Online Security Alerts and Tips


The Cloudy Security of Cloud Computing

September 16, 2011 by Alan Wilcox

Microsoft, Google, and others are betting on cloud computing's future becoming the norm for the way we use the Internet, store our data, and even access operating systems. Of course, there appear to be some nice advantages to the concept. Among them are the ability to quickly adapt to an organization's needs as they expand or contract (in this economy it might tend to be the latter) and, at first glance, lighten the load on the organization's IT department for things like security and system maintenance. But, in the haste toward what seems like a quick solution to a company's variable server needs, it is possible they also sacrifice security. Let's take a look at this.

Two typical variations of cloud-based server technology are software as a service (SaaS) and infrastructure as a service (IaaS). A quick example of using someone else's online software to get your work done might be Google Documents or Microsoft's Office Online. In these, applications and, to an extent, infrastructure are designed and implemented outside of your control to provide you with the functions you require. A step beyond that is actually using someone else's infrastructure in place of your own localized network. Some of this is not exactly unfamiliar to many of us... many of us utilize things like hosting providers to serve up our Web pages and applications to our customers. As companies take these concepts to greater extremes, they may not really have much of an in-house server and data storage infrastructure at all. Instead, their data, applications, and security are mostly managed remotely from the physical location. In other words, you might have a need for a large amount of storage and server space, and the server you control could be located hundreds or even thousands of miles away from you.

The security of servers outside of our immediate control becomes a matter of also trusting an outside source. When you store data on someone else's servers, how will you know your customer's data is going to remain safe from prying eyes? Perhaps all of your IT employees are top-notch, all of your employees are happy in their jobs and compensation. But, do you have that same confidence in employees of the company that now stores and serves your customers or insider information about your company?

The September issue of Computer (www.computer.org) suggests a way to deal with these potential security lapses. The solution uses something called DepSky, a technology that scatters the data across four different cloud computing providers. To give you an idea how this works, we could compare this, to some degree, to using a multi-disk drive computer set to use a striped RAID (redundant array of independent disks) configuration. What happens is that data is divided between the two disks. One advantage is that reading and writing speeds are increased because the system can work from two disks simultaneously. Another advantage, say if you could remove one disk drive, is that the data on the other disk is incomplete gibberish without the companion drive. So, if someone were to walk off with your computer and you had removed one drive, they would not have access to your data. The concept would be similar with the DepSky proposal, still basically not much more than a research project.

But, here is where I also begin to have some doubts about how far I would trust this approach. First, recall how I stated that, in a striped RAID setup, removing one of the disk drives makes the data on the other disk essentially worthless? I would expect the same to be true for the DepSky approach. And, for security reasons, you would want it to be that way. By preventing someone, for example a disgruntled employee at one of the server providers, from accessing the data from the other three servers, the data they are able to access is worthless. In the RAID example, if one of the two hard disks dies, it is the same as if you had one hard drive with all of the data, operating system, and applications on it. You lose all of it. If that same disgruntled insider deletes the data on one of the four servers, it could make the data on the other three essentially worthless. While DepSky is supposed to take care of these potential data integrity issues in order to take advantage of this approach to data security, being a research project means we do not know what the final product might look like.
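The trade-off described above can be made concrete with a short added example (not code from DepSky or from the Computer article). It contrasts an all-or-nothing split, where one deleted share destroys everything, with a striped layout that adds one parity share and client-held digests; the function names, the four-provider layout, and the sample record are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_all_or_nothing(data: bytes, n: int = 4) -> list[bytes]:
    """n-of-n split: n-1 random pads, plus the data XORed with every pad.
    Any single share is random noise; losing any single share loses the data."""
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, data)]


def join_all_or_nothing(shares: list[bytes]) -> bytes:
    return reduce(xor_bytes, shares)


def stripe_with_parity(data: bytes, n: int = 4):
    """n-1 data stripes plus one XOR parity stripe (RAID-5 style).
    Returns (shares, digests, original_length). The digests and length stay
    with the data owner, not with the providers. Unlike the split above,
    each stripe is a readable fragment, so encrypt before striping."""
    k = n - 1
    size = -(-len(data) // k)                      # ceiling division
    padded = data.ljust(size * k, b"\0")
    stripes = [padded[i * size:(i + 1) * size] for i in range(k)]
    shares = stripes + [reduce(xor_bytes, stripes)]
    digests = [hashlib.sha256(s).hexdigest() for s in shares]
    return shares, digests, len(data)


def recover(shares, digests, length: int) -> bytes:
    """Rebuild the data when at most one share is missing (None) or altered."""
    bad = [i for i, s in enumerate(shares)
           if s is None or hashlib.sha256(s).hexdigest() != digests[i]]
    if len(bad) > 1:
        raise ValueError(f"shares {bad} unusable; parity covers only one loss")
    shares = list(shares)
    if bad:
        good = [s for i, s in enumerate(shares) if i != bad[0]]
        shares[bad[0]] = reduce(xor_bytes, good)   # XOR of the rest restores it
    return b"".join(shares[:-1])[:length]


if __name__ == "__main__":
    record = b"customer record: constructed sample"   # constructed sample input
    shares, digests, length = stripe_with_parity(record)
    shares[2] = None                                   # one provider deletes its copy
    print(recover(shares, digests, length))
```

The digest check is what lets the owner tell a silently altered share from a good one; without it, a tampered stripe would be folded into the rebuilt data unnoticed.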

Of course, we could have multiple backups and more RAID type setups to mitigate this within our own infrastructure. My point is that, perhaps, going to an outside provider does not always make things easier and let you sleep better at night. Every time I hear of another server crash at Google, Microsoft, and other providers I cringe just a little bit, knowing full well there are some businesses and individuals that absolutely depend on those systems to be up and running for them to get their work accomplished. It is not the same as if my Internet service provider were to go down for a day, even a week or two. If my software, applications, and customer data are all in-house, I can still access what I need to. Alternatively, if all of my apps, software, and data are in the Cloud, I might as well go home for the day.

Just as with so many new products and ideas, Cloud computing is fairly new to a lot of companies and providers; it will take some time to work out the kinks. While I am confident many of the concerns I have will be addressed in time, I would caution you to carefully evaluate any thoughts of moving your operation to the Cloud. Certainly, they say that every cloud has a silver lining. But a few also come with wind, rain, and lightning bolts.

Firefox 4, Chrome, and Safari Users; Beware of WebGL?

June 19, 2011 by Alan Wilcox

A quick bit of info for users of Firefox 4, Google Chrome, and Safari browsers about WebGL, the rendering technology for Web graphics used with HTML 5's Canvas.

First, there is some concern going around about WebGL's direct access to the graphics hardware in a computer. In the past, hardware has been somewhat shielded from direct access by software layers and applications that process graphics data first, then relay information to the graphics hardware. The concern is probably justified because graphics hardware has not been designed with security in mind because of this legacy of separation. With WebGL, this begins to change and there is the possibility that untrusted Web applications might be able to exploit this direct access to your hardware. An example of this might be to take a screenshot of whatever you are doing and possibly send it to someone.

One of the first impulses is to disable WebGL on these browsers. In Firefox 4, this is fairly simple, and the Mozilla Security Blog talks about how to do this. In Chrome, it gets a little more complicated for now. The disabling tactic for Chrome only applies to whatever shortcut you set it up for. The problem here is that, if the browser gets opened through some other path-- say from within a PDF file, email link, etc. --the disable command does not apply and WebGL will be set to be accessed by default. So far, I have not read anything about how to disable WebGL in Safari... that does not mean there is not a way. I just have not looked for it, yet.

But is this really that big of an issue? Well, yes and no. In the long run, yes, it is a problem and has to be fixed. For the near term, it really is not a big deal and I will tell you why: at present, the use of HTML 5, Canvas, and any other technologies that would use WebGL is nearly non-existent on the Web. The average user is unlikely to visit any sites that use these newer technologies. However, a malicious page creator could decide to specifically craft a Web page and send you to it using the typical social tactics (Hello-Friend-Please-click-on-my-link emails, for example). So, as usual, I again caution you about just clicking on any ol' link you see in an email from an untrusted source.

Yet, one other advantage to browsers like Firefox and Chrome is that the development process is typically quick. For example, Mozilla already has a beta version of Firefox 5 that addresses the WebGL threat. I imagine Google will take care of the problem in Chrome very soon as well. For now, Firefox 4 users can pretty safely go ahead and upgrade to the beta 5 version. I have been using it for a while now and it has worked flawlessly thus far. And, from what I hear, the final release of Firefox 5 will be out by around June 21-22, just a few days away.

The real solution to security problems, for the user of any browser, is to first avoid habits that are high-risk (opening attachments, links, or willy-nilly visiting just any site or clicking on any pop-up without stopping and thinking for a moment). Next, keep your operating system and applications updated. Even though I have found IE9 to be a very capable browser, that does not mean you have to flock back to it just because of this latest issue.

Third-Party Widgets; to use or not to use...

April 20, 2011 by Alan Wilcox

Should you use that new Web gizmo you just found on the 'net? That is a question with answers both for and against.

Sites that promote widgets tend to focus on a common theme: widgets add functionality and interest to a Web page to keep visitors coming back for more. Users will find weather information, a news feed, or a cool game on someone's site and automatically come back to your site because the widget is there.

But, are these claims true? Well, that depends on several factors. Among those are whether your site is quality enough to get people there in the first place or get them to return after they have been there. However, I don't think we can count on a widget to bring customers back to our sites. In fact, it is much more likely the opposite. Even if a site visitor likes the widget, most of these have links built into them to get your page visitors to click and... guess what?... LEAVE your site to go to the widget creator's. And, who could blame the widget creator for wanting people to visit their site? Still, that runs contrary to why you wanted to put the widget on your site in the first place. We wanted the visitor to like OUR site, not someone else's.

Perhaps one of the biggest concerns you should have about that new third-party app you are about to place on your site is whether it is secure. Further, even if the app itself is safe, are we sure that the pages a visitor would visit by clicking on a link in the widget are safe? While a large corporation might have the resources available to persistently monitor the behavior of a widget, many of us smaller businesses might not. With that in mind, consider whether it is worth the security risks to your visitors by placing a third-party widget on your Web pages. Instead, I would suggest that focus be placed on creating and maintaining your own fascinating content to keep your visitors coming back for more.

Online Attacks Prevalent Due to Interactivity

April 18, 2011 by Alan Wilcox

It comes, really, as little surprise that online attacks have become more prevalent. After all, Web designers and their clients who demand interactive applications have put a welcome mat at the front door. They may have locked the door, but the key is easily enough found under that mat, the fake keyholder rock in the bushes, above the door frame, or hanging on the railing post. And so it is the same with the myriad "necessary" blogs, chat rooms, and wikis on so many sites we visit. Whenever a site visitor is granted the ability to enter anything they want into an online application, there are bound to be problems.

A recent break-in at WordPress highlights the issue. In their case, by letting someone enter their site for login or other purposes, users could enter in a username, maybe a password, modify site content, or worse... enter a set of server commands that released information to an unauthorized user. The article states that only those sites actually posted at WordPress.com are affected in this intrusion. Others, hosted elsewhere, were not included in this attack.

Does this mean other WordPress site owners, hosted elsewhere, can collectively breathe a sigh of relief? Well, maybe a short one. The reality is, while WordPress.com may have made sure they plugged vulnerable parts of their application, other users may not do the updates and take the steps needed to ensure the same does not happen to them. But this isn't just a WordPress issue. It is, instead, that many Web designers and their clients feel they need to jump on board the interactivity bandwagon in order for their site to be useful.

But, is a useful site one that always has a blog, wiki, or forum? Well, that depends entirely on the goals of the site owner. However, to keep a site useful, it is necessary to take the steps to ensure security vulnerabilities do not allow client or organizational data to be leaked, servers to be shut down, or Web pages maliciously changed. In some cases, plugging every possible problem could be a daunting task... a bit like an archer trying to hit an erratically moving target.

Instead, I recommend designers and site owners take a long, hard look at, first, whether this kind of interactivity is actually required to accomplish their goals and, second, if they have enough ability and time to secure these add-ons and applications properly. If the answer to both of these is yes, by all means, do it. If not, don't do it just because it is the popular thing to do.

Adobe targeted again

April 12, 2011 by Alan Wilcox

Adobe Systems has issued this warning: "A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."

Currently, there are incidents of exploits targeting this vulnerability. The attacks come from a Flash file embedded in a Microsoft Word file and arrive via an email attachment.

Aside from getting the latest updates from Adobe, Virtual Nexus still advises its clients to remain vigilant about opening email attachments.

Even more details can be found at Adobe's security bulletin.


Beware Adobe upgrade offer email

March 31, 2011 by Alan Wilcox

I have continued to warn users about blindly clicking on links in emails they receive. Here's yet another reason why I'll continue to warn users to think before clicking.

An email "phishing" scam advises recipients there is an Adobe Reader update available. Clicking a link brings them to a bogus site that asks for credit card information and more. Even the Web address for this site contains the word "adobe", a feeble effort to make the link appear credible.

Remember, think before clicking on links.


Are you an OS snob?

March 25, 2011 by Alan Wilcox

Browse around in various Web forums and you will likely come across several postings from people having the belief that the operating system (OS) of their choice is the perfect, impervious defense against malware, viruses, and hackers. Are you one who believes their Mac, Linux, iPhone, Blackberry, or Android based device will never become susceptible to a malicious software writer's attempts? Perhaps it is time to rethink that position.

A bit of research reveals that those with nefarious intentions like to maximize their efforts. One of the best ways to do this is to target devices and software that are quite common. Doing so helps to ensure the highest number of successful intrusions or most payoff. That means, as non-Windows devices become more common, they become a more attractive target. Continuing research reveals that no OS is completely safe. Linux users typically state that, due to the architecture of the OS, malware is ineffective. However, this article at the Register points to a malware app that specifically targets network devices running under Linux. Apple's Mac users commonly mention the safety of their OS, and even suggest there is no need for anti-virus protection. Understand, though, that the "impervious" Mac is a Linux-based OS. The default browser, Safari, is Webkit based. Yet, I hear howls of consternation about Google's Chrome vulnerabilities... also a Webkit based browser. Combine that with the fact that most Linux and Mac users use Firefox... unfortunately recently considered as being the most UNsecure Web browser in comparison to IE9, Chrome, Opera, and Safari... it leaves the door open a crack further for the mischievous types.

The real point is, if you are concerned about the information and investment in time and money you have in whatever device you have, it might be worthwhile to take reasonable precautions against possible problems. Of course you want to be proud of the new, shiny computer you just bought. But it only took someone five seconds to remotely take over a Mac computer using its Safari browser against it at the latest Pwn2Own event (Pwn2Own 2011: Blackberry falls to Webkit browser attack). Blackberry had its share of trouble there, as you can see by the article title. And, they are all in good company with the likes of IE8 on Windows 7.

As I once was told, "Pride can be a dangerous thing."


Update your Web browser

March 22, 2011 by Alan Wilcox

Why should I update?

Are you one of the users still using IE 6, Firefox 2, or even some tired remnant of Netscape Navigator? Seriously, the time has come to dump that old, rusty hulk for a new model. Here are a few reasons why and a bit of my own perspective thrown in for the heck of it.

First and foremost, I have no idea why anyone would still be using IE 6. Okay, yes, I hear some businesses talk about how their in-house applications may not run well on later browsers or how their company Website does not work well on newer browsers. I do not mean to insult anyone, but that is a bit like saying we should all continue to drive 1972 Chrysler Newports around to get from one place to another because we still have a bunch of 8-track tapes. Well, okay, you can insert your own analogy here if you don't like mine. The point is, it is time to get a new browser that has updated security and the ability to take advantage of new Web trends... time to get rid of the 8-track tapes AND the Newport.

If that has not convinced you (or your IT department) it is time to get with the times, consider that many of the new security threats are targeted specifically at this ancient relic and the vulnerable Web applications that it runs. IT departments retort that they do not have time to run tests to see if their applications will run successfully on IE 7 or later. I will counter that with this: if you do not have time to do testing, where are you going to find the time to sort out the mess remaining after a security intrusion leaves your home page maliciously changed, customer and vendor data stolen, or your company's financial or technological secrets stolen?

Enough. If I have not convinced you, yet, I probably won't. For those still with me, let's take a look at some of my first choices.

Browser roundup

IE 9 is, of course, Microsoft's latest offering. I have been using it since early Beta testing and found it functional and efficient, with a clean interface. Speaking of the interface, the first thing new users notice is the lack of the familiar menu tools at the top. Though these items are accessible through new buttons on the tool bar, be aware that the menu can be turned back on from the default "off". I prefer it gone because it gives me more viewable area for an actual Web page without going to Full Screen mode. The things I like best about this browser are that it gives quick access to "Compatibility Mode" for those Websites that were written for older browsers... again, I have to mention the time has come for those developers to get rid of the older design ideas... and that it has support for HTML 5. One thing I do not like is the rendering for auto page scrolling (click the middle scroll wheel on your mouse and move the mouse slightly to get the page to automatically scroll up or down). IE 9 is jerky and overly sensitive to mouse movements, making it hard to actually watch the page content. For some, this is not a big deal; for me, it ends up being a deal breaker because of the amount of time I spend online doing research. Yet, as a developer, I am quite happy to see that IE 9 finally adopts Web standards such as HTML 5!

With auto-scrolling rendering in mind, I have to mention both Firefox 4 and Opera. Both of these browsers do an exceptional job of providing smooth frame rate rendering during auto-scroll. I can actually read a page without my eyes bleeding and sending me into convulsions. Of course, the question always pops up about which browser is the fastest at displaying page content. For the most part, I personally do not find it matters all that much. If you frequently visit the same pages, I think Firefox and Opera do a better job of caching pages so they load quicker. IE 9, it appears, does a great job of fast page loading during the initial Webpage view. Now, the problem I had with Opera is that its browser interface had begun to get too cluttered (sorry to you Opera lovers; that was my own perspective). Opera has managed to do a good job of improving this, so I may spend a bit more time on this browser again. Overall, I use Firefox quite a bit because I like the rendering and clean interface combination. For those of you that like all sorts of additional gadgets, Firefox has tons of free add-ons available.

I did mention clean interfaces, right? With that, I would be remiss in not mentioning Google's Chrome browser. It is quite minimalistic, yet overall functional. Again, I do not use it as much because of my annoying little quirkiness about the auto-scroll rendering. This browser is better than IE 9 at this but is still not up to my standards as of their latest release. Other than that, I like this browser a lot. After all, do I want to look at a browser interface or the actual Webpage I am visiting? For those of you that answered, "browser interface", BZZZZZZZZZZT! You are incorrect. Again, it is about viewable screen real estate for me. I actually want to see the page.

Browsers; a developer's tool

From a Web Developer's Perspective, I really like Firefox 4 and Chrome 10. All of the new browsers support HTML 5 and Web 2.0 standards. But what I really like is that I can take a look at source code using either a pop-up window in Firefox or a new full page tab in Chrome. Mostly, I like that it displays the source code in a readable manner, instead of text all jumbled together like Opera does. Worse, IE either wants to open it in Notepad or some other application. Then again, I could tell it to open the code in Dreamweaver or Code Lobster, but that just takes additional time for another application to load. It is nicer if I can just have a separate window I can drag over to my second monitor.

In the end, any of the new browsers is improved significantly over the old IE 6 in terms of security. Even if you are completely content with the tried and true functionality of that old interface, you should at least take a look at what the newer models can do for you. Oh, and did I mention they are free?

Ready to update to one of these? Here's where you can get them:

Chrome 10
Firefox 4
IE 9
Opera 12

Create strong passwords

March 17, 2011 by Alan Wilcox

Are you curious about what it takes to create strong passwords, those that are hard to guess or break using a variety of tools? Check out the advice and the tool and see if you'll rethink your existing password strategy.

Microsoft's Safety and Security Center--Create strong passwords
Microsoft's Password Checker

Usual hoaxes follow disasters

March 13, 2011 by Alan Wilcox

As usual, there are those in our world who like to take advantage of others' misery, and the recent Japanese earthquake is no exception to this apparent rule. As I have warned users for years, now, be wary of unexpected emails asking for donations or other links promising intriguing disaster-in-progress footage. These latest variations promise Facebook users access to a video of a whale being thrown through a building by the force of the tsunami to lure visitors to click on a link. No doubt, we will see more of these types of practices in the coming weeks and months at the expense of the real victims of this event.

Source: Bogus CNN video scams Facebook users. Cluley, G. March 13, 2011.

Critical Apple device updates

March 13, 2011 by Alan Wilcox

According to Apple's own knowledge base article HT4564, there are numerous patches to plug security vulnerabilities for iOS 4 users. It is highly recommended you install and apply these new patches immediately. Sorry, iOS 3G users, no fixes for you at the moment.