Internet Security Myths

eWeek recently published a nice article covering survey data that shows user understanding of PC security threats is outdated, which of course may lead to poor security practices.  Overall I like the article, but I take issue with what they claim as “fact” in response to Myth #2, that free antivirus software is as good as paid antivirus software.  Rather than being facts, they are at best half-truths.

The article claims that free antivirus (or more accurately these days, anti-malware) software is missing three things: anti-SPAM, Web Filtering, and Behavioral Analysis. It is true that each vendor makes decisions on how to differentiate their free offering from their paid product.  But those decisions are neither as clear-cut as claimed in the eWeek article nor as relevant as eWeek would have you believe.  Let’s address them in reverse order.

Behavioral Analysis is one of the more modern techniques being used to fight malware.  What it does is look for patterns of activity that seem inappropriate for normal applications.  For example, if an application starts to make changes to the Registry (the database of settings maintained by Windows) that a normal application shouldn’t be making then the application might be malware.  eWeek claims that free anti-malware software doesn’t include Behavioral Analysis while paid software does.  That is false.  Perhaps some vendors use this as a differentiator, but Microsoft includes Behavioral Analysis in its free Microsoft Security Essentials.  Immunet includes it in their free offering as well.  I haven’t looked at others to see if they are using Behavioral Analysis as a differentiator, but just the two examples I cite show that eWeek is at best spreading a half-truth and at worst an outright lie.
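To make the "patterns of activity" idea concrete, here is an added toy behavioral scorer in Python; it is not code from the eWeek article or from any product named above.  It goes beyond the Registry example in the text by also weighting executables dropped in a temp directory and the download-then-execute sequence, and scores constructed process telemetry; the event format, rule weights, threshold, paths and address are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed action by a running process (constructed telemetry)."""
    pid: int
    image: str
    kind: str    # "reg_write" | "file_write" | "net_connect" | "proc_create"
    target: str  # registry value path, file path, host:port, or spawned image


# Registry locations a normal desktop application rarely touches on its own.
AUTORUN_KEYS = (
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
TAMPER_KEYS = (
    r"HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER",
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM",
)
EXEC_EXT = (".EXE", ".DLL", ".SCR")
THRESHOLD = 50  # assumed cut-off; the weights below are illustrative, not any vendor's


def score_process(events):
    """Score one process's events with weighted rules; return (score, reasons)."""
    score, reasons = 0, []
    connected = False   # has this process talked to the network yet?
    dropped = set()     # executables this process wrote to disk
    for e in events:
        t = e.target.upper()
        if e.kind == "reg_write" and t.startswith(AUTORUN_KEYS):
            score += 40
            reasons.append("autorun registry entry")
        elif e.kind == "reg_write" and t.startswith(TAMPER_KEYS):
            score += 30
            reasons.append("security policy tampering")
        elif e.kind == "file_write" and t.endswith(EXEC_EXT):
            dropped.add(t)
            if "\\TEMP\\" in t:
                score += 20
                reasons.append("executable dropped in a temp directory")
        elif e.kind == "net_connect":
            connected = True
        elif e.kind == "proc_create" and t in dropped:
            # Correlating events is what separates this from a single-event rule:
            # connect, write an executable, then run it is the downloader pattern.
            score += 30 if connected else 15
            reasons.append("ran a file it wrote" + (" after network activity" if connected else ""))
    return score, reasons


def classify(events):
    """Group events by pid and score each process: {pid: (image, score, reasons)}."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    return {pid: (evs[0].image, *score_process(evs)) for pid, evs in by_pid.items()}


def flagged(events, threshold=THRESHOLD):
    """Pids whose score meets the threshold, i.e. would be blocked or quarantined."""
    return sorted(pid for pid, (_, score, _) in classify(events).items() if score >= threshold)


# Constructed sample telemetry; the process names, paths and address are made up.
SAMPLE_EVENTS = [
    # pid 1001 behaves like a trojan downloader: fetch, drop, persist, execute
    Event(1001, "download.exe", "net_connect", "203.0.113.10:80"),
    Event(1001, "download.exe", "file_write", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Event(1001, "download.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(1001, "download.exe", "proc_create", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    # pid 2002 is an ordinary installer that also registers an autorun entry
    Event(2002, "setup.exe", "file_write", r"C:\Program Files\ExampleApp\app.exe"),
    Event(2002, "setup.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp"),
    # pid 3003 is a text editor saving a document
    Event(3003, "notepad.exe", "file_write", r"C:\Users\bob\notes.txt"),
]

if __name__ == "__main__":
    for pid, (image, score, reasons) in classify(SAMPLE_EVENTS).items():
        verdict = "SUSPICIOUS" if score >= THRESHOLD else "ok"
        print(f"{pid} {image:<14} score={score:<3} {verdict} {reasons}")
```

The installer (pid 2002) writes the same autorun key as the downloader but stays under the threshold because it does nothing else unusual, which is the false-positive trade-off any behavioral engine has to tune.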

What about Web Filtering?  This may be a more accurate claim in terms of technical fact, but is it relevant?  Microsoft IE8 and IE9 already include the SmartScreen Web Filter and thus Microsoft sees no reason to include it in Microsoft Security Essentials.  Instead Microsoft continues to throw resources at improving SmartScreen.  Chrome, Firefox, and Safari use a similar service offered by Google.  In fact, in most cases the Web Filtering offered by paid anti-malware products is redundant and you don’t need it anyway.  So now you aren’t down to a free vs paid decision, you are making a decision on if SmartScreen is good enough or if another Web Filtering client does a better job of filtering malware distribution websites.  (There is one other reason for a third-party Web Filtering client, if you want to disable access to legitimate sites for some reason; for example a small business that wants to block its employees from shopping on Amazon, etc. during business hours).  Overall though, it is disingenuous to claim that lack of Web Filtering in free anti-malware products is a significant issue.

Lastly anti-SPAM.  It may in fact be true to say that free anti-malware software doesn’t include anti-SPAM components, but is it relevant?  Microsoft has included anti-SPAM directly in Outlook, Windows Live Mail, the older Outlook Express, and Hotmail.  Both Yahoo Mail and Google’s GMail also include anti-SPAM support.  Any enterprise mail system, and most ISPs, will use an anti-SPAM product such as Microsoft’s Forefront Protection for Exchange to filter mail before it ever gets to your account.  So once again installing a third-party anti-SPAM product on your system is redundant and almost always unnecessary.

So how do the two vendors I mention, Microsoft and Immunet, differentiate their free vs. paid products?  In Microsoft’s case it is Management.  Microsoft Security Essentials includes none of the multi-system monitoring and management capabilities that all but the smallest businesses demand.  Those features are only in the paid Forefront Endpoint Protection product.  This differentiation is totally irrelevant for consumers.  In the case of Immunet they reserve two features for their paid Immunet Plus product, Rootkit Protection and a second on-device anti-malware engine.  If you use Immunet as your only anti-malware product then this is a significant difference.  However, Immunet pretty much only markets their free offering as a supplementary anti-malware capability that works with your existing anti-malware software.

There are certainly tradeoffs involved in using free anti-malware software rather than paid software, but for most users they are irrelevant.  eWeek got this one wrong.


The insanity of using public computers

I approached the public PC in the lounge of Holland America’s Eurodam as though it carried the plague, and perhaps it did. The anti-malware signatures were out of date, a victim of the PC only having Internet connectivity when a user signed on to the wifi network and was being billed. Windows Update showed it had never been run. And oddly, it was kept logged in to an Administrator account at all times. Any of Eurodam’s over 2000 passengers could use the PC and infect it with whatever malware lurked in their email or visited websites. It was the mother of all infection carriers.

I backed away slowly. This was not a PC that I’d ever use. I slathered my hands with the nearby Purell hand sanitizer, not once but twice. As if I expected it to kill the deadly viruses in the public PC. Electronic death was waiting for someone, and there was little I could do to save them. But, YOU have been warned.


Microsoft to acquire {NVIDIA|Nokia|Yahoo|Whoever}

Over the last few weeks there have been rumors that Microsoft would acquire Nokia, which were completely denied, followed by rumors that Microsoft would acquire NVIDIA.  The latter were caused by a clause in a contract Microsoft has with NVIDIA that would allow Microsoft to acquire them if, basically, someone else tried to.  The existence of a “right of first refusal” or similar language in major contracts is not unusual.  I guess the press blowing it all out of proportion isn’t unusual either.  When you don’t actually want to acquire someone, but you have placed a bet on them such that having them go out of business or be taken over by a competitor could do you material harm, you look for ways to protect yourself.  For example, when companies purchase software from a small to mid-size vendor they generally require that vendor to put a copy of the software in escrow.  Then if the vendor goes out of business the purchaser can take the software out of escrow to maintain it themselves.  Or, as in the case with NVIDIA, you can take measures to ensure that a competitor can’t acquire them and deny you access to the technology.

I don’t know what the deal Microsoft has with NVIDIA really means.  Perhaps it is, as most press speculation focuses on, that NVIDIA is so important to the tablet market that Microsoft wanted to make sure Apple didn’t acquire them.  But frankly I find that one a little bit of a stretch.  It certainly is possible, but I would think it is in Microsoft’s best interest to provide encouragement for more competitors in this space rather than be defensive about one.  Not only that, it is the OEMs/ODMs who would really worry about losing access to NVIDIA’s chips more than Microsoft.  At least under this scenario.  So I think there is more here.  What would really justify this clause is if Microsoft and NVIDIA were engaged in a project such as the design of a chip for a next generation XBox.  That would be the kind of situation that demanded Microsoft protect itself from a competitor purchasing NVIDIA.

Today I saw one blog post expressing the idea that if Microsoft isn’t going to acquire Nokia then perhaps Samsung was preparing a bid.  Now that is probably 100% speculation on the blogger’s part, though I could see Samsung considering it.  However, how much do you want to bet that there is some kind of “right of first refusal” in the Microsoft/Nokia contract as well?  In fact, I wonder if that was what started the Microsoft acquiring Nokia rumors a couple of weeks back!

The problem with both these wanna-be acquisitions is that neither easily fits into Microsoft.  There are two things to keep in mind.  The first is that Microsoft is neither a conglomerate of little or loosely related businesses nor a single business; it is a collection of mutually reinforcing businesses.  The second is that it has a really spotty record as a hardware company (the mouse/keyboard business aside) and doesn’t see itself wanting to become more of one.  The Zune was a failure.  The XBox 360 is hugely successful, but recall the “Red Circle of Death” teething problems it had and the $Billions that cost Microsoft.  The only reason Microsoft sells its own gaming console is that the business model doesn’t work for OEMs.

Microsoft could have responded to the iPhone by building its own phone.  After agonizing over this, Microsoft chose to stick with the OEM/ODM model that has been its strength since the company first entered the OS business (and is generally considered Bill Gates’ most significant business innovation).  Purchasing Nokia would be a reversal of direction, screwing half a dozen or more other partners in the process.  I have no doubt that Steve Ballmer would do this if he came to the conclusion that it was the only way to succeed in the smartphone market.  But as Android has already demonstrated that the OEM/ODM model still works, Microsoft needs to tweak its model (and product and marketing) rather than reverse itself.  On the other hand, if Microsoft found itself unable to get sufficient OEM/ODM commitment then it would have to get directly into the phone business.  So an acquisition of Nokia, which Microsoft has bet on to give it traction, by another phone maker would force Microsoft to reconsider its position.

NVIDIA doesn’t fit Microsoft’s mutually-reinforcing businesses model, and it is a hardware undertaking, and it is a chip business (which Microsoft has absolutely no experience with).  I’m sure Microsoft has no interest in actually owning NVIDIA (not that someone hasn’t suggested it; name a company and I’m sure someone in Microsoft has said “why don’t we just buy them” at some point) other than protecting its access to technology.  In fact, if it ever was forced to buy them to prevent a competitor from doing so I’m sure they would look to spin it back out, or sell it to a friendly partner, pretty quickly.

I can think of a dozen companies Microsoft should acquire, but they are almost never the ones that hit the rumor mill.  So while NVIDIA and Nokia are all the rage, I expect the next actual Microsoft acquisition will be more of a surprise.  Just like Skype.


Is Symantec also in the Scareware business?

A few weeks ago I wrote about the Adobe/McAfee Security Scan Plus Scareware debacle.  Well, Symantec’s faux pas isn’t nearly as bad but I still think they need a slap on the wrist.  If you run their free web-based Symantec Security Check (SSC) on a system that has Microsoft Security Essentials (MSE) installed SSC reports you are at risk with an explanation of “WARNING! No known virus protection software found.”  And of course they then want to show you Symantec’s Norton products that you can buy to address this problem.  This is pretty low.

Let’s contrast Symantec’s approach with that of Microsoft.  SSC reports no Anti-Virus software installed when MSE is actually installed.  Microsoft/Windows Update only offers to install MSE when no other Anti-Virus product is installed.  And both Microsoft/Windows Update and the Windows 7 Action Center (Security Center in earlier Windows versions) consider Norton AV as a valid Anti-Virus product.

I consider what Symantec has done with the Symantec Security Check borderline Scareware.  Claiming that MSE is inferior to their offering and trying to sell you a Norton product would be perfectly valid, but denying that MSE is even a valid Anti-Virus product is not.

There are many times I wish Microsoft would “grow a pair” and go on the offensive against vendors like Symantec.  Microsoft could simply respond to SSC by removing Symantec products from the web page of Anti-Virus products it displays when you click on the Action Center link for finding an AV product for your unprotected PC.  The press will love the controversy and make a huge deal out of it, and Symantec will no doubt try to paint Microsoft’s action with the Monopoly brush.  But Symantec will be the ones wearing no clothes.  More aggressive moves like having Microsoft/Windows Update offer to replace Norton AV with MSE are also possible (and would no doubt be the chosen tactic if we were talking about unapologetically aggressive Oracle rather than relatively timid Microsoft) but those have much more legal risk.

Sadly Symantec’s behavior with SSC strains its credibility.  Legitimate security firms should not be using Scareware-like tactics to sell their products.  They shouldn’t need to as their products must have legitimate customer benefits they can tout.  Or don’t they?


Launch a Cyberattack, receive a Cruise Missile as a reward

The Wall Street Journal has two articles today that are on-topic for Information Technology (IT) Security.  The first is that the U.S. Defense Department has concluded that a cyberattack can constitute an Act of War, and thus be responded to using conventional measures.  That isn’t a surprise at all, and I do think it is prudent to create a policy and set of rules in advance rather than wait for the “9/11” of cyberattacks to occur and then start debating about what our options are.  No doubt in most cases we would want to respond to a cyberattack in kind, that is with a cyberattack of our own.  But there will be cases where use of kinetic weapons is called for (e.g., a cyberattack by a state entity that causes significant loss of life) and we are just so much better off to think that situation through in advance.

The other article is far more conventional and points out that hacking of organizations is on the rise.  While the article suggests that CEOs/CIOs are starting to pay more attention to IT Security, I have my doubts.  They’ll give it lip service, but will they really make significant tradeoffs in IT spending or practices to favor security over productivity and ease of use?  I doubt it.  Will IT Security updates become regular parts of CEO staff meetings and corporate Board meetings?  Will we start to see statements added to quarterly and annual earnings reports about steps organizations are taking to protect their information assets?  I have my doubts.  I guess one of the first things we can look for is if the CSO/CISO position is elevated to report directly to the CEO rather than to the CIO (or CFO, or even lower in the organization).  That would tell me the CEO is serious about taking responsibility for the organization’s information security.


Why you need more than one Anti-Malware product protecting you

I recently downloaded a file that I knew would be Malware.  It was called document.zip and was attached to a piece of mail that allegedly came from someone at FedEx.  The email headers were forged, and the mail itself wasn’t very convincing, so I knew it must be Malware.  This mail was sent to a Yahoo account, and Yahoo uses Symantec Norton AV as its anti-Malware scanner.  On download Norton failed to detect this as Malware (and when I submitted the file for multi-engine analysis through Virustotal.com it confirmed that Symantec fails to detect this Malware).  Fortunately, I have Immunet installed and it indeed caught this one on download.  Overriding Immunet I was able to download the file despite having Microsoft Security Essentials (MSE) installed, but when I tried to execute the download.exe contained within the zip file, Microsoft Security Essentials detected it as TrojanDownload:Win32/Chepvil.K.  In this case both products would have protected you, but I like that Immunet protected me earlier in the download cycle than Microsoft Security Essentials.  It may be that Immunet is better than MSE at unpacking ZIP files.  But, fully 45% of Anti-Malware products fail to detect the ZIP file, and 40% fail to detect the EXE file, as Malware.

All that isn’t as interesting as Symantec’s failure to protect me from this threat.  It detects neither the ZIP nor the EXE file as Malware.  I got lucky in having different Anti-Malware software on my PC than is used by Yahoo to scan its email.  If the PC was protected by Symantec, and that was the only Anti-Malware product on the PC (recalling that little-used Immunet is the only real-time product that can co-exist with other Anti-Malware), then my PC would have been infected.

I think this leads to two recommendations for consumers and a related one for organization system administrators:

1) Whatever Anti-Malware product you choose to run on your PC, you should also run Immunet.

2) If possible, use a different Anti-Malware product on your PC than is used by your email provider to scan email attachments.  If you use multiple email providers then this becomes difficult, or impractical, and installing Immunet alongside your chosen Anti-Malware product becomes more important.

3) If you are running an organization’s email system, use a multi-engine Anti-Malware scanner to scan incoming attachments.  Or if you use a single scanner, make sure your organization buys Anti-Malware for email and for endpoints from different vendors!


Malware or Not?

I’ve been doing an interesting experiment, in a virtual machine on a separate PC with no personal information at all on it.  I’ve been going through SPAM emails and clicking on every link to see what happens.  It is an interesting exercise.  For example, I recently wrote another blog entry about how time cures much in the way of SPAM-based malware attacks because the offending web sites are typically blocked or taken down within 24 hours.  Now on to a little anatomy of one piece of SPAM I’ve been getting, and how it continues to be an issue.

I’ve seen a number of mails for different on-line gambling sites, and they all lead to the same URL in Russia.  In order to participate you have to download an app.  Can you guess what an app being offered up by a gambling site in Russia that draws in people via SPAM is likely to be?  You got it, Malware.  So I downloaded the installation file (GrandDollar_setup.exe) and submitted it for analysis by most of the anti-Malware engines out there via the Virscan.org website.  About 30% of the engines, mostly obscure ones, flagged this installation file as Malware.  The majors, including Microsoft, Symantec, McAfee, etc., don’t find anything wrong with the file.  You can check out what the different engines think of this setup file at http://file.virscan.org/report/5ce4eac19f478b99a3ee95f7a077f373.html

We are left with the question of whether the detections by the more obscure anti-Malware engines are false positives, or whether the major anti-Malware vendors are just exceedingly slow to respond to the threat (i.e., apparently people have been looking at this since January).  I think the answer is neither.  I think that analysis of the Setup file continues to show no clear sign of actual malware, but that a number of engines flag it as such because there just seems to be so much about it that is fishy even if they can’t find the smoking gun.

Next I ran the setup file, and once installation is complete you have a new app on your PC called Crazy Slots Casino.  I run Crazy Slots Casino and it proceeds to run for five minutes updating files and downloading new components.  Hmm, could this be where Malware gets on your system?  Well, I notice that the app doesn’t have a way to exit (e.g., no [x] on the upper right of the Window).  The shortcut placed on the desktop lacks an icon, indicating a rather sloppy setup program.  The App also uses Adobe Flash, which has been a major source of vulnerabilities over the last year.  This is all very suspicious.  But anti-Malware scans continue to find nothing wrong.  Next I see you have two choices: you can play for fun or you can play for money.  If you select to play for money then you have to enter your personal information (name, address, BIRTHDATE, etc.).  Then you have to go to the Cashier and put money in your account using a credit card.  Ok, so even if this app places no Malware on your system you are being asked to provide all your personal information by an app you downloaded from a Russian website that a piece of SPAM took you to.  This sounds bad.  Very bad.  I would guess there is a 99% chance this is identity theft.  But does that make it Malware?

Perhaps GrandDollar_setup.exe/Crazy Slots Casino isn’t a Virus, Rootkit, etc. but it certainly seems to meet the definition of Malware.  So why then are all the major anti-Malware vendors failing to classify it as such?  I think it is because this app has skillfully skirted the boundaries.  It doesn’t appear to do anything nasty to your system, and there is no real evidence that they are gathering the personal information for any purpose other than to facilitate on-line gambling.  This causes the “big boys” to let it pass, while smaller more aggressive anti-Malware players take the chance that it is a false positive.

I do want to put in a plug for IE9’s Reputation-based filtering on this.  IE9 doesn’t report this as Malware, it reports it as a file that is not commonly downloaded (because it doesn’t have a positive reputation) and tries to keep you from downloading it.  I jumped through the appropriate hoops to download it, despite IE9’s best attempts to stop me, so I could see what happened.  It will be great if Windows 8 just refuses to install or run an application (unless you jump through hoops) that doesn’t have a good reputation.  Imagine how much Malware that will stop dead in its tracks!

Where does this leave you as a user?  Well, I’m going to have to invoke Darwin here.  Anyone who follows a link in some email that has been flagged as SPAM, to a site in Russia, then downloads software from that site despite warnings it is suspicious, then gives that software a wad of personal information including a credit card, deserves what they get.  There is only so much that software or the law can or should do to protect you.

For those who would prefer a higher level of protection than they are currently getting even if it means more false positives I do have a recommendation.  Immunet is the only vendor I know of who makes a real-time anti-Malware solution that can be installed alongside existing anti-Malware such as Microsoft Security Essentials (MSE).  In my experience they do have more false positives than MSE but also seem to catch some real issues that MSE (and others) miss.  For example, Immunet does consider GrandDollar_setup.exe to be Malware (W32.Trojan.a9b9) and prevented it from running on my machine.  For years email anti-Malware filtering solutions such as Microsoft’s FOPE have used multiple engines in their filtering of email as a way to increase the odds of detecting Malware.  By installing Immunet alongside your existing anti-Malware solution you can now get the same benefit on your PC (or as security people sometimes call it, Endpoint).


Expect a slow Q3 for Windows Phone 7 Apps

I fully expect the pace of new apps coming out of the Windows Phone 7 marketplace to decline over the summer before accelerating wildly this fall.  The reason is pretty obvious: developers are going to be turning their attention to the forthcoming Windows Phone 7.5 (aka Mango) rather than continuing to develop for Windows Phone 7.

While Windows Phone 7 was certainly a competent entry into the consumer SmartPhone arena, it is Mango that looks truly compelling.  For developers of both consumer and enterprise apps, Mango just has so many goodies that continuing to develop for NoDo doesn’t make a lot of sense.  Weak Windows Phone 7 sales mean there is no need to stake out your territory now, while failure to have an app that fully exploits Mango when it ships this fall could leave you in the dust.  So developers are going to tend to finish up apps that were nearly done anyway and get them into the Windows Phone Marketplace over the rest of May and into June, but new starts or apps that are in the early stages of development will choose to target Mango.  That means we’ll see few new app submissions in Q3 (July, August, September).  Not only will new app submissions accelerate once Mango becomes available in Q4, I think the floodgates will open and the submission rate will dramatically exceed the peaks Microsoft has seen so far.

By the way, for those who wonder why Microsoft apparently won’t call Mango Windows Phone 8 there are essentially two clues.  The smaller one is that the OS kernel isn’t changing significantly, and that is a key historical justification for a new major release number.  The more important one is that Mango is more of a completion of the original Windows Phone 7 vision than a “what’s next” release.  You can even see this clue in the original name Microsoft announced, “Windows Phone 7 Series”.  That proved to be so unwieldy that the “series” was dropped from the name.  But the concept wasn’t.

Sadly the next few months are going to be kind of boring for Windows Phone 7 owners.  But they are going to be extremely exciting for developers, and pundits.


Adobe Reader installing McAfee Security Scan Plus Scareware

When I recently upgraded a couple of computers to the latest version of Adobe Reader I discovered something very disturbing.  The download installs software from McAfee (of all people) that amounts to Scareware (a type of Malware that tries to scare you into downloading software).  This software (McAfee Security Scan Plus) is useful in that it performs a security scan on your system, but how it does so and presents itself to users is quite objectionable.

After installation McAfee Security Scan Plus runs and presents a screen that is basically intended to scare you into switching your anti-malware solution to McAfee.  For example, I rely on IE9’s SmartScreen rather than a 3rd party solution to protect myself from malware-infested and phishing websites.  As a result, McAfee Security Scan Plus reports my system as not having URL-filtering software installed and presents the same insistent warnings and button to upgrade as one finds in Rogue AV Scareware.  If you press the button it will uninstall your current anti-malware software and install McAfee (of course).  And it will re-run automatically and do this every week by default.  You can change settings to have this Scareware run every day or every month, but there is no option to disable it!  To make matters worse, I just had a random pop-up trying to get me to purchase McAfee software.  So this ugly beast is not only Scareware it is Adware as well!

The Adobe Reader download page does have an opt-out of the McAfee Security Scan Plus Scareware download, but it is very hard to notice (it is in the upper right corner).  The requirement that you must opt-out (rather than opt-in) of this download just adds to Adobe’s reputation as a distributor of unwanted software.  They do the same thing with the Google Toolbar, although at least in that case the opt-out is positioned so you can more easily find it.  But every time you patch an Adobe product you have to make sure to uncheck the box (now boxes) for any unwanted products they’ve attached to their distribution.  This is not only a pain (because if you miss them you have to go uninstall the unwanted software), it is also slowing the deployment of security patches.  Because Adobe’s “patches” are actually re-installs with significant user interaction I see users ignoring/deferring them for long periods of time.

Shame on Adobe for their horrible practices of distributing unwanted software.  It makes me align with Steve Jobs in wanting Flash obliterated from the web so I can eliminate one Adobe download.  I’m also happy to see the growth in alternative PDF rendering engines so that hopefully soon we can also eliminate Adobe Reader from the list of near mandatory downloads as well.

And Double Shame on McAfee for designing McAfee Security Scan Plus to behave and look like Malware.  Having a (formerly?) legitimate security vendor adopt the techniques of the Rogue AV vendors is a sad milestone in the software industry.  And frankly, anyone looking to buy security software should now seriously question the appropriateness of having McAfee as their vendor.
