Wednesday, October 10, 2007

Should you trust automatic updates?

Jaikumar Vijayan asks an interesting question in this ComputerWorld column: Should you trust Microsoft (or anyone else) to patch for you? Should you be implementing an automatic patching strategy?

It gets back to a risk analysis. Are you more at risk by not patching (or patching when you get around to it) or taking the risk that a vendor would do a faulty update that will break something?

I can only rely on the data, especially for consumers and the vendors do a pretty good job. I can count on the fingers of one hand the number of times that a patch has been busted and needed to be fixed. I know there are millions of computers that get compromised because they are not patched.

Ultimately it gets back to what you are willing to do. If you are willing to analyze the patches and are disciplined about applying the updates, then I don't have a problem with you doing so. But if you aren't going to be religious about it, then turn on the automatic updates.

Jaikumar knows more than pretty much all the consumers out there. So he doesn't need to trust the vendor. You probably do.

Photo credit: Trust, originally uploaded by thorinside

It's Exploit Wednesday - Are you patched?

As described on Monday, Microsoft issued their monthly set of patches yesterday. There were 6 in all (as opposed to the 7 that they previewed). 4 are critical and have to do with Windows, Office and SharePoint.

Regardless of how Microsoft grades their patches, you should install them as quickly as possible. Once the patch is out there, the bad guys can reverse engineer the attack. That's why I have proclaimed the day after Patch Tuesday to be "Exploit Wednesday" as well start to see these attacks in the wild - as early as today.

So run Microsoft Update on your machine and install the patches. Here is the list of patches you should be applying. If there are no patches listed, then click the link to "check for updates" to make sure you've got the latest patches.

Once it is done, you can check the history to ensure the patches happened successfully.

Tuesday, October 9, 2007

Is Facebook playing lip service or the ostrich game?

I love the NY DA's office. These guys go after big hairy issues. Of course, they generate a ton of press for themselves, but it's all good because they are asking the right kinds of questions.

Per the All things Digital blog, Facebook is now under investigation for not adequately protecting minors. Investigators set up fake profiles and got solicited - and not in a good way. Of course Facebook is showing the right amount of deference and saying they take the issues seriously. Blah blah blah.

The fact remains that no one at Facebook is accountable for this. There doesn't seem to be a high profile security/privacy officer. That's ridiculous. MySpace has one, especially after they booted off 29,000 registered sex offenders. TWENTY NINE THOUSAND.

How many of them opened up shop at Facebook? Greater than zero, I suspect.

This is no time for Facebook to be burying their head in the sand. Zuckerberg has to stop focusing on how much money the company is worth and start assuring parents about the safety of their children. That kind of liability (once the lawsuits start flying) can turn over $10 billion into Napster overnight.

Yes, stopping hackers and making sure your machine isn't turned into a zombie is a critical goal of Security Mike's Guide. But I think the biggest impact I can hope to have is on the kids. They need to grow up fast in today's environment, and their folks need tools to teach them right from wrong.

Photo credit: Ostrich, originally uploaded by Dappers

Friday, October 5, 2007

Security Mike Update: QuickTime 7.2

Per Brian Krebs' great Security Fix blog, Apple has issued a patch to QuickTime for Windows users. If you use iTunes on Windows XP or Vista, that means you. So patch your devices ASAP. Here's how:

  1. Find Apple Software Update in your Programs Menu and click on it.
  2. The following dialog box comes up.

  3. Install it. You'll see in my screen shot that I am on Windows Vista and will need to authenticate as an administrator to perform the update.
  4. You'll see the following screen to confirm that it was installed. Then you need to restart.

  5. You are good to go.
Once Security Mike's Portal goes live on October 15, I'll just be providing these updates to subscribers. So enjoy for now. The best way to make sure you are on top of things is to buy Security Mike's Guide and get the update service free for 6 months.

October Patch Tuesday is coming!

That's right, it's that time of the month. For Patch Tuesday that is. Microsoft's monthly ritual of updating their software to fix bugs and close security holes. As part of Security Mike's Update Service, you'll get an analysis of each month's updates and also a few screen shots to help you ensure the patches were installed correctly.

Since Security Mike's Portal doesn't launch until October 15, I'll post this month's analysis on the Blog and then on Tuesday post the screen shots to confirm your successful update.

This month Microsoft is issuing 7 updates - 4 of them critical. But regardless of how Microsoft grades their updates, you need to get in the habit of making sure the patches are applied as soon as possible.

So look for a more detailed analysis on Tuesday.

Thursday, October 4, 2007

Don't weep for WEP

I'm going to preview Step 1: Securing Your Network tomorrow for those of you that have already purchased Security Mike's Guide. Not to steal my own thunder (or give away the store), but one of the defenses is to encrypt your wireless connection.

But you shouldn't use WEP. Or Wired Wireless Equivalent Privacy, which pretty much has more holes than Swiss Cheese. The folks at Symantec cover a new WEP attack that can break a long WEP key in less than 60 seconds. You may as well not have any security.

WEP was a start, but at this point it's no good and you shouldn't use it. Don't take it from me, listen to world renowned security expert - Bart Simpson.

