IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
vnunet.com


Football fever

OK, a confession. Football bores me rigid, but I'm willing to respect a supporter for his or her passion. But for some reason hackers seem to think fans are stupid, or trust their clubs implicitly. Why else target them with repeated phishing scams?

November 22, 2005

Government gets guts

While the news that Microsoft is opening up its file formats is good, the reasons have very little to do with security and everything to do with profits. 

Since governments started realising that storing documents in proprietary formats was a bad idea, Microsoft has been locked out of some very lucrative deals.

It's an argument for governments (and businesses) to stop being so hands-off and sort out security by insisting on it.

November 22, 2005

Meanwhile wise heads attack

Still on the Sony story, the chaps and chapesses from the Electronic Frontier Foundation are riding into the fray, along with the Texas government.

Now Texas is the most free market state in a free market country. To get those folks riled up takes some serious doing. Sony BMG better check those kneepads and get into grovelling mode.

November 22, 2005

Sony gets support

Is there no community the RIAA won't piss off? Its president's most recent remarks in praise of Sony are guaranteed to set people's teeth on edge.

I can't for the life of me work out if they do this deliberately or if the RIAA is just so confident at the stranglehold it has on the music industry that it doesn't care how much it sticks it to consumers. I suspect the latter.

November 22, 2005

Stupid rationalisations

Attitudes may have changed slightly but this latest survey really makes my blood boil: flirtatious women are 'asking' to be raped, according to a sizeable minority.

Now let's apply this lesson to IT security. Got a shiny new laptop that you're using in public? You must be begging to get beaten up and robbed. Look at the way you're flaunting that 3G data card with its flashing lights attracting the eyes of muggers.

Flashing a 17in screen with brilliant colour? For shame! You're displaying £2,000 worth of easily floggable gear. Begging for it obviously. And as for the blatant way some people use their smartphones in public …

Like most stupid prejudices it's easy to spot double standards when you try and apply them to other areas.

November 22, 2005

Security after the fact

We're going to see a huge boom in computer-based home security devices but, heartening though this story is, the burglary still went ahead.

Like CCTV cameras, home security devices are only good for catching the criminals after the act, not stopping the problems before they occur. You could argue that there's no way to catch a criminal before they act but good door locks would make it harder for them in the first place.

Then again, this kind of evidence is just what the police are looking for. It's difficult for the criminal to deny the crime if his mug is emblazoned across the camera.

Now it's time to use this wireless technology in other ways. Riot police can smash cameras but if the data has already been sent the evidence will still convict them. Wireless links can spread information outside the control of a repressive regime.

William Gibson once said that the street finds its own uses for technology, and he was right.

November 11, 2005

Free at last

In this business you recognise that you seldom get a straight answer from a company spokesperson. They are paid to have a good opinion about their employer's products and as such are not to be trusted implicitly. But when they leave …

Look at the furore over Christopher Meyer's autobiography. Here's a man at the centre of government who told it like it is - once he'd left the service. His account opens a valuable insight into the way the world works.

Now a former Apple executive has opened his heart, and interesting reading it makes too.

Intellectual property protection is a morally defensible position but as he makes clear it sucks, badly. The current security regime makes us all innocent until proven guilty and anyone with a mind hates it. Fight back with any means possible.

November 11, 2005

The Mouse Police never sleep

Forgive the Jethro Tull reference but they're a great band. So a day or so after Microsoft releases a patch and the hackers have created exploit code. What's an IT administrator to do?

Well, not a lot, if truth be told. If you're running a 10,000 client system the chances of patching all the computers are roughly similar to me forming a meaningful relationship with Susan Sarandon. The best you can do is harm reduction.

That means withholding admin rights from as many people as possible and to hell with the complaints. A lot of people want to have full control of their PCs, but a lot of people are stupid about it.

There's also a duty of care from software suppliers. It only needs one malformed patch to make everyone wary of installing the next one.

So patch up, but remember not just to rely on the patches. A lot of software vendors are already crowing about the fact that patch or no patch their customers were protected. Check out their claims and, if the technology is usable, use it. Just relying on patching is not an option.

November 11, 2005

Protect your market by killing it?

A measure of intellectual property protection is important in many industries, but why does Sony think its right to protect an album is superior to our right to safe computing?


The Sony rootkit fiasco is deepening now that viruses are being designed to exploit it. Malware is a big enough problem as it is without a music company driving a coach and horses through our protection, and all for the sake of bands who are mostly mediocre. Let's face it, when anti-virus companies are so concerned they blacklist your rights management code the situation looks pretty dire.


