Checking Cables First

I went by my Mom's house yesterday. She was had no connection to the Internet. She had called the SBC support line, and told them she couldn't access her Gmail account. The support person told her that she would have to use the SBC mail instead of Gmail. Not really a knowledgeable answer.

Mom's not technical, and the phone support was no help, so I stopped by on the way home from work. After trying a few things, including an IPCONFIG command, some PINGing, and a 'repair' of the network connection, I decided to talk a look at the router and DSL modem.

And once again, found that one of Dr. Jerry Pournelle's Laws was once again proven true: most of all computer problems are related to cables.

It seems that my brother (still living at home) had moved the cables around, disconnecting the router from the DSL modem, using the one network cable connection on the DSL modem for his computer.

A quick correction of the cabling (DSL modem to router, router to each of the two computers) fixed that problem. Since my brother was asleep (long story), I left a diagram of the proper cabling.

So if you are working with a problem, check the cabling first.

Use Free Wi-Fi and Go To Jail

Is there a risk to using free wi-fi? There's one guy in England who is in jail because he used an open wi-fi connection. Police in West London arrested a guy using his laptop while he was sitting outside a house that had an unsecured wireless connection.

A Detective Constable said that "The practice, known as piggybacking, breaches the Computer Misuse Act and the Communications Act". (See the article here: http://news.zdnet.com/2100-1035_22-6204148.html .)

Now, this is in England, so may not apply to users here in the US. But another columnist at ZDNet wonders if using a Skype phone (connects via wi-fi) could get you in jail. As he explains here http://news.zdnet.com/2100-1035_22-6204148.html, he was testing his Skype phone, went to a new area, and was surpised to get an incoming phone call.

"After some further investigation I determined that the phone was automatically configured to connect any “open” (read unsecured) Wi-Fi network it can find. Of course the majority of users won’t ever bother changing the default settings and many won’t even know how to change it or what it implies if they don’t change it. Would this make them criminals in the eyes of the law since ignorance is never an excuse?"

Interesting question.

And then there's the issue of the use of your unsecured wi-fi connection at your house. What is an evildoer uses your wi-fi connection to download pr0n? Or make a threat to an elected official? Or downloads illegal/unlicensed music? Who are the authorities (or the RIAA) going to go after? Probably the owner of that broadband connection that has a wireless router.

Is your wi-fi connection encrypted? Perhaps it should be. It will only take a few minutes, and I'd bet that you could find the instructions on the wi-fi router manufacturer's web site.

"Rick's Best Computer Security Practice" : get your wireless network encrypted. You don't want give the bad guys a free pass into your network (or your computer) on your dime.





http://blogs.zdnet.com/Ou/?p=699

Storm Warnings

No doubt you have gotten several emails for ecards, membership, and other subject that contain just a short message and a link to click on. The Security Dawg previously warned about the 'ecard' spam here http://www.securitydawg.com/2007/08/greeting-card-virus-warning.html .

These emails are part of the "Storm" bot network, and the perp is quite cleverly adapting his emails to bypass spam filters and anti-virus programs. The actual program that is downloaded when you click on the link is changing every 30 minutes, according to one report at the Internet Storm Center.

The folks at F-Secure (anti-virus company) have a good writeup of the various permutations of this email here, with screenshots of the emails. The McAfee blog here is also a good source of current information.

This looks to be a widespread and prolific malware author, and it is gathering a steadily increasing 'bot-net' that can be used for many purposes.

Important note: many anti-virus products may not detect this one, since the downloaded program changes rapidly. And it's use of social engineering techniques is part of it's success. Anti-virus may not catch the initial infection, so continued awareness is important.

The Security Dawg recommends that you ensure that your anti-virus is current, run a full anti-virus scan, and be very wary of clicking on any link in an unsolicited email.

"Pass it on".

Your Disaster Recovery Plan

In the last post, we posited some questions about the security of your data, and the need for a Disaster Recovery (DR) plan.

A DR plan can be quite complex for a business. But let's think about your personal DR plan.