Online mayhem mirrors offline mayhem

Via Richard Stiennon's Threat Chaos blog, a professor at Rochester Institute of Technology has studied almost 14,000 kids in a "online victimization study" and the answers were reasonably predictable.
No surprises here. In the 7th-8th graders surveyed for instance: 21% have lied online about their age, 10% pretended to be someone else, 7% have circumvented security measures, 5% have used IT devices to cheat on school work.
Richard uses this data point to draw the conclusion that we'll need to spend a lot more resources to control bad behavior in the future because these kids will be in the workforce before we know it.

For some reason, I'm not so pessimistic and I won't be driven by fear. I think that you will have bad behavior in every forum in every region from a SMALL subset of society. If you asked how many kids have lied about their age to try to buy beer: I think a similar percentage would be guilty as charged.

So it 's not all bad, but we can't assume that kids will do the right thing online. Thus we need to teach our kids to defend themselves. Pretty much like we do offline.

Photo Credit: The Grim Reaper Cometh, originally uploaded by Stuck in Customs

Tuesday, October 2, 2007

78% of consumer PCs NOT protected

Boy, I guess I have a lot of work to do. Based on this study by McAfee and the National Cyber Security Alliance, only 22% of PCs have up to date AV, spyware and a properly configured firewall.

What is a "properly configured firewall" anyway? That's why I'm not a big fan of survey. I think for the most part the numbers are trumped up to make whatever case needs to be made.

The reality is that a majority of consumer PCs are not adequately protected. And that's why I'm focusing a lot of my efforts on Security Mike.

It's not that consumers don't want to be protected - it's that they don't know how. Even worse, the vendors aren't really helping. Personally I think AV, spyware and a firewall are NOT sufficient to protect someone from the hazards out there in cyber-space.

So the good news is that there is a huge need for Security Mike's Guide. The bad news is that there is a huge need for Security Mike's Guide.

Teaching how to Phish

I love the profit motive. Even though sometimes it cuts the wrong way. As opposed to just phishing at record volumes, a number of "entrepreneurs" have introduced do it yourself phishing kits. Why give the kid a phish, when you can teach them to phish?

These tools give very unsophisticated attacker a set of templates and tools to launch a phishing attack in minutes, not days or weeks - as in the good old days.

You can learn more by checking out Dancho's post on a new upgrade to a common phishing kit.

What does this mean for you? Basically, the problem is going to get worse before it gets better. Probably a lot worse. There will be more phishing attacks and that means you have to constantly be on your guard.

This is a case where using a Gmail (despite their recent problems) and/or Yahoo! Mail service is a good idea. Both services have top-notch spam fighting for consumers. Your telco or cable company that provides your Internet access - not so much.

To be clear, you also need to be able to detect a phishing attack. Some will still get through your spam filters. Step 8 in Security Mike's Guide to Internet Security gives you lots of tips.

Photo Credit: Money Fish, originally uploaded by Lindsay Bayerstein

Monday, October 1, 2007

GMail users: Check Your Filters

A pretty serious security issue within GMail was disclosed last week. I could explain the details, but odds are you don't care. If you do, check out these posts from Ryan Naraine. Suffice it to say, an attacker could direct you to a website that would inject code into your browser to add a GMail filter to redirect your email.

Right, you want it in English. Basically, if you go to a bad web page, someone could have all of your email forwarded to them. Right, all of it.

What's the risk? What if you have bank account information or have to do a password reset. Or have some other sensitive or private information in email. You wouldn't be alone - Security Mike sure does. But I don't use a webmail system for my most sensitive stuff.

This is where the post normally would stop, since I've told you about the issue and directed you to a few resources to go fix it. But since Security Mike's Portal is not going to be operational until October 15, I'll give you the fully monty.

First of all, you need to make sure your GMail isn't forwarded anywhere else. Hit "Settings" in the upper right hand corner of your screen. Then "Forwarding and POP" under the "Settings" tab. Here is the tab/screenshot to show that.

Click on the image for a larger version

The key here is to have no surprises. If you have set up a forward on your account, that's fine. But an unexpected forward is bad. That's what you are looking for.

Next make sure there are no unknown filters. Again, hit "Settings" in the Upper Right Hand Corner, and then "Filters." You see I have no filters set up, so I'm OK. If you have already set up filters (as you can see I don't use GMail too much), that's fine. You just want to look for strange filters that you HAVE NOT set up. Get rid of those if they are there.

You should be all set. Checking your forwarding and filters is a good thing to do every so often (every day for the next week, then maybe once a week). Remember, if someone owns your email, they pretty much own you.

McAfee joins the upgrade parade

Last week I showed how my Big Yellow friends (that's Symantec, for those of you not familiar with my lingo) were trying to get me to upgrade to the latest version. Not to be outdone, I got the following email from the folks at McAfee last night.

I used McAfee on an old machine that pretty much died about 12 months ago. I didn't have a great experience with McAfee either, so I just let the subscription lapse when it expired.

McAfee uses the fear card as well, which I guess works because these are big companies that sell a lot of software.

The big message I take out of these upgrade/renewal attempts? Basically there is no way you should be paying retail for security software. Even if you decide to go with a big market name (which is OK), by waiting for a day or week you can save 50%.

To be clear, Security Mike's Guide can show you how to protect your systems without paying for security software, but at a minimum please don't pay retail. You are wasting money.