IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


No security for Windows XP x64

I have one family member who purchased a 64 bit laptop about one year ago. He figured he'd be ready for the future and was waiting to run a 64 bit operating system. I just sent him an email urging him not to do so, because the operating system is highly insecure.

Sure, the software has a built-in firewall and supports NX technology to prevent buffer overflow attacks. But for consumers there is no antivirus software available.

Symantec has only committed to creating an enterprise version of its antivirus software. Sources say that the company will take a "wait and see" approach to its consumer offering on 64 bit Windows: only when there are enough users hurting will the company consider bringing them relief.

The lack of an antivirus product isn't the only problem that Windows XP Professional x64 Edition faces. The software ships with only a limited number of 64 bit drivers – the old 32 bit versions don't work. So even if you hope and pray that you won't be hit by a virus, you shouldn't count on being able to use your scanner or webcam in 64 bit Windows.

April 29, 2005

Quality of service

ISPs have had a rough day of it on the first day of Infosec.

No-one's had a good word to say about them on the floor of the show and it’s difficult not to see the point – we seem to accept quality of service from ISPs that we’d be up in arms about with any other utility.

A good credit card company calls you if your bills suddenly “show red” after large purchases are made. It’s a safe bet that if a home computer is sending hundreds of emails a day, something is going on, so why are ISPs abdicating their responsibility?

There are technical fixes available to stop many security problems and the ISPs are missing a massive opportunity by not acting sooner. There are a lot of residential and business users who would pay a little extra for a clean internet service, and with a few million users that adds up to a lot.

April 26, 2005

Merchants of FUD

There's a phrase you hear a lot in this industry – FUD. It stands for fear, uncertainty and doubt and is commonly used to sell you security products or policies.

It's less common than it used to be, thank goodness, but as Lord Toby Harris started to speak I felt my heart sink. He was soon spouting the kind of rubbish that would get anyone outside government publicly ridiculed at an event like InfoSec. Here's a quick taste.

“Britain is four meals away from anarchy” – but then again so is every advanced society.

“Over 100 countries have cyber attack facilities” – I should imagine every country has someone who could write a computer virus, but it doesn’t make them liable to declare war.

“Captured computers show that Al Qaeda are technically competent” – the lack of detail on this one makes me highly sceptical. What exactly is technically competent? The ability to open PDFs or deal with a Microsoft operating system for more than one day without punching the screen?

Overhyped rubbish like this masked some fundamentally sound ideas on improvements to the NICSS system, and his scare stories were actively turning listeners off as he spoke. We’ve all heard FUD before; it's solutions most people are after.

April 26, 2005

Headless chickens

RSA's latest survey shows a depressing picture of the IT world's security view.

Fewer than one in 10 (eight per cent as it turns out) knows what identity management is, yet about a quarter blame lack of management buy-in as a factor in not implementing such systems.

Call me a cynic but, if you're going to the board with a plan that will affect systems across the whole company, you better be damn sure what you're talking about.

We know that solid identity management is key to building a viable e-commerce system. Explaining it to others is the only way of achieving it.

April 26, 2005

Tomorrow’s the big day

It’s an early night tonight as tomorrow InfoSec 2005 kicks off. It’s the UK’s biggest security show (barring the annual DESi arms sales show in Docklands) and there’s going to be a lot of interesting stuff going on.

Things are kicking off tomorrow at 8am at a breakfast with Bruce Schneier and, given that you need to be sharp to take in the full implications of all he usually says, it’s early to bed and early to rise. Bruce says he’s too hyped for caffeine these days but we’ll all be slurping down the tea to keep up with him.

Microsoft’s former head of security, Stuart Okin, will open the conference. Stuart left last year for the heady world of Accenture’s consultancy arm but he’s a good speaker who’ll drop some interesting gems.

Following in the wake of the WinHEC announcements Microsoft looks to be making a big thing of its 64 bit operating system and all the advantages of that extra complexity in making computers secure. This is particularly good at stopping memory resident worms – the hackers will respond with new methods but it’ll stop script kiddies in their tracks for a while.

Meanwhile every security vendor under the sun is going to be pushing the latest gizmo to deal with security problems both real and imagined. We’ll winnow out the wheat from the chaff and see what comes up.

April 25, 2005

Apple's security myth

Security vulnerabilities are a fact of life. How you deal with them is what separates the serious players from just the players.

Apple earlier this week released a patch for a vulnerability in iSync. The flaw makes iSync's "mRouter" tool vulnerable to a buffer overflow attack. Users who have local access to affected systems can then gain superuser privileges.

Apple, however, didn't bother plugging this hole for at least 3 months. As a Mac user, that makes me very nervous. Does Apple even take the security of its users seriously?

Not if you ask Braden Thomas, an independent developer of security software and a member of the University of Southern California's Digital Security Interest Group who discovered the flaw:

"I was surprised that [Apple] did not include a fix in Security Update 2005-003," he wrote in an email to "In fact, an AppleFileServer DoS bug I discovered that was disclosed in February was fixed by Update 003."