Now, in the free market we're all told exists, the answer would be simple: just don't buy the product. But the music industry isn't exactly a free market. After all, when the top five music companies and top three retailers collude on price fixing, what else are they willing to do to preserve their stranglehold on the market?

In the short term there's not a lot we can do about it; it takes a lot to give up bands you've cherished over the years. What we really need is a test case for the right to return CDs with duff copy protection, either that or the kind of massive class action suit that only American juries can hand out.


November 10, 2005

Anyone for ID

It's bad enough that ID cards are going to cost so much, but now it seems that they won't last either.

Is there anyone apart from the suppliers and a handful of the Westminster establishment who really thinks this is still a good idea?

November 10, 2005

China crisis

China's intellectual property crackdown has more to do with finance than right or wrong.

Its efforts to crack down on pirates are to be welcomed, but there's more at stake than intellectual property.

As the nation that's fast becoming the world's manufacturer it's in China's best interests to see that it doesn't become a land of knocked-off goods and dodgy kit. Those of us around in the 1970s can remember what 'Made in Taiwan' used to suggest.

November 10, 2005

Taking the rough with the smooth

Computer users are a passionate lot, and I wouldn't have it any other way. I would be loath to give up my BBC Model B computer and you'd have to prise my Sinclair ZX81 out of my cold, dead fingers before it left my possession.

Other computer users are just as passionate. What does it say that years after the OS/2 operating system was commercially retired (or stabbed in the back, depending on your viewpoint) a group still meets regularly in a London pub to discuss its pros and cons?

But there's something slightly unnerving about one group in particular: Apple enthusiasts. They have thinner skins than someone on their fifteenth facelift, and any article that could be perceived as criticising their beloved gadgets or the software that runs on them brings howls of protest and accusations of being in Microsoft's pocket or worse.

After I reported on four flaws in QuickTime our message boards were soon filling up with such accusations, and frankly abusive stuff some of it was too.

No matter, it's par for the course with journalism and nothing to complain about. But with this kind of volume of mail we thought we'd recheck and had the story confirmed.

As I said at the start, enthusiasm for technology is a wonderful thing. But you have to see the good and the bad side of these things. No complex application, or operating system, with millions of lines of code and complex architecture can ever be perfect. If one person can find flaws in it and write exploit code you can bet your bottom dollar someone else will too; it's happened all throughout history.

When Charles Darwin made his historic voyage in the Beagle he didn't immediately come up with the theory of natural selection. Instead he pondered, refined, worked on other things entirely and may never have published at all. Then, when he got the news that Alfred Russel Wallace had come to exactly the same conclusions, he published, albeit naming Wallace as a co-originator in his presentation.

So when a researcher finds a hole in some software, especially a critical hole or four, what then? They could keep quiet and hope no-one notices or let people know, once a cure has been found.

The first choice is folly, because if a hacker does exploit the hole users won't get a warning and will be left exposed. The researcher has a duty to publish responsibly, and so do we.

November 9, 2005

Management hubris?

One of the joys of a blog like this is that you can put in all the salacious but sadly unnewsworthy snippets of information, like something that came up at the briefing for this story.

In among a certain amount of mea culpa from those surveyed from the Economist Intelligence Unit about how bad they'd been in opening attachments and writing down passwords, there was an astonishing statistic. Over a third of those questioned said that they'd never made a security mistake.

If that's true I'll eat my hat.

November 9, 2005

Think before you click

I've been writing on technology for over a decade now, but if one of these latest attacks causes serious problems I may have to throw it all in and become a consultant.

There are some basic rules that should be burned into the top of every computer monitor.

1. Never open an attachment unless you know the source personally, and preferably check with them first

2. Microsoft will never send out spam telling you to upgrade

3. If you want a patch, go to the manufacturer's website to get it

These three simple rules will get you out of the vast majority of internet attacks. Nothing is 100 per cent safe in either the real or online worlds but you could save yourself a lot of heartache and misery by following them.

November 8, 2005

Firefox faces problems

In among the general rejoicing at Mozilla over these figures on browser share there'll be a few worried faces in the developer labs.

You could argue until the cows come home over the security benefits of open versus closed source. I happen to think that open source is more secure and quicker to patch than commercial companies.

But all major code is unsafe; it will have flaws by its very nature. You can't have millions of lines of code and no mistakes, at least not until the gods start coding.

