Category Archives: security

You network guys…

One of my clients has a problem. We’ll call him Melvin, because I like changing names when I tell stories.

Melvin doesn’t like network guys, and takes every possible opportunity to tell anyone within earshot. “You network guys don’t understand what’s going on over that wire, and you don’t want to.”

We do understand, but not the way he thinks network guys should. Melvin is wrong.


Misguided security, episode 14

I was working in a data center, where we had a couple of Cisco VOIP phones. I don’t know who put them in or when–it’s possible they predated me. We never got them working, but nobody ever really tried, either.

The idea was that two guys working on servers in different datacenters across the WAN might need to talk. The reality was that we didn’t do that very often and usually had other ways to do it–a cellphone being the most obvious option. Our networking guys always had much more pressing issues than getting the VOIP phones working, so the phones just sat there and looked pretty. Until the wrong guy noticed them one day, that is.


The circulating privacy threat warnings miss the boat

This week I’ve had multiple people send me warnings they saw on Facebook about a new privacy threat, which, after I read about it, really appears just to be something that aggregates information already available about you.

Perhaps not coincidentally, PC Magazine has a piece telling you what you need to do if you’re really concerned about privacy and really want to disappear. http://www.pcmag.com/article2/0,2817,2376023,00.asp

Some security-ish short takes

Windows 7 SP1 is coming soon. Possibly as soon as this weekend.

Historically, service packs tend to get off to a bit of a rocky start, so I’m not going to be installing this right away. But since it’s so imminent, I’m not going to be installing Windows 7 on anything else yet either. I’ll probably give it a couple of weeks, then slipstream and install. Being the first on the block to install a service pack usually isn’t a good idea. Seems to me that in one Slashdot poll several years ago, given the choice between installing a service pack on the first day or watching the movie Master of Disguise, the really bad Dana Carvey movie won out. There’s a reason for that.

Microsoft Security Essentials, Take 43,291. And while we’re picking on Microsoft, my biggest beef with Microsoft Security Essentials is that it doesn’t update itself quickly enough. But you can make it check for updates as frequently as every hour. Directions are at http://lifehacker.com/5733597/change-microsoft-security-essentials-update-frequency

They cite this as a good thing to do on laptops. I completely agree. My laptop gets used just sporadically enough that it has trouble staying updated, and usually, when I use it on the road, it’s not up to date at first, and it’s when you’re using strange networks that you most want to be up to date.

Frankly I think it’s a good thing to do on your desktop too. When the signatures get updated, would you rather get the updates right away, or tomorrow? I’ll vote for right away.

When I was administering antivirus for a living, when I updated my AV server, my clients got the updates within an hour or so. Sometimes it was within a few minutes. That system wasn’t even directly connected to the Internet. So if that system needed its updates that fast, so do home PCs.

Passwords. It’s now possible to test 400,000 passwords per second using Amazon’s services, at a cost of 28 cents per minute. So, testing 24 million possible passwords costs 28 cents.

Strengthen your passwords. Going to 16 characters with two uppers, two lowers, two special characters and two umlauts is overkill, but you want to be using more than 8 characters, and use at least one number, one upper and one lowercase letter, and one special character like a punctuation mark. If your password is something like “popcorn,” well, let’s do the math. It takes one second to test 400,000 passwords, and there are arguably a million words in the English language, so cracking a simple one-word password should take a maximum of two and a half seconds and cost 3 cents.

Defrag scareware

This isn’t exactly news, as word has been going around for a couple of weeks, but if you haven’t heard about it elsewhere, there are some fake defragmenters going around.

I heard mention of it today, and it reminded me that I saw one last week when I was working on my mother-in-law’s computer. This was especially obnoxious, considering that at the time, I was running Firefox and I was visiting a mainstream site.

So there are a couple of things you need to keep in mind.

Unlocking the Malicious Software Removal Tool

When Microsoft’s monthly security patches come down, if you’ve ever clicked on the button to see what it’s installing, you may have noticed the Malicious Software Removal Tool.

If you’re wondering, it’s a rudimentary antimalware tool that removes selected vermin from your system. It doesn’t remove all known malware. And I don’t know exactly how Microsoft decides what to remove and when. But given the number of people who don’t run any kind of antimalware software, it probably seemed like a good idea when they rolled it out in 2005. And in the first 15 months they pushed the tool out with the monthly patches, it removed 16 million instances of malicious software. Not bad.

The tool has some power that you can unlock that normally isn’t exercised when you do your monthly updates.

Note: In a corporate environment, you may not get the Malicious Software Removal Tool automatically if you’re managing Windows updates yourself. Microsoft has instructions for deploying it to your enterprise.


Don’t use Internet Explorer this Christmas

In case you haven’t heard elsewhere, there’s a nifty unpatched vulnerability for Internet Explorer floating around. And it’s actively being exploited. Metasploit, an exploit toolkit used by penetration testers and script kiddies alike, is able to detect and utilize it.

Under these circumstances, Microsoft has been known to rush out a patch before the next scheduled Patch Tuesday, but the Christmas and New Year’s holidays will obviously slow things down.

In the meantime, installing Firefox and/or Chrome is prudent. I have and use both, since, to my knowledge, there hasn’t been a time yet when both of the two most popular alternative browsers had unpatched exploits in the wild.

How to clean viruses off other people’s systems safely

What should you do when someone hands you a computer, tells you they think it has a virus, and asks you to clean it?

Proceed carefully, that’s what. You don’t want to infect your other computers with whatever it has.

To get it gone safely and effectively, you really need two things: an antivirus live CD, and a spare router.