Category Archives: Security

The logo doesn’t make it secure

http://www.greatreads.com.au/the7deadlysins/competition1.htm

See the protocol on the front? On the page, next to the big VeriSign logo:

We guarantee that every transaction you make on our website will be safe. Our secure server software (SSL) is the best software available today for secure commerce transactions. It encrypts all of your personal information, including credit card number, name, and address, so that it cannot be read as the information travels over the Internet. When an order is received, SSL is again used to unscramble the message, check that it came from the correct sender, and verify that it has

Has what? It’s a mystery.

What is it with these half-baked web pages?

Why Facebook sucks

Now, I know there’s a lot to like about Facebook.

And I know the way it’s open to developers to fiddle about with it is part of its success.

But this in turn gives it usability problems. For example, I noted a video on my home page, shared by someone I know. It looked interesting.

Video on Facebook

So I click it.

It doesn’t play the video. Nuh uh. Because I’m new to Facebook, instead it shows me a scary security dialogue offering to add the Facebook Video application to my account. And because we all know these days to be very wary of security dialogues (they mean something bad might happen if I choose the wrong option, right?) I have to very carefully read all of it.

Facebook Video installation

WTF?! Five security options, an application description and a disclaimer and a link to the Platform Application Terms of Use, plus a link in case I’m Afraid of abuse by this application? I JUST WANT TO WATCH THE FREAKING VIDEO!

You don’t get this problem with YouTube. Well, not if you’re one of the 99%* of people who already have Flash installed. (Hey, Facebook Video uses Flash as well, as it happens.)

*This is a guess, though from memory it’s something like that.

Seriously, all this is too much information. (And it turns out the first option is compulsory for this application — if you decide to be ultra-careful and don’t say Yes, you can’t have Facebook Video.) For something which is not actually an infrastructure security issue (unless I’ve seriously misread how Facebook works, all this lives inside your browser; nothing’s coming down to be installed on your computer), but is more of a privacy issue, I’d argue that sensible hidden defaults, only shown if the user is interested, would be more suitable for this kind of thing.

Now, as to why you’d post video hidden away in the Facebook walled garden, rather than on Youtube where anybody can find it… I can only assume that you don’t want too many people to see it, that you’re being fussy — you only want your “friends” or a particular demographic watching. It’s a little counter-intuitive when for most, it’s hits/views that are what we’re looking for — the more the merrier.

I guess that’s why I’m a Facebook cynic in general.

Anti-virus performance

Even if you avoid putting multitudes of security packages onto your computer, you need to be careful choosing what you do install. For now I’m going with Windows Firewall because it’s easy and cheap and seemingly fast. (Yeah I know it doesn’t block outbound connections.)

And anti-virus? Well I’m beginning to think, despite what I said last month, that CA AntiVirus may be helping to cause my Media Center problems. It’s also continuing to bug my kids (non-Admin users; and I plan to join them in that group) with pointless error messages.

Kaspersky gets a good rap from C/Net, so I’ve downloaded a trial version. I don’t have any hard data, but the machines already seem more responsive.

By the way, reading an APCMag anti-virus review (Feb 2007), it noted that Norton takes up over 300MB of disk space! 300MB?!? For anti-virus? That’s insane.

Protection rackets

Just how much PC security do you need?

Ryan Naraine notes that all the various protection software for Windows is getting out of hand: “Here’s a list of the products sitting on your machine, sucking valuable system resources under the guise of protecting you from hacker attacks: Anti-virus, anti-spyware, anti-rootkit, anti-spam, drive-by browser protection, etc., etc.”

I mean, the evils of viruses and other nasties are that they take your computer’s resources and waste them for their own purposes, depriving you of using them.

But anti-virus and other products do the same thing: they also take your computer’s resources and use them for their own purposes, and you pay for the privilege!

It’s like the over-zealous spam filter that zaps legitimate emails. The purpose of these products should be to make your life easier and save you time. If they slow everything down and make life hard, are they really worth the trouble?

How about some common-sense, appropriate security privileges for everyday computer use, and protection only for attacks that can arrive genuinely unannounced and without the user causing it?

Obviously you need some defence against stuff that can get in unannounced. Firewalls and virus scanning on emails and downloads would seem to be appropriate here, but I suspect anything else is going over the top.

(All this is assuming you don’t adopt Josh’s model and disconnect your Windows computer from the Net entirely. Few of us would be willing to make that sacrifice. The network is the computer.)

Spot the phish

McAfee have a great ten question quiz to challenge whether or not you can spot phishing sites. Give it a go. I got 9 out of 10.

Once you finish, it shows you the answers, and how to spot the fake sites.

Of course, one of the problems is that a prime indication of a fake site is awkward or badly phrased wording. This, unfortunately, is not limited to fake web sites. While it isn’t generally a trait of big corporate web sites, which have professionals working on them, there are any number of smaller businesses with badly designed, misspelt or awkwardly-worded sites.

In most cases, it’s careful inspection of the URL that will indicate for sure if you’re talking to the right people. Some of the quiz examples excluded this information, to make you look for other signs, which was good. But in practice all browsers should be displaying the URL. Some older versions don’t do this on popup windows and so on, which is a problem… you can see it by right-clicking and looking at the properties of the page, but most people wouldn’t remember to do this consistently.

Web server certificate perils

The replacement of web server certs is easy in theory. You should be able to hand the old cert request back to the CA and simply get a renewal of the existing cert, issued for the same key pair the request already carries.

Should be able to. I found out to my peril this week that it doesn’t necessarily work that way.

Using a corporate Certificate Authority, the new certs were ready to go, so on Wednesday night I arranged to get Admin access to the Win2K servers to put them in. Alas I was running late and missed the window in which I’d been given access! A consequence of the facilities guys being a little too efficient, I suppose.

No matter: attempt two was made the following night. Following these steps to import the cert, all worked fine. Then I used the IIS config applet to replace the old cert. Done.

Except it didn’t work. Browsing to the server on HTTPS failed with the usual kind of useless browser error: it claimed a DNS error/server not found, which made no sense. Nothing in the IIS log that told me anything.

Talked to the CA guy the next day. Very puzzled. Any amount of inspecting the old and new certs showed nothing.

On a whim, I decided to start from scratch: re-generate the cert requests and get the certs re-done.

Somehow, it worked. Still don’t know why, but it did. Memo for next time: just do the extra requests; don’t try and take a shortcut by re-using the old ones.
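Whatever actually went wrong above, there are two questions worth answering before blaming the CA: does the certificate you are about to install really belong to the private key on the server, and once it is in, is the server actually presenting it? Below is an added example (not from the original post, and not what was run on those Win2K boxes) that answers both with the OpenSSL command-line tool. The file names, the temporary directory and the `www.example.test` host name are assumptions for the demo; the demo generates its own throwaway keys and certificate so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks to run before (and
# after) swapping a web server certificate. File names, host names and the
# temporary directory are assumptions for the demo.
set -eu

# Returns 0 when the public key embedded in CERT ($1) is the one derived from
# KEY ($2). Comparing the DER-encoded public keys works for RSA and EC keys
# alike, unlike the classic "compare the RSA modulus" trick.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of a certificate file, e.g. AB:CD:...; compare this with
# what the live server hands out.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fingerprint of the certificate an HTTPS endpoint actually presents. Needs
# network access, so it is not exercised offline. Usage: served_fingerprint host 443
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Demo on constructed material: a certificate issued for key A must pair with
# A and must not pair with an unrelated key B. Returns non-zero on any surprise.
demo_cert_key_pairing() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.crt" \
    -subj "/CN=www.example.test" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/b.key" >/dev/null 2>&1
  if cert_matches_key "$d/a.crt" "$d/a.key"; then
    echo "a.crt <-> a.key: match"
  else
    echo "a.crt <-> a.key: MISMATCH"; rm -rf "$d"; return 1
  fi
  if cert_matches_key "$d/a.crt" "$d/b.key"; then
    echo "a.crt <-> b.key: match (unexpected)"; rm -rf "$d"; return 1
  else
    echo "a.crt <-> b.key: mismatch, as expected"
  fi
  echo "a.crt fingerprint: $(cert_fingerprint "$d/a.crt")"
  rm -rf "$d"
}

demo_cert_key_pairing
```

If `cert_matches_key` fails for the cert the CA just sent back, the server has nothing to sign the TLS handshake with, and the browser-side symptom is exactly the kind of vague connection failure described above, with nothing useful in the IIS log. If it passes but `served_fingerprint` still shows the old certificate, the binding in IIS was not updated. Either way you learn which half of the job to redo.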

Amusing aside: While talking to the contact in Facilities Management, my other phone beeped. It was the coin sound from Galaga. “Hey… isn’t that from Galaga?” Yep, well spotted!

Wrestling with CA Internet Security Suite

I’ve used Vet, the old Aussie favourite, for anti-virus on my primary PC for several years. After the initial investment it’s been A$39.95 per year, so it’s (I guess) reasonably cheap. It also meets my primary requirements for security software:

  • Small footprint on CPU, RAM and disk.
  • An interface that shutsthehellup and gets on with the job… especially when the kids are trying to play games. They (quite rightly) grumble when a full-screen game is shutdown just because some applet wants to tell you it’s downloading an update for itself.

Vet got bought by Computer Associates some years ago, morphing into CA Antivirus. My current subscription was about to run out, and they offered me an upgrade to the full CA Internet Security Suite, for 1-3 PCs, for A$69.95, less than double the cost of renewing the single anti-virus licence. Given I’d been having problems with Free AVG on my second computer (it won’t shut up about the updates it’s loading, and sometimes complains that it’s not working, particularly when a non-Admin user is logged on), I’d considered getting a second licence anyway, so it seemed like a good deal.

And I’d be gaining a Spyware detector and a more fully-fledged firewall than the Windows one. Question is, were they any good? I knew the CA Antivirus would do the job, but what about the others?

Installation was straightforward. Licence looked over-long, but was in fact a base licence with extra points for virtually every country in the world. There must be a better way to present this… choose the country first?

Antivirus ran as I expected. Did a full scan, then shut up and sat in the background. No problems.

The firewall? Once it started, it began popping up alerts… it might claim to be pre-configured for some programs, but appeared not to know about very obscure ones such as FIREFOX.EXE and IEXPLORE.EXE. Hmmm. It was fine once it knew about things, but evidently needs to be babied along for a day or two at first. The configuration screen seemed sluggish, and it wasn’t clear whether it had picked up the existing rules from the Windows Firewall. So I’m not sure about this. It’s tempting to shut it off and just use the Windows Firewall instead, which wouldn’t catch outbound malware, but then, I’ve never had issues with that.

Anti-spam I’m, frankly, not that interested in. The protection provided by my ISP and by Outlook is good enough that I don’t want to complicate things by adding a third barrier into the mix. (I also got stung the other week by over-zealous spam filters — you can read about it here.)

Spyware. I’m generally in favour of anti-spyware applications. While I’m not of the “every cookie is a threat to my privacy” school of paranoia, there are some genuinely malicious applications out there. (See Jeff Atwood’s recent post on this.) But I run a pretty tight ship with regards to downloads, so I’ve never considered it to be a big problem. So Spyware detection I consider a nice-to-have.

CA’s Spyware detector though, I didn’t like. It was probably doing an okay job, but it wouldn’t shut up. Every time a non-admin user logged in, it piped up with the fact that the user wouldn’t be able to change its configuration, even if the scanning had been turned off. Listen carefully, CA: I DON’T CARE. Either give me the option of turning off this warning, or don’t give it in the first place.

CA Antispyware error

I don’t want to subject non-admin users to pointless error messages so that a security measure of doubtful use can run. After all, the whole point of security software is to let you use your computer uninterrupted by problems. If the security software itself is going to insist on interrupting you, it kinda defeats the point, doesn’t it?

I’m not going to make every user an admin to avoid the warnings. If the manufacturer of an Internet Security product is telling me to have every user as admin, then they’re idiots.

Web filtering. Apparently the licence includes a free download of some parental web filtering software. I didn’t try it.

I also ran into problems with the licence keys. Evidently because my Vet licence expired, and all the new licences are linked to that one, CA’s system flagged them all as expired. The support web pages (which have an annoying tendency to keep opening new windows) suggested running a licence sync, which didn’t work. Their “24-7 web support” turned out to be an enquiry form. About 48 hours after putting in a request, the problem seemed to have cleared, but as I never got a reply from it, I don’t know if it fixed itself, it was something I did with my tinkering, or if CA’s support fixed it.

In conclusion I’m happy enough with the antivirus component, which is the essential element I really wanted. It’s quite obviously the most refined, mature product in the suite. The other stuff I either didn’t want, or can’t (or won’t) use because it doesn’t run well. If you’re looking for a fully-fledged Internet security suite… keep looking.

On the other hand, I’ve still got about 45 days to get a refund, if I want it. Anybody else care to nominate their favoured anti-virus apps for Windows XP?

Other reviews of CA Internet Security:

Update: A month later I dumped this product.

Gone phishing

I’ve had many phishing attempts trying to impersonate banks, but this is the first I recall impersonating the Australian Taxation Office.

From: Australian Government <admin @ ato.gov.au>
To: dbowen @ custard.net.au
Date: 15-Jun-2007 16:32
Subject: Australian Taxation Office – Please Read This.

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $163.80
Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards, Australian Government

© Copyright 2007, Australian Taxation Office – All rights reserved..

The click here link was to: http://bigart.com.tr/ato/updatedb/ (rest snipped)… from the looks of it this domain is commonly used by phishers. Evidently they’ve been at it for a few months now.
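The “Spot the phish” quiz above and this ATO example make the same point: the giveaway is the link target, not the wording or the logo. The script below is an added example (not from the original post) that does mechanically what a careful reader does by eye: it parses an HTML e-mail, pulls out every link, and flags any link whose host is not under the domain the From: header claims. The message it runs on is constructed for the demo; the ato.gov.au sender and the bigart.com.tr link are the ones quoted above, while the decoy ato.gov.au link and the markup around it are invented. The `registrable_domain` helper is a deliberate shortcut (a real tool would consult the Public Suffix List) and is labelled as such.

```python
"""Added example, not from the original post: extract every link from an HTML
phishing e-mail and flag those whose host does not belong to the domain the
message claims to be sent from. SAMPLE is constructed for the demo; the
ato.gov.au sender and the bigart.com.tr link are the ones quoted in the post,
the decoy link and the surrounding markup are invented."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
From: Australian Government <admin@ato.gov.au>
To: dbowen@custard.net.au
Subject: Australian Taxation Office - Please Read This.
Content-Type: text/html; charset="utf-8"

<html><body>
<p>After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $163.80</p>
<p>To access the form for your tax refund, please
<a href="http://bigart.com.tr/ato/updatedb/">click here</a></p>
<p>Questions? Visit <a href="https://www.ato.gov.au/">www.ato.gov.au</a></p>
<p>Regards, Australian Government</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain heuristic (assumption for the demo): keep the last two
    labels, or the last three when the TLD is a two-letter country code with a
    short second level such as gov.au, com.tr or co.uk. A production tool would
    use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Domain part of the From: address (the domain the mail claims to come from)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def suspicious_links(raw_message):
    """Return [(href, visible_text, reason)] for links that lead outside the
    sender's domain, or whose visible text names a host other than the real
    target (the "looks like the bank's address" trick)."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    claimed = registrable_domain(sender_domain(msg))
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if registrable_domain(target) != claimed:
            findings.append((href, text, f"target {target} is not under {claimed}"))
            continue
        # Visible text that itself looks like a host name must agree with the target.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if re.fullmatch(r"[a-z0-9.-]+", shown) and "." in shown \
                and registrable_domain(shown) != registrable_domain(target):
            findings.append((href, text, f"text shows {shown} but target is {target}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE):
        print(f"{text!r} -> {href}: {reason}")
```

Run on the sample, the decoy link to www.ato.gov.au passes and the “click here” link is reported because bigart.com.tr is not under ato.gov.au. The same comparison is what you should do by hand when the browser hides the address bar: look at where the link actually goes, not at what it says.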

OpenID – the next big thing?

Over the years, as new web services have come into prominence, there’s been a rush to get hold of the best IDs. Most people would chase something resembling their name, with those with popular names too late to the game being left with the lame IDs: nicknames, real name + licence plate number, or hackerz sp34k versions.

Some of the defunct web sites I got good IDs for include Excite and mail.com. Some I still use include Gmail (and all the other Google properties), Hotmail and Yahoo.

With the news that Microsoft will be supporting OpenID, I reckon the next big rush could be for this, particularly if Google and Yahoo are sensible and decide to jump on the bandwagon.

OpenID identifies you by a URL/URI, so it’s marginally less user-friendly than a conventional logon, but if it takes off (*if*) and gets widespread use around the web, from a user point of view it could go a long way towards cutting down on the zillions of passwords people currently have to remember… and thus end up writing down.

So I’ve got my OpenID already. Have you? Now, since Flickr are pissing everybody off with new limitations, maybe I’ll go over to Zooomr and take a look around there.

Perils of outsourcing

With outsourcing, many big corporations are becoming much more fragmented than they were before. It’s often a gradual process, with a bunch of internal staff first being moved only in name, but over time it takes hold in more concrete ways: being kicked off the email system, moved to new facilities off the internal computer networks, deleted from the corporate directories, that kind of thing. (As well as untold “new” people joining the fray.)

Which can mean a lot of inconvenience. Suddenly the outsourced people have all their phone numbers and email addresses changed. They can’t easily find contacts within the company. And vice versa. Emails which contain sensitive information and formerly only got sent internally are going out on the live, insecure and slow internet.

VPNs and other hoop-jumping has to be set up just so people can work, and that’s before you start moving whole servers and applications outside the cosy confines of the corporate network.

And God help you if you want to set up an appointment with some busy people who are no longer viewable in your calendaring software.

Is it all worth it? Who am I to judge? Pah, what would us geeks know about it, anyway?