Kane’s Computing World

The Official Blog of Kane Computing Solutions

Windows 7 Preview

November 9, 2008

Windows 7 is the next version of Microsoft Windows.

See the full post for more Windows 7 analysis

Looking ahead to the finish line, Sinofsky declined to provide a schedule for Windows 7, though my sources tell me it could arrive as soon as mid-2009, or about a year before Microsoft’s vague public pronouncements. He said that the build released at PDC was an M3, or “milestone 3” build of the product and that that would be followed by a beta release. Sometime in that timeframe, there will be a fairly public beta–“everyone will be able to sign up and get it,” Sinofsky noted–and then the release candidate (RC) phase. “These will be very visible milestones,” he said, “and each step informs the next. There’s no point in a guessing game for the schedule. It’s a promise and deliver schedule.”

Paul Thurrott’s SuperSite for Windows: Windows 7 Preview, Part 1: Let’s Just Pretend Vista Never Happened, Shall We?

Additional Info on WPA Crack

November 9, 2008

Word to the wise:

WPA Cracked - additional details, (Sat, Nov 8th)

UPDATE: The WPA whitepaper is out: Practical attacks against WEP and WPA please, test it before making the change on your production environment), and increase your wireless detection stance and check for multiple MIC failure messages. — Raul Siles www.raulsiles.com

WPA gone, WPA2 safe

November 9, 2008

The WPA wireless encryption standard is now crackable. Is WPA2 still safe? This article argues yes:

Researchers have announced they can crack WPA in 12-minutes. Some people wonder if WPA2 will soon be next.

It won’t be. WPA was always known to be a weak hack, WPA2 has always been known to be secure. The reason for the compromise was that that hardware didn’t support the AES encryption in WPA2, so a weaker crypto was needed to fix the obvious flaws with WEP without requiring a hardware upgrade.

[…]

The moral of the story is that you should always have been planning WPA2-AES-CCMP eventually, and been planning to rely upon that for many years. If you planned to only do WPA-RC4-TKIP, then you were wrong.

WPA2 is not next on the chopping block

Preview of Upcoming Fedora 10 Release

November 9, 2008

Style and substance, eh?  I will be trying the LiveCD!

Fedora 10 is quite beautiful, but even better, it runs well. And though it’s best to avoid installing it on a vital production machine before the November 25th release, there’s little harm in treating yourself to a liveCD test drive.

Upcoming Fedora 10 Release Has Style and Substance

Contrasting Views on Linux for the Masses

November 7, 2008

The battle over the usability and suitability of Linux for the desktop continues.

The pessimistic view:

Desktop Linux - Will It Ever Stick?
popsci.com: About seven years ago, I tried to free myself from the oppression and misery of running Windows ME by installing Linux on my PC. Ever installed the Linux operating system? It’s not for the faint of heart. So, when it was recently reported that Linux-based netbooks are being returned at a rate four-times higher than their Windows-based brethren, I can’t say I was surprised.

And defending the Linux desktop:

GNU/Linux is user-friendly - and logical too
itwire.com: Over at iTWire, we are often in the position where we disagree with a fellow writer and say so. This morning, I found my colleague Davey Winder’s piece “Opinion: why Linux sucks at being user friendly” to be a little too general to pass without comment.

Read both and judge for yourself. Better yet, you can use a Live CD and try Linux on your current computer without making any permanent changes!

Malware Capitalizes on Obama Victory

November 5, 2008

Via the Security Fix blog:

Malware Piggybacks on Obama Win

Cyber criminals are blasting out massive amounts of spam touting a video of President-elect Barack Obama’s victory speech. Recipients who click the included link are taken to a site that prompts visitors to install an Adobe Flash Player update. The bogus update, however, is actually a data-stealing Trojan horse. The messages, with such subject lines as “election results winner,” and “the new president’s cabinet?”, and “fear of a black president,” direct recipients to a site featuring a picture of Obama beneath an official U.S. government seal and the domain name america.gov (the real domain names used to host these fraudulent sites appear to differ from message to message). Beside Obama’s visage is an embedded video player that reads “loading player.” A few seconds after the site loads, the visitor is prompted to download the malware, disguised as “adobe_flash9.exe”.

