Can you hear that? It's a Skype vulnerability.

Those of you out there that really enjoy the free (or low cost) calling afforded by Skype need to be aware of a recent vulnerability found in Skype for Windows. TippingPoint's Zero Day initiative is responsible for the disclosure and pushing Skype to patch the issue. So update your Skype as soon as you can. You want to make sure you have version 3.6.0.216 or later.

For more information, check out Secunia's write-up of the vulnerability.

When typos attack

We all make mistakes. In my case, it's pretty much all through the day. I tend to type pretty fast and let spell checker figure it out. But in the case of browsing the web, these innocent typos may not be so innocent.

According to a recent McAfee study, a new attack vector is called "typo-squatting," which preys upon the folks that make simple typos when browsing. The bad guys register domains that seem like the one you are looking for. Then the fun begins. "These squatter-run sites generate click-through advertising revenues, lure unsuspecting consumers into scams and harvest email addresses to flood users with unwanted email."

Since drive-by Trojans and other nasty web attacks don't need user interaction anymore, it's all the more important to make sure your devices are configured securely. Right, that's Step 2 in Security Mike's Guide. Step 3 focuses on securely configuring your browser.

Over the next week or so, when Step 4 goes live, you'll also learn about a utility that plugs into your browser to show whether a web site is good. None of these methods are totally foolproof, but the more layers of security you have, the more likely you won't get nailed.

A downside to being a Billionaire

I guess the grass isn't always greener on the other side. Even if the other side is you having a couple billion dollars. I dug into the archives for this post by Ed Dickson, which described how NYC Mayor Bloomberg was victimized twice, almost simultaneously, by thieves trying to get at his multi-billion dollar wallet.

Check out Ed's post for the details, but let's take a quick look at what we can learn from these attacks. The first was a pretty standard check counterfeiting attack. Not much you can do about that. If someone gets a copy of your check, with the routing number and account number, then they can produce a likeness that could be accepted by any number of merchants out there.

The banks invest a lot in anti-counterfeiting marks on the checks, but in the end it's up to the merchant and your bank as to whether they will accept the fake. Most of the time they won't, but other times they may. That's why it's so important for you to keep on top of your finances and check your balances daily. Then you'll know if unauthorized charges are showing up. This is discussed in detail in Step 6 of Security Mike's Guide to Internet Security.

The second attack involved the criminal logging into Mr. Mayor's bank account and transferring money to a 3rd party financial institution. How did someone get his login and password? Who knows? It could have been anything. This is another example where staying on top of your account balances would have shown a weird transfer and you could have investigated it.

I'm sure Bloomberg has people to look into this. That's how they found the issues and with a high profile victim like the Mayor, the banks and law enforcement will work hard to bring the perpetrators to justice. It makes for good PR. I'm sure the bank also returned the money right where they found it, and no one but the criminals are any worse for wear.

So I guess the grass is greener after all for the Billionaires out there. If it's not, you certainly can afford a lot of spray paint, sod or whatever else you want to use to make your grass seem greener.

Did you blink? You may have missed Firefox 2.0.0.11

That's right, the fine folks at Mozilla bungled one of the updates associated with 2.0.0.10. I could do some research to figure out what they messed up, but do you really care? Right, I didn't think so.

So just update to the latest version of Firefox and rejoice. Detailed instructions are on the Portal for Security Mike members.

Turn off Autorun - yet another reminder

Tony Bradley makes a great point on the Hack Report site about Autorun. Sure it seems convenient that when you load in a CD, DVD, or USB stick to take some automatic actions. Isn't is great to have the new Springsteen disc start to play once you put it in?

Actually, not so much. If any of that media is malicious, you've got no defense. If you remember back to the original Sony Rootkit issue from a few years back, most folks ended up installing the rootkit because they had Autorun engaged and the software automatically launched when the disc was loaded.

It was my Velvet Revolver disc that infected me. But I'm reasonably technical, so I was able to remove it pretty quickly.

I've already posted about this back in September in Autorun can be hazardous to your health. But I think it's important enough to mention it again.

So do yourself a favor and turn off Autorun. Detailed instructions are in Step 2 of Security Mike's Guide.

