
I told you so

About some recent defensive computing suggestions

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


Yesterday was Patch Tuesday, and a bug fix released by Microsoft caused a problem for ZoneAlarm firewall users: they could no longer get online. Oops. Unless, that is, they followed the advice offered earlier on this blog, which is to wait until Thursday or Friday before installing the patches Microsoft releases on Tuesday. This is exactly the sort of situation for which that advice was intended.

On July 2nd, I wrote about Flagfox, a Firefox extension that displays a small flag in the corner of the browser window. Three days later I expanded on this, saying that Flagfox can perform a very important service: displaying the IP address of a website. For financial institutions, or anywhere you do sensitive transactions, this is very important. There are many ways that malicious software can fake things out such that, even when you use a browser bookmark/favorite and see the name of your financial institution in the address bar, you can nonetheless be at a phony, scam copy of the website, one designed to steal your password. Typically this is the result of an attack on DNS, a system that I described back in December when I suggested using OpenDNS.

Yesterday, it came to light that there is a huge bug in DNS. Massive repercussions. But not for Flagfox users. They can see the IP address of their bank website and verify it. If, for example, a bank website is supposed to be at IP address 1.2.3.4 and a DNS poisoning attack results in your ending up at 5.6.7.8, Flagfox users won't be faked out. Of course, the banks have to publicly verify their IP addresses and so far only Bank of America has done so. Chase outright refused to say anything. I'm still working on this.
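The same comparison can be scripted instead of read off the browser window. The sketch below is an added example, not code from this post or from Flagfox; the host name `bank.example`, the function names and the published address list are assumptions, and 1.2.3.4 / 5.6.7.8 are the placeholder addresses used above.

```python
import ipaddress
import socket


def resolve(hostname):
    """Ask the local resolver (the thing a DNS attack corrupts) for addresses."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_published(hostname, published, resolver=resolve):
    """Compare what DNS returns with what the institution has published.

    published: addresses or CIDR ranges (strings) obtained out of band.
    Returns (ok, unexpected); unexpected lists every resolved address that
    falls outside all published ranges. An empty answer is treated as a
    failure, never as a match.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in published]
    resolved = {ipaddress.ip_address(a) for a in resolver(hostname)}
    if not resolved:
        return False, []
    unexpected = sorted(
        str(addr) for addr in resolved
        if not any(addr in net for net in networks)  # v4/v6 mismatch is False
    )
    return not unexpected, unexpected


if __name__ == "__main__":
    # Constructed data: a poisoned resolver answering with the wrong address.
    published = ["1.2.3.4"]
    poisoned = lambda host: {"5.6.7.8"}
    ok, unexpected = check_published("bank.example", published, poisoned)
    print("match" if ok else f"MISMATCH, do not log in: {unexpected}")
```

A single unexpected address fails the whole check, because a poisoned answer can mix legitimate and rogue records.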

On June 11th Brian Krebs at WashingtonPost.com wrote about a version of the "Zlob" Trojan that tries to zap the DNS settings on your router (a totally different type of DNS attack). But, anyone who took my March posting, Defending your router, and your identity, with a password change to heart, had already changed their router password and was immune to this attack.

On July 6th I discussed Still more reasons to avoid Internet Explorer. The very next day, we learned of another security problem with IE, this one having to do with an ActiveX control related to Microsoft Access. By my count, this brings the number of known bugs in Internet Explorer without fixes to six. I read my fair share of articles on this latest IE bug; none said anything about a Microsoft commitment to fix it, despite the fact that bad guys are currently exploiting it. In fact, Elinor Mills said Microsoft "may" provide a fix in the future. It must be nice to be a monopoly.

Back in April, when Windows XP Service Pack 3 was released, I advised against installing it at a time when others said it was a good thing. In retrospect, the problems it caused far outweighed the trivial benefits it offers. I still haven't installed it and don't plan on doing so in the immediate future. Neither should you.

Watch this space for more Defensive Computing and, if you missed it, let me suggest reading The pillars of Defensive Computing.

See a summary of all my Defensive Computing postings.