized files

Thu, 10 Mar 2005 01:13:35 GMT

Check out Streamload. It's an online storage service that [allows you to access, and even stream, your favorite music and videos to any Web-connected PC in the world? Or how about sharing your fancy, high-resolution photos with the folks back home through a simple URL in an e-mail ], plus you can use it for free if you accept some restrictions. If you're willing to shell out a few bucks per month it gets even better, because the service doesn't charge you for predetermined storage limits (as Xdrive does) or even by the amount of storage you actually use (like Data Deposit Box). Instead, Streamload charges for the amount of data you and your friends subsequently download from your account.

Firefox Patch Fixes Vulnerabilities And Prevents Crashing

Wed, 09 Mar 2005 20:45:23 GMT

It's time to update the millions of Firefox 1.0 browsers that have been downloaded over the past 11 weeks. The Mozilla Foundation on Thursday released its first security update to Firefox, comprising a series of patches intended to prevent spoofing and phishing attacks and fix glitches that cause the browser to crash. The security update, Firefox 1.0.1, can be downloaded immediately at www.mozilla.org. The update covers a handful of security vulnerabilities and approximately 40 other fixes related to browser performance based on user feedback to Mozilla. The security vulnerabilities range from "moderately critical" in nature to not critical. None of them are highly critical, and there are no known exploits for any of the vulnerabilities.

Keystroke Logger Surreptitiously Installed at New Zealand Internet Cafe

Wed, 09 Mar 2005 17:14:57 GMT

A cyber thief in Wellington, New Zealand apparently installed keystroke-logging software at an Internet cafe that allowed him to harvest user names and passwords belonging to people who conducted online banking there. Consumers are being warned to use caution while banking on line. [Experts warn against using internet cafes when sending/receiving sensitive information. Who needs to be warned about this?!]

Increasing variety of form factors for USB flash drives

Fri, 04 Mar 2005 18:34:40 GMT

Not only are they available in inch-long versions that are easy to conceal in any pocket, purse or wallet, but also there are forms that are not even recognizable as storage devices unless one knows what to look for. Consider for example the “USB MP3 Player Watch” with 256M bytes of storage. This device looks like an analog watch. Then there is the SwissMemory USB Memory & Knife. This gadget, includes a blade, scissors, file with screwdriver tip, pen and USB memory, in 64M, 128M, 256M, or 512M-byte capacities. The USB Pen (not a “PenDrive”) is a pen that uses standard ink refills but also includes 128M bytes of USB flash memory.

Microsoft promises free anti-spyware, new version of IE

Fri, 04 Mar 2005 18:10:28 GMT

The company, by midyear, plans to release a test version of a new Internet Explorer browser that better protects users from scams and malicious code while surfing the Web, Chairman and Chief Software Architect Bill Gates said in a keynote address at the RSA Conference 2005 in San Francisco.

Microsoft bought anti-spyware software maker Giant Company Software in December and released a beta of Windows AntiSpyware in January. In addition to its free consumer product, Microsoft will offer a for-pay anti-spyware product for corporate users that will support enterprise needs for management and deployment, said Amy Roberts, a director in Microsoft's Security Business and Technology Unit. Roberts would not say when the enterprise anti-spyware product will be available.

Microsoft Malicious Software Removal Tool

Thu, 03 Mar 2005 01:48:50 GMT

On January 11, Microsoft made available the Malicious Software Removal Tool, a free tool designed to check for and help remove infections by critical viruses and worms. In its initial release, the tool checks for the existence of malicious software (malware) on computers running the Windows 2000, Windows XP, or Windows Server 2003 operating systems.

Test Your Knowledge -- (Microsoft) Security Guidance for Small Business

Thu, 03 Mar 2005 01:46:31 GMT

Security Quiz: Test Your Knowledge -- Security Guidance for Small Business Take our Security Quiz and find out how much you know about important security issues that can have an impact on your business. [A short test (ten questions) from the folks at Microsoft. If you get even one of the answers wrong you need to get help improving your security - "yesterday".]

Five Tips for Using a Public PC

Thu, 03 Mar 2005 01:09:50 GMT

Five Tips for Using a Public PC With spying software, a criminal can grab your passwords and usernames. Ultimately, you could lose your money or have your identity stolen. That should tell you enough to be wary of public PC terminals.

