
Sep 21

So How Private Is Private?

Editor’s Dossier

Greetings VSNers,

You hear a lot about Internet privacy these days. But what does that really mean
to you? Under President Jimmy Carter a commission was formed to explore personal
privacy. The result was Personal Privacy in an Information Society: The Report
of the Privacy Protection Study Commission transmitted on July 12, 1977. They
succinctly said:

“The real danger is the gradual erosion of individual liberties through the
automation, integration, and interconnection of many small, separate record-keeping
systems, each of which alone may seem innocuous, even benevolent, and
wholly justifiable.”

http://epic.org/privacy/ppsc1977report/

And if it was true then, it is incredibly true today. If you have ever wondered
about your online privacy, check out our Crash Course in Internet Privacy in
Operations.

This week in Deb’s Deep Dive, our Contributing Editor goes Under the Hood and
explores User Account Control in Vista and Windows 7. This is for Advanced
Users.

What do you think?

If you would like to comment or leave feedback about this week’s issue, feel
free to do so here: http://www.VIPRESecurityNews.com

Enjoy the latest issue of VIPRESecurityNews. And remember, stay safe out there.

Best,

Larry Jaffe
Editor VIPRESecurityNews

P.S. You can write to me at any time; I want to know how you feel about Internet
security and whether you have any ideas for articles or subjects you would like us
to cover. Email me at feedback@SunbeltSecurityNews.com

Eyes Only – Your Viewpoint on Security Issues

Passing the Password

I just *had* to email you again re: password security. Dennis O’Reilly’s piece
you linked to is all very well, but when are these security “experts” going to
understand that the gold standard of never writing down a password is in
practice completely impossible to make work? And it’s not just passwords either
– usernames come into the same category. And “memorable words”, etc.

Looking through my own book of passwords and usernames and memorable words I
counted over two hundred different sets. Even if it was possible to remember
half of them, which username refers to which site, and which memorable word to
that password?

And any system of generating passwords such as the ones he talks about is also
useless – sites vary so much in what is or is not allowed (alphanumeric, some
symbols but not others and so on) that *any* system will only be of use perhaps
half the time – so yet another thing to remember (which passwords have been
generated by which system!).

Of course, a large percentage of anyone’s usernames and passwords are for
trivial sites such as online helpdesks etc. – but here again you can’t use the
same system to generate passwords universally for the same reason.

I now use KeePass (freeware) which, as you will know, keeps an encrypted file on
the HD containing all the information you need to check into your sites. I use
its password generator to dream up appropriate passwords and I don’t even
attempt to write them down. The key to the program I keep on a dedicated USB
stick – and I keep a copy of that on CD locked away in my safe!

When I am on vacation my wife keeps the USB stick in her handbag and I carry the
laptop/tablet, the rationale being of course that neither is of any use without
the other.

Now I have a question for your gurus: When I boot up my W7 computer, I pop in
the USB stick with the key, open the KeePass program and point the key request
to the USB stick. The program opens the series of folders with all the sensitive
data (blobs for password characters). I eject and remove the USB key. When I
visit a website requiring passwords and usernames I bring up the KeePass window
from the taskbar and drag the appropriate phrases into the site data entry
fields. Then I minimize the KeePass window until the next time I want to use it.
Is it a security risk leaving it minimized to the taskbar? Obviously using such
a program is exceptionally dangerous if it is compromised. – RW

Editor’s Note: We spoke to Trip Armstrong, our Supervisor, Security Response for
his take: “If the workstation is not locked when he leaves the computer, it
would be possible for someone to simply maximize the window and see the content.
Otherwise as long as he is not infected with a keylogger (which VIPRE has very
good detection of) there should not be any risk of compromise.”

Heads in the Sand

I have my own business repairing computers and I am appalled at the attitudes of
MOST of my customers. Like you said, they must believe that it will never
happen to them. But, it does, and then they want me to fix it immediately and
with no loss of their precious data. I try to warn them, and always push
running backups, but few do. Boy, could I tell some heartbreaking, SCARY
stories. I have run into some who don’t even try to block the crud. They don’t
have ANY protection. I usually recommend your software and try to get them to
run backups, and then the fateful day comes and they seem to blink and think it
is just going to go away. Recently, my wife ran into the problem head on. She
lost quite a bit of important data. When the dust settled, Thank God, she is
now running backups. Why doesn’t MS include something in their software to fix
this, or can they? It doesn’t seem to be a problem for the Mac crowd. Oh well,
just had to vent some. Thanks for the great job with your software, AND a
really refreshing WORTHWHILE newsletter. Thank you, thank you, thank you! – DD

Internet Cops

Just a note of thanks for your newsletter. The information has been most helpful
and I appreciate the playful writing style. I have a subject you may want to
feature. On occasion, I receive a suspicious e-mail masquerading as a message
from AT&T asking for my e-mail and password. With your support recommendation,
I managed to contact AT&T and they say it is bogus. Is there an Internet Police,
or militia? Or a group of Vigilantes where I can report obvious fraud? – WM

Editor’s Note: Here are several sites where you can report scams and fraud.

http://www.usa.gov/Citizen/Topics/Internet_Fraud.shtml
http://www.ic3.gov/default.aspx
http://www.consumerfraudreporting.org/reporting.php
http://www.fbi.gov/scams-safety/fraud/internet_fraud
http://www.fraud.org/info/repoform.htm
http://www.reportinginternetfraud.com/

Operations: What You Need To Know

Crash Course in Internet Privacy

Wikipedia describes Internet privacy as “the desire or mandate of personal
privacy concerning transactions or transmission of data via the Internet. It
also involves the exercise of control over the type and amount of information
revealed about a person on the Internet and who may access said information.”
http://en.wikipedia.org/wiki/Internet_privacy

There are those that claim that Internet privacy is a myth and that we must get
over it. And then there are those that sell you identity protection kits to
profit from the loss of privacy. However, there are things that you can do to
protect your privacy, right from the comfort of your own home… imagine that?

The Privacy Rights Clearinghouse is a nonprofit consumer organization with a
two-part mission — consumer information and consumer advocacy. Two of its main
goals are to raise consumers’ awareness of how technology affects personal
privacy and empower consumers to take action to control their own personal
information by providing practical tips on privacy protection. It is well worth
your while to visit their site. https://www.privacyrights.org/

The Federal Trade Commission has a number of guides on how to protect the
privacy of you and your family. Additionally, they have a very comprehensive
site devoted to identity theft. It is a one-stop national resource to learn
about the crime of identity theft. It provides detailed information to help you
deter, detect, and defend against identity theft. Consumers can learn how to
avoid identity theft – and learn what to do if their identity is stolen.
Businesses can learn how to help their customers deal with identity theft, as
well as how to prevent problems in the first place. Law enforcement can get
resources and learn how to help victims of identity theft. It is a very
comprehensive web site.
http://www.ftc.gov/bcp/edu/microsites/idtheft/

Privacy.Org is the site for daily news, information, and initiatives on privacy.
This web page is a joint project of the Electronic Privacy Information Center
(EPIC) and Privacy International. This site has anything and everything to do
with your privacy from body scanners to Facebook.
http://privacy.org/

I found a very interesting site created by California Attorney Timothy Walton
who states on his site: “The United States Supreme Court has stated that
American citizens have the protection of the Fourth Amendment (freedom from
search and seizure absent warrant) when there is a reasonable expectation of
privacy.” That’s where it starts to get tricky. You can check out his site here:
http://www.netatty.com/privacy/privacy.html

So, to answer our question of how private is private: it would seem not very
private at all. But you can do things to protect yourself, your family and your
information.

Free Malware Removal

Malicious software is tricky and sometimes, these critters get through all your
layers of protection. However, did you know that we will remove malware that has
gotten into your computer for free? All you need is a valid subscription to
VIPRE and our team of malware removal specialists will get the bad guys out. Our
team will assist any customer that becomes infected while under VIPRE’s
protection. Just go online and fill out the support form and a member of our
Malware Removal Team will get back to you right away. You don’t have to pay for
this incredible service.
VIPRE Antivirus Support

Free Support

Like our Malware Removal Team above our Support Team is also at your service.
You don’t have to call in or send emails or wait in line, just fill out our
support page and you will automatically create a support “case”. So should you
be experiencing technical issues with your GFI product please feel free to fill
out a support request and a technician will be happy to assist you.
VIPRE Antivirus Support

Stay on top of all the real-time threats: GFI Malware Research Labs

Deb’s Deep Dive

Under the Hood: User Account Control in Vista and Windows 7

If you’re still using Windows XP, you might not be familiar with the security
feature called User Account Control (UAC). It was introduced in Windows Vista,
and became one of the main “pain points” that made Vista one of the most
maligned Microsoft operating systems in history. Although the intent was good –
to protect you from malware running with administrative privileges – it was far
too “in your face” for comfort. Consequently, many Vista users turned it off,
negating the security benefits. In response to the complaints, Microsoft made
UAC much more user-friendly in Windows 7 and more easily configurable by the
user. But what’s really happening under the hood with UAC, and how can you
control its behavior? That’s what we’ll look at this week.

In XP and earlier operating systems, you logged on with a particular account
(administrative or standard user) and programs ran in that context. Users were
advised to log on with standard user accounts unless they absolutely needed to
perform administrative tasks, but many always logged on as admins so they
wouldn’t be restricted in what they could do. Malware, then, could run with
these elevated privileges and do much more harm. UAC lets the same user account
run with standard privileges until administrative privileges are needed, and
then elevates privileges without logging off and back on with a different
account (or using the “Run as” command).

Since user privileges are granted based on tokens assigned to an account, admin
accounts get two different tokens, one with standard privileges and one with
administrative. User applications are started with the standard privileges
token. If an application needs higher privileges, you’re prompted for permission
to continue. In Windows 7, fewer routine tasks prompt you for permission by
default. You no longer get hit with UAC prompts when you use most Control Panel
applets. Internet Explorer 7 and above work together with UAC to run in
Protected Mode, whereby it can’t write to any files other than those in the
Temporary Internet Files folder without requesting elevated privileges via UAC.
Protected Mode doesn’t work if UAC is turned off.

The Secure Desktop is a function of UAC that can still be annoying. When you get
a UAC prompt, the whole desktop goes dark and you can’t interact with any of its
elements until you respond to the prompt. While the Secure Desktop is in effect,
most processes won’t run (only trusted ones that run as System). This prevents
malware from being able to respond to the prompt and elevate privileges for
itself. You can disable Secure Desktop without disabling the rest of UAC, but
that leaves you open to spoofing of the UAC prompts.

Before you make any changes to the default UAC settings, be sure you understand
the security implications. If you still want to do it, it’s much easier in
Windows 7 than in Vista (which required you to use Group Policy or edit the
registry). In Control Panel, open the Action Center and in the left pane, click
“Change User Account Control settings.” You’ll see a slider bar with four
settings. Select the top notch if you want to always be notified (with a prompt)
when programs try to install software or make any changes to the computer,
including when you make changes to Windows settings. Select the second notch
from the top if you want to be notified when programs make changes, but not when
you make changes to Windows settings (this is the default). Select the third
notch to get the prompt when programs make changes, without dimming the desktop
(this disables Secure Desktop). The bottom notch, which is definitely not
recommended, is for the “never notify” option and disables UAC.

If Secure Desktop isn’t disabled in Control Panel but the desktop isn’t dimming
when you get the UAC prompts, the registry key that controls this setting might
have become corrupted. This TechNet article explains what to do:
http://technet.microsoft.com/en-us/library/ee844168(WS.10).aspx
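As an added example (not code from the article or from Microsoft), this PowerShell script reads the three registry values that the Windows 7 slider changes, translates them back into the notch described above, and reports which of an admin account’s two tokens the current session is running on. The policy key path, the value names and the notch-to-value mapping are assumptions drawn from Windows 7 administration rather than from the article.

```powershell
# Added example, not code from the article. Assumed (not listed in the article):
# the policy key and value names below, and how the four slider notches map
# onto them. Run from a normal PowerShell window to see the filtered token,
# and from an elevated one to see the administrative token.

function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    $enableLua  = [int]$p.EnableLUA                   # 1 = UAC on, 0 = off (after reboot)
    $consent    = [int]$p.ConsentPromptBehaviorAdmin  # 2 = always prompt, 5 = prompt for
                                                      # non-Windows binaries, 0 = never
    $secureDesk = [int]$p.PromptOnSecureDesktop       # 1 = dim the desktop, 0 = plain prompt

    # Translate the three values back into the four notches of the Windows 7 slider.
    if ($enableLua -eq 0 -or $consent -eq 0) {
        $notch = 'Never notify (bottom notch: UAC and IE Protected Mode are off)'
    } elseif ($consent -eq 2 -and $secureDesk -eq 1) {
        $notch = 'Always notify (top notch)'
    } elseif ($consent -eq 5 -and $secureDesk -eq 1) {
        $notch = 'Notify for program changes only (second notch, Windows 7 default)'
    } elseif ($consent -eq 5 -and $secureDesk -eq 0) {
        $notch = 'Notify without dimming (third notch: Secure Desktop off, prompts can be spoofed)'
    } else {
        $notch = 'Non-standard combination (set by Group Policy or edited by hand)'
    }

    # Which token is this process using? UAC gives an admin account a filtered
    # token in which the Administrators group is marked "used for deny only",
    # so the role check fails even though whoami still lists the group.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $admins    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $denyOnly  = ($admins -ne $null) -and ($admins.Attributes -match 'deny only')

    if ($elevated)      { $token = 'administrative token (elevated)' }
    elseif ($denyOnly)  { $token = 'standard-privileges token of an admin account (not elevated)' }
    else                { $token = 'standard user account (no second token to elevate to)' }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesk
        SliderSetting              = $notch
        CurrentToken               = $token
    }
}

Get-UacPosture | Format-List
```

If the three values do not match any notch, the setting was changed outside the Control Panel slider, which is the situation the TechNet article above addresses.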

‘Til next week,

Deb Shinder, Contributing Editor

Dirty Tricks

Going Chrome

Editor’s Note: I have been a dedicated Firefox user since day 1. I always preferred it over Internet Explorer because of the features and my perceived lack of security in IE. But these days I am starting to use Chrome more and more. I have found the fast track Firefox to be rather unstable. This was brought home to me by the article by Steven J. Vaughan-Nichols in ZDNet:

“It’s odd. When Firefox moved into its accelerated development path, Firefox really didn’t get much better. In fact, it’s been getting less stable. Google’s Chrome Web browser though just keeps getting better with every new release. Chrome 14, in my opinion, is now clearly the best Web browser for any operating system available today.” Read More >>

Call It Your Online Driver’s License

The plan, called the National Strategy for Trusted Identities in Cyberspace and
introduced earlier this year, encourages the private-sector development and
public adoption of online user authentication systems. Think of it as a driver’s
license for the Internet. Read More >>

New Senate Bill Aims To Prevent, Deter Data Breaches

A bill introduced in the U.S. Senate on Thursday aims to quell the ever-increasing
tide of data breaches by requiring businesses to follow guidelines
for the safe storage of data and imposing large fines on violators. The 100-page
measure, introduced by Sen. Richard Blumenthal, D-Conn., and called the Personal
Data Protection and Breach Accountability Act of 2011, would require businesses
with data of more than 10,000 customers to implement privacy and security
programs to ensure the information is protected. As part of such programs,
businesses would be required to conduct risk assessments and regularly test key
controls and systems. Read More >>

Another Round of Bad Ads in Bing

Note: Do you use Bing? I think I used it the first week it was out but that was
about it.

We’re seeing some more bad adverts popping up in Bing – just like the original
attack, these results are served with very basic search terms so it’s pretty
easy to stumble into one of the bad URLs. Read More >>

Zone – Cool Products & Other Stuff

I am always looking for some hot stuff to share with our readers; maybe you are
too. Hit me back at feedback@SunbeltSecurityNews.com.

First 1K House Prototype Built In China

The first prototype to emerge from the 1K House studio at MIT is a modular home
constructed in the Sichuan Province of China. The Pinwheel House features
standardized construction and assembly to build basic, affordable housing in
rural areas of developing countries. Read More >>

Google Wallet Launching

Note: It was bad enough if you lost your wallet, now look what happens if you
lose your phone. Better protect it with VIPRE Mobile.
www.VIPREMobile.com

Google Wallet is an Android app that makes your phone your wallet. It stores
virtual versions of your existing plastic cards on your phone. Simply tap your
phone to pay and redeem offers using near field communication, or NFC. It will
eventually hold many if not all of the cards you keep in your leather wallet
today. And because Google Wallet is a mobile app, it will be able to do more
than a regular wallet ever could, like storing thousands of payment cards and
Google Offers but without the bulk. Eventually your loyalty cards, gift cards,
receipts, boarding passes, tickets, even your keys will be seamlessly synced to
your Google Wallet. Read More >>

And you will enjoy the video! Watch Video >>

Google Opens Its Social Network To All

Google+, the search giant’s bid to boost its relevance in the socially networked
world of the Web, is now open to the masses. Read More >>

What’s a GrubHub?

With over 15,000 delivery and pickup restaurants, GrubHub helps you find and
order food wherever you are. How it works: you type in an address; we tell you
the restaurants that deliver to that locale as well as showing you droves of
pickup restaurants near you. Want to be more specific? Search by cuisine,
restaurant name or menu item. We’ll filter your results accordingly. When you
find what you’re looking for, you can place your order online or by phone, free
of charge. Oh, and we also give you access to reviews, coupons, special deals
and a 24/7 customer service team that tracks each order and makes sure you get
exactly what you want. Read More >>

Jazz For Cows

The “New Hot 5” plays for a herd of cows in Autrans, France. I’ve never seen cows
look so enthused: Watch Video >>

Remote Controlled F-16

A camera installed in a remote-controlled F-16 model airplane transmits live video
to the pilot on the ground, who is wearing video goggles and flies the plane in real
time as if he was in the cockpit: Watch Video >>

Tiger And Dog

The tiger and dog have been raised together since they were nine weeks old, and
they have become inseparable friends. They play together all the time and neither one of them
has ever been injured. Watch Video >>


1 comment

  1. Linda Q. Thede says:

    How will I know that if I download KeePass that I get it from the official, real website? I have found that sometimes what purports to be a website for a product is not. I downloaded and when I go to install it says “Unknown Publisher.” This is a red flag for me.
