Wednesday, March 5, 2008

Full disk encryption for all!

To echo Bruce Schneier's comments, it's important to encrypt the data on your laptops. Yes, the laptops get stolen, they get lost and your private data is on them. So if you scramble up that data (using an encryption product), then you are somewhat insulating yourself from having that data stolen.

A new attack was introduced by Ed Felten and his band of merry Princeton grad students a week ago, which showed how to steal the encryption key and gain access to hard drive data, even if the data is encrypted. Let's just say, this is not an attack that most of you need to worry about. You are still much better off encrypting your data, than not encrypting your data.

I personally use the FileVault capability within Mac OS X. There are a bunch of 3rd party utilities, but FileVault works fine for me. I don't see any reason to make it harder than it needs to be.

Tuesday, March 4, 2008

There is no 100% security

I've seen a couple of data points recently where folks have published personal information, with the idea that the bad guys couldn't use if for identity theft. They were wrong and pretty stupid for doing it in the first place.

The first is Todd Davis, CEO of a company called LifeLock. I'm actually a customer and they do identity theft protection services. They've built a marketing campaign around this guy publishing his Social Security Number and challenging the bad guys to try to rip him off. You've probably seen the ads.

He did get compromised. How? Basically, there was a failing on the part of a 3rd party that didn't do the proper credit authorizations. This had nothing to do with LifeLock, but he was compromised nonetheless.

The second example is a UK media personality called Jeremy Clarkson. This guy published his bank account and it was then looted by an identity thief. Of course, these are outlandish examples of people doing stupid things to prove a point. And they did just that.

The moral of the story is not to paint a target on your head. There is no way to be 100% secure. That's why credit monitoring and making sure you understand exactly what is happening in your bank and credit accounts is so important. If you know something is an issue, you can start working immediately to fix it and hopefully contain the real damage.

Photo credit: alicetiara

Monday, March 3, 2008

Are you clean? Let Google decide for you.

Interesting post on Roger Thompson's blog here about Google (in their infinite wisdom) deciding to block organic search links to sites they deem "bad." 90% of the time this works and is a good thing. If there is malware hosted on a site, you want Google to be blocking access from the search engine.

But what if there isn't malware there? What if it's a case of mistaken identity? The idea that it could take 12 months to get this fixed would do significant damage to the web sites that are mistakenly accused.

The answer? Actually there isn't one. You should be using a tool like Roger's LinkScanner or McAfee's SiteAdvisor as a matter of practice (yes, it's one of Security Mike's suggestions). But there isn't much you as a user can do besides cutting and pasting the URL into your own browser, which is a pain the backside.

Although hope is not a strategy, we can only hope that Google is right a lot more often then they are wrong...

Image credit:

Thursday, February 28, 2008

PayPal takes a bite out of Apple

I'm a big fan of the Mac as a computing platform. No, OS X isn't more secure than Vista. But there are a lot less folks looking to exploit it and it's certainly architected (as is Vista) in a more secure fashion than Windows XP.

But does that mean you should be using all of Apple's applications. Like the Safari browser? Not necessarily. The CSO (chief security officer) of PayPal goes on a bit of a tirade in this NetworkWorld article about why Safari isn't a good option - for those that care about security anyway.

The reality is that he's right. I personally use Firefox on all my devices (both Macs, PCs, and virtualized PCs running on my Mac). I do that because of NoScript. I've mentioned that plug-in before, but until it is ported to (or that capability included in) the other browsers, I'm not going anywhere. It's that important.

So yes, Safari is missing some stuff. Like no built-in phishing filter or support for extended validation SSL certificates. I find the former to be a much bigger issue than the latter, as evidenced in today's Daily Incite. But suffice it to say, these aren't deal breakers for me. It's all about NoScript and that drives me to Firefox.

Photo credit: karmablue

Tuesday, February 26, 2008

Should you use virtual credit cards?

I got a press call this morning from a guy looking to learn more about "virtual credit cards." These are one-time use numbers that protect your main credit card and can only be used one time on one site. This capability is available from a few of the large credit card banks. Check out more information at the Cardratings site.

The reality is that using these virtual credit card numbers are a pain in the butt. You have to either download some software or go to yet another web site to get the right credential to use it. Is it worth it? The answer is a big maybe.

