GuruNews, Volume 8 Number 39, 10-23-08

Thu Oct 23 20:56:00 EDT 2008

Welcome to GuruNews

Brought to you each week by the PC Gurus, a loose collection of volunteers from around the Kentuckiana region.

You can interact with the PC Guru team via our Web site, located at http://www.thepcgurus.com.  On our site you can post your computer questions, comments and rants on the forums, e-mail the PC Guru

team members and chat one on one in our nightly IRC chat beginning around 8:00 PM EDT.  You can also subscribe to our RSS feeds so you can get the latest news and forum updates from the PC Guru Web site directly on your computer.

If you're new to the Newsletter you can read back issues at Team member JP Durbin's website at http://www.jpdurbin.net.  There are links to all the old 84 Online issues as well as the new GuruNews missives.

The WHAS Crusade for Children provides year round support for needy children throughout the Kentuckiana region.  Visit http://www.whascrusade.org to make donations online.

USS Rover's list of streaming computer shows is now available for download in Excel, Open Office and Linux ready formats from http://sheet.zoho.com/public/ussrover/shows. 

To subscribe to this newsletter just drop by www.thepcgurus.com and sign up!

Vol. 8, No. 39                 

10-23-08

1 Hacking Sarah Palin II  

2 Where are the pumpkins?       

3 Emergency patch, virtual stupidity, LOLcats, security tool?

4 Spell checking

5 Routers

Last week's hacking article led to quite a healthy discussion amongst the Gurus.  It would seem there are facets of both this incident and the very definition of "hacking" that are debatable.  This week, we look at a couple of those facets.

Palin had two personal email accounts on Yahoo, gov.sarah and gov.palin.  Authorities looking into "Troopergate" had already accessed the first account but an outside party accessed the second.  Contents published on the web indicate that both accounts were used for official government business, which violates several state and federal laws.

Artman points out that the illegal access exposed an even larger case of illegal activity by a government official, offsetting the offense.  There's actually a certain logic to that argument.

As an example, let's say you're a tech savvy user who accesses your bank account online.  While browsing your transactions you notice that the URL of one of the buttons looks wrong (if you hover over a button or other "hyperlink" device on a web page a little bubble displays the target URL, or address).  You click the button and find yourself on the master account page, where you can access every account at your bank and get each users card numbers, balances, credit lines etc.

As a good guy you naturally call the bank right away to report the security breach.  Guess what, for purposefully clicking that button you likely violated computer access laws and might well go to jail or suffer a heavy fine.

Stupid?  Yes.  Fair?  Nope.  But is it the law?  You betcha.

This "violation of privacy" certainly belongs in the same category.  Call it criminality for the common good and, in reality, it can conceivably have a beneficial impact on the common man.

Kyle Harmon comes in from a different direction with a much more inclusive definition of hacking than I'm accustomed to but Kyle, being younger and more knowledgeable about email servers and email security (he owns the servers and graciously provides hosting for our humble presence), provides his definition.

"Hacking is, at its core, finding vulnerabilities in computer systems and exploiting them for some sort of personal gain.  (Sometimes, in the case of "white hat" and "gray hat" hackers, that personal gain is just the satisfaction of finding the problem and letting the appropriate people know how to fix them.)  In my opinion, there are four basic areas where a hacker might find a vulnerability:

1.     Hardware: Sometimes physical hardware, such as memory, hard drives, and processors have vulnerabilities.  For example, security researchers recently discovered that they can retrieve secret decryption keys documents secured by Microsoft's BitLocker drive security feature in Windows Vista by super-cooling a computer's memory while the computer is on, then retrieving them by removing the memory and reading it in another computer. 

2.     Software: Bugs in software sometimes allow an attacker in to a vulnerable system.  Anyone who has ever visited Windows Update has encountered multitudes of software downloads aimed to fix these vulnerabilities that are discovered in software. 

3.     Logic: Even when software is running as intended, there are still flaws in how the software was intentionally designed which can allow unauthorized access.  The password reset tools on many websites are full of these flaws.  For example, many only ask for a date of birth.  In that case, there are only a little over 16,000 possible birthdays of people between the ages of 15 and 60.  A hacker automatically trying 1 birthday every second would spend less than 5 hours trying every single possible combination, thereby gaining access to the account. 

4.     Human: Computer systems are only as secure as the people who use them.  Renowned hacker Kevin Mitnick is well-known for saying that "social engineering", or the practice of tricking people in to voluntarily revealing sensitive information, is by far the most powerful tool in his arsenal.  Hackers often send out "phishing" emails which claim to be from your bank in order to try to trick you in to giving out your online banking information.

Most people who are not familiar with computer security only really consider the first two possibilities, but the truth is that the logic and human vulnerabilities are generally much more easily and successfully exploited. As a hacker, why would I try to find vulnerabilities in complicated software when I can just reset your password by looking up some information in your Facebook profile, or calling you, pretending to be your bank, and asking you for that sensitive information?

