January 2, 2005. WTVN Radio, Columbus, Ohio. Sunday morning from 8 until 9.
It's 2005. Do you know where your identity is?

Unless you have an e-mail account based in another solar system, you probably receive several "phishing" messages every week. Maybe you receive several per day. Or several per hour. The messages claim to be from a bank (maybe even your bank) or from Ebay or PayPal (even if you've never dealt with either), and they warn you about identity theft. To make sure your account is safe, they want you to visit a website to confirm your information. If you follow the link, they ask for everything they need to steal your identity. But that's not the only way to get access to your money. Consider this account from the executive vice president of Strike Force Technologies, George Waller:
Then you fill out the registration form. It wants the usual information – your name and address (to send the free kibbles for your dog). Because you're signing up for a newsletter, it also wants you to create a user ID and a password. You fill in the same user ID and password that you use for everything.
This is not a desirable outcome.

What's the next threat?

Waller says that, as bad as phishing is and as insidious as the fake dog site just described is, something far worse will become prevalent in 2005: keystroke loggers. A keystroke logger is a small piece of software that someone tricks you into installing on your computer. It watches everything you type and, every few thousand characters, it sends a small text file to the person who sent you the logger. If you have a firewall, if that firewall watches outbound connections, and if you pay attention to warnings from the firewall, you might catch the logger before it sends anything. But given that there are already hundreds of thousands – if not millions – of computers that have been compromised with malware that has turned them into "zombies" for the people who send spam and phishing messages, it seems naive to expect most users to notice an attack of this sort. Keystroke loggers aren't the products of futuristic imaginations, either. They exist today. Hardware keystroke loggers have been around for years, but those require physical access to the computer. Software loggers also exist, and have for several years. Visiting a bad website with a browser that can run ActiveX applications and an operating system that doesn't have up-to-date security patches is all that's necessary to get one installed on your computer. The real problem is people. Crooks can count on people to create passwords that can easily be guessed or that can be cracked by the most rudimentary dictionary attack. But they don't need to do any guessing or set up any password-cracking applications if they can use social engineering to convince someone to hand over user IDs and passwords.

The solution omits human shortcomings

One of the largest problems involving user IDs and passwords is that they are sent and received "in band". In other words, when you visit your bank's website, the bank asks for a user ID. You provide that.
Then it asks for a password. You provide that. Even if the connection is secure and encrypted, a keystroke logger running on your computer will see both the user ID and the password. But what if you went to your bank's website, identified yourself, and the bank then provided confirmation via a phone call – "out of band", where a keystroke logger can't eavesdrop? That's what Strike Force Technologies is working on. I asked George Waller to tell me about it ... I visited the Strike Force website and followed a link to an e-commerce demo. A website that uses Strike Force will ask you only for your identification. When you submit an order, the screen displays a brief message explaining that your phone will ring in a moment and that you should enter your password there. A few seconds later, my phone rang, I entered the password on the phone keypad, and the "order" was completed before I could hang up the phone. If you're the head of security for a company that makes sales on the Web or for a bank that provides access to customers via a website, this is technology you should investigate.

POPping GMail

G-Mail from Google is probably the best webmail client available. Users get a lot of storage space, automatic spam suppression, an elegantly simple (for webmail) interface, and a good way to search for information that's in received or sent messages. On the other hand, you get webmail, and some people (me, for example) just don't get along with webmail. Because you have to wait for things to happen on the server, webmail is almost always slower than using a standard mail user application (MUA) on your own computer. My favorite MUA is, and for a long time has been, The Bat. So my G-Mail account hasn't seen much use. I'm probably not unique in having set up a G-Mail account that I rarely use, and that's probably one reason why Google has recently changed how G-Mail works.
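The out-of-band login described in the Strike Force section above, as an added example that is not Strike Force's own code: a small Python model in which the web form accepts only the user ID, the site "rings" the user, and the password is keyed in on a simulated phone keypad, so a logger watching the PC keyboard never sees it. The user store, phone number and session tokens are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed user store for the demo: user id -> phone number and password hash.
USERS = {"alice": {"phone": "+1-555-0100",
                   "pw_hash": hashlib.sha256(b"1234").hexdigest()}}


class Server:
    """Site that takes the user id on the web and the password over the phone."""

    def __init__(self):
        self.pending = {}    # session token -> user id awaiting phone confirmation
        self.calls = []      # stand-in for the telephony system: (phone, token)
        self.completed = []  # orders confirmed out of band

    def web_identify(self, user_id):
        """Web step: only the identifier is submitted; the site then phones the user."""
        if user_id not in USERS:
            return None
        token = secrets.token_hex(8)
        self.pending[token] = user_id
        self.calls.append((USERS[user_id]["phone"], token))
        return token

    def phone_confirm(self, token, keypad_digits):
        """Phone step: the password is keyed in on the handset, never typed on the PC."""
        user_id = self.pending.pop(token, None)  # one attempt per call
        if user_id is None:
            return False
        digest = hashlib.sha256(keypad_digits.encode()).hexdigest()
        if not hmac.compare_digest(digest, USERS[user_id]["pw_hash"]):
            return False
        self.completed.append((user_id, token))
        return True


def run_demo(user_id="alice", password="1234"):
    """Play both channels through; returns (order_completed, keystrokes_on_pc)."""
    server = Server()
    pc_keystrokes = [user_id]          # all a logger on the PC could capture
    token = server.web_identify(user_id)
    if token is None:
        return False, pc_keystrokes
    _phone, called_token = server.calls[-1]            # the phone rings for this session
    ok = server.phone_confirm(called_token, password)  # keypad entry, out of band
    return ok, pc_keystrokes
```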
Users can now choose to connect to the G-Mail server with a standard POP3 connection (it requires a secure sockets connection on a non-standard port) or to have G-Mail forward their messages to their regular e-mail account. In either case, users get to choose whether G-Mail retains a copy of the messages -- which makes them searchable -- or deletes them from the server. I thought about using the POP3 setup and Google has made the process easy enough for anyone who reads beyond about 5th grade level to enable for Outlook Express and Outlook (Windows or Mac), Entourage, Eudora, Netscape Mail, Apple Mail, Mozilla, Thunderbird, and "other". The Bat isn't present on that list, so I selected "other". The instructions are clear, precise, and complete; unfortunately, they don't quite fit The Bat. For all of The Bat's legendary powers, it doesn't support secure sockets (SSL) natively. There's a solution, but that involves downloading and installing a tunneling application that The Bat then uses for its SSL connection. So I decided to have G-Mail forward messages to my regular collector account -- one of two primary accounts that I use. I ran into another problem there: Forwarding can send messages that have been filtered or it can send all messages. Even though approximately a dozen people know my G-mail account's name, it's already regularly collecting spam. The good thing is that G-Mail has recognized every spam message and has put it in a special spam box; the bad thing is that I can see no way to set up a filter that omits spam and there's no check box that says not to forward messages identified as spam. My workaround is a temporary fix. So far, virtually all spam for the account has arrived with my G-Mail account name in the "bcc" part of the message. That means the "to" line contains something other than my G-Mail address. I've told G-Mail to forward only messages with my address in the "to" line. This has two shortcomings, though. 
First, some spam will surely have my name in the "to" line, so it will be forwarded. Second, legitimate mail might have my address in the "cc" or "bcc" field, so it won't be forwarded. Perhaps these shortcomings are ones that Google will address in future enhancements. G-Mail also doesn't support the (newer) Internet Mail Application Protocol (IMAP), but Google hints that IMAP support may be added later.

Nerdly news

Hanukkah, Christmas, Kwanzaa, Boxing Day, New Year creeps

Holidays always seem to bring creeps out from whatever rocks they live under, and the year-end holidays, when a lot of people take extra vacation days, seem to be prime time for the low-life writers of viruses and worms. The Full Disclosure mailing list describes some of the current problems that face users of Microsoft's Internet Explorer: "A full remote compromise of Microsoft's Internet Explorer has been developed for SP2." Alarmingly, this exploit "requires no user interaction." It is based on several previous vulnerabilities and can be used to write an executable to a user's hard drive and then run it. All the user has to do is visit a rogue website. Full Disclosure notes that "Microsoft was able to reproduce the issue and has agreed that the severity is indeed critical. Because the vulnerabilities (3 total, each based on different technologies) have been known and unpatched for quite some time, we have decided to release the information on this exploit in hopes that in the future Microsoft will work faster towards patching vulnerabilities that we security researchers disclose to them." The most common use for these vulnerabilities will be to install spyware. Full Disclosure notes that users can avoid all consequences of this exploit by disabling HTA files and disabling active scripting, or by switching to a different browser altogether, such as the Mozilla Group's Firefox.
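The G-Mail forwarding workaround described above, as an added example constructed here (not Google's filter): the rule forwards a message only when my address appears in its To line, and four constructed sample messages show the two shortcomings the text describes. The address and messages are assumptions; the `fields=("To", "Cc")` variant is an addition that also checks the Cc line.

```python
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESS = "me@example.com"   # constructed stand-in for the author's G-Mail address


def should_forward(raw_message, my_address=MY_ADDRESS, fields=("To",)):
    """Author's workaround: forward only when my address appears in the To line.
    Passing fields=("To", "Cc") extends the check to Cc (an assumed variant)."""
    msg = message_from_string(raw_message)
    recipients = set()
    for field in fields:
        for _name, addr in getaddresses(msg.get_all(field, [])):
            recipients.add(addr.lower())
    return my_address.lower() in recipients


# Constructed sample messages; only the headers matter for the rule.
SAMPLES = {
    "spam_bcc": "From: junk@example.net\nTo: someone-else@example.org\n"
                "Subject: free kibbles\n\nmy address was only in the bcc list\n",
    "legit_to": "From: friend@example.org\nTo: Me <me@example.com>\n"
                "Subject: hello\n\nhi\n",
    "spam_to": "From: junk@example.net\nTo: me@example.com\n"
               "Subject: confirm your account\n\nshortcoming 1: still forwarded\n",
    "legit_cc": "From: friend@example.org\nTo: colleague@example.org\n"
                "Cc: me@example.com\nSubject: meeting\n\nshortcoming 2: dropped\n",
}


def run_filter(fields=("To",)):
    """Apply the forwarding rule to every sample; returns name -> forwarded?"""
    return {name: should_forward(raw, fields=fields) for name, raw in SAMPLES.items()}
```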
For Mac users, OS X 10.3.7

Apple has released a minor update to OS X version 10.3, but some users have encountered enormous problems as a result of installing it. Instructions on Apple's website are clear about the installation procedure, but not everyone reads the instructions on the website before installing an upgrade. Apple's instructions:
It's that first bullet point that gets people. Some users who didn't disconnect their external drives found that they can no longer mount the drives or that they have lost large amounts of data. No system upgrade should ever be undertaken if the user doesn't have a full backup, but that's something too many users forget about. I've installed 10.3.7 without any problems on several Macs. However, given the potential for severe problems and data loss, wouldn't it make sense for Apple's software engineers to write their application to look for mounted external drives? If they can't figure out how to do that (I don't know for sure that there is a way to determine whether a mounted OS X drive is connected by FireWire) couldn't they at least display a terse dialog box that would look like this:
Adding a dialog such as that to the installer would take only a few minutes and could avoid serious problems for users. It's easy for Apple to say the users could have read the instructions and that they should have read the instructions, but one of Apple's big sales pitches (starting in the mid 1980s) was the lack of documentation for their products because those products were so easy to use. Sometimes documentation is needed. Let us know what you think. Write to: