greg hughes - dot net - Safe Computing (http://www.greghughes.net/rant/). Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't. Author: Greg Hughes (greg@greghughes.net). Feed generated Thu, 07 Jun 2012 00:18:14 GMT.

A topic I always enjoy... I post this with the hope that you’ll be able to take something from it as a message to carry to others.

You may have heard that apparently the LinkedIn password list, consisting of roughly 6.5 million password hashes, was stolen and a table of the hashed values has been posted online (InfoWorld: http://www.infoworld.com/t/hacking/65-million-linkedin-passwords-reportedly-stolen-posted-online-194976). You may have received emails from concerned people you know, intended to let you know about the issue. And while it’s a good idea to change your password now, I wanted to take the opportunity to expand on the topic a bit.

One message I consistently try to send is that it’s *always* a good idea to change your passwords regularly to protect against threats such as this and others.

This specific case (as the info is exposed today) doesn’t represent an immediate broad threat for LinkedIn accounts, beyond the ability to potentially build a library of valid passwords sans usernames. But, there is enough information exposed to suggest a need to take reasonable action. In this case, the leaked info is a list of hashed passwords: the passwords were run through a one-way hash function rather than encrypted, so there is no key that turns the hashes back into passwords. How much protection that gives depends on how the hashing was done; a fast hash with no per-user salt can be guessed against at very high speed. The version of the list posted online contains only the hashed password values and not the associated user names or email addresses. However, the bad guys could possess that additional info, and just not be releasing it. Yet. We don’t know.

“Hashed” means you cannot simply decrypt the list and read the actual passwords. Instead you’d have to build your own list or library of possible passwords, hash each of those the same way, and then compare the resulting hashes to the stolen password hash list to find any matches. At that point you’d know that you have a valid password for *someone’s* account on LinkedIn, but you would not know whose account it belongs to (since the login emails were not posted). Then again, that account login/email info might be held by the bad guys who posted the hash list; there’s no way to tell for sure.

If the bad guys also have the account names/email addresses, the real risk is that they would run a dictionary attack against the hashed password list, correlate the recovered passwords to the respective email addresses (LinkedIn uses your email address as the login name), and then use those credentials to try to access LinkedIn -- as well as any other sites/services where people might (and likely do) use the same login credentials.
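As an added illustration of the dictionary attack and the correlation step described above (example code written for this page, not from the original post or from LinkedIn): it assumes the dump is unsalted SHA-1 purely for the sake of a fast, unsalted hash, and uses a constructed wordlist, a constructed hash list and placeholder example.com addresses. The salted variant at the end is the caveat a practitioner wants: a per-record salt removes the shared lookup table, so the attacker must redo the wordlist for every hash.

```python
import hashlib

# --- Constructed sample data (not from any real leak) ----------------------
# A tiny candidate wordlist; a real attacker would use millions of entries.
WORDLIST = [
    "password",
    "123456",
    "linkedin",
    "letmein",
    "Tr0ub4dor&3",
    "correct horse battery staple",
]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, assumed here as an example of a fast, unsalted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# What a public dump like the one described looks like: hashes only, no logins.
LEAKED_HASHES = [sha1_hex(p) for p in ("123456", "linkedin", "zebra-42-unique")]

# What the attacker might hold privately: which login each hash belongs to.
# The addresses are constructed placeholders.
EMAIL_BY_HASH = {
    sha1_hex("123456"): "alice@example.com",
    sha1_hex("linkedin"): "bob@example.com",
    sha1_hex("zebra-42-unique"): "carol@example.com",
}


def dictionary_attack(leaked: list, wordlist: list) -> dict:
    """Hash each candidate once, then look every leaked hash up in that table.

    Because nothing per-user went into the hash, one pass over the wordlist
    serves the whole dump: len(wordlist) hash computations no matter how many
    hashes leaked, and the table can be precomputed before the leak exists.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h in leaked if h in table}


def correlate(cracked: dict, email_by_hash: dict) -> list:
    """Turn cracked hashes into (login, password) pairs when logins are known.

    These pairs are what gets tried against LinkedIn and, because people reuse
    passwords, against every other site where the same email is the login.
    """
    return [(email_by_hash[h], pw) for h, pw in cracked.items() if h in email_by_hash]


# --- The caveat: a per-record salt removes the shared table ----------------

def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Same fast hash with a per-record salt mixed in (still only an example;
    a real system should use a deliberately slow scheme such as bcrypt or scrypt)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Constructed salted dump: (salt, hash) per record, fixed salts so it is repeatable.
SALTED_LEAK = [
    (salt, salted_sha1_hex(pw, salt))
    for pw, salt in (("123456", b"\x01\x02"), ("linkedin", b"\x03\x04"),
                     ("zebra-42-unique", b"\x05\x06"))
]


def dictionary_attack_salted(leaked: list, wordlist: list) -> tuple:
    """Every record has its own salt, so the wordlist is re-hashed per record.

    Returns the cracked passwords and the number of hash computations spent:
    up to len(leaked) * len(wordlist), with no precomputation possible.
    """
    cracked = {}
    work = 0
    for salt, h in leaked:
        for w in wordlist:
            work += 1
            if salted_sha1_hex(w, salt) == h:
                cracked[h] = w
                break
    return cracked, work


if __name__ == "__main__":
    found = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"unsalted: {len(found)} of {len(LEAKED_HASHES)} cracked "
          f"with {len(WORDLIST)} hash computations")
    for email, pw in correlate(found, EMAIL_BY_HASH):
        print(f"  credential to try elsewhere: {email} / {pw}")
    found_s, work = dictionary_attack_salted(SALTED_LEAK, WORDLIST)
    print(f"salted:   {len(found_s)} of {len(SALTED_LEAK)} cracked "
          f"with {work} hash computations")
```

The unsalted run cracks two of three hashes with six hash computations in total; the salted run cracks the same two but spends eleven, and that cost grows with the size of the dump rather than staying flat. The one password that survives both runs is the one that is not in the wordlist, which is the whole argument for unique, non-dictionary passwords per site.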

So, yes. Change your passwords, not only on LinkedIn but also on any other site where the same user name and password are used. But do it because it’s always been a good thing to do, not just when a credential-theft scare happens to come up. And also know that an actual readable list of LinkedIn passwords paired with login credentials has not been posted in the wild -- at least not yet.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/2.0/).
Post: LinkedIn, passwords, hashing, and re-using credentials. Permalink: http://www.greghughes.net/rant/LinkedInPasswordsHashingAndReusingCredentials.aspx. Posted Thu, 07 Jun 2012 00:18:14 GMT. Categories: IT Security, Safe Computing, Tech.

Shorthand used to be reserved for stenographers and people who took dictation or a lot of notes. But for the vast majority of us it was never fun. Remember those days? Now shorthand is cool again, but in text messages sent and received on cell phones. And it seems as if everyone under 25 is doing it (as well as some of us old people).

Parents, if you're lost in the world of texting because the abbreviated vocabulary is confusing, no worries. Mobile phone manufacturer LG has released a new web site that allows you to decode txt message slang, and you can use it at http://www.lgdtxtr.com/.

So now you can get a better handle on what your kids are up to. Enjoy.



Post: De-TXT-er: A tool for parents who want to know what their kids are saying. Permalink: http://www.greghughes.net/rant/DeTXTerAToolForParentsWhoWantToKnowWhatTheirKidsAreSaying.aspx. Posted Wed, 27 May 2009 17:13:39 GMT. Categories: Mobile, Safe Computing, Tech.

UPDATE: We've had a great response and have assigned all of our beta invitations for the first round of testing, but please check the details below and let me know if you think you'd be able to help in a future phase!

I'm working with a software company to test some cool software that's currently in the early beta stage of development. The software is of a security nature and will be of interest to IT and security folks as well as individual computer users. We're looking for people with netbooks and notebook computers, especially ones with webcams built in, to test the software and provide feedback.

You'll be provided a test key and the beta software, and will need to honor the confidentiality provisions of the test program. It's nothing too complicated and the test risks are very small. You'll install the software, run through a few operational tests and let us know the results. We will ask first for technical results ("Did this work?") as well as your opinions and thoughts, should you wish to provide them.

What you'll need to provide and have available for the test:

  • One or more notebook or netbook computers
  • Computer(s) must be running Windows XP, Vista or Windows 7
  • If it has a webcam built in, all the better (but not required)
  • A Flickr account (basic account is fine)
  • An email account and server information (for application configuration to allow sending of email alerts)

What you'll get as a result of testing and providing feedback:

  • A free copy of the release version of the software when it's released (and you'll be glad you have it installed if your computer is ever lost or stolen, hint hint)
  • Satisfaction and a sincere thank-you from me and the developers of the software

This software is quite interesting and has a lot of promise to provide real security value when it hits the streets, so we want to find as many complete test cases as we can. If you're interested, please email me at greg@greghughes.net and provide the details about your system, OS, etc - or call me at 503-766-2258. We are testing now, so let me know!

And thanks!



Post: Beta test opportunity: Help us test a cool security application for notebooks. Permalink: http://www.greghughes.net/rant/BetaTestOpportunityHelpUsTestACoolSecurityApplicationForNotebooks.aspx. Posted Tue, 24 Mar 2009 01:26:09 GMT. Categories: Geek Out, IT Security, Safe Computing, Tech, Windows.

Google seeded a paper comic book to some people recently (scans at http://blogoscoped.com/google-chrome/), to present and describe their future web browser (or you might just think of it as the web browser of the future), which is called Google Browser or Chrome.


So, what's the story? Making the browser more stable, more usable, more secure. At first glance, it looks like a strong starting point for the future of Internet browsers. Written from scratch, with the experience of several years of past browser platforms to learn from, Google has addressed many of the main concerns in today's browsers.

Now the only question is: When will we get it? I will be watching here to see if something shows up. Hopefully it's soon!

UPDATE: The release date is tomorrow (Tuesday, September 2, 2008) - More info and link to screenshots here.

A variety of technologies are incorporated into the Chrome design that improve on common browser weaknesses. The key improvements fall into the areas of stability (memory allocation and management, process management), some incredibly cool JavaScript environment enhancements (in the form of a new, open-source JavaScript engine), a bunch of user experience improvements and significant security changes.

And, it's all open source. That's right - anyone (including other browser makers) can leverage the work done in the Chrome project and can contribute to it or modify it to meet their own needs. Good move, Google.


Pretty exciting stuff. It will be fun to see what comes next, and when.



Post: Google's Dream Browser, Chrome: Coming soon to your computer. Permalink: http://www.greghughes.net/rant/GooglesDreamBrowserChromeComingSoonToYourComputer.aspx. Posted Mon, 01 Sep 2008 18:57:24 GMT. Categories: IT Security, Safe Computing, Tech.

I know this isn't exactly a new thing, but as I was installing the IE8 Beta 1 for x64 architecture on a computer today to do some testing, I felt a warm-fuzzy sense of appreciation for the fact that more and more we are seeing software that checks for patches and updates before installing and running for the first time. It makes for a more secure system, which is nothing but good.


No matter what you think of Internet Explorer (and for the record/what it's worth, I like it quite a bit these days), you have to admit the safer installation process is a great improvement.



Post: Installers that patch their software before first run - Smart security move. Permalink: http://www.greghughes.net/rant/InstallersThatPatchTheirSoftwareBeforeFirstRunSmartSecurityMove.aspx. Posted Wed, 16 Jul 2008 00:58:44 GMT. Categories: IT Security, Safe Computing, Tech.
Mark Russinovich (http://blogs.technet.com/markrussinovich/), a Microsoft Technical Fellow, presented a very good session at the TechEd IT Forum last year on the topic of advanced eradication of malware on Windows machines. It's a great session and has some useful advanced techniques for removal. It is also a very good resource for those who want to better understand how malware infects and what some of the risks are. Lots of practical information and how-to's in this one.

Fortunately, the session was recorded and is available online for anyone who wants to see it (http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359). If viruses and malware are a part of your job or if this type of security topic is of interest to you, it's an hour and twelve minutes well spent. I went looking for this session online hoping to find the PowerPoint and found the whole session with video and demo and everything - terrific stuff.

(Updated 4/7 - link to video fixed)



Post: Cleaning Malware on Windows - A lesson by Mark Russinovich. Permalink: http://www.greghughes.net/rant/CleaningMalwareOnWindowsALessonByMarkRussinovich.aspx. Posted Mon, 07 Apr 2008 06:16:56 GMT. Categories: IT Security, Safe Computing, Tech.

I somehow missed the release, but a little while back Microsoft released Windows Live OneCare v2.0 (http://onecare.live.com), and in that release added support for 64-bit Windows Vista. A few months ago (before OneCare v2) I had just bought a new laptop that came with the 64-bit Vista Ultimate edition pre-installed, and when I went to install the then-released version of OneCare, I was pretty disappointed that it would not work.

When I was in Costco the other day, I noticed a OneCare package on the shelf and picked it up to glance at the system requirements. Lo and behold, the packaging had changed and now indicated that 64-bit Vista was supported! When did they slip that in? I didn't see mention of it on the OneCare blog or anywhere else.

But hey, all I knew was it looked like I would be able to use it now, so I was looking forward to giving it a try.

Today I uninstalled my frustratingly cruddy other (to remain nameless) antivirus software and installed the OneCare suite. For about $40 a year I can protect three PCs and centrally manage two of them from the computer I designate as the "hub" machine. Nice.


OneCare v2 includes:

  • Antivirus & Antispyware protection
  • Online ID protection
  • Bi-Directional Firewall
  • Multi-PC management
  • Printer sharing
  • Data backup and restore capabilities
  • Maintenance and cleanup tasks (defrag, clean up useless stuff, etc.)

It's an easy and quick install, and a good way to make sure you're protected. You can watch a product demo and download the free 90-day trial at http://onecare.live.com.



Post: Windows Live OneCare security suite now runs on 64-bit Vista. Permalink: http://www.greghughes.net/rant/WindowsLiveOneCareSecuritySuiteNowRunsOn64bitVista.aspx. Posted Wed, 13 Feb 2008 02:33:14 GMT. Categories: IT Security, Safe Computing, Tech.
Yahoo! announces provider support for OpenID
Thu, 31 Jan 2008 03:46:31 GMT

Today came an announcement that represents a pretty big step in the identity space. Yahoo! announced they have rolled out beta support for OpenID v2.0 (http://developer.yahoo.net/blog/archives/2008/01/yahoo-openid-beta.html) and that Yahoo! is now a provider of OpenIDs (http://openid.yahoo.com/). In fact, anyone who has a Yahoo! account can quickly generate a Yahoo! or Flickr-branded OpenID to sign onto any web site that supports OpenID v2.0 (http://openid.net/specs/openid-authentication-2_0.html) for authentication. That's 248 million accounts at Yahoo! that can now potentially be leveraged across the Internet for sign-on.

OpenID (http://openid.net/) is an important standard that came out of the open-source community, which will likely change the way we provide identifying information and gain access to secured web sites on the Internet. It allows its users to have a single identity that can be used across different sites on the Internet. It also allows users to have the proper level of control over how they identify themselves and who they want to trust with that process.

One significant key to success for OpenID as a standard is adoption by a set of trusted identity "providers" - OpenID-issuing organizations that people are comfortable with when it comes to asserting their identity information. With Yahoo!, a large number of regular, everyday people can use their existing accounts to perform OpenID logins on any site supporting the standard. In the future, the hope is that other consumer-trusted providers will see the value of the brand recognition that goes along with being the OpenID provider for consumers. Yahoo! has me as an OpenID client now, which means every time I log onto an OpenID-enabled site and use that ID, I am by default thinking on some level about Yahoo! Pretty smart. It's time for banks, other financial service providers, and similar industries to seriously start thinking this one through. It's coming, and now is the time to be on the bandwagon.

Where can you use your OpenID to log in? Lots of places. There's a list of web sites (https://www.myopenid.com/directory) over at myopenid.com, a service provided by Portland company JanRain (http://janrain.com/). The people at JanRain have created some great software and services around the OpenID standard that businesses can use to leverage OpenID, and that enable social networks around the standard. It's pretty cool stuff.

Here's some basic information about OpenID from the Yahoo! OpenID provider site (http://openid.yahoo.com/):

  What is OpenID?

  In a nutshell, the OpenID technology makes life simpler by having only one username and password to remember.

  Once you have enabled your Yahoo! account for OpenID access, you only need to remember your Yahoo! ID and password to use hundreds of websites... So bid farewell to password spreadsheets and stickies all over your desk!

  When you are on a web site that supports OpenID login, simply look for a Yahoo! login button. Or if you see a text box with an OpenID icon, simply type in "yahoo.com". You will be sent to Yahoo! to verify your Yahoo! ID and password, and then you will be able to continue on.

You can find out even more at openid.net (the OpenID Foundation), and it's worth pointing out that you can also get an OpenID from a slew of other organizations - after all, it's all about making it your choice. The OpenID Foundation keeps a list of providers on its wiki and at http://openid.net/get/.
Strong password checker online
Wed, 15 Aug 2007 05:02:12 GMT

I just ran across Microsoft.com's strong password checker (http://www.microsoft.com/protect/yourself/password/checker.mspx), which is a little web-based app that lets you type a password or passphrase (http://www.greghughes.net/rant/PassphrasesVsPasswordsRealLifeTrial.aspx) in and it tells you the relative strength. It's pretty nice and worth bookmarking.

Why are strong passwords important? Simple: the simpler a password is, the easier it is for someone to "brute-force" it. That's a term for taking a program that runs through common terms, words and phrases, trying each one as your password over and over until one works. Strong passwords use a variety of character types, are longer, and don't contain dictionary words or other predictable, common terms.

Links:

  - Microsoft Strong Password Checker: http://www.microsoft.com/protect/yourself/password/checker.mspx
  - Creating Strong Passwords article: http://www.microsoft.com/protect/yourself/password/create.mspx (I agree with most of what they say but not all - suggesting blank passwords?!?! Whaaat?!?!)
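As an added example (not the Microsoft checker's code, which the post does not describe), here is a small Python estimator that scores a password on exactly the three properties above: character variety, length, and the presence of common terms. The word list and the strength thresholds are constructed assumptions for the illustration.

```python
"""Estimate how hard a password is to brute-force.

Added illustration of the three properties the post names (variety of
character types, length, no dictionary or common terms). This is not the
Microsoft checker's algorithm; COMMON_WORDS is a small constructed sample
where a real cracking tool would use millions of entries.
"""
import math
import string

# Constructed sample of "common terms" a brute-force tool tries first.
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "dragon", "admin"}

# (name, members, how many symbols the class adds to the attacker's alphabet)
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation + " "), len(string.punctuation) + 1),
)

# Substitutions a dictionary attack undoes before comparing ("p@ssw0rd").
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})

# Verdict cut-offs in log2(guesses); assumed values for this illustration only.
WEAK_BITS, STRONG_BITS = 28.0, 48.0


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given the classes present."""
    return sum(size for _, members, size in CLASSES
               if any(c in members for c in password))


def dictionary_hits(password: str) -> list:
    """Common words found inside the password after undoing leet-speak."""
    normalized = password.lower().translate(LEET)
    return sorted(w for w in COMMON_WORDS if w in normalized)


def guess_bits(password: str) -> float:
    """log2 of the search space: each dictionary word costs only a word-list
    lookup, the remaining characters cost charset ** length."""
    if not password:
        return 0.0
    hits = dictionary_hits(password)
    word_bits = len(hits) * math.log2(len(COMMON_WORDS))
    leftover = max(len(password) - sum(len(w) for w in hits), 0)
    return word_bits + leftover * math.log2(charset_size(password))


def rate(password: str) -> str:
    """Coarse verdict in the style of an online checker."""
    bits = guess_bits(password)
    if bits < WEAK_BITS:
        return "weak"
    return "medium" if bits < STRONG_BITS else "strong"


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd!", "Password1", "correct horse battery staple"):
        print(f"{pw!r:34} charset={charset_size(pw):3} "
              f"hits={dictionary_hits(pw)} bits={guess_bits(pw):6.1f} -> {rate(pw)}")
```

Note that "P@ssw0rd!" scores almost as low as "password": leet substitutions add character classes but a dictionary attack strips them right back off.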
Apple releases v1.0.1 security update for the iPhone
Wed, 01 Aug 2007 15:36:17 GMT

Recent security issues revealed by a group of security researchers, which will be showcased this week at the Black Hat conference in Las Vegas, are apparently dealt with via an update to the iPhone software released last night by Apple. You can read the change-log at http://docs.info.apple.com/article.html?artnum=306173.

Time to load up iTunes, all you iPhone users, and get your security fixes.

Also, the Engadget guys seem to think Safari runs better in general (http://feeds.engadget.com/~r/weblogsinc/engadget/~3/139393204/), and Boy Genius Report has a few non-security-related fixes/changes they have found (http://www.boygeniusreport.com/2007/07/31/apple-iphone-update-101-released/).
Network Access Protection in Windows Server 2008 - an interview with Jeff Sigman
Mon, 09 Jul 2007 22:17:23 GMT

One of the cool new features in Windows Server 2008 (which is currently available in beta) is Network Access Protection. This feature allows network admins to set up comprehensive network controls that allow access only to the proper computers and users, based on a set of "health" criteria determined by the admin. For example, let's say you want to require antivirus software to be up to date and patches installed before allowing a VPN connection to the LAN. NAP lets you do that. Wireless and wired networks can be significantly enhanced for local and remote access. It's the next wave of access management and control, and any IT network admin needs to get familiar with it. This is leaps and bounds above the "NAP-lite" capabilities from Server 2003.

This podcast interview with Jeff Sigman (http://www.runasradio.com/default.aspx?showNum=13) covers the subject well, and gives you a quick preview of what the capabilities are. Listen, download the beta and give it a try.

  RunAs Radio Show #13 | 7/4/2007 (34 minutes)
  Jeff Sigman Gives Us Network Access Protection

  The final installment of interviews from Microsoft Tech Ed US 2007 in Orlando: Richard and Greg talk to Jeff Sigman, the Release Manager for Network Access Protection (NAP). Jeff digs into exactly what NAP is all about and how it interacts with Windows Server 2008, Vista and Windows XP.

  Links: RunAs Radio web site (http://www.runasradio.com/) and RSS feed (http://www.intellectualhedonism.com/SyndicationService.asmx/GetRssCategory?categoryName=RunAs%20Radio)

As always, we welcome your input and ideas for the show - just email info@runasradio.com and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear more about as we book our guests.
You might get a call from the FBI (but confirm it's really them) - Operation Bot Roast initiative underway
Thu, 14 Jun 2007 16:43:02 GMT

The FBI is contacting more than one million computer owners and operators (http://news.bbc.co.uk/1/hi/technology/6752853.stm) whose computers have been victimized and taken over by fraudsters and other criminals who have installed "bots", which they then use to launch distributed criminal computer attacks and fraud scams.

  “The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”

So, if the FBI calls, you might want to cooperate. But exercise some common sense and a little caution: if you get a call or contact, be sure to confirm it's actually the FBI. The classic technique used by scammers is to take commonly used communication methods and closely mirror or duplicate them in order to make you think you're providing sensitive data to a legitimate business or agency, when in fact it's the bad guy in disguise. So verify, verify, verify.

The FBI has also put out a press release. Snipped from the press release, an important warning about being wary of potential malicious information requests:

  "The FBI will not contact you online and request your personal information so be wary of fraud schemes that request this type of information, especially via unsolicited emails. To report fraudulent activity or financial scams, contact the nearest FBI office or police department, and file a complaint online with the Internet Crime Complaint Center, www.ic3.gov."
Superbowl stadium site hacked - why security matters
Fri, 02 Feb 2007 20:58:44 GMT

Bad guys are not stupid. What they lack in morals they sometimes make up for in creativity and smarts. That's why they can be so dangerous. Think like a bad guy: if you wanted to find a way to take advantage of a large public event in order to gain fraudulent access to thousands (or more) individual computers so you could install keystroke logging software and trojan software to allow you to grow your rogue bot network, what would you do?

Well, if it was today, maybe you'd think to yourself, "Hey, the Superbowl is this weekend. Let's set up a fake site and trick people into going there with an email and screw 'em all over."

Or, if you were smarter, you'd just take over the server that houses the site for Dolphins Stadium.

If this doesn't tell you why you should be focused on security, then what does?

The news item is at http://blogs.zdnet.com/security/?p=15&tag=nl.e589, and an advisory with a description is at http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733.

  The official Web site of Dolphin Stadium, home of Sunday’s Super Bowl XLI, has been hacked and seeded with exploit code targeting two known Windows security flaws.

  In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities.

  According to Dan Hubbard, senior director, security and technology research at Websense, the malicious site hosting the script has been taken offline by law enforcement officials but the hacked Dolphin Stadium site — which is attracting a lot of Super Bowl-related traffic — is still hosting the malicious JavaScript.

  A visitor to the site with an unpatched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker “full access to the compromised computer,” Hubbard said.

Oy. What's it gonna take??

I recently moved the greghughes.net domain (web site, mail and everything else) to a godaddy.com virtual dedicated server. In doing so, I lost the anti-spam services that were previously provided by my old web host. Needless to say, the resulting load of spam was fairly overwhelming. My prior host had an appliance out front that caught the better part of the junk email headed for my email server, but a fair amount still got through. At any rate, the move and resulting lack of junk mail protection necessitated a thoughtful look at the options out there.

My criteria were as follows:

  1. Needs to be software I can run myself. I've had my fun (yeah, that's sarcasm) with expensive services that are not overly effective. Complicated billing, archaic payment systems (invoices without a dollar amount? what?) and a couple hundred bucks or more a year was not for me.
  2. Preferably open-source. Nothing solves problems that plague the community like the members of the community, so I figured there must be something out there that the afflicted masses build and maintain.
  3. It had to stop spam, not just identify and tag it. My email server (MailEnable) is already capable of detecting and "flagging" emails as spam, but that doesn't stop it from getting to my mail server in the first place. The goal was to prevent, not react. So I was looking for a gateway-like solution - something that receives all the inbound email, checks it, and forwards on only the good stuff.
  4. It needs to learn how to act. Static rules don't work. We see it in the fraud world, and it certainly applies to spam battles, as well. The system has to be able to learn and adapt and operate in the context of my email accounts.
  5. It needs to be kept current. An open source project that no one has worked on for six months or more is likely a dead project, and that won't get you anywhere in a world where the landscape changes constantly. Spammers change tactics a lot, and the tools to prevent spam have to evolve to keep pace.

I did a bit of research, and frankly I came up with very little that met all my criteria. Sure, there are a whole slew of commercial products out there, but as I said before, I was looking for open source and free (or very close to it). I'm not looking to buy.

The one thing I found that truly seemed to fit the bill was ASSP, which stands for Anti-Spam SMTP Proxy (http://assp.sourceforge.net/). It's an open source, Perl-based gateway application that you can run on any operating system that supports the Perl interpreter (which is pretty much all of them). It requires Perl v5.8 and a specific set of Perl modules, and it can be run as a daemon/service. ASSP has been updated about every two months in the recent past, with the most recent update having been in December (as of the time of this writing).

"The ASSP server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam."

I quickly downloaded the ASSP files, installed the necessary Perl modules and was on my way. I had the ASSP service up and running within just about 15 or 20 minutes. Note that to get the app to run as a service, you will need to manually edit the config file and set the flag in there to specify that you want to run it as a service, or else the only way you'll be able to get it to start is on the command line. Alternatively, you can start ASSP from the command line, access the web admin interface, and change the setting there. Once you do so, you'll be able to start the Windows service or run the daemon in Linux or whatever OS you're working with.

The first thing I did after getting the service set up was to access the web administrative interface and change the default admin password. Do that first. Please. And while you are there, think about who can reach that interface at all: it is an administrative console on an Internet-facing host, so bind it to the loopback address or firewall it down to your management addresses rather than relying on the password alone. Then I put all of the anti-spam options into "training" mode and specified a few of the basic server settings (like my domain and email account). I set it up to accept all inbound SMTP connections from the Internet on port 25, and to forward all emails that are determined not to be spam to the MailEnable server on another (unused) port. Since the MailEnable SMTP server is on the same host, the configuration and security setup was pretty simple. One check that is easy to skip: the port MailEnable now listens on behind the proxy must not be reachable from the Internet. If it is, anyone who finds it can deliver straight to the mail server and bypass ASSP entirely, so bind that listener to loopback or block it at the firewall, and confirm from an outside address that only port 25 answers. Of course, I then spent some considerable time looking through the many, many settings available. It's cool stuff, but you don't have to tackle it all right up front.

It's worth mentioning here that the ASSP wiki (http://www.asspsmtp.org/wiki/Welcome) has a lot of good information about setting your system up. Be sure to refer to that resource. If you do, you can be up and running in no time. If you don't, you might just wish you had. Remember, always read the freakin' manual before you ask questions. Heh.

The training mode actually results in all email being delivered (not blocked), but it adds some header information to the email which you can read if you like in order to determine whether or not the ASSP system is flagging it as spam. I actually set up my Thunderbird client with a rule to look for the ASSP header and if the spam flag was true, to move the email off to another folder. One caveat on that kind of client-side rule: a header is just text, and a sender can include one too. The rule is only trustworthy if the proxy strips any pre-existing copy of its verdict header before adding its own; otherwise a spammer can pre-stamp a message as clean, or a prankster can get legitimate mail filed as spam. Worth verifying against your own setup before you lean on it.

What you are supposed to do during this training period is to categorize the good and bad email, and in doing so tell the ASSP service how to treat the email it sees coming in. I used the email interface for submitting spam and good mail to ASSP for about a week before I turned training mode off. Reporting is very easy. I specified two email aliases in the ASSP system, such as spam-no@greghughes.net and spam-yes@greghughes.net (those are not the actual addresses of course) and on a regular basis forwarded groups of email back to the ASSP service that fit into each category. In fact, I even went back into my archive of valid email from before installing ASSP and forwarded a bunch of it to the system, so it could quickly learn what valid email looks like in my world. Your learning period will probably be about a week or so, or however long it takes you to gather 400 or more spam emails along with some good, valid email.

Once you've provided the system with a corpus of good and bad email, you run a little Perl script on the server to update the Bayesian spam detection database, which is the adaptive learning part of the system. I did this a few times - about daily - throughout the first week. With each update the system got smarter and smarter.

Once spam email was being very effectively categorized by ASSP, I switched the system from learning mode into normal operating mode and also configured ASSP to forward a copy of all spam emails it receives to a separate email account (say something like allspam@yourdomain.com). In doing so I have created a place for the system to provide me with all the spam email so that I can continue to peruse it when I feel like it in order to make sure nothing gets trapped in there as a false positive. But my main email account is spam-free.

Initially I found a few valid emails were ending up being categorized as spam, but all I had to do was to forward those to the email error reporting interface mentioned above and then rebuild the database, and now for the past few days I have seen zero false positives. I intend to continue to check that account now and then, just to ensure I don't miss any critical email. It's a quick and easy process, especially since all the spam that is blocked by the system as a result of coming from known spammer sources (RBL lists) never even makes it into the system. So, I'm just weeding through the small remainder of the stuff that the system analyzes and weeds out in the second phase of its analysis.
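The two phases just described (an RBL check on the connecting address first, then a Bayesian score built from the reported good and bad mail and refreshed by a rebuild step) are easy to lose in the narrative, so here is a self-contained Python sketch of both. This is an added example, not ASSP's own code (which is Perl), and it rests on a few assumptions: the X-Assp-Spam and X-Assp-Spam-Prob header names are what I believe ASSP stamps and should be treated as assumptions; rbl.example, the 192.0.2.10 address and the six-message corpus are constructed for the example; and the DNS resolver is passed in as a function so the whole thing runs offline (pass socket.gethostbyname to query a real blocklist zone).

```python
import math
import re
from collections import Counter
from email import message_from_string


def rbl_query_name(ip, zone):
    """Phase 1 helper: reverse the dotted quad and append the blocklist zone,
    "192.0.2.10" in "rbl.example" -> "10.2.0.192.rbl.example"."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns an A record or raises OSError for a missing name
    (socket.gethostbyname fits). Listed means an answer in 127.0.0.0/8; NXDOMAIN
    or anything else is 'not listed', so a dead zone fails open."""
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except OSError:
        return False
    return answer.startswith("127.")


TOKEN = re.compile(r"[a-z0-9$!']{2,}")


def tokens(text):
    """Distinct lower-cased tokens; each message votes once per token."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    """Phase 2: Graham-style naive Bayes (an illustration, not ASSP's code)."""

    def __init__(self, threshold=0.9):
        self.docs = {True: Counter(), False: Counter()}  # token -> msgs containing it
        self.count = {True: 0, False: 0}                 # messages seen per class
        self.prob = {}                                   # token -> P(spam | token)
        self.threshold = threshold

    def train(self, text, is_spam):
        """One reported message (the spam-yes / spam-no aliases in the post)."""
        self.docs[is_spam].update(tokens(text))
        self.count[is_spam] += 1

    def rebuild(self):
        """Recompute the token table (the post's rebuild script)."""
        self.prob = {}
        for tok in set(self.docs[True]) | set(self.docs[False]):
            b = self.docs[True][tok] / max(self.count[True], 1)
            g = 2.0 * self.docs[False][tok] / max(self.count[False], 1)  # ham counts double
            self.prob[tok] = min(0.99, max(0.01, b / (b + g)))

    def score(self, text, top=15):
        """P(spam) from the `top` most decisive tokens; unseen tokens get 0.4.
        Combined in log space so a long message cannot underflow to zero."""
        probs = sorted((self.prob.get(t, 0.4) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


SPAM_HEADER = "X-Assp-Spam"        # assumed name of the ASSP verdict header
SCORE_HEADER = "X-Assp-Spam-Prob"  # assumed, as above


def handle_message(flt, raw, training_mode):
    """Training mode delivers everything with the verdict in a header; normal
    mode blocks spam. Sender-supplied copies of the verdict headers are
    stripped first, so a client rule keyed on them cannot be steered."""
    msg = message_from_string(raw)
    for h in (SPAM_HEADER, SCORE_HEADER):
        del msg[h]  # removes every occurrence, no error if absent
    body = "" if msg.is_multipart() else msg.get_payload()
    p = flt.score(msg.get("Subject", "") + " " + body)
    is_spam = p >= flt.threshold
    msg[SPAM_HEADER] = "YES" if is_spam else "NO"
    msg[SCORE_HEADER] = "%.4f" % p
    return ("block" if is_spam and not training_mode else "deliver"), msg


# Constructed corpus standing in for mail forwarded to the two report aliases.
SPAM_CORPUS = ["Buy cheap viagra now, click here for a limited offer",
               "Cheap replica watches, click here, free offer",
               "You won the lottery! Claim your prize now, click here"]
HAM_CORPUS = ["Meeting tomorrow at ten to review the quarterly report",
              "Can you send me the report before the meeting?",
              "Thanks for the review notes, see you at the meeting"]
# Constructed messages; the spam one arrives pre-stamped as clean by its sender.
RAW_SPAM = "From: x@example.net\nSubject: cheap offer\nX-Assp-Spam: NO\n\nclick here now\n"
RAW_HAM = "From: bob@example.org\nSubject: meeting notes\n\nCan you send me the notes?\n"


def build_demo_filter():
    flt = BayesFilter()
    for text in SPAM_CORPUS:
        flt.train(text, True)
    for text in HAM_CORPUS:
        flt.train(text, False)
    flt.rebuild()
    return flt
```

Two design points worth noticing. is_listed fails open on resolver errors on purpose: a blocklist zone that goes dark or starts answering with a non-loopback address must not turn into a rejection of all inbound mail. And the `del msg[h]` lines in handle_message are what make a client-side folder rule safe to key on the verdict header: in training mode nothing is blocked, so the only thing standing between a pre-stamped spam message and the inbox is that the proxy discards the sender's copy of the header before writing its own.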

Here is what the service has done for my email account since I turned it on about 12 days ago:

General Runtime Information

ASSP Proxy Uptime:
12.232 days

Messages Processed:
2297 (187.8 per day)

Non-Local Mail Blocked (percentage of email that is spam):
87.5%

CPU Usage:
0.27% avg

That's 288 valid emails and 2009 blocked as spam. As I said at the beginning, a bit overwhelming for only one email account in the mix, and obviously quite necessary to do something about it.

I still need to do some small amount of work to make sure the service stays up and running from a high-availability standpoint, and in fact I have that minor issue with not only the ASSP service but also a couple other email services and even the IIS service. Resource constraints seem to play havoc now and then on my virtual server, but I think I have managed to get a handle on that.

For anyone that's looking to put an anti-spam proxy in place for your own mail server, I most definitely recommend checking out ASSP and giving it a try. Download it from http://www.asspsmtp.org/wiki/Downloads (use the most recent stable version). Or check out the ASSP Wiki at http://www.asspsmtp.org/wiki/Welcome, which contains documentation, the FAQ, and everything else you can think of. A high-level list of features can also be found on the ASSP home page at SourceForge (http://assp.sourceforge.net/).



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/2.0/).

Using ASSP to prevent spam on your mail server
Posted Mon, 15 Jan 2007 10:18:28 GMT
Permalink: http://www.greghughes.net/rant/UsingASSPToPreventSpamOnYourMailServer.aspx
Categories: IT Security, Safe Computing, Tech

In May, the National Security Agency (yes, that one) published a guide in PDF form (818KB PDF file: http://www.nsa.gov/snac/support/I33-011R-2006.pdf) called "The 60 Minute Network Security Guide - First Steps Towards a Secure Network Environment."

It's good stuff. Sure, it's not a 100% guide to everything you need to know and do, but it covers the bases quite well. Some have balked at the complex password and rotation requirements and made the requisite "that won't work in the real world" noise, but those of us who actually do operate in the real world know it can be done and that 90 days is a bad number (it's too long IMO, and lacks usability - it should be either 84 or 42 days). Sure, a few people will complain (it's human nature and it takes all kinds), but the vast majority are more than happy to do their part. Don't let the vocal few chase you away from what is proven over and over to be right.

There are always good and effective ways to accomplish goals while meeting requirements: for example, the use of passphrases (http://www.greghughes.net/rant/PermaLink,guid,b28e705f-2014-478a-95f9-f95466f758e5.aspx) instead of regular passwords makes complex, long passwords a cinch, and all it takes is about 5 minutes of user education to show people how well it can work (use your all-hands meetings and you'll be amazed what you'll get accomplished in a short period).

Read the guide, use it, and you'll be better off. A variety of other security configuration guides from the NSA can be found at http://www.nsa.gov/snac/. There are more than 80 guides covering server and client operating systems, network infrastructure, database platforms, and more.

(via lifehacker.com: http://www.lifehacker.com/software/networking/secure-your-network-nsastyle-226392.php)



The NSA's 60-Minute Guide to Network Security
Posted Mon, 08 Jan 2007 00:48:57 GMT
Permalink: http://www.greghughes.net/rant/TheNSAs60MinuteGuideToNetworkSecurity.aspx
Categories: IT Security, Safe Computing, Tech

Well, honestly, it's about time (http://www.microsoft.com/presspass/features/2006/oct06/10-04SoftwareProtection.mspx).

Bloggers are all over the story, and are espousing a variety of opinions, but I have wondered for years (http://www.greghughes.net/rant/HeyMicrosoftGoAheadAndPatchPiratedSoftwareHeresHowToMakeItWork.aspx) when Microsoft would finally crack down on software thieves and simply not allow their software to run unless it was legitimately licensed. I'm responsible for cutting a big check each year to Microsoft to pay for the software we use at the company I work at. It costs me more, in effect, because others are taking without paying.

So, Windows Vista will detect piracy and take action. In Microsoft's words:

"Collectively termed the Microsoft Software Protection Platform, the new technologies will introduce improvements in how Microsoft software activates, is validated online and behaves when tampering or hacking is detected."

Thinking about this from a security guy's perspective, one thing bothers me: Turning off the anti-malware capabilities on unlicensed copies? Are you kidding me? That means the rest of the world falls victim to everyone out there that's running pirated Windows? Please, please, please change this one - Microsoft might be a victim, but no need to invite the rest of the world into that club. And it looks like Richi Jennings agrees with me on that one (http://richi.co.uk/blog/2006/10/vista-software-protection-platform.html). That's just poor prioritization. Hopefully someone will rethink the approach in that specific area...

Elsewhere, Ed Bott at ZDNet has written a very good piece (http://blogs.zdnet.com/Bott/?p=148) describing the changes and his thoughts on the matter. He has some important points, ones that Microsoft should make sure they have thought completely through and have a plan for - especially when it comes to Volume License customers. Those are the people you don't want to aggravate, for sure.

Among Bott's comments:

Microsoft denies that this is a "kill switch" for Windows Vista, even giving it a separate question and answer in its mock interview announcing the program. Technically, they're right, I suppose. Switching a PC into a degraded functionality where all you can do is browse the Internet doesn't kill it; but it's arguably a near-death experience. The accompanying white paper describes the experience in more detail:

By choosing "Access your computer with reduced functionality," the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in. Note: This is different from the Windows XP RFM experience, which limits screen resolution, colors, sounds and other features. [emphasis added]

My head practically exploded when I read this sentence describing the new, improved punishment regimen: "Windows Vista will have a reduced functionality mode but one that is enhanced." Enhanced reduced functionality? Orwell would be proud.

Snarky as ever, Engadget reports (http://www.engadget.com/2006/10/04/microsoft-will-cripple-pcs-running-pirated-copies-of-vista/):

Well, Microsoft has fired the first salvo in this war on pirates -- according to The Associated Press, the Redmond crew will be taking "much harsher steps to curtail piracy" than in years past. First, the company will "deny access" to some of the "most anticipated features," including Windows Aero, the new GUI. Then, Vista will start issuing ransom demands (we're not kidding about this part), demanding that a legitimate copy be bought within 30 days, or else. What would such consequences entail? How about limiting Web access to an hour at a time? Further, what about not being able to open documents from the desktop or "run other programs such as Outlook e-mail software" ? However, the article goes on to say: "Microsoft said it won't stop a computer running pirated Vista software from working completely, and it will continue to deliver critical security updates." So for those of you keeping score, Microsoft wants to make using your computer as miserable as possible, while keeping it as "safe" as possible, ok?

People out there will whine and complain and say it's not fair, that it's all a bunch of red tape and people will be inconvenienced (and they might be right about that one point), and a million other things that go along with the typical victim mentality (sorry guys, but possession of stolen goods is illegal, even if it's inconvenient, and possessing stolen stuff unknowingly doesn't make the goods any less stolen). And Microsoft needs to make sure that legitimate users are not impacted in a truly meaningful and workable way. But the fact of the matter is that Microsoft is right on this one. In fact, it seems to me that if I ran a company that created software for use by consumers and businesses, and if I wanted to make sure it was being legitimately used and paid for, I'd just keep it from working at all if it was obviously stolen.

But the politics of huge-mega-corporation-attacked-by-angry-mob is a multi-billion-dollar business, apparently.

Glad to see they're finally doing something about it, though.

Some Techmeme-tracked discussion on the topic:

  - Matt Hickey / CrunchGear: Microsoft Readies Vista for Piracy Wars - http://crunchgear.com/2006/10/05/microsoft-readies-vista-for-piracy-wars/
  - Jordan Running / Download Squad: Microsoft threatens to cripple pirated Vista PCs - http://www.downloadsquad.com/2006/10/04/microsoft-threatens-to-cripple-pirated-vista-pcs/
  - Cisco Cheng / Gearlog: Windows Vista: Reduced Functionality Mode - http://gearlog.com/blogs/gearlog/archive/2006/10/04/ReducedFM.aspx
  - Chron.Com / TechBlog: May I see your Windows license and registration, ma'am? - http://blogs.chron.com/techblog/archives/2006/10/may_i_see_your.html
  - Jack Schofield / Guardian Unlimited: Microsoft's Software Protection Platform — WGA will get tougher - http://blogs.guardian.co.uk/technology/archives/2006/10/04/microsofts_software_protection_platform_wga_will_get_tougher.html

Vista anti-piracy features will cripple illegitimate copies - finally
Posted Thu, 05 Oct 2006 14:51:25 GMT
Permalink: http://www.greghughes.net/rant/VistaAntipiracyFeaturesWillCrippleIllegitimateCopiesFinally.aspx
href="http://www.computerworld.com/blogs/blog">Computerworld Blogs blogs</a>:</cite> <a href="http://www.computerworld.com/blogs/node/3657">Vista's SPP: bastard child of WPA and WGA? (and geek wallets)</a> <li> <cite>Ed Bott / <a href="http://blogs.zdnet.com/Bott">Ed Bott's Microsoft Report</a>:</cite> <a href="http://blogs.zdnet.com/Bott/?p=148">For Vista, WGA gets tougher</a> </li> </ul> <div class="wlWriterSmartContent" id="0767317B-992E-4b12-91E0-4F059A8CECA8:7060227d-b18c-4ed0-9822-53485d8daa0b" contenteditable="false" style="padding-right: 0px; display: inline; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px">Technorati tags: <a href="http://technorati.com/tags/Vista" rel="tag">Vista</a>, <a href="http://technorati.com/tags/Piracy" rel="tag">Piracy</a>, <a href="http://technorati.com/tags/WSPP" rel="tag">WSPP</a>, <a href="http://technorati.com/tags/Windows" rel="tag">Windows</a>, <a href="http://technorati.com/tags/Microsoft" rel="tag">Microsoft</a> </div> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,efdabbdd-4987-4594-9a66-00e0131ad66d.aspx IT Security Safe Computing Tech Things that Suck
http://www.greghughes.net/rant/Trackback.aspx?guid=523b5f06-7bb7-49a1-84b3-38994ca60ba5 http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,523b5f06-7bb7-49a1-84b3-38994ca60ba5.aspx http://www.greghughes.net/rant/CommentView,guid,523b5f06-7bb7-49a1-84b3-38994ca60ba5.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=523b5f06-7bb7-49a1-84b3-38994ca60ba5

greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. Weakest link in the security chain? That's easy: The people. http://www.greghughes.net/rant/PermaLink,guid,523b5f06-7bb7-49a1-84b3-38994ca60ba5.aspx http://www.greghughes.net/rant/WeakestLinkInTheSecurityChainThatsEasyThePeople.aspx Tue, 03 Oct 2006 21:05:14 GMT <p> My job is all about catching bad guys, building great software to help do that, protecting information, and a variety of similar things. The company I work for builds software that somewhere around a third of the country uses in some manner to conduct financial transactions on the Internet, so the topic of security is important to me. </p> <p> I'm regularly participating these days in interviews with members of the media, and recently one resulting <a href="http://www.onwindows.com/article.asp?id=684" target="_blank">story was published that I thought did a nice job of covering the bases</a> regarding security in financial services and the human elements. What has to be recognized in order to succeed in this fight is that the user is not predictable, accountable or reliable. It's the truth, it's important to know, and it's a fact we have to plan for&nbsp;and design into our security models. </p> <p> Read the story here: <a href="http://www.onwindows.com/article.asp?id=684" target="_blank">Finance on Windows - "For Your Eyes Only"</a> </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,523b5f06-7bb7-49a1-84b3-38994ca60ba5.aspx IT Security Safe Computing Tech
http://www.greghughes.net/rant/Trackback.aspx?guid=a647f572-8b73-49d6-b458-a54e219db6c7 http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,a647f572-8b73-49d6-b458-a54e219db6c7.aspx http://www.greghughes.net/rant/CommentView,guid,a647f572-8b73-49d6-b458-a54e219db6c7.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=a647f572-8b73-49d6-b458-a54e219db6c7

greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. State of the Net: Over $8 billion lost in past two years http://www.greghughes.net/rant/PermaLink,guid,a647f572-8b73-49d6-b458-a54e219db6c7.aspx http://www.greghughes.net/rant/StateOfTheNetOver8BillionLostInPastTwoYears.aspx Wed, 09 Aug 2006 21:57:19 GMT <p> As proof that cyber-crime is real, Consumer Reports is out with their State of the Net survey. It's pretty much as bad as we all know. <a href="http://www.msnbc.msn.com/ID/14242897">From MSNBC</a>: </p> <blockquote dir="ltr" style="MARGIN-RIGHT: 0px"> <p> <em>"...American consumers lost more than $8 billion over the last two years to viruses, spyware and various schemes. </em> </p> <p> <em>" Additionally, it shows consumers face a 1-in-3 chance of becoming a cybervictim - about the same as last year."</em> </p> </blockquote> <p> Thing is, prevention is much less costly than reactively paying for damage already done. You want to prevent the guy from getting into your place? Or do you prefer to let him in but then keep him from walking out the door with your money? Or are you like most people, who are resigned to watching him walk out the door with the prize, throwing your hands up in the air, and blaming someone (anyone, really) else? </p> <p> How do we convince people, and what will it take? </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,a647f572-8b73-49d6-b458-a54e219db6c7.aspx IT Security Safe Computing Tech Things that Suck
http://www.greghughes.net/rant/Trackback.aspx?guid=30acceb4-aa74-48af-9862-cfff4dea6124 http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,30acceb4-aa74-48af-9862-cfff4dea6124.aspx http://www.greghughes.net/rant/CommentView,guid,30acceb4-aa74-48af-9862-cfff4dea6124.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=30acceb4-aa74-48af-9862-cfff4dea6124 1


greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. AOL screws the pooch - or at least about 650,000 of their own users http://www.greghughes.net/rant/PermaLink,guid,30acceb4-aa74-48af-9862-cfff4dea6124.aspx http://www.greghughes.net/rant/AOLScrewsThePoochOrAtLeastAbout650000OfTheirOwnUsers.aspx Mon, 07 Aug 2006 10:25:00 GMT <hr /> <p> <strong>UPDATE -</strong> <a href="http://news.com.com/2100-1030_3-6102793.html">AOL apologizes</a> (not as if it makes a difference at this point, though): </p> <blockquote dir="ltr" style="MARGIN-RIGHT: 0px"> <p> <em>"This was a screw-up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant," AOL, a unit of Time Warner, said in a statement. "Although there was no personally identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize. We've launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again."</em> </p> </blockquote> <hr /> <p> AOL, over on their research wiki site, on Sunday posted an article describing their release of search data collected for more than a half million AOL users over a three month period. They claimed the data was made "anonymous," and that it was being released for research reasons. Problem is, it's not anonymous enough. Each unique user was replaced with a unique random identifier. That means you can see everything that user 336072 searched for. What if someone examined everything <em>you</em> searched for over three months? Even without knowing your name explicitly, do you think they might be able to find out some interesting things? 
Have you ever done a <a href="http://www.urbandictionary.com/define.php?term=vanity+search">"vanity" search</a>? </p> <p> It's just not anonymous enough. I have a copy of the data that I downloaded before it was taken offline, and I've poked around in it a bit, so I know. Not only that, but spammers and search engine "optimizers" out there are going to have a field-freakin-day with this data. No, I won't share it with anyone else. It never should have been released in the first place, so I am not going to add fuel to the fire. </p> <p> Michael Arrington at TechCrunch wrote about it in his blog entry entitled "<a title="permanent link to aol proudly releases massive amounts of private data" href="http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/" rel=bookmark>AOL Proudly Releases Massive Amounts of Private Data</a>," and updated his post a couple times as AOL mysteriously removed the data file from the web, as well as the page announcing the availability. </p> <blockquote dir=ltr style="MARGIN-RIGHT: 0px"> <p> <a href="http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/">Arrington</a>: <em>"AOL must have missed the uproar over the DOJ's demand for "anonymized" search data last year that caused all sorts of pain for Microsoft and Google. That's the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users."</em> </p> </blockquote> <p> When you consider that AOL search is - get this one - actually Google's search with a different face on it, you can imagine what the emails and phone calls that went flying around between the two companies on Sunday afternoon might have sounded like. Ouch. </p> <p> Yeah, and <a href="http://www.zoliblog.com/blog/_archives/2006/8/6/2204969.html">so much for the privacy of AOL's users</a>. If you're an AOL user, is that what you signed up for, to be a guinea pig in AOL's poorly-planned foray into academia? 
I think not. This is identity theft just waiting to happen, that's what this is. Again <a href="http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/">from Arrington</a>: </p> <blockquote dir="ltr" style="MARGIN-RIGHT: 0px"> <p> <em>"The data includes personal names, addresses, social security numbers and everything else someone might type into a search box. The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless."</em> </p> </blockquote> <p> Google says "do no evil" and keeps this kind of data under wraps when challenged in federal court. AOL? Not so much. </p> <p> Any would-be AOL boycotters better be prepared, though. Last we checked, you <a href="http://www.youtube.com/watch?v=xIVZ9b0RgmY">can't even cancel your account</a> at AOL without being put through the wringer. Several years ago when I canceled mine it was a several-months-long experience before I was able to decipher enough to get the billing truly stopped. Coming and going, that's how they get ya in Dulles... There's a reason PC Magazine ranked AOL "<a href="http://www.pcworld.com/article/125772-2/article.html">Number One</a>" in a list of things you'd really rather not be on... </p> <p class="zoundry_bw_tags"> <!-- Tag links generated by Zoundry Blog Writer. Do not manually edit. 
http://www.zoundry.com --><span class=ztags><span class=ztagspace>Technorati</span> : <a class=ztag href="http://technorati.com/tag/AOL" rel=tag>AOL</a>, <a class=ztag href="http://technorati.com/tag/privacy" rel=tag>privacy</a>, <a class=ztag href="http://technorati.com/tag/private%20data" rel=tag>private data</a>, <a class=ztag href="http://technorati.com/tag/release" rel=tag>release</a></span> </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,30acceb4-aa74-48af-9862-cfff4dea6124.aspx IT Security Safe Computing Tech Things that Suck
http://www.greghughes.net/rant/Trackback.aspx?guid=6978874b-7479-40b1-aa1a-cd14b0508568 http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,6978874b-7479-40b1-aa1a-cd14b0508568.aspx http://www.greghughes.net/rant/CommentView,guid,6978874b-7479-40b1-aa1a-cd14b0508568.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=6978874b-7479-40b1-aa1a-cd14b0508568

greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License. US Senate ratifies cybercrime treaty http://www.greghughes.net/rant/PermaLink,guid,6978874b-7479-40b1-aa1a-cd14b0508568.aspx http://www.greghughes.net/rant/USSenateRatifiesCybercrimeTreaty.aspx Sat, 05 Aug 2006 21:57:00 GMT <p> The U.S. Senate on Thursday ratified the first and only international treaty designed exclusively to combat computer crime. You can <a href="http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm">read the full text of the Council of Europe Convention on Cybercrime here</a>. </p> <p> What does this mean? Well, a lot of things. But all told, it means law enforcement officials from around the world will have a more agile, speedier, and more capable framework for cooperating in combating bad guys that are out to hurt others on the Internet. For those of us working to stop bad guys, it makes doing so more possible and can help remove some barriers that tend to get in the way. For those of us in the United States, the provisions are not really anything new. But for other countries that ratify, it means a much enhanced ability to work together. </p> <p> The Senate did not consider an optional provision of the convention that deals with combating Internet hate speech, which would likely have run afoul of the First Amendment to the U.S. Constitution. </p> <p> Summary of the Senate activity is in an article <a href="http://news.com.com/2100-7348_3-6102354.html">at news.com</a>. </p> <p class="zoundry_bw_tags"> <!-- Tag links generated by Zoundry Blog Writer. Do not manually edit. 
http://www.zoundry.com --> <span class="ztags"><span class="ztagspace">Technorati</span> : <a href="http://technorati.com/tag/cybercrime" class="ztag" rel="tag">cybercrime</a>, <a href="http://technorati.com/tag/fraud" class="ztag" rel="tag">fraud</a>, <a href="http://technorati.com/tag/treaty" class="ztag" rel="tag">treaty</a></span> </p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,6978874b-7479-40b1-aa1a-cd14b0508568.aspx IT Security Safe Computing Tech
http://www.greghughes.net/rant/Trackback.aspx?guid=2b6bc592-1e47-4df3-8a9d-c1932be8a53e http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,2b6bc592-1e47-4df3-8a9d-c1932be8a53e.aspx http://www.greghughes.net/rant/CommentView,guid,2b6bc592-1e47-4df3-8a9d-c1932be8a53e.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=2b6bc592-1e47-4df3-8a9d-c1932be8a53e

Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.

You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - Rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.

The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you to think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.

You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that requests information from you. The emails typically say something has happened to your account or that they're verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?), the bad guys win and come out ahead - big time.

Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.

You get the picture.

So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.

We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.

There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.

For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?

Do you have any idea who the bad guys are?

That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.



greghughes.net weblog - copyright 2009 - licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc-sa/2.0/).
Let's talk about Phishing Scams - more devious than you probably know http://www.greghughes.net/rant/PermaLink,guid,2b6bc592-1e47-4df3-8a9d-c1932be8a53e.aspx Sat, 29 Jul 2006 06:04:12 GMT

Looks like a new variant of an old virus is making the rounds.

I got an email tonight in my personal email account that pretended to be from Microsoft and which contained a virus in an attached ZIP file. The attachment was called "Microsoft SMS Manager.zip" and contains two files - which are packaged as a .JPG file and a .HTA file. The JPG file is actually the infected binary and the HTA file is a real HTA with malicious content to call the binary and perform some other actions. The email came from an IP at an ISP located in Asia.

Of course I didn't get infected, because I saw it as obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed the virus infection with Symantec's AV software client on the local machine.

Here is the info about the infected contents of the ZIP file (specifically the JPG file):

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: W32.Gavgent.A
File:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip\Product.jpg
Location:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip
Computer:  *******
User:  *******
Action taken:  Delete succeeded : Access denied
Date found: Saturday, July 08, 2006  11:22:31 PM

If the AV software is correct and it's actually a W32.Gavgent.A virus in this file, this is an older worm (1995) that was not too prevalent at the time. The dates on the files in the ZIP are 8/2005, so it's entirely possible this is a reuse of an older virus. The HTA file in the package is an actual HTA file, and it references "Gavgent.B" in its contents, so it's likely this is a repackaging of the Gavgent.A variant. At this time, there is no reference to Gavgent.B at Symantec Security Response (http://securityresponse.symantec.com/). Luckily the old Gavgent.A variant is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the microsoft.com site with some extra arguments on the query string.

<HTA:APPLICATION ID="GavGent.B-ID"
    APPLICATIONNAME="GavGent.B"
    CAPTION="Microsoft SMS Manager"
    SHOWINTASKBAR="yes"
    SYSMENU="yes"
    WINDOWSTATE="maximize">

This virus does the classic network worm thing and collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available in Symantec's write-up: http://securityresponse.symantec.com/avcenter/venc/data/w32.gavgent.a.html
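The package described above relies on two tricks a mail gateway can catch mechanically: a Windows executable renamed to .jpg, and an .hta launcher riding along in the same ZIP. Here is an added example (mine, not code from the post or from Symantec) that inspects an attachment archive for exactly those two signs; the ZIP it builds is a constructed stand-in with harmless bytes, not the real sample.

```python
"""
Added example: inspect a ZIP attachment for an executable hiding behind an
image extension and for HTA/script launchers, the two ingredients of the
"Microsoft SMS Manager.zip" package described in the post. All names and
bytes used for the sample archive are constructed, not the real malware.
"""
import io
import zipfile

# Magic numbers for the extensions we validate (constructed lookup table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header
# Extensions Windows hands straight to a loader or script host.
ACTIVE_EXTENSIONS = {"hta", "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return findings for one archive member; an empty list means nothing odd."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ACTIVE_EXTENSIONS:
        findings.append(f"{name}: active content ({ext}) inside an attachment archive")
    if head.startswith(PE_MAGIC) and ext not in ACTIVE_EXTENSIONS:
        # The post's Product.jpg is this case: a binary wearing an image extension.
        findings.append(f"{name}: PE executable disguised with .{ext} extension")
    expected = SIGNATURES.get(ext)
    if expected and not any(head.startswith(sig) for sig in expected):
        findings.append(f"{name}: content does not match .{ext} signature")
    if b"<HTA:APPLICATION" in head.upper():
        findings.append(f"{name}: contains an HTA:APPLICATION header")
    return findings


def scan_attachment(zip_bytes: bytes) -> list[str]:
    """Walk every file in the archive, reading only the first 4 KiB of each."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)
            findings.extend(classify_member(info.filename, head))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: an 'MZ' stub named Product.jpg
    plus an HTA whose header mirrors the one quoted in the post."""
    hta = (
        b'<HTA:APPLICATION ID="GavGent.B-ID"\n'
        b'    APPLICATIONNAME="GavGent.B"\n'
        b'    CAPTION="Microsoft SMS Manager">\n'
        b"<script language='VBScript'>' placeholder comment, no payload</script>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Product.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # inert fake PE stub
        zf.writestr("Microsoft SMS Manager.hta", hta)
        zf.writestr("readme.txt", b"plain text file for contrast")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_attachment(build_sample_zip()):
        print(line)
```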

The original email I received is below. The subject line was "SMS Manager from Microsoft."

Developer@microsoft.com wrote:

Dear Customer, This email provides you information about new product from Microsoft Corporation, called Microsoft SMS Manager. These product would help your activities, you can send and receive SMS messages through your PC with no charge before December 31, 2005 (trial period). It's compatible with most of GSM and CDMA operators. The Installation's document is attached (Microsoft SMS Manager.zip). For further informations, please contact support@microsoft.com

Best Regards,
---------------------------------------------------------------------
Microsoft Corporation
http://www.microsoft.com


Virus via email pretends it's from Microsoft - watch out for it http://www.greghughes.net/rant/PermaLink,guid,52b6a2ca-9012-4551-8a89-d930858f57cf.aspx Sun, 09 Jul 2006 06:58:17 GMT

The headline (http://news.com.com/2100-1029_3-6072594.html) reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's News.com (http://news.com.com/2100-1029_3-6072594.html):

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even if a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.

Period.



Visa and Mastercard prepare to take one giant step backward - and your identity will be at risk http://www.greghughes.net/rant/PermaLink,guid,18739897-b0fc-41b0-8b03-d6c6703f2f9e.aspx Sun, 02 Jul 2006 00:05:10 GMT
http://www.greghughes.net/rant/Trackback.aspx?guid=6e6f3388-3d70-4ee7-81e5-0567d04d3a6c http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,6e6f3388-3d70-4ee7-81e5-0567d04d3a6c.aspx http://www.greghughes.net/rant/CommentView,guid,6e6f3388-3d70-4ee7-81e5-0567d04d3a6c.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=6e6f3388-3d70-4ee7-81e5-0567d04d3a6c 3 Identity Theft - A list of data breaches, why I'm shocked and angry, and why you should be, too... http://www.greghughes.net/rant/PermaLink,guid,6e6f3388-3d70-4ee7-81e5-0567d04d3a6c.aspx http://www.greghughes.net/rant/IdentityTheftAListOfDataBreachesWhyImShockedAndAngryAndWhyYouShouldBeToo.aspx Tue, 06 Jun 2006 06:06:00 GMT <p> A coworker <a href="http://www.wired.com/news/wireservice/0,71079-0.html?tw=wn_index_15">sent me a link to a news article</a> today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst &amp; Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen. </p> <p> So now, <em>thousands</em> of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, <em>my name is certainly on that list</em>. </p> <p> Up until today I was frustrated to no end with these events. </p> <p> Now it's personal. Now I'm <em>angry</em>. </p> <p> And get this: The theft occurred in February and Ernst &amp; Young didn't notify Hotels.com until <em>the first week of May</em>. What??? And on top of <em>that</em>, customers were not notified until a few days ago. You've got to be kidding me... 
</p> <p> <em><strong>This post contains some useful&nbsp;information about data breaches,&nbsp;packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions.</strong> As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.</em> </p> <p> There's a major attitude problem - let's call it a lackadaisical mentality -&nbsp;out there and it's <em>high time someone did something about it</em>. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved. </p> <p> The Privacy Rights Clearinghouse maintains <a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm">an online chronology of data breaches</a> with descriptions of each event, outlining any known data breaches that have occurred since February, 2005. </p> <p> All told, as of the time I write this, there are <strong>84,797,096</strong> individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have <em>not</em> been reported. Ugh, it's depressing. It's also ridiculous. </p> <p> What bothers me the most is how often the term "stolen laptop" shows up in the list. What <em>in the world</em> are people doing with sensitive information stored on computers that can <em>walk out the doors</em> of all of these heavily regulated companies and institutions? It's insane from a security management perspective. 
</p> <p> But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and&nbsp;credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example. </p> <p> BS 7799-2:2002 (the "BS" stands for "British Standard") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is essentially BS 7799-2:2002 in updated form. It's also related to ISO/IEC 17799, since we're throwing around fancy names: 17799 is the companion code of practice that catalogs the security controls, while 27001 specifies the management system itself and is the one an organization can actually be certified against. Ultimately it's all the same body of work, just renamed and reassigned. The 27001&nbsp;standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems. It is used to build and evaluate a company's security management framework, and it is the most widely recognized international standard for security management. </p> <p> If a company doesn't have a security management framework in place, not only is it unaware of what's happening within its own walls, it doesn't really know whether or not&nbsp;it knows much of anything. Yeah, that's confusing. What you <em>don't know</em> is what will most likely kill you. Either way, it's <em>negligent</em> in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an overarching management framework to ensure all the bases are covered. </p> <p> Did he say "negligent?" <em>Yes, negligent.</em> And I mean it. </p> <p> It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we <em>live</em> it), but it's <em>not</em> rocket science and for gosh sakes, IT'S IMPORTANT. 
And it's not about the actual certificate, it's about all the things that go into the process of&nbsp;getting the certificate and keeping it. </p> <p> So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think&nbsp;have this important and recognized certification? </p> <p> Be prepared to be disappointed. Especially when compared to the number of certified organizations&nbsp;in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic. </p> <p> Of the 2600+ organizations on the certificate register, there are only&nbsp;<em>seven</em>&nbsp;(yes, that's "7") companies or organizations <em>in the entire United States</em> certified under ISO 27001, and only 39 have been certified in the US&nbsp;under BS 7799-2 and ISO 27001 <em>combined</em>. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice. </p> <p> This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions&nbsp;of companies, agencies, or various other entities. I've left off most of the countries that have only one certified organization to save space. 
</p> <table border="1" cellpadding="4" cellspacing="0"> <thead> <tr> <th>Country</th> <th>Certified orgs</th> <th>Country</th> <th>Certified orgs</th> <th>Country</th> <th>Certified orgs</th> </tr> </thead> <tbody> <tr> <td>Japan</td> <td>1602</td> <td>Brazil</td> <td>9</td> <td>Slovenia</td> <td>2</td> </tr> <tr> <td>UK</td> <td>244</td> <td>Sweden</td> <td>8</td> <td>South Africa</td> <td>2</td> </tr> <tr> <td>India</td> <td>186</td> <td>Spain</td> <td>7</td> <td>Armenia</td> <td>1</td> </tr> <tr> <td>Taiwan</td> <td>92</td> <td>Turkey</td> <td>7</td> <td>Bahrain</td> <td>1</td> </tr> <tr> <td>Germany</td> <td>57</td> <td>Iceland</td> <td>6</td> <td>Chile</td> <td>1</td> </tr> <tr> <td>Italy</td> <td>42</td> <td>Greece</td> <td>5</td> <td>Egypt</td> <td>1</td> </tr> <tr> <td><strong>USA</strong></td> <td><strong>39</strong></td> <td>Kuwait</td> <td>4</td> <td>Lebanon</td> <td>1</td> </tr> </tbody> </table> <p> And of the&nbsp;US companies, agencies and organizations on that list,&nbsp;<em>only one</em> of them is a bank (and even then the scope is only the information security team's component of the business). <em>None</em> of them are credit unions. 
<em>None</em> of them are insurance companies. <em>None</em> of them are health care providers. <em>One</em> of them is a university. <em>A couple</em> are government agencies - and not the same ones that have been in the news lately, that's for sure. </p> <p> If you think about it (or search for it, for that matter), how often do you hear about information disclosure <em>outside</em> the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder,&nbsp;that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well.&nbsp; </p> <p> The fact of the matter is that overall,&nbsp;companies and institutions in the US don't take security nearly seriously enough. </p> <p> So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends. </p> <p> What to do? To start, if you do business with <em>any company that handles sensitive individual data</em>, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases&nbsp;- it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know <em>specifically</em> what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow? </p> <p> Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. 
Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes. </p> <p> Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort.&nbsp;I'm not kidding here.&nbsp;And yes -&nbsp;it can be done. </p> <p> Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change. 
</p> <br /> <hr /> <font size="1">greghughes.net weblog - copyright 2009 - licensed under a <a href="http://creativecommons.org/licenses/by-nc-sa/2.0/">Creative Commons License</a>.</font> http://www.greghughes.net/rant/CommentView,guid,6e6f3388-3d70-4ee7-81e5-0567d04d3a6c.aspx IT Security Safe Computing Things that Suck http://www.greghughes.net/rant/Trackback.aspx?guid=80745eda-52f2-4996-8b2a-d4970c7d7d69 http://www.greghughes.net/rant/pingback.aspx http://www.greghughes.net/rant/PermaLink,guid,80745eda-52f2-4996-8b2a-d4970c7d7d69.aspx http://www.greghughes.net/rant/CommentView,guid,80745eda-52f2-4996-8b2a-d4970c7d7d69.aspx http://www.greghughes.net/rant/SyndicationService.asmx/GetEntryCommentsRss?guid=80745eda-52f2-4996-8b2a-d4970c7d7d69 1

Got Firefox? Thunderbird? Update it or face security issues
Thu, 20 Apr 2006 01:22:41 GMT
http://www.greghughes.net/rant/GotFirefoxThunderbirdUpdateItOrFaceSecurityIssues.aspx

If you run Firefox (or other Mozilla software based on the same codebase, like Thunderbird) and have not upgraded it to the latest version (the latest Firefox - 1.5.0.2 - was released just last week), CERT says you really really need to.

From ZDNET (http://news.zdnet.com/2100-9588_22-6062713.html?tag=nl.e589):

"CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.

"Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.

"Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks, and bypass security restrictions.

"One error that occurs in Firefox would allow arbitrary JavaScript code to be injected into Web pages as they load."

Users of Firefox can typically just click on the Firefox "Help" drop-down menu and then choose the "Check for Updates" option to see if they are running the latest version. If your version of Firefox does not have this option, you know you're way out of date and you should visit http://getfirefox.com right now and download the newest version ASAP.

Also, of use to corporate IT people is the Firefox Community Edition package from FrontMotion (see http://www.greghughes.net/rant/usewindowsmsisandactivedirectoryadmtemplatesforbusinessdeploymentandcontroloffirefox.aspx), which includes features to do MSI installs and leverage associated Active Directory ADM files to manage Group Policy security functionality in Windows domains. Companies using this package can apply the patched versions in an automated, simpler and more reliable fashion. Larger organizations that don't use such a package have to deal with either a more complicated update process or reliance on end users to perform the updates - which is never 100% successful, even in the smallest shops. Version-wise, it's important to note that FrontMotion's MSI installers tend to lag a bit behind the official Firefox releases (when a new Firefox release is issued, the FrontMotion crew uses it to create the new MSI installers and ADM files), so keep this in mind when deciding how to deploy.
Windows Defender released as beta-two version
Sun, 19 Feb 2006 21:46:39 GMT
http://www.greghughes.net/rant/WindowsDefenderReleasedAsBetatwoVersion.aspx

On Friday Microsoft released the latest version of their anti-malware product, which is now called Windows® Defender (Beta 2) (http://www.microsoft.com/athome/security/spyware/software/default.mspx). This software replaces the product formerly known as Microsoft Antispyware. There are both 32- and 64-bit versions available to download.

I've installed it and it runs just fine, but I get an error when it tries to update itself with the latest detection signatures. I'll try a reboot and see what happens a little later on. Hopefully that will help.

The new UI is nicely done, and I like the fact that you don't have to be an administrator to run Defender.

Defender information on Microsoft.com:
- Windows Defender home: http://www.microsoft.com/athome/security/spyware/software/default.mspx
- Product information: http://www.microsoft.com/athome/security/spyware/software/about/default.mspx
  - Beta overview: http://www.microsoft.com/athome/security/spyware/software/about/overview.mspx
  - FAQ: http://www.microsoft.com/athome/security/spyware/software/about/faq.mspx
  - System requirements: http://www.microsoft.com/athome/security/spyware/software/about/sysreq.mspx
  - Release notes: http://www.microsoft.com/athome/security/spyware/software/about/releasenotes.mspx
- Support and training: http://www.microsoft.com/athome/security/spyware/software/support/default.mspx
  - Getting started: http://www.microsoft.com/athome/security/spyware/software/support/howto/default.mspx
  - Beyond basics: http://www.microsoft.com/athome/security/spyware/software/support/howto/beyondbasics.mspx
- Resources for software vendors: http://www.microsoft.com/athome/security/spyware/software/isv/default.mspx
- Microsoft's focus on spyware: http://www.microsoft.com/athome/security/spyware/software/msft/default.mspx

From the Windows Defender download site (http://www.microsoft.com/downloads/details.aspx?familyid=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en):

"Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

"This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft's growing understanding of the spyware landscape.

"Specific features of Windows Defender Beta 2 include:

- A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.
- Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.
- Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.
- Support for 64-bit platforms, accessibility and localization – Windows Defender Beta 2 also adds support for accessibility and 64-bit platforms. Microsoft also plans to release German and Japanese localized versions of Windows Defender Beta 2 soon after the availability of the English versions. Use WindowsDefenderX64.msi for 64-bit platforms."

Applying the Principle of Least Privilege to User Accounts on Windows XP
Sat, 28 Jan 2006 17:51:48 GMT
http://www.greghughes.net/rant/ApplyingThePrincipleOfLeastPrivilegeToUserAccountsOnWindowsXP.aspx

Published just this month, an important whitepaper is now available (http://go.microsoft.com/fwlink/?linkid=58446) that provides authoritative information about applying the "don't run as admin" concept in the real world.

Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.

Users will download and install software they're not supposed to. Policies don't solve technology problems; rather, they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to produce safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or does any one of a thousand other bad things.

People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operational and implementation security. Period.

People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.

But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.

So... What's the problem we're trying to solve? From the paper:

"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."

The least-privileged user model belongs to a layered, defense-in-depth style of security. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: if all computer users already ran with least-privileged accounts, the incidence of malware (spyware, adware, etc.) would be significantly lower. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.

"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.

"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."

Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other places where people have liberal privileges in order to provide ultimate flexibility in their development and design world.

I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject (http://www.microsoft.com/technet/windowsvista/security/uac.mspx), and be sure to read and subscribe to the UAC Team Blog (http://blogs.msdn.com/uac/).

I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.

Description and summary of the whitepaper from the Microsoft download page (http://go.microsoft.com/fwlink/?linkid=58446):

"This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:

- Risks associated with administrative privileges
- Definition of the principle of least privilege
- Definition of the least-privileged user account (LUA) approach
- Benefits of the LUA approach
- Risk, security, usability, and cost tradeoffs
- Implementing the LUA approach
- Future developments

"This paper also describes at a high level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail."

Q&A with Microsoft VP of Security Mike Nash - On Slashdot
Fri, 27 Jan 2006 04:50:06 GMT
http://www.greghughes.net/rant/QAWithMicrosoftVPOfSecurityMikeNashOnSlashdot.aspx

Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers (http://interviews.slashdot.org/interviews/06/01/26/131246.shtml). The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.

Nash covers a broad range of important topics and addresses many, many issues. Click on over to read, but here are a couple of very brief excerpts.

On code security and secure code review processes:

"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could overrun a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."

And on the cultural challenges of prioritizing security:

"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."

If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read (http://interviews.slashdot.org/interviews/06/01/26/131246.shtml).

As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at the Washington Post, http://blogs.washingtonpost.com/securityfix/2006/01/windows_feature.html) has been paid in the last couple of days to what has been misleadingly described in some places as a "flaw" in the Windows wireless networking functionality. In reality, that's not quite the case. Rather, the potential problem (which some might argue is actually a feature) comes from an understood, standard computer configuration (some would say "as-designed") that follows the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927, http://www.rfc-archive.org/getrfc.php?rfc=3927 - see section 5, Security Considerations). The authors of the spec even noted the potential risks and discussed the importance of taking that risk into consideration in design and deployment:

"The use of IPv4 Link-Local Addresses may open a network host to new attacks.  In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks.  By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)

Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.

The problem has to do with the fact that when your wireless card can't find a network to associate with, the last wireless network name (SSID) you successfully connected to is reused: the adapter comes up under that name in peer-to-peer (ad hoc) mode and gets the generic link-local address that Windows assigns itself when no DHCP server answers (an address in 169.254.0.0/16, the block RFC 3927 sets aside for this). Someone within radio range who brings up an ad hoc network with that same name gets an address in the same block, and if they know what they're doing they can then try to connect to your computer across that link. Yeah, it's technical, but it's not too hard to protect yourself.

The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall that controls access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent, properly configured firewall. If you block unsolicited incoming traffic with the firewall, then who else happens to share the wireless link with you is nowhere near as big of a deal.

On the technical side, there are a couple of things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the wireless adapter in Windows to allow only infrastructure connections (to access points) and not ad hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer, by the user or an administrator) or in a more automated fashion across a security domain (see below).

On a Windows computer, you can also get all geeked out (this is a more technical step) and disable the feature that automatically assigns the generic link-local IP address when no DHCP server answers (this auto-assign feature is usually referred to as APIPA, Automatic Private IP Addressing - see this page for details on disabling it if interested: http://www.petri.co.il/disable_apipa_in_windows_2000_xp_2003.htm - but use at your own risk, it involves editing the registry: the IPAutoconfigurationEnabled DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, set to 0). It's this common and predictable IP address space (169.254.0.0/16, with the host picking an address between 169.254.1.0 and 169.254.254.255) that could potentially allow someone else to try to snoop into your computer, if you had none of the other standard protections - like firewalls and directory security - in place.
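As an added example (not code from the original post), here is the APIPA step above as an audit-then-harden script rather than a hand edit in regedit. It lists any adapter that is currently sitting on a 169.254.x.x address, shows whether automatic private addressing is on machine-wide and per adapter, and turns it off either way. It assumes Windows 8 / Server 2012 or later for the Get-NetIPAddress and Get-NetAdapter cmdlets (the XP systems the post was written for lack them, but the registry value is the same one the post refers to); the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumes Windows 8 / Server 2012 or
# later for the NetTCPIP cmdlets; the registry value is the one the post refers to.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-LinkLocalAddress {
    # An IPv4 address inside 169.254.0.0/16 means no DHCP lease was obtained and
    # the host self-configured into the predictable RFC 3927 range.
    Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -like '169.254.*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

function Get-ApipaState {
    # IPAutoconfigurationEnabled: 0 = off; 1 or absent = on (the Windows default).
    # The value under Tcpip\Parameters applies to every adapter; the same value
    # under Tcpip\Parameters\Interfaces\{adapter GUID} applies to one adapter.
    $g = Get-ItemProperty -Path $TcpipParams -Name IPAutoconfigurationEnabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope        = '(all adapters)'
        ApipaEnabled = ($null -eq $g -or $g.IPAutoconfigurationEnabled -ne 0)
    }
    foreach ($a in Get-NetAdapter -Physical) {
        $key = Join-Path $TcpipParams "Interfaces\$($a.InterfaceGuid)"
        $v = Get-ItemProperty -Path $key -Name IPAutoconfigurationEnabled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope        = $a.Name
            ApipaEnabled = ($null -eq $v -or $v.IPAutoconfigurationEnabled -ne 0)
        }
    }
}

function Disable-Apipa {
    # Without -AdapterName the machine-wide value is written (reboot to apply);
    # with it, the per-adapter value is written and that adapter is restarted.
    # Afterwards an adapter that gets no DHCP lease has no IPv4 address at all,
    # which is the intent: nothing for a link-local neighbour to reach.
    param([string[]] $AdapterName)
    if (-not $AdapterName) {
        New-ItemProperty -Path $TcpipParams -Name IPAutoconfigurationEnabled `
            -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Warning 'Machine-wide APIPA setting changed; reboot for it to take effect.'
        return
    }
    foreach ($name in $AdapterName) {
        $a   = Get-NetAdapter -Name $name
        $key = Join-Path $TcpipParams "Interfaces\$($a.InterfaceGuid)"
        New-ItemProperty -Path $key -Name IPAutoconfigurationEnabled `
            -PropertyType DWord -Value 0 -Force | Out-Null
        Restart-NetAdapter -Name $name -Confirm:$false
    }
}

# Audit first; the change is opt-in.
Get-LinkLocalAddress | Format-Table -AutoSize
Get-ApipaState       | Format-Table -AutoSize
# Disable-Apipa -AdapterName 'Wi-Fi'     # one adapter (name from Get-NetAdapter)
# Disable-Apipa                          # every adapter
```

Run it once to see where you stand, then uncomment the Disable-Apipa call you want. The per-adapter form is the gentler one for a laptop: it leaves wired adapters alone and bounces only the wireless card so the change applies without a reboot. Keep in mind what the RFC passage quoted above implies: with APIPA off, a card that finds no DHCP server has no IPv4 address and no IP-based exposure, which is exactly the pre-link-local state the spec authors describe.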

An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:

Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies

You'll notice there's nothing listed in that section by default. That's because you have to create your own policy if you want to take advantage of the features available. To do so, right-click in the empty space and choose to create a new wireless policy. You'll give it a friendly name, and the wizard will walk you through the steps required to set up your new policy. On the properties page (see the screenshot below), you'll note an option to specify the network types to which you want to allow access. Choose "Access point (infrastructure) networks only." Note that selecting this restricts every computer the policy is applied to to access point networks (so wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).

[Screenshot: create_wireless_policy.png - the properties page of the new wireless policy - http://www.greghughes.net/images/create_wireless_policy.png]

Some companies use these settings to ensure the only wireless networks that business computers access are ones that are pre-approved, but that means a tradeoff between security and convenience, and road warriors often desire and need to use public access points for any of a number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.

Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.

For example, let's go back to enabling the software firewall on your computer - whether it's the Windows Firewall that is part of Windows XP SP2, or a third-party firewall from a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps to ensure access to your computer is protected even if the wireless connection is "open." Layering protections means no single setting has to be perfect for the problems to be kept out, and it also gives you a way to temporarily relax any one layer when needed in order to accomplish a specific task.
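As an added example (not code from the original post), the other two layers described above - no ad hoc networks, and a firewall that drops unsolicited inbound traffic - applied on a single machine, plus a report that shows the state of all three layers so you can check before and after. The ad hoc filter is the per-machine equivalent of the "Access point (infrastructure) networks only" wireless policy above; the Group Policy route remains the right one for a domain. It assumes Windows 8 / Server 2012 or later for netsh wlan and the NetSecurity cmdlets (XP SP2's own firewall is configured with the older netsh firewall context instead); the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Applies the other two layers the
# post describes (no ad hoc networks, inbound blocked by default) on one machine;
# the Group Policy wireless policy is the domain-wide equivalent of the first.
# Assumes Windows 8 / Server 2012 or later for netsh wlan and the NetSecurity cmdlets.

function Block-AdHocNetworks {
    # A system-level "denyall" filter for the adhoc network type. Infrastructure
    # (access point) networks are untouched, which is the same restriction as
    # "Access point (infrastructure) networks only" in the wireless policy.
    & netsh.exe wlan add filter permission=denyall networktype=adhoc
    & netsh.exe wlan show filters
}

function Set-InboundDefaultBlock {
    # Every profile on, unsolicited inbound dropped. Explicit allow rules still
    # work; anything else listening is unreachable from a link-local neighbour.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

function Test-InboundDefaultBlock {
    # $true only when every profile is enabled and blocks inbound by default.
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    return ($null -eq $bad)
}

function Get-WirelessHardeningReport {
    # One object with the state of each layer, to run before and after a change.
    $linkLocal = @(Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                   Where-Object { $_.IPAddress -like '169.254.*' })
    $wlan = (& netsh.exe wlan show interfaces) -join "`n"
    [pscustomobject]@{
        FirewallInboundBlocked = Test-InboundDefaultBlock
        LinkLocalAddresses     = @($linkLocal | ForEach-Object { $_.IPAddress })
        AdHocAssociation       = [bool]($wlan -match 'Network type\s*:\s*Ad ?hoc')
    }
}

Get-WirelessHardeningReport
# Block-AdHocNetworks
# Set-InboundDefaultBlock
```

The report is the part worth keeping around: a machine that shows FirewallInboundBlocked of False together with a 169.254.x.x address is in precisely the exposed state the post describes. The netsh filter is a local, persistent setting (netsh wlan show filters lists it; netsh wlan delete filter with the same arguments removes it), so it's the right tool for a stand-alone laptop and the wrong one for a fleet, where the wireless policy above keeps the decision in one place.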



WiFi configuration matters - options to protect your computer from bad guys
http://www.greghughes.net/rant/PermaLink,guid,f2cb61ea-e850-41a7-9403-8d2e1c11df39.aspx
Sun, 15 Jan 2006 20:35:14 GMT
Categories: IT Security, Safe Computing, Tech

A patch for the truly nasty WMF vulnerability on all versions of Windows has just been pushed out by Microsoft as an extra, out-of-band release ahead of the regular monthly cycle. It is described in Security Bulletin MS06-001 (http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx). It's available for your WSUS server and from Microsoft Update, or you can download it from the links on the security bulletin page.

"This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note: This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

This is a huge one - super critical, as there are many exploits in the wild that are actively taking advantage of this vulnerability. UPDATE NOW!



Microsoft Security Bulletin MS06-001 - Critical patch released to fix WMF vulnerability
http://www.greghughes.net/rant/PermaLink,guid,66a79c25-2581-4494-8224-c5bdc4cadd61.aspx
Thu, 05 Jan 2006 22:01:32 GMT
Categories: IT Security, Safe Computing, Tech