So how do you protect yourself?  For hardware and software vulnerabilities, the answer is easy, and we have discussed it at length in the past: keep your software up-to-date, use a good antivirus and keep it up-to-date, use a good firewall and keep it up-to-date, and use good anti-spyware and keep it up-to-date (notice a theme here?).

Regarding logic vulnerabilities, such as the one that bit Sarah Palin as Kevin discussed in the last newsletter, the good news is that it is very unlikely that you will ever have to deal with such a problem.  Exploiting logic vulnerabilities usually requires a hacker to take an interest in you personally, so unless you've made yourself a target, you probably don't have much to worry about.  Nonetheless, you can still protect yourself: the best thing to do is to not answer any "security questions" honestly unless there is some reason you have to.  Treat the answers to security questions like passwords.  When PayPal asks your mother's maiden name, enter something fake-something that someone couldn't look up or easily guess.  When a website asks your favorite color, enter something like "Fuzzy Wuzzy Brown" instead of "blue".

Finally, to protect you from the human vulnerabilities in hacking, think twice before entering any sensitive information, especially if you arrived at that address from an email that you were not expecting.  Also, be careful about giving out such information over the phone unless you initiate the call yourself.  While viruses and worms cause the majority of computer problems out there, many more serious problems, such as identity theft, start when someone gives out his personal information voluntarily.

-- 
Kyle Harmon
kyle at thepcgurus.com"

As you can well imagine, in a group of intelligent people all working in the same field there are often debates.  I thought you might enjoy seeing a couple of them.

Kevin Mefford, Editor

pcguru at microdome.net

Terry Wise

www.ratland.com

Tech News of the Week

For as yet undisclosed reasons Microsoft will be releasing an emergency patch overnight Thursday, breaking out of the usual Patch Tuesday schedule:

http://blogs.zdnet.com/microsoft/?p=1658&tag=nl.e589

Japanese woman, incensed over virtual divorce, commits virtual murder:

http://tinyurl.com/6npxj4

LOLcats for Literacy:

http://blog.wired.com/underwire/2008/10/lolcats-pounce.html

They call this thing a "security" tool?

http://www.enterpriseitplanet.com/security/news/article.php/3777556

Download of the Week

Anyone using Outlook Express who doesn't have Microsoft Office installed will notice the lack of access for the spell check feature.  This of course will scan an email message for spelling errors and suggest proper spellings.  I give you Spell Checker for OE, a free standalone program that activates the feature, allows for custom dictionaries, allows for addition of new words etc.  Oh, did I mention it was free?  If you need it, grab it from:

http://www.geocities.com/vampirefo/

Email Question of the Week

Q:  The following was in you rnewsletter:

I will never say that any computer is safe if it's connected to the Internet but if you have one you can take precautions.  Operate behind a router, use a quality antivirus program, do frequent scans for spyware, and don't click every little thing that pops up on the web.  That's all it takes.

What do you mean by "operating behind a router?"

A:  A router is a device that takes an incoming broadband signal like DSL or cable Internet and reroutes it to multiple computers.  Wireless routers allow laptops and other wireless equipped devices without stringing cables everywhere.

The way the router does this is called Network Address Translation (NAT) and from a security standpoint it serves as a type of hardware firewall that doesn't require user intervention.

A lot of modern broadband modems are actually hybrid devices that are both modem/router so you may already have one.  You can check stickers on the back or bottom of the modem to see if router is actually mentioned anywhere.  If so, you have one.

The idea is to allow homes with more than one computer to be online simultaneously.  They are superfluous in a way if you only have one PC but they still add a layer of security if you're hooked directly to a modem-only device.

They run anywhere from $30-150 for home use, depending on what features you want.  A standard Linksys or Neatgear for around $60 will be fine and do the job.

If you're on dial-up you don't need one, nor are they available.

Hope that helps and keep us posted...

Kevin Mefford

pcguru at microdome.net

Contact info and legal stuff

If you have tech support questions or ideas and/or submissions for our newsletter please submit them by visiting www.thepcgurus.com and click on the "Email the Team" icon. 

Copyright 2001-2008 The PC Gurus, all rights reserved.  Publication, rebroadcast or storage is prohibited without prior consent, however you may freely forward this publication to friends as long as A) it is forwarded in its entirety and B) no fee is charged.

Information provided in this publication is provided "as is" without warranty of any kind, either expressed or implied.  Although the information provided is known to work on most systems, it may not work on ALL systems.  Make use of any information supplied at your own risk.

The PC Gurus are a group of volunteers who provide support for the PC, Mac and Linux users in the Kentuckiana region.

To unsubscribe from this newsletter visit http://thepcgurus.com/mailman/listinfo/newsletter_thepcgurus.com or send an email to microdome at seidata.com with the words "unsubscribe newsletter" (without the quotes) at the top of the body of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://thepcgurus.com/pipermail/newsletter_thepcgurus.com/attachments/20081023/8790fd3c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 67745 bytes
Desc: not available
URL: <http://thepcgurus.com/pipermail/newsletter_thepcgurus.com/attachments/20081023/8790fd3c/attachment.jpe>