A "Health Certificate" for the Internet? Hmmm…..

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2010/10/05/the-need-for-global-collective-defense-on-the-internet.aspx

A few days ago, a Microsoft employee (in their Trustworthy Computing division) posted a blog entry discussing the need for a “health certificate” to allow computers onto the Internet. In order to be considered “healthy”, your computer must have all available updates (I’m assuming security updates here), up-to-date antivirus, and an up-to-date firewall, and it must be virus-free.

On the surface it sounds good (and on some other levels it does too). But there are some considerations that need to be made.

First, what if your operating system doesn’t have (and isn’t easily susceptible to) viruses? I’m looking at Mac OS, Linux, and other Unix variants here. Will there be a provision that states only Windows computers require antivirus software? And if, at some point, the other OSes find the need for antivirus software, will the provision be extended to them?

Secondly, the idea is that unhealthy computers will be completely blocked from the Internet. So, pray tell, how will they block the computer? Will they do it by MAC address (the “physical address” of the network card)? Or will they block it at the modem level? This presents two problems: if the computer has multiple NICs (wired and wireless, for example), it can still get on the Internet for a brief time. Also, how will the user get the needed updates to obtain their “health certificate” if they are blocked?

Thirdly, what exactly would the “health certificate” be? Will it be like a digital certificate? Will it be like Windows Activation? How will they prevent people from forging their certificates or stealing others’?

Fourth, how will this keep me from screwing up my Facebook with those stupid lolzvideo viruses that are floating around? (I don’t click those, but I know a lot of people who do.) After all, no antivirus protects you from that. And I would imagine that for the average person, that is the biggest hassle. They don’t realize the other dangers, because they don’t play in the big park. They go to their e-mail and surf Facebook and YouTube.

The health certificate is a good theory. If someone actually decides to implement it, it needs to be an independent party with NO interests in any operating system or security software, because if you have an interest in a product that the health certificate affects, you’re inherently going to shift the balance in favor of your interests. In other words, Microsoft has a good idea, but they shouldn’t have anything to do with implementing it.

One telling thing about this is that between 1 and 10 million Windows PCs are involved with botnets. The number of Macs, Linux PCs/servers, and other devices that run non-Windows code is closer to zero. That may change if virus creators figure out a way to hack through OS X or Linux. But the point is that right now, it’s more than likely a Microsoft product that is causing the problems.

All of this being said, I think the health certificates are a decent idea. And after skimming through the actual white paper on the subject, it raises some good points that aren’t being covered in the media.

Personally I think that the “Health Certificates” should contain the following information:

1. All MAC addresses in the computer (this should be the ONLY identifiable information).
2. Operating system information (Windows/Linux/OS/etc. and version, including build where appropriate).
3. A check to see whether all required security updates are installed properly.
4. If the operating system requires a firewall and antivirus, whether these are present, turned on, and completely updated.

The “Health Certificate” should be generated on the fly. This will ensure that the most current information is presented. Tools like Belarc Advisor already generate the information that I suggest (and could easily be incorporated into the Health Certificate program).
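As an added example (not from the post or from Microsoft’s white paper), here is a small Python sketch of the on-the-fly certificate described above: the four fields from the list, a signature from a hypothetical independent certifier so that a forged or edited certificate fails verification, and a short validity window so that a stale one is rejected. The HMAC key, the field names and the 300-second window are my assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key held only by the (hypothetical) independent certifier;
# a real deployment would use a key pair and hardware-backed attestation.
CERTIFIER_KEY = b"constructed-demo-key-not-for-real-use"
MAX_AGE_SECONDS = 300  # generated on the fly, so it must also expire quickly


def build_health_certificate(mac_addresses, os_info, updates_current,
                             av_fw_required, av_fw_ok, issued_at=None):
    """Assemble the four fields proposed in the post and sign them."""
    body = {
        "mac_addresses": sorted(mac_addresses),      # the only identifier
        "os": os_info,                               # name, version, build
        "security_updates_installed": bool(updates_current),
        "av_firewall_required": bool(av_fw_required),
        # only meaningful when the OS needs antivirus/firewall (point 4)
        "av_firewall_ok": bool(av_fw_ok) if av_fw_required else None,
        "issued_at": int(issued_at if issued_at is not None else time.time()),
    }
    return {"body": body, "sig": _sign(body)}


def _sign(body):
    # Canonical JSON so certifier and verifier hash exactly the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CERTIFIER_KEY, payload, hashlib.sha256).hexdigest()


def is_healthy(cert, now=None):
    """Check signature, freshness and health rules; return (ok, reason)."""
    now = now if now is not None else time.time()
    body = cert["body"]
    # Any edit to the body (e.g. flipping the updates flag) breaks the tag.
    if not hmac.compare_digest(_sign(body), cert.get("sig", "")):
        return False, "bad signature (forged or tampered)"
    if now - body["issued_at"] > MAX_AGE_SECONDS:
        return False, "stale certificate; must be regenerated"
    if not body["security_updates_installed"]:
        return False, "missing security updates"
    if body["av_firewall_required"] and not body["av_firewall_ok"]:
        return False, "antivirus/firewall absent, off, or out of date"
    return True, "healthy"
```

A Linux host that does not require antivirus passes with `av_fw_required=False`, which is the provision the first objection in the post asks about.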

Let me know what you think of the Health Certificate ideas. Read the white-papers on the Microsoft site, and do a little research into the idea. Let me know what you’d like to see in one (if they’re implemented).

Have a great day:)
Patrick.

Too Good to be True—Probably Is

This post came to me because I noticed something interesting in my junk mail: a spam mail for Walmart (supposedly, but most likely not) that said “We want YOU: Walmart Workers 75/h Now.” I don’t think Walmart pays their salaried people (except maybe at the corporate offices) $75/h. So, I thought, “Why would they send this out, with such an outrageous salary listed?” Then it occurred to me that someone clicked on it. As the old adage goes, “If they keep doing it, then obviously someone is falling for it.”

In these hard economic times, it’s easy to fall victim to something like that. The hope for a payday or windfall tempts everyone. In fact, just the hope for a steady income tempts everyone (myself included). The problem is that actual companies are not hiring like this (by sending out unsolicited e-mails). And they definitely are not offering tons of money per hour.

The point of this post is this: if it sounds too good to be true (or sounds like it’s way more than you’d expect someone to make at the company), then it probably is. It’s more than likely a scam. They definitely will want your personal information, and maybe will want money. Either way, you’re taking a chance that they aren’t going to steal your identity or rob you/kidnap you/kill you. So, be careful.

If you are looking for work, check out the Regional Help Wanted site (http://www.regionalhelpwanted.com), Monster (http://www.monster.com), CareerBuilder (http://www.careerbuilder.com), or Yahoo HotJobs (http://hotjobs.yahoo.com). You can also try looking on Twitter, but the same rule applies.  Some of the jobs there are too good to be true.

Have a great day:)
Patrick.

Looking for Key Signings

This is just a short post about OpenPGP keys. I’ve configured some for my e-mail accounts and am looking for people to sign them, preferably people who are within driving distance of Muscatine, IA, Decatur, IL, or Fremont/Omaha, NE.

If you are not within driving distance, but still want to sign keys (and have your keys signed), we can work out some method of doing it. If you are in the United States, we can verify the keys over the phone using a predetermined passphrase, or via electronic means.

For the people who aren’t aware of what OpenPGP is, it’s a form of digital certificate. Whereas certificates from companies like Thawte and VeriSign are verified only by that company, OpenPGP keys are verified by multiple users who sign each other’s keys. In the past, there have been “key signing” parties, where groups of people gathered together and signed each other’s keys. However, you don’t hear about those anymore, and there are none in my local area.

For more information about OpenPGP, check out http://www.gnugpg.org. And if you have keys and are interested in signing mine (and having yours signed), send me an e-mail at sales at patscomputerservices dot com. Or feel free to leave a comment below, and we will make the arrangements afterwards.

Have a great night:)

Patrick.

Video: Stealing identities on the street is easy | Graham Cluley’s blog

I saw this on Twitter yesterday, along with a recommendation to retweet it. I posted it to my Facebook also, because I have friends on there who have lots of information listed as public.

I was amazed, in watching the video, at just how many people were willing to give out their personal information. And it makes me wonder: if they had asked for Social Security Numbers (or the equivalent in the United Kingdom), would the people have given those too?

Either way, the most important point from the video is near the end—when they ask people “What is identity theft?” and most of them realize that the very information they gave out (full name, date of birth, e-mail address) is enough to make them a victim…

So now I ask you… How many of you have this information public on your Facebook, Twitter, or MySpace account?

Have a great day:)
Patrick.

Digital IDs for Secure Email from VeriSign, Inc.

This is an update to an earlier post I did about the paperless office. It took a while, but I finally got the information from VeriSign about their Digital IDs for e-mail. And this is the page that you’ll go to in order to buy one.

It will work in Outlook, Outlook Express, Thunderbird, or even Safari.  That’s good, since they cover the major e-mail clients as well as one web browser.  You can purchase the certificate using Internet Explorer, Mozilla Firefox, or Safari.

When you click the Buy Now button, you’ll be presented with a screen asking for your First and Last names, and a challenge phrase.  Below that, you see that you have the option of purchasing the full Class I Digital Certificate, or doing a 60-day Trial certificate.  You’re prompted for your billing information and the type of security that you want to use.

The cost is $19.95/year, which isn’t a bad price for digital security. So, since the cost to the user isn’t very high, it’s time to push the companies that we do business with to implement their end of the pipe: push them to implement a system where, if you have a digital signature on file with them, they will send your statements and other important information directly to you through e-mail.

I’m trying out the signature for 60 days to see how it works. As of right now, I’m not sure that I’ll purchase it—only because I don’t know how often I would need to use it. That, and the fact that I have multiple e-mail addresses, so I have to decide whether I want to spend the money on certificates for each one or do some more organizing in how I deal with my e-mail.

An early suggestion that I will give to people with multiple e-mail addresses is this: pick one e-mail address and use it for all of your business and financial dealings. This should be the single e-mail address that you use for all online bill paying and for your banks or other financial dealings. That way, you only “need” to purchase one certificate—others are optional.

Have a great day.:)

Patrick.

SecuriTeam Blogs » Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ – October 2008

SecuriTeam has a post up that clears up a lot of the questions about the emergency patch released on Thursday: why you should update, what active worms are exploiting this, and information about files that may be infected (or part of the exploit).

I urge you to check this site out for more pertinent information about this and other vulnerabilities.

Thanks to the Internet Storm Center for posting about this in their daily diary.

Have a great day:)

Patrick.

US-CERT Cyber Security Tip ST04-002 — Choosing and Protecting Passwords

Hey everyone,

This article is about choosing and protecting your passwords. It describes why you should have passwords, and why it’s important to make sure those passwords aren’t easily guessed.

A couple more things to add to this article: make sure the minimum length of the password is at least 6 or 7 characters. Along with this, the longer the password, the better. One of my coworkers has a password that’s about 20 characters long. It’s probably something easy, but the time it would take to crack a 20-character password is astounding anyhow. Unless it’s the first 20 letters of the alphabet.

The second thing I would add is to change your passwords every 90 days or so, even if the site or program doesn’t require it. The longer you have the same password (no matter how strong it is), the more chances someone has to crack it. Windows can be configured to force you to do this, in certain cases. So can Linux and Mac OS. Or, if your company requires you to change it every 90 days, then you should change all of your passwords at that time. I wouldn’t recommend using the same password for work and everything else, for the exact reasons given in the article.

So, you’re probably saying to yourself, “I’ve got 50 things that I use passwords for. How do you expect me to keep track of them all?” We don’t. Well, I don’t at least. There are programs out there that keep track of them for you. They require you to remember one single password (the vault combination) in order to get in. Then you pick the password that you need, and it copies it to your clipboard. One main concern that you should have is how long the password remains in the clipboard.

Some of these programs are Symantec’s Norton Confidential, McAfee Privacy Service, KeyWallet, and Password Safe (which is the one that I use). I won’t recommend one over the other. I’ve dabbled with an older version of Norton’s inside of their SystemWorks software, but never actually used it. The other two are ones that I just found while researching this article. If you’re a fan of Symantec or McAfee, then I would say use theirs (especially if it comes inside of a suite that you’ve bought). Otherwise, I would say try KeyWallet or Password Safe. Or research “password managers” and see what’s out there.

My next article is going to be about “Shopping Safely Online”. Have a great weekend, everyone.

Patrick.