Category Archives: security

Macro virus reborn: ACAD/Medre.A steals drawings using AutoCAD AutoLISP

Remember the Concept virus? Someone wondered if you could make a self-replicating virus with a Microsoft Word macro. It worked; and the proof of concept soon became a real virus causing the usual mayhem and spoiling our clever VBA templates.

Microsoft locked down Office macros fairly effectively; but the idea lived on and has re-emerged as an AutoCAD virus which runs automatically when a drawing is opened. It is not quite the same, as in AutoCAD the code has to be in an external .lsp file, but you can have code in the S::STARTUP function run when a document loads, as explained in the documentation here. The malware relies on the fact that when drawings are emailed, users often archive an entire folder rather than sending a single file. This is how the virus spreads.

Most of the actual malicious code is not in AutoLISP, but in the more familiar form of VBScript files to which the code calls out. The malware then emails AutoCAD drawings to addresses in China – a rather crude mechanism for stealing data, but apparently somewhat effective since on investigation the target mailboxes were found overflowing with messages.
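As an added example (not code from the article or from ESET’s analysis), here is a PowerShell scan a defender could run over a tree of drawing folders before archiving or after receiving one. It flags AutoLISP files that define S::STARTUP, the function the article says runs when a document loads, and files that reference VBScript, where the article says most of the malicious code lives. It also treats acad.lsp and acaddoc.lsp as higher-priority hits; that AutoCAD auto-loads those names from the folder a drawing is opened from is an assumption of this example, not something the article states.

```powershell
# Added example, not from the article or from ESET's analysis.
# Scans a folder tree for AutoLISP files that would run when a drawing is
# opened and that call out to VBScript, the pattern the article describes.
function Get-SuspiciousLisp {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Assumption: AutoCAD auto-loads these file names from the folder a drawing
    # is opened from, so an unexpected copy inside a zipped project is a red flag.
    $autoLoadNames  = @('acad.lsp', 'acaddoc.lsp')
    # A definition of S::STARTUP, which AutoCAD runs after the document loads.
    $startupPattern = '\(\s*defun(-q)?\s+S::STARTUP\b'
    # References to VBScript files or the Windows Script Host.
    $vbsPattern     = '\.vbs\b|\bwscript\b|\bcscript\b'

    Get-ChildItem -Path $Path -Recurse -File -Filter *.lsp -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }

            # Drop ; comments so commented-out code does not trigger a hit.
            $code = [regex]::Replace($text, ';[^\r\n]*', '')

            $definesStartup = [regex]::IsMatch($code, $startupPattern, 'IgnoreCase')
            $referencesVbs  = [regex]::IsMatch($code, $vbsPattern,     'IgnoreCase')
            $isAutoLoadName = $autoLoadNames -contains $_.Name

            if ($definesStartup -or $referencesVbs -or $isAutoLoadName) {
                [pscustomobject]@{
                    File           = $_.FullName
                    AutoLoadName   = $isAutoLoadName
                    DefinesStartup = $definesStartup
                    ReferencesVbs  = $referencesVbs
                    # Drawings in the same folder are what this file would travel with in an archive.
                    DwgAlongside   = @(Get-ChildItem -LiteralPath $_.DirectoryName -Filter *.dwg -File).Count
                    # 3 = auto-load name, S::STARTUP definition and VBScript reference all present.
                    Score          = [int]$isAutoLoadName + [int]$definesStartup + [int]$referencesVbs
                }
            }
        }
}

# Usage: highest-scoring files first. The path is a placeholder for the drawing root.
Get-SuspiciousLisp -Path 'D:\Projects\Drawings' | Sort-Object Score -Descending | Format-Table -AutoSize
```

A legitimate project may well ship its own .lsp files, so a hit is a prompt to read the file, not a verdict; a score of 3 sitting next to .dwg files is the combination the article describes.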

The threat is serious though. Much intellectual property and many future product plans are contained in AutoCAD drawings.

Security vendor ESET’s white paper [PDF] describes the attack in detail.

According to ESET, the combined efforts of Autodesk, Chinese ISP Tencent, and the Chinese National Computer Virus Emergency Response Center have contained the virus for now. There is also a free clean-up utility here: http://download.eset.com/special/EACADMedreCleaner.exe.

The confusing state of Microsoft’s TMG and UAG firewall and proxy software

I have been trying out Microsoft’s ForeFront Unified Access Gateway (UAG) recently, partly because it is the only supported way to publish a SharePoint site for Windows Phone. This was my first go with the product, though I am already familiar with the Threat Management Gateway (TMG) and its predecessor Internet Security and Acceleration Server (ISA) – and before that Proxy Server, dubbed “Poxy Server” by admins frustrated with its limitations. All these products are related, and in the case of UAG and TMG, more closely than I realised.

Note that Microsoft has indicated that the current version of TMG, 2010, is the last. What is happening to UAG is less clear.

What I had not realised until now is that TMG installs as part of UAG, though you are not meant to use it other than for a few limited uses. It is mainly there to protect the UAG server. The product positioning seems to be this:

  • Use UAG for publishing applications such as SharePoint, Direct Access (access to Windows file shares over the internet) and Exchange. It is essentially a reverse proxy, a proxy for publishing and protecting server applications.
  • Use TMG for secure internet access for users on your network.

This means that if you want to use Microsoft’s platform for everything possible, you are expected to run both UAG and TMG. That is OK for enterprises but excessive for smaller organisations. It is odd, in that TMG is also a capable reverse proxy. TMG is also easier to use, though that says more about the intricate user interface of UAG than it does about the usability of TMG. Neither product can be described as user friendly.

The complexity of the product is likely to be one of the reasons TMG is now being discontinued. It is a shame, because it is a decent product. The way TMG and ISA are designed to work is that all users have to authenticate against the proxy before being allowed internet access. This gives administrators a high degree of control and visibility over which users access which sites using which protocol.

Unfortunately this kind of locked-down internet access is inconvenient, particularly when there are a variety of different types of device in use. In many cases admins have to enable SecureNAT, or in other words unauthenticated access, partly defeating the purpose, but there is little choice.

ISA Server used to be supplied as part of Small Business Server (SBS); but when I spoke to Microsoft about why it was dropped in SBS 2008, I was told that few used it. Businesses preferred a hardware solution, whether a cheap router modem from the likes of Netgear or Linksys, or a security appliance from a company like Sonicwall, Cisco or Juniper.

The hardware companies sell the idea that a hardware appliance is more secure, because it is not vulnerable to Windows or Linux malware. There is something in the argument, but note that all security appliances are more software than hardware, and that a Windows box will be patched more regularly. ISA’s security record was rather good.

My hunch is that ease of use was a bigger factor for small businesses. Getting ISA or TMG to do what you want can be even more challenging than working out the user interface of a typical hardware appliance, though perhaps not with the more complex high-end units.

As for UAG, I have abandoned the idea of testing it for the moment. One of the issues is that my test setup has only one external IP. UAG is too elaborate for a small network like mine. I am sticking with TMG.

Google and the UK Citizens Advice Bureau – an uncomfortable alliance

I picked up a Guardian newspaper today and could not miss the full-page Google+ advertisement. Or was it? The advertisement stated that it was from the Citizens Advice Bureau in partnership with Google. The Citizens Advice Bureau (CAB) is a well-respected (and genuinely useful) service which runs a network of offices in the UK where you can go for free advice for things like legal or financial problems. It is a charity funded partly by government grants.

What is it doing partnering with Google? Well, I presume it is because the theme is “how to be safer on the Internet” which is something that I am sure the CAB cares about. However, looking at the advertisement it would be easy to conclude that the CAB is somehow promoting Google+, the social networking site that Google hopes will rival Facebook. Intriguing.

The advertisement says:

To find out more about how to manage your information online, pick up a booklet from your local Citizens Advice Bureau or go to google.co.uk/goodtoknow

I wanted to see this booklet, so I looked into the Holborn CAB in London.


I have to say that the aforementioned booklet was not exactly strewn about. In fact, the woman on the desk wasn’t sure if they had any. She went and looked though, and came back with the web address. Perhaps I could go there? I said I was keen to see the booklet the CAB was handing out – did it exist? Eventually I was told that they did not have any, but that the head office in Pentonville Road might. So I went there.

The man at the desk was not sure, but went away for a moment, and came back with one in his hands.


Page one says this:

We have partnered with Citizens Advice to provide tips and advice. You can get free, confidential and impartial help about everything from finances to staying safe online from your local bureau in person, on the phone or online. For in depth information on all of the topics in this booklet and more, visit the Good to Know website.


I think this is a PR triumph for Google, but I reckon the CAB has been sold a pup. It is not that I have anything against Google; but I would go to Google for impartial advice about staying safe online in the same way that I would go to a ferry company for impartial advice on cheap flights.

There is little sign of impartiality in the booklet. Personally I would say that a booklet on “how to manage the information you share online” that does not mention Facebook is in chocolate teapot territory. This booklet achieves this though; in fact the only web site mentioned is … Google.

“Keep your Google Account extra safe,” it says. But how about not having a Google account? No account, no personal details to lose.

This is stealth advertising – except that I am not sure about the stealth.

A substantial portion of the booklet is devoted to explaining why Google having my data is really good for me. “How knowing you better makes your internet better,” it says.

There is no mention of the benefits of using an ad-blocker to avoid sending data to advertisers. Nor does it include advice on simply not putting data online at all, if it might embarrass you or compromise your safety.

The reason is that Google cannot possibly be impartial about managing online information. Google wants your data, as much of it as possible, in order to target advertising. It is as simple as that.

Which is why Google is an uncomfortable partner for the CAB. I think the CAB could do with some impartial advice.

Parallels Desktop 6 for Mac: nice work but beware Windows security settings

I’ve just set up Parallels Desktop 6 on a Mac, in preparation for some development work. Installed Parallels, created a new virtual machine, and selected a Windows 7 Professional with SP1 CD image downloaded from Microsoft’s excellent MSDN subscription service.

The way this works is that you install the Parallels application and then create a new virtual machine, selecting a boot CD or image. Next, you have a dialog where you select whether or not you want an Express installation. It is checked by default. I left it checked and proceeded with the install.


The setup was delightfully smooth and I was soon running Windows on the Mac. I chose a “Like my PC” install so that Windows runs in a window. The alternative is to hide the virtual Windows desktop and simply to show Windows applications on the Mac desktop.

Everything seemed fine, but I was puzzled. Why was Windows not installing any updates? It turns out that the Express install disables this setting.


It also sets user account control to an insecure setting, where the approval dialog does not use the secure desktop.


The Parallels Express install also sets up an Administrator account with a blank password, so you log on automatically.

No anti-virus is installed, which is not surprising since Windows does not come with anti-virus software by default.

These choices make a remarkable difference to the user experience. Setup was a pleasure and I could get to work straight away, untroubled by prompts, updates or warnings.

Unfortunately Windows in this state is insecure, and I am surprised that Parallels sets this as the default. Disabling automatic updates is particularly dangerous, leaving users at the mercy of any security issues that have been discovered since the install CD was built.

In mitigation, the Parallels user guide advises that you set a password after installation – but who reads user guides?

If you uncheck the Express Install option, you get a normal Windows installation with Microsoft’s defaults.

These security settings are unlikely to matter if you do not connect your Windows virtual machine to the internet, or if you never use a web browser or other Internet-connected software such as email clients. If you do real work in Windows though, which might well include Windows Outlook since the Mac version is poor in comparison, then I suggest changing the settings so that Windows updates properly, as well as installing anti-virus software such as the free Security Essentials.
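As an added example (not from the article or from Parallels), here is a PowerShell audit to run inside the Windows 7 guest after an Express install. It checks the settings the article says are changed: Automatic Updates, the UAC secure desktop, automatic logon and anti-virus registration. The registry locations are the standard Windows ones; the article names the settings but not the keys. A blank Administrator password cannot be read back from the registry, so the check looks for the automatic logon that the blank password enables.

```powershell
# Added example, not from the article or from Parallels. Run in an elevated
# PowerShell inside the Windows guest; each result is a pass/fail line.
function Test-GuestSecurityBaseline {
    $findings = @()

    # 1. Automatic Updates. In the Control Panel key, AUOptions 4 means
    #    "install updates automatically"; NoAutoUpdate 1 in the policy key
    #    disables Automatic Updates outright regardless of AUOptions.
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $autoUpdateOk = ($pol.NoAutoUpdate -ne 1) -and ($au.AUOptions -eq 4)
    $findings += [pscustomobject]@{ Check = 'Automatic Updates set to install automatically (AUOptions=4)'; Pass = $autoUpdateOk }

    # 2. UAC is on (EnableLUA=1) and the approval dialog runs on the secure
    #    desktop (PromptOnSecureDesktop=1), the setting the Express install relaxes.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $findings += [pscustomobject]@{ Check = 'UAC enabled (EnableLUA=1)'; Pass = ($uac.EnableLUA -eq 1) }
    $findings += [pscustomobject]@{ Check = 'UAC prompt on secure desktop (PromptOnSecureDesktop=1)'; Pass = ($uac.PromptOnSecureDesktop -eq 1) }

    # 3. No automatic logon. AutoAdminLogon "1" in Winlogon is what logs the
    #    Administrator account straight in without a password prompt.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings += [pscustomobject]@{ Check = 'Automatic logon disabled (AutoAdminLogon<>1)'; Pass = ($wl.AutoAdminLogon -ne '1') }

    # 4. An anti-virus product has registered with Windows Security Center.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Check = 'Anti-virus product registered with Security Center'; Pass = [bool]$av }

    $findings
}

Test-GuestSecurityBaseline | Format-Table -AutoSize
```

A guest built with Express Install unchecked should pass every line except the anti-virus check until Security Essentials or another product is installed.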

IE9 ActiveX Filtering causing tears of frustration

I have been assisting a friend who, she told me, could not get BBC iPlayer to work. Further, another site was telling her she did not have ActiveX, but she was sure she had it.

This was puzzling me. She described how she went to the BBC iPlayer site, and it said she needed to install Flash.


She clicked the link and got to Adobe’s download site. She clicked Download now and got a page describing four steps to install, but nothing happened, no download.

She clicked Adobe’s troubleshooting guide, which took her through uninstalling Flash Player and then a manual download. All seemed to work but at the end of it, it was the same. Go to the BBC site, and be told to install Flash Player.

You can understand how computers, at times, can seem downright hostile to the long-suffering user.

What was the problem? I logged on with remote assistance. Somehow, IE9 had ActiveX Filtering enabled.


This is actually a great security feature. With filtering enabled, ActiveX is disabled on all sites by default, and a little blue circle symbol appears at top right.


Click this symbol and you can turn off filtering for this site only.


Yes, great feature, once you are aware of it – but too subtle to be noticed by the average user browsing the web. From the user’s perspective, no amount of uninstalling and reinstalling of Flash Player would fix it, and the PC was about to be flung across the room in frustration.

The other problem is that the feature is too new and too little used to feature in most of the troubleshooting guides out there. It is not mentioned in Adobe’s page on troubleshooting Flash on Windows and in IE, for example.

How the setting got enabled in the first place is a mystery. Maybe a mis-click. It is unchecked by default, and you can see why.

Conclusions? I guess it shows that security without usability is ineffective; and that minimalist user interfaces can work against you if they in effect hide important information from the user.

Incidentally, this is why I dislike the Windows 7 feature that hides notification icons by default. It is user-hostile and I advise disabling it by ticking Always show all icons and notifications on the taskbar.

It may be more secure, but I would not consider enabling ActiveX Filtering for non-technical users.

This is why people ignore security warnings: IE9 blocks official Microsoft update

Microsoft has released a Web Standards Update for Visual Studio 2010, with new HTML5, CSS3 and JavaScript support.

I look forward to trying it; but Internet Explorer 9’s SmartScreen Filter was not keen.


What you cannot see from the screenshot is that the option to “Run anyway” is hidden by default. You have to click More Options; otherwise you just get the first two options, Don’t run, or Delete.

Note that this download is from an official Microsoft site, and has been downloaded, according to the stats on the page, nearly 6,500 times.

Developers can cope; but I think this sort of warning is extreme for a download from an official Microsoft site, whose main crime is being unknown, for some reason, to the SmartScreen database of approved executables.

Though maybe the Visual Studio team should have signed the installer.

The long term effect is that we learn to ignore the warnings. Which is a shame, because the next one might be real.

Update: How do other browsers handle this scenario? Google Chrome shows a warning. Mozilla Firefox gives a prompt, not a warning, and Apple Safari does the same.

Which is best? Well, IE9 wins kudos for being the only browser to point out that the package is unsigned; but loses it for its over-the-top reaction. Chrome has pitched the level of warning about right; Firefox and Safari are perhaps too soft, though let’s also allow for the fact that their filters may already have worked out that thousands had already downloaded this file without known incident so far.

The IE9 issue is mainly because the installer package is unsigned, which is probably an oversight that will be fixed soon.

Cloud is identity management says Kim Cameron, now ex-Microsoft

Kim Cameron, formerly chief identity architect at Microsoft, has confirmed that he has left the company.

In an interview at the European Identity Conference in Munich he discusses the state of play in identity management, but does not explain what interests me most: why he left. He was respected across the industry and to my mind was a tremendous asset to Microsoft; his presence went a long way to undoing the damage of Hailstorm, an abandoned project from 2001 which sought to place Microsoft at the centre of digital life and failed largely because of industry mistrust. He formulated laws of identity which express good identity practice, things like minimal disclosure, justifiable parties, and user control and consent.

Identity is a complex and to most people an unexciting topic; yet it has never been more important. It is a central issue around Google’s recently announced Chromebook, for example; yet we tend to be distracted by other issues, like hardware features or software quality, and to miss the identity implications. Vendors are careful never to spell these out, so we need individuals like Cameron who get it.

“Cloud is identity management,” he says in the interview.

Cameron stands by his laws of identity, which he says are still “essentially correct”. However, events like the recent Sony data loss show how little the wider industry respects them.

So what happened at Microsoft? Although he puts a brave face on it, I am sure he must have been disappointed by the failure of CardSpace, a user interface and infrastructure for identity management that was recently abandoned. It was not successful, he says, because “it was not adopted by the large players,” but what he does not say is that Microsoft itself could have done much more to support it.

That may have been a point of tension; or maybe there were other disagreements. Cameron does not talk down his former company though. “There are a lot of people there who share the ideas that I was expressing, and my hope is that those ideas will continue to be put in practice,” he says, though the carefully chosen words leave space for the possibility that another well-represented internal group do not share them. He adds though that products like SharePoint do have his ideas about claims-based identity management baked into them.

Leaving aside Microsoft, Cameron makes what seems to me an important point about advocacy. “We’re at the beginning of a tremendously complex and deep technological change,” he says, and is worried by the fact that with vendors chasing immediate advantage there may be “no advocates for user-centric, user in control experience.”

Fortunately for us, Cameron is not bowing out altogether. “How can I stop? It is so interesting,” he says.

Sony PlayStation network hacked, some disclosure, questions remain

Sony has posted information about the “illegal intrusion on our systems” that has caused the PlayStation Network (PSN) to be closed temporarily. PSN is necessary for playing online games and downloading music and videos.

Sony has disclosed that:

Between April 17 and April 19, 2011, an attacker gained access to “user account information”

The information includes:

name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

The information might include:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained

The remainder of the information is mainly generic advice on fraud prevention. Many comments to the blog post make the reasonable point: why were they not informed earlier?

How many users are on PSN? The number 75 million is widely reported. In January Sony claimed over 69 million PSN members.

It is easy to say that Sony should have operated a more secure system. Making a judgment on that is hard because there is a lot we do not know. Was this information encrypted? Sony says passwords were stolen, which may mean they were unencrypted though that is hard to believe; or that they were encrypted but likely to be easily decrypted, which is perhaps more likely. On the other hand the fact that encryption is not mentioned in the post tends to suggest that none of this information was encrypted.

The scale of the incident makes it remarkable but the fact of network intrusions and personal data being stolen is not surprising, and likely much more of this happens than is reported.

The state of internet security overall remains poor and what we see constantly is that security best practices are ignored. Convenience and the desire of marketers to grab as much personal data as possible constantly trumps security.

Here is Kim Cameron, Microsoft’s identity architect, writing in 2005:

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

Cameron’s thoughtful and excellent “laws of identity” lack take-up within Microsoft as well as elsewhere; the CardSpace system that was built to support them was scrapped.

An example of the low priority of security around the web is the prevalence of “password security answers” as Sony describes them. This is additional information that allows you to recover an account if the password is forgotten, especially if the email address associated with the account is no longer in use. Contrary to the impression given by the forms that require the information, these questions and answers reduce your security in order to ease the burden on support. They break Cameron’s laws of identity by providing the third party with information that it does not need, such as mother’s maiden name, though of course you can provide fictional answers and in fact I recommend this.

Personally I am also one of those people who never tick the “save credit card details” box. I am happy to enter them every time, rather than hand them over to a system of unknown security. Some sites do not let you make purchases without saving credit card details; as I recall, Amazon is one of them, and Apple another. This means the consequences of security breaches at these companies are greater, though I imagine they also make more sales since the friction of the purchasing process is reduced.

I am not optimistic that internet security will improve in the near future, though I guess that major breaches like this one are a force for reform.

Update: In a new post Sony says that credit card data was encrypted but personal data was not. I am surprised if this included passwords; but the IT world is full of surprises.

How an RTF file can install a virus when opened

There is an analysis by Rob Rachwald over on the Imperva Data Security Blog of how an RTF document can carry a virus, in this case a trojan executable. RTF (Rich Text Format) is generally considered safer than the Microsoft Office .DOC format since it cannot include macros; but the vulnerability in this case is in the software that parses the RTF when it is opened in Microsoft Office on Windows or Mac – though in this case the actual payload is Windows-only so would not normally affect Mac users.

Unfortunately this code may run when previewing a document in Outlook, which normally embeds Word, so it is potentially rather damaging.

Rachwald traces how the embedded trojan evades anti-virus, installs itself into the Windows system32 folder, and creates a remote shell application.

It does appear that the vulnerability was patched in November 2010. Still, it is interesting that the insecure code survived in Microsoft Office at least back to Office XP Service Pack 3 in 2004 and probably earlier.

I mention it partly because the analysis is a good read, and partly to highlight the fact that even RTF documents may not be safe.

Microsoft’s BPOS password madness driving users to Google Apps

A friend uses Microsoft’s Exchange Online service for his small company. All was going well until one day he found himself locked out of his email. He had no idea why.

The reason, it turned out, was the password policy set by Microsoft and outlined here:

To help maintain security, you must periodically change your password. When you change your password, be aware of the following:

  • You cannot repeat your previous 24 passwords.
  • You must change your password at least once every 90 days.

In addition:

Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.

In this case, Microsoft’s PC sign-in applications prompted the user to change his password. He did so. All seemed well, except that his mobile – in which email settings are deeply buried – did not know about the password change and made repeated attempts to collect email. Result: lock-out, and a horrible user experience.

According to this thread, Microsoft has been so besieged with requests to remove the expiration policy that it solved them at a stroke: by refusing them all.

I find this curious. First, it is doubtful whether frequent password changes really enhance security. Users in this case need new non-repeating passwords every 90 days, which means they are more likely to be written down. Remember, you cannot repeat your previous 24 passwords.

Second, it is odd that BPOS admins do not have the ability to disable password expiration policies in their online management tools.

It may seem a small issue, but for some it is a deal-breaker:

At this moment it is not possible to disable password expiration at all. I opened a ticket and technical support told me multiple times they won’t offer that option anymore… It’s disappointing since I lose customers who choose Google Apps over Microsoft Online just because of the password issue.

Apparently this may be fixed in the forthcoming Office 365.