Spyware Sucks

What's that about Firefox being immune to malware?

A tale of woe:
http://www.vividreflection.com/blogEntry.php?id=16

A few observations:

"they were asking for too many personal details to download a free trial so I decided to see if there were any copies floating around on the file-sharing networks. This was a big mistake!" - I think this is where I should say "serve you bloody right for going down the warez path" but I'm too nice to say that ;o)

" it wasn’t long before I soon discovered that I couldn’t cut or copy stuff from Firefox." - ok... keep this in mind for later...

"I tried a lot of things, ran dozens of leading spyware destroyers and it still didn’t fix it." - reference my opening paragraph here.  Oh, and by the way, what *were* these "dozens" of "leading spyware destroyers".  I don't think there are "dozens" of legitimate "leading" spyware destroyers out there.  Sooner or later you have to get in there and get your fingernails dirty.  Automated products simply can't cut it with the latest and greatest malware.

"If anything, Firefox was the only browser that flagged up any problems and I doubt I would have worked it out otherwise…"  Um, ok, I must be missing something here.. how the heck did Firefox help him work things out? The guy spent weeks labouring under the misapprehension that he was dealing with a bug for chrissakes. 

Side note:  I find it an amazing irony that the guy would have spotted there was a definitive malware problem sooner if he was *not* running Norton Internet Security, which was so kind as to mask his problems for weeks.

Ok, so what have we learned here? 

First, STAY AWAY FROM FILE SHARING NETWORKS.  They are a primary source of malware infection.  If you're unwilling to share "personal information" for that free software then go without.  Quid pro quo. 

Second, running Firefox will not protect you if you do dumb things. 

Third, Norton Internet Security will not protect you if you do dumb things - hell, I don't think *any* software out there will give us complete protection if we do dumb things.

Buh bye Mini-Microsoft...

http://minimsft.blogspot.com/2006/05/all-good-things.html

"If doing something hurts, stop it. Same goes for something that's not fun. And, you know, currently, this oddly enough isn't fun. Thrilling certainly. Wildly educational, thanks to the comments coming in, absolutely. But not fun. There are other things going on in the world that I'm missing out on, and they are beginning to take a higher priority. For me."

Y'know, I've considered working for MS a few times - have even had a couple of interviews - but then a guy that I've known for years experienced a shock when his job of many years standing at MS was outsourced with little warning, I watched another friend working himself into the ground to meet various crazily unrealistic deadlines (I still worry about him) and another whose position "didn't work out".  I have another friend who is considering working for MS and I've had to really bite my tongue and sit on my hands to stop myself from projecting any negativity/concern as my friend moves in that direction - after all, although I know some people who are not happy at MS, I also know some who are happy, and who knows... maybe my friend will be happy there and he will be the one with a strong enough cattle prod to rouse the Behometh.  After all, we MVPs have been able to do so at times ;o)

I'll miss Mini (aka Who da'Punk)'s insights into employment life at MS (and the views of those who post comments in his blog).  Did he frighten people away from working for MS?  That is quite possible.  Did he do good?  I honestly don't know - it may be unrealistic for those on the blog to give him credit for the demise of the trended 3.0's and the return of the towels, or it may not be.  Only the upper echelon of the powers that be at MS know the answer to that question.

Of course, I may be way off the mark calling Mini a "he"... I just hope he/she never reveals his/her name .. let him/her remain anonymous ;o)  And before you ask, I don't believe that Mini is Bill Gates, or anyone else in the upper echelon for that matter (the head honchos, I hope, understand the difference between "breaks" and "brakes") {ducking and running for cover}

Now, if only I could work out how to turn off that flashing red 'message waiting' light on my new desk phone.. as far as I know, this new phone doesn't even *have* an answering machine built in.. there's no reference in the manual, and no buttons on the console - weird.

msmvps.com: All locally stored graphics lost.

Internet Explorer 7 in Windows Vista

Internet Explorer 7 has a slightly different name in Windows Vista - "Internet Explorer 7+"   There are extra features in Vista that will not be made available in XP, such as parental controls and protected mode, therefore it makes sense to differentiate between the two versions.

