Don't accept "home-grown" security fixes

Today's SANS "Newsbites" newsletter has a cautionary comment about security fixes. Sometimes third parties announce "fixes" to security problems. Such is the case with a recently announced Internet Explorer vulnerability. But the editorial comment by Pescatore warns, in a cuttingly humorous way, not to accept "fixes" from other than the original vendor.

 

You can subscribe to get these semi-weekly "SANS Newsbites" by email or you can view them online in the Newsbites Archive. Subscribiing requires that you set up a login account.

 

Another related newsletter for end-users is Ouch!, a monthly security awareness newsletter.

Phishers attack smaller banks

Recent attacks on some small banks' web sites showed a troubling fact -- the attacks were very sophisticated and very hard for people to tell they had arrived at fake sites.  The attack of the web sites redirected traffic to a "bad" server, which had a web sites set up to mimic the original.  To nearly any user, the site looked genuine.  They arrived at the criminals' site even if they typed in the correct web address for their bank.

 

This type of attack is the first of its kind and may become more common. 'Even if you do go to your online bank's Web site, you need to be very careful,' says Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.

 

Read the full article in ComputerWorld

cnet news adds The Big Picture

cnet news.com (news.com.com) has a neat feature.  It's either new or I just hadn't tried it out before -- "The Big Picture".  When you are on a page about a single story, let's say " Microsoft to bring Hotmail onto the Desktop", click on "THE BIG PICTURE" link (dark red background, white letters) in the right column next to the story.  Then click on the small blue " full screen" text link to get the largest view.

 

Play with it.  This interactive utility shows relationships of stories, topics, and companies. If you hold your mouse over a story image, a little box slides down and contains a link to the story itself. You can choose to display stories, topics, companies, or any combination. Experiment. Have fun!  cnet also has a " Learn more" page.

Phish Fry starts

CastleCops and Sunbelt Security have a new joint venture -- the Phishing Incident Reporting and Termination (PIRT) Squad. You can volunteer to help out by joining the PIRT squad, submitting new phishing scams, generating reports or contacting officials.  They have how-to type FAQs and a Fried Phish tool (... gotta love the pun).  But you can benefit from the work of others if you prefer.  Visit and check out the site.

Hearing loss bites Apple

After getting bitten by complaints about the loud volume of iPods causing hearing loss, Apple is now offering a tasty downlod to address that on several (but not all) models.  The download lets iPod users set a maximum volume level.  If you use an iPod, get this download!  Remember, your body is a temple.

Throw-away email accounts

Why would you use a disposable email account? To reduce spam. Let's say you place an order online and have to provide an email account. Do you know for sure that the site wil not sell or otherwise let others know your email address? That's one way you start getting spam.

One way to combat this is to use a temporary email account when you order online. You wait for any needed emails to arrive (confirming the order, etc.), then you delete (throw away) the email account. You could, of course, keep the email account active until you actually start receiving spam or until it expires. Either way, it helps keep spam out of your normal, personal mailbox.

You can get a list of sites that offer free temporary email acounts at Prospector - Free Stuff. Make sure to check the free email account site's privacy policy first. You don't want to get spammed by signing up for the temporary account, do you?

Spam? Fight back!

You can give spammers a taste of what they're dishing out. How? Subscribe to the " Do Not Intrude Registry" and let BlueSecurity's "Blue Frog" use its Active Deterrence.

Groups name Adware, Malware offenders

The Center for Democracy and Technology (CDT) has a list of software companies that use adware. Another organization, StopBadware.org has also published a list of "malware" programs that do not comply with the group's guidelines.ZD Net article (CDT)TechWorld article (StopBadware.org)

Security tips from Comcast

Comcast has several tips about computer security.  Here are a few:

• How do I stop spam?
• How does a spammer get my email address?
• What's with an email I got but it's not my address listed?
• Home user's Computer Security Checklist
• How to handle ID Theft
• Online fraud risk test

Comcast also recommends reviewing "How do I get my email program to reveal the full headers?" at SpamCop.net.

Getting Podcasts

ZDNet has a great overview of Podcasting -- Podcasting 101.  It's a video feed, so you'll need to first choose to receive it either in Windows Media Player or Realmedia Player.  ZDNnet discusses what Podcasting is (getting audio or video via an RSS source), how you get it, and how you use it.

 

If you scroll down to the bottom of the ZDNet page linked above, you'll see a ton of links to other cnet videos. Explore. Enjoy. Learn.

 

ZDNet has a bunch of blogs too, if you're interested.

Obese pix need file size diet!

Many Windows XP users are in the bad habit of taking their photos and then attaching them to an email message without making any changes. It's not a big deal if you have broadband, right? Wrong. Consider that you may be sending your ultra-cool-gotta-see-it pix to people who really don't want to deal with huge images. The more megapixels your camera has, the more likely that you're a bloated pic offender.

The solution is to edit photos down to a reasonable file size before attaching to emails. Windows XP users can easily resize those images using Microsoft's free " Image Resizer" PowerToy. After you install the tool, just right-click on an image in Windows Explorer and choose to resize it to a smaller dimension better suited as an email picture or attachment.

If you have an image editor, it's a also good idea to improve the images where needed, then "optimize" them to further reduce file size before shipping them on to unsuspecting friends.

This information is based on a blurb by David Chernicoff in the "Windows UPDATE Client" email newsletter anyone get for free from Windows IT Pro. The magazine offers several of these free emailed newsletters. Drop by their site and make your choice.

Blasting Web Ads

The Internet used to be for a free exchange of ideas among scholars and the military -- see DARPA, and then computer enthusiasts (geeks like me). But the advent of HTTP and World Wide Web page caused a blossoming most never saw coming. Commercial web presence now drives much of the web, not academicians and geeks. This irritates many people who have been used to all information on the web being free.

If you have a real need to reduce displayed advertising, consider taking the following actions:

• Turn on your browser's Pop-up blocker. Only allow pop-ups on sites you choose.
• Use FlashSwitch to toggle Flash off/on as you want, since some ads are now done in Flash.

There's a real problem with too many people blocking ads, though, because the real challenge here is a financial one. Creating and maintaining a good web site costs money -- there's no free lunch. If too many people hide ads by using these or other methods, a web site owner might have to start charging a subscription fee to defray costs. So maybe it wouldn't hurt that much to let ads display. And if (on a site you trusted) you saw an ad that really caught your eye, you might even want to click on it.

Google Safe Browsing for Firefox

If you are a Firefox user, you may want to install the free "Google Safe Browsing" extension. It alerts you when a web page you visit might be being used to steal personal information.

Fed site keeps you on guard

Onguard Online has tips from the federal government and the information technology industry to help you guard against internet fraud, safeguard ytour personal information, and better secure your computer data. If you like internet aution sites like eBay, check that out there too.

Email scam pretends to be from IRS

A recent phishing email scam pretends to be from the IRS and about a tax refund. The email links to a web site that claims to be able to tell you the status of your refund. It also asks for your name, Social Security account number, and credit card data. Don't fall for it.

Anti-Phishing, Pharming tips from Microsoft

Microsoft's web page, "Help prevent identity theft from phishing scams", defines Phishing, shows some images to help explain what it looks like, and offers some tips to reduce identity theft.

A companion page, "Pharming: Is your trusted Web site a clever fake?", gives you cautions and tips about criminally redirected web pages.

Microsoft "Live" tools

Microsoft is now gathering its "Live" product tools onto one web page, Windows Live Ideas. Many of these are in beta, but it's a pretty cool collection. Windows Live Mail is webmail with an Outlook feel, including message preview, Calendar, Contacts, and "Today" tabs. YOu can sign up and try any of these.

Microsoft blogs

Microsoft, like many other companies these days, has some blogs at the Microsoft Developer Network site.  You might find a couple of them interesting even if you're not a developer.

The Internet Explorer 7 blog lets you keep track of the latest news and comments about this upcoming major upgrade.  In fact, there's even a more specialized IE 7 blog, ClearType in IE7.  And speaking of fonts, you may find the Font Blog interesting.

