March 31, 2008

Geeky... Yes That's Me

So the class I'm taking on Mondays is a geeky computer prep class for a certification test. I enjoy taking classes - in person - NOT via computer.  It's been so long since I've taken a good class, I nearly forgot how fun it is. There's something about the give and take of conversation that adds so much to the learning.

And as it's been so long since I've taken a real "class", I forgot how much the people amuse me. There are 25 men and me. I must say I was surprised because I expected a few more women, but there it is. The guys range in age from 2 or 3 in their late 20's to mostly 30's and 40's with a couple of older ones. They all have interesting jobs - a few of which I rather envy.

We're in a large room and everyone sits well spaced (somewhat...) and pretty much heads to the same location each class.  Then (naturally) with all that space, someone has to sit directly behind me.  *sigh*

Of course we have all the accoutrements that might be expected with a classroom full of geeks. It should go without saying that there are several laptops fired up in the course of the evening - I have yet to figure out why as no one seems to be typing to take notes and they don't appear to be online browsing either - odd.  The guy who doesn't turn off the ringer on his phone until the 3rd time it rings, the guy who brings his dinner in with him and eats at his chair (instead of in his car) before class starts - munching away contentedly and loudly, the guy who brings snack food in crinkly cellophane and sits behind me, eating and kicking the back of my chair.  The guy who seems to be new to this area of computerese and thus asks many questions I find surprising.  I'm trying to figure out if he'll pass the test or not - oh what the hell... I'm trying to figure out if I'LL pass the test or not.  Heh.

As for me - I can't sit still.  I'm constantly moving about in my chair.  First of all because I am nearly always uncomfortable in conference room chairs (and this is basically a large conference room with chairs and no writing tables).  Second because it makes me jumpy when there's plenty of space in a room and someone sits directly behind me... don't know why this is and it doesn't matter if it's a man or woman.  If the room is crowded, it doesn't bother me. 

The guy teaching the class is good.  He's been able to get some of the people talking (a major accomplishment from guys who would much rather send email than speak to people). And he knows his stuff, even though he claims to have little knowledge of certain aspects.  He's "teaching to the test" which is exactly what I was looking for.  All in all, it's been fun and we're only half way through. 

I'll have to see how the test goes.  This has made me start thinking I might like to go back to school again for a while.  But we'll see.  First I have to figure out if my brain cells still work.  I'm not so sure at the moment - only the test results will tell. That's not until the end of May.

Posted by: Teresa in WebTech at 10:28 PM | Comments (4)

March 27, 2008

Maybe This Explains It

A while back I was doing an update of QuickTime and not paying close attention. So, I got iTunes too. Well... so be it. I use it to download free podcasts which is pretty nice with the subscribe feature.

In any case, the other day I got a notice that I could "update iTunes for Safari".

What? I'm not running a Mac, so what's the deal?

Apple grants Windows PCs the right to run Safari for Windows

Ah, maybe they were preemptively trying to mess things up so I would have to run Safari or maybe it went out to everyone.  I have no idea. 

I wonder how many people without Safari installed the update.  I also wonder if it broke anything on machines not running Safari.  I'm gonna take a wild guess and say yes.   Mind you - it's only a guess - based on the experience of updates over lo these many years.  Update for software not on the system?  Nearly always a problem.

Well, I like my Firefox and have no wish to change it. Period.  I'll have to be careful and make sure I don't accidentally end up downloading Safari the next time a security update comes around.  *sigh*

Posted by: Teresa in WebTech at 11:26 PM | Comments (4)

March 25, 2008

This Is A Public Service Announcement

I have read a couple of posts today about some good people who have had bad things happen to them.  Therefore I decided maybe it was time for a post about these things as they both are related to computers and the internet and how easy it is for bad things to happen.

Please note - I don't know all the details of either dilemma. What I want to do is post a few general safety rules to follow using their stories as a jumping off point. 

While these might keep you safe, you must be looking for other ways bad things can happen... because if there's one thing we know for sure - things are always changing. It would be impossible to list everything that might go wrong and cause you no end of headaches to get fixed.

Also, do not take this to mean that it's too dangerous to do business over the internet.  If done properly, it is pretty safe and in some cases even safer than via the post office.  (in the case of the US Mail though, you have many laws on your side to help keep crime at bay)

First we find out that Fausta has been hit with a Skype hijack.

Today at 7AM Eastern I received a message saying that my Skype password had been changed. I immediately went into my account, reset the password through my email faustaw@yahoo.com and signed into Skype again.

About half an hour later I received another Skype message saying the password had been changed again, but this time my faustaw@yahoo.com password had been changed also and now I can not use either that email address or my Skype account.


I'm not quite sure if she went to her yahoo account from the email she received or not... but here are the rules - please read them and try to follow them.  I know we all forget (I've even forgotten them a time or two and gotten away without a problem).  As I wrote in Fausta's comments - with a couple of additions:

  • NEVER click on a link sent via email telling you to change your information - EVER... this cannot be stressed strongly enough! Even if you trust the sender!
  • Have a bookmark (in your own bookmark folder) available for all places you do business (for example, Skype's home page). Use it every time you want to contact the business, even to pay the bill.
  • If you don't have a bookmark, then type in the URL directly for the homepage of the business, if you know it, or Google it!
  • Never retype a link sent in the email itself. It could be one that is "close" but not quite spelled the same and you might not catch it, so even by typing it in you can be redirected.
  • If you receive an email telling you something on your account has changed, look on the business web site and find the email address to report abuse, send the email to them (as an attachment so the headers are not lost) and ask if the email is from them!
  • If your account password has been changed and you did not do it, contact the company directly through their website.  Your account has already been compromised so there is nothing you can do at this point. They need to clean it up.
Yes, it's all a royal PITA. 

Then we have Gayle who had money taken from her bank account...

...Finally, in frustration, I canceled the DirectTV Service and went with Cox Cable.

Imagine my surprise when I checked my bank balance this morning and discovered that the money needed to pay for my car repairs which had been resting quietly in my bank account, was suddenly GONE due to DirectTV, without authorization and without my foreknowledge, raided my bank account for $257+!


As I told Gayle in her comments, never set things up so that a business can directly deduct money from your bank account - "automagically". 

Take the time once a month and pay the bills.  If you must, then use a direct ONE TIME withdrawal to pay that month.  A better idea, if possible use a credit card that you can then pay off via a bank direct payment.  This way, if there is a disputed charge, you can get the credit card company to help settle things.  It's also much easier to tell a credit card company that a payment should be stopped... and get it stopped!  With a bank, most people have to close the account they were using and reopen under a different number.  It's a tremendous inconvenience. 

Once you give a business the ability to deduct money from your account - you've given them the keys to the kingdom.  As in Gayle's case, if you have a dispute, they'll simply take the money without your consent. 

With more people paying bills online, this is definitely an issue of the moment. 

Posted by: Teresa in WebTech at 08:17 PM | Comments (5)

March 21, 2008

How Does Your Brain Work?

I ran across 2 stories today. It's rather odd how the world works at times. As if it was meant...

From Bruce Schneier we go

Inside the Twisted Mind of the Security Professional

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.


While my brain is not quite as devious as Mr. Schneier's, I can switch back and forth in my view of the world. I am able to walk into stores without checking out the various glaring security lapses... but if you ask me to think about it, I can most certainly jump directly into that mindset. I may not pick up quite as many vulnerabilities as he does (I am willing to concede I am not anywhere near him in terms of brilliance) but I bet I could find a goodly number.

As it is, I have gotten sighs of "geeze lighten up, you're worried about nothing" far too often in my life. I've always (even as a child) tried to have plans and back up plans and even double back up plans in case something fails.

It is definitely a mindset. It's one I find most people do not possess and they don't understand.

Which leads me to the big breaking news of today.

Contractors Fired Over Candidate Passport Breach Worked for Va. Firm

Hillary Clinton and John McCain were informed that their files were improperly accessed not long after Secretary of State Condoleezza Rice apologized to Obama for a similar incident. The two contractors were fired, and a third was disciplined, after his records were inappropriately accessed on three separate dates this year.


This is a failure of security in multiple areas.  Of course we don't want anyone and everyone snooping around in our records.  I can also see many people saying "well what's the big deal... so someone looks at passport records... so what?"

I'm not in a huge panic (they aren't my records after all - how's that for cynicism) that the passport records of "the big three" have been compromised, but I'm concerned. The glaringly obvious point is that we have a security problem tied into the passport records of everyone, not just those running for President.  I highly doubt, if someone snoops my records, I'm going to get a call of apology from Condi Rice.

Think about how you secure this. It's not as easy as you might think.  All of the people caught were cleared to work with passport records.  It's not like someone broke in from the outside. They had the ability to look at any record - the tacit assumption was "they will only look at the records they are supposed to look at". 

McCormack said the Clinton breach occurred in summer 2007 during a training exercise in which employees were asked to search the electronic file by entering a name. While the employees were encouraged to enter family names, one employee entered Clinton’s name.


This was bound to happen.  You have training going on and instead of using a training database, or ordering them to use specific names, they "saved money" by using the real database and counted on the people they were training to conduct themselves in a certain way.  Why would they do that?

Because, in the same circumstances, the people doing the training would follow instructions and enter a family member's name.  For any one of a number of reasons, it would never occur to them to enter the name of a celebrity or government official.  Like most people in the world, they believe everyone thinks the same way they do and everyone will act the way they do.  To a security person, this is a glaring affront to any type of logic or reason, yet it happens all the time. 

The real questions we should be asking are the following: What about the passport information of people who are not high-profile enough to warrant a flag?   What if one of these employees has an ax to grind with a relative or other acquaintance?  All they have to do is find them in the database and voilà! They can get all their information in one fell swoop.  What if they have an unknown affiliation with "bad guys"?  How easy is it for the "bad guys" to get them to tap into certain records and pick up or even change information?

Perhaps it would be a good idea to go over the types of data classifications. 
  • unclassified
  • sensitive but unclassified
  • confidential
  • secret
  • top secret
The way it's supposed to work is you can access data at your level of classification or below - but only on a need to know basis.  The need to know is what failed in this instance. These people were cleared to look at data in this category, but they had no need to know and therefore they should never have looked at the records. If you think about it for a moment, they have no need to know the information about family members either!  Yet the training uses "family members" as if they are fair game.  I see no reason why this should be the case.
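The rule above, as an added example (not from the original post or any State Department system): a Python sketch in which access needs both enough clearance and a recorded need to know, and every request for any record, not only flagged names, lands in an audit log. The `AccessMonitor` class, the `assigned` work-item set, the record levels and the sample users and record ids are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # The five classifications listed above, lowest to highest.
    UNCLASSIFIED = 0
    SENSITIVE_BUT_UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Record:
    record_id: str
    level: Level


@dataclass
class User:
    name: str
    clearance: Level
    # Hypothetical need-to-know source: record ids on the user's open work items.
    assigned: set = field(default_factory=set)


@dataclass
class AccessMonitor:
    audit_log: list = field(default_factory=list)

    def request(self, user: User, record: Record) -> bool:
        """Allow only if clearance covers the record AND the user needs it."""
        if user.clearance < record.level:
            decision = "deny:clearance"
        elif record.record_id not in user.assigned:
            decision = "deny:no-need-to-know"
        else:
            decision = "allow"
        # Every request is logged, not just those for flagged names.
        self.audit_log.append((user.name, record.record_id, decision))
        return decision == "allow"

    def violations(self) -> list:
        """Requests a reviewer should look at, whoever the record belongs to."""
        return [entry for entry in self.audit_log if entry[2] != "allow"]


def demo() -> list:
    # Constructed sample data: ids, names and levels are made up.
    ordinary = Record("passport-0001", Level.SENSITIVE_BUT_UNCLASSIFIED)
    sealed = Record("case-0002", Level.SECRET)
    clerk = User("clerk", Level.CONFIDENTIAL, assigned={"passport-0001"})
    trainee = User("trainee", Level.CONFIDENTIAL)  # cleared, nothing assigned
    monitor = AccessMonitor()
    monitor.request(clerk, ordinary)    # cleared and assigned
    monitor.request(trainee, ordinary)  # cleared, but no need to know
    monitor.request(clerk, sealed)      # not cleared at all
    return monitor.violations()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The trainee case is the one from the story: clearance alone passes the first check, and only the need-to-know check stops the lookup and leaves a trail.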

Once again - what are the checks in place to keep this from happening to regular everyday citizens?  I'm going to take a wild guess and say that there are none.  I might be wrong about that - but this one little sentence tells me there is no protection for any American who is not considered important:

McCormack said the Obama violations were detected by internal State Department computer checks, which flag certain records of high-profile people when someone tries to access the records improperly.


You will note the term high-profile. I'm not even sure what they mean by that.

Of course there is a security report card on government computer security... it comes out every year.  Every year the "grades" are terrible.  Every year nothing happens.  We shouldn't be surprised about any security breach.   We should be surprised it's not seen more often!

I fully expect there will be hearings with indignant Senators hogging microphones and getting inches of news print (not to mention television air time).  I also fully expect NOTHING will change. Because there is no change in mindset.

This is a flash in the pan outrage - tailor-made for television, blogs, and guaranteed to get sympathy for Presidential candidates.  That's all it will ever be.  And next year this will all be forgotten.  Your records will remain just as safe as they are now.

Doesn't that give you a nice warm squishy feeling.

Posted by: Teresa in WebTech at 08:13 PM | Comments (6)

March 17, 2008

While We're On the Subject

Of computerized exploits. This one just came to my attention.

Second mass hack exposed

Not that I expect you will run across this, but it's still a good lesson.

begin class

The infected pages bring up what appears to be a pornographic web site. Upon loading the page, a 'fake codec' social engineering attack is attempted. The user is told that in order to view the movie on the page, a special video codec must be installed.

The user then downloads a trojan program which installs a malware package on the user's system then delivers a fraudulent error message telling the user that the supposed codec could not be installed.


Now class... what do we do when we go to a website and it tells us we must "download this" to view something???? Hmmmm??????

We don't do it. Right??? Right.

That is all.
/class

Posted by: Teresa in WebTech at 10:59 PM | No Comments

Do You Live In New England or Florida?

UPDATE:  After talking to my bank this morning, I was told that no pin numbers associated with debit cards had been accessed.  Since I only used my card as a debit card (not credit), I should be okay.  They weren't sure yet whether the bank would reissue cards to everyone or not.
*****

If you haven't heard the news...

Update: New retail data breach may have affected millions of Hannaford shoppers

In one of the first official confirmations of something that has been rumored for the past few days, the Massachusetts Bankers Association (MBA) today issued a statement warning consumers about a large retail data security breach that occurred between Dec. 7 and March 10.
...
According to Hannaford, the breach affected customers at the company's supermarkets in New England and New York as well as at stores that it operates in Florida under the name Sweetbay. Transactions conducted at some independently owned retail stores in the Northeast that carry Hannaford products also were affected, the company said.


They don't specifically say the Florida stores were hit. (I should learn to actually read what I'm posting... yes they did say Florida!)  In any case, if you have shopped at Hannaford's and used a card (be it debit or credit) check your statements carefully - get in touch with your bank and any other card company.

Wouldn't you know, I have used my debit card only a few times at a store... it was at Hannaford's. In general I only use my debit card at the ATM. So I have some extra leg work tomorrow to see what might need to be done.  Although I don't see any suspicious activity as yet.  I will also be calling my one credit card to tell them.

*sigh*  Oh what jolly fun.

I hope they catch the bastards and hang 'em high. 

Posted by: Teresa in WebTech at 10:02 PM | Comments (3)

March 12, 2008

A General Answers Questions At Slashdot

This is interesting

Here are the answers to your questions for Major General William T. Lord, who runs the just-getting-off-the ground Air Force Cyber Command. Before you ask: yes, his answers were checked by both PR and security people. Also, please note that this interview is a "first," in that Generals don't typically take questions from random people on forums like Slashdot, and that it is being watched all the way up the chain of command into the Pentagon.


There are even a few thoughtful comments (although I didn't read them all by any means).  Check it out.

Posted by: Teresa in WebTech at 11:02 PM | No Comments

March 05, 2008

Do You Use Voice Over IP for Your Phone Service?

You may want to check it with the local police and be sure that your 911 service works correctly!

The family's telephone service was Vonage -- a portable or nomadic Internet telephone service.

"It's generally a service where you actually can pick up your telephone equipment, terminal adapter, bring it with you and plug it in down the street, and you have your service," said Tom Ashe, of the Statewide Emergency TeleCom Board.

Skype is another example of an Internet-based service that requires consumers to report a change of address or location, otherwise, the 911 service you need during an emergency may be sent to the wrong location.


Of course it's so easy to move your phone with a service like Vonage or Skype that some people may simply forget, at least in the immediate time of moving.  And police/fire/ambulance services don't have ESP; if the wrong address is tied to your phone number, you may end up with some real problems if you need help.

The best insurance policy if you use a nomadic Internet service provider for telephone service is to call your local police department to arrange a 911 test.

This also insures you'll receive any reverse 911 calls if there's a town emergency.


Call the police non-emergency number and see what you need to do to test things out. 

Posted by: Teresa in WebTech at 11:35 PM | No Comments