When is an exploit not an exploit?

When it has already been patched... take the brou haha triggered by Symantec's "alert" to its subscribers about an alleged unpatched vulnerability in Windows 2000's file sharing protocol.

Scary words were used by various parties who picked up on the alert, and ran with it, including "unpatched vulnerability"... "zero day bug"... "Immunity will make the exploit public in June"...

"By Immunity" said "the exploit leverages a flaw in the operating system's kernel that can be triggered through SMB, and will give an attacker full access to the PC"
(cite: http://www.informationweek.com/news/showArticle.jhtml?articleID=188500259)
(cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=33055)

"Symantec said "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," and "An official security update from Microsoft will likely not be in development until after June when the information is released.""
(cite: http://www.informationweek.com/news/showArticle.jhtml?articleID=188500259)
(cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=33055)

But then.... Microsoft said:

"We just want to let everyone know that we've investigated this claim and found the vulnerability being discussed is fixed by MS05-011, a security update released almost 16 months ago. We contacted our partners on this and made sure they understood this is not new. What *is* new is that someone reportedly has found a different way to exploit the vulnerability. But if you have the update, you're protected."
(cite: http://blogs.technet.com/msrc/archive/2006/05/25/430278.aspx)

Oops....

Fix for Outlook Express users

Update for Outlook Express 6.0 on Microsoft Windows XP (KB918651)
http://www.microsoft.com/downloads/details.aspx?familyid=86b68a78-f325-4a95-98c2-98af2256ccc3&displaylang=en

This update does two things:

1) A backup of your DBX database is made before compation of the database occurs, just in case something goes wrong.  The backup DBX will be moved to the Recycle Bin once compation completes successfully.  Also, if compaction is dome manually via File, Folder, the compaction counter will reset.

2) It gives us back the ability to save and use emails as templates.

Qantas and Windows CE ... who would have thought...

I simply cannot resist sharing this little gem.  Qantas International has an "on demand" entertainment system which is, apparently, newly installed on the particular aircraft from within which I was writing this blog post.  Sadly, the entertainment system was experiencing problems, so the pilot had to reboot the system (Captain: "I ask all passengers not to press any controls for 20 minutes" - frazzled mother of disobedient toddler: "Don't touch those buttons.... I said don't touch those buttons... Its broken, don't touch those buttons")

So, guess what I see on the entertainment screen while the system is rebooting - Windows CE!!!

Who would have thought...

International Business Class Rocks... except for when there's a crying baby and disobedient toddler in the row behind you.. so much for getting some work done, and some sleep, in peace and quiet during the flight.  The overwhelming sound in the cabin as the plane was positioning for take-off and even the cabin crew were seated and buckled in, was: "Sit down and put on your seatbelt... sit down and put on your seatbelt.. sit down and put on your seatbelt"... (for chrissakes mother, PICK THE KID UP, PUT HIM IN HIS SEAT, BUCKLE HIM IN AND HAVE DONE WITH IT!!!)

Even as a Gold Status Frequent Flyer, it can be hard to get a points upgrade to Business Class but I got it this time (which is just as well, considering I have over 130,000 points to get rid of despite upgrading to business every time I fly).  Fantastic food - Chivas Regal all the way - a Qantas Skybed - power for my laptop - a very swish toiletries pack (despite the flight being only 5 hours).

While we're on the topic of international travel, I see in my latest CES Smartbrief email that regulators are considering lifting the ban on using cell phones in flight - I sure hope they don't. 

http://money.cnn.com/magazines/fortune/fortune_archive/2006/05/29/8378024/index.htm

Oh, and by the way, somebody's phone did turn on in the plane today... how do we know that?  When the Captain made an announcement over the intercom the whole plane could hear the too-familiar sound of mobile phone interference that we all know and hate - see, they're not telling porkies when they say that mobile phones can interfere with electrical equipment. 

I am *so* glad my CDMA phones don't generate that sort of interference.  I am so *not* looking forward to CDMA being phased out in preference to 3G in a few years time.

Travelling to Singapore...