LogMeIn and GoToMyPC make remote access easier

Tue, 01 Mar 2005 16:46:45 GMT

Two new services, GoToMyPC and LogMeIn, promise simple and secure access to your computer from just about anywhere -- provided, of course, that you leave it on, and online. All traffic between computers is encrypted from end to end. Because the services use standard Web communications techniques, they work through most, though not all, corporate firewalls without intervention from information-technology departments. You may, however, run into trouble if you are trying to get into your PC from a public computer, such as those in libraries or hotel business centers. These may not permit you to download the application you need to establish remote connections.

Although the computer being accessed must run Windows, you can use GoToMyPC from any browser that supports Java, including Macs and even Pocket PCs. The latter's displays may be too small to be of much use. LogMeIn can be used from Windows computers and Pocket PCs but not Macs.

The Security Mentor

Thu, 17 Feb 2005 22:42:11 GMT

The Security Mentor provides "advice for normal people about computer and information security from Beryllium Sphere(R) LLC." The blog is a client resource and marketing tool for Beryllium Sphere LLC, a computer security consulting company in Redmond, Washington, USA. Fred Wamsley is the owner and chief blogger. His company specializes in serving small businesses, especially the SOHO (small office/home office) market. Fred describes who he is trying to reach with his blog, saying: 'My target reader is someone motivated enough to do online research but unwilling to become a full-fledged nerd. The "computer person by default" at a small business, who becomes the de facto IT department because "s/he knows about those computers", is a perfect example.' [This looks like an excellent site - albeit a direct and effective competitor. It's straightforward, easy to understand writing gets right to the point. As an example, here's an excerpt from the Monday, February 07, 2005 post on Phishing - "Phishing is getting more tricky and insidious. 'Phishing' scams, you'll remember, are when someone sets up a fake web site pretending to be your bank or something else so they can trick you into typing in your banking password. Then they can use the password to loot your account."]

Researchers crack car alarm system

Wed, 16 Feb 2005 21:53:10 GMT

Researchers have found a way to crack the code used in millions of car keys. The research team at Johns Hopkins University said it discovered that the "immobilizer" security system developed by Texas Instruments - a radio-frequency security system being used in more than 150 million new Fords, Toyotas and Nissans - could be cracked using a "relatively inexpensive electronic device." Texas Instruments was recently given demonstrations of the team's code cracking capabilities, but the company maintains its system is secure. Tony Sabetti, a business manager with Texas Instruments, said the hardware used to crack the codes is cumbersome, expensive and not practical for common thieves.

Cybersource Safe Internet Computer

Sat, 30 Oct 2004 20:53:21 GMT

According to the Cybersource web site: Every time you restart your Safe Internet Computer, it is wiped clean of any malware and reset to factory settings. A clean slate, every day. The SafeIC is a small-form factor PC which will sit unobtrusively in your lounge room, study or home office. It plugs straight into your ADSL router or office hub/switch. It needs zero configuration. If your home or office is connected to the Internet, the SafeIC will be connected too. ["Computers" like this were formerly called "dumb terminals"; then "network computers". No onboard permanent storage, no hard disk drive (or writeable optical drive - there must be some form of temporary storage); original system restored each time system is restarted (which is why it could be impervious to malware although frequent, deliberate restarts would be required). Monitor not included. At AU$595, which includes "all the software", it is expensive. The software environment isn't MS Windows nor is the application software from Microsoft . The product brochure indicates a "standards compliant browser"; an office suite that "supports" Microsoft file formats; games and educational programs; and an RDP (Remote Desktop Protocol) client that "connects to Windows Terminal Server or Windows XP Profressional." Once such a connection is made, especially if it's a long-lived one, this arrangement doesn't seem so safe.]

The Non-Admin blog - running with least privilege on the desktop

Sat, 30 Oct 2004 14:03:55 GMT

[the author states] I'm sort of building up, one post at a time, one comprehensive piece on running as a limited user (non-admin). [The author is with MCS Federal, focusing on US Federal government customers. ]

Windows XP Security Checklist

Fri, 29 Oct 2004 22:58:27 GMT

Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems - especially when it comes to security. This checklist is partially based on our popular Windows 2000 security checklist and covers both Windows XP Professional and XP Home Edition. Unfortunately, Windows XP Home Edition doesn't have all of the security features of XP Professional, so not all of the options are available for both versions. If you're concerned about your data, we strongly recommend upgrading to XP Professional as soon as possible. When implementing these recommendations, keep in mind that there is a trade off between increased security levels and usability for any Operating System. To help you decide how much security you need, we've divided the checklist into Basic, Intermediate, and Advanced Security options. You should assess your potential security risks, determine the value of your data, and balance your needs accordingly.

