BitTorrent Exploit Discovered in Opera

Post ImageAs much as I love Opera, it is still just software, and that means it too is vulnerable to security issues. Maybe not as badly as IE or Firefox, but vulnerable nonetheless. That said, I’d be remiss if I only posted about Opera’s positives and ignored this bit of news:

It is being reported that Opera v9.20 is vulnerable to an attack which causes it to consume 100% of its host machine’s resources, rendering the PC unusable.

There is currently no work-around so anyone worried about this situation should disable the BitTorrent engine within Opera by following the instructions found on Opera’s site.

Fortunately I wouldn’t have been affected by this. The first thing I did after installing Opera 9.2 was disable BitTorrent downloading in the browser, as I much prefer µTorrent.

Read: TorrentFreak

Windows Vista Exploits Exposed!

Post ImageI was going to post something last week about the “fatal flaw” found in the speech recognition feature of Windows Vista, but I never got around to it. And now, thanks to Long Zheng’s brilliant post, there is simply no point. Here’s a snippet:

Last week, the media went schizophrenic over the Windows Vista speech recognition ‘loophole’ which allowed anyone with a microphone to have full access over your computer. Granted, you must also be partially-deaf, turned your speaker volume to full, carefully place your microphone next to the speakers, turn on speech recognition and train your speech profile as if you were someone else.

The rest of the post is quite funny, and discusses other possible exploits such as the mouse and keyboard, and Visual Studio. Definitely worth a read!

Read: Long Zheng

Thoughts About Online Privacy

Post ImageI just did a quick search of my blog and found to my surprise that I haven’t really written about privacy before. It’s a topic that is often discussed, especially as more and more of our lives move online, so I figured I’d have said something about it in the past. Oh well, now is as good a time as any. I’d have to say that my opinion about online privacy is different than most. First, here’s the usual perspective:

Chuck Sanchez, a 25-year-old Chicagoan, recently deleted references to his public relations firm on his MySpace page after everyone from a job applicant to his fiancee’s mother found the page.

“It’s simply not worth it,” he says. “I want my personal site to be just that: personal.”

I agree it’s smart (and let’s be honest, common sense) to be careful about what you post online. But attempting to remove references is futile. It’s almost as stupid as thinking that if you never post about something that it’ll never get online. That’s just a dangerous way to think about privacy.

When it comes to online privacy, I keep these two things in mind:

  1. Eventually, despite your best efforts, any information (personal or otherwise) could become universally accessible.
  2. The only way to protect yourself from the potentially negative effects related to information disclosure is to contribute to the stream of information, to maintain an active online voice.

That voice can be a website, a blog, a profile at a social networking site, or anything else that works for you, even a combination of these things. As long as you can continually contribute positive information to the stream of information, you should be fine.

Everyone makes mistakes. Usually you learn from your mistakes. Unfortunately, it’s primarily the mistakes that make it online and not the learning experiences that follow. When it comes to online privacy, you just need to maintain a balance between disclosure of the mistakes and your sharing of the learning experiences. If you do that, it’s much less likely that you’ll run into disclosure problems.

Another thought. Imagine a world in which all personal information was kept private. How would you know who to trust? It’s often the personal information that allows us to make decisions about a person. This happens consciously (such as when you are reading a resume) and subconsciously (such as when your opinion of someone changes based on their clothing). Now imagine a world in which all personal information is publicly disclosed. With complete information, it becomes trivial to make decisions about whom to trust, based on what is essentially pattern recognition. Of course, having complete information could have severe social consequences.

I don’t think either extreme is ideal, though I learn towards the side of full disclosure. And if that changes, you’ll be able to read about it here.

One more thing: in general, I’d say people are pretty lazy. If your “information stream” is pretty full, potential employers or other interested individuals will be much less likely to spend the time reading it all. And if they do, your contributions to the information stream should come in handy!

Read: Yahoo News

Norton 360

Post ImageI stopped running Symantec’s consumer products a long time ago. I like the corporate products, but their Norton packages were always too bloated or confusing I found. Or they wouldn’t behave as expected, or they’d interfere with something. Okay now that I think about it, there’s lots of reasons I don’t like the Norton software applications. And now, I have one more reason:

Symantec unveiled plans for its new software, then code-named Genesis, in February. The product is to rival Microsoft’s OneCare and Windows Vista security technology, and will integrate components of Symantec’s current security, PC optimization and backup products, the security company has said.

On Wednesday, Symantec announced that Genesis will be called Norton 360 and that the product is slated to ship by the end of March next year, a change from the original September due date.