I'm heading off to the aiport in a few minutes to travel to Singapore for a Windows Vista lab.  Hopefully I'll have some really cool stuff to blog about over the next few days.

I see the Office 2007 *public* beta is out as well (check out www.microsoft.com/office).  Office 2007 is *really* different but worth having a look at.

See you in Singapore.

Oy vey... these guys are getting TOO smart

http://www.viruslist.com/en/weblog?weblogid=187189654

BTW, a matrioshka is a Russian nesting doll.

MS Word Exploit - Administrator Rights - Oh my...

Some areas of the net are in a flap about the MS Word exploit that has been the focus of some publicity recently.  Some sites are even advising that we should consider dumping MS Word in preference to OpenOffice.

Come on guys.  We shouldn't even be thinking about fighting this thing by moving to a different programme.  Why?  Because it does not address a core problem.  The thing about this exploit is that it will only succeed if the user has administrator privileges.  We all know that we shouldn't be running our machines with administrator privileges, but all of us also have clients that absolutely insist that they must run as admin because a mission critical application will not run without it.

So, what can we do under such circumstances? How do we protect our clients from this exploit and other admin dependant exploits if they have a mission critical application that will not run without administrator privileges? 

Preferred option - reduce their rights anyway, and use RunAs - stick a shortcut on their desktop that grants only the mission critical application administrator privileges:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_runas.mspx?mfr=true

Your user still isn't happy?  They just don't like non-admin?  They're telling you its *their* machine and they want administrator rights?  Well, short of washing your hands of any responsibility and walking out the door never to return, there is another trick you can use.  What if you could let your stubborn client run as admin, but bump down particular applications to limited user rights *at the same time*?  Sound interesting?  Read on... :o)

Michael Howard has posted an article to the Security Developer Centre that is of especial interest to those who are faced with "I must be Admin" users who also wanted to be protected from the Word exploit:
http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp

You'll note that by using Software Restriction Policies you can stop a programme from running at all, or force it to run as a limited (basic) user.  If you want to really lock things down you can use Constrained or Untrusted. 

There is one very important limitation to this trick that we must be aware of.  Software Restriction Policies are path dependent.  That is, you must set a specific target path to the application for this to work.  If, for example, an executable is moved or copied to another directory, the restriction policy will fail.

IE7 and RSS - refresh all feeds

Do you want to refresh all your RSS feeds at the same time? Run the following command (thanks Jean-Marc, a French Windows/Shell User MVP, who discovered it) - I've tested it, and it works a treat - wish I'd known about it right from the start.

msfeedssync forcesync

MS Word Zero Day Exploit - its real but there's some misinformation out there...

I spend *far* too much time chasing after false positives in antivirus and antispyware applications, and too much time shouting down misinformation - do a search for the words "false positive" in this blog and you'll see what I mean.  (Note: please do NOT assume that just because Trend is highlighted so often in my blog that they are have more false positives than anybody else - they're don't - its just that I use it more than any other product.  In addition, I have developed an excellent working relationship with Trend over the years in the area of false positives and work closely with them to try and get such problems resolved as quickly as possible.  I find them to be very responsive.  Some members of the online community have come to realise that I can generally get quick action on Trend problems and therefore I am more likely to hear about Trend FPs than problems affecting other products.)

Ok, so now that I've made sure that Trend will still respect me in the morning ;o) let's have a look at the MS Word Zero Day exploit - it is real and has been given various names, including:

Backdoor.Ginwui and TrojanMdropper.H (Symantec)
BackDoor-CKB!cfaae1e6 (McAfee)

Y'know, I wish the antivirus companies would get their act into gear and start ensuring that there is some consistency when they give nasties names.

Now, so far I see no reason to panic.  The exploit that was reported and has some areas of the online community in a tizz seems to have been a limited, targeted attack - think low-level industrial espionage.  That's not to say that others, thanks to this publicity, won't try to do the same thing, but at the moment, incidents of use of the exploit are not running rampant.