Software Can Duplicate Your Keys Using a Photo Taken From 200 Feet Away [Scary]

October 30, 2008

Check this post Software Can Duplicate Your Keys Using a Photo Taken From 200 Feet Away [Scary] from Gizmodo:

There are skilled locksmiths out there that can reproduce a key from high-resolution images, but new software developed by computer scientists at UC San Diego has simplified the process to a frightening degree. In fact, their "Sneakey" system can reproduce a key with only a grainy cellphone image or, in one case, a picture taken from 200 feet away with a five-inch telephoto lens.

“The program is simple. You have to click on the photo to tell it where the top of the key is, and a few other control points. From here, it normalizes the key’s size and position. Since each pixel then corresponds to a set distance, it can accurately guess the height of each of the key cuts,” explained Benjamin Laxton, the first author on the paper who recently earned his Master’s degree in computer science from UC San Diego.


A Look Deep Inside Fake Antivirus

October 30, 2008

A series of three articles goes deep into the trend of fake antivirus/antispyware programs that are popular among malware authors.  Highly recommended reading for an understanding of how this stuff works.  All are written by Joe Stewart of SecureWorks.

The Phish That Bites Back looks at what can happen if you try to fight back at phishing emails; you can actually accelerate the process of infecting your computer.

Rogue Antivirus Dissected, Part 1 looks at how fake malware cons you out of your money and whether these products can actually detect any viruses or malware.

Rogue Antivirus Dissected, Part 2 follows the money trail inside the affiliate programs that make it profitable to spread this malicious software far and wide.

Blogged with the Flock Browser

Don’t Be “ImPalined” On Your Webmail!

September 19, 2008

The recent news about the theft of emails and other private and personal information from the Yahoo webmail account of Alaska Governor and Vice-Presidential candidate Sarah Palin has drawn new attention to security practices associated with webmail accounts.

Gov. Palin’s account was not so much “hacked” as her identity was stolen by someone using publicly available information researched over the Internet. Whatever the method, it was a deplorable act; but it highlighted some inherent flaws in the systems webmail services use to secure users’ accounts.

PC World has a rundown on how this happened and, more importantly for our readers, how to prevent it from happening to you:

The hacker who claims credit for breaking into Sarah Palin’s Yahoo Mail account is revealing how he did it — and the process is far simpler than one might have imagined. Keep reading and see if your own accounts are really as secure as you think.

So be sure to check the security on your webmail accounts, I know I’m checking mine!

How Spammers Get Your Address

September 17, 2008

 An email newsletter article from Cloudmark, makers of an effective subscription antispam service, lays it out:

How Spammers Get Your Email Address

You’ve been careful not to give your email address to anyone except your friends and colleagues, but you still get spam. How did the spammers find you? Even the most well-guarded email addresses eventually become targets of spam. How? The answer explains why spam is an inevitable part of Internet life.

If an email address can send and receive messages, it can be detected as a target for spam. Spammers employ a variety of methods to discover valid email addresses, generally by using automated programs that search for addresses, test their validity, and quickly build a large database of targets for spam and phishing.

The article goes on to list the most common methods spammers use to get or “harvest” email addresses.  It also lists some steps you can take to prevent getting on a spam list.

Read the whole thing here.

Defending Against Social Engineering

July 12, 2008

The first step: be aware of what it is.  See my last post for more details.

Defending against social engineering means awareness and vigilance:

Traditional security measures remain important. Antivirus, antispam, antimalware, URL filtering, and other tools – installed and regularly updated at endpoints, the Internet gateway, and “in the cloud” – provide essential protection. Security policies, including formal ones tailored to the individual needs of enterprises, and informal ones implemented at home via a family discussion, must also be established, periodically discussed, and enforced. Finally, large and small enterprises must continually educate and train their employees while consumers need to do their due diligence to keep abreast of social engineering techniques. The bottom line: be skeptical, but not paranoid.

