Security Corner:

Opinion

Jun 30 2009   3:19PM GMT

Panda’s Cloud Antivirus (Beta) is a Winner!



Posted by: Ken Harthun
Anti-virus, Anti-malware, Panda Security, Software, Cloud Computing, Opinion

I’ve been using Panda Security’s free Cloud Antivirus for a while and I must say I’m impressed. It’s there, but you’ll never know it unless you look (the little panda icon in the system tray). I rarely get malware of any kind, but Cloud AV has caught a couple of things that were probably drive-bys. It’s so transparent that I actually had to go check on it before I noticed that malware had been caught. This is a perfect set-it-and-forget-it AV for the regular user. It’s free, self-updating and doesn’t require any decisions on the part of the user. You can believe what they have to say:

Light

Panda Cloud Antivirus protects you while you browse, play or work and you won’t even notice it. It is extremely light as all the work is done in the cloud.

Easy

Panda Cloud Antivirus is truly install and forget. Don’t worry about updates, configuration or complicated decisions ever again.

Secure

Panda Cloud Antivirus provides you with the fastest protection against the newest viruses thanks to its cloud-scanning from PandaLabs’ servers.

But the great part about it is how it works. Watch the video. It’s really slick, blocking malware within 6 minutes of it being encountered by anyone who has it installed; it’s truly real-time updating.

That’s my two cents. You be the judge and try it for yourself.

May 31 2009   7:38PM GMT

Are YOU a Hacker?



Posted by: Ken Harthun
Security, Hacking, Cybercrime, Opinion

Are you? It’s not necessarily a derogatory term. Neither is “geek.” But what does “hacker” really mean? Here’s one opinion:

Someone that is looking to work outside the normal parameters. The media grabs the term and turns it into something bad. Like all hackers are evil and looking to steal your identity, your money and bring down the system in some [sort of] anti-government/corporate protest. Sure there are always extremist[s] on either side of nearly any issue… For a true hacker, statements like, “Never do this…” or “one use only” or even better the golden “authorized users only” tend to get us thinking. What is behind that interface, that door, that piece of tape that will void my warranty if removed, that you are trying to keep me from learning?

Folks, I’m a hacker. I hack computers and networks—it’s part of my job—I don’t do anything malicious, but I dig into things I probably shouldn’t. I’ve always been the kind of guy who takes things apart to see what makes them tick. Usually, I get them back together the way they were. Sometimes, I break them; but I always come away with a better understanding of how things work.

If more people were “hackers,” if more people knew how things work, if more people *understood* how this universe is put together, if more people even cared to look, this world would be a better place.

I’m a hacker. Are you?


May 31 2009   6:56PM GMT

Search for Screensavers at Your Own Risk



Posted by: Ken Harthun
Microsoft Windows, Browsers, Firefox, Internet Explorer, Security, Malware, Microsoft, Opinion, Secure Computing

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,” that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out “The Web’s most dangerous keywords to search for” on ZDNet.com.

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of websites carrying malicious code are legitimate sites, makes for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.


Apr 22 2009   2:09AM GMT

It’s Not Your Fault



Posted by: Ken Harthun
Security, Opinion, Rant, Anti-malware, Anti-virus, Malware, insecure

I’m going to take a lot of heat for this post. Maybe. Unless I’m right (which I usually am). So, let me just get it out of the way: The state of security on the Internet today is NOT YOUR FAULT. Neither is it the fault of the clueless surfers who click on any and every link in their email and say “yes” to every popup on their screen. It’s not the fault of those who love to install the “little bitty kitty” screensavers that are loaded with adware and the ones who use the “fun web products” emoticons and stationery with similar bent. No, it’s not your fault.

It’s M….no, it’s U….no, it’s…hell, it’s the software developers who don’t have a clue on how to write a secure application. The end user—be she a geek or a regular consumer user—has no way of knowing that there are security holes in the software she uses. And she shouldn’t have to be concerned about it, now, should she? NO.

The more I have to deal with the malicious–and sometimes just crappy–stuff that people manage to get on their systems, the more I want to grab the programmers, web app developers, and insecure software purveyors by the throat. Conspiracy theorists speculate that since the anti-malware software industry is a multi-billion dollar cash cow, we don’t have a chance of ever seeing truly secure software. I don’t think that’s true. There’s enough crap out there to keep the anti-malware industry busy for a long time.

But it does make one wonder, doesn’t it?


Mar 20 2009   1:35AM GMT

Another Little Known Tool to Securely Delete Files, Folders, and Volumes



Posted by: Ken Harthun
Cryptography, Data destruction, Data sanitization, Security, Encryption, Security management, Opinion, Secure drive wipe

Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets—and their lives—through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.

But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.

I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little-known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

  1. Quit all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.
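A scripted version of the procedure above, added here as an example and not taken from the Knowledge Base article or from Microsoft: it checks that the target is an existing folder, records free space on the volume before and after, runs cipher.exe /w, and then confirms that the temporary EFSTMPWP folder cipher creates at the volume root is gone. The function name and its parameter are this example’s own.

```powershell
# Added example: wraps the cipher /w procedure from KB 315672 with
# pre-flight checks and a post-run sanity check. Function name and
# parameter are this example's own, not Microsoft's.
function Invoke-FreeSpaceWipe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder identifying the volume whose unallocated space is wiped,
        # e.g. 'D:\' or 'C:\Users'. Existing files are not touched.
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Path '$Path' is not an existing folder."
    }

    # Resolve the volume root so the outcome can be checked afterwards.
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root  = [System.IO.Path]::GetPathRoot($full)
    $drive = New-Object System.IO.DriveInfo($root)
    if (-not $drive.IsReady) { throw "Volume $root is not ready." }
    $freeBefore = $drive.AvailableFreeSpace
    Write-Verbose ("Volume {0} ({1}), free space to overwrite: {2:N0} MB" -f $root, $drive.DriveFormat, ($freeBefore / 1MB))

    if (-not $PSCmdlet.ShouldProcess($root, 'Overwrite unallocated space with cipher /w')) {
        return
    }

    # cipher /w makes three passes over all free space (0x00, 0xFF, random),
    # so on a large volume this runs for a long time, as the KB article warns.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    & "$env:SystemRoot\System32\cipher.exe" "/w:$Path"
    $exit = $LASTEXITCODE
    $sw.Stop()

    # cipher /w works by filling a temporary folder, EFSTMPWP, at the volume
    # root and deleting it when done. If it is still there, the run was
    # interrupted and the volume is now full of wipe files that need removing.
    $leftover = Test-Path -LiteralPath (Join-Path $root 'EFSTMPWP')

    $drive = New-Object System.IO.DriveInfo($root)
    [pscustomobject]@{
        Volume       = $root
        FileSystem   = $drive.DriveFormat
        FreeBeforeMB = [math]::Round($freeBefore / 1MB)
        FreeAfterMB  = [math]::Round($drive.AvailableFreeSpace / 1MB)
        ExitCode     = $exit
        Elapsed      = $sw.Elapsed
        TempDirLeft  = $leftover
    }
}

# Invoke-FreeSpaceWipe -Path 'D:\' -WhatIf   # preview; drop -WhatIf to run
```

A non-zero ExitCode or TempDirLeft of True means the overwrite did not complete and the free space should not be considered sanitized.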

One more tool you can use to mollify your paranoid clients.


Jan 23 2009   2:15AM GMT

Will They Ever Learn to Patch?



Posted by: Ken Harthun
Security, Malware, Zero-day vulnerability, Patch management, Security bulletin, Opinion

The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.

Why any individual PC user would put themselves at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.

You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.


Dec 21 2008   11:19PM GMT

No More Security Updates for Firefox 2



Posted by: Ken Harthun
Security, Browsers, Internet Explorer, Vulnerabilities, Phishing, Firefox, Opinion, Anti-malware

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
[Screenshot: Firefox “Attack Site Blocked” warning]

So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!


Dec 12 2008   9:44PM GMT

Internet Explorer Targeted by Zero-day Attack



Posted by: Ken Harthun
Security, Internet Explorer, Vulnerabilities, Malware, Firefox, Opinion, Remote Code Execution, Critical update, Security bulletin, Zero-day exploit, Zero-day vulnerability

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic ActiveX controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

“The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products immediately perform an update. Furthermore, Symantec recommends blocking the following hosts, which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

• Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.


Dec 9 2008   2:33AM GMT

But Wait! Apple Says it’s Just Kidding About Antivirus



Posted by: Ken Harthun
Security management, Security, Vulnerabilities, Opinion

If you tried to click through to the link in my December 2d article, you probably saw this page:
[Screenshot: Apple’s “Sorry” page]

Apple has taken down their notice recommending that users install multiple antivirus programs on their Mac computers. They said it was “because it was old and inaccurate.”

Could the real reason be that they can’t afford to compromise their expensive ad campaign?

SANS Editor Eugene Schultz says: “Apple needs to quit flipflopping re. whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple’s waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.”

C’mon, Apple. You’ve just lost a ton of credibility with this one.


Dec 2 2008   9:00PM GMT

Own a Mac? Get Anti-virus, says Apple



Posted by: Ken Harthun
Security, Apple, Mac, Virus, Anti-virus, Opinion, Anti-malware

The Mac vs. PC ads are always funny, but this one’s even more of a hoot, especially since Apple quietly snuck out an advisory on November 21 that Mac users should use multiple antivirus programs:

“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”

Needless to say, this is getting a lot of play in the media.

From The Register:

“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attack and applications specific vulnerabilities to infect PCs whatever their underlying operating system might be.”

From the Washington Post:

“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”

It had to happen sooner or later. The Mac user base may be much smaller than the PC’s, but it’s still significant and enjoyed 38 percent market-share growth, going from 6.4 percent of the market in 2007 to 8.5 percent during the second quarter of 2008. Even more significant is the little-known fact that Apple’s market share of the so-called “premium” computer market—machines that cost more than $1,000—hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy “premium” stuff have more money, which can mean a bigger payday for the Internet criminals.

Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?