# Thursday, February 12, 2009

In the latest edition of the Microsoft Security Newsletter there was a link to a series of articles in CIO magazine that discuss a series of claims from Firefox that it is the safest browser, and the analysis of those claims by Jeff Jones, a director of security strategy at Microsoft. I went back and read the first 2 articles and some of the surrounding discussion. While I don’t consider myself qualified to critique the bug reporting methodologies or to know which browser is more secure, overall I think that security should not be a marketing feature but something that every company tries its best to provide to us as consumers. It is hard, and I know I have made stupid mistakes in the past, so I am in no position to throw stones at anyone else.

One thing that caught my attention was the comments on the articles. There was definitely a lot of passion from supporters of both browsers. Some of it might be attributable to “fan boys” but I think it goes deeper. With so much of our lives moving online the browser becomes the platform we use to interact with the world. As long as 10 years ago I can remember having discussions about whether Microsoft would be selling an operating system in 2 years. Certainly if everything moves into a browser the OS will become irrelevant to a large extent. I don’t see that happening any time soon since there are still many user experience reasons (like shortcut keys and the ability to keep client state) where “fat client” applications are easier to use. These problems are not easy to solve so I don’t expect to see a fix soon. However, I can certainly see where people are passionate about their computing platform because it influences so much of what they can and can’t do easily and to a large extent their thinking of how to write programs and interact with the online world.

Thursday, February 12, 2009 4:50:00 AM (Mountain Standard Time, UTC-07:00)
# Thursday, December 18, 2008

Last night Microsoft Update prompted me to install an update. I thought it was the updated definition files for Windows Defender and told it to go ahead. A little while later I was being prompted to restart my machine. I thought “What in the world? I haven’t ever had to reboot after a Defender definition update.” After the reboot I looked and saw that it was a patch to IE. I realized it was out of band and therefore probably very important. Today I have had several e-mails that look like the one below. Microsoft seems to want us to patch our machines.

Download urgent security update for Internet Explorer

Today Microsoft released an urgent security update for Windows Internet Explorer. Because the flaw may expose computers to remote code execution, the severity rating for this security update is critical.
From the moment we learned of the issue, Microsoft has been working around the clock to respond to this situation and provide a security update that helps protect our customers.
If you have turned on Automatic Updates, your computer will install the security update automatically. If you don't use Automatic Updates, go to http://update.microsoft.com. This update might cause your computer to restart.
For more information on this update, see the bulletin summary. For more information on how to protect your PC, visit the Microsoft Security At Home site.

Thursday, December 18, 2008 3:19:00 PM (Mountain Standard Time, UTC-07:00)
# Saturday, December 06, 2008

It hasn't really been a secret that Microsoft was going to change http://home.live.com to be more of a social network. There were more than just the two articles I reference below.

Sweeping Changes At Live.com: It’s A Social Network!

 http://windowslive.com/ComingSoon?ocid=EML_PROED_HM_Acq_WL_getbetter_112008

Now that I have had a chance to see it for myself and to be invited to some of my friends' networks, I am not really sure how I feel about it. I like the look and feel, but when I started digging into the settings for my profile I saw that the default was that everyone could see my network. I understand that social networks are built on sharing and for that reason I don't know that I have a problem with the default, but it would have been nice to have been told that.

Another issue is that a lot of the invitations to join a network are coming with just the first name of the person. I understand this is also a setting in the profile but it is a little annoying to have to go and look to see which John or Andrew is inviting me to their network. I did find that if I go into my profile I can see the invitations and there it had the full name of the people who had invited me.

I already maintain contacts on Plaxo, LinkedIn, and Facebook besides my e-mail contacts so I am not sure how many other web sites I want to use for social networking but I will give live.com a try if for no other reason than I am always checking my hotmail accounts and it isn't that much more work to add in people to my network.

Saturday, December 06, 2008 3:52:57 AM (Mountain Standard Time, UTC-07:00)
# Saturday, November 29, 2008

I know many of us are visiting friends and relatives for the Thanksgiving holiday and many more will be doing the same for Christmas. As the unofficial IT support person for my family there are several things that I try to do when I am with my family to make sure that they are protected.

1. Remove the useless programs on the computer. I spent some time yesterday removing all the trial and crippled versions of software from my parents' machine that they do not use. Some of the programs they didn't like, others they didn't understand, and some were installed by my nieces and nephews and they didn't want them any more. After freeing up some disk space I always defragment the hard drive.
2. Update the firewall and virus protection. I make sure the firewall is turned on and that they have good virus protection. On my parents' machine the free trial of the anti-virus software had expired, so I removed it and installed AVG Free from http://free.avg.com.
3. Run Microsoft Update. My parents rarely leave their computer on all night so the default time of 2 A.M. to install Windows Updates means that they don't all get installed in a timely manner. I make sure that I run through the update until there are no more high priority updates to any of their software.
4. Update other software. If Acrobat, Java, or other programs are reporting an update I will update them as well.
5. Prepare old machines for a better life. Well, I don't know that recycling is a better life but occasionally someone will have an old computer that they want to donate to charity or recycle. With the data on the hard drive being worth more than the machine itself I make sure that I clean off the hard drive. The tool I use for that is Darik's Boot and Nuke available at http://www.dban.org. It will erase the disk so bank accounts, tax returns, and other data that shouldn't be read by others is gone.

I am sure you have other tasks that you perform regularly. If you think I have missed something leave me a comment to let me know. I might just add it to my list of things to do next time I am visiting relatives.

Saturday, November 29, 2008 5:27:27 PM (Mountain Standard Time, UTC-07:00)
# Tuesday, August 26, 2008

I have been getting more phishing e-mail lately that points me to "bad" files on what would normally be "good" sites. Last week I got a message that pointed to index1.htm on a site. Index.htm was the valid home page and appeared to be the personal site for a young lady in Brazil. I couldn't read the page but it didn't look malicious. When I went to the index1.htm page it had a flash application that would tell me that I needed to download a new viewer to view a news article.

The message today pointed me to a web site for a doctor. The link went directly to a .exe file in the URL so I knew better than to click on it. The interesting thing about this message is that I supposedly got an e-card from "a friend". At the bottom of the message was a link to www.greetingcard.org which has a section for an "Email Scam Alert!" on the lower right of its home page. You would think that the phishers would not put in clues that their e-mail is bogus right in the e-mail. Then again, maybe I should be thankful that they are not better as it would be harder to figure out which e-mails are legitimate and which ones I can blog about.

Tuesday, August 26, 2008 7:02:39 PM (Mountain Standard Time, UTC-07:00)

I read the article at http://redtape.msnbc.com/2008/08/almost-everyone.html about the "Forgot your password" link to reset your password as being a possible attack vector. I think they discussed the security issue quite well and also pointed out that there are no reports that this method has been used widely to attack accounts. I know that in all the time that I have had a Hotmail account I have twice gotten e-mails about a password reset that I didn't initiate. The first time I ignored the e-mail until I got a reminder about 10 days later that it was about to expire, the second time I immediately clicked on the link stating I hadn't started the password reset. I also went and changed my password just in case someone had compromised my account.

The article has some good advice about not using obvious answers to the reset questions. I think this might be one case where my generation has a lot more latitude in choosing a non-obvious answer. While my birth date and mother's maiden name might be easy to find on the Internet, when I was a teenager there was no blogging so I would assume outside of the people that I went to school with and a few close family members nobody would know the name of my first girlfriend. It might be easy for a hacker to guess the answer to that question but hopefully it would take them a few tries and the back end systems would be alerted well before they guessed the correct answer.

Another tactic that I have used is to pick an "obvious" question but then give it a false answer. As was pointed out in a recent issue of the RISKS digest, they aren't validating the answer, just that you can type in the same value twice. I use the name of my pet as a question but rarely, if ever, use Max, which was the name of my dog; instead I make up other "names". The best are a semi-random set of numbers and letters that aren't even a name, so if someone is running a dictionary attack using the most common pet names, your answer will not be in the dictionary.

To help me not forget the password in the first place, or to remember the answer if I need to I can always look at my Password Minder file. The thing I like is it will automatically generate random passwords for me and has a notes area where I can write down my secret question and answer. The data (both passwords and comments) is encrypted on the disk so I feel pretty safe about it not being stolen from me.

Tuesday, August 26, 2008 2:16:01 PM (Mountain Standard Time, UTC-07:00)
# Friday, July 11, 2008

Yesterday I got an e-mail saying it was an open letter from United Airlines to its "best customers" about the high cost of fuel and how it is causing problems in the industry. The gist of the e-mail was that speculation on the cost of oil is what is driving up the cost of oil and that the government needs to regulate the market to save us all from high fuel prices. I was immediately suspicious because I have flown United Airlines but do not have enough miles to be awarded any status in their frequent flier program. The e-mail was "signed" by the executives of several airlines asking me to  I didn't click on the link for several reasons.

1. I was busy and didn't think I had the time.
2. The text on the link and the actual link didn't point to the same web site. The link goes through unitedoffers.com, which could be a web site by United Airlines, but I didn't want to spend the time to check it out.
3. As I already stated, I was a little suspicious of the "best customers" claims.
4. I generally don't click on links in unsolicited e-mail but instead prefer to go directly to the web site linked to.
5. The emotional nature of the subject. When I get an e-mail that gets me fired up and angry I always try to stop, calm down, and think a little before I do anything with it. This was drilled into me early on in my career by a VP of Software Engineering who would talk a lot about Career Shortening Moves.
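The check in item 2 (does the visible link text point where the href actually goes?) and the "link goes straight to a .exe" tell from the e-card message above can be automated. The following is an added example, not code from the original post; the sample e-mail body is constructed for the example, and the `unitedoffers.com` / `united.com` hosts are taken from the post while the doctor's site is a placeholder `.invalid` domain.

```python
"""Flag links in an HTML e-mail whose visible text names one site while the
href points at another, and links that go directly to an executable.

Added example with a constructed sample e-mail; not from the original post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should never be the direct target of a link in mail.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain, or None if the text is not
    URL-like at all (e.g. the words 'View your e-card')."""
    value = value.strip()
    if not value or " " in value:
        return None
    candidate = value if "://" in value else "http://" + value
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    if not host or "." not in host:
        return None
    return host.lower()


def _same_site(a, b):
    """Crude same-site test: the last two labels match
    (www.united.com and united.com count as the same site)."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def find_suspicious_links(html):
    """Return a list of (href, visible_text, reason) for links a reader
    should not trust.  Links whose text is not URL-like are only checked
    for executable targets, since there is no claimed destination to compare."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        try:
            path = urlparse(href).path.lower()
        except ValueError:
            findings.append((href, text, "unparseable link"))
            continue
        if path.endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, text, "link points directly at an executable"))
            continue
        shown, target = _host(text), _host(href)
        if shown and target and not _same_site(shown, target):
            findings.append((href, text, f"text shows {shown} but link goes to {target}"))
    return findings


# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """<html><body>
<p>An open letter to our best customers:</p>
<p><a href="http://unitedoffers.com/track?c=1234">http://www.united.com/openletter</a></p>
<p><a href="http://www.example-doctor.invalid/ecard.exe">View your e-card</a></p>
<p><a href="http://www.greetingcard.org">www.greetingcard.org</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The tracking redirect through `unitedoffers.com` is flagged because the displayed text names a different site, while the `greetingcard.org` link passes because text and target agree; whether a flagged redirect is legitimate (as the post later finds it may be) still needs a human to check.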

Later in the day yesterday I got my monthly notice from Delta Airlines about my frequent flier account. Since I fly with Delta and have a lot of frequent flier miles I was sure they would mention this open letter since they were one of the signers. They didn't so I was pretty sure it was a phishing e-mail. I went on my way smug in my assurance that I had done the right thing.

As I was watching the local news they ran a story about the open letter. The story was more about the rising cost of fuel for airlines and the number of layoffs each airline had announced for this year but they did mention the open letter. So then I got to thinking that maybe the letter was legitimate.

This morning I spent a few minutes looking around for the answer to the question on whether the e-mail is valid or not. Here is what I found out.

When I went to the TV station's web site I couldn't find the article in the list of most recent articles. I also tried their search on the site but it couldn't find the article either. That makes me wonder why other stories from last night are on the web site but not that one. [+1 for phishing e-mail]

I checked the United Airlines, Delta Airlines, and Delta Airlines blog sites but didn't see the open letter mentioned on any of them. [+3 for phishing e-mail]

Unitedoffers.com redirects back to the United Airlines web site. [+1 for legitimate e-mail]

I typed in the address of the link in the e-mail. The site looks like it is calling for reform of the oil speculation market. I haven't clicked on any other links. [+1 for legitimate e-mail]

Doing a Live search and a Google search for the web site brings up the web site, a lot of people asking in forums if this is a real site, and some descriptions like this one:
"Go to the web site and enter your zip code so your representatives can be identified. Next, enter some personal information and emails get sent to the peeps that made an oath to serve." [Neutral since I don't know what personal information they are collecting]

In the end analysis I decided that I wasn't curious enough to go to the web site and enter my personal information (or even get to the page where I could see what information they are asking for), so I may never know if this is a legitimate e-mail or not. If I start seeing it posted to the official web sites of the airlines that supposedly signed the document I will probably decide that it is legitimate and then see if I want to sign the petition. The other thing that I have decided to do is to give in to the emotion that I felt when I first read the e-mail and look up the e-mail addresses of my Senators and Representative and ask them if they have seen this and if there is anything that they can do.

Friday, July 11, 2008 9:20:59 AM (Mountain Standard Time, UTC-07:00)
# Tuesday, June 24, 2008

I am sure you have had a time in your life when it seems like everyone gives you advice. It might be graduation, marriage, the birth of a child, a change in jobs or something that prompts the people around you to offer advice. Most of the time you are forced to smile pleasantly, act like you are going to take the advice, and then wait until the giver of the advice is out of earshot to mumble to yourself about how you wish people would leave you alone. Occasionally you really need advice and go looking for it. One of those cases might be if you thought that your personal information had been stolen. You would expect that the government that had issued the identity claims would have the best advice on how to fix the problem.

I read an article about the web page at http://www.hmrc.gov.uk/manuals/nimmanual/NIM39140.htm that will tell people in the UK how to handle the case where their National Insurance Number has been abused. (The original article likened the National Insurance Number to the US Social Security Number, but whether they are similar or not isn't really important here, just that someone thought you should have a way to report/fix fraud of the National Insurance Number.) The web page has a title that boldly proclaims:

NIM39140 - National Insurance Numbers (NINOs): Format and Security: What to do if you suspect or discover fraud

You can see from the formatting that there are several paragraphs and bullet points that should give you the information that you need. However each and every paragraph and bullet point is replaced by the text:

(This text has been withheld because of exemptions in the Freedom of Information Act 2000)

This leaves you wondering what you should do if you suspect or discover fraud. I haven't looked around to see if there is any information on another web site or if you are just stuck going back to the people who always give you advice and asking for some. This time, however, you will need to listen closely and follow their advice.

Tuesday, June 24, 2008 9:23:13 AM (Mountain Standard Time, UTC-07:00)
# Monday, May 19, 2008

I got this from an issue of the RISKS digest. The real problem is that we don't know what OS is used when we purchase a certificate. It might be a good idea to contact the vendors you have purchased certificates from and make sure that you are not affected by this.

DSA-1571-1 openssl -- predictable random number generator
Date Reported: 13 May 2008
Affected Packages: openssl

Vulnerable: Yes

Security database references: In Mitre's CVE dictionary: CVE-2008-0166.

More information:

Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other operating systems which are not based on Debian. However, other systems can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation. ...

http://www.debian.org/security/2008/dsa-1571

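The last paragraph of the advisory is the part worth understanding: a DSA key is only as safe as the per-signature random value k, so a key that was merely *used* for signing on a box with the broken generator has to be treated as compromised even if it was created elsewhere. The toy DSA below is an added example (not the advisory's or the post's code) with deliberately tiny, insecure parameters (p=23, q=11, g=4) and a constructed stand-in for the hash so the arithmetic can be followed by hand. It shows that a generator which hands out the same k twice produces signatures that still verify perfectly but share the same r, and gives an audit routine that flags any key with a repeated r; such a key must be revoked and regenerated, which is what the advisory instructs.

```python
"""Toy DSA showing why the advisory treats every DSA key used on an affected
system as compromised: the nonce k must be secret and unpredictable.  A reused
k is visible to an auditor as a repeated r under the same public key.

Added example with tiny, insecure parameters; not from the advisory or post.
"""
# Toy domain parameters: q divides p-1 and g has order q mod p.  Real DSA uses
# 2048/3072-bit p and 224/256-bit q; these values are only for a worked example.
P, Q, G = 23, 11, 4


def toy_hash(message: bytes) -> int:
    """Constructed stand-in for the message hash reduced mod q (not SHA-1/2)."""
    return sum(message) % Q


def keygen(x: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    assert 1 <= x < Q
    return x, pow(G, x, P)


def sign(message: bytes, x: int, k: int):
    """DSA signature (r, s) for the given nonce k.  k is a parameter here only so
    the example can show what a broken RNG does; a real implementation must draw
    a fresh k from a cryptographic RNG for every signature."""
    assert 1 <= k < Q
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (toy_hash(message) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def verify(message: bytes, sig, y: int) -> bool:
    """Standard DSA verification: recompute r from (s, y) and compare."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (toy_hash(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def find_reused_nonces(records):
    """records: iterable of (public_key, message, (r, s)).

    Returns {(public_key, r): [messages]} for every key that produced the same r
    more than once, i.e. signed twice with the same k.  Treat such a key as
    compromised and replace it."""
    seen = {}
    for y, message, (r, _s) in records:
        seen.setdefault((y, r), []).append(message)
    return {key: msgs for key, msgs in seen.items() if len(msgs) > 1}


def demo():
    """Sign twice with a 'random' generator that always returns 3 (constructed
    stand-in for a predictable RNG), then once with a different nonce."""
    x, y = keygen(7)
    broken_rng = lambda: 3
    records = [
        (y, b"pay 10", sign(b"pay 10", x, broken_rng())),
        (y, b"pay 20", sign(b"pay 20", x, broken_rng())),
        (y, b"pay 30", sign(b"pay 30", x, 5)),   # constructed "fresh" nonce
    ]
    # Every signature verifies: the weakness is invisible to normal verification.
    assert all(verify(m, sig, y) for _, m, sig in records)
    return find_reused_nonces(records)


if __name__ == "__main__":
    print(demo())   # {(8, 7): [b'pay 10', b'pay 20']}
```

The audit only catches exact repeats; a generator with a few bits of entropy, like the one in the advisory, would also make k guessable without any visible repeat, which is why the advisory's remedy is to regenerate rather than to scan.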

Monday, May 19, 2008 10:31:37 AM (Mountain Standard Time, UTC-07:00)