4/18/2006

A List Apart: Secure Your Code

Sections: Security — Posted @ 11:24 pm

A great introductory article about the issues facing web community developers trying to balance user expression with the security of the other users around them.

http://www.alistapart.com/articles/secureyourcode

I’m predicting that “Web 2.0” (or 3.0, some think) will soon hit critical mass, meaning that interacting with interactive web sites will become a daily part of life. Unfortunately, this atmosphere strikes me as the ‘cool, let’s do everything’ environment of personal computers first coming onto the Internet. Often when a new area of technology comes out, people are quick to tout its strengths and forget about its weaknesses. Then, two years later, their once pristine machine is a smoldering pile of crap filled with junk salesmen trying to sell you pills and software, and the ex-king of Nigeria just won’t go away.

The web can do an amazing number of things, but it is only now that people are starting to see the security issues that may exist in sites already wildly out of control. The well-publicized “Worm of MySpace” (the Samy cross-site scripting worm of October 2005, which spread through markup a user was allowed to put in his own profile) helped bring these dangers to people’s attention. I predict that over the next year the ‘research / hacking’ community will focus much more on these ‘Web 2.0’ sites and find major security issues. Depending on how big the site is and how sensitive the data, it may or may not become as widespread a problem as spyware is.

Will all these hyper-configurable community sites become the next bastion for spyware and viruses? Will MySpace get into a contest with the Russian botnet armies over which of them has more power to do damage?
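The problem the linked article is about, letting users post their own markup without letting them script against other users, comes down to how the site filters that markup. The following is an added example, not code from the A List Apart article or from MySpace: it puts a denylist filter of the kind that community sites were relying on next to an allowlist sanitizer that rebuilds the fragment from known-safe tags and attributes. The sample inputs are constructed for the demonstration; the allowed tag and attribute sets are assumptions for a profile page, not anyone's published policy.

```python
import re
from html import escape
from html.parser import HTMLParser

# Added example, not code from the A List Apart article. It contrasts the kind
# of denylist filter community sites were relying on with an allowlist
# sanitizer that re-emits only known-safe markup.

def denylist_filter(html: str) -> str:
    """Strip literal <script> tags and the word 'javascript'. Bypassable."""
    out = re.sub(r"</?script>", "", html, flags=re.I)
    return re.sub(r"javascript", "", out, flags=re.I)

# Assumed policy for a profile page: simple formatting, links and images only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}

def safe_url(value: str) -> bool:
    """Allow only http(s) and site-relative URLs. Whitespace and control
    characters are removed first because browsers of the period ignored them
    inside a scheme, so 'java\\nscript:' was treated as 'javascript:'."""
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return v.startswith(("http://", "https://", "/"))

class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from scratch: unknown tags vanish (their text
    stays), unknown attributes vanish, URLs must pass safe_url, and every
    tag that was opened is closed so the output cannot break out of the
    element the site wraps it in."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:          # close anything nested inside it too
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()

# Constructed inputs of the sort that defeated denylists on profile pages.
SAMPLES = [
    '<scr<script>ipt>alert(1)</script>',                   # tag reassembles after one strip
    '<a href="java&#10;script:alert(1)">profile</a>',      # scheme split by a newline
    '<img src="https://x/a.png" onerror="alert(1)">',      # event handler attribute
    '<div style="background:url(javascript:alert(1))">hi</div>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("denylist :", denylist_filter(s))
        print("allowlist:", sanitize(s))
```

The first sample is the point of the comparison: one pass of the denylist turns `<scr<script>ipt>` into a working `<script>` tag, while the allowlist never emits a tag it was not told about, so there is nothing to reassemble. The allowlist also refuses the split `java&#10;script:` scheme because it decides on the decoded, whitespace-stripped value, which is what the browser acts on.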

10/22/2004

Security Report: Windows vs Linux

Sections: Security — Posted @ 1:44 pm

Microsoft has been on the offensive during the last year trying to convince the world that Windows is a better choice than Linux when it comes to servers. They have been doing this by “sponsoring” research reports, in other words paying large sums of money to “research” companies so they will say good things about Microsoft. The latest is a report from Forrester that “Windows Users Have Fewer Vulnerabilities”. This report is laughable to anyone who is involved in the computer security industry but, unfortunately, a lot of people don’t know better and are swayed by Microsoft’s propaganda.

For anyone who wants the true story, The Register has just published an in-depth report about the security of Windows and Linux. This report was written by Nicholas Petreley, who is a Linux supporter but is also a highly regarded Technology Writer and has written columns for InfoWorld and ComputerWorld.

The report itself is very detailed and backed by lots of hard facts. The Register has a good summary of the report, but I encourage anyone who is interested to read the full report. Here are the links:

The full report in HTML format: Click here
The full report in PDF format: Click Here
The Register article about the report: Click Here

10/12/2004

22 More Security Flaws From Microsoft

Sections: Security — Posted @ 10:13 pm

So Aaron won’t be disappointed, here is my latest anti-Microsoft propaganda. Today our buddies up in Washington released 10 security advisories detailing 22 new security flaws. Everyone should now embark on their monthly pilgrimage to windowsupdate.microsoft.com and update their computers. With 22 new flaws for the ‘bad guys’ to exploit, I am sure a new round of viruses will be landing in your email any time now. Or you could download a free copy of SUSE Linux 9.1 from Novell and release your computer from its crappy Windows prison. If you have a little patience, you can wait three weeks and then install the brand new Novell SUSE Linux 9.2 Professional edition when it is released in early November. Other good Linux flavors include Red Hat, Fedora, and my favorite, Debian.

10/9/2004

ASP.NET Security Flaw

Sections: Security — Posted @ 2:08 am

Yet another security flaw in the software that flows out of Redmond. This time the poorly written code is in the ASP.NET framework used to serve up web pages. Netcraft, the authority on tracking what is serving the Internet, estimates that over 2.9 million active web sites could be vulnerable.

What is really sad, but not very surprising, is how simple this exploit is. Simply by replacing a ‘/’ in a URL with a ‘\’ (or its URL-encoded form, ‘%5C’) a web browser can gain access to a “password protected” area of the web site. For example, say your site has an administration section located at “http://www.mysite.com/admin/” which is only accessible with your user name and password. Well, now anyone on the net can request a page in that directory as “http://www.mysite.com/admin%5Cdefault.aspx”: ASP.NET checks its authorization rules against the path exactly as it was sent, and a path that reads “admin\default.aspx” does not match the rule protecting the “admin” directory, yet when the file is looked up the backslash is treated as a directory separator and the protected page is served anyway. From there an attacker can wreak havoc on your web site by changing all your settings or installing a virus.
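The bug class is worth seeing in code, because it is not specific to ASP.NET: any authorization check that runs on the raw request path while a later layer canonicalizes that path can be bypassed the same way. The block below is an added example and not ASP.NET's or Microsoft's code; it models the flaw described above with a vulnerable prefix check, a hardened check that decides on the canonical path, and a blunter rule that refuses non-canonical paths outright. The protected prefix and the request paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Added example, not ASP.NET's code. It models the flaw described in the post:
# an authorization rule keyed on a URL prefix, checked against the raw request
# path, in front of a file layer that treats '\' and '/' alike.

PROTECTED_PREFIXES = ("/admin/",)   # assumed site layout for the demonstration

def is_protected_naive(raw_path: str) -> bool:
    """Vulnerable: prefix-matches the path exactly as the client sent it."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)

def canonicalize(raw_path: str) -> str:
    """Bring the path into the form the file layer will actually use:
    percent-decode until the result is stable (catches double encoding),
    fold backslashes into slashes, and collapse '.' and '..' segments."""
    path = raw_path
    for _ in range(4):                      # bounded; stops when decoding is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/"))

def is_protected_hardened(raw_path: str) -> bool:
    """Decide on the canonical path, and cover the directory itself as well
    as everything under it."""
    canonical = canonicalize(raw_path)
    return any(canonical == p.rstrip("/") or canonical.startswith(p)
               for p in PROTECTED_PREFIXES)

def is_canonical(raw_path: str) -> bool:
    """Blunter alternative for a filter in front of the application: refuse
    any request whose path is not already canonical, so nothing is decoded
    after the authorization decision has been made."""
    if "\\" in raw_path or unquote(raw_path) != raw_path:
        return False
    return canonicalize(raw_path) in (raw_path, raw_path.rstrip("/") or "/")

# Constructed requests: the honest one, and the variants from the post.
REQUESTS = [
    "/admin/",
    "/admin/default.aspx",
    "/admin\\default.aspx",
    "/admin%5Cdefault.aspx",
    "/admin%255Cdefault.aspx",    # double-encoded backslash
    "/public/index.aspx",
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r:28} naive={is_protected_naive(r)!s:5} "
              f"hardened={is_protected_hardened(r)!s:5} canonical={is_canonical(r)}")
```

The naive check passes `/admin\default.aspx` and `/admin%5Cdefault.aspx` straight through, which is exactly the request the post describes; the hardened check catches both because it compares what the file layer will see. The canonical-form rule is the more conservative option when you cannot be sure you have reproduced the file layer's decoding exactly.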

Microsoft is supposedly focused on security, but I just can’t believe they could let such simple security problems get into their code in the first place. Sometimes I think they took the so-called “Infinite Monkey Theorem”, the one about monkeys sitting at typewriters eventually reproducing Shakespeare, a little too seriously and decided to employ a couple million monkeys to write their crappy code. What type of peer review process do they have where such obvious security problems can slip through the cracks?

For those interested, here is the link to Microsoft’s security advisory: Click Here

9/23/2004

Microsoft Not Going To Fix Bugs In IE

Sections: Security — Posted @ 5:27 pm

Building on my last post about Firefox, there is now an even better reason to dump Microsoft Internet Explorer. According to this article on news.com, Microsoft reiterated its position that it will not fix any security problems in Internet Explorer except in the version that ships with Windows XP. This means that if you run an older version of Windows, as about 200 million other people do, then you are going to be forced to upgrade to Windows XP if you want to keep your computer secure. Without the security fixes, which come out on a monthly basis, your Windows 2000, Me, NT, or 98 version of the software will be wide open to viruses, spyware, malware, and all sorts of other horrible problems.

I have known for years that Microsoft is an evil company, but this sinks to a new low. Now they are using the rampant security problems in Internet Explorer, which is built into all versions of Windows since 98, to force their customers to upgrade to Windows XP. Many customers have chosen not to shell out the $99+ to upgrade their version of Windows because they feel that what they have works well enough. In fact, according to IDC, 49.2% of Windows users don’t currently run Windows XP. With Microsoft’s next version of Windows not being released until sometime after 2006, it looks like Microsoft had to get ‘creative’ to find a way to get people to give them more money.

So, what should you do to protect yourself? I would start with dumping Internet Explorer and using Firefox instead. It is free, secure, and fast. But, because Internet Explorer is built into Windows, you will still be vulnerable, although by not browsing the Internet with IE you will have some protection. You should still make sure to run a virus scanner and a firewall. If you really want to be secure, install Linux on your PC or go buy a Macintosh.

9/17/2004

Don’t Use “U-Lock” Bike Locks

Sections: Security — Posted @ 12:13 pm

I ran across this article on Wired that actually shows how you can open a supposedly unbreakable lock with a ballpoint pen. Having owned one of these locks in the past, it was quite a shock to see. According to the article, all you do is take the tube of the pen, cut four small slits in the top of it, shove the tube into the lock’s cylindrical keyhole and twist. This story has been spreading around newsgroups all over the Internet, and surely every criminal in the country will know about it soon.

I recommend taking a look at the article yourself and then going to your bike shop to get a lock not based on the “axial pin tumbler” (tubular) locking mechanism. A strong chain with a combination lock would be even better, even though chains are pretty easy to cut. The vulnerable type of lock is also used for locking down laptops, so you should replace those as well.

Here is the link to the Wired article: Click Here

9/15/2004

JPEG Image Virus Problems Ahead

Sections: Security — Posted @ 10:09 am

Microsoft dropped a bombshell on the security world today with its latest monthly security patch. This round of fixes includes a major flaw in the way Windows handles the JPEG graphics format (bulletin MS04-028, a buffer overrun in the GDI+ library that decodes JPEG images). Most of the images you see in emails and on the Internet are JPEG files, commonly ending in “.jpg”. Just viewing a malicious JPEG file lets an attacker run code on your computer and install viruses. That means, without the fix installed, simply opening an email with a picture in it or looking at a web site can get you infected!

I highly recommend that everyone who is using Microsoft Windows go to http://windowsupdate.microsoft.com and install the fix. You should also go to http://office.microsoft.com/officeupdate/ to fix this problem in Microsoft Office products.

The good news is that there isn’t yet a virus that takes advantage of this latest problem with Windows and other Microsoft products. But, if the past is any indication, there will be viruses released in the next month that spread using this security problem. So, every Windows user needs to install the updates before it is too late.
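Until the patch is on every machine, a mail gateway or file share can at least refuse the malformed files. A JPEG is a sequence of marker segments, and every segment that carries data has a 2-byte big-endian length that counts its own two bytes, so a valid length is never below 2; the GDI+ bug fixed in MS04-028 was triggered by a comment segment whose length field broke that rule. The scanner below is an added example and not Microsoft's code or the fix: it walks the segments up to the start of image data and reports files that violate the length rule or run past the end of the file. The two sample byte strings are constructed for the demonstration, not real images.

```python
import struct

# Added example, not Microsoft's code. Walks the marker segments of a JPEG up
# to the entropy-coded data and reports malformed segment lengths, including
# the below-2 length that triggered the GDI+ bug fixed in MS04-028.

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

def scan_jpeg_segments(data: bytes):
    """Return (segments, problems). segments is a list of (marker, length)
    tuples in file order; problems is a list of strings, empty for a file
    whose header segments are all well formed."""
    segments, problems = [], []
    if data[:2] != bytes([0xFF, SOI]):
        return segments, ["missing SOI marker"]
    segments.append((SOI, 0))
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            problems.append(f"expected a marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte between markers, skip it
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            problems.append(f"marker 0x{marker:02X}: truncated length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # A decoder that computes payload = length - 2 underflows here.
            problems.append(f"marker 0x{marker:02X} at offset {pos - 2}: "
                            f"length {length} is below 2 (underflow trigger)")
            break
        if pos + length > len(data):
            problems.append(f"marker 0x{marker:02X}: length {length} runs past end of file")
            break
        segments.append((marker, length))
        pos += length
        if marker == SOS:                   # entropy-coded data follows; stop here
            break
    return segments, problems

def is_well_formed_jpeg(data: bytes) -> bool:
    """True when no header segment is malformed."""
    return not scan_jpeg_segments(data)[1]

# Constructed samples, not real files: a minimal header with a 5-byte comment,
# and the same file with a zero comment length.
GOOD = b"\xff\xd8\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + b"\xff\xd9"
BAD = b"\xff\xd8\xff\xfe" + struct.pack(">H", 0) + b"A" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        segs, probs = scan_jpeg_segments(blob)
        print(name, [(f"0x{m:02X}", n) for m, n in segs], probs)
```

The scanner stops at the first problem rather than trying to resynchronize, which is the right behaviour for a gate: a file that fails here is either corrupt or hostile, and either way it should not reach a vulnerable decoder.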

Here is a good article from CNet: Click Here

Here is the link to Microsoft’s security bulletin: Click Here

7/24/2004

Bin Laden Trojan Scheme

Sections: Security — Posted @ 12:11 pm

There is a new security threat loose on the Net. A file floating around in emails and on newsgroups claims to be a picture of Osama Bin Laden committing suicide. It is really a Trojan horse called Hackarmy, also known as Hacarmy, that will infect your Windows computer when you try to look at the file. Click here for a link to a news article about the new virus, and click here for a more technical write-up of the Trojan horse from SARC. So, no matter how curious you are, do not open any files claiming to be pictures of Bin Laden killing himself.

7/5/2004

Yet Another Mass Mailing Virus

Sections: Security — Posted @ 12:06 pm

There is another computer virus in the wild that is causing lots of problems. This latest virus, called Evaman, is clogging the mail servers of Hotmail and Yahoo. The virus can infect all versions of Windows via the email it sends out. The email will arrive with one of the following subject lines:

Delivery Status (Failure)
failed transaction
failure delivery
mail failure
returned mail
server error

The attachment to the email is the virus, so do not open it! More technical information about the virus can be found on Symantec’s Security Response page.

6/9/2004

Another Internet Explorer Security Hole

Sections: Security — Posted @ 10:54 am

Sometimes I feel really sorry for people who use Internet Explorer. Besides being technologically inferior to other browsers, such as Mozilla and Opera, it is filled with security holes. Techworld.com broke a story today about a new security hole in Internet Explorer that has no fix. You can read that story by clicking here. This problem is really bad because just clicking on a link lets an attacker install files on your computer and gain complete control of it. I expect a new round of worms to come out of this, because Internet Explorer is also used to render email in Outlook Express. Did I mention there is no fix for this security problem? All a web browser should ever do is render web pages on the screen… it has no business running programs. Why does Microsoft build things into its programs that just open them up to later security issues? I recommend everyone switch to Netscape, Mozilla, or Opera and stop using Internet Explorer and Outlook Express.