Security Mike Update: QuickTime 0day attack

The QuickTime 0day is out there and has gotten a lot of press this week. I've published an Update notification for Security Mike Members. Check out the Portal for instructions on how to deal with the issue. For the most part, the configurations shown in Security Mike's Guide protects against the QT attack, but there are exceptions.

Once again, thinking before you click is a good thing to do.

I'm back

My little flirtation with blogging using the capabilities built into Security Mike's Portal didn't last too long. It turns out Blogger is really a great blogging platform and the stuff built into the Portal sucks. Sucks really bad.

Sorry for the little diversion. If you have subscribed to the Feedburner feed (either through RSS or email) you don't have to do anything. If you do check out the web page, once again set your phaser to stun and point it at Security Mike's Blog.

Firefox 2.0.0.10 Update Posted

Another day, another Security Mike Update. This time Mozilla has updated the Firefox browser to 2.0.0.10 to address a pretty serious URI handling issue.

Step by step instructions are available on the Portal. Once you log in, hit PAGES, then SECURITY MIKE'S UPDATES, then PATCHES and you'll see the Update.

TinyURL could be hazardous to your health

As mentioned in this post by PR aficionado Steve Rubel, the TinyURL service went down briefly, which potentially leaves lots of other services in the lurch.

Personally, I felt no pain because TinyURL was down. That's because I don't use it and I don't think you should either.

Why? Because it allows potential attackers to hide bad URLs. Indulge me for a second, if an attacker wanted to get you to click on a link and browse to a web page with malicious cargo, all they would have to do is send you a spam email with a TinyURL link.

Most people would just click on it and their machine would be compromised. But since you are reading Security Mike's Blog, you aren't most people. Thus, you'll get into the habit of not clicking on any obscured links - like TinyURL provides.

I know the TinyURLs are much prettier. Beauty is only skin deep - remember that.

Apple Mac OS X 10.4.11 Update Posted

As part of Security Mike's update service, subscribers get step-by-step instructions on how to apply the most recent patches from the major OS vendors.

Last week, Apple released a MASSIVE patch which updates the OS X operating system to version 10.4.11.

If you are a Security Mike member and have registered for the Portal, you can get detailed instructions at this link:
https://www.securitymike.com/site.php/spgs/read/apple-osx-update-nov-2007/

If not, you can subscribe at this link:
http://buy.securitymike.com

I've moved to Security Mike's Portal

I'll no longer be posting to this blog. I've moved over to Security Mike's Portal.

If you get the feed via RSS or email, you don't have to change anything.

If you come to the Website, then you'll need to head over to:
https://www.securitymike.com/site.php/blog/read/security_mikes_blog/

See you there!

Should you trust automatic updates?

Jaikumar Vijayan asks an interesting question in this ComputerWorld column: Should you trust Microsoft (or anyone else) to patch for you? Should you be implementing an automatic patching strategy?

It gets back to a risk analysis. Are you more at risk by not patching (or patching when you get around to it) or taking the risk that a vendor would do a faulty update that will break something?

I can only rely on the data, especially for consumers and the vendors do a pretty good job. I can count on the fingers of one hand the number of times that a patch has been busted and needed to be fixed. I know there are millions of computers that get compromised because they are not patched.

Ultimately it gets back to what you are willing to do. If you are willing to analyze the patches and are disciplined about applying the updates, then I don't have a problem with you doing so. But if you aren't going to be religious about it, then turn on the automatic updates.

Jaikumar knows more than pretty much all the consumers out there. So he doesn't need to trust the vendor. You probably do.

Photo credit: Trust, originally uploaded by thorinside

It's Exploit Wednesday - Are you patched?

As described on Monday, Microsoft issued their monthly set of patches yesterday. There were 6 in all (as opposed to the 7 that they previewed). 4 are critical and have to do with Windows, Office and SharePoint.

Regardless of how Microsoft grades their patches, you should install them as quickly as possible. Once the patch is out there, the bad guys can reverse engineer the attack. That's why I have proclaimed the day after Patch Tuesday to be "Exploit Wednesday" as well start to see these attacks in the wild - as early as today.

So run Microsoft Update on your machine and install the patches. Here is the list of patches you should be applying. If there are no patches listed, then click the link to "check for updates" to make sure you've got the latest patches.



Once it is done, you can check the history to ensure the patches happened successfully.

Is Facebook playing lip service or the ostrich game?

