Exploring the wonderful world of technology and software development
 Monday, January 07, 2008

Jeremy Clarkson, presenter of TV's "Top Gear", published his bank account details and home address in an article he penned for "The Sun", the UK's best-selling newspaper. Why? Because he wanted to illustrate his belief that the furore over reports of the loss of CDs containing a database of 25M people's personal details was much ado about nothing. He claimed:

"All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing"

Alas, this stunt has backfired on him! Clarkson subsequently wrote in his Sunday Times column that:

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account. The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again."

Clarkson, much chastened, had the good grace to admit that:

"I was wrong and I have been punished for my mistake."

He must be thanking his lucky stars that whoever managed to compromise his account didn't clean him out! Let this be a lesson to us all.

It is clearly all too easy for our identities to be abused and compromised and we should all take steps to do what we can to protect our personal identities.

Here are my top 5 suggestions on the absolute minimum steps we should all take to protect our personal identities:

  1. Shred paperwork. Don't just throw away paperwork with your name, address, telephone numbers, account numbers, balances, credit details, etc., SHRED THEM. Document shredders are not expensive and take just moments to make it much harder for malicious third parties to abuse your identity.
  2. Protect your passwords: Passwords are a pain to use and open us up to innumerable identity attacks such as phishing. However, until alternative identity exchange mechanisms such as Windows CardSpace establish a strong foothold, passwords are going to remain as the primary way we secure access to websites and online services. So we will need to more effectively manage our passwords. Key tips for password management:
    1. Don't re-use passwords: Avoid using the same password at more than one site. If your password is compromised once, you're open to much broader attack if your password is shared across several other sites. It's quite easy to choose a unique password and to augment it with some site identifier so that you can easily remember the password to use on a given site.
    2. Never write down your passwords, nor store them in an unsecured store (e.g. a spreadsheet on your laptop). If you must store your passwords, store them in an encrypted and/or password protected store, and rather than store the password itself, store a hint or reminder as to what the password is.
  3. Avoid passwords: Lobby your bank, credit card companies, merchants, billing companies, and anywhere else online that requires you to create and maintain yet another password. Ask them when they plan to adopt identity selectors such as Windows CardSpace (or other identity selectors such as Novell's Bandit for example). We need to start moving beyond usernames and passwords and to enjoy a safer Internet.
  4. Protect your Social Security/Tax/National IDs: It stuns and amazes me that most banks here in the US use a person's Social Security Number (SSN) as the primary identifier for their customers. I've lost count of the number of times I have been asked to provide my full SSN when I speak to my bank, mortgage company, etc. I am even more astonished at how flummoxed the phone reps are when I refuse to provide my whole SSN - they just don't know what to do or go out of their way to avoid performing the couple of extra steps necessary to look you up in their systems using other credentials (name, address, etc).
  5. Monitor your bank / credit card transactions monthly: I am as guilty as the next guy of not doing this as regularly as I should. Until recently. A few weeks ago I decided to take a more proactive stance regarding my financial position and invested in a money management package (I chose Microsoft Money, but tools like Quicken are great too). Whilst categorizing all my uncategorized credit card transactions, I found that I had been billed over $120 by TFN*GreatFun (Trilegiant's well documented scam). I am in the process of jumping through the (quite unnecessary) hoops required to have these charges reimbursed. Without Microsoft Money, I would most likely not have noticed these charges and so it has already more than paid for itself!

Hope this helps you avoid getting compromised.

Posted: Monday, January 07, 2008 6:33:14 PM (GMT Standard Time, UTC+00:00)
Identity | Security

 Wednesday, December 12, 2007

image

Sorry ... couldn't resist it! Just HAD to post a picture of our cat!

Posted: Wednesday, December 12, 2007 1:01:48 AM (GMT Standard Time, UTC+00:00)


 Thursday, November 01, 2007

Brad Abrams is asking whether or not the default behavior of the .NET runtime should allow your machine to run .NET applications stored on network shares by default.

Today, you can run native EXE's stored on network shares without having to do any security work at the desktop. .NET applications, on the other hand, will fail with a somewhat unhelpful "[exename] has encountered a problem and needs to close.  We are sorry for the inconvenience" error message.

This is, as Brad points out, a well known issue with some simple workarounds involving:

  1. Configuring your machine to trust a given strong-named (i.e. signed) .NET EXE (using MSCORCFG.MSC; details here)
  2. Altering your machine's Code Access Security Policy to trust a given network share (using CASPOL.EXE, as shown by Shawn)

I believe that softening the default Code Access Policy to permit .NET EXE's to run from default shares will introduce too many opportunities for malicious software authors to fool users into running apps that they think they trust.

Remember the ILoveYou virus which, as Dominick points out, copied itself to network shares as one of the avenues through which it spread its infection?

The only way I could accept such a sweeping change is if only EXE's that are Digitally Signed with a cert from a Certificate Authority in my trusted root store were permitted to run from a network share. Otherwise users WILL be fooled into running something that is less than desirable and which causes significant damage ... something I think we should all take steps to avoid.

In short, Just say NO!
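The share-wide CASPOL workaround next to a publisher-certificate condition closer to the one argued for above, as an added example (not from the original post or from the articles it links to). The share path, certificate file, EXE name and group names are placeholders, and 1.2 is assumed to be the label of LocalIntranet_Zone in the default machine policy.

```powershell
# Added example. Placeholders: \\fileserver\apps, C:\certs\publisher.cer,
# tool.exe and the code group names. Run from an elevated prompt.
# The 64-bit runtime keeps its own policy under Framework64.
$caspol = Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'

# 1. List the machine-level code groups and confirm which label belongs to
#    LocalIntranet_Zone (assumed to be 1.2, as in the default policy).
& $caspol -m -lg

# 2. Broad workaround: every assembly under the share gets FullTrust,
#    signed or not. Anyone who can write to the share can drop code that
#    will then run fully trusted on this machine.
& $caspol -q -m -ag 1.2 -url 'file://\\fileserver\apps\*' FullTrust -n 'Share_Apps'

# 3. Narrower alternative: a child group of LocalIntranet_Zone that grants
#    FullTrust only to assemblies signed with a specific publisher
#    certificate. Unsigned or differently signed code on the same share
#    keeps the default intranet permissions.
& $caspol -q -m -ag 1.2 -pub -cert 'C:\certs\publisher.cer' FullTrust -n 'Trusted_Publisher'

# 4. Verify: show the permissions policy would grant to one EXE on the share.
& $caspol -rsp '\\fileserver\apps\tool.exe'

# 5. Remove the broad group again if it was only added for comparison.
& $caspol -q -m -rg 'Share_Apps'
```

Steps 2 and 3 are alternatives; applying only step 3 keeps the share itself untrusted while still letting signed applications run from it.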

Posted: Thursday, November 01, 2007 4:51:45 PM (GMT Standard Time, UTC+00:00)
.NET | Security

 Wednesday, October 03, 2007

The wait is over and the prayers of many have been answered! From Scott Guthrie's blog this morning:

Today I'm excited to announce that we'll be providing [the source code to major parts of the .NET Framework] with the .NET 3.5 and VS 2008 release later this year.

[Source: Releasing the Source Code for the .NET Framework Libraries - ScottGu's Blog]

I know that this news is going to make a lot of people VERY happy indeed. :)

There is much debate about whether open or shared-source projects truly deliver enough benefit versus the cost of potentially giving away the crown jewels. However, I think it safe to say that it's generally accepted that it's a heck of a lot easier to successfully build apps and systems on top of a framework if you're able to peer down into the framework to see what's going on inside.

Remember the old days when we used to write apps on top of Borland's TurboVision, OWL and Visual Component Library or Microsoft's MFC and ATL? It was immensely useful to be able to single-step down into the framework in many cases.

Whilst we published portions of the BCL in the Shared Source CLI (I highly recommend the SSCLI/Rotor book to better understand what's going on in the CLR itself), you now get to delve around within a significant superset of the .NET Framework library's source code:

  • .NET Base Class Libraries
    • System, System.IO
    • System.Collections
    • System.Configuration
    • System.Threading
    • System.Net
    • System.Security
    • System.Runtime
    • System.Text
    • etc...
  • ASP.NET
    • System.Web
  • Windows Forms
    • System.Windows.Forms
  • ADO.NET
    • System.Data
  • XML
    • System.Xml
  • WPF
    • System.Windows

Keep your eyes peeled for follow-up details of this news :)

Posted: Wednesday, October 03, 2007 10:16:24 PM (GMT Standard Time, UTC+00:00)
.NET

 Monday, September 24, 2007

For anyone who's played and/or followed the previous two Halo games, tomorrow marks one of the hottest entertainment releases to date. Halo3, the final chapter in the Halo trilogy, is on general release tomorrow.

If you can't wait until tomorrow to begin the final saga, then you might want to attend one of the Midnight Madness events at one of the 10,000 retail outlets across North America who are opening early for Halo 3 fans! In particular, the following four special events will enjoy live coverage on SpikeTV and G4 cable networks:

  • Best Buy, 457 120th Ave NE, Bellevue, WA -- Seattle fans are invited to join the celebrations at Bellevue's Best Buy, which will open its doors at 12:01 am on September 25. To commemorate the release of Halo 3 in the game's hometown, fans will be able to celebrate the occasion with product giveaways. People in line may also get a chance to play against Bungie team members and local professional athletes.
  • Best Buy, 529 5th Ave, New York, NY -- Located in the heart of 5th Ave. and only a few blocks from Times Square, the Best Buy store on the corner of 5th and 44th Ave. will be the first to provide consumers in the U.S. with Halo 3.
  • GameStop, 1000 Universal Studios Blvd, Universal City, CA -- From the entertainment capital of the world, GameStop's flagship store at Universal CityWalk in Los Angeles will host the Halo 3 West Coast launch.
  • Circuit City, 8575 Northwest 13th Terrace, Miami, FL -- Hosted by Circuit City, Miami's Midnight Madness event of choice will feature product giveaways and contests.

Go check out http://www.halo3.com for more details.

... And when you play Halo3 online, if you get attacked by someone called BitCrazed, you know who it is! ;)

Posted: Monday, September 24, 2007 8:28:22 PM (GMT Standard Time, UTC+00:00)
Games

Do you TRULY LOVE what you do? If not, why do you do it?

These are two of the most important questions we should all (regularly) ask ourselves and have the courage to answer honestly. If you hear yourself answer "no" or "not really" too often, then you know it's time for some change.

For those that don't know me, I work at Microsoft. I was, up until a few weeks ago, Product Manager for Windows CardSpace - an incredibly exciting product that will revolutionize how we authenticate ourselves and exchange sensitive information online. Before that, I was a Product Manager for Windows Communication Foundation (WCF) and before that was a Program Manager for WCF. Before that I worked as a Principal Consultant and then Solution Architect at Microsoft UK. Before Microsoft, I formed and ran my own specialist software consulting business and built some pretty hard-core systems for customers throughout Europe. More on this in another post.

I asked myself the questions at the beginning of this post several times this last year and I heard my replies go from "yep, sure" to "yes, but ..." and then "no, because ..." too often. I began to ask myself "when am I happy?" and "what do I love to do?". The answer was always "I am happiest when I am designing and building great software".

Time then for a change!

It turns out that, whilst I am a little rusty, I still have the chops ;)

Following my first developer interview for over 10 years, I recently started my new role as a Software Development Engineer for (get ready for "Product Name Gone Wild" ) Visual Studio 2005 Team Edition for Database Professionals ... or "DataDudes" as we prefer to call ourselves! :)

It's only been a few weeks now, but I can't even begin to express how excited I am now to wake up and get into work in the morning. I even look forward to Monday mornings now, eager to get in and create an elegant solution for another pressing problem.

I'll be posting more about this transformation in role from marketing to developer over the next few weeks while I settle in to the role and learn to navigate the huge amount of code in this powerful product we're building!

So I ask you once again: Do you TRULY LOVE what you do? If not, why do you do it?

Answer yourself honestly now!

Posted: Monday, September 24, 2007 6:38:59 PM (GMT Standard Time, UTC+00:00)


All content (unless otherwise specified) is © Copyright 2010 Richard Turner.