Category Archives: security

Search for virus help highlights lack of authority in Google, Wikipedia

A contact suffered a trojan infection on his Windows XP machine the other day. He was alerted to the infection by Windows Defender, but the Remove or Quarantine actions offered by Defender did not work. If he removed the trojan, it reappeared on the next reboot. The installed AVG security suite sat there unconcerned.

I am not sure exactly what path he took, but he did some clicking of links and ended up at a site which offered software that promised to fix the issue. The software was called SpyHunter, from Enigma Software. He purchased and installed SpyHunter, which proved no more effective than Defender. At this point he asked me to look at his machine.

A person who has discovered a virus on their PC will be anxious about the attack and its unknown consequences, and will want to fix it urgently. That makes them vulnerable to ill-considered downloads and purchases; and searching the web for assistance with a virus can be like trying to cure alcoholism with drinking. That said, there is good advice to be had; but assessing the authority and reliability of the assistance offered is critical.

My advice in general is only to visit sites that you know to be trusted, such as official Microsoft support, major security software vendors, and only those community sites with which you are already familiar. It is difficult advice to follow though, particularly for non-technical users.

The best course of action after a confirmed infection is to flatten and rebuild the operating system. Larger organizations do this efficiently by restoring a pre-configured image to standardised hardware, but this too is difficult for individuals and SMEs who want to get on with their work.

I digress. My first question: was SpyHunter bona fide, or could it have made the problem worse? The only quick way to find out: back to the search engines, source of all good and all evil. The top entries for SpyHunter on both Google and Bing are the official company site and a Wikipedia entry. Bing has Wikipedia first, while Google puts the company site top.

Note the large role Google (or your favourite search engine) is playing here, both in leading users to possible solutions, and in assessing their value. Although the high placement of the company site is somewhat reassuring, in that Google would probably try not to give a high ranking to known malware, it would be a mistake to rely entirely on a detail like this. Google makes no guarantees concerning the content of the sites it indexes.

Naturally I was more interested in the Wikipedia entry. The entry is annotated with warnings that the article is near-orphaned (though the search engines find it readily enough) and that it reads like an advertisement. There is little detail and it is out-of-date. Further, the language seems strange:

In early 2004, SpyHunter was blamed for producing false positives and using aggressive advertising techniques. This resulted in a lot of bad SpyHunter reviews published. Some of them were harsh, but fair, while others were simply ridiculous. We confirm that SpyHunter was promoted aggressively by some affiliates, but all of them were eventually banned by program makers in late 2004. Early SpyHunter versions had some obvious drawbacks. The product’s version 2.0 resolved all these issues.

This is a quote from a supposedly independent review on a site called 2-software.com. I don’t like the site, which seems (as so many are) to be dominated by its affiliate links.

SpyHunter is probably harmless, though ineffective. I used the Sophos command-line tool to remove the trojan, and deleted some rogue registry entries; the machine seems OK now though that might just mean that the other trojans are doing a better job of hiding. I also removed SpyHunter of course.

The state of security on the Internet remains lamentable, and security software is a partial solution at best. What interests me here though is the combination of two things:

1. The inadequacy of Wikipedia as an authoritative source, particularly in its less trafficked topics.

2. The high ranking accorded to seemingly any Wikipedia article by the leading search engines.

It is a dangerous combination – not only for virus victims, but for kids doing homework, or anyone researching anything.

Windows 7: why you should keep User Account Control at the highest level

Windows 7 makes it easy to adjust the settings for User Account Control, the system protection feature introduced in Vista. You can access User Account Control Settings from Control Panel, whereupon you see a slider with four settings:

1. Always Notify

2. Notify me only when programs try to make changes to my computer – don’t notify me when I make changes to Windows settings

3. Same as (2) but without the dimmed desktop

4. Never notify

The default is (2). This means Windows 7 is not too annoying, but 3rd party applications still have to prompt in order to do things like writing to a location in Program Files.

Sounds good? Not really. Leo Davidson has an extensive write-up; but all you need to know is actually in the online help for option 2:

It is usually safe to allow changes to be made to Windows settings without you being notified. However, certain programs that come with Windows can have commands or data passed to them, and malicious software can take advantage of this by using these programs to install files or change settings on your computer.

The problem lies in what Microsoft means by “make changes to Windows settings”. In reality, this is just a whitelist of applications which get elevated permissions automatically, and as online help hints, these are “certain programs that come with Windows.” Davidson observes that it is possible for malware to inject data into one of these processes and have it do whatever the malware wants without a prompt.

Microsoft’s point is that malware shouldn’t be running on your PC in the first place. Very true; but the simple slider control is less than honest about the implications of the default option.

The solution is to move the slider to the highest level. I am sure this should be the default. Microsoft: even at this stage it is not too late to change it. Let the user relax the security if they want; though this stuff about “Windows settings” should be replaced with something which better describes what the option means.

I am not all that worked up about this. UAC will still be achieving its main goal, which is to make 3rd party developers follow the rules more often – though it is still possible for developers to subvert this. And even when fully enabled, UAC is nothing like a complete security solution.

Still, bearing in mind that Microsoft is unlikely to change the default, I’d suggest that users move the slider to the highest setting. It is not painful at all, and at least gives you the same level of protection as Vista.

Microsoft disabling USB AutoRun in Windows 7 RC

It’s so easy. Install your virus or worm on a USB memory stick, set it to run automatically via AutoRun. An obvious security risk, and I’m surprised that Microsoft hasn’t already disabled the feature by default in a security update or service pack for XP or Vista.

The company is finally paying attention:

AutoRun entries on non-optical removable storage devices have been disabled to ensure that you are able to make a considered decision before running software from removable media such as USB drives. Worms sometimes attempt to use AutoRun as a vehicle to install malicious software onto your computer. CDs and DVDs, which are not subject to worm injection after manufacturing, will continue to expose the AutoRun choice to enable you to launch the specified software.

says the press release for Windows 7 RC. Personally I think it should apply the same logic at least to writable CDs and DVDs. I’ve disabled AutoRun on my PCs and don’t miss it. I agree though that USB sticks are the biggest risk today – though a little bit of social engineering will probably persuade many users to run a setup file on a USB stick anyway.

Kaspersky site hacked through SQL injection

There are millions of sites out there vulnerable to SQL injection; apparently one of them (at least until yesterday) was that of the security software vendor kaspersky.com. A hacker codenamed unu posted details – not all the details, but enough to show that the vulnerability was real. The hack exposed username tables and possibly personal details. Reddit has a discussion of the programming issues. According to the Reg, Kaspersky had been warned but took no action:

"I have sent emails to info@kaspersky.com, forum@kaspersky.com, and webmaster@kaspersky.com warning Kasperky [sic] about the problem but I didn’t get any response," Unu, the hacker, said in an email. "After some time, still having no response from Kaspersky, I have published the article on hackersblog.org regarding the vulnerability."

The trouble with those kinds of email addresses is that they are unlikely to get to the right people. It’s still disappointing; and also disappointing that there is currently no mention of the issue (that I can see) on Kaspersky’s site. The company’s response to the security hole is as important as the vulnerability itself. When WordPress was hacked, founder Matt Mullenweg was everywhere responding to comments – on this blog, for example. I liked that a lot.
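The programming issue behind this kind of hack, shown as an added example (not code from the Kaspersky site or from the discussion linked above): the same username lookup written by pasting the input into the SQL text, beside the parameterised form that fixes it. The table contents are constructed.

```python
import sqlite3

# Constructed sample table: usernames and the hash strings are made up.
SAMPLE_USERS = [
    ("alice", "hash-for-alice"),
    ("bob", "hash-for-bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: the caller's input becomes part of the SQL text,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, username):
    """Bound parameter: the driver hands the input to the engine as a value,
    never as SQL, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # not any user's name; contains a quote character
    print(lookup_vulnerable(db, probe))      # ['alice', 'bob']: every row leaks
    print(lookup_parameterised(db, probe))   # []: no user has that name
```

The first lookup is what makes a username table readable to anyone who can type into a form field; the second is a one-line change that any database driver supports.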

Windows security and the UAC debate: Microsoft misses the point

Poor old Microsoft. When User Account Control was introduced in Windows Vista the crowd said it was too intrusive, broke applications, and not really more secure – partly because of the “OK” twitch reflex users may suffer from. In Windows 7 UAC is toned-down by default, and easy to control via an easy-to-find slider. Now the crowd is saying that Microsoft has gone too far, making Windows 7 less secure than Vista. The catalyst for this new wave of protest was Long Zheng’s observation that with the new default setting a malicious script could actually turn off UAC completely without raising a prompt.

Microsoft’s Jon DeVaan responds with a lengthy piece that somewhat misses the point. Zheng argues that Microsoft should make the UAC setting a special one that would:

force a UAC prompt in Secure Desktop mode whenever UAC is changed, regardless of its current state

DeVaan doesn’t respond directly to this suggestion which seems a minor change that would barely impact usability.

DeVaan also says:

There has been no report of a way for malware to make it onto a PC without consent. All of the feedback so far concerns the behavior of UAC once malware has found its way onto the PC and is running.

It’s an important point; though I wonder how DeVaan has missed the problems with autorun that can pretty much install malware without consent.

I am not one of those journalists whom Zheng lambasts:

This is dedicated to every ignorant “tech journalist” who cried wolf about UAC in Windows Vista.

Rather, I’ve been an advocate for UAC since pre-release days; see for example my post If Microsoft doesn’t use UAC, why should anyone else? which I later discovered upset some folk. One reason is that I see its real intent, best articulated by Mark Russinovich, who writes:

UAC’s various changes and technologies will result in a major shift in the Windows usage model. With Windows Vista, Windows users can for the first time perform most daily tasks and run most software using standard user rights, and many corporations can now deploy standard user accounts.

and Microsoft’s Crispin Cowan:

Making it possible for everyone to run as Standard User is the real long term security value

In other words, UAC is a transitional tool, which aims to bring Windows closer to the Unix model where users do not normally run with local admin rights and data is cleanly separated from executables.

The real breakthrough will come when Microsoft configures Windows so that by default non-expert home and SME users end up running as standard users. Experts and system admins can make their own decisions.

In the meantime, I don’t see any harm in implementing the change Zheng is asking for, and I’d like to see Microsoft fix the autoplay problem; I believe users now understand that there is a trade-off between security and convenience, though they become irritated when they get the inconvenience without the security.

Update: Microsoft now says it will fix Windows 7 so that the UAC settings are better protected.

Gears of War certificate expiry a reminder to developers: always timestamp signed code

Users of the PC version of Gears of War have been unable to run the game since yesterday (29th January 2009). If they try, they get a message:

You cannot run the game with modified executable code

Joe Graf from Epic has acknowledged the problem:

We have been notified of the issue and are working with Microsoft to get it resolved. Sorry for any problems related to this. I’ll post more once we have a resolution.

The workaround is to set back your system clock. An ugly solution. Of course, some users went through the agony of full Windows reinstalls in an effort to get playing again.

So what happened? This looks to me like a code-signing problem, not a DRM problem as such, though the motivation for it may have been to protect against piracy. Code signing is a technique for verifying both the publisher of an executable, and that it has not been tampered with. When you sign code, for example using the signwizard utility in the Windows SDK, you have to select a certificate with which to sign, and then you have an option to apply a timestamp. The wizard doesn’t mention it, but the consequences of not applying a timestamp are severe:

Microsoft Authenticode allows you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the browser validates the timestamp. The timestamping service is provided courtesy of VeriSign. If you use the timestamping service when signing code, a hash of your code is sent to VeriSign’s server to record a timestamp for your code. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code that was signed with a Certificate that was valid at the time the code was signed but which has subsequently expired … If you do not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.

Unfortunately, there is no timestamping for Netscape Object Signing and JavaSoft Certificates. Therefore you need to re-sign your code with a new certificate after the old certificate expires.

I don’t know if this is the exact reason for the problems with Gears of War, and I’m surprised that the game refuses to run, as opposed to issuing a warning, but this could be where the anti-piracy measures kick in. Epic’s programmers may have assumed that the only reason the certificate would be invalid is if the code had been modified.

I blogged about a similar problem in February 2006, when a Java certificate expired causing APC’s PowerChute software (a utility for an uninterruptible power supply) to fail. That one caused servers to run slow or refuse to boot.

As far as I know, there is no way of telling whether other not-yet-expired certificates are sitting on our PCs waiting to cause havoc one morning. If there are some examples, I hope it does not affect software running, say, Air Traffic Control systems or nuclear power stations.

If you are a Windows developer, the message is: always timestamp when signing your code.
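To make the consequence concrete, here is an added model (not Authenticode itself, and not Epic’s code) of the two checks a verifier performs: is the code unchanged, and was the certificate valid at the relevant time. With a timestamp the relevant time is the signing time; without one it is the current clock. The certificate dates, the code bytes and the publisher name are constructed; real Authenticode verification also checks the certificate chain, revocation and the timestamp authority’s own signature.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass
class SignedCode:
    code: bytes
    code_hash: str                 # digest of the code as it was when signed
    cert: Certificate
    signed_at: Optional[datetime]  # trusted timestamp, or None if the signer skipped it


def sign(code: bytes, cert: Certificate, signing_time: datetime, timestamp: bool) -> SignedCode:
    """Model of signing: bind the code digest to the certificate and, optionally,
    record a trusted timestamp of when the signature was made."""
    return SignedCode(code, hashlib.sha256(code).hexdigest(), cert,
                      signing_time if timestamp else None)


def verify(signed: SignedCode, now: datetime) -> str:
    """Return 'ok', 'modified' or 'certificate expired'.
    Tampering and expiry are deliberately distinct outcomes: a program that
    treats every failure as 'modified executable code' cannot tell them apart."""
    if hashlib.sha256(signed.code).hexdigest() != signed.code_hash:
        return "modified"
    # With a timestamp the certificate only needs to have been valid at signing
    # time; without one the verifier can only judge it against today's clock.
    check_time = signed.signed_at if signed.signed_at is not None else now
    if not (signed.cert.not_before <= check_time <= signed.cert.not_after):
        return "certificate expired"
    return "ok"


# Constructed dates: a certificate that lapses on 28 January 2009, the day before
# the failure described above. Epic's real certificate dates are not known here.
CERT = Certificate("Constructed Publisher", datetime(2006, 1, 29), datetime(2009, 1, 28))
CODE = b"game executable bytes (constructed)"
SIGNING_TIME = datetime(2008, 6, 1)
DAY_BEFORE = datetime(2009, 1, 28)
DAY_AFTER = datetime(2009, 1, 30)


def outcomes(now: datetime) -> dict:
    """Verify the same code, signed with and without a timestamp, plus a
    tampered copy, at the given clock time."""
    with_ts = sign(CODE, CERT, SIGNING_TIME, timestamp=True)
    without_ts = sign(CODE, CERT, SIGNING_TIME, timestamp=False)
    tampered = sign(CODE, CERT, SIGNING_TIME, timestamp=True)
    tampered.code = CODE + b"patched"   # changed after signing
    return {"timestamped": verify(with_ts, now),
            "untimestamped": verify(without_ts, now),
            "tampered": verify(tampered, now)}


if __name__ == "__main__":
    print(outcomes(DAY_BEFORE))  # all three signatures still judged on a valid certificate
    print(outcomes(DAY_AFTER))   # only the untimestamped one has stopped working
```

Setting the system clock back, the workaround users found, simply moves `now` back inside the validity period for the untimestamped case.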

Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks

Sophos informs us that job sites Monster and USAJobs (an official US Job site) have been hacked. Messages on Monster and USAJobs confirm this. I’d like to draw attention to the fact that passwords were stolen:

We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords.

says Monster. And USAJobs says:

We recently learned that the Monster database was illegally accessed and certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

Same wording – because Monster is the “technology provider” for USAJobs.

Sophos observes:

There is even more potential for danger, however, because passwords have been stolen. We know that too many people use the same password for every website that they access.

Right. But why is Monster even storing passwords? It is not necessary. All you need store is a one-way password hash, so the site can verify a password without recording it. This is easily done in every web platform out there.

There is a disadvantage. It means the site cannot email your lost password. Instead, it must reset your password. Since email passes in plain text, emailing passwords is a bad idea anyway, and I hate to see sites doing this; it’s a useful alert though that the site places a low value on security.

Any site can get hacked, but what isn’t stored can’t be stolen.

Technical blunders like this can be costly; there’s no excuse for it that I can think of.
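What “store only a one-way hash” looks like in practice, as an added example that is not Monster’s code or any particular platform’s API. It goes slightly beyond the text by including the reset flow that replaces emailing a password: a random one-time token, itself stored only as a hash. The user store is an in-memory dictionary and the sample account is constructed; a real deployment would also give reset tokens an expiry.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000   # slow on purpose: raises the cost of offline guessing


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> None:
    """Store a per-user random salt and the derived hash; the password itself is never written."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "iterations": PBKDF2_ITERATIONS,
                       "hash": _derive(password, salt, PBKDF2_ITERATIONS)}


def verify(store: dict, username: str, password: str) -> bool:
    """Re-derive from the supplied password and compare in constant time."""
    rec = store.get(username)
    if rec is None:
        _derive(password, b"\x00" * 16, PBKDF2_ITERATIONS)  # same cost for unknown users
        return False
    return hmac.compare_digest(_derive(password, rec["salt"], rec["iterations"]), rec["hash"])


def start_reset(store: dict, username: str) -> str:
    """Since the password cannot be recovered, 'lost password' means a reset:
    issue a random one-time token and keep only its hash server-side."""
    token = secrets.token_urlsafe(32)
    store[username]["reset"] = hashlib.sha256(token.encode("ascii")).digest()
    return token   # sent to the user's registered address; it sets no password by itself


def finish_reset(store: dict, username: str, token: str, new_password: str) -> bool:
    rec = store.get(username)
    expected = rec.get("reset") if rec else None
    if expected is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode("ascii")).digest(), expected):
        return False
    register(store, username, new_password)  # replaces the record, consuming the token
    return True


def leaks_password(store: dict, username: str, password: str) -> bool:
    """What a copied database row gives an attacker: does the password text appear in it?"""
    blob = b"".join(v if isinstance(v, bytes) else str(v).encode("utf-8")
                    for v in store[username].values())
    return password.encode("utf-8") in blob


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(verify(users, "alice", "correct horse battery staple"))        # True
    print(leaks_password(users, "alice", "correct horse battery staple"))  # False
```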

10 steps to a well-behaved Windows application

I wrote a short summary of Microsoft’s latest (I think) guidelines for well-behaved Windows applications.

It is a significant topic. A large part of the thinking behind Vista’s contentious User Account Control (which is being continued in Windows 7) is to push app developers into writing applications that conform more closely to the guidelines, especially in respect of where they write data. If all applications conformed, there would be little need to log on as local administrator, and Windows would be more secure.

JavaFX warns against itself on Macs

If you navigate to JavaFX.com on a Mac, you get this warning – at least, I do, and so does at least one other:

In case you can’t read it, it says:

This applet was signed by “JavaFX 1.0 Runtime,” but Java cannot verify the authenticity of the signature’s certificate. Do you trust this certificate? Click Trust to run this applet and allow it unrestricted access to your computer.

I trusted it anyway. Why? Mainly because it is on Sun’s site, and I doubt Sun was hacked. Second, because I clicked Show Certificate and it said everything was fine. Third, because on balance I think it is more likely that either Sun, Apple or a.n.other messed up either the cert or some other aspect of digital security programming, than that this particular bit of code belongs to a bad guy.

Nevertheless, I mention it because it illustrates the continuing hopeless state of Internet security. How on earth am I meant to know whether I should trust a certificate that “Java” has rejected? Who is this Java guy anyway? Why should I give any applet “unrestricted access” to my computer?

I see this all the time. We are confronted with impossible decisions, where one set of training tells us to click No – the certificate is out of date, the application is unsigned, the requested permissions are unwarranted – and another set of training tells us to click Yes – this is a reputable site, I need this installed to get on with my work, I’ve seen dialogs like this before and not come to any harm.

It might be better not to have the choice. In the scenario above, if the applet just refused to run, then there is a better chance that the problem would be treated as a bug and fixed. As it is, there is little chance that we will always guess right.

Microsoft plans free anti-malware

Microsoft will be offering a free anti-malware suite codenamed “Morro”, from the second half of 2009, according to a press release:

This streamlined solution will … provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs.

It’s a good move. Here’s why:

  • The current situation is calamitous. Even users with fully paid-up anti-virus solutions installed get infected, as I recently saw for myself. PC security is ineffective.
  • The practice of shipping PCs with pre-installed anti-virus that has a trial subscription is counter-productive. There will always be a proportion of users who take the free trial and do not renew, ending up with out-of-date security software. A free solution is better – several are available now – if only because it does not expire.
  • Microsoft wants to compete more effectively with Apple. It is addressing an extra cost faced by PC users, as well as (possibly) the poor user experience inherent in pre-installed anti-virus trialware.
  • The performance issue is also important. Anti-malware software is a significant performance drag. Microsoft is the vendor best placed to implement anti-malware that minimizes the drag on the system.

Counter-arguments:

  • Only specialist companies have the necessary expertise. I don’t believe this; Microsoft’s investment in security is genuine.
  • Single-supplier security gives malware a fixed target, easier to bypass. There’s some merit to this argument; but it is weakened by the fact that the current multi-vendor scenario is clearly failing. Further, the Mac is a fixed target that does not appear to be easy to bypass.

All of this is hot air compared to the real challenge, which is securing the operating system. Vista is progress, Windows 7 not much different according to my first impressions.

Why not just use another operating system? There’s a good case for it; ironically the theory that a large factor in Windows insecurity is its dominance can/will only be properly tested when an alternative OS is equally or more popular. If people continue switching to Macs perhaps it will happen some day. Windows is still hampered by its legacy, though my impression is that Vista’s UAC is having its intended effect: fewer applications now write to system areas in Windows, bringing us closer to the day when security can be tightened further.

What about business systems? This is one area that needs clarification. Microsoft says Morro is only for consumers. Why should businesses have to pay for a feature that consumers get for free? On the other hand, some equivalent initiative may be planned for business users.