Trend Micro: First Line of Defense

What is Social Engineering?

July 12, 2008

One of the most commonly used tools in the arsenal of the bad guys: social engineering.  It’s effective because it uses the victim’s own good guy instincts against him.

A good overview of social engineering published by Trend Micro:

Cyber criminals have used social engineering since the dawn of the virus. As cyber threats have evolved, one constant has remained – the effectiveness of social engineering. The success of social engineering is due to its exploitation of the inherent emotions of humans, including empathy, sympathy, curiosity, and fear. People marvel at the achievements of athletes, cower in fear of illness or disease, and sympathize with the plights of those affected by a natural disaster. Social engineering plays on these emotions to entice humans to take actions that suit the nefarious purposes of cyber criminals.

Social engineering is particularly effective because it manipulates the natural human tendency to trust. Our natural willingness to trust leaves many of us vulnerable to attack. Hardware and software are quite effective at protecting against a range of cyber threats. However, the weakest link in the chain of protection is the most likely to be exploited. In this case, the weakest link is the human PC user. As Trend Micro Threat Research Project Manager Jamz Yaneza puts it, “Many of your connections may be secure, but it’s that connection between the chair and the keyboard that may cause a problem.”

Trend Micro: First Line of Defense

Read the whole article for a better understanding of the concept. 

To know how to defend, one must know how one can be exploited.

How To Identify Phishing Scams

May 14, 2008

Some useful tips to help identify phishing scams, but beware, the criminals are getting smarter.  Some scams may not trigger the alerts listed in this article from Trend Micro: 

What Does Phishing Look Like?
People are still falling prey to phishing scams, so what can be done? “The first step is helping people realize what phishing looks like,” says Jamz Yaneza, Threat Research Project Manager for Trend Micro. “If people recognize email or phone calls as suspicious, they are less likely to bite.” The following are some common characteristics that may help identify phishing scams, as well as some advice to avoid being scammed:

Misspellings and Poor Grammar
Phishing often starts with email. Although most such email remains targeted toward U.S. users, non-native English speakers are often the authors. For this reason, some emails appear to be written in broken English, with misspellings and poor grammar. “Take this observation with a grain of salt,” warns Yaneza. “Cyber criminals are now outsourcing these communications to professional writers and designers. Only 70 percent of what I see looks unprofessional, and that number is dropping rapidly. It is becoming increasingly difficult to distinguish legitimate email from spam.”

Never Send Information Via Internet
Many consumers remain unaware that banks and other companies never request sensitive, personal information over the Internet. Also, banks never call and ask for bank account information or Social Security numbers over the telephone. It’s best to personally vow to never disclose sensitive information when receiving an email or telephone call. Only provide private information when first initiating a phone call to verify the identity of the person at the other end. If requested to provide a Social Security number, ask to provide the last four digits only. For example, phone companies request a Social Security to verify account information but will accept the last four digits alone if callers provide additional proof of identity.

Beware of Clicking
Spam itself is not dangerous—it’s what users do after receiving the spam that creates phishing problems. For example, suppose that a user receives a spam email requesting the user to click on an additional link to learn more or provide more information. This is where the trouble begins. Refusing to click on embedded links can circumvent a phishing attack. “Banks and other organizations never ask users to download software,” says Yaneza. “Occasionally a bank will request users to download a browser helper toolbar but that is becoming rare as phishing attacks increase.”

Avoid Ploys for Help
Although many volunteer organizations now use email to solicit donations, it is best to verify a request for a contribution by calling the organization directly. Many phishing attempts, such as the 419 scams described in the first article, are disguised as solicitations for helping someone in need.