Are you kidding me? What kind of a name is Norton 360? Nevermind that they already have SystemWorks, which does the same thing. I wasn’t initially that happy that Microsoft called their new Xbox the Xbox 360, but it grew on me. It’s a fairly unique name though don’t you think? Not exactly the kind of thing that can be appended to any old product. I mean, what does the “360” mean for Norton? Unless it means a complete turnaround in their software’s performance and effectiveness, I don’t like the name one bit. Maybe they think the “360” will make their software seem “cool”, like the Xbox. Maybe they forgot they sold security software, and that no matter how hard you try, it simply isn’t sexy or cool.

Well the release date has been pushed out quite far, so they still have time to change the name. Here’s to hoping!

Read: CNET

Kudos Symantec

Post ImageI’d be remiss if I didn’t give props to Symantec today. It seems that Google, Sun, and many of Microsoft’s other so-called competitors could learn a thing or two from the security firm. Instead of whining to the government, Symantec plans to innovate and compete with Microsoft:

John Thompson vowed that it would put more resources into research and development over the coming the year, speaking to reporters at the Symantec’s annual Vision conference here.

“Our strategy is to out-innovate Microsoft. We know more about security than they ever will,” Thompson said.

How refreshing to hear that a company is going to compete against Microsoft for once!

Read: CNET

Windows Defender (Beta 2)

Post ImageMicrosoft released Windows Defender (formerly Microsoft Antispyware, hence the Beta 2) yesterday, making it available as a free download and I just installed it. Apparently existing Antispyware users will be notified about the update, but I hadn’t received anything before I installed Defender. Fortunately it appears to have upgraded or removed Antispyware for me. Here’s Microsoft’s description of the software:

Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

Some of the main changes/features include a redesigned interface, improved detection and removal, support for 64 bit platforms, and the most important one of all: Windows Defender can be run by all users on a computer, with or without administrative privileges.

Some other things I noticed:

  • Checking for updates seemed to take a long time, and the UI for it is ugly compared to Antispyware.
  • The red and yellow target icon has been replaced by a grey, plain looking brick wall. The icon doesn’t appear to stay in the status bar anymore.
  • The logo is using the new Vista graphic for Windows (this makes it the first application I have installed that uses the graphic).
  • There’s a lot of wasted whitespace on the “Home” screen.
  • Software Explorer is a new feature that lets you manage software permissions. Also shows you a bunch of information about each program.
  • I need to test it out a little more, but so far it seems to use more memory than Antispyware.

If you want to give it a try, you can download it from Microsoft.

Read: Windows Defender

Another misleading headline

Post ImageI took a quick look at the headlines on CNET, and one in particular caught my eye. The story is titled “Windows Wi-Fi vulnerability discovered“, and given that I use wireless networks all the time, I decided I should take a look. Here’s how the article describes the problem:

When a PC running Windows XP or Windows 2000 boots up, it will automatically try to connect to a wireless network. If the computer can’t set up a wireless connection, it will establish an ad hoc connection to a local address. This is assigned with an IP address and Windows associates this address with the SSID of the last wireless network it connected to.

The machine will then broadcast this SSID, looking to connect with other computers in the immediate area.

The idea is that a hacker could then connect to the computer and compromise it. All of that I understand. Yet as I was reading this, I kept thinking to myself, “that’s not what happens when there are no wireless networks.” I don’t experience what is described above! Then I realized why.

A full nine paragraphs into the story:

MessageLabs believes that users running Windows XP Service Pack 2 (SP2) are not at risk.

There’s no way they could have mentioned that earlier? All this kind of story does is spread needless FUD about Windows. If you have a properly updated machine, you’re fine! Not only that, but any firewall (like the one built-in to XP and enabled by default in SP2) would prevent any such problem.

If nothing else, I hope Windows Vista is regarded as secure, so that I don’t have to put up with articles such as this one. No matter your religious affiliation, the current Windows stuff is pretty solid. And no matter what operating system you use, if you don’t keep it properly updated, you do so at your own risk!

Read: CNET

Malware and Web 2.0

For most of us, the Sober worm of 2003 is history. Painful history maybe, but history nonetheless. We’ve updated our virus scanners, checked and re-checked our firewalls, installed all the patches, etc. But just as in the biological world, mutations eventually make their presence known:

A variant of Sober known as Win32/Sober.Z@mm is pummeling servers at Hotmail and MSN with “unusually high mail load,” causing delays in e-mail delivery to Hotmail and MSN customers, said Brooke Richardson, MSN’s lead product manager. Richardson also indicated that Internet service providers besides Comcast may be having problems directing e-mail to Hotmail and MSN servers.

