Archive for the Security Category

So I Was On Vacation Over The Weekend….

Posted in Security, Tips on June 16, 2008 by itnerd

… And my wife and I ended up staying at a small Inn about 250 km north of Toronto. One of the things that they advertised was high speed Internet (as I needed access if I got an emergency call from someone). When we got to the Inn, there was no Ethernet jack. I flipped open my Macbook Pro and didn’t see a wireless connection (except for the one from the Inn across the street which was locked down). So my wife went to the office and came back with one of these powerline networking kits. I plugged it in and it worked right away.

This is where the fun begins.

I noticed from the IP address that I was assigned that the Macbook Pro was on the Internet with no firewall between the Macbook Pro and the Internet. Fortunately OS X has a built-in firewall that protects the computer from external attacks, so that was a non-issue for me. Also, I noted that there was another PC that was visible to me. It turned out to be the office PC that I was seeing. To top it off, the guest account was enabled and I was able to fully browse the file system of the computer as well as copy and place stuff on to the computer if I were so inclined (which I was not).

Clearly, security was not the Inn’s primary concern.

The take home message is as follows:

  1. Always have a firewall on your computer (or use a router that has one) if it is connected to the Internet and turned on. This way you are more or less protected from the outside world.
  2. Never assume that people can’t see the stuff on your computer. Assume that they can and take steps to prevent it, which includes disabling the “Guest” accounts on your computer.


The latter is important. Here’s how you do that under Windows XP:

  1. Right-click My Computer, and then click Manage.
  2. Click Local Users and Groups.
  3. Click Users.
  4. Right-click the Guest account, choose Properties.
  5. On the General tab, select Account is Disabled.
  6. Click OK.

Note: This only works on a Windows XP Home or Windows XP Professional computer that is NOT on a domain.

On Mac OS X 10.5, here’s how you do it:

  1. Go to System Preferences
  2. Click on the Accounts icon
  3. Highlight the “Guest Account” and ensure that “Allow Guests To Log Into This Computer” is unchecked.
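The Windows steps above can also be checked from a command prompt with the built-in `net user` command. The following is an added example, not part of the original post: it parses `net user Guest` output (English-locale wording is assumed, and the sample outputs are constructed) and reports whether the Guest account is still enabled.

```python
import re
import subprocess
import sys

# Constructed, abridged sample of English-locale `net user Guest` output.
_SAMPLE = (
    "User name                    Guest\n"
    "Full Name\n"
    "Comment                      Built-in account for guest access to the computer/domain\n"
    "Account active               {state}\n"
    "Account expires              Never\n"
)
SAMPLE_ENABLED = _SAMPLE.format(state="Yes")
SAMPLE_DISABLED = _SAMPLE.format(state="No")

ACTIVE_RE = re.compile(r"^Account active\s+(Yes|No)\s*$", re.MULTILINE | re.IGNORECASE)


def guest_is_active(net_user_output):
    """Return True/False from `net user Guest` output, or None if unparseable."""
    match = ACTIVE_RE.search(net_user_output)
    if match is None:
        return None  # localized Windows or unexpected output: do not guess
    return match.group(1).lower() == "yes"


def verdict(net_user_output):
    """Turn the parsed state into a one-line audit result."""
    state = guest_is_active(net_user_output)
    if state is None:
        return "UNKNOWN: could not find the 'Account active' line"
    if state:
        return "FAIL: Guest is enabled; disable it with: net user Guest /active:no"
    return "OK: Guest is disabled"


def query_guest():
    """Run `net user Guest` on the local Windows machine and return its output."""
    result = subprocess.run(["net", "user", "Guest"], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        print(verdict(query_guest()))
    else:
        # Not on Windows: run against the constructed samples instead.
        print(verdict(SAMPLE_ENABLED))
        print(verdict(SAMPLE_DISABLED))
```
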

Safari “Carpet Bombing” Flaw Is Potentially Serious Says ZDNet And Stopthebadware.org

Posted in Commentary, Security on May 30, 2008 by itnerd

You’ll recall that in a previous posting I wrote about three flaws in the Apple Safari web browser. I took Apple to task for not fixing all three flaws, which earned me the wrath of the Apple fanboi community (just look at the comments in that posting). Well it seems that others feel the same way that I do. Stopthebadware.org and ZDNet have postings that contend that these issues should be fixed now. In the case of Stopthebadware.org, Laureli Mallek contends:

“Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.”

And in the case of ZDNet, Ryan Naraine says:

“Think about it: A combo-attack where Dhanjani’s Safari vulnerability is used to drop a nasty executable on your desktop and another (known or unknown) vulnerability used to run it. Instant drive-by malware installation!”

Apple wants to play the security card by claiming that they are more secure than Windows. If they want to do that, they have to address issues like this when they appear as opposed to brushing them off as non-issues. I think part of the problem is that the Apple crowd have this impression that they are immune to the attacks that plague Windows users. The fact is that as the number of Apple users grows, the number of attacks that target the Apple platform will grow as well.

So Apple, do the right thing and fix these issues now.

In the meantime, I’ll continue to use Firefox.

Three Vulnerabilities In Safari…. Apple Will Only Fix 1…. WTF?

Posted in Commentary, Security on May 16, 2008 by itnerd

Apple loves to brag about Safari’s security by saying “Apple engineers designed Safari to be secure from day one.” (Go to www.apple.com/safari and click on security on the left side). But people keep finding holes in the browser that according to some are really serious.

Take Nitesh Dhanjani for example. He’s a security researcher who found three vulnerabilities in Safari and reported them to Apple. They in turn said that they would only fix one that they considered to be critical. As for the other two? He was told that Apple will look at them, but they will not do anything about them at this time. It’s a good thing that he wrote about these two issues in his blog for all to see. I’m guessing that Apple will do something about them now that they’re in the public eye.

If you take a look at these issues, they are things that, according to him, other browsers handle but Safari does not. So one could argue that Safari is lacking in some functionality that Internet Explorer and Firefox have. That bothers me. That’s also the reason why Firefox has been my default browser on my MacBook Pro for as long as I’ve had the machine. It appears that something I said in this blog some time ago is coming true. Apple is making decisions that make that “more secure than Microsoft” aura disappear. Which means that all the momentum that Apple has been gaining is at risk. All it takes is one high profile exploit using one of those issues (or some other issue that we know nothing about) for things to come tumbling down around them.

Buy A Refurb iPod, Get A Virus For Free

Posted in Commentary, Security on April 30, 2008 by itnerd

Ina Fried who writes for news.com decided to buy a re-certified iPod via buy.com to save a few bucks. But when he plugged it into his Mac, he got a nasty surprise. Namely the AdobeR.exe virus. He contacted buy.com who swapped it right away. When they looked into it further, they declared that it was an isolated incident.

Maybe it’s an isolated incident for them, but Apple had a bunch of brand new iPods ship with a virus on them back in 2006. Also, Best Buy had a bunch of picture frames ship with a virus recently as well. The fact is, anything that has some form of storage on it can have “unwanted passengers” hop on for a ride into your computer. The best thing that you can do is to make sure that you have up-to-date anti-virus protection (I recommend AVG Free for PC users. Mac users can try ClamXav) on your computer so that if you happen to be unlucky enough to have a product with a virus on it, you can at least stop it from doing any damage.

Another Sign That Vista Is Half Baked… UAC Is Easy For Coders To Bypass

Posted in Commentary, Security on April 28, 2008 by itnerd

I’ve made no secret of the fact that I think Vista sucks isn’t all that it’s cracked up to be. But I read something a few minutes ago that really says to me that I should stick with XP. Free software developers from the non-profit NeoSmart Technologies have published a report detailing their experience with coding around Windows Vista’s UAC (User Account Control) limitations, including the steps they took to make their software perform system actions without requiring admin approval or UAC elevation. Their conclusion? That Windows Vista’s improved security model is nothing more than a series of obstacles that in reality only make it more difficult for honest guys to publish working code, while not actually providing any true protection from malware authors. Note the key comment from these guys:

“Perhaps most importantly though, is the fact that Windows Vista’s newly-implemented security limitations are artificial at best, easy to code around, and only there to give the impression of security.”

The only upshot is that the methods that they employed make the code more secure in some ways, but still it’s a bit of a hole. I can’t wait for Microsoft to respond to the fact that their annoying pop ups telling you to cancel or allow something are just bullshit there for show and don’t actually provide any security.

Oh, here’s a document that describes what User Account Control is supposed to do for you.

Safari & Firefox Updated… More Security For You!

Posted in Products, Security on April 17, 2008 by itnerd

Last night brought two updates to two popular web browsers.

Apple’s Safari was updated to version 3.11 last night. The security fixes address four vulnerabilities, two of which are Windows only:

  • WebKit
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
    Impact: Visiting a malicious website may result in cross-site scripting
  • WebKit
    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2, Windows XP or Vista
    Impact: Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution
  • Safari
    Available for: Windows XP or Vista
    Impact: A maliciously crafted website may control the contents of the address bar
  • Safari
    Available for: Windows XP or Vista
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

The word on the street is that one of the two WebKit-related fixes resolves the bug that was recently used to successfully attack a MacBook Air in the CanSecWest PWN2OWN contest. This update is available through Software Update. It should also be noted that Software Update itself on the Windows platform was also updated last night.

Mozilla Firefox was also updated, to version 2.0.0.14, to fix a security issue with the JavaScript garbage collector. The update will eventually appear for Firefox users and will require a restart of the browser. Alternately, users can go to the “Help” menu and choose the “Check For Updates” option.

Bell: Throttles Your BitTorrent And Serves Up Malware Too

Posted in Commentary, Security on April 9, 2008 by itnerd

The Toronto Star has an interesting article about Bell Canada’s Internet Service (one assumes that they’re talking about Sympatico) carrying the most malicious activity in Canada. That would include things like viruses, malware, spyware, etc. A spokesman for Symantec (who authored the study) said the following:

“Since Bell is Canada’s largest Internet provider, it’s not surprising that its users were either knowingly or unknowingly responsible for 17 per cent of what’s termed “malicious” or “undesirable” activity here, said Dean Turner, Calgary-based director of Symantec’s global intelligence network.”

To absolutely nobody’s surprise, Bell rejects their findings. Jason Laszlo who is Bell’s sock puppet spokesman said the following:

“We flat-out refuse to accept these statistics as valid,” Laszlo said. “And if Symantec is not able to properly substantiate these claims, we will demand that they withdraw and amend their findings.”

Oooh… Symantec is soooo scared.

One has to wonder if part of the reason why they’re picking on Bell is due to the fact that Symantec supplies consumer security products to Rogers for their Internet offering. In any case, Bell can likely solve this problem by getting those beavers of theirs to stop throttling the DSL connections of their customers (both retail and their resellers) and have them focus on dealing with whatever issue (perceived or real) that they have with malware.

UPDATE: The Globe And Mail has a more detailed version of this story. One quote worth noting is that he believes that traffic shaping (aka: Throttling) can deal with this issue:

“The net side effect is that when traffic shaping takes place, there are things that ISPs can do to reduce levels of malicious activity but so can users,” he said.

That seems a stupid thing to say considering he also said this:

“Users have to assume responsibility for their actions. Some people will be unaware that their computers are behaving badly while other people will be perfectly aware that their computers are behaving badly.”

That last statement implies that education and not throttling is the answer. In any case, he needs to clarify his statement.

UPDATE #2: Here’s a link to the actual research paper that I believe the article was referring to. (Warning: PDF Attached) The weird thing is that Bell is not mentioned in this PDF, but the rest of the facts in the PDF fit.

Your Router May Not Be Safe From Hackers

Posted in Security, Tips on April 8, 2008 by itnerd

If you’ve got a router on your home computer network made by D-Link or Linksys among others, then you need to read this story where researcher Dan Kaminsky (who will give the details of his hack tomorrow at the RSA Conference) has discovered a way to take over a router using a specially crafted web page. Here’s how PC World describes the hack:

“The victim would visit a malicious Web page that would use JavaScript code to trick the browser into making changes on the Web-based router configuration page. The JavaScript could tell the router to let the bad guys remotely administer the device, or it could force the router to download new firmware, again putting the router under the hacker’s control.”

This hack relies on the fact that the administrative passwords are rarely changed on most consumer routers by the people who own them, or are easily guessed. So the best way to protect yourself from this type of hack is to do two things:

  1. Disable remote administration: This feature allows you to remotely administer the router from OUTSIDE your network. That’s a major security risk. Most routers have this feature turned off by default and you should ensure it stays that way.
  2. Change the administrative password of the router when you install it: I can’t stress this enough. You wouldn’t leave your front door open on your home. Why do the same with your router? Pick a password that is not easily guessed or has special characters in it (for example, you could pick the word “password” but type “pa$$word” instead). While you’re at it, you should do the same thing for any wireless access you may have so that you stop the bad guys from using your Internet connection behind your back.

If you’re not sure how to do either of those items, consult your manual or check the support section of the company who makes your router. They often have “how to” guides that can be of assistance.

Vista Gets Owned In Hacking Contest. LINUX Remains Unbroken.

Posted in Commentary, Security on April 1, 2008 by itnerd

A week after OS X got hacked at CanSecWest, Windows Vista fell to hackers participating in the PWN2OWN contest. Shane Macaulay (who ironically hacked OS X in last year’s contest) successfully compromised a fully patched Vista system using a Flash exploit. For his trouble, he managed to score $5000 and a Fujitsu U810. Not a bad day’s work. While it didn’t take two minutes like Charlie Miller’s hack of OS X, it still proves that two mainstream operating systems are vulnerable to hackers. As it stands, Ubuntu LINUX is still unhacked. It will be interesting to see if that continues to be the case.

Is Apple Insecure? Yes Say Researchers.

Posted in Commentary, Security on March 31, 2008 by itnerd

On the heels of being the first OS that was hacked at CanSecWest last week (via the Safari browser), not to mention having two highly critical security issues with the Windows version of Safari, comes the news that Apple is actually behind Microsoft in the way it addresses security issues (another view of this can be found here). The two guys who researched this found that the time it takes Apple to patch an issue has increased significantly, and Apple products are now experiencing more security related issues than ever before. Think about that for a second. This means that either Microsoft has come a long way in terms of improving its response to security issues, or Apple has taken a huge dive. Personally I think it’s a bit of both. But in any case, this is something that Apple is going to need to address right now. Otherwise, I think you’ll see that all the momentum that Apple gained from the mis-steps of Windows Vista is going to swing in the other direction as the shine from being “more secure than Microsoft” wears off.