June 2005 Archives

Windows 2000 Security Roll-Up

The last free set of security updates to Windows 2000 has been released. On July 1, Windows 2000 moves into "extended support", which means further updates will cost you.
By Chris on June 30, 2005 12:17 PM |

Bluetooth Safety Tips

PC World has some Bluetooth security advice. You really shouldn't need to think about security just to make a phone call — it should just work. The most successful security protocols are the ones that you hardly notice. Take SSL, for instance. It's used millions of times a day by people who never even realized it was there. Protocol designers need to concentrate on making their creations secure so that users don't have to.
By Chris on June 29, 2005 4:04 PM |

Pakistan Goes Off The Grid

By Chris on June 29, 2005 2:58 PM |

Bluetooth Security Warning #90125

Their advice: get a longer PIN; they say that an eight-digit PIN will take 100 years to crack. Our bet is that a) the “very expensive” gear will turn out to be stupidly cheap and easy to put together on your own; b) eight-digit PINs will be cracked in a lot less than 100 years; and c) we’re not going to see this one in the wild any time soon.
By Chris on June 28, 2005 11:43 AM |

AT&T To Launch 24 Hour Security News

AT&T is planning to create an online 24-hour video news feed devoted entirely to computer security issues. It will be nice to have this new resource, but it's sad that the state of computer security has become so bad that it is possible to come up with enough content to run a never-ending stream of news about it.
By Chris on June 27, 2005 10:13 AM |

Hire a Hacker

Linda Leung, writing in Network World, has advice on how to hire reformed hackers to work for your software company. Her conclusion: "If you do want to hire a reformed black hat as a consultant, don't let him anywhere near your network." Of course, if you don't let your newly hired hacker anywhere near your network, how do they do their job?
By Chris on June 24, 2005 9:28 AM |

Hotmail to Require Sender ID

Actually, I'm not sure "require" is the right word: it looks like Hotmail will start treating the lack of a Sender ID record (the SPF-style TXT record a domain publishes in DNS) as one signal that a message is spam. The Hotmail spam filters take a number of things into account when determining whether a message is spam, and come November, not using Sender ID will be one.
I hate spam as much as the next guy, but this is bad news for Hotmail users. Only a small percentage of email systems publish Sender ID records, thanks to a variety of issues (among them a Microsoft patent license on the PRA algorithm that open-source mail software could not accept). Cynics will argue that Microsoft is using their millions of Hotmail users as leverage to increase adoption of their flawed protocol (and they'd be right). What we really need is for email system vendors to work together to solve the problem rather than trying to run each other's products into the ground.
By Chris on June 23, 2005 11:26 AM |
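To make concrete what a filter like Hotmail's would actually be scoring on, here is an added Python example (my own, not Microsoft's or any mail vendor's code) of a simplified Sender ID/SPF check: it picks the purported responsible address from the message headers, evaluates that domain's `v=spf1` record against the connecting IP, and turns the result into a spam-score contribution. The TXT records, addresses, sample headers and score weights are all constructed for the demo; only the ip4, ip6, include and all mechanisms are modelled, and Hotmail's real weights were never published.

```python
import ipaddress
from email.utils import parseaddr

# Constructed DNS data standing in for real TXT lookups, so this runs offline.
# Domains and addresses are documentation ranges, not real mail systems.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": None,           # domain that publishes no policy at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def purported_responsible_address(headers):
    """Sender ID's PRA (RFC 4407, simplified): the first of Resent-Sender,
    Resent-From, Sender, From decides whose domain gets checked."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if name in headers:
            return headers[name]
    return None


def check_host(ip, domain, depth=0):
    """Evaluate the policy for `domain` against the connecting `ip`.
    Returns pass/fail/softfail/neutral/none/permerror. Models ip4, ip6,
    include and all; a, mx, ptr and exists are reported as permerror here."""
    if depth > 10:                   # cap on nested include lookups
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"                # no policy published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:                     # an ip6 address never matches an ip4 network
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # Only a "pass" from the included policy counts; its fail/softfail do not propagate.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                 # nothing matched and no explicit "all"


# Constructed filter weights; the real Hotmail scoring is not public.
SPAM_POINTS = {"pass": 0.0, "neutral": 0.5, "none": 1.0,
               "softfail": 2.0, "fail": 5.0, "permerror": 1.0}


def score_message(headers, connecting_ip):
    """Return (spf result, spam points) for one message."""
    pra = purported_responsible_address(headers)
    domain = parseaddr(pra)[1].rpartition("@")[2].lower() if pra else ""
    result = check_host(connecting_ip, domain)
    return result, SPAM_POINTS[result]
```

Note that a domain with no record at all lands in "none", which is exactly the case the post is worried about: the mail is not known bad, it just has not opted in. Real Sender ID also accepts `spf2.0/pra` records; plain `v=spf1` records are consumed for the PRA check as well, which is one of the objections to the protocol.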

Wi-Fi Location Services

A company called Skyhook Wireless announced a nifty service for using Wi-Fi access points to locate a user in a manner similar to GPS. By assessing the relative strength of broadcast beacons from known Wi-Fi access points the service can pinpoint a user's location. While similar to GPS, it doesn't have quite the accuracy — and it requires an appropriate level of Wi-Fi density so its use is limited to urban areas. Still, they've identified several potential markets for the technology, and I'm hoping they find some buyers for this very novel use of Wi-Fi.
By Chris on June 22, 2005 8:43 AM |
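As an added illustration of the technique (my own code, not Skyhook's), here is a weighted-centroid position estimate in Python: each known access point pulls the estimate toward itself in proportion to how strong its beacon is heard. The access-point survey, the path-loss constants and the simulated scan are all assumptions made up for the demo.

```python
import math

# Constructed access-point survey: BSSID -> (x, y) position in metres on a local grid.
KNOWN_APS = {
    "00:11:22:33:44:01": (0.0, 0.0),
    "00:11:22:33:44:02": (100.0, 0.0),
    "00:11:22:33:44:03": (0.0, 100.0),
    "00:11:22:33:44:04": (100.0, 100.0),
}

# Log-distance path-loss model (assumed constants, not measured):
# RSSI(d) = P0 - 10 * n * log10(d), with P0 the signal strength at one metre.
P0_DBM = -40.0
PATH_LOSS_EXPONENT = 3.0


def rssi_to_distance(rssi_dbm):
    """Invert the path-loss model to get an estimated distance in metres."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rssi(distance_m):
    return P0_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(max(distance_m, 1.0))


def estimate_position(scan, ap_db=KNOWN_APS, min_aps=3):
    """Weighted-centroid estimate from a scan of (bssid, rssi_dbm) pairs.
    Unknown BSSIDs are ignored; fewer than `min_aps` known APs gives None,
    which is the 'not enough Wi-Fi density' failure mode."""
    sightings = [(ap_db[bssid], rssi) for bssid, rssi in scan if bssid in ap_db]
    if len(sightings) < min_aps:
        return None
    # Inverse-square of estimated distance: nearer APs dominate the centroid.
    weights = [1.0 / rssi_to_distance(rssi) ** 2 for _, rssi in sightings]
    total = sum(weights)
    x = sum(w * pos[0] for (pos, _), w in zip(sightings, weights)) / total
    y = sum(w * pos[1] for (pos, _), w in zip(sightings, weights)) / total
    return (x, y)


def simulate_scan(true_xy, ap_db=KNOWN_APS, in_range_dbm=-100.0):
    """Constructed scan: what a client at true_xy would hear under the model."""
    scan = []
    for bssid, pos in ap_db.items():
        rssi = distance_to_rssi(math.dist(true_xy, pos))
        if rssi >= in_range_dbm:
            scan.append((bssid, rssi))
    return scan
```

The centroid is biased toward the middle of whatever access points it hears, and real RSSI readings are far noisier than the model, which is why such fixes fall short of GPS; the `min_aps` check is where the density requirement the post mentions shows up in code.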

Credit Card Pranks

An entertaining article on the security — or lack thereof — of credit card signature checking. I've now had this emailed to me twice in all seriousness, so I'll take a moment to play Snopes and point out that it's not (entirely) real:
  • It's on ZUG, a comedy site, "the world's only comedy site", in fact.
  • Most of the receipts given as examples are from restaurants, the employees of which don't see your signature until after you've left.
  • The author quotes "ZUG reader Fronzel Neekburm".
  • All a business really needs is your credit card number; the only time a signature comes into play is if you later dispute the charges with your credit card company.
  • He's a really lousy tipper. Come on, $1.00 on a $7.90 tab? That's 12.7%. Maybe his servers were too busy grumbling about their tips to notice the goofy signatures.
It's definitely possible to get away with signing your charge card slip with a goofy signature, which is not at all surprising to anybody who has ever bought anything over the internet or by phone without signing anything at all.
By Chris on June 21, 2005 8:56 AM |

When Security Software Fails

BusinessWeek cites a Yankee Group report that security software is increasingly insecure. The article points out that while much of this software was developed to protect users against flaws in Microsoft's code, for the first time this year the aggregate number of security holes in security software exceeds those found in Microsoft software.
This isn't happening because security software is getting worse; it's not. In general, all software is getting more secure as vulnerabilities become more widely reported and more quickly exploited. The main reason that security software vendors like Symantec and McAfee are seeing an increase in holes relative to Microsoft is that while all software vendors are getting better at security, Microsoft is getting a lot better, and a lot faster. As Microsoft products improve, hackers move on to lower hanging fruit.
Another reason is that security software is, of course, the first line of defense. If a hacker wants to attack machines inside a firewall, first he has to hack the firewall. Hacking security software also provides great bang for the buck: anti-virus software runs with system privileges and parses every untrusted file that arrives, so once you've hacked a user's anti-virus software, you have free run of his machine.
via Slashdot
By Chris on June 20, 2005 10:46 AM |

The Blue Hat Conference

Another sign that Microsoft gets it: they invited a bunch of hackers to headquarters to learn about their techniques and motivations. No large software company is as focused on security as Microsoft. That's largely because it has had, and continues to have, such a huge number of security vulnerabilities, but Microsoft has come a long way. Every engineer at the company has it pounded into his or her head that security is the first thing that should be considered when writing new code. Now if we can only get other software companies on board...
By Chris on June 17, 2005 3:05 PM |

New York Surveillance Camera Players

A group called "The New York Surveillance Camera Players" has laboriously mapped out the location of surveillance cameras in a number of Manhattan neighborhoods. The point they are making is political, but it's still astonishing how much you are being watched as you walk the streets of the city.
via Curbed
By Chris on June 16, 2005 9:52 AM |

Korean Netizens Attack Dog S%!* Girl

Privacy in the age of the internet: a college student who didn't clean up after her dog is publicly shamed in South Korea. The mob mentality has moved online.
By Chris on June 15, 2005 3:45 PM |

Elektron Enterprise Edition

Today is the official release of Elektron Enterprise Edition (although if you visited yesterday, you may have noticed it was unofficially available then). Advantages include:
  • ODBC support, to store user credentials in your SQL database
  • LDAP support, to authenticate users against your directory server
  • The ability to authenticate users against another RADIUS server, allowing you to add Wi-Fi support to your existing RADIUS solution
  • RADIUS accounting
  • Authorization policies
  • Email and syslog notification of server events
You can download a thirty-day trial now (and this really is the first release, despite the fact that its version number is 1.1; we're keeping version numbers of Elektron editions in sync).
By Chris on June 14, 2005 10:12 AM |
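The RADIUS half of that feature list is easy to get wrong at the byte level, so here is an added Python example (my own, not Elektron's code) of the exchange a NAS and a server go through per RFC 2865 and RFC 2866: User-Password hiding with the shared secret and Request Authenticator, the Response Authenticator the client must verify before trusting an Accept, and the Accounting-Request authenticator. The user table, NAS address and shared secret are constructed for the demo; a real server would look the user up via ODBC, LDAP or a proxied RADIUS server instead.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865/2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
ACCT_START = 1
# Constructed user table standing in for an ODBC or LDAP backend.
USERS = {b"alice": b"correct horse battery"}

def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):   # reject lengths that run off the packet
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def parse_packet(data):
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte chunks, XOR each with MD5(secret + previous
    ciphertext chunk); the Request Authenticator seeds the first chunk."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))])   # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def handle_access_request(packet, secret):
    """Server side: check the credentials, then sign the reply with the
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, request_auth, attrs = parse_packet(packet)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and a.get(USER_NAME) in USERS and hmac.compare_digest(
        reveal_password(a.get(USER_PASSWORD, b""), secret, request_auth), USERS[a[USER_NAME]]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_response(reply, request_auth, secret):
    """Client side: a reply whose authenticator does not check out is a forgery."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected), code

def build_accounting_request(ident, username, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs([(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)), (USER_NAME, username)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(packet, secret):
    _, _, request_auth, _ = parse_packet(packet)   # also validates the attribute TLVs
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(request_auth, expected)
```

Two things worth noticing: the Request Authenticator is the only thing keeping User-Password from being a repeating-key XOR, so it has to be fresh and unpredictable for every request; and an Accounting-Request has no random authenticator at all, so its MD5 over the zeroed field is the only thing stopping a spoofed "start" or "stop" record.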

Paid to Infect PCs

A Russian outfit called IframeDollars is paying website operators to infect user machines with spyware. The miscreants supply willing webmasters with code that exploits known holes in Internet Explorer in order to drop nine separate pieces of malware on the machines of unsuspecting users. The business is paying 6.1 cents per machine infected. They claim to have paid out $11,890 already, which amounts to 195,000 compromised machines.
By Chris on June 13, 2005 11:08 AM |

Unprivileged IE 7 on Longhorn Only

Mary Jo Foley reports that the unprivileged version of IE 7 will run on Longhorn only. That's disappointing: users will be browsing with Administrator privileges for a few more years now.
By Chris on June 13, 2005 10:55 AM |

Apple Design Awards

Elektron picked up a runner-up as "Best Mac OS X Server Solution" at the 2005 Apple Design Awards.
By Chris on June 10, 2005 10:10 AM |

Wi-Fi Saves a Mini

Rory Blyth tells how an unsecured Wi-Fi connection got his Mini Cooper fixed correctly.
By Chris on June 10, 2005 9:55 AM |

Yet More MD5 Collisions

The definitive demonstration of collisions in the MD5 hash algorithm has been published: two completely different business letters with the same digest. The trick is that both letters are PostScript files carrying both texts, with a conditional that branches on a colliding block near the start of the file, so the collision had to be found only once for that block; everything after it is a common suffix, which MD5's block-chained construction hashes identically after either prefix. The link includes background on the problem, and similar issues with SHA-1 have been discussed previously on this blog.
By Chris on June 10, 2005 9:43 AM |
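To show why a single collision buys two different documents, here is an added Python example (my own, not from the linked page): it checks the published 2004 Wang et al. MD5 colliding pair, shows the collision surviving any common suffix, and builds a toy document pair in the style of the poisoned-message construction. The document format and "viewer" are made up for the demo; the hex constants are the published blocks, reproduced here rather than the letters the post links to.

```python
import hashlib

# The Wang-Feng-Lai-Yu (2004) colliding pair: two 128-byte messages that differ
# in a handful of bytes yet share an MD5 digest. Reproduced as published.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def differing_offsets(a, b):
    """Byte positions where the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives_suffix(a, b, suffix):
    """MD5 is a Merkle-Damgard hash: once two equal-length, block-aligned prefixes
    reach the same internal state, any common suffix hashes identically after both."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


# Constructed toy document format mimicking the poisoned-message construction:
# a 128-byte header followed by a body that carries BOTH texts and a branch.
def make_document_pair(text_if_a, text_if_b):
    body = (b"\n%%IF header==A THEN%%" + text_if_a
            + b"%%ELSE%%" + text_if_b + b"%%END%%")
    return BLOCK_A + body, BLOCK_B + body


def render(document):
    """Toy viewer: displays one text or the other depending on the header it sees,
    the way the PostScript letters branch on their colliding block."""
    header, body = document[:128], document[128:]
    then_part = body.split(b"%%ELSE%%")[0].split(b"THEN%%")[1]
    else_part = body.split(b"%%ELSE%%")[1].split(b"%%END%%")[0]
    return then_part if header == BLOCK_A else else_part
```

The practical lesson is that "the two files look nothing alike" is not evidence against a collision: a signer who checks only the digest will sign whichever document the attacker later chooses to show.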

Even Taxi Cabs Are Worried About Consumer Data Security

A TechWeb article says that Transaction Network Services Inc., which provides mobile credit card payment processing, will be adding encryption to its products.
The big news here is not that they are adding encryption, but that they didn't have it before. Transaction Network Services provides service to "taxi and limousine companies, towing services, arts and crafts shows, and mobile concession and souvenir stands" so that these merchants lacking land line phone access can process credit cards. For years they have been transmitting consumers' credit card information wirelessly without any protection. Better late than never, I suppose.
By Chris on June 9, 2005 9:47 AM |

IE 7 To Run Unprivileged

Internet Explorer 7 will run with reduced user privileges by default. I've mentioned this as a possible feature before, and it's nice to see it being implemented. Normally, when a program is launched by a user, the program has all the privileges of that user (install new programs, erase the hard drive, send spam). Since there's no reason for a web browser to need Administrator-level privileges, it makes perfect sense not to run it as Administrator. This simple change should save a lot of people a lot of security headaches (not that it will eliminate all of IE's security problems, but it will eliminate many of them and make others harder to exploit).
By Chris on June 8, 2005 10:28 AM |

Network Attack Trends

Counterpane Internet Security provides network security monitoring services. Their CTO, Bruce Schneier, has a write-up describing the attacks they've been seeing over the last year. The gist: increasingly sophisticated attacks and a shift from hobbyist hackers to criminal enterprises.
By Chris on June 7, 2005 10:51 AM |

Elektron on Mac OS X x86

It's official, the rumors were true: Apple is switching to Intel processors. Yes, we will be supporting it. Elektron already runs on Windows — that takes care of our endian issues, and the GUI components are written using Cocoa, which require only "small tweaks". I'm guessing that the port will take less than an afternoon.
As a Mac user, I'm excited. As a Mac developer, I have mixed feelings. It's nice to know that there is a firm roadmap for future Macs, but now our testing matrix just got that much larger. Fortunately for us the bulk of our code is in a faceless daemon process that has easily automated testing. I don't envy developers that have a lot of manual testing for each release. This effectively doubles the amount of QA needed for such applications.
By Chris on June 6, 2005 11:14 AM |

Bluetooth Crypto Broken

A pair of researchers from Tel Aviv University have uncovered a flaw in the Bluetooth pairing process that allows them to recover a device's PIN. The crack takes just 0.06 seconds on a Pentium 4 for a four-digit PIN, but requires passive eavesdropping while two Bluetooth devices are being paired. This occurs only infrequently, but the researchers have also demonstrated how trivial it is to force two previously paired devices to re-pair.
This is a significant piece of news for Bluetooth users. It leaves your Bluetooth handheld vulnerable to anyone within its range. As Bruce Schneier says in the article, "You can sit on the train and make phone calls on someone else’s phone." I guess I should finally be glad that my Treo 600 doesn't support Bluetooth.
By Chris on June 3, 2005 11:33 AM |

Stick a Fork in Windows 2000

Microsoft is about to release the last batch of security patches for Windows 2000. It was announced a while ago that mainstream support for Windows 2000 would end at the close of this month, but this is the first news that Windows 2000 Service Pack 5 would be jettisoned in favor of an "update rollup". If you want to keep your PC secure, it looks like you'll be upgrading to Windows XP soon.
By Chris on June 2, 2005 9:30 AM |

Elektron 1.1.1

It never fails — you ship a software release and immediately find a bug that needs fixing. Elektron 1.1.1 repairs a problem with session timeouts (full details in the release notes included with the download). Download it here.
By Chris on June 1, 2005 11:46 AM |