I love the NY DA's office. These guys go after big hairy issues. Of course, they generate a ton of press for themselves, but it's all good because they are asking the right kinds of questions.

Per the All things Digital blog, Facebook is now under investigation for not adequately protecting minors. Investigators set up fake profiles and got solicited - and not in a good way. Of course Facebook is showing the right amount of deference and saying they take the issues seriously. Blah blah blah.

The fact remains that no one at Facebook is accountable for this. There doesn't seem to be a high profile security/privacy officer. That's ridiculous. MySpace has one, especially after they booted off 29,000 registered sex offenders. TWENTY NINE THOUSAND.

How many of them opened up shop at Facebook? Greater than zero, I suspect.

This is no time for Facebook to be burying their head in the sand. Zuckerberg has to stop focusing on how much money the company is worth and start assuring parents about the safety of their children. That kind of liability (once the lawsuits start flying) can turn over $10 billion into Napster overnight.

Yes, stopping hackers and making sure your machine isn't turned into a zombie is a critical goal of Security Mike's Guide. But I think the biggest impact I can hope to have is on the kids. They need to grow up fast in today's environment, and their folks need tools to teach them right from wrong.

Photo credit: Ostrich, originally uploaded by Dappers

Security Mike Update: QuickTime 7.2

Per Brian Krebs' great Security Fix blog, Apple has issued a patch to QuickTime for Windows users. If you use iTunes on Windows XP or Vista, that means you. So patch your devices ASAP. Here's how:

1. Find Apple Software Update in your Programs Menu and click on it.
2. The following dialog box comes up.
   
   
3. Install it. You'll see in my screen shot that I am on Windows Vista and will need to authenticate as an administrator to perform the update.
4. You'll see the following screen to confirm that it was installed. Then you need to restart.
   
   
   
5. You are good to go.

Once Security Mike's Portal goes live on October 15, I'll just be providing these updates to subscribers. So enjoy for now. The best way to make sure you are on top of things is to buy Security Mike's Guide and get the update service free for 6 months.

October Patch Tuesday is coming!

That's right, it's that time of the month. For Patch Tuesday that is. Microsoft's monthly ritual of updating their software to fix bugs and close security holes. As part of Security Mike's Update Service, you'll get an analysis of each month's updates and also a few screen shots to help you ensure the patches were installed correctly.

Since Security Mike's Portal doesn't launch until October 15, I'll post this month's analysis on the Blog and then on Tuesday post the screen shots to confirm your successful update.

This month Microsoft is issuing 7 updates - 4 of them critical. But regardless of how Microsoft grades their updates, you need to get in the habit of making sure the patches are applied as soon as possible.

So look for a more detailed analysis on Tuesday.

Don't weep for WEP

I'm going to preview Step 1: Securing Your Network tomorrow for those of you that have already purchased Security Mike's Guide. Not to steal my own thunder (or give away the store), but one of the defenses is to encrypt your wireless connection.

But you shouldn't use WEP. Or Wired Wireless Equivalent Privacy, which pretty much has more holes than Swiss Cheese. The folks at Symantec cover a new WEP attack that can break a long WEP key in less than 60 seconds. You may as well not have any security.

WEP was a start, but at this point it's no good and you shouldn't use it. Don't take it from me, listen to world renowned security expert - Bart Simpson.

Online mayhem mirrors offline mayhem

Via Richard Stiennon's Threat Chaos blog, a professor at Rochester Institute of Technology has studied almost 14,000 kids in a "online victimization study" and the answers were reasonably predictable.

No surprises here. In the 7th-8th graders surveyed for instance: 21% have lied online about their age, 10% pretended to be someone else, 7% have circumvented security measures, 5% have used IT devices to cheat on school work.

Richard uses this data point to draw the conclusion that we'll need to spend a lot more resources to control bad behavior in the future because these kids will be in the workforce before we know it.

For some reason, I'm not so pessimistic and I won't be driven by fear. I think that you will have bad behavior in every forum in every region from a SMALL subset of society. If you asked how many kids have lied about their age to try to buy beer: I think a similar percentage would be guilty as charged.

So it 's not all bad, but we can't assume that kids will do the right thing online. Thus we need to teach our kids to defend themselves. Pretty much like we do offline.