So in a way, Sober has returned, and it’s affecting MSN and Hotmail (though I personally haven’t noticed any problems). I think the return of the Sober worm has greater importance this time around though. When Sober wreaked havoc on servers in 2003, Web 2.0 (which I use in this post regardless of how accurate the term is) was but a glimmer in the future. Hosted services were still considered unready to take off. Now though, Web 2.0 is all the rage and hosted services are popping up everywhere.

So what happens in a few years when the vast majority of our data is stored online? Creating some sort of malicious software to target those data silos will become increasingly irresistable for those who write viruses, worms and the like. And that introduces a pretty big problem for users, and for those running the hosted services.

In a few years, all of my pictures will be on Flickr or something similar (in fact most of them already are). Many of my thoughts are online already on this blog (and millions of people use a central service like LiveJournal, MSN Spaces, Blogger, etc). Podcasts, video, documents and even more types of information will undoubtedly go online as the services become feasible and popular (and who knows what Windows Live and Office Live will mean). Combined with the data of millions of other people, this storage of my data is firstly a very juicy target, and secondly increasingly difficult to protect. All of that data needs to be proactively protected from attacks, it needs to be backed up in case of a successful attempt, and it really should be available all the time. And when the demand for sharing this information and data with other services on the rise (think APIs in the Web 2.0 world) security becomes somewhat more difficult.

Combined with the “mini bubble” we’re starting to see, in which corners will inevitably be cut in order to get products and services to market, I think malware will become increasingly more important. No longer will viruses and worms simply target websites, they will target our data. And don’t be fooled – a virus targeting the data on your local machine and distributed malware targeting the data of millions of users are two very different scenarios. If you lose the data on your local machine, you’re faced with a setback and the need to rebuild and move on. If the data of millions of users is made inaccessible, destroyed, or otherwise attacked, the people who own the data are affected, but so are countless businesses that rely on that data. It’s potentially much worse.

Granted, distributed technologies that are becoming more and more commonplace will help to alleviate some of the problems posed by malware of the future, but they can’t completely prevent outages or other negative effects. True also is the fact that platforms in general have matured and are more secure than in the past. However, the potential for major problems still exists.

Today, malware might make a website unavailable. Tomorrow, malware might make you (or at least the most important data which describes you) unavailable. Let’s hope those in the driver’s seat of the Web 2.0 era are considering security too, or we could be in for a very rough ride.

Hold developers liable for flaws?

Post ImageThat’s what one so-called “expert” thinks should happen. While most people will agree that security is a major issue, not everyone agrees on what should be done to combat security problems. This suggestion has got to be the most creative and ridiculous one I’ve come across:

Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser.

Speaking Tuesday at the SecureLondon 2005 conference, Schmidt, who is now CEO of R&H Security Consulting, also called for better training for software developers. He said he believes that many developers don’t have the skills needed to write secure code.

If we’re going to hold software developers liable for their code, why don’t we hold users liable for their mistakes and errors too? Heck, why stop there! We might as well hold the farmer who grew the potatoes used in McDonald’s french fries liable for making people fat! Seriously, Schmidt is just way off base with regards to the liability issue. Training is one thing, liability is quite another.

You just can’t look at a piece of code and say with absolute certainty that it’s secure, even if you have proper security training. First of all, the developer cannot anticipate all of the ways in which the code might be used, nor can he/she predict what future technologies might impact the code. Secondly, there is quite often more than one developer who touches a piece of code, so it may not be written with the same caution or mind for security each time. There’s just too much uncertainty. Software development is often called “Computing Science” but a large portion of it is more “art” than “science”.

Read: CNET

Using Firefox? You're not safe!

Post ImageI have said it before, and I’ll say it again: Firefox isn’t really all that secure! It only seems more secure because it doesn’t have a large enough market share to warrant attacking. Fortunately, some other people have noticed this and done some excellent analysis, like George Ou and ZDNet:

Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week’s premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.

In the post, George shows that since March of this year, Firefox has encountered 40 vulnerabilities, compared with Internet Explorer’s 10. And since April 2005, there have been 11 exploits for Firefox compared with only 6 for Internet Explorer. One could make the case that Internet Explorer 6 has been around longer and thus many of it’s problems were fixed prior to March of this year. It would be interesting to see some data on that. Of course, Firefox shouldn’t have had any of the same vulnerabilities though, as it was released after IE6 and should have been able to learn from it’s mistakes, right?

A new report from Symantec found similar results, but also noted that hackers still focus their efforts on IE – no doubt because of the size of IE’s market share and installed base:

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, “the most of any browser studied,” the report’s authors stated. Eighteen of these flaws were classified as high severity. “During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,” the report noted.

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as “high”, which Symantec defined as “resulting in a compromise of the entire system if exploited.”

See the browser wars aren’t really Firefox versus IE at all. No, the browser wars are hackers versus vendors.