If you are doing business with a totally new site, then it probably does. Credibility and trust are earned and until a vendor has an opportunity to earn my trust, I'd rather shield my true financial information.

On the other hand, you are now pretty much insulated since you will be reimbursed on any fraudulent charges on your card. But to be clear, having your credit card compromised is a huge hassle, so you want to avoid it.

Truth be told, I don't use virtual credit cards very often. But I am also very selective about the online merchants I use. As always, you are better safe than sorry.

Photo credit: pt

Monday, February 25, 2008

Wherefore broadcast SSIDs?

It really is amazing how many open wireless network you can find. If you are somewhat technical, get a wireless scanner (like NetStumbler) and see what you can find. Once you are in there, you can use an open source tool like Metasploit to attack, I mean test, the machines you find on the open network. Statistically, you'd probably be successful in compromising machines a majority of the times you try.

Yes, that's scary stuff. It's also why the first step on Security Mike's Guide is to secure your networks. One of the common misconceptions is that you need to stop broadcasting your SSID, which is the network identifier of your wireless network. I'm with Steve Riley on this one. He does a pretty good treatment about why it doesn't matter whether you broadcast or not.

Whether someone can see your network or not is besides the point. The real question is whether they can access it. By doing some very simple security configurations on your wireless router, you can make it a LOT harder to penetrate.

Photo credit: dasmart

Friday, February 22, 2008

PayPal E-mail authentication

PayPal is one of the 2-3 most phished brands out there. That means they are targeted more often by phishing attacks than anyone else. If you use PayPal, then you need to be aware of the security capabilities they use to protect your account information. NetworkWorld had a recent interview discussing their security methods.
  1. Two-factor authentication - PayPal will issue you a token to more securely authenticate to your account. It costs $5 and you'll have to carry it around. I definitely adds more security to your account, but you have to carry the thing around. Did I mention you have to carry it around? I think using a strong password will provide enough security.

  2. Signed e-mail - PayPal also used a technology called DKIM (domain keys internet mail) to add a digital signature to any emails they send to you. Many of the major email client (yahoo and gmail for sure) will tell you the message is signed. This verifies that the message is actually from PayPal and not from an attacker. Below you can see what the signature looks like in Gmail. The "signed-by" and "mailed-by" fields show that has sent the message.

As usual, an ounce of awareness is worth a couple of pounds of protection. Your own knowledge is far and away your best defense.

Thursday, February 21, 2008

Don't bank at Starbucks

The Wall Street Journal's Walt Mossberg has some sage advice here about what you should and SHOULD NOT do on public Wi-Fi networks. The reality is that it's easy to compromise your machine and your data on these networks. A bad guy can set up a fake access point, or compromise your internal routing tables, or download a Trojan onto your machine.

I know, I know - what else are you going to do at Starbucks? You've got a couple of options. Personally, I use a 3G EVDO wireless service from Verizon (Sprint and AT&T also have competing services) to provide my connectivity when I'm out of the office.

Yet, the reality is that I do connect on some public WiFi networks. It's not frequent, but it does happen. To protect those sessions, I use a public VPN service to encrypt the traffic from my machine to the Internet. The service I use is from WiTopia. There are a bunch of other one's and you could also set up a proxy server on your own network if you are technically-inclined.

The main point is to reiterate Mossberg's view. Don't do anything sensitive on a public WiFi network. It's bad for the health of your identity.

Wednesday, February 20, 2008

Make sure it's really Microsoft Update

The innovation on the part of the bad guys continues to amaze. Per SC Magazine, these folks are using some URL obfuscation to get you to a Microsoft Update imposter site. F-Secure is credited with finding the bad site, and there are lots of details on their blog site.

Finnish anti-virus firm F-Secure warned Friday that a new malware-laced Microsoft Update page has appeared in the wild and is hosted on a URL that incorporates the actual Microsoft Update address – – with a period substituted for a forward slash.

The slightly modified URL takes the victim to a fake Microsoft Update “welcome” page that prominently features an urgent notice telling the visitor to install a “critical Windows XP/2000/2003/Vista update!” Install is mispelled on the bogus update page (“intall”), F-Secure reported.