Photo Credit: The Grim Reaper Cometh, originally uploaded by Stuck in Customs

78% of consumer PCs NOT protected

Boy, I guess I have a lot of work to do. Based on this study by McAfee and the National Cyber Security Alliance, only 22% of PCs have up to date AV, spyware and a properly configured firewall.

What is a "properly configured firewall" anyway? That's why I'm not a big fan of survey. I think for the most part the numbers are trumped up to make whatever case needs to be made.

The reality is that a majority of consumer PCs are not adequately protected. And that's why I'm focusing a lot of my efforts on Security Mike.

It's not that consumers don't want to be protected - it's that they don't know how. Even worse, the vendors aren't really helping. Personally I think AV, spyware and a firewall are NOT sufficient to protect someone from the hazards out there in cyber-space.

So the good news is that there is a huge need for Security Mike's Guide. The bad news is that there is a huge need for Security Mike's Guide.

Teaching how to Phish

I love the profit motive. Even though sometimes it cuts the wrong way. As opposed to just phishing at record volumes, a number of "entrepreneurs" have introduced do it yourself phishing kits. Why give the kid a phish, when you can teach them to phish?

These tools give very unsophisticated attacker a set of templates and tools to launch a phishing attack in minutes, not days or weeks - as in the good old days.

You can learn more by checking out Dancho's post on a new upgrade to a common phishing kit.

What does this mean for you? Basically, the problem is going to get worse before it gets better. Probably a lot worse. There will be more phishing attacks and that means you have to constantly be on your guard.

This is a case where using a Gmail (despite their recent problems) and/or Yahoo! Mail service is a good idea. Both services have top-notch spam fighting for consumers. Your telco or cable company that provides your Internet access - not so much.

To be clear, you also need to be able to detect a phishing attack. Some will still get through your spam filters. Step 8 in Security Mike's Guide to Internet Security gives you lots of tips.

Photo Credit: Money Fish, originally uploaded by Lindsay Bayerstein

GMail users: Check Your Filters

A pretty serious security issue within GMail was disclosed last week. I could explain the details, but odds are you don't care. If you do, check out these posts from Ryan Naraine. Suffice it to say, an attacker could direct you to a website that would inject code into your browser to add a GMail filter to redirect your email.

Right, you want it in English. Basically, if you go to a bad web page, someone could have all of your email forwarded to them. Right, all of it.

What's the risk? What if you have bank account information or have to do a password reset. Or have some other sensitive or private information in email. You wouldn't be alone - Security Mike sure does. But I don't use a webmail system for my most sensitive stuff.

This is where the post normally would stop, since I've told you about the issue and directed you to a few resources to go fix it. But since Security Mike's Portal is not going to be operational until October 15, I'll give you the fully monty.

First of all, you need to make sure your GMail isn't forwarded anywhere else. Hit "Settings" in the upper right hand corner of your screen. Then "Forwarding and POP" under the "Settings" tab. Here is the tab/screenshot to show that.

Click on the image for a larger version

The key here is to have no surprises. If you have set up a forward on your account, that's fine. But an unexpected forward is bad. That's what you are looking for.

Next make sure there are no unknown filters. Again, hit "Settings" in the Upper Right Hand Corner, and then "Filters." You see I have no filters set up, so I'm OK. If you have already set up filters (as you can see I don't use GMail too much), that's fine. You just want to look for strange filters that you HAVE NOT set up. Get rid of those if they are there.



You should be all set. Checking your forwarding and filters is a good thing to do every so often (every day for the next week, then maybe once a week). Remember, if someone owns your email, they pretty much own you.

McAfee joins the upgrade parade

Last week I showed how my Big Yellow friends (that's Symantec, for those of you not familiar with my lingo) were trying to get me to upgrade to the latest version. Not to be outdone, I got the following email from the folks at McAfee last night.

I used McAfee on an old machine that pretty much died about 12 months ago. I didn't have a great experience with McAfee either, so I just let the subscription lapse when it expired.


McAfee uses the fear card as well, which I guess works because these are big companies that sell a lot of software.

The big message I take out of these upgrade/renewal attempts? Basically there is no way you should be paying retail for security software. Even if you decide to go with a big market name (which is OK), by waiting for a day or week you can save 50%.

To be clear, Security Mike's Guide can show you how to protect your systems without paying for security software, but at a minimum please don't pay retail. You are wasting money.

