Security Mike's Blog

Full disk encryption for all!

Wed, 05 Mar 2008 07:32:00 +0000

To echo Bruce Schneier's comments, it's important to encrypt the data on your laptops. Yes, the laptops get stolen, they get lost and your private data is on them. So if you scramble up that data (using an encryption product), then you are somewhat insulating yourself from having that data stolen.

A new attack was introduced by Ed Felten and his band of merry Princeton grad students a week ago, which showed how to steal the encryption key and gain access to hard drive data, even if the data is encrypted. Let's just say, this is not an attack that most of you need to worry about. You are still much better off encrypting your data, than not encrypting your data.

I personally use the FileVault capability within Mac OS X. There are a bunch of 3rd party utilities, but FileVault works fine for me. I don't see any reason to make it harder than it needs to be.

There is no 100% security

Tue, 04 Mar 2008 08:00:00 +0000

I've seen a couple of data points recently where folks have published personal information, with the idea that the bad guys couldn't use if for identity theft. They were wrong and pretty stupid for doing it in the first place.

The first is Todd Davis, CEO of a company called LifeLock. I'm actually a customer and they do identity theft protection services. They've built a marketing campaign around this guy publishing his Social Security Number and challenging the bad guys to try to rip him off. You've probably seen the ads.

He did get compromised. How? Basically, there was a failing on the part of a 3rd party that didn't do the proper credit authorizations. This had nothing to do with LifeLock, but he was compromised nonetheless.

The second example is a UK media personality called Jeremy Clarkson. This guy published his bank account and it was then looted by an identity thief. Of course, these are outlandish examples of people doing stupid things to prove a point. And they did just that.

The moral of the story is not to paint a target on your head. There is no way to be 100% secure. That's why credit monitoring and making sure you understand exactly what is happening in your bank and credit accounts is so important. If you know something is an issue, you can start working immediately to fix it and hopefully contain the real damage.

Photo credit: alicetiara

Are you clean? Let Google decide for you.

Mon, 03 Mar 2008 12:38:00 +0000

Interesting post on Roger Thompson's blog here about Google (in their infinite wisdom) deciding to block organic search links to sites they deem "bad." 90% of the time this works and is a good thing. If there is malware hosted on a site, you want Google to be blocking access from the search engine.

But what if there isn't malware there? What if it's a case of mistaken identity? The idea that it could take 12 months to get this fixed would do significant damage to the web sites that are mistakenly accused.

The answer? Actually there isn't one. You should be using a tool like Roger's LinkScanner or McAfee's SiteAdvisor as a matter of practice (yes, it's one of Security Mike's suggestions). But there isn't much you as a user can do besides cutting and pasting the URL into your own browser, which is a pain the backside.

Although hope is not a strategy, we can only hope that Google is right a lot more often then they are wrong...

Image credit: onedigitallife.com

PayPal takes a bite out of Apple

Thu, 28 Feb 2008 07:11:00 +0000

I'm a big fan of the Mac as a computing platform. No, OS X isn't more secure than Vista. But there are a lot less folks looking to exploit it and it's certainly architected (as is Vista) in a more secure fashion than Windows XP.

But does that mean you should be using all of Apple's applications. Like the Safari browser? Not necessarily. The CSO (chief security officer) of PayPal goes on a bit of a tirade in this NetworkWorld article about why Safari isn't a good option - for those that care about security anyway.

The reality is that he's right. I personally use Firefox on all my devices (both Macs, PCs, and virtualized PCs running on my Mac). I do that because of NoScript. I've mentioned that plug-in before, but until it is ported to (or that capability included in) the other browsers, I'm not going anywhere. It's that important.

So yes, Safari is missing some stuff. Like no built-in phishing filter or support for extended validation SSL certificates. I find the former to be a much bigger issue than the latter, as evidenced in today's Daily Incite. But suffice it to say, these aren't deal breakers for me. It's all about NoScript and that drives me to Firefox.

Photo credit: karmablue

Should you use virtual credit cards?

Tue, 26 Feb 2008 16:58:00 +0000

I got a press call this morning from a guy looking to learn more about "virtual credit cards." These are one-time use numbers that protect your main credit card and can only be used one time on one site. This capability is available from a few of the large credit card banks. Check out more information at the Cardratings site.

The reality is that using these virtual credit card numbers are a pain in the butt. You have to either download some software or go to yet another web site to get the right credential to use it. Is it worth it? The answer is a big maybe.

If you are doing business with a totally new site, then it probably does. Credibility and trust are earned and until a vendor has an opportunity to earn my trust, I'd rather shield my true financial information.

On the other hand, you are now pretty much insulated since you will be reimbursed on any fraudulent charges on your card. But to be clear, having your credit card compromised is a huge hassle, so you want to avoid it.

Truth be told, I don't use virtual credit cards very often. But I am also very selective about the online merchants I use. As always, you are better safe than sorry.

Photo credit: pt

Wherefore broadcast SSIDs?

Mon, 25 Feb 2008 18:20:00 +0000

It really is amazing how many open wireless network you can find. If you are somewhat technical, get a wireless scanner (like NetStumbler) and see what you can find. Once you are in there, you can use an open source tool like Metasploit to attack, I mean test, the machines you find on the open network. Statistically, you'd probably be successful in compromising machines a majority of the times you try.

