Recently in Security Category

So, one of the big attack modes in computer security these days is "phishing". Phishing is when someone induces a victim to disclose a username & password (or other important identity information) using something that appears to be a valid website. For example, someone might set up a fake Bank of America website, then email that link to thousands of people asking them to log in and confirm their account. Even if only 1% of the recipients fall for the trick, the attacker gets access to hundreds or thousands of bank accounts.

One of the most important countermeasures to this attack is user education. Organizations have spent lots of money trying to educate users that they should never disclose their password to another site. Things as simple as never opening links from an email and verifying the "SSL Lock" icon on your browser are cornerstones of this process. But more importantly, users should never give their password to a site with the wrong URL. In our example above, if the link in the email goes to http://bankofamerica.com@geocities.com/~spammer/fake_login.html, the goal of user education is to get the user to stop and say "Hey, that doesn't look right...." In fact, social media pioneer MySpace spent a lot of time and effort combating these exact types of attacks through user education efforts on their login screens and banners.
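The URL above works because everything before the "@" in the authority is userinfo, not the host, so the browser connects to geocities.com while the eye reads bankofamerica.com. The following Python is an added example, not code from the original post: it pulls out the host a browser would really contact, flags the userinfo trick, and checks the host against the expected domain on a label boundary rather than with a naive suffix test. The three extra links are constructed for comparison.

```python
# Added example (not from the original post): show which host a link really
# points at, and check it against the domain the user thinks they are visiting.
from urllib.parse import urlsplit

# First entry is the phishing URL quoted in the post; the rest are constructed.
SAMPLE_LINKS = [
    "http://bankofamerica.com@geocities.com/~spammer/fake_login.html",  # from the post
    "https://www.bankofamerica.com/login",                             # constructed: legitimate shape
    "https://bankofamerica.com.example.net/login",                     # constructed: look-alike subdomain
    "https://notbankofamerica.com/login",                              # constructed: suffix trap
]


def effective_host(url: str) -> str:
    """Return the host the browser will actually contact.

    Anything before '@' in the authority is userinfo, so
    'bankofamerica.com@geocities.com' resolves to geocities.com.
    """
    return (urlsplit(url).hostname or "").lower()


def has_userinfo(url: str) -> bool:
    """True when the link carries a 'user@' prefix in its authority."""
    return urlsplit(url).username is not None


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """Label-boundary match: host is expected_domain or a subdomain of it.

    A plain str.endswith("bankofamerica.com") would wrongly accept
    'notbankofamerica.com'; requiring the leading dot avoids that.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def assess(url: str, expected_domain: str) -> dict:
    """Summarise why a link does or does not belong to expected_domain."""
    host = effective_host(url)
    return {
        "url": url,
        "effective_host": host,
        "userinfo_trick": has_userinfo(url),
        "matches_expected": host_belongs_to(host, expected_domain),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess(link, "bankofamerica.com")
        verdict = "OK" if r["matches_expected"] and not r["userinfo_trick"] else "SUSPICIOUS"
        print(f"{verdict:10} host={r['effective_host']:32} userinfo={r['userinfo_trick']!s:5} {link}")
```

Only the second sample passes; the first fails because the real host is geocities.com, the third because the expected domain sits in the middle of the name, and the fourth because the match is on a whole label rather than a trailing substring.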

That brings us to Twitter. There appears to be a whole universe of Twitter-related tools and websites that ask you to use your Twitter username and password to access their services. This is a bad idea! First, in the specific instance, we are building up a huge body of websites with access to our Twitter accounts - a break-in at any of them could result in massive compromise of Twitter accounts, regardless of Twitter's policies and security controls.

But more importantly, Twitter's importance to the "youngins" means that we're now raising a whole new generation of Internet users that are 1) vulnerable to exploitation because of their age and now 2) trained by prior experience that sharing their username/password with other sites is a good idea. Now, I'm not one of those people that will do anything "for the children", but this is still a scary prospect.

And before you pooh-pooh me, how many of you out there are using the same username and password for a lot of your social media sites, email accounts, Amazon, Etsy, etc.? I'd be shocked if most kids have strong passwords, let alone separate passwords for all the different sites they use on a daily basis. So these phishing vulnerabilities are only going to be more important as time goes on. And the really scary thing - even if you and your kids are smart enough to avoid these pitfalls, the vulnerability has what we call a "network effect". Even if YOU aren't vulnerable, someone you're connected to probably is. And that can be just as bad. Think your 13 year old would never talk to strangers online? What about when his friend's account is compromised and some stranger is using that friend's Facebook or Twitter to talk to your 13 year old? Still feel safe? Think you would know better even if your 13 year old wouldn't? What if your best friend sent you a Facebook message to let you know that the party tomorrow is cancelled? How paranoid are you willing to be....?

What can be done? Well, for starters, Twitter should implement an API Key approach to programmatic sharing like the one used by Flickr (or some other well engineered security mechanism for sharing access). Then they need to lead the charge in educating users not to share their passwords with a site that doesn't end in "twitter.com". And parents, don't forget to spend some time with your kids - and not just explaining this stuff!
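To make the "API Key approach" concrete, here is an added toy model (not Twitter's or Flickr's actual API, and not code from the original post). Each third-party application gets its own key with a fixed set of allowed actions; the application signs requests with the key secret instead of ever seeing the account password, so an over-reaching app is stopped by scope and a compromised app is cut off by revoking one key. All names (stats-dashboard, read_timeline, post_status) are made up for the illustration.

```python
# Added example (toy model, not Twitter's or Flickr's real API): a service that
# issues each third-party application its own scoped, revocable key, so the
# user never hands the application their account password.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One application's delegated access to one user's account."""
    app_name: str
    scopes: frozenset      # actions the app may perform, e.g. {"read_timeline"}
    secret: str            # shared only with the app; used to sign its requests
    revoked: bool = False


def sign_request(secret: str, key_id: str, action: str, body: str) -> str:
    """HMAC-SHA256 over the request, computed by the app with its key secret."""
    message = f"{key_id}\n{action}\n{body}".encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


class AccountService:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}   # key_id -> Grant

    def issue_key(self, app_name: str, scopes) -> tuple[str, str]:
        """User approves an app once; the app receives a key id and secret."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._grants[key_id] = Grant(app_name, frozenset(scopes), secret)
        return key_id, secret

    def revoke(self, key_id: str) -> None:
        """Cut off one app (e.g. after a break-in there) without touching the password."""
        if key_id in self._grants:
            self._grants[key_id].revoked = True

    def authorize(self, key_id: str, action: str, body: str, signature: str) -> tuple[bool, str]:
        """Check key validity, request signature and scope, in that order."""
        grant = self._grants.get(key_id)
        if grant is None or grant.revoked:
            return False, "unknown or revoked key"
        expected = sign_request(grant.secret, key_id, action, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if action not in grant.scopes:
            return False, f"{grant.app_name} was not granted '{action}'"
        return True, "ok"


def demo() -> list[str]:
    """Walk through issue, use, over-reach and revocation; return the outcomes."""
    service = AccountService()
    key_id, secret = service.issue_key("stats-dashboard", {"read_timeline"})
    outcomes = []
    # The read-only action the user agreed to: allowed.
    sig = sign_request(secret, key_id, "read_timeline", "")
    outcomes.append(service.authorize(key_id, "read_timeline", "", sig)[1])
    # The app tries to post: denied by scope, even with a valid signature.
    sig = sign_request(secret, key_id, "post_status", "hello")
    outcomes.append(service.authorize(key_id, "post_status", "hello", sig)[1])
    # The app's database leaks: the user revokes this one key and is done.
    service.revoke(key_id)
    sig = sign_request(secret, key_id, "read_timeline", "")
    outcomes.append(service.authorize(key_id, "read_timeline", "", sig)[1])
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Contrast this with password sharing: a leaked password grants every action on the account, cannot be revoked per application, and forces the user to change it everywhere it was reused.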

S/MIME Gotcha


I recently re-enabled S/MIME signing in my Outlook client. (S/MIME is a way to place a digital signature on an email message so the recipients can verify the sender.) When I tested sending mails back and forth to myself through my various clients, I had no problem. However, when I started sending email to other recipients, they all had issues opening the mail - most with the error message "Your digital ID name could not be found by the underlying security system."

This error is normally associated with difficulty opening encrypted mail. Since I wasn't using encryption, I couldn't fathom why this was happening. Many Google searches and Microsoft Knowledge Base articles later, I still hadn't found a solution. I finally had an "Ah-hah!" moment and found the problem. So, in the hope that someone will be spared some of my pain, here's my problem and solution.

I configured Outlook 2007 to use SHA512 for the signature algorithm. Unfortunately, this is not as widely supported as one might hope. Even another Outlook 2007 installation at work couldn't open mail signed with SHA512. Changing the signature algorithm back to SHA1 let everyone start seeing my emails again.

The "Your digital ID name could not be found by the underlying security system" error message is grossly misleading in this case! The system should really be reporting something like "The security system does not support the algorithm used to sign this message." I don't normally bash Microsoft, but in this case... you dropped the ball guys! Since SHA1 has started to show some signs of weakness, I'm hopeful that SHA512 will be more widely supported in the future. But until then, keep your S/MIME settings at SHA1 and AES256!
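Because the error text points at the certificate rather than the algorithm, a quick way to confirm this diagnosis is to read the digest algorithm the signed message itself advertises: the micalg parameter on the multipart/signed Content-Type header (RFC 5751 spells the values sha-1, sha-256, sha-512 and so on). The Python below is an added example, not code from the original post. The message is a constructed envelope with a placeholder PKCS#7 blob, and the recipient profile that accepts SHA-1 and SHA-256 but not SHA-512 is likewise constructed to mirror the situation described above.

```python
# Added example (not from the original post): read the digest algorithm an
# S/MIME signed message advertises, so an "unsupported hash" problem can be
# told apart from a genuine certificate problem.
from email import message_from_string
from email.message import Message


def normalize_micalg(value: str) -> str:
    """Lower-case and drop punctuation so 'SHA-1', 'sha1' and 'sha_1' compare equal."""
    return value.lower().replace("-", "").replace("_", "")


# Constructed recipient profile: verifies SHA-1 and SHA-256 signatures, not SHA-512.
LEGACY_CLIENT_SUPPORTS = frozenset({"sha1", "sha256"})

# Constructed multipart/signed envelope; the signature blob is a placeholder,
# only the headers matter for this check.
SAMPLE_SIGNED_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-512; boundary="----=_sig"

------=_sig
Content-Type: text/plain

Hello, this body is signed.
------=_sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBASE64PLACEHOLDER==
------=_sig--
"""


def signature_digest(msg: Message):
    """Return the normalized micalg of a multipart/signed message, else None."""
    if msg.get_content_type() != "multipart/signed":
        return None
    micalg = msg.get_param("micalg")
    return normalize_micalg(micalg) if micalg else None


def check_interop(raw_message: str, supported=LEGACY_CLIENT_SUPPORTS) -> str:
    """Say whether a recipient with the given digest support can verify the mail."""
    msg = message_from_string(raw_message)
    digest = signature_digest(msg)
    if digest is None:
        return "not an S/MIME signed message"
    if digest in supported:
        return f"{digest}: verifiable by this recipient"
    return f"{digest}: not supported by this recipient; re-sign with one of {sorted(supported)}"


if __name__ == "__main__":
    print(check_interop(SAMPLE_SIGNED_MESSAGE))
```

Run against the sample it reports that the sha512 digest is not supported and suggests re-signing with sha1 or sha256; swap the header to micalg=sha-1 and it reports the mail as verifiable. A message whose micalg the recipient does not know is exactly the case where that confusing "digital ID" error shows up.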

Windows Security for Dummies


I occasionally get called up to fix someone's computer after the evils of the Internet have befallen it. Fortunately my immediate family has become relatively computer savvy over the years, so this is less of a problem now. (Although now Mom stumps me with more complex problems that I have no idea how to fix.) In the interest of possibly helping some newbies out there, I'm gonna list some tips for keeping the baddies out of your computer. There are plenty of lists like this on the net already. I'm not claiming this one is better or more complete - just that it's mine. :-) If you're on a Mac, you're on your own. If you use Linux, you've already declared your independence. This is for the people out there who are stuck on Windows and want it to "Just Work" - not the avid user who argues about vi vs. emacs.

  1. Get a Recent Version of the Operating System (OS). I know it's expensive, but if you're running anything other than Windows 2000, XP or Vista, suck it up and buy a new version of the OS. Windows 98 may run fine on your PC, but it has no security. Just give up and move into the modern era. If your PC won't run at least Windows 2000, then you can hope and pray or you can go buy a newer computer.
  2. Get an Antivirus Scanner. Do you ride in a car without using your seatbelt? Do you own a computer without an antivirus program? Either way you're being stupid and may have to pay the consequences some day. Sorry, but time to face reality. There are free antivirus scanners out there, so no excuses. Just buckle up, already.
  3. Get an Anti-Malware Tool. Malware (aka spyware) is the latest threat. Anti-malware tools are not as common as antivirus programs, but you should get one. There are at least three major ones available - Ad-Aware, Spybot - Search & Destroy, and Microsoft's Windows Defender. I personally use Windows Defender, but anti-malware tools are like condoms - it's more important that you use one than it is to argue about the best brand.
  4. Run Automatic Updates. You may have heard that automatic patching is a bad idea. If you have a test environment to download and validate patches before using them on your production machines, please do. But if you don't, suck it up and enable Automatic Updates.
  5. Use Old School Email. Email used to be plain text. Then someone figured out you could send HTML and it would be pretty. Then hackers figured out you could send HTML and fuck up someone's life. Keep it old school, use plain text email. Set your mail program to send plain text. Set it to open all mail as plain text. This will stop almost every email security attack out there.
  6. Run as a Limited User. Running as a Limited User prevents a virus or malware from completely ruining your computer (most of the time, at least). Check out this article from Microsoft for details on how to set it up.
  7. Turn On Windows Firewall. Like Automatic Updates, just suck it up and do it.
  8. Stop Clicking on Everything. A whole lot of attacks on computers rely on the user (that's you!) actively doing something to start the attack. So stop opening the spam emails offering you better mortgage rates or a bigger penis. And stop visiting every website you can get your hands on. Curiosity can kill your computer just as surely as it can kill a cat.
  9. Spend 15 Minutes on Education. There are plenty of places where you can learn a little bit about security so this whole thing isn't so mystifying. If nothing else, check out Microsoft's Security page and learn something new.

Well, there you go. I'll probably add more to this page over time, but those tips should get you started.
