Chad's News

Here at the Chad’s News network command center, we use Avast! as our anti-virus program, because it’s free and is more or less mandated by our corporate masters for VPN access. The folks at Avast rolled out an update yesterday, at about 5:15pm Mountain Time, and it had severe problems. The update caused many false positives and crippled the programs that it incorrectly flagged as having the “Win32:Delf-MZG” virus. At 10:50pm Mountain Time, they released an update that fixed the problem.

If you are experiencing this issue, first update Avast! If you saved the corrupted files to “the chest,” you can safely restore them, and that will be that. Here at Chad’s News, however, we were caught by surprise and spent about 8-9 hours “fixing” the problem before finding out that it was all a mistake. Sigh… The linked article contains the official explanation and solution.

Link: http://support.avast.com/…

So you’ve protected your laptop by encrypting the hard drive. Are you safe? Not if you leave it in your hotel room where an “evil maid” can access it. All the maid has to do is boot the machine from an external drive (or even a CD), then overwrite your boot loader. This is yet another example of why physical security is so important.

Link: http://it.slashdot.org/story/…

A critical security issue has been identified in the free Adobe Shockwave Player used by many web browsers. Adobe recommends installing the latest version (11.5.2.602). Since the Shockwave Player is not something that’s automatically updated or even checked for the need to update, you’ll have to do it manually. Note also that it may be necessary to perform the install multiple times, as there are different installers depending on which browser you use to download the software. Yes, really. But I think you only need to do it twice, once for Internet Explorer and once for everything else (on a Windows system).

Link: http://it.slashdot.org/…

Long-term Chad’s News readers may recall this article, where a website was destroyed during a Google scan because the Google crawler doesn’t process JavaScript. And Firefox power users may be aware of the NoScript extension, which disables JavaScript for all websites by default (and which frequently shows up on “Top 10 Essential Add-ons” lists).

With all this in mind, you’d think web developers would know better than to design security measures that rely on JavaScript being enabled. But apparently not. Time Warner Cable distributed 65,000 cable modems that allow users to perform simple administrative functions via a web page interface. Advanced controls are hidden from the user, but they’re hidden via JavaScript. Disable scripting and poof! it’s a few easy steps to get the modem’s login credentials. To make matters worse, all 65,000 modems have the same username and password. Thus, a malicious hacker can reconfigure people’s modems from anywhere on the internet. Stupid, stupid, stupid.

Link: http://www.wired.com/…
(via Kim Komando)

Following in the footsteps of Microsoft this week, Adobe has released fixes for 28 security problems in Adobe Reader and Acrobat, including one for a vulnerability that’s in the wild. Since the web runs on PDF files, I suggest updating now.

Link: http://news.zdnet.com/…

Over the past several years there have been many cases of people and institutions getting in trouble because of poorly-secured wireless networks (e.g., the now-famous T.J. Maxx credit card theft). The linked article has another example, this time a home user whose network was used to illegally transmit child pornography. In these situations, the police confiscate your computer equipment with no warning. Then it’s up to you to get a lawyer, defend yourself in court, and try to get your stuff back.

While the official Chad’s News position is that there is no such thing as wireless security, it’s still possible to make intrusion difficult enough that you’ll be left alone. For starters, use the WPA2 security protocol. If your wireless router does not support WPA2, then consider getting a newer one. Also, be sure that your router has the latest firmware updates. Finally, there are a few additional steps you can take—none of which will work against a determined hacker, but which will make your system less tempting. The absolute worst situation is to have no wireless security at all. It’s the computer equivalent of leaving your car with doors unlocked, windows down, and keys in the ignition.

Link: http://www.komando.com/…

Long-time Chad’s News readers already know that using WEP security for wireless networks is about as effective as having no security at all [link1, link2]. The solution has been to use the more advanced WPA security. Unfortunately, researchers are now able to break a certain type of WPA encryption in about 60 seconds, opening your network to the world.

The solution is to use WPA with AES encryption or to use WPA2. Some wireless routers will allow you to choose AES or WPA2, so it doesn’t hurt to check and see what’s available on yours.

But even then, wireless security is an iffy proposition should someone really want to break into your system.

Link: http://www.networkworld.com/…
(via Slashdot)

The linked article lists 10 different ways to demolish a hard drive. Unfortunately, several of the methods don’t actually destroy the data, but they do incapacitate the drive and necessitate the use of special equipment to read what is left. For those that do wipe the data, item #3 (using a grinder) is probably the simplest, and item #10 (Thermite) is definitely the most satisfying. Also, I’m not sure that any magnet, no matter how powerful, is able to completely wipe a disk. Back in my military days, the only approved method for disposing of classified hard drives was to physically break the platters into pieces.

Link: http://www.pcpro.co.uk/…
(via Slashdot)

Peer-to-peer file-sharing programs are best known for their use in illegally distributing copyrighted music and video files. With some of these programs you host the shared files on your computer, and other users can search your computer for a particular file. This is a significant security issue. Some people have not configured the file-sharing program correctly and are unintentionally sharing private information. And in certain cases, a child installs the program on the family computer without the parents’ knowledge. The first linked article discusses how a man used Limewire to perform identity theft, and the second is about private photos taken from other users’ computers and posted on the internet.

Link #1: http://www.pcworld.idg.com.au/…
(via Slashdot)

Link #2: http://www.neatorama.com/…

Here’s a new type of computer attack that could catch the unwary user. The program, called Ippon, scans unsecured wireless traffic for software update requests, many of which are automatically performed by the programs on your computer. It then responds to the update request before the real site does, and your system is updated with malware that can take over your computer, steal personal information, or destroy data. There are ways to defend against this, but it takes a tech-savvy person to use them.

Link: http://blogs.techrepublic.com.com/…

Criminals placed a fake ATM in a Las Vegas hotel, hoping to skim card and PIN data. Unfortunately for them, the hotel was hosting the Defcon hacker conference. While normal people might not notice a problem, it didn’t take long for attendees to spot the fake ATM and report it to the authorities.

Link: http://www.computerworld.com/…
(via Slashdot)

Be careful when connecting to airport wireless networks, especially if they’re free or unsecured. Problems range from legitimate but poorly secured networks to fake networks designed to grab your login credentials. According to the linked article, this problem is very rampant, and you shouldn’t do anything sensitive or confidential on these networks. This would mean not entering any login information, even to check email.

Link: http://www.foxnews.com/…
(via Slashdot)