All those pictures, financial files, writings, etc are stored on your computer at home. The loss of some of that information can be devastating. Think of all the pictures that you have of you children or important events in your life.

At my house, we have piles of printed pictures. And we are slowly digitizing them with a scanner (a Canon M600, an excellent scanner and color printer, by the way). They are stored on the hard drive, and we use Picassa (along with Photoshop Elements) to manage and print the pictures. My wife creates a lot of scrapbook pages with those scanned pictures. (In fact, all of her 'scrapping' is taking up more space in the home office each day. Another story.)

So, thinking of how to back up that data, we got a DVD writer (external USB version at first; then an internal version next). Since all of our data is stored in the "My Documents" folder on our Windows computer, we just copy all of that folder to a DVD (it takes several DVDs, and a bit of time). The DVDs are then labeled, and I bring them to the office and stick them in a locked drawer.

So, in case of the unthinkable (fire, theft, hard disk failure), we've got a fairly current copy of all those important pictures and other data. And it is stored off-site at the work office. If the hard drive goes 'south', we can replace it, reinstall all the applications, and restore the backed up data. That will take some time to do, but the data will not be lost.

What is your Disaster Recovery strategy? Comments welcomed.

Skype and Microsoft Updates

If you are a Skype (voice over IP) user, you have probably had problems with your service over the last several days. Skype claims that it was caused by Skype user's computer systems rebooting after the latest Microsoft patches. Skype says that all those restarts overwhelmed the system as it tried to reconnect everyone.

The result was no phone service for Skype users. And if that is your only phone access for your business or home, then you have been feeling the pain.

No matter what the cause of the outage (and I am not convinced that the MS updates are the real reason), it brings to mind a Disaster Recover (DR) plan. You got one?

A DR plan is not just for businesses (small or large). It applies to home users. Sure, you might be able to go without your home computer for a while. And you may have cell phones you can use as backups.

But what about your Disaster Recover plan for your data? What about all those family pictures on your computer's hard drive? What if your computer or hard disk dies? Or get stolen? Or an even worse disaster, such as a house (or business) fire that destroys everything? Hurricanes? Tornadoes? Floods?

Do you have a data backup plan? Is your important data (personal or business) stored off-site? How often do you backup your data? Is the backup location secure or safe? And is the backup data encrypted if necessary? (Remember all those stories about tape backups with personal data that were lost? And the business expense of notifying your customers?)

Even at home, a backup plan is good. What's yours? And how do you start?

We'll give you some ideas in the next post.

Smart Banking Malware

Over on my "Digital Choke" web site, this entry discusses some smart banking malware that uses a multi-stage attack to get your financial/banking information.

Link is here: http://digitalchoke.com/digitalchokeblog/2007/08/smarter-malware.html .

"Safe Computing" practices will help protect you.

Greeting Card Virus Warning

There's another "You've been sent a greeting card" spam mail making the rounds. In some cases, it may get through your spam filters.

The message includes a link to click on to get your card. Clicking on the link will result in an attempt to download a virus on your computer.

If your anti-virus is current, it should block the viral install attempt. But "Safe Computing Practices" are that you should be very wary about clicking on links in emails. And greeting cards emails are a common malware-distribution technique.

Our recommendation is to just delete greeting cards messages.

Emergency Texting - Part 3

We started out this series reminding you that, during emergencies, cell phones may not work very well due to overloading. But sending text messages will almost always work.

(Part one is here http://www.securitydawg.com/2007/08/cell-phone-overload-during-emergencies.html, and part 2 is here http://www.securitydawg.com/2007/08/emergency-texting-part-2.html)

We ended up with suggesting a code "777", which means "OK, details in our private blog". That will require a bit more advance setup, and a few more skills, it may be quite effective.

The concept is that your family/circle of friends has access to a private blogging area. Since this place lives at Blogger, we'll use the features of Blogger to get started.

