Chad's News

Paramount is suing Russell Lee for more than $100,000, alleging that he obtained an illegal copy of a movie and subsequently uploaded it to a filesharing network. In defense, Mr. Lee claims the real perpetrator hijacked his (then unsecured) wireless network. The evidence is weak, and while Mr. Lee will probably be exonerated he will still have to pay legal costs and deal with the stress of a court case. This just underscores why wireless security is so important.

If you have a wifi network, here are the basic things you should do to secure it:

• Change the router’s default admin password.
• Change the SSID and disable SSID broadcast.
• Enable WPA2 security. If your wireless router does not support WPA2, then get a router that does. WEP security is easily cracked, and WPA, although better, is still vulnerable.
• Use MAC filtering.

These steps will not keep out a determined expert hacker, but the goal is to make it difficult enough that he/she will hijack someone else’s network.

Every so often the tech news community lights up about a gaffe related to document metadata. Some years ago Apple was running a fairly successful switch campaign where people gave testimonials about why they switched to a Mac. Microsoft responded with its own anti-switch campaign. The name of the person in the Microsoft testimonial was not given but was included in the document’s metadata. An AP reporter was able to track her down and discovered that, much to Microsoft’s embarrassment, she worked for a PR firm employed by Microsoft. To add further damage, the picture in the testimonial was a fake, taken from stock footage. Microsoft quickly pulled the ad from its site and pretty much abandoned the anti-switch campaign.

More recently, the United Nations prepared a report on the murder of Rafik Hariri, the former Lebanese Prime Minister. Some of the more damaging allegations were removed just prior to the report’s release, but they remained in the document as metadata. These politically-sensitive deleted portions were quickly discovered and publicized, to the UN’s embarrassment.

For most practical purposes, “metadata” refers to hidden information kept by Microsoft Word as part of a saved *.doc file. The most common type of metadata is information on the people who created/edited the document. Just pull up a Word document and go to File | Properties. You should be able to quickly find the name and company of the author. This is the type of metadata that caught Microsoft.

The UN situation was a bit different. They had enabled Word’s abililty to track revisions, because the document was being edited by multiple people. The author forgot to accept the changes, thus making the original draft and the full revision history available to those “in the know.”

Anyone in a business or professional environment needs to be aware of document metadata—the potential for damage is just too high. The following are some ways to properly deal with metadata:

• Use the Office add-in provided by Microsoft, or (recommended) purchase a commercial “scrubber”. There is also a free utility, Doc Scrubber™, that works pretty well.
• Save the file in the RTF format and then convert it to PDF for distribution. (You should be doing this anyway—distributing non-draft versions of *.doc files can bite you.) Be aware that Adobe Acrobat also retains some metadata, so just converting to PDF may not be enough.
• Turning off the “track changes” feature and/or selecting “accept changes” are not sufficient to remove your metadata.

Additional/Reference Links:

• http://www.denniskennedy.com/…
• http://www.lifehacker.com/…
• http://www.corante.com/…

For those who read my recent post on the perils of leaving an unpatched Windows computer connected to the internet, you may have noticed a slight problem. The typical home user would install Windows XP, then connect to the internet and run Windows Update to download/install Service Pack 2. In the time it takes to download the updates, however, your computer has a non-trivial chance of being compromised and turned into a zombie. So what’s the solution?

The first option would be to get a copy of SP2 on CD. Microsoft provides them for free (plus a shipping charge). But there is still a drawback. If you configure your network/internet as part of Windows setup, you could still be compromised in the time it takes to install SP2 from CD.

A better option is known as “slipstreaming.” If you have a Windows XP installation CD, you can combine it with Service Pack 2 to create an integrated installation. This, in turn, can be burned to disc—thus creating a Windows+SP2 installation CD. The slipstreaming process will also save the time required to install SP2 (and the required reboot).

The process is fairly straightforward and is described in detail at Tom’s Hardware. It does require you to download a very large (270+ MB) file from microsoft.com, so no dial-up allowed! The same file appears to be on the SP2 CD, however, so you could probably skip the download if you have the disc.

Copyright © 2005 by Chad Cloman

The bird flu has been in the news lately. I’ve been following it for nearly a year now (some of you may remember my mass email on the topic that I sent last February), and I’ve written an article discussing flu pandemics in general and the bird flu specifically. It contains important information that I think everyone should know, as well as the latest news on the subject. So check it out and let me know what you think.

http://www.sciscoop.com/…

I’ve been seeing a bunch of articles on a new type of spyware: keystroke loggers. A keystroke logging program will keep track of everything you type and then forward it to someone who will look for account numbers and passwords. This can be very bad when the information is for banking, credit cards, and such. A recent study found that 15% of all spyware is of the keystroke logging type.

Most of you reading this are quite tech savvy and know all about not opening attachments on incoming emails and not clicking through to web addresses given in emails (especially those purporting to be from eBay, your bank, or PayPal). But there are other ways to install malicious keystroke logging programs with which you may not be familiar.

Security Holes: Computer systems that don’t have the latest security updates are vulnerable for as long as they are connected to the internet. Malicious programs continuously scan the internet for computers with open ports to unpatched programs. Tests were run with a fresh installation of WinXP SP1, and it took approximately 4 minutes before the computer was compromised. The best way to protect against this type of attack is two-pronged: 1) Apply all patches and updates as soon as they are available, and 2) use a firewall.

Browser Vulnerabilities: Carefully crafted web pages or even web addresses can attain the ability to execute programs on your system. The best way to protect against this type of attack is to not use Internet Explorer. If you must, ensure that all of the latest patches are applied.

DNS Cache Poisoning: This is one of those cases where even if you do everything “right”, you can still be compromised. Essentially, a system that you use for DNS is given false DNS information and stores the data in its DNS cache. So when you type in www.paypal.com, for instance, you are redirected to a spoof site which gets your login/password information (and may also attempt to exploit browser vulnerabilities). The best way to protect against this type of attack is to minimize financial transactions online. In reality, you just have to trust that your ISP and upstream providers don’t let their systems get compromised—it’s really quite simple and comes down to having their DNS system correctly configured.

Internationalized Domain Names (IDN): IDN is a fairly new standard whereby non-Latin (non-English) character sets can be used in domain names. This is of greatest concern for Asian-language domains, but it was expanded to include all languages. It turns out that some languages have characters that are identical to the English language, but which are treated as different under IDN. This only works when you click through to a spoofed web site, via email or a link on another site. The best defense against an IDN attack is to use Internet Explorer 6, as it does not support the IDN standard. Other browsers, such as Firefox, have implemented security procedures to ensure the user is aware of IDN site names, but older versions do not have these measures in place and are vulnerable. More recently, researchers have found another IDN exploit in Mozilla/Firefox, and it seems like the best thing to do for now is to simply disable IDN.