Tuesday, November 03, 2009 9:21 PM/EST
Chester Wisniewski, senior security adviser for Sophos Canada, on Nov. 3 published on his blog a rather damning account of Windows 7 security and User Account Control.
In his examination, he found that seven out of 10 malware samples tested were able to successfully run on a fresh Windows 7 installation employing the new, quieter UAC that is the default in the new operating system.
Ugly. Not a surprise, but ugly. Also, it's not a test designed to be passed.
In essence, the default setting for UAC in Windows 7 is, "Don't notify me when I make changes to Windows settings." So when Wisniewski downloaded malware samples onto the PC and ran them--simulating a user intentionally downloading and running a file obtained via e-mail or the Web--he was purposefully making changes to Windows settings, so UAC did not prompt him. The system acted as it was told to do, so it should come as no surprise that UAC did not block the malware installation.
The shortcomings in Windows 7's UAC design have been apparent for quite some time. In my August review of the RTM of Windows 7, I postulated that "the new settings--including the new default--serve to worsen the security protections UAC affords," a theory that seems to be borne out by this study. Basically, with Windows 7's UAC, Microsoft decided to step back from trying to save users from their own mistakes--leaving that role primarily to third-party security solutions.
Indeed, Wisniewski comes to the same conclusion, that, "You still need to run antivirus on Windows 7."
Leaving that argument aside, what Microsoft should be doing is figuring out ways to change the way people compute. That default UAC setting is only the default for users who are part of the Administrators group. Users with only standard User privileges, by contrast, get the strongest option by default--to be notified when the user or programs make changes. And since a standard user doesn't have the rights to automatically elevate his or her token in order to make the change anyway, the user would have to enter over-the-shoulder administrator credentials to make it.
Certainly, I like to see security companies--or even Microsoft--publish the results of similar tests, focused on systems operated in a more secure manner. Malware running on an unprotected system with admin privileges is not news, while malware that runs and stays resident without admin rights certainly would be.
Thursday, September 03, 2009 5:03 PM/EST
With news of eBay's Skype sale out of the way, Skype employees are apparently free to start disseminating information once again. As such, Skype today in blog posts reacted to a pair of security concerns that I've written about recently.
One post outlined a new hotfix for Skype 4.1 that, among other things, takes the first baby step toward helping users deal with incoming invite spam. The hotfix purports to make unclickable any links presented within an invite request. While I'd rather see Skype work to change the way invite requests are currently commingled with real contacts within a user's contact list, or actually block the incoming spam, it's a start.
I'm actually waiting to apply the hotfix until I get my next spam invite so I can see the differences in action. I'll add a screen or video as soon as I have something to show.
In the second note, Skype finally responded to the recent news circulating about the Trojan PeskySpy, which aims to steal the audio of a Skype call and send the conversation to parts unknown. In the post, the author links to the Symantec post about the threat, rather than the less detailed post about the Trojan by Sophos that first captured my attention.
The post clarifies that the Trojan hooks into Windows APIs and uses these hooks to collect Skype output rather than directly attacking Skype code. Instead, the Trojan sits in between the audio hardware and Skype, intercepting the data payload after Skype decrypts it (or before Skype encrypts a transmission) on a Windows-based host.
As a side note, that second Skype post mentioned represents the first addition to the Skype Security blog since April.
Welcome back, fellas.
Friday, August 28, 2009 2:09 PM/EST
A couple weeks ago, I pondered what the future would hold for the current iteration of Skype, whether feature and particularly security enhancements would be put off until eBay launches a whole new system to work around their ongoing legal problems with Joltid.
At that time, my question revolved around the issue of Skype spammers, as I consistently found unwanted people had injected their profiles into my contact lists - or so I thought. Instead, as I later learned, my problem was more with Skype's presentation logic rather than the actual security. For while the spammers were displayed among my contacts, their presence there represented an invite to connect rather than an actual contact.
The problem with that presentation logic is that for obvious spam accounts, I never clicked on the account to see the difference. Instead I would just block it and move on. What would make more sense would be to present invites in a separate window or dialog box that requires a user's specific approval, rather than acting like users should and would automatically want every invite to be added to the contact roster.
Either way, Skype knows they have an increasing spam problem, as was addressed on one of their blogs recently. Unfortunately, while the blog tells of a company initiative to fix the problem, there are no details to be had on what the company will actually do or when they might do it. In a nutshell, Skype is saying "We're working on it, stay tuned." Meanwhile, the onus remains on users to identify and report spammers.
But my overarching question about ongoing security development on the current Skype still remains, and the company may face a more pressing test in the near term: Sophos Labs today revealed some information about a Skype Trojan that has been written, and for which the source code is currently being distributed.
"The Trojan injects a dll component into a running process of Skype. The dll then hooks the "send" and "recv" APIs in this Skype process to the Trojan's own custom functions. This allows the Trojan to extract and save the audio and video data, and send it back to the attacker. We're detecting both the executable and the injected dll as Troj/Skytap-Gen based on samples we've seen so far."
The upshot of this Trojan is that, no matter how secure your own system may be, if the caller on the other end is infected, your call gets recorded regardless.
Let's hope Skype has a more clear plan - and timeframe - to deal with this threat.
Update: Differing slightly from Sophos' report, Symantec research indicates this Trojan operates by "hooking various Windows API calls that are used in audio input and output" and that the problem doesn't lie within Skype itself. In other words, the Trojan hooks into Windows subsystems Skype utilizes, and the Trojan then listens for and records Skype calls specifically.
Thursday, August 20, 2009 7:56 PM/EST
By no means have I done an exhaustive check of all the anti-malware companies yet, but it looks like virtual machine licensing is going to be a major differentiator between various products as we move toward the release of all the 2010 software suites.
Today, Sunbelt Software touted via its blog that Sunbelt's licensing applies per computer, not per instance.
"Our company policy is a single-user license applies to one box, and any VM sessions on that box. A single-user license is set up to allow multiple installations on one box with W7 and XP mode both running."
This becomes a pretty important distinction once Windows 7 and XP Mode come into play for those running Win 7 Ultimate, Professional or Enterprise (or any other hypervisor for that matter). Personally, I quickly found that a migration from Vista32 to Win7 x64 necessitated that I run a VM only for my legacy Cisco VPN client, which won't work on 64-bit machines.
Unfortunately, not every security suite is going to license VMs in the same manner. I'm currently testing one product (I can't say which due to an embargo), and I just learned that protecting the host and the client will count as two licenses.
So, as you evaluate what security to put on your new Windows 7 PC come October, remember to weigh how much security is going to cost you, if you need to spin up an instance to support some legacy application.
Friday, August 14, 2009 8:19 PM/EST
One thing new in Windows 7 RTM since the Release Candidate is that the default Administrator account is now disabled by default (the account was also disabled in Vista SP1 and SP2). When Windows 7 (Ultimate x64 in my case) is installed, the user creates a personal log-in and password, and this account is automatically made part of the local Administrators group. At the same time, a second Administrator user account gets created in the background with no password, but the account is disabled by default. In the RC this account was enabled, but no more. *
I discovered this little tidbit as I configured my system for least privilege user mode. After I slid the UAC (User Account Control) slider bar to maximum protection, I opened the Local Users and Groups dialog to change the name of the Administrator account and add a password. Unfortunately, I failed to notice the account was disabled by default. As a result, once I deleted the Administrators group membership from my personal account, I found I had locked myself out of the ability to access any UAC-protected tools -- such as Computer Management or Add/Remove Programs. As there was no active Administrator account in my case, both UAC and RunAs were useless, and there was no active Admin account with which I could log on.
Then I learned Microsoft only went halfway with this significant change, and, man, the other half is really badly done.
As a last recourse, I rebooted and hit F8 during the OS load to get to the Advanced Boot Options. I selected Windows 7's new "Repair Your Computer" option, which loads a slimmed-down user interface for the recovery tool. I selected my account with my limited rights credentials from a drop-down menu and was presented with a single option: Startup Repair. The tool ran a series of diagnostics -- it didn't say what at that time, but I later learned it was running file-system, disk and registry validation checks -- then presented me with the option to restore the computer using System Restore. I was not allowed to select which System Restore settings to use, although the system appeared to use the most recently saved settings.
The restore was completed, and voila, permissions were returned to a workable state.
Upon further investigation, however, I found that in the preboot environment I could also log in and effect changes using the otherwise disabled local Administrator account, but only under certain circumstances. Specifically, when no other local administrator accounts are present, the disabled Administrator account appears in the log-in drop-down box and can suddenly be accessed. And as I mentioned above, even after all these years of Microsoft receiving criticism for this lack of attention to security, the Administrator account has no password by default.
An admin logging into the recovery tool has a lot more options at his or her disposal, too. As an admin, I could perform the same auto-fix tests, perform System Restores with the ability to select the settings to use, run a System Image Recovery event to restore from a disk backup, run memory diagnostic tests or access the command line for more possible actions. And from the command line I could switch from the preboot environment's drive over to the main system drive and read anything I wanted, even copy it to a USB stick and take it with me.
Certainly, we know that a data thief with physical access to the machine typically means game over. Boot to a LiveCD or a USB stick that can see into NTFS (NT File System), and thieves can take whatever they want. The usual countermeasures are then to block boot from CD or USB at the BIOS, and put a BIOS password on the system. But, heck, now Microsoft puts in the hacking tools for you -- no need for third-party boot media.
Users could protect themselves by fully encrypting the drive with BitLocker so the intruder only sees garbage. Oh, wait, that's only for Ultimate and Enterprise customers, not the vast majority of people who will use Home Premium. Never mind.
Honestly, it's hard to take Microsoft seriously about the security of its products when you can drive a bus through some of their holes. I know the circumstances of this case were a little unique (who among you plans to remove your admin rights?), but in my book, disabled should mean disabled. Microsoft should NOT be creating by default an admin account with no password, then opening up the account for use in certain situations.
Word to the wise: Even though that admin account is disabled, do yourself a favor and put a password on it. You probably won't regret it.
* Updated to correct some comparisons with Vista.
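An added audit script (not the author's or Microsoft's code) that checks the two things these posts turn on: the UAC prompt levels for administrators and standard users discussed in the Nov. 3 post, and the state of the built-in Administrator account and of the other local administrators discussed in this post. It targets Windows 7 with PowerShell 2.0; the registry values, WMI class and ADSI calls are standard Windows interfaces, while the pass/fail thresholds are this example's own assumptions.

```powershell
# Added example: audit UAC policy and the built-in Administrator account on Windows 7.
# Run from an elevated PowerShell prompt so every query succeeds.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

# Documented meanings of the Windows 7 UAC consent values.
$adminLevels = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (slider at maximum)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}
$userLevels = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-LevelText($table, $value) {
    if ($value -eq $null) { return 'not set in registry' }
    if ($table.ContainsKey([int]$value)) { return "$value = $($table[[int]$value])" }
    return "$value = unknown value"
}

$findings = @()

# Threshold assumed here: administrators should sit at the maximum slider position.
if ($policy.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is switched off entirely.'
}
if ($policy.ConsentPromptBehaviorAdmin -ne 2) {
    $findings += 'Administrators are not at the maximum UAC level (ConsentPromptBehaviorAdmin=2).'
}
if ($policy.PromptOnSecureDesktop -ne 1) {
    $findings += 'Elevation prompts are not isolated on the secure desktop.'
}

# The built-in Administrator is the local account whose SID ends in -500,
# whatever it has been renamed to.
$localAccounts = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'")
$builtin       = $localAccounts | Where-Object { $_.SID -like '*-500' }

# Enumerate the local Administrators group through ADSI (works on PowerShell 2.0).
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$enabledAdmins = @($localAccounts | Where-Object {
    ($members -contains $_.Name) -and (-not $_.Disabled)
})

if (-not $builtin.Disabled) {
    $findings += "Built-in Administrator '$($builtin.Name)' is enabled."
}
if ($enabledAdmins.Count -eq 0) {
    # The situation the post ran into: with no other local admin, the recovery
    # environment offers the disabled built-in account, so it needs a password.
    $findings += 'No enabled local administrator accounts remain; the recovery ' +
                 'environment will offer the built-in Administrator account.'
}

Write-Host "UAC enabled (EnableLUA)       : $($policy.EnableLUA)"
Write-Host "Admin prompt behaviour        : $(Get-LevelText $adminLevels $policy.ConsentPromptBehaviorAdmin)"
Write-Host "Standard-user prompt behaviour: $(Get-LevelText $userLevels $policy.ConsentPromptBehaviorUser)"
Write-Host "Prompt on secure desktop      : $($policy.PromptOnSecureDesktop)"
Write-Host "Built-in Administrator        : $($builtin.Name) (disabled: $($builtin.Disabled))"
Write-Host "Enabled local administrators  : $($enabledAdmins.Count)"

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    Write-Host "`nFindings:"
    $findings | ForEach-Object { Write-Host " - $_" }
    # The post's advice is to put a password on the built-in account even while it is
    # disabled; 'net user NAME *' prompts for it instead of exposing it on the command line.
    Write-Host "`nTo set a password on the built-in account: net user `"$($builtin.Name)`" *"
}
```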
Wednesday, August 12, 2009 2:50 PM/EST
I've got Skype set to accept incoming calls, video calls or instant messages only from people in my Contact list. Yet every time I log into Skype, I see a few chat messages from obvious spam accounts, asking me to "rate my Webcam" or "meet in private."
Inevitably, when I flip over to my contact roster, I notice that the spammers have added themselves to my contact list, freeing them to bother me in other ways if I don't immediately block them.
I first noticed this problem with one of the first non-beta builds of Skype 4.0, but it certainly continues through to the latest builds of 4.1. I'm hardly the only one experiencing this, and it doesn't seem to matter whether the user is on a Mac or a PC.
A PR guy working with Skype suggested that accounts accessing Skype from multiple computers may find the security settings differ slightly from instance to instance -- which may lead to this problem. I access Skype from two different Windows PCs, a MacBook and my iPhone. On the computers, I've found the privacy settings all match. If those same privacy settings exist on the iPhone, I've yet to find them, so perhaps the hole lies there. But if so, Skype needs to add those settings to its iPhone instance.
One can't help but wonder if the potentially pending divorce of eBay from the underlying Joltid technology Skype uses has led to a stoppage or massive slowdown of development on the Skype we all currently use. eBay recently announced a development initiative for a replacement peer-to-peer technology to replace the existing technology, in case the legal wrangling between eBay and Joltid goes south.
If eBay is investing in a massive project to reinvent Skype for release sometime in 2010, it stands to reason the company is not actively working to improve the current Skype much. And it remains unclear whether Joltid will or can undertake that work in eBay's stead.
But if Skype security problems are not addressed, and the network devolves into a morass of spam and illicit contacts, will users stick around to see whether the new technology is even worth their time?
Friday, July 31, 2009 4:21 PM/EST
Responding quickly to the SMS-based vulnerability to the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday.
The vulnerability research, performed by Charlie Miller and Collin Mulliner, demonstrated ways that an attacker could crash the connectivity or telephony subsystems of the iPhone through a series of invalid SMS messages, or even introduce exploit code to the device.
According to the limited information Apple provided about the fix, version 3.01 only addresses the SMS vulnerabilities and it apparently does not include other features or fixes at this time. Specifically, the Apple knowledgebase article says:
Available for: iPhone OS 1.0 through iPhone OS 3.0
Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution
Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.
I've downloaded the new code via iTunes, finding the updated firmware (for the 3G and 3GS models) weighing in at 297.9 MB. After downloading, the install went smoothly and took about 10 minutes. In a quick scan around the device, I've yet to see any changes in the user interface other than an acknowledgment that the update was successful.
Given the potential severity of the SMS vulnerability now that the exploit has been discussed in a public forum, I would advise users and mobile administrators to undertake the update as soon as possible. However, I feel that corporate administrators particularly will feel the pain of this update because of the lack of attention Apple has paid towards true enterprise management tools for the device.
While Apple has made some strides towards enterprise friendliness with version 2.0 of their profile tools - allowing administrators to push out certificates, usage policies, and VPN settings - Apple has done nothing to address remote firmware management on a device fleet.
Blackberry administrators can turn to their BES servers to deploy critical firmware updates. Android and WebOS administrators (however few of those there may be at this time) can expect the carrier to deliver patches (albeit in a staggered and somewhat unpredictable fashion). Windows Mobile and Symbian administrators can turn to third-party tools for the same functionality.
But iPhone administrators have to email all their users to tell them to do it themselves - presuming the users have access to iTunes and some decent bandwidth - or run a time-inefficient depot station and demand the users bring the devices in for immediate upgrade. Neither solution is effective for large deployments because neither ensures the work will get done.
Because we haven't yet seen any in-the-wild attacks on the SMS vulnerabilities, time to patch may not be critically important in this particular instance. But quite possibly in the near future, Apple will find themselves facing a critical vulnerability with a zero-day remote exploit in the wild, and they will find their delivery methods failing a most important segment of their customer base.
Friday, February 20, 2009 3:58 PM/EST
One of the more frequent comments that I have gotten from readers in reaction to my January look at the first beta of Microsoft's forthcoming Windows 7 desktop operating system was that Windows Vista and--guilty by association--Windows 7 got in the way of people doing real work.
Only a few have bothered to elaborate on what they mean by this, but I suspect that those with this complaint fall into two camps: those uncomfortable with the new UI and menu structure introduced in Vista, and those who have run afoul of the User Account Control security functions.
UIs are not natural things. They are artificial constructs borne out of committee and group think, and are therefore never what any one specific person wants. They're a consensus. Whatever is left is something most people essentially memorize and get used to. Personally, I stuck with the Windows 2000 interface for the last nine years, but Windows 7's new taskbar and start menu really appeal to me.
On the other hand, I tend to view UAC in the same way I view public urination laws. Yeah, following the rules of either may slow me down from my daily appointments, but for the sake of health (staying free from malware), sanitation (keeping the registry and file system uncluttered), and social mores (not spreading a worm or botnet to others), the laws--and the feature--are worth having on the books.
I've been using Vista on my work machine for a full year now, utilizing UAC the whole time. Not only is UAC active, but I require an over-the-shoulder password in order to make a change (as in, I am not an admin and therefore need a secondary admin account for approvals). In that time, I've learned exactly which applications behave as I think they should under UAC, which applications have idiosyncrasies or problems (with security products being among the worst offenders due to their constant need for updates), and when I can expect to need those admin credentials.
My count of UAC prompts over the last seven days? Six, and all occurred as I intentionally upgraded software. I wonder if six in a week qualifies as getting in the way of real work?
A lot of people hate UAC because the feature breaks legacy applications. But this is not the fault of Windows really, but of the third-party software. It's bad code, written by lazy, hurried, or unconcerned developers adhering to development standards 10 years in the rear view mirror. I can't tell you how many product vendors I have talked to who have given me the same spiel about their software, saying in essence, "We'll get the features right, then fix the security later." And I am galled whenever I read about developers with the temerity to complain about the new security features in Windows getting in the way of the fast development of their code.
Operating your computer with full administrative permissions at all times has always been a broken model. No other mainstream operating system encourages operating as root, and with Vista, Windows finally is trying to join everyone else. But users continue to balk, because they have grown accustomed to working by the rules of their broken model.
Stated plainly, sticking with Windows XP because later versions of Windows break applications only serves to reward and reinforce those sloppy development practices. In truth, it is not just Vista (or Windows 7) breaking those applications. Windows XP, like Windows 2000 before it, could certainly be operated by limited rights users, and a whole cottage industry has sprung up in the Windows ecosystem just to solve permission problems for limited rights users on those systems.
To make an apples-to-apples comparison, whether Vista/Windows 7 is to blame for your loss of productivity, or whether it is actually due to bad software, I ask those steadfastly sticking to Windows XP to remove your administrative credentials from your user account. Get familiar with the "Run As" command, with multiple logins, and dealing with application permissions. Then make your assessment.
Alas, I admit I have been complicit in furthering these bad practices with shortcomings in my own testing and analysis for eWEEK. Therefore, I make this pledge -- from here on, in my reviews, I will ensure all software I test designed to run on Windows desktops operates as advertised with only limited user rights. And I will call out those that fail this litmus test.
Maybe together we can put a stop to the garbage foisted upon us.
Wednesday, February 04, 2009 4:41 PM/EST
Rules: Once you've been tagged, you are supposed to write a note with 20 tech-related things, facts, habits or ideas about yourself. At the end, you will tag no one, since you should have forsworn chain letters years ago. However, if you want to share your tech idiosyncrasies, you can reach me at agarcia@eweek.com or leave a comment below.
1. Come July, I will probably ditch my iPhone. Not because of the device itself, but because AT&T's network gives lousy coverage in my house, in my office and along my commute route--even though I live in the heart of technology country. Those 4,490 available rollover minutes say it all.
2. I used to be a zealous advocate of building one's own PC. Now it seems like a lot of trouble, and maybe not such a great way to save money.
3. I built a telephone conference server to use at work out of old PCs, open-source software and a bunch of analog lines off our corporate PBX. The building and testing were infinitely more interesting than the meetings.
4. At home, I've been steadily digitizing all my media, mostly because I hate all the shelf space it takes up. I still can't cut the cord to physical media, though, as I like having it around. This is an annoying conundrum for me.
5. I am as baffled as anyone by Microsoft's phalanx of Windows 7 versions. I'd prefer to see two versions--Home and Corporate--with software add-on packs (for media, security and management). Unfortunately, I suspect this would make things harder for everyone somehow.
6. Despite my years of experience with wireless technology, I still can't make 1080p video stream consistently well without throwing thousands of dollars at the cause.
7. I hate running anti-virus software, and until last year, I never did on my personal systems. The rise of drive-by Web threats secreted on normally trusted sites really freaks me out, though.
8. I use Windows XP, Vista, Seven and CentOS Linux on a regular basis. None of them have changed my life. Perspective, people.
9. I pretty much never back up my personal data.
10. I got my start in IT because I kept accidentally cracking into a Unix server at work. I like to think the IT director saw something in me, but really, I think she just wanted to keep an eye on me.
11. During my first server crisis as an IT staffer, I spent the night on the floor next to the server with a bunch of manuals and Chinese food. The next morning, when everything was working properly, I thought that maybe, just maybe, I could do this for a living. The problem was something like, "Novell 3.12, when running on a server with an EISA bus, loads all memory-resident programs under 640K, no matter how much memory you have." Adding the OS2 namespace had pushed me over the limit. Or something like that--it's kind of a blur now.
12. My first PC was a Texas Instruments TI-99/4a, the second an IBM PC Jr. To keep my parents from using the systems, I wrote an authentication program that, when wrong credentials were entered, would match the onscreen text color to the background, then reboot the machine.
13. I got my first e-mail account in 1991, accessing it using Pine. Seven years later, when they forced everyone on the server to start using POP3, I lost interest in that account.
14. I find helping someone buy a smartphone is much harder than helping them choose a PC. It's simply too personal a preference to impose your will on. I ask three questions: "What carrier do you want to use?" "Can you type on a touch-screen?" "What three things do you want most to do with it?" I point in the right direction, then I get out of the way.
15. My personal domain name is an obscure Simpsons reference. It's not as cool as it once was. Or, it was never cool.
16. I use many VOIP services--mostly Skype, GrandCentral and Raketu. I still have a land line, although I never use it.
17. I loved the hands-on expertise and great customer service of my old DSL ISP, but I love even more the lower price and fast pipes provided by the local cable conglomerate. This makes me very sad.
18. While I suspect that I could easily replace my cable subscription with over-the-air HD, Netflix Watch Now, Hulu and Amazon.com services, I am not quite ready to make that leap.
19. On many occasions, I have stood in a Best Buy or Fry's looking for geek inspiration. More often than not, I will pull out my iPhone and order whatever inspires me online (usually at Amazon.com) while still standing in the store.
20. I think everyone should learn how to do bare-metal virtualization. Find instructions online on how to load VMware's ESXi on a USB stick, plug it into a computer with a lot of RAM and give it a shot. It will be worth the effort. Bonus points if you make an iSCSI server to use with it.
Wednesday, October 29, 2008 7:28 PM/EST
The NBA season kicked off last night, and while my hometown Golden State Warriors quite probably will be awful this year, I am nonetheless stoked that the season is here. HD telecasts, fantasy hoops and NBA League Pass are the kind of things that make my week go by just a little faster.
This year, I decided to check out NBA League Pass Broadband, the online equivalent of the subscription service I sometimes get through Comcast. At $85 for the season, it seemed like a no-brainer to get the subscription over the PC this year. I can watch three games at once (and track how my fantasy squad is doing), and it didn't seem like I needed to install anything additional (other than Adobe Flash and a browser).
After signing up for the free preview, however, I discovered there was software to install: a plug-in for Flash called Octoshape Grid Delivery enhancement. And that plug-in has the following nugget in the terms of service:
You hereby acknowledge that the Software utilizes a grid streaming technology. With grid streaming technology, parts of the video and audio stream you watch may be delivered to your personal computer system via the personal computer systems of other end users of the Software, and the personal computer system on which you install the Software may also be used to deliver parts of the video and audio stream to other end users of the Software.
Accordingly, you hereby grant permission for Octoshape and other end users of the Software to utilize and share the processor and bandwidth of your personal computer system for the limited purpose of facilitating the communication between you and other end users of the Software, including Octoshape.
You are responsible for any telecommunication or other connectivity charges incurred through the use of the Software.
From a technical perspective, I like the cool use of peer to peer for streaming purposes, but as a network admin, I'd be more than a little concerned with this popping up on my network and chewing up both network and computing resources.
And admins should be aware that standard desktop security procedures aren't going to thwart this thing from showing up. I operate my Windows Vista-based laptop as a limited-rights user, so I have to input system administrator credentials whenever I want to install something (yes, I use UAC and I don't mind it at all).
But I never got a UAC pop-up when I installed the plug-in, nor when I uninstalled it from the Programs and Features Control Panel. At least it was easy to uninstall. And apparently easy to update because Octoshape will take care of that itself:
When installed on your computer, the Software periodically communicates with Octoshape. Octoshape reserves the right to remotely provide updates or upgrades to the Software installed on your computer. Octoshape has no obligation to make available to you any subsequent versions or updates of its software applications.
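An install that never triggers a UAC prompt on a limited-rights account can only have written to locations the user already owns, so that is where an admin should look for it. The added script below (not code from the original post or from Octoshape) lists the per-user uninstall and autostart registry entries and counts executables under the profile directories a non-elevated installer can write to; it targets Windows Vista/7 with PowerShell 2.0 and assumes nothing about where any particular plug-in places its files.

```powershell
# Added example: inventory software installed into the current user's profile,
# which is what a UAC-free install on a limited-rights account amounts to.

$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Per-user uninstall entries: programs that registered themselves only for this user.
Write-Host 'Per-user uninstall entries:'
if (Test-Path $uninstallKey) {
    Get-ChildItem $uninstallKey | ForEach-Object {
        $entry = Get-ItemProperty $_.PSPath
        if ($entry.DisplayName) {
            Write-Host ('  {0,-40} {1,-12} {2}' -f $entry.DisplayName,
                                                 $entry.DisplayVersion,
                                                 $entry.InstallLocation)
        }
    }
}

# Per-user autostart entries: anything here runs at every logon without elevation.
Write-Host "`nPer-user autostart entries:"
if (Test-Path $runKey) {
    $run = Get-ItemProperty $runKey
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # skip PowerShell's own PS* metadata
        ForEach-Object { Write-Host ('  {0,-30} {1}' -f $_.Name, $_.Value) }
}

# Executables and DLLs under the profile, grouped by their top-level directory so
# a freshly dropped component stands out from the usual application caches.
Write-Host "`nExecutables under the profile (count per top-level directory):"
foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
    Get-ChildItem $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Group-Object { $_.FullName.Substring($root.Length).Split('\')[1] } |
        Sort-Object Count -Descending |
        ForEach-Object { Write-Host ('  {0,5}  {1}\{2}' -f $_.Count, $root, $_.Name) }
}
```

Uninstalling through Programs and Features, as the post notes, also needs no prompt for such entries, so this listing rather than the UAC log is the place to see what came and went.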