Chicken Little in the house

In this morning's post, I said Symantec wasn't using alarmist marketing to try to get me to pay for the Norton free trial that came on my machine. I was wrong. As I logged into my machine tonight I found this nice little warning from my Big Yellow friends.


I guess I won't be protected against new viruses, spyware and other security risks. They should have given me a third option. Renew NEVER.

Good news for folks that have purchased Security Mike's Guide. The screenshots for the uninstall Symantec bonus will be done within the next 7 days, since I'll be uninstalling.

Oh Nooooooooo! Norton is about to expire...

I got a fine email from my friends at Symantec last night. It seems the 60 day trial I got on my new computer is about to expire. They're being kind enough to give me a $20 discount. How nice of them.

But what happens if I decide not to pay? Will my machine self-destruct in 60 seconds? Will I all of a sudden be easy pickings for the bad guys?

In the immortal words of Mr. Bill: "Oh Nooooooooooooo!"

To their credit, the message wasn't alarmist. They could have done the typical chicken little marketing approach of telling you the world will end. Of course, it won't.


Now I figure about 50% of the folks out there will just click the link - pay the money and go about their day. Maybe it's 40%, maybe it's 60%. I'm just estimating here. That's why Symantec and McAfee pay so much to the computer makers to pre-load their stuff onto new PC. You call it crapware, but it's really a license to print money.

What about the folks that don't buy it? What happens to them? One group will delete the message and think they are still protected. But they aren't. If the security software isn't updated, then it can't catch the latest attacks. Not too useful. Those folks are blissfully unaware of what is out there.

And the third group, which unfortunately is a small minority, will uninstall Symantec and use some good configuration practices, a layered security defense, and some free utilities to save the $50 and be just as secure. You can be one of that small minority. Security Mike can show you how. Check it out.

Apathy is not the answer

I read a lot of stuff every day. It helps keep me on top of the industry and in a better position to advise my customers on what is happening now and what they have to do to defend against it.

Sometimes I read stuff that makes my blood boil because some folks don't understand that the world is bigger than just their microcosm of society. Check out this post on vitalsecurity.org if you want to see apathy at work.

This fine fellow (can you detect the sarcasm?) has decided not to use any kind of security protection because it's just easier to reinstall the operating system and start over. Paperghost (vitalsecurity.org's author) does a good job of discussing why this is a bad idea.

And to be clear, it is a bad idea. The bad guys can use your machine as a spambot. Or they could break into the applications you have running and also steal information from your web browsing sessions (like to your bank or brokerage). It's always bad when someone else has control over your computer. ALWAYS.

The real issue I have is that protecting your information just isn't that hard. It really isn't. Just follow Security Mike's 10 step program and you will be better off than pretty much everyone out there. Even better, you won't have to spend any money on these security tools - I point you towards free ones that work as good, if not better, than those you pay $50-80 a year for.

Check it out at Security Mike's web site.

Image courtesy of Despair, Inc.

Autorun is hazardous to your health

Steve Riley of Microsoft has a good post here on why you should turn off Autorun, which is the function for the computer to take automatic action if you insert a DVD or CD.


Why is this a bad thing? Basically if a bad guy (or gal) installs a virus on the CD, your machine will run it automatically - thus compromising your machine.

Steve provides some instructions to turn it off in Windows (XP and Vista). Not to steal my own thunder, but this is one of the simple configuration changes I'll be instructing you to make on your own machines (both Windows and Mac). This is in Step 2 of the Security Mike Guide.

Just in case you aren't sold, some of you may remember a few years back when Sony got into big trouble for installing a "rootkit" as part of their digital rights management on some audio CDs. Once you popped the CD in, your machine was compromised and it took a few steps (including tuning the registry) to clean it up. I fell for that once myself.

Turn off Autorun. Do it right now.

Smarten up about Phishing

This NetworkWorld article wonders if we will ever learn about Phishing? They are having a conference in a few weeks on that very topic. You won't be attending, so I'll tell you what is likely to be discussed.

1. A small minority of the Phishers out there are good. So your job is to make sure you don't get taken by the bad guys.
   
   
2. There are attacks coming from everywhere. Even online games. So you have to be careful and always have your guard up. It'll keep you alive.

