Windows Patch Tuesday – September 2011
If you use Windows, it’s patch time. Microsoft will address a variety of flaws across its Windows, Office and Server products. All five bulletins are rated Important, not Critical. One remote code execution bulletin affects Windows XP, Windows Vista and Windows 7. Microsoft does not detail the exact flaws until the security fixes are available on Windows Update. Microsoft also released an updated security advisory on Tuesday that added six more DigiNotar root certificates to the Windows Untrusted Certificate Store.
Microsoft’s September Patch Tuesday is relatively quiet compared to August, when the company issued 13 bulletins addressing 22 vulnerabilities, including some critical vulnerabilities in Windows, Internet Explorer, SMB server, MP3 codecs, Cinepak codecs, Office, .NET and others.
This is the first Patch Tuesday in recent memory without a single Critical update. It is also a relatively small release, consistent with the cycle of smaller patches every other month.
Top priority should be given to the remote code execution Microsoft Office patches that affect Excel 2003 through Excel 2010 and Office 2003 through Office 2010. Another high priority is the Windows patch that fixes a remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008. The other patches can be treated with lower urgency, because an attacker would already need low-privilege access to the target system before being able to exploit them. This includes the Windows 2003/2008 and SharePoint Server 2007 security updates.
Watch out: patches sometimes add a mountain of stuff you do not want, in addition to fixing software that should never have been broken in the first place. So make a full system backup first, before inviting in whatever comes with the patches.
Online Safety – 5 Secrets
In any given week, I get dozens of requests for help. The most common question is this: “How do I protect myself online?” These days I’m getting that question in equal numbers from PC and Mac owners who are concerned about the best way to avoid being sucker-punched by social engineering attacks.
Many people think that security begins and ends with antivirus software. I disagree. Should you run antivirus software? As I’ve said before, if you don’t know the answer to that question, then the answer is yes.
So let’s stipulate that you’re running a well-supported, up-to-date security program—whether you use a PC or a Mac. What else do you need to do? In this post, I share the five steps I teach to friends, family members, and clients who want to avoid malware, scareware, phishing sites, and other online scams.
If you’ve been paying attention to the current threat landscape, much of the advice in this post will be familiar, even obvious. A lot of it is just common sense, but some is unconventional wisdom. Yes, of course you should expect to be attacked if you download porn or pirated software. But just staying out of bad online neighborhoods isn’t sufficient anymore.
These days, threats can come from unexpected places: Google (and Bing) search results, compromised websites, deceptive ads, seemingly innocent downloads. You don’t have to be doing anything out of the ordinary to inadvertently stumble across one of these potential threats.
If I had to summarize my guidance in a single sound bite, it would go something like this: Pay attention to your surroundings, don’t be stupid and don’t run around on the web with full administrative rights on your computer. Better yet, give Linux Mint a try http://jet-computing.com/linux/linux-mint/
Alright then, let’s break that down.
1. Don’t panic.
To borrow from a classic Monty Python sketch, the two … no, three chief weapons of online criminals are “fear and surprise…and ruthless efficiency.” Their goal is to appear when you don’t expect them and convince you to act hastily. Online criminals often play on fear (your PC or Mac is infected with malware!) or simple social engineering (try these smileys! oh, and you need this codec—fake, of course—to play an enticing video clip).
The antidote to Monty Python, of course, is Douglas Adams, for whom “Don’t panic” was the secret of successful intergalactic hitchhiking.
When in doubt, stop. Think. Ask for help. If you’re truly worried, pull the plug on your Internet connection temporarily until you can call a knowledgeable friend or drag the machine in to a specialist for a thorough diagnosis.
You should, of course, have a regular backup routine. Mechanical failures (a crashed hard drive or a dropped notebook) can be even more devastating than a malware attack. With Windows 7, you can use the built-in backup program to save an image backup on an external hard drive; you can do the same thing on a Mac using Time Machine. Restoring a full backup is easy, especially if the alternative is spending hours trying to track down a well-hidden infection.
And don’t be paranoid. I can’t count the number of times I’ve heard from otherwise smart people who break out all sorts of terrible tools—registry cleaners and system optimizers being the worst offenders—at the first sign of trouble. Those snake-oil programs, in my experience, tend to make the problem worse.
