The Seattle Times Business & Technology

News, analysis and perspectives from the
technology team at The Seattle Times.


October 15, 2007

More Seattleites fear online ID theft than physical crime

Posted by Benjamin J. Romano at 5:26 PM

Computer security and safety advocates are gathering Tuesday to promote Internet safety in Seattle. Didn't you know that October is National Cyber Security Awareness Month? Be careful out there. The event is at the Seattle Public Library downtown beginning at 10 a.m.

To draw attention to the shindig, which will include Microsoft and Washington Attorney General Rob McKenna, the National Cyber Security Alliance released a survey of attitudes toward online safety nationally and in select cities, including Seattle. Security software vendor McAfee teamed with the NCSA on the study, so take it with a grain of salt.

Some interesting findings from the Seattle survey, which polled roughly 200 people, ages 18 to 49, online:

-- 22 percent of respondents or someone close to them were victims of an Internet crime or identity theft in the past 12 months.

-- More people (42 percent) are concerned about Internet crime, such as identity theft, than physical crime, such as robbery or stabbing (29 percent).

-- Time spent online in an average day:

3 hours or more: 51%
1 hour to up to 2 hours: 21%
2 hours to up to 3 hours: 17%
30-59 minutes: 8%

-- Computers in the home:

1 computer: 37%
2 computers: 35%
3 computers: 15%
4 computers: 4%
5 or more computers: 8%
I do not have a computer in my home: 2%

-- Not surprisingly, most of us think we're either "intermediate" (54 percent) or "advanced" (10 percent) when it comes to knowledge about cybersecurity. About 36 percent described their knowledge as "beginner."

May 30, 2007

CRN test: Vista security marginally better than XP

Posted by Benjamin J. Romano at 1:50 PM

This does not appear to bode well for Microsoft's unrelenting security sales pitch:

"After a week of extensive testing, the CRN Test Center found that users of Windows Vista and Windows XP are equally at risk to viruses and exploits and that overall Vista brings only marginal security advantages over XP."

CRN took Vista and XP "into the wild, wild Web" with only the default security settings of both operating systems enabled. Here are some highlights from the report:

During testing, some 20 viruses were encountered. Neither OS blocked any of them.

"Vista's Windows Defender, which is designed to detect various malware, gives the new OS a slight edge over XP when detecting spyware and adware sites," CRN reported.

Vista blocked one trojan, but allowed another that was identified in September 2006, before Vista launched. XP let both trojans through.

In all, CRN performed six tests.


February 7, 2007

RSA: What's your secret password?

Posted by Benjamin J. Romano at 11:49 AM

SAN FRANCISCO -- Look around your computer. Chances are good there's a yellow sticky note somewhere with a password on it, especially if it's a long, complex password with numbers and letters and maybe symbols -- the kind that's typically assumed to be harder to crack or guess.

But that sticky note represents a greater risk to your company than the code-cracking attack that the long passwords are designed to defeat in the first place, said Dan Houser, principal architect for security at Huntington National Bank.

"The longer, more complex you make a password, the more likely it is the user will write it down," he said to an audience of information security professionals at the RSA Conference here.

A password breach is more likely to occur through disclosure -- with someone looking at the sticky note or "shoulder surfing" as the user enters the password -- than through code cracking, he said.

Therein lies the rub.

He said 10 percent of users will write down their passwords no matter what.

"That doesn't mean they're sticking them on their forehead. They might be actually putting them in a locked file cabinet, but 10 percent of them are probably violating policy at any given moment and writing down their passwords," he said.

Another 45 percent never write them down. And the remaining 45 percent are more likely to write them down as they grow in complexity.

"Controls to prevent password cracking and guessing have an inverse relationship [to] disclosure, which is why there's a problem here," he said. "It's in the wet ware" -- as in software, hardware and you, the wet ware.

Houser's solution: simple, six-character passwords that the user can remember without writing down. He suggests acronyms instead of common words or sports teams that can be quickly found by dictionary programs.

Still, would-be password thieves lurk in every corner.

In a keynote speech yesterday, RSA executive Art Coviello complimented Bill Gates for his performance in leading the industry on this issue during a nationally televised interview last week.

Coviello showed a clip from Gates' appearance on "The Daily Show with Jon Stewart" in which Stewart asked Gates point-blank for his password.

"You don't have to answer that," Stewart said. "Is it Gates?"

Then he snooped some more.

"Do you have pets? ... Did you ever have a pet when you were young? ... What was the pet's name?"


February 6, 2007

RSA: Symantec chief on Microsoft security

Posted by Benjamin J. Romano at 11:04 AM

SAN FRANCISCO -- John Thompson, chairman and CEO of Symantec, took the stage here shortly after Bill Gates to deliver a keynote speech that included several digs at Microsoft and its new operating system, Vista.