First, someone (that's you) create a blog in Blogger. That's quite simple to do; you can get that done in just a few minutes. Go to www.blogger.com , sign in (create an account if you need to), and just follow the easy on-screen instructions.

Next, create the first entry in your blog, so there will be something there initially. Doesn't have to be fancy, just get something there.

Now go into the Settings screen, click on Permissions, and then Add Authors. Get out your family email address book, and invite your family as authors of the blog. Send off the invitations, and wait for their response. (Make sure that you put your email address in the Email tab on the Settings screen.)

Once your family responds to the invitation, they should be able to add to the blog. Have them try it out.

Now you are all set. Let everyone know that a '777' code means "Everything is OK, but go to our family blog for more info".

All you need is Internet access to use this process. You can use your computer, the one at the local library/community center, or any computer you can get to. Keep in touch via your blog.

Whatever process you use, make sure your family and friends know about it. And practice sending your text messages (teach others).

"Be Prepared".

Emergency Texting - Part 2

The previous post (http://www.securitydawg.com/2007/08/cell-phone-overload-during-emergencies.html) reminded us that sending text messages during emergencies (when there is heavy cell phone use) will get your message through faster than a voice call. This is because text messages are smaller and don't take up the bandwidth that a voice call makes.

We recommended that you learn how to send text messages on your cell phones, perhaps enlisting your children or one of the teenagers nearby to teach you how to send text messages.

Most phones have just a numeric keypad. Sending text with these phones requires pressing one key up to three times to select a letter. For instance, press the "2" key once for "A", twice for "B", three times for "C". Sending a detailed message will take quite a few keystrokes.

Of course, if you have a cell phone with an actual keyboard it's easier. But with standard cell phones (numeric keypads only), 'texting' is harder.

Some phones have some built-in text messages; and may allow you to create your own. That might be useful as you get more familiar with texting. And there's abbreviations you can use.

But I propose something quite simple. Start with some standard 3-digit codes. Here's some ideas; you can think of your own. Just make sure that your family knows what the codes mean. (And make sure that you are in text mode, not in phone mode.)

111 - All OK here
411 - Will call later with more info
911 - Emergency, meet at pre-arranged location (assuming that you have one)
511 - Stuck in traffic, all OK
777 - check in via the blog

Not very imaginative, but you get the idea.

That last one ('777') deserves an explanation, and a bit more planning. More about that in the next post.

Whatever technique and secret codes you use, spend a few minutes practicing. Remember that texting costs, so check out your calling plan. But if your family plans ahead, and if you take a few minutes practicing (there's nothing good on TV, so have a texting session), you'll be ready in case of an emergency.

Cell Phone Overload During Emergencies

The recent and tragic bridge collapse in Minneapolis (MN/USA) reminds us again of the fragility of the cell phone system.

During a calamity, many people turn to their cell phones to contact loved ones. But that overloads the cell phone system, and calls don't get through, often for many hours.

So the alternative to remember is to send text messages. Text messages get sent differently, and don't take up much bandwidth, so they will get through much easier when the cell phone system is overloaded.

The lesson here is to learn how to send text messages on your cell phone. And learn how to receive them from others.

We suggest that your next family meeting around the dinner table be used to learn to text message. Ask your kids to help out, if necessary. Set up your contact list so you can send text messages to your family. Practice until you can easily do it.

It's worth the time to learn how to send text messages.

Knock-Knock--ICE Calling

Did you get a knock on your door from ICE (US Immigration and Customs Enforcement)? You might have if you have some devices that let pirated video games play on Sony's PlayStation 2, Microsoft's Xbox and Xbox 360, and Nintendo's Wii.

There were 32 warrants served in 16 US states. They were looking for the illegal chips and devices used on those gaming consoles, which violate the Digital Millennium Copyright Acto f 1998. The Entertainment Software Association trade group says that these devices cost the gaming industry US$3 billion globally.

Be careful out there. I suspect that, if you have purchased such items, your purchase is in a database somewhere.

Unless you paid cash from the guy in the alley behind the video game store.