Tag Archives | Security

iPhone 3.0 is a Giant Security Rollup

In the countdown to iPhone 3.0, users were not just waiting for the ability to cut and paste: Apple was sitting on a slew of critical security fixes. CNET is reporting that the iPhone 3.0 software update fixes 46 security vulnerabilities, and I’m not the least bit surprised.

While some teams at Apple may have security expertise, the company lacks a holistic company-wide approach to secure development. The company practices security through obscurity, hoping that hackers will not exploit bugs if they do not know about them, which is not security at all.

Earlier this month, security expert Rich Mogull sharply criticized Apple for falling short on protecting its customers. He recommended that Apple adopt a security development life cycle (SDL) process, which a handful of companies, including Microsoft, implemented several years ago, and share it with third-party developers.

The number of security vulnerabilities found in Microsoft’s products has dropped markedly, because it changed how it makes its software. No code can be shipped out of Redmond unless it has gone through the SDL process. Apple is another story.

If left unpatched, the iPhone is as exposed as the broad side of a mountain. Twelve iPhone components are exploitable ranging from its Mail application and Safari browser down to lower level graphics and telephony stacks.

Apple’s saving grace is that it controls the iPhone’s application ecosystem, so it’s harder for malware to reach users. It has said that it evaluates apps against security criteria, but I wonder how comprehensive that process is in light of its disjointed vetting process. Maybe it has just been lucky.

In March I called for Apple to assist its developers in writing secure apps for the iPhone. I repeat that call, and am upping the ante by challenging Apple to share its internal processes for secure development (if those processes are even mature enough to share).

I love my iPhone, and own several Apple computers, but I’m not in love with Apple’s halfhearted approach to security.


Find My iPhone: Cool Idea, Some Quirks

I’ve never lost an iPhone, but I still wince when I think of the StarTac phone that disappeared on me at Spring COMDEX (back when there was such a thing as COMDEX) and the Palm Tungsten PDA that was stolen from my car about a week after I’d bought it. And I do misplace my iPhone around the house all the time. So I was immediately intrigued by Find My iPhone, one of iPhone 3.0’s 100 new features. Part of Apple’s $99 MobileMe service, FMI lets you locate your iPhone on a map, send it messages (in hopes they’ll be read by some honest soul who found your phone), play a tone (even if the phone is in vibrate mode), and–if all else fails–remotely wipe the phone of all its data.

With today’s release of the iPhone 3.0 update, I’ve been playing with Find My iPhone–and it’s been a somewhat confusing experience. For one thing, Apple buried the setting that lets you turn Find My iPhone on in an un-Apple-ish way: It’s in the Mail, Calendar, Contacts section of Settings (even though it has nothing to do with mail, calendars, or contacts) under the settings in Accounts for your MobileMe account (which, in my case, only remind me that they’re for MobileMe when I click all the way through).



Obama’s Cybersecurity Initiative a Step in the Right Direction

Today, U.S. President Barack Obama took the wraps off of a 60-day review of the nation’s electronic infrastructure. The report outlined concrete steps towards achieving better security, called for the creation of a cyber security czar in the White House staff, and emphasized the importance of respecting people’s privacy.

In April, I wrote “Obama gets it,” in an article about how critical U.S. infrastructure was vulnerable to damage and disruption. While some of the details haven’t been shared yet, the initiative that the President announced today does chart the right course.

The report concludes that the federal government needs to increase its investment in achieving security and resiliency in information and communications infrastructures, and calls for a public-private partnership to coordinate responses to cyber attacks in addition to rallying international cooperation to mitigate security risks.

Another goal is to educate the public about the importance of cyber security, but with incidents such as the U.S. Army being hacked in news headlines, reality has already helped there.

Obama’s plan mirrors a bipartisan effort that was championed by U.S. Senators John Rockefeller (D-W.V.) and Olympia Snowe (R-Maine). The bill that they proposed also called for a White House position to coordinate all Federal security efforts.

Rex Black, a well known security expert and president of Rex Black Consulting Services, told me that it was understandable that Obama would want someone to fill that role. The position should be staffed by the White House rather than the Commerce Department or Military due to the turf wars that would inevitably happen, he added.

The report strikes a political balance: New laws and mandates could come as a consequence, but the White House said that it would avoid imposing new requirements on the private sector if it could be avoided. Privacy was also mentioned more than 60 times in the report, and the President said unequivocally, “Our pursuit of cyber security will not–I repeat, will not include–monitoring private sector networks or Internet traffic.”

Overall, I am heartened by the high priority that Obama has placed on this very serious problem so early on during his Presidency. He is giving credibility to the people that are trying to solve it, and that will only help drive towards a solution–even if we have to walk before we can run.


WinPatrol: A Must-Have Free Tool

WinPatrol is a free tool you just must have on your Windows PC: It gives you a way to stop unwanted programs from loading (and tells you which apps are safe), watches out for spyware and keyloggers, keeps your System tray uncluttered, and when you boot, can get you to the desktop quickly.

At its core, WinPatrol raises a flag when something suspicious happens within critical parts of your system. For instance, you’ll get an alert when anything is added to any of the Registry’s Startup locations, and you’ll have the option of blocking it or disabling it later. WinPatrol watches almost 20 functions, including when a browser plug-in is added, a file type association is changed, a scheduled task is created, your HOSTS file is touched, or a new ActiveX component is installed.



Hide File Extensions, Invite Hackers?

Mikko, at F-Secure’s Weblog:

…in Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types. And virus writers used this “feature” to make people mistake executables for stuff such as document files.

The trick was to rename VIRUS.EXE to VIRUS.TXT.EXE or VIRUS.JPG.EXE, and Windows would hide the .EXE part of the filename.

Additionally, virus writers would change the icon inside the executable to look like the icon of a text file or an image, and everybody would be fooled.

Surely this won’t work in Windows 7.

As a grizzled old Windows veteran, I remember the days when computer users spent a lot more time thinking about extensions (and we liked it, dagnab it!). It was kind of discombobulating when Microsoft began downplaying them. But Mikko brings up a pretty compelling reason why it’s not a great idea to hide ’em. Wonder if Microsoft has thought about this, and why it hasn’t erred on the side of safety?
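To make the hidden-extension problem concrete, here is an added example (not from the F-Secure post or from this blog) that shows what Explorer would display for a given file name when known extensions are hidden, and flags the VIRUS.TXT.EXE / VIRUS.JPG.EXE pattern. The extension tables are assumptions chosen for illustration, not Explorer's real registry of known types.

```python
"""Spot file names that rely on Explorer's 'hide extensions for known file types'.

Added example; the extension sets below are illustrative assumptions.
"""

# Assumed tables: executable types that Windows will run, and document/image
# types an attacker borrows to make an executable look harmless.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
BENIGN_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Return the name Explorer shows: the final known extension is dropped."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:          # no extension, or a dotfile like .bashrc
        return filename
    if hide_known and ("." + ext.lower()) in EXECUTABLE_EXTS | BENIGN_EXTS:
        return stem                  # "VIRUS.TXT.EXE" is shown as "VIRUS.TXT"
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when a benign-looking extension sits directly before an executable one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:               # need a base name plus two extensions
        return False
    final, inner = "." + parts[-1], "." + parts[-2]
    return final in EXECUTABLE_EXTS and inner in BENIGN_EXTS


def audit(filenames):
    """Return (name, what Explorer shows, reason) for each suspicious name."""
    findings = []
    for name in filenames:
        if is_disguised_executable(name):
            findings.append((name, displayed_name(name), "double extension hides executable"))
    return findings


# Constructed sample listing, mixing the trick from the post with harmless names.
SAMPLE = ["VIRUS.TXT.EXE", "VIRUS.JPG.EXE", "readme.txt", "report.pdf.scr", "setup.exe"]

if __name__ == "__main__":
    for name, shown, reason in audit(SAMPLE):
        print(f"{name!r} displays as {shown!r}: {reason}")
```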


Identity Theft Protections Put Off Until Tomorrow–Again

Measures that would protect consumers from identity theft have been delayed, because many businesses are not compliant yet with federal regulations. Fortunately, there are solutions to help them protect your privacy.

In 2007, the United States Federal Trade Commission issued its final rules on identity theft “red flags” and address discrepancies. Fast forward to today, and the implementation of those rules has been delayed for a second time until August 1st.

The rules are intended to protect consumers from identity theft by governing how businesses that deal with credit handle financial information. Industries affected by the rules include healthcare providers (doctors, hospitals), utilities (gas, electric, telephone, cable TV, etc.), auto (car, motorcycle, RV dealerships), real estate (brokers, lenders), banks and credit unions, and more, according to Compliance Coach, a company that sells risk assessment software.

It was an e-mail pitch from Compliance Coach about the delay that inspired me to write this article. The delay has occurred due in part to the fact that many businesses are not yet compliant with the rules or are unaware that they apply to them, the company says. It’s onto something.

A few weeks ago, I had a conversation with Peter Coffee, director of platform research at Salesforce.com. Peter said that it would be okay for me to disclose that a significant portion of IT professionals (not all of whom were Salesforce customers), surveyed in third-party research that it uses internally, understand that they are not compliant with existing laws and legal rulings that affect IT operations.

He noted in a follow-up e-mail that the research he discussed is not a statement of the legal opinions of the company’s corporate counsel, nor is it a formal statement of the assurances provided by the team that is headed by its chief trust officer.

Salesforce needs to think hard about compliance, because its customers are forced to tackle issues around data when they use its services. The cloud computing model that Salesforce pioneered–where data is hosted by a third party on remote servers–forces companies to build applications that abide by regulations that govern data, such as who can access it, and where it can exist.

Today’s delay is yet another example of how traditional IT has trouble keeping pace with cloud services. It is simply too difficult for many businesses to build the systems that they need to be compliant.

Cloud services can help organizations with limited IT resources meet today’s standards for business processes and data, because cloud providers must meet those considerations as part of their business model. The easier that is for businesses to be compliant, the safer your personal information becomes. Now let’s just hope that the FTC’s new protections go into effect with no further delays.


War of the Firefox Extension Developers

Ars Technica’s Ryan Paul has posted a good piece on an alarming story: The developers of two popular and useful Firefox extensions, NoScript and AdBlock Plus, descended into an ugly squabble that involved each one attempting to interfere with the other’s operation–and which eventually led to NoScript having secret features designed to futz around with AdBlock Plus, if it was present. In a roundabout way, the ugly situation did Firefox users a service by making clear something which many of us didn’t know: Firefox doesn’t do enough to draw boundaries between extensions that prevent them from interfering with each other. The good news is that Mozilla is reacting to the tussle by establishing guidelines for what extension behavior is and isn’t kosher. NoScript’s developer has published an apology and agreed to follow the new rules. And I, for one, will be a tad paranoid from now on when installing new extensions–especially since the recent unpleasantness involved not obscure rogue add-ons but two of the best-known Firefox enhancers on the planet.


Facebook Phishing Attack

A couple of hours ago I got an oddly terse message from a Facebook friend who I’m not used to hearing from:

[Screenshot: Facebook phish]

It wasn’t hard to identify it as a hoax, one that wasn’t really from the “sender” in question–especially when I noticed that the “Facebook” URL mentioned something called fbaction.net. Out of curiosity, I clicked anyhow–hey, I like living dangerously–and got a fake Facebook login screen. I therefore entered a fake user name and fake password, whereupon it sent me to the real Facebook (and, presumably, stole my fake credentials).

Over at TechCrunch, M.G. Siegler explains that I was one of many Facebook users who heard from these guys. Facebook blocked the site from being shared via Facebook, and reported it as a bad actor, so recent browsers with anti-phishing features could protect their users. But I’m sure some other random troublemaker will try precisely the same trick again soon.

Bottom line:

1) Be suspicious of odd Facebook messages, especially ones that demand you click on something without explaining why;

2) Be suspicious of messages you receive from random Facebook pals that don’t carry any clear indication they’re real and personal;

3) Be very suspicious of anything involving a URL that’s a variant on Facebook.

4) If you do click, watch the URL you go to very, very carefully.

5) Remember that none of this advice is Facebook-specific–it applies to…well, everything.

6) Be grateful that so many phishers really aren’t very good at their job–and paranoid about the possibility of being fooled by one who knows what he’s doing.
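Points 3 and 4 above amount to “look at the host name, not the branding.” The following added example (not from this post) does that check mechanically: it pulls links out of a message, works out which registrable domain each one really lands on, and flags hosts that borrow the Facebook name without being facebook.com. The trusted-domain list, the brand tokens, and the sample message are assumptions constructed for illustration; the two-label domain rule is a simplification of what the Public Suffix List would give you.

```python
"""Classify links in a message as trusted, lookalike, or other.

Added example; TRUSTED_DOMAINS, BRAND_TOKENS and SAMPLE_MESSAGE are constructed.
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com"}      # where a real Facebook link must land
BRAND_TOKENS = ("facebook", "fb")       # strings a lookalike host tends to borrow
URL_RE = re.compile(r"""https?://[^\s<>"']+|www\.[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplification; real code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' based on the host the URL resolves to."""
    if "://" not in url:                # bare "www.example.com/..." links
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # hostname ignores userinfo, port and path
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"                # includes www.facebook.com, m.facebook.com
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"              # brand appears in the host, but it's another domain
    return "other"


def suspicious_links(message: str):
    """Every link in the message that does not land on a trusted domain."""
    return [(url, classify_link(url)) for url in URL_RE.findall(message)
            if classify_link(url) != "trusted"]


# Constructed message in the style of the one described above.
SAMPLE_MESSAGE = ("hey look at this http://www.facebook.com.fbaction.net/ "
                  "also http://www.facebook.com/profile.php?id=1 lol")

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_MESSAGE):
        print(f"{verdict}: {url}")
```

Note that `http://facebook.com@fbaction.net/` is classified as a lookalike too, because `urlsplit` discards the `facebook.com@` user-info part and reports the real host.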


Windows 7 Eliminates AutoRun/AutoPlay Security Hole

It seems unlikely that Microsoft has any major news involving Windows 7 features up its sleeve, but interesting tidbits are still coming out. The latest is today’s news that it’s eliminating the venerable AutoRun feature for USB drives. A blog post at the company’s Engineering Windows 7 blog explains that the Conficker worm used AutoRun (which identifies programs on a removable device and lets users choose to have them run automatically) and AutoPlay (which notices that you’ve inserted a removable storage device and provides a menu of tasks to choose from) to provide an AutoPlay item that looks like it’ll open up a folder but which actually launches Conficker. Windows 7 won’t display AutoRun items in this menu, and Microsoft says it’ll update Windows Vista and Windows XP to behave the same way. Conficker may be devious, but the security hole was pretty gaping all along; it’s surprising that it took this long for it to be publicized and for Microsoft to seal it up.

AutoPlay will still display AutoRun items on CDs and DVDs–which are presumably far less likely to carry worms than USB drives–but Microsoft is tweaking the message you get to make it clearer that launching an AutoRun item involves running a program from an external device.

Side note: Microsoft’s Security Research and Defense Blog also has an item on the change, in which it says that “AutoPlay will no longer support the AutoRun functionality for non removable optical media.” This momentarily confused me–it brought to mind visions of a DVD drive with a single disc sealed up inside the computer–but I’m reasonably sure that it’s a typo and that the poster meant to say “non-optical removable media.”