An “Urgent Install” button appears in the fake notice, next to a prompt reading “Get critical update (obligatory).” Users who click on the button receive a file labeled WindowsUpdateAgent30-x86-x64.exe, which installs a trojan-dropper on the victim's PC. F-Secure said the bogus update page is a “fast flux” site and uses a wide range of IP addresses attached to the “" portion of the URL.

If you are a consumer, what to do? Basically, make sure you launch Microsoft (or Windows) Update yourself. DO NOT click on a link that you get via email. Launch Microsoft Update and then it will take you to the correct update site. Scrutinize the address in the bar and make sure it's really a Microsoft site.

And just be aware. That's usually the best defense.

Friday, February 15, 2008

Now this is security awareness!

My friend Alan Shimel tells a great story about how his oldest son is more security-aware than 98% of the Internet users out there. And I may be conservative on that front.

Yesterday I talked about using strong passwords and protecting them, since they are the key to the kingdom. But, as a technologist tends to do, I focused on throwing technology at the problem.

The first rule of thumb is to not tell anyone your passwords. Not your wife, your dog, and certainly not your mother in law. And I get along with my mother in law. Shimel's son is right, he shouldn't tell his Dad the password. Trust has nothing to do with it.

That being said, you always want to have fail safes. So make sure your passwords are stored somewhere, so if something does happen to you - someone else can pick up the pieces. Maybe keep it in your safety deposit box or with the trustee of your estate.

And teach your kids these lessons. It's never too early to teach them safe Internet practices.

Photo credit: Silfverduk

Thursday, February 14, 2008

Protecting the Keys to Your Kingdom

Passwords are the path of least resistance. Almost everything you do online is protected by a password. Your bank accounts. Your credit cards. Your online merchants. Of course, you could use different, very strong passwords (15-20 random characters) on each site, but who has time for that?

Odds are you are like everyone else out there and use the same 2 or 3 passwords for all of your sites and you write them down on a piece of paper that you store in your wallet or at your desk. Don't feel bad, you aren't alone.

But it's still not a good idea. Brian Krebs goes over a few password storage tips and tools in this post. Send him a note and thank him. He's provides some great advice.

I use Mac OS X for 95% of my computing tasks. So I bought the leading password manager for Mac users - 1Password. It works great. I let it generate very strong passwords for my sensitive sites. They are stored in it's secure vault and I let the tool fill in the forms on the web sites. It does cost money, but for me it's worth it.

If you are looking for some free stuff, then Brian's post points to a couple of open source tools. I can't vouch for them because I've never used them. But figuring out a way to increase the strength of your passwords should be a priority.

Photo credit: Secure password of the week by Simon Lieschke

To Catch a Phish: Practice, Practice, Practice

Our adversaries are very good. Very very good. They are experts at deception and intrigue. They make a living (and a very good living at that) from separating you from your personal information. They prey on your gullability and trusting nature.

I don't advocate that you become a full on paranoid like me. Everytime I get a strange email that seems suspicious, I'm tearing apart the headers and doing link analysis to figure out if the message is legit. And I'm just an amateur. I know a lot of guys that pull these messages apart professionally.

Unfortunately, I'm not opening up your email nor are my security research friends. So you've got to learn to walk for yourself. How do you do that? I'm glad you asked. Step 7 in Security Mike's Guide will be all about detecting attempts at identity theft and other fraud techniques. What they look like, how to detect them, all of that stuff. I'm trying to teach you to fish (no pun intended), as opposed to just giving you a fish.

But you can get started, while I'm still working on the Security Mike content. CRN does a nice job in highlighting 10 phishing scams. The bad guys have moved on from these, so the likelihood that you'll get this very attack is small. But the techniques don't change that often. So pay attention and apply a wee bit of paranoia when you are opening your emails and surfing the web, and you'll be a lot better off for it.

Photo credit: Hook, line and sinker... by ToastyKen

Wednesday, February 13, 2008

February Patch Tuesday - Making up for Lost Time

I sure hope we weren't lulled into a false sense of security by the very light January Patch events (only two fixes shipped). This month, we make up for lost time with 11 new patches to install. 6 critical, but all the same - just install them all. Better safe than pwned.

