Wednesday, January 20, 2010

Do you have a spare $447,000 lying around?

Today's topic is not new news - the incident happened last July - but I've thought about it many times since hearing about it. This makes me ever more paranoid about doing any financial transactions online... I still do them just because it's so dang convenient, but I wonder how long the model that's in place (authenticated "secure" browser sessions) can continue to work.

Full details can be found in a Technology Review article, but the gist of this is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.

You might think "oh someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account was set up to not only require a normal password, but also a second, "one time" password that is generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have one that I use with my PayPal account).

Unfortunately, his system had been infected with a malware program that basically waited for him to sign into the commercial account and then, while he was signed in, performed transactions in the background to withdraw the loot and transfer it to several Bad Guy Accounts. The one-time password only gets checked at sign-in, so anything done inside that already-authenticated session sails right through.
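To make that failure concrete, here is a small model I've added (it's not from the Technology Review article and not any bank's real protocol). It compares two designs: a bank that checks the one-time code only at login and then trusts the whole session, and one that requires a fresh code computed by the token over the amount and destination of each transfer. The token itself is a hypothetical stand-in (a truncated HMAC over a constructed seed), and the password, account names and amounts are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed toy model: the seed stands in for the secret inside the user's
# hardware token. The bank holds a copy; the user's PC never sees it.
TOKEN_SEED = b"constructed-token-seed-not-a-real-secret"
PASSWORD = "correct-horse"  # constructed sample password


def token_code(seed: bytes, message: bytes) -> str:
    """Hypothetical token: short one-time code = truncated HMAC-SHA256 of a message."""
    return hmac.new(seed, message, hashlib.sha256).hexdigest()[:8]


@dataclass
class Transfer:
    amount_usd: int
    destination: str
    auth_code: Optional[str] = None  # only consulted by the transaction-bound design


class LoginOtpBank:
    """Design 1: the OTP is checked once at sign-in; the open session is then trusted."""

    def __init__(self) -> None:
        self.login_counter = 0
        self.session_open = False
        self.ledger: list = []

    def expected_login_code(self) -> str:
        return token_code(TOKEN_SEED, b"login:%d" % self.login_counter)

    def login(self, password: str, otp: str) -> bool:
        ok = password == PASSWORD and hmac.compare_digest(otp, self.expected_login_code())
        self.login_counter += 1  # the code is one-time: the next login needs a new one
        self.session_open = ok
        return ok

    def transfer(self, t: Transfer) -> bool:
        if not self.session_open:
            return False
        self.ledger.append(t)  # no further proof that the user intended this transfer
        return True


class TransactionBoundBank(LoginOtpBank):
    """Design 2: every transfer needs a code the token computed over that transfer's details."""

    @staticmethod
    def expected_transfer_code(t: Transfer) -> str:
        return token_code(TOKEN_SEED, f"transfer:{t.amount_usd}:{t.destination}".encode())

    def transfer(self, t: Transfer) -> bool:
        if not self.session_open or t.auth_code is None:
            return False
        if not hmac.compare_digest(t.auth_code, self.expected_transfer_code(t)):
            return False  # amount or destination differ from what the user approved on the token
        self.ledger.append(t)
        return True


def run_scenario(bank: LoginOtpBank) -> dict:
    """User logs in with a valid OTP, makes one approved transfer; then a second
    transfer is submitted inside the same session without the user touching the token."""
    logged_in = bank.login(PASSWORD, bank.expected_login_code())

    approved = Transfer(500, "payroll-account")  # what the user actually approved
    if isinstance(bank, TransactionBoundBank):
        approved.auth_code = bank.expected_transfer_code(approved)
    legit_ok = bank.transfer(approved)

    # Request injected into the open session. Against design 1 the session alone
    # suffices; against design 2 the only available code is the user's, which was
    # computed over different details and therefore does not verify.
    injected = Transfer(447_000, "bad-guy-account", auth_code=approved.auth_code)
    injected_ok = bank.transfer(injected)

    return {
        "logged_in": logged_in,
        "legit_ok": legit_ok,
        "injected_ok": injected_ok,
        "ledger_total": sum(x.amount_usd for x in bank.ledger),
    }


if __name__ == "__main__":
    for cls in (LoginOtpBank, TransactionBoundBank):
        print(cls.__name__, run_scenario(cls()))
```

Running it shows the login-only design accepting the injected $447,000 transfer while the transaction-bound design rejects it and only the $500 the user approved lands in the ledger. The practical takeaway is that a token used only at login authenticates the person, not the transactions; what protects against a compromised PC is binding the code (or an out-of-band confirmation) to the exact amount and destination the user sees on a device the malware can't alter.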

So - what to do? I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... But I feel reasonably secure in doing these things on my systems:
  • keeping antivirus software updated (I'm now using Microsoft's new and free Security Essentials on almost all of my PCs)
  • making sure the web browser is up-to-date
  • disabling scripting (JavaScript and ActiveX) in the browser. I use NoScript in Firefox, which lets me selectively enable or disable scripts on a per-site basis
  • keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated
  • using a one-time password device on all financial accounts that support it, in order to have the magic that's called Dual Factor Authentication. Paypal and eBay, as well as many other banks/institutions support these, and sometimes a device that is obtained from one place can be used elsewhere - for instance, the Verisign device that I got from PayPal is supported by my credit union
I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."

Hmmm, I think my Dad told me that, a long time ago.


Friday, January 1, 2010

GSM Phone Security - Not So Secure Anymore

Happy new year to everyone! Really. I would like to think it will be better than that last one!

This has been in the press recently: although it's not trivial to do - a snoop needs about $1000 worth of equipment to accomplish it - the security scheme that digital cell phones use, "GSM", has been cracked. This means if you're an AT&T (don't get me started about that company!) or T-Mobile subscriber in the US, your calls can no longer be considered to be private. (Verizon, Sprint, etc. use CDMA technology, which is totally different from GSM.)

The researcher who published the technique is being lambasted quite a bit for doing it, but I believe his intentions are noble. As is so often the case in big business, companies are loath to do anything that costs them money and prefer to ignore Elephants In The Living Room until they're forced to do something.

Now, another blogger asserts that there's nothing to worry about, and that the phone companies will move to the stronger 128-bit encryption protocol (the current protocol is "only" 64-bit) - but it could be said that the publication of the decryption technique will at least hurry them along a bit, and even with that, who knows when this will actually be 100% deployed across the country?

***

While we're on the subject - the cordless landline phones I use in my home are Panasonic "DECT 6.0" phones - I got them at Costco, but DECT 6.0 phones are sold "everywhere". In theory my phones provide secured communications that can't be monitored, but I have seen mention here and there that some phone manufacturers don't enable the encryption that DECT provides. So when I order a pizza (mmmmm, Fast Pizza Delivery pizza!) over the phone and give them my credit card information, I really have no idea whether that conversation could be monitored by some crook with a sophisticated radio receiver (e.g. GNU Radio).

So for the moment, since I'm stuck with AT&T Wireless for the time being, and because I use DECT 6.0 phones at home, I have no assurance that my conversations are secure. You might say "well who cares - I have nothing to hide!" - well, how many times do you use your cell or home wireless phone to perform financial transactions with your bank, broker, credit card company,...?

Tuesday, August 25, 2009

An Acrobat (PDF) Reader Alternative

I wrote about an Adobe zero-day exploit a while back... They've been in the security news quite a bit lately; their huge success with Acrobat as a document distribution standard and the Flash media player becoming more and more common has ironically made their products a favored target of malware creators.

I finally got fed up with how large Adobe Acrobat Reader has gotten - the version 9 installer for XP is 35.7 MB (vs. 21 MB for v8, 15 MB for v6, ...) - so recently I installed a free alternative called Foxit. The latest version, 3.1, has a 5 MB installer that results in a 7.2 MB installation. Compare this to the 206 MB Acrobat Reader installation that is on my PC!!! (wtf?)

But the best news is that Foxit starts up much faster than Acrobat Reader. I view PDFs all the time, and so far I have not had any issues with this application. It does have a tiny advertisement window as shown below (The blue area in the upper right corner), but this only seems to advertise Foxit's own payware products, which seems fair given that the reader is free.


I'll also mention that Foxit is potentially a better choice than Acrobat Reader since most exploits that are targeted at Acrobat do not manifest themselves in Foxit. However, Foxit's popularity as an Acrobat alternative has made it a target of the malware authors too, though it appears that the Foxit folks take security seriously and are prompt to release updates, as discussed here.

For the moment Foxit is available for Windows, Linux, and some handheld OSs, but not the Mac.

Wednesday, July 29, 2009

Why you should switch to Firefox

Executive summary: If you're using Internet Explorer v7 or earlier as your web browser, you should seriously consider switching to Firefox. Even if you're using the new v8 of IE, you're still not going to have as much protection from malware as with FF and the NoScript plugin.

--

I have been using Firefox as my primary browser for several years, and generally try to avoid Internet Explorer as much as possible. (Sometimes, though, it's not possible - my previous employer only supported IE for all of its Oracle infrastructure.) IE, being the most popular browser in the world - primarily because it is essentially built into Microsoft Windows - has been the primary target of cybercriminals for quite a while. Also, I like the fact that Firefox's user community has developed any number of (occasionally) useful plugins for it.

One (free) Firefox plugin that I run religiously on all of my systems is NoScript. Although there's a little bit of a hassle factor involved with using it, I feel a lot more "protected" from malicious web sites with it turned on. With its default settings, it will initially block all JavaScript, Java, Flash, etc. content and require you to specifically allow that content to be downloaded and displayed. You have the option of temporarily allowing content from a specific site, or adding the site to a "white list" of sites that will always be allowed through. (It protects against several other potential exploits, such as cross-site scripting.)

What prompted me to finally write something about Firefox and NoScript (this has been on my to-do list for a while) is the zero-day Adobe exploit that I posted about earlier today. NoScript can protect you from the exploit described in that post.

Finally: At the top I mentioned IE v8, which was released recently. I was hoping that Microsoft would take some steps to improve IE's resistance to malware, and I think they've made some good progress, but I found an article that seems to indicate that IE still has a ways to go. So although I'll continue to evaluate IE v8 on my Vista install as an intellectual exercise, I'll be keeping Firefox (and NoScript) as my favored "surfboard" for the indefinite future.

Urgent: Majority of Windows systems vulnerable to Flash/Acrobat zero-day exploit

Firstly - you may be hearing the term "zero-day exploit" more often these days in discussions about security issues. It basically means that the flaw under discussion is already being taken advantage of by the crooks before the vendor has a fix available.

Anyway, here's all of the details about the Flash/Acrobat Reader weakness. What is a little different about this one is that more than a few "legitimate" web sites have become infected with malicious Flash content, and so it's quite possible to be exposed to Eeeevil Stuff even if you're not snooping around the darker corners (and tubes) of the Internet. (Flash is used everywhere these days - e.g. YouTube basically runs on it.) Also, unlike some earlier exploits, disabling JavaScript in Acrobat (which you should do - it's turned on by default when Acrobat Reader is installed) does not provide protection against this malware.

What seems almost criminal about this is that Adobe has apparently known about this defect for seven months. However, the exploit that actually takes advantage of it is apparently much more recent. I guess they decided to wait until really bad stuff happened before actually fixing their software...

Tuesday, July 21, 2009

A Pathetic Example of a Hacker...

First: the good news - this guy is probably wearing a bright orange jumper at the moment. The bad news - the accused was a security guard at a Texas hospital, and in his idle moments, he figured out how to break into some of the hospital computers - including the system that controls the hospital's heating and air conditioning systems. It doesn't seem that killing anyone was his real goal, but it gets hot down there and if he had wanted to turn off the AC on a hot day, he could've, causing all kinds of problems for the hospital. Fortunately his ego got the better of him and he posted YouTube videos of his adventures and other clues which led to his sudden wardrobe adjustment.

The whole story is here, which has a link to his last couple of posts (prior to getting arrested!) on a hacker forum that he was a member of. (The best part about that thread is where someone labeled him a Massive Chunk of Fail after he was caught - that made me cackle.)

While we're on the topic of computers and health care - did you hear about the MRI machines that were infected with the Conficker worm a while back? Of course, that only happened because the machines had an internet connection. Doh!

Friday, July 10, 2009

New "zero day" Microsoft IE exploit

This has been in the news quite a bit over the last few days, but the nature of it prompts me to briefly post about it: there is a vulnerability in Internet Explorer versions 6 and 7 that can cause your Windows XP or Server 2003 system to be "hacked" just by visiting a site that is serving up the exploit - you don't even have to click on anything. The Microsoft Security Advisory about it is a pretty technical read, so check out this link first for information that is actually readable 8^) . There is a link there that will use MS's relatively new "Fix It" technology to download a ".msi" installer file that will install a workaround. I just tried this and it is pretty easy to do!

Here is yet another example of why it might be smart to use a browser other than Internet Explorer - most casual (and some not-so-casual) Windows users have it as their default, and sometimes only browser. I have been using Firefox for several years - it's not perfect, and as it becomes more popular it's getting its own share of attention from the crooks, but it's still not as prevalent as IE by about two-thirds. Other alternatives are Opera and Google Chrome (neither of which I've used much).

If you insist on using IE, at least update to the latest version, IE 8 (read about it here). You might already have it, as MS has made it a critical update for most or all Windows versions - which I'm not sure I agree with. I suppose (and hope) that their motivation might be that it has enough significant security updates so as to make it "critical" for most IE users.