Enabling Secure Business Operations

Security vs Usability (again)

This from BetaNews:

Giving a nod to developers who’ve apparently given a lot of feedback, as well as “certain commercials,” Microsoft’s platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings.

Fortunately for my own sanity, I haven’t had to jump through any hoops with UAC to get my code working, but that’s mostly because I deal with server-side code now.  While the developer perspective is interesting, it’s really the user perspective that’s important to me, as someone who is concerned with the overall state of desktop security.  Developers are not only in the minority, we also don’t have the option of just turning UAC off on client machines…we have to deal with it or simply not write software for Vista.  In the current incarnation of Vista, however, UAC is so obtrusive that many users opt to disable it entirely to get the warnings to stop.
Sinofsky said that with UAC, Microsoft had what he described as “the best intentions” in mind. But its attention to informing the user about what’s going on and getting consent “possibly went too far.”
...
For now, in the Pre-Beta version of Windows 7, there are now four settings for configuring how intrusive UAC will be: Never notify me, Only notify me when programs try to make changes, Always notify, and Notify and wait for my approval.

I think this is the right approach.  UAC doesn’t really bother me too much as an end user, but then again, I know what it means and what it’s actually doing.  I think that Microsoft took a big step in the right direction security-wise with UAC, but those pop up windows can be a real turn-off.  I’m glad to see that rather than abandoning the model and starting over from scratch, they’re trying to make the “security vs. usability” tradeoff for users less of an all-or-nothing proposition.

Time to Re-Think CAPTCHA?

This week, reports have surfaced that spammer activity is increasing on Microsoft and Google sites that employ CAPTCHA. A CAPTCHA is a challenge meant to distinguish human users from programs that enter information automatically. Those who want to create large numbers of e-mail accounts or efficiently post spam to blog comments and message boards are constantly devising new ways to get past CAPTCHAs. Meanwhile, web site administrators keep inventing new techniques for detecting computers masquerading as humans.

As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can be mistaken for lower-case if distorted the right way, and there is no feedback that allows me to correct myself if I can’t read it.

Now, I’m not saying that I have ever been completely fooled by a CAPTCHA to the point that I wasn’t able to create an account or post a comment. Humans will eventually get through, but if users find them difficult, and they no longer effectively prevent spamming, maybe more thought needs to be applied to the problem. Here are some suggestions I have found for methods to weed out spamming programs.
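Two of the complaints above, case ambiguity and the lack of feedback, are things the server side can fix regardless of how the image is drawn. The following is an added example of how I would handle the challenge on the server; it is not code from any of the sites mentioned. The alphabet, the two-minute lifetime, the in-memory "spent" set and the hard-coded key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key for this example only; a real deployment loads it from a
# secrets store and rotates it.
SERVER_KEY = b"example-only-captcha-key"

# Glyphs that survive distortion: no 0/O, 1/I/l, 2/Z, 5/S, 8/B, and no
# lowercase, so the answer never hinges on case the reader cannot see.
ALPHABET = "ACDEFGHJKMNPQRTUVWXY34679"
TTL_SECONDS = 120


def _mac(nonce, expires, answer):
    """Bind the answer to a nonce and expiry so the server stores nothing per challenge."""
    msg = f"{nonce}:{expires}:{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(length=6, now=None):
    """Return (answer, token). The answer is rendered into the image; only the
    image and the opaque token are sent to the client."""
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_hex(8)
    expires = now + TTL_SECONDS
    return answer, f"{nonce}:{expires}:{_mac(nonce, expires, answer)}"


class Verifier:
    """Checks answers case-insensitively, rejects expired or replayed tokens,
    and burns a token on the first wrong guess so one image cannot be
    brute-forced online. The user always learns why a submission failed."""

    def __init__(self):
        # Assumption: single process. Use a shared cache with a TTL in a cluster.
        self._spent = set()   # nonces already redeemed or failed

    def verify(self, token, user_input, now=None):
        now = int(time.time()) if now is None else now
        try:
            nonce, expires_s, mac = token.split(":")
            expires = int(expires_s)
        except ValueError:
            return False, "malformed token"
        if nonce in self._spent:
            return False, "that image was already used; a new one is required"
        if now > expires:
            return False, "that image expired; a new one is required"
        self._spent.add(nonce)           # one verdict per challenge, pass or fail
        guess = user_input.strip().upper()
        if hmac.compare_digest(mac, _mac(nonce, expires, guess)):
            return True, "ok"
        return False, "didn't match; a new image has been issued"
```

A lowercase answer to an uppercase image is accepted because the alphabet has no case to get wrong, and a token only ever gets one verdict, so telling the user "didn't match" gives nothing to a program that would otherwise cycle guesses against the same image.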

Internet Code of Conduct

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines for how online businesses should behave when policies and regulations touch on human rights. It was to be a voluntary, industry-led code of conduct.

According to this letter (PDF) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most influential internet companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect their users’ rights as well. If more companies get on board, this could be a step in the right direction toward strengthening the trust between service provider and user.

Train Your Users To Think Like The Mafia


Smart security people learn from their adversaries’ tactics rather than shunning them. Despite modern technology, broad operations, and publicity, the Mafia (particularly the Italian mob) continues to survive. While the crimes they commit are deplorable, the organization’s own security relies on tried and true methods.

Here are some you can teach your employees and enforce without having a baseball bat.

  • “Don’t Trust Nobody” – A good place to start; employees should never give company information to anyone except the people they have explicitly been told to. This covers social engineering, spoofed emails, and enticing links alike. Your firewalls should allow exactly what you tell them to allow and nothing else: start from a default-deny rule set and open only what is needed. Give your users the fewest privileges they need to do their work, and log as much as you can.
  • “Talk to Me, Directly” – An email from some executive you’ve never heard of, intimidation from someone in HR who wants your SSN (which they should already have), and any other strange request should be verified. Employees should go directly to their immediate supervisor when in doubt. Don’t send important information in unencrypted email; if possible, get up and relay the message in person, and refuse to send documents that can’t be encrypted and digitally signed (so the sender can’t later deny them: non-repudiation).
  • “Keep Outsiders Out” – All business partner connections, 3rd party maintenance, and external developers should have an independent security assessment performed on them by security experts. Create separate network segments, monitor maintenance and hardware changes, and always escort visitors on your premises. Smaller companies: lock the doors to the office and secure any network closets and servers.
  • “Be Respectful” – Too often in mob movies we see some underling getting picked on by his superiors. The result is usually “ratting out to the Feds”, the equivalent of an employee leaving for a competitor or leaking proprietary information. Treating your employees poorly reduces the overall security of an organization because it undermines loyalty. As we learned in “A Bronx Tale”, it is better to be loved than feared.
  • “Use Your Head Instead of a Notepad” – Mob guys never write anything down for fear of leaving behind evidence. Users should be trained never to write down passwords, leave company documents out on their desks, or store unencrypted sensitive files on unprotected devices.

Security professionals and auditors should learn from these tactics but be careful about adopting the methods. Make sure you have the scope of any assessment or audit in writing, and make sure the tools and techniques you use are acceptable to the company in question, or you might get whacked. A good strategy carried out with questionable tactics may make you the criminal.

What are some of the tricks you’ve learned from the bad guys?

Blame IT!

We’ve all heard the PEBKAC (problem exists between keyboard and chair) stories, such as using the CD-ROM drive as a coffee mug holder, or erasing the C:\Windows folder to free up space on the hard drive. InfoWorld has an informative article that turns these stories on their head and recounts stupid actions by IT administrators instead.

The thing that struck me is that out of the six items they highlighted, four of them were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern.

  • Preconfiguring PCs with stone-age malware
    • Computers shipped from the factory with a virus dating from around 1994 that the bundled antivirus couldn’t remove
  • Oh, you wanted to recover those backups?
    • An entire issue of BusinessWeek was lost when a hard drive crashed
  • Soup of the day: Social Security numbers
    • A school’s database of people who received the weekly cafeteria menu was completely unprotected and contained SSNs
  • The tool and the toolbar
    • The Alexa toolbar was used to crawl and cache sensitive parts of a company website
  • Paging Dr. Data Breach, please come to the IT morgue
    • A company took down its firewalls to ease a (sensitive) data migration, and then inexplicably never turned them back on

Next time you blame users for lax security, remember that the IT staff can be brain-dead as well.

Internal Audit Mentality

Information security implicitly goes against our evolutionary defenses. Humans, for much of their history, have lived in small groups and had to defend against external threats.

Disease, predators, other groups of people: the threats came from outside, and internal conflict was confined to the top. Leaders changed, but the pecking order of a band of 20-50 hunter-gatherers remained relatively constant.

A 13-year-old couldn’t, say, learn to wield a knife and kill the top guy simply by watching. Even if this were possible, it would be suicide for the individual and would harm the group’s chances of survival. Internal trust was built on the fact that in order to survive, you had to trust one another…and carefully weigh your options.

All of this leads us to today, where a handful of administrators hold god-like powers over companies they don’t even run. A 13-year-old can launch an attack capable of crippling an organization, with little personal risk.

So we approach our employees with cautious confidence. Most IT managers cite insider data leaks as their top fear. So why don’t companies perform more internal audits?

For starters, it’s difficult: most managers have their own administrators perform the internal audits, so the people being audited are the auditors. More importantly, a poorly implemented audit creates trust issues of its own.

You don’t want your administrators to feel untrusted, but you need to monitor what they are doing. Automation is a good way to do it: it applies the same rules to everyone, and nobody has to read over a colleague’s shoulder. Establishing a good log review policy and being transparent about which controls are in place will help as well.
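As an added example (mine, not from the original post), here is what a transparent, automated review of administrator activity can look like: sudo records are parsed from a few constructed auth.log lines and checked against a small published rule set. The hostnames, user names, change window, on-call list and rules are all hypothetical; the point is that the policy is written down beside the code that enforces it, so a flag is a known control rather than a surprise.

```python
import re
from collections import defaultdict

# Hypothetical site policy, published to the admins it applies to. Each rule
# states why it exists, so a flag reads as a known control rather than an
# accusation. Times are local hours.
CHANGE_WINDOW = range(2, 4)     # 02:00-03:59, approved maintenance hours
ON_CALL = {"alice"}             # may act outside the window without a ticket
COMMAND_RULES = {
    "R1": ("interactive root shell: the commands run inside it are not logged",
           re.compile(r"^(?:/usr)?/bin/(?:ba)?sh(?:\s|$)|^(?:/usr)?/bin/su(?:\s|$)")),
    "R2": ("edit or read of credential or privilege files",
           re.compile(r"/etc/(?:shadow|sudoers|passwd)\b")),
    "R3": ("log tampering",
           re.compile(r"^(?:/usr)?/bin/(?:rm|truncate|shred)\b.*\s/var/log/")),
}
# R4: sudo refused the request.  R5: outside the change window and not on call.

# sudo's syslog line, as it appears in /var/log/auth.log on Debian-family hosts.
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample, not a real log.
SAMPLE_LOG = [
    "Mar  3 02:14:07 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  3 03:30:00 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/postgresql/postgresql.log",
    "Mar  3 14:02:51 db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 14:03:10 db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers",
    "Mar  3 14:05:00 db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log",
    "Mar  3 14:05:30 db01 sshd[2211]: Accepted publickey for bob from 10.0.0.9 port 51234 ssh2",
    "Mar  3 23:40:00 web01 sudo:   carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]


def review(lines):
    """Return {user: [(rule_id, reason, command), ...]} for every policy hit."""
    findings = defaultdict(list)
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue                               # not a sudo record
        user, cmd, hour = m["user"], m["cmd"], int(m["hh"])
        for rid, (reason, pattern) in COMMAND_RULES.items():
            if pattern.search(cmd):
                findings[user].append((rid, reason, cmd))
        if m["denied"]:
            findings[user].append(("R4", f"sudo refused: {m['denied']}", cmd))
        if hour not in CHANGE_WINDOW and user not in ON_CALL:
            findings[user].append(("R5", "outside change window, not on call", cmd))
    return dict(findings)


def report(lines):
    """Plain-text summary grouped per admin, suitable for mailing to the team."""
    out = []
    for user, hits in sorted(review(lines).items()):
        out.append(f"{user}: {len(hits)} finding(s)")
        for rid, reason, cmd in hits:
            out.append(f"  [{rid}] {reason}: {cmd}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, alice’s in-window restart and log read produce nothing, while bob’s root shell, sudoers edit and deleted auth.log each trip a rule, and carol’s refused attempt to read /etc/shadow is recorded even though it failed. Mailing the same report to the whole admin team, not just to management, is what keeps it a control rather than surveillance.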

In the end you want your administrators to establish a bond with your organization and ideals – not just your machines. Doing so leads to better security and efficiency and improves your external defenses at the same time.

Security Education Down Under

Young Australians are learning about online security thanks to a new federal government program.

Under the program, e-security education modules aimed at students in years 3 and 9 will address key aspects of safe online behaviour, as well as the use of appropriate computer defence systems.

As a network assistant in college, I was able to see just how little most people know about protecting themselves and being wary of what they are bringing onto their computers. Educating children on security will make things a little easier on the security experts of the future.

In a Perfect World…

Recent trouble at the Sky News message board shows that a little common sense goes a long way in security development.

It seems Sky’s system had a simple defence mechanism against automated abuse such as spam or DoS attacks. If it received a handful of invalid login attempts on an account within a short space of time, it suspended the account. Which was fine, until someone discovered this and started using it to disable the accounts of active posters on the board. After someone posted how to do it on the board, others seem to have joined in the ‘fun’, and the social fabric of the board collapsed.

Sky News failed to inform their users as to why their accounts were suspended, and users began to wonder about the security of their account information. When a statement was finally released, Sky attempted to wash their hands of the mess.

But let’s be clear: it’s the troublemakers who are actually responsible for messing things up.

Sure, if there were no “troublemakers,” there would be no need for passwords, but there is a sort of Murphy’s Law of security. If you allow something to be misused, someone will misuse it.
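To make the Sky News failure concrete, here is an added example (mine, not Sky’s code, which I have never seen) of the lockout logic the post describes beside a version that is harder to turn against other users. The thresholds, delays and IP addresses are assumptions for the example. The naive class suspends an account after a few bad guesses from anyone; the hardened class throttles the (account, source) pair with a growing delay, blocks a source that sprays many accounts, and always says why a request was refused.

```python
from collections import defaultdict

WINDOW = 60  # seconds of history that counts toward a lockout


class NaiveLockout:
    """What the post describes: a few bad guesses against an account within a
    short window and the account is suspended. The owner is never told why,
    and anyone who knows a username can trigger it."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(list)   # account -> timestamps of bad guesses
        self.suspended = set()

    def attempt(self, account, source, password_ok, now):
        if account in self.suspended:
            return "suspended"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        recent = [t for t in self.failures[account] if now - t < WINDOW] + [now]
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.suspended.add(account)      # attacker's failures lock out the victim
            return "suspended"
        return "denied"


class ThrottledLogin:
    """Hardened version: throttle the (account, source) pair with exponential
    backoff instead of suspending the account, block a source that tries many
    accounts, and return a reason the caller can show the user."""

    def __init__(self, base_delay=2, max_delay=300, spray_limit=10):
        self.base_delay, self.max_delay, self.spray_limit = base_delay, max_delay, spray_limit
        self.failures = defaultdict(int)          # (account, source) -> consecutive failures
        self.blocked_until = {}                   # (account, source) -> time
        self.accounts_hit = defaultdict(set)      # source -> accounts it failed against
        self.source_blocked_until = {}            # source -> time

    def attempt(self, account, source, password_ok, now):
        if now < self.source_blocked_until.get(source, 0):
            return "source blocked: too many accounts tried"
        key = (account, source)
        until = self.blocked_until.get(key, 0)
        if now < until:
            return f"throttled: retry in {until - now}s"
        if password_ok:
            # A good password clears this source's own history only; an attacker
            # hammering the same account from elsewhere never affects this path.
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return "ok"
        n = self.failures[key] + 1
        self.failures[key] = n
        self.blocked_until[key] = now + min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.accounts_hit[source].add(account)
        if len(self.accounts_hit[source]) >= self.spray_limit:
            self.source_blocked_until[source] = now + self.max_delay
        return "denied"
```

Three wrong guesses from an attacker’s address suspend the victim in the first class, while in the second the victim logs in normally from their own address and only the attacker waits. Source-based throttling can be evaded with many addresses, which is why the spray rule and a step up to a CAPTCHA or second factor (rather than suspension) are the usual next layers.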

How I’d Hack Your Password

Good blog post here about how to hack passwords. See if he mentions yours right out.


Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…


He goes on to mention password crackers and how fast they do their jobs. A little scary, actually…
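To show why the list above works, here is an added example (mine, not the quoted author’s code) of the targeted guessing it describes: a fictional profile is expanded with the mangling rules from the list, each guess is hashed once and compared, and the same generator doubles as a policy check that rejects passwords it would have produced. The profile, the suffixes and the use of unsalted SHA-256 as the stored format are assumptions for the example; a slow, salted KDF would make each guess far more expensive.

```python
import hashlib
import itertools

# Constructed profile of a fictional target: the facts the quoted post says an
# attacker can pick up from a social-network page or a short conversation.
PROFILE = {
    "names":  ["Rex", "Emily", "Jake"],         # pet, child, partner
    "dates":  ["1979-04-12", "2006-11-30"],     # birthdays, ISO form
    "places": ["Pittsburgh", "Steelers", "PennState"],
    "ssn_last4": ["4417"],
}

# The quoted post's generic guesses, tried before anything personal.
COMMON = ["password", "123", "1234", "123456", "god", "letmein", "money", "love"]
# "They're always making you use a number": the mangling people reach for.
SUFFIXES = ["", "0", "1", "!", "123", "2008"]


def sha256_hex(text):
    """The stored format attacked here: unsalted, one cheap hash per guess."""
    return hashlib.sha256(text.encode()).hexdigest()


def date_forms(iso):
    """Expand 1979-04-12 into the ways people type a birthday."""
    y, m, d = iso.split("-")
    return [y, m + d, d + m, m + d + y[2:], m + d + y, d + m + y, y[2:] + m + d]


def candidates(profile):
    """Yield targeted guesses, most likely first, without duplicates."""
    words = list(COMMON)
    for w in profile["names"] + profile["places"]:
        words += [w, w.lower(), w.upper()]
    for iso in profile["dates"]:
        words += date_forms(iso)
    words += profile["ssn_last4"]
    seen = set()
    for word, suffix in itertools.product(words, SUFFIXES):
        guess = word + suffix
        if guess not in seen:
            seen.add(guess)
            yield guess


def crack(digest_hex, profile, limit=100_000):
    """Try the targeted list against a digest. With no salt and no work factor
    every guess costs one hash, which is why 'a few more minutes' is realistic.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for tried, guess in enumerate(candidates(profile), 1):
        if sha256_hex(guess) == digest_hex:
            return guess, tried
        if tried >= limit:
            break
    return None, tried


def is_guessable(password, profile):
    """Password-policy hook: reject anything the generator would produce,
    compared without regard to case."""
    p = password.lower()
    return any(p == g.lower() for g in candidates(profile))
```

The whole targeted list here is only a few hundred guesses, which is the point: a password built from the top-10 list falls before a dictionary attack even starts. The same `is_guessable` check run at password-change time, with the profile the service already holds, stops the user from picking one in the first place.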

Give Me Your Money - Or Die


Dentists, doctors, lawyers and other professionals in the Pittsburgh area have been targeted by a “hit man” e-mail scheme, receiving messages that tell them to pay up to spare their lives, the FBI said.

No one has reportedly lost money or been harmed in the scam, but some recipients were unnerved by the messages, said Special Agent Bill Shore, who supervises the computer crime squad in the Pittsburgh FBI office.

“You think, ‘What did I get into? What do I gotta do to get out of this?’ “ Shore said.


Who worries about hit men?

The more people learn not to click on links in emails, the more enticing spammers, phishers, and the like will have to make them.