June 29, 2006
June 29, 2006 (Computerworld) -- A missing laptop and hard disk containing personal data on over 26.5 million veterans has been recovered, Department of Veterans Affairs Secretary Jim Nicholson announced this morning.
"The investigation continues to see whether or not this information has been compromised in any way," or whether copies of the data have been made, Nicholson said just before a scheduled hearing before the House Committee on Veterans' Affairs. He later said that initial FBI forensics tests indicate the data on the laptop and disk has not been improperly accessed.
This is excellent news, especially if they are correct and can determine that none of the information was copied or accessed improperly. This doesn't mean the VA can go back to business as usual, but this will take a great weight off the shoulders of millions of our veterans.
June 13, 2006
Before opening your email program/client/browser to check your email PLZ update your anti-virus software so that you can catch this worm. Please note, If you're a yahoo messenger or music subscriber it's also attempting to come in through the launch applications in those programs.
Since Yahoo and Symantec (and one assumes the rest of the AV community) now have signatures for this thing - it would be best to update yourself before you become infected.
So what does this do?
Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site." Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo e-mail contact list. The harvested e-mail addresses are also sent to a remote online server, which Symantec suspects may use the information for spam campaigns.
Gotta love a worm that works with no outside help except opening the email, very efficient.
It appears that the perpetrator of this worm may be harvesting email addys for spam purposes since it doesn't seem to cause any other problems on the system. If I'm reading this right, it will activate if opened from the Yahoo email screen. There is no information about what might happen if you (like me) pull your online emails down to an email client on your own system such as Outlook or Thunderbird. I have a feeling that negates the effect of this worm as it would not have access to the Yahoo email address book.
Please note this point from the excerpt above...
"the computer becomes infected and the worm spreads itself to people on the Yahoo e-mail contact list"
Yes, this is being sent around by people you know! I'm sure this gave it some momentum at first. Although I expect it to quickly die out with the Yahoo patch in place. (users of Yahoo don't have to do anything - they've patched it on their system and that's what was needed.)
Once again, it has been demonstrated that we are always playing catch-up in the world of worms and virii. When a new iteration of something is released, it will cause havoc of varying degrees until we can find a way to stop it. Even if you are diligent and are continually updating your virus signatures. You too may get stuck in what is termed the "zero day" effect. The attack is released, but it isn't yet known, nor is there a cure. This doesn't mean you shouldn't take precautions, it simply means to expect that even while doing all the right things... bad sh*t happens.
UPDATE: In the comments Harvey was wondering how this works. After all, you just open an email, you aren't opening an attachment, so nothing should be executed... right? Well, apparently not in Yahoo mail. From The Register we have just a couple of sentences that might clear things up to just slightly less opaque than mud.
The JS-Yamanner worm spreads when a Windows user accesses Yahoo! Mail to open an email sent by the worm. The attack works because of a vulnerability in Yahoo! Mail that enables scripts embedded within HTML emails to be run within a user’s browser instead of being blocked.[emph mine --ed]
Hope that helps people understand a little more about it.
June 12, 2006
In that old battle of the wills between young people and their keepers, the young have found a new weapon that could change the balance of power on the cellphone front: a ring tone that many adults cannot hear.
In settings where cellphone use is forbidden — in class, for example — it is perfect for signaling the arrival of a text message without being detected by an elder of the species.
"When I heard about it I didn't believe it at first," said Donna Lewis, a technology teacher at the Trinity School in Manhattan. "But one of the kids gave me a copy, and I sent it to a colleague. She played it for her first graders. All of them could hear it, and neither she nor I could."
Okay I have played two different online playbacks of this. In the first one which I found at The Register - I could just make out something very annoying amongst the crowd noise. I think part of the problem is that it's a recording within a room. Like most recordings, the quality isn't good. If I were in the same room with the phone - I would hear it clearly rather than "feel" it at the top of the range.
In the second one from the New York Times page (first link at the top) - I clicked on the mp3 link on the left sidebar under the picture... and the top of my head about came off. Best way to describe it? It's like having your eardrums pierced with a dental drill. (except the pitch is much higher).
I wonder how kids can stand that! This is the same hideous noise I hear in some jewelry stores. I've been picking up on it since I was a kid (yeah over 40 years ago) - and I seldom browsed those stores because the sound is worse than nails on a blackboard as far as I'm concerned. I always thought it was a poorly tuned alarm system causing the noise.