Drive-by downloads and other sneak attacks are, fortunately, extremely rare. Yes, they happen, but the overwhelming majority of attacks aim at vulnerabilities that have been patched months or even years earlier.
Bad guys prey on the weak, technically unsophisticated, and ill-informed who don’t update regularly. You really, really want to avoid being a part of that group. It’s easy:
- If you use Windows, turn on Windows Update and set it to automatically download and install updates. Those updates include Windows components like Internet Explorer. If you use other Microsoft software (Office, Silverlight, Windows Live Essentials, and so on) enable Microsoft Update, which is available from the Windows Update configuration screen.
- If you use OS X, turn on Apple Software Update and set it to automatically download and install updates.
And don’t overlook potential attacks through third-party software. On any platform, it is essential to regularly update not just the operating system and its components, but also any popular Internet-connected program. That means browsers like Chrome and Firefox, utilities like Adobe’s Flash and Reader, runtime environments like Java, Silverlight and Adobe AIR, and media players like iTunes and QuickTime (on Macs, the latter two programs are included with system updates).
To make the process a little easier, I enthusiastically recommend Ninite, which automatically updates third-party software using the same URL you use to install the originals. It keeps unwanted add-ons and third-party programs at bay, too.
Since I wrote that post, Ninite has introduced a new product, the Ninite Updater, which “alerts you when any of the 92 Ninite-supported apps become out of date. It doesn’t matter if your apps were installed with Ninite or not.”
Alas, this utility is not free. The single-user package is $10 per year, and a 5-PC family pack is $30 a year. But it might be worth it for the peace of mind.
Home users can find a free alternative in Secunia Personal Software Inspector (PSI). Although it’s nowhere near as comprehensive as Ninite’s offering, it’s a good way to cover the most important threats.
3. Learn how to make smart trust decisions.
As I mentioned at the beginning of this post, social engineering is the weapon of choice for online criminals these days. Attacks can take all sorts of forms, from conventional phishing e-mails to sophisticated and convincing malicious download sites. The best countermeasure? Education.
You’re asked to make trust decisions many times every day. Some of those decisions involve programs, people, and businesses with whom you have lots of experience already. But others involve complete strangers, and still others ask you to decide with only limited information.
Any time you open an e-mail message or visit a web page, you face a possible trust decision.
Should you trust the sender of an e-mail?
Spam is one of the primary vectors for phishing attacks and financial scams, but it’s also a way to lure unsuspecting PC and Mac users to sites that deliver malware.
Spam filtering services have become very effective and can do a credible first pass on your inbox. The better your spam filter, the more likely it will recognize a fraud that could have sucked you in.
Based on my recent experience, both Hotmail and Gmail use extremely accurate spam-blocking technology. If your e-mail provider can’t properly filter spam, consider forwarding your e-mail through a Hotmail or Gmail account.
And don’t overlook the client program you use. Microsoft’s flagship e-mail programs, Outlook and Windows Live Mail, display HTML-formatted messages differently when they are in the Junk folder.
Here’s a crude but unremarkable phishing message as it appears in the Outlook Inbox folder. An unsophisticated recipient might be tempted to overlook the bad grammar and click.
But in Outlook’s Junk E-Mail folder that same message is displayed in plain text, without graphics or HTML formatting. In addition, the hyperlinks show the actual target address in the message window. That turns the once-slightly-convincing message into a laughable mess, complete with bogus hidden text.
If the message appears to be from a friend or other known contact, it’s possible that the sending account was hijacked. If you have even the slightest doubt about the actual target of a link, don’t click it. That’s doubly true if it’s from a social network.
Should you trust a web page?
When using a browser, you need to learn how to read the address bar, especially at two key decision points.
First, anytime you are asked to enter your login credentials, your Spidey sense should tingle. You need to be able to spot a website that is trying to masquerade as someone else. If you have any doubt that a login page is legitimate, close the browser window and open a new session by manually typing the domain name and navigating to a login page from there.