Symantec, one of a number of large security companies to squabble last fall with Microsoft over access to elements of the Vista kernel used in building security software, makes products that compete directly with new security offerings from Microsoft. Microsoft made some changes in response.

Thompson, outlining his vision for the future of the industry, said new technologies will inevitably be needed to solve tomorrow's security threats. Referring to Vista, the operating system Microsoft is billing as its most secure ever, Thompson said:

We should also not assume that a less vulnerable operating platform provides adequate security against tomorrow's threats. Did you get that? Instead, we need to constantly innovate and develop new solutions to keep pace with the evolving risk to enterprises and consumers alike.

Thompson said it takes more than one company to provide the range of security solutions in demand today.

No one company is going to secure everybody and, certainly, no one can do it alone. No company is so dominant or so all-knowing that it can provide the level of confidence needed throughout the entire online world. ... More than that, who would trust one company to do all of this and everything for them? Think about it: You wouldn't want the company that is keeping your books to audit your books. That same logic should apply. You wouldn't want the company that created your company's operating platform to be the one that's securing it from a broad range of threats. It's a huge conflict of interest.

RSA: Super Bowl of security

Posted by Benjamin J. Romano at 8:17 AM

SAN FRANCISCO -- Overheard at the RSA welcome reception Monday night: "We would've had Bears jerseys if they'd won. Like, hey, defense, talk to us about defense."

But that defense didn't quite hold back the attackers, er, Colts, so it was probably a good marketing move to leave the jerseys in Chicago.

"There's always next year."

RSA: These guys can break the bank

Posted by Benjamin J. Romano at 7:44 AM

SAN FRANCISCO -- The RSA Conference 2007, a gathering of 15,000 computer security professionals, is getting under way this morning with keynote presentations from Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie. Their topic: "The Imperative to Connect: Advancing Trust in Computing." Also on the agenda: Executives of EMC's security division, RSA; John W. Thompson, chairman and CEO of Symantec; and a panel of cryptographers.

So who's here? Presumably, at least some of the attendees can step up to the consumer-facing Web site of a fictional bank -- Big Safe Bank -- and do some damage. The attackers in this fictional scenario are given some "helpful information," including customer ID numbers, account numbers and passwords.

Here are five tasks laid out as part of the conference's interactive testing challenge. I imagine most attendees would say they're here to stop people from doing these and other nefarious things.

Find a way to impersonate a user when sending a message using the "Contact Us" feature.

Create a new account and escalate user privileges by exploiting the Web site's vulnerability to a SQL injection.

Execute a phishing attack that would cause an actual user to unknowingly transfer money to a West Indies Bank account.

Transfer money to the West Indies account without any intervention from the victim user.

Borrow money past the user's allowed loan amount.



December 4, 2006

Washington spyware scam

Posted by Kristi Heim at 2:14 PM

So what exactly is Washington's spyware law? The law "makes it illegal to induce computer users to download software by falsely claiming the software is necessary for security purposes," according to Attorney General Rob McKenna's office.

But the company that McKenna's office investigated didn't stop there. Its free scan always detected spyware, even on a clean computer (then pitched a $50 software download to remove it). But when tested on a computer infected with spyware, its cleaner failed to detect it. Then the program erased the file needed to store blocked Web addresses, making the computer even more vulnerable.

As a result of the investigation and lawsuit, McKenna reached a $1 million settlement with New York-based Secure Computer to resolve the state's first spyware case on behalf of the estimated 1,145 state residents who purchased the products Spyware Cleaner and Popup Padlock. More information is here.

Secure Computer has agreed to send information on refunds to its Washington state customers. The message will be titled "Secure Computer, LCC Refund Program." While that message sounds suspiciously like spam, victims of the spyware scam will need to reply to this email to get their money back.

One last word of advice from McKenna: Ignore requests for personal information when replying to the e-mail. Oh, and if your computer is frozen because of all the viruses Spyware Cleaner allowed in, you can call 1-800-551-4636.

November 22, 2006

AG announces pop-up settlement and refund

Posted by Kim Peterson at 12:00 PM

People in Washington who bought the software program QuikShield Security may be getting some money. The attorney general's office has settled allegations that a New York man sold the software through pop-up advertising that appeared to look like alerts from Internet Explorer -- a method that is illegal in the state.

After a three-month investigation by a high-tech unit within the AG's consumer protection office, the man -- James Lane -- has agreed to fully reimburse Washington consumers who bought the program. Lane hasn't admitted to any fault in the agreement, though.

Here's what the smarmy pop-up ad said: "Security alert -- your computer is vulnerable to receiving excessive popup ads. Would you like to install a popup blocker to prevent popup ads from appearing on your screen?"

As if that wasn't bad enough, any attempt to close the ad launched a Web site offering to install QuikShield free. Anyone agreeing to that opened their computers to numerous additional pop-ups that resembled critical system warnings.

If you purchased QuikShield, you can request a refund in the next 45 days by filing a complaint with the AG's office. (You can file that online). You can also call 1-800-551-4636.

November 16, 2006

Russian bots causing increase in spam

Posted by Kim Peterson at 10:11 AM

Have you been seeing an increase in spam lately? That may be because Russian hackers have gained control of 70,000 computers to create a vast bot network through which to send the messages, eWeek reports.

Those computers are infected with a virus that, remarkably, cleans other bad viruses from the machines so it can have full run of the place.

November 1, 2006

Pure Networks gets Symantec to sell its products

Posted by Kim Peterson at 2:34 PM

Seattle's Pure Networks, which makes home networking software, has nabbed a big sales partner in Symantec. The security software company said it will sell Pure Networks' Network Magic software to its users.

Network Magic helps people set up and maintain their home networks as well as keep them secure, according to Pure Networks.

October 3, 2006

How safe is your browser?

Posted by Mark Watanabe at 1:35 PM

Chris Borowski, who is contributing to The Seattle Times' D.C. coverage as part of Northwestern University's Medill News Service, went to a Symantec news conference this morning on the company's most recent Internet Security Threat Report. Here's Chris' report:

WASHINGTON -- Firefox may not be as safe as many users had hoped, according to a report released by Symantec and discussed at a news conference here today.

In the first half of 2006, Firefox and its Mozilla siblings had the highest number of possible vulnerabilities, or potentially exploitable holes in its software, with 47, the report said. That's almost three times the number reported in the second half of last year. Symantec mostly blamed the rise on Firefox's growing popularity.

The number of vulnerabilities in Microsoft's Internet Explorer, used by more than four of five Internet users, rose 52 percent to 38.

Apple lovers also have reason to worry. There were 12 holes reported in the Safari browser.

But vulnerabilities do not necessarily lead to security breaches and are usually fixed with patches. Here's where Mozilla stands out. Mozilla's window of exposure -- or the time between the announcement of the vulnerability and a vendor-supplied patch (minus number of days before an appearance of an exploit) -- was just one day. Microsoft lagged behind with nine days, still a great improvement over the 25 days it took to patch holes in the second half of 2005.

There is another bright spot for Microsoft in Symantec's report. Among operating system vendors, it had the shortest patch development time with 13 days, tying Red Hat. Sun trailed far behind with a whopping 89 days, according to Symantec.

For the full report, click here.

August 9, 2006

AOL searcher #4417749 revealed

Posted by Kim Peterson at 10:33 AM

The New York Times took the list of user searches that AOL briefly made public this week and tracked down one person based on their search terms.

Searcher #4417749 is Thelma Arnold, a 62-year-old widow in Lilburn, Ga., who had researched topics like "numb fingers" and "dog that urinates on everything."

The mini-investigation shows how easy it could be to pin down someone's identity based on their searches. It might give the other 600,000 or so users whose searches were posted something to be alarmed about. AOL has taken down the data, but other sites have archived the data and made them available online.

August 7, 2006

A hard lesson for AOL

Posted by Kim Peterson at 12:11 PM

Search researchers are meeting in Seattle this week for the SIGIR conference, and in advance of the event AOL researchers decided to release the search logs of about 650,000 users over three months.

Bad move.

Although the search logs were ostensibly anonymous - users were identified only by a number - the move raises questions about whether you can get information about a user based purely on the content of their searches. AOL has removed all the data that caused the uproar, but one person who reviewed the file said there were searches for specific names, addresses and telephone numbers.

This blog reports the searches done by User #17556639. The queries include: "how to kill your wife," "photo of dead people," "murder photo" and "steak and cheese."

Barry Schwartz of Search Engine Watch says this isn't the exact type of information that the Department of Justice requested from search engines over the past year. The DOJ just wanted to see a list of searches, and not a list of searches that were tied to a specific user.

Zoli Erdos wonders what the potential is for identity theft among the 650,000 AOL users whose searches were included in the data.

AOL spokesman Andrew Weinstein didn't mince words in the company's response to the issue this morning: "This was a screw up, and we're angry and upset about it," he told Reuters. "It was an innocent-enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant."

April 11, 2006

Microsoft patch time

Posted by Mark Watanabe at 4:18 PM

It's the second Tuesday of the month, meaning it's time for the monthly security bulletin from Microsoft. This month's collection consists of five updates involving several products, including Windows and Internet Explorer.

CERT, the federally funded security research center operated by Carnegie Mellon University, released details about the Windows and IE vulnerabilities.
