New Top 20 Internet Security Vulnerabilities

Up on SANS.org, the latest edition of The SANS Top 20 Internet Security Vulnerabilities.[*1]

The “Top 20” is actually two top 10 lists, one for Windows users, the other for Unix users. Obviously the Windows list has little impact on Unix and vice versa. Also, some of the Windows vulnerabilities are focused on Windows servers (which I imagine few people actually run at home).

The short recommendations for Windows users:

1. Stay current with the latest versions of operating systems and software, especially web browsers and anti-virus software.

2. Don’t use peer-to-peer software (e.g. Napster, GNUtella, KaZaa) unless you know what you’re doing (both technically and legally).

3. Implement a firewall between yourself and the Internet–either a software firewall on your computer, or a firewall on your network at the Internet connection point–preferably both (i.e. “defense in depth”).

4. Avoid using the Microsoft products Internet Explorer (the web browser), Outlook, and Outlook Express (the mail clients) if at all possible. The Bad Guys target these programs, and they have a long nasty history of serious vulnerabilities.

5. Don’t open any e-mail (the message itself or an attachment) from anybody you don’t recognize. Delete suspicious e-mails immediately. Don’t use the “preview feature” — that’s the same as opening the mail message. Turn on e-mail checking in your antivirus software. It will slow you down a bit. Getting infected will slow you down a lot more.

6. Don’t use instant messaging unless you know what you’re doing.

More on the SANS Top 10 for Windows:

W1 Web Servers & Services.[*2] Most home users don’t need to worry too much about this, unless you’re running a web server at home. If you are, then read, understand, and implement the SANS recommendations, for pity’s sake!!!

W2 Workstation Service.[*3] Stay current with your software and use a firewall (recommendations 1 and 3 above).

W3 Windows Remote Access Services.[*4] As with the previous one, stay current and use a firewall.

W4 Microsoft SQL Server (MSSQL).[*5] Some programs install this software for you as “MSDE” for use as an internal database for the program. If you’re using software which uses MS-SQL or MSDE, you really, really need to read and understand the SANS recommendations. Otherwise, choose software which doesn’t require MSSQL/MSDE.

W5 Windows Authentication (i.e. passwords).[*6] Pick passwords which are difficult to guess. One of the best recommendations is to pick an easy-to-remember phrase and use the first letter of each of the words. Adding numbers makes better passwords. Some systems don’t allow them, but using “special characters” makes passwords much stronger. An example would be something like “My Dog Is 4 Years Old & Has A Black Tail”, which would give the very strong password “mdi4yo&habt”. The longer your password is, the harder it is to “crack” (and, of course, the harder it is to remember). Passwords should be at least 6 characters long.
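As an added example (my own code, not from the post or from SANS), here is a Python sketch of the phrase-to-password method described above, plus a check of the post’s stated properties: length of at least 6, a digit, a special character. The keyspace estimate is my assumption, a naive brute-force measure of how much extra length and character variety help, and is not something the post states.

```python
import math
import string

MIN_LENGTH = 6  # the post's stated minimum password length


def phrase_to_password(phrase):
    """Derive a password the way the post describes: take the first character
    of each word, lower-cased. A word that is a number or a lone symbol
    (like '4' or '&') contributes that character, so digits and specials survive."""
    return "".join(word[0].lower() for word in phrase.split())


def keyspace_bits(password):
    """Naive brute-force estimate (an assumption, not from the post): assume the
    attacker knows which character classes are present and must try every string
    of this length over them, so keyspace = alphabet_size ** length. Returned as
    log2 bits so longer / more varied passwords show up as bigger numbers."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password):
    """Report which of the post's recommended properties the password has."""
    return {
        "length": len(password),
        "long_enough": len(password) >= MIN_LENGTH,
        "has_digit": any(c.isdigit() for c in password),
        "has_special": any(c in string.punctuation for c in password),
        "keyspace_bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    # The post's own example phrase, used here as constructed sample input.
    for phrase in ("My Dog Is 4 Years Old & Has A Black Tail", "My Dog Is Old"):
        pw = phrase_to_password(phrase)
        print(repr(phrase), "->", pw, assess(pw))
```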

W6 Web Browsers.[*7] See recommendation 4 above. All browsers are vulnerable, but users of Microsoft’s Internet Explorer are at the highest risk. As SANS says, “If you are using Internet Explorer on your system, there is no current way to know if you are vulnerable, due to the large number of unpatched vulnerabilities which exist.” If you don’t have to use Internet Explorer (some sites require it), then use something else–Firefox, Opera, Mozilla.

W7 File-Sharing Applications.[*8] Just don’t, if you don’t need to. If you simply have to run this stuff, read and understand the SANS recommendations.

W8 LSAS Exposures.[*9] This one is pretty obscure–staying patched (#1 above) and using a firewall (#3 above) will help to keep you out of trouble.

W9 Mail Client.[*10] Oh, my. This one is where people get into real problems really, really fast. See recommendations 4 and 5 above, and view all e-mail you receive with some suspicion.

W10 Instant Messaging.[*11] This one is coming on strong, and defenses are weak right now. Don’t use it unless you absolutely have to.

Vote For The Worst

Doing my part to keep culture jamming[*1] alive, here’s the link to votefortheworst.com,[*2] the site which spawned the current rage of voting for the worst American Idol[*3] participant.

Go for it, guys, Scott Savol rules! Woo-hoo! An-Ark-EEEEEEE!

Snap Generations[*4]-style analysis: Boomers think culture-jamming is “sticking it to the Man,” GenX’ers just think it’s funny.

Dark Chocolate: Heart-Healthy?

Oh, please . . . don’t try to tell me that dark chocolate candy[*1] is in any way heart-healthy. Blah blah blah “flavonoids” blah blah blah.

Have you ever tried to eat dark chocolate without using about a metric ton of sugar per ounce of chocolate?

For a huge segment of the population (including Filbert, but Snookums not so much), “It’s the carbs, stupid!”

Go ahead and enjoy dark chocolate, but good luck convincing me that it’s good for you.

KC Royals made a profit last year

The Royals[*1] may be miserable on the field, but by golly, they’re finally making money.[*2] Don’t you feel better now about that $6.25 beer?

Now that I’ve got the knee-jerk cynicism out of the way, this is actually very good news. Maybe the Royals can figure out a way to keep their stable of young players and grow the team’s income and the players’ salaries together. Everybody knows that pro baseball is seriously broken from a financial as well as a competitive point of view. The two are directly related to each other.

More Robert Pozen on Social Security

In this editorial[*1] in the Wall Street Journal, MFS Financial Advisors Chairman (and Dem.) Robert Pozen answers some of the critics and nay-sayers of Social Security reform.

Some excerpts:
If the litmus test of a reform plan is not cutting scheduled benefits for any significant group of workers, then no viable plan to restore Social Security’s solvency will pass muster.

. . . median workers would be able to buy 14% more in goods and services with their monthly checks from Social Security under progressive indexing in 2045 than they can with these checks today. That does not sound like a “benefit cut” in terms of real purchasing power.

And the money paragraph:
If Congress is attracted by a package of Social Security reforms combining a milder form of progressive indexing with a 2.9% surtax on earnings above $90,000, it must provide high earners with retirement benefits attractive to them. One possibility would be to devote 1.45% of the surtax to Social Security solvency, and to allow the other 1.45% to be allocated to a personal account invested in market securities. Since such an account would not divert existing taxes away from Social Security, it would not involve any increase in government borrowing. In short, the combined approach would let both parties win–Democrats would get a mix of higher taxes and progressive benefit changes, while Republicans would get personal investment accounts and constraints on benefit growth. And the solvency of Social Security would be restored for all American workers.

If you think you have an opinion on Social Security, you need to read and understand this article. It may change your perspective on the issue.

Morning Whip, 5/3/05

This should make it easier for readers to comment (please comment!) on articles as they’re posted.

Did I say “please comment” yet?