Thursday, August 29, 2002
[Blogfish] QUOTE
Uncover the real WINNT killer.
Last Friday I got to work and was greeted by mr. blue screen. After rebooting a couple of times only to see the message "kernelos32.exe is either missing or corrupt" I asked our sysadmin for help.
"Your Winnt directory is missing" he told me. What? "It's not there. What were you doing that caused this to happen?" That last inquiry has propelled me into a virus hunt that will uncover the real WINNT killer.
Just jotting down one possibility I saw on FuzzyBlog:
Microsoft said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.
The world's leading software maker said that an attacker, using e-mail or a Web page, could use Internet related parts of Office to run programs, alter data and wipe out a hard drive, as well as view file and clipboard contents on a user's system.
I never thought viruses actually wiped out hard drives. I never even knew someone who knew someone who had an aunt whose entire hard drive was wiped out. Does this really happen? QUOTE [Blogfish]
Alison
You need to
- Check the anti-virus hoax pages to find out what your exact situation is. There are viruses that say you have some problem other than what you really have. There are virus hoaxes that say there is this file that the anti-viruses can't detect & if you find it on your system you need to delete it, but it is really a file you need to run your system, so you follow the hoax instructions, delete the file, and now your system really is crashed. Even though you may be too wise to fall for this, some co-worker might not. Millions of dollars have been siphoned from American Businesses because the Nigerian Scam is sent out very much the same way as computer viruses are distributed. Anyone who can fall for a hoax, can fall for a financial con game. I have a lot more faith in the anti-hoax anti-virus vendors than I do in the outfits that supply the software, or the people in charge of computer systems in corporate America.
- http://www.vmyths.com/
Truth About Computer Virus Myths & Hoaxes
- Check my guide to the basics of personal computer security posted Aug 15. I can send you by e-mail attachment the Word document I am referring to. I just do not want to put into general circulation a working document that has tons of links where I have not asked permission to quote people, and do in fact quote without attribution, because I figured out netiquette after I started on the document.
- Ask me to send you my Computer Security Myths document. I try to avoid sending people as e-mail attachments something I think would be of interest to them, because of the high risk of a virus in any attachment you were not expecting.
- I have a few other Security documents I can share. Mac Policy doc is a barely begun outline that spells out the philosophy of what I want to accomplish with my Computer Security Essays. There are some risks that I must not detail because the cyber terrorists have not yet figured out how to do those things. I want to communicate at a level that anyone can understand, non-technical or technical, not talk down to people, avoid bashing any vendor, and avoid getting in an argument. I will let someone else's documents bash vendor practices that put us at this kind of risk. Getting this work to the web was one of the reasons I started my Radio Weblog. I wanted to learn what could be done, get good at it, then select presentation method. I am leaning towards a separate category on a separate host with Instant Outlining.
- There is one that I downloaded from Europe that explains Banking practices and why Identity Theft is so prevalent. Ask for my e-fraud document.
- I did a series of messages (#s 3258 3261 3293 3314 3341) at
http://groups.yahoo.com/group/TYR
basically spelling out that the situation with a lack of Internet Privacy has been permitted to deteriorate a lot worse than most people realize, but for each hazard there are things that people can do to mitigate the risks.
I was planning to expand on these but then thought that my Computer Myths approach was a better way to hopefully contribute to customers of computer systems putting an end to this idiocy.
I also plan to incorporate these TYR posts into my eventual FAQ on Computer Security Common Sense.
- An earlier effort was via
http://www.TechRepublic.com/forumdiscuss/thread_detail.jhtml?thread_id=20600
- go to the archives of http://www.year2000.com/ecommerce and search for the post I made called "Computer Myths"
- When you are past this crisis, go visit Internet Storm Watch http://www.incidents.org/isw/iswp.php
Basically they have software so that people's Firewalls can send copies of Intrusion Logs to this outfit. They merge logs & sort by where the trouble is originating & notify the ISPs of the hackers & work with law enforcement to track the hackers down & put them out of business. This is a beautiful concept & I betcha a lot of people are not aware that this is going on, such as the people making federal government pronouncements these days about computer security.
- http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html
There is such a thing as a secure computer system.
There is such a thing as a computer system that can be made secure.
Various government agencies, such as the military, have some standards for security that computer systems that they buy & install need to meet. Then a new bunch of people get elected and want nothing to do with the work that was done by their enemy in the political party that was in charge before, and they reinvent the wheel.
Here is a directory of secure systems by vendor.
Some vendors are conspicuous by their absence.
Some vendors that are here, I would study the small print with great interest.
There are technical documents here explaining ..if you get such & such a system that can be made secure ... how to go about doing so.
- If you are reading this and you really are in government, politics, law enforcement, and saying Oh Al, you are too cynical, but this stuff is constructive, then prove to me you really are in a position to change policy or to go after the computer criminals (I am not going to send some of my stuff to malware creators pretending to be cybercops), I could send you as an e-mail attachment a collection of some posts I have made to Government sites soliciting Security Tips, such as what I think needs to be done about Terrorists and Airport Security.
- My Air Security to FBI document is what I posted 10 days after 9/11 after I calmed down and checked phraseology and elegance of my writing.
- My Security Gov document has what I sent to the Gore commission back when there were all the arsons of Black Churches, the terrorist attack in Atlanta GA, and some suspicion that an American airliner had been brought down by a surface to air missile.
- My Cyber TV Word document has a collection of places allegedly selling illegal consumer electronics, through spam, which I want to share with any law enforcement that really wants to crack down on such places. When I see spam that seems obviously for some illegal enterprise and they are stupid enough to give the name of the place to send money to, I think in terms of starting such a collection of places to share with law enforcement, if we can ever figure out how not to drown them in millions of spam forwards.
- Lobby inside your corporation to get a real computer security audit, or to have your annual financial auditors do a computer security audit. It does not matter if you run your biz on Microsoft Operating System, one of IBM's, Unix, Linux, etc. You can get a competent audit. There are audits designed for major ERP packages. Check out
http://www.pentasafe.com ... basically IS security management lets them load this thing that rattles your computer door knobs and gives a report on how many insecure entrances you have, and makes computer security policy recommendations based on where your biz is most at risk. It does not provide any info that would help the bad guys, and it communicates at a level understandable to non-technical management.
- Here is a place for computer security technical professionals
http://groups.yahoo.com/group/e-com-sec/
- http://www.ifccfbi.gov
There is a depth to this computer fraud complaint operation that goes beyond what is apparent to most consumers. Law enforcement individuals doing investigations can post here that they are interested in a particular business, web site, suspect, etc. then there are regular searches to see if two or more policepersons expressed an interest in the same suspect, within the last 24 hours & an e-mail is sent to introduce them to each other.
Computer crime is global. The victims are global. Law enforcement personnel could be working in duplicate investigations except for this cooperative venture.
- http://www.icsa.net/html/labs/
I think I have the right link here. I found this outfit when researching what firewall to get for my home PC. They have firewalls from 40 some outfits on PCs connected to the internet & they continuously bombard them with every piece of nonsense the malware people come up with. What they are doing is quality testing the fact that the firewalls really do what they are advertised to do. Many popular brand names are conspicuous by their absence from the list of firewalls that do in fact do what they are advertised to do.
- One of my computer security e-mail contacts sent me his Computer Security Glossary that spells out his honey pot strategy for keeping an intruder distracted long enough to back trace him. I personally feel people's time is better spent keeping the intruders out in the first place, but my view is a minority in the West today.
- Another contact sent me a copy of Halcrow's draft policy on corporate Computer Security Policy.
- I am collecting goodies like these, and then can share some with other people making similar collections.
10:33:08 AM
[Bruce's Computing Category] passes on news of Radio's change to referrer visibility. QUOTE
A tiny change in Radio's aggregator makes referer logs more interesting. Please read this if you provide an RSS source for Radio users, and you watch your referer logs. Updated. [Scripting News]
Well I don't watch my referer logs every day, but I do check them from time to time.
UNQUOTE [Bruce's Computing Category]
[Bruce's Place] shares a story QUOTE
Dead Men Tell No Passwords The man in charge of some of Norway's most precious electronic documents died without divulging the way to access them. A plea to hackers to help crack the system is out. By Michelle Delio. [Wired News]
UNQUOTE [Bruce's Place]
If the security works, why break it? If the documents cannot be accessed, and the only person who knew how to access them died, then it is as if the data was in the man's head and he died. There is something wrong with this picture.
Where I work, I have some computer security responsibilities, but they are not exclusively in my head. With each new boss, I ask if I can give a briefing on what kind of computer security we have, and what to do if I get run over by the proverbial union truck. One of my suggestions is to provide on paper, a list of the most secret passwords to get into such things as computer security itself, then that paper is to go in an envelope in the safe of our corporate lawyer or auditor or some outside firm that we have some confidentiality agreement with, then if anything happens to me or my boss, there is this backup of the most important corporate stuff that is in our brains. When I change the master security access codes, I tell my boss that I did so, and why I did so.
After a new boss has been on board a year or two, I ask if I can give a briefing on the strengths and weaknesses of our computer security. We do get intruder alerts, and I notify the managers involved. For example, executives are out to lunch, and some unknown person is in their office trying different password combinations, then the computer security kicks in and pulls the plug on that work station (you only get a certain number of tries to forget your password, then computer security makes certain automatic assumptions), then a few minutes later history repeats at the next office down the hall. Then a few hours later, I am reviewing the system message logs and discover the fact that this was happening. I have made some changes to the system logging so that we discover this kind of stuff faster.
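The pattern described above, lockouts moving from one workstation to the next within minutes, can be flagged as it is logged rather than hours later. This is an added example, not part of the original post or of any system the author used; the log format, workstation names and 15-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format: date, time, event, workstation.
SAMPLE_LOG = """\
2002-08-23 09:14:02 LOGIN_OK ws=OFFICE-104
2002-08-23 12:05:11 LOCKOUT ws=OFFICE-101
2002-08-23 12:09:40 LOCKOUT ws=OFFICE-102
2002-08-23 12:16:27 LOCKOUT ws=OFFICE-103
2002-08-23 15:30:00 LOCKOUT ws=OFFICE-110
2002-08-23 15:31:10 LOCKOUT ws=OFFICE-110
"""

def parse_lockouts(text):
    """Return (time, workstation) for every LOCKOUT line, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "LOCKOUT" or not parts[3].startswith("ws="):
            continue
        try:
            when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # skip malformed timestamps rather than abort the scan
        events.append((when, parts[3][3:]))
    return sorted(events)

def _flush(chain, min_stations, sweeps):
    # Record the chain only if it touched enough different workstations.
    stations = []
    for _, ws in chain:
        if ws not in stations:
            stations.append(ws)
    if len(stations) >= min_stations:
        sweeps.append({"start": chain[0][0], "end": chain[-1][0], "stations": stations})

def find_sweeps(events, window=timedelta(minutes=15), min_stations=2):
    """Chain lockouts that follow each other within `window`; report multi-station chains."""
    sweeps, chain = [], []
    for ev in events:
        if chain and ev[0] - chain[-1][0] > window:
            _flush(chain, min_stations, sweeps)
            chain = []
        chain.append(ev)
    _flush(chain, min_stations, sweeps)
    return sweeps

if __name__ == "__main__":
    for s in find_sweeps(parse_lockouts(SAMPLE_LOG)):
        print(f"ALERT {s['start']} to {s['end']}: lockouts at {', '.join(s['stations'])}")
```

Repeated lockouts at a single workstation (the 15:30 pair in the sample) are left to the normal lockout handling; only movement between workstations raises the alert.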
1:55:33 AM
The Bush administration is calling for a centralized Network Operations Center (NOC) to coordinate cyber-security warnings, says this week's e-week. Previously Computer Security has been voluntary and optional, but the feds want corporations to disclose what they are doing, if anything, towards that goal. The feds do not know if there is any such thing as secure wireless technology, and if none, no federal agency is to buy any. I wonder what the military will do to communicate with planes in the sky and ships at sea, if this ban goes into effect.
Wednesday = no posts except updates to some stories and categories (access my collection via Radio url number system) because my health was temporarily impaired (I suspect a new food allergy ... as we get older, our body discovers new things to complain about).
Tuesday topics: Blog Education; Computer Illiteracy; Current Events; Politics; Quality; Tara Sue Grubb vs. Howard Coble;
12:44:55 AM
© Copyright 2002 Al Macintyre.