Mac OS X attack succeeds in 30 min

The Mac user community should no longer feel as safe.  Mac fanatics used to claim that the Mac was "safer".  The Windows crowd would retort that it was only because there were a whole lot less Macs so it wasn't worth the time for "black hats" to bother with.

 

Well, the malware is heading to Macs too. One person accepting a challenge to hack a Swedish user's Mac OS X computer found that he could hack a Mac in less than 30 minutes. The successful hacker says that there are a lot of unpublished exploits of the Mac OS X.

 

My point is not to bash the Mac, but to remind all that system and data security is a concern for computer users of all types.

Splogs and Blog comment spamming

Spam + Blog = Splog

http://en.wikipedia.org/wiki/Splog

After blogs got popular, spammers latched onto them too. This happened fast and seems to have caught Blogger.com (bought by Google) by surprise. Some spam blogs serve solely to drive traffic to other spam sites. The text of such sites may be nonsense, with the links being the only thing the spammer is really interested in having on the page.

Spam in Blogs is called comment spamming. To reduce automatic spam attacks of blog comments, Blogger now offers:

• Comment moderation -- the blog administrator has to approve a comment before it actually gets posted.
• Word verification. They added the option to require entry of some letters ("word verification") that are displayed as a graphic. Automatic ("bot") type processes can't cope with that.
• Screening of blogs that are included in the "Next Blog" feature of the Blogger NavBar (which some blogs hide).
• A "Flag" button on the Blogger NavBar. This lets a person "flag" a blog as questionable and ripe for review for elimination.

Several blogs and other web sites have commented on and proposed ways to fight blog spamming...

• Fight Splog
• Splog Reporter started on October, 2005 in response to spamming of blogs. Splog Reporter equates Splogs with terrorism of the blogosphere.
• Splog Reporter adds Firefox extension
• Spam of blogs (cnet news.com )
• Splog Spot bills itself as the world's largest splog database.
• Fight Splog! reports that 442 splogging servers have been identified as used in attacks.
• Blogging industry infected with splog flu

Blogs at Blogger splogger haven?
ProBlogger reports that Blog search engine owner Mark Cuban has criticised Google for not blocking sploggers, who are using its free blogspot.com to create tons of splogs daily. Cuban says that blog search engine sites may need to start deleting any blogs from offending domains such as blogspot.com or ones that end in ".info".

IE 7 will handle "feeds"

Microsoft's site about IE 7 shows that Internet Explorer version 7 will include the ability to interact discover and read syndicated "feeds" such as the one from this blog.  Firefox already does that, by the way, with its " Live Bookmarks" feature.

 

I discovered this fact about IE 7 by following a link in Ray Ozzie's Microsoft blog that touts a "Live Clipboard" as being needed for the web.

Track down those trying to use your 'puter

Everyone knows that you should run a Firewall program, even in addition to (or instead of) the default Windows Firewall that comes with Windows XP. "So great", you say. "I do have a firewall. But what do I do with alert information the firewall shows -- for example the IP (Internet Protocol) address of another computer trying to access mine?" Personally, I'm mighty curious about even the attempts my firewall blocked. Aren't you?

Well, you can figure out who owns the source IP by looking at the Firewall logs. For example, my ZoneAlarm firewall "More info" option showed that the computer that had sent the data packet that caused an alert to be entered into the log was 70.224.246.43. OK, but exactly who owns that computer IP address and who should I email for details, assuming I want more information?

Luckily, the "WHOIS" database at ARIN (as well as some others) gives a free listing of such information, based on the registration of the IP address/web site. Just enter the IP address at their site and you get detailed information. Try the above IP address and see what you get.

If you have a web address (URL) instead of an IP address, you can get information via the general WHOIS database at whois.net or AllWhoIs.com. For example, enter umc.org into the AllWhoIs Search field and click on "Search". Scroll down through the results to see what data is available.

With such tools, you can often trace attempts to get into or out of your computer. It's important to check on these attempts periodically, if only for peace of mind. I do so every month or so.

And remember -- it's important to check who's trying to send information out of your computer as well as who's trying to get in. Check on both types of attempts.