Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
I planted the new flowers yesterday morning. Just looked out there now, and they are still alive. A good sign, I'd guess.
The grandkids came over in the afternoon, so I got out the wading pool. That was fun, along with the trip to the neighborhood park.
The usual stuff today. Don't see anything exciting while surfing around the 'net. I have been working on a checklist for safe home computing. It should be ready in a few days.
In the meantime, make sure that you install the latest Windows update. This one fixes the problem with the 'download.ject' attack of late last month. More details about the attack in my report here.
I usually do these things on my laptop, which sits on my lap. (Imagine that!) But it gets quite warm. I still haven't found a reasonably-priced laptop tray. Any recommendations?
Here's a couple of interesting items. Were you lucky enough to get an email from the John Kerry campaign asking for donations? No, not the first one, but the second one:
Phishing has moved into the political arena: http://www.msnbc.msn.com/id/5581739/
"In a world awash in fake e-mails designed to steal personal information, it was probably inevitable. This weekend, researchers discovered a near perfect imitation of a recent solicitation sent by the Kerry-Edwards campaign. The notice was a hoax, sending users off to a Web site controlled by a computer hacker. ....
"The Web site designed to collect the stolen information was disabled on Sunday. And a clever tactic employed by the Kerry campaign's Webmaster also foiled the e-mail -- effectively hacking the hacker.
"The original version of the fake e-mail referenced a genuine image of Cam Kerry that was hosted on the legitimate campaign Web site. Over the weekend, that image was replaced by a statement from the Kerry campaign indicating the e-mail was a fraud. Because the fake e-mail used the Kerry campaign site as the source for its image, when users called up the e-mail, instead of Cam Kerry's face, they saw a notice saying "Do not donate using any link in this e-mail."
Perhaps an example of a new game: "Phish and Counter-Phish".
We've mentioned it here before, but a good site for phishing information is the Anti-Phishing Organization. Lots of examples, some of them quite clever. And take the Phishing Test, to see if your score is better than mine.
Brian C., my unofficial editor, noticed that some of the links on these pages have pointed in the wrong direction. Turns out they've been wrong for a couple of weeks, pointing to an article at "Wired" magazine. Which is not surprising, since when the new week rolls around, I just make a copy of the last week's file, then remove the content, and adjust the links. And that's how I keep a consistent look here.
So, I spent some time tonight checking the links. I think I got them all. Hopefully.
Last night, we watched "Hidalgo". Good flick, but when it was done I was too tired to think of any words of wisdom, not to mention write them. Got home late tonight. After work, we met Christine and family at one of the local Best Buy's, where Jared picked out a new 36" TV, along with a DVD/VCR combo, and a home theatre receiver. (They got an unexpected check to pay for it.) Since they have a van, and I have a small truck, I got to schlep it to his house. We got it all set up, and it looks a lot nicer (and bigger) than his old 19".
Brian also reported that he got a 9 of 10 on the phishing test. Some of them are a bit sneaky. If you've tried it out, use the mailbox icon up (or down) there to let me know your score.
Unless the link points to that "Wired" magazine article.
Security warnings up front:
Let's start with the "Brador" virus, which is meant for your Pocket PC PDA (or Pocket PC Phone). It arrives via an email attachment. When executed, it installs a back door on your PDA on a port that anyone could use. The back door will allow file transfer (read or write), or command execution. It's fairly new, but reported to be in the "wild". Details here.
The implication is significant, as expressed by the folks at the Internet Storm Center:
"The PDA, though, could prove to be the perfect soft target. They're usually highly insecure by default, and are allowed to waltz right past the firewall and join the network, no questions asked. Add innate wireless capabilities, often via 802.11b, Bluetooth, and infrared, and a little-known autorun "feature" (highlighted at last week's Black Hat and DefCon security conferences) and you've got an easily owned vector for $CODE_OF_YOUR_CHOICE."
More of these are inevitable.
Moving on to the next item, we all know about 'phishing' on IE, and how to fool you with a link that is not what it seems. (In fact, I've got a demonstration of it here, although it won't work if your patches are installed.) There is a similar problem with the Opera browser. If exploited, it can allow the attacker read access to files on your computer, just by you visiting a web page. It's a JavaScript exploit, but a bit hard to do. It appears that the vulnerability has been around for a while, and only partially fixed. Not sure if there is a new update for Opera, but if you are using it, you should keep your eyes open.
On the prevention front, I found a good writeup of the changes in XP's Service Patch 2 (XP/SP2). It was scheduled to be released today, but was delayed for a last-minute compatibility fix. I haven't played with this, but have followed the news about it. Looks like this one will be very important to install, even if it causes some minor problems.
I spent most of the day working with a test install of Windows 2003 Server. I want to get a standard security policy file to use on all servers at work. So I started out with an install into a VMware partition. I used a standard installation, then applied the current updates. Then I spent some time with the Management Console and fine-tuned the security template file. Now I just need to document things and do some verification. One of the nice things about using a VMware partition is that I can 'snapshot'. I can make changes, test things, then restore the snapshot to get back to the previous version. The server installation takes up about 4GB of space, so you can get quite a few test installations on a standard sized hard drive. Very convenient, and worth the price of admission.
And a report from Paul H on his Anti-Phishing test:
I got a 7, my answers to 2 of the misses were very nearly coin tosses - but this isn't horseshoes. Fortunately, in real life I can also remember the few places that have any reason to send that stuff and can discard the rest without thought, so there are fewer judgements to be made.
Here's the link to the test. Report back when you are done (use the mailbox icon).
IMPORTANT NEWS
Microsoft has released the long-awaited Windows XP Service Patch 2 (XP/SP2) to manufacturing. Highlights so far:
I found a good writeup/review of the update here, and additional info is available at that site. That review is quite interesting in its details. One can conclude that there are some very important and needed features in the update.
This "security dweeb's" recommendation: set up your home computers for Automatic Updates. Do it now so that you'll get this (and future) updates automatically installed. We'll be here when you get back.
... more later ...
Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved