Posts tagged ‘key’

Yet Another (In)Security Update

In computers we trust.

But the funny thing is, we shouldn’t.  We really really shouldn’t.

So what’s the latest in security news to remind us how insecure computers can be?  Right.  Let’s get crackin’…

Gone in 60 Seconds, WPA Key On A Silver Platter:

To start with, let’s hear it for wireless networking!  Never has hacking been easier.  You don’t even need to connect a wire.  Often, you don’t even need to be in the building.  Just drive by, park nearby, walk along with a laptop, whatever your evil little heart desires, and you can begin the computer equivalent of breaking and entering at your convenience with no real worry of strange looks or calls to security.  That in itself makes wireless networking so very dangerous.  But then there are the encryption protocols…

The absolute worst, most rubbish ever to use, would be WEP.  Don’t even touch it.  If you think you’re secure using WEP you might as well just not even bother trying.  Now WPA was at least better.  Key word here however is “was”.  As in past-tense.  Yes, that’s right.  A system of hacking WPA was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University that is based on the established Beck-Tews method and can hack WPA in as little as one single minute.  Yes.  Sixty seconds or less and your WPA key is handed over on a silver platter.  This is news because one of the formerly best hacks of WPA, the aforementioned Beck-Tews method, takes more than ten minutes.  You can look deeper into these methods if you care to, but the simple point is WPA is dead to us.  As dead as WEP.  Now the minimum to be secure wirelessly is WPA2.  Which, being old itself, you should have been using already anyway.

Hot List – Snow Leopard Insecurities:

So you just upgraded your Mac to Snow Leopard, Apple’s latest Mac OS X.  Congratulations!  But did you know that Snow Leopard comes with an older version of Adobe Flash?  Yes, that’s right.  Even if you had upgraded to the latest and safest version from Adobe before (which would be 10.0.32.18 at the time of writing), you’re downgraded now.  Back to version 10.0.23.1.  And that means exposure to old exploits and attacks on your shiny new and “secure” Mac.  All without a hint of warning from Apple.  Isn’t that nice of them?  So if you upgraded to Snow Leopard, be sure that one of the first things that you do is update your Adobe Flash … again.

But that’s not all.  Oh no.  Apple’s far too unconcerned with security for that.  Apple has kindly included malware protection built in to Snow Leopard.  (Why is it when Microsoft does this, it’s anticompetitive, but when anyone else does it, it’s heralded as genius?)  Which you’d think is good.  Bundled protection means more people are safe.  If you download and install some Big Nasty, Snow Leopard pops up a warning and recommends that you toss it in the Trash before it harms your computer.  How nice.  It sounds good, except that so far Apple’s protection is very … limited.  It hardly identifies any baddies at all.  And this is the problem, because it lulls you into a false feeling of security.  You’re protected, right?  Wrong!  So until Apple does a much better job of identifying malware it is highly suggested that you also install your own protection software.

Microsoft IE – Something Rotten in Denmark England:

And speaking of Microsoft and bundling, Microsoft’s SmartScreen Filter, built/bundled into Internet Explorer 7 and 8, has decided to protect a lot of folks from those dangerous blokes across the pond by blacklisting every uk.com top-level domain!  Um, come again?  Yes, that’s right.  To protect you from phishing attacks, IE blocks Blighty.  As one would imagine, this has caused a great deal of problems and phone calls from concerned web surfers over there.  Of course Microsoft fixed things fairly quickly.  After all, blacklisting entire countries on a whim is kind of bad press.  But it just goes to show, sometimes “security” works as much against you as it does for you.

O2 – Something Else Rotten in Denmark England:

Customers of O2, a British internet service provider, may want to disconnect.  O2 has been handing their customers faulty routers.  The O2 Wireless Box II (a rebranded Thomson TG585) and the O2 Wireless Box III (a rebranded Thomson TG585n) are vulnerable to cross-site request forgery (CSRF) attacks, allowing pretty much anyone to easily log into your router itself, at will, no questions asked.  This in turn lets them steal your encryption key, even if you use WPA2, and do all sorts of other not-so-nice things to your computer.  Needless to say, this is bad.  But after badgering O2 about it, security champion Paul Mutton has finally convinced O2 that it actually is a problem.  And O2 has promised to look into it and remedy as necessary.  If you’re an O2 customer, make sure you keep on top of this, as at-will hijacking of your router is A Bad Thing.

World of Warcraft – Gone Phishing Again?:

Yes, same as always then.  The official Blizzard WoW forums are being used to distribute malware to steal your passwords, blah blah blah.  If you play World of Warcraft and have somehow not heard of all of the phishing and malware trying to steal your account information so that hackers can sell your loot for real money, then you must be oblivious.  To everyone else, same s___, different day.  This latest phish is pretending to offer you exclusive access to a new service.  Just click on their invitation, bend over, and take it from behind.  I guess these things must work, because hackers keep doing them.  But honestly, if there isn’t a group of people that should be extremely aware of security by now…  Welcome to the World of Phishcraft.

What’s This?  Good News?  Google Polishes Chrome:

If you use the newest web browser darling, Google Chrome, then congratulations, you’ve got a patch to fix a couple of severe vulnerabilities.  The update to 2.0.172.43 protects you from a known attack on Google’s V8 JavaScript engine, and from a known attack on webpages using XML-encoded information.  If you haven’t patched your Chrome yet, it is highly recommended.

Well, that’s it for now.  Be wary.  Be safe.

Being Bitten Bytes! – Of Spiders, Security, And Taxes!

Last night my thumb was all itchy, red, and a little swollen. But I was exhausted and managed to get to sleep anyway. This morning it was down to a little itchy bump. An itchy bump with two little holes. I’d been bitten!

Most likely it was a spider. Dastardly little critters! It’s no wonder I hate them. And wasps. Both for the same reason. They likes to hurtses us. They hateses us, my Precious…

But as annoying as a little spider bite is, and obviously it couldn’t have been all that poisonous of a spider if I’m still alive to talk about it, there are worse things biting innocent people out there.

Take, for example, the UK’s most popular Wi-Fi router, the BT Home Hub. Now, GNUCITIZEN has already found in this router a VoIP hijacking vulnerability and the ability for hackers to bypass password protection. Both of these vulns were rapidly fixed by BT upon discovery. Still, not a great sign of secure gear.

But now, GNUCITIZEN has found yet more insecurity in this ever so popular wireless networking product. Now WEP is normally a rather insecure form of encryption anyway, but in the BT Home Hub it’s apparently even worse than that. Thomson/Alcatel (the equipment manufacturer) uses such a weak algorithm for generating keys that they can be guessed in an average of 80 attempts. GNUCITIZEN has even written a simple program to prove this point, which requires no special hardware or software to crack the UK’s favorite Wi-Fi router, which is set by default to use WEP encryption. Does anyone see a problem here?

Right. Well, standard practice for security-minded people is, of course, to go to the highest security encryption possible. In this case only WPA. (There is a WPA2 which is far more secure, just not on this device.) But wait. Remember that weak key-gen algorithm? Yep. You guessed it. When using the default encryption key, the WPA setting is just as easy to crack. Oops.

Fortunately, the WPA setting has other modes for encryption keys. You can enter your own. You can set it to a random key. Whatever, just so long as it isn’t the default key. Which is sound security advice anyway, but rather awful that the BT Home Hub is such an insecure device that you actually need to do this. As always, security starts with an intelligent user. Never settle for default.
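To put numbers on "never settle for default", here is an added example (not from the original post and not GNUCITIZEN's program) that compares the guessing work for a default key findable in about 80 attempts with a randomly generated WPA passphrase, and derives the pre-shared key the way WPA-Personal does. The SSID, the 20-character length and the letters-and-digits alphabet are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Letters and digits only, so the result is easy to type into a router's
# admin page. The alphabet is an assumption, not a WPA requirement.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(candidates: int) -> float:
    """Bits of guessing work needed to cover `candidates` equally likely keys."""
    return math.log2(candidates)


def passphrase_entropy(length: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def random_passphrase(length: int = 20) -> str:
    """Draw a passphrase from the OS CSPRNG; WPA accepts 8 to 63 printable ASCII."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key as WPA/WPA2-Personal does:
    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    ssid = "ExampleHomeHub"  # constructed SSID, not a real network
    phrase = random_passphrase(20)
    # The post's figure: a default key that falls in roughly 80 guesses.
    print(f"default key, ~80 guesses : {entropy_bits(80):6.1f} bits")
    print(f"random 20-char passphrase: {passphrase_entropy(20):6.1f} bits")
    print(f"passphrase: {phrase}")
    print(f"PSK       : {wpa_psk(phrase, ssid).hex()}")
```

Because the SSID is broadcast and the derivation is fixed, the passphrase is the only secret in the chain, which is why a predictable default undoes WPA just as thoroughly as it undoes WEP.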

While we’re on the subject of things that bite, let’s jump back across the pond to the “wonderful” state of New York. Or perhaps they’re trying to change their name to New Pork?

The New York Pork legislature has approved a frightening new law that would force big online retailers like Amazon.com to collect sales tax on all goods shipped to NY. Yes, you read that right. And no, these businesses don’t have any physical presence in the state, but they would be forced to collect taxes for the state anyway.

You see, in 1992 a Supreme Court case against a mail order business ruled that businesses with a physical presence in a state must collect sales tax for orders delivered to that state. And anyone receiving delivery outside of that state must declare their out of state purchases on their income tax return for that year. And so life went on to the point of today where most people never pay their taxes for online purchases as they conveniently “forget” to declare that printer ink, book, or sun dress when taxes come due.

New York, apparently, has grown tired of not receiving their due. So in spite of common decency and the way things are done in every other state across the entire United States of America, New Pork is passing a law that says that even businesses that don’t have warehouses or offices in the state must still collect taxes for them. So now, in theory at least, every resident of New York will always pay sales tax for online purchases. And by that same theory, every mail-order catalog will also have to charge citizens of New Pork a sales tax.

Call me crazy, but I expect this one to be fought.