Tuesday, February 26, 2008

Fear of Internet Predators ... unfounded?

Sometimes smart people say the darnedest things …

This morning I got up to write about kids and what we can do to protect them in this wacky internet-enabled world, and for a few minutes – I had one of those rare bursts of good news!

I read lots of different blogs and news streams – everything from MSNBC to Computerworld to Schneier on Security. I generally like Schneier on Security and am reading a couple of his books now.

But today I’m not a fan. His headline Fear of Internet Predators Largely Unfounded sounded great!! But then after reading it, it didn’t smell quite right to me. I checked on the sources and found a link to this article from the Crimes Against Children Research Center at UNH and finally a press release from UNH -

Here’s an excerpt

For example, in spite of public concern, the authors found that adolescents' use of popular social networking sites such as MySpace and Facebook does not appear to increase their risk of being victimized by online predators. Rather, it is risky online interactions such as talking online about sex to unknown people that increase vulnerability, according to the researchers.

From my (admittedly limited) time on those two social sites, they seem to be built largely for the type of personal connectivity – between people you know and people you don’t – that enables the risky behavior that increases vulnerability. While it's true a kid could meet a predator in class or through a sports team, it's a lot riskier online because of the lack of visual and other types of validation.

"what do you mean by this?"

When you or I see someone on the street, or buy something in a store – our eyes and ears can tell us things like "the store is clean, it's been here for years, many people shop here. The owner is here every day, and the merchandise feels like it has some quality to it". Online we are missing all the tactile senses, and have to develop a sense of validation through other means, e.g. other people rate the site highly, or they are certified to be who they say they are ...

With meeting people it's the same. I'm coaching kids sports - when they show up for the first practice, I've got a good idea they are who they say they are. If I were to meet the same group online for an online class I'm teaching - then I really wouldn't know.

This 'not knowing' is why I caution the use of the social sites. While many people use them for their daily news, gossip and jokes - as soon as your pool of friends is extended beyond people you've personally 'validated' (seen them etc) it's contaminated. The internet is a great tool - but it is like a sword and needs to be respected.

Back to my thoughts on the article – just like any statistical article, it's great to get some numbers, but the conclusions are suspect. From my perspective, it's great that there aren't as many predators or negative experiences as perceived, but it's still a risky environment that one should be carefully prepared for.

Monday, February 25, 2008

Hackers ramp up Facebook, MySpace attacks

quickie!

don't follow that invite to Facebook or MySpace if you don't REALLY know who sent it to you!!

Hackers ramp up Facebook, MySpace attacks

update from 2-27: Here's a free tool - Killbit - that you can run on your desktop to stop the current stream of desktop issues

Saturday, February 23, 2008

whose fave five are you in?

I don't know why, but that catch phrase from T-mobile ...

I was talking to some corporate consultants the other day about risks in the enterprise, and I could tell they were pretty blasé about security. They had a firewall. They had an anti-virus tool. I'm sure I sounded like one of Charlie Brown's teachers. wonk wa wonk wah wahh.

So I asked them: do you use a cell phone or PDA for business? "Of course." Is the data on it protected? "Uh..." Do you know that even secure internet traffic isn't secure over wireless?

Then the typical tragedy of this space occurred – I brought someone from the happy world of not really knowing about the threats going on into the panicked world of "aaah! I'm never using the internet again!" I've really got to work out a better way to get action than inducing extreme fear. :)

it's not all bad – just remember all mobile devices could be lost, so any data on them (if you value it!) should be encrypted. Also, unless you've got more safety on your portable than I know about, don't use free, unsecured access. When you do, you've brought your entire laptop or phone onto that network. As the gentleman in the article above demonstrated, it's pretty easy to access all of the places you access when that happens.

here's another article on phones - and don't be afraid, it's not all bad
Users fear for mobile security

ID theft on the decline

good news! fewer people in '07 were victims of identity theft!
bad news :( those who were lost more money


Zero Day Security (InfoWorld), Victor R. Garza and Matt Hines: "ID theft on the decline", February 12, 2008, 01:36 PM, by Matt Hines

Experian sues LifeLock, alleges fraud - The Red Tape Chronicles - MSNBC.com

AHA! I've been wondering when this one was going to happen!

I heard the ads for LifeLock, and a $1,000,000 guarantee sounded pretty darn interesting ... but then when I googled Experian I found AnnualCreditReport.com (for free annual reports) and its other site FreeCreditReport.com (paradoxically, this site is for profit; the first month is free), and I was confused why I would need LifeLock if this was all they were doing for me.

I didn't! and you don't. take a look at the article below, and save your money as well as your ID

Experian sues LifeLock, alleges fraud - The Red Tape Chronicles - MSNBC.com

Friday, February 15, 2008

BOT WHATS???

*propeller head alert! When I wrote this it all made perfect sense ... to me. If you're a normal non-techie sort, skip down to "Got it – so what do I do?"


I’m reading a lot about botnets and rootkits these days. There are even a few companies set up just to track and fight these ‘armies’.

So what are they? Wikipedia defines them as:
Botnet is a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "zombie" computers controlled remotely. This can also refer to the network of computers using distributed computing software. AKA (zombie computers running programs usually referred to as worms, Trojan horses, or backdoors)
A rootkit is a program (or combination of several programs) designed to take fundamental control of a computer system, without authorization by the system's owners and legitimate managers. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. AKA (malware, spyware, adware)

So. What’s that mean to me?

Botnets are designed for a larger attack. Rootkits are just for ripping you off. In either case it’s not good! One sign would be if your computer is running slow. It may just be the side effect of not running cleanup scripts on your registry, or running out of RAM – but then again, your computer may just be part of a botnet army doing processing for whoever runs it. I’ve read estimates of 25-50 million computers in the US and up to 150 million worldwide are infected with bots. They could be used for a variety of schemes, none of them attractive (e.g. phishing, pharming, DoS, …).

Rootkits such as SilentBanker (a Man in the Browser attack for those of you keeping score) and Infostealer are designed to get access to your bank accounts. As long as that backdoor is available to its boss (wherever he may be) – your information on that computer, and the things you use it for are not secure.

Got it – so what do I do?

I’m starting to consider rootkits/botnets something like herpes. Once you’re infected you may never get rid of it. There are some good anti-rootkits out there, but even the best ones seem to cover only 50-75% of the known problems. You’re much better off trying to avoid catching it in the first place! (see Candy Canes from strangers for tips on safe surfing).

Most of the firewalls I’ve tried lately also ‘flag’ results from search engines letting you know if they’re safe or not. I see it in my system from Zonelabs, and VCom. McAfee Site Advisor will check out the links on a page for you also.

update!
Here's an article from TechSpot describing how bad things are getting, and a couple of good sites – Webroot, the market leader, and Prevx, which I haven't used but looks good

update #2! (2-28)
Here's a description of a teenager going to jail for creating a botnet of 400,000 computers over 3 months. In this article "script kiddie" refers to someone who is computer savvy but isn't the original author of the hacking tools they are using – they're just the one who has targeted and unleashed them.

Wednesday, February 13, 2008

quickie! a nice addition for your browser

Ever wonder if the website you're viewing is 'safe'?


This free browser plugin, McAfee Site Advisor, will check it and the links returned from Google or Yahoo against their DB of known bad guys.

Saturday, February 9, 2008

More fun with passwords

I was having lunch with my buddy Nick the other day talking about this blog. Now Nick isn’t in my target audience – he’s an excellent programmer, very aware of security threats and I’m sure he’s running a great hardware firewall at home.


The thing that caught his attention the most was something I discussed a while back in Mmmm, I love hunny – User Ids are being stolen via rootkits (software that is undetectable by your antivirus program) and are then sold to middlemen who then resell them to people who form attacks. These Ids are NOT being taken by the bored teenager down the street, hacking ids is big business these days for organized crime and it's going to get worse.

The part where it really gets interesting – MOST people do not create great username/password combinations to begin with, THEN they re-use that same combination on every site they go to!

So – let’s just say I’m running a really simple rootkit (one I can buy for about $75) that’ll tell me all the websites you visit. If any of them (like Y! Mail) is running non-secure – I can easily nab your username/password. Then, referencing my handy dandy list of all your websites, I can try out each one to see where it works! Once I log in as you, I’ll change the mailing address, or see if I can get money out --- or in a worst-case scenario, I’ll sell your good stocks to buy the penny stocks I’m holding, then I’ll sell out of my account when the time is right! (pump and dump, baby)

It gets better – most people I talk to don’t ever change their passwords. Never. Or if they do, they store them in a file called passwords.txt on their C drive. Not good. Even better are the folks that put them on a sticky and leave it up on their screen 24x7. (uh, other people might just read that!)

Whaddya do? – there are a lot of good solutions in this area – RoboForm is interesting, Password Safe looks really good – but so far I’m using another piece of open source software called KeePass. Install it on a USB stick, and carry your passwords with you. Even better, have it generate new, incredibly complex and unique passwords for you and you’ll never have to worry about remembering them!
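To make the "one stolen login opens every site" point concrete, here is a small added example (my own code, not KeePass or any of the tools named above) that audits a constructed password list for reuse, shows which sites fall if one of them is captured, and rotates the reused entries to generated passwords. The vault, site names and character set are all assumptions for the example.

```python
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Character set for generated passwords (an assumption for this example:
# letters, digits and symbols most sites accept). A manager like KeePass
# lets you pick the set per site.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20) -> str:
    """Draw each character from the OS random source via the secrets module.

    The plain random module is not cryptographically secure; never use it
    for passwords.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reuse_groups(vault: Dict[str, str]) -> List[List[str]]:
    """Return the groups of sites that share one password (sorted for stable output)."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def exposure_from_leak(vault: Dict[str, str], leaked_site: str) -> List[str]:
    """Every other site that falls if leaked_site's password is captured."""
    leaked = vault[leaked_site]
    return sorted(s for s, p in vault.items() if p == leaked and s != leaked_site)


def rotate_reused(vault: Dict[str, str]) -> Dict[str, str]:
    """Give each site in a reuse group its own generated password; unique ones stay."""
    fixed = dict(vault)
    for group in reuse_groups(vault):
        for site in group:
            fixed[site] = generate_password()
    return fixed


# Constructed vault for the example: one weak password reused on three sites,
# which is exactly the pattern the post describes.
VAULT = {
    "mail.example": "Fluffy2008",
    "bank.example": "Fluffy2008",
    "broker.example": "Fluffy2008",
    "news.example": "zebra-picnic-48",
}

if __name__ == "__main__":
    print("reused on:", reuse_groups(VAULT))
    print("if mail.example leaks, attacker also gets:", exposure_from_leak(VAULT, "mail.example"))
    print("after rotation, reuse groups:", reuse_groups(rotate_reused(VAULT)))
```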

I’m still experimenting in this area – if you’re interested in more, email me!

Thursday, February 7, 2008

Chat rooms, IM riskier than social networking sites for kids

for young kids - I'm thinking they don't need to be on any of these options! :) but that's just me

Chat rooms, IM riskier than social networking sites for kids

low tech always beats high tech

"low tech always beats high tech" is a quote from an author I'm reading on Security issues - Bruce Schneier

He's got a point. How good is my router, firewall etc, when my laptop is stolen? All the data I've been keeping private is right there on the hard drive. hmm - seems like my phone and PDA have a lot of data too

One thing to consider would be to use a program to encrypt/decrypt all your stored data. That way if your computing device is ever lost or stolen (which is bad), at least your identity will not be.

I'll write more on this topic later if there is interest
Truecrypt 5.0 is out and it's free - The INQUIRER

World Privacy Forum: Top Ten Opt Outs

Grocery stores, department stores, and casinos all use loyalty cards to track an individual's purchases and activities to give them a better chance to target you for more products you "need". Generally it seemed to me a fair trade-off – they get some data, I get a better deal. I'm not sure how much I care about all the lists I'm in – but I do care about some of them related to my finances.

"Opt Out" is a strange term for choosing not to participate. Back in the day I was launching a startup website I remember debating with the owners ... if we have an automatic "opt in" (including the new member in what we choose) we'd get more value. BUT it seemed more than a little dishonest to sign people up for something they don't know about, so we chose to set the default to "opt out"

Not every website works this way. Many big ones don't – not Yahoo, not even your bank!

check out this list - then you decide where you want to share, and where you want out
World Privacy Forum: Top Ten Opt Outs

Wednesday, February 6, 2008

How do I send secure email?

A couple of Sundays ago I was up getting the griddle ready for some pancakes when an old buddy called.

“hey Dave, I’m looking to sell my Giants season tickets to a guy back east. What’s a secure way to send him account information via email?”

Jack and I worked together years ago at a software company in Palo Alto. He knew regular email wasn’t considered safe – but wasn’t sure why.

Generally the text you send in an email is about as safe as “snail mailing” a postcard.

Is the data on a postcard really worth worrying about? Probably not. There are SO many pieces of mail – WHO would want to read it?? Also, if you send just one or two a year, no one. Those 2 postcards probably say something like “the weather is here, wish you were beautiful!” ;) ...thanks Buffett!

But if you sent a LOT of postcards, describing your daily life, your kids’ life – bills you’re paying …. Hmmm – that could be interesting to many of the mail handlers.

So as with other types of attacks we have to look at what’s the frequency it could occur, what’s the likelihood and is the technology available? (Have you ever heard of a product called ECHELON? It’s our government’s massive collection and correlation of ALL email, telephone and IM traffic. hmmm, is that George Orwell laughing ...)

With email, many people read/write in excess of 10 or 20 a day. It’s normally under the radar of your firewall and virus checker – and it’s up to you what’s in it. Emails do not travel from your computer to your friend’s computer directly – nor do they travel encrypted. Nor are they stored encrypted at many of the most popular internet providers. (sorry Yahoo!)

General rules of security still apply here – don’t give out your full name, don’t send your social security number, don’t inquire about billing issues. These are all vital pieces of your Non-Public Information (NPI). That should be protected by you and any institution you’re working with.

Beyond divulging NPI, the other risk here is social engineering. Did you know that the infamous hacker Kevin Mitnick was known for using social engineering to gain access to private data? By reading all of someone’s email for the past month, I could get a pretty good idea of who you are, where you live and perhaps enough information to convince a doorman, a security guard or an online help person that I should be allowed access to your account.

Scary stuff – but it doesn’t need to be. Knowledge is your best weapon!

Securing your outbound email is a critical piece of your security portfolio.

There are dozens of solutions for the corporate user to send secure email – the easiest to implement and to use works similar to a safety deposit box. You have a “key”, and so does your recipient. Here’s a website that offers this service for free – http://www.hush.com/. No installs on your PC are necessary, just a little thought to come up with a good password for your access AND a shared question the recipient would know the answer to.

Another option comes with some firewalls. With the ZoneAlarm product and probably others there is an area you can tell it what type of NPI to scan your outbound emails for, and to XXXX out those areas. This helps with keeping SSN private, but it still leaves the rest of your text in the clear.
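Here is an added example of the kind of outbound scan just described (my own code, not ZoneAlarm’s): it X’s out SSNs and card numbers in a constructed message before it leaves, and uses the Luhn checksum (an addition of mine) so that order numbers and phone numbers are not blanked out by mistake. The sample email and its numbers are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Patterns for the kinds of NPI the post mentions. The SSN pattern is strict
# (ddd-dd-dddd). The card pattern is loose (13 to 16 digits with optional
# spaces or hyphens) and each hit is confirmed with the Luhn checksum so that
# order numbers and phone numbers are not blanked out by mistake.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_npi(body: str) -> Tuple[str, Dict[str, int]]:
    """Replace SSNs and Luhn-valid card numbers with X's; return text and hit counts."""
    counts = {"ssn": 0, "card": 0}

    def ssn_sub(match):
        counts["ssn"] += 1
        return "XXX-XX-XXXX"

    def card_sub(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw          # looks like a card but is not one: leave it
        counts["card"] += 1
        return "X" * len(digits)

    body = SSN_RE.sub(ssn_sub, body)
    body = CARD_RE.sub(card_sub, body)
    return body, counts


# Constructed outbound message for the example: one SSN, one (test) card
# number, plus an order number and a phone number that must survive.
SAMPLE_EMAIL = (
    "Hi Jack, here is the info for the season tickets.\n"
    "My SSN is 123-45-6789 and the card is 4111 1111 1111 1111.\n"
    "Reference order 1234567890123 or call me at 555-123-4567.\n"
)

if __name__ == "__main__":
    redacted, hits = redact_npi(SAMPLE_EMAIL)
    print(hits)
    print(redacted)
```

Like ZoneAlarm’s scan, this only hides the fields it recognizes; the rest of the message still goes out in the clear.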

I’ve seen several options for kids – this one at Kidsafe mail sounds pretty good so far. For the amount of email my kids have now, I’m not sure I need it. Currently they have ‘regular’ accounts that their mom and I monitor the traffic in/out via our internet provider.

Monday, February 4, 2008

Antivirus firms, testers form standards group

Depending on how you look at it, this could be great news – or not so much. :)

Most people don't realize how MANY standards are used in software development.

It's not the same as building a house, or filing taxes, or even releasing a new vitamin onto the market. Looking into the world of 'Flintstones chewables' – these vitamins have been tested privately, independently and then by the FDA before they are released.

In most places I've worked, there are teams of people who debate, discuss and finally decide on their internal standards for how they will create software. While this is great for that company (assuming of course all the internal groups comply) it's usually a different group of people across the street at *their* company.

So it's not really a lack of standards, it's the opposite - too many!!

When it comes to measuring how good a firewall or an anti-malware solution is, I've run into the same problem. It's hard to tell, since they all have different statistics and ways of deciding theirs is "the best". I've read a lot of the reviews and tried out a few – that helped me decide what's best for my family. But what's best for yours? That depends! I've created a Threat Matrix for homeowners to help you decide – if you send me an email, I'll send you a copy.


this newly formed board should help - I'd hope to see something meaningful from them this time next year. :)
Antivirus firms, testers form standards group