December 24, 2008
2008 In Security Stories
Looking back over the year’s stats, here are some of the top items we ran:
- Quitting Facebook - Why Did It Take the NYT?
- Man Uses Facebook Address Book Tool, Goes to Jail
- Security: Thunderbird vs. Outlook
- Facebook and MySpace Back New York Sex Offender Law
- Privacy Drives Google Chrome Fork
- Google Zen: The Answerless Answer
- Crack a Locked iPhone in Three Taps
- GoolagScan is Dork-in-a-Box
- Porn-Loving Mac Users in Trojan’s Crosshairs
- G-Archiver Harvests Your GMail Account Name & Password
- Anti-DRM Riot Sweeps Through Amazon Spore Reviews
Observations? Four of the eleven items are about Google, and they say something about the company’s odd position:
- Privacy Drives Google Chrome Fork
- Google Zen: The Answerless Answer
- GoolagScan is Dork-in-a-Box
- G-Archiver Harvests Your GMail Account Name & Password
On one hand, you have Google working hard to bake privacy and security controls into Chrome. On the other, you have the company’s ongoing campaign to get us all over its data retention policies. Of that I wrote:
“The company makes genuinely great products that do improve over time, to the point it’s easier to focus on what we can easily see — Google Maps, Gmail — than what we can’t see so easily — an implicit agreement to risk or simply forfeit our privacy so Google’s advertising efficiency can improve.”
The other two Google stories were about a skeezy developer who wrote a seemingly helpful Gmail archiving app that quietly harvested usernames and passwords; and the usefulness of Google as a tool for blackhats.
Maybe I could be accused of having a list that skews Google because I’ve got some kind of obsession, but when you consider the breadth of topics represented by those four items, it suggests that Google’s ubiquity is part of the story.
A few social networking items are also on the list, showing again a certain breadth in topics:
- Quitting Facebook - Why Did It Take the NYT?
- Man Uses Facebook Address Book Tool, Goes to Jail
- Facebook and MySpace Back New York Sex Offender Law
I’ve dropped a lot of my reserve about using Facebook after deciding a privacy blogger ought not be abstaining from something he’s prone to criticize. I could create a phony account and use it to run roughshod over my own imaginary creation’s privacy, but there’s no real motivation to understand how it works with nothing on the line. So I have a Facebook account and I work to keep my personal and professional associations in the correct silos. It seems more like work than socializing.
Posted by mhall at 4:29 PM
December 17, 2008
Yahoo Ratchets Down Data Retention Period
“Yahoo said Wednesday it will anonymize most of the data it collects about people’s Web searches after three months, a move that could put further pressure on competitors Google and Microsoft to do the same due to privacy concerns.
“Yahoo, which previously kept the data for 13 months, will now retain it for the least amount of time compared to its rivals.
“Google said in September that it would anonymize data after nine months, down from 18 months. Microsoft keeps data for 18 months, although it said earlier this month it would reduce the period to six months if its rivals did the same.”
Good for Yahoo, but I have to wonder if the company is in any position to put pressure on anyone, let alone Google.
(Link)
Posted by mhall at 5:11 PM
December 16, 2008
Microsoft Stays Classy on OneCare Drawdown
“Microsoft announced plans last month to kill off its subscription-based, Live OneCare security package. Did it forget to tell customers?
“The software giant continues to send e-mail renewal notices for the full $49.95 annual subscription rate, even though Microsoft (NASDAQ: MSFT) said in November it plans to transition to a free security offering, code-named Morro, starting in the second half of 2009.”
You know … even going half-price on the renewal would be polite.
(Link)
Posted by mhall at 7:04 PM
December 5, 2008
Social Networking Kills (Ongoing)
Social Network Profile Costs Woman College Degree:
“Forget losing your job, apparently your MySpace or Facebook profile and photos can now cause you to lose your degree. In what may be one of the most frightening rulings regarding social networks and privacy to date, a federal judge has ruled against a former student of Millersville University of Pennsylvania who was denied her college degree because of an unseemly online photo and its accompanying caption found on her social network profile.
“The woman, Stacy Snyder, sued Millersville in 2007. Snyder was student-teaching at a high school, but had received poor evaluations regarding her professionalism in the classroom. Before her semester-long teaching assignment was up, she was barred from campus. However, it was not the negative reviews that caused her to be barred nor were they responsible for the loss of her degree. It was a MySpace photo.
“In the photo, Snyder was posed standing with a cocktail. The caption read ‘drunken pirate.’ It was accompanied by a note which made reference to her supervising teacher. That led to the school’s decision to end her assignment, which in turn meant she now no longer qualified for her bachelor’s degree in education.”
Well … o.k. MySpace didn’t kill anybody. Having worked at a high school for several years, and having seen some student teachers who were supernovae of incompetence, I’m moved to wonder what this woman did to get barred from campus. (ReadWriteWeb’s writeup would benefit from taking that into account … yes, doing whatever was required to get barred from campus “negates her years of completed course work towards her education degree.”)
Also, Facebook’s got a worm:
“Facebook’s 120 million users are being targeted by a virus dubbed ‘Koobface’ that uses the social network’s messaging system to infect PCs, then tries to gather sensitive information such as credit card numbers.
“It is the latest attack by hackers increasingly looking to prey on users of social networking sites.
“‘A few other viruses have tried to use Facebook in similar ways to propagate themselves,’ Facebook spokesman Barry Schnitt said in an e-mail. He said a ‘very small percentage of users’ had been affected by these viruses.
“‘It is on the rise, relative to other threats like e-mails,’ said Craig Schmugar, a researcher with McAfee.”
Facebook spokesman Schnitt’s characterization of the virus’ limited spread is something that little of the coverage is willing to pin down, though a brief bit at Mass High Tech reports “hundreds of Boston journalists, ad execs and public relations professionals” have at least been sent the Koobface e-mail from an infected contact.
Posted by mhall at 1:30 PM
December 2, 2008
UPDATED: Apple to Users: Double Up on Prophylactics
The Register on an Apple technical note that may have been written while high:
“Apple goes further than just recommending the use of one scanner to advise the use of multiple tools. ‘Apple encourages the widespread use of multiple anti-virus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult,’ it said.
“Quite aside from the expense, the use of multiple anti-virus scanners could affect system performance and smacks of overkill. Users who use one anti-virus scanner, a personal firewall and keeping up to date with patching would be safer than just relying on two anti-virus scanners to bail them out of trouble, according to general security best-practice.
“Using multiple scanners on mail gateways and servers makes sense, but on the desktop the advice is a lot more questionable.”
The news people will latch on to is that Cupertino itself is recommending the use of AV software, but the thought of going beyond that recommendation to suggest people double up and run two AV apps? Maybe Norton, Intego and McAfee wrote checks in identical amounts.
Alternatively, as was pointed out by a colleague, maybe Apple meant it would be good to have more than one antivirus product out on the market. You know … let one hundred viruses blossom and let one hundred antivirus solutions contend.
UPDATE: Awww … Apple pulled the page because it was “old and outdated,” which is odd considering WaPo’s Brian Krebs, who noticed it in the first place, said it went up on 11/21.
(Link)
Posted by mhall at 12:09 PM
November 25, 2008
The Nekkid Photos Were Coming From INSIDE THE IPHONE
This would be a cautionary tale if it didn’t involve doing stuff nobody needs to be told not to do. And if it were true:
“According to a story in the Associated Press, Phillip Sherman accidentally left his iPhone behind at a local McDonald’s franchise in Fayetteville, Arkansas.
“After he returned to retrieve it, he said he discovered nude photos of his wife that he’d stored on his iPhone had been illegally distributed on the Internet without his consent.
“Now he and his wife, Tina, are suing the McDonald’s Corp., the franchise owner and the store manager for $3 million in damages, according to the AP, for ‘suffering, embarrassment and the cost of having to move to a new home.’ The suit says that Sherman left the phone at the McDonald’s in July and that employees promised to secure it until he returned.
“Whatever the outcome of the case, security experts say it’s another example of how unauthorized access and distribution of inappropriate or confidential content can ignite corporate brand disasters and data security headaches.”
Imagine my disappointment when the Houston Chronicle said the story’s likely a hoax, serving to rope in ‘net horndogs who occasionally end up with malware on their computers.
(Link)
Posted by mhall at 12:05 PM
November 21, 2008
Worm Drives Military to Ban Removable Storage
“The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.
“The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to ‘floppy disks,’ is supposed to take effect ‘immediately.’ Similar notices went out to the other military services.
“In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute.”
I had the pleasure of serving as an Information Systems Security NCO (ISSNCO) while I was stationed at Ft. Bragg. The only thing surprising about this particular article to me is that it’s happening now. The amount of crap people drug back and forth between their laptops and their home computers was astounding.
On the other hand, back when I was worrying about what people were up to on their laptops, echelons below battalion were seldom even allowed to have a live Internet connection of any sort. When the CO wanted a networked printer, we ended up buying some bizarre $89 collection of parallel port dongles that connected to each other with telephone wire and “networked” with a printer by sending each other little “I’m using the printer!” signals.
(Link)
Posted by mhall at 4:50 PM
November 19, 2008
Free OneCare: Killer Generosity from Microsoft?
“Microsoft said Wednesday it will discontinue sales of its subscription PC security service and instead offer free software to help protect computers from viruses, spyware and other threats.
“With the move, the software giant appears to be taking aim at McAfee and Symantec, its chief rivals in the PC security market.
“Microsoft (NASDAQ: MSFT) plans to halt sales of its Windows Live OneCare service on June 30. The service being discontinued costs $49.95 a year and covers up to three PCs.
“The new security program, which the company has code-named ‘Morro,’ will be available as a free download in the second half of next year.”
I like the “appears to be taking aim at McAfee and Symantec” bit. Microsoft appeared to be taking aim at McAfee and Symantec three years ago when it started giving away its anti-spyware software and bought Sybari to start working on more comprehensive client-side security software.
McAfee and Symantec started running for cover in 2005 through increased pushes into the enterprise, and they haven’t really looked back, even though OneCare was pretty anemic and got off to a horrible start.
I’d say this is less about “taking aim” at anybody than it is giving its putative rivals the finger on its way out of a market it wasn’t doing so well in.
(Link)
Posted by mhall at 4:41 PM
November 13, 2008
New Safari Intros Anti-Phishing Measures
Apple released Safari 3.2 today. The big news is that it includes phishing protection similar to that offered by other browsers, but it also includes a number of security fixes (most of which seem to apply to the Windows version of Safari).
The phishing protection takes the form of a bit of text in the upper right corner of a Safari window. When visiting a site with an Extended Validation (EV) SSL certificate, Safari shows the site’s verified name in that spot, as in this screen shot from a visit to PayPal:

In February, PayPal’s CISO advised users to avoid Safari because of its lack of EV SSL support, which had the predictable effect of upsetting a lot of people who promptly argued that it didn’t matter anyhow.
Now everybody wins, even though at least one study shows that 70 percent of us ignore the presence (or absence) of EV SSL indicators when our browsers provide them.
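What sits behind that bit of text is a decision the browser makes from the certificate itself: it reads the certificatePolicies extension, and only when one of the asserted policy OIDs is an EV policy does it display the organization the CA verified. The Go program below is an added example written for this page, not Apple’s or PayPal’s code. It assumes a simplified rule, recognising only the CA/Browser Forum’s generic EV OID 2.23.140.1.1 (a real browser matches each root CA’s registered EV OIDs), and it uses constructed self-signed certificates for an imaginary “Example Bank Corp.” to exercise the logic. The point worth seeing in code is that the indicator is driven by the policy extension plus the subject organization, so a perfectly valid domain-validated certificate, which is all a phishing site normally has, shows nothing at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// The certificatePolicies extension (2.5.29.32) and the policy OIDs used below.
// Assumption: this toy client recognises only the CA/Browser Forum's generic EV
// OID 2.23.140.1.1; a real browser keeps a per-root list of each CA's own EV OIDs.
// 2.23.140.1.2.2 is the organisation-validated (OV) OID and must not earn a badge.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	evPolicyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	ovPolicyOID            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers are kept raw.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       asn1.RawValue `asn1:"optional"`
}

// EVLabel decides what the indicator shows for a certificate whose chain has
// already been validated: the verified organisation and country, for example
// "Example Bank Corp. [US]", and true only when an EV policy is asserted and a
// subject organisation is present; otherwise "" and false, meaning show nothing.
func EVLabel(cert *x509.Certificate) (string, bool) {
	isEV := false
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			return "", false // malformed extension: fail closed, no badge
		}
		for _, pi := range infos {
			isEV = isEV || pi.PolicyIdentifier.Equal(evPolicyOID)
		}
	}
	if !isEV || len(cert.Subject.Organization) == 0 {
		return "", false
	}
	label := cert.Subject.Organization[0]
	if len(cert.Subject.Country) > 0 {
		label += " [" + cert.Subject.Country[0] + "]"
	}
	return label, true
}

// makeCert builds a self-signed test certificate (constructed sample data) for org
// asserting the given policy OIDs; with none it carries no certificatePolicies
// extension at all, like a typical DV certificate. Real EV certificates come from
// an audited CA; self-signing here only exercises the parsing and decision logic.
func makeCert(org, country string, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test", Organization: []string{org}, Country: []string{country}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(policies) > 0 {
		infos := make([]policyInformation, len(policies))
		for i, p := range policies {
			infos[i].PolicyIdentifier = p
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, oids := range [][]asn1.ObjectIdentifier{{evPolicyOID}, {ovPolicyOID}, nil} {
		cert, err := makeCert("Example Bank Corp.", "US", oids...)
		if err != nil {
			panic(err)
		}
		label, show := EVLabel(cert)
		fmt.Printf("policies %v: show badge=%v label=%q\n", oids, show, label)
	}
}
```

Running it prints a badge only for the certificate that asserts the EV OID; the OV and DV certificates, although equally valid for TLS, produce no label, which is the whole value of the indicator against a phishing site that has obtained an ordinary certificate for a look-alike name.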
Posted by mhall at 6:33 PM
November 11, 2008
Kaminsky Vulnerability Still Present in 10 Percent of DNS Servers
“More than 10 percent of the Internet’s DNS (Domain Name System) servers are still vulnerable to cache-poisoning attacks, according to a worldwide survey of public-facing Internet nameservers.
“‘We estimate there’s 11.9 million nameservers out there, and over 40 percent allow open recursion, so they accept queries from anyone. Of those, a quarter are not patched. So there’s 1.3 million nameservers that are trivially vulnerable,’ said Liu, who is Infoblox’s vice president of architecture.
“Other DNS servers may well allow recursion, but are not open to everyone, so they were not picked up by the survey, he said.”
(Link)
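The two conditions in Liu’s estimate, “allow open recursion” and “not patched,” are both things an operator can check on their own resolver. The Go program below is an added example, not from Infoblox’s survey or the quoted article. It parses the DNS message header to see whether a response sets the RA (recursion available) flag for a client that asked for recursion, and it classifies a sample of a resolver’s outgoing query source ports as fixed, sequential or randomized, since the Kaminsky-era fix is source-port randomization: an unpatched resolver leaves only the 16-bit transaction ID for matching an answer to its query. The responses and port lists are constructed samples; the port classification is the kind of check the DNS-OARC port test offered at the time, and with a small sample it can only flag obviously weak patterns.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Header holds the fields of the 12-byte DNS message header (RFC 1035 §4.1.1)
// that matter for the two checks below.
type Header struct {
	ID      uint16
	QR      bool  // 1 = response
	RD      bool  // recursion desired, copied from the query
	RA      bool  // recursion available: the server will recurse for this client
	RCode   uint8 // 0 NOERROR, 5 REFUSED, ...
	QDCount uint16
	ANCount uint16
}

// ParseHeader decodes a DNS message header and rejects truncated input.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, fmt.Errorf("dns: message too short (%d bytes)", len(msg))
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	return Header{
		ID:      binary.BigEndian.Uint16(msg[0:2]),
		QR:      flags&0x8000 != 0,
		RD:      flags&0x0100 != 0,
		RA:      flags&0x0080 != 0,
		RCode:   uint8(flags & 0x000F),
		QDCount: binary.BigEndian.Uint16(msg[4:6]),
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
	}, nil
}

// OffersRecursion reports whether a response advertises recursion (RA set) to a
// client that asked for it (RD set). When the probing client sits outside the
// operator's own network, a true result is the "open recursion" the survey counts.
func OffersRecursion(resp []byte) (bool, error) {
	h, err := ParseHeader(resp)
	if err != nil {
		return false, err
	}
	return h.QR && h.RD && h.RA, nil
}

// AssessSourcePorts classifies the UDP source ports a resolver used for a run of
// consecutive outgoing queries. Unpatched resolvers used one fixed port or a
// predictable stride, so only the 16-bit transaction ID distinguished a genuine
// upstream answer from a forged one; patched resolvers draw each port at random.
// "randomized" here means only that no weak pattern was seen in the sample.
func AssessSourcePorts(ports []uint16) string {
	if len(ports) < 2 {
		return "insufficient sample"
	}
	fixed, sequential := true, true
	stride := ports[1] - ports[0] // uint16 arithmetic wraps, so 65535 -> 0 is stride 1
	for i := 1; i < len(ports); i++ {
		if ports[i] != ports[0] {
			fixed = false
		}
		if ports[i]-ports[i-1] != stride {
			sequential = false
		}
	}
	switch {
	case fixed:
		return "fixed"
	case sequential:
		return "sequential"
	default:
		return "randomized"
	}
}

// Constructed sample responses (header only; ID 0x1234, one question).
var (
	// flags 0x8180: QR=1 RD=1 RA=1 RCODE=NOERROR, one answer: recursion offered.
	openResponse = []byte{0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00}
	// flags 0x8105: QR=1 RD=1 RA=0 RCODE=REFUSED: recursion not offered to this client.
	closedResponse = []byte{0x12, 0x34, 0x81, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
)

func main() {
	for name, resp := range map[string][]byte{"open": openResponse, "closed": closedResponse} {
		ra, err := OffersRecursion(resp)
		fmt.Printf("%s resolver: offers recursion=%v err=%v\n", name, ra, err)
	}
	for _, ports := range [][]uint16{
		{32768, 32768, 32768, 32768},       // unpatched: one fixed port
		{1024, 1025, 1026, 1027},           // unpatched: incrementing port
		{53021, 1097, 61733, 22840, 40012}, // patched: constructed random draws
	} {
		fmt.Printf("%v -> %s\n", ports, AssessSourcePorts(ports))
	}
}
```

The header parser is enough to run the recursion check against a real resolver by sending a query with RD set from an outside address and feeding the reply to OffersRecursion; the port check needs a packet capture of the resolver’s own upstream queries, and the longer the capture the more a “randomized” verdict is worth.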
Posted by mhall at 3:47 PM