Whenever I get stuck in a store with this type of sound I can barely concentrate and I certainly can't shop - my goal is to leave as soon as possible.
So, how about it - can you hear the tone?
June 10, 2006
Just thought I should add that after my post about the email services. If I get really ambitious I will put links to both of these on my sidebar.
June 09, 2006
Head on over and read all about it or too could be looking at errors instead of browsing your favorite web sites!
I was just over at blog brother _Jon's place reading his post about Gmail. And after writing nearly a book in his comments, I decided I should just make it into a post of its own. First go read his post and then come back here for my comments.
The first thing to remember about ANY web based email be it Gmail, Yahoo, Hotmail, or even through a provider like Comcast or Charter, they all keep backup copies of email - all of them. Mainly for restoration purposes in case of a crash, but nevertheless, there is always a copy somewhere. And these databases of email are searchable. They can and have been subpoenaed by law enforcement. Also, since you have no direct control over that database, there is no way to ensure that your email is not being scanned for keywords with ANY of these services.
That is a fact of life. Even if a company tells you flat out "we don't do that", you have no way to verify that this is true. NONE! I've said it before and I will say it yet again.
There is no such thing as "private email".
Even if you encrypt your email, the person at the other end must unencrypt it to read it - once the email is in plain text, there is always the possibility that it could be copied by anyone who can access the computer. This could be direct physical access or a compromised computer being accessed by a hacker (maybe even a "bot" making copies of your email and sending them to a server somewhere in the world for nefarious purposes)
With web based email, there are even more security issues. People can and do break into accounts and use them for their own purposes or read your emails, and maybe even send bogus emails to others. Yes it has happened.
Other security issues with web based email fly pretty much under the radar. For instance take this Gmail security flaw from back in 2005.
The programmers, part of a community site dedicated to the Unix-like FreeBSD operating system, found that an improperly formatted address allowed Gmail users to retrieve the message body of the last HTML-formatted email processed by the server.
"The result is a compromise of the privacy of communications over Gmail," the two programmers stated in their write-up of the problem. "Message content and address information are easily -- if somewhat randomly -- available to unintended recipients."
Oh yes, it was fixed, but there are always others and you seldom, if ever, hear about them. Gmail is not the only one that has security issues, here's a Yahoo problem also from 2005.
Yahoo has fixed a security flaw in its free Web-based e-mail service that opened the door to phishing scams, account hijacks and other attacks.
The flaw, known as a cross-site scripting vulnerability, existed because Yahoo's Web site did not detect certain script tags in combination with certain special characters, according to SEC Consult, which issued an advisory on the flaw Friday.
These and other security issues with email servers and clients are the primary reason why email is seldom if ever used in business contracts. While it's true that you can create secure signatures with products like PGP it is not in common use in the "regular user" world of the internet. Most people have never even heard of "digital signatures".
Email is simply not a secure medium. It is scanned and backed up for various reasons by the site where it is stored. It is used in court cases. The courts have also decreed that work email belongs to the company, not the sender or receiver - therefore any email you send or receive over workplace servers is automatically theirs to do with what they will. Never entrust sensitive data to any email you send out. It's just asking for trouble.
What does one do? Use an email service you feel comfortable using. If Google's dealings with China bother you, look for another provider, just remember that Yahoo, and Microsoft also have dealings with China that you might not like, they just don't make the same headlines Google does.
If you have any sensitive information, it should be mailed via snail mail or faxed or even sent out in a form on a browser SSL secured page. Never ever emailed.
That covers a little bit of this issue. Remember there are entire security books written about these things. One small post can not possibly cover everything or even make a dent.
What I want people to do is to look at email for what it is, a convenient yet insecure way of communicating with others. If you consider it to be the same thing as standing in a crowded store and having a conversation with someone else, you will be a little more careful in how you use it... or not... it's up to you.
June 02, 2006
Today I did some searching and I found this lovely blog post on getting Spellbound to work with Firefox 1.5.*
If you have an older version of Firefox, you can find Spellbound here.
If you have upgraded to Firefox 1.5.* and you would like to have a spell checker that works with it - much improved over the above version - head over here and follow Marc's directions.
Spell check doesn't catch everything, but it sure does help!
71 queries taking 0.0164 seconds, 255 records returned.
Powered by Minx 1.1.6c-pink.