Defensive Computing

November 10, 2008 5:32 PM PST

Get an MSI Wind Netbook for only $349

by Michael Horowitz

The MSI Wind has been around a long time by Netbook computer standards and generally gets good reviews. Laptop magazine, for example, loved it. Back in July, CNET gave it 3.5 stars out of 5.

The model CNET reviewed was, at the time, $479. It ran Windows XP, came with an 80GB hard disk and included Bluetooth networking. If you can live without Bluetooth, you can now buy a very similar model, the Wind U100-420US, with a 120GB hard disk for only $349. For that price you get a gigabyte of RAM, an Intel Atom processor, a 10-inch matte finish screen, Windows XP Home Edition, and a reasonable keyboard (all Netbook keyboards involve trade-offs).

This is a great price for a well-received 10-inch Netbook. Less than a month ago, it was $399. Laptop magazine referred to the price as "amazing" but warned, as did CNET, about the 3-cell battery. As Netbooks go, a 3-cell battery is bottom-of-the-line and generally doesn't offer much more than 2 hours of run time. That said, the Wind is able to toggle between a high performance mode and a slower mode designed to extend the run time.


In comparing the cheaper U100-420US with the more expensive U100-016US model, Liliputing.com also points out that the cheaper model doesn't offer gigabit Ethernet. I think it's a great trade-off.

Both Liliputing and Laptop magazine blogged about the machine being available at Best Buy. However, my local Best Buy didn't have it on display on Sunday, and the Best Buy Web site currently shows the machine as being back-ordered.

The Wind U100-420US is also available, for the same price, at Newegg. It must be new there too as there aren't yet any customer reviews. However, the very similar U100-016US model has 23 reviews.

The Wind U100 is very similar to the Asus Eee PC 1000H. Last month Liliputing ran a detailed comparison of the two machines. If you're in the market for a Netbook, it's a worthwhile read.

Compared to the Acer Aspire One

On a personal note, this kills me. I very recently purchased an Acer Aspire One (AA1) for the exact same price. The Wind U100-420US is a much better value.

For one thing, it has a 10-inch screen versus only 9 inches for the Acer Aspire One. Also, the Wind screen has a matte finish (which I prefer, but opinions vary), while the Acer screen is glossy. My recent posting "Choosing a Netbook--a picture can be worth a thousand words" illustrates the difference between a 9-inch glossy screen and a 10-inch one with a matte finish.

If the AA1 has a battery-saving low power mode, I haven't run across it.

The Wind keyboard is larger; I find the keyboard on the AA1 to be just a bit small for my adult-size fingers. According to Matthew Miller at ZDNet, the MSI Wind Netbook doesn't compromise on the keyboard.

The mouse buttons on the Wind are also better positioned. They are under the touchpad, where most people prefer them. I am not alone in disliking the button placement on the AA1 (instead of being under the touchpad, the buttons are on either side). Also, I use the Page up and Page down keys a lot and they are better positioned on the Wind keyboard.

You get the idea.

There is, however, one thing to be on the lookout for. Dave Winer had a hard time getting his Wind to connect to a couple of different Wi-Fi routers. In the end, he returned the computer.

Just for the record, I have no relationship at all with MSI, Best Buy, Newegg, or Acer.

See a summary of all my Defensive Computing postings.

November 9, 2008 9:18 AM PST

Not interested in a Netbook computer? Consider the Honda Fit

by Michael Horowitz

Netbook computers are small and underpowered, making them a turn-off for many. But consider the Honda Fit, which was raved about in The Wall Street Journal on Saturday.

The Fit is a small, cheap, underpowered 5-door hatchback. Yet, Jeff Sabatini in the Journal said, "The Fit truly offers everything you need in a car, and nothing you don't." This is exactly the niche that Netbooks seek to occupy in the laptop computer world.

Compared with other cars in its class (the Chevrolet Aveo 5, the Nissan Versa and the Scion xD), Sabatini argues that a lot of good design choices went into the Fit. Below are some quotes from the article:

  • ... a lot of car for the money--even as it's not a lot of car
  • ...a car fairly well equipped with the stuff we take for granted
  • It may not sound like a lot, but 117 horsepower is plenty
  • [it aims] ...to be not just a good small car, but an exceptional car, period
  • load up 4 adults and, despite its diminutive size, the car still doesn't feel small
  • For not a lot of money the Fit is a whole lot of fun to drive

In other words, small and cheap don't have to imply a miserable user experience.

Rather than blindly ruling out Netbooks, look for one that made the right trade-offs. To my mind, this excludes models with a 9-inch screen and puts a great emphasis on the keyboard. The number of available models is huge and constantly in flux, as are prices.

I think Netbooks are the next big thing. They will make great second computers for normal people, third computers for techies, and first computers for children. They will become mandatory take-to-class computers for students. For anyone interested in defensive computing, they will be mandatory when traveling (think both good enough and sacrificial lamb).

That said, I couldn't drive a Honda Fit as I never learned to drive a stick shift.


November 8, 2008 5:54 AM PST

When Word documents break

by Michael Horowitz

On November 6th, an article appeared in the New York Times that all Word users should review.

The question in the Q and A column was "Is it possible to extract the content from a corrupted Microsoft Word 2003 file that won't open?" Turns out there are a number of options.

When opening a file with File -> Open, the "Files of Type" drop-down menu has an option to "Recover Text from Any File."

A more ambitious approach is to repair the document. In Word 2002, 2003 and 2007, use File -> Open, navigate to the file and select "Open and Repair" from the drop-down menu on the Open button.

In addition, the article links to Microsoft Knowledge Base articles with additional tips, and to a commercial product.

Let me add that recovering and repairing may help or hurt. Thus, I suggest attempting each on a copy of the broken document, one created exclusively for this purpose.


October 30, 2008 10:35 AM PDT

Beware e-mail messages from UPS

by Michael Horowitz

I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware-spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.

As you can see in the picture below, it came with an attached ZIP file.

A malicious email that was not from the UPS package delivery company

ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.

The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.

As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.

And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.
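The check described above can be automated at the mailbox. The following is an added example, not part of the original post: it lists the contents of ZIP attachments without extracting them and flags directly executable files, ignoring the "From" header entirely. The function names, the extension list, the sample addresses and the ZIP file name are assumptions constructed for illustration; only the EXE name comes from the post.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (illustrative, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_risky(name):
    # Only the final extension counts, so "invoice.pdf.exe" is treated as an EXE.
    return os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS


def risky_zip_members(zip_bytes):
    """List executable members of a ZIP by reading its directory only.

    Nothing is decompressed or written to disk, so the archive's contents
    never run and an oversized archive cannot fill the disk.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            return [n for n in archive.namelist() if is_risky(n)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw_bytes):
    """Return (attachment name, flagged file name) pairs for one raw e-mail.

    The sender is deliberately not consulted: the "From" address is easy
    to forge, so the verdict rests on what is attached.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_risky(name):
            findings.append((name, name))
        elif data.startswith(b"PK"):  # ZIP files begin with the bytes "PK"
            findings.extend((name, inner) for inner in risky_zip_members(data))
    return findings


def build_sample_message(inner_name):
    """Constructed sample: a message claiming to be from UPS with a ZIP attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(inner_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "UPS <delivery@example.com>"  # forged display name, constructed
    msg["To"] = "reader@example.com"
    msg["Subject"] = "UPS tracking number (constructed sample)"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice_000000.zip")  # constructed name
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, inner in scan_message(build_sample_message("UPSInvoice_997612.exe")):
        print(f"Do not open: {attachment} contains {inner}")
```

Because the check keys on the file type rather than the file name, changing the number in the name from one message to the next makes no difference to the result.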


October 23, 2008 10:26 PM PDT

Time to patch Windows again, ASAP

by Michael Horowitz

If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.

Susan Bradley, writing for the Windows Secrets newsletter, recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update, you can manually download the patch and install it.

A standard of Defensive Computing is that the less software installed and running the better. This particular bug is with a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the Server service running, bug or no bug.

Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.

Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.

If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.

Build a better fence around your Windows computer.

For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."
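One way to confirm the result from the outside, as an added example that is not part of the original post: run this from a second computer on your own network against the machine you just configured. It separates "nothing is listening" from "the firewall is dropping the traffic", which matters for the two-layers argument above. The function names and verdict labels are hypothetical, and the default target of 127.0.0.1 is only a placeholder.

```python
import socket
import sys

SMB_PORTS = (139, 445)  # the two TCP ports named in the post


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # something accepted the connection
    except ConnectionRefusedError:
        return "closed"      # host answered, but nothing is listening
    except socket.gaierror:
        raise                # bad host name: a usage error, not a result
    except OSError:
        return "filtered"    # timeout or unreachable: traffic was dropped
    finally:
        sock.close()


def check_host(host, ports=SMB_PORTS, timeout=2.0):
    """Probe each port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def verdict(states):
    """Summarise the per-port states into one finding."""
    values = set(states.values())
    if "open" in values:
        # Service running and firewall allowing it: both layers are missing.
        return "exposed"
    if "closed" in values:
        # Service is off, but the packets still reached the machine, so a
        # single mistake (re-enabling the service) would expose it again.
        return "service-off-only"
    # No answer on any port, which is what a firewall silently dropping
    # the traffic looks like from outside.
    return "filtered"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder
    result = check_host(target)
    for port, state in sorted(result.items()):
        print(f"TCP {port}: {state}")
    print("Verdict:", verdict(result))
```

A verdict of "filtered" is the goal for a computer that is not sharing files or printers; "service-off-only" means the firewall exception for file and printer sharing is probably still enabled.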

Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See "A second router protects adults from kids."


October 21, 2008 6:00 PM PDT

Defensive Computing for Lawyers

by Michael Horowitz

Frank Hayes, writing in Computerworld, does a great job recounting how an Excel to PDF conversion resulted in Barclays Capital making a multi-million dollar mistake in their offering to buy part of Lehman Brothers. In and of itself, it's an interesting story, but Hayes concludes with this advice for using technology:

Keep it simple.
Don't make assumptions.
And never, ever trust tech more than you really have to.

Agreed.


October 18, 2008 5:16 PM PDT

Two problems with Secunia Online Software Inspector

by Michael Horowitz

Update October 20, 2008, Noon EDT. According to Secunia, they now detect version 10 of the Flash Player and they have corrected their FAQ. However, the most important issue, treating version 9 of the Flash Player as good rather than bad, has not changed.

Update October 20, 2008, 9 PM EDT. An email from Secunia said they don't consider version 9,0,124,0 of the Flash Player to be bad because it is the latest edition of version 9 and because Adobe still supports version 9.

I've mentioned previously that I'm a big fan of Secunia's Online Software Inspector for rooting out old buggy software on a Windows computer. Although it's not perfect, Windows users are much better off with it than without it. But there are two recent issues.

Sample report from the Secunia Online Software Inspector.

One long-standing issue is that OSI is a Java applet and Secunia could do a better job of making new users aware of the Java requirement--not only what Java is, but also the required version and the currently installed version.

First problem

What's new about Java is that the necessary version has been updated.

As I write this, Secunia's FAQ says Java version 1.5.0_12 or later is needed, while its system requirements page says that Java 1.6.x or later is needed. I discovered the hard way that the system requirements page is correct.

As part of installing the latest version of the Adobe Flash Player, I tried to run a Secunia scan on a system with Java version 1.5.0_15, only to have it fail in a new way. After trying to load Java 50 times, it gave up and issued the error below.

Running Secunia OSI with an old version of Java.

I can only assume this has something to do with the Online Software Inspector update on October 16.

So, what version of Java, if any, is installed on your computer? See my www.javatester.org Web site.

Second problem

The other problem with Secunia's OSI is that it is behind the times on the Adobe Flash Player.*

For one thing, it still thinks version 9 of the Adobe Flash Player is OK. According to Adobe, it's not. Then too, it does not yet detect version 10 of the Flash Player at all.

I'm sure Secunia will get up to speed on the Flash Player soon. Its Online Software Inspector is still a very valuable service, and the new version seems to run much faster than the old one (even though it can't count to two--see screenshot below).

The Secunia Online Software Inspector reports an inconsistent number of errors.

*This was tested again Sunday October 19, 2008 at 3 p.m. EDT.
Initially tested Saturday October 18, 2008 at 7 p.m. EDT.

October 18, 2008 3:05 PM PDT

Seven steps to update the Adobe Flash Player on Windows

by Michael Horowitz

Adobe just released version 10 of the free Flash Player Web browser plug-in. The new version (10.0.12.36) replaces version 9,0,124,0 (yes, those are commas, not periods) and includes an important fix for a security flaw known as "clickjacking," as well as fixes for other problems.

Everyone should update their copy of the Flash Player, and this post explains how to do so on Windows machines (the Flash Player also runs on OS X and Linux).

Updating the Flash Player on a Windows machine is unusually cumbersome. In part, this is because the Internet Explorer version is packaged very differently from the Firefox/Opera/Chrome version, so the Flash Player needs to be installed separately into each browser.*

Another reason for the unusual hassle is that for many years, installing a new version didn't remove old versions. Then too, if all goes well, you should be able to remove recent versions of Flash in the normal way, but all doesn't always go well. For example, on the Windows XP computer I'm writing this on, version 9,0,124,0 of the Flash Player plug-in is installed and working fine, yet it doesn't show up in the "Add or Remove programs list" in the control panel.

Thus, the safest approach is to use Adobe's Flash Player uninstaller program.

I've written about this before, so rather than rehash it fully, what follows is a seven-step cheat sheet.

Step 1: To get the lay of the land, use Adobe's Flash tester page to see which version is currently being used by your Web browsers. I say "browsers" because this needs to be done in each installed Web browser.

Uninstalling

Step 2: Download the Adobe Flash Player uninstaller here. If you've done this before, do it again. The Windows uninstaller was last updated on October 15, 2008.

Step 3: Shut down all running programs, then run the uninstaller. Below are the uninstall details.

A detailed report from the Adobe Flash un-installer program

Step 4: Check the output from the uninstaller to see if you need to restart Windows. Here is what Adobe says about this:

"Internet Explorer users may have to reboot to clear all uninstalled Flash Player ActiveX control files. If you're not certain, select the "Show Details" button in the Flash Player uninstaller. If there are any log lines that begin with "Delete on Reboot..." then you'll need to reboot BEFORE running the Flash Player installer again."

Step 5: Adobe's Flash Player uninstaller is limited in a few ways. For one, it does not deal with portable versions of Firefox (see Portable Firefox and the Flash Player). It also doesn't handle other software, such as Dreamweaver, that includes its own copy of the Flash Player. Then too, there used to be a bug with its not searching for installed copies of Flash in places used by very old browsers.

The best way to get a true inventory of all instances of the Flash Player is to run the Secunia Online Software Inspector and turn on the checkbox to "Enable thorough system inspection." Expect it to take a while.

Installing

Step 6: In Internet Explorer, first make sure that only one copy of IE is running. Then get the new version of the Flash Player at www.adobe.com/go/getflash. Look for a checkbox about also installing the Google toolbar. If there is one, I suggest turning it off on the theory that the less software installed the better.

The Flash Player installs like any other ActiveX control. Adobe warns, however, that "if you don't have administrator access, then you may not be able to install Flash Player successfully."

Step 7: For Firefox, Opera, and Chrome, Adobe also warns that you "may require administrative access to your PC" (see Flash Player installation instructions). Start any of these browsers, go to www.adobe.com/go/getflash, and download a file called install_flash_player.exe.

Downloading the Flash Player installer for the plug-in version of the Flash Player

Close all Web browsers, then run the installation program. Finally, start each non-IE Web browser on your computer and verify the installation at the Flash tester page.

Here's the pot of gold at the end of the rainbow:

The latest and greatest Flash Player

If you have any problems, see Troubleshoot Adobe Flash Player installation for Windows. You can also download Flash at adobe.com/shockwave/download/alternates/.

To answer the question you may be thinking, yes, in an ideal world this posting would not be needed, let alone be so long.

*Adobe refers to the Firefox/Opera/Chrome version of the Flash Player as the "plug-in" version. In Internet Explorer, the Flash Player is an ActiveX control. You'll see them listed separately in the list of installed software in the control panel.


October 13, 2008 10:31 PM PDT

Data theft: What really accounts for it

by Michael Horowitz

If you work in a corporation, then you might be interested in a blog posting by Joel Hruska over at Ars Technica that reviews a report by Compuware on how and why corporations lose data.


Compuware surveyed 1,112 "IT practitioners" and found that only 1 percent of data losses could be attributed to hackers.

The other 99 percent? Mostly negligent insiders. The next biggest sources of trouble were outsourcing and malicious employees.

Asked about their employer's ability to monitor and detect information theft, most of those surveyed said their employers did a poor job.

If you like to cut to the chase, here is Hruska's conclusion:

The report ultimately suggests that the vast majority of companies have security models that are semifunctional at best. Accountability is a hit-or-miss affair, confidence in the system as a whole is minimal, and the flaws that contribute to data breaches aren't confined to any single level of an organization.

Ouch.


October 8, 2008 6:44 PM PDT

Being smart about Web mail

by Michael Horowitz

There was an interesting article recently in The New York Times about getting locked out of a Gmail account.

In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.

For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50 a year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.

If you care about a Web mail account, then some homework may be in order.

Alternate e-mail address

One thing Web mail users should have associated with their account is an alternate e-mail address. This is typically optional, but it can be critical, should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail e-mail address as the alternate for a Gmail account. Too many eggs in one basket.

If you're like me, with no recollection or notes about the alternate e-mail address associated with your Web mail account, here's how to check (after first logging in to your account):

Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.

Classic Hotmail: Click on "Options" in the top right corner, then View and Edit your personal information. Your alternate e-mail address is displayed along with a link to change it.

Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password. Yahoo will then display "Alternate Email 1" and "Alternate Email 2." Yahoo supports two alternate e-mail addresses, a great safety net, since our e-mail providers change over time.

Secure connections

Gmail, Hotmail, and Yahoo Mail all offer secure connections when you initially log on and enter your password. Hotmail and Yahoo then switch back to unsecured, HTTP, connections. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing e-mail. Highly recommended.

To enable this feature, Gmail users should click on "Settings" in the top-right corner, then on the default "General" tab, scroll to the bottom of the page, and turn on the radio button to "Always use https."

Truthiness

Web mail may be one of those places where little white lies are acceptable. The governor of Alaska, who recently had her Yahoo e-mail exposed to the world, set herself up for failure by truthfully answering some questions.

Every Web mail system asks for personal information as a means of identification, should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.

Yahoo and Hotmail limit their secret questions to a handful of preselected questions. The straw that broke the camel's back for the governor of Alaska was the question of where she met her spouse. Being a public figure, it didn't take much guessing for someone to correctly answer this question and fool Yahoo into thinking that person was the governor. There were some other canned questions too, but they were also easy to answer using public information.

Public figure or not, there is no reason to answer Web mail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password.

So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place. The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.

Gmail is the most flexible of the major providers. It lets you choose your own secret question, thus giving you a fighting chance of picking a question to which no one else knows the answer. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.

To review your security question in Gmail, click on the "Settings" link in the top-right corner, then go to the "Accounts" tab, and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question." You will have to re-enter your Gmail password.

Users of the classic Hotmail system can review their security question by clicking on "options" in the top-right corner, then clicking on "View and edit your personal information."

Yahoo e-mail users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in "How do I update my secret question?", Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.

Does someone already know your password?

If someone learned your Web mail password, would you know? It's one thing to have your e-mail read, but it's another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hat by changing it.

Potentially, there is much that Web mail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.

When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:

Last account activity: 22 hours ago at IP 66.88.111.222. Details
or
Last account activity: 22 minutes ago on this computer. Details

If you didn't last log in to your Gmail account when the message indicates, then someone knows your password.

Internet Protocol addresses can be linked to both an Internet service provider and a country, for sure, and maybe even to a city within the country. For more on this, see my earlier posting "What does your IP address say about you?"

Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this, too, can alert you that someone knows your password.

Information about the most recent Gmail account activity is presented on the bottom of every Gmail Web page. For more, see Last account activity in the Gmail Help.

Test password recovery

Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Web mail. The best way to ensure that you can recover or reset your password is to try it.

Yahoo password recovery (thanks to the governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence, and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office, or a prior residence or prior work location.

Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail." If you go the first route and answer the questions correctly, you get to choose a new password.

The location information is the same as Yahoo's--country, state, and ZIP code. If you go the second route, an e-mail message is sent to the alternate e-mail account with two links, one for confirming the request and resetting the password and another for doing nothing.

Gmail error handling isn't limited to just password recovery; they deal with a whole host of problems accessing your account, including:

  • I forgot my password
  • I forgot my username
  • My account has been compromised
  • My password doesn't seem to be working
  • Loading issues
  • Another error or problem

If you forget a Gmail password, you're taken here where, as with the other two systems, you enter the user ID and get in through a Captcha. At this point, there are no options. Google sends an e-mail to the alternate e-mail address. It doesn't display the entire alternate e-mail address (Hotmail, in contrast, does); just the domain name.

I tested this using a Yahoo.com e-mail address as the alternate to a Gmail account. Word to the wise: don't do this. The message from Gmail was treated as spam by Yahoo. The message includes a link that, when clicked, takes you to a Web page where you can enter a new password.

If you no longer have access to the alternate e-mail address, Google advises you to "...try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."

Web mail accounts may start out as toys or curiosities, but for many people, they end up being important. A little homework now may save a ton of grief later.



About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