Yes, that's scary stuff. It's also why the first step on Security Mike's Guide is to secure your networks. One of the common misconceptions is that you need to stop broadcasting your SSID, which is the network identifier of your wireless network. I'm with Steve Riley on this one. He does a pretty good treatment about why it doesn't matter whether you broadcast or not.

Whether someone can see your network or not is besides the point. The real question is whether they can access it. By doing some very simple security configurations on your wireless router, you can make it a LOT harder to penetrate.

Photo credit: dasmart

PayPal E-mail authentication

Fri, 22 Feb 2008 03:33:00 +0000

PayPal is one of the 2-3 most phished brands out there. That means they are targeted more often by phishing attacks than anyone else. If you use PayPal, then you need to be aware of the security capabilities they use to protect your account information. NetworkWorld had a recent interview discussing their security methods.

Two-factor authentication - PayPal will issue you a token to more securely authenticate to your account. It costs $5 and you'll have to carry it around. I definitely adds more security to your account, but you have to carry the thing around. Did I mention you have to carry it around? I think using a strong password will provide enough security.
Signed e-mail - PayPal also used a technology called DKIM (domain keys internet mail) to add a digital signature to any emails they send to you. Many of the major email client (yahoo and gmail for sure) will tell you the message is signed. This verifies that the message is actually from PayPal and not from an attacker. Below you can see what the signature looks like in Gmail. The "signed-by" and "mailed-by" fields show that paypal.com has sent the message.

As usual, an ounce of awareness is worth a couple of pounds of protection. Your own knowledge is far and away your best defense.

Don't bank at Starbucks

Thu, 21 Feb 2008 09:32:00 +0000

The Wall Street Journal's Walt Mossberg has some sage advice here about what you should and SHOULD NOT do on public Wi-Fi networks. The reality is that it's easy to compromise your machine and your data on these networks. A bad guy can set up a fake access point, or compromise your internal routing tables, or download a Trojan onto your machine.

I know, I know - what else are you going to do at Starbucks? You've got a couple of options. Personally, I use a 3G EVDO wireless service from Verizon (Sprint and AT&T also have competing services) to provide my connectivity when I'm out of the office.

Yet, the reality is that I do connect on some public WiFi networks. It's not frequent, but it does happen. To protect those sessions, I use a public VPN service to encrypt the traffic from my machine to the Internet. The service I use is from WiTopia. There are a bunch of other one's and you could also set up a proxy server on your own network if you are technically-inclined.

The main point is to reiterate Mossberg's view. Don't do anything sensitive on a public WiFi network. It's bad for the health of your identity.

Make sure it's really Microsoft Update

Wed, 20 Feb 2008 12:06:00 +0000

The innovation on the part of the bad guys continues to amaze. Per SC Magazine, these folks are using some URL obfuscation to get you to a Microsoft Update imposter site. F-Secure is credited with finding the bad site, and there are lots of details on their blog site.

Finnish anti-virus firm F-Secure warned Friday that a new malware-laced Microsoft Update page has appeared in the wild and is hosted on a URL that incorporates the actual Microsoft Update address – microsoft.com/cfm48 – with a period substituted for a forward slash.

The slightly modified URL takes the victim to a fake Microsoft Update “welcome” page that prominently features an urgent notice telling the visitor to install a “critical Windows XP/2000/2003/Vista update!” Install is mispelled on the bogus update page (“intall”), F-Secure reported.

An “Urgent Install” button appears in the fake notice, next to a prompt reading “Get critical update (obligatory).” Users who click on the button receive a file labeled WindowsUpdateAgent30-x86-x64.exe, which installs a trojan-dropper on the victim's PC. F-Secure said the bogus update page is a “fast flux” site and uses a wide range of IP addresses attached to the “cfm48.com" portion of the URL.

If you are a consumer, what to do? Basically, make sure you launch Microsoft (or Windows) Update yourself. DO NOT click on a link that you get via email. Launch Microsoft Update and then it will take you to the correct update site. Scrutinize the address in the bar and make sure it's really a Microsoft site.

And just be aware. That's usually the best defense.

Now this is security awareness!

Fri, 15 Feb 2008 06:14:00 +0000

My friend Alan Shimel tells a great story about how his oldest son is more security-aware than 98% of the Internet users out there. And I may be conservative on that front.

Yesterday I talked about using strong passwords and protecting them, since they are the key to the kingdom. But, as a technologist tends to do, I focused on throwing technology at the problem.

The first rule of thumb is to not tell anyone your passwords. Not your wife, your dog, and certainly not your mother in law. And I get along with my mother in law. Shimel's son is right, he shouldn't tell his Dad the password. Trust has nothing to do with it.

That being said, you always want to have fail safes. So make sure your passwords are stored somewhere, so if something does happen to you - someone else can pick up the pieces. Maybe keep it in your safety deposit box or with the trustee of your estate.

And teach your kids these lessons. It's never too early to teach them safe Internet practices.

Photo credit: Silfverduk