Guidelines for antivirus exclusions for MS programs repost

Earlier in the week, I posted a good set of guidelines for enterprise administrators from Microsoft for antivirus exclusions. Unfortunately, the page that I linked to got pulled. However, Rod Trent was kind enough to share the document with me, and you can download it here (MS Word).

Alex Eckelberry

An excellent domain typo generator

If you’re trying to protect your brand, this is a great tool from DomainTools:

There are a number of typo generators out there, but DomainTools’ is the only one that makes it easy to find out who is typosquatting on your domain name. It also lets you know if someone previously typosquatted or tasted a typo of your domain.

To use the typo generator, go to domaintools.com/domain-typo and enter the domain name. Then choose your options, including which view to use:

Registrant View – see typos of your domain and the registrant’s name. Great for seeing if one person is aggressively typosquatting you.

DNS View – typos include nameservers and IP addresses. Great for seeing if typos of your domain are parked.

More here.

Alex Eckelberry

Hackers for hire

Hackers usually offer their services in the underground market, chatting in private forums, hidden behind various enigmatic aliases. A more enterprising bunch, however, advertises publicly, offering to hack into email accounts, Facebook, MySpace, ICQ or even Facebook’s popular Russian clone, Vkontakte.

However, you’d be an idiot if you actually used them. Doing business with black hats isn’t always the brightest thing to do — you might very well find yourself getting the bad end of the bargain.

Some recent research into one site dedicated to hacking Facebook revealed a number of dodgy sites all under the same IP (in the Cayman Islands, not surprisingly, and with a history). Let’s take a visual tour.

First, a more “general” site on hacking:

[screenshot]

Or, hacking vkontakte:

[screenshots]

(“vzlom” in Russian means “to break in” — of course, my Russian readers are sure to correct me.)

Or hacking ICQ:

[screenshots]

MySpace:

[screenshot]

And, of course, Facebook:

[screenshot]

But this IP has a number of other questionable domains, such as a site seen in the past delivering malware, and one which looks suspiciously like a phishing site. I can only speculate at this point on the other sites listed in the IP range (“escrow services”, etc.).

The whole damned lot should be taken down.

Incidentally, if you use any of the services these sites target, please do the obvious and use complex passwords, changing them regularly.

Alex Eckelberry
(Hat tip to Patrick)

Growth of malware: Update

Over a year ago, I published a rather stunning graph showing the growth of malware.

It needs updating. I asked Andreas Marx at AV-Test for some new data, and he’s been kind enough to share it with me.

First, the size of Andreas’ collection:

[chart: size of the AV-Test malware collection]

Then the monthly malware collection growth:

[chart: monthly growth of the AV-Test collection]

(Excel spreadsheet here.)

Andreas tells me an updated chart will be available in a few weeks, and I expect to post that as well.

Alex Eckelberry

Anne Mulcahy on innovation

I have a lot of respect for Anne Mulcahy, Xerox’s CEO who has announced her retirement.

One thing that I like about her is that she gets innovation:

To be sure, a company’s R&D investment pool looks tempting in tough times. And draining it might save a few jobs or help make the quarterly results less painful. However, if you fail to fund the future, all you’ll be left with is a really lean company trying to churn old ideas into new business…When Xerox went through a downturn of its own making earlier this decade, everywhere I went, lenders and investors were demanding I cut our R&D spending. But to me, Xerox innovation was sacred. Why avoid financial bankruptcy only to face technological bankruptcy down the road?

Some of the tech CEOs I know right now who are in trouble are, in many cases, the ones who have not spent enough on R&D — the core of innovation in a technology company.

There is an attitude often in financial circles (and among non-technical managers), that research and development is not the vital lifeblood of an organization. It can be off-shored, or outsourced, or heavily cost-managed. I know several companies where the financial backers are soaking the company for cash flow, but not investing heavily in new technology.

An organization starts with a product. It doesn’t start with a sales, finance or marketing department. It starts with something that’s produced. And in technology, the people who make your products are your R&D department. Without a product, you have nothing.

The sometimes painful truth is that the business of technology is very R&D intensive. There are cycles, where you make a new product, make money off of it, and then go into another major new R&D phase. This is an ongoing process.

However, what is commonly observed is a company spends on innovation, gets successful, and then doesn’t realize that it actually needs to keep spending on innovation. The companies that would qualify for this list are legion.

Simply straight-lining your R&D expenses at some magical percentage of total revenue is not the right approach. A company must invest in R&D with relevancy to its current situation. Right now, almost 40% of our staff is dedicated to R&D, a staggering figure for some people. But we’re at an absolutely essential time where innovating is the most important thing we can do, to remain competitive. It pays off — our growth is 70% year-over-year. So we keep investing, and investing. We’re making money, but we’re also spending money on making sure that two years from now, we continue to have the most innovative products. (Our percentage of R&D won’t always be this high, because as revenue goes up, the percentage dedicated to R&D goes down, but the current ratios are relevant to where we need to invest now.)

So to those developers out there facing budget cuts, fight back. Teach your managers that you need the money to make the products that the company will need in the future — so they will have jobs themselves.

In short: Innovate or perish.

Alex Eckelberry

This really needs a retraction

Last year, I met with a prominent journalist who I respect, and he let on to me that some Microsoft execs had been telling him that they don’t run antivirus because Vista is so secure.

Oh really? Hmm… Give me Steve Ballmer’s email address… I could have fun with this.

The idea that you don’t need to run security software just because you’re running Vista is flat out wrong.

So no offense to the writer, but here’s an article that really needs a retraction:

• Turn off Vista’s overly protective User Account Control. Those pop-ups are like having your mother hover over your shoulder while you work.

• Uninstall your anti-virus software. I’m serious. Symantec Norton 360 spent so much time trying to protect me from problems I don’t have that it dragged my Toshiba’s performance to a crawl. So I uninstalled it. Instant speed boost.

Surprisingly, the article didn’t get much attention when it came out last week, except for some mentions (like this ComputerWorld blog post). Unfortunately, it’s now spreading through syndication.

But really — this is just terrible and dangerous advice.

If you’re fed-up with the bloat of your AV product, get a leaner one. I make one. And there are others as well.

Want reasonable performance tips? I posted some similar advice a couple of years ago on optimizing the performance of your PC, and this LifeHacker article from a while back debunks some common performance myths.

But no way — no way — should you not be running an antivirus product. This is not my self interest speaking, as I’ve blogged about free tools you can use.

It’s just a simple fact.

Alex Eckelberry

Adobe mea culpa

Well, it’s a start. PDF and SWF exploits are a major infection vector right now. Getting security updates out rapidly and proactively is essential.

Vulnerabilities are no longer an opportunity to bash Microsoft. All software vendors, and even more so the makers of ubiquitous software like Adobe and WinZip, have to be extremely proactive on this front.

Blasted three months ago for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe today promised it will root out bugs in older code, speed up the patching process and release regular security updates for Adobe Reader and Acrobat.

Link here.

Alex Eckelberry

New blogger in the house

Tom Kelchner

You may have noticed a bit of a different voice here in the blog. Tom Kelchner, our recently-hired research manager, is now guest blogging.

Tom has worked for many years in the anti-virus industry, as an Information Security Analyst with ICSA Labs, and then as Senior Threat Engineer with the EarthLink Threat Research Group in Orlando, Fla. He is a former newspaper reporter in Harrisburg, Pa., and government public relations specialist, having served as Deputy Press Secretary to former Pennsylvania Governor Robert P. Casey. He also served as an electronics technician on various submarines during a six-year enlistment in the U.S. Navy.

He does not, however, blog about surfing, commodities pricing or blown CPUs.

Alex Eckelberry

Microsoft announces it will ban memcpy() in the SDL

Microsoft has rather quietly announced on its MSDN Security Development Lifecycle (SDL) blog (link here) that memcpy(), along with the CopyMemory() and RtlCopyMemory() wrappers, will be added to the SDL banned-API list later this year, in an effort to eliminate the buffer overruns that unchecked copies cause.

The blog piece said, “I am ‘proud’ to announce that we intend to add memcpy() to the SDL C and C++ banned API list later this year as we make further revisions to the SDL.”

The function is part of the standard C library and is reachable from C++ and many other languages. Unchecked memcpy() calls were behind the buffer overruns that led to a number of security fixes (not all of them Microsoft’s), including:

• MS03-030 (DirectX)
• MS03-043 (Messenger Service)
• MS03-044 (Help and Support)
• MS05-039 (PnP)
• MS04-011 (PCT)
• MS05-030 (Outlook Express)
• CVE-2007-3999 (MIT Kerberos v5)
• CVE-2007-4000 (MIT Kerberos v5)

Developers can update code by replacing calls to memcpy() with memcpy_s(), which takes an extra parameter: the size of the destination buffer. The important difference is that memcpy_s() refuses the copy and returns an error when the count exceeds the destination size (and, per the C11 Annex K specification it follows, zeroes the destination), so the return value has to be checked rather than ignored.
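As an added illustration (this is not code from the MSDN post or from Sunbelt), here is the pattern behind the bulletins above next to a memcpy_s-style replacement. Because memcpy_s() lives in the Microsoft CRT and in the optional C11 Annex K, which many compilers do not ship, the checked copy is written out by hand with the same contract: the destination size is a parameter, an over-long copy is refused with ERANGE, and the destination is zeroed on failure. PATH_BUF, copy_tag() and the sample inputs are assumptions made for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination, standing in for a MAX_PATH-style buffer. */
#define PATH_BUF 16

/* Before: the pattern behind the bulletins above. The count n comes from
 * the caller (ultimately from the attacker) and is never compared with the
 * destination size, so n > PATH_BUF silently overwrites whatever follows dst. */
void copy_tag_unchecked(char dst[PATH_BUF], const char *src, size_t n)
{
    memcpy(dst, src, n);
}

/* After: a memcpy_s-style copy written out by hand so it builds without
 * Annex K. Returns 0 on success, EINVAL for a null pointer, ERANGE when n
 * exceeds dstsz. On any failure the destination is zeroed, so a caller that
 * ignores the return value at least never consumes stale or partial data. */
int checked_memcpy(void *dst, size_t dstsz, const void *src, size_t n)
{
    if (dst == NULL)
        return EINVAL;
    if (src == NULL) {
        memset(dst, 0, dstsz);
        return EINVAL;
    }
    if (n > dstsz) {
        memset(dst, 0, dstsz);
        return ERANGE;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Copy a possibly unterminated, attacker-controlled field into dst and
 * guarantee a terminating NUL, which memcpy itself never adds. */
int copy_tag(char dst[PATH_BUF], const char *src, size_t n)
{
    /* hold one byte back for the terminator */
    int rc = checked_memcpy(dst, PATH_BUF - 1, src, n);
    if (rc != 0)
        return rc;          /* dst is already zeroed, i.e. an empty string */
    dst[n] = '\0';          /* n <= PATH_BUF - 1 here, so this index is in bounds */
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];
    const char *ok  = "C:\\Temp";                  /* fits in the buffer */
    const char *bad = "C:\\Windows\\System32\\x";  /* longer than the buffer */
    int rc;

    rc = copy_tag(buf, ok, strlen(ok));
    printf("short field -> rc=%d buf=\"%s\"\n", rc, buf);   /* rc=0 */

    rc = copy_tag(buf, bad, strlen(bad));
    printf("long field  -> rc=%d buf=\"%s\"\n", rc, buf);   /* rc=ERANGE, buf empty */

    /* copy_tag_unchecked(buf, bad, strlen(bad)) is the vulnerable call the
     * bulletins describe; it is not executed here because it is undefined
     * behaviour and would corrupt the stack. */
    return 0;
}
```

Note that the check has to be made against the real destination size, not against the source length: the failure mode in every bulletin listed is a length that the code trusted and the buffer could not hold.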

Sunbelt Software Vice President Michael St. Neitzel said: “That’s what I’ve been doing for years. When you’re dealing with buffers, you really have to make sure you don’t overwrite them. A string that is not null terminated can easily override string buffers, since in Windows they typically have a defined size such as the fixed path length.

“A bad programmer will manage to do this insecurely. It’s like giving a powerful sports car to an amateur. The anti-lock brakes, electronic stabilization program and automatic speed reducing aren’t going to protect him from having an accident. But an experienced driver can disable all of those things and not scratch the car. Driver, developer – both may make mistakes.”

Tom Kelchner

Wolfram launch tonight

It’s tonight. Readwriteweb has a pretty good overview of the event, including this:

  • Wolfram Alpha is not a general purpose search engine – it does not directly compete with Google and if you treat it like Google, you will inevitably be disappointed
  • check out the copious amount of examples from the homepage – they will give you a good idea for the type of queries that Alpha can handle best
  • here is one thing we can almost guarantee: you will be disappointed at first (especially if you were expecting a Google killer)
  • Alpha is a great tool, but it takes some time to learn about its limits and strengths. Unlike Google, some searches simply won’t return any result at all

Article Link.

Alex Eckelberry

One Controversial Way to get P0nEd

This might be one of the first indications of a not-so-good trend.

In the “Gadgetwise” column of the N.Y. Times, under the title “Five Controversial Ways to Speed your PC” (link here) writer Paul Boutin suggests uninstalling anti-virus applications as a way to speed up a PC. He also said the threat from viruses and malware was overhyped.

Well, we don’t think it’s ever been overhyped and we REALLY don’t suggest turning off malware protection.

Yes, in recent years, many malware scanners have slowed down, largely because of the vast, exponentially rising surge of new threats. Some of the big name scanners seriously need to be rewritten.

Boutin specifically mentioned in his column that Symantec’s Norton 360 “dragged my Toshiba’s performance to a crawl.”

There is nothing more frustrating than a really slow machine when you’re trying to get something done, and, yes, I remember turning off an anti-virus application many years ago. It was the days before the World Wide Web. Boot-sector viruses were a problem. My machine had no contact with the outside world except for an internal email system and occasional disks. I did turn the scanner back on before I shut down the machine for the day and I didn’t leave disks in the drive. So, I don’t think that was a badly reasoned choice. But, that isn’t true today.

One not infrequently sees estimates that a huge percentage of all the traffic on the Internet is devoted to, well… ahem… viewing photos and videos of people with no clothes on. That means a lot of people are visiting sites that are notorious for the distribution of malware. Even sites where the people in the pictures keep their clothes on have been loaded — intentionally or by hackers — with malware that you can download accidentally. Wanna buy a completely useless AV Scanner for $49.95? Can I interest you in a nice browser plug in that will give you just loads of advertising and show you what a slow machine REALLY looks like?

And, God, don’t even get me started on the crap that people (or botnets) forward in e-mail. A good estimate is that more than 90 percent of e-mail is spam, and a frightening amount of that is intended to phish your bank account or PayPal login or anything else with a monetary value that might be on your PC or in your head.

It’s here, it’s weird and it’s coming to a PC near you in a couple of new ways every day.

So, if you’re thinking of joining a trend and turning off your malware scanner to squeeze some more speed out of the old Toshiba, just consider a faster scanner, like Vipre.

Sunbelt Software’s Vipre was written from the ground up last year and achieves its lightning speed from some rad new technology. (Check it out here.)

Tom Kelchner

Spaghetti code

Dear Lord. One wonders how many lives may have been or will be potentially ruined by this:

“As a matter of public safety, the Alcotest should be suspended from use until the software has been reviewed against an acceptable set of software development standards, and recoded and tested if necessary. An incorrect breath test could lead to accidents and possible loss of life, because the device might not detect a person who is under the influence, and that person would be allowed to drive. The possibility also exists that a person not under the influence could be wrongly accused and/or convicted.”

Link here (via /.). Further commentary by Schneier here.

Alex Eckelberry

The changing threat landscape, yada yada

Actually, a very good article in this issue of Processor. Nothing radically new here, but the writer understands the problem and states it clearly.

“The day of the [AV] scanner being the main line of defense is dead . . . it’s just that most people don’t know it yet,” says AVG’s Thompson. Last year alone, AVG added more than 650,000 signatures to its antivirus engine. “There are 20,000 to 30,000 unique binary samples every day. The bad guys know how to beat a scanner.”

It’s also worth noting that tests that focus on virus detections are completely useless in evaluating an anti-malware solution. Today’s malware is a totally different, vicious animal — and detection is also only part of the picture. Remediation is as important as detection to enterprise customers.

More here.

Alex Eckelberry

PPC waste — sloppy or just a cost of doing business?

The so-called “Google tax”, where an AdWords advertiser pays for traffic that would have reached them anyway, is a long-running problem that most marketers simply pay as a cost of doing business.

To understand the problem, you can simply search for a popular corporate name like “delta airlines” — the “first” result is a paid AdWords “sponsored link” from Delta. Many people click on the paid link, not realizing they just cost Delta some money. Delta very likely knows this but takes it as a cost of doing business — they do want to make sure you go to their site.

[screenshot: Google results for “delta airlines”, with Delta’s own sponsored link at the top]

These types of problems are a part of any marketer’s cost of doing business. Years ago, we had the problem of adware pushing affiliate links to sites a user would have reached anyway (like someone searching for “Dell” and getting a popup for a Dell affiliate — Dell ends up paying a commission to someone it didn’t even need).

Ben Edelman came out with an interesting piece yesterday which expanded on the problem.  If you’re involved in PPC marketing, it’s worth reading his article.

Alex Eckelberry