Sunday, March 29, 2009

Conficker - the lead story on 60 Minutes last night!

I should've posted about this before, but my pal Neopublius sent out an email on Saturday that I'm just going to shamelessly copy here, 'cause it's got the goods you need:

"There is a pretty serious computer virus making the rounds with a target activation date of April First. There is a background article here: The article links to a Microsoft site with a free scan and removal tool, there is a another tool here:

As always, run some virus protection on your computer, don’t download or open attachments from people you don’t know, and stay out of the bad neighborhoods on the internet."

Here's an article with a few more technical details... BTW this issue is PC-only, but don't get all smug just yet if you're on a Mac or Linux - Conficker is a "remote exploit" vulnerability, and MacOS X has its own remote exploit critters to deal with.

Tuesday, March 17, 2009

SQL Injection: Tenderizing websites the world over

Some folks like to inject some sort of marinade into chicken/steak/whatever prior to stoking up the grill... I couldn't resist the title's play on words, but you do need to know about yet another thing that's somewhat new, that is yet another peril of doing e-commerce on the web - "SQL Injection".

SQL is a very popular language for manipulating databases, and it's practically a sure thing that you've accessed an SQL database server many times in your websurfing adventures. For instance, just this morning I took at look at the BAE Systems job search site, and got this:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'AND'.

/includes/local_subs.asp, line 1586

Which means roughly "this SQL-based database query engine is busted; come back later".

But back to SQL Injection - the problem is serious enough that that phrase has made it into the mainstream media - an article in USA Today describes the vulnerability in detail. The upshot for you, Dear Surfer, is to keep everything that you use to access web content updated with the latest patches - which is almost a job unto itself: the article mentions Internet Explorer, Firefox, Safari, Opera, Chrome, Adobe Flash, Adobe Reader, iTunes, QuickTime, Windows Media Player and RealPlayer. Most or all of those tools can be configured to check for updates, and more and more I'm turning that feature on. (Historically my philosophy has been "if it ain't broke don't fix it" in terms of software updates, but things have gotten to the point where I feel I just have to trust the vendors not to break stuff when they update their applications, in order to try to stay ahead of all of these vulnerabilities.)

Monday, March 16, 2009

The Basic Basics - Continued

OK, Part One's list items were probably familiar to most, although perhaps not the last one ("don't normally use Windows logged in with Admin privileges"). Here are some more nuggets of ponderment:
  1. Make sure that the internet router box that you use has "NAT" (Network Address Translation) turned on. It probably is, since most or all consumer-grade routers have it enabled by default, but it doesn't hurt to make sure. One way to see if you have NAT working is to do the following: (1) Figure out what your Windows IP address is - e.g. open a Command Prompt window and type "ipconfig"; it will show a number that might look like "" or something like that. (There are other ways to do this, but I won't detail them here.) (2) Determine what your "external" IP address is - this is the address that the rest of the world thinks you're at. I use this site to get my external address. If your Windows IP address and your external address are different, then you have NAT working. If not, you really need to get this addressed (no pun intended?).
  2. This is another obvious one, but can be tedious to adhere to all the time: Don't Use Obvious Passwords, at least for any sites/accounts that you consider confidential and/or valuable. I was lazy about this for the longest time, but finally hunkered down and changed all of my on-line financial passwords to things less guessable/dictionary lookupable. A tool that made this easier for me is Roboform2Go, which is a "password vault" application that I keep on a USB memory stick. RF2G can act as a Firefox/IE plugin; you have to enter a password to unlock it (optionally for a limited amount of time for each use); after that, it will auto-fill the username and password fields of sites that you've told it about. Generally it works very well although it seems to be a little Firefox-unfriendly (sometimes I have to quit out of FF before starting RF2G; otherwise it doesn't start up correctly). There are other alternatives out there but this is the one I use.
  3. Consider using what's called Multi-Factor Authentication for logging into your on-line commerce/shopping accounts where possible. For instance, both EBay and PayPal can be set up to do this. You have to buy a little gizmo that they sell, but it's quite inexpensive (right now it's $5). After you've received this "security key" you set up your Ebay and/or PayPal accounts to use it. Thereafter, when you log in and enter your normal password on the site, you are prompted to enter the number that the key's LCD display shows whenever you press the button on it. That number changes every 30 seconds... This form of authentication is very secure, and apparently this particular security key is being adopted by more and more on-line businesses, so hopefully your five-buck key will be good for more than just EBay/PayPal. More details are here, and a discussion about using the key with "OpenID" (which is a topic for another day) is here.
  4. Here's a follow-on to the item last time about how you're quite vulnerable when connecting to free public wi-fi access points - be doubly sure that your firewall (either Windows' or a third party one) is turned on before connecting to the WAP. Even if you're going to use some kind of Virtual Private Network to do your surfing, your system is still exposed in the time it takes for you to establish the VPN connection. (A sideline to this - just because you fire up your laptop some place and see a WAP called "Free WiFi For My Homies" or similar, it doesn't mean that it's safe to connect. For all you know it could be a WAP set up specifically to steal whatever it can from your computer when you connect, or to infect it with who-knows-what malware-wise.)
OK, that's a wrap for this lovely Monday!

