Posted tagged ‘Security’

Chrome/IE security flaw

April 28, 2009

Kaspersky Labs journalist Ryan Maraine writes up the new security problem when running IE + Google Chrome.

http://blogs.zdnet.com/security/?p=3224&tag=nl.e019

I was particularly interested in this since I run Chrome as my default browser and IE6 as a secondary.  I mainly use IE for online banking (since it doesn’t play well with Chrome) and my time card at work.  However, if you’re surfing with IE while Chrome is installed, you need to read this article.  I will copy over what Ryan said:
 

The skinny:

  • If a user has Google Chrome installed, visiting an attacker-controlled web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker’s choice.

The “high severity” vulnerability affects Google Chrome versions 1.0.154.55 and earlier.

So class, what is rule #1 for making sure a system is secure?  That’s right.  Keep your A/V (you do have A/V, right?), OS, and other software fully patched.  I’m typing this in Chrome v. 1.0.154.59.  So I’m (hopefully) all set, as I’m 4 builds ahead of the vulnerability.  Keep it up to date.  You can check your version by clicking on the “wrench” icon in the upper right hand corner of Chrome and clicking “About Google Chrome.”

Here’s another snide sort of comment Ryan included:
 

“It is important to note that the way Internet Explorer processes URL protocol handlers is a known Achilles’ heel and has been widely used previously to attack other various applications,” [Roi Saltzman at IBM] said.  Proof-of-concept code for this issue is publicly available.
Microsoft maintains the problems are not related to vulnerabilities in its code.
Of course.

CanSecWest provides security lessons

March 19, 2009

Interesting to see some of the results of CanSecWest.  Within “seconds” Safari/MacBook fell, and the others were soon to follow.  The  Safari attack was, of course, planned beforehand to execute flawlessly.

I have heard it said that ‘obscurity does not equal security.’  There are two sides to that.  One (obivously) is that you can’t assume you’re secure simply because you’re obscure.  But the flip side of that is this: while no system is truly secure, many systems are ignored by ‘street security analysts’ (in part) due to a low ROI.

So what’s the point?  I think part of the point is that every system can be exploited – even ones that aren’t market giants.  And while this is true, most security/obscurity concepts are very basic.  So be safe out there.  Here’s a brief list for starters (add more in the comments, readers!)

– Keep A/V software installed and updated (especially on a Windows system).  Use only one A/V system.  Geeks disagree as to the best A/V program, but I personally recommend Kaspersky or AVG.  If you need a free system, try AVG or Avast!, but Kaspersky is worth the money.

– Don’t use cracked software.  I’m not saying I think it’s ethical to exploit users by overcharging them for a piece of software (nor will I say that it’s ethical to pay nothing for the same software).  I’m just saying that many people who are willing to exploit a major software company by cracking their software are also willing to exploit you.  There are plenty of totally legal and reputable downloads out there (Linux distros, freeware, music released under the Creative Commons License, etc).  But be prepared to suffer if you download the shady stuff.

– Secure your wireless network (that one’s for my neighbors).  It’s not really that hard.  Or pay me $50 to do it for you.  It’s worth it.

– Keep all your software patched.  This is basic stuff, but it’s important.

– Stay off of questionable Web sites.  Think before you click.

– Don’t click links in dubious emails that read like they were written by a fourth grader.  Don’t even bother responding to them.  If you need to get to an important Web site, make sure you know what the official URL is, and use only that URL.  Don’t be afraid to contact a company directly to verify the authenticity of any communication you receive which claims to be from them.

– Remember that your bank/credit card lender/PayPal/MySpace won’t ever ask for any kind of account information, including your PIN, SSN, or password via email.  Along that line, most businesses which require you to have an important financial account will almost always contact you via regular mail if your account status is in jeopardy.  If you receive an email stating that your account is in bad standing or requires an update to your information, DON’T use the contact information in the email.  Contact the company, but use contact information you KNOW is good (like through their official website or literature), and ask about the email.  99% of the time, they are false, but know how to contact the company in the other 1% of instances.

– Just maybe, consider one of the less pervasive OSes out there.  Ubuntu is a good one for former Windows users, and it runs pretty well on the x86 (Pentium-type computer – your typical PC).  Mark and I have both posted (he more than I) about how relatively simple Ubuntu is to install and run, even as a second operating system.  Look through the archives for some of those posts about Wubi and the like.

Something else you might consider is running Ubuntu as a second OS to use mainly when you’re on the Web, especially if you do financial transactions on the Web.  Many of the exploits out there are based on drive-by downloads (as in the ones used in CanSecWest), and you’re less likely to be exploited on the Web if you’re running Linux/Firefox.  Not necessarily less ABLE to be exploited, just less likely.  Because even though obscurity doesn’t equal security, obscurity does equal … well, obscurity – you aren’t an easy target if you’re obscure.  Sounds lame, but it’s true.

Data destruction (with DBAN)

December 9, 2008

Recent legislation has caused the American healthcare industry to change the way it handles information.  This has radiated into the IT realm in a variety of ways – network security, physical (facility) security, background checks, et cetera.  In my particular job role, I am responsible to make sure that our data never leaves our property.  Or more specifically, that our property never leaves the facility with data on it.  In other words, I clean computers prior to disposal. 

