Essential Computer Security

Tony Bradley on Facebook
Tony_BradleyPCW
- HP Slate vs. iPad: Focus on Flash. http://bit.ly/bImbyN about 27 minutes ago from API
- Smartphone Survey Only Tells Part of the Story. http://bit.ly/95J11j about 2 hours ago from API
- Is the iPad a business tool? Perhaps with the right business-friendly apps. http://bit.ly/dqIBgo about 4 hours ago from API
- Planning to use your iPad for business as well as pleasure? Make sure you have the right accessories. http://bit.ly/cxbs6C about 7 hours ago from API
- Vast Majority Feel Internet Access is a Right. http://bit.ly/bH4Rp7 about 9 hours ago from API
"Tony provided Aladdin Knowledge Systems with excellent content featuring the right combination of comprehensive security knowledge and the effective application of security in today’s business environment.”
Mike Lange
Aladdin Knowledge Systems
My Sites

Evolution and Future of Cybercrime

You can put the word ‘cyber’ on the front of just about anything and make it sound more “cool”, or “ominous” as the case may be. You don’t need to travel to Ethiopia when you can just visit CyberEthiopia. Instead of having sex, you can have cybersex. Why just commit a crime, when you can commit a cybercrime? No. Really. Why would you?

If you need to acquire $50,000 you would need to find a target with a fair net worth. You would probably need to be armed, risking the lives of others whether you have an intent to do harm or not. Your own life will be at risk. The obstacles to success, and the odds of failure are both high- most likely resulting in your incarceration or death. At least in jail or 6 feet under, you probably won’t need that $50,000 any more.

What if you could just sneak $1 out of the wallet of 50,000 different people? They probably won’t notice. If they discover the $1 missing, they probably won’t care, or may even assume they just lost it or mis-counted. If they catch you in the act, odds are good that they will be disgruntled, however it is highly unlikely that the theft of $1 could result in physical harm, never mind death. Hell, if you simply ask 50,000 people to give you $1, you may be successful. Look at the kid that created the $1 Million Web Page. A little corny and very hard to read, but people lined up to give the kid $1 (I’ll bet he’s kicking himself for not thinking to make it the $10 Million Web Page). It could take some time to find 50,000 victims though.

Now, what if you could sneak $1 from 50,000 different people while sitting at your laptop in the local coffee shop? What if you never have to physically confront a single person, nor risk physical harm in any way? What if you could perpetrate a virtual crime, cyberpickpocketing? It has the word ‘cyber’ at the front, so it must be cool! How about if your cyberpickpocketing could net $50,000 today? How about in the next hour or two? That definitely sounds like a more solid business plan than the “Pickpocketing Across America” approach cited above.

That is the allure of cybercrime. As Marcus Ranum, CSO of Tenable Network Security and author of The Myth of Homeland Security, discusses on Tenable’s blog, cybercrime provides a criminal with a means of automation and anonymity, requires very little in terms of information technology knowledge or equipment, and can cross global borders in a heartbeat, making it easier to hide and harder to be prosecuted. Ranum’s post is an excellent read. For many of the same reasons: automation, efficiency, lack of potential for physical harm, mass-impact, anonymity, and difficulty finding and prosecuting an attacker internationally- cyberterror will also gain appeal (at least to those likely to find ‘appeal’ in committing acts of terror in the first place) in my opinion. But, we’ll save that issue for a future post.

_________________________________________

Tony Bradley
www.tonybradley.com
Essential. Computer. Security.

Tags: Blog by Tony Bradley
Comments Off

Profile: Firefox 3 Security

Since it was originally introduced, the Firefox web browser has proven itself as a worthy and capable web browsing application, and a solid rival to Microsoft’s dominant Internet Explorer. Firefox has built a loyal and growing fanbase.

Initially, many made the switch from Internet Explorer to Firefox based on hype regarding its superior security. Over time, Firefox has had its share of flaws and vulnerabilities, showing itself to be formidable, but not impenetrable.

