Google Desktop Security Flaw with Internet Explorer
I've always had a bad feeling about Google Desktop, the application that enables things like searching your computer with Google. It just seemed to me very difficult to make an app like that completely secure, and the functionality it provides doesn't seem worth the risk. At least, not yet.
This week, a security expert showcased a CSS-related security hole that allows a would-be intruder to use Internet Explorer to access the information on your computer and execute remote commands via Google Desktop.
In all fairness, despite my concern I can't really blame the desktop app. According to the article, the flaw isn't in Google's product per se; it's in Internet Explorer. In addition to Google Desktop, the exploit could be used to access any number of other applications that use a similar setup.
Firefox, IE, Opera, and Konqueror have all agreed to a set of standardized security features that will find their way into all browsers in future releases. This is pretty significant. Throughout the history of web browser development, it's been near-impossible to get the various camps to agree on standards of any kind.
Some of the highlights of the agreed-upon security features include:
- In the default setting, all pop-up browser windows will now have URL location bars, so that you can see what site is hosting the pop-up.
- Beefed-up and phisher-resistant high security certificates will be created and issued to deserving sites. The notification will be standardized -- if you're on a site with one of these certificates enabled, your address bar will turn green.
I wonder how this will affect web developers who use sleek pop-up windows without location bars purely because they look better that way. It will be interesting to see if this practice phases out or if it sticks around on sites that don't have much concern with the perception of high-level security.
Protection Control Center: More XP Support for the Holidays
Several customers have sent us emails pointing out that the Protection Control Center's icon doesn't show up as "security software" in the Windows Security Center. Although the PCC provides full protection against viruses, spyware, and intrusions, the current version doesn't get recognized by the Windows Security Center suite. This is why even though you have the PCC installed, you may still see a red "x" in your system tray indicating that XP thinks you have no protection software installed.
Help is on the way. The newest PCC update should be available in time for Christmas, and it will include among other things, better support for the Windows Security Center. Installing the new update will ensure that your system recognizes that the PCC is doing its job.
If you are a current PCC user, you don't need to do anything special to receive the update. You'll be notified when it is available via the PCC's update manager.
In yesterday's entry I linked to a story about Sony discontinuing one of its digital rights management programs. It turned out that the XCP software they force consumers to install in order to listen to certain music CDs also installs spyware on their machine.
Things appear to have gotten even worse for Sony. An AP story circulating today points out that the XCP uninstaller Sony is distributing creates an even bigger security threat than the original malware. The story quotes Princeton University analysts as follows:
"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."
If you are one of the estimated 500,000 music fans who installed the XCP software on your computer, you may want to wait for the dust to settle before you use the Sony-provided uninstaller.
Here's a roundup of what's going on this week in the areas of Protection and Security:
U.N. Internet Summit - Representatives gather this week in Tunisia to discuss global policy issues surrounding the governance of the internet at the World Summit on the Information Society.
Direct identity theft statistics may be inflated - Most studies and statistics include "synthetic" identity theft which involves no direct breach of security between a victim and the perpetrator.
Sony won't be selling protected CDs anymore - After it was discovered that some of Sony's rights-protected music CDs create a security vulnerability in host computers, Sony has decided to discontinue the program.
New varieties of "Sober" virus circulating - This new strain circulates in emails with the subject lines in German saying things like "60 years of Freedom: Who's Celebrating".
Here's a recap of the questions we have addressed from our readers on the EarthLink Protection Control Center (PCC).
Ben Kaplan, Security Applications Product Manager answers more of your questions to the Protection Blog.
In this post read answers to the following questions:
- Why doesn't Windows recognize that I have anti-virus software installed?
- Is Protection Control Center compatible with Norton Anti-Virus?
- How often are the PCC spyware/virus definitions updated?
- With EarthLink protection, do I still need an antivirus program or not?
- Does the new PCC work with older Windows versions?
- Can I download and use PCC without using TotalAccess 2005?
Protection Control Center: More Questions Answered
Ben Kaplan, Security Applications Product Manager answers more of your questions to the Protection Blog.
In this post read answers to the following questions:
- How often are the PCC spyware/virus definitions updated?
- With EarthLink protection, do I still need an antivirus program or not?
- Does the new PCC work with older Windows versions?
- Can I download and use PCC without using TotalAccess 2005?