You can get the specifics of the patches from NetworkWorld or directly from the Microsoft Security Response Center.

Later today, updates (with screenshots of all the updates you should have installed) for Vista, XP, and two flavors of Mac (Leopard and Tiger) will be up on Security Mike's Portal. Log in to get the latest and greatest.

Tuesday, February 12, 2008

This Cupid I don't need

With this weeks festive Valentine's Day celebration upon us, the social engineers are back at work. These folks come up with new and innovative ways to get you to open email and then own your machine. The payload is usually the eponymous Storm worm, so be on your guard. You can get more details about what the FBI thinks is in store for the rest of this week.

Don't fall for it. By using the tactics discussed in Security Mike's Guide you are reasonably protected, but there is nothing that substitutes for good old common sense.

I'm sure you have plenty of secret admirers, hopefully they'll send you flowers. Email solicitations to click on links, you don't need. If it seems too good to be true, it is. If it's a love note from someone that doesn't love you, don't open it.

The best way to protect yourself online is constant vigilance. Expect the worst from folks on the Internet, they rarely let you down.

Cupid image originally uploaded by Shoeless Joe/64.

Friday, February 8, 2008

Mike Rothman - The 419

I do get some random stuff in my email, but this one takes the cake. Evidently, someone calling themselves Mike Rothman is running a 419 scam. Here is the message, then we can decompose it to see the typical "tells" that indicate that there is a REALLY high likelihood the message is bogus.

To: mike_rothman@XXXXXX
Subject: RE: Att.
Date: Thu, 7 Feb 2008 22:36:52 +0100

Dear mr Rothman,

I do not know you either, so I will send you some pictures of my estate in Germany, you can look at it at google earth from above. Sended you the adress before.



My age is 50, married with a German Lady, having two Sons.

Further, I 'am not interested in the company you are working for, only how to get the money to Germany. BUSINESS ! ! !

Now it's your turn.



From: mike_rothman@XXXXXX
Subject: Att.
Date: Thu, 7 Feb 2008 21:25:38 +0100

I received your quick response to my proposal. To formally introduce my self to you, I am an old top banker and have worked with Scottish Investment Trust for so many as one of their fund manager. I am an international staff, presently in Scotland office.
Scottish Investment Company is registered in Scotland number 1651. I started work with SIT 2004 and I am responsible for the European Jurisdiction Equity. I was with Abbey National Asset mangers before I moved to SIT, and a member of CFA institute.
I graduated from University of Dundee and Edinburgh where I got my BSc and MBA in civil engineering respectively.
First, I believe it is necessary for me to express my profound gratitude to you for even responding to my email with interest. I am obliged to you for your gracious concern and I hope your assistance is really genuine, although through your email I would know if I could count on you at least to an extent.
I sincerely, appreciate your interest to assist me in this project. I need a reliable foreigner who would be of assistance to me in order to have the funds transferred.
However, I would like to be convinced of your willingness, commitment and most of all your trustworthiness to execute this deal with me. I certainly cannot compromise any of these virtues, you know what I mean, and I have my principles.
Without doubt, you will eventually earn the benefits or our partnership if we are able to work things out and have the funds relocated within couple of weeks or thereabout and thereafter disbursed to your other respective accounts.
Indeed, it is necessary for me to be certain of the person to whom I will be entrusting this deal, my trust will definitely not be given out lightly, I need to be fully convinced that you are a matured person with some integrity, we should at least have respect for each other, this I would say is very essential.

Scottish Investment Trust (SIT) was founded in 1887; The Scottish Investment Trust (SIT) today is one of the world’s oldest and largest independent, self-managed investment trusts with assets of over £45 billion at 30 September 2007.
We have been working to provide solid returns for investors for over 115 years - through a number of bull and bear markets and the most volatile conditions. Our approach has generated real long term growth in both capital and income.
When you invest in SIT you are buying shares in a company that invests in the stocks and shares of companies on the world's major stockmarkets. Your investment has the potential to grow both through incomes from dividends and through capital growth from increases in share price.
SIT has a diversified equity portfolio and invests in a broad spread of international equities. Although there is always an element of risk involved in any stockmarket investment, we aim to lower this by spreading investment over numerous companies and sectors around the world, while actively searching for opportunities to benefit our investors and maximise returns.
We aim to provide steady growth in both capital and income, whilst prudently spreading investment risk. We consider these to be the key requirements for anyone seeking a solid core holding for their investment planning.