This is a "live" document which will be updated over time as new security recommendations are published by Microsoft.

User Education Is A Flawed Strategy For Protecting Computer Users From Internet Scams

Fri, 29 Oct 2004 18:56:23 GMT

One of the "Internet's foremost experts in Web usability" (according to Business Week) and the man who ranks number six on ZDNet's "The Web's Ten Most Influential People" calls for a change in policy to thwart Internet scams, saying, "User education is not the answer to security problems." Jakob Nielsen says a strategy relying on user education puts the burden on the wrong shoulders. The only real solution, according to Nielsen, is to make security a built-in feature of all computing elements.

Home PCs not protected

Wed, 27 Oct 2004 23:45:34 GMT

In findings, from a detailed survey of 329 consumers that included inspections of each of their home computers, released Monday by America Online and the National Cyber Security Alliance (NCSA), a picture emerges of consumers increasingly using their home PCs for sensitive, online transactions without adequately protecting themselves from cybercrime.

While 77% of the survey respondents believed they were safe from online threats, two-thirds lacked current anti-virus software and did not use any firewall protection. More than half said they did not understand the difference between the two. Yet 84% stored personal data on their home PCs, and 72% routinely used the Internet for sensitive transactions, such as banking and medical data exchanges.

Half Million Pay To Use 'Secure' Browser

Fri, 22 Oct 2004 23:42:50 GMT

Winferno Software, the Boston-based software company, positions the paid browser as the only security-focused Web browser on the market. Secure IE is compatible with both Internet Explorer and Windows. Secure IE users can block spyware, popups, and decide to allow or disable Flash and Active X. The browser allows retention of cookies for trusted sites and clearing private information based on user-set security zones, features, Winferno claims, that are not available to users of Mozilla, Firefox, or Opera browsers. The browser includes built-in search engine access, connection optimization, and automatic software updates.

Watch Out For Security Freeware Gotchas

Thu, 21 Oct 2004 22:21:07 GMT

Security freeware is pretty popular. The price is right and everyone needs more security. What's the catch? But just because software is free doesn't exempt it from the requirements of paid software. Folks who write security tools should practice secure coding. Authors of security freeware should be accessible and accountable for the product they provide; in security-speak, the software should have readily identifiable, non-repudiable origins. Folks who make security software available should have competent, security-savvy staff to support and maintain it.

So if you are considering security freeware, remember the five Ws. Who wrote the software? Can you identify and trust the developer? What does the software do? When should you use security freeware? Why are you choosing freeware over commercial ware? Where do you intend to use security freeware?

Bypass Windows 98’s Never-ending Defrag Operation

Thu, 21 Oct 2004 20:07:04 GMT

If you’re supporting the Windows 98 operating system, chances are that you’ve encountered the mind-numbing problem in which Disk Defragmenter is unable to complete a defrag operation. In this situation, Disk Defragmenter works normally until it gets to about the 10 percent complete marker.

Online attack puts 1.4 million records at risk

Thu, 21 Oct 2004 19:58:21 GMT

An August intrusion into a social researcher's computer may mean that more than a million Californians need to call the credit bureaus.

On Tuesday, the California Department of Social Services warned the providers and recipients of the state's In Home Support Services (IHSS) that their names, addresses, telephone numbers, Social Security numbers and dates of birth may be circulating the Internet. IHSS allows individuals to get paid for providing in-home care to senior citizens. The warning comes after an unknown attacker slipped in through a security hole in a social researcher's unsecured computer at the University of California, Berkeley, on Aug. 1, perhaps making off with 1.4 million database records containing personal information. The researcher noticed the trespass on Aug. 30 and the university notified the state in mid-September.

SANS "Ouch" newsletter for "unsophisticated end users"

Tue, 19 Oct 2004 16:22:32 GMT

A new free SANS newsletter has gotten rave reviews from unsophisticated end users - they really appreciate the plain non-technical writing and the cool examples. It's called OUCH! More than 500 security awareness professionals from around the US and the world helped them get it right. If you want to redistribute it to your users, that' allowed. The newsletter includes a pointer to a great phishing quiz for anyone who thinks he or she can spot a phishing email. To subscribe go to the newsletter page at the SANS portal and choose it.