A few questions have come in regarding the new EarthLink Protection Control Center (PCC). Security Applications Product Manager Ben Kaplan has been kind enough to address them, and as a service to all of our readers we've published them here along with Ben's suggestions. Thanks to all who wrote in.
Meet the PCC - EarthLink's new computer protection tool
When EarthLink decided to launch a free anti-virus, anti-spyware, firewall solution I was so excited. We had the chance to dramatically help consumers protect their computers with very powerful protection tools, but more importantly the chance to make it easy for them to do so.
The EarthLink Protection Control Center (PCC) protects users from viruses, spyware, and phisher sites with the added protection of a firewall. Instead of having to use separate applications to scan for viruses and spyware, the PCC scans for all threats with the same efficacy and at blazing speeds! The PCC scans up to twice as fast as other methods!
Former NSA cloak-and-dagger man Ira Winkler thinks that there is plenty of good security technology out there; we're just not using it or training people to think about security effectively.
In an interview with CIO Insight magazine, Winkler discusses "the simple things" that companies can do to improve data security. His comments are focused on business security, but the concepts apply to home users too, and some of the details may apply to home network users.
New York Times columnist Thomas L. Friedman has a funny and thought-provoking column (registration required) in today's paper.
He's considering running for President with the campaign promise that after 4 years, our cell phone service would be at least as good as Ghana's, and if elected for a second term, as good as it is in Japan.
While that sounds funny, his underlying point is important. The Internet is becoming a backbone platform for education, communication, and entertainment throughout the world, and the US is ranked 16th in broadband Internet penetration, behind -- no, not Ghana -- but well behind Canada, Belgium, Japan, and long-term leader South Korea. Other studies suggest we may be higher, 12th instead of 16th, and that the study methodology may be flawed.
Whether or not the studies are perfect, Friedman's point remains strong: How can we make sure the benefits of new technologies reach as many people as possible?
And as an even greater challenge, how can we do it in such a way that people's identity and data remain secure, especially as they learn to navigate a world where threats may *look* like video games or urgent requests from your bank? I hope we come up with good robust answers, and fairly quickly.
Susan Crawford has a nice commentary on how those of us who are technologically inclined -- and especially those who are concerned about the future of technology policy -- should react to the new Pew Internet & American Life study (pdf file) that found most people are confused about all these new terms like phishing and podcasting.
In a nutshell, Crawford says that we need to take on explaining these terms to people in a concrete and real way. Examples of that, some Crawford's, some mine, include:
Show someone how to read blogs via RSS feed, or help your parents install the EarthLink Toolbar to block phishing sites. Help them listen to a podcast.
This confusion that most consumers are feeling is also a big part of why EarthLink joined the Anti-Spyware Coalition. Consumers need the industry players to speak the same language when we're talking about these new technology threats!
Let us know if the Anti-Spyware Coalition is on the right track! Comments on the draft documents will be accepted until August 12, 2005.
Kim Cameron, Identity and Access Architect (at Microsoft Corp.), has developed "The Laws of Identity."
The paper starts off: “The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet.”
The laws are:
- User Control and Consent
- Minimal Disclosure for a Constrained Use
- Justifiable Parties
- Directed Identity
- Pluralism of Operators and Technologies
- Human Integration
- Consistent Experience Across Contexts
I have often considered jumping on someone's unsecured wireless network to browse the Internet – I can see four wireless networks from inside my apartment and two of them are wide open. This article has changed my mind about considering that in the future.
Wouldn't it be awful to learn that someone has used your unsecured wireless network for some sort of malicious activities?
Apparently, hacking isn't just a sport anymore. Hackers are trading in their badge of glory for cold hard cash.
"In the last year, we have seen a dramatic shift to hacking for financial gain," said Oliver Friedrichs, a senior manager at Symantec Security Response. "The benefit of creating a widespread worm on the Internet has really been superseded by the potential of monetary gain."
I’m not afraid to admit it: I love online shopping. I love locating hard-to-find items. I love the selection and being empowered to find the best price. I love the convenience of searching several stores within minutes and not searching for a parking spot. And of course, I love never having to go to another shopping mall.