However, in my First Email Proposal to you, I stated that the said funds came out as a result of the following:
""I handle all our Investor's Direct Capital Funds and secretly extract 1.3% Excess Maximum Return Capital Profit (EMRCP) per annum on each of the Investor's Magellan Capital Funds.
As an expert, I have made over £27.4m from the Investor's EMRCP and hereby looking
for someone to trust who will stand as an Investor to receive the funds as Annual Investment Proceeds from Scottish Magellan Capital Funds.

EXPLANATION: I have more than 158 Corporate Investors attached to my PORTFOLIO who’s Capital Investment Funds are been managed and administered by me alone.
This Capital Investment Funds has a value of US$5.4Billion FIXED. The $5.4billion is been used for trading in Stock Market, Crude Oil and Lending with Profit Returns.
Every Year, each Corporate Investor is expected to receive 20% interest from his total Investment Capital Funds which is paid to the Investor annually as their Excess Maximum Return Capital Profit (EMRCP). However, I made average of 21.3% from the Investor's Investment Capital Funds annually, which have exceeded our targeted 20% of Total Investment Capital Funds. On this note, I retained the extra 1.3% from the 21.3% as my personal profits for managing the Capital Investment which is this £27.4m. On the other hands, I cannot claim this funds without presenting someone to stand as an Investor otherwise our Establishment will convert the funds into the Company's Treasury. This is why I came to you for the deal to take place.
DURATION: If you are very serious as I am, we will have this transaction concluded with 25 Banking days from the date of start.
However, for such a business of lofty magnitude, I think the most important thing is for us to build a strong association between each other so that I can be able to trust you because I have been betrayed by so many people even by my co workers that I have now decided to play my cards very close to my chest. I will like this deal to be secret and confidential. No third party. Just between you and me. Do not discuss it with any Scottish Investment staff to avoid jeopardizing my work and position.

Before we go into this deal, I will like to know about you.
Following this mail, send me your telephone number so I can call you to discuss on the modalities of the transaction. You may as well call me on my number +4XXXX so that we can discuss on the modalities of the transaction.
Mike Rothman

From: XXXX
To: mike_rothman@XXXXX
Date: Thu, 7 Feb 2008 13:09:36 +0100

Dear mr. Rothman,

I'am a businessman, Dutch, living and working in Germany have several companies.

off course I'am interested for the 30%.

When this is phishing I'am not interested and can you better try to find someone else.
I will not pay any money for taxes, transport, lawyers, barristers or others.


To be clear, I haven't called the numbers to truly verify it's a phishing scheme. Who has time for that? But this message would have been on the express train to the circular bin for a couple of reasons:
  1. The complicated story - The scammer uses a fairly complicated story, which would really require an investment professional to figure out whether it's kosher or not. But all that complicated vernacular contributes to building a credible front in the form of the Scottish Investment Trust, which is a global and well known investment house.

  2. The request for "confidentiality" - The fact that this guy is claiming that he's got some additional funds because he "out-performed" sound like a hoax to me. Also the fact that he's requested confidentiality, even from other SIT personnel means this is a ruse.

  3. The fact that he needs a "foreigner" to place the money - Again, this just sounds funky. If he outperformed the expectation, I'm sure he'd be due a nice bonus from SIT. Not an illicit $35 million dollar payout that he needs to get out of the country.

  4. Other inconsistencies - You can't see the domain (I removed it), but it's a public email service in Australia. Yet the phone number he provided (I removed that also) is in the UK. These are inconsistencies that you need to catch.
But most of all USE YOUR HEAD. Seriously. Even if you play the lottery, you need to take action to buy the ticket. Beware of strangers offering gifts in the millions of dollars. If it sounds too good to be true, it pretty much is.

Instead the victim shared information about his life and family. He attached pictures of his house and put in addresses and phone numbers (which I removed to protect the idiotic). It's just ridiculous.

As Barnum said, there is a sucker born every minute. Don't you be one of them.

Photo credit: