Shortly after exploit code for a newly disclosed Windows 2000 flaw was published, someone turned it into the Zotob worm.
Once installed, Zotob seeks out and infects other computers
on the same network. It also installs a backdoor that lets
a remote attacker take control of the infected machine.
Several slightly different versions of Zotob have been released. The
creators of these separate versions apparently have gone to war with
each other. Now owners of infected computers not only have to deal with
a virus infection. They also are dealt the double indignity of seeing
their machine become a battleground, as the different Zotob worms try
to exterminate each other.
In the past, people released viruses and worms for bragging rights.
They wanted to show their fellow miscreants how cool they were, so they
would infect millions of computers for the hell of it. These days, an
infected computer is worth money.
Everyone - from spammers to organized crime to international terrorists
- pays good money for control of large networks of infected computers.
These computers can be used to send spam, to launch
denial of service attacks, and for any number of other illegal
things.
An infected computer now is "turf" belonging to whoever can take the
machine and keep it. If a competitor is discovered, that competitor
must go. The best way to avoid being hit in the crossfire of this or
any future computer gang war is to have a policeman nearby. By that, I
mean that you must have an antivirus program which is kept up-to-date
on a constant basis.
You also need to make sure you install Windows security updates, as soon as they come out. Turn on automatic updates or visit http://windowsupdate.microsoft.com
at least once a week. Microsoft Updates usually are released on the
second Tuesday of each month. Occasionally, a very critical update is
released off schedule, so take the time to check at least once a week.
Recently a fellow told me that he was quitting the
Internet! He had had enough and didn't want it anymore. No
more spam, no more viruses, no more spyware; he just felt it was not
worth it. "I'm shutting off my broadband
connection. It's become too invasive to my privacy and it seems that
one has to have more and more protection and I'm just tired of what is
going on with the internet." If this speaks to you, maybe some of
these suggestions could put the fun back into your internet surfing.
However, I'm not quitting, because so far I don't
really find it that difficult to avoid infections. A few relatively
simple things minimize the risk:
1) Use antivirus software and keep it up to date. Grisoft's AVG is free, effective, and doesn't mess up my machine like some other popular antiviruses I could name.
2) A firewall. Some free ones such as ZoneAlarm or Sygate Personal are also quite good.
3) Use text at the very least to preview email. Chilton Preview for Outlook is very effective.
4) Change things like .vbs and .reg files to open with a text editor in Windows by default.
5) Don't use Internet Explorer! I've used Opera for years but now use Firefox for almost all my browsing, but the occasional tricky site ends up requiring IE for a short time.
6) Disable the Messenger service in XP.
7) If it looks weird, don't open it! Don't trust your relatives on the internet!
8) Be stealthy. Very few internet sites really need your email address; get a webmail account just for the junk mail.
Selecting a good password is an important part of password security. The key
is to find a password that is easy for you to remember and hard for others
to guess.
Create a good (strong) password:
1) Include both uppercase and lowercase letters (case-sensitive).
2) Include both letters and numbers (alpha-numeric).
3) Do not include your login name, a.k.a. username, in any form (as-is, reversed,
capitalized, doubled).
4) Avoid words that can be found in a dictionary (including foreign
and technical dictionaries).
5) Do not use a password that has
been given as an example of a good password.
Create an easy to remember password:
One possible way to pick a good password is to make up your own acronym.
Create a phrase that has meaning to you and pick the first letter of each
word. Make sure your phrase has numbers in the middle. A
combination of numbers and letters is harder to guess or crack with a computer program.
For example:
1) "I love to shop for sandals in the Spring." (Il2s4sitS)
2) "I'm going to work out 3 times a week." (Ig2wo3taw)
3) "Last summer I caught a 30 inch striped bass." (LsIca30isb)
A similar method is to take out all the vowels from a short phrase.
For example:
1) "I work 8 hours a day." (wrk8hrsdy)
2) "You're once, twice, three times a lady." - Lionel Richie (Yr123tmsLdy)
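Here is the acronym and vowel-stripping method in working Python, together with a checker for the five rules listed above. This is an added example, not part of the original tips: the tiny word list and the list of published examples are constructed stand-ins (a real check would load a full word list such as /usr/share/dict/words), and the "to" to 2, "for" to 4 substitution is an assumption read off the page's own three examples.

```python
import string

# Constructed stand-in for a dictionary; load a real word list in practice.
DICTIONARY = {"password", "sandals", "summer", "spring", "welcome", "secret", "letmein"}

# Rule 5: passwords that have been published as examples (the page's own).
PUBLISHED_EXAMPLES = {"Il2s4sitS", "Ig2wo3taw", "LsIca30isb", "wrk8hrsdy", "Yr123tmsLdy"}

# Assumption read off the page's examples: "to" becomes 2 and "for" becomes 4.
WORD_DIGITS = {"to": "2", "too": "2", "for": "4"}


def acronym_password(phrase):
    """First letter of each word (case kept); numbers are kept whole and
    to/for become digits, which reproduces the page's three examples."""
    out = []
    for word in phrase.split():
        w = word.strip(string.punctuation)
        if not w:
            continue
        if w.isdigit():
            out.append(w)
        elif w.lower() in WORD_DIGITS:
            out.append(WORD_DIGITS[w.lower()])
        else:
            out.append(w[0])
    return "".join(out)


def strip_vowels_password(phrase):
    """Drop vowels, spaces and punctuation; keep consonants and digits.
    (The page's Lionel Richie example also swaps words for digits by hand.)"""
    return "".join(c for c in phrase if c.isalnum() and c.lower() not in "aeiou")


def check_password(password, username, dictionary=DICTIONARY):
    """Return the rules from the list above that the password breaks
    (an empty list means it passed all five)."""
    problems = []
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("rule 1: needs both upper and lower case")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("rule 2: needs both letters and digits")
    p, u = password.lower(), username.lower()
    # Case-insensitive substring search covers as-is, capitalized and doubled;
    # the reversed form is checked separately.
    if u and (u in p or u[::-1] in p):
        problems.append("rule 3: contains the username (as-is, reversed or doubled)")
    # "sandals1" is still the dictionary word "sandals" with a digit stuck on.
    if p.strip(string.digits) in dictionary:
        problems.append("rule 4: is a dictionary word")
    if password in PUBLISHED_EXAMPLES:
        problems.append("rule 5: is a published example password")
    return problems


if __name__ == "__main__":
    for phrase in ("I love to shop for sandals in the Spring.",
                   "Bob ate 2 cold pizzas for breakfast Friday"):
        pw = acronym_password(phrase)
        print(phrase, "->", pw, check_password(pw, "bob") or "ok")
```

The checker is deliberately strict about rule 4: it strips digits off the ends before the dictionary lookup, because a word plus a trailing digit is the first thing a cracking program tries.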
Protect your Password:
1) Memorize your password.
2) If you must write down your new password because you are afraid you will forget it, then:
2A) Never write your username and your password on the same piece of paper.
2B) Do not place a written copy of your password on the side of your monitor, under your keyboard, etc.
3) Destroy the written copy as soon as you have memorized your password.
4) Do not allow anyone to look over your shoulder while you are entering your
password.
5) Change your password often.
6) Change your password immediately if it has been compromised.
One phenomenon that has become quite obvious from the vast numbers of virus victims over the last year is that people click first and ask questions later. Maybe we're inspired by the false belief that firewalls, antivirus software, and anti-spyware programs protect us from all viruses, worms, and intrusive programs. But even the best of these shields can't always protect you from your biggest security threat: yourself.
Don't click e-mail attachments: Most viruses and worms arrive on your PC in the form of e-mail attachments. A few of them exploit security flaws in Windows or in your browser to launch automatically, but if you keep your programs updated, your chances of being infected via that route are small. The attachment you open yourself is the far bigger risk.
Don't believe the return address: Though an e-mail message may claim it's from your bank, your ISP, or even your boss, that doesn't mean it is. Spammers and virus mailers generally spoof the From address field in their messages with a legitimate address that they've harvested; nothing in that header proves who actually sent the message. You may even have received spam from yourself as a result of this technique.
Of course, not all e-mail is bad. But if a message from a coworker or friend insists that you launch a file attachment, first confirm with the sender what the file is (make a call or send an e-mail asking whether the purported sender in fact e-mailed the file attachment, and whether it is indeed intended for you). If you have any doubts about the legitimacy of the message and its attachment, delete them.
Don't believe the message: To persuade you to launch a virus-laden mail attachment or provide your personal information, virus authors must earn your trust. They try to accomplish this by composing convincing-looking messages that appear to be sent from Microsoft, your ISP, or some other entity you do business with. The message may even contain links to a counterfeit version of the company's Web site, complete with genuine-looking graphics and corporate logos.
Often the message laments that the company is experiencing technical problems, and that it needs you to click an executable attachment. You don't need to rely on your intuition to determine whether this message is truthful. If the message hasn't been verified by a company representative via phone or in person, it almost certainly contains a virus. Microsoft doesn't e-mail updates to its customers, and neither should your ISP.
Don't believe the link, either: A link in an e-mail message that claims to point to a Citibank Web site may not really go there. Devious phishing scams use the wonders of HTML to snooker you into uploading your Social Security number, PIN, credit card number, password, or other sensitive data to a scammer's Web site. A carefully crafted e-mail message purporting to be from your bank, PayPal, or some other institution (and often also containing links to the real company's Web site) warns that you must update your records there. The biggest tip-off should be this: Banks and ISPs don't lose your information and then send e-mail requests for you to reenter it online. Another tip-off is that the link text and the real underlying URL don't match: hover over the link, or view the message source, and compare the address in the href with the one displayed. Always examine log-in Web pages and their URLs closely. One such message sent unsuspecting Citibank customers to a non-Citibank site (which no longer exists, fortunately). If you do get hooked by creeps on a phishing expedition, notify your bank, ISP, or other institution immediately.
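The three checks above (an executable attachment, a From line that can't be trusted, link text that doesn't match the real URL) are mechanical enough to script. The following Python is an added example, not from the original article: it runs those checks over a constructed phishing message. The sample e-mail, the 203.0.113.5 address and the attachment name are all made up for the demonstration, and the From header is reported only as a claim, since nothing in it can be verified offline.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".reg"}

# Constructed sample message; the base64 payload is a few bytes of an MZ header.
SAMPLE = """\
From: "Citibank Security" <security@citibank.com>
To: alice@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We lost your records. Please visit <a href="http://203.0.113.5/citi/login">
https://www.citibank.com/</a> to re-enter them, or open the attached form.</p>
<p>Questions? See <a href="https://www.citibank.com/help">our help page</a>.</p>
</body></html>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="account-form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Host named by a URL or bare domain in the visible link text, if any."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def suspicious_links(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = host_in_text(text)
        if shown and shown != real:
            findings.append(f"link text says {shown} but goes to {real or href}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append(f"link goes to a bare IP address {real}")
    return findings


def risky_attachments(msg):
    """Executable extensions, plus names with more than one extension
    (the classic 'form.pdf.exe' trick)."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        if any(lower.endswith(ext) for ext in EXECUTABLE_EXTS) or lower.count(".") > 1:
            names.append(name)
    return names


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += suspicious_links(body.get_content())
    for name in risky_attachments(msg):
        findings.append(f"executable-looking attachment {name}")
    return {"claimed_from": str(msg["from"]), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("claimed sender (unverified):", result["claimed_from"])
    for line in result["findings"]:
        print(" -", line)
```

The second link in the sample goes to the real bank site and produces no finding, which is the pattern the text describes: phishing messages mix genuine links in with the one that matters.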
Practice abstinence. Resist viewing or replying to messages from questionable sources or opening dubious attachments; most viruses, worms and Trojans enter computers this way. If the email seems too good to be true, it probably isn't. Many schemes use 'social engineering' methods to lure unsuspecting users into revealing personal information or into confirming their email address for use in more schemes or spam.
Make sure your antivirus and personal firewall software is up to date. An updated antivirus program blocks incoming threats from known viruses and worms, while a personal firewall blocks unsolicited inbound connections from hackers, identity thieves and worms, including new ones your antivirus doesn't recognize yet. Make sure that your personal firewall provides outbound protection, too. Outbound protection is vital in case malicious code does make it onto the PC and starts trying to 'call home' to open a back door for whoever controls it.
Schedule a monthly check-up. Vulnerability patches and bug fixes are released often, but you don't
always hear about them. Take a few minutes one day a month to check for updates on all your software
vendors' Web sites.
Very interesting article by Kim Zetter, in Wired, about wearable computing guru Steve Mann. Mann's made it his mission to make people more aware of surveillance cameras around them by engaging in what he calls "equiveillance through sousveillance":
The opposite of surveillance -- French for watching from above -- sousveillance refers to watching from below, essentially from beneath the eye in the sky. It's the equivalent of keeping an eye on the eye.
With that in mind, Mann conducted his tour with conference participants to see how those conducting surveillance would respond to being monitored.
Mann sported his signature camera eyewear, while some of the other participants wore CFP conference bags around their necks. The bags had a dark plastic dome stitched on one side -- modeled after store surveillance domes -- which they pointed randomly at passersby, unnerving them. Conference organizers had outfitted a handful of the bag domes with wireless webcams -- they wouldn't say which bags contained cameras -- which transmitted and recorded live streaming video to monitors in the conference lobby.
In the stores, as conference attendees snapped pictures of three smoked domes in the ceiling of a Mont Blanc pen shop, an employee inside waved his arms overhead. The intruders interpreted his gesture as happy excitement at being photographed until a summoned security guard halted the photography.
Mann asked the guard why, if the Mont Blanc cameras were recording him, he couldn't, in turn, record the cameras. But the philosophical question, asked again at Nordstrom and the Gap, was beyond the comprehension of store managers who were more concerned with the practical issues of prohibiting store photography.
At the Gap, photographers were told they couldn't take pictures because the Gap didn't want competitors to study and copy its clothing displays. At Nordstrom, an undercover security guard who looked like Baby Spice and sported a badge identifying her as Agent No. 1, summoned a manager who told Mann that customers would be disturbed by the handheld cameras.
Illogically, she didn't have a problem with participants pointing their conference bag domes around the store to take photos, just with the handheld cameras.
Mann said that duplicity is often necessary in order to mirror the Kafkaesque nature of surveillance.
He has designed a wallet that requires someone to show ID in order to see his ID. The device consists of a wallet with a card reader on it. His driver's license can be seen only partially through a display. And in order for someone to see the rest of his ID, they have to swipe their own ID through the card reader to open the wallet.
He also made a briefcase that has a fingerprint scan that requires the fingerprint of someone else to open it.
Mann quoted Simon Davies of Privacy International, a London-based nonprofit that monitors civil liberties issues: "The totalitarian regime is the regime that would like to know everything about everyone but reveal nothing about itself," Mann said.
He considered such a government an "inequiveillant regime" and likened it to signing a contract with another party without being allowed to keep a copy of the contract.
"What I argue is that if I'm going to be held accountable for my actions that I should be allowed to record ... my actions," Mann said. "Especially if somebody else is keeping a record of my actions."
"In Europe, data is owned by the person to whom it relates. In the United States, data becomes the property of the company which collects it," said Simon Davies, director of Privacy International, a London-based lobbying group. What is more personal than your likeness, either on film or in digital format? So if you should own your name, address, phone number, SS number, etc., then you own your pictures taken with or without your knowledge or approval. Many groups concerned about privacy want the US to adopt the European ownership of personal data.
The Earth is going down. Way, way down. To the mat, hard and painful and with a sad moaning broken-boned crunch. Don't take my word for it. Just read the headlines, the latest major, soul-stabbing report.
It's one of those stories that sort of punches you in the karmic gut, about how they just completed this unprecedented, four-year, $24 million, U.N.-backed study involving 1,360 scientists from 95 nations who all pored over thousands of satellite images and countless scientific reports and reams of stats, and they all distilled their findings down to one deadly, heartbreaking summary.
And here it is: We, humankind, people, sentient carbon-based biped creatures, only us and no one else but us because it sure as hell ain't the goddamn lions or caribou or meerkats or rhododendrons, we humans have, in our shockingly short time on this wobbly sphere, used up a staggering 60 percent of the world's grasslands, forests, farmland, rivers and lakes.
That's right, 60 percent. Gone. Burned up. Used up. Much of it irreversibly. These are the basic ecosystem services that, simply put, sustain life on Earth. The glass ain't even half full, people. It's about three-fifths empty and draining fast and we are doing our damnedest to expedite the process because, well, this is just who we are.
[skip]
And this heartbreaking study, it comes hot on the heels of one of the most distressing and sobering pieces of journalism I've read in ages, an excerpt from a book by James Howard Kunstler called "The Long Emergency," all about the imminent and staggering oil/natural gas crisis now looming large over the U.S. and the world, a crisis of such dire proportions that it will very soon reshape American life like nothing since the Industrial Revolution. Except in reverse.
It's about peak oil. It's coming within a year or two. It means we've essentially siphoned off all the easily attainable oil on the planet (about 50 percent of the grand total) and getting to the remaining 50 percent -- the lower-quality stuff that's buried deep in rock or in impossibly difficult locations or that lies underneath countries where the people absolutely hate us -- will be so fraught and expensive and hypercompetitive that it will mean not only, in the immediate future, much more war and strife and pain but also, in the next decade or two, a radical -- and I do mean radical -- reshaping of life as we know it.
Petroleum and gas will become incredibly scarce and everything we know about consumer culture, travel, products, Wal-Mart, easy access to all daily goods and services, will essentially vanish, and we will return to an intensely local, viciously competitive agricultural model of raw survival. Read this article now about survival skills, and be empowered and amazed.
Another important source of knowledge which we should take advantage of before it vanishes entirely is our senior citizens. Many elderly people grew up in a world where wilderness lore was common knowledge. Talk to them. You may be surprised at the wealth of their knowledge, and those who possess it are usually quite willing to pass it on if you approach them correctly.
[skip]
But if these scientific studies and stories are to be believed -- and there's little reason to think otherwise -- that fire is about to get one hell of a lot hotter. Stock up on duct tape. And water. And hope.
Leaving U.S.? Passport May Be Needed To Get Back In
THE BUSH ADMINISTRATION'S announcement that U.S. citizens are soon going to need passports to get back into their country from Mexico and Canada, is being played as a way to keep Americans safer. But like most everything else this president has done in the name of security, the only things there will be more of if this measure goes through are bureaucracy, hassles for Americans who don't have passports and never needed them before to travel to Mexico or Canada, and bad feeling between the United States and its neighbors. Already, Canada has announced that it might require Americans to show passports before they can enter Canada.
Potential terrorists are probably the only demographic group who will not be deterred by the new passport requirement. Since when have terrorists been intimidated by the need to carry a passport? Back in February, 2002, the New York Times ran an article by Jeff Goodell about passport forgery. Goodell asked Alain Boucar, the director of Belgium's antifraud unit, how long it would take him to put someone else's photograph in Goodell's passport.
Boucar examines it. It's a standard United States passport, issued eight years ago, with a laminated photo page. ''Five minutes.''
He sticks his thumbnail into a corner of the laminate, showing me how you can peel it back. (You can loosen the laminate by sticking it in the freezer or a microwave oven -- it depends on the type of laminate -- or, better yet, by dissolving the adhesive with Undu, a product that is easily ordered on the Internet.) Boucar then points to the little blue emblem, called a guilloche, that overlaps the photo and the passport page and is supposed to make the photo difficult to remove. ''You might see a little line here. But if I do a good job, you would not notice.'' Of course, that person would have to be around the same age, height and weight as me, but Boucar's point is well taken: doing a passable job of doctoring a typical passport is not very hard.
Boucar then explains the tricks criminals use to fill in stolen blanks: how they feed passports into laser printers, for example. Or how they can create a perfectly good dry stamp -- an inkless stamp that leaves an embossed image on paper and is used to authenticate the passports of many countries -- by placing an old vinyl record over a passport marked with a real seal, then heating the record with an iron; the record is then pressed onto a fresh passport. Candle wax also works. As for ink stamps, they pose no challenge at all. Years ago, forgers would cut a fresh potato in half and use it to transfer a stamp from one passport to another. Today ''you just scan the page of a passport into a computer, print it out, then take it to a copy shop,'' Boucar says. ''They'll make you a rubber stamp in two minutes.''
And, oh, yeah. Most who don't now have passports will wait, and then they'll get stuck with the "new, improved" ones, with the special RFID chip that can be used to track citizens, via radio, remotely, as they travel, at airports, or any other place.
Those passports have the EU kind of pissed off, too.
Bush and his groupies have a positive genius for coming up with the policies most likely to alienate people and make international relations worse. It really is absolutely astounding. Pissing off neighbors is just a bonus.
Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple.
Biometrics are the oldest form of identification. Dogs have distinctive barks. Cats spray. Humans recognise each other's faces. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.
What makes biometrics useful for many of these applications is that they can be stored in a database. Alice's voice only works as a biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn't help. It's the same with Alice's handwriting; you can recognize it only if you already know it. To solve this problem, banks keep signature cards on file. Alice signs her name on a card, and it is stored in the bank (the bank needs to maintain its secure perimeter in order for this to work right). When Alice signs a check, the bank verifies Alice's signature against the stored signature to ensure that the check is valid.
There are a bunch of different biometrics. I've mentioned handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.), and others. The technologies behind some of them are more reliable than others, and they'll all improve.
"Improve" means two different things. First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of the biometric is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn't working very well. This is called a false positive. Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can't convince the system that she is her then it's not working very well, either. This is called a false negative. In general, you can tune a biometric system to err on the side of a false positive or a false negative.
Biometrics are great because they are really hard to forge: it's hard to put a false fingerprint on your finger, or make your retina look like someone else's. Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.
Biometrics are lousy because they are so easy to forge: it's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are the attacks here?
Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that the picture is of your face, only that it matches the picture of Alice's face on file, we can fool it.
Similarly, we can fool a signature biometric using a photocopier or a fax machine. It's hard to forge the vice-president's signature on a letter giving you a promotion, but it's easy to cut his signature out of another letter, paste it on the letter giving you a promotion, and then photocopy the whole thing and send it to the human resources department...or just send them a fax. They won't be able to tell that the signature was cut from another document.
The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)
Here's another possible biometric system: thumbprints for remote login authorizations. Alice puts her thumbprint on a reader embedded in the keyboard (don't laugh, there are a lot of companies who want to make this happen). The computer sends the digital thumbprint to the host. The host verifies the thumbprint and lets Alice in if it matches the thumbprint on file. This won't work because it's so easy to steal Alice's digital thumbprint, and once you have it it's easy to fool the host, again and again. Biometrics are unique identifiers, but they are not secrets.
Which brings us to the second major problem with biometrics: it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation. (Other problems can arise: it's too cold for Alice's fingerprint to register on the reader, or her finger is too dry, or she loses it in a spectacular power-tool accident. Keys just don't have as dramatic a failure mode.)
A third, more minor problem, is that biometrics have to be common across different functions. Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications. If my fingerprint is used to start my car, unlock my medical records, and read my email, then it's not hard to imagine some very bad situations arising.
Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy. Biometrics are unique identifiers, but they are not secrets.
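To make the thumbprint-over-the-network problem concrete, here is an added Python sketch (mine, not Schneier's) of the naive host from the essay beside one that has the trusted path he describes. Real biometric matching is fuzzy; the example stands in a hash of the captured sample for the matcher. It also assumes a reader that shares a secret key with the host and signs what it captured against a one-time challenge, which is exactly the assumption that makes the reader-to-verifier path trusted.

```python
import hashlib
import hmac
import secrets


def template_hash(sample):
    """Stand-in for the matcher: a hash of the raw sample bytes."""
    return hashlib.sha256(sample).digest()


class NaiveHost:
    """Accepts any message that carries Alice's thumbprint data."""

    def __init__(self, enrolled_sample):
        self.enrolled = template_hash(enrolled_sample)

    def login(self, sample):
        return hmac.compare_digest(template_hash(sample), self.enrolled)


class TrustedReader:
    """The reader holds a key the host trusts and signs what it captured,
    bound to the host's challenge, so the host knows the sample was taken
    now, by this reader."""

    def __init__(self, key):
        self.key = key

    def respond(self, nonce, sample):
        digest = template_hash(sample)
        mac = hmac.new(self.key, nonce + digest, hashlib.sha256).digest()
        return nonce, digest, mac


class AuthenticatedHost:
    def __init__(self, enrolled_sample, reader_key):
        self.enrolled = template_hash(enrolled_sample)
        self.key = reader_key
        self.outstanding = set()   # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce, digest, mac):
        if nonce not in self.outstanding:
            return False                      # unknown or already used: a replay
        self.outstanding.discard(nonce)       # each challenge answers once
        expected = hmac.new(self.key, nonce + digest, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                      # not produced by the trusted reader
        return hmac.compare_digest(digest, self.enrolled)


def demo():
    """Run the attacks from the essay against both hosts."""
    alice_thumb = b"constructed sample: Alice's thumbprint"
    reader_key = secrets.token_bytes(32)
    captured = alice_thumb                    # Mallory sniffed it once on the wire

    results = {"naive_replay": NaiveHost(alice_thumb).login(captured)}

    host = AuthenticatedHost(alice_thumb, reader_key)
    reader = TrustedReader(reader_key)
    msg = reader.respond(host.challenge(), alice_thumb)
    results["alice_login"] = host.login(*msg)
    results["replay_same_message"] = host.login(*msg)

    # Mallory has the thumbprint but not the reader key, so she must forge
    # the MAC for a fresh challenge.
    nonce = host.challenge()
    fake_mac = hmac.new(b"guess", nonce + template_hash(captured), hashlib.sha256).digest()
    results["forged_reader"] = host.login(nonce, template_hash(captured), fake_mac)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The naive host accepts the replayed thumbprint forever, which is the essay's point: the thumbprint is an identifier, not a secret. The second host still accepts Alice, but only through a reader it trusts and only once per challenge; the secret that does the work is the reader's key, not her thumb. A production version would also expire unanswered challenges rather than keep them in a set indefinitely.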
Could we be constantly tracked through our clothes, shoes or even our cash in the future?
I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system.
Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.
The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are minuscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.
It becomes unnervingly easy to imagine a scenario where everything you buy that's more expensive than a Snickers will sport RFID tags, which typically include a 64-bit unique identifier, yielding about 18 million trillion (2^64, roughly 1.8 x 10^19) possible values. KSW-Microtec, a German company, has invented washable RFID tags designed to be sewn into clothing. And according to EE Times, the European central bank is considering embedding RFID tags into banknotes by 2005.
The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.
Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.
Wal-Mart, on the other hand, says that's not the case. When asked if Wal-Mart will disable the RFID tags at checkout, company spokesman Bill Wertz told Gilbert: "My understanding is that we will."
If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.
Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.
First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.
UPDATE: When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.
Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.
"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or which have been inserted under their skin.
Owners of vehicles with onboard computers should brace themselves for an onslaught by hi-tech criminals who are causing havoc by infecting the devices with viruses.
Those with systems such as satellite navigation have been warned to secure the devices, after reports last week that the on-board computers of several Lexus models in the United States had been infected via cellphones.
And security experts in South Africa believe it is only a matter of time before local vehicles are targeted.
Ian Melamed, principal consultant at Shaya Technologies in Johannesburg, said computer viruses were now so widespread, they were starting to attack new devices such as cellphones and even on-board computers in cars. “If a device can carry data, it can carry a computer virus,” he said.
Melamed said about 150 000 cars in the US had been affected last week.
“Many of the vehicles also had their security codes breached,” said Melamed, a former computer expert with Interpol. “And with our high car theft and hijacking rate, it is only a matter of time before car owners in South Africa become targets. It is only a matter of time before these criminals (in the US) brag about their achievements on the Internet and spread the information on how to spread the virus or breach a vehicle’s computer security code.”
Many of the vehicles had satellite navigation systems linked to hands-free phone kits, via wireless Bluetooth technology and this was likely how the on-board systems of the cars had become infected, said Melamed.
“We are already starting to see a significant jump in the number of viruses affecting mobile devices such as cellphones and hand-held computers,” Melamed said. “As technology becomes more mobile, it is becoming increasingly important to guard against virus infections.
Although the viruses found on mobile devices are less advanced than those found on traditional computer networks, experts have warned that this will not be the case for long.
“We expect to see more elaborate viruses targeting mobile devices – viruses that are able to cripple those machines or steal the information housed in them,” said Melamed.
Melamed warned owners of such devices to always disable Bluetooth connectivity when possible.
“On-board devices in vehicles and mobile devices so readily available all pose a serious risk, once activated on a universal platform,” he said.
Automobile Virus Update
Lexus cars may be vulnerable to viruses that infect them via mobile phones. Landcruiser 100 models LX470 and LS430 have been discovered with infected operating systems that transfer within a range of 15 feet.
It seems that no one has done this yet, and the story is based on speculation that a cell phone can transfer a virus to the Lexus using Bluetooth. But it's only a matter of time before something like this actually works.
As for virus attacks and embedded systems, well... Some (mainly older) systems are immune, being ROM-based with insufficient RAM/registers for executable code to be stored or run. Until recently this would almost certainly have been true for all automobile-based systems; however, some now use flash ROMs and even smart/memory cards.
I guess a consequence of cheaper memory and short software development cycles requiring upgradeability as a standard is that we will get people developing attacks in exactly the same way as for motherboards in PCs. I guess it will soon be possible for my fridge to be made to think it's a microwave oven or a coffee machine with results that would delight and amuse a 7 year old attacker.
Automobile Viruses and DSRC from Thinking About Technology suggests how DSRC increases vulnerability. DSRC, which allows high-speed communications between vehicles and the roadside, or between moving vehicles, suggests other scenarios that could be more serious. What if a car thief can call his pick of any of a new model of a high-end car and make it shut its engine off? All he needs for carjacking is a threatening demeanor. Worse yet, if he can call the police cars behind him and tell them to shut down, he has an excellent chance of escaping his pursuers.
Now that 80% of home PCs in the U.S. are infected with adware and spyware, according to one study, it turns out that nearly every anti-adware application on the market catches less than half of the bad stuff.
That's the conclusion of a remarkably comprehensive series of anti-adware tests conducted recently by Eric Howes, an instructor at the University of Illinois.
Howes, a well-known researcher among PC security professionals, collected 20 different anti-adware applications. He then infected a fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen adware programs in separate stages. Finally, he counted how many active adware components were removed by each anti-adware product.
(Note: I use the single term "adware" in this article to refer to both "adware" and "spyware." Since it's not necessary for a spyware program to "call home" to be disruptive, the distinction between adware and spyware is meaningless. All such programs display ads or generate revenue for the adware maker in some other way.)
Howes's tests were conducted over a period of weeks in October 2004. His results were mentioned at the time in several places, including Slashdot and eWeek.
[skip]
Howes's test results sprawl over six long Web pages, with no overall totals or summary of the figures. It's a daunting body of data, but its bottom line is explosive. Adware seems to be evolving much faster than anti-adware, and the battle is so far being won by the adware side.
Each anti-adware application, according to Howes, removed a certain percentage of "critical" adware components. These are executable .exe and .com files, dynamic link library (.dll) files, and Windows Registry entries (autorun commands and the like).
Almost all the anti-adware programs that were tested removed fewer than half of the hundreds of adware components Howes cataloged. The best at removing adware was Giant AntiSpyware, but even that program removed less than two-thirds of a PC's unwanted guests.
Howes's tests were conducted before Microsoft Corp. announced in December that it was purchasing Giant Company Software outright. For that reason, the tests use the version of Giant AntiSpyware that was available in October and not the newer Microsoft beta version that's currently available.
Even so, with Giant's application removing 63% of a PC's adware components, and its nearest competitor, Webroot Spy Sweeper, removing less than 50%, it's clear that Microsoft has a potential winner on its hands.
How to defend yourself against adware
First, let me make my opinion clear: The installation of adware should be illegal and harshly punished. Adware has exploded because it offers big economic incentives for its sponsors. They'll never adequately inform PC users about their software before it's installed. This troubling aspect of adware will never be wished away.
Only software that a PC user specifically consents to should legally be able to install — and "end-user license agreements" that stretch off the screen should never be counted as consent. (This isn't a knock on "ad-supported software," such as the Opera browser. Such legitimate software is clearly integrated with its advertising and makes it easy to shut off the ads by registering.)
In reality, today's tech-illiterate legislatures will never ban adware — if they could even think of an effective legal approach to do so. We need to engage the battle on a technical level instead.
To understand adware, you first need to know how PCs get it. The ways that Howes obtained the adware he used in his tests provide us with some perfect examples:
Software downloads. For one group of tests, Howes downloaded and installed Grokster, a popular peer-to-peer file-sharing program, from CNET Download.com. Installing Grokster and clicking OK in its subsequent dialog boxes loaded 15 separate adware programs, containing 134 "critical" executable components, by Howes's count. This source of infection would compromise even Windows XP with its new Service Pack 2 (SP2).
Drive-by downloads. To set up another group of tests, Howes used Internet Explorer to visit the following Web locations: 007 Arcade Games (a games site), LyricsDomain (a song lyrics site), and Innovators of Wrestling (yup, a wrestling site). This resulted in 23 different adware programs being installed, carrying 138 components, Howes says. Drive-by downloads such as these are now less of a problem for users who've installed XP SP2.
You can't step into the same river twice. For yet another test, Howes visited the wrestling site again, but on a different date. The makers of adware must have signed a lot of distribution contracts with the site in the interim. Howes says his PC picked up 25 adware programs and 153 components on that one visit alone. (You'll notice that I didn't link to the examples I cited above, and I strongly recommend that you avoid trying any of them.)
It's not enough to say "PC users should be more careful." Computer professionals, instead, have a duty and an obligation to prevent adware from infecting their PCs or anyone else's.
Introducing the Windows Secrets security baseline
Every PC needs the following six components for protection against hacker attacks, both from the Internet and from within your company or home. In each issue, starting today, this new section will summarize the products top-rated by trusted reviewers.
1. Hardware firewall. For wired home and small-office networking, the 8-port Linksys BEFSR81 router ($80 USD) is rated "the best of our testing" by Extreme Tech. For wireless networking, the new Belkin Wireless Pre-N router ($150) is currently highest-rated at CNET.
2. Software firewall. Often called a "personal firewall," ZoneAlarm Pro ($40) is number one according to several testers, including TopTenReviews.com and PC World's Best of 2004.
3. Antivirus. Trend Micro's PC-cillin Internet Security 2005 antivirus suite ($50), which includes a personal firewall, recently won head-to-head comparisons in PC World and CNET.
4. Antispam. Cloudmark Safetybar ($40, formerly SpamNet) is rated a Best Buy by PC World and Editors' Choice by PC Magazine.
6. Update management. Without naming a winner (because update software is highly related to your network's size), a wide-ranging buyer's guide to patch-management software was published in the Oct. 2004 Windows IT Pro magazine.
Please share this information with your friends. You're encouraged to refer your friends and colleagues to this free newsletter. Because most e-mail programs don't correctly display a formatted message that's been forwarded, simply call people's attention to the permanent Web address of this issue: WindowsSecrets.com/050127.
Internet computing security tips from a security expert, Bruce Schneier!
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."
But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.
General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.
Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."
Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.
Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.
Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.
Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.
Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.
Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.
E-mail: Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.
Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.
Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
Antivirus and anti-spyware software: Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."
Firewall: Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.
I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.
I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.
That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.
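The column's point about the "hide file extensions for known file types" option is easy to see in code. The following is an added example, not part of Schneier's column: it models how Explorer displays a filename with that option on, and flags attachments whose real extension (an executable, or a script type handed to the Windows Scripting Host) is hidden behind a benign-looking one. The extension sets and the sample attachment names are constructed for this example.

```python
"""Added example: why hidden extensions let a Trojan masquerade as another file type."""
import os

# Extensions Windows runs directly, or hands to the Windows Scripting Host.
# Constructed for this example; a real gateway would use a maintained list.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
SCRIPT_HOST_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DANGEROUS_EXTS = EXECUTABLE_EXTS | SCRIPT_HOST_EXTS

# "Known file types" whose extension Explorer hides when the option is on.
# Assumption for this example; the real set comes from the registry.
KNOWN_EXTS = DANGEROUS_EXTS | {".txt", ".jpg", ".gif", ".doc", ".pdf", ".zip"}


def split_ext(name):
    """Return (stem, lowercase extension) split at the last dot."""
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()


def displayed_name(name, hide_known_ext=True):
    """The name as Explorer shows it with the hide-extensions option on or off."""
    stem, ext = split_ext(name)
    if hide_known_ext and ext in KNOWN_EXTS:
        return stem
    return name


def classify_attachment(name, hide_known_ext=True):
    """Describe why an attachment name is risky.

    Flags: 'executable' - the real extension runs code or goes to the
                          Scripting Host;
           'masquerade' - with extensions hidden, the name the user sees ends
                          in a different, benign-looking extension
                          (e.g. "holiday.jpg.exe" shown as "holiday.jpg").
    """
    _, real_ext = split_ext(name)
    shown = displayed_name(name, hide_known_ext)
    _, shown_ext = split_ext(shown)
    flags = []
    if real_ext in DANGEROUS_EXTS:
        flags.append("executable")
        if shown_ext and shown_ext != real_ext and shown_ext not in DANGEROUS_EXTS:
            flags.append("masquerade")
    return {"name": name, "shown_as": shown, "flags": flags}


def risky_attachments(names, hide_known_ext=True):
    """Return the classification records that carry at least one flag."""
    records = (classify_attachment(n, hide_known_ext) for n in names)
    return [r for r in records if r["flags"]]


# Constructed sample attachment names, as they might arrive in e-mail.
SAMPLE_ATTACHMENTS = [
    "report.pdf",
    "holiday.jpg.exe",
    "invoice.doc.scr",
    "funny.vbs",
    "setup.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for r in risky_attachments(SAMPLE_ATTACHMENTS):
        print(f"{r['name']!r:20} shown as {r['shown_as']!r:16} -> {', '.join(r['flags'])}")
```

With the option turned off, `displayed_name` returns the full name and the same files are still flagged as executable, but no longer as masquerading; that is the whole benefit of showing extensions.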
Your inbox is awash in spam, your boss is chuckling over your credit report, and you've got a sneaking suspicion that Uncle Sam counts how many Löwenbräu you chug. Yes, your privacy's shot to hell, and you're tempted to shrug and settle for an open source life. But privacy isn't like virginity, forever lost after the first trespass. With some work, "reprivatization" is possible. Use this three-tiered guide to pick a level of solitude. But be warned: Going all the way off the grid is more Ted Kaczynski than Howard Hughes.
Going
Diss credit: Want to be hard to find? Start by dashing off stern opt-out letters to the big database companies and credit bureaus - Experian, Acxiom, Equifax. These folks may make a mint peddling personal info, but they can be cajoled into stopping. First, though, they'll make you jump through hoops - like filling out a 1040-sized form or idling in toll-free hell. Junkbusters (www.junkbusters.com) has a good list of opt-out addresses.
Anonymize: Ditch your ISP and sign up with a service that lets you surf by proxy, keeping your IP address concealed. Send email via an anonymous remailer like Mixmaster, a digital middleman that scrambles timestamps and message sizes. And if you're going to be advocating the violent overthrow of the government or bragging about your cool new bong, make sure your remailer routes messages through multiple machines.
Grok the fine print: Boring as it sounds, read the privacy statements that clutter your mailbox around tax time and sever ties with companies that admit, "Our privacy policy may change over time" - industry lingo for "We reserve the right to screw you."
Going Further
Ditch the digits: Want to drop out? Start by rustling up a new Social Security number.
The Social Security Administration doesn't accept paranoia as a criterion for granting a new card, but it recognizes cultural objections and religious pleas. One stratagem: Contend that your credit has been irrevocably damaged by a number-related snafu, or that you live in fear of a stalker who knows your digits. Once you switch your SSN, never use it. Instead, dole out 078-05-1120, an Eisenhower-era card that works 99 percent of the time.
Call cell-free: Use the humble pay phone. Mobile phones are being outfitted with global positioning satellite chips to comply with an FCC mandate. By 2006, all wireless networks must feature 911-friendly tracking technology. Marketers are cooking up ways to capitalize, like zapping burger coupons to your Nokia as you stroll by a fast-food joint.
Pay full price: You may relish saving 10 percent on Prell, but deep-six your buyers' club cards. Supermarkets and pharmacies haven't yet perfected the art of data mining, but it won't be long. "If you're having a child custody fight, they could subpoena your frequent-shopper cards and say, 'Look, he's buying too many potato chips, he's hurting the kids,'" says Robert Gellman, a Washington-based privacy consultant.
Gone
Move: Want to go completely off the grid? Start by moving - address changes bedevil databasers. But don't buy a home. All those loan apps will blow your cover. Residential hotels smell like cheap cigars and urine, but at least you can register under a pseudonym. Give a fake address: 3500 S. Wacker, Chicago, IL, 60616 - the front door for Comiskey Park.
Toss your cards: Pay cash for everything, and don't plan on a life of luxury. Any (legal) cash transaction more than $10,000 triggers government reporting regulations, which means you can forget about that Cadillac Escalade you've had your eye on. Settle for the subway or bus, using coins rather than prepaid fare cards, which keep a record of trips.
Go incognito: Facial-recognition gear will soon be ubiquitous in public spaces. To fool the systems, invest in a pair of bulky aviator sunglasses and a hat. If you fear being tailed, alter your gait every time you hit the street - a pigeon-toed shuffle one day, a bowlegged amble the next. There are also Central American plastic surgery mills, beloved of drug lords, that can alter the loops and whorls on your fingertips. It'll set you back 10 Gs, but then, Costa Rican doctors have been known to accept gold Rolexes in lieu of cash.
By Stewart M. Powell Hearst Newspapers WASHINGTON -- CIA Director George Tenet met with President Bush at least eight times in the 42 days before the catastrophic terrorist attacks on Sept. 11, 2001, a CIA spokesman said Thursday, correcting Tenet's testimony that he hadn't talked with the president during the entire month of August.
Bill Harlow, spokesman for the agency, said CIA records showed Tenet briefed the president on national security threats once during Bush's 27-day ranch vacation, on Aug. 17, and again at the White House on Aug. 31. He also met with the president at least six more times during the first eight days of September.
Bush has established the practice of receiving daily face-to-face intelligence briefings by the CIA chief.
Tenet's contacts with Bush during that period are significant because the CIA director was the highest ranking U.S. official who was aware of both the FBI's arrest of flight student Zacarias Moussaoui in Minnesota and the CIA warning to Bush that Osama bin Laden was "determined to strike" inside the United States.
The CIA warning memo to Bush on Aug. 6, 2001, also noted that the FBI had detected "patterns of suspicious activity in this country consistent with preparations for hijackings or other types of attacks."
Tenet learned of Moussaoui's arrest on Aug. 23 or Aug. 24 in a CIA memo entitled "Islamic Extremist Learns to Fly," investigators disclosed Wednesday.
Tenet's spokesman said "as far as we know" the CIA chief did not mention the arrest of Moussaoui to Bush on Aug. 31 or at subsequent meetings before the Sept. 11 attacks.
Tenet's testimony to the independent Sept. 11 commission on Wednesday that he had not spoken to Bush during the entire month of August raised eyebrows on the 10-member bipartisan panel.
Harlow said Tenet apparently did not mention Moussaoui's arrest to higher officials because the CIA's only involvement in the case at that point was to help gain access to data on Moussaoui's seized laptop computer if the FBI could not obtain a Foreign Intelligence Surveillance Act subpoena to examine the laptop's hard drive.
Tenet was briefed on the arrest of Moussaoui as "something that the FBI was dealing with in Minnesota" rather than something requiring CIA follow up, Harlow said.
Former Acting FBI Director Thomas Pickard, who served as acting director for 10 of the 11 weeks before the Sept. 11 attacks, told the inquiry Tuesday that he had learned of Moussaoui's arrest in Minnesota on the afternoon of Sept. 11 -- after the attacks.
Word of Moussaoui's arrest never reached the White House National Security Council's interagency Counterterrorism and Security Group, former counterterrorism czar Richard Clarke testified on March 24.
After the Sept. 11 attacks, FBI agents obtained the legal go-ahead to examine the hard drive on his laptop. It contained information on using crop-dusting airplanes.
Moussaoui was charged with federal conspiracy counts as an accomplice to the 19 suicide hijackers and awaits federal trial in Alexandria, Va.
Safety experts advise switching browsers as three 'Zero Day' flaws hit Microsoft Iain Thomson, vnunet.com 14 Jun 2004
Three new flaws for which no patch exists - so-called 'Zero Day' flaws - have been identified in Microsoft's Internet Explorer.
Like Sasser, two of the three vulnerabilities need no user intervention and can be downloaded just by logging on to the internet.
The third allows a false web address to be embedded in an email to misdirect users to a phishing site, which then attempts to capture user information.
The US Computer Emergency Readiness Team warned of the phishing flaw late on Friday, while security firm Ubizen highlighted the other two after being in contact with a researcher investigating computers where pornographic banners had been inserted into the browser toolbar.
Ubizen has advised computer users to switch to alternative web browsers like Netscape or Mozilla for the moment.
"[Changing browser is] a harsh workaround but at the end of the day it'll work," said Dick Van Droogenbroeck, senior security assessment engineer at Ubizen's Security Intelligence Laboratory.
"As there is no fix available, the hacker community will seek to massively exploit these vulnerabilities. Hit the wrong web page and it's over and out."