Second, I'm seeing some potential misinformation about the symptoms of this infection - we'll lie blame at McAfee's door for this - the problematic knowledgebase article is here:
http://vil.mcafeesecurity.com/vil/content/v_139539.htm

The article states, in the "Symptoms" section:

"Presence of *one or more* of the following Windows Registry key(s):

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gui30svr
• HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\ {8ecc055d-047f-11d1-a537-0000f8753ed1}
• HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\ legacy_gui30svr\0000\driver = "{8ECC055D-047F-11D1-A537-0000F8753ED1}\0024"

The problem lies with the reporting of the (highlighted) second registry key as evidence of infection. 

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\ {8ecc055d-047f-11d1-a537-0000f8753ed1} seems to be a standard registry key appearing on every XP Pro machine that I have examined so far.

Now, the first key, referencing gui30svr is suspicious.  The third key, referencing Enum\Root\legacy_gui30svr is also suspicious.

If you have the first key, or the third key, I would have a closer look at your machine.  If you only have the 2nd key (highlighted in red) I would not be worried.

Apparently the problem with the McAfee article has been reported to the powers that be and, hopefully, will be changed soon.  In the interim, PLEASE do not go into a panic and reformat your PC or delete that key on the McAfee article's say-so.

Cool - I'm almost famous - quoted on InfoWorld :o)
http://weblog.infoworld.com/securityadviser/archives/2006/05/zero_day_msword.html

Why would somebody want to hack into my network?

That got your attention, didn't it...  :o)

Just yesterday I was having a discussionwith some powers that be about physical and network security.  Overall, they were dismissive of the need for such things - "there's nothing we have that hackers would want" and "nobody's going to be interested in our stuff - it'll put them to sleep".

My primary nightmare is that, one day, a disgruntled client will walk in and start attacking their servers with a baseball bat or axe or just take the whole damned box. Yet, whenever I voice my concerns about unlocked doors and unfettered access to servers I'm told that  "if we put a lock on the door we'll have to walk the long way around to get to the comms room".  Umm, guys, let's get your priorities right.

Ok, so let's imagine that somebody walks in to your office and walk out with that backup tape which contains your entire network.  Or they walk in and plug one of those tiny wireless access points into an unused network outlet in some quiet corner of your office.  I don't think your insurance company will be very sympathetic if the worst happens and your company gets sued.

Y'know, putting convenience before security is a real bad idea.  Thinking that there is nothing that the bad guys would want is worse.  What can we do to convince people to be cautious about their security *before* they're hit with a worst case scenario?

Here is a real world this-is-actually-happening example of what can go wrong if your computer or server is unprotected:
http://www.viruslist.com/en/weblog?weblogid=186949288

Guess who is going to be blamed for damage caused by the hostile Web site hosted on that "home PC located in Herndon, Virginia".  How much do you want to bet the *owner* of the "home PC" doesn't even realise that his machine is being used to attack people on the Internet.

Last week somebody set up an unsecured wireless network close to my home.  When I went on to a business site I was shocked to discover that their wireless access point was also unsecured (personally I think that company should have sued the IT providers that set up the servers and wireless network - security was a foreign concept - how can *any* reputable IT company walk in, make all users domain admin, plug in a wireless access point, leave it completely unsecured, and say that that was a job well done??  How can their staff be working on the servers, go to lunch or disappear whatever other reason, and leave the server screens unlocked??). 

*Anybody* could connect to those networks and download whatever they wanted **including illegal stuff**.  And here is something else that was really scary.  The business site being discussed is located in a building right next to a hotel run by a major international chain.  Guests in that hotel were able to detect and use the business's unsecured broadband connection.  Why pay a hotel to use their broadband when you can simply hook into that nice unsecured network right next door?  I shudder to think how many hundreds, or thousands, of business travellers with laptops that are wireless capable have stayed at that hotel over the past few years...

Do you want your computers to be used to host phishing sites or as a virus vector?  Do you really want to the bad guys to be using *your* internet account to download warez or kiddy p0*n?  Law enforcement is not going to believe you when you say it wasn't you if those downloads are traced to your hardware. 

