Defensive Computing

July 6, 2008 2:44 PM PDT

A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.

On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.

The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.

Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).

Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?

Old Versions of Software

Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.

A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." ... Read more

July 5, 2008 2:23 PM PDT

Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.

This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.

When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.

The problem is verifying the physical location of legitimate websites.

For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or has my computer been compromised such that I'm looking at a phony copy?

The only way to verify the location is to ask the bank. So that's what I've been doing.

On July 3rd, I contacted ... Read more

July 2, 2008 12:26 PM PDT

A big part of phishing scams and identity theft is fooling people into thinking they are on one website when they are actually somewhere else. The technical tricks to accomplish this include lookalike and phony domain names, zapping the hosts file, tricks with URLs and assorted attacks on DNS servers. What's a normal person to do?

Flagfox is an unobtrusive extension for the Firefox web browser that offers some assistance by placing a flag in the bottom right corner of the Firefox window. The flag (shown below) indicates the country where the website physically resides.


If you don't recognize the flag, hover the mouse over it and a yellow pop-up window (below) displays the IP address of the website and the country where it resides. If you normally deal with a bank, brokerage or credit union in, for example, the United States, and one day you notice the flag is from another country, you are not at the website you thought you were.


Of course this only goes so far. If a legitimate website is in New Jersey and a phony, phishing copy of it resides in New Mexico, the flag will still be American. Before doing anything sensitive, such as banking, click on the flag to open a new tab showing a map and more precise location information such as the city and state.


This is the physical location of the website, not of the organization or person represented by the website. Although in the case of ... Read more




July 1, 2008 3:02 PM PDT

The list of talks is now firm for the upcoming hacker conference, known as The Last HOPE. Organized by 2600, who you may know from their weekly radio show, Off The Hook, on WBAI-FM or their quarterly magazine, the conference will be held July 18th through the 20th at the Hotel Pennsylvania in midtown Manhattan.

(Credit: 2600)

The 100 scheduled talks cover not only the expected computer hacking, but many other types of hacking too. Among the topics for computer techies are:

  • Crippling Crypto: The Debian OpenSSL Debacle
  • A fundamental flaw in virtualization
  • Malicious User Interface techniques
  • Intrusion Detection and Honeypots for the Home User
  • Hacking with Microcontrollers
  • Hacking the Business Traveler
  • Identification Card Security
  • Reverse Engineering Proprietary Algorithms
  • Hacking the TI MSP430
  • IPv6, the Next Generation
  • Penetration Testing with Firefox
  • Penetration Testing Using LiveCDs
  • PGP vs. PKI
  • RFID (a talk and a large demo)
  • Malware with Adobe's Flash
  • VoIP (in)security
  • VLAN Layer 2 Attacks
  • XSS Vectored Man-in-the-Middle Attacks

The non-computer hacking topics include:

  • Biohacking - An Overview (about modifying DNA)
  • Brain Hacking
  • Consumer Electronics Hacking
  • Hacking the Media
  • Hacking Sex
  • Hacking the Price of Food
  • Food Hacking
  • Hacking the Post Office

Anyone interested in security in the real world has a lot to choose from, including:

  • Escaping High Security Handcuffs
  • Design Defects in High Security Locks
  • Methods of Copying High Security Keys
  • Maintaining a Locksporting Organization
  • Safecracking
  • Ask a Spy a Question
  • Strengths and Weaknesses of Physical Access Control Systems
  • Bug Detection (not programming errors, surveillance bugs)
... Read more

June 27, 2008 5:12 PM PDT

This story starts out like so many others, but then takes a twist.

On Monday, Adobe released a patch that fixed a critical bug in their Adobe Acrobat Reader program. This was reported at CNET by Robert Vamosi, at ZDNet by Ryan Naraine, at the Washington Post by Brian Krebs and elsewhere. When I ran the Adobe Reader on a couple machines, I was duly reminded by a yellow tooltip window that a bug fix was available. On each machine the patch installed just fine. Ho hum.


The twist came about when I went to verify that the patch had been installed. I had started with the latest version of the Adobe Reader, 8.1.2. After installing the patch, I still had version 8.1.2.

You would be excused at this point if you thought this posting was about how or why the patch hadn't been correctly installed. But no, it had installed fine. Pretty surprising behavior, especially since the Adobe Reader may be the most widely installed software on the planet.

So, how can you tell if you have the buggy or the patched version of version 8.1.2?

Of course, if you're online, you can always check for updates. But, update applications are far from foolproof. Just today, Adobe's updater warned me that it couldn't check for updates to itself.

Windows

Security firm Secunia issued an advisory about this bug on June 24. Yet, four days later, its usually excellent ... Read more


June 25, 2008 2:04 PM PDT

Last night and this morning I couldn't get to my personal website. Other websites and email worked just fine. The website itself wasn't broken ("down" is the official nerd term), the Internet was.

A great service for pinpointing a problem like this is available at siteuptime.com. Their free Quick Check (shown below) can be used to test the availability of a website from New York, Chicago, San Francisco and/or London. The HTTP (website protocol) tests of my site showed that it was fine when accessed from all four cities.


As a politician referred to it, the "tube" between New York (where I was) and Florida (where the site resides) had sprung a leak.

The path traveled between any two computers on the Internet can be long and convoluted. Amazingly so. Fortunately, the underlying transmission protocols (TCP/IP) include a debugging command for just this type of routing problem. On Windows it is called "tracert", on Linux it is called "traceroute". I'm not a Mac person, but, according to this Apple KB item, it's also called "traceroute" on OSX where it is part of the Network Utility.

Traceroute shows every router between you and another computer on the Internet. It also shows the time it took for data to get to these intermediate routers, but that's usually not an issue. Below is an edited sample of a Windows XP traceroute between my New York computer and CNET.

C:\Documents and Settings\userid>tracert cnet.... Read more
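As an added example (not part of the original post or of the tracert output it shows), here is a small Python parser for Windows tracert output that reports the last router that answered before the path went dead, which is exactly the "leak" the post describes. The sample traces are constructed and use placeholder addresses from the documentation ranges.

```python
"""Parse Windows tracert output and report where the path stops responding."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One hop line: hop number, three round-trip fields ("*", "<1 ms" or "N ms"),
# then the router (hostname [ip], bare ip, or "Request timed out.").
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(\*|<?\d+ ms)\s+(\*|<?\d+ ms)\s+(\*|<?\d+ ms)\s+(.*?)\s*$"
)


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # None where a probe got no reply ("*")
    router: str

    @property
    def responded(self) -> bool:
        return any(r is not None for r in self.rtts_ms)


def _rtt(field: str) -> Optional[int]:
    """'*' -> None; '<1 ms' and '12 ms' -> their integer millisecond value."""
    if field == "*":
        return None
    return int(re.search(r"\d+", field).group())


def parse_tracert(text: str) -> List[Hop]:
    """Return one Hop per hop line; header and trailer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), [_rtt(f) for f in m.group(2, 3, 4)], m.group(5)))
    return hops


def diagnose(text: str) -> str:
    """Say whether the destination was reached and, if not, where the path died.

    A single silent hop in the middle of a trace is normal (many routers drop
    probes), so only the last hop that answered at all is treated as the edge.
    """
    hops = parse_tracert(text)
    if not hops:
        return "no hops parsed"
    if "Trace complete." in text:  # Windows prints this once the target replies
        return f"destination reached after {hops[-1].number} hops"
    responders = [h for h in hops if h.responded]
    if not responders:
        return "no hop responded: first-hop/gateway problem"
    last = responders[-1]
    return (f"path breaks after hop {last.number} ({last.router}); "
            f"no reply from hops {last.number + 1}-{hops[-1].number}")


# Constructed sample: the trace dies after the fourth router.
SAMPLE_BROKEN = """Tracing route to www.example.com [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    14 ms    13 ms    15 ms  198.51.100.7
  4    25 ms    24 ms    26 ms  203.0.113.9
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
"""

# Constructed sample: hop 3 is silent but the destination still answers.
SAMPLE_OK = """Tracing route to www.example.com [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  203.0.113.9
  5    30 ms    31 ms    30 ms  www.example.com [192.0.2.10]

Trace complete.
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_BROKEN))
    print(diagnose(SAMPLE_OK))
```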


June 23, 2008 10:04 PM PDT

I happened upon a computer today that hadn't been used in a couple years and was running Firefox version 1.0.6. That version still had a single X on the far right side for closing tabs. It wasn't until later that each tab got its own little X.

Clicking on "Help -> Check For Updates" told me that the latest version was 1.0.12. Nothing about version 1.5, 2, or the just-released 3. Likewise, when Firefox 2 users check for updates, they are only told about the latest go-round for version 2, nothing about version 3.

In general, the way Firefox self-updates is very well done. This is borne out in the stats below, an excerpt from a website activity report showing, for this month, how many hits the site experienced from people using Firefox version 2.x. As you can see, the vast majority of Firefox 2 users are using the latest edition, 2.0.0.14.


Is the failure to look up the version ladder a bug or a conscious design decision? Either way, there are, no doubt, computer users that never got the memo, people still running Firefox version 1.0.12 or 1.5.x, thinking they have the latest and greatest.

Self-updating Firefox from version 2 to version 3 now would be a mistake. While a new version is new, the decision to upgrade should not be automated. However, at some point Mozilla will stop maintaining version 2, a condition ... Read more


June 23, 2008 11:56 AM PDT

Unlike many people, my usage of Firefox 3 has been restricted to test and virtual machines. Thus, I may have stumbled across a bug that goes unnoticed on more actively used systems. There seems to be a problem installing the Flash and Java plugins, at least on Windows machines.

Firefox 3 obviously works fine with both Flash and Java, assuming they are already installed. But, if you try to view a web page that requires either plugin, clicking the "Install Missing Plugins" button (shown below) doesn't work, at least on four Windows machines that I tested.


On a Vista machine, Firefox never found the missing plugins, either Flash or Java. It just kept searching and searching. On Windows XP, both plugins were "not available" (see below). I tried this on XP Home and Professional and with both a normally installed copy of Firefox 3 and with the portable version. I even tried this on Windows 2000 and got the same results as with XP. None of these Windows machines had any anti-malware software installed.



It's not all bad news. Every time I manually installed the Flash and Java plugins things went fine.

To test this yourself with Java, you can use the version page at my JavaTester.org site. To test Flash, try the Adobe Flash tester page. You can double check that neither plugin is installed by entering "about:plugins" in the address bar, without the quotes.

A search of the Firefox tech support website and forum ... Read more




June 21, 2008 9:14 PM PDT

My last two postings were about making secure HTTPS web pages more obvious in Firefox 3 by adding back the colored address bar from version 2. There is yet another visual trick available with Firefox 3 that also makes secure web pages harder to miss.

As noted earlier, the new site identification button, which used to be merely a favorite icon, now turns blue on most HTTPS pages and turns dark green (see below) on those that offer extended proof of their identity (such as jr.com and paypal.com).

Firefox 3: site identification button with extended validation

The dark green site id button includes the strongly verified website name and is thus much wider and more obvious. In contrast, the blue site id button shown below is easily missed.

Firefox 3: normal blue site id button

With a little configuring, we can get the blue site id button to also include the website name. While domain names displayed in blue are not as well verified, the point is to get the extra visual clue that the page is encrypted.

This comes from a comment to this article by Johnathan Nightingale, who works on security at Mozilla.

"I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites."

To do this, first enter "about:config" in the address bar (


... Read more


June 20, 2008 7:48 PM PDT

My last posting was about how Firefox 3 no longer changes the color of the address bar to indicate encrypted Web pages. It was a feature I liked in version 2, and I explained how to restore the yellow address bar in Firefox 3 for Windows.

However, I never got the concept behind yellow. To me, yellow means "warning" rather than "good" and Web pages displayed using the HTTPS protocol are good things, not something anyone needs to be warned about.

Green means good. Firefox 3 uses dark green for the new site identification button. IE7 uses a light green address bar (see below) when the phishing filter is enabled and you're looking at a Web page with an Extended Validation certificate (IE7 doesn't color the address bar for normally encrypted Web pages).


So, if you're going to force Firefox 3 to color the address bar for encrypted HTTPS pages, why not use green?

Follow the instructions from my previous posting, but insert the below into the userChrome.css file. The only difference is the background color; this specifies the same light green that IE7 uses.

#urlbar[level] .autocomplete-textbox-container
{ background-color: #D0F2C4 !important; }

Here are three screen shots from Firefox 3 of the same page, the NewEgg user log-on page. This is a normal, secure HTTPS page; it does not use extended validation. Choose the behavior you prefer.

The default behavior in Firefox 3--a white address bar


Firefox 3 with the yellow address bar (color borrowed from version




... Read more

June 20, 2008 3:50 PM PDT

One of the first things I noticed using Firefox 3 was that the address bar for HTTPS (encrypted) pages was no longer yellow. As the old joke goes, it's not a bug, it's a feature. That is, the decision was made for the address bar in Firefox 3 to always be white.

I thought the yellow address bar, advertising encrypted pages, was a great Firefox feature. It was in addition to the classic lock icon that also indicates encrypted pages. The problem with the lock was that it moved around from the bottom right corner to the bottom left corner to the top right corner of the screen depending on the browser being used. Also, it's small and easily overlooked. There was no overlooking the yellow address bar.

In Firefox 3, the visual indicator of encrypted pages is the icon just to the left of the Web page address.


This used to simply indicate the site you were on, nothing more. Webmasters know it as the favorite icon or favicon. In Firefox 3, it was upgraded from an icon to a button with new features, functions and a new name: it's now called the Site Identification button (also known as the "site favicon" and the "site identity button").

In the screenshot above, the gray button color indicates the page is not encrypted. In the screenshot below, the blue button color indicates that the page is encrypted.


The top-of-the-line color though is green (see below), which indicates ... Read more



June 19, 2008 2:31 PM PDT

In the first posting on this blog I said it would be a game-free zone. Despite this, I recommend reading The truth about last year's Xbox 360 recall by Paul Thurrott. The story is as much about Microsoft and hubris as it is about the Xbox 360.

You may recall that Microsoft had to replace many Xbox 360s that suffered from a "Red Ring of Death" and even went so far as to extend the warranty to three years. Microsoft never offered specifics on the problem and now we know why, it was embarrassing.

Anyone can call the Xbox 360 "... a hunk of unreliable junk that was foisted on us by people who are more concerned with their own image than with reality." But, it means more, when coming from a pro-Microsoft person, such as Mr. Thurrott.

FYI: The article refers to an "ASIC" which is an Application Specific Integrated Circuit. In the context of the article it refers to the graphics processor.

See a summary of all my Defensive Computing postings.

June 17, 2008 8:53 AM PDT

I love Firefox. Usually it goes hand-in-hand with Defensive Computing, as Firefox is more secure than Internet Explorer. But not today, not with the release of version 3 of Firefox.

Don't install Firefox version 3. Not today, not for a while.

Like all new software, Firefox 3 is best kept at arm's length. Version 3 was a long time coming and, no doubt, features lots of new code. At the risk of repeating myself, all new software contains bugs and design flaws. Let the rest of the world debug it for you.

This is not to pick on Firefox or Mozilla. Recently in this blog, I suggested waiting on Windows XP SP3, which turned out, in retrospect, to be the right thing to do. I also suggested holding off on Vista and Leopard when they were new. How long to wait is a matter of opinion. However, waiting rather than rushing is always the right defensive approach.

And, when the time comes to try Firefox version 3, go with the portable version available at portableapps.com. It can happily co-exist with a normally installed copy of Firefox. The only limitation I've found is that if the normally installed copy of Firefox is running, the portable version won't run (see below).

Finally, another repeat suggestion. Windows XP users should run all their web browsers under the free DropMyRights program. I wrote three postings about this last August. See Every Windows XP user should drop their rights.

Update June ... Read more

June 12, 2008 9:23 PM PDT

Just as patients have to trust their doctors, non-techies have to trust the advice they get from techies. My last posting was about an article in a newspaper that offered, what I felt, was questionable advice on setting up a WiFi wireless network. The July issue of PC Magazine recently arrived in my mailbox and it offers some advice on backing up your computer that is also, to me, questionable.

The article is called "Keep Your Data Safe" and doesn't seem to have been posted yet on pcmag.com.

One section of the article discusses external hard drives (page 72), an excellent medium for storing backup files. The sub-topic on "Multidrives" is what prompted this posting. The magazine defines products in this category as external hard drives that internally contain multiple hard disks (separate and distinct from Network Attached Storage).

RAID 0

One of the products is said to "...hold a pair of 1TB drives for a total of 2TB in a RAID 0 configuration or 1TB of RAID 1 storage." Another product "uses two 2.5 inch hard drives that are internally connected to get you 500GB of speedy RAID 0 storage."

The term "RAID 0" does not belong in an article about backing up files.

Any hard disk can and will fail. Storing files on a hard disk without backup is playing Russian roulette with your data. You probably knew that. Storing files on a RAID 0 device is playing Russian roulette with two or three bullets ... Read more

June 9, 2008 1:18 PM PDT

I have, in the past, been critical of computer articles in the newspapers I regularly read, the Wall Street Journal and the New York Times. Often I've warned that you don't read PC Magazine for mutual fund advice and you shouldn't read the Wall Street Journal for computer advice. Yet, the reporters at these newspapers are significantly more technically qualified than those at the Orlando Sentinel.

Today, I'm in south Florida, where the Sun Sentinel is the local paper. They reprinted an article by Etan Horowitz (no relation), Set up a home wireless network, that originally appeared last month in the Orlando Sentinel.

The article contains a number of technical inaccuracies, which I'll discuss below, as well as some important omissions. The hardest part of technology may very well be learning what advice to trust.

(Credit: Belkin)

The article says "Most new laptop and desktop computers have built-in wireless networking..." New desktop computers with built-in wireless networking? Not the ones I've seen.

It warns that "...if you are using an old computer you may have to buy a wireless network adapter." True enough, but they come in multiple form factors (PC card, Express card, PCI and USB) an important point that is not mentioned.

It says that "..a printer may ... require a wireless networking adapter."

Networking a printer that does not do networking on its own, requires a print server. As far as I know, there is no such thing as a wireless networking adapter for ... Read more

June 6, 2008 8:55 PM PDT

I'm writing this posting on a laptop computer that is, literally, in my lap. As I type, the poor machine gets bounced around which is not at all good for the hard disk. I'm tempting fate, perhaps the computer equivalent of driving without a seat belt.

I would be much better off if the computer had a Solid State Hard Disk (SSD) rather than the traditional hard disk with rotating platters. Hard disks are amazing feats of technology, but they are moving mechanical devices and nothing good comes from bouncing them around, be it on your lap or carrying a notebook computer around the room while it's running.

No doubt more and more laptop computers will move away from traditional, rotating-platter hard disks to Solid State Hard Disks because, in many ways, SSDs are better.

Because SSDs use flash RAM to store data, there is no risk of mechanical failure. And, even though hard disks spin pretty fast, compared to the other internal components they are serious slowpokes. As a rule of thumb, SSDs are faster than traditional hard disks, but more on this below.

More power is needed to make hard disk platters rotate than is needed to power the flash RAM in SSDs. Thus, laptop users can get more run-time from the same sized battery. Or, a computer with an SSD can be smaller and lighter because the same run-time can be had with a physically smaller battery.

Rotating hard disks generate heat, ... Read more

June 3, 2008 10:05 AM PDT

My last couple postings were about a bug fix for Windows that I think is best avoided. Dealing with this particular fix raised the issue, for me, of how best to deal with installing all patches, from a Defensive Computing standpoint.

I spent 10 years in the mainframe world administering DB2 databases. The conundrum with installing patches is the same on mainframes as with PCs. Should you install every bug fix as soon as it's released or should you hold back a bit? And, if you do hold back, for how long?

The problem, in both environments, with installing bug fixes ASAP is that some will inevitably cause more problems than they fix. And when they do cause a problem, it may be a biggie, because a work-around could be days away. The problem with holding back, again in both environments, is how long to wait until you are reasonably sure that a patch won't break something accidentally. Do you install bug fixes a week after they were released? A month? Two months?

Mainframers have some advantage over Windows users when it comes to installing patches.*

For one, they can opt to not install patches until they "ripen" (my term). Assuming, for example, that patches are released monthly, a mainframe administrator can, if they want, install March patches in May and April patches in June. Windows/Microsoft update has no such date-oriented feature.

Another advantage is that mainframe patches are usually overseen by someone expert in the ... Read more

June 2, 2008 10:19 AM PDT

As I wrote a couple days ago, Microsoft released a new bug fix, KB932823, on May 28th which seemed suspicious for a number of reasons.

For one thing, the patch was released at the end of the month instead of Patch Tuesday. It turns out, according to a company spokesperson, that Microsoft releases patches twice a month, not just once a month. "While we release security updates on the 2nd Tuesday of the month, non-security updates are usually released either the 2nd or 4th Tuesday of the month." Who knew?

Since KB932823 is not a security related patch (terminology: "updates" means "patch" which in turn means "bug fix"), it doesn't show up in the list of latest security patches. The Microsoft spokesperson was unable to find a web page that explains or documents the fourth Tuesday bug fix schedule.

Still, this particular bug doesn't strike me as high priority, so I wouldn't install the patch. As I wrote previously, there are two workarounds, and according to Microsoft, the problem only "occurs if the Japanese Input Method Editor (IME) is the default keyboard layout."

The Microsoft spokesperson added that the problem only occurs on multi-core machines. So why was my English-only copy of XP running on a single-core processor offered this patch? Doesn't inspire confidence.

In addition, the problem also occurs on Windows Server 2003 where it is considered a "hotfix" rather than a critical bug. A hotfix is a bug fix that not only doesn't ... Read more

May 31, 2008 2:16 PM PDT

For some reason I felt the need today to run Microsoft Update (big brother to Windows Update) on my Windows XP computer. No particular reason, just felt it in my bones, even though I had run it recently after installing the Word viewer. Sure enough, it found a missing bug fix. It thinks the bug fix is critical; me, I'm not so sure.

Anyone who runs Windows Update manually, as I do, knows not to trust it all that much. It has, for example, found missing patches for software that was not installed. In April, I blogged about how Windows Update installed software with known bugs, converting a secure computer into an exploitable one.


This particular bug (a.k.a. KB932823) doesn't seem at all critical. The sole extent of the problem (see You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP) is that Internet Explorer 7 may not download a file when requested to do so. Here is the problem symptom, as described by Microsoft:

"You may be unable to use Windows Internet Explorer 7 to download files on a computer that is running Windows Server 2003 or Windows XP. For example, after you click Save in the File Download dialog box, the file is not downloaded."

In other words, it's not a security related thing at all.

And, there are two workarounds. One, provided by Microsoft in the problem ... Read more


May 30, 2008 10:32 AM PDT

Old versions of Adobe Flash Player, perhaps the most widely used software in the world, contain known bugs that are being actively exploited online. If you are using any version of Flash Player, other than the latest, you should update to version 9.0.124.0 as soon as possible.

Early reports from Symantec said the bug being exploited was a new one. Turns out this is not the case. On Thursday, Adobe said

"Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."

You can see which version of Flash Player is being used by your Web browser at the Adobe Flash tester page. You need to check every Web browser installed on your computer.

For instructions on updating Flash Player, see Time to update the Flash Player. Here's how. If you use the portable version of Firefox, see Portable Firefox and the Flash Player for instructions on updating Flash Player.

See a summary of all my Defensive Computing postings.

  • About Defensive Computing

  • Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

    He is a member of the CNET Blog Network and is not an employee of CNET.
