I am the on-call PC expert for my entire family and most of my friends. This works for me most of the time, but dealing with every single version and permutation of all those antivirus products adds an extra layer of discovery which has the unfortunate effect of wasting my time. So once the 6 month trials are up I quickly try to intercept my family's attempts to go to Best Buy and purchase software and gently nudge them onto a single virus protection source, namely Microsoft Security Essentials (MSE). I switched to MSE less than a year ago; at that time I was a huge fan of AVG Free, however I noticed that AVG was making it increasingly difficult to find the free version of the software and the pop-ups telling you about subsequent updates never pointed to the free version, and I grew tired of that constant struggle. Additionally, in terms of performance, my anecdotal assessment of MSE is that it has a smaller memory footprint while actually idle and also while running "Quick" and "Full" scans. Today Microsoft announced the beta for the next version of Microsoft Security Essentials. New features in the beta include:
- Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.
- Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.
- New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.
- Network inspection system – Protection against network-based exploits is now built in to Microsoft Security Essentials.
I probably will not push everyone to the new beta yet, but I will try it out on a couple of PCs and see how it goes. You can download the beta here (you will need a Windows Live ID).
I saw this quite official looking opportunity to import Yahoo contacts into my Hotmail account. I do not have a Yahoo account, but I wanted to check out what kind of transfer process they were going to initiate between Yahoo and Hotmail. Now I have seen this done before with OAuth, and with that technique you are basically redirected to the target site where you can safely put in your credentials. However, with this process I was redirected to another site that seems to be under the auspices of TrueSwitch. Now I have nothing personal against TrueSwitch, but I do wonder why I would trust any third party with not just one email and password but two. It begs the question why Hotmail, a trusted name and brand, would need to go to a third party for this kind of transfer when they have proven that they can use OAuth to fulfill this kind of information transfer. I can only assume that TrueSwitch is providing additional services that the OAuth process does not cater to (maybe the email history, who knows); either way there is zero chance of me using this kind of service when I have to hand over the keys to the email kingdom. This is my final rant about transferring online information, I promise. I just want to see a trusted standard implemented that does not encourage and involve password sharing!
FriendFeed appears to be a Twitter clone that improves on the original. It allows you and your friends to chat about the minutiae of life and get updates about each other regularly (not attractive to me, but it takes all sorts). I was looking through the API documentation just wondering what they may have available, and this was the blurb they produced on authentication: If you are publishing data to FriendFeed or if you are requesting the feed that includes data from a user with a private feed, your HTTP requests must be authenticated. All FriendFeed users have a Remote Key to provide third party applications access to their FriendFeed. A FriendFeed Remote Key is just like a password, except that it is only used for third party applications, so it only provides access to the functionality defined by the API. Users can easily reset it if a third party application abuses the API. All requests that require authentication use HTTP Basic Authentication. The username should be the user's nickname, and the password should be the user's Remote Key. Now this fledgling company is being endorsed by some interesting bloggers, but I think the lack of an OAuth implementation is a real problem. They are getting around it by effectively giving you a public password (referred to as a Remote Key), which is quite separate from your actual password. There are a few problems I foresee with this approach. Firstly, you only get one Remote Key, and if you want to stop access to your personal data for one particular app you must reset the Remote Key. Unfortunately, when you reset your Remote Key you actually reset it for every app and therefore need to update the key for all of them. They could get around this by providing management of multiple keys for multiple third party apps, that way you could cut access to any given app without disrupting the others, but who would honestly want to do that?
Secondly, this practice still plays into the basic problem of the password anti-pattern: even though this is a public password, the level of control given means that this is still the basic user name and password paradigm. Either way we look at this, it is still better than the Twitter security option, where Basic Auth rules supreme, real account passwords are given out, and session cookies last forever. I will not go into detail about Twitter as this method is appropriately lambasted here.
I have had a series of posts recently about various, supposedly responsible, social websites asking for my username and passwords (email), and another post about not so trustworthy sites asking for Live Services passwords. I had resolved to only be concerned about sites that were clearly not taking advantage of the OAuth security pattern; however, it is quite difficult to explain to a layman whether a site is using OAuth or taking the short cut of storing your password, logging in and doing some kind of screen scraping. I hope to address this here. Why do we even need something like OAuth? Well, suppose you are, like me, a user of something like Live services, but you would love to be able to import all your contacts from a social network like LinkedIn. You have a couple of options: hope that LinkedIn allows you to export the contacts in some common format (csv, xls, etc) and also hope that Windows Live offers a compatible import solution … or … you need an open, secure API which both services can comprehend, namely OAuth (I will not go into the details of the OAuth pattern, except to say that it overcomes the need to send user id and password with every request sent to a third party, as BasicAuth does). In short, when a site is responsible enough to employ the OAuth open protocol you can gain access to secure areas (contacts, photos, etc) of other sites without spreading your password everywhere. A good example of this pattern can be seen at work in the Windows Live Services. I go through the steps of selecting the import process from LinkedIn, as shown below. This is the really important part here! After clicking next I am redirected to the LinkedIn web site for authorization. What you should not be doing at this point is entering your LinkedIn credentials into the Windows Live site. This is always a bad idea! To be clear, I trust both LinkedIn and Windows Live, I just do not believe they need the keys to each other's houses.
Any system that teaches users that it is ok to put passwords from one site into another is really doing us all a disservice; this password anti-pattern teaches people that it is ok to give away your password. This bad habit ensures that people will be more likely to be caught in phishing scams the world wide web over. Many social networks have spread like this, and LinkedIn is as guilty as any of them. For me the design of this LinkedIn import page is really problematic. While it appears to redirect authentication for Windows Live and Yahoo, for the Gmail, AOL and Others options it relies on you putting user names and passwords directly into the LinkedIn site. I am sure that LinkedIn is being above board and responsible with my information (am I?) but this pattern is doing the overall security of the web no good. They are teaching a whole generation of social network users that this type of password sharing is ok. What is more confusing is that AOL and Gmail appear to have OAuth-style implementations (AOL OpenAuth, Google AuthSub), yet LinkedIn seems to disregard this and teach bad habits to its users. Hopefully in a future post I will go through some code that complies with the OAuth pattern. Technorati tags: Security, OAuth
I got a random text from a relative asking me to go to this website, at which point I was confronted by the following web page… Ha … they want my email and password … really … why don't I just give you my SSN, credit card numbers and keys to the house and car (I overstate, but you understand the point). The Terms and Conditions were honest enough to reveal the following: We may temporarily access your MSN account to do a combination of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.
Let me forgo all the obvious concerns about giving away my password and look at the storage of my password by unqualified and un-vetted third parties. The only real way they can use my password effectively is by storing it in plain text in their database, and the above T&C extract also implies that they are keeping this information indefinitely. There are a metric ton of APIs for online services that allow applications access to user resources without the need for this type of password scamming. This includes but is not limited to: Windows Live DelAuth, Google AuthSub, Yahoo! BBAuth, Facebook Authentication API, and AOL OpenAuth. The T&C for this site concludes:
"This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement." …enough said. Technorati tags: Password security
The recent stir in high profile security issues has got me really paranoid about my computer habits. Trying to secure myself from the marauding hordes of criminal hackers has always been a cat and mouse game; I just try to make sure that I have as much information as possible. The issue of spam is still a really big one. Most of the time I get about 20-30 unsolicited mails, mostly harmless, but once in a while I get a piece of mail that gets past my safeguards and makes me worried for all my friends that are a little less cautious than I am. So here are my golden rules for spam detection ... be suspicious if the email sent to you is not able to identify you by first and last name (or maybe your login ID). There should be sufficient hints in the email that let you know that the company emailing you knows enough about you to warrant your trust. For example, every email that I get from PayPal has my full name in the email, so I feel less suspicious that this is a random spamming campaign. When an email begins "Dear <youremail>," then this is a clear indication that I should treat the contents with a healthy dose of skepticism. So I recently received an email from "NatWest" the bank, not the real one of course, but some unscrupulous rascal attempting to masquerade as NatWest. Of course they wanted my banking details: account numbers, PIN, even my credit card information. Thankfully there has been significant adoption of layered security which allows you to set up additional personal questions, and there are some sites that allow you to select personalized pictures that make your login experience uniquely identifiable. I noticed that when I opened up the phishing site in Firefox 3, I got no indication that it was a spoof site (as above). However, IE immediately let me know that the website was really a poorly disguised phishing attack (below) and warned me to go no further. I am not sure what mechanism keeps track of phishing sites, but Firefox was a little slow on this one.
Banks never want you to update security information by email and in fact go to great lengths to only use emails for account related alerts and/or marketing. The easy to use golden rule I have established for my wife and me is to always use our predefined browser favorites to browse to our financial/sensitive information. If there is a legitimate need to ask me to update my details it will have to start and end at our favorites list. Technorati tags: spam, phishing filter
DISCLAIMER: Please do not follow any of the links in the images I show; I am quite certain they are meant to hurt honest, hard-working people like you and me. Also, due to the nature of the post I feel the need to reiterate that all the content I post on my site constitutes my own opinion and is not a reflection of my employer or any of their policies.
I am a member of only one social network, and that is LinkedIn. Contrary to popular opinion I think it is a great way to get in touch with professional contacts both past and present, and it really fills a gap that my email contacts cannot fill by themselves. I actually got hold of an old high school classmate who I knew was in the technology field. I recently encouraged my wife to get in on the LinkedIn network, as we have recently moved into a new area and she is looking for work. I thought this could be another way to find out what is available in the Central Ohio area. As she was getting ready to fill out the sign-up form we were confronted by this form that requested my email address and password. As much as I admire and even trust LinkedIn, there was exactly zero chance of me providing them with the password to my email inbox. This is like giving someone permission to get a copy of my house keys because they need to fix the sink; it is just not going to happen. I mean, really think about it: how many of your various online accounts can be reset via your email and password combination? I would much prefer to type each email address by hand, which is exactly what we did. There must be a better way to do this kind of thing ... OpenID anyone! Technorati tags: Social Networks
I have been doing a fair share of security related audits and programming over the last few years, and the following is a list of my favorite faux pas. I always feel that giving specific details of errors encountered on your site is a sure-fire way to attract trouble. So my first defensive tip is to always use custom error pages, so that stack traces and internal details are never shown to the visitor (this goes in web.config):
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
Secondly, always ensure that you are capturing application level errors in your application; there are many errors that do not show up within any error handling that you place at the web form level.
// Global.asax: this handler catches exceptions that never reach page-level handlers.
// EventLog lives in System.Diagnostics, so Global.asax needs
// <%@ Import Namespace="System.Diagnostics" %> (and the "PoppaString" event source must exist).
void Application_Error(object sender, EventArgs e)
{
    // Get a reference to the source of the exception chain.
    Exception ex = Server.GetLastError().GetBaseException();

    // Log the details of the exception! Note that Request.Form can contain passwords
    // or other secrets, so mask sensitive fields before writing them to the log.
    EventLog.WriteEntry("PoppaString",
        "MESSAGE: " + ex.Message +
        "\nSOURCE: " + ex.Source +
        "\nFORM: " + Request.Form.ToString() +
        "\nQUERYSTRING: " + Request.QueryString.ToString() +
        "\nTARGETSITE: " + ex.TargetSite +
        "\nSTACKTRACE: " + ex.StackTrace,
        EventLogEntryType.Error);
}
The threat of cross site scripting is a real one and could be performed in a variety of ways. While most developers tend to check for text input validation, I have also seen omissions in the validation of cookies and URLs; these inputs are just as open to attack and should be validated before use. Encode any value that is echoed back into a page, for example:
// Encode the submitted value before writing it into the page, so any markup it contains is rendered as text rather than executed.
string safeName = HttpUtility.HtmlEncode(Request.Form["name"]);
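As an added example (not code from the original post), here is a hypothetical helper that applies the same rule to all three input sources mentioned above: validate first, then encode for the context the value is written into. Request.Form, Request.QueryString and the cookie value are replaced by constructed stand-ins so it runs as a plain console program on the .NET Framework with System.Web.dll referenced.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility lives in System.Web.dll on the .NET Framework

// Hypothetical helper class (not from the original post).
static class UntrustedInput
{
    // A session or tracking cookie should look like a token and nothing else.
    // Reject anything outside this whitelist instead of trying to strip "bad" characters.
    static readonly Regex TokenShape =
        new Regex(@"^[A-Za-z0-9_\-]{16,64}$", RegexOptions.Compiled);

    public static bool TryReadToken(string rawCookieValue, out string token)
    {
        token = null;
        if (rawCookieValue == null || !TokenShape.IsMatch(rawCookieValue))
            return false;
        token = rawCookieValue;
        return true;
    }

    // Value written between HTML tags, e.g. <p>Hello, NAME</p>.
    public static string ForHtmlBody(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Value written inside a quoted attribute, e.g. <input value="NAME">.
    public static string ForHtmlAttribute(string raw)
    {
        return HttpUtility.HtmlAttributeEncode(raw ?? string.Empty);
    }

    // A "return to" URL taken from the query string is the classic example of a URL
    // input that is used without validation. Only a same-site relative path is
    // accepted; anything with a scheme or a protocol-relative prefix falls back to "/".
    public static string SafeReturnPath(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return "/";
        bool relative = raw.StartsWith("/") && !raw.StartsWith("//") && !raw.StartsWith("/\\");
        if (!relative || raw.IndexOf(':') >= 0) return "/";
        Uri parsed;
        if (!Uri.TryCreate(raw, UriKind.Relative, out parsed)) return "/";
        return raw;
    }

    // The validated path still needs attribute encoding when reflected into a link,
    // because "&" and quotes are legal in a path but must not break the attribute.
    public static string ReturnLink(string raw)
    {
        return "<a href=\"" + ForHtmlAttribute(SafeReturnPath(raw)) + "\">back</a>";
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample request data standing in for Request.Form,
        // Request.QueryString and a cookie, including the kind of values a scanner sends.
        NameValueCollection form = new NameValueCollection();
        form["name"] = "<script>alert('x')</script>";
        NameValueCollection query = new NameValueCollection();
        query["returnUrl"] = "javascript:alert(1)";
        string cookie = "abc123\"><img src=x onerror=alert(1)>";

        // Markup in the form field comes out as &lt;script&gt;..., i.e. harmless text.
        Console.WriteLine(UntrustedInput.ForHtmlBody(form["name"]));
        // The scheme-bearing return URL is rejected and the link points at "/".
        Console.WriteLine(UntrustedInput.ReturnLink(query["returnUrl"]));
        // A legitimate relative path is kept, with "&" encoded for the attribute.
        Console.WriteLine(UntrustedInput.ReturnLink("/account/summary?tab=1&x=2"));
        // The cookie fails the whitelist and is never used.
        string token;
        Console.WriteLine(UntrustedInput.TryReadToken(cookie, out token)
            ? "cookie ok: " + token
            : "cookie rejected");
    }
}
```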
note: This is by no means an exhaustive list and is really only meant to represent a few low hanging fruit in coding securely for ASP.NET.
Technorati tags: Security
As I become more and more comfortable with Vista, the amount of unsigned software that I am using is starting to grate on my nerves. I am not sure if I am more annoyed with the developers or with the OS that keeps reminding me (even when I tell it not to remind me). There is a quite comprehensive article on signing .NET applications; however, what the article does not go into is that getting a valid certificate from a third party is not free. I can create a test certificate, but then the application will have a test certificate that is not verifiable. What, pray tell, is the point of that!
The perfect scenario for me is to use a URI that I own as the point of verification, that way I can have and own a certificate that is publicly accessible! So as long as you believe that my site is mine, by extension you can trust that I own and control the certificate at that URI! Please submit all ideas for this scenario here!
After fielding a few questions about security in some recent projects, I was looking at a couple of ways that security is handled within the .NET framework. I wanted to figure out how you could define, method by method, whether a user had permission to run a method within their security context. The two methods I focused on are WindowsPrincipal and PrincipalPermission.
Windows Principal
At a basic level we could implement code that verifies what role the current user is in. This method is clean and simple! Throw this at the front of each method and you're golden ... but that is not very elegant.
// Imperative check against the current Windows identity.
WindowsIdentity ident = WindowsIdentity.GetCurrent();
WindowsPrincipal user = new WindowsPrincipal(ident);
// "Admin" is the role name used here; built-in Windows groups can also be
// checked with the WindowsBuiltInRole enumeration, e.g. WindowsBuiltInRole.Administrator.
if (user.IsInRole("Admin"))
{
    // Do stuff here...
}
The Principal Permission
In the following example we have applied PrincipalPermissionAttribute, which declaratively requires the user running the code to belong to a specific role or to already have been authenticated. I learned the hard way that you also need to explicitly set the Principal Policy before calling the method or class with a permission attribute.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        try
        {
            // Without this the current principal is an unauthenticated GenericPrincipal
            // and every demand fails.
            AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
            MyTest mt = new MyTest();
            Console.WriteLine(mt.GetMessage());
        }
        catch (SecurityException ex)
        {
            // A failed demand surfaces as a SecurityException at the call site.
            Console.WriteLine(ex.Message);
        }
        Console.ReadLine();
    }
}

class MyTest
{
    public MyTest() { Console.WriteLine("Start MyTest"); }

    // Name is compared against the identity's name (a specific user);
    // to demand membership of a group instead, use Role = @"Domain\Admins".
    [PrincipalPermissionAttribute(SecurityAction.Demand, Name = @"Domain\Admin")]
    public string GetMessage()
    {
        return "My Message";
    }
}
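Added example, not from the original post: the same PrincipalPermission demand exercised with a GenericPrincipal set on the current thread, so the role check can be run and tested without a Windows domain and without SetPrincipalPolicy. The role names "Auditor" and "Administrator" are constructed, and it assumes the .NET Framework, since PrincipalPermission demands are not supported on .NET Core and later.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical class (not from the original post) with one declarative and one
// imperative role demand, so both styles can be compared side by side.
class Report
{
    // Declarative: the CLR checks Thread.CurrentPrincipal before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditor")]
    public string Read()
    {
        return "quarterly figures";
    }

    // Imperative: the same check expressed in code. Useful when the required role
    // is only known at run time (name == null means "any user name").
    public string Delete()
    {
        PrincipalPermission mustBeAdmin = new PrincipalPermission(null, "Administrator");
        mustBeAdmin.Demand();   // throws SecurityException if the role is missing
        return "deleted";
    }
}

class Program
{
    // Runs an action as a constructed principal and restores the original afterwards,
    // so one test cannot leak its identity into the next.
    static void RunAs(string name, string[] roles, Action action)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try
        {
            action();
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("{0}: denied ({1})", name, ex.Message);
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    static void Main()
    {
        Report report = new Report();

        // Auditor may read but not delete.
        RunAs("alice", new[] { "Auditor" }, () => Console.WriteLine("alice: " + report.Read()));
        RunAs("alice", new[] { "Auditor" }, () => Console.WriteLine("alice: " + report.Delete()));

        // Administrator may delete but not read.
        RunAs("bob", new[] { "Administrator" }, () => Console.WriteLine("bob: " + report.Delete()));
        RunAs("bob", new[] { "Administrator" }, () => Console.WriteLine("bob: " + report.Read()));
    }
}
```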
I am still a big IE7 fan, but I find it a little strange when Microsoft's IE phishing filter mistakes spaces.live.com for a suspicious website. Or maybe the filter was right and we should be extremely careful; is the great Microsoft kingdom divided against itself ;) Irony ... I just love the irony! Technorati tags: IE7, phishing filter
This morning I was sent some news about our company which apparently was extremely sensitive. As I was reviewing the document I was given the option of installing the Windows Rights Management software. Curious about where this was going, I clicked next and completed the installation. Apparently what I had just agreed to was the Information Rights Management of Office 2003, which allows granular control of Office related files and emails:
Using IRM in Office 2003
IRM in Office 2003 relies upon Windows Rights Management Services to provide core functionality. Nonetheless, IRM is fully integrated into Office 2003 applications, and it is a simple and natural extension of the content creation and collaboration process with which users are already familiar.
Consumption – The recipient opens the document or file as usual. Behind the scenes the application communicates with the RMS server to determine if the recipient has been given rights to access the file. RMS validates the user and issues a use license. The application renders the file and enforces the rights.
IRM in Outlook 2003 E-mail Messages
IRM can be used in Microsoft Office Outlook® 2003 to prevent e-mail forwarding, copying, editing or printing. Protected messages are automatically encrypted during transit, and when rights are assigned to the message by the sender, Outlook 2003 disables the restricted commands. Office 2003 documents attached to protected messages are automatically protected as well.
The document in question was detailing information on future mergers and acquisitions. My curious nature got the better of me this time ... never again. I actually printed the attached document, and now I wonder if big brother knows there is a rogue copy in the wild.
The online industry, both banking and retail, appears to be taking our security much more seriously. One trend that appears to be gaining in popularity is the idea of a series of security questions. This layer of caution provides for situations like a forgotten password or logging in from unusual places like Nigeria, Romania or Solihull :) when in fact you live in Portland ... or wherever! These additional security questions are useful, but I have a real problem with the concept based on one fact ... the questions are too obvious! From the samples I have seen these questions resemble the kind of things that close friends would always know about you, or even worse the kind of things people put in a public profile on Live Spaces or MySpace. Here is a sample of useless security questions in order of redundancy:
- Date of birth
- Place of birth
- Favorite food
- High school graduated from
- Pet's name
IMHO any question that serves as an ice breaker between strangers or would be found in any reasonable public profile in the Web 2.0 sphere needs to be automatically eliminated as a security question. Certainly if you have a choice of security questions, avoid the obvious ones! "There is no other way of guarding oneself against flattery than by letting men understand that they will not offend you by speaking the truth; but when everyone can tell you the truth, you lose their respect." - Nicolo Machiavelli
As is the case with most developers, we serve the dual purpose of tech support and help desk for our extended family; for me that has extended to most of the people in my church. I burned the lion's share of today disinfecting a laptop that would barely boot and that I simply refused to give access to the Internet. The owner of the laptop is notorious for infecting machines, but I think on this occasion all records were broken. I was able, this time round, to identify the source ... Morpheus!! (Notice I have not even put a link to this site, as it should be considered the gateway to the lower levels of spyware.) Morpheus is an MP3 file sharing program popular with people who know no better. It is easy to install but almost impossible to get rid of, and it attracts and/or purposefully spreads several variations of viruses and Trojan horses. During the troubleshooting stage I noticed that I was unable to run CMD.exe or Task Manager; it was pretty bad in there! After a lot of research and about 6 hours, I was able not only to rid the machine of the Trojans (all 1500+ of them), but also to get the machine up to a decent level of security. To all friends and family out there who happen to read this blog, I am going to provide the following links that will allow all of you to give any PC a reasonable level of security for FREE ... so here goes.
- AVG Free Edition - AVG Anti-Virus Free Edition is a free anti-virus protection tool developed by GRISOFT for home use.
- Spybot - Detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications.
- Adaware - Popular anti-spyware product for computer users around the world, with nearly one million downloads every week.
- ZoneAlarm - Automatically makes your computer invisible to anyone on the Internet, systematically identifies hackers and blocks access attempts.
I have been using some combination of the above software for the past 4 years and I have had zero infections during that time, coupled with just avoiding crapware like Morpheus and not going to suspect websites ... and Gmail's spam filter is the best I have ever seen. It catches more than 99.9% of all spam without blocking friendly email, not sure how! My Hotmail account treats everything as suspect until I send or respond to the email address. Safe Surfing!! "Silence is a source of great strength." - Lao Tzu
OpenID is a digital identity system where users' identities are defined by a URI. Its chief concern appears to be removing the need for individual sites to maintain and provide disparate authentication methods (userid, password, etc). Instead, the various sites authenticate against a trusted site that supports OpenID, called an Identity Provider (IdP). With Microsoft announcing support for OpenID within CardSpace I think we are going to see a heavy shift towards OpenID very soon, and this is good for all of us. I personally have over 30 user names and passwords, or at least 30 that I can remember. Anyway, writing about this topic is not as useful as seeing it in action, so visit this screencast by Simon Willison. There is also a Hanselminutes podcast that mentions this stuff, but the screencast is much more direct (Carl Franklin just interrupts far too much). Here is a list of the IdPs I have found:
- MyOpenID.com
- Videntity.org
- GetOpenID.com
- TypeKey
- MyLID.net
- VeriSign's claimID.com
- idproxy.net
- ProtectNetwork
- openid.nabber.org
- ideelabor.ee/openid
"Eighty percent of success is showing up." - Woody Allen
When it comes to security there are certain companies that simply cannot afford a high profile snafu. My company, for example, is into eBanking and so we have really strict security requirements. While I believe in the real world nothing is 100% safe, not even the bank vault that holds the money, it is important to at least rid yourself of low hanging fruit! Most thieves want maximum impact with minimum effort and time. Having previously worked for an IS company in the health care industry, patient information was by law supposed to be treated like nuggets of gold, and we, the IS department, were to act like leprechauns running from all the people that wanted to make a quick buck. In industries such as these it is not always the Social Security Number that allows the bad guys to do bad things; it is a composite of apparently mundane information that can provide enough of a foothold for someone to get even more critical or damaging data. A manager I once had described it in military terms. For example, if the army started stockpiling socks and army boots for 2 months, this information by itself would appear harmless. Well, what if we also found that they were stockpiling rations, and that they expected an increase in water per soldier? The pieces of data may lead to a conclusion that should have been classified, e.g. increase infantry troops in the Middle East, or wherever, or even whatever. The point is information in all its forms should be secure. Use of notebooks and laptops has ballooned over the last few years, and while our connections are secure and passwords 20 characters long, simple theft is still an issue. Pointsec provides industry leading encryption software; some of their sales info suggests that "60% of information theft results from lost or stolen equipment; only 25% from network intrusion. In short, every laptop, PC, PDA or smart phone is a potential weak point - unless you have Pointsec encryption software." Something to think about!
"The secret of getting ahead is getting started." - Agatha Christie
A while ago Sony made a poor attempt at securing the intellectual rights of its artists and only managed to alienate itself further from the patrons that have made it so wealthy. I think it is always dangerous when you automatically assume that your customers are criminals. Anyway, the firestorm is concluding with litigation of course, and it looks like a settlement is close. Thank goodness for super geeks who have the time to discover that we are letting a Trojan right in through the front door, albeit a great sounding Trojan that you can dance to! p.s. I wish everyone a prosperous new year! "Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws." - Douglas Adams
I was sent an email today that briefly described a job that I thought might be useful for a close friend. This email contained basic information on the job description, location, pay etc ... normal job listing kinda stuff. As I use Gmail I was given a couple of ads suggesting that I also go for a job or two, and a "Map this" option. At first I thought this was useful and harmless enough, until I started to look at the fact that Google was looking into my email and trying to pull out information that was relevant to anything it owns. This might be fine as long as it did not store that kind of information permanently?! Wrong! Google is storing it ... in fact it stores every single query I have done in Google Search History. Imagine my surprise as I was able to review every query I have run in Google since January of this year, which coincidentally was the time that I decided to sign up for more Google services. The definition of a free email service has just changed for me. They do provide you with the ability to pause and even switch off the service; I am just wondering if they will still be collecting the data somewhere. I did not realize that I need to assume someone else is actually capable of reading my emails, searches, and spreadsheets. Google is still the darling of the press, but I think just one mistake with this kind of information could be quite bad for public relations. AOL is still reeling from its little information snafu.