A fellow MVP, Rocky Heckman, has put together a SOHO security video, in flash format, that is available here (scroll down if you are using IE7) that helps get the point across, discussing the risks that SOHO face, and what should be done to minimise risk.

Sanity prevails - Google complaints about IE7 rebuffed

Some may recall that Google complained to the European Commission about the IE7 Search Box.

I am pleased to report that the U.S. Department of Justice will not be pursuing Google's complaints, saying that the opinion of it and the other plaintiffs in the ongoing U.S. anti-trust case is that:

"Plaintiffs studied the new search feature in Internet Explorer 7 and discussed its implications with Microsoft months before it was included in the beta versions released to consumers. Internet Explorer 7 will include a new search box where users enter a query and then view the search results in the web browser using the selected search engine (e.g. Google, Yahoo, MSN Search, or a host of others). OEMs are allowed, under the Windows OPK, to set the default search engine when the machine is first sold to a user, and Internet Explorer 7 itself includes a relatively straightforward method for the user to select a different search engine from the initial system default. Recent news reports, however, have focused on the selection of the default search engine when a user upgrades an existing computer to Internet Explorer 7. Because Internet Explorer 6 does not contain such a prominent search engine box, in some cases the user or OEM may never have set a default search engine; in other cases, the OEM may have set the default search engine to Google, Yahoo, MSN Search, or another provider, or the user may have done so by installing one of the toolbars offered by these companies. In this upgrade situation, Internet Explorer 7 preserves the user's existing search engine default or else uses MSN Search if no default has been set. As Microsoft's implementation of the search feature respects users' and OEM's default choices and is easily changed, Plaintiffs have concluded their work on this matter."

Quote taken from:
JOINT STATUS REPORT ON MICROSOFT'S COMPLIANCE WITH THE FINAL JUDGMENTS

What was that about Firefox being safe?

http://isc.sans.org/diary.php?storyid=1327

Now, I'm sure that Rocky's 'Killer Coding Ninja Monkeys' could make something of this...

What is the mantra?  No Web browser is *safe*.  No operating system is *safe*.

What do you need to do?  You patch your system.  You practice safe hex.  You use a non-admin account.  You do NOT assume that just because you are using <operating system other than Windows> or <Web browser other than Internet Explorer> that you are somehow safe from the bad guys.  You are NOT SAFE!!!

Oh, and by the way, this cartoon is *way* too close to home for comfort.  My family reckons AJ is me dressed up to look human:
http://ars.userfriendly.org/cartoons/?id=20060511

Guys.. you have to read Rob's blog...

Go... now.. read it.. take something away from it.

Specifically, read:

http://scobleizer.wordpress.com/2006/05/08/bad-news-my-mom-is-in-hospital/ then
http://scobleizer.wordpress.com/2006/05/10/from-billings-mt/ then
http://scobleizer.wordpress.com/2006/05/10/bad-news-gets-worse/ then
http://scobleizer.wordpress.com/2006/05/11/balling-over-bowling/ 

Its so sad that Rob is going through this, but it is something we will *all* have to go through at some time or other.

I acknowlege that I am the *last* person that I and many others would consider worthy to advise on the creation and nurturing of close human relationships - but I'm aware of who and what I am - my strengths and my weaknesses - and I am reconciled to same - so let's put that aside... 

Please think about this - some of us have close connections with family, some of us have very loose/distant connections, and that is fine as long as we can survive the application of one important rule... if that family member or associate died tomorrow, would we be happy about our interactions with that person?  Would we have any regrets? It bears thinking about.

Hmm, somebody has a brand new wireless network...

And...it is unsecured <sigh>  You'd think that such products would come with warnings now.  Oh, yeah, they do, but you've got to **read the installation manual** to know to run the wizard.

When I started work at my current job I was shocked to discover our wireless access point was unsecured, AND the power and network cables were squashed in the cable cabinet door - an extremely shoddy installation.  I have no idea *why* the previous IT company did not bother to secure the access point, but you can bet *that* situation has been changed, and the physical installation environment is also much improved.

That is a very strong signal; I reckon the new network is right next door.