One thing that is unlikely to be discussed is what to do if/when you do get compromised. There are few (if any) technical defenses to a well-executed Phishing attack. You should be in the habit of monitoring your financial accounts at least daily to REACT FASTER if your information is stolen.

The numbers indicate it will happen to you, so you better be ready. Remember, Security Mike's Guide will teach you the basics of how to detect a Phishing email in Step 7.

Picture source: http://www.flickr.com/photos/ezioman/456991202/

Breach Alert: Ameritrade 6.3 million customers compromised

Another day, another data breach - or so it seems. As part of Security Mike's role to educate the broader consumer audience on how to protect your identity, I'll refer to these data breaches and use the opportunity to reinforce many of the key messages in Security Mike's Guide.

If you want more details, check out Ed Dickson's post on the Ameritrade breach. Ed does a good job covering lots of identity related topics, so I'd recommend you reading his blog as well.

Let's break up the discussion into two main thoughts:

1. You are an Ameritrade customer - If you are one of the lucky 6.3 million, then I suggest you get on the horn with them ASAP and find out what they are doing to protect your identity. Are they issuing new account numbers? Are they going to pay for a credit monitoring service? Poke them in the eye a bit (they did lose your information, after all) and see what you can get. Also make sure you get more aggressive about your fraud alert and monitoring your accounts.
   
   
2. You are not an Ameritrade customer - Rejoice. It wasn't you this time. But soon enough it probably will be. No one is lucky indefinitely. Not even Security Mike. Take this time to revisit your identity protection measures and ensure they are up to snuff.

This brings up a pretty important point: In many cases, Identity Theft is NOT your fault. Ameritrade's customers had no involvement in this issue. Besides having the good fortune to have an account with them. So it's not enough to just take care of your own stuff, you need to also be ready to respond when your information is compromised.

An even sorrier state of affairs is that this breach probably happened years ago. Which is why CONSTANT VIGILANCE is critical when protecting your identity.

If you don't know where to start, do yourself a favor and get Security Mike's Special Report: 6 Easy Steps to Protect Your Identity. It's only available on Security Mike's Web Site.

Security Mike's Presale

I'm really excited to be announcing Security Mike's Guide to Internet Security. It's a 10-Step process broken up into 3 sections to help consumers protect themselves and their kids from hackers, identity thieves, and other online mayhem.

The product will be delivered via Security Mike's Portal, which will go live on October 15. I am taking pre-sale orders until then and offering a $10 discount, as well as a few bonuses to give you an incentive to jump on now.

You will be able to get the Guide for $27 until October 15. When the Portal launches the price is going up to $37.

If you want to find out more about the program, register on Security Mike's web site and you'll get the Special Report: 6 Easy Steps to Protect Your Identity. This is Step 6 in Security Mike's process and you can get it for free. These are things that EVERYONE should be doing, so register and download the document today.

I also mentioned a couple of bonuses. The first is a little guide on "How to Uninstall Symantec and McAfee (without killing your machine)." Since a hallmark of Security Mike's approach is that consumers don't need to pay for security software anymore, you'll want to get rid of those heavy "suites" that slow down your machine and lighten your wallet. This report shows you how to do that.

The second bonus is "How to talk to your kids about Internet Security." These are pretty hard discussions to have, but it's absolutely critical that you address the issues. This special report will provide some ideas and tactics for you to do just that, in Security Mike's no-nonsense way.

Remember, the pre-sale period ends on October 15. So don't delay. You can save some money and get the bonuses.

Hello World

Welcome to Security Mike's Blog. I'm glad you are here.

You see, Internet Security is a very dynamic business, and it requires constant vigilance. One of the reasons that I wrote Security Mike's Guide to Internet Security is that most people don't know how to even start securing their online environment. They certainly don't know how to stay on top of the new attacks.

So on this blog I will be providing tips, tutorials, and updates on how you can avoid being a victim of the attack de jour. I won't be providing as much detail as I do in Security Mike's Guide or on the Portal, but you'll at least know there is something you need to look into.

There are so many reasons I wrote Security Mike's Guide that I don't know where to start. So I won't. I'll be announcing the product in a bunch of different venues over the next few days. So I'll be linking to those posts, which will give you a better feel for what I'm trying to accomplish with the Guide and who it's meant for (and who it's not meant for as well).