Entries tagged as 'java'
ism
Posted Thursday, 14 February 2008
From ComputerWorld: IBM security researchers claim that hackers are hiding or masking almost all of their Web attacks. JavaScript is still the tool of choice for infiltrating Web browsers. Most users shouldn’t turn off JavaScript, especially students who use tools like webmail, WebCT and TurnItIn.com. So we rely on antivirus and Internet security software that runs on the client-side to screen out these attacks before they can be executed.
Hackers have added more tricks to their toolboxes, because the potential payoff for evading security software and infecting computers can be huge. Encryption is one such tool - hackers often encrypt their programming code so that software cannot easily identify the attack.
As IBM researcher Kris Lamb states, hackers have stopped targeting the operating system and have moved to a higher level of the application stack that runs on almost any desktop and laptop computer that connects to the Internet - the web browser.
So we come back to good old common sense as the user’s best defense against computer attacks.
- Hover your mouse over a web link and inspect the URL before clicking.
- Don’t click URLs in email messages if the links look suspicious.
- Find, install and use good security software. I recommend the free version of Avast for Windows users who need to protect their residential computers.
- If you’re not using your computer at home, turn it off. You’ll burn less energy, and hackers cannot access your computer if it’s not running.
See my earlier posts on security software and attacks from 10 June 2007, 13 August 2006 and 27 November 2005 for more information.
Tags: browser, cloud, computer, crypto, hack, IBM, Internet, Java, PEBKAC, research, search, security, software, student, WebCT
ism tech
Posted Tuesday, 13 February 2007
From the SANS Institute, here’s an article by Deborah Hale that discusses how the US and Canadian change to an earlier Daylight Saving Time affects various flavors of Microsoft Windows, Linux, and other systems. I mentioned this change last week.
There are patches for Red Hat Linux, one of the most popular flavors of that operating system.
Five weeks to go, and Windows Vista is ready out of the box.
There is a patch available for Windows XP. Service Pack 2 must already be installed, however. Run Windows Update or Microsoft Update for more details about your machine.
Windows 2000 requires a manual process to update the registry, the massive database that Windows uses to store hardware and software information on a computer. Frankly, anyone who’s running Windows 2000 at this point needs to upgrade.
There is no official patch for earlier versions of Windows (ME, 98, 95, 3.x). It really is “time” to upgrade! (rimshot)
Also, users and administrators should check with software vendors to see if applications, utilities, and other software require a patch. There’s a deeper discussion in this ComputerWorld article, focusing on Java applications as an example. ComputerWorld also offers this list of vendors and the DST patches or solutions that they’ve announced.
What a mess. At least it’s not as bad as Y2K or the introduction of the Euro (€).
At least WorldTimeServer will get the time right.
Tags: Canada, hardware, Java, software, time, USA
imported
Posted Sunday, 25 July 2004
Tech: E-mail is not dead yet according to the CEO of ReturnPath. His company is the official e-mail change of address contractor for the US Postal Service. They also help companies match old and new e-mail addresses. I usually get an e-mail or two every month with some marketer that wants to “reconnect” with me. And I almost always say “no”.
IMHO, e-mail is still broken, and badly so. Spam filters provide some relief, but an alarming number of zombie PCs on the consumer broadband network continue to send most of the spam. ISPs should cut off user accounts that host zombie PCs, and require the user to repair their computer before getting online.
For my part, I’ve done the following:
- The only time I use Internet Explorer is when I do a Windows Update. Otherwise, I leave the security settings at High, so I can’t even fill out a form in IE. The cache and auto-complete options are disabled.
- When Windows XP SP2 goes gold, I’ll install it. The beta is working well on my test box. In the meantime, I check Windows Update at least once a week on each box, and I’ve enabled automatic downloading of updates.
- I use other web browsers like Firefox for my web browsing. Firefox is fast, free, and relatively safe. It also has some great extensions that add nice features.
- I stopped using Outlook Express and Outlook years ago. These clients are memory pigs and security nightmares.
- Instead, I use Thunderbird as my primary e-mail client. It’s still in beta, but it works well. I can always use webmail clients when I’m away from my machines.
- HTML in e-mail is a bad idea, and I do my best not to send out HTML formatted e-mail. I usually use plaintext, although Thunderbird’s default settings are still a bit strange.
- I disable HTML formatting of incoming mail in my e-mail clients. I’ll miss your pretty formatting and bouncing smilies, but I’m less likely to load the webbugs and exploits that malware and spammers insert in messages.
- I use SpamAssassin on my e-mail servers, and have added a block list from Bill Stearns. My SpamAssassin blocklist is here. Server-side blocking takes more time and skill to configure, but it’s a much better approach if you check your e-mail from several different computers. A client-side spam filter will only work on one computer.
- I run software and hardware firewalls on my home computers. If you have DSL or a cable modem, and you don’t have a router or NAT box, you are living dangerously.
- I use a free anti-virus program on all my computers, and do a deep virus scan every month. My virus scanner also checks incoming e-mails and their attachments.
- I scan my computers with programs like SpywareBlaster and Ad Aware. Both are free.
The sad truth is that I’d have an easier time with security if I ran Linux on all of my computers. There just aren’t a lot of malware and virus threats on Linux boxes yet. I rarely have to do any security-related maintenance on my Linux boxes.
Tags: blog, broadband, browser, cable, cache, computer, email, Firefox, free, hardware, help, Internet, ISP, Java, Linux, lockin, mac, malware, Microsoft, network, server, software, spam, USA, Windows
imported
Posted Friday, 16 July 2004
Tech: DSKY Simulator is a JavaScript version of the Lunar Module’s main computer. Happy 35th anniversary, Apollo 11. NASA, where’s my damn skycar?
Tags: car, computer, Java, NASA, space
imported
Posted Friday, 9 July 2004
Tech: InfoWorld: You know you’ve got a browser problem when…: July 09, 2004: By Oliver Rist : NETWORKING : SECURITY: “The U.S. Department of Homeland Security, otherwise known as Dancing with Big Brother, tells the world to stop using the Web browser you fought long and hard to tie into your operating system. That’s what happened to beleaguered Microsoft when the department’s Computer Emergency Readiness Team (CERT) recently recommended users switch to alternate browser platforms to avoid the security holes in IE caused largely by ActiveX. And Microsoft isn’t objecting. Microsoft’s own Slate even posted an article advocating Firefox, a Mozilla offshoot, in favor of IE until Microsoft gets its security act together. Naturally, those alternate browser platforms have leaped on this opportunity with enthusiasm. Apple, Mozilla, and Opera jointly announced their development of an extension to their plug-in API that will handle ActiveX scripts differently — and apparently more securely — than IE does. All this work is being done in conjunction with Adobe, Macromedia, and Sun Microsystems, specifically to allow support for the companies’ plug-in versions of PDF, Flash, and Java.”
Tags: API, Apple, browser, computer, Firefox, Java, mac, media, Microsoft, network, networking, PDF, security, sun, switch, system