But the more popular Firefox becomes the more hackers will target it. The hacker, no matter if they're motivated by kudos or cash, will usually go for the largest number of users, and that means a popular browser.

So well done to Firefox, but also a warning: the Mozilla boys are going to need to be on their toes for a long time to come.

November 8, 2005

Responsibility developing

Could it be that some software developers and testers are getting the message and that this latest case shows it? By waiting until Apple had a fix out before releasing its flaw discovery we have avoided mass panic and insecurity.


November 8, 2005

Adware gets responsible

Well done to 180solutions for doing its bit to combat the growing problem of spyware. But you have to wonder how they didn't spot this before.

Getting people to accept spyware on their PCs is a major sales challenge, a real selling-fridges-to-Eskimos dilemma. If someone's very successful at it the supplier has a duty to check that they're performing in an ethical manner.

They could also think again about their payment model, which almost invites the fraudulent.

November 8, 2005

Don't mention the car

While security is hot on the agenda at the Nokia conference, one Nokia executive is very touchy on the subject of police security. To be exact: speeding fines.

Anssi Vanjoki, who announced three new handsets today, is in the record books as the man with the largest speeding fine in the world. He was nabbed by Finnish police going 25 km/h over the speed limit on his beloved Harley Davidson and was hit with a €116,000 fine.

Under Finnish law fines are proportionate to your income and he was fined 14 days' salary. But since he'd just cashed in share options worth €14 million the fine was a little hard to swallow.

He's in good company. Nokia's former president Pekka Ala-Pietila got hit with a €33,000 fine for speeding a few years before.

November 3, 2005

Tagged

Day one of the Nokia summit and I've been tagged – RFID tags are embedded in our event passes.

While I'm not wild about this I suppose it's harmless enough. But as we now discover, a lot of people are going to be very pissed off. You see, they've integrated them into the event's competition.

A word of explanation. Exhibition organisers sell the space on these events on the basis that stand holders can demonstrate new products and build business. Attendees however know they come here to meet and greet old and new friends (typically in the bar) and maybe see a few displays they already know about. What follows is something akin to hunter/gatherer societies with nervous attendees being stalked by prowling stand holders.

To encourage visits to the stands there's usually a competition: get a stamp from the exhibition stand to show you've had a demonstration, and the person with enough stamps gets a prize. But the system has a flaw: it's usually a stamp on a piece of card. As generations of attendees have learnt, these are usually unguarded or can be transferred between cards by moistening them and pressing them to another piece of paper.

But Nokia's got wise to this and now your RFID gets swiped, something that's impossible to cheat at because the RFID scanners are built into the mobile phones. Technology has eliminated one of those charming little rituals that make shows memorable, but I can't deny it's a more secure solution.

November 3, 2005

Ring, ring

Oh there were laughs aplenty in the office when this story came out. You can just imagine the look on the Foreign Office accountant's face when a diplomat's phone came back with a £500,000 bill.

There's a serious side to this; the civil service has form for losing technology. There's even the suggestion that the ground war in Gulf One was held back because a laptop was stolen that held battle plans.

While a diplomat making huge numbers of calls to phone sex lines is amusing, the thought of terrorists being able to trace his security contacts is not. In all likelihood there was no security leak but if there was, the price for this stupid loss will be paid in blood.

November 2, 2005

Biggest isn't always best

So AOL gets hit again. This isn't because AOL writes insecure code - it's just as insecure as the rest. But AOL's is the biggest IM client out there and has a large number of Western users, making a very attractive hacking target.

Maybe its refusal to interoperate with other IM clients could be seen as good news for the rest of us.

November 2, 2005

Protect and survive

The news that three people managed to get £300,000 out of eBay customers (and that's just the amount people complained about) shows how easy it is to perform scams online. A British teenager pulled off a similar scam and it was months before he was stopped.

EBay was one of the early success stories of the web and has spawned whole industries; there's a shop in San Francisco where you can take in second hand goods, they'll sell them on eBay for you and split the profits. It's also having a major impact on the viability of second hand book shops.

It's also that rarity for an online company: profitable. EBay has never made a loss and profits were up 40 per cent last quarter. After all, it could afford to shell out billions for Skype so there's obviously money to burn.

Which begs the question as to why it can't invest a fraction of those profits in protecting its customers. The cynic would say that as it takes a cut from each and every sale the more sales the better. Life isn't that black and white but it still leaves you wondering if it will take a class action suit before the company starts making real efforts to beat off the scammers.

November 2, 2005
