Wednesday, December 15, 2010

Microsoft Patch Tuesday

Microsoft released a very large number of patches today; however, the only critical ones are for Vista, Windows 7, and Internet Explorer. Some of the patches will require a reboot, so I'd recommend installing them manually as soon as you fire up your computer today so that you aren't interrupted by the updates later.

Thursday, November 11, 2010

Firesheep - Protect Yourself

Due in part to its use in hijacking people's Facebook pages, the Firefox add-on "Firesheep" has been getting a lot of press lately. I've had a couple of clients ask me how to avoid this particular type of attack.

Firstly, I don't really recommend the use of WiFi hotspots that are unencrypted. I know that in this day and age of free WiFi at every Starbucks it is difficult to live by this ideal, however I think that it's important to be mindful that if a WiFi spot is "open" the traffic going over the network can be seen by the other machines in range of the network, and this is an added risk inherent to unsecured wireless networks (yes, even your neighbor's.)

Secondly, I recommend that you set all your important sites to use SSL (https) if this feature is available. Some services offer this but it has to be configured; other services (Gmail, for one) have it set up by default. I would not log in to any site that is not using SSL (again, the https:// in front of the URL) over an unsecured WiFi connection.

My final bit of advice is to be sure that your mobile devices (laptops, phones, etc.) are not set to automatically log in to services like Facebook if you use them on open wireless networks. My solution to this is that I never set up open WiFi connections to connect automatically, so that it is a conscious decision to connect, and I can ensure that I'm not logged in to anything that isn't using encryption prior to connecting.

Keeping aware of the level of security that the network you are connected to is using is important, and is the only surefire way to ensure that you aren't a victim of hijacks like Firesheep.

Thursday, October 28, 2010

Firefox Update Released

Firefox has been updated to address a vulnerability that is currently being exploited in a "zero day" attack. If you use the Firefox browser I highly recommend updating it!

The latest stable version of Firefox can be downloaded here.

Monday, October 11, 2010

Microsoft Releasing 16 Patches Tomorrow

Microsoft has announced in its latest security advisory that it will be addressing 49 vulnerabilities with patches tomorrow. This is the largest number of vulnerabilities to date addressed in one day.

Ten of the patches are deemed "critical", and the patches will address issues in Microsoft OS software from XP to Windows 7, Server OSes, and Applications such as their Office suite.

So if your Windows computer is slow tomorrow, or your network seems sluggish, it may be downloading the plethora of patches that will be released tomorrow morning. If your machine is set to receive updates overnight, be sure to leave it on tomorrow and to reboot it first thing in the morning.

Tuesday, September 21, 2010

Adobe Patches Flash Vulnerability

Adobe has released a patch for a vulnerability in their Flash software earlier than they initially planned to. The vulnerability that was announced on the 13th was originally planned to be patched next week, however the patch has now been released almost a week ahead of schedule.

Use the auto-update feature in Flash, or download the patch from Adobe's website.

Friday, September 10, 2010

Windows Virus/Worm Going Around

Reports started coming in yesterday of multiple infections from the "Here You Have" worm (a variant of W32/VBMania@MM). Here are several articles detailing the worm.

If you are using the practices I advocate (e.g. not clicking on any link sent via email that you weren't expecting to receive, and not giving your user account administrative privileges) then your risk of getting this virus is low. If you have the ability to filter out websites on your network, I would filter out the expressions "sharedocuments.com" and "sharemovies.com" as these are the sites that hosted the original files.

As always I highly recommend that you keep your anti-virus up to date and that you patch your system early and often.
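If you keep web proxy logs, the same two domains can be used to find machines that already requested the files. The following is an added example, not part of the original post; the log layout (timestamp, client IP, URL) and the sample lines are constructed, and the function names are hypothetical.

```powershell
# Added example. The two domains come from the post; everything else
# (log layout, sample lines, function names) is assumed for illustration.
$BlockedDomains = @('sharedocuments.com', 'sharemovies.com')

function Test-BlockedHost {
    param([string]$HostName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $BlockedDomains) {
        # Match the domain itself or any subdomain, but not look-alikes
        # such as "sharemovies.com.example" that a substring test would hit.
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-BlockedRequest {
    param([string[]]$LogLine)
    foreach ($line in $LogLine) {
        # Assumed layout: "<timestamp> <client-ip> <url>"
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }

        $uri = $null
        $ok = [uri]::TryCreate($fields[2], [System.UriKind]::Absolute, [ref]$uri)
        if (-not $ok) { continue }   # skip lines whose URL does not parse

        if (Test-BlockedHost -HostName $uri.Host) {
            [pscustomobject]@{
                Time   = $fields[0]
                Client = $fields[1]
                Host   = $uri.Host
            }
        }
    }
}

# Constructed sample log lines (not real traffic).
$sample = @(
    '2010-09-10T09:14:02 10.0.0.21 http://www.sharedocuments.com/sample-path'
    '2010-09-10T09:14:40 10.0.0.21 http://sharemovies.com/sample-path'
    '2010-09-10T09:15:11 10.0.0.35 http://www.example.com/index.html'
    '2010-09-10T09:16:03 10.0.0.42 http://sharemovies.com.example/'
    'malformed line'
)

# One row per client that contacted a listed domain, with a hit count.
Find-BlockedRequest -LogLine $sample |
    Group-Object -Property Client |
    Select-Object Name, Count
```

Clients that show up in the output are the ones to check first with an up-to-date anti-virus scan.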


Wednesday, August 25, 2010

Microsoft DLL Vulnerability

Yesterday Microsoft released a security advisory for a vulnerability in how Windows handles dynamic link libraries or DLLs. This is a vulnerability in the core of Windows that can also impact many applications running on Windows, so it's a pretty big concern.

If you are running a home computer on Windows, your best bet at protection is to disable the WebClient service. To do this, right-click on your "My Computer" icon and choose "Manage", go to "Services and Applications" and choose "Services". Scroll down to "WebClient", right-click on it and select "Properties", change the startup type to "Disabled" and click "OK". Then stop the service if it is running (right-click on it and choose "Stop").

Note that if you are in an enterprise environment disabling the WebClient service may cause some applications to lose functionality (particularly applications like Microsoft SharePoint). If you are in such an environment, I advise you to contact your Helpdesk for assistance in how to address this issue.
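The same change can be scripted, which also makes it easy to undo if an application turns out to depend on the service. This is an added example, not from the original post or from Microsoft's advisory; it assumes PowerShell 3.0 or later running elevated, and the function names and the state-file path are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell 3.0+ prompt.
# $StatePath is a hypothetical location for the rollback record.
$StatePath = Join-Path $env:ProgramData 'webclient-prior-state.json'

function Disable-WebClient {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) {
        Write-Warning 'WebClient service is not present on this machine.'
        return
    }

    # Save the original startup type and run state once, so a second run
    # does not overwrite them with "Disabled".
    if (-not (Test-Path $StatePath)) {
        [pscustomobject]@{ StartMode = $svc.StartMode; State = $svc.State } |
            ConvertTo-Json | Set-Content -Path $StatePath -Encoding UTF8
    }

    if ($PSCmdlet.ShouldProcess('WebClient', 'Set startup type to Disabled and stop')) {
        Set-Service -Name WebClient -StartupType Disabled
        if ($svc.State -eq 'Running') {
            Stop-Service -Name WebClient -Force
        }
    }

    # Show the resulting configuration so the change can be verified.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" |
        Select-Object Name, StartMode, State
}

function Restore-WebClient {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $StatePath)) {
        Write-Warning "No saved state at $StatePath; nothing to restore."
        return
    }
    $prior = Get-Content -Path $StatePath -Raw | ConvertFrom-Json

    # Win32_Service reports "Auto"; Set-Service expects "Automatic".
    $startup = switch ($prior.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { 'Manual' }
    }

    if ($PSCmdlet.ShouldProcess('WebClient', "Restore startup type $startup")) {
        Set-Service -Name WebClient -StartupType $startup
        if ($prior.State -eq 'Running' -and $startup -ne 'Disabled') {
            Start-Service -Name WebClient
        }
        Remove-Item -Path $StatePath
    }
}
```

Run `Disable-WebClient -WhatIf` first to preview the change, and `Restore-WebClient` to put the service back the way it was.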

Microsoft has no ETA for a fix for this issue, and as it is a core piece of Windows that affects how third-party applications interact with the OS, it may be a while before this can be addressed.

Monday, August 9, 2010

Microsoft Patch Day - Tuesday August 10

Microsoft will be releasing a record number of patches tomorrow, August 10th. A total of 14 bulletins will be released, addressing over 30 issues. Information on these patches can be found here.

So if you are a Windows user be aware that there will be a lot of updates recommended for your machine tomorrow. As always, I recommend that when this many patches come out at once, it's best to wait a bit before updating your machine, just to make sure there aren't any problems or compatibility issues with your software. If you want to do this you can turn off Automatic Updates from your control panel, just be sure to remember to turn it back on once you've installed the patches!

Thursday, August 5, 2010

Critical Microsoft Patch - Out of Band

I'm a little late on this one, however it's a critical patch for a vulnerability that is being widely exploited, so I figured I should post about it anyway.

Microsoft released an out of band patch to address a security vulnerability this Tuesday. This patch affects all versions of Windows and should be applied immediately.

So, if you're a Windows user run that Windows Update ASAP!

Thursday, July 29, 2010

Anti-Virus on Mobile Devices

As the mobile computing platform becomes more and more ubiquitous, it is inevitable that we'll start to see malware/spyware/viruses and other nasty things that used to be limited to the realm of PCs start to appear on these devices. It is interesting to me that we are seeing these appear in much the same way that they did when the PC moved from the realm of "geekdom" into the living rooms of suburbia: it's starting with screensaver and wallpaper apps.

So, it is time to start seriously considering using an anti-virus/anti-malware application on your mobile device. There are quite a few to choose from; on the Android platform I am partial to Lookout, and on the iPhone, Intego (if you're running a Mac).

Apple will argue that their platform is more secure because they keep their app store "locked down", however a few programs have managed to slip under their radar, so I'm not sure how comfortable one should be with relying solely on Apple to protect your device.

The Android marketplace is more open than Apple's store, however it provides you with a lot of information about what the applications are going to access... if you download a new wallpaper and it is accessing your IM and GPS, maybe you should think twice. While paying attention to what you're installing provides you some protection, there's really no reason not to install a virus scanner on your Android phone, it's free!

So keep in mind that your "cell phone" is no longer just a phone, it's a mobile computing platform that should be just as protected as your laptop or desktop computer. Pay attention to what you're installing and what it has access to, and take the same precautions that you would when installing software on your computer, and you'll be in good shape!

Monday, July 26, 2010

Still Waiting to Upgrade Internet Explorer?

Microsoft: IE8 barred 1 billion malware downloads | The Digital Home - CNET News

Perhaps the above article will help convince you...

If Microsoft's marketing bombardment pleading with people to upgrade their Internet Explorer to the latest version has fallen on deaf ears in your house, you may be interested to know that according to Microsoft the latest version of their browser has blocked over 1 billion malware downloads with the SmartScreen filter.

I have always recommended taking a "multiple vendor" approach to computer security. I'm a firm believer that you don't let the fox guard the coop, however I do know that in some networks (especially Windows shops) it isn't really possible to deploy another browser. So if you find yourself in a position where you simply must install Internet Explorer, I'd highly recommend running IE 8 over any other version as it is, in my experience, the most stable and secure version of the Microsoft offering.

Surf safe!

Friday, July 9, 2010

Microsoft Patch Day - Tuesday July 13

Microsoft has announced that it will be releasing four critical patches next Tuesday. One of these addresses the help file issue that I mentioned in an earlier post.

Be sure to set aside some time on Tuesday evening to install these patches.

Sunday, July 4, 2010

Facebook Exploit in the Wild

There's a "virus" going around on Facebook right now, and it seems to have spread rather quickly. A link to a website will be "liked" (recommended) by someone on your friends list. The link says "The Shocking Tattoo That Got This Girl's Parents Arrested" and the link appears to take you to a Blogger page. Embedded on that blogger page is a redirect that exploits the "like" button feature and adds this link to your Facebook profile.

I've been unable to find any official release from Facebook regarding this exploit; however, I have seen people recommending that once you see this link on your profile you remove it, change your Facebook password, and run a full virus scan. While this advice couldn't hurt, I think it's overkill: it's unlikely that this type of exploit would compromise your password or your computer system, and most likely just removing the recommendation or "un-liking" the link will suffice.

If Facebook releases anything on this, I'll update this post.

Monday, June 28, 2010

Adobe Patch Due Tomorrow

Pre-Notification - Quarterly Security Updates for Adobe Reader and Acrobat - Adobe Product Security Incident Response Team (PSIRT)

The above link is an announcement from Adobe regarding a patch for their Reader and Acrobat software that addresses the vulnerability I mentioned way back in April. According to the announcement this patch will be released tomorrow.

I highly recommend that you patch your systems with this critical update as soon as it becomes available. I've already seen a few attacks that leverage this vulnerability, so the sooner you protect yourself, the better.

Friday, June 18, 2010

Windows XP Vulnerability Being Exploited

I'm a little late to the party on this one, so my apologies for the delay in delivering this news.

Microsoft has released a workaround for an un-patched vulnerability in Windows XP. Earlier this week, this vulnerability was being actively exploited on the Internet.

If you are running XP, I recommend that you implement the workaround (note, however, that it will break your Control Panel and any other applications that rely on the HCP protocol until it is removed).

That being said, I want to briefly touch on one aspect of the disclosure of this vulnerability that is interesting to me. This vulnerability was discovered by a Google engineer, Tavis Ormandy, and he initially reported it to Microsoft on June 5th. Microsoft acknowledged the receipt of the report on the same day. Now, we all know that Microsoft delivers patches on Tuesdays, usually packaged up into one Tuesday a month, and I'm sure everyone can understand that you don't just write a patch and deploy it: you have to test it, make sure it doesn't cause more problems (or vulnerabilities) and ensure that it doesn't cause problems for other software on the system. There is no way any reasonable person would expect that Microsoft would have issued a patch for this immediately; it was going to take time to find a viable solution.

Apparently Mr. Ormandy didn't think that Microsoft was taking this threat seriously enough, so five days after reporting the issue to Microsoft he created an exploit for the vulnerability and posted it to a popular discussion group that deals with these types of software bugs.

There's been a lot of speculation about the motivation for this action, especially since Tavis Ormandy works for Google, and Google is one of Microsoft's competitors. Were his actions altruistic as he states (Microsoft was not responding in a timely manner, so I had to pressure them into acting, and then they did post a fix, so I was right to do this)? Or were his actions simply a marketing ploy to besmudge a competitor's reputation? Who knows, it's all speculation, right?

One thing I want to say is that when you are dealing with open source, the "marketing ploy" aspect of this type of disclosure becomes moot. The only reason that Microsoft has to complain is that they believe in "security through obscurity" which, as we can see, is not really any security at all. In an open development, vulnerabilities are discussed, awareness is high, and patches and workarounds are deployed rapidly because there's no attempt to cover up the problem while it is being worked on. Microsoft is doing a disservice to their customers by not notifying them of these vulnerabilities immediately so that the customers can take actions to protect their networks.

In any case, this is an interesting story and I will be watching to see how it unfolds in the press.

Friday, June 4, 2010

Microsoft Patch Day - Tuesday June 8

June 2010 Security Bulletin Advance Notification - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs

Next Tuesday will be a big patch day for all you Windows users. Microsoft will be releasing a slew of patches addressing several critical vulnerabilities (some of which are months overdue in my opinion.)

So be sure to set aside some time Tuesday or Wednesday to let those patches run!

Tuesday, May 25, 2010

Facebook Privacy Scanner

I've had a couple people mention to me in passing that they need to shore up their Facebook security settings, and of course I directed them here.

Today I stumbled upon reclaimprivacy.org which is a site that will scan your Facebook page and alert you to any information that is publicly available. It's pretty easy to use and works really well.

Yet another weapon in the Facebook privacy battle...

Tuesday, May 18, 2010

Steve Jobs and "Freedom"

I know I'm late to the party on this one, but I had to link this Gawker post with an email exchange between Ryan Tate and Steve Jobs. I think that it's great that Steve Jobs is so willing to engage with his customers and critics, even if it is 90% posturing and marketing spin.

I wonder what the exchange would have been like if Ryan had been Richard Stallman? It's interesting to me how the word "freedom" has taken on different meanings over the last decade or so. I quote the following from Merriam-Webster's dictionary:

Main Entry: free·dom
Function: noun
1 : the quality or state of being free: as a : the absence of necessity, coercion, or constraint in choice or action b : liberation from slavery or restraint or from the power of another c : the quality or state of being exempt or released from something onerous

I think when most of us talk about freedom we're thinking about 1a and 1b... I think that Apple looks at freedom as 1c and that the emphasis is on the word onerous:

Main Entry: oner·ous
Function: adjective
1 : excessively burdensome or costly
2 : involving a return benefit, compensation, or consideration onerous donation

Why, that definition sounds like a description of most Apple hardware! And, in the interest of full disclosure, I am typing this blog entry on a Mac...

Come on Steve, get with the program. No one buys that Apple is about freedom. Apple is about profit and as its CEO you have a fiduciary responsibility to protect that profit. No one is going to blame you for doing your job, but let's cut the "freedom" rhetoric... or at the very least practice what you preach and trade in your iPad for a Lemote Yeeloong, the only computer that actually can run all free software (and hence meet the primary definition of freedom).

Friday, May 14, 2010

Facebook Privacy Battle Rages On

Yesterday CNN had this article about how users are leaving Facebook due to privacy concerns, and Facebook fired another salvo in an attempt to protect its reputation by announcing a new service that is aimed at protecting private information.

While this new service will help prevent unauthorized access to your personal Facebook login unless you approve the access yourself (by answering a security question), and it would notify you of any attempts to access your account on unauthorized machines, I think that this quote from the Facebook engineer is more important than any new security feature; "As always, though, the first line of defense is you. We need you to help by practicing safe behavior on Facebook and wherever you go online".

In my mind, the main issue with Facebook's privacy problems is who they are intentionally sharing your private information with. I think that everyone who uses Facebook needs to take any announcement of "security improvements" or "privacy enhancements" with a grain of salt... the interface for Facebook could be made as secure as your online banking site, and it wouldn't change the fact that the "banker" (Facebook) is doling out your "money" (personal information) to anyone they choose. Facebook needs to stop putting the onus for privacy on their users, and start working to educate their users about how their information is being used.

Facebook needs to focus on making their privacy policy and settings clear and simple, and by default these settings should be locked down until the user decides that information should be shared. As long as people continue to be surprised when they find their personal information in unexpected places online, Facebook will have an uphill PR battle to fight. The issue isn't so much that the personal information is being monetized, it's that it's being done in a way that is not transparent to the user.

Friday, May 7, 2010

New Worm Spreads via Yahoo! IM and Skype

Bkis Blog » Skype – New target of the worm spreading via IM

The above blog has the details of a new worm (virus) that is being spread via obfuscated links in IM messages. I've posted about this type of thing before...

Remember you should always verify a link, file, image, etc. before opening it, even if it appears to come from someone you know. It's much less of a hassle to send a quick email or IM asking "did you really send me this link?" than it is to clean up the mess after you're infected!

Thursday, May 6, 2010

More Facebook Privacy Drama

Understanding Facebook's privacy aftershocks | The Social - CNET News

The above article continues to highlight the many dangers of posting too much personal information online. I thought I'd use this opportunity to reference my former article on protecting your personal information.

Remember, in many respects the Internet is still the Wild West... be careful out there!

Thursday, April 29, 2010

Whose Hotspot is it Anyway?

The other day I was reading an excellent article over on CNET about the dangers of AT&T's "free" WiFi. Basically, your iPhone will automatically connect to any WiFi network that claims it is an AT&T network. This means that anyone with a WiFi router and a little free time on their hands can trick your iPhone into joining their network. (Credit for this discovery should be given to Samy Kamkar of the MySpace worm fame. I'd link to his site but he's a prankster and I don't want to risk my readers' machines getting punk'd.)

You can address this issue on the iPhone easily enough by turning off the "auto join" feature in the WiFi settings. However, it should be mentioned that there's nothing preventing someone from creating a rogue hotspot near enough to a Starbucks or other location where legit AT&T connections exist, so the only real protection is to stay off of AT&T's WiFi network until they improve client security on the iPhone.

My intention in this post is not so much to delve into the particulars of this iPhone vulnerability, it's more to use this example as a springboard for discussing home WiFi security...

I am still shocked when I drive around my neighborhood and see the unsecured WiFi networks with the default SSID (network name). I've gone over this before so I won't go into the general details of WiFi security, however the article at CNET brings up another reason that I haven't touched on in the past:

If your home network is set to the default settings, that means that your laptop/phone/etc. will connect to any other network that is set up the same way. Depending on your client's firewall settings, this could potentially expose you to viruses, malware, or even prying eyes of other users on the network.

All of this can be avoided by simply changing the SSID and adding some kind of wireless security to your network. Again, my guide to doing this can be found here.

If you take a little time to set things up right, you save yourself a ton of headaches down the line.

Monday, April 26, 2010

The Death of the Floppy Disk

Sony has announced that they are winding down production of the floppy disk. It's the end of an era...

For all of us who used tape as storage and saved our pennies to be able to afford a disk drive for our home computer, we are now, officially, old. At least the record companies still make vinyl!

I bid a sad and fond farewell to our friend, the floppy disk, as it joins the legions of obsolete technology that are continually riding off into the sunset...

Friday, April 23, 2010

McAfee Mea Culpa

Just a quick post to link the apology that McAfee offered via their blog late last night. Luckily none of my clients were impacted by this!

Wednesday, April 21, 2010

McAfee DAT 5985 - Causing Computer Problems

There are some initial reports of the McAfee VirusScan update 5985 causing computers to crash. I have already seen this on three systems, all running Windows XP SP3.

I would highly recommend disabling auto-update until the bad update is repaired by Network Associates.

UPDATE: If you have been impacted by this, there is a KB article here to help you resolve the issue.

UPDATE #2: There is a full fix for the issue here. It's not a very simple fix, however I have tested it and it works.

Tuesday, April 20, 2010

Poor Gray Powell?

So I’m sure that anyone who hasn’t been living under a rock for the past two days is familiar with the scoop that Gizmodo had with the next generation iPhone being leaked. And the Internet is abuzz with chatter about the 27 year old software engineer who blew it big time and “lost” the new iPhone at a bar on his birthday, only to have it found and “sold” to Gizmodo.

However, the question still remains: was this truly a case of lost-and-found, or did Apple just perform another one of the “leaks” it is known for? Is this just a case of viral marketing? Either way, what will happen to poor Gray Powell?

Firstly you have to know a little history; Apple has been a master of “controlled leaks” in its past, using them to generate buzz about new products and updates to older lines. They’ve done this type of thing on purpose before, so there’s no telling if this is just an elaborate marketing scheme.

On the flip side, it is a pretty “big” leak, more like a burst dam, however that could be used to lend plausibility to the viral marketing (“Apple would never allow a leak this big!”)

But in either case what happens to Mr. Powell? If it was a legitimate case of losing the prototype, I’m sure that a harsh reprimand will be in order, perhaps even termination, and where does a Software Engineer with a reputation for losing prototypes and causing Internet scandals go to find work?

Some sites are commenting on the fact that a search on Gray Powell doesn’t turn up much. It seems conspicuous that in this day and age a 27 year old of any kind would have this small an Internet footprint… especially one who is a Software Engineer. However, it could be that this is a clue: maybe he’s really careful about his privacy because he understands the danger of putting too much information online. Yet that doesn’t sound like the type of guy that would go to a bar and drop a prototype by accident.

I don’t know if we’ll see or hear more from poor Gray Powell, but he sure has provided us some entertainment!

Tuesday, April 13, 2010

Adobe /Launch Exploit in the Wild

Sophos is reporting that some malware has been seen in the wild that exploits the /Launch vulnerability in Adobe that has been a major discussion around security blogs lately. Adobe will not be releasing a patch for this until tomorrow (even though it was supposed to come out today), so this qualifies as a 'zero day'.

I'd probably recommend steering clear of opening any PDF files off the Internet until this is patched. At the very least, if you open a PDF and get a pop-up that says it is damaged, click "Do Not Open" no matter what the pop-up says to do.

Surf safe!

Monday, April 12, 2010

Java Vulnerability

On Friday Google's Tavis Ormandy posted on Full Disclosure about a Java vulnerability that is easily exploited on all versions of Windows. This issue cannot be addressed by simply disabling the Java plug-ins; by my reading of the vulnerability, the only way to protect your computer is to stick to browsing only sites that you know are safe or to uninstall Java in its entirety.

According to CNet, Oracle (who owns Sun, who makes Java) is not considering this threat important enough to release an out-of-band patch to address the issue.

To me, this illustrates two important issues:

1) In an Enterprise environment it is critical to be aware of what is installed on your network so that you can have visibility into your exposure when these types of issues arise. I'd also make a case for "less is more" here: you don't need to install Java on every machine in your network, and it's better to only install programs like this on machines that actually require them to do their job so that you limit your risk when a problem like this occurs.

2) You can have the best practices in the world (have your computer fully patched, have anti-virus and anti-malware installed, run a firewall on your network, etc.) and still be exposed to critical vulnerabilities because a vendor decides that something like this isn't important enough to require an emergency patch.

In this case the only advice I can give you is to raise the "Internet Security Alert" system to orange, and to exercise extreme caution when using your browser until a patch is released. Then again, that's the advice I give every day...

Friday, April 9, 2010

Facebook Users - Beware of Hidden Video

There's a headline that will grab your attention! And that's just what this latest version of the 'koobface' worm wants to do. This time the worm is trying to trick users of the Facebook application to click on a link to "hidden videos", and if they do they get a pop-up asking them to install a codec to view the video with... unfortunately it's not a codec, it's a virus.

I know, dear readers, that I need not warn you about clicking on sketchy links... do I?

Tuesday, April 6, 2010

Google Releases Buzz Safety Video - Internet Safety

Google has released a video offering safety tips for their Buzz application. This got me to thinking about Internet safety, a topic that often comes up with clients who have children, especially pre-teens and teenagers.

First, a history lesson: I'd like to relate a story from my youth. When I was about 13 or 14 years old I saved up my allowance and (with a little help from my grandparents) purchased a modem for my Commodore 64. I'm not going to date myself by disclosing the exact year; however, it was about the same time that Steve Case made his first foray into the online world. The Internet still being in its infancy, Bulletin Board Systems (or BBSes) were all the rage. Through my school friends, I got the phone numbers for some local BBSes and began talking to the denizens of these online communities.

Now this was back in the day when the only people with computers were computer nerds, and one of the things (if not the only thing) that we discussed on these BBS systems was software. I was using the clunky, hokey software that came with my modem to connect to these systems, and it was problematic and cumbersome for me. Luckily (I thought), the community was ready to help, and one of the Operators of my favorite BBS offered to provide me with some better software. I was thrilled, and promptly gave him my home address so he could drop the floppy disks through our mail slot.

Well, you can see where this is going... my parents were none too thrilled when a shaggy, middle-aged, stranger sauntered up to our door and asked for their 13 year old son by name.

Now in my case I was lucky, the whole thing was innocent enough. The stranger genuinely wanted to help me with my computer, I learned a lesson about privacy and strangers, and likely the roots of my career in network security are in this story. However, we live in a different era now, and the Internet is rife with predators of all kinds.

So my clients are justifiably concerned about the safety of their children online. The questions I get run the gamut: "What software can I get to filter our Internet?" "How can I monitor what my kid is doing on his/her laptop?" "Is there a way to read my kid's email without them knowing?" You'd be amazed, even shocked, by some of the requests I get. The delicate thing for me is that the answer is not some piece of software or hardware that will protect any child who stumbles onto the Internet... the answer is twofold:

1) Education about safe use.
2) Having a healthy, trusting, relationship with your kids.

Obviously, step one is the easier of the two. That's the area where things like this Google video about Buzz can help. Making sure that your kid is just as careful online as he/she would be in a public park is a good starter.

As for step two... it's a little out of my area of expertise, except to say that the more you try to block/filter/spy on your kid's computer use, the less likely you are to know what's really going on. For every home network with a firewall and parental controls, there are three friends your child has who have unfettered Internet access and WiFi that they are happy to share. The best defense is making sure that your child understands the risks and can protect her/himself.

So if I were to offer a word of advice on this subject, it would be to take a couple of minutes and watch the Google video with your kid. It may start the conversation, and that's a step in the right direction.

Friday, April 2, 2010

Update Your Browser

Another round of critical updates was released this week. Sorry for the late notice, but some family issues prevented me posting about this in a timely manner.

Hopefully most of you have already updated your browsers, however if you haven't then be sure to update Firefox or Internet Explorer as soon as possible!

Tuesday, March 30, 2010

Standardization for Nimble I.T.

One of the things that both frustrates and amazes me is the difficulty I often face in getting I.T. Departments to standardize. From my perspective, it seems to me that standardization is a no-brainer; if, on any machine, you know what the settings should be, then it becomes a lot easier to troubleshoot problems. If you are remote and trying to walk a user through something over the phone, it’s a huge advantage to know that all the icons and settings are the same so you can visualize what that user sees. If your hardware is all the same, it becomes easy to keep spare parts on hand. These are just a few of the many advantages that any I.T. department can reap if they implement standards on their networks.

Yet even with all the advantages, I’ve found it hard to sell Standardization to I.T. Staff in general. I suspect that this may be partly due to the common misconception among some I.T. professionals that by keeping things complicated and difficult they are making their position more valuable and achieving some level of job security, even though in practice this is rarely the case, and often has the reverse effect of making one “too valuable” to promote.

In my experience, I.T. Teams are far more effective when they are able to collaborate well, and by having a level and understood playing field (which is another advantage that standardization provides) everyone is able to understand how things are set up and contribute to mitigating risks, increasing efficiency, and solving any problems that crop up on the network.

Speaking of problems, another advantage to standardization is that it makes anomalies a lot easier to identify. When everything on your network is set up the same, rogue machines or applications stick out like a sore thumb.

Lastly, having standards makes mergers or acquisitions a lot less painful. It’s far easier to integrate when at least one side of the network is standardized.

If you are ever in the position to start a network from scratch, or if you are ever put in charge of a network redesign or upgrade, these are perfect opportunities to implement standards, and I would strongly encourage anyone in this position to consider setting and documenting standards right from the start. It will make your life a lot easier down the line.

Friday, March 26, 2010

Don't Toss That Drive... Yet!

One of the more common questions I am asked is "How do I dispose of my old computer parts safely?" Usually this question is more about the proper disposal of e-waste (hint: you don't just throw it in the trash can), yet there is another side of disposing of old hardware that the average user rarely considers: how does one make sure that the information stored on this device does not fall into the wrong hands?

You may not know it, but when you delete a file from your computer it doesn't actually go anywhere. Deleting a file essentially just deletes the location ("address") of that file from the table ("phone book") on the disk drive that tells the computer where the file is located. Much like having an unlisted number doesn't actually remove your house from its location, deleting a file just unclutters the phone book and makes the file harder to find.

For someone with experience working on computers, it is relatively simple to read the contents of a disk and see the remnants of these files and the information contained in them. There are those unscrupulous individuals who actively search out old hard drives and computers in the hopes of uncovering personal information about the former user that can then be used for identity theft or other unsavory things.

You can see why it's not a good idea to just throw away your hard drive or donate your computer even if you've deleted your files (note: on most computers even formatting your hard drive only destroys the "phone book", leaving all the data intact on the drive). So are we all doomed to slowly fill up our garages or cupboards with old hard drives that we don't dare dispose of? How do we protect this data?

One way to do this is called "wiping" the hard drive. Wiping actually goes to the file's location on the disk and overwrites it multiple times with random data, making it harder to recover. Working off my earlier analogy of the phone book and the house, you can liken this to bulldozing your house and then unlisting your number... no one will find your house then! There are several applications that you can download that will do this type of wiping for you:

One of my favorite open-source options is Darik's Boot and Nuke. If you prefer a full-featured program that can even be used on individual files, BCWipe by Jetico will do Department of Defense level wiping. There's even wiping software built directly into your hard drive that you can use (I'll leave that to be explained by Robin Harris).

Once you successfully wipe all the data off your hard drive, you can safely donate it to your favorite charity or sell it at your next garage sale without worrying about your old Quickbooks data or tax returns falling into the wrong hands.
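The difference between deleting, formatting and wiping described in this post, shown as an added example that is not part of the original post. `ToyDisk` and its block layout are made up for illustration (it is not a real filesystem); the file table plays the "phone book" and `carve` plays the recovery tool that ignores it.

```python
import os

BLOCK = 16  # bytes per block on the toy disk (constructed value)


class ToyDisk:
    """In-memory stand-in for a drive: raw blocks plus a file table."""

    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)   # the data area
        self.table = {}                        # the "phone book": name -> (block, length)
        self.next_free = 0

    @staticmethod
    def _blocks(length):
        return -(-length // BLOCK)             # round up to whole blocks

    def write(self, name, data):
        if (self.next_free + self._blocks(len(data))) * BLOCK > len(self.raw):
            raise ValueError("toy disk is full")
        off = self.next_free * BLOCK
        self.raw[off:off + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += self._blocks(len(data))

    def delete(self, name):
        """Ordinary delete: drop the table entry, leave the blocks alone."""
        del self.table[name]

    def quick_format(self):
        """Format as the post describes it: a new empty table, same old blocks."""
        self.table = {}
        self.next_free = 0

    def wipe(self, name, passes=3):
        """Overwrite every block the file occupied with random data, then delete."""
        start, length = self.table[name]
        off, span = start * BLOCK, self._blocks(length) * BLOCK
        for _ in range(passes):
            self.raw[off:off + span] = os.urandom(span)
        del self.table[name]

    def carve(self, needle):
        """What a recovery tool does: ignore the table and scan the raw blocks."""
        return needle in self.raw


def demo():
    secret = b"2009 tax return: refund 1234 (constructed sample)"
    results = {}
    for method in ("delete", "quick_format", "wipe"):
        disk = ToyDisk()
        disk.write("taxes.txt", secret)
        if method == "quick_format":
            disk.quick_format()
        else:
            getattr(disk, method)("taxes.txt")
        # The file is gone from the table either way; is the data still on disk?
        results[method] = ("taxes.txt" not in disk.table, disk.carve(secret))
    return results


if __name__ == "__main__":
    for method, (unlisted, recoverable) in demo().items():
        print(f"{method:13} unlisted={unlisted} recoverable={recoverable}")
```

On a real drive the filesystem or the drive itself may hold extra copies of a file's blocks that a per-file overwrite never touches, so wiping the whole disk is the safer choice before disposal.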

Wednesday, March 24, 2010

Update Your Firefox

Firefox has released version 3.6.2 which addresses a major vulnerability that was disclosed on Monday. Update your Firefox immediately!

http://www.mozilla.com/firefox/

Thursday, March 11, 2010

Internet Explorer Exploit "In The Wild"

Microsoft released an Internet Explorer Security Advisory two days ago, and today security expert Moshe Ben Abu released exploit code for this vulnerability. This means that we'll likely see malware starting to use this vulnerability to infect computers pretty soon.

Microsoft recommends (as do I) that if you are running an old version of Internet Explorer it be upgraded to version 8 (you can get that for free, here). This will protect you from this new exploit.

Surf safe!

Wednesday, February 24, 2010

Documentation for Nimble I.T.

This article is aimed more at the I.T. Professional than at the layperson, however the fundamentals can be applied to many areas outside of Information Technology.

There are many areas in I.T. where poor documentation is a pain point. Most often the first experience people have with this problem is in programming; code that is poorly annotated can be fine if you’re the only one working on a program and you know all the ins-and-outs of what you’re doing (though some would argue that even in this situation good notes will make things easier in the long run), however when you begin to work in a team environment where more than one pair of eyes has to look at the code, good notes become imperative to the success of the team.

This is not a phenomenon that is limited to programming. I have witnessed huge numbers of hours lost trying to reverse-engineer a system that was poorly (or not at all) documented. Occasionally some of these systems have to be completely rebuilt from the ground up in order to resolve some issue that can’t be tracked down, resulting in large expenses of both time and money. I have also often been called in to address issues left behind by an employee who has left an organization suddenly and there is little or no clue as to what said employee was actually doing (either through laziness, or in a misguided attempt to attain job security by being the only one who understands the systems they support).

In all of the above situations, it is fairly obvious how good documentation would help. However, in my experience many I.T. professionals and managers don’t realize that good documentation can also make a more nimble and efficient I.T. organization, especially in lean environments.

When systems are properly documented, organizations aren’t stuck with resources that can’t be reassigned because they are the only ones who can maintain their area of responsibility. Good documentation allows you to cherry pick your best talent for important projects without worrying about the “hole” that will be made in the organization by that personnel being reassigned. Training new hires becomes a lot easier when there is a good set of documented policies and procedures in place for any duties a trainee will be learning.

Getting there can be a challenge; leadership has to cultivate a culture of documentation. Projects cannot be signed off as completed without good documentation being in place. Documenting becomes a part of implementation, and not something done after the fact.

This can be made easier by getting the staff to buy in and understand that documentation works to everyone’s advantage. One of the biggest hurdles is overcoming the all too common belief that hoarding information about processes and systems is a way to obtain “job security”; it should be pointed out that this behavior has a side-effect of getting one stuck on the corporate ladder.

Good documentation can make all the difference in your I.T. environment; it’s not just for coders anymore!

Monday, February 15, 2010

More Adobe Security Holes - Can't Catch a Break!

Adobe - Security Bulletins: APSB10-07 Security Advisory for Adobe Reader and Acrobat

Adobe has released the above security bulletin warning of more holes in its ubiquitous Flash and Reader applications. This comes on the heels of patches that were released almost exactly one month ago, to address other critical security holes.

Updates from Adobe will be available tomorrow, so be sure to patch your Adobe Reader (open Reader and click on Help -> Check for Updates...) and Flash (download here) first thing in the morning.

Monday, February 8, 2010

Microsoft Patch Day

Microsoft Security Bulletin Advance Notification for February 2010

Microsoft has announced that tomorrow they will be releasing several patches to fix two dozen bugs and vulnerabilities in their Windows and Office software. If you are running XP you will have five critical OS updates, if you are running Vista or Windows 7 you will only have three.

If you want to get the patches as quickly as possible, I'd recommend running Windows Update or Microsoft Update first thing Tuesday morning. If you want to wait and install them overnight, make sure that your auto-update is turned on and leave your computer on overnight to patch it.

Wednesday, February 3, 2010

iPhone Patch Released - 3.1.3

It's time to patch your iPhone and/or iPod. Apple released a patch last night that addresses several vulnerabilities in the iPhone OS; some of these vulnerabilities already have exploits that are out "in the wild".

To patch your device, hook it up to your computer and launch iTunes and it should find the update automatically. If it doesn't, click on your iPhone or iPod icon and click the Update button, then follow the prompts. Depending on your Internet connection, the update can take about 10 to 15 minutes to download (longer on slower connections) and it takes another 10 minutes to do the install. During this time you will be unable to make or receive calls.

Tuesday, February 2, 2010

Change Your Twitter Password

According to several reports this morning, there's been a widespread phishing attack targeting Twitter accounts. One of the company's founders is recommending that users change their passwords to protect their Twitter account.

Note that if you use the same password for other sites, you may want to change those too. I usually recommend that you use a different password for each application so that none of them are shared; that way you don't have to worry about changing all of them if one is compromised.

This touches on one of the points in a recent post of mine, where a URL is sent to a user (in this case a URL purporting to belong to Twitter that actually goes to a malware site using the old http://twitter.badsite.com trick) and when the user enters their login information it is harvested. Please be careful when you receive emails with links like this, especially if you're usually logged in to your social networking sites and all of a sudden you are being prompted for your credentials... this should make you suspicious. Sophos is reporting that these types of attacks have been on an upswing lately.

So instead of it being "follow friday" it's "threat tuesday", change your Twitter password today!

Thursday, January 28, 2010

Friend or Foe?

In past posts about online security I've mentioned that if you receive an email that you weren't expecting, even if it appears to be from someone you know, you should be cautious in opening it. Most people aren't aware that the protocol used for sending email, SMTP, is not secure, and that it's relatively easy to "spoof" an email address and make an email look like it's coming from someone else. A lot of spammers and viruses/worms take advantage of this flaw in SMTP and use it to try to trick people into opening emails they probably wouldn't otherwise view.

Sometimes it's not enough to secure your own computer and practice safe computing. You may have friends and family who aren't as careful as you are, and if their computer or information gets compromised it can lead to a higher risk that you might be compromised as well.

The Financial Times recently reported on the series of hacks at Google, and one of the things that the attackers did to gain access was to compromise the computers of friends of people who work at Google and use their messaging accounts to trick Google employees into clicking on links that compromised their own machines.

Earlier this month I posted about protecting your online identity. One thing to keep in mind is that even if you lock down your social networking profile so that only your "friends" can see it, you have no way of knowing if one of the people who can see your information is as careful with their account as you are with yours. A friend who forgets to log out of Facebook at a public kiosk will expose any information you have shared with them to a curious stranger who logs onto the kiosk after them.

In this day and age the old adage "trust but verify" has never been more appropriate. Next time a friend sends you a link, make sure that you think twice before clicking, you really have no way to know exactly who is on the other end of that email or IM!

Tuesday, January 26, 2010

Avast Releases New Version

Upgrade to the new avast! version 5

Avast has upgraded their free anti-virus to Version 5. This new version does away with some of the more annoying features of the older version (in particular, pop-ups that could interrupt what you were doing without warning).

If you already have Avast, click on the above link to upgrade. If you don't have it and are looking for free anti-virus software that does the job well, Avast is a good option!

Thursday, January 21, 2010

Internet Explorer "Zero Day" Patch - Macintosh Security Patch

Microsoft Security Bulletin Advance Notification for January 2010

The above bulletin from Microsoft announces that later today they will be releasing an "out-of-band" patch to fix a security hole in Internet Explorer. Preliminary reports state that this patch should be released around 10:00am Pacific time today.

The security hole that this patch addresses is the same hole that was used to hack Google earlier this month. With all the press that this story has received, the exploit has been released to the Internet, and there are already several malicious programs and sites that are using this security hole in an attempt to compromise people's computers.

If you are a PC user, I highly recommend that you run Windows Update (or Microsoft Update) this afternoon and install this critical patch.

About Security Update 2010-001

On the Macintosh front, the above link points to a security bulletin released by Apple that addresses several security holes in OS X. Macintosh users would also be wise to run Software Update today and install any needed patches.

The upshot is, if you're running a Mac or a PC, today is the day to install updates!

Tuesday, January 19, 2010

Protecting Your Personal Information

My last post regarding fraudulent fund raising for Haiti really demonstrates how in the modern age of social networking we have to be more careful than ever about protecting ourselves online. In today's post I want to talk a bit about how seemingly innocuous information can really put you at risk.

Entering your ZIP code into a website is a pretty common occurrence, and you'd think that this information wouldn't be very useful, however here are just two examples of things that use your ZIP code for security:

- Most gas pumps require your ZIP code when you use a credit card
- Some email services use your ZIP code as a part of a default password.

Now I know that you can't really have an online life without ever entering your ZIP code, I just wanted to point out that even information that you don't normally think twice about disclosing could possibly be exploited in the wrong hands.

So what do you do to keep safe?

First, keep your wits about you when you are entering any information into a browser. Check for security (https instead of http, the little lock in the address window or at the bottom of your browser, etc.) any time you're entering information that could be exploited. Most companies are very aware that consumers are concerned about security risks, and if their site isn't secure you shouldn't hesitate to call them and ask for another way to deliver your information. If an offer sounds too good to be true, it likely is... do your research! Make sure that links you click on in an email actually match once you've arrived there in a browser, just because it says www.yourbank.com doesn't mean that's where it leads (click that link and see what I mean).
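The check "does this link really go where it says" from the paragraph above, together with the twitter.badsite.com trick from the Twitter post, as an added example that is not part of the original posts. The function names, the sample e-mail and the trusted-domain list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a web address.
LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)


def host_of(url):
    """Hostname the browser will actually contact (no port, no user@ part)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collects (visible_text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html, trusted_domains):
    """Return (text, href, reason) for links that lead somewhere unexpected."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue
        dest = host_of(href)
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text)
            if shown.startswith("www."):
                shown = shown[4:]
            if not belongs_to(dest, shown):
                findings.append((text, href, f"text shows {shown}, link goes to {dest}"))
                continue
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in dest and not belongs_to(dest, domain):
                findings.append((text, href, f"'{brand}' is in {dest}, which is not {domain}"))
                break
    return findings


# Constructed sample message: two deceptive links, two honest ones.
SAMPLE_EMAIL = """
<a href="http://twitter.badsite.com/login">Sign in to Twitter</a>
<a href="http://www.example.net/yourbank">www.yourbank.com</a>
<a href="https://twitter.com/settings">twitter.com/settings</a>
<a href="https://www.yourbank.com/">www.yourbank.com</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, ["twitter.com", "yourbank.com"]):
        print(finding)
```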

When you are doing online banking, I always recommend that you close all other browser windows and tabs and use only your bank's site until you are done. When you finish an online banking session, use the "log out" or "log off" feature on the site and completely close your browser to clean out any remaining tokens or cookies from the banking session. I always recommend that you select a unique and strong password for your online banking, and that you never use that password for anything else. (This holds true for any financial website, such as your 401(k), stockbroker, or other investment site.)

Next, I'd recommend that you look into the security settings on any social-networking sites that you use. There are several great articles about how to securely use Facebook, Twitter, and other social networking services. Most of these services even offer their own guides regarding their privacy policy (Facebook's can be found here). Many services also have a method where you can check and see what a public user sees about you. If a site does not have this service, log out and do a search for yourself and see what you can see.

Once you've got your privacy settings squared away to your liking, the next thing to keep in mind is to think before you post. If "friends of friends" can see your information, you may want to refrain from posting "Just bought a new huge flatscreen TV and surround sound theatre, had to cancel alarm service in order to make payments" to your social networking site (especially if it's going to be followed by "Forgot the cables, have to go back to the store" ten minutes later). It's becoming more and more common for thieves to choose their targets carefully, and you don't want to give them any information that will make you a victim.

One final bit of advice would be to separate out your personal online space from your games. There are many popular games on social networking sites, however as these games grow in popularity they also grow in risk. By having a separate "gaming" avatar, you can protect your personal information and still have fun online. (Footnote: even with your personal information unexposed, there are still ways to get scammed playing these games, so please be careful out there!)

While it is wonderful that modern technology makes it so much easier to share information and connect with people, it comes with the responsibility of making sure that the technology is used in a safe way. Being aware of the risks where your personal information is involved, and taking steps to mitigate these risks, helps to avoid the problems that these new tools can bring without negating the benefits that this technology brings to our lives.

Friday, January 15, 2010

Out of Tragedy - Fraud

As we rally around the people of Haiti and think about what we can do to assist them in this time of dire need, it is important to make sure that our contributions are quickly distributed and spent in the areas most needed by those who are suffering in this disaster. Unfortunately, in this age of social networks and cell-phone donations it is also a time to be especially careful about how we offer our assistance.

There have already been several fraudulent emails and scams targeting users of email, Facebook, and SMS messaging. Not only do these schemes aim to steal the funds that so many are generously donating to Haiti, they are also stealing information about identities and gathering marketing data.

If you want to help the people of Haiti, be sure to take just a moment to investigate the person, organization, or method that you are using to contribute. A good resource to see where you can help is NPR’s website where they have posted a list of ways to help. Another good place to contribute is directly to the Red Cross. If you receive a solicitation for aid, you can check it out on Snopes.com, where you can perform a simple search to see if the plea is legitimate or not.

It’s times like these that we take our technology for granted, it’s important that we all do what we can, and that we see our aid is delivered quickly and honestly. After witnessing the tragedy in Haiti, it's important that we don't put ourselves at risk when we reach out to help.

Thursday, January 14, 2010

Critical Adobe Updates

Adobe - Security Bulletin APSB10-02 Security Advisory for Adobe Reader and Acrobat

Adobe has released a critical security patch that fixes a vulnerability in Acrobat and Reader which has been exploited by certain trojans and malware packages to infect computers. I've personally seen several machines that have been compromised through this hole, and you may have read the news that even Google was hacked via an exploit of this security hole.

Be sure to update your Adobe applications so that you don't become a statistic!