Should Internet Services that can be used as Terrorist Tools be Shut Down?

Over the last few years, I’ve read a number of news articles detailing how various web services have been or could be used by terrorists in plotting their attacks. The latest example was the claim that the terrorists who recently plotted to blow up the fuel tanks at JFK airport used Google Earth to pinpoint the coordinates and get aerial views of their target. Some security experts have suggested that such services should be shut down or restricted to exclude locations that might be likely attack targets from their databases.

Certainly none of us want to make it easier for terrorists to accomplish their missions – but I can’t help wondering where an all-out effort to do away with everything that might aid the bad guys will lead us. After all, it’s well documented that terrorists also use cell phones and email to further their plotting. Does that mean we should shut down those communications systems, as well?

If you think about it, it’s a slippery slope. Do you take away tools that have valuable legitimate uses by law abiding citizens just because criminals can use them to commit crimes? That’s the premise of gun control laws, but in the U.S., those laws have had dismal success records. Do we really want to extend that philosophy to Internet sites and services?

It’s true that too much information can be a dangerous thing. I admit that sometimes I wish it weren’t quite so easy for others to find information about me on the ‘Net. It makes me uncomfortable that strangers with some Internet research savvy can find out where I live, especially considering the hate mail I sometimes get for expressing my opinions in these editorials and in other forums. On the other hand, I’ve used those very same research tools and techniques to locate long-lost family members and friends, thus enriching my life.

In this country, we’ve always been willing to take some risks in the interest of freedom. For instance, you’ve long been able to find bomb-making instructions in most public libraries, but that hasn’t led to an epidemic of homemade explosions – at least, not in the past. One might argue, though, that we’re up against a different type of threat now, and that it has become necessary to restrict not only access to “dangerous” physical tools but also access to “dangerous” information. It’s not an easy issue.

It all comes down to a question of how far we’re willing to go in pursuit of security. Would you be willing to have the web censored by the government, as it is in China and some other countries, in order to keep terrorists from obtaining information they could use to hurt us? Would you be willing to have all your email monitored by the government in the interest of catching terrorists?

How about giving up paper money in favor of digital dollars and having all your financial transactions tracked and logged, so that the authorities can spot money transfers made by terrorists? What if the police “needed” to listen to all phone calls in order to catch criminals? Would you protest mightily or just grumble a little, or would you go along with it happily, if it’s “for the children?” Would you support having mandatory GPS tracking devices on all cars, so they could always be located if necessary? What about surveillance cameras on all street corners – or even inside private buildings and vehicles? Drastic measures, sure – but it beats being blown up by terrorists. Or does it?

Some people will say the above suggestions are ludicrous and could never happen in a free country. But who would ever have believed, twenty years ago, that one day we would have to take our shoes off before getting on an airplane, or that we’d ever need a passport for a quick jaunt to Mexico or Canada?

The idea of shutting down an Internet service that terrorists are using might seem like the prudent and patriotic thing to do, but how far do we go? Tell us what you think. Should there be restrictions imposed on the information that’s available on the ‘Net if that information could be used illegally? Or is freedom of information worth the risks? 

Deb Shinder

Check cards

Terry Savage just covered the subject of using check cards in public places here.

With check cards (generally, hybrid ATM and VISA cards) having become a de facto currency these days, it’s important to be careful as to how you use them.

For example, if you’re going to use a check card, always choose the “credit” vs. the “debit” option. The idea of entering a PIN on a public terminal is unnerving enough, but you also don’t get some key protection in case the card is used fraudulently.

But at the end of the day, I strongly believe that these check cards should only be used for ATM withdrawals at bank ATM machines — not for credit transactions in general (even more so for online transactions).

Practically speaking, it’s more of a hassle to reconcile your bank statement at the end of the month with lots of little charges compared to the simplicity and hard copy backup of checks (and you do reconcile your bank statements, right?), but more importantly, the risk of fraud tied to your bank account is too great a risk.

Of course, I recognize that some people can’t get normal credit cards, because of age or credit history, and all they have access to is a check card. In that case, simply use caution and regularly stay on top of the charges as reported from your bank. And don’t choose the “debit” option when making a purchase.

Alex Eckelberry
(Hat tip to Marc)

Shameful marketing by DriveCleaner

DriveCleaner is known for its misleading marketing practices. And one example came to me today by an email from Robby, one of my three faithful blog readers:

I’ve attached two screenshots of Drive Cleaner popups happening within the Juno webmail client itself, including what appears to be a hijacked banner advertisement when I click on cancel. This has happened about three times now over the past few days and on different computers.


I don’t have Juno and can’t verify this. But what is likely happening is that Juno has contracted with a third party ad network to sell ads. DriveCleaner is displaying these ads, which are doing some fake animated “scan”.

It’s extraordinarily misleading advertising, and being served on Juno, is even worse, since Juno has a high degree of popularity among seniors, an audience that’s ripe for scams.

Let’s hope the folks at the FTC take notice.

Alex Eckelberry

The 4th at Sunbelt


We are in one of the tallest buildings in the area, and it looks over the Memorial Causeway, where the city launches its fireworks.  So, lots of employees come over on the 4th to watch the fireworks, and of course, many also take pictures.   

John, our IT Manager, has some nice pics on his blog, Nick in spyware research put some up on Flickr and of course, our famous creative director, Robert LaFollette, took some great pictures as well.

Alex Eckelberry

Sunbelt Weekly TechTips #51: Configuration and Troubleshooting

Restore XP after upgrading to Vista
Okay, so you upgraded your XP computer to Vista and you don’t like the new OS. It happens. But you may be able to restore your computer to the previous version of Windows without having to format the hard disk and install XP from scratch – if your XP installation was saved in a Windows.OLD folder. It’s a fairly long process, but not too difficult if you carefully follow the step by step instructions in KB article 933168.

Low performance on high performance video card
If you have a Vista computer with a high end (and high dollar) multiple GPU video card but you’re not getting the kind of performance you have a right to expect from such a card, it might be because the OS isn’t forwarding driver- rend requests to the secondary GPU. Luckily, there’s a hot fix for this, but you have to call Microsoft Customer Support Services to get it. To find out more, see KB article 936710.

Deb Shinder

Sunbelt Weekly TechTips #51: How To’s

How to restore XP activation status information after a reformat

  1. Double-click My Computer, then double-click on the “C” drive.
  2. Navigate to the C:\Windows\System32 folder.
  3. Locate the files named “wpa.dbl” and “wpa.bak” and copy them to a safe location such as a USB key or CD.
  4. Reformat your disk and reinstall Windows XP on your reformatted hard drive. Click “No” when asked if you want to activate Windows.
  5. Reboot your computer into Safe Mode (press F8 as Windows is booting up to see the Windows Advanced Options menu and select SAFEBOOT_OPTION=Minimal).
  6. Double-click My Computer, then double-click on the “C” drive again.
  7. Navigate to the C:\Windows\System32 folder again.
  8. Locate the files named “wpa.dbl” and “wpa.bak” (if it exists) and rename them to “wpadbl.new” and “wpabak.new”.
  9. Copy your original “wpa.dbl” and “wpa.bak” files from your USB key, CD or DVD or other location into the C:\Windows\System32 folder.
  10. Restart your system.

Spam of the Week
A couple of weeks ago, I was being inundated with spam messages claiming I had received a postcard from a family member. This past week, I’ve received literally hundreds of spams from the “United States National Medical Association.” There actually is an organization called the NMA but it’s not an online drug-buying organization, which is what the spam messages claim. Interestingly, my Outlook 2003 junk mail filter was not catching these – until I installed an update for the junk mail filters. Now they all go into my Junk Mail folder (I use a computer running XP/Outlook 2003 to filter my Exchange mail before I access it in Outlook 2007 on my primary Vista computer – but that’s another story for another day). If you’re getting these spams, check out how to get the update here.

Zune DRM

Question:

I recently signed up for the Zune download service and ran into a problem. I have two computers, a desktop and a laptop and installed the Zune service software on my desktop and created an account. I was able to buy songs and download them on my desktop without a problem. I installed the Zune service on my laptop and was able to buy songs, but they would not download! I was charged for the songs but the downloads failed. What can I do? – Tommy T.

ANSWER:

You’re not the first one to have this problem. The good news is that, since your account was charged for these songs, the Zune service has information about the download and the service is aware that the download did not complete (they have a mechanism to confirm whether the download was successful or not).

In order to download your songs, you can try again from the laptop, but I recommend that you go to your desktop first, since you know that downloads are working from there. Open the Zune interface and click the Zune Marketplace menu (it looks like an orange-colored person sitting to the right of the Options menu). Click Account Management. On the Account Summary page, look in the Music and Purchases section. Click the Incomplete Transactions button. Click the Check Now button. If there are incomplete downloads, you’ll be able to complete the downloads from here. As for your laptop, you probably need to restart the computer to get your Zune download service to work.

[ed: A friend also dropped in with this comment: “I have had all kinds of problems with the Zune service. I purchased a 3 month service for all music and because I installed it on my laptop then on my home desktop it stopped working. I had already uninstalled it on my laptop, but still no dice. I spent over an hour on the phone with Microsoft Zune tech support and it is still not fixed. Cost me $45. Microsoft’s DRM is POS.” ]

Chatty Trojan: This Trojan “tells” you that you’re infected.

Deb Shinder

Sunbelt Weekly TechTips #51: News, Hints, Tips, Tricks & Tweaks

An easier way to manage Vista’s boot configuration
If you want to make changes to your Vista computer’s boot configuration information without the somewhat technically complicated process of editing the Boot Configuration Data (BCDEdit) file, here’s a program that can help make it easier. It’s especially useful if you need to install a previous operating system, such as Windows XP, on a computer that is already running Vista. Last week, we answered a user’s question about how to fix the boot configuration in such a situation using the standard Microsoft procedure, but this third party product is another alternative that many will find friendlier – and it’s free. Thanks to several readers for this tip.

Readers sound off on desktop search
Last week, I asked which desktop search engine you like best. We got plenty of responses – but no clear consensus. Microsoft’s and Google’s engines got a roughly equal number of votes, with Microsoft gathering a handful more. Several voting for Microsoft express sentiments like those of Jakk: “I’ve never been an MS fan and I really wanted the Google search to be as good or better, that’s why I’ve kept downloading it after a new update to it, but in my experience the MS Search has worked better.”

A surprising number of you like Copernic, which came in a strong third. A few readers also pointed us toward X1 (http://www.x1.com/), which we’ll be trying out in the coming week (note, however, that it’s not free). Then there were a lot of messages like Jason M.’s: “The best search method that I prefer to use is called “organization!” If your files and folders are organized and you place new items where they ‘should’ go every time, then there is no need to run a desktop search program, which saves the most computer resources.”

Vista Ultimate users are feeling extra deprived
One of the benefits of buying the Ultimate edition of Vista is – or was supposed to be – a steady stream of “extras” – software add-ons just for users of the most feature-laden (and most expensive) edition. So far, though, we haven’t seen very many. The Texas Hold ’em poker game is admittedly cool, as computer card games go, and there have been some enhancements for EFS and BitLocker that are useful, but only used by a small percentage of users.

The potentially coolest extra, the DreamScene add-on that lets you use a video as your computer wallpaper, is still in beta and in my own testing didn’t work all that well, even on my very high powered Dell XPS computer. On my lower powered laptop, well, “fugget about it.” I guess I’m not the only one who’s been wondering when all the neat new extras are going to be here. See this article in last week’s Windows Secrets newsletter.

Worst Windows Features
Many computer users enjoy a love/hate relationship with Windows. Even those who complain about it all the time don’t, for the most part, switch to Linux or Mac. And even those who generally love the OS have to admit that there have been some “features” introduced in various versions of Windows that we found less than user friendly. PC World unveils their own “20 Worst Windows Features” in this slideshow.

See if your favorites (or less than favorites) are included.

Deb Shinder

Are Computer “Glitches” Ruining your Life?

The term “computer dependency” is often used to describe so-called “Internet addiction,” or the excessive use of personal PCs by individuals who spend a great deal of their time online. However, there’s another kind of computer dependency that we, as a society, all suffer from today. That’s the ever-increasing dependency of all our essential systems, from public utility services to privately operated companies, on computers. Most of these would no longer be able to function at all if their computers went down.

And that’s not just a theoretical statement. Occasionally those computers do go down, and we get to see the world (or at least a little part of it) grind to a halt. A couple of weeks ago, United Airlines’ computer system that handled the dispatching of flights from one airport to another – the main flight operations system – suffered a “glitch” (as described by news stories) that grounded hundreds of flights for a few hours and left passengers stranded or delayed.

The system also provides maintenance information, crew scheduling and flight plans for pilots. You’d think such a mission-critical system would have a backup, and it did – but apparently that system failed as well.

Of course, it’s not the first time something like this has happened. Back in December 2004, some will recall that Comair cancelled 1100 flights on Christmas Day because of a computer problem, disrupting the holiday plans of thousands of people.

And of course it’s not just the airlines that are vulnerable to computer-caused troubles. If you stop and think about it, almost every important area of our lives is now controlled to some degree by technology. The banking system is dependent on computers; as money becomes more and more a matter of bits and bytes rather than pieces of paper backed by gold, a major computer malfunction (or a major hack) carries the possibility of wiping out all evidence of your life’s savings in one fell swoop. Sure, there are still paper records and you’d probably eventually end up getting it back, but there is a very real chance that you might be denied access to your funds for days, weeks or even longer.

A few years ago, a Canadian bank was hit by a software problem that caused withdrawals, deposits and transfers of some customers to be replicated, so that if, for example, you took out $100, it appeared twice on the transaction record, showing a total withdrawal of $200. Although the bank assured everyone that their money was safe and all errors would be corrected, no details were given as to what caused the problem.

Just last month, another “glitch” at a regional bank in the northeastern U.S. delayed the posting of deposits to customers’ accounts, causing problems for some people who needed to make withdrawals immediately.

As scary as it may be to consider the possibility that a computer problem could leave you financially destitute, at least temporarily, there are even more frightening aspects to our dependency on computers. Only a few weeks ago, Russian computers on the International Space Station went down. These include the computers that maintain the station’s position in orbit as well as the ones that provide oxygen and remove carbon dioxide from the air – an essential system if ever there was one.

No one’s life was immediately imperiled, but in the worst case scenario, such a problem could result in the necessity to abandon the station.

Coming back down to earth, there are people whose lives lie in the “hands” of computers every day. The healthcare industry now uses computers for everything from scheduling patient appointments to running life support equipment to performing surgery. In 2005, officials in Calgary, Canada discovered a glitch (there’s that word again) that affected a web site used by doctors to view lab test results. It was reported that around 2000 patients could have received incorrect treatment because of the erroneous information posted to the site.

Surgeons today can operate on patients without even being in the same room (or the same country) through robotic arms controlled over high speed data links. An Italian surgeon has even developed a software program that can use the data collected from prior surgeries to perform operations without any human intervention. It was used to perform unassisted heart surgery for the first time in 2006.

Much more common are artificial pacemakers and implanted cardioverter-defibrillators (ICDs), which contain small computers that monitor heart rhythms and apply an electrical shock when necessary. Thousands of people are walking around with these in their chests. Early models sometimes suffered from software errors and had to be reprogrammed.

It’s not just in life threatening situations that hospitals and doctors’ computer problems can cause grief for patients. Only a week ago the L.A. Times reported that a computer error caused a hospital to send a bill for $962,120 for a four day stay to treat minor injuries. The correct billing amount (which is bad enough) was $48,106.

Of course, we encounter less serious, but nonetheless aggravating computer “glitches” all the time. Who hasn’t, at some time over the last two decades, received an incorrect bill for something and called in about it, only to be told it was the computer’s fault? Sometimes I think that’s become an awfully convenient excuse.

After all, according to some later reports, it was “human error” that caused United Airlines’ computer failure – and somehow that doesn’t make me feel a lot better. All of these gigantic computer systems have hundreds or thousands of humans operating them, and that may well be the weak link. People always make mistakes, but when those mistakes are input to a powerful networked computer system, the results can be much more damaging.

So maybe it’s not the computers themselves, but the humans sitting at their keyboards, that we really should be worried about. What do you think? Have we become too dependent on computers? Would a world-wide EMP (electro-magnetic pulse) that wiped out all the computer systems bring our society to its knees – or would it teach us a valuable lesson? Or are computers actually more reliable than people, and will things be better when the computers can handle everything without human intervention? Tell us your opinions at feedback@wxpnews.com

‘Til next week,

Deb Shinder

How iPhone activation works

Of interest to security wonks:

Activation in the iPhone works in a similar manner to Windows activation (standard signature handshake).

iTunes gets three things from the phone, the DeviceID, the IMEI, and the ICCID. This is called the token and is unique to every iPhone. This token is then sent to the Apple server (alfred.apple.com) via SSL. Apple uses their private key to sign the token and transmits it back to iTunes. iTunes then calls AMDeviceActivate with this signed token. The device gets the token and checks whether or not the signature matches the token. If it does, the device is activated.

{
"UniqueDeviceID" = "aabbccdd......";
"InternationalMobileEquipmentIdentity" = "1234....";
"IntegratedCircuitCardIdentity" = "1234...";
}

Link here.

Alex Eckelberry
(thanks Eric)
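The sign-then-verify handshake described in the quoted text, as an added Go example that is not code from the linked source or from Apple. The post does not name the signature algorithm, so Ed25519 stands in for it; the type names, the length-prefixed token encoding, and the device's check that the token carries its own identifiers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Token carries the three identifiers the post says iTunes reads from the phone.
type Token struct {
	UniqueDeviceID string
	IMEI           string
	ICCID          string
}

// Canonical returns the exact bytes that get signed. Each field is
// length-prefixed (an assumption of this example) so that ("ab","c") and
// ("a","bc") can never encode to the same byte string.
func (t Token) Canonical() []byte {
	var out []byte
	for _, f := range []string{t.UniqueDeviceID, t.IMEI, t.ICCID} {
		out = append(out, byte(len(f)>>8), byte(len(f)))
		out = append(out, f...)
	}
	return out
}

// ActivationServer is a hypothetical stand-in for the vendor side; only it
// holds the private key.
type ActivationServer struct{ priv ed25519.PrivateKey }

// NewServer generates a key pair and returns the server together with the
// public key that would be provisioned on devices.
func NewServer() (*ActivationServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ActivationServer{priv: priv}, pub, nil
}

// Sign returns the signature over the token's canonical bytes.
func (s *ActivationServer) Sign(t Token) []byte {
	return ed25519.Sign(s.priv, t.Canonical())
}

var (
	ErrBadSignature = errors.New("signature does not match token")
	ErrWrongDevice  = errors.New("token was issued for a different device")
)

// Device is a hypothetical model of the phone: it knows its own identifiers
// and the public key it trusts.
type Device struct {
	IDs       Token
	Trusted   ed25519.PublicKey
	Activated bool
}

// Activate accepts a signed token only if the signature verifies under the
// trusted key and the token names this device (the second check is an
// assumption added here; the post only mentions the signature check).
func (d *Device) Activate(t Token, sig []byte) error {
	if !ed25519.Verify(d.Trusted, t.Canonical(), sig) {
		return ErrBadSignature
	}
	if t != d.IDs {
		return ErrWrongDevice
	}
	d.Activated = true
	return nil
}

func main() {
	srv, pub, err := NewServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample identifiers, not real device values.
	ids := Token{"aabbccdd-constructed", "490000000000000", "8900000000000000000"}
	dev := &Device{IDs: ids, Trusted: pub}
	sig := srv.Sign(ids)

	altered := ids
	altered.IMEI = "490000000000001" // one digit changed after signing
	fmt.Println("altered token:", dev.Activate(altered, sig))
	fmt.Println("genuine token:", dev.Activate(ids, sig), "activated:", dev.Activated)
}
```

Because the signature covers all three identifiers, changing any one of them after signing makes verification fail.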

Winn Schwartau responds

Yesterday, I blogged about security expert Winn Schwartau’s blog being compromised. Today, he responds:

Laugh, cry…whatever. Welcome to the Internet.

When I heard about this a few days ago I sort of ignored it because I have been using the InfowarCon blog instead and thought we had closed this one down.

Alas, we didn’t for either technical or social reasons. Whatever.

A bit of research shows that these attacks were openly reported in March of this year and it seems folks are getting blasted everywhere.

2 Points. Maybe more.

1. Blogger is an SaaS, a web application. If any of the bloggers get nailed, it’s because (a) the servers and or its code got nailed or (b) the software allows the publishing /installation and perhaps operation of active code.

Either way, an SaaS should provide adequate protection against such obvious types of attacks. Perhaps there is a rooting going on? I don’t know and don’t have the time/inclination to figger it out. That’s their job.

2. Anyone, anywhere, anytime can get hosed. Even we ‘security experts’ screw up. Yup. It’s true. We are human. Should I have noticed earlier? Perhaps, but it wasn’t on my radar screen. Should I freak out? Nope. Not a damn thing I can do about it but bitch, and it seems that blogger is now appropriately blocking it for the good of the preservation of the species.

3. It’s going to happen again. Applications and operating environments need to have security built in from the very beginning, not as a multi-billion dollar post O/S afterthought from poor initial design and specifications.

SaaS, as we move more apps to the Net are going to get hosed, as seems to be happening with the social networking sites of infinite flavor.

Rant almost over…

Thanks for the notice and update. I don’t really mind being a victim here… it teaches me something, keeps us experts humble (I hope) and provides a very clear lesson for non-technical users.

Thanks
Winn

Winn, we all understand and thanks for the clarification.

Alex Eckelberry

Security expert’s blog compromised?

I got a note last week from a friend that Winn Schwartau’s blog (http://securityawareness(dot)blogspot.com) had been compromised.  I checked it — and sure enough, it had been taken over by Malware Alarm, a rogue antispyware app.  Basically, you went to the site and got the typical Malware Alarm warning message, which no matter what you do, brings up the fake MalwareAlarm scanner (basically, a web page designed to look like it’s actually scanning your system, designed to scare the bejeezus out of the unsuspecting user).


Right now, the page is being blocked by Blogger:


However, you can still find the malware link in Google’s cache. And only the main page is blocked — permalinks will still spew these fake security popups.

I can only assume that Winn knows what’s going on and is working it out. 

Alex Eckelberry
(Thanks, Doug, for the heads up and the pics)

Update:  Winn responds.

Unnerving: Politician calls for more surveillance cameras in the US

It’s worth noting that (at least from everything we currently know), security cameras in the UK didn’t play a significant role in apprehending the terrorists involved in the recent car bombing attempts. Perhaps tracking cell calls helped. Or, perhaps suspicious people who noticed the smell of gasoline. But we have yet to see one report where surveillance cameras played a part in capturing the terrorists or stopping the attacks from happening.

Don’t tell that to Joe Lieberman, though. He wants more surveillance cameras in the US:

Sen. Joe Lieberman (D-Conn.), the chairman of the Senate Committee on Homeland Security and Governmental Affairs, said Sunday he wants to “more widely” use surveillance cameras across the country.

“The Brits have got something smart going in England, and it was part of why I believe they were able to so quickly apprehend suspects in the terrorist acts over the weekend, and that is they have cameras all over London and other of their major cities,” Lieberman said.

The idea of having ubiquitous UK-style surveillance cameras in this country is of significant concern in terms of protecting our privacy.

While there are those who will argue (and attempt to justify) broad and encroaching governmental powers to examine our personal lives, history teaches us that the death knell of a society is when it abdicates its civil liberties in the name of protection against real or imagined threats, empowering and trusting that universal vessel of irrationality: government.

Alex Eckelberry

Adventures in Cambridge

Workshops: Last week, I was up in Cambridge for the Antispyware Coalition Public Workshop in Boston, held at Harvard Law School. I moderated a panel on “New Market Trends in Responding to Spyware”. A quick rundown of the panel is on the StopBadware blog.


(Credit to Paperghost for the pic).

There’s video coverage of this workshop, here. If you want to see my panel, click here (I know, sorry, it’s Real Player).

The laptop controlling the presentations was having fits, and the lectern had a fixed microphone positioned that was rather difficult for me (so I’m stooped over for much of the time). However, we managed and it was a mildly interesting presentation — if you’re interested in this subject. If you’re not into this type of stuff, use it to go to sleep. It will work just fine for that.

There were a number of other panels. One of the most interesting presentations was by Paperghost (Chris Boyd), on Internationalization of Spyware. You can view it here, at about the 1:54 mark. As someone concerned with public policy, I also found the Public Policy discussions interesting, but if you’re not into that, well, you can use that to get your kids to sleep.

Dinner with Julie: I also took the opportunity to have dinner with Julie Amero and a number of her supporters.


The people in this picture are (left to right) standing:

Chad Loeven of Sunbelt, Paperghost (Chris Boyd), Joe Scalia, Ari Schwartz (CDT), Eric Howes of Sunbelt, Alissa Cooper (CDT), and Eric Davis of Google. Seated: Herb Horner, me, Julie, Wes, and Judy and Chip Neville.

All of these people played a role in helping Julie with her case and I’m truly grateful for their help (there’s still the specter of a new trial, so it’s not all over yet).

Julie got me a wonderful gift of a crystal star, which I thank her for profusely. Unfortunately, the photographer got me just as I was blinking — despite my obvious resemblance, I’m not trying to be Cool Hand Luke here.


All in all, a very pleasant trip.

Alex Eckelberry