1/25/05

Lost Laptops

No, this is not a discussion about obesity (yuk, yuk). It is about laptop computer security. A headline served up by my RSS newsfeed this morning caught my eye: "Londoners top world in leaving laptops in taxis." In a class I teach, Internet Security: Tools and Techniques, I discuss "Securing the Road Warrior and the Teleworker." I have references to two earlier articles on the same subject. (This one about a lost US Dept. of State notebook and another posted on MSNBC entitled "Top Secret British Laptop Missing, Defense Ministry official reportedly left laptop in taxi.") And Wired mentions it here.

Here are pointers to 3 columns that touch on the protection needs of notebook PCs. They could use a bit of updating, but the problems and the solutions have not changed.

More on Hotspot (In)Security

In a recent short blog entry, I pointed you to Wayne Rash's column and added a few suggestions of my own. A friend was singularly unimpressed. I suspect that it is because Wayne's column -- and my enthusiastic support of it -- isn't "the sky is falling" enough for some security folks. Maybe I am getting too old for this. I rather believe that after 18 years of doing this, I have a good sense of real risk. There is a sense that "a little paranoia is a good thing" in network security. That is wrong. Paranoia is a disorder. It is irrational. A clear sense of real risk is what we need.

All this to say: here is another call for calm, posted in The Register, that my friend might not like.

1/21/05

Safety at Hotspots

Wireless hotspots are ... well, hot. And they can be safe for computing with a bit of care on your part. Wayne Rash at CMP has excellent suggestions in his column at www.securitypipeline.com/57702370. I have a few additions, which I hope are obvious.
  • Antivirus software. Of course. You always have your AV protection up, running, and updated, right?
  • PC firewall. You have it running all the time, also, on your portable PC, right?
A wireless hotspot with its lack of confidentiality on the connection leaves your communications open to snooping (which Wayne covers). It also might make your system an attack target. Make sure your PC firewall knows that you are now in untrusted territory. You may have set it as "trusted" when working at home or the office.

1/8/05

My Most Current Spam Barrier

In June 2003's NetSec Letter #27, "Spam Control," I described various methods of controlling spam, including my set-up. I gave an update in my blog entry "My Current Spam Barrier." Since then I have made some changes, which I describe here.

First, I want to briefly (for detail, see the letter and blog entry referenced above) remind you of what I've done, and tell you why I made a change. While I receive e-mail through the mail servers for Avolio Consulting (avolio.com), I have an ISP for connectivity to the Internet from my home and office. I decided mail would flow like this:

Internet → avolio server → ISP → mailbox@ISP


I did this because the ISP provided a web interface for when I was away from my e-mail client, and because the ISP has a full-time staff of people doing backups and otherwise maintaining the e-mail servers... I guess.

An added benefit was that the ISP filtered mail through a spam-catcher. It was very effective. Any spam that made it past my own filters to that mailbox was caught there. And it was extremely rare that any non-spam was misfiled. So reliable was it that I just stopped checking the Spam folder.

So, why did I change? The ISP implemented what seemed to me to be a malfunctioning sender verification system. Daily, I found e-mail delayed in my avolio.com queue, waiting to deliver to my ISP mailbox, due to a sender verification problem. Sometimes it was spam (so, it was doing its job). Often -- usually -- it was legitimate e-mail. Further, it was e-mail from addresses that had previously worked. Finally, one day came the straw that broke this camel's back, with three messages from a friend delayed. I stopped forwarding e-mail to my ISP mailbox. And started to get a bunch of spam.

You see, the things I had put in place were fairly effective. But not effective enough. The ISP's spam filter was picking up the slack for what I missed with Postfix and SpamAssassin. I needed to add something more.

The something I added is greylisting. It is described in Evan Harris' whitepaper "The Next Step in the Spam Control War: Greylisting." Simply put, it looks at the IP address of the host attempting the delivery, the envelope sender address, and the envelope recipient address. "If we have never seen this triplet before, then [we] refuse this delivery and any others that may come within a certain period of time with a temporary failure." This works because "Any well behaved message transfer agent (MTA) should attempt retries" when given a soft error (a 4xx SMTP response, meaning "try again later," as opposed to a 5xx permanent rejection). Most spam-sending software never retries, so the spam simply never arrives. The delay occurs only the first time a triplet is seen: once a triplet has retried and passed, it is remembered, and later deliveries from that IP address, from that sender, to that mailbox breeze through.

I won't go into more detail than this; read the paper. I am currently implementing this in Postfix using a greylisting extension. And it is great. I've dramatically reduced the incoming spam. I've also cut the number of spam messages I used to catch in my spam "hold" box (see my previous blog entry, mentioned above) from roughly 100 a day (remember, these were quarantined for me to quickly check out and toss) to under 10 a day, and sometimes none. I've had no complaints from users about missing mailing-list e-mail, nor from senders complaining about e-mail bouncing. A review of the mail logs indicates that legitimate (non-spam) e-mail that is greylisted is retried by the sending system within an hour, and some systems retry in 10 minutes.
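To make the triplet logic concrete, here is an added illustration (my sketch, not the extension described above and not code from the Harris paper) of a greylisting decision wrapped in the request/response format Postfix uses to delegate SMTPD access decisions to an external policy service (name=value lines, blank-line terminated, answered with an action= line). The delay, retry-window and auto-whitelist lifetimes are assumptions; the client address and mail addresses in the sample request are constructed, not from my logs.

```python
"""Greylisting decision logic after the Harris paper, wrapped in Postfix's
SMTPD access policy delegation protocol.  Added illustration, not the page's
own set-up; the timing constants are assumptions to tune from your logs."""
import time

MIN_DELAY = 300              # assumed: new triplet must wait this many seconds
RETRY_WINDOW = 4 * 3600      # assumed: a first try never retried is forgotten after this
AUTO_WHITELIST = 36 * 86400  # assumed: a triplet that passed stays known this long


class Greylist:
    """Tracks (client IP, envelope sender, envelope recipient) triplets."""

    def __init__(self, min_delay=MIN_DELAY, retry_window=RETRY_WINDOW,
                 whitelist_ttl=AUTO_WHITELIST):
        self.min_delay, self.retry_window = min_delay, retry_window
        self.whitelist_ttl = whitelist_ttl
        self.seen = {}  # triplet -> [first_seen, last_seen, passed]

    @staticmethod
    def triplet(client_address, sender, recipient):
        # Envelope addresses compared case-insensitively.  Harris keys on the full
        # IP; some daemons use a /24 so a retry from a sibling relay still matches.
        return (client_address, sender.lower(), recipient.lower())

    def check(self, client_address, sender, recipient, now=None):
        """Return "DEFER" (tempfail this attempt) or "OK" (let it through)."""
        now = time.time() if now is None else now
        key = self.triplet(client_address, sender, recipient)
        rec = self.seen.get(key)
        if rec is None:
            # Never seen: record and tempfail.  Most spamware never comes back.
            self.seen[key] = [now, now, False]
            return "DEFER"
        first, last, passed = rec
        if passed and now - last <= self.whitelist_ttl:
            rec[1] = now
            return "OK"
        if passed or now - first > self.retry_window:
            # Whitelist entry went stale, or the first try was too long ago.
            self.seen[key] = [now, now, False]
            return "DEFER"
        rec[1] = now
        if now - first < self.min_delay:
            return "DEFER"          # retried, but too soon
        rec[2] = True               # retried after the delay: well-behaved MTA
        return "OK"


def parse_policy_request(raw):
    """Parse a policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_response(greylist, raw, now=None):
    """Answer one request the way a greylisting policy daemon would."""
    attrs = parse_policy_request(raw)
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("protocol_state") != "RCPT"):
        return "action=DUNNO\n\n"   # not our decision to make
    verdict = greylist.check(attrs["client_address"], attrs["sender"],
                             attrs["recipient"], now)
    if verdict == "DEFER":
        # 450 is a temporary failure: a well-behaved MTA queues and retries.
        # DEFER_IF_PERMIT lets a later REJECT in the restriction list still win.
        return "action=DEFER_IF_PERMIT 450 4.2.0 Greylisted, try again later\n\n"
    return "action=DUNNO\n\n"


# Constructed sample request (RFC 5737 address, example domains), not a real log.
SAMPLE_REQUEST = "\n".join([
    "request=smtpd_access_policy", "protocol_state=RCPT", "protocol_name=ESMTP",
    "client_address=192.0.2.25", "sender=friend@example.org",
    "recipient=user@example.net",
]) + "\n\n"


def demo(t0=1_100_000_000.0):
    """Replay one sender's retries against a fresh greylist; return the verdicts."""
    gl = Greylist()
    return [policy_response(gl, SAMPLE_REQUEST, now=t0 + dt)
            for dt in (0, 60, 600, 86400)]  # first try, too soon, 10 min later, next day
```

Running demo() shows the pattern described above: the first contact and a retry one minute later are tempfailed, the retry at ten minutes is let through, and the next day's mail from the same triplet passes without delay. The in-memory dictionary stands in for the on-disk database a real daemon would keep; without persistence, a restart forgets every triplet and every legitimate sender gets greylisted once more.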

Will it work forever? No. But it works very well for now.

1/6/05

What Every Home PC User Needs (UPDATED--see below)

Last year, when I was still writing the monthly NetSec Letter, I wrote about and promoted Personal Firewall Day, an idea of friend and security colleague Paul Robertson. (See http://www.personalfirewallday.org/.)

PFD was January 15. I don't know what, if anything, is planned for this year. But it is obvious to me that in addition to personal firewalls and anti-virus software, a critical add-on to home computers is spyware detection software. I have just recently written on problems friends and I have had with spyware. (See what I wrote last month in "Spyware/Adware Removal Disables Windows98 Machine" and "Malware -- the threat is real," and today in "Spyware/Adware Removal Disables XP Pro.")

Why this blog entry then? I want to simply spell out what every home PC should have in a form that you and I can send out to relatives and friends.

Every home PC should have the following:
  • Antivirus software. You know this. Surely you have it. If you do not, you are foolish. Keep it up to date. It's worth the money. Really it is.
  • Personal Firewall. Use a free firewall, such as ZoneAlarm (that's what I use) or any others you find at www.personalfirewallday.org/firewall.html. If you run Windows XP, enable the firewall that comes with XP. Your antivirus vendor might have a deal with bundled AV and personal firewall. Check it out.
  • Spyware removal software. This is a new (over the last year) problem, and one that many home-users are ignoring. Don't have spyware? I bet you do. Ever click on something that said "Click here to speed up your Internet connection?" Ever install "free" software? Maybe you've added a neat item on your toolbar that shows the weather or stock reports. Computer running slower and slower? Are you now plagued with pop-up advertisements? There is a good chance you have some spyware running on your computer.

    Something called Marketscore has gotten attention recently. Security vendor WatchGuard recommends treating it as spyware. They write, "Marketscore claims to be 'Internet accelerator software'..." See the complete write-up at www.watchguard.com/RSS/showarticle.aspx?pack=RSS.Marketscore. The University of Maryland, and others, classify it as spyware. See their spyware alert at www.helpdesk.umd.edu/documents/4/4444/.

    Get and run some spyware detection software. Your AV vendor may have something. Microsoft, the University of Maryland, and others (including me) recommend


Other resources:

Be careful out there.

Oliver (no last name given) commented, "SpyBot installs 'DSO Exploit'." I find no evidence of that, just that earlier versions tagged this exploit but could not deal with it. Everything I see says Spybot gets good grades.

He also recommended Ad-Aware (as I did, above) and SpyWare Doctor.
Colleague and paisano Dave Piscitello has an interesting article on this subject on securitypipeline. Check out "What's The Difference Between Spyware And Viruses?"
This slashdot post refers to Microsoft's AntiSpyware announcement, and this review of it. It is a test release.

It is worth pointing out that most people recommend using two different products for countering spyware (for example, both SpyBot and Ad-Aware).

Be careful you get the correct software. Some companies put tags on their webpage such that if you do a search for one product, a competitor's product shows up. This is not merely the search engine company helping you out. It is "deceptive marketing practices," as Dave Piscitello says in his weblog. See entry #336 in the spam and spyware section of his weblog.

An example of something similar, not as sleazy, but nearly as obnoxious... Type "adaware" (note no hyphen -- the product is Ad-Aware) in a Google search and the first thing that you get is a sponsor's (i.e., paid advertiser) link to something called "NoAdware" indicating it is the "2005 highest rated spyware remover." Hmmmm. 2005 is 6 days old as I type this. Must have been a quick test. It does not say that on the web page -- not that I can see -- but in the advertisement on Google it does. On the web page it says, "21,756,915 downloads by people in over 100 countries as of 04:02PM EST, Jan 06, 2005." I wonder how many of them thought they were getting Ad-Aware? This product might be great. I just don't like this practice. But, then Dave did point out that they were infamous in other places. For example, they show up in the Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites.

Malware -- the threat is real (Updated)

A friend was spending part of his day last week cleaning up malware (adware, spyware) from his home computers, including his business computer in his home office. (A search for "spyware review" will turn up a lot of sites, including this review in PC Magazine.) Friday, he IMed me the following:
Remember I told you I was battling spyware and the like? Well, my debit card was denied yesterday. I checked the bank statement on-line and found an unexplained charge for over $1K from [name1 omitted]. Turns out I made a legit purchase from [name2 omitted] for $100 and some trojan program tagged along and xferred over $1K to someone else's account at [name1 omitted]. They tagged it as suspicious and blocked further withdrawals. I talked to them and they will refund (and I hope will prosecute).
Now, this wasn't your average spyware... or was it? It did what any spyware/adware/malware can do. It just did something illegal.

Yesterday (12Dec04), Marcus Ranum posted the following in the firewall-wizards list.
... What is the cost of enumerating viruses and malware and running antivirus software ($19/year/desktop...) versus the cost of telling the system exactly what code you want to allow to run. (Hmmm, let's see - I could define my desktop computer's "allow" list in 3 seconds: Eudora, Opera, Photoshop, Powerpoint, Word, and directory toolkit) The obvious answer is "default deny" rather than "default permit and block/enumerate all evil."

Good idea. Where can I (average consumer) buy it? And will any average consumer want to run it?
On the list, Marcus suggested:
There are a few products out that do this. Citadel has a pretty cool package (SecurePC) that's designed for kiosk applications. I've considered using it as a lock down tool for my laptop but the tool is a bit more "enterprisy" than I need. I think it's designed for locking down ATMs and stuff like that from a central point. What I want is something that has a ZoneAlarm-like "smart interface" that lets me reverse-engineer a policy over time.
I agree, it is overkill. Another friend and colleague, Jon McCown, pointed me to Prevx (neither Jon nor I work for them). Looks worth a field test. It works on XP and 2000. See http://www.prevx.com/prevxhome.asp.


A reader sent me a Google-discovered link to http://force.coresecurity.com/. It is in a beta-test period, apparently. The screenshots indicate program-level control (what can execute) as well as authorization (what that program may do). It may also be worth a look.


And today in a newsfeed this article mentioned another product with a free version, AntiHook 2.0. Lots to check out...


Okay, enough already! Marcus sent a pointer to FreezeX. Where have all of these been? Where have I been? :-)


A friend tested PrevX on his home computers. He wrote:
It is very happy (and effective) on my wife's Win2K computer. The kids go "various places" on it and tend to pick up barnacles, which seem to have a much tougher time now. I passworded the PrevX console so they can't just click "shoot me" as easily. And the best news was that it didn't break anything. :-)

1/5/05

E-mail Security: We Still Don't Bother

In an e-mail exchange with Dave Piscitello today, he asked about RSS Newsfeed readers. I mentioned that I still use Eudora, but have been recommending Mozilla's Thunderbird. He mentioned moving to a different e-mail client, and wrote
I am disappointed that I have to give up PGP but could not reasonably continue to purchase $100-200 worth of email and security software for the purpose of communicating with 9 people. What a sad indictment on the state of email security, huh?
Sad is not the word. Elsewhere on my web site are articles and columns I've written about e-mail security and e-mail security products. The earliest one is from mid-2000. And now, in 2005, we still do not regularly use secure e-mail! What are we thinking?

A year or more ago, I captured all these columns and articles on one page, The Secure Email collection. I am shocked that they are still relevant.

1/3/05

Spyware/Adware Removal Disables XP Pro

When my daughter came home from college for Christmas break, she brought her Windows XP Professional computer with her. She also brought some problems.

The computer worked fine at school. But, when she installed it on our network, the first thing she noticed was she had no network connectivity. She could "see" other computers on the home network -- the "network neighborhood" -- but could not "get out." Neither could she connect via TCP/IP to other systems on the home network. Having just recently dealt with similar symptoms on a Windows 98 system at home, I suspected spyware. Sure enough, when I installed both SpySweeper and SpyBot Search & Destroy, they reported numerous problems. I cleaned up the problems, and ... well, it was still broken. Remembering what I had just recently done with the '98 box, I tried to remove TCP/IP from the system. But, this is impossible (as far as I am able to tell) under XP. It is "an integral part of the system" and cannot be removed.

To make a long story short, I fiddled with the registry, and promptly broke things worse. Now, networking was completely broken. All I wanted to do was to reinstall the networking components of Windows. Simple, no? Simple under UNIX. Not in XP. It looked like all I could do was to reinstall Windows XP, and the only way to reinstall is to first format the partition. All her CDs of installed software were back at college. I saw that as an absolute last resort. (Although, with the working CDRW drive, I could have copied off her personal files and settings.) My friend Rick (back at DEC, when all else failed, we'd get him to lay hands on a seemingly dead computer to bring it back to life) offered to play with it if I dropped it off. I was reluctant to make the drive to Northern Virginia. I hated more to take up his valuable time (of which he gave a lot when I was struggling with the '98 system).

Another friend, Peter, came by with his family on New Year's Day. He inquired after my daughter's machine. I said, "Still dead... want to take a look before dinner?" After fiddling around until "Dinner!" was called, he made a suggestion: import good registry entries from my working XP Pro machine. A week ago I had run a program Rick found that claimed to add good registry entries to replace broken ones. I am not sure what entries the program replaced. This time I did it by hand: I exported the tcpip, dhcp, winsock, and winsock2 keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ from my registry and imported them onto hers. For good measure, I again uninstalled the network adapter from the hardware profile (using Device Manager).

The result: it works.

Today, I made these recommendations:
  1. Use Firefox, not IE. (Penn State recommends getting away from IE.) I told her to keep it around for those web pages that only work with IE, but make Firefox her default browser.
  2. While she's getting away from dangerous programs, I suggested a move to Thunderbird. She can easily import her Outlook Excess settings and wind up with a better, safer e-mail client.
  3. Do not download anything (with the exception of Thunderbird and Firefox) until a spyware tool is installed.
  4. Install a spyware tool. There are a bunch. Well-regarded, among others, are Ad-Aware 6 and SpyBot Search & Destroy.
Spyware is a hot topic. My friend Dave Piscitello hyperbolically calls it "your worst nightmare." Well, I can think of worse, but it is a terrible problem. As I mentioned, I had a similar problem with another computer and spyware that I discuss here. The guys at WatchGuard warn, "Marketscore walks like spyware and quacks like spyware."