Fraud? Well, it’s just “marketing”

This is just one of my all-time fave grumpy internet blogs.   The whole site is dedicated to finding out how consumers are getting ripped off by various companies.

For example:

Some things always come in quarts: milk, motor oil, and mayonnaise, for example.  You don’t have to look at the net weight statement, because a quart is 32 ounces, and that is what you always get.

Next time you go to the supermarket and pick up a quart-size jar of Hellmann’s (in the east) and probably Best Foods (in the west), you are going to be in for a little surprise.

*MOUSE PRINT:  The net weight statement now reads “30 oz.” instead of 32.

The site is MousePrint.org.  

Alex Eckelberry
(Hat tip to John Murrell)

Sunbelt Weekly TechTips

(Note: An earlier version of this blog recommended some tools to delete duplicate files.  We have since removed these links pending further research.  Explanation here.)

Fix for some IE 7 rendering problems
IE 7 beta testers have noticed that quite a few web sites don’t work correctly in the new browser. In some cases, that’s because those sites are misidentifying it as an outdated version of the browser. This utility lets your IE 7 browser identify itself as IE 6, as a workaround to the problem. It didn’t solve my “tiny font” problem with IE 7, but it did seem to help with the text alignment problem I was experiencing with some pages. Link here.

Resize photos all at once
High megapixel digital cameras are popular and increasingly affordable, and that high resolution is needed when you want to print large copies of your photos. But when you’re sending them in email or putting them on a web page, it would be nice to be able to reduce them to a smaller size without having to do it one picture at a time. This handy little image resizer lets you resize or convert images from JPG, GIF or BMP formats in batch mode. Check it out here (also, if you have Microsoft Office, the Microsoft Office Picture Manager is quite a nifty little tool for this type of work). 

Can’t have your Java in a Glass?
If you pour hot coffee into a fragile glass cup, you may crack it. Likewise, Java-based applications don’t seem to want to play well with Vista’s Aero Glass interface. It seems running them causes the OS to revert to its non-transparent, non-3-D version. Not a huge problem, but it would be nice if that could be fixed before the final release. Read more about the problem here.

How secure are your credentials?
Is there a point at which requirements for increased length and complexity of passwords and random assignment of user account names – all in the name of better security – can backfire and result in a less secure system or network? That’s something I discussed last week in my technology and security blog. Scroll to the entry titled When “more secure credentials” aren’t.  Link here.

Vista Performance Information Feature
Vista has a new feature called the Windows Experience Index that lets you find out the base score for your system and individual scores for different components such as the processor, memory, hard disk, and graphics card. You find it in Control Panel, labeled Performance Information and Tools, and you can use the score to compare one system to another, to evaluate new PCs or the effect of hardware upgrades, and when buying software, to determine whether it will run properly on your PC. My system got very respectable 4 and 5 point something scores on processor, memory and hard disk, but my ATI Radeon X600 with 256 MB of RAM proved to be the “weak link” at 3.6/3.8. You can read more about it on the Vista team blog here.

How to Uninstall VTP or Get Rid of Aero (Transparent) Theme

Several of you who installed the Vista Transformation Pack asked how to get rid of the transparent background that’s installed by default as part of the VTP. Unfortunately, it’s part of the Aero Glass theme. You can get rid of it temporarily by switching to a different theme:

  1. Right click the Desktop and select Properties.
  2. Click the Appearance tab.
  3. Under Windows and Buttons, choose the Windows Classic or XP Style theme.
  4. Click OK.

To uninstall VTP completely, run the installer program again (Vista Transformation Pack 5.0 or 5.5.exe) and select “I want to enter Vista Transformation Pack – Maintenance Center,” then select “Uninstall Vista Transformation Pack.” From the Maintenance Center, you can also change the toolbar style, rebuild the icon cache, enable or disable themes services, or repair the transformation.

How to disable Remote Desktop using Group Policy
Remote Desktop is a great tool that allows you to connect to your XP Pro computer from another location, but for security reasons, you might want to prevent remote desktop connections. You can disable RD on the Remote tab in the System applet of Control Panel, but if you share the computer with others and don’t want them to be able to reenable it, or if you want to disable RD on a group of computers in a Windows domain, you can use Group Policy to disable it. Step by step instructions are in KB article 306300.

Can’t reconnect to a wireless network with a hidden SSID?
If your Windows XP SP2 computer is connected to a wireless network that doesn’t broadcast its SSID and you manually disconnect, you can’t reconnect either manually or automatically, unless you remove and re-create the SSID profile for the network in the Preferred Networks list. There’s a hotfix for this problem, but you’ll need to contact Microsoft Product Support Services (PSS) to get it. Find out how in KB article 907405.

Can’t change Windows wallpaper after removing spyware?
You may find that after you remove spyware from your Windows XP system, you’re still not able to change your desktop wallpaper. What’s up with that? The problem is that the malware has set the registry to hide or lock the display settings. You can fix the problem by editing the registry. Instructions are in KB article 921049. Note that this registry setting may also have been changed by an administrative policy, in which case you’re out of luck unless you can convince your system administrator to change

Deb Shinder, MVP 

Email Privacy: Is it Even Possible?

Although studies show that young people are abandoning email in favor of text messaging and IM programs for social communications, businesses and many of us “oldies but goodies” continue to depend on email for exchanging messages with family, friends, co-workers, clients and others. Some of the information we put in email is personal, and some of it is even subject to laws such as HIPAA or the GLB Act that mandate we protect it from unauthorized disclosure. So the subject often comes up: just how private is email, and what can we do to make it more so?

In the past, we’ve discussed how the nature of email communications makes it easy for them to be intercepted. Sending an unencrypted email over the Internet is like sending a post card through the postal system – anyone who happens upon it along the way can read it. Of course, you can use an encryption program such as Pretty Good Privacy (PGP) to make it more difficult for anyone but the intended recipient to open the mail.

But then another problem arises: how do you protect against the recipient him/herself divulging the contents of your mail to others, either intentionally or accidentally? Or what if the message goes awry; for example, you mistype one letter in the address and the mail is sent to the wrong address? It’s obvious that people are worried about this, because more and more companies are adding disclaimers to some or all of the messages sent from their networks. These messages usually read something like this:

“If you are not the intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it.”

Reader Kip M. recently wrote to ask what legal obligation this actually places on a person who receives such a message. I’m not an attorney, and this is by no means legal advice, but the attorneys I’ve talked to about this acknowledge that in most cases, companies do this primarily for the purpose of “covering their own behinds” in case a message ends up in the wrong hands. The appended disclaimer indicates that they took steps to make it clear that the message was confidential.

Of course, if an email containing national security secrets fell into your hands and you published it in a letter to the editor of the New York Times, you might face some serious legal repercussions. And of course, under the U.S. civil court system, anyone can pretty much sue anyone for anything (with some specific limitations), so it’s possible that a company could bring a lawsuit against you if you forwarded a copy of their confidential mail to the wrong person. In a world where big record companies sue elderly grandfathers who don’t own computers for music piracy, anything can happen.

From the point of view of those who want to keep information private, disclaimers are of dubious value in accomplishing that. I see forwarded messages all the time that contain the disclaimers. And of course, since the disclaimer is usually added to the end of the message, it’s a bit unreasonable to demand that the recipient not read the message that he already read before getting to the disclaimer.

If you do elect to use disclaimers, it might make more sense to put them at the beginning of the message instead of at the end. And if you’re really serious about it, put the disclaimer in the body of the email and put the confidential message itself in an attachment; at least then it’s possible for the recipient to do what you’re asking (not open the message). Better yet, password protect that attachment.

Yet none of this keeps the intended recipient from forwarding, copying or printing that message. There are ways to technologically control that to some extent, by using a software solution such as Microsoft’s Rights Management Services (RMS). With RMS, which is supported by the Professional version of Office, you can set permissions on messages you send in Outlook that prevent the recipient from forwarding, copying or printing the message. Those options are simply grayed out. You can even set the message to “expire” after a particular time; even the user won’t be able to open it once it’s expired.

RMS sounds great, and it does prevent easy, casual, often mindless “clicking and forwarding.” However, it requires an RMS server, and if the recipient is really determined to breach your privacy, RMS won’t stop it. He can just open the message and hit PrtScn to capture a screenshot that can be saved, printed and sent to others – or even take a picture of it with a digital camera, for that matter.

Bottom line: it’s still wise to treat email as a non-private medium. There are a lot of things you can do to increase privacy, but as long as another person (the recipient) is able to open your messages – and what would be the point of email if they couldn’t? – there will always be a weak link.

What do you think? Do you pay any attention to disclaimers? Do you use disclaimers on your own messages, or does your company add them automatically to outgoing mail? Do you think they do any good? Under what circumstances, if any, would you consider suing someone for disclosing an email message you sent to them? If a service like RMS were available to you, would you use it? Do you encrypt some or all of your email messages? Should a law be passed making it illegal to read someone else’s email without permission (like the laws regarding opening postal mail) or would that create more problems than it would solve? 

Deb Shinder, MVP

New new security scam hijacker sites

All since August.  For your blacklisting pleasure:


Patrick Jordan

People, get your facts straight!

Just a little side humor: we’ve had a number of amusing emails from a malware author, Dark Omega.  Apparently, we’ve made grave errors in the classification of his product. 

It starts off with this (edited for clarity, as he’s using our web-based form to email us):

you got my website address wrong! it is http://www. dark-omega.co. uk not darkflame.tripod.com … you stupid people

Then:

i am only 15 and waz a bit drunk wen i sent the last message so soz 4 bein a bit of a tw*t, i created my trojan based on my schools remote admin tool.  nice to talk to you. if you want…more information on other security threats please email me…. p.s. you need a way of contacting you with out having to use the report virus form. 

Then:

one other thing… Dark-Avenged is a BackDoor!…u got it rong again

And finally:

actualy dark-avenged is classed as a RAT (Remote Administration Tool.) please change this….  i got it wrong last time! :S

Alex Eckelberry


At least Naxos gets it

“Music should flow freely…there should be an ability to get what you want when you want it…and I’m not sure you’re protecting that much with DRM…I think it puts a lot of obstacles up…the consumer is buying those files, and they have the right to do whatever they want with them…we [the industry] really have to think hard about what are we protecting… and are we really afraid of our consumers to the extent where we basically don’t trust them…”   —  Jim Sturgeon, CEO of Naxos USA

As an (albeit rusty) classically trained musician, I’m a big fan of this music genre and have a broad selection of classical music at the house.  Unfortunately, at maybe 4% of the overall market, it’s not a genre that most of the population cares much about.

So it’s even more unfortunate that the only significant record label that actually “gets it” is Naxos, the world’s largest classical music label — as opposed to the often reprehensible tactics of the rest of the industry (harassing people with idiotic lawsuits, using rootkits for DRM, etc.).  

And there’s a practical effect as well. As digital analyst Phil Leigh says:

…Classical is a disproportionately large share of digital music sales. Naxos finds that the classical genre market share doubles online.

Naxos endorses the advantages of DRM-free digital files. Their music is sold on eMusic in the dot-MP3 format with no DRMs. While some piracy may occur, Naxos feels that the enhanced user utility a DRM-free file provides outweighs the minimal piracy that may happen.

About 20% of Naxos revenues this year will be from digital music downloads or online subscriptions. That’s about three times the proportion for the major labels like Sony, Warner, Universal, and EMI. 

Now, taking the other side, it’s perhaps enlightened self-interest on the part of Naxos, since classical is probably less likely to be pirated than the latest pop hit.  Nevertheless, their pragmatic CEO does seem to have a good understanding of what the customer actually needs and wants.

You can listen to an interview with Jim Sturgeon, CEO of Naxos, here (MP3, approximately 33 minutes).

Alex Eckelberry 

Another zero day… Setslice is in the wild

Busy past few weeks … first the VML exploit (now patched by Microsoft), then the daxctle.ocx exploit (not patched yet), and then last night, our friend Roger Thompson reported seeing another exploit, commonly referred to as “setslice” [since it uses the setslice() method to exploit] in the wild.

Mitigation methods are basically non-existent in Microsoft’s advisory, so the best source of information on mitigation is this SANS entry here. The SANS website links to a test page.  Run the test page, see if your browser crashes.  Then run the program they have made available to set the kill bits. 

Also, both ZERT and Determina have released temporary patches against this exploit, here.  

Secunia advisory here.

Be safe.

Alex Eckelberry


Email spyware

It turns out that one of the methods HP investigators used was a service called ReadNotify.  It’s a tracker that tells someone when an email is opened by a designated recipient.   Basically, it drops a small amount of HTML code into an email that reports back when you’ve opened the email (this is usually referred to as a web bug).

Email spyware?  Yes, and remember that if you subscribe to newsletters and the like, chances are that email’s delivery is already being tracked through web bugs.  And spammers have certainly used this trick to track what email addresses are live. But Readnotify is a little scarier — it’s not some nameless tracking of broad open rates on emails — it’s someone who is personally tracking the emails they’ve sent you. 

Creepy?  Yup.

Using ReadNotify is fairly straightforward (after you sign up with their service):  You can either download a plug-in, or you can simply append “.readnotify.com” to the end of the recipient’s email address.

The email looks normal, so the only way you can tell if you’re being tracked is by looking in the message header. 

Or, if you read messages in plain text, you’ll see the web bug they put in the email, and can readily see if you’re being tracked (and also, if you’re in plain text, the tracking won’t work).  The emails will also ask you for a Return Receipt (which I routinely ignore, despicable things that they are).

However, if you prefer to keep reading email with pretty fonts and graphics (as opposed to plain text, which is always the safest method), you can create a simple Outlook rule to look for Readnotify.

For example, you could create a simple rule in Outlook which puts a colored flag or some kind of visual cue on any message someone sends you through Readnotify.  It’s not perfect, but it’s a start.

Simply create an Outlook rule, select “with specific words in the message header” and then add the following strings:

readnotify.com
readnotify
emsvr.com

(If you need help creating rules, twclark has a nice explanation of creating x-header rules — at least for spam — here.)

Also, turning off images in your email program should stop the notification to Readnotify as well.
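As an added example (not from the post and not ReadNotify’s code), here is the same check done outside Outlook: a small Python scanner that applies the post’s three header strings to a raw message and, going a step beyond the Outlook rule, inspects remote images in the HTML body for tracker domains and for 1x1 web bugs from any host. The two sample messages are constructed; the readnotify.com and emsvr.com domains are the ones the post names, and the Received: line and image URL are made up for the sample.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The three strings the post's Outlook rule looks for in the message header.
HEADER_STRINGS = ("readnotify.com", "readnotify", "emsvr.com")
# Tracker domains for the HTML-body check (suffix match, so subdomains count).
TRACKER_DOMAINS = ("readnotify.com", "emsvr.com")


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # (src, width, height) of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.images.append((a.get("src", ""), a.get("width", ""), a.get("height", "")))


def _host_matches(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_trackers(raw_message):
    """Return (kind, detail) findings: "header" = a header line matches HEADER_STRINGS
    (what the Outlook rule sees), "web-bug" = remote image on a tracker domain,
    "tiny-remote-image" = 1x1 remote image on any host (the rule would miss this)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    # 1. Header check: the post's "with specific words in the message header" rule.
    for name, value in msg.items():
        if any(s in str(value).lower() for s in HEADER_STRINGS):
            findings.append(("header", f"{name}: {value}"))
    # 2. Body check: remote images in HTML parts. A plain-text reader never fetches
    #    them, which is why the post says tracking fails in plain-text mode.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for src, width, height in collector.images:
            parsed = urlparse(src)
            if parsed.scheme not in ("http", "https"):
                continue  # cid: or relative images cannot phone home
            if _host_matches(parsed.hostname or "", TRACKER_DOMAINS):
                findings.append(("web-bug", src))
            elif width == "1" and height == "1":
                findings.append(("tiny-remote-image", src))
    return findings


# Constructed sample (not a real capture): a 1x1 remote image in the HTML part and
# a Received: header naming a tracker host.
SAMPLE_TRACKED = b"""\
Received: from mx.readnotify.com (constructed.example) by mail.example.net
Disposition-Notification-To: Alice <alice@example.org>
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Bob, the numbers are attached.
--b1
Content-Type: text/html; charset=us-ascii

<p>Bob, the numbers are attached.</p>
<img src="http://img.emsvr.com/t/abc123.gif" width="1" height="1">
--b1--
"""

# Constructed clean sample: only an inline (cid:) logo, so nothing to report.
SAMPLE_CLEAN = b"""\
From: Alice <alice@example.org>
Subject: Lunch
Content-Type: text/html; charset=us-ascii

<p>Noon?</p><img src="cid:logo@example.org">
"""
```

Run it over an exported .eml file (`find_trackers(open(path, "rb").read())`) to see which indicator fired; as the post notes, this only catches services that leave their domain in the message.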

As a side note, Emsvr.com, related to readnotify.com, has one of the creepier websites, using “The great leap forward” to describe their service.  Never mind that the term “the great leap forward” is generally associated with Mao Tse Tung’s disastrous attempt to rapidly advance China, leading to the deaths of, oh, about 14–20 million Chinese.   The site also inserts “We hope you enjoyed your www.emsvr.com site visit” persistently into your clipboard.  Like I said, creepy.

I’m sure some enterprising fellow will think up a better Outlook rule than me, so feel free to drop a comment if you’ve got a better idea. And keep in mind these rules will only work for Readnotify, and not other email tracking services — and will only work as long as Readnotify puts that domain into the email.

Alex Eckelberry

Seen in the wild: Example greeting card scam

Faithful blog reader Jack Duggan sent me this little example of greeting card malware:

Date: Tue, 26 Sep 2006 18:37:33 +0000
From: Abigail <Lewisqure@voltronik.pl>
Subject: You’ve got an “e-card” at .greeting-cards.com..
Reply-to: Abigail <Lewisqure@voltronik.pl>
X-Virus-Scanned: by amavisd-new at voltronik.pl
User-Agent: Mozilla 4.73 [en]C-SYMPA  (Win98; U)
Original-recipient: rfc822;jxduggan@optonline.net

Dear recipient !
sender at Abigail sent you an “e-card”
“Here’s the Rub” from ‘greeting-cards’ !
Click_here_to_view_the_”e-card”.

This ecard will be stored for one week, so
print or save the “e-card” as soon as possible.

Hope you enjoy our “e-cards”! Spread the love and send one of our “e-cards”!

Brought to you by ‘greeting cards’ – a better way to greet!

If you happen to click on “Click_here_to_view_the_e-card,” you’ll get sent to the site below (made to look like a legitimate greeting card site, but using stolen graphics), which tells you that your Flash player is outdated.  If you install this fake Flash player, you get two Haxdoor variants — really nasty stuff.  

[Screenshots of the fake greeting card site and its fake Flash player prompt]

We were able to access the website where the malware author is counting the installs done using this scam, and we see about 2,500 installs so far on this.  Maybe not a large number, but that’s 2,500 users who may be facing a very unpleasant time.

Alex Eckelberry

Just a reminder

Just a reminder to do the following before patching your system from Microsoft with the VML patch:

If you’ve unregistered the vgx.dll, you will need to re-register it.  This can be done by typing the following command in the Start > Run dialog:

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This will also work to roll back the ZERT patch.


Alex Eckelberry

VML Patched by Microsoft!

Out of cycle…

Typical download size: 250 KB , less than 1 minute
A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.  

Check Windows Update.

Alex Eckelberry
(Thanks F-secure)

Sunbelt Weekly TechTips

Bad hard drive sounds
If your hard drive is making a funky sound, you can go to this useful website. For example, a slow spindle motor sounds like this.

Vista Sidebar and Gadgets
One new feature in Vista that beta testers seem to either love or hate is the Sidebar, which appears by default vertically aligned on the right side of your monitor screen and contains a variety of “gadgets,” little quickly-accessed applications like a notepad for typing or pasting quick notes, an RSS feed display, weather forecasts, CPU and memory monitors, a slideshow that displays the photos in your Pictures folder, a stock ticker, clocks, a calculator and much more. See the sidebar here.  

You can choose from the gadgets included in Vista, or download new ones from the Microsoft Windows Live Gallery web site. You can move the sidebar to a secondary monitor or to the left side of the screen, and you can turn it off if you don’t like it taking up screen real estate.  Link here.

How to get the look of Vista without giving up XP
Some have written me to say that they tried the Vista beta and love the new interface – but went back to XP because their computers had hardware peripherals (usually sound cards or video cards, but sometimes NICs and other essential components) or software applications that wouldn’t work with Vista.

A couple of you have told me that you’ve found a way to get the Vista look on your XP machines by installing the Vista Transformation Pack. Although you don’t get the “under the hood” changes to Windows (such as the new Explorer), it does make XP look and feel more like Vista – including adding the Sidebar. Best of all, it’s free. You can download it from here. (Note that we were unable to download the program from its vendor’s web site. We kept getting an error when we downloaded the file there. Also, there’s a rather silly little dialog box you have to go through to get to the installation program.  Alternative link here.)  

However, strong disclaimers apply — use this software at your own risk.  For example, this dialog box doesn’t engender a great deal of confidence:

[Screenshot of the Vista Transformation Pack installer dialog box]

I would stay away from it and wait for Vista.

Files that are automatically skipped by the backup program
If you use the backup program built into Windows XP, it’s important to note that certain files are skipped by default during the backup and restore process. These include files that are locked by other applications, as well as certain other files, depending on their permissions, whether they are temporary files, and whether they are remote registry files. To find out more about this, see KB article 104169.

Description of Windows File Protection Feature
All editions of Windows XP include Windows File Protection (WFP), which prevents programs from overwriting critical system files, such as .DLL, .EXE and .SYS files that are installed as part of Windows. If you want to know how WFP works and how protected system files can be replaced, see KB article 222193.

Saving files from Office programs resets security settings
If you’re running Windows XP Pro, you can protect your files by setting file level (NTFS) permissions to specify what users or groups can access them, both across the network and on the local machine. However, if you save a file in Microsoft Word, Excel or PowerPoint XP/2003, you may find that the NTFS permissions get reset because of the way Office programs create temp files when you edit them and delete the original files when you save the changes. Luckily, there are some workarounds to this problem. Find out about them in KB article 102888.

Deb Shinder, MVP  

Report: Are TRUSTe sites twice as likely to be untrustworthy?

Ben Edelman has just published an exhaustive study on TRUSTe:

…What do I find? In short, nothing good. I examine a sampling of 500,000+ top web sites, as reported by a major ISP. Of the sites certified by TRUSTe, 5.4% are untrustworthy according to SiteAdvisor’s data, compared with just 2.5% untrustworthy sites in the rest of the ISP’s list. So TRUSTe-certified sites are more than twice as likely to be untrustworthy. This result also holds in a regression framework controlling for site popularity (traffic rank) and even a basic notion of site type.

Link here (and a basic understanding of the economic term Adverse selection is useful).

Alex Eckelberry

More on the greeting card exploit

WebSense writeup here.

We are starting to see mass mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code. A recent example that came to us from Message Labs appears to lure users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that directs all HTTP posts from forms to a third party, and then collects information on end-users.

Alex Eckelberry


Another zero day on the loose? keyframe (daxctle.ocx) exploit seen in the wild

The daxctle.ocx exploit is the “other” zero day exploit, which to our knowledge hadn’t been seen in the wild.  However, Adam Thomas in our security research team has just discovered a website with a modified version of the exploit that downloaded malware to a fully patched XP SP2 machine.  The malware site was in a redirect script off of a porn site, in the same area as we discovered the VML exploit.

The exploit downloaded a fake version of svchost.exe, and a DLL was created at %system%\hehesox.dll which receives commands from a malware site.   The browser did crash, but the malware was successfully installed. 

Mitigation: The DirectAnimation Path control can be disabled by setting the kill bit for the following CLSID: {D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}. More information about how to set the kill bit is available in Microsoft Support Document 240797. More at CERT.
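As an added example (not from the post), the kill bit for the CLSID above written out as a .reg file; the key and the 0x400 “Compatibility Flags” value are the ones Microsoft Support Document 240797 describes for disabling an ActiveX control in Internet Explorer.

```reg
Windows Registry Editor Version 5.00

; Kill bit for the DirectAnimation Path control named in the post.
; Compatibility Flags = 0x400 tells Internet Explorer never to load this CLSID.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11d0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400
```

Merge it as an administrator (double-click, or reg import) and restart Internet Explorer; you can confirm it took with reg query on that key.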

This story is developing and research is ongoing.   Security professionals can contact Eric Sites for collaboration or further information.


Alex Eckelberry