Proactive IT Security
 

Per Olav Førland's entries

Per Olav Førland has been a Norman employee since 1996.

He had the main responsibility for Norman's web site until 2009.
Since 2010 he has been working on general security analysis in Norman's R&D department.

He is the main author of Norman's Security articles.

The insecurity paradox

The formula here attempts to explain a paradox in security analysis:


If it is true that security is only as strong as its weakest link, why are those who use insecure passwords, skip installing security patches, avoid updating or using antivirus software, and in general act insecurely not hacked and exploited continuously?

Because they are not!

A thought-provoking attempt to explain this puzzle is presented by Dinei Florêncio and Cormac Herley from Microsoft Research in the paper "Where Do All The Attacks Go?…

The 10 most insecure passcodes

Earlier this week I read an extremely interesting and impressive blog item by Daniel Amitay: Most Common iPhone Passcodes.

Amitay has analyzed more than 200 000 passcodes used in an app with a passcode setup screen similar to the iPhone's. His findings are astonishing and scary.

Let me go through some of his findings. Keep in mind that there are 10 000 different passcodes that users can choose from when they select their four-digit code.

The 10 most commonly used codes are:

  1. 1234
  2. 0000
  3. 2580…

Purchasing and downloading outdated software

Last week in the "JoshMeister On Security" blog, the topic was Apple's Mac App Store, and the fact that software available from this store may not be the latest version.

The blog's author, Joshua Long, uses the web browser Opera to illustrate his point. While Opera Software recently published version 11.11 of Opera, the version available from the Mac App Store is version 11.9. The JoshMeister blog points out, correctly, that this may jeopardize those who purchase Opera from the App Store, as they will not get the latest version, which often incorporates new security updates.

From the blog:

Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

The reason for this delay seems to be that Apple needs time to perform its approval procedures before any product is placed on its Mac App Store.

However, this issue is not restricted to the Mac App Store. The point the blog makes is just one example of a more general problem, which affects software for all popular operating systems:

Software downloads from anywhere except from the vendor may not be the latest version.

 

This may be the case for downloads from

  • resellers' web pages,
  • software webshops,
  • popular download sites,
  • result pages from web searches,

and perhaps the one source that you can be almost certain is outdated:

  • program installers available from CDs/DVDs.

The reasons why the software is outdated may be perfectly legitimate, and in some instances a sound part of the provider's quality control regime. Nevertheless, there will often be some delay between when the vendor makes the latest installer available as an Internet download and when it has propagated to the other entities that distribute the installer.

Using older versions of software is a dangerous activity. Most malicious software exploits vulnerabilities that are known and usually patched by the vendor. If you are running a previous generation of a popular application, there is a high probability that it has vulnerabilities that are known to cybercriminals and for which exploits exist. Exploits may even be available for purchase from the many commercial malware kits; see e.g. this security article from Norman.

To avoid running outdated and vulnerable software, you should follow some easy procedures:

  1. Check if there is a "check for new version" option in the application.
    If yes, run this immediately after installation. 
  2. If the application has any kind of "check for updates at regular intervals" option, you should turn this on.
  3. If there is no update option available from within the application, you should visit the software vendor's web site to check if you are using the latest version.
    If there is a newer version available, you will most likely have a safer Internet presence if you update to the later version (by following the vendor's updating instructions). 

 

Scams utilizing Google Music beta

It is a fact that cybercriminals and other persons who attempt to trick you react quickly when a new product or service enters the market. The latest example shows that these individuals react even before release, in the beta phase.

Google Music is a new offering from Google, released as a beta service a few days ago. It is currently only available in the United States.

Google Music is a service which in the beta phase allows users to upload as many as 22 000 songs free of charge. Whether the service…

Guilty until proven innocent?

Over the years, Norman has written several articles about the danger of using and having unsecured wireless networks. Some selected articles are at the end of this blog item.

A news story from Associated Press reveals a horror story about a person with a new wireless router, which was not password protected.

Suddenly he found himself lying on the floor surrounded by assault weapons, accused of being a pedophile and a pornographer. The family's computers, iPads and iPhones were confiscated, and it took days before investigators established that the illegal material had been downloaded by others using the unprotected wireless network.

It turned out that the police used the IP address or router id belonging to the innocent owner of the router to identify the owner (through information obtained from his Internet Service Provider). This then became the reason for the actions taken against the router's owner.

This story is just one in a series of similar incidents where innocent people are suspected of criminal activity because others used their unsecured wireless routers.

At least two lessons should be drawn from this:

  1. If you do not secure your wireless router with a password it may (read: will) be used by others.
    Illegal activity going through your router may be traced back to you.
  2. Law and order representatives should not a priori assume that the stream of data that goes through an unsecured router belongs to the owner of the router.

It is tempting to suggest that "all problems" will be solved if everyone secures their wireless routers. Persons (most?) with illegal intent will then be unable to use the router for their activities.

An article from the Electronic Frontier Foundation (EFF), dated 27 April this year, however, makes some interesting points worth contemplating.

The author advocates the view that wireless networks as such are for the common good. When we are in e.g. public places like parks, airports, restaurants, it is useful to have access to an open wireless network. There may be lots of perfectly legitimate reasons for this; for example the need to find the nearest sports store (by use of your smartphone), checking if the email you waited for has arrived (using e.g. your laptop), checking the weather forecast before you buy tickets for the sightseeing trip by boat (using your smartphone again).

The EFF article points out that the root of the problem is not the open wireless network itself. The problem is that the communication through the network is open. This can be solved by introducing secure (encrypted) communication protocols as a standard method even in open wireless networks.

Interesting point of view!

Selected security articles from Norman about issues with wireless networks