Wednesday, March 11, 2009

The Basic Basics - Part One of ?

I wish I could do this as a separate page or file that's part of this blog, but I can't figure out how to do that. Soooo... Here are some first-level things to think about in terms of "hardening" your system(s) and network against the bad guys.
  1. Make sure that Windows Update is turned on on all systems. This can be configured in different ways - "fully automatic", "tell me when there's a new update", "download the update but don't install it until I say so", etc. Microsoft typically sends out Windows updates every Tuesday, but occasionally if something is really "hot" they'll do it sooner. For a long time I only installed these things when I was absolutely sure what they were, but have become convinced that for most people it's better just to let Microsoft do their thing. Generally, they've gotten better and better at it over the years.
  2. Make sure you have at least WinXP Service Pack 2 installed. This is because it includes an updated Firewall, that is turned on by default. (If you do have SP2, make sure the firewall is still turned on!)
  3. You should be running some kind of anti-virus software. This is not as much of a great thing as it used to be, as the bad guys are figuring out other, even sneakier ways to be bad, but you should still run something. I am running a couple free ones (on different systems): AVG Free, and Avira AntiVir Personal. Historically, the well-known commercial titles such as Norton and MacAfee have gotten bigger and bloatier over time (to the point where I stopped using them), but at least one of those has recently de-bloatified their stuff. I still use the free ones 'cuz I'm cheap, but heard a plug by a reputable computer repair guy in Hawaii for the Kaspersky stuff.
  4. If you have a wireless network in your home, you really really should have a particular kind of wireless encryption (WPA) turned on. Your wireless connection can be the weakest link in your network - if it's not robust, all of the other things here are not worth nearly as much, especially in terms of data privacy/security. Don't rely on just the "WEP" kind of encryption - you must use "WPA". Older routers and laptop wireless cards don't support WPA - I had to buy a new card for my laptop since its built-in card is WEP-only. (If you want to run an "open" network so that your friends and family and the occasional drive-by "guest" can get on your network easily, that can be done - but there's a right way and a wrong way. Hint: the right way involves setting up a "DMZ" on your router.)
  5. If you travel and/or use free wireless access points (say, at your local coffee shop), you are taking your laptop's overall security into your own hands, and not in a good way. This topic is really beyond the scope of this list, but - briefly, you need to figure out a way to use some kind of so-called "tunnelling" communication protocol whenever you're connected to such a network (e.g., VPN, which stands for Virtual Private Networking). There are free ways to do this (e.g. OpenVPN, which I haven't tried), and there are certainly "payware" ways.
  6. Don't use a Windows user account that has Administrator privileges for your day-to-day computer activities. This turns out to be kind of a pain in the *ss in some ways, but it does lessen the ability for malicious software ("malware") to sneak and and do things at the "administrator" (god-like) privileged level. In all likelihood your user account on your laptop has Administrator powers - if nothing else, check and see if it does, using the Control Panel's "User Accounts" applet.
That's enough to chew on for one session, ya think?

Adobe PDF exploit

Probably the biggest IS news item recently is the discovery of a fairly serious vulnerability in the venerable Adobe Acrobat "PDF" file format. Briefly, it's one that doesn't require you to actually do anything for the vulnerability to be triggered, other than have Windows Indexing Service enabled (which I believe is turned on by default in XP). Even if you don't have that enabled, merely passing your mouse cursor over the file in Windows Explorer could still trigger the exploit. Now, this is only if you've actually downloaded a PDF that has been hacked to have this kind of malware inside of it, but AFAIK this is a sort of a new thing, where you don't even have to open the file to get the bad stuff happening. Note that this vulnerability exists on MacOS as well.

The morbid details are here, or you can see the sanitized Adobe discussion here.

What the hay?

I just recently said I'd start blogging right after hell freezes over, but.... well there you go.

If nothing else, this'll be a place to record the tidbits and links about things I come across related to internet security (IS) issues, such as new exploits (esp. "zero day" ones), etc. It will at least initially be PC-centric, but I may inject a little Mac Goodness as needed since I support Grace's MacBook (which as of today has Leopard spots - thanks B!). I have no idea how long I'll keep this up, or how often I'll update it, so treat it as a Social Experiment.

As I am a relative Noob to the details of IS, I also thought I'd try to make this a place where more casual computer users (e.g. relatives, pet pigs, etc.) can learn a thing or two.

As I have no idea how this Blogspot thing works, please stand back a bit just in case something breaks and spins off debris at ballastic speeds, and please do wear your safety glasses.