
March 05, 2008

Free "Shadow Explorer" Displays & Recovers Shadow Copies on Any Version of Vista

I've posted previously about Vista's Shadow Copy feature, and its security and e-discovery implications. Having explored it a bit more over the past several months, here are some things legal and IT professionals should know about it. Consider it a crash course in Vista Shadow Copies, and I'll share how to get a new utility program for accessing and restoring these hidden files.

Please keep in mind some of these items are based on information found online including unofficial sources, so it's best taken as my personal interpretation of that information (meaning that if I've unintentionally stated something incorrectly, don't hold it against me, and I would appreciate constructive feedback):

  • Numerous postings online have stated that by default, all versions of Vista automatically create shadow copies of your documents and other user data files and folders as part of the "System Restore" feature.


  • You can turn off "System Restore" to disable shadow copies, but it's a bit of throwing the baby out with the bath water. You see, "System Restore" allows you to roll back the clock on your system to an earlier (and hopefully more stable) state. This is incredibly useful whenever your Vista system experiences problems (such as after installing a problematic program, driver, or update, adverse registry changes, etc.). FYI, newer Apple operating systems offer a somewhat similar feature called "Time Machine".


  • By default, Vista allocates 15% of the drive's size or 30% of available free space, whichever is smaller, for storing this data. In Vista, Microsoft removed the nice slider control available in Windows XP, so changing its space allocation requires some arcane text commands with administrator privileges. Thus most users will just leave it as-is. On larger hard drives, this creates a fairly large backup cache. For instance, on a new 200GB hard drive, up to 30GB would be dedicated to storing these hidden backups. When the allocated space fills up, Vista deletes the oldest backups as needed to make room for the new ones.


  • However, only the Ultimate, Business, and Enterprise editions of Vista actually allow users to access and retrieve the hidden shadow copies via the "Previous Versions" feature in Windows Explorer.


  • This means the Vista Home Basic and Premium versions create these hidden shadow copies but do not provide any way for their users to access or retrieve them. This results in potentially large amounts of wasted disk space and additional data retention concerns. Perhaps Microsoft intended this as a teaser to entice Home users to upgrade to Vista Ultimate, but they really should have disabled shadow copies on those editions or alternately provided the "Previous Versions" feature to access and restore them as needed.


  • To help address these issues, Shadow Explorer is a free basic utility program (not affiliated with Microsoft) which allows users of the other Vista editions to access and restore these prior shadow copy backups. However, unlike "Previous Versions", it requires administrator privileges to run. (But see my caveat at the end of this post since it's a 0.1 release.)


  • Even Vista Ultimate, Business, and Enterprise users and IT departments may find Shadow Explorer of use. I've discovered firsthand that Vista's "Previous Versions" feature is dependent on a number of system and service prerequisites, and the lack of any one of them will disable the ability to access and restore these Previous Versions. For instance, disabling a drive's administrative share, certain Windows services, or networking settings can all disable the "Previous Versions" listing in Vista Ultimate even though the backups are still present on the drive.


  • Tip: If you have Norton Internet Security installed and have run its "Security Inspector", it may have reported and disabled several hidden administrative drive shares (such as C$) as security risks (which they are indeed). However, as mentioned above, these administrative shares are necessary for "Previous Versions" to function in Vista. So if you want to leave these shares disabled for better security, the Shadow Explorer utility program allows you to access and restore shadow backups even though Vista's own "Previous Versions" feature is disabled.

As you can easily surmise by now, Vista's Shadow Copy feature is a mixed bag. The above complexities and issues are partially caused by the fact that Microsoft elected to combine the Windows system file backup (System Restore) with the data file backup (Shadow Copies a/k/a Previous Versions). While an expedient choice, I would have greatly preferred having the additional option to turn off the users' data file Shadow Copies while allowing the System Restore to operate normally. Microsoft, are you listening?
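
The allocation rule above (15% of the volume or 30% of its free space, whichever is smaller) and the "arcane text commands" for changing it can be checked from a script. The following is an added example, not code from the original post or from Microsoft: it parses the text printed by `vssadmin list shadowstorage` (the sample below is constructed in that layout and may differ slightly from a given Vista build), compares each volume's cap with the default rule, and prints the `vssadmin resize shadowstorage` command an administrator would run from an elevated prompt to cap an oversized or unbounded allocation. The volume sizes are constructed too; on a real machine `shutil.disk_usage` supplies them.

```python
"""Audit Vista shadow-copy storage against the default allocation cap.

Added example, not taken from the original post or from Microsoft. Parses the
output layout of 'vssadmin list shadowstorage' (sample is constructed),
applies the default rule (15% of the volume or 30% of free space, whichever
is smaller) and builds the elevated-prompt resize command. Stdlib only.
"""
import re
import shutil
import sys

GB = 1024 ** 3
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": GB, "TB": 1024 ** 4}

# Constructed sample in the layout of 'vssadmin list shadowstorage' (GUIDs are placeholders).
SAMPLE_OUTPUT = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\\\?\\Volume{PLACEHOLDER-GUID-1}\\
   Shadow Copy Storage volume: (C:)\\\\?\\Volume{PLACEHOLDER-GUID-1}\\
   Used Shadow Copy Storage space: 12.4 GB (6%)
   Allocated Shadow Copy Storage space: 14.1 GB (7%)
   Maximum Shadow Copy Storage space: 30 GB (15%)

Shadow Copy Storage association
   For volume: (D:)\\\\?\\Volume{PLACEHOLDER-GUID-2}\\
   Shadow Copy Storage volume: (D:)\\\\?\\Volume{PLACEHOLDER-GUID-2}\\
   Used Shadow Copy Storage space: 0 B (0%)
   Allocated Shadow Copy Storage space: 0 B (0%)
   Maximum Shadow Copy Storage space: UNBOUNDED (100%)
"""

# Constructed (total, free) sizes in bytes for the two sample volumes.
SAMPLE_VOLUMES = {"C:": (200 * GB, 120 * GB), "D:": (500 * GB, 50 * GB)}


def parse_size(text):
    """'14.1 GB' -> bytes; 'UNBOUNDED' -> None (no cap at all)."""
    text = text.strip()
    if text.upper().startswith("UNBOUNDED"):
        return None
    m = re.match(r"([\d.]+)\s*([KMGT]?B)", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_shadow_storage(output):
    """Return one dict per 'Shadow Copy Storage association' block."""
    entries = []
    for block in output.split("Shadow Copy Storage association")[1:]:
        volume = re.search(r"For volume: \((\w:)\)", block).group(1)
        entry = {"volume": volume}
        for key, label in (("used", "Used"), ("allocated", "Allocated"),
                           ("maximum", "Maximum")):
            m = re.search(label + r" Shadow Copy Storage space: ([^(\r\n]+)", block)
            entry[key] = parse_size(m.group(1))
        entries.append(entry)
    return entries


def default_cap(volume_size, free_space):
    """Vista default: the smaller of 15% of the volume and 30% of its free space."""
    return min(volume_size * 15 // 100, free_space * 30 // 100)


def resize_command(volume, max_bytes):
    """The elevated-prompt command that sets the cap for one volume."""
    return "vssadmin resize shadowstorage /for=%s /on=%s /maxsize=%dMB" % (
        volume, volume, max_bytes // (1024 ** 2))


def audit(entries, volumes):
    """Compare each association with the default cap; return (volume, verdict, fix)."""
    report = []
    for e in entries:
        size, free = volumes[e["volume"]]
        cap = default_cap(size, free)
        if e["maximum"] is None:
            report.append((e["volume"], "UNBOUNDED: may consume all free space",
                           resize_command(e["volume"], cap)))
        elif e["maximum"] > cap:
            report.append((e["volume"], "above the default cap",
                           resize_command(e["volume"], cap)))
        else:
            report.append((e["volume"], "within the default cap", None))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real output saved with: vssadmin list shadowstorage > storage.txt
        text = open(sys.argv[1]).read()
        entries = parse_shadow_storage(text)
        volumes = {e["volume"]: (shutil.disk_usage(e["volume"] + "\\").total,
                                 shutil.disk_usage(e["volume"] + "\\").free) for e in entries}
    else:
        entries, volumes = parse_shadow_storage(SAMPLE_OUTPUT), SAMPLE_VOLUMES
    for volume, verdict, fix in audit(entries, volumes):
        print(volume, verdict, "->", fix or "no change needed")
```

On the constructed sample, C: stays within its 30 GB cap while D: is reported as unbounded with a suggested 15 GB cap (30% of its 50 GB free space). Shrinking the cap makes Vista discard the oldest shadow copies first, exactly as the bullet above describes for a full store.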

Organizations interested in migrating to Vista will need to explore these issues in more detail before crafting their security and group policies. I expect some will elect to disable System Restore altogether and rely upon other system restoration methods to address user support issues as they arise. Others may move user folders onto a separate disk partition or drive and simply turn off "System Protection" for that location. Such options may improve Vista's performance if it's not churning away saving hidden backup copies, and it's usually a good idea to separate documents from program files for a number of valid reasons.

So it's all the more puzzling to try to understand why Microsoft chose to disable access for Vista home users, as they are the ones most likely wanting to use and restore Shadow Copies. I seriously doubt informed businesses would want multiple hidden document versions floating around on their corporate laptops and desktops, particularly in light of numerous regulatory and litigation concerns.

Shadow Explorer Tutorials can be found at:
http://www.howtogeek.com/howto/windows-vista/recover-files-with-shadow-copies-on-any-version-of-windows-vista/
http://www.shadowexplorer.com/documentation/manual.html

Please keep in mind that Shadow Explorer is a very basic version 0.1 release. While it worked fine for me during my brief testing, it may contain bugs and other issues consistent with a new release. With that said, it provides an easy way to access, view, and restore the various shadow copies in Windows Vista. I applaud the author for providing such a useful tool, and for considering these additional planned features as it's developed further.

Topic(s):   Electronic Discovery  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

February 09, 2008

Word 2007 -- A Tale of Two Experts @ LegalTech NY

It was the best of times: While making my way through the vendor hall jungle at LegalTech NY, I had the pleasure of catching up with Donna Payne (Payne Group) and Sherry Kappel (Microsystems). I always find time to seek out these document technology savants, and this week's discussions were as helpful as ever.

My personal opinion is that Office 2007 is the clear winner from Microsoft this past year (definitively overshadowing Vista), and the massive improvements are well worth the office suite upgrade and third-party integration efforts. Sherry insightfully observed that with Word 2007's linked styles right out of the box, firms are likely going to need to pay even more attention, not less, to training and reinforcing solid style usage with their user base. As Sherry mentioned in a recent ILTA publication, if you're not automating your document practice, then how are you going to maintain your margins when your corporate clients demand a substantial rate cut? Also, she noted that the new XML format, while adding some needed document file stability, also adds a bit more complexity due to the XML intricacies.

Donna Payne and I had some techno-fun comparing and contrasting Word's built-in Document Inspector capabilities to a dedicated metadata scrubber such as Payne's Metadata Assistant. On one hand, it would seem that Word's built-in Document Inspector gets the job done. Both Donna and I have used it and found it to be effective, especially in a pinch where you're working on a simple document and just need a quick scrub before sending it off to someone. When you want to remove just about everything, it pretty much does the trick. But in comparing notes, we quickly agreed it has several fundamental weaknesses:

1) No Workflow: In other words, when using Word's Document Inspector, you have to remember to manually scrub and save the Word document before you start the e-mail process. Third-party scrubbers add the necessary workflow which allows you to scrub the file as part of the e-mail attachment process.

2) No Selective Scrubbing Within Each Category: For each of Word 2007's five scrubbing categories, it only offers you an "all or nothing" approach for the items in that particular category. There is no middle ground. So if you want to scrub only some of the document property fields, but keep a few like "Author" and "Title", you'll need to first remove all of that category's metadata, and then manually retype in the few you want to retain. And that's a bad thing, because you can lose useful or necessary metadata in the process if you're not careful.

So while we've seen very substantial improvements in Word 2007, firms and companies will still need to assess their overall practice workflow and specific scrubbing needs, and it will likely take third-party add-ins to more fully address them.
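
The "all or nothing" problem in item 2 comes down to how the document properties are stored: in the Word 2007 XML format they live in one part of the package, `docProps/core.xml`, so a scrubber can clear fields one at a time. The following is an added example, not code from the original post, from Microsoft, or from the Payne Group: it builds a minimal constructed .docx in memory, lists its core properties, then rewrites the package keeping only the fields you name (Author and Title here) and removing the rest. It handles only the document-properties category; comments, tracked changes and the other Document Inspector categories live in other parts of the package.

```python
"""Selective scrubbing of Word 2007 (.docx) core document properties.

Added example, not from the original post, Microsoft or any vendor. A .docx
is a zip package; the document properties category sits in docProps/core.xml,
so it can be cleared field by field instead of all or nothing. Stdlib only.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():  # keep Word's prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

CORE_PART = "docProps/core.xml"

# Constructed sample core.xml, shaped like what Word 2007 writes (values are made up).
SAMPLE_CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
    'xmlns:dcmitype="%(dcmitype)s" xmlns:xsi="%(xsi)s">'
    '<dc:title>Engagement Letter</dc:title>'
    '<dc:creator>J. Associate</dc:creator>'
    '<cp:lastModifiedBy>P. Partner</cp:lastModifiedBy>'
    '<cp:keywords>client-confidential draft</cp:keywords>'
    '<dc:description>Internal notes: revise fee clause</dc:description>'
    '<cp:revision>7</cp:revision>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2008-02-01T09:15:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2008-02-08T17:42:00Z</dcterms:modified>'
    '</cp:coreProperties>'
) % NS


def build_sample_docx():
    """Minimal constructed .docx package (a zip) carrying the sample core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr(CORE_PART, SAMPLE_CORE_XML)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return {local-name: text} for every core property in the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(CORE_PART))
    return {child.tag.split("}")[1]: (child.text or "") for child in root}


def scrub_core_properties(docx_bytes, keep=("creator", "title")):
    """Rewrite the package with every core property removed except those in `keep`.

    Timestamps and revision count go too unless listed in `keep`. A zip cannot be
    edited in place, so every other part is copied unchanged into a new package.
    Returns (new_docx_bytes, names_removed).
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read(CORE_PART))
    removed = []
    for child in list(root):
        name = child.tag.split("}")[1]
        if name not in keep:
            root.remove(child)
            removed.append(name)
    new_core = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_core if item.filename == CORE_PART else src.read(item.filename)
            dst.writestr(item, data)
    src.close()
    return out.getvalue(), removed


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_core_properties(original))
    cleaned, gone = scrub_core_properties(original, keep=("creator", "title"))
    print("after: ", read_core_properties(cleaned))
    print("removed:", gone)
```

The same `scrub_core_properties` call works on a real .docx read from disk; the point of the example is that keeping "Author" and "Title" while dropping last-modified-by, keywords and the description is a one-line policy choice rather than a retype-by-hand job.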

Topic(s):   Law Practice Management  |  Legal Technology  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

January 31, 2008

FeedDemon is Now Free -- Read Why

NewsGator is now giving away several of their RSS or news reader programs for free. These include FeedDemon, NetNewsWire, NewsGator Inbox, and NewsGator Go at the free download page.

Many of you know FeedDemon has been my preferred RSS reader since I started using it at least 4-5 years ago. I've also played around with other readers, both PC client and web-based, but kept going back to FeedDemon. I also chose FeedDemon as the best RSS reader or news aggregator for a prior Law Office Computing Shootout feature article. It packs a ton of useful features into a very intuitive, fast, and polished package. But rather than extol its many great features and advantages, MediaBlab has already done a fine job of that.

Lest ye think NewsGator is abandoning their client-based software programs, it's just the opposite according to Nick Bradbury, the programming genius behind FeedDemon. In a nutshell, they're making it free to expand their client software users. Why? Because we humble human beings seem to make an effective relevance engine. You see, when using one of these now-free NewsGator programs, it sends back information when one flags an article, saves a clipping, or e-mails it to a friend. By these simple actions, we're signifying that particular item was important or relevant. I'm quite reminded of how Google was founded upon ranking relevance via tracking a site's inbound links. Nick gets it.

All this aggregated information helps NewsGator determine which RSS feeds and articles are more relevant than others, and helps them "bubble it up" to the surface for their enterprise customers. That's where NewsGator is refocusing their efforts and attention. So in exchange for getting the software free, users help them by doing nothing more than they are already -- reading, flagging, searching, etc. As Nick says, "Your attention is valuable." Sounds very Web 2.0 to me.

To their credit, both Nick and NewsGator recognized that we're just a little concerned about our privacy. Nick covers that in his post, and points us to NewsGator's FAQ so we can decide for ourselves. Apparently, we can choose to disable the data collection and reporting mechanisms, albeit at the loss of features like data synchronization.

Also, since many of their enterprise customers use these very same programs, NewsGator appears to have a vested interest in keeping them updated rather than abandoning them.

I give them credit. In a very innovative way, they're providing value in offering a first-rate RSS reader for free and enabling us to see what news is popular with others. NewsGator is gaining value in return while being fairly transparent about it. Of course, the new free FeedDemon 2.6 specifically contains more "phone home" mechanisms for "attention reporting". While I would normally suggest staying with an earlier version for privacy reasons, if their FAQ is accurate and we can indeed disable those tracking and communication methods, then there's probably little harm. Besides, even if they could still track my RSS reading habits, there's nothing there that would make me miss any sleep. But I'd still hold them accountable so that all users have a clean choice.

I also really like Nick's attitude and customer focus in his other blog post:

"Sure, I enjoy making money as much as the next guy or gal, but I'm really doing this because it's fun. I like writing software, and I'm going to keep writing it until my fingers break off.

There's no point in creating software in a vacuum - you've got to make it useful, make it scratch an itch, for it to be truly rewarding. And to do that, you've got to listen. You've got to pay attention to what people are asking for and what they're complaining about.

So, regardless of whether you've paid for FeedDemon in the past or you're a new user now that it's free, I'm not going to stop listening. It wouldn't be fun otherwise."

Now there's an attitude I wish more software developers would fervently adopt!

Topic(s):   Blogging Tips  |  Privacy & Security  |  Trick or Treat
Posted by Jeff Beard   |   Permalink

November 27, 2007

Addressing Laptop Data Vulnerabilities

Law.com has an excellent article discussing several workable approaches for securing data on corporate laptops. A quick look at one list of data breaches illustrates how sensitive data continues to be compromised by unsecured storage on laptops.

It's a particularly savvy article because its first piece of advice is not to overreact and go overboard -- "Draconian laptop-use policies may, ironically, increase an enterprise's vulnerability." Consider that employees often respond by finding other ways of circumventing security to make their jobs easier, which usually means making the data more accessible (i.e., less secure). For instance, blocking file saves to the laptop's hard drive or limiting e-mail inbox sizes can result in employees saving the data to unsecured thumb drives or forwarding sensitive e-mail to personal e-mail accounts. Where there's a will, there's a way. EMC was quoted as opting for a more blended approach, depending on the sensitivity of the data.

Another interesting suggestion was full hard drive encryption, rather than just encrypting the documents folder. This is often a highly debated solution. In my experience, some IT professionals will quickly suggest that doing so will entail a performance hit on the user and cause additional support problems. I'd say that noticeable performance hits are more likely with older, slower laptops. If this presents serious problems, consider phasing in encryption or issuing new laptops to those accessing more sensitive data.

Also keep in mind that when you are working on a laptop, it is likely creating a number of temporary file copies on the hard drive, sometimes in places outside the document folders. Full drive encryption therefore provides more complete protection for these additional copies of sensitive data. Naturally, such a solution would need to be thoroughly tested to determine the real-world impact on users and the IT support organization. Another issue to consider is segregation of the master keys -- do you allow one person or group to have them, or do you segregate them between two entities within the organization to avoid unilateral and potentially undesirable actions? I liked the allusion to the missile silo two-operator requirement.
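
The "two-operator" idea for the master keys has a simple cryptographic form: split the key into two shares held by different groups, so that neither can act alone. The following is an added example, not code from the Law.com article or from any vendor's key management, showing the classic XOR secret split. One share by itself is a uniformly random string that says nothing about the key; only XORing both together recovers it. The 32-byte "master" key is a constructed stand-in.

```python
"""Two-person custody of a master key via XOR secret splitting.

Added example, not from the original article or any vendor's product. A key
is split into shares held by different custodians; all shares are needed to
rebuild it and any proper subset is statistically independent of the key.
Standard library only.
"""
import hashlib
import os


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, holders=2):
    """Split `key` into `holders` shares; every share is needed to rebuild it.

    All but the last share are fresh random strings; the last is chosen so the
    XOR of all shares equals the key. Any proper subset reveals nothing.
    """
    if holders < 2:
        raise ValueError("need at least two custodians")
    shares = [os.urandom(len(key)) for _ in range(holders - 1)]
    last = bytes(key)
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_key(shares):
    """Rebuild the key from the complete set of shares."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def fingerprint(key):
    """Short SHA-256 prefix so custodians can confirm a rebuild without revealing the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def single_share_is_consistent_with(share, candidate_key):
    """One share alone cannot rule any key out: for every candidate key there is a
    complementary share that would make that candidate the 'real' key."""
    complement = xor_bytes(share, candidate_key)
    return combine_key([share, complement]) == candidate_key


if __name__ == "__main__":
    master = os.urandom(32)  # constructed stand-in for a real recovery key
    it_share, security_share = split_key(master)
    print("master fingerprint :", fingerprint(master))
    print("rebuilt fingerprint:", fingerprint(combine_key([it_share, security_share])))
    print("one share fits an unrelated key equally well:",
          single_share_is_consistent_with(it_share, os.urandom(32)))
```

Two shares give the "both must turn their keys" property the article alludes to; if the organisation also needs to survive one custodian being unavailable, a threshold scheme (k of n) is the next step, which this plain XOR split does not provide.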

Removable storage continues to be a major concern, such as flash thumb drives and external hard drives. And let's not forget iPods, which are either the former or latter type of devices. On one hand, these drives are very useful tools for mobile users. When unsecured (e.g., unencrypted), they can represent a larger security threat due to their tiny physical size and increasing storage capacities. For example, an 8GB thumb drive goes for less than $100 and can store a staggering amount of information. The article mentions products that control which devices can be plugged into which computers, and the best ones allow exceptions to be set when needed. If thumb drives will be used and supported, I'd suggest issuing employees only those models which support high-end encryption, such as AES, and encrypting the drive's entire capacity before it's issued to the employee. While a savvy user will likely know how to reformat the thumb drive to make it unprotected, the default encryption status is in your favor for the majority of users.

Many new laptops have built-in fingerprint readers, which can make security a bit more convenient. But as the article states, users often forget a key step: Register more than one finger with the device, so if you cut or burn your primary finger, you can use another one to gain access via the reader. Also, without the back-end drive encryption, keep in mind that a fingerprint reader only locks the front door. There are other ways to get to the unencrypted data on the hard drive, such as removing it from the laptop and accessing it from another PC.

Lastly, the article mentions lojack services for laptops, which hopefully reduce their recovery time. However, once the horse is out of the barn, it's too late to employ any of the above security measures. An unprotected hard drive containing sensitive data can be copied very quickly to a number of storage devices. The data contained on missing laptops is often much more valuable and/or costly to an organization than the cost of the physical laptop itself. An ounce of prevention...

Topic(s):   Electronic Discovery  |  Mobile Tech & Gadgets  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

November 20, 2007

Test Your Phishing IQ

Think you can tell the difference between a legitimate and a phishing e-mail? Take the SonicWALL Phishing IQ Test, a collection of ten e-mail screens. Read the helpful hints before taking the test, as they explain the links displayed.

After you identify each e-mail as "Phishing" or "Legitimate", the final scoring page includes links to explanations. In each e-mail explanation, the comments in green relate to legitimate e-mail indicators, while the comments in red highlight why that item may be indicative of a phishing e-mail. Be forewarned that several e-mails took more than a cursory look to identify them properly -- which is exactly why phishing works.

I happened to score 9 out of 10. I took some issue with Question #5 as it's not a particularly valid test in this format for the following reasons: The links matched in the example, but the static screen capture prevented any further investigation of the underlying link -- i.e., the html source code of the e-mail was not accessible. Also, you would be able to confirm the last four numbers of your own credit card matched those in the e-mail. With that said, I very much agree that you cannot rely solely upon what is displayed in the status bar due to scripting tricks. The explanation for Question #5 also failed to mention the lack of a secure "https" link as another potential indicator. It's important to note this example was the most subtle of the ten in my opinion, and therefore more likely to succeed in "phooling" people.
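
The indicators discussed above (visible link text versus the real target, a missing "https", and scripting tricks that change what the status bar shows) can be checked mechanically when you have the HTML source rather than a screen capture. The following is an added example, not code from the original post or from SonicWALL: it parses the anchors in a constructed HTML e-mail and reports, for each link, which of those indicators it trips. The "registrable domain" comparison is a simple last-two-labels heuristic, not a public-suffix lookup.

```python
"""Heuristic review of the links in an HTML e-mail (defender's aid).

Added example, not part of the original post or the SonicWALL test. For each
anchor it checks: visible text host vs. real href host, https present, bare
IP targets, host outside the expected domain, and script handlers on the
anchor that could rewrite the status bar. Stdlib only; the e-mail is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail (no real institution or address).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your card ending in 4421.</p>
<a href="http://192.0.2.10/verify">https://www.examplebank.com/verify</a>
<a href="https://www.examplebank.com/statements"
   onmouseover="window.status='https://www.examplebank.com';return true">View statements</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://examplebank.com.login-check.example/">Secure login</a>
"""

SCRIPT_ATTRS = ("onmouseover", "onclick", "onmousedown")


class _LinkCollector(HTMLParser):
    """Collect href, visible text and script attributes of every <a>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": "", "text": "", "script_attrs": []}
            for name, value in attrs:
                if name == "href":
                    self._current["href"] = value or ""
                elif name in SCRIPT_ATTRS:
                    self._current["script_attrs"].append(name)

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Last two labels of a host (rough heuristic, not a public-suffix lookup)."""
    return ".".join(host.rsplit(".", 2)[-2:])


def assess_link(link, expected_domain=None):
    """Return a list of human-readable findings for one anchor (empty = clean)."""
    findings = []
    href, text = link["href"], link["text"]
    href_host = _host(href)
    if urlparse(href).scheme != "https":
        findings.append("not https")
    if _is_ip(href_host):
        findings.append("href points at a bare IP address")
    if re.match(r"^\w+://", text) and _host(text) != href_host:
        findings.append("visible text host %r differs from real host %r"
                        % (_host(text), href_host))
    if expected_domain and href_host and _registrable(href_host) != expected_domain:
        findings.append("real host %r is not under %r" % (href_host, expected_domain))
    if link["script_attrs"]:
        findings.append("anchor has script handlers: " + ", ".join(link["script_attrs"]))
    return findings


def review_email(html, expected_domain=None):
    """Parse the message and return [(visible_text, href, findings), ...]."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(l["text"], l["href"], assess_link(l, expected_domain)) for l in parser.links]


if __name__ == "__main__":
    for text, href, findings in review_email(SAMPLE_EMAIL_HTML, "examplebank.com"):
        print("%-40s -> %s" % (text, href))
        for f in findings or ["no indicators"]:
            print("    -", f)
```

On the constructed message only the "Help centre" link comes back clean; the first link trips the text-versus-target, http and bare-IP checks, the second is technically correct but carries an `onmouseover` handler, and the last hides an unrelated domain behind a familiar-looking prefix. None of these checks replaces reading the message with care, but they make the subtle cases, like Question #5 above, far harder to miss.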

Overall, it's a good test, and ten minutes of your time could help you avoid disclosing sensitive information online. On a personal note, it's good to see that Outlook 2007 has more features to help users in this regard. It's not perfect, of course, but it's definitely a step in the right direction. Every bit helps.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink

Browser Beware: Web 2.oh.oh?

As the web has become more feature-rich, new security exploits are popping up all over. CTO and Chief Researcher Roger Thompson over at Exploit Prevention Labs has posted half a dozen short videos showing how sites have been compromised or are otherwise serving up some bad content due to embedded advertisements.

The problem, as he aptly describes, is that most web traffic goes straight through your firewall. Some of the exploits use javascript to redirect to other sites. In another example, he shows how the Bank of India site was compromised to automatically download a frightening number of malware files simply by loading the web page in an unpatched browser. The scary part is that it was only detectable by running a separate debugger window -- meaning that the vast majority of web visitors wouldn't have seen anything amiss until it was far too late. He claims that anti-viral software isn't as effective in recognizing and stopping these types of exploits, and I tend to agree. (Please note I have not tried their LinkScanner Pro software, so this isn't an endorsement of that particular product.)

As the holiday season usually spurs a noticeable increase in spam, scams, and other exploits, remember to keep your PC and your information safe with updated patches, anti-spyware, ad blockers, etc. Also consider using a non-IE web browser, as IE's ActiveX helps to enable these drive-by downloads. However, keep in mind that using alternative browsers could still expose you to some risk when javascript is enabled. Indeed, many web pages nowadays won't load or perform properly with javascript turned off, so exploits such as these will continue to crop up. Also keep a keen eye on your web browser's status bar (usually in the bottom left corner) when mousing over links and while web pages are loading, as sometimes they may be your only clue that you may be visiting a "Web 2.oh.oh" site.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink

July 26, 2007

More on Vista Shadow Copies & the Dreaded Index.dat Files

As I posted previously, by default Windows Vista enables shadow copies in Vista Ultimate, Business, and Enterprise editions. Shadow copies aid in recovering prior versions of files and are part of Vista's system restore point protection (which was also included in XP). So, basically, it appears the only way for a user to turn off shadow copies is to disable the system restore point protection. The problem is that the system restore point feature is incredibly helpful in troubleshooting and curing a system's ills by rolling back Vista's system files to a previous point in time. This is especially useful after installing a problematic program, driver, or update. In effect, turning off shadow copies is throwing the baby out with the bath water. Nice going Microsoft. If there's a way for enterprises to set a Windows policy to disable shadow copies but keep system restore points active, that would be a good solution. However, I haven't come across that yet.

Now on to Index.dat files. Windows has used these for many years as a way to store data histories, such as your complete URL browsing history. Since these Index.dat files were always kept open by Windows, it took special utilities such as the Index.dat Suite to view their contents, and even better, delete them at bootup before Windows fully loaded. It seems Microsoft has been aware of the problem and has changed the way that Windows and IE work to better clear out the contents of these tell-all files. This blog post from the Windows Core Networking MSDN blog has a very detailed discussion of how WinInet's Index.dat files work under Vista, as well as this one about clearing tracks with IE7.

With e-discovery hot on everyone's plate with the new federal rules, these are additional reasons to have qualified and experienced professionals on your forensic team.

Topic(s):   Electronic Discovery  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

July 24, 2007

Windows Vista Security: Pros and Cons, Third Party Solutions Still Needed

Vista has a number of new security features, such as a two-way firewall, Windows Defender, UAC (User Account Control), BitLocker Drive Encryption, and more. These are certainly improvements over XP in terms of baking more security into Windows. My thoughts and experiences with them so far, along with recommendations for third-party security apps where needed:

Vista Firewall:
While Vista indeed comes with a two-way firewall, it's a mixed bag. While it blocks incoming requests (Windows XP does this too), it appears there's no easy way to configure Vista's firewall to block unauthorized outgoing communications (for example, spyware phoning home from your PC). A user would need to add blocking for each type of malware out there today, which as we know, numbers in the thousands. Not good, so I embarked on researching several of the Internet security suite products for easier and more robust protection, and posted my results below.

Windows Defender:
Windows Defender is basically the next generation of Microsoft's Windows AntiSpyware. For users who don't have any anti-spyware protection installed, this is certainly a step in the right direction. However, it's not an antivirus program. For that, you'd need to subscribe and pay for the Windows Live OneCare service, listing for $49.95/year on Microsoft's web site. The site lists OneCare's features as Antivirus, Antispyware, Anti-phishing, Firewall, Performance tune-ups, and Backup and Restore. It's interesting to note a number of these are already bundled in Vista, at least to some extent. Again, while I applaud Microsoft for offering additional security, they don't have a great track record in the security business, and I found several Internet security suites that were more mature and robust for roughly the same price. Also, I still like having Spybot Search and Destroy installed to catch anything the other solutions missed, and vice versa.

UAC (User Account Control):
First off, if you haven't heard of or seen Vista's UAC prompts, you absolutely must view this hilarious Apple TV commercial. For certain types of actions, Windows will prompt you to confirm whether you want them to run or not. It's annoying and productivity-sapping as you're basically issuing commands twice. The idea behind it is to prevent malware from doing something unauthorized on your PC. As the commercial mentions, you could turn it off, but then it wouldn't provide any alerts or protection. I've read that Microsoft is looking to make it less intrusive and annoying in the future. One could only hope.

New User Account Types:
Vista helps address one of the support problems with Windows XP -- standard user vs. administrative rights. Under XP, it was common to have to log into Windows as a system administrator to install programs, make system changes, troubleshoot, etc. With Vista, standard user accounts can be temporarily escalated to administrator privileges simply by typing in an administrator password when prompted. Granted, I seriously doubt that corporate enterprises will allow their users such privileges, but for home use, it's a great feature that eliminates a lot of user swapping and logins back and forth. It also allows me to work as a standard user with limited privileges for better security, while providing me temporary superpowers when needed.

BitLocker Drive Encryption:
Wouldn't it be nice to know that if someone stole my laptop, they couldn't get access to my confidential e-mails, documents, financial information, and more? Hard drive encryption was one of the reasons I wanted to purchase Vista Ultimate, as it's only available in Vista Enterprise and Ultimate editions (so don't expect it in any Home version nor the smaller business editions). With the staggering number of laptop thefts and inadvertent disclosures of confidential data and corporate data privacy debacles, this is a welcome addition to Windows. Just for "fun", take a look at the very long Privacy Rights Clearinghouse list of data breaches since 2005. In your browser, press CTRL-F and type "laptop" to find each occurrence involving a laptop computer breach. Scary, isn't it?

Sure, there are plenty of third party drive encryption products available, but it's nice to see one incorporated into the OS itself. I haven't tried it yet, and there is some drive preparation required. As I understand it, BitLocker needs to create two hard drive volumes. One is unencrypted for all of Vista's system files for better performance. The other is encrypted and contains all of the non-system files (including your data). FYI, Vista Ultimate users can download a free "Extra" via Windows Update that streamlines this preparation process and makes it more user-friendly. As I prefer to use Norton Ghost to back up Windows installations, I haven't enabled BitLocker until I know that Ghost can handle backing up and restoring these encrypted volumes. Symantec just released Ghost 12.0 for Vista compatibility, so I'll be checking up on its ability to handle BitLockered drives.

Data Execution Prevention (DEP):
Vista continues to support DEP as did WinXP SP2. Per Microsoft, Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In plain English, it prevents programs from running from memory marked for storing data, not programs. This is one way the system can stop malicious software exploits.

On my Toshiba laptop, I used SecurAble from Steve Gibson (of ShieldsUp! fame) to determine whether my new Core 2 Duo processor had hardware DEP capability and whether it was enabled. Sure enough, it had DEP, but Toshiba shipped the laptop with DEP disabled in the BIOS. After I enabled it, I have encountered a few instances where Windows closed Internet Explorer and other apps under DEP protection. As I have a clean system, I'm chalking these up to software bugs. As an educated guess, this is probably why Toshiba chose to leave it disabled -- fewer problems for users out of the box (but perhaps leaving them open for more problems down the road without hardware DEP protection). Most processors made in the past year or two support hardware DEP, which is preferable to the software-based DEP protection Vista will use if it doesn't detect it in the processor.

Why is DEP so important? I'll let Steve Gibson answer that by quoting from his site:

"Why would data or communications buffers ever contain executable code? . . . because so-called "Buffer Overrun" attacks are the predominant way Internet-connected computers have historically been remotely hacked and compromised. Hackers locate obscure software vulnerabilities which allow them to "overrun" the buffers with their own data. This tricks the computer into executing the hacker's supplied data (which is actually code) contained within that buffer. But if the operating system has marked that Internet communications buffer region of memory as only being valid for containing data and NOT code, the hacker's attack will never get started. Instead, the operating system will display a notice to the user that the vulnerable program is being terminated BEFORE any of the hacker's code has the chance to run.

The real beauty of this system is that it provides strong protection from UNKNOWN vulnerabilities in the system and user programs.

Anti-Virus and anti-malware software is useful, but as we know, virus signature files must be continually updated to keep A/V software aware of new threats. Significantly, A/V software is unable to protect against unknown viruses and malware intrusions because it searches for known malicious code rather than detecting and blocking potentially malicious behavior. Hardware DEP, on the other hand, when properly configured, hardens the entire system against both known and unknown vulnerabilities by detecting and preventing the behavior of code execution in data buffers.

Buffer overrun vulnerabilities are so difficult to prevent that scores of them are being found and exploited in operating system and application software every day. Taking advantage of modern processor XD/NX capabilities is a powerful way to fight back and prevent this most common class of Internet vulnerabilities."

Third-Party Internet Security Suites:
While Microsoft's emphasis on security is welcome, I have to say their security track record gave me great pause in relying exclusively on their solutions -- particularly when there are mature and tested security products available. For my new Vista laptop, I took a look at three leading Internet security suites from ZoneAlarm, Symantec (Norton), and McAfee. Only one met my definition of appropriate security features, ease of use, and system performance.

First off, Toshiba had preinstalled a 30-day trial of McAfee's Internet Security Suite. I've never been a big fan of McAfee's antivirus software, having seen first-hand some clunky performance and other issues in the past. Keeping an open mind, it was a good opportunity to see if they've corrected prior shortcomings. Sad to say, the new version only confirmed my concerns. Every time I used Outlook 2007 to send/receive e-mail, I saw my dual-core processors peg at 100% usage continuously. It literally brought my new Vista system to its knees. The entire system was running in extreme slow motion. At first I thought it was an Outlook problem, but the trusty Windows Task Manager pinpointed McAfee's e-mail proxy service as the culprit. Killing it fixed the problem. No, actually, spending several hours uninstalling, rebooting, and then manually removing all of the McAfee remnants in my system and registry fixed the problem. Even McAfee's special uninstaller from their web site didn't do a complete job. Let this be a lesson.

Next, I looked at both ZoneAlarm's and Norton's Internet security suite offerings. This took a bit more research, as both have produced excellent products in the past. ZoneAlarm has one of the best personal firewalls in the market, while Norton's Antivirus has never, ever, let me down. The ZoneAlarm suite now uses Kaspersky's highly-regarded antivirus, which brings it on par with Norton Antivirus. Previously, ZoneAlarm used CA's antivirus, a less impressive solution in my opinion. So how did they fare against each other in security features?

Like Norton, ZoneAlarm has a network and program firewall. However, ZoneAlarm has an added OS firewall, providing even greater protection at the operating system level. Score one for ZoneAlarm. Both provide full stealthing of ports. Both provide an option to block all traffic. ZoneAlarm provides a nice big red button for one-click blocking. Norton's "Block Traffic" feature requires you to perform several clicks and type an administrator password to confirm. Apparently they're taking lessons from Microsoft's UAC above, and this is bad. When you have an intrusion in either direction, you need to be able to kill all traffic quickly and easily, so ZoneAlarm easily wins this round for ease of use. Naturally, with Wi-Fi laptops, another easy way is to just turn off your Wi-Fi card, as many new laptops provide a handy off switch. Also, both suites provided anti-spyware, anti-phishing, rootkit, and wireless network protection, so those were a draw.

However, it's extremely critical to note that the ZoneAlarm Internet Security Suite for Vista is missing important features compared to their XP program. ZoneAlarm's Vista version lacks spy site blocking and blocking of confidential data. ZoneAlarm also lacks parental control, IM (instant messaging) protection, and ad blocking. ZoneAlarm's customer service explained that they were not included due to the fact that Vista and IE7 already include many of these features. While plausible, it did not excuse the most glaring omission of all: There was no adequate e-mail security. The Vista version of ZoneAlarm Internet Security Suite could not scan or repair e-mail attachments, quarantine them, or block infected outgoing messages. This was the tipping point for me.

As spam and e-mail attachments continue to be critical security threats, I opted for the excellent e-mail antivirus protection Norton provided. While the Norton Internet Security suites from 2005 and 2006 received a lot of negative feedback for being bloated and slow in scanning, the new NIS 2007 suite has been mostly recoded from the ground up. Increased scanning speed performance and reduced CPU usage were two of their main goals, and it shows. The installation went flawlessly, as did the initial scans and live updates. As for configuration, it was mostly automatic. By default, Norton Antivirus ignores all low-risk items, not something I like to see in a security program. It can be changed to prompt the user for those items, which I heartily recommend.

As further justification, I recently perused a copy of Windows Vista Magazine while killing time in an airport. They reviewed something like the top 7-8 Internet security suites including Norton, ZoneAlarm, and McAfee. They also concluded that Norton Internet Security 2007 was the top pick. While no suite is perfect, I've always liked the die-hard protection that Norton provides with virtually no false positives, easy updating of both programs and virus definitions alike, and that it just plain works. On the downside, if you should encounter a problem, Norton's customer service and support isn't what it used to be, and they tend to force you to buy new versions instead of solving problems with their installed user base. Something to consider if you aren't a power user.

FYI, Symantec has also just released Norton 360, an even more comprehensive suite that provides backup and performance tuning features in addition to the security features. While it sounds nice, all these additional features just seemed reminiscent of Norton SystemWorks -- a fairly bloated, invasive, and problematic suite for many users, and one which I strongly recommended against to friends and colleagues. Frankly, I just needed the Norton Internet Security suite features, and didn't want to overload my new Vista system with potential bloatware. Norton 360 may indeed prove to be a valuable package, but I emphasize the word, "prove", before recommending it.

Concluding Thoughts:
As you can see, Microsoft has beefed up security in Vista and IE7 to some extent. How effective these new features are, well, that remains to be seen. I still recommend installing a separate security suite with good firewall, antivirus, anti-spyware, and other features to more fully protect your system. Yes, they cost a little more, but they're worth it.

BitLocker hard drive encryption sounds promising. As faster dual- and quad-core processors and faster hybrid hard drives (those with added flash memory) hit the market, we may indeed see a mobile data security solution with reduced performance lag. For once, I'd love to read this headline: "Laptop with Critical Data Stolen -- Encryption Saved Company, Customers, and Employees From Yet Another Identity Theft and Data Privacy Fiasco." However, I have to wonder why Microsoft omitted BitLocker from other Vista versions that will obviously be installed on business and personal laptops. It just seems to lessen their stance on security by making it subordinate to profitability.

Overall, I like the attention on added security. I think that over time, with additional service packs and updates, Vista will surpass XP's popularity -- particularly as newer and faster hardware will put its performance on par with XP.

Topic(s):   Feature Articles  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

April 05, 2007

On the Ball with Vista

Thanks to Dennis Kennedy commenting on my last post, I came across the link to Craig Ball's Vista overview. As usual, Craig does a great job of walking the uninitiated through Vista's enhancements and their impact on EDD. Of course, Craig left me feeling like I just took a trip through Willy Wonka's Chocolate Factory with a rockin' Stones soundtrack. (Did you really want to know what the Vista Oompa Loompas are doing with your data?)

I also mention it since it supplements my comment about considering encryption pros and cons. He introduces the new BitLocker encryption in Vista's Enterprise and Ultimate editions and the challenges it presents.

Topic(s):   Electronic Discovery  |  Legal Technology  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

April 01, 2007

Vista Shadow Copies -- Helpful to Users, Even More to EDD Recovery?

Microsoft has billed Vista as their most secure operating system to date. However, there's a little-known feature that could cause some data security concerns. Amidst the flurry over EDD and the new rules, Microsoft included a feature in certain versions of Windows Vista that may aid in recovering prior versions of files.

From Microsoft's Vista site:

Have you ever accidentally saved over a file you were working on? Accidental file deletion or modification is a common cause of data loss. Windows Vista includes a useful innovation to help you protect your data: Shadow Copy. Available in the Ultimate, Business, and Enterprise editions of Windows Vista, this feature automatically creates point-in-time copies of files as you work, so you can quickly and easily retrieve versions of a document you may have accidentally deleted. Shadow copy is automatically turned on in Windows Vista and creates copies on a scheduled basis of files that have changed [...] It works on single files as well as whole folders.

Very helpful indeed. There have been a number of occasions over the years when I've accidentally replaced a file when I should have saved it as new one with a different file name. We've all been there.

However, now consider the difficulty in trying to rid a system of shadow copies for legitimate security and confidentiality concerns. A laptop user may need to work on a confidential file while traveling. Since laptops are easily stolen, accidentally left behind, etc., it may be desirable to wipe the file later to maintain security and confidentiality. Consider some of the recent news stories covering thefts of laptops containing considerable amounts of personal data. It's a good bet that most file wiping utilities can't handle wiping the Vista shadow copies, at least not yet anyway.

Note that Shadow Copy is enabled by default in Vista Ultimate, Business, and Enterprise editions. So if data security and confidentiality take priority over file recovery, organizations should consider disabling this feature in their Vista rollouts. On-the-fly encryption is another consideration, recognizing it has pros and cons as well.
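As an added example (not code from the original post or from Microsoft), here is a PowerShell audit an administrator could run before deciding whether to disable the feature: it lists which volumes currently hold shadow copies, how many and how old, and flags the volume holding user profiles, since that is where retained copies of confidential documents would live. It assumes an elevated session and the standard Win32_ShadowCopy and Win32_Volume WMI classes; "vssadmin list shadows" is the command-line equivalent.

```powershell
# Added example, not from the original post. Audits Volume Shadow Copies
# ("Previous Versions") per volume on a Vista-era Windows machine.
# Assumptions: elevated PowerShell session; Win32_ShadowCopy and Win32_Volume
# are the standard WMI classes (same data as "vssadmin list shadows").

function Get-ShadowCopyAudit {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readability.
    $letterByDevice = @{}
    foreach ($vol in Get-WmiObject -Class Win32_Volume) {
        if ($vol.DriveLetter) { $letterByDevice[$vol.DeviceID] = $vol.DriveLetter }
    }

    # The drive holding user profiles (normally the system drive on Vista).
    $profileDrive = Split-Path -Qualifier $env:USERPROFILE

    # Group shadow copies by volume, tracking count and oldest/newest timestamps.
    $byVolume = @{}
    foreach ($sc in Get-WmiObject -Class Win32_ShadowCopy) {
        $letter = $letterByDevice[$sc.VolumeName]
        if (-not $letter) { $letter = $sc.VolumeName }   # volume without a letter
        $when = $sc.ConvertToDateTime($sc.InstallDate)

        if (-not $byVolume.ContainsKey($letter)) {
            # "Copies" rather than "Count": Count is a built-in hashtable property.
            $byVolume[$letter] = @{ Copies = 0; Oldest = $when; Newest = $when }
        }
        $entry = $byVolume[$letter]
        $entry.Copies++
        if ($when -lt $entry.Oldest) { $entry.Oldest = $when }
        if ($when -gt $entry.Newest) { $entry.Newest = $when }
    }

    foreach ($letter in $byVolume.Keys) {
        $entry = $byVolume[$letter]
        New-Object PSObject |
            Add-Member -PassThru NoteProperty Volume            $letter |
            Add-Member -PassThru NoteProperty ShadowCopies      $entry.Copies |
            Add-Member -PassThru NoteProperty Oldest            $entry.Oldest |
            Add-Member -PassThru NoteProperty Newest            $entry.Newest |
            Add-Member -PassThru NoteProperty HoldsUserProfiles ($letter -eq $profileDrive)
    }
}

# A volume flagged HoldsUserProfiles with a non-zero count still retains earlier
# versions of documents even after the live file has been wiped; review those first.
Get-ShadowCopyAudit | Sort-Object HoldsUserProfiles -Descending | Format-Table -AutoSize
```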

[P.S. Seeing as I'm posting this on April 1st, I thought I'd emphasize this information was gathered directly from Microsoft's site. Also, Ars Technica has a post on this from as far back as last summer. Now if you're looking for an April Fools gag, Google got their hands dirty this year with Google's TiSP Beta. More on the gag at USA Today.]

Topic(s):   Electronic Discovery  |  Legal Technology  |  Privacy & Security
Posted by Jeff Beard   |   Permalink

April 18, 2006

NextGen Security Threats

News.com has an interesting article on what the next security threats may be. Botnets and phishing are featured prominently, as intruders are becoming more interested in the money angle than just seeing if they can cause some mischief.

In another News.com article, rootkits are on the rise per McAfee.

Frankly, I was expecting something much sexier and well, "nextgen". However, I think stealthier, and thus perhaps more persistent, system level intrusions will be the norm for a while, as remote manipulations provide very powerful and useful tools.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

April 10, 2006

iPod Used as an Identity Theft Cache -- Only the Beginning

The San Francisco Chronicle reported yet another use for iPods: storing lots of stolen identity-related information. iPod users have known for quite some time that they can be used as portable storage for computer files, just like a thumb drive. Perhaps more troubling than a criminal using it that way is that the San Francisco police sounded surprised and considered this novel -- and that was the fraud division. They got their man through a sting operation, though, and I'm glad to hear it given the details of the identity thefts and other crimes perpetrated.

But it underscores the need for law enforcement and security professionals to consider new uses for everyday tech tools and gadgets, especially when theft of data with iPods is nothing new. As the Tech Law Prof Blog correctly pointed out on this issue, at least four years ago we learned that one could walk up to demo Macs in stores, plug in an iPod, and copy entire software programs for use on other Macs. I remember reading about this on Wired.com ("Have iPod, Will Secretly Bootleg") at the time. So why is this considered something "new"?

With all due respect to our police departments (I mean that sincerely), it sounds like they would benefit from a "Tech Culture 101"-type class. Give them some freebies to go play with -- iPods, thumb drives, camera phones, Treos, BlackBerries, Bluetooth devices, digital cameras, flash cards, etc. Show them how they work, how they capture, store, and transfer information, and perhaps most importantly, how easy it is to hide information on them "in plain sight". I hate to say this, but "you gotta think like a teen".

For example, it would not surprise me to hear one day very soon that someone was caught smuggling confidential information on one of the tiny flash cards inserted into innocuous-looking devices like a cell phone or a PSP (PlayStation Portable). In fact, the PSP is quite a useful computer in its own right, well beyond playing games. Heck, you can already remotely control your home with it, not to mention all of these cool uses. Sony is also empowering it with the LocationFree console to stream all kinds of digital media to your PSP at any hotspot.

There's also a new project for porting Linux over to the PSP. As any hacker knows, once you've got Linux running on a capable device with Wi-Fi (yup, it's a Wi-Fi Finder too). . . well, it doesn't take much imagination, does it? Now that makes toting stolen info on your iPod très passé.

Topic(s):   Electronic Discovery  |  Mobile Tech & Gadgets  |  Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

April 08, 2006

Why IP Phones (VOIP) Need Encryption

On Wired News, crypto expert Bruce Schneier sums up why encryption is a necessary ingredient for VOIP usage. Here's why I'd want crypto for any VOIP solution, but I'd want it baked in as a seamless function:

I use a cable provider for Internet access, which is simply described as a neighborhood network. Although it would take some skill, who wants their neighbors to be able to listen in?

Think the Government isn't listening in? Think again.

Just as importantly, sometimes I provide confidential information over the phone, such as a credit card number or my SSN -- many times when I'm asked to verify my identity. You know where I'm going with this -- criminal activity and identity theft. Bruce agrees. Organized crime has simply gone high tech, although a single hacker can also do a lot of damage with identity theft.

Per Schneier: "My greatest worry is the criminal attacks. We already have seen how clever criminals have become over the past several years at stealing account information and personal data. I can imagine them eavesdropping on attorneys, looking for information with which to blackmail people. I can imagine them eavesdropping on bankers, looking for inside information with which to make stock purchases. I can imagine them stealing account information, hijacking telephone calls, committing identity theft. On the business side, I can see them engaging in industrial espionage and stealing trade secrets. In short, I can imagine them doing all the things they could never have done with the traditional telephone network.

This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP."

Now, as Bruce said later in the article, it's important to recognize that crypto is not a panacea. I'm guessing it probably won't stop SPIT (SPam over Internet Telephony) should it become a larger concern. But it could make it that much harder for someone to eavesdrop, which is both a deterrent and an incentive to go after easier targets. Just as long as it's not just encryption for encryption's sake.

Along those lines, Phil Zimmermann (of PGP fame) has just released the public beta of Zfone, an encryption tool for VOIP. I used PGP for e-mail back in the 90's. While effective for use with a small number of people willing to configure and learn it, it was just too burdensome for many others. While I applaud Phil's efforts, it will be interesting to see if Zfone will be easier to use and ultimately be adopted. Regardless, consumer-facing VOIP still needs shoring up in the security department, beyond encryption, but still has to remain easy to use.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

April 02, 2006

Jigsaw & Web 2.0: The Return of Privacy Concerns

As a market trend, Web 2.0 has been getting a lot of buzz, particularly on the social networking slant. Voluntary social networks such as LinkedIn have enjoyed a lot of success (at least in mindshare and user volume, anyway). I've long considered blogging to be a form of networking, and of course Wikis too, especially in the collaboration department.

While Web 2.0 is many different things to many people, one could say that social networking and collaboration are rivers that run straight through it. The main idea has merit: Lots of people contributing their individual knowledge to the whole to create something bigger and more useful than just the sum of its parts. Sounds great, doesn't it?

But just like Web 1.0 in the 90's, along comes something that gives one pause as to what direction the Brave New World will take. Back then, it was emerging privacy concerns from web usage tracking, and plans to link online and offline activities and data (DoubleClick, anyone?). For better and worse, Commercialism invaded the pure collaborative energy of the Net, and things began to take off in a different direction. Spambots, adware, spyware, and other controversial technologies came into existence and changed our online experience, probably for a long, long time.

Most recently, Jigsaw seems fated to play the role of the privacy heavy. The WiredGC's post, "Hold on to Your Business Card", links to TechCrunch ("Jigsaw is a Really, Really Bad Idea") to get recovering attorney Michael Arrington's savvy take on it. Adding my own opinion, that makes three technically-inclined and informed attorneys who think this is a bad idea. The posted comments at TechCrunch are also a good read.

Basically, people are being paid $1 per business contact they upload into Jigsaw's online database, whether the referenced individual likes it or not. This service aims to provide salespeople, recruiters, and marketers with inside contact information they can't obtain (or as easily obtain) elsewhere. The tagline on the home page states, "Buy, Sell and Trade Business Contacts".

While one can easily see the value proposition, thus far it sounds like there is no way for a person to delete their originally-uploaded information. One can only annotate it, and that's a big difference. This lack of an "Opt Out" mechanism runs counter to commonly accepted data privacy principles. One could also dive into a discussion about the business ethics and why an "end justifies the means" rationale is usually a slippery slope. I note with mixed feelings that I found my contact information in their database, and if given the option, I'd probably remove it. Again, most of the comments posted at TechCrunch were resoundingly negative.

Thus if Jigsaw wants to play in the Web 2.0 sandbox for more than a brief stint, I seriously suggest they learn to play nice with others' data. Public opinion, particularly in the blogosphere, can make or break a startup, and it would be unwise for them to ignore this reality, even if this generates a "buzz". To me, Web 2.0 is about voluntary collaboration. I could see where some may want their business contact information available, say for new business development opportunities or recruitment. Others may view it much more darkly, and that's their prerogative. For a good discussion of these issues, see Release 1.0's article "Anti-Social Networking", which interestingly I found linked on Jigsaw's site.

In my mind, Jigsaw needs to better sort out the puzzle they've created, and fairly soon. They need to better balance the competing interests. Most importantly, providing an easy and visible Opt Out option should ease some of the tensions and perhaps build back some of the lost goodwill and integrity. Even better: Send an e-mail notification to each person when their contact information has been uploaded to Jigsaw, and give them the option to correct or delete the information. Then Jigsaw could truly boast they have the most accurate information, since the contacts themselves would correct it. Now that sounds much more like Web 2.0 to me.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (2)

March 18, 2006

Enhancing Mobile Security - Feature Article

Organizations usually focus more heavily on protecting the castle by fortifying its defenses. However, mobile technology security can be a bit more challenging, in no small part due to the plethora and complexity of devices, user mobility, and increased risks outside the firewall. Sometimes it doesn't receive as much attention, or perhaps is perceived as less securable. Thus I've recently written a feature article on effective mobile security techniques, strategies, and policies, entitled "Enhancing Mobile Security". The downloadable PDF is compatible with Acrobat 5 or higher.

This was originally published as the cover feature in the February/March 2006 issue of Law Office Computing. I am greatly honored by Amanda Flatten, LOC's Editor and Publisher, for granting me permission to publish it here. Amanda, you're the best. If you're in the legal field and have any interest in improving your practice via savvy use of technology and keeping abreast of new developments, then I highly recommend a subscription to LOC.

Topic(s):   Feature Articles  |  Law Practice Management  |  Legal Technology  |  Mobile Tech & Gadgets  |  Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

March 11, 2006

80 Super Security Tips

PC Magazine has done the world of average PC users a favor by publishing 80 Super Security Tips in fairly understandable language. While it was published some time ago, it's still darn good advice that's actually usable -- besides, where else are you going to find 80 very good security tips in one place that isn't a load of geek-speak?

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

February 19, 2006

New Google Desktop: Configure It Carefully, or Forget It

I've been meaning to post this: That's the warning from the EFF, as reported in The Register. I know many people think Google Desktop is the coolest thing for personal info management, but I've previously posted my concerns here. It just keeps getting more complicated for maintaining control over your personal data, unless you are very committed to learning exactly what the software does and knowing what escapes out through your firewall.

Thus one should question using a number of these free tools. It's not paranoia when others have confirmed it. If you do, then in addition to the configuration suggestions, see if you can configure your software firewall to block all its traffic requests, particularly outgoing traffic to try to limit its phone home capabilities. If you don't have a firewall that can block outgoing traffic by software program, get one, pronto. It never hurts to add a second layer of protection, but don't rely on any single precaution as absolute.

It also makes me wonder about the effect on client confidentiality when used on a PC with access to sensitive documents and other data. Even if the privilege isn't waived, if one is representing a client with questionable or confidential activities, then you aren't exactly helping to keep them confidential with tools such as this, right? It's a bit difficult to unring the bell, food for thought. Not professing any legal advice, just good old-fashioned common sense. Let's be careful out there.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

January 15, 2006

Anonymous Online Annoyances Outlawed?

You may want to read this CNet News.com editorial, as this post will make more sense if you do:

Perspective: Create an e-annoyance, go to jail
By Declan McCullagh
Published: January 9, 2006, 4:00 AM PST

From the article:

"Annoying someone via the Internet is now a federal crime.

It's no joke. Last Thursday, President Bush signed into law a prohibition on posting annoying Web messages or sending annoying e-mail messages without disclosing your true identity.

In other words, it's OK to flame someone on a mailing list or in a blog as long as you do it under your real name. Thank Congress for small favors, I guess."

Note there's apparently a mens rea or intent component. Otherwise, this would end up as yet another anti-spam law (who doesn't find spam quite annoying?). One thought occurred to me about anonymous blogging: What if something is posted anonymously that others may find annoying?

Even if the blogger is ultimately proven innocent, one could still be charged and would have to defend against it to show there was a different intent. I've always thought anonymous blogging was a fairly bad idea -- it's only a matter of time before your identity is discovered, and you'd be instantly accountable for all of your online remarks (just ask the recently unveiled "Underneath Their Robes" blogger, who was, ironically, a federal prosecutor). This could also put a serious chill on free speech, as there could be very good reasons why someone would want to post anonymously for fear of reprisal. Yes, there is prosecutorial discretion, but how well does that spell out the boundaries for us?

Here's a much more common occurrence I see nearly every day, especially in online forums and comment sections: Flame wars or biting remarks directed to another poster, usually resulting in a long, drawn out thread comprising numerous posts (i.e., not just a single passing flame). Many times they are the result of miscommunication and/or different perspectives, some are emotional knee-jerks, but others are just downright nasty. In many forums, participants use screen names, nicknames, aliases, etc. to protect their identity for legitimate reasons. Heck, many people don't post their real e-mail address just so they won't be spammed by spam bots. Will this become the anti-flame law? The "Let's just all get along online" law?

Yes, some cases of online harassment will likely be quite clear due to the pattern, number of incidents, content, etc. In others, well, it's rather like the old Tootsie Pop commercial: How many biting retorts does it take to get to the center of intent? Don't get me wrong, as I've received an e-mail or two from people who related an online harassment incident -- it's scary and it's real, and they would likely be the first to applaud such a law if it did them any good to prevent cyberstalking and harassment. Thus I like the underlying idea, which seems to mirror the telephone harassment laws, but where does one draw the line?

It also doesn't bode well when a law has to be piggybacked on another bill politically, just so no one would shoot it down. One wonders: how well would it have stood on its own? So despite perhaps some good intentions (pardon the pun), I think this is yet another Internet-related law that will be challenged on Constitutional and other grounds. I think I'll stick with the age-old parental advice, "If you can't say anything nice..."

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

January 02, 2006

Mighell on Metadata and User Error

Tom Mighell has a great reference post on Inter Alia that links to several informative metadata articles, including discussions of ineffective PDF redactions. Be sure to check out the comments following the Washington Post article, as it features an interesting post by none other than the metadata diva, Donna Payne.

Topic(s):   Electronic Discovery  |  Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

December 07, 2005

IE Flaw + Lax Google Desktop Security = Very Fast Phishing

Now here's a very clever hack, using your own software tools against you:

Phishing with Google Desktop
The Register
Published Saturday 3rd December 2005 01:24 GMT

IE flaw lets intruders into Google Desktop
CNET News.com
Published on ZDNet News: December 2, 2005, 1:31 PM PT

From CNET:

"This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon wrote in his description of the attack method. He crafted a Web page that--when viewed in IE on a computer with Google Desktop installed--uses the search tool and returns results for the query "password."

The security researcher who found it is recommending the use of alternative browsers, such as Firefox and Opera, to be safe. Until a patch is developed, you may not want to use IE if you have Google Desktop installed. At least be very careful about which sites you visit, as the exploit requires a specially crafted web page.

From the articles, the flaw is definitely in IE, but Google isn't above reproach: The Register reports, "The weight of responsibility for this flaw falls on Microsoft. But Google shares some blame too, for failing to take the integrity of your personal data seriously." "...this particular flaw wouldn't have been possible without careless programming by Google, which amazingly, fails to obey the Google Desktop security model on its own site."

Of course, other search phrases are possible. Call me a rebel, but it's times like these I'm thankful I've resisted the strong urge to install some of these free goodies, for exactly the privacy and security concerns that have abounded since a number of free desktop enhancement tools have been released in recent years. Yes, it's mainly an IE flaw, and desktop productivity software has its uses, but I've always thought it a good idea to be a bit leery of anything that wants full access to all my personal files and e-mails and is Internet-enabled. Today, it's IE and Google Desktop. Tomorrow, it'll be something else, but I guess that's what keeps it interesting.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

October 09, 2005

Public PCs Expose Confidential Information

Here's something to consider before you use a "convenience" PC at an airport, hotel, or other public place:

"Airport PCs stuffed with meaty goodness"
The Register, Sept. 25, 2005

Even if you just use a public PC to check e-mail, at the minimum you're probably risking the following (particularly as the average user doesn't clean up their information afterwards):

  • Leaving behind a cached copy of e-mail messages.
  • Unopened attachments are iffy, depending on the e-mail client's method for working with attachments -- but if you open one, there's very likely a local copy left behind.
  • Having a keylogger or other piece of malware record your login name and password, and anything else you've typed on that PC, including e-mail replies. These types of programs often transit this information to another web site or server via the Internet.
  • Even if no malware is present on the PC, you may still be leaving cached copies of this information, as well as cookies, completed web forms, etc.
The best advice is not to use public PCs at all. Use your own. But if you absolutely must use a public computer:
  • Assume the PC is not safe, and has already been compromised.
  • Assume everything you access from that PC will be compromised in some fashion from tracking your actions, so only access the minimum necessary.
  • Assume installed keyloggers will record and transmit everything you type, including e-mail replies, login names, and passwords, so exercise extreme caution (general web surfing to open sites is okay).
  • Remember that encryption (e.g., VPN) isn't much protection if your keystrokes are recorded.
  • Learn how to properly clean up after yourself, which includes:
    • Clearing the web browser's multiple caches for web pages, passwords, forms, history, cookies, and other information But clearing these items can't unring the bell if a keylogger was installed, as your information is now in another's hands -- clearing these items just helps prevent later users from accessing the information from the PC.
    • Deleting files and emptying the Trash or Recycle Bins (but remember, deleted files can recovered using special programs)
  • As soon as you gain access to a secure PC afterward, change your passwords.
Thus I still like Kim Komando's article, "Danger, danger: 5 tips for using a public PC", also good advice.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

September 21, 2005

Opera Browser: Now Free & Why You Should Care

The Opera 8.5 web browser just became free, offered without the ads. As Opera's site is fairly scarce on details, BetaNews and CNet provide a few more tidbits as to why Opera is now offered without ads, licensing fees, or registration. (Premium support is still available at $29 per year.)

Interestingly, the timing could be fortuitous, given this CNet article published two days ago: "Symantec: Mozilla browsers more vulnerable than IE". (Yes, that's not a misprint.)

According to CNet's summary of Symantec's Internet Security Threat Report, "25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, 'the most of any browser studied,' the report's authors stated. Eighteen of these flaws were classified as high severity. 'During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,' the report noted." [...] "There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor."

With this said, Symantec adds that only IE has experienced "widespread exploitation" so far, but "expects this to change as alternative browsers become increasingly widely deployed." In other words, IE is just more squarely within hackers' sights -- at the moment.

The article goes on to cover the Secunia statistics for the browsers. Secunia is a well-known security monitoring company that tracks security issues of various applications. Just to provide a more apples-to-apples comparison between IE, Mozilla, and Opera, I looked up the latest version of each browser to see how many Secunia "advisories" (i.e., security risks, exploits, etc.) were reported for each. As of today, Opera indeed appears to fare the best among the three, and Mozilla doesn't look so bad with just a few outstanding issues (although "none" would be better):

Total Secunia Advisories (I believe these are cumulative):

IE 6.x: 85
Mozilla Firefox 1.x: 23
Opera 8.x: 8

Total Unpatched Secunia Advisories (these are the ones to worry about):

IE 6.x: 19
Mozilla Firefox 1.x: 4
Opera 8.x: 0

Over the past several years, I haven't been a big fan nor user of Opera, namely for these reasons: I don't like ads or anything remotely related to adware, nor did I want to pay for a web browser when good free alternatives existed. Also, some web sites didn't display properly in Opera (although the same could easily be said for Mozilla-based browsers as well).

However, given that Opera is on version 8.5 and was more commercially developed compared to Mozilla's open source efforts, one could make a very good argument that it's more mature and has more built-in features. Mozilla requires many third-party plug-ins to achieve its functionality. One area in which I've always thought Opera was a leader is its mouse gestures for quick navigation -- a great feature that, once mastered, you won't want to use a browser without. And, as a market trailer, it's far less likely that hackers would find any meaningful return in their efforts to exploit it. That could change now that it's free, as there's a lot to like.

Is it too late for Opera to compete in the browser wars? Hard to say. Fairly recent surveys show people are much more aware of security issues relating to Internet use (adware, spyware, browsers, spam, phishing, etc.). People like choices. People like free choices even more, especially if it's a good product and the pain to change over from a competitor is fairly low. I do think that by now, most people have "settled in" with their browser of choice, and don't want to migrate their bookmarks/favorites yet again. However, there are many who always want to try the latest and greatest, and I have no doubt they are already downloading Opera, willing to give it a whirl.

After Microsoft has dominated the browser scene for so long (amazing considering its lack of releases to keep pace), it's nice to see the pendulum swinging back the other way.

Topic(s):   Privacy & Security  |  Web Wizardry
Posted by Jeff Beard   |   Permalink  |  Comments (0)

August 19, 2005

Zotob & Security Best Practices

With the rapid spread of the Zotob virus and its variants this week, I thought I'd direct others to my comprehensive article on making your personal wireless network more secure: "Wireless Networking Best Practices: Version 2.0".

Why? Because the vast majority of home and SOHO (Small Office/Home Office) wireless networks are notoriously insecure by many estimates. The tips contained in this article provide critical defenses to the techniques and mechanisms used by Zotob and its variants.

By some reports, even if your version of the Windows OS cannot be infected by Zotob, the virus may still run on it as a host. This effectively turns your PC into the electronic equivalent of Typhoid Mary, so it can seek out and infect other unprotected PCs.

Please also note the article's section on disabling the UPnP (Universal Plug 'n' Play) feature of your router. UPnP is the main exploit used by Zotob. A year ago, I stated: "UPnP is used for some devices like the Xbox game system. If you don't have a UPnP device, then make sure it's disabled. Otherwise, it's another potential security hole for your network." For instance, I noticed that some versions of Linksys' wireless router firmware left the UPnP feature enabled by default where previous versions had it disabled. This, in my opinion, was a bad decision by Linksys. Leaving UPnP enabled in the router may have been required for gaining the Microsoft Xbox certification. However, it's still a really bad security decision considering that many people using those routers don't have an Xbox or use the UPnP feature.
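Flipping the UPnP switch in the router's admin pages is only half the job; you also want to confirm the router has really stopped answering UPnP discovery on the LAN. As an added example (my own, not from the original article or any router vendor), the following Python 3 script sends the standard SSDP search for an Internet Gateway Device and reports whoever replies; the sample reply it parses is constructed, and the 192.168.1.1 address in it is a placeholder.

```python
# Added example (not from the original post): a LAN-side check that a router
# really stops advertising UPnP once the feature is disabled in its settings.
# Assumes a typical home LAN where UDP port 1900 is not filtered.
import socket

IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\n' f"ST: {IGD_TARGET}\r\n\r\n")

# Constructed sample reply (not captured from a real device), used for testing.
SAMPLE_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                f"ST: {IGD_TARGET}\r\nUSN: uuid:placeholder::{IGD_TARGET}\r\n"
                "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
                "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")


def parse_ssdp_response(raw):
    """Map an SSDP reply's headers to a dict with lower-cased names.
    Returns {} unless the status line is 200 OK, so stray traffic is ignored."""
    lines = raw.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def advertises_igd(raw):
    """True if the reply announces a UPnP Internet Gateway Device (a router)."""
    h = parse_ssdp_response(raw)
    return h.get("st") == IGD_TARGET and "location" in h


def discover(timeout=3.0):
    """Multicast the M-SEARCH and return every gateway that answers ('from' = sender)."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(M_SEARCH.encode(), ("239.255.255.250", 1900))
        try:
            while True:  # keep reading until the timeout ends the round
                data, addr = s.recvfrom(4096)
                text = data.decode(errors="replace")
                if advertises_igd(text):
                    found.append({"from": addr[0], **parse_ssdp_response(text)})
        except socket.timeout:
            pass
    return found
```

Run `discover()` from a machine on the wireless LAN: an empty list after the timeout means nothing on that segment is offering a UPnP gateway, while any entry shows the router (or another device) still has UPnP on.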

Anyway, I hope you find these security best practices helpful. All of the information is still current and valid.

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

August 05, 2005

Hotel Systems Hackable Through Room TV's

Just when you thought others hacking into your hotel room's Wi-Fi access was annoying, here's one to up the ante: "Hacking the hotel through the TV".

Basically, a knowledgeable person can hook up a laptop with a USB TV tuner and hack into hotel systems that expose other guest information.

Speaking about Adam Laurie, who presented this at the recent DefCon event, the article states: "He can't look into their rooms (yet), but depending on the system he can see what they are watching on their TV, look at their guest folios, change the minibar bill and follow along as they browse the Internet on the hotel television set. To tease his fellow guests, he can also check them out of their room and set early wake-up calls via the TV."

If that wasn't bad enough: "And the situation isn't getting better. 'They are starting to do things like allowing you to put credit card numbers in through the TV,' Laurie said. Also, he said, some of the makers of these hotel systems are looking at adding Webcams, perhaps to let people chat over the Internet." Now doesn't this sound just like, oh, I don't know, Big Brother watching people via television in "1984"? Life imitates art.

He can do all this because of the "inverted security model" of these types of systems. Per Laurie, "The TV is controlling which content I get to see. The hotel in most cases is streaming all content without any control." Talk about a dumb terminal. So he substitutes his own laptop-based TV as the control mechanism to hack the content. He also uses a special infrared remote to hack the remote codes used to communicate via the TV. (He obviously has waaaay too much time on his hands, but what's a hacker to do when he's bored and stuck in a hotel room?)

So on your next stay, cover up or unplug any courtesy webcams (and their microphones if they have them), don't enter any sensitive data into the TV, and be aware of all your activities through your room's TV. Don't feel strange about doing so -- you're not being paranoid if others are actually accessing this data. For similar reasons, I haven't used public or kiosk PCs in ages due to keyloggers and other spyware.

Hey, after all these years, there's finally something good on cable TV -- your personal information. As Dana Carvey would say, "Now isn't that special?"

Topic(s):   Privacy & Security
Posted by Jeff Beard   |   Permalink  |  Comments (0)

Ju