Much ado about nothing

The headline is “Security rivals shut out of Microsoft meeting”. 

This meeting was under NDA, so what was actually discussed I can’t say. 

However, the not-secret part of it was that someone at Microsoft accidentally sent out the LiveMeeting presentation invites as “presenter”, which, if you’ve ever used LiveMeeting, is an invitation to chaos.  Realizing their error, they rescheduled the meeting for 30 minutes later, and that didn’t all come together either, because the meeting had originally been set up to end at 12:30, so we were all promptly kicked off.  Finally, at 12:45 EDT, the meeting went as planned.  Those who missed this meeting will have the ability to view another later today.

While I have my disagreements with Microsoft on the PatchGuard issue, I must defend them in this instance. It was a case of a few honest mistakes made by well-intentioned people, probably working under a tremendous amount of stress. No big deal, people.  Like I’ve never made a few honest mistakes in putting together a presentation?

Alex Eckelberry

Live phishing demo

Another good one from Lance James.

A phisher may also use a Trojan or other Malware to watch for instances of a web browser and use the information contained in the title bar to search for various keywords referencing previously submitted data. By hooking directly into the IE Browser Helper Object, bypassing TLS/SSL encryption, malware such as berbew, mitgleider, haxdoor, and snapper will grab this post data and send it to a data collection server. The Secure Submission Transfer (SST) module of the DFP product seamlessly protects a bank’s login HTTP form data from being potentially hijacked by malware without requiring a client-side software plugin.

Link here.

Alex

Datacenter in-a-box

This is really cool.  Sun has released Project BlackBox, a “Datacenter in a box”, capable of supporting 10,000 simultaneous desktop connections all from a standard shipping container. 

I can see this being useful for all kinds of plug-and-play operations, from simple commercial uses to portable military command centers, disaster recovery or disaster assistance.

“Containerization”, using ISO-standard containers, revolutionized the cargo industry.  A standard container can fit on a train, boat or truck, anywhere in the world.  Using this existing and highly evolved logistics method makes a lot of sense.

Alex Eckelberry

Bad physical security

Great blog posting by Mike Jagger on a badly setup alarm system.  If you have a home or business alarm, worth reading.

The image above summarizes, for me, everything that is wrong with the security industry (click on the image for a bigger version). The installation is absolutely criminal and how any company could charge a dime for monitoring a system like this is beyond my comprehension. In the race to offer the cheapest possible alarm in order to generate a monthly monitoring fee, far too many systems have been installed like this offering a false sense of security to literally millions of Canadians, Americans and other unsuspecting victims.

There are so many things wrong here that it is hard to know where to start. Here is a short list of the 3 most important issues…

Link here via Schneier.

Alex

Why virtual keyboards for security are snake oil

Some financial institutions use “virtual keyboards” to authenticate users.

They are basically useless against today’s threats like Haxdoor.  Why?  A virtual keyboard only defeats keystroke logging.  The characters you click still land in the login form, and the form is still sent as an ordinary POST.  Form-grabbing malware such as Haxdoor hooks the browser and reads that POST data before it is encrypted, so it captures the password whether you typed it or clicked it.  Doh!

And phishing Uber-guru Lance James has done a writeup on it here.
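To make the point in Lance James’s excerpt and the post above concrete, here is an added example (not code from this blog or from Lance James’s writeup) that models both input paths and both kinds of malware. The form layout, field names, and the “hook” functions are assumptions for illustration; the credentials are constructed.

```javascript
// Added example (not code from the original post or from Lance James's
// writeup): models why an on-screen "virtual keyboard" defeats a
// keystroke logger but not a form grabber. The form layout, field names
// and the hook interfaces below are assumptions for illustration.

// A login form is just a map of field name -> value.
function makeLoginForm(user) {
  return { user, password: "" };
}

// Model of a classic keystroke logger: it only sees key events.
const keystrokeLog = [];

// Path 1: the user types the password. Each character is a key event
// (logged) and is appended to the password field.
function typePassword(form, password) {
  for (const ch of password) {
    keystrokeLog.push(ch); // what a keystroke logger captures
    form.password += ch;
  }
  return form;
}

// Path 2: the user clicks keys on a virtual keyboard. Each click appends
// one character to the (often hidden) password field but generates no
// key event, so the keystroke logger sees nothing.
function clickVirtualKeyboard(form, clicks) {
  for (const key of clicks) form.password += key;
  return form;
}

// What the browser hands to the network stack on submit: an
// application/x-www-form-urlencoded body. TLS is applied below this
// point, so a hook inside the browser (a Browser Helper Object in IE, or
// a hook on the HTTP send routine) reads the body in the clear.
function serializeForSubmit(form) {
  return new URLSearchParams(form).toString();
}

// Model of a form grabber: it never looks at how the fields were filled,
// only at the POST body passing through the hook.
function formGrabHook(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Run both paths with the same constructed credentials and compare what
// each kind of malware ends up with.
function demo() {
  const secret = "s3cret!";

  keystrokeLog.length = 0;
  const typed = typePassword(makeLoginForm("alice"), secret);
  const keyloggerSawTyped = keystrokeLog.join("");

  keystrokeLog.length = 0;
  const clicked = clickVirtualKeyboard(makeLoginForm("alice"), [...secret]);
  const keyloggerSawClicked = keystrokeLog.join("");

  const bodyTyped = serializeForSubmit(typed);
  const bodyClicked = serializeForSubmit(clicked);

  return {
    bodyTyped,                                              // identical to bodyClicked
    bodyClicked,
    keyloggerSawTyped,                                      // "s3cret!"
    keyloggerSawClicked,                                    // ""  (the virtual keyboard helps here)
    grabberSawTyped: formGrabHook(bodyTyped).password,      // "s3cret!"
    grabberSawClicked: formGrabHook(bodyClicked).password,  // "s3cret!" (and here it does not)
  };
}

console.log(demo());
```

The two POST bodies are byte-for-byte identical, which is the whole story: a countermeasure that only changes how characters reach the form cannot help against something that reads the form after it is filled.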

Alex Eckelberry

Some more fake codec sites for ya

These are all fake codec sites; do not install anything from them.

IP: 85.255.118.195
vccodec(dot)com

IP: 69.50.188.109
hqcodec(dot)com

IP: 69.50.188.109
powercodec(dot)com

IP: 69.50.188.109
medcodec(dot)com

IP: 216.255.183.202
ptproject(dot)com (currently offline)

All of these sites, except for ptproject(dot)com, have installers confirmed on their sites, even if the main page is not loading.
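Lists like the one above are usually pasted straight into a blocklist, which is where mangled names and the shared hosting IP get overlooked. The following is an added example, not part of the original post, that normalizes the defanged list (copied here as constructed input), pivots on the hosting address, and emits hosts-file sinkhole lines. The defanging conventions handled (“(dot)” and “[.]”) and the output format are choices made for this example.

```javascript
// Added example (not from the original post): normalizes the defanged
// indicator list above, copied here as constructed input, pivots on the
// hosting IP, and emits hosts-file blocklist lines. The defanging
// conventions handled ("(dot)" and "[.]") and the output format are
// choices made for this example.

const RAW_INDICATORS = `
IP: 85.255.118.195
vccodec(dot)com

IP: 69.50.188.109
hqcodec(dot)com

IP: 69.50.188.109
powercodec(dot)com

IP: 69.50.188.109
medcodec(dot)com

IP: 216.255.183.202
ptproject(dot)com   (currently offline)
`;

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
const HOSTNAME = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$/;

// Turn a defanged name back into a real one. Done only here, at parse
// time, so the rest of the pipeline works with proper hostnames.
function refang(s) {
  return s.replace(/\(dot\)|\[\.\]/gi, ".");
}

// Parse "IP:" header lines followed by one or more domain lines into
// { domain, ip, offline } records, rejecting anything malformed rather
// than silently blocking a mangled name.
function parseIndicators(text) {
  const records = [];
  let currentIp = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line) continue;
    const ipMatch = /^IP:\s*(\S+)$/.exec(line);
    if (ipMatch) {
      if (!IPV4.test(ipMatch[1])) throw new Error(`bad IP: ${ipMatch[1]}`);
      currentIp = ipMatch[1];
      continue;
    }
    if (!currentIp) throw new Error(`domain before any IP line: ${line}`);
    const offline = /\(currently offline\)/i.test(line);
    const domain = refang(line.replace(/\(currently offline\)/i, "")).trim().toLowerCase();
    if (!HOSTNAME.test(domain)) throw new Error(`bad hostname: ${domain}`);
    records.push({ domain, ip: currentIp, offline });
  }
  return records;
}

// Group domains by hosting IP: several "different" sites on one address
// are usually one operation, and the address is a better block target
// than any single name.
function pivotByIp(records) {
  const byIp = new Map();
  for (const r of records) {
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r.domain);
  }
  return byIp;
}

// hosts-file style sinkhole lines. Offline sites are kept on purpose:
// a parked domain can come back.
function hostsBlocklist(records) {
  return records.map((r) => `0.0.0.0 ${r.domain}`).join("\n");
}

const indicatorRecords = parseIndicators(RAW_INDICATORS);
console.log(hostsBlocklist(indicatorRecords));
for (const [ip, domains] of pivotByIp(indicatorRecords)) {
  console.log(`${ip}: ${domains.join(", ")}`);
}
```

The pivot shows three of the five names on one address, 69.50.188.109, which is the thing to block (and to watch for new names) rather than chasing each domain as it appears.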

Patrick Jordan
Sr. Researcher

Joe Wells at the University of Florida

Joe Wells, our chief scientist for security, is speaking at the Information Technology Security Awareness Day at the University of Florida.

The eighth University of Florida Information Technology Security Awareness Day will be held from 8 a.m. to 4:20 p.m. Nov. 8 in the University of Florida Reitz Student Union Auditorium. The event is sponsored by the office of the interim chief information officer and will be hosted by the UF IT Security Team.

ITSA Day is held annually to provide IT workers from UF, Gainesville and surrounding communities with exposure to current, upcoming and popular security trends. Esteemed experts in specific security fields are chosen as speakers so attendees are educated by a variety of peers and professionals. Bringing IT security awareness to campus IT workers and the community is a significant goal of the UF IT Security Team. ITSA Day will be streamed live and recorded for Internet viewers around the world.

“Each year presents new security challenges and improved ways to protect against them,” said Kathy Bergsma, UF information security manager. “ITSA Day helps keep IT workers informed about current challenges and ways to mitigate them.”

Security experts from Sunbelt Software, Cisco Systems Inc., Cenzic Inc., Secure Ideas and Forensics Strategy Services LLC will present popular security issues such as Web application security, malware prevention and forensics. ITSA Day is targeted at professional IT workers and others who need to learn current security trends.

ITSA Day is free and open to the public. No advance registration is required. Information about speakers and other details will be updated periodically at www.itsa.ufl.edu.

An optional live stream will be available at http://video.ufl.edu/wmstream.html.

Link here.

Apple, humble as usual

I was sent this story by a couple of people here and wasn’t going to bother to say much, until I saw this:

We recently discovered that a small number – less than 1% – of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it. So far we have seen less than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.

Careful, Apple… remember that whole “stones, glass houses” thing.  

And as the folks at F-Secure said this morning, “Whom do you think the people that bought those iPods will be more upset with?” 

Sunbelt writeup here on the Ravmone.exe trojan.

Alex Eckelberry

Sunbelt Weekly TechTips

IE 7 readiness toolkit
Many of us have been using IE 7 in its various beta incarnations for many months, but it’s set to be released in final form within the next month, and if you create web sites, you’ll want to make sure they work properly with the new browser – especially since it’s planned to be an automatic update. You can get the IE 7 Readiness Toolkit to help you do that. For more info and the free download, click here.

Welcome to Windows Meeting Space in Vista
Windows Meeting Space is a cool new feature in Vista that replaces the old Microsoft NetMeeting application, with a spiffier and more professional-appearing interface. With WMS, you can have meetings with up to ten participants, where you can share your desktop or applications, connect to a network projector to view presentations, and pass notes privately to other participants. You can even distribute documents as handouts, and any participant can edit them with the changes automatically propagated to each participant’s copy (while leaving the original unchanged). Unfortunately, it can’t be installed on pre-Vista operating systems, as it depends on Vista’s People Near Me peer-to-peer networking functionality and uses IPv6, which is installed and enabled by default in Vista. But it’s an easy, cost effective way to conduct small virtual meetings. For more about WMS, click here.

How to make XP launch Windows Explorer instead of IE from the Accessories menu
We’ve had a couple of instances where readers tell us that when they click Programs | Accessories | Windows Explorer, instead of launching Windows Explorer, Internet Explorer starts. That happens because the path in the program shortcut is incorrect. Here’s how you can fix it:

  1. Click Start | All Programs | Accessories
  2. Right click Windows Explorer
  3. Select Properties
  4. Click the Shortcut tab
  5. In the “Target” field, type: %SystemRoot%\explorer.exe

This also affects what program launches when you hit the Windows key + E.

What happened to the file names in Thumbnail view?
If you see thumbnails of pictures but not the file names when viewing the contents of a folder, you can do the following: Change to a different view, such as List or Details, and then hold down the Shift key while you click View | Thumbnails to switch to the Thumbnail view. Your file names should be back. You can toggle between displaying or not displaying them this way.

How to remove invalid entries from Add/Remove Programs
If you use the Add/Remove Programs applet in Control Panel to remove a program, but there are still references to the program in the Currently Installed Programs dialog box, you can edit the registry to remove these invalid entries. As always, be careful when using the registry editor, as incorrect use can render your computer unbootable. For step by step instructions on how to perform this registry edit, see KB article 310750.

Registry keys and values for System Restore
Want to know which registry keys and values contain information about the System Restore utility in Windows XP? Note that there are some values in these keys that should not be modified under any circumstances, but there are others you can change without harming your computer, including specifying how much disk space System Restore can use, the minimum amount of free space System Restore needs to function, and the amount of time System Restore waits before creating automatic computer checkpoints for elapsed time. To find out more, see KB article 295659.

How to turn on Remote Desktop automatic logon
By default, for security purposes, Windows XP Pro asks users for a name and password when they connect to the Remote Desktop service from a remote computer. For convenience, you can allow automatic logon so that it’s not necessary to enter credentials, by editing the local Group Policy. Keep in mind what that buys you: once the prompt is gone, anyone who can log on to a client that holds saved credentials for the connection gets the remote session without knowing the password, so protect that client as you would the machine it connects to. For step by step instructions on how to do so, see KB article 281262.

Until next week,

Deb Shinder,

How’s Your Email Etiquette?

A reader recently suggested that I write an editorial about the psychology of returning emails. In other words, why is it that some people always seem to respond quickly to your email messages, while others wait a week or more to answer?

Most of us who send and receive a lot of email know plenty of people in both camps. For instance, one of the guys at Sunbelt I work with on the newsletter consistently answers my messages so instantaneously that I’ve accused him of being an “always on” artificial intelligence instead of a real person (Hi, Dan). No matter what time of the day or night I send a message, his response seems to pop up within a minute. On the other hand, there’s a guy I work with at another company who invariably takes days or weeks to write back. If I need info for an important matter, I often have to resend my message two or three times. While the “next moment” responders may be a little scary, the email procrastinators are downright frustrating, especially when you need their input to get your work done.

Of course, some folks have good reasons for their less-than-timely replies. They might have suddenly been taken ill or be on vacation, traveling on business, or having an Internet service outage. In today’s netcentric world, many of us have people we “know” only through the ‘net. We may work with them online on a frequent basis and even feel close to them, but we don’t even have phone numbers or physical addresses for them, may not know what state (or even what country) they live in, their race/ethnicity, how old or young they are, or in some cases even what gender they are if they have names that can be either male or female. I worked with an editor for one online publication for several years, all that time thinking I was dealing with a man, only to find out accidentally that “he” was actually a “she.” Oops. Because our online relationships are so compartmentalized, we don’t necessarily know what’s going on in a person’s “real life” that prevents him/her from answering the mail.

Another reason people sometimes don’t respond is because they never got our message in the first place. With unwanted commercial email posing such a big problem, almost every ISP or corporate mail server implements some type of spam filtering, and many computer users have their own client-side anti-spam software running, as well. Unfortunately, none of these spam filters are perfect, and there are always some “false positives” – email messages that get blocked by the spam filters even though they aren’t spam. If you don’t get an answer from someone you’ve emailed, you always have to consider the possibility that your message didn’t get through.

On the other hand, the spam filtering problem also presents a handy excuse for those who forgot or were too lazy or avoidant to answer messages. They can just claim to have never received the mail, and who can tell the difference? One solution to that problem is to request a receipt when the person receives or opens your message. Most mail clients make this easy to do.

Unfortunately, it’s not the greatest solution. In most cases, the recipient can choose not to send the receipt even though you’ve requested it, and many people find read receipts highly annoying. Even if you intend to answer, you may not have time to answer immediately, and you don’t necessarily want the sender to know that you read the message today at 8:00 a.m. if you may not get around to answering it until tomorrow afternoon.

And delaying a response isn’t the only way our email contacts can annoy us. Thinking about all this led me to the broader question of email etiquette in general. Sometimes the measures we take to try to avoid annoying others end up being annoyances themselves. For instance, if you’re going to be cut off from your email for a few days, should you set up an autoresponder to send a canned message telling those who write to you that you’re not in? Many people hate those “out of office” messages – especially when the recipient is on an email list and the autoresponder sends an OoO message to the list in response to every post. But is it more or less rude than just letting people think you’re ignoring their messages?

And just how long should you wait after getting no response until you try contacting the person again? A day? A week? Should you just resend the message as if it were the first time, or should you mention that this is the second (or third, or whatever) time you’ve sent it? Obviously, the correct answer may depend on your relationship with the recipient and the urgency (or lack thereof) of the message content.

Then there are those people who respond to your email message by calling you on the phone – without emailing back to say they’re going to call. That’s one of my pet peeves, but no doubt they believe they’re being especially responsive. And they probably think I’m rude for not answering the phone if I don’t recognize the number on Caller ID.

Which brings me to another issue. Many of us were conditioned, as we were growing up, to believe that if the phone rang, we had an obligation to answer it – even though we were the ones paying the phone bill, presumably to have a communications tool for our own use and convenience, not as a means for others to invade our homes when we didn’t want to be invaded. Answering machines came along and changed our attitudes somewhat; now we could “screen” our calls (although few would admit to doing so) and pick up only the ones we wanted to take. Caller ID took that even further – even if the caller chooses not to leave a message, we can see who’s calling (or at least, the number from which he/she is calling) before the call even goes to voicemail. With new technology, we can even program certain numbers to go directly to voicemail, or be blocked altogether, or to have a distinctive ringtone so we know instantly that it’s someone whose call we want to take.

I suspect it’s this relatively new “pick and choose” attitude that’s spilled over to email, and may explain why so many people respond slowly, or not at all. Just as they no longer feel an obligation to answer the phone just because it rings, they feel no obligation to send a reply just because they get an email message. And the sheer volume of email reinforces those feelings.

What do you think? Are you an email procrastinator or an instantaneous responder, or somewhere in between? Do you use OoO messages when you’re going to be out or just keep ’em guessing? Do you get annoyed when you get back an Out of Office notice, or do you like knowing why your message is going unanswered? Do you ever pretend a message was “eaten” by your spam filters when you just didn’t answer? Do you request read receipts? Do you click “Yes” or “No” when asked if you want to send a receipt? What are your pet email etiquette peeves? 

Deb Shinder, MVP

Why Microsoft PatchGuard API’s aren’t enough: Symantec VP responds

The issue of PatchGuard is a vitally important one, and we’re as concerned as the rest of the security community about what exactly will be available from Microsoft.

My post yesterday on Symantec VP Rowan Trollope’s comments on PatchGuard garnered interesting responses (I also received an email from a CEO of another security company, quite confused).

Trollope responds as follows:

    1. Patchguard prevents security vendors from patching into the OS.  
    2. Microsoft says that if you want to patch the OS, you should only use supported APIs.  
    3. We use all APIs available to us, but there are still areas where MS has not provided APIs.
    4. Therefore, with Patchguard, security technologies which rely on patching the operating system will no longer work.

So the next question is WHAT security relies on patching the OS?  The simplest example is a technology we call Tamper Protection.

So what is Tamper Protection, and why is it important?  A couple of years ago, hackers realized that the best way to be effective on a system was to first shut down the security software, then go about business.  Symantec created a feature called Tamper Protection to protect our application against attack from these retro-viral threats.  Because there were (and are) no available APIs to do this sort of thing, we had to patch the Kernel.  We have done so, and it is working very well.  

However, Tamper Protection is just one example which is easy to explain.  We presently have other technologies such as Behavior Blocking and HIPS which rely on patching the OS.  The more general problem illustrated by the Tamper Protection example is as follows:  Currently when a security company needs to provide security against a certain class of threat, we are able to do so even if Microsoft does not offer an API.  With PatchGuard Microsoft is stepping in and changing the rules.  Adding insult to injury, they haven’t even provided APIs for all the security that we have today.

Next, can Symantec get around Patchguard?  Of course we can, in fact we have already published a whitepaper on the subject.  Here is the problem: Microsoft has told us that IF we put in code to circumvent Patchguard, they will release a patch which will go out through Windows Update which will cause our workaround to bluescreen the computer.

We of course cannot pursue a path when Microsoft tells us that they will bluescreen our customers’ machines.  Hackers on the other hand have no such issues.  Once they work around Patchguard (which they already have), they don’t really care if the system becomes unstable or bluescreens or anything else.  So in fact Patchguard works in favor of hackers in this case.

Folks, this is a real issue.  Microsoft has created a PR coup by “agreeing” to give APIs to security companies.  It’s a red herring.

The security industry needs full access to the kernel.  Period.

Alex Eckelberry

Symantec VP Rowan Trollope on PatchGuard: It ain’t over

Readers of this blog have no doubt heard about the battles between the security community (vocalized through the efforts of Symantec and McAfee) and Microsoft on the issue of PatchGuard.

Believe me: It’s a serious issue.  

PatchGuard locks third-party code out of the kernel on 64-bit Windows: ostensibly hackers, but other vendors as well.  As security vendors, it is absolutely vital that we have access to the kernel.  And considering that the chances are high that hackers will break PatchGuard, security companies need that access even more urgently.

Rowan Trollope, Symantec’s VP of Consumer Products and Solutions has strong words on this issue. Trollope is the guy in charge of all the development of products like Norton Antivirus, Norton Internet Security and the like. 

If anyone has to deal with this problem, it’s him.

And he doesn’t mince words. I’ve had some email traffic with him, and he was kind enough to allow me to reprint some of his comments:

On PatchGuard:

“PatchGuard hamstrings security providers, and leaves customers exposed to many of today’s scariest threats.  These threats, such as Infostealers, Backdoors and Trojans are built to disable security products.”

So, really, which threats specifically will customers potentially be exposed to with Microsoft’s Patchguard policy?

“Well, I have a list here of 25 recent malware samples just from the last few months.  To name just a few: Infostealer.Wowcraft, Backdoor.Beasty.J and Trojan.Rootserv.  Today, Norton Antivirus and Norton Internet Security protect customers against these types of threats with advanced protection technology.  On Vista 64-bit, Patchguard disables this advanced technology, leaving customers exposed.”

Have you been working with Microsoft on this, and what do you want them to do about it?

“On behalf of our customers, we have made this clear to Microsoft for well over two years.  While it has been made painfully clear that customers will be exposed to these nasty threats by Microsoft’s choices, they continue to dig in their heels and refuse to work with the security industry.    We have proposed an alternative; specifically, we do NOT want Patchguard removed or disabled; we have asked Microsoft to provide security vendors with a secure API which allows Patchguard to function as designed, but allows us to do our jobs as well.  With this API, customers will be allowed to choose best of breed security technology, and continue to enjoy the same level of protection they have come to expect.”

But hasn’t Microsoft said that with Patchguard, they are simply asking for Security companies to use the supported security related APIs, and not undocumented system hooks?

“There has been a lot of confusion based on what Microsoft has said publicly. 

First, to be clear, Symantec already uses all available security related APIs provided by Microsoft. 

The key word here is “available”; there are no available APIs for these advanced protection technologies we offer today.  

Second, Microsoft has said that this is not anti-competitive behavior since they themselves are also limited to the supported APIs.  This is a convenient position since Microsoft themselves do not offer any of the advanced protection technologies which go above and beyond the available APIs. 

If and when they get around to protecting customers against today’s threats, they alone can add the APIs necessary.”

So what happens when 64-bit Vista comes out?

“Unfortunately for customers, this will be too little too late.  When Vista 64 gets released, we will not have the APIs we need, and Microsoft expects customers to stand-by, unprotected, waiting for “multiple upcoming Windows releases as we understand the exact requirements”.  

In summary, this issue is simple and the facts speak for themselves; Patchguard hamstrings security providers, and leaves customers exposed.”

Believe me, this thing ain’t over. 

Alex Eckelberry

Botnet article in eWeek

Ryan Naraine at eWeek just wrote a story on botnets and spent some time with our research team as we purposely infected a machine to see a botnet in action. 

In a bland cubicle on the 12th floor, Eric Sites stares at the screen of a “dirty box,” a Microsoft Windows machine infected with the self-replicating Wootbot network worm.

Within seconds, there is a significant spike in CPU usage as the infected computer starts scanning the network, looking for vulnerable hosts.

In a cubicle across the hall, Patrick Jordan’s unpatched test machine is hit by the worm, prompting a chuckle from the veteran spyware researcher.

Almost simultaneously, the contaminated machine connects to an IRC (Internet Relay Chat) server and joins a channel to receive commands, which resemble strings of gibberish, from an unknown attacker.

“Welcome to the world of botnets,” said Sites, vice president of research and development at Sunbelt, a company that sells anti-spam and anti-spyware software.

“Basically, this machine is now owned by a criminal. It’s now sitting there in the channel, saying ‘I’m here, ready to accept commands,'” Sites explained.

Link here and pictures here.

Alex Eckelberry
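The sequence in that excerpt (a burst of scanning, then an outbound IRC session that joins a channel and waits for commands) is also the sequence a network monitor can look for. What follows is an added example, not from the eWeek article or from Sunbelt’s lab, that runs a two-stage heuristic over constructed connection-log lines. The log format, addresses, ports and thresholds are assumptions made for the example.

```javascript
// Added example, not from the eWeek article or from Sunbelt's lab
// tooling. Two-stage heuristic for the behaviour described above, run
// over constructed connection-log lines: a host that fans out to many
// distinct peers on one port within a short window (worm-style scanning)
// and then opens an outbound IRC session and JOINs a channel. The log
// format, addresses, ports and thresholds are assumptions.

const LOG_LINES = [
  "2006-10-19T12:00:01Z 10.0.0.5 -> 10.0.0.11:445 SYN",
  "2006-10-19T12:00:01Z 10.0.0.5 -> 10.0.0.12:445 SYN",
  "2006-10-19T12:00:02Z 10.0.0.5 -> 10.0.0.13:445 SYN",
  "2006-10-19T12:00:02Z 10.0.0.5 -> 10.0.0.14:445 SYN",
  "2006-10-19T12:00:03Z 10.0.0.5 -> 10.0.0.15:445 SYN",
  "2006-10-19T12:00:03Z 10.0.0.5 -> 10.0.0.16:445 SYN",
  "2006-10-19T12:00:08Z 10.0.0.5 -> 203.0.113.7:6667 DATA NICK [00|USA|XP]839921",
  "2006-10-19T12:00:09Z 10.0.0.5 -> 203.0.113.7:6667 DATA JOIN #x9 k3y",
  "2006-10-19T12:00:12Z 10.0.0.23 -> 10.0.0.2:80 SYN",
  "2006-10-19T12:00:13Z 10.0.0.23 -> 203.0.113.7:6667 DATA JOIN #help", // IRC alone is not enough
];

const LINE_RE = /^(\S+) (\S+) -> (\S+):(\d+) (SYN|DATA)(?: (.*))?$/;
const IRC_PORTS = new Set([6667, 6668, 6669, 7000]);
const SCAN_WINDOW_MS = 10000; // distinct peers must be hit within this window...
const SCAN_THRESHOLD = 5;     // ...and at least this many of them

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) throw new Error(`unparseable log line: ${line}`);
  return { t: Date.parse(m[1]), src: m[2], dst: m[3], dport: Number(m[4]), kind: m[5], payload: m[6] || "" };
}

// Stage 1: per (src, dport), the largest number of distinct destinations
// hit by SYNs inside any SCAN_WINDOW_MS window. Returns src -> { dport, peers }.
function scanFanOut(events) {
  const groups = new Map();
  for (const e of events) {
    if (e.kind !== "SYN") continue;
    const key = `${e.src}|${e.dport}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const fanOut = new Map();
  for (const [key, evs] of groups) {
    evs.sort((a, b) => a.t - b.t);
    const src = key.split("|")[0];
    for (let i = 0; i < evs.length; i++) {
      const peers = new Set();
      for (let j = i; j < evs.length && evs[j].t - evs[i].t <= SCAN_WINDOW_MS; j++) peers.add(evs[j].dst);
      const best = fanOut.get(src);
      if (!best || peers.size > best.peers) fanOut.set(src, { dport: evs[i].dport, peers: peers.size });
    }
  }
  return fanOut;
}

// Stage 2: first outbound IRC JOIN per host on a known IRC port.
function ircJoins(events) {
  const joins = new Map(); // src -> { server, channel }
  for (const e of events) {
    if (e.kind !== "DATA" || !IRC_PORTS.has(e.dport)) continue;
    const m = /^JOIN\s+(#\S+)/.exec(e.payload);
    if (m && !joins.has(e.src)) joins.set(e.src, { server: e.dst, channel: m[1] });
  }
  return joins;
}

// Verdict: both stages on the same host. Either alone is noisy (vulnerability
// scanners scan; people use IRC); together they match the article's sequence.
function findBots(lines) {
  const events = lines.map(parseLine);
  const fanOut = scanFanOut(events);
  const joins = ircJoins(events);
  const bots = [];
  for (const [src, scan] of fanOut) {
    if (scan.peers < SCAN_THRESHOLD || !joins.has(src)) continue;
    bots.push({ src, scannedPort: scan.dport, distinctPeers: scan.peers, ...joins.get(src) });
  }
  return bots;
}

console.log(findBots(LOG_LINES));
```

On the constructed log only 10.0.0.5 is reported, with the port it scanned, how many peers it hit, and the IRC server and channel it joined; 10.0.0.23 joins a channel too but never scanned, so it stays off the list. Real bots move to non-standard ports and non-IRC protocols, so treat the port set and the JOIN pattern as the weakest part of this check.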

A quick tour of Sunbelt’s research site

We’ve been doing a lot of work to our research center recently (http://research.sunbelt-software.com) and I encourage you to check out some of the newer things. 

First off, there’s the real-time threat report.  This is powered by Threatnet, our user community, and is a list of the top threats being removed from users’ computers.

Then, there’s a section which provides the latest threat definition information for our antispyware products:

Under Submit a Threat, you can submit malware to our research team.

And an extraordinarily powerful tool is our automated malware sandbox.  This tool will provide you with an exhaustive summary of what a piece of malware is doing, along with a brief listing showing what some other engines are detecting it as.   It will also be accessible in the near future at http://sunbeltsandbox.com.

There’s more to check out, so feel free to browse the site.

Alex Eckelberry

This is really good news

Microsoft will allow security developers access to the kernel in Vista 64:

In another change, Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said.

Link here.

Microsoft’s attempt to lock the kernel through PatchGuard was very worrisome to the security community.  It would have been a significant handicap to the security community in the battle against malware authors.

Alex Eckelberry

Umm, is this the case where the enemy of my enemy is my friend?

Zango under attack by none other than adult webmasters — for cookies, of all things…

More here at VitalSecurity (note, a lot of the links in this post are to adult webmaster forums with pornographic images — to avoid potential issues, simply turn off images in your browser.)

Alex Eckelberry

Portland, Maine in the fall

Our peripatetic creative director, Robert LaFollette, just got back from Portland, Maine for a photography workshop and took some beautiful photographs. 

Link here. There are lots of additional photos here, and you can also pick up the blog post here from a few weeks back, when Robert, his wife and I ventured out by boat to the beautiful desolation of Caladesi Island.

Enjoy.

Alex Eckelberry