SIW v1.44

Tue, 19 Oct 2004 14:40:58 GMT

SIW is a system information tool, that gathers detailed information about your system properties and settings. It includes detailed specs for CPU, Network, TCP/IP, Memory, Hardware, Users, Network Shares, and more, as well as real-time monitors for CPU, Memory and network traffic. SIW also displays currently active network connections, installed codecs, connected MS SQL and Oracle database servers (if any) and more. A standalone tool that does not require installation.

Google Launches Desktop Search (Beta)

Fri, 15 Oct 2004 23:57:39 GMT

It appears that every geek’s favorite search engine has won the race as the Mountain View, California company unveiled Google Desktop Search (GDS) on Thursday morning. The main feature of GDS is the ability of the user to search all files and folders of their computers hard drive, in addition to the Internet when running search strings through Google. The application itself is very small - only about 400k - and according to Google, after installation, GDS will run in the background indexing your hard drive on a continuous basis.

Privacy advocates have expressed some serious concerns about GDS. The biggest questions concerning the security of computer administrator files and folders on a Windows XP machine, and the ability to search other users' personal e-mail in a search queue. To help alleviate fears, Google engineers made it clear that no information contained on indexed hard drives is ever sent back to Mountain View, although they did acknowledge that the program will "ping" Google's servers on a daily basis in an effort to monitor the health of the program and determine how users are utilizing the features in GDS. You can download GDS here.

Excerpt from Google Desktop Search Terms and Conditions: Consent to Collect Non-Personal Information
Google Desktop Search may collect certain non-personally identifiable information that resides on your computer, including, without limitation, the number of searches you do and the time it takes to see your results. Unless you choose to opt out, either during installation or at any time after installation, non-personal information collected will be sent to Google. This information will be used by Google only for purposes of operating and improving future versions of Google Desktop Search and will not be disclosed to any third party or used for any purpose other than as described in this agreement. To learn more, please read the Privacy Policy located at desktop.google.com/privacypolicy.html.

[The excerpt from the "T&C's" implies that you can opt out from the collection of "non-personal information". I'm going to install it myself and see if my firewall can do the same thing. UPDATE: more information - see Google's Desktop Search is valuable, yet creepy , excerpt below. Yet the author states that, according to a "consensus of internet security and privacy experts", GDS will not generate controversy. Note: This version is Beta status and Google has been known to run beta programs for months or years. ]

Desktop Search does three things in particular that could compromise your privacy when someone else uses your computer:

First, the software keeps a copy of all your AOL Instant Messenger conversations. AIM, for many users, is like talking over the water cooler at work -- you say things you don't want preserved for posterity. Until now, AIM conversations with your buddies disappeared from your computer the moment you closed the discussion window. Desktop Search, however, makes a copy of AIM conversations and keeps them forever.

Second, the software keeps its own copy of all your Outlook and Outlook Express e-mail messages -- even after you delete them from within Outlook or Outlook Express. A confidential company memo, in other words, will still pop up during Google searches after you've emptied the Deleted Items folder in Outlook.

Third, the software keeps a copy of every Web page you visit and lists those pages in search results with the date and time of your visit. This even includes Web pages that are supposed to be secure from prying eyes, such as those run by online banking sites.

That means if someone else uses your PC and enters the word "bank" or "brokerage" in Desktop Search, they could uncover your confidential financial information. There are controls within Desktop Search to block each of these three search features, but it's not immediately obvious how to find them and many users will never bother to learn.

New back-up options for hurricane season

Fri, 24 Sep 2004 00:52:23 GMT

Your back-up options are improving. Good tools need to make files easy to back up, restore and move offsite, and between them, EVault and Phoenix Technologies provide complimentary systems. EVault offers easy offsite backup; Phoenix easy recovery from virus-ravaged personal systems.

EVault

Phoenix Technologies

Windows XP SP2 Firewall: needed or not

Thu, 23 Sep 2004 20:23:03 GMT

[With the Windows XP SP2 Firewall, do you still need a firewall to stop outbound traffic? The emphasis is mine. A firewall filters incoming traffic. Hardware firewalls, typically provided by NAT routers - those cable/DSL router/hubs, keep malicious traffic from ever reaching your computer. Software firewalls, such as the Windows firewall, discard malicious traffic if/when it gets to your computer. You don't need both - to handle incoming traffic that is. You can tell the new Windows Security Center that you'll manage your firewall yourself. However neither the typical individual/home hardware firewall nor the new Windows firewall will filter or manage outgoing traffic. You need one of the more complete firewall and security packages such as ZoneAlarm or a commercial grade (small) business router.]