There are a variety of methods of destroying data, both digital and physical.  My personal favorite would be heating the hard drive platters past the Curie point (the point at which the metal is no longer capable of maintaining a magnetic charge).  However, your average IT facility does not have the means to make this happen.  Another method is degaussing – to oversimplify, degaussing is magnetizing the entire disk, causing all the bits to flip the same direction and erasing all data.  Encryption can also be used – not to destroy the data, but to make it effectively inaccessible.

These are proven methods which are indeed used, but they do have drawbacks – they can be expensive and can require special equipment.  Most often, they are services performed by third parties (with the exception of encryption).

Our company used to sell our old hardware to a vendor, who would certify the data destruction and then resell the equipment.  This is a handy solution, but due to our office’s remote location and some other recent changes, we are now wiping the disks ourselves with one of the most common methods – the software wipe.

Software wiping is most often done using a boot CD.  I use a Linux-based tool called DBAN (Darik’s Boot And Nuke), which I will talk more about later.

Even within the field of software-based data destruction, there are a variety of methods and algorithms, some (such as the Gutmann wipe) taking a very long time, but considered very secure.  Many people have strong opinions on this issue.  Our company currently requires at least the US Department of Defense (DoD) 3-pass method.  The method writes 3 passes of random data over the entire drive.

For this kind of wipe, I recommend DBAN, as mentioned earlier.  DBAN allows for unattended wiping of all drives on a system (or the drives of your choice), and it has proven very easy to use when used on physically healthy disks.  For damaged disks, you may be better off sending it to a data destruction company, in my opinion.

DBAN supports a variety of the standard methods, including Gutmann, DoD (3-pass or 7-pass), and others.  The standard DBAN is open source software and is distributed free of charge.  There is an enterprise version available which supports wiping over a network and wiping of multiple computers simultaneously.  Both versions, since they run from CD, are platform independent.  DBAN will wipe IDE, SATA, and SCSI drives.

Is Microsoft arrogant or is Vista really more secure?

November 3, 2008

So Microsoft’s Security Intelligence Report is on the streets.  And out comes their newest interesting claim – third party applications are killing Vista’s security.  My first thought is that this should make the list of the top 10 (or maybe 100) most arrogant thing I have ever heard MS say.  Then I thought more about it, and realized that it may carry some weight.

Ninety-six percent of the attacks compromising Vista machines come through non-MS plugins and browser mods such as toolbars (why anyone would want a commercial toolbar, I don’t know – it’s one of the great computing mysteries to me).  Only 6% come directly to the OS or other MS software (such as IE).  This is a serious change from XP, on which some 42% of attacks target Microsoft products.

I personally think that the Vista security revamp was a good thing.  And I can’t pretend to understand all the factors that go into why attackers aren’t attacking MS software.  But it’s food for thought.

Just a reminder – watch what you download.  Learn how to properly uninstall software if you don’t know how.  If you only use that Super Web Search toolbar once each year, uninstall it.  Take any trial software off the computer after you’re done using it.  And make sure you’re running good antivirus software (Kaspersky is the one I would recommend at this point). 

Thanks to ZDNet for bringing this interesting information to attention.

Vista UAC “designed to annoy users” per Microsoft manager

April 15, 2008

This is ridiculous.  We all knew that Vista had problems.  I made the mistake of buying it for my latest build and have regretted it numerous times.  And one of the most – well, annoying – features of Vista is UAC (User Account Control).  And now we know why they did it.

According to News.com, Microsoft group program manager David Cross admitted at a recent conference that “the reason we put UAC into the [Vista] platform was to annoy users – I’m serious.”  Somehow they felt that annoying users would cause independent software vendors to write more “secure” code so that it would not trip the UAC prompts.

The second annoyance is that he states some rather slanted statistical information.  He states that:

  • users don’t blindly accept prompts, according to their information
  • only 12% of users actually disable UAC

OK, here’s my rant about this.  MS only bases this on OPT-IN information.  That means that if you’re smart enough to not opt in (I NEVER opt in – if they want post-production beta testers, they should give them the software free!) then you aren’t telling them that you turned all their garbage off.  And to be honest, it’s probably the folks who know better than to opt in that also know to turn UAC off.  Not to mention that his statistics don’t tell us anything, because we don’t know how many people opted out!  I’m one of the ‘didn’t opt in’ users, and I will tell you this: I blindly accept prompts, and as soon as I figured otu how to turn off UAC, I did.  Take that, Mr. Biased Statistics.  I bet there’s fifty thousand more just like me.

OK, rant is over.  Really, I don’t think it’s just UAC that annoys us – it’s Microsoft.  This was in keeping with their track record.  But then again, if we all used Ubuntu, I wouldn’t have a job.  So thanks for being annoying, and thanks for finally admitting it.  But really – don’t use partial stats to try to prove something.  That’s worse than just annoying.

I got the tip on to this article from TechRepublic.