But our blog entry the other day got me thinking. An Internet user for nearly 10 years, I tend to be a tad too comfortable when it comes to shopping online. But I certainly don’t want to join the 13% who’ve already fallen prey to identity theft. Since I’m not willing to let fear rob me of this thing I love, I’ve decided to get smarter about it. And guess what? You probably should, too. To lessen our chances of adding to the statistic, here are a few sites with worthwhile safety-savvy tips:
Ok, the Supreme Court's decisions yesterday in NCTA v Brand X and Metro-Goldwyn-Mayer v Grokster aren't strictly computer/internet security issues, but they may be of interest to readers of this blog anyway.
The issue in Brand X was whether cable internet companies should be treated like DSL companies, and be required to allow independent ISPs, like EarthLink, to sell our services over their networks. The Supreme Court said no. Cable companies sell "information services" and DSL companies sell "telecommunications services" and they're completely different.
Most people reading that are responding "what?" and "I don't understand."
Law Professor Tim Wu has the most accessible explanation of the Brand X case and its consequences that I've seen. Professor Susan Crawford's blog also includes interesting commentary on "what the Supreme Court thinks of the internet" -- discussing both Brand X and Grokster.
Like Brand X, Grokster is a confusing decision. Basically the court said that you can't have a business based on encouraging people to engage in illegal activities like sharing copyrighted material, but you can still have businesses that allow file sharing. "How?" is where things get confusing.
If your head hurts, don't be alarmed. Be glad that you aren't a technology lawyer who has to try to tell clients what services they can or cannot provide. :)
Grokster does have some security implications, although they're on the tenuous side.
We know that file sharing products make it easy for unsuspecting users to get infected with viruses, spyware, and other malware. If there are fewer filesharing products out there, and there is an attempt to reduce sharing of illegal copies, there will also be fewer opportunities for spyware vendors to fill your computer with malicious or unwanted software.
The Grokster decision is NOT the end of spyware and viruses, but it may have a small side effect of reducing their spread for a while.
Microsoft has no plans to release a patch to deal with a recent pop-up spoof that affects the Internet Explorer browser. This particular spoof could get users to go from a legitimate site to a malicious one where they are tricked into giving out personal information.
See the full article from News.com
CNN profiles an "ethical hacker" who uses his talents for good by helping companies work on shoring up the security of their wireless networks.
He gives four simple tips toward safe hot-spot surfing:
• Look for additional security software, such as a firewall.
• Be wary of "evil twins"—fake hot spots that only look real. These could easily be hackers trying to trick you into giving them access to your computer. Safest bet to avoid these sneaky crooks? Pre-pay for wireless access in advance.
• Don't send sensitive email on wireless networks that don't have high-level security.
• Activate the security software on your home system to deter hackers from using your wireless network for free.
This information is according to a TechWeb article by Gregg Keizer:
According to the NISCC, whose duties correspond to the U.S. Computer Emergency Readiness Team (US-CERT), more than 300 U.K. agencies and companies have been targeted by the attack, which involves more than 75 different Trojan horses and in many cases, can be traced back to the Far East.
Americans want Congress to keep the Internet safe, but don't trust it to do it right
In a new survey funded by the Washington-based Cyber Security Industry Alliance released on Wednesday, 71% of those polled want Congress to pass new laws to help keep the Internet safe. Unfortunately, the same poll shows that they hold low opinions of the ability of Congress and the Federal Trade Commission to do anything about the issue.
The FBI scores a little better, but still not as well as tech companies such as Microsoft and Dell.
Cleaning up a compromised computer can be frustrating....
There's an interesting blog entry in the Washington Post's Security Fix blog by Brian Krebs. Brian documents the nearly day long adventure he had trying to clean up and secure a friend's computer.
Although the bulk of the entry is about what all it took to clean up the spyware and malware tenaciously clinging to his friend's computer, one comment sticks out:
Though I am a veteran witness of such atrocities, I remain awestruck by the juxtaposition of those two offerings. Somewhere out there, a diabolical marketing machine is reaching through cyberspace offering wide-eyed kids all kinds of goodies, including their very own custom-made smileyfaces or "emoticons," for use with AOL's chat program, AND their choice of highly addictive narcotics and sexual-performance enhancement drugs, with a selection of adult Web sites to boot!
Charming, isn't it? But very much in line with Ben Edelman's findings which I blogged about a few weeks ago. I hope that the FTC will consider enforcement actions under the Children's Online Privacy Protection Act (COPPA), which prohibits certain types of online marketing to children under 13 years old, unless the company has explicit parental permission.
Microsoft released 10 new patches today—one of which it deems critical. Seven of the security bulletins affect Windows.