Stop Forwarding e-Petitions
Email chains and online petitions are almost never legitimate. Instead, they are initiated by scammers searching for quick and easy ways to collect a mass email list. Unfortunately, people who forward these emails to friends and family are playing right into criminals’ hands. Some petitions feature names, addresses and email addresses. An e-petition is unlikely to actually find its way to the White House, for example. Upon closer inspection, most emails fail to request that a certain action be performed to resolve a problem. For example, a popular e-petition supposedly originating from Mothers Against Drunk Driving (M.A.D.D.) contains no call to action or instructions once the list reaches its stated 5,000 person signature goal. [1] Spammers use these lists to perpetrate phishing and other Internet crimes.

Be Vigilant
Consumers are the first line of defense in protecting against phishing attacks. The best advice is to open attachments from known or expected sources only and to delete all unwanted and suspicious messages. If email arrives from a known company or Web site, only click on links that are hosted on the same site. Redirections to another site are a sure sign the email may not be legitimate.

Technology Solutions
For maximum protection against phishing, implement a comprehensive anti-phishing solution, comprising protection at all possible entry-points—including the Internet gateway, messaging gateway, endpoint clients, endpoint servers, and the network. Trend Micro offers a variety of anti-phishing solutions to suit both consumer, small to medium-sized business and enterprise needs. In addition, keep all operating system, browser, desktop applications, and instant messaging (IM) security patches up to date to guard against the newest phishing scams.

Phishing, SpearPhishing, Vishing and Whaling

May 9, 2008

Nope, not a rerun of “Deadliest Catch”, it’s the lingo of the underside of the Internet.

Phishing attacks are attempts to trick users into giving up confidential information usually through a fraudulent email.  However, phishing attacks are on the rise and using new techniques, like the telephone:

Although more commonly associated with email, phishing also uses other communication techniques. As Internet users have become more savvy, phishing technology continues to grow more sophisticated, and new scams are continually occurring. For example, creative thieves are now using “vishing,” which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information. Rather than using an email campaign, thieves use a VoIP system to cover a particular area. A recorded message tells the person receiving the call, for example, that their credit card has been breached and to “call the following (regional) phone number immediately to resolve the matter.” Of course the phone number does not belong to a credit card company, but rather to the criminals behind the scheme.

Trend Micro First Line of Defense Newsletter

Read the rest of the newsletter to learn more.

Windows XP Service Pack 3 Will Be Delayed

May 2, 2008

From Windows Server newsletter:

Microsoft Delays Release Of XP SP3

The saga continues. No, you can’t have XP SP3. Nothing to see here. Move along folks. They pulled SP3 and blame a “compatibility issue” with their Microsoft Dynamics RMS (a SMB retail-chain-management application). SP3 seems to cause data corruption. And they are also “Temporarily holding any additional automatic distribution of Windows Vista SP1,” said a spokeswoman for Microsoft. And oh, they only had a few -years- to check for these things before SP3’s release. The conspiracy theorists are going to have a field day with this one. I can already hear them muttering, “nobody knows anybody who uses RMS, fishy”. I’ll be sure to update you when Microsoft gets that update updated with a new update. *g*

Problem in Vista SP 1?

April 29, 2008

From Cnet News:

Microsoft says it has stopped automatically updating machines to Vista Service Pack 1 after discovering a bug that can cause problems between the OS and another of the company’s products.

Slight Delay in Release of Windows XP Service Pack 3

April 29, 2008

Apparently, there’s a last minute fix for the long awaited service pack for the venerable Windows XP:

An anonymous reader sends word that Microsoft Windows XP SP3, which had been scheduled to hit the Web today, was pulled back at the last minute. SP3 apparently broke a Microsoft application, Microsoft Dynamics Retail Management System. Their solution is to set up a filter to make sure that no system running the affected software will get automatically updated; once the filter is in place, SP3 will be released to the Web. A fix for the incompatibility will follow.

Read more of this story at Slashdot.

Preview of Windows XP Service Pack 3

April 22, 2008

The newest and probably last Service Pack for Windows XP is scheduled for release on April 29th.  The folks at Cnet have a hands-on preview:

Microsoft says the service pack includes functionality previously released as updates. Perhaps that’s why the download and installation for SP3 was effortless on our test system. XP SP3 took only 30 minutes to download, and 10 minutes to install.

