Microsoft antiphishing advice
It's hard to know at what point repeating advice about phishing does more harm than good as it becomes background noise but there are some useful tips to be found on the Microsoft antiphishing site.
Always double check links in emails before clicking on them. In fact I would go further than that to say never left-click on a link in an email. It is much better to right click on the link and copy the address to the clipboard first. Look at it for suspicious content. Otherwise enter the address of the site by hand using the address you always do. Why risk clicking on a link that purports to be from a bank if you already know the address?
Instant Messaging is also risky now. For example I managed to rickroll someone by changing the text displayed for the link to something other than the link itself. We had all just assumed that the Instant Messages were plain text and the software automatically created the links when it detected a URL. In fact the messages are HTML so it is possible to have a different link to the text that is displayed. I also got caught out by clicking on a link that installed a Trojan.
Posted by Tim Smith on May 15, 2008 | Permalink | Comments (0) | TrackBack
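The mismatch between displayed link text and the real target described in the post above, as an added example that is not part of the original blog: a Python check that parses an HTML message and flags links whose visible text names a different host from the one in the href. The function names and the sample message are constructed for illustration and use reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that itself looks like a web address (scheme optional).
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I
)


def normalise(host):
    """Lowercase a hostname and drop a leading 'www.' so trivial variants compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def href_host(href):
    """Host the link really goes to; '' for relative or non-web (mailto:, javascript:) targets."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return ""
    return normalise(parts.hostname) if parts.scheme in ("http", "https") else ""


def text_host(text):
    """Host named by URL-looking display text, adding a scheme if the text omits one."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return normalise(urlsplit(text).hostname)
    except ValueError:
        return ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_message(html):
    """Classify each link as 'match', 'mismatch' or 'opaque' (text is not an address)."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        target = href_host(href)
        if URL_LIKE.match(text):
            shown = text_host(text)
            verdict = "match" if shown == target else "mismatch"
        else:
            shown = ""
            verdict = "opaque"  # the text gives no clue; the href must be read directly
        findings.append(
            {"text": text, "href": href, "shown_host": shown,
             "target_host": target, "verdict": verdict}
        )
    return findings


# Constructed sample: three links as they might appear in one HTML chat message.
SAMPLE_MESSAGE = (
    '<p>Look: <a href="http://video.example.net/watch?v=abc">'
    "http://news.example.org/story</a></p>"
    '<p><a href="https://www.example.com/login"><b>example.com/login</b></a></p>'
    '<p><a href="http://files.example.net/setup.exe">Holiday photos</a></p>'
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MESSAGE):
        print(f'{finding["verdict"]:9} text={finding["text"]!r} -> {finding["target_host"]}')
```

Only the first link is a hard mismatch; the third is the more common case where the text is not an address at all, so the reader has to look at the copied href as the post advises.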
Service Pack 3 not so smooth all round
We are reading reports that there are some sporadic problems when installing XP Service Pack 3 on computers. There have been reports of problems with AMD systems.
I know this is no relief for anyone with a damaged system but it is really important to take a complete backup before making a radical change like a Service Pack.
Find out more here
Posted by Tim Smith on May 13, 2008 | Permalink | Comments (0) | TrackBack
Windows is not alone in being vulnerable
The most spirited discussions I read on our forums are the debates over the relative security of Linux/Mac OS compared to Windows.
Things really get heated when someone makes the claim that *nix (read Linux and Mac OS) based operating systems never get viruses or vulnerabilities.
This just isn't true, as the steady trickle of updates to my Ubuntu installation proves. I'm not passing judgement on the severity of the possibility of the computer being hacked, but the vulnerabilities do exist and need to be countered.
The comments following this blog post ( Word up to Linux fan boys: Multiple Linux flaws show that Linux also has kernel issues ) reflect my experience.
One revealing remark was someone who said
"I have used Linux for over 4 years without even a thought to virus or security. All with no problems."
As I said the other day, that should really read "All with no apparent problems"
At one point the blog author ended up making this remark
"In fact, the strangest thing since I've joined this blog is I've found myself defending Microsoft more often than I'd like to due to people claiming things are Microsoft's fault when they aren't, or making ridiculous claims of Linux/Mac's capability of standing up to certain flaws."
It's a situation I've found myself in many times. There are many things about Microsoft products that annoy me, but I'm not prepared to stay silent when people make arguments based on hearsay or general FUD. There's no shame in admitting that there have been problems with your favourite operating system. To do otherwise just makes you look stupid.
Posted by Tim Smith on May 12, 2008 | Permalink | Comments (0) | TrackBack
The service packs are coming
News from the Windows Update Product Team Blog. Windows XP Service Pack 3 is now on Windows Update. It's not on Automatic Updates yet but that'll be happening soon.
So far this service pack has been notable for a distinct lack of problems. I've not heard of any problems either in reader letters or in our Windows forum.
I may live to eat these words, but if this continues then Microsoft deserve some praise for a job well done.
Posted by Tim Smith on May 7, 2008 | Permalink | Comments (0) | TrackBack
When only the most secure password will do
I know this is a bug, but it's a funny one. In certain conditions Windows 2000 will present the following error message:
"Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes."
More information and a fix, in the highly unlikely event of it happening to you, can be found on the Microsoft KnowledgeBase. Just as well it's not combined with a fingerprint scanner really.
Posted by Tim Smith on May 6, 2008 | Permalink | Comments (0) | TrackBack
Just because you don't know it's there....
There has been a lot of lively discussion on the web in general (and our forums in particular) as to the value of security software. Some people have even suggested that there is no point in installing anti-virus. Before going any further, let me just say I think this is a very, very bad idea.
One discussion I was involved in revolved around the value of a software firewall. I've had several people tell me that the firewall on a router is all the protection they need. Other discussions have been running on LifeHacker and AskMetafilter.
Routers certainly offer valuable protection but only really against inbound threats. If a computer tries to connect to your home network that hasn't been invited it is simply ignored. That protects from threats outside the network.
The problem is that many attacks don't rely on slipping past a firewall. I've been speaking with several security experts recently and they all say that browsers pose a big threat due to malicious (or hacked) websites. Sometimes just accessing the site is enough to get infected. And from that point the malicious software is sending information out of the network. By default most routers will let them do so quite happily.
My router didn't help me when a computer I was using was hit by a virus but luckily I was running a software firewall (ZoneAlarm as it happens) that stopped it in its tracks.
Allysa Myers on the McAfee Avert Labs Blog also points out that it's very hard to tell if a computer has been infected any more. If you want to steal data from people the last thing you want them to know is that you're doing it.
I've seen demonstrations with Sophos of modern viruses and there really is no way of knowing that the computer has become infected.
True there is a performance penalty for running all of this but it is very minor, especially when you consider the alternatives. I also have problems believing people who say they can tell the difference, especially when they are usually the ones with more powerful computers. As suggested in a Windows Secrets article by Fred Langa, people rarely notice a less than 10% drop in performance.
Posted by Tim Smith on May 6, 2008 | Permalink | Comments (0) | TrackBack
AVG Free 8 is here
Hot on the heels of the full Security Suite, AVG AntiVirus Free 8 is here.
One clever extra is the Linkscanner software. This software scans links in Google Searches to check for malicious scripts that might damage the computer.
I've been using it a little while as a stand alone app. It's similar to McAfee's SiteAdvisor (for Firefox and for Internet Explorer) but it works on the fly. The advantage of this is that it still protects without any delays for threats to be identified.
It doesn't seem to be included in the updater for AVG Free 7.5 so it needs to be an uninstall/reinstall job.
Posted by Tim Smith on April 25, 2008 | Permalink | Comments (0) | TrackBack
Coming, ready or not
Windows Vista Service Pack 1 is coming to a PC near you now, courtesy of Automatic Updates. As far as we have heard, the reboot problem has now been sorted.
Don't feel left out if you use Windows XP, Service Pack 3 is due very soon.
Posted by Tim Smith on April 24, 2008 | Permalink | Comments (0) | TrackBack
Even updates need updates
As the Apple Software Update tool doesn't seem to proactively alert me, other people might need this.
The tool itself needs updating, so it's worth checking again.
Posted by Tim Smith on April 8, 2008 | Permalink | Comments (0) | TrackBack
Another reason to dislike malware writers
Fair enough there are precious few reasons to like them as it is, but as the McAfee Avert Labs points out, they may also be making a substantial contribution to global warming.
While I hope no one is printing spam out and wasting paper, the load placed on the internet in general sending and blocking spam uses a considerable amount of energy. In fact the writer even suggests that the amount of energy wasted by home computers infected by the most recent Storm outbreak would power his house for 8 years. And that's without considering the load on ISP servers and the like.
There's not much we can do about the writers themselves, but keeping a computer clean of viruses and the like is not just for personal benefit, but everyone's.
If you haven't already, take a look at:
Posted by Tim Smith on April 7, 2008 | Permalink | Comments (0) | TrackBack
Want to know about viruses? Let some loose*
* In a controlled environment, of course.
Yesterday Computeractive was given a sneak preview of a new incentive being set up by security firm Kaspersky Lab - training workshops where attendees can, for a fee, learn about how viruses and other online threats work by deliberately infecting computers and monitoring the results.
The PCs in question are isolated on a closed network with no access to the internet, so there's no risk of any threat spreading further, and viruses are provided on CD - not, obviously, to be taken away afterwards. We successfully infected our workstation with the Sasser and Netsky worms, and a couple of Trojan programs for good measure, while monitoring the changes made to files and the registry, before removing them again. The PC pictured above is monitoring data sent over the network by a worm. As well as these practical sessions, the courses include theory lessons on the different threats found online, the motivation behind them and strategies for minimising the threat to businesses.
Look out for more details on the courses next week.
Posted by Tom Royal on April 4, 2008 | Permalink | Comments (0) | TrackBack
Update for Opera Browser
If the browser hasn't already alerted you, it's time to update Opera to version 9.27.
It's a painless job and apart from a restart should leave you back where you started. There are some security updates and improvements on the Acid test.
Posted by Tim Smith on April 4, 2008 | Permalink | Comments (0) | TrackBack
Stay safe on April Fools day
It's that time of year again when we all try to fool each other (or stick paper fish on each other in France). It also makes an ideal opportunity for nastyware writers over the globe.
There's a report from the McAfee Avert Labs Blog that the Storm worm has a new variant for today.
So this is a special appeal for everyone to be a little extra careful when reading emails or IM messages.
Posted by Tim Smith on April 1, 2008 | Permalink | Comments (0) | TrackBack
Firefox and addons signing
Thanks to Asa Dotzler who has left a comment explaining the signing process for Firefox addons in more detail. Here it is in case you haven't seen it on the original post.
"The signing process doesn't have anything to do with ensuring addons haven't been changed. Signing is to let you know who is providing the add-on, but if you get the addon from Mozilla's add-on site, we verify all of that for you so all you have to do is trust Mozilla, not necessarily every add-on author."
I'm glad to clear that up.
Posted by Tim Smith on March 31, 2008 | Permalink | Comments (0) | TrackBack
Opera and browser addons
I was writing yesterday about addons for Internet Explorer 7/8 and Firefox but nothing about Opera, my preferred browser.
There are extra bits of code that can be downloaded for Opera called Widgets that perform many of the functions that addons do but with some differences.
Really they are more like desktop widgets than browser addons. Think of the Yahoo Widget Engine or the Windows Vista Sidebar. They are more informational than adding new features to the browser. My biggest annoyance is that they appear on the Taskbar and are grouped with the main Opera Window, which quickly becomes unwieldy.
I have asked Opera about this because I depend on some of the Firefox addons when designing web pages or writing blogs. The answer was that of security. Addons can have quite a lot of power when it comes to what they can do or access. Firefox has a signing process to ensure addons haven't been changed but I can't remember ever having seen a signed addon. I just click on install. After my virus attack the other week I suppose I should be more careful but how?
There is one Widget tool that is worth having a look at, Widgetize, the widget generator. This is a three step wizard for creating a widget link for a blog. You can take a look by clicking on the button below in Opera to see the Widget for this blog.
Posted by Tim Smith on March 26, 2008 | Permalink | Comments (1) | TrackBack
Virus update
Sadly my hopes for the Symantec Virus removal tool were overly optimistic. Just then the Microsoft updates window appeared with the March Malicious Software Removal Tool. What great timing I thought.
This also reported having removed a virus but the problems did not go away and Internet Explorer is riddled with popups and dodgy warning messages.
Enough is enough, so I've asked our Systems department to wipe the computer and start again. My files are safe in a roaming profile (a clever technology where the Documents and Settings folder is copied to a server so that it is available wherever I log in) so the only inconvenience is installing extra software not included in the default setup.
I recognise that I'm very lucky to be able to do this and it is unlikely to be an option for most home users. But spending some time preparing for a disaster like this is a good investment.
Software like DriveImageXML is a good start although restoring the image may require creating a Windows recovery disc, using something like Barts PE. These tools are all free but frankly I think this is a situation where it is worth spending a little money to save time. Something like Acronis True Image 11 Home is much simpler to use and worth the £40 price tag. Now all I need to do is find the time to make the backup.
Posted by Tim Smith on March 18, 2008 | Permalink | Comments (0) | TrackBack
Are your passwords safe?
It must be my day for being shamefaced. Having fallen for a trojan, I then took a look at the Microsoft Password Checker. Only a couple of my passwords were considered strong or safe and quite a few came up as weak.
That was mainly due to length as they use a mix of cases, numbers and non alpha numerical characters.
Perhaps it's time for a complete security overhaul...
Posted by Tim Smith on March 12, 2008 | Permalink | Comments (0) | TrackBack
It happens to us all
I managed to infect my computer with a piece of nastyware yesterday, Trojan.Vundo to be precise.
The link to the file came through on my instant messaging software from someone I trust. That's not a dig at them, it's possible that it was a spoof of some kind. Anyway it looked relevant so I clicked on it. And now I really wish I hadn't.
Thankfully the effects appear to have been contained but getting rid of the wretched thing is proving quite difficult. My first attempt to run the Symantec removal tool hung when it encountered the Symantec Virus checker.
It's running now so hopefully I can return to normal without having to restore the backup image. That would be even more hassle.
The moral of the story. Always check links first. Always. And ask people what they are first.
I stand humbled.
Posted by Tim Smith on March 12, 2008 | Permalink | Comments (0) | TrackBack
What software can you trust?
Trust is a curious notion online. We often have people who are very suspicious of what we write, and then cheerfully accept something that a blog post they found in Google wrote about having seen a report about an article found on a rumour site. Sorry if I sound bitter.
When it comes to software, it seems that the situation can be even worse, and I'm guilty of maybe being too fast to trust as well.
I started thinking this about a report on Coding Horror of a Google Mail backup utility that was programmed to email usernames and passwords back to the author.
There's no need to use the main email software for this so no one was any the wiser until a programmer did some research and noticed the outgoing email.
The good news is that this programmer changed the receiving Googlemail account and deleted the user details. Of course, we only have his word for it.
What can be done?
I'm not even sure if there is an answer here as it is so hard to be sure of where software has come from. It's one reason I've stuck with the Opera browser so long and put up with the lack of addons. Firefox Addons are great but I'm never completely sure of who has created them or what they do.
Having said that, when I submitted a widget to the Yahoo Widget Gallery, they did actually check the code. I know this because they rejected it (here comes the bitterness again though it was with good reason). So there are places you can trust.
So I think I'm going to stick with software from companies I know. And keep my ear to the ground if I want to install something else. That is at least one advantage of Open Source, that people can check easily if they want to.
Posted by Tim Smith on March 11, 2008 | Permalink | Comments (0) | TrackBack
No password safer than weak password?!
I couldn't quite believe the headline Set a Blank Password in Windows XP To Protect the Computer from Internet Attacks but it seems that there might actually be something in this.
If there is no password on an account it cannot be accessed over the network or internet. There is still the question of physical security but this is less of a problem at home. Unless you want to run parental controls software. Or your house is broken into, as we heard in an email into the office a couple of days ago.
Given that most people end up using simple passwords for an easy life, this advice is fairly good. But I would still recommend people to create a strong password (upper and lower case, numbers and even extra characters like !"£$% if allowed).
And never, ever, ever leave a notebook without a password when out and about.
Posted by Tim Smith on March 11, 2008 | Permalink | Comments (0) | TrackBack
Open source: more secure?
I recently interviewed Mike Schroepfer, VP of Engineering at Mozilla, the organisation that produces the Firefox web browser. He was in London to talk about Firefox 3, and you can read about that browser and its new security features in our news section here.
During our discussion, though, Mr Schroepfer made some fairly bold claims. One of the most interesting was that, to put it simply, open source software (such as Firefox or Linux) is inherently more secure than closed-source software (Internet Explorer, or Windows).
Or, as he put it:
“Open source means that it’s an open process. I like to say that you don’t have to trust anything I say – you can go and check it out for yourself. Dial in to one of our meetings, look at our bug tracking system, look at the source code yourself. You don’t have to trust anything I or anyone else says - anyone in the world can verify it, at any point in time. I think that’s a lot more comforting to me than some promise from some executive that, “yes, it is secure, we’re doing a great job”. Well, how do you know? How do I really know for sure?"
This quote was still in my mind when, this morning, I came across this story from the Coding Horror blog. A reader claims that, having examined a shareware utility that downloads Gmail messages for backup purposes he found that it was programmed to email the username and password details of every user's Gmail account to the software author.
It's important to note at this point that the allegation could be untrue - however, were I a user of G-Archiver I'd want to change my Gmail password and stop using the program until more details are available, just to be on the safe side.
In a way, this incident proves that security issues with closed-source software can be found - as long as a technically-minded and curious user decides to poke around. On the other hand, the process would be easier with an open source program - and it could easily be argued that only a fool would create a program to steal passwords, include his own email address in it then post the code for all to see.
That said, I'm not sure that I'm ready to start distrusting all closed-source software in future. Much as I love the idea of OpenOffice and the GIMP, I'm completely lost without my copies of Microsoft Word and Photoshop. I do generally, however, pick free open source software rather than shareware / closed source freeware. What do you think - do you choose open source because it's more secure, because it's free, or not at all? And, ultimately, who do you trust when it comes to the software running on your computer?
Posted by Tom Royal on March 10, 2008 | Permalink | Comments (0) | TrackBack
Cash points running Windows are 'easily hacked'
You might be thinking that if you don't use internet banking, your money is safe from problems with Windows. Rather worryingly, it seems that this may not be the case.
According to Silicon.com, security hackers (the good type) have been able to hack into cashpoint machines, and claim that up to 90 per cent of cash machines in the UK are vulnerable.
In some cases physical access to the cash point was possible with a key bought from the internet, allowing the hackers to take the money, or install key logging software to track account numbers and PINs.
Otherwise communication between the cash points and the banks was picked up in plain text.
I'm going to buy a large sock to hide my money up the chimney in, I think....
Posted by Tim Smith on March 7, 2008 | Permalink | Comments (0) | TrackBack
Update for Mozilla Thunderbird released
An update has been released to fix a security flaw in Mozilla Thunderbird.
The problem could allow an attacker to run programs on a computer.
To be safe you should be running Thunderbird 2.0.0.12. It should check for updates automatically, otherwise click on the Help menu and then on Check for updates. A restart of Thunderbird (not the computer) is needed to complete the installation.
Mozilla SeaMonkey is also affected and should be upgraded.
Posted by Tim Smith on February 28, 2008 | Permalink | Comments (0) | TrackBack
A reminder to backup
I know I go on about backing up a lot but it is with good reason as these pictures show.
Apparently the only sign that anything was wrong was a 'nasty rattle'.
More horrifying pictures to be found on the original forum post.
If lack of software is holding you back, have a look at Drive Image XML, it's free and can make complete backups to a network share.
Posted by Tim Smith on February 28, 2008 | Permalink | Comments (0) | TrackBack
Drive encryption cracked using compressed air
Windows Vista includes some new software called Bitlocker that promises to lock up your disks - not just files, but entire disks - so that they can't be accessed without a password. That's great news for some businesses, who need to make sure that, should a notebook computer get lost, the data still can't be accessed. In fact, the government could probably do with a bulk order.
But here's the thing - it's not quite as secure as we thought. A group of computer scientists from Princeton University has found a way to get around the encryption technology with something as simple as a can of compressed air.
Essentially, the way it works is to rely on the fact that memory chips, although they lose information when they're switched off, don't do so instantly. It takes a few seconds, and if you cool the chips down (which is where the cold compressed air comes in) you can slow the process further. Because the drive password is stored in memory you can then remove the chips and read the password.
It's not just Windows, either. Both Mac OS and Linux implement drive encryption in the same way, so the same hack applies to them. You can read the paper on their research, or take a look at a video they've posted that summarises the process, with handy pictures.
Posted by Anthony Dhanendran on February 27, 2008 | Permalink | Comments (0) | TrackBack
New version of AVG Internet Security released
AVG (the company formerly known as Grisoft) has released a new version of their Internet Security software.
One new addition is the LinkScanner (the free version can be downloaded here). AVG bought Exploit Prevention Labs last year and have integrated their technology. Put simply it checks on behaviour rather than relying on lists of suspicious files. These days the more malicious hackers try to keep their attacks small enough to avoid notice, so definition lists are not as effective as they used to be.
You can keep up to date with the latest discoveries by Exploit Prevention Labs on their blog.
Hopefully some of the new features will trickle down to the free version soon.
Posted by Tim Smith on February 27, 2008 | Permalink | Comments (0) | TrackBack
New version of the Opera web browser
Opera 9.26 has just been released. As this is a security and stability update (see the changelog for more details) it's a good idea to download and install it as soon as possible. You can do this from here.
If you don't have Opera yet, I strongly recommend you give it a go.
Posted by Tim Smith on February 25, 2008 | Permalink | Comments (0) | TrackBack
Advice on Vista Gadgets
Microsoft has some useful advice on staying safe when using Windows Vista Gadgets. These are small applications that either run in the Sidebar or on the Desktop.
I've been impressed with both Gadgets and the very similar Yahoo Widget engine. They are especially useful on widescreen monitors when on a notebook for keeping an eye on battery levels and the time.
But like any extra software there is a certain security risk. Nothing particular but anything that can access files on the computer needs some thought. So the information on this page is a useful reminder.
Now what would be really cool would be a built in GPS so I could set a reminder to hibernate when getting close to my home station. One day...
Posted by Tim Smith on February 18, 2008 | Permalink | Comments (0) | TrackBack
One rule to guide them all
A very humble request was made by ZoneAlarm just now, whether it should give itself permission to access the internet.
It's good to see a program that doesn't have a big head.
Posted by Tim Smith on February 7, 2008 | Permalink | Comments (0) | TrackBack
Security problem with Firefox
News is coming in that there is an outstanding security vulnerability in Mozilla Firefox and it has been confirmed by Mozilla's Window Snyder's blog.
Mozilla has rated this as a low severity bug so it doesn't seem like there is any immediate need for panic. It also only applies if Firefox has had certain add-ons installed. Two quoted as vulnerable are Statusbar and Greasemonkey. The problem might allow an attacker to see what software is installed on a computer.
According to one of the comments, the extension NoScript can protect a computer. I've not confirmed this but it's certainly better than nothing. Alternatively you could use a different browser like Opera until the bug is fixed.
Posted by Tim Smith on January 24, 2008 | Permalink | Comments (0) | TrackBack
New version of PC Tools Spyware Doctor
A press release has dropped into my inbox about the release of Spyware Doctor 5.5
There are improvements all round from rootkit removal and improved kernel level protection to improved performance.
The Network Guard blocks unauthorised changes to networking settings in the Registry. The rating system has also been improved to give a better idea of the severity of a particular threat.
Existing Spyware Doctor users can upgrade for free and there is more information on the Spyware Doctor homepage.
Posted by Tim Smith on January 18, 2008 | Permalink | Comments (0) | TrackBack
New version of AVG on the horizon
The second beta (test) version of AVG 8 has been released by Grisoft. The new software will be able to take advantage of dual core processors for better performance and will include extra protection from Exploit Prevention Labs.
This software checks web pages as they are downloaded, looking for anything malicious. It looks for behaviour rather than a signature so it will block malicious code even if the antivirus companies have not identified it. A standalone program for this is called LinkScanner, and the Lite version can be downloaded and used for free.
If you want to take part in the Beta program, it can be downloaded after registration at http://beta.avg.com. I'd recommend that you don't do this with a critical computer, ie this is best left to a second computer or virtual machine.
Posted by Tim Smith on January 18, 2008 | Permalink | Comments (0) | TrackBack
Security blog from Microsoft
There is a new addition to my blogroll today, Security Tips & Talk, from Microsoft. There is some good advice but that's not the only reason for subscribing. Reading blogs like this is a good way to stay reminded of the need to keep up to date with security. Not just software updates but thinking before opening email attachments.
For a recent example, the top post tells of how the likely trend for cybercriminals in 2008 will be to do whatever it takes to make money. One example is electronic greeting card scams.
I got one of these from my mother of all people around Christmas, you don't get more of a trusted source than that! Taking a closer look it had a double file extension and that got the warning bells ringing. I decided to pass on whatever the contents were and also to take the (possibly risky!) path of being honest about ignoring the attachment.
Staying safe is about staying vigilant. I know that sounds trite but it's true. It's just like remembering to look before crossing the road.
Posted by Tim Smith on January 9, 2008 | Permalink | Comments (0) | TrackBack
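The double file extension that set off the warning bells in the greeting card post above can also be checked mechanically. The following Python is an added example, not part of the original blog; the extension lists and the sample filenames are constructed assumptions.

```python
import re

# Extensions Windows runs directly or hands to a script host (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions that look like harmless documents or media (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "htm", "html", "mp3", "zip"}


def check_attachment(filename):
    """Return the reasons an attachment name deserves suspicion (empty list if none)."""
    reasons = []
    # Windows ignores trailing dots and spaces, so judge the name as the OS will.
    name = filename.rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return reasons  # the last extension decides what opens the file
    reasons.append("executable extension ." + final)
    # "card.jpg.exe": the visible document extension is not the real one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        reasons.append("decoy extension ." + parts[-2] + " before the real one")
    # "card.gif        .scr": padding pushes the real extension out of view.
    if re.search(r"\s{3,}\.[^.]*$", name):
        reasons.append("whitespace padding hides the real extension")
    return reasons


# Constructed sample attachment names, not taken from any real message.
SAMPLES = [
    "Christmas_Card.jpg.exe",
    "card.gif          .scr",
    "greeting.txt.vbs. ",
    "holiday-photos.zip",
    "report.v2.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_attachment(sample) or "nothing flagged")
```

The check looks only at the name, so it complements rather than replaces scanning the attachment itself.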
Who do you trust?
There's a debate that occasionally flares up on the Computeractive forum about getting Windows Updates from sources other than Microsoft. According to some of the users there is an alternative site called Windizupdate.
Now the reason I haven't linked to this site is probably enough of a clue to where I stand on the matter.
My main objection is that I have absolutely no idea who 62NDS Solutions Ltd (the name at the bottom of the website) are. A little digging around reveals that they used a PO Box in Auckland, New Zealand to register the domain name. But that still doesn't give me any useful information for making an informed decision about whether they can be trusted. I'm not saying that they can't be trusted, just I have no reason to trust them with my computer.
What worries me the most is that no one in the forum thread could give me any good reason for trusting Windiz Update over Microsoft Update.
My feeling is that if you are going to use Windows you should get updates from Microsoft. By the same principle, if you use Ubuntu Linux (as I do too), get the updates from Ubuntu. Or AVG updates from AVG, etc etc.
In fact mentioning Linux does throw up an interesting question. It is possible to update Linux software from sources other than the official wizard. But the Linux community makes a real effort to make sure that not only do you download the right update but that it is the file it claims to be. Microsoft doesn't provide this extra information, but why should they?
Enough of my ranting, what does everyone else think?
Posted by Tim Smith on January 7, 2008 | Permalink | Comments (3) | TrackBack
Is storing passwords a good idea?
I don't know how typical a user I might be but I have far more user accounts on websites than I can possibly remember in my head. And that doesn't include the passwords, just trying to remember usernames or which email address I used is bad enough.
Still the web browsers are all ready to help by remembering these passwords for me and what a help that is. The only snag is this ease instantly makes me a little worried. Many years ago I made up a little motto about security 'It's only effective if it hurts'. The easier something is, the less secure it tends to be.
The problem here is what happens if someone gets access to my computer or manages to write an exploit to pull the information out of the browser directly. This article that appeared in my feeds today describes something I know only too well but can forget. It is almost laughably simple to steal the passwords if you get physical access to the computer. I might think that all my PayPal details are safe but for all I know the wife may be ordering a new pet ferret (don't ask).
The article does not talk about my browser of choice, Opera, which is a shame because Opera takes an interesting compromise. Passwords are saved but cannot be retrieved. I know this because I asked once when they popped in for a chat. I had just moved computers and was hoping to move the passwords to the new one.
Of course not being able to extract the passwords is a pain (the usernames are visible) but then that just proves my point about security.
Posted by Tim Smith on January 3, 2008 | Permalink | Comments (2) | TrackBack
Some good advice for parents of gaming children
If you are worried about getting the right balance between freedom and protection for game playing children, there is some good advice to be found at InformativePost.
Most of it is common sense but it is worth seeing it written down. Keep an eye on the games on the computer, and maybe even play them. It also reiterates the most effective form of advice for parents worried about children and computers: put the computer in the living room so you can see what they're doing.
As much as I would like to be able to remind my children that I am keeping an eye on their gaming by leaving the odd high score in the charts, few games seem to have these any more and I have a more realistic idea of my abilities.
On that note, I'm tempted to add that, if you do play the game yourself, to keep it quiet unless you do fairly well. Otherwise you might be challenged to a multiplayer game!
Posted by Tim Smith on December 19, 2007 | Permalink | Comments (0) | TrackBack
The Windows Update Team blog explains Office 2007 SP1
Updates are always going to be complicated, even though the Automatic Updates utility is pretty good. So this explanation of how and where to get Office 2007 SP1 is quite useful.
Basically, this service pack is not going to be included in Automatic Updates for a little while. Not everyone wants to upgrade immediately, especially companies that need to check if their in-house software still works or needs adjustment.
Office 2007 Service Pack 1 will appear in the Vista Windows Update page but will have to be explicitly selected for the time being. At some point it will be included in Automatic Updates but there's no word of exactly when.
It's always worth checking Windows Update though. I found a few updates for Office 2003 that we use here the other day that were quite old.
Posted by Tim Smith on December 14, 2007 | Permalink | Comments (0) | TrackBack
When Computers go bad
It's not often that I get a genuine sense of fear when reading about computer problems. Losing work is annoying and may get me into trouble but there's always been a way out. No one dies and the world keeps turning.
That was my attitude when I started reading this article on the top 10 IT disasters of all time. I expected (and got) the usual selection of space rocket bloopers but the first item was very chilling because it very nearly meant there was no one left to experience the world turning.
It appears that in 1983 a Russian computer decided that the Americans had launched five intercontinental missiles. Thanks to Lieutenant Colonel Petrov disaster was averted because he correctly realised that it was not a real attack.
So although I might be frustrated that my Yahoo Widget needs more work because there is a potential vulnerability to hackers, I can see the need for good coding. Even if the potential for it causing World War 3 is very slight.
Then again there were some stories a few years back about the UK and US armed forces running Windows on aircraft carriers. Now I'm worried again. Can you imagine Clippy asking if a sailor needs help with a pre-emptive strike?
Posted by Tim Smith on December 11, 2007 | Permalink | Comments (0) | TrackBack
Microsoft claims Internet Explorer safer than Firefox
Granted this is no shock headline but there are figures backing up the claims. The Browser Vulnerability Analysis report (in PDF format) written by Jeff Jones, Security Strategy Director, records that since November 2004 there have been 75 critical vulnerabilities in Firefox but just 54 for Internet Explorer in the same period.
These figures certainly go against the popular opinion about the two browsers but no one can deny the efforts made in IE7. As frustrating as the various Info Bar confirmations can be, they do mean that there is a higher chance of stopping attacks.
One thing that would interest me greatly about the relative security of these two browsers is the implications of addons. I think people are even more trusting about addons than they are about other software on the internet. Although I've found addons really useful for both browsers, I do worry about them posing a security risk.
Posted by Tim Smith on December 4, 2007 | Permalink | Comments (0) | TrackBack
Keep data safe
As this week has shown, physical security of information is just as important as passwords, as our Government has learnt to its cost. While part of me is appalled that the child benefit information was sent out without having been encrypted first, I can understand this is not always that easy to do.
So I'm having a small worry about my data and whether or not I should encrypt it. The answer is probably yes but how?
If you have Windows XP Pro or Vista Ultimate there is encryption built in. One alternative is to use separate software such as the recently released Steganos Safe One. It can encrypt two 1GB areas; don't expect to include digital photo or music collections but that should keep you going for Word and Excel documents for some time to come.
As much as I want to promote safe data, I do feel that I should make some warnings. I once enabled Encrypting File System on my computer here in the office. All was fine and it was hardly noticeable. Right up until I had to change my login password. For some reason the various keys were not updated and I couldn't access any of my files.
Luckily I had a recent backup but I never got the files back. So as much as the extra security is valuable, it does make life a little more complicated. Time well spent though.
Posted by Tim Smith on November 21, 2007 | Permalink | Comments (0) | TrackBack
Parental controls appear on Xbox 360
I'm sure that arguments over the amount of time children spend on the computer or console are here to stay, but thankfully Microsoft has made life a little easier for parents (or maybe even older siblings) by adding parental controls to the Xbox 360.
Just in case hopeful offspring have 'forgotten' to mention this feature in all the excitement over Halo 3 and Call of Duty SpongeBob Square Pants, you can find more information on the official Xbox 360 site.
Similar effects, though probably involving just as much shouting, can be achieved by not putting consoles in bedrooms.
As with all security measures make sure that there is a good password protecting any parental controls and make sure that if they have been sent in an email that access to that email account is also protected.
Posted by Tim Smith on November 8, 2007 | Permalink | Comments (0) | TrackBack
Update on Quicktime update
It appears there's another update for Quicktime. Given my previous comments about security it's probably a good idea to upgrade if the Apple Update software hasn't already reminded you.
Posted by Tim Smith on November 7, 2007 | Permalink | Comments (0) | TrackBack
A worrying list of vulnerable applications
Bit9, makers of business software for controlling the software users can run, has released a list of what it claims are the 'Top popular applications with critical security vulnerabilities'.
The top five are:
- Yahoo Messenger 8.1.0.239 and earlier
- Apple QuickTime 7.2
- Mozilla Firefox 2.0.0.6
- Microsoft Windows Live (MSN) Messenger 7.0, 8.0
- EMC VMware Player (and other products) 2.0, 1.0.4
Number five might be less of a mainstream product but the others are rather more common. Three of them are installed on my computer (though updated now).
I've said before that I tend not to be so worried about the fact that problems are found, but more how quickly they are fixed. Of course, the severity of the threat also makes a difference but I like to see that companies take security seriously.
It also reaffirms the importance of checking to see if updates are available for programs. I know that Microsoft has got into hot water recently over Windows Update but as we all end up with an ever increasing number of installed programs, automatic checking seems to be the very least we should expect from software. I can't help but wonder how many security breaches have been avoided thanks to Windows Update. We'll probably never know but I'd guess they would have caused more inconvenience and cost.
Posted by Tim Smith on November 2, 2007 | Permalink | Comments (2) | TrackBack



