October is National Cyber Security Awareness Month, and as I stated in the last post, I decided to celebrate by writing some Security Awareness posts. Almost as if they knew what I was going to write about, I received this spam comment on my last post this morning: "such a very informative and valued article, regards" The poster's name, which is undoubtedly fake, was hotlinked to: hxxp://www.antivirus-finder.blogspot.com. That, in turn, turns out to be a blog that links to various unknown and quite possibly shady anti-malware programs. ("Malware" is a collective term for malicious software, such as viruses, worms, trojan … Continue reading Security Awareness Post 2: Beware of malicious software
The U.S. President has declared October 2010 to be "National Cyber Security Awareness Month." While the term "cyber" may not be particularly clear to most people, what this really is about is How To Stay Safe Online; and not just in America. Staying safe online is crucial everywhere. To celebrate, I thought I'd try and jam in as many little advice posts as possible between now and, well, when everyone knows how to stay safe online. Thus, without further ado: Advice #1: No, you really haven't won the U.K. Lottery. Nor have you won the Microsoft Lottery. Nor does anyone really want you to … Continue reading October is National Cybersecurity Awareness Month
A very commonly required feature for mobile access to email is remote wipe – the ability to reach out and wipe all corporate data off a mobile device. Exchange ActiveSync supports this feature and has for several versions now. You, as the Exchange or Security administrator, can issue a remote wipe command to a compliant device, or the user can do it themselves through Exchange, and the next time the user connects the device will be wiped. There are two major flaws in that design. One is the well understood "the next time the user connects" part: you cannot reach out … Continue reading Don’t fire people until after you wipe their phones
Munir Kotadia, an IT Journalist in Australia, has finally managed to figure out how to blame Microsoft for the fake anti-malware epidemic. Apparently, the reason is that “Microsoft could save the world from fake security applications by introducing a whitelist for apps from legitimate security firms” and, presumably, has neglected to do so out of sheer malice. I’m clearly not a thinker at the same level as Munir; maybe that is why I don’t fully get this white list he proposes. Does he want one only of security software? How would you identify security software? I can see only two ways. … Continue reading Fake Anti-Malware is Apparently Microsoft’s Fault
It's official. I just received an e-mail from Thawte notifying me that, as of November 16, 2009, the most innovative and useful idea in PKI since its inception, the Web of Trust, will die. Thawte was founded 14 years ago by Mark Shuttleworth. The primary purpose was to get around the then-current U.S. export restrictions on cryptography. Shuttleworth also had an idea that drew from PGP: rather than force everyone who wanted an e-mail certificate to get verified by some central entity – and pay for the privilege – why not have them verified by a distributed verification system, similar … Continue reading Web Of Trust: RIP
Today I finally got wind of my first piece of true standard user malware. MS Antispyware 2008 has turned standard user. The version in question installs the binaries in c:\documents and settings\all users\application data\<something>, and makes itself resident by infecting HKCU\…\Run. Curiously, the legitimate anti-malware program (one of the top 3) failed to detect the infector. Obviously, this version is much easier to remove than the ones that require admin privileges. However, MS Antispyware is not about being hard to remove. It just needs to run until the user pays for the privilege, and more than likely, even as a … Continue reading And finally, standard user malware
Last week, an expert from Verizon, nee Cybertrust, posted a note about the Active Template Library (ATL) security vulnerability over on the Verizon Business Security Blog. For home users, the phone company now advises you to use a different browser, ostensibly because IE and ActiveX are inherently insecure. I felt that quite missed the point that (a) browsers are software, and (b) all software has vulnerabilities, and (c) extension technologies in browsers add functionality, which (d) is implemented in the form of software, and therefore (e) introduce additional vulnerabilities. Just because Internet Explorer's extension technology is called ActiveX does not … Continue reading Is it ActiveX that is the problem?
Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS – the U.S. tax department) reporting that they paid me, as well as send me a form called a 1099 form that I can use to report this money on my tax return. A few days ago the comptroller for the publisher sent me an e-mail asking for my social security number (my national ID number for any non-Americans … Continue reading Please do not e-mail my social security number
CBS News did a story a few days ago on the Transportation Security Administration (TSA). Basically it was a tit-for-tat between Bruce Schneier, security pontificator extraordinaire, and Kip Hawley, the administrator of the TSA. Mr. Hawley maintains that the TSA provides a necessary service because we are at war, and the obvious battleground, apparently, is airplanes. Surely, we must all realize that just because the terrorists used airplanes once, they can't possibly have enough imagination to go for another target next time. Mr. Schneier, wisely, disagrees, points out all the flaws in what the TSA does, and calls the whole … Continue reading Kip Hawley: "No, the TSA is Necessary Because This is War!"