Microsoft has also unveiled a major revamp of its patching service. Consumers will be offered a one-stop destination for software patches through a new Microsoft Update service that allows customers to get updates for Office and other applications from the same place they get Windows patches.
You may have read the headlines already. The MSN Web site in Korea—the one written in Korean, for Korean consumers—got hacked. For nearly half a day, the site was unavailable while MSN worked hard to purge the site of little booby-traps that could transmit site visitors' usernames and passwords to the hackers.
The danger is past. And for those of us in the U.S., apparently there's nothing to be concerned about. According to Microsoft, their U.S. Web site is not vulnerable to this particular type of security threat.
Think you're pretty smart about your security online? I thought I was. But according to a study released yesterday, chances are we're not as smart as we thought.
Pennsylvania’s Annenberg Public Policy Center published the “Open to Exploitation: American Shoppers Online and Offline” study on Wednesday—discovering that U.S. Internet users are “dangerously ignorant” about online exploitation. Most test-takers failed, answering only an average of 6.7 correctly out of 17 true-or-false questions.
You can redeem your intellect like I did by reading more about the study’s findings here, or test yourself here.
The Norwegian makers of the Opera web browser recently surveyed the “adult online population” about web browsers and their relation to internet security.
The poll found that more than half the “adult online population” knows there’s a relationship between the web browser one uses and their potential online security risk; however, consumers aren’t switching browsers to reduce the potential risk.
"Changing to a more secure browser is one of the simplest ways for Web users to make surfing safer and minimize the risk of falling victim to virus, spyware or 'phishing' attacks," said Opera's chief technical officer Haakon Wium Lie, referring to various techniques of tricking Internet users to hand over personal information, such as credit card numbers and passwords.
My personal choice of web browser is Firefox; that is not to say it's the best choice, just one I have made based on what I use the internet for.
Security Advisory (May 8, 2005) The Mozilla Foundation is aware of two potentially critical Firefox security vulnerabilities as reported publicly Saturday, May 7th. There are currently no known active exploits of these vulnerabilities although a "proof of concept" has been reported. Changes to the Mozilla Update web service have been made to mitigate the risk of an exploit. Mozilla is aggressively working to provide a more comprehensive solution to these potential vulnerabilities and will provide that solution in a forthcoming security update. Users can further protect themselves today by temporarily disabling JavaScript.
Further information including the availability of updates will be posted at Mozilla.
With today’s launch of the latest Netscape 8.0 browser touting increased security, and the recent rumblings about Mozilla’s open-source Firefox browser—one has to wonder about browsers in general.
Mozilla has been quick to disclose and fix Firefox vulnerabilities. Pretty smart, considering that Firefox's increasing popularity has them at a 10.28% market share. According to the Browser Market Share Study, browser ranking and market share results as of April 26, 2005 are:
- Internet Explorer - 83.07%
- Firefox - 10.28%
- Mozilla - 3.81%
- Netscape - 0.92%
- AOL - 0.85%
- MSN - 0.67%
- Opera - 0.41%
Interesting to note that Internet Explorer is down from 95% last June.
But which browser has experienced the most vulnerabilities?
According to Symantec’s Internet Security Threat Report, published in March 2005, in the last six months of 2004, Mozilla browsers were affected by 21 vulnerabilities, compared to 13 for Internet Explorer, 6 for Opera, and none for Safari.
You can read Symantec’s news release here. And for a more general, side-by-side browser comparison, you might be interested in this.
The FCC will vote tomorrow (Thursday, 5/19) on new regulations that may require Internet phone providers to offer 911 services. Turns out, many of them don't. The problem lies not in their unwillingness to do so, but in the technical requirements to synch up VOIP services to the 911 systems. This could be huge, driving up prices and stunting VOIP growth. Definitely something to keep our eye on.
Be on the lookout! Last week Microsoft announced their plans to release eight security bulletins today April the 12th. As of 9:30 this morning, I hadn't seen them yet...
Five of the updates are expected to be high priority patches for the operating system. Check out Windows Update, Office Update and the Microsoft Download Center for the latest.
Another way to stay up to date with Microsoft, is to turn on Automatic Updates. See this link for more details.
Hey, fruit lovers, don't forget we have similar security updates for Macintosh from Apple. You can learn more about Apple's Software Update feature at this link.