Robert Scoble.. sad news

IE7 crashes whenever I try to post a comment to Rob's blog, so I'll use the trusty trackback.. I know Rob will see it.

http://scobleizer.wordpress.com/2006/05/08/bad-news-my-mom-is-in-hospital/

All good thoughts and vibes are heading your way for you and your Mom...  I may have introduced you to quality single malt scotch whiskey, but you introduced me to car seats with bum-heaters built in (totally foreign to an Aussie).  I remember being introduced to your (then) very new love (now your wife), getting drunk with you and Mark Ferguson and  myriad other moments.  This hits way too close to home.

I'll be watching for you on IM.. don't hide my friend.

Sandi etc

The illusion of invulnerability (Linux)

There is an excellent, albeit short, article about security for Linux users that is worth a quick read:
http://www.viruslist.com/en/weblog?weblogid=186275723

I'll leave you to read the entire article, and will only highlight pertinent quotes here:

"Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux."  This is dangerous.  If you think you are safe, you are more likely to do dangerous things - to take risks.  I've always said that no browser is safe; nor is *any* operating system safe.

"The number of new malicious programs for an operating system isn’t related to the number of known security flaws, but to the number of installations." That's right, the bigger that target is on your butt, the more likely it is the bad guys are going to think you are worth going after. The really bad guys aren't bypassing Linux because its invulnerable, they're bypassing it because the number of users out there doesn't make it worth their while.

Also, don't be fooled into thinking that because its Linux, and its geeky, and you have to be 'smart' to use it, that writing malware targetting Linux will be beyond the means and ability of the bad guys that are out there now.  They *can* do it, and they *will* do it, as soon as they decide that the Linux user head-count is big enough.

"To access a system, a virus writer doesn’t need 300 vulnerabilities - one is enough."  Write that one down and stick it on the side of your monitor.

"... coming to the conclusion that your own system is practically invulnerable will make it easy for malware to spread on Linux systems in the future. ... when the day comes, will users and companies have enough time to choose and install a reliable virus scanner before their systems are hit?"  Enough said.

Oh, and while we're on the topic of Linux vulnerabilties:
http://blogs.technet.com/security/archive/2006/05/09/427849.aspx

This is the mantra:  No web browser is *safe*.  No operating system is *safe*. 

Symantec joins the phishing fight .. for a price

Symantec are patting themselves on the back again.  Their latest "Symantec Enterprise Security News Clip" has proudly announced that "Industry Leaders Back Symantec Phish Report Network"
(cite: http://www.symantec.com/about/news/release/article.jsp?prid=20060501_01)

So, let's have a look at Symantec's new service at http://www.phishreport.net/.  A nice, professional looking site - very pretty. 

"Senders" can submit URLs for free only after agreeing to the Data Provider Agreement which allows Symantec to, among other things, publicise your involvement in the service as a sender.

"Receivers" must sign an agreement as well, and pay Symantec $50,000 per annum for a "Network Maintenance Fee".

What the???? $50,000 per annum???

Let me tell you something; Castlecops already has a very effective service, called the "Phishing Incident Reporting and Termination (PIRT) Squad" aka Fried Phish

Anybody can submit URLs for free, and without having to sign an agreement:
http://castlecops.com/pirt

Wiki here: http://wiki.castlecops.com/PIRT

Unlike Symantec, CastleCops DO NOT CHARGE A FEE to share information gathered, and those being spoofed do not have to subscribe and sign an agreement to be given information about phishing that affects them and their customers.

I have been receiving email reports about phishing sites that are reported to PIRT since the service's inception and I can tell you that every single URL reported is blocked by Microsoft's Phishing Filter within hours.  Often they are blocked even if I check the URL within minutes of the email being received.

PIRT reports phishing sites to an average of 20 different parties per phish and including the company being targeted and the ISP hosting the site.

I fail to understand how a $50,000 per annum "network maintenance fee" can be justified for Symantec's "service".

I say stick with CastleCops.  They'll accept the same reports as Symantec, but unlike Symantec will pass the information on to *all affected parties* WITHOUT CHARGE and without expecting recipients to sign agreements.