The focus of this profile though is not on whether or not the Firefox web browser itself is secure, but rather what features and functionality it offers to you, the user, to protect your computer and your personal information while you surf the web. Firefox 3 incorporates a number of updates aimed at security, including anti-malware functionality, forged web page protection improvements, and integration with the Parental Controls in Windows Vista.

Importing Internet Explorer Settings

This is not entirely a “security” feature, but it helps you migrate from Internet Explorer to Firefox and it does have some impact on security. If you choose to, Firefox 3 will import your existing Internet Explorer settings, including your Favorites, and your saved passwords.

Site Security Details

By clicking on the icon to the left of the URL in the address bar (the “Site Favicon” in Firefox terms), you can reveal detailed information about the page you are viewing or the current site you are visiting. The details that are displayed include whether or not the connection is encrypted, information about who owns the web site, and whether or not you have ever visited the site previously or have any cookies or saved passwords associated with the site.

Site Permissions Details

Clicking on the Permissions tab at the top of the site details will display the page you see here. This console lets you customize and control what the site, or page, is allowed to do. Using the options here, you can control whether or not images can be loaded, whether or not pop-up windows are displayed, whether or not cookies can be stored, and whether or not extensions or themes from the site can be loaded.

Firefox 3 Security Options

If you click on Tools, then Options, you will open up the Options console for Firefox 3 where you can customize and configure the various options. Click on the Security tab at the top, and you will see the window we have displayed here.

Some of the security options in Firefox 3 include blocking sites from installing Add-Ons, and storing passwords. You can also assign a Master Password that you must enter in order to “unlock” the rest of your passwords for some added security.

While phishing attacks have been around for some time, attackers continue to innovate and devise new attacks. Recently, one of the emerging methods of spreading malware is by exploiting weak or flawed web servers to plant malware on otherwise benign sites- some very well known. Firefox 3 keeps tabs on the sites that have been identified as compromised, and provides warnings to let you know that you may be visiting a suspected attack site.

Firefox 3 will also let you know if the site you are visiting appears to be a forgery of a legitimate site. This feature is strengthened because rather than just warning you, the contents of suspected forgery sites are not displayed. This makes it substantially more obvious to the user that there may be an issue.

Configure Warning Messages

Clicking on the Settings button of the Warning Messages area at the bottom of the Security Options allows you to choose which events you want to receive warning messages for. The options revolve around encryption, and encrypted sites. You can choose whether or not to display a warning when viewing an encrypted page, when leaving an encrypted page, when you submit information that is not encrypted, and more.

Summary of Firefox 3 Security

I have highlighted a few of the key security features in Firefox 3, but not all of them. In addition to the features and functions I have already covered, Firefox 3 also provides:

New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.
Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.
Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.
Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

Firefox 3, like its predecessors, is a solid competitor for Internet Explorer, and provides a wonderful option for those seeking an alternative web browser. Just remember, you still have to pay attention to vulnerability alerts and exploits, and keep your Firefox installation up to date to stay protected against new and emerging threats.

Tags: Web Browser Security by Tony Bradley
Comments Off

March 2008

To view a summary of the March 2008 bulletins, visit Microsoft Security Bulletin Summary for March, 2008. Click the links below to view the individual Microsoft Security Bulletins and to download any patches that might be required for your system. You can also visit Windows Update to automatically determine what patches or updates your system needs.

Microsoft Security Bulletin MS08-014
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
Microsoft Criticality: Critical
- http://www.microsoft.com/technet/security/bulletin/ms8-014.mspx
Microsoft Security Bulletin MS08-015
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
Microsoft Criticality: Critical
- http://www.microsoft.com/technet/security/bulletin/ms8-015.mspx
Microsoft Security Bulletin MS08-016
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
Microsoft Criticality: Critical
- http://www.microsoft.com/technet/security/bulletin/ms8-016.mspx
Microsoft Security Bulletin MS08-017
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution
Microsoft Criticality: Critical
- http://www.microsoft.com/technet/security/bulletin/ms8-017.mspx

Tags: 2008 by Tony Bradley
Comments Off

Computer Security In Plain English For Normal People

Tony_BradleyPCW

My Sites