Deb Shinder's MS Security blog
9/9/2006 New Blog Space

For whatever reason, when I try to post to this blog now (since the switch from MSN Spaces to Live Spaces) via email or Windows Live Writer, a lot of annoying formatting code appears at the beginning of the post. That's just not acceptable, so I've created a brand new blog, where this doesn't happen.
For my new posts, see http://deb-tech.spaces.live.com. There you won't have to contend with this problem. And thanks for reading!

9/1/2006 What's going on with my Live Spaces blog?

Suddenly I’m seeing a bunch of formatting information at the top of each blog post. This is NOT a good thing. This wasn’t happening with MSN Spaces, but occurred with the switch to Live Spaces.
Come on, Microsoft, let’s clean this up. I don’t like it.

Vista Price Leak: If only my electric bill had gone up the same percentage as my operating system

Amazon’s pre-order prices for Microsoft’s Vista operating system became common knowledge when Ed Bott posted them on his ZDNet blog on August 28th. You can see that post here: http://blogs.zdnet.com/Bott/?p=125.
The prices may or may not be accurate, but the post resulted in much discussion in the forums. Many pundits seized on the highest price point, $399 for Vista Ultimate Edition, ignoring the fact that Home Basic is listed at the same price as XP Home and Business Edition at the same price as XP Pro.
I only wish my electric company and corner gas station followed the same pricing model as Microsoft (keeping the same price for the comparable product). Instead, I’m paying more than three times as much for electricity this summer as I did in 2001 when XP was released, and twice as much for gasoline.

5/9/2006 Outlook wish list

As with many people who get a lot of email and conduct most of their business that way, for me Outlook is the interface – at least, insofar as I can make it.
Keeping most of my important information on the Exchange server, in the form of mail messages, notes, attachments, etc. makes it easy to access from anywhere and the folder structure makes it easy to organize. But it could be better.
Today I’m wishing that Outlook would allow me to create a note in any Outlook folder. Why must a folder be limited to only one type of item (for instance, mail)? Yes, I know I can create a new note in the Notes folder and then drag it into a mail folder, but then it becomes a message. Why can’t I have a folder named Microsoft where I can store not only mail messages from/about MS, but also notes, task lists and calendars related to Microsoft projects? Or is there already a way to do this and I just haven’t discovered it? If so, someone please write and let me know.
That’s my Outlook wish list item for the day.

5/1/2006 Security is not just a Microsoft issue

Few days go by without someone writing to me and saying that Microsoft’s security efforts are “a joke.” Almost daily I encounter articles by tech columnists recommending that we all use Linux or Macintosh, run non-Microsoft applications, use an alternative browser, and so forth “for better security.”
Meanwhile:
On April 18, Oracle ships a patch update to fix thirty-six security vulnerabilities (http://www.eweek.com/article2/0,1895,1950801,00.asp)
On April 21, Yahoo News ran a story from TechWeb.com citing Kaspersky Labs’ analysis showing the number of malware threats against Linux doubled in 2005 (http://news.yahoo.com/s/cmp/20060422/tc_cmp/186500718)
On April 29, Mozilla rushes out an update to Firefox to address its latest vulnerability soon after InformationWeek reports a zero day bug that could crash the browser and possibly be used to introduce malware (http://www.informationweek.com/news/showArticle.jhtml?articleID=186700930&subSection=All+Stories)
On May 1, Physorg.com reports that the SANS Institute warns in its updated list of Top 20 Internet Security Vulnerabilities that hackers and virus writers are increasingly targeting the Mac OS (http://www.physorg.com/news65707489.html)
Sure, virus writers, spyware distributors and hackers and attackers still focus mostly on Windows. Well, why wouldn’t they? According to most reports, Windows still has around 90% of the operating system market share. Add to that the fact that a large proportion of hackers subscribe to the anti-Microsoft philosophy, and it’s inevitable that there will be far more of them writing their malware specifically for Microsoft products. After all, who’s destined to be the target of more wacko would-be assassins, the president of the U.S. (whomever that may be at the moment) or Joe Smith down the street who’s known only to a handful of people?
Even with all these reasons for the bad guys to concentrate only on Windows and Microsoft apps, though, they’re getting bored with that and reaching out to touch other systems. The point is that you can’t escape security problems just by using non-Microsoft products. Their security problems may get more publicity, but the false sense of security you get by using that “secure” OS or browser may end up exposing you to even more risk.

4/17/2006 Phishers take advantage of current news

Not long ago, a news story hit the wires that the IRS was requesting PayPal provide them with information to help catch tax evaders. The phishers have jumped right on it - today I got a phishing message purporting to be from PayPal, which read in part:

"Dear customer,
As seen in the news these days, the Internal Revenue Services (I.R.S.) is asking PayPal for customer information to check for possible tax evaders. In order to assure that your account is safe we ask you to verify your personal data. [link labeled "Click here to verify your information"]. After you complete the verification process you are free to use your account just like you used to."

Of course, the fact that I don't have a PayPal account, and wouldn't go near PayPal after their behavior several years ago when an identity thief charged a bunch of stuff to one of our credit cards through PayPal, was a tipoff that the message was a scam -- but I wonder how many real PayPal customers heard the news about the IRS and will now fall for this as a consequence.

Same day, my husband got the first phishing scam we've seen for our own bank. We're always getting them about our supposed Wells Fargo, Bank of America, Washington Mutual etc. accounts (none of which we have), but because we use a small localized bank, we had previously been spared scams naming our real bank. Not anymore. It appears the phishers are now targeting the smaller banks. And the link it contains displays the legit URL that you use for online banking with that bank -- except, of course, if you hover over it you see the site it's really linked to: ferry-distribution.com, which is registered to a company in France. Nice try.

The phishers are definitely getting more insidious. My policy is "never respond to any unsolicited email from financial institutions or services." If I'm really doing business with them, I'll call them or stop by their office to discuss my financial matters. But for those people who do have accounts with PayPal and eBay, that could be a problem. What a shame that criminals have crippled a useful form of communication.
4/9/2006 Is AT&T sending your email to the NSA?

According to the Electronic Frontier Foundation, a well known Internet privacy advocacy group, AT&T is sending all its Internet traffic through the National Security Agency, where the government could be reading all your super secret email messages and monitoring your web requests. The EFF filed legal briefs in San Francisco for a class-action suit to that effect last week, asking for a preliminary injunction.

The New York Times reported back in December that the president authorized the NSA to intercept telephone and Internet communications within the U.S. without court authorization, for the purpose of detecting terrorist activities. But will the government really limit its surveillance to that purpose? It's not a matter of whether or not your party is in power. Even if you trust this administration, bureaucrats tend to sometimes go off on tangents of their own. Knowledge is power, after all, and knowing what we're all doing and saying on the Internet all the time could make someone very powerful indeed. And the other party will be back in power eventually; what will they do with such knowledge?

Read more about it on the EFF's web site at http://www.eff.org/news/archives/2006_04.php#004538.
4/5/2006 Will Apple take a bite out of the PC market?

As soon as Apple started offering their new Intel-based Macs, users wanted to know if they could run Windows on it. Hint to PC makers: this just might be a subtle indication of market demand for a tiny system. I know the first time I saw the Mac Mini, my reaction was: Gosh, I wish it ran Windows; I'd buy one in a minute. Apparently I wasn't the only one thinking that way. (For those who are thinking "but there is already a PC that looks like the Mini -- exactly like the Mini -- made by AOpen": yes, I know. The problem is the pricing; according to all I've read, the mini PC sells for over $1000, considerably more than the Mac, which starts at $599.)
Hackers immediately set out to get XP to run on the new Macs, and succeeded.
Apple had a choice: stand up and fight for their purity, or give in to the inevitable. Which was the right moral choice is open to debate, but I think they made the right business decision. They've just announced that they're releasing software, called Boot Camp, to enable dual booting of OS X and Windows XP on their Intel systems. Now I don't have an excuse; I guess I'll have to get one.
Seems like a win-win situation for Apple and Microsoft. Hardcore Windows users who would never otherwise have bought a Macintosh will now be mightily tempted. Bipartisan computer hobbyists who want to use both operating systems can now do it on the same machine. Microsoft can sell Windows licenses to Mac owners who might not have sprung for an entire separate PC but would like to run Windows for certain applications, games, etc. Seems like the only ones who stand to get hurt are the PC makers who failed to offer Windows users a machine as compact and cute as the Mini at a comparable price.
3/29/2006 Update: Flash drives growing by the minute

Just a couple of days ago we wrote about Samsung's 32 GB flash drive. Today we saw this post claiming that BUSlink has launched a 64 GB flash drive -- and this one is a keyring USB drive, to boot. The price is a tad hefty ($5000; yep, that's five thousand bucks) but other than that, what's not to like? http://www.engadget.com/2006/03/29/buslinks-64gb-usb-2-0-flash-drive-pro-2-series/
3/27/2006 Bigger Portable Storage Devices Pose Bigger Security Risks

Last week, we ran across a report that Samsung is introducing a 32 GB flash drive (http://news.yahoo.com/s/nf/20060322/bs_nf/42277). That's good news for digital photographers, digital music fans, and others who can never get enough storage capacity. But what are the security implications?

Samsung's drive is intended to be a hard disk replacement, and nothing I've read indicates that it will be removable. But you can bet that USB "thumb drives" with similar high capacities are on the way. And that's enough to make those responsible for securing the data on business networks shudder. Now employees, temps or corporate espionage agents posing as janitors or repairmen will be able to walk off with even more of your data, more conveniently.

These devices are going to have lots of good uses, too. You'll be able to back up a lot of data on a 32GB drive, and it'll make transporting large amounts of data between home and office for legit purposes a breeze. But, deliberate thievery aside, what if that drive (with personnel records, company financial data, client information, trade secrets, etc.) gets lost?

Obviously, we're going to need ways to exercise a lot more control over removable drives because as capacity grows, so does the threat. We're likely to see more products designed to address this need. One example is LANguard Portable Storage Control (PSC), which lets you granularly control which users can access these types of devices (it also controls access to floppy and CD/DVD drives). You can read more about it here: http://www.windowsecurity.com/articles/Review-GFI-LANguard-Portable-Storage-Control.html. Another useful product is DeviceWall (http://www.devicewall.com), which can force all data copied to flash devices to be automatically encrypted.

So rather than lament the growing capacity of removable devices, security specialists need to push for a proactive plan to manage them within the organization so workers can enjoy their benefits without creating a security crisis.
3/24/2006 No Good Deed

Like a lot of other folks in the IT security business, I spend a lot of my time doing "pro bono" work -- answering questions from people who read my articles, newsletters and web postings. Given the huge volume, there's no way that I can respond to all of them, but I set aside a certain amount of time each week to address as many as I can.

Most of the people who write are fantastic, and more than a few continuing friendships and business relationships have started out this way. Occasionally, though, I deal with someone who makes me wonder why in the heck I bother.

Take the recent message from a reader who had followed one of the tips in my newsletter that was actually in response to a different reader's problem that was similar, but different, from the problem he was having. When the solution didn't work for him (and in fact, he said it made things worse), he apparently wrote to tell me so and his message was one of those I didn't get to that week. The next week, I did catch his message claiming that I had "screwed up his machine and didn't even have the courtesy to acknowledge it." When I wrote back to explain that we receive sometimes up to 1000 messages per day at that address and I was sorry I hadn't seen the previous one, I tried to be friendly and as usual, addressed him by his first name.

His response was, in part, that I should "consider whether first person usage is appropriate" and "review your internal procedures for routing and reviewing feedback messages." Now that really makes me want to spend more time trying to help this guy, don't you think?

Reminds me of the adage that "no good deed goes unpunished." Sometimes those folks get me down for a moment. But it's all those others out there, the vast majority who understand that free help has its limits and who aren't looking for someone else to blame for their problems, who keep me going -- and loving what I do, despite the rough spots now and then. And when I have an experience like this, it makes me appreciate the rest of you even more.
Thank you all for reading!

3/15/2006 "Too Much Security" (Revisited)

Today Tom brought my attention to the following article on SearchNetworking.com: http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci1172626,00.html.

Apparently it was meant to be good PR for Microsoft's ISA Server and Network Engines' ISA appliances, to which Jelly Belly (the famous jelly bean company based in California) switched from their Linux-based VPN device. But to me, it reads like an underhanded swipe at Microsoft's products. They switched because the Linux VPN was "too secure?"

The resulting implication is that the ISA-based VPN is less secure, but that's a misleading conclusion. Although I often say that security and accessibility are on opposite ends of a continuum, that does NOT mean that inaccessibility in itself equals security.

Here's an analogy that might help clarify the situation. Police officers have a "security problem" in that there are numerous cases in which criminals take their guns away from them and use the police weapon against the officer. There are several ways to deal with this. Officers undergo weapon retention training where they learn "best practices" (automatically keeping the gun side away when you're talking to someone, how to detect when a person is thinking about going for your gun, how to defend against a gun grab). Another option is to use a high security holster, which requires that you know the "trick" in order to release the gun.

What officers DON'T do is superglue their guns into their holsters. Of course, that WOULD prevent others from taking it away from them -- but is that "security?" Of course not, because the officer him/herself wouldn't be able to get the gun when it was needed, either. That's merely inaccessibility. An officer who is unable to use his/her firearm is certainly NOT more secure.

And that's the mistake made by the writer of the above article: he confuses inaccessibility with security. In fact, he goes on to describe the REAL problems with the Linux system: "it was too complex to manage and remote users would run into IP blocks on the road, not allowing them to log on. It became increasingly time-consuming and costly to work with, and authentication problems were plenty." In other words, it wasn't "too secure" -- it was too inaccessible.

Real security makes your network inaccessible only to UNAUTHORIZED persons, not to the people who
need access.

3/11/2006 Too Much Control?

I've always had a tendency to be a "do it yourselfer" (you know, one of those who subscribes to the policy that if you want something done right, you have to do it yourself), or - to put it a little less nicely - a bit of a control freak. I guess that's why I became a police officer, and then years later, an IT pro. The first objective of a cop is to control the situation. And we all know network administration and network security are all about control.

But sometimes I think, in both occupations, we tend to go a little overboard. There is, after all, such a thing as being too controlling (just ask any spoiled brat only child with an overprotective mother). When cops come on too strong, they lose the support of the citizens who fund their salaries. When moms won't loosen up on the reins, they drive their children to rebellion. And when we IT folks try to exert too much control over our users and their computers, we may find them actually like rebellious children, too, going out of their ways to circumvent our security mechanisms, even when those mechanisms are "for their own good."

I was reminded of this a few days ago when a friend lamented that she was prohibited from having dual monitors at work, even though she does extensive research that requires multiple open windows and a second monitor would greatly enhance her productivity. It wasn't a matter of budget; she'd offered to buy the second monitor herself. But the company's IT policies forbid attaching anything to the networked computers without permission of the IT staff -- a sensible policy. And the IT staff wouldn't approve attaching anything she brought in "for security reasons."

Now that makes sense if she wanted to bring in an external hard disk or a modem or some other device that would be inputting data to the computer and network. But I fail to see how a monitor poses a security risk. I think we've become a little like parents who just automatically say "no" before the kid even gets the question out of his mouth. We've become so overprotective of "our" networks and computer systems that we forget that the users have to actually get work done on those systems every day.

It's our job, not the users', to know the dangers posed by various actions and prohibit those that put the network at risk. But if we want the cooperation of those users, it might behoove us to actually analyze each case and try to work with them
instead of against them when we can.

3/6/2006 Wi-fi Security Issues You May Not Have Thought About

I get lots of reader mail asking how to secure wireless networks set up at home or for small businesses. The questions almost invariably focus on how to keep unauthorized users from surfing on your bandwidth or, worse, gaining access to the Ethernet network that's connected to the WAP. With so many of us running wi-fi networks, these are all legitimate concerns. In fact, several surveys have shown that more home networkers are using wireless than Ethernet (of course, many have both). Lots of broadband providers are providing their customers with wireless routers, and many others just find wi-fi easier to set up than a cabled network.

But there's another wireless threat that many people don't seem to have thought much about. That's when you connect your laptop or handheld computer to a public wi-fi hotspot. There have lately been reports of scam artists setting up their own wireless networks configured to look like the wi-fi hotspots of legit providers, but when you log in, they capture your passwords and other personal information. The imitators use high gain antennas and other equipment to broadcast a stronger signal than the real hotspot.

This is also a danger in connecting to free wi-fi networks. They may be run by generous folks who just want to share the love (and their Internet connection, sometimes to the displeasure of their ISPs). But they may be run by someone with less noble intentions.

Be sure that when you do use a public hotspot, you take some precautions (such as turning on personal firewall software if you don't use it at home or work because you're behind a perimeter firewall, and disabling file sharing). Wireless is great, but it does make you more vulnerable, so take a little more care when you connect that way. And for a discussion of some legal issues pertaining to wireless networks, see the March 7, 2006 edition of WXPnews at www.wxpnews.com.
3/2/2006 Phishing Scams and the End of Anonymity

Phishers are getting more sophisticated, and that puts Internet users - especially those who are new to online communications - at risk. Some of these phishing emails make even a seasoned skeptic like me pause and take a second look. This week, I've received several copies of a message purporting to be from eBay's resolution department, referencing a transaction supposedly agreed to by the recipient and another member, and asking you to contact eBay about it. There's lots of legalese in fine print at the bottom and even a helpful link you can click to "learn how you can protect yourself from spoof emails."

Of course, if you look a little closer and dig a little deeper, things start to look suspicious: the message cautions that you can't answer it by email but must click the response link, and a look at the source code of the HTML message reveals that the logo and other graphics come from a site other than ebay.com.
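Both tells described in these posts (the bank phish whose link displays the real online-banking URL but points somewhere else, and the eBay phish whose logo is served from a site other than ebay.com) can be checked mechanically from the message source. The script below is an added example written for this page, not code from the original blog; it uses only the Python standard library, and the message body and every hostname in it (mybank.example, lookalike.invalid) are constructed for illustration.

```python
"""Two mechanical checks for common phishing tells in an HTML e-mail body.

1. An <a> whose visible text looks like a hostname or URL but whose href
   actually resolves to a different site ("displays the legit URL" trick).
2. An <img> whose src is hosted outside the domain the mail claims to come
   from (the "logo comes from a site other than ebay.com" trick).

Added example; standard library only. All hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(url):
    """Lower-cased hostname of a URL; bare text like 'www.site.example/x' gets a scheme first.
    Values with a non-network scheme (cid:, mailto:) have no host and yield ''."""
    url = (url or "").strip()
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        parsed = urlparse("http://" + url)
    return (parsed.hostname or "").lower()


def same_site(host, domain):
    """True if host is domain itself or a subdomain of it.
    A lookalike such as 'mybank.example.evil.invalid' is NOT the same site."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and the src of every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(html, claimed_domain):
    """Return mismatched links and off-site image hosts found in an HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatched = []
    for href, text in parser.links:
        # Only anchor text that itself reads like a hostname/URL can "display" a site.
        if "." in text and " " not in text:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and not same_site(actual, shown):
                mismatched.append({"shown": shown, "actual": actual})
    offsite = []
    for src in parser.images:
        host = host_of(src)   # '' for inline cid: or relative images; those are skipped
        if host and not same_site(host, claimed_domain):
            offsite.append(host)
    return {"mismatched_links": mismatched, "offsite_images": offsite}


# Constructed sample message (not a real phishing mail): the visible link text shows
# the bank's own site, the href does not, and the logo is hosted elsewhere.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, please sign in at
<a href="http://secure-login.lookalike.invalid/verify">www.mybank.example</a>
to confirm your details.</p>
<p><a href="http://www.mybank.example/contact">Contact us</a></p>
<img src="http://img.lookalike.invalid/logo.gif">
<img src="http://www.mybank.example/spacer.gif">
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_MAIL, "mybank.example"))
```

Run against the constructed message, `analyze` reports the sign-in link as mismatched (shown `www.mybank.example`, actual `secure-login.lookalike.invalid`) and `img.lookalike.invalid` as an off-site image host, while the "Contact us" link and the bank's own spacer image pass. The `same_site` check deliberately requires a dot boundary, so a hostname that merely starts with the real domain is still flagged.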
I wasn't too worried about it anyway, since I don't use eBay -- but I can see someone who hasn't already seen a million of these things thinking it was real. And the problem is exacerbated by the fact that it's difficult to contact eBay itself to ask about the validity of the message if you don't have an eBay account and don't want to enter the credit card information required to get an account.

We're already at the point where many people won't install software that hasn't been digitally signed so that the identity of the publisher can be verified. Will we soon reach the point where we won't accept email that doesn't have a digital signature? Mark Minasi wrote in this week's IT Pro Update about laws removing anonymity on the 'net (his focus was on Section 113 of the newest version of the Violence Against Women Act, which makes anonymous harassment over the Internet a federal crime, as anonymous telephone harassment already was). While anonymity can serve useful and even vital purposes -- such as protecting political dissenters and whistleblowers from retaliation -- it is also the root of many of the problems that plague the 'Net, such as spam, newsgroup flames, pedophiliac activities and phishing scams. I can foresee a day when you'll have to have an authenticated identity to log onto an ISP and you won't be able to hide behind a cute screen name when you post to a web board or discussion list.

I have mixed emotions about that. I wish it weren't necessary, but I'm afraid it's becoming more so every day. The technological challenge then will be to implement a world-wide identity management method that's as close to foolproof as possible. And that's not going to be easy. Look at the time, effort and expense involved in just managing identities in a large enterprise environment, and imagine extending that to a whole world of Internet users.