Some updates relevant to the home user include:

  • Support for WPA2, the latest standards-based wireless security solution derived from the IEEE 802.11i standard.
  • Improvements to black-hole router detection (detecting routers that are silently discarding packets). Windows XP SP3 turns this protection on by default.
  • BITS 2.5, which is required by Microsoft System Center Configuration Manager 2007 and Windows Live OneCare.
  • Peer Name Resolution Protocol (PNRP), which allows Windows XP applications to communicate with Windows Vista programs that use PNRP.
  • Windows Installer 3.1, which contains new and enhanced functionality and addresses some issues that Microsoft found in Windows Installer 3.0.
  • Digital Identity Management Service (DIMS), which allows users who log on to any domain-joined computer to silently access all of their certificates and private keys for applications and services.

However, the balance of these improvements are not necessarily relevant to the home user. For example:

  • MMC 3.0, which is a framework that provides common navigation, menus, toolbars, and workflow across diverse tools.
  • MSXML6, which provides better reliability, security, and conformance with the XML 1.0 and XML Schema 1.0 W3C Recommendations as well as System.Xml 2.0.
  • IPsec filter creation and maintenance. XP SP3 reduces the number of filters that are required for a server and domain isolation deployment. Also, the Simple Policy Update removes the requirement for explicit network infrastructure permit filters and introduces enhanced fallback to clear behavior.
  • The Security Options control panel includes more descriptive text to explain settings and prevent incorrect settings configuration.
  • Network Access Protection (NAP), which is a policy enforcement platform built into Windows Vista, Windows Server 2008, and Windows XP SP3 to better protect network assets by enforcing compliance with system health requirements.

Starting April 29, all Windows XP SP2 users should upgrade to SP3, if only to get a complete set of Windows XP patches installed.

A slideshow of Service Pack 3 is available from PC Magazine here.

Will XP Come Back From the Dead?

April 18, 2008

Alex Eckelberry at Sunbelt Software just heard a rumour:

We just got this in from a credible source:

I have just been advised by my Dell representative that Dell will be offering XP on Optiplex and Latitude computers through 2011 at no extra cost. Vista media will be available for those who think they might want to install it later on. Vostro computer orders will have the same option at a $50.00 premium.

Note: this means that there will be an extended period of review available for Windows 7 before we have to commit to it.

She told me that the reps are thrilled to be able to respond to the increasing expressions of concern from customers regarding the June 30 cut-off XP date publicized by Microsoft. She also told me that, of the more than 100 customers she has, only one is ordering Vista computers…

Anyone have any confirmation on this rumor? If it’s true, it’s really good news…

Alex Eckelberry

If this is true, it could mean that a lot of people are going to go from Windows XP directly to Windows 7, skipping Vista entirely. It remains to be seen whether this will be a good thing.

Windows XP - The End is Nigh!

April 14, 2008

The end is in sight for Windows XP, and what a great run it’s been!

From Mary Jo Foley’s All About Microsoft blog:

Microsoft made it official on April 3: There will be no new reprieves for Windows XP (other than on Ultra Low-Cost PCs).

Some customers and partners had been hoping the company might extend again the deadline for all PC makers to be allowed to preload Windows XP, rather than Windows Vista, on new PCs. But today, Microsoft officials said the current June 30, 2008 cut-off date would remain in place for the vast majority of machines.

[…]

For plain-vanilla PCs, Microsoft is holding fast to its June 30 preload cut-off for XP. (In September, Microsoft granted PC makers a five-month extension, allowing them to continue preloading and selling at retail Windows XP until June 30 of this year.) As Microsoft noted previously, users still will be able to get XP preloaded on new machines from white-box vendors/system builders through January 31, 2009. And Vista Business and Ultimate customers with volume-license contracts can still get XP via their “downgrade” rights.

Microsoft will still provide mainstream (free) support for XP until April 2009. Extended support (free for security fixes and paid for other help) ends in 2014.

[…]