Thursday, April 29, 2010

Whose Hotspot is it Anyway?

The other day I was reading an excellent article over on CNET about the dangers of AT&T's "free" WiFi. Basically, your iPhone will automatically connect to any WiFi network that claims it is an AT&T network. This means that anyone with a WiFi router and a little free time on their hands can trick your iPhone into joining their network. (Credit for this discovery should be given to Samy Kamkar of MySpace worm fame; I'd link to his site, but he's a prankster and I don't want to risk my readers' machines getting punk'd.)

You can address this issue on the iPhone easily enough by turning off the "auto join" feature in the WiFi settings. However, it should be mentioned that there's nothing preventing someone from creating a rogue hotspot near enough to a Starbucks or other location where legit AT&T connections exist, so the only real protection is to stay off of AT&T's WiFi network until they improve client security on the iPhone.

My intention in this post is not so much to delve into the particulars of this iPhone vulnerability; it's more to use this example as a springboard for discussing home WiFi security...

I am still shocked when I drive around my neighborhood and see the unsecured WiFi networks with the default SSID (network name). I've gone over this before, so I won't go into the general details of WiFi security; however, the article at CNET brings up another reason that I haven't touched on in the past:

If your home network is set to the default settings, that means that your laptop/phone/etc. will connect to any other network that is set up the same way. Depending on your client's firewall settings, this could potentially expose you to viruses, malware, or even prying eyes of other users on the network.

All of this can be avoided by simply changing the SSID and adding some kind of wireless security to your network. Again, my guide to doing this can be found here.

If you take a little time to set things up right, you save yourself a ton of headaches down the line.
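
To check a Linux laptop for this problem, here is an added example (not part of the original post) that audits saved WiFi profiles for ones that would auto-join any open access point with a matching name. It assumes profiles in NetworkManager's keyfile (INI) format with the SSID stored as plain text; the SSID list, tag names and sample profiles are constructed for illustration.

```python
import configparser

# Illustrative factory-default / shared-hotspot names (assumption, not exhaustive).
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default", "attwifi"}

def audit_profile(keyfile_text):
    """Return risk tags for one saved WiFi profile in keyfile (INI) form."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return []
    ssid = cp.get("wifi", "ssid", fallback="")
    # NetworkManager auto-joins a saved profile unless autoconnect=false.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    # No [wifi-security] section means the saved network is open.
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback=None)
    tags = []
    if key_mgmt is None:
        tags.append("open")
    elif key_mgmt == "none":
        tags.append("wep")  # key-mgmt=none is static WEP
    if ssid.lower() in COMMON_SSIDS:
        tags.append("common-ssid")
    if auto and key_mgmt is None:
        # The network name is the only thing checked before joining.
        tags.append("auto-joins-any-ap-with-this-name")
    return tags

def auto_join_risks(profiles):
    """Names of profiles that will silently join a look-alike network."""
    return sorted(name for name, text in profiles.items()
                  if "auto-joins-any-ap-with-this-name" in audit_profile(text))

# Constructed sample profiles (not taken from a real machine).
SAMPLES = {
    "linksys": """
[connection]
id=linksys
type=wifi
[wifi]
ssid=linksys
""",
    "attwifi": "[connection]\nid=attwifi\ntype=wifi\nautoconnect=false\n"
               "[wifi]\nssid=attwifi\n",
    "maple-house": "[connection]\nid=maple-house\ntype=wifi\n"
                   "[wifi]\nssid=maple-house\n"
                   "[wifi-security]\nkey-mgmt=wpa-psk\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_profile(text))
```

Any profile the audit flags is a candidate for deleting or for switching off auto-connect, which is the same fix as the iPhone "auto join" setting above.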

Monday, April 26, 2010

The Death of the Floppy Disk

Sony has announced that they are winding down production of the floppy disk. It's the end of an era...

For all of us who used tape as storage and saved our pennies to be able to afford a disk drive for our home computer, we are now, officially, old. At least the record companies still make vinyl!

I bid a sad and fond farewell to our friend, the floppy disk, as it joins the legions of obsolete technology that are continually riding off into the sunset...

Friday, April 23, 2010

McAfee Mea Culpa

Just a quick post to link the apology that McAfee offered via their blog late last night. Luckily none of my clients were impacted by this!

Wednesday, April 21, 2010

McAfee DAT 5985 - Causing Computer Problems

There are some initial reports of the McAfee VirusScan update 5985 causing computers to crash. I have already seen this on three systems, all running Windows XP SP3.

I would highly recommend disabling auto-update until the bad update is repaired by Network Associates.

UPDATE: If you have been impacted by this, there is a KB article here to help you resolve the issue.

UPDATE #2: There is a full fix for the issue here. It's not a very simple fix; however, I have tested it and it works.

Tuesday, April 20, 2010

Poor Gray Powell?

So I’m sure that anyone who hasn’t been living under a rock for the past two days is familiar with the scoop that Gizmodo had with the next generation iPhone being leaked. And the Internet is abuzz with chatter about the 27-year-old software engineer who blew it big time and “lost” the new iPhone at a bar on his birthday, only to have it found and “sold” to Gizmodo.

However, the question still remains: was this truly a case of lost-and-found, or did Apple just perform another one of the “leaks” it is known for? Is this just a case of viral marketing? Either way, what will happen to poor Gray Powell?

Firstly, you have to know a little history: Apple has been a master of “controlled leaks” in its past, using them to generate buzz about new products and updates to older lines. They’ve done this type of thing on purpose before, so there’s no telling if this is just an elaborate marketing scheme.

On the flip side, it is a pretty “big” leak, more like a burst dam; however, that could be used to lend plausibility to the viral marketing (“Apple would never allow a leak this big!”).

But in either case, what happens to Mr. Powell? If it was a legitimate case of losing the prototype, I’m sure that a harsh reprimand will be in order, perhaps even termination, and where does a Software Engineer with a reputation for losing prototypes and causing Internet scandals go to find work?

Some sites are commenting on the fact that a search on Gray Powell doesn’t turn up much. It seems conspicuous that in this day and age a 27-year-old of any kind would have this small an Internet footprint… especially one who is a Software Engineer. However, it could be that this is a clue; maybe he’s really careful about his privacy because he understands the danger of putting too much information online. Yet that doesn’t sound like the type of guy that would go to a bar and drop a prototype by accident.

I don’t know if we’ll see or hear more from poor Gray Powell, but he sure has provided us some entertainment!

Tuesday, April 13, 2010

Adobe /Launch Exploit in the Wild

Sophos is reporting that some malware has been seen in the wild that exploits the /Launch vulnerability in Adobe that has been a major discussion around security blogs lately. Adobe will not be releasing a patch for this until tomorrow (even though it was supposed to come out today), so this qualifies as a 'zero day'.

I'd probably recommend steering clear of opening any PDF files off the Internet until this is patched. At the very least, if you open a PDF and get a pop-up that says it is damaged, click "Do Not Open" no matter what the pop-up says to do.

Surf safe!

Monday, April 12, 2010

Java Vulnerability

On Friday, Google's Tavis Ormandy posted on Full Disclosure about a Java vulnerability that is easily exploited on all versions of Windows. This issue cannot be addressed by simply disabling the Java plug-ins; by my reading of the vulnerability, the only way to protect your computer is to stick to browsing only sites that you know are safe or to uninstall Java in its entirety.

According to CNET, Oracle (who owns Sun, who makes Java) is not considering this threat important enough to release an out-of-band patch to address the issue.

To me, this illustrates two important issues:

1) In an Enterprise environment it is critical to be aware of what is installed on your network so that you can have visibility into your exposure when these types of issues arise. I'd also make a case for "less is more" here: you don't need to install Java on every machine in your network, and it's better to only install programs like this on machines that actually require them to do their job, so that you limit your risk when a problem like this occurs.

2) You can have the best practices in the world (have your computer fully patched, have anti-virus and anti-malware installed, run a firewall on your network, etc.) and still be exposed to critical vulnerabilities because a vendor decides that something like this isn't important enough to require an emergency patch.

In this case the only advice I can give you is to raise the "Internet Security Alert" system to orange, and to exercise extreme caution when using your browser until a patch is released. Then again, that's the advice I give every day...

Friday, April 9, 2010

Facebook Users - Beware of Hidden Video

There's a headline that will grab your attention! And that's just what this latest version of the 'koobface' worm wants to do. This time the worm is trying to trick users of the Facebook application into clicking on a link to "hidden videos", and if they do, they get a pop-up asking them to install a codec to view the video with... unfortunately it's not a codec, it's a virus.

I know, dear readers, that I need not warn you about clicking on sketchy links... do I?

Tuesday, April 6, 2010

Google Releases Buzz Safety Video - Internet Safety

Google has released a video offering safety tips for their Buzz application. This got me to thinking about Internet safety, a topic that often comes up with clients who have children, especially pre-teens and teenagers.

First, a history lesson: I'd like to relate a story from my youth. When I was about 13 or 14 years old, I saved up my allowance and (with a little help from my grandparents) purchased a modem for my Commodore 64. I'm not going to date myself by disclosing the exact year; however, it was about the same time that Steve Case made his first foray into the online world. The Internet still being in its infancy, Bulletin Board Systems (or BBSes) were all the rage. Through my school friends, I got the phone numbers for some local BBSes and began talking to the denizens of these online communities.

Now this was back in the day when the only people with computers were computer nerds, and one of the things (if not the only thing) that we discussed on these BBS systems was software. I was using the clunky, hokey software that came with my modem to connect to these systems, and it was problematic and cumbersome for me. Luckily (I thought), the community was ready to help, and one of the Operators of my favorite BBS offered to provide me with some better software. I was thrilled, and promptly gave him my home address so he could drop the floppy disks through our mail slot.

Well, you can see where this is going... my parents were none too thrilled when a shaggy, middle-aged stranger sauntered up to our door and asked for their 13-year-old son by name.

Now in my case I was lucky; the whole thing was innocent enough. The stranger genuinely wanted to help me with my computer, I learned a lesson about privacy and strangers, and likely the roots of my career in network security are in this story. However, we live in a different era now, and the Internet is rife with predators of all kinds.

So my clients are justifiably concerned about the safety of their children online. The questions I get run the gamut: "What software can I get to filter our Internet?" "How can I monitor what my kid is doing on his/her laptop?" "Is there a way to read my kid's email without them knowing?" You'd be amazed, even shocked, by some of the requests I get. The delicate thing for me is that the answer is not some piece of software or hardware that will protect any child who stumbles onto the Internet... the answer is twofold:

1) Education about safe use.
2) Having a healthy, trusting, relationship with your kids.

Obviously, step one is the easier of the two. That's the area where things like this Google video about Buzz can help. Making sure that your kid is just as careful online as he/she would be in a public park is a good starter.

As for step two... it's a little out of my area of expertise, except to say that the more you try to block/filter/spy on your kid's computer use, the less likely you are to know what's really going on. For every home network with a firewall and parental controls, there are three friends your child has who have unfettered Internet access and WiFi that they are happy to share. The best defense is making sure that your child understands the risks and can protect her/himself.

So if I were to offer a word of advice on this subject, it would be to take a couple of minutes and watch the Google video with your kid. It may start the conversation, and that's a step in the right direction.

Friday, April 2, 2010

Update Your Browser

Another round of critical updates was released this week. Sorry for the late notice, but some family issues prevented me posting about this in a timely manner.

Hopefully most of you have already updated your browsers; however, if you haven't, then be sure to update Firefox or Internet Explorer as soon as possible!