AOL Boosts Security with New 'Passcode'

Wed, 22 Sep 2004 01:17:33 GMT

AOL PassCode uses SecurID, a token-authentication technology developed by RSA that features a keychain-size device that generates and displays a unique six-digit numeric security code every 60 seconds. AOL customers who sign up for the service enter their account password and the current device code in order to access their account. If the authentication server system validates the code, the user can access the AOL account. If not, access is denied. AOL contends that SecurID provides a higher standard of protection through a two-factor authentication system commonly employed by financial institutions, technology companies and other enterprises. AOL PassCode is offered for a one-time fee of US$9.95 for each device, plus $1.95 to $4.95 per month, depending on the number of screen names on the account that are secured to a PassCode device. [Finally! A big step up in security by a major provider albeit at a premium. The future is at least "two-factor" authentication.]

IBM Builds In PC Security

Fri, 17 Sep 2004 16:49:02 GMT

IBM has begun using new security hardware from National Semiconductor in its desktop PCs in an effort to fend off viruses and hackers. National Semiconductor's SafeKeeper Trusted I/O devices add to its existing chip design a "trusted platform module", a microcontroller that stores passwords, digital certificates, and encryption keys.

Mozilla Fixes Browser Bugs

Fri, 17 Sep 2004 16:45:50 GMT

The Mozilla Foundation has fixed 10 security bugs in its open-source Mozilla and Mozilla Firefox browsers and Thunderbird e-mail reader, with the release of new versions of all three products this week. Some of the vulnerabilities could allow attackers to run malicious code on a user's PC via a malicious e-mail, a specially crafted vCard, or a malformed graphic on a Web site, project leaders say.

Major graphics flaw threatens Windows PCs

Tue, 14 Sep 2004 22:31:15 GMT

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable. The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

Microsoft deactivates ActiveX

Tue, 14 Sep 2004 22:26:51 GMT

The company announced that the coming Windows XP Service Pack 2, which is focused on security, will allow consumers to block both pop-up ads and ActiveX scripting.

Microsoft to create pop-up safety lessons

Tue, 14 Sep 2004 22:24:46 GMT

The company plans to use more dialog boxes and other messages in future software releases to educate people on 'safe' computing.

WinZip offers fix for security flaw

Tue, 14 Sep 2004 22:19:39 GMT

But users of the popular compression tool will need to upgrade to version 9 of the software.

Apple fixes 15 flaws in Mac OS X

Tue, 14 Sep 2004 22:13:02 GMT

Many of the problems are flaws in the operating system's underlying open-source software, including a critical flaw in the Kerberos authentication system--software that can act as a gatekeeper for computer networks. The patch is available for Mac OS X 10.3.5 and Mac OS X 10.3.4, and also fixes issues in Mac OS X 10.2, known as "Jaguar."

First Windows CE Virus Emerges

Fri, 10 Sep 2004 22:44:33 GMT

The first known virus aimed at Microsoft's Windows CE operating system was sent to several anti-virus firms by its author over the weekend to prove that Pocket PCs and Smartphones are vulnerable to attack.

Microsoft Doubles Blocking Time For SP2

Fri, 10 Sep 2004 22:24:53 GMT

Microsoft doubles the time that businesses can block Windows XP Service Pack 2 (SP2) from downloading automatically.

ISPs Given Thumbs Down For Virus, Hacker Control

Fri, 10 Sep 2004 22:17:30 GMT

U.S. residential Internet users are much more satisfied with the spam protection from their Internet service providers, but remain unhappy with their ISPs' defenses against hackers and viruses.

Corporate-based Windows XP PCs affected by Service Pack 2 requirements

Fri, 10 Sep 2004 19:39:28 GMT

Analysis from AssetMetrix Research Labs, the research arm of AssetMetrix, indicates that an average company using Windows XP will encounter compatibility issues with SP2 on 10.3% of its Windows XP-based PCs. ... Companies with less than 100 XP installations had an average impact of around 12%, while larger companies tended to have closer to 6% of their Windows XP PCs affected.

Anecdotal results at the SANS Institute experiences page present a picture somewhat worse. The company's Windows XP Service Pack 2 has at this writing received almost 1800 responses. 29% of the respondents have experienced "big problems" with SP2 or had to rebuild their systems.