So next time you claim OS X is more secure than Windows, take Apple's response to security threats into consideration. Security vulnerabilities are a fact of life. How you deal with them is what separates the serious players from just the players.

April 21, 2005

Running with the Red Queen

If you've ever read the Alice series of books, or are an evolutionary scientist, you'll know about the Red Queen. This describes how creatures evolve side by side in a constant race; cats evolve sharper eyes, so birds have to do the same to spot them if they’re going to avoid being left on my carpet as a ‘present’ from Tiddles.

So the news that virus writers are moving away from email comes as no surprise. Although there are still a few fools who open attachments from strangers, they are a dying breed and computer crackers just move on to the next big thing.

So don’t prepare for the last war, get busy with the next one!

April 21, 2005

Firefox under fire

As Firefox plugged yet another set of security holes, the question arises whether the open source browser really is so much better than Microsoft's Internet Explorer.

Certainly Microsoft has a reputation for being insecure, but the Mozilla Foundation so far has a pretty weak track record, argues Information Week's Fred Langa.

Since the launch of Firefox, the Mozilla Foundation has had to plug 21 vulnerabilities, according to a study by Symantec. Internet Explorer in the same period sprung 13 leaks, Opera six, and Safari, Apple's browser for OS X, none.

What does this say? Close to nothing, unfortunately. Popular software is more attractive for hackers and virus writers to target, and the same goes for security vendors. The fact that 21 holes were detected in Firefox can mean that the product isn't yet mature, or just that it's more of a challenge for security experts to hunt for flaws because it's perceived to be more secure.

April 19, 2005

Hackers ate my tax return

The tax collectors at the Internal Revenue Service (IRS) had little to celebrate last Friday on the tax filing deadline, because the same day the Government Accountability Office published a report revealing 60 vulnerabilities in the IRS's computer system.

To add insult to injury, the IRS had been notified about 21 of these security holes during an earlier audit in 2002.

Not only is the security lacking, the organisation doesn’t even have the proper technology to monitor whether its systems have been hacked and records have been altered.

As a taxpayer you might be worried about the IRS's inability to properly secure its mainframe computer. But it also gives you a chance for the ideal defence during an audit: the IRS can't guarantee that its records are accurate. Unless they have paper evidence, you can always argue that some hacker is responsible for that error in your tax return.

April 19, 2005

HSBC signs up for the Month of Identity Theft

The financial giant HSBC is the latest institution that had to admit that it didn't care about the privacy of its customers and as a result exposed the files of 180,000 customers in the United States.

The company was quick to defer all blame to a retailer (rumour has it that the Ralph Lauren Polo store is the culprit) that was allegedly using an antiquated point-of-sale system. The credit card readers stored a copy of the credit card information instead of just forwarding it to the credit card processing computer. The incidents occurred between June 2002 and December 2004.

Ralph Lauren (if they are to blame) should be sued out of business for this, but HSBC is just as much to blame. The company never bothered looking into this matter prior to the breach – they were all too keen to accept the payments and fees.

HSBC is in good company. Earlier this week Reed Elsevier had to admit that the scope of a security breach in its online database LexisNexis was much larger than originally thought. Data for as many as 310,000 people has been compromised.

Maybe – just maybe – it's time to take a very serious look at the state of our computer security, and maybe we could start talking about adopting legislation that requires companies to have a minimum level of security? Because about half a million consumers experienced this week that self regulation doesn't work. Maybe some effectively policed legislation would help me regain my trust in companies that deal with my personal data.

April 14, 2005

You have zero privacy, but should you get over it?

A New Hampshire woman was once murdered after her stalker bought her address and social security number from an online information service.

Following the 11 September terrorist attacks, the Bush administration started an elaborate data mining operation to spy on its citizens. The project "Knowledge is Power" was cut short by Congress before it could do much harm. But book author O'Harrow claims that the programme actually broadened after it was officially killed.

These and other examples come from a review of O'Harrow's book in the New York Times. It's a frightening tale of a world where we won't control our own fate.

After 9/11, work was started on a system dubbed "Matrix" that was to enable surveillance for both public and private security. An official with the Justice Department called it "the computer that every American is afraid of."

A company called ChoicePoint specialises in collecting data ranging from demographic data to criminal records and marketing data. Its customers: mainly government entities that use the system as a backup and cross check for their own databases. But the company also has a commercial arm to screen employees, blacklist shoplifters and do credit reporting.

The company's database was also hacked, and thieves ran off with confidential data that can ruin the lives of 145,000 American residents. And the company has reported that phoney companies were downloading information on individuals. To add insult to injury, the company's chief executive Derek Smith is under investigation by the SEC for securities fraud.

Recently LexisNexis, an online database owned by Reed Elsevier, was hacked and over 32,000 personal records allegedly were stolen.

When Sun CEO Scott McNealy spoke his famous words: "You have zero privacy, get over it," did he realise that the lack of privacy inevitably would lead to a world where identity theft would be an everyday reality?

April 14, 2005