Digital certificate problems are much in the news, owing to the scandal over compromised certificate authority DigiNotar, but the more common certificate problems are much simpler and more confined. Large, complex organizations often have trouble keeping track of all their certificates.
It's surprisingly common to find management of external CA-issued digital certificates to be decentralized and unorganized. Different groups buy them for different sites and some guy keeps track of them, including minor details like the private keys and expiration dates, in an Excel sheet. One day when he falls through a manhole or leaves for another job, what's going to happen? You may not even remember about it until one of the certificates expires and users start getting errors. "I think that file was somewhere here in his network folder..."
It's received wisdom in software development generally that you don't write your own code when a perfectly good implementation is there for the taking. It's the old saw about reinventing the wheel. But it's especially true of cryptographic code. Windows programs that utilized the OS standard crypto functions got fast and automatic protection from the rogue certificates distributed during the DigiNotar scandal.
Over the last couple weeks, as stories about the hacking of certificate authority DigiNotar increased, various companies retracted their trust and the Dutch government stepped in. Given that the criminal who did the hacking announced the fact, it was potentially too late for anyone to protect themselves, but still time is of the essence in such matters.
The security requirements for certificate authorities have, so far, been... well, there haven't been any. Mozilla is now attempting to impose some and giving CAs precious little time to come up to standard. Could the Mozilla "death sentence" be imposed?
Mozilla's letter to certificate authorities demands some significant information by September 16, 2011, the end of next week. While it says nothing about breaches, we know from the EFF's SSL Observatory project that many certificate authorities aren't sticklers for detail when it comes to security issues.
The hacker who breached the DigiNotar certificate authority has come out, or at least claimed to. He appears to be the same hacker who breached Comodo, another CA, several months ago. (Hat tip to F-Secure.) "COMODOHACKER" seems to have a problem with the Dutch government.
He claims to have gotten past numerous sophisticated protections in DigiNotar's systems, the details of which he will divulge later, and that he retains inside access to four other "high-profile" CAs and can still issue rogue certificates from them. He also claims that the password for the PRODUCTION\Administrator account (the domain administrator of certificate network) is "Pr0d@dm1n".
It has been obvious for some time that Google's app standards for Android are lenient, to say the least. That's why Android is the favored platform for mobile malware. But it turns out that Chrome extensions are a huge and similar problem, one that I'm beginning to really worry about.
When Android phones started coming out Google had a lot of catching up to do. Back then there was a lot of mindless talk about how many tens of thousands or hundreds of thousands of apps a phone had. Obviously 200,000 apps is twice as good as 100,000, right? The way Google structured their app system for Android seems to me to be designed to maximize the number of apps by making it cheap and easy to create and distribute them. And this happens at the expense of security.
If only there were a way to keep up to date automatically on vulnerabilities and have Windows apply patches to the important ones. Secunia's Corporate Software Inspector (CSI) 5.0 lets you do that, applying even your 3rd party software updates through Microsoft's WSUS (Windows Software Update Services) and SCCM (System Center Configuration Manager).
I've been complaining for years that Microsoft should open up the Windows Update process to third parties. Secunia has filled in most of this gap with their Personal Software Inspector (PSI) for individuals and CSI for managed networks.
Businesses are concerned about security, but which are the biggest concerns and what are their strategies? Symantec explores these questions in their 2011 State of Security Survey.
Symantec commissioned Applied Research to conduct the survey in April and May of 2011. Thirty-three hundred organizations worldwide, across a range of industries and sized from 5 employees to many thousands, were surveyed. Sixty-five percent of the organizations had 500 or more employees, weighting the survey heavily towards large organizations in terms of total seats.
Fourth in a series. I remember something from the Windows XP rollout in New York City. At the Marriott Marquis in Times Square, Gateway gave out these. Mo-o-o-o-o.
I recall that it was common to criticize XP early on as being a minor update to Windows 2000, as in Windows 2000.1. There may have been something to that, but the operating system developed into much more.
It was probably a slip-up and appears to have been taken down, but a Chinese documentary on cyber-warfare shows attacks being performed against US-based Internet properties of Falun Gong and other organizations banned in China. Thanks to F-Secure for passing this on, although they appear to have picked it up from the Epoch Times.
The video was entitled "Military Technology: Internet Storm is Coming" and was published on the Government-run TV channel CCTV 7, Military and Agriculture (at military.cntv.cn). According to F-Secure the specific URL was:
What, another major Firefox release? Tuesday will see the release of Firefox 6.0, eight weeks after the release of 5.0 and less than 5 months after the release of 4.0, which they have already end-of-lifed.
It's all Google's fault. Version 1 of Chrome was released on December 11, 2008. Here we are, less than 1,000 days later, with version 13 as the stable release. Of course Mozilla is the descendant of Netscape, which invented the idea of releasing products formally designated as beta, which Google extended to having some products never leave beta. Together the two have taken any meaning out of version numbers.
When you set up a new Windows system, especially an XP system, you may be faced with a titanic load of updates to apply to it in order to bring it up to date. If you don't have a loaded-up WSUS server or similar system this means pulling potentially hundreds of megabytes over your Internet connection, and multiple reboots. Microsoft could make it a lot easier.
F-Secure just brought this up by asking for an "update rollup" for Windows XP SP3. A perfectly reasonable request if ever there were one. When they set up a minimal install of XP SP3 (e.g. no calc.exe) in a VM they have to apply 157 updates after SP3. As they point out, SP3 itself was basically just an update rollup. So why doesn't Microsoft do more?
If the security of your system depends on users making intelligent security decisions then you're basically doomed. After all these years of experience with end users on the Internet we know that they can't be trusted to make those decisions correctly. At least not often enough.
That's why the best security technologies are the ones that happen in spite of the user. These have been a focus for Microsoft over the last 10 years and remain the last, best hope of userdom.
Amazon can't keep running away from states that require sales tax collection. Even they are now supporting a Democratic proposal to create an interstate agreement for standardized and simplified collection of taxes. Everyone's a winner except for those of you who have not been paying the use tax you're supposed to pay. It's a good and fair idea and it has no chance whatsoever of passage.
The remote buyer sales tax problem is an old one going back to the days of mail order and catalogs. The Internet has made it worse for states because the volume is so much greater, but the nature of the problem hasn't really changed. In that sense, the established court precedents might seem to close the books on the case.
According to Xinhuanet (the official Chinese news agency) "Taiwanese technology giant Foxconn will replace some of its workers with 1 million robots in three years to cut rising labor expenses and improve efficiency, said Terry Gou, founder and chairman of the company, late Friday".
This is an old story and you could see it coming for Foxconn. A few months ago when I talked about the problem of labor conditions at Foxconn, where products for Apple, Sony, Nokia and others are made, I suggested that a need to improve labor conditions might end up with a lot of jobs being eliminated. This seems to be the case.
Bigfoot, the Loch Ness Monster, aliens with anal probes, and Mac malware: long-rumored, but short on confirmed sightings. Until recently.
In May we had our first genuine Mac malware outbreak with Mac Guard a.k.a. MacDefender and a bunch of other names. It followed the tried-and-true Windows malware method of fake anti-malware software. Once installed, it caused a lot of problems and then demanded money to solve them. Apple created a signature check system that can't really work in the long run, but within a few weeks the attacks ran their course. They weren't followed up, at least not in a big way.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK and Dr. Dobb's Journal. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.