Week of November 22, 2005
Alert
Spammers are sending out spoofed emails from @headfry.com addresses. We are not sending you these emails. They are coming from various evil doers, trying to increase the odds of getting you to open their spamulicious wares. They may also contain a raft of viruses, and other nasty goodies that will make your life hell.
We do not send you email, unless you ask for it. We especially do not EVER ask you for personal data such as passwords (see the 'phishing' section under Tip of the Week), or your PIN number. Be particularly wary of emails with attachments.
Keep your anti-virus and firewall products up to date- you must use the 'update' services, or you will be vulnerable to new attacks as they emerge. Sometimes these products need to update several times a day, just to try to keep pace with the baddies.
Also, if you run Windows, make sure you use the Microsoft Update service on a regular basis to get 'fixes' for problems with Windows, the Office Suite, Internet Explorer, etc. You can sign up to get these updates automatically - they need your permission to do this to avoid breaking various laws. This Microsoft link also takes you to a page where you can download a free anti-spyware product, and get a free virus scan.
This MS page lists the webpages of various vendors that sell anti-virus (AV) products over the Net. Many offer a free trial period. Don't forget to renew them.
MS releases beta of consumer AV product - it's free - for now (US only)
MS has released the promised beta of OneCare, a one-stop security product with anti-virus software and a firewall included. For now it is free to US residents, so if you have a newish computer running XP with Service Pack 2 installed (it includes various security features - you can also download it free from the Windows Update site), give it a whirl and let us know what you think.
It also has a backup service that sounds useful. You can set it up to do backups automatically on a schedule, to an external drive or to a DVD/CD. Very important if you can't afford to lose data.
Why is email spoofing such a pain?
It is very difficult to stop. And it can affect just about anyone, and often does- without their knowing- until emails start to bounce back. The way the Net works, there is no email authentication system built in. As a result, it is very easy to manipulate addresses and 'headers' and send mail from legitimate addresses or fake ones.
There are various efforts underway to try to come up with a solution, but none of them are simple, or particularly elegant, so help is not around the corner.
Meanwhile, only the paranoid survive.
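The spoofing problem described above comes down to the fact that nothing in SMTP ties the From: line to the machine that actually handed the mail in. The following is an added example, not code from the newsletter, showing the two cheap consistency checks a receiving side can still make from the headers: does the From: domain match the envelope sender (Return-Path), and did the first relay that accepted the message belong to that domain? The sample messages, the KNOWN_RELAYS table and all function names are constructed for this illustration; the table stands in for the kind of sender-policy lookup that SPF formalises, which is not implemented here.

```python
"""Added example (not from the newsletter): flag likely spoofed From: headers.

Two heuristics only: From: domain vs envelope sender domain, and the first
accepting relay vs a list of relays known to send for that domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy: which mail hosts are allowed to originate mail for a
# domain. A real deployment would look this up (SPF records, for instance).
KNOWN_RELAYS = {
    "headfry.com": {"mail.headfry.com"},
}


def _domain(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower() if "@" in email_addr else ""


def _first_hop_host(msg):
    """Host named in the earliest 'Received: from ...' line, or ''."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    # Each relay prepends its own Received: line, so the last one in the
    # list is the earliest hop: the machine that first handed the mail in.
    m = re.match(r"\s*from\s+([^\s(]+)", received[-1])
    return m.group(1).lower() if m else ""


def spoof_indicators(raw_message):
    """Return a list of human-readable findings; empty means nothing odd."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    return_dom = _domain(msg.get("Return-Path", ""))
    hop = _first_hop_host(msg)
    findings = []
    if return_dom and from_dom != return_dom:
        findings.append(
            f"envelope sender domain {return_dom!r} != From domain {from_dom!r}")
    allowed = KNOWN_RELAYS.get(from_dom)
    if allowed is not None and hop not in allowed:
        findings.append(
            f"first hop {hop!r} is not a known relay for {from_dom!r}")
    return findings


# Constructed sample: a forged From: at headfry.com, handed in by a dial-up
# host and bouncing to an unrelated domain.
SPOOFED = """Return-Path: <bounce@example.net>
Received: from dsl-198-51-100-7.example.net (dsl-198-51-100-7.example.net [198.51.100.7])
    by mx.example.org with SMTP; Tue, 22 Nov 2005 10:00:00 +0000
From: "Headfry Alerts" <alerts@headfry.com>
To: reader@example.org
Subject: Your account needs verification

Please open the attachment.
"""

# Constructed sample: the same From: domain, but sent through its own relay
# with a matching envelope sender.
GENUINE = """Return-Path: <news@headfry.com>
Received: from mail.headfry.com (mail.headfry.com [192.0.2.10])
    by mx.example.org with ESMTP; Tue, 22 Nov 2005 10:00:00 +0000
From: "Headfry Newsletter" <news@headfry.com>
To: reader@example.org
Subject: Week of November 22, 2005

This week's stories follow.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, spoof_indicators(sample) or "no indicators")
```

Both checks are heuristics: a spammer can forge inner Received: lines, so only the lines added by relays you trust (your own MX and anything upstream of it you control) should be read this way, and a mismatch between From: and Return-Path is normal for mailing lists and some forwarders. That is exactly why the page's point stands: without a policy published by the sending domain, the receiver is guessing.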
Failure is not an option
Read Mary's latest Globe & Mail column about failed IT projects, and why they are costing taxpayers billions. And whether anything can be done about it.
If we all ran our respective businesses and personal finances in such a slipshod manner, we would surely pay dearly for it. Not so, it seems, in government, where ill-considered and unwieldy IT projects continue to take centre stage.
Not to even mention the privacy and security ramifications of these colossal projects.
Huge money is also wasted in the private sector on IT, but at least shareholders, theoretically, have the option to vote with their feet.
No easy way for banks to secure e-banking
A few weeks back, US banking regulators, seemingly abruptly, issued 'a guidance' requiring member banks to adopt tougher methods of authenticating the identity of online banking customers. This development - actually long in the making - got a lot of global press.
We have been covering this angle for a long time - the archives are riddled with stories. However, the spectre of US banking examiners auditing US banks against the new requirements got many folk to sit up and take notice, especially as the deadline to comply is not too far off - year-end 2006.
But will two-factor authentication solve anything, with phishing attacks rife and an upsurge in the use of keyloggers by the bad guys?
In case you haven't followed the debate here previously, read what security guru Bruce Schneier has to say, and a rather predictable response from a vendor who has much to lose if Schneier's argument prevails.
Both make perfectly reasonable arguments as to why tokens and/or smart cards will either help - or not - but the bottom line is that the bad guys have already come up with work-arounds for these not-so-cutting-edge technologies, and have moved on.
Voice ID to the rescue?
Various banks around the world are experimenting with tokens, one-time passwords and smart cards - mainly for commercial clients. In Japan, some are using iris scanners and biometrics at ATMs. In Australia, Bendigo Bank is turning to voice authentication - possibly as an add-on to support a token roll-out.
Some day, voice ID will inevitably come into its own, possibly even as a stand-alone ID measure. Bill Gates is a believer.
But not today.
The Twenty Most Critical Internet Security Vulnerabilities
The well-respected US SANS Institute just released its latest Top 20 Critical Vulnerabilities list. It makes for glum reading. What is particularly noteworthy is how the bad guys have adapted over the past year- constantly refining their ability to seek out and exploit weak links in IT systems.
Backup is safe- surely?
While Windows vulnerabilities continue to plague users, SANS has identified a raft of problems in critical backup software that can be exploited, allowing an attacker to 'obtain access to the sensitive backed-up data'. The software in question includes products from data storage giants such as Symantec/Veritas, Computer Associates, EMC and Sun.
SANS suggests that data should be encrypted 'when stored on backup media', and while in transit across the network, and 'backup media should be securely erased, or physically destroyed at the end of its useful life'.
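The 'securely erased' part of that advice is the one most often done badly: deleting a backup file only drops the directory entry, and the data stays on the platter until something overwrites it. The following is an added example, not code from the newsletter or from SANS, of overwrite-then-delete for a backup file that has reached the end of its life. The file, the overwrite patterns and the function names are all constructed for this illustration. It also shows the caveat that matters in practice: overwriting is only meaningful where a logical write lands on the same physical blocks, so the function reports what it did rather than promising the data is gone.

```python
"""Added example (not from the newsletter): overwrite a retired backup file
in place, then rename and unlink it.

Caveat: on SSDs with wear levelling, and on copy-on-write or journaling
filesystems, the old blocks may survive an in-place overwrite. For such
media, encrypting the backup and destroying the key, or physically
destroying the media, is the reliable route; this routine is for the case
the overwrite can actually reach the data.
"""
import os
import secrets
import tempfile

# Constructed overwrite schedule: one pass of random bytes, then zeros, then ones.
PATTERNS = (None, b"\x00", b"\xff")


def secure_erase(path, chunk_size=64 * 1024):
    """Overwrite `path` with each pattern, then rename and unlink it.

    Refuses symlinks and non-regular files so a planted link cannot redirect
    the overwrite at some other file. Returns a report dict for logging.
    """
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to erase non-regular file: {path!r}")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for pattern in PATTERNS:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(block)
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
        fh.truncate(0)  # do not leave the original length behind in metadata
        fh.flush()
        os.fsync(fh.fileno())
    # Rename to a random name before unlinking so the original file name does
    # not linger in the directory (the same trick the shred utility uses).
    scrubbed = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, scrubbed)
    os.unlink(scrubbed)
    return {"original_size": size, "passes": len(PATTERNS),
            "bytes_overwritten": written}


def make_sample_backup(directory, size=200_000):
    """Constructed stand-in for a backup file: `size` random bytes."""
    path = os.path.join(directory, "customer-db-2005-11-22.bak")
    with open(path, "wb") as fh:
        fh.write(secrets.token_bytes(size))
    return path


def demo():
    """Create a sample backup in a temp dir, erase it, return (report, still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_sample_backup(tmp)
        report = secure_erase(path)
        return report, os.path.exists(path)


if __name__ == "__main__":
    report, still_exists = demo()
    print(report, "file still present:", still_exists)
```

The fsync after every pass is deliberate: without it the operating system is free to coalesce the three passes in its cache and write the last one only, and the earlier passes never reach the device.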
What about security products?
If that wasn't bad enough, SANS also identifies flaws in security products used by a large number of end users, including anti-virus and personal firewall software. The flaws potentially affect gateways as well as servers and desktops - very bad news for organisations, as a gateway is, well, just that - a stairway to heaven.
What is horribly frustrating is that many of these flaws are old-school - just garden-variety buffer overflow vulnerabilities. One would rationally expect that dedicated security software vendors would know better - household names such as Symantec, Trend Micro and McAfee. These vulnerabilities are not benign. As SANS points out, they 'can be used to take a complete control of the user's system with limited or no user interaction'.
It also points out - something we have been saying for years, but that the vendors often vigorously deny - that the bad guys can evade AV software and 'bypass anti-virus scanning' completely.
To avoid a single point of failure, SANS recommends the use of 'different anti-virus vendor solutions for gateway and desktop'. If one goes belly up, maybe the other will hold. Not very encouraging.
Festering databases
Database insecurity is also highlighted in the report. It is not unusual for databases to be installed without the knowledge of system administrators - and they may thus sit around unpatched and unloved. A recent raft of disclosures about serious vulnerabilities in Oracle databases underscores the point.
Read the report. If you are a technical person, it makes sobering reading, and provides ample guidance for fixes.
If you are not, it will still be supremely clear that all is not well in cyberspace. And that users cannot, rationally, take the rap for it.
Nasty spammer gets six years
Francis-Macrae's days of flying helicopters and cavorting about in designer duds appear to be at an end. According to the BBC, he has been convicted of threatening to kill, blackmail, threatening to destroy or damage property, concealing criminal property, and fraudulent trading. He defrauded victims of millions of pounds with various scams that centred around 'selling' domain names.
However, he also threatened the police with bombs, bullied and berated those who threatened his lifestyle, or who had the misfortune to cross his path, and generally acted like The Real Jerk.
The BBC stated that 'during the trial, Francis-Macrae defied Judge Nicholas Coleman QC by refusing to reveal where he hid up to £425,000, saying Cambridgeshire Police would "steal" it.'
He will be spending six years as a guest of Her Majesty- where he will have every reason to be paranoid.