Nancy sent us an email asking about "torrents" and whether they were safe. For those of you not familiar with BitTorrent, see Brian's BitTorrent FAQ. Basically, BitTorrent is a protocol used to efficiently download files. It's ideal for large transfers to many people. My warning with downloading (P2P transfers) is to have good anti-virus and anti-spyware protection installed. Most of the time you don't know or trust the source of the file. Also, there are many different BitTorrent clients available, and it's possible the clients themselves could contain spyware. Make sure you do your homework. Brian's FAQ also points to a handful of recommended clients. Thanks for the question Nancy!
If you have questions or comments feel free to leave them on the site (see comment button below), or email us at protectionblog@earthlink.net.
In other news, I read an interesting report from John Leyden at The Register. The article talks about a decline in computer virus worms, attributed to widespread use of Service Pack 2 (SP2, a major security upgrade to Windows XP) and the continued adoption of firewalls.
TechWeb recently highlighted a German security research project that found: "More Than 1 Million Bots On The Attack."
At least a million machines are under the control of hackers worldwide, said security experts in Germany, indicating that the bot and botnet problem is worse than anyone thought.
Using only three computers as "honeypots," machines deliberately left open to attack, thus attracting hackers and their bots so researchers can capture data on their actions, German security analysts at Aachen University were able to identify more than 100 botnets during a three-month project. Those botnets ranged in size from only a few hundred compromised PCs to several of up to 50,000 systems.
The volume, the Honeynet Project researchers said, was staggering. Even using conservative estimates, they projected over a million PCs worldwide are currently under the control of hackers running botnets.
The number of bots in attacker botnets is hard to pin down, added Dunham, but the figures cited by the Germans, he said, are probably conservative. "In just the last six months, the numbers of botnets surged from only a few hundred to over 6,000 total by our count," Dunham said. "It's not uncommon to see botnets with more than 50,000 PCs, so there could easily be a million or more total."
Our friends at Webroot wrote in to tell us about multi-factored authentication...
You have multi-factored authentication when you use any two of the following factors to confirm someone's identity:
1. Something you know (password)
2. Something you have (smart card, password token)
3. Something you are (finger print, retina, DNA, breath, voice)
4. Where you are (GPS)
Les Seagraves, Executive Editor
EarthLink's Chief Privacy Officer, Les Seagraves, serves as Executive Editor of the Protection Blog. Les is a general counsel with EarthLink's legal department, where he leads the legal battle against spam and fraud. He's a frequent speaker for trade groups, conferences, continuing legal education and college classrooms. A true technology lawyer, Les has testified in Congress and consulted with federal and state legislators on privacy, spam and other areas of technology law.
Mike Strutton
As the Director of Product Management for EarthLink's Software Products, Mike has been engaged with many of EarthLink's protection products, aka The Blockers, as well as TotalAccess for Windows and Mac. Mike has been with EarthLink for over 10 years and has over 12 years of internet experience. Mike is an avid fan of the Apple Macintosh, but don't let that fool you: while he totes his Powerbook everywhere, he surrounds himself with 3 Dells in his office and 3 more at home.
Stephen Currie
EarthLink's Director of Product Management for Communication Products is Stephen Currie, who oversees the EarthLink mail client, including the development and implementation of email tools like EarthLink spamBlocker. Stephen has also represented EarthLink at industry coalitions aimed at eradicating spam and other Internet abuse, and his expert opinion on spam has been featured in national media coverage.
Scott Mecredy
A Senior Product Manager for Protection Software at EarthLink, Scott Mecredy has been developing consumer software for over 7 years. An industry thought leader (place pointer finger on chin and look longingly into space), he helped create ScamBlocker, the first comprehensive Phisher protection product available in the market. Scott's a Rock Star (in his own mind), and lives for one thing: a successful software launch.
Liza Barry-Kessler
EarthLink's Senior Product Manager for Parental Controls. Although new to EarthLink, Liza is ancient in "internet years," having been online since 1987. She began her career in Parental Controls as a First Amendment lawyer at the Center for Democracy & Technology (www.cdt.org), where she was part of the team that launched the industry-wide internet-safety and privacy initiative, GetNetWise, in 1999.
Liza is also a nationally recognized expert on web filtering and internet privacy issues, both in the home and in school and library environments, and is co-author of the book "Privacy in the 21st Century: Issues for Public, School, and Academic Libraries," forthcoming from Libraries Unlimited publishers in June 2005.