Both Internet Explorer and Chrome provide important information in the address bar, displaying the actual domain name in black and muting the rest of the address to a still-readable shade of gray. Here’s how it appears in Internet Explorer 9:
Second, learn how to identify a secure connection, where traffic is encrypted from end to end. Every modern browser displays visual cues (including a padlock icon) when you’re using a secure SSL connection. For sites that use Extended Validation certificates, you get additional feedback in the form of a green address bar, as shown here for Chrome.
The final online trust decision people make regularly is so important it deserves its own page…
4. Never install any software unless you’re certain it’s safe.
The biggest trust decision of all arises when you’re considering installing a new piece of software on a PC or a device. If you have any doubts about a software program, you should not install it. Period.
One great way to remain safe online is to set a high bar for software. You need solid, up-to-date information to help you decide whether a file is safe, unsafe, or suspicious. Then you need information about whether the program is reliable and useful, whether it’s compatible with other software you use, and whether it can be easily removed.
Here are the three key questions to ask about any program before clicking Yes on the installer:
Did it come from a trusted source?
It’s hard to believe that someone would actually say yes to a software installer that randomly appears when they visit a web page. But people do, which is why fake antivirus software is a thriving business. The simple act of clicking No—or forcibly closing an installer window if necessary—can save you hours of cleanup.
Is it signed with a valid digital signature?
In developing the SmartScreen technology used in Internet Explorer 9, Microsoft security researchers discovered a startling fact about the dangerous downloads they were blocking.
[T]he IE9 version of SmartScreen includes a new set of algorithms designed to test the reputation of this executable file. Has it been seen before? Is there anything about the file name or the domain that looks suspicious?
In fact, one of the most important questions to ask is this one: Is the executable file digitally signed? Microsoft’s researchers found that roughly 96% of all those red warnings are attached to unsigned, previously unseen files. The algorithm assumes that a file—signed or unsigned—is untrustworthy until it establishes a reputation. No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.
In Windows, you can check for the presence of a digital signature by right-clicking a file and choosing Properties. Here, for example, is the digital signature information for the officially released Xvid codec installer; the rogue version doesn’t have a digital signature.
A digital signature doesn’t mean a file is safe. It does, however, mean that you have important information, and a chain of trust, about the person or company who created the file. A digital signature also guarantees that the file hasn’t been tampered with since it was signed.
In some cases, you might be willing to trust an unsigned file. You should only do so if you are confident that it is exactly what it claims to be and nothing more.
What does the security community say about the download?
If running a questionable program through one antivirus scanner is good, then checking with 43 separate scanners must be, well, 43 times as effective. That’s the theory behind Virustotal (VT), a free and independent web-based service. In a matter of minutes, you can upload a questionable file and have it checked by a large cross-section of scanning engines using up-to-date definitions.
Here’s what a Virustotal report looks like:
One detail worth looking for when you submit a program is whether it’s been analyzed by VT before. If the executable file you’re analyzing is a well-known, established program, you can bet it’s been examined already. Here, for example, is what I saw when I submitted a signed Xvid codec installer, obtained from a well-known and trusted site:
If you’re uncertain about a file, one option is to set it aside for 48 hours and then resubmit it to Virustotal. That’s usually enough time for antivirus engines to identify a new strain of malware and add it to their definition files.
5. Be smart with passwords.
Has your favorite website been hacked lately? These days, it might be easier to make a list of the high-profile web sites that haven’t been broken into.
Thanks to LulzSec and Anonymous, millions of people have had the dubious pleasure of seeing their usernames and passwords posted publicly on the Internet. Last month, LulzSec snagged more than 1 million accounts from Sony Music and Sony Pictures servers. The usernames, passwords, and personal details stored there were posted on the Internet for anyone to see.
You might not be too concerned that someone can log on to your Sony account and pretend to be you. But what if someone goes to Google Mail or Hotmail and tries your email address and that same password? If you used the same password as the one on your Sony account, the bad guys are in. They can send and receive messages that appear to come from you. They can download your email archives, which can include correspondence from your bank and from online shopping sites like Amazon.com. In a very short period of time, they can do a very large amount of damage.
Repeat after me: Never use the same password in multiple places, and be especially vigilant with passwords for e-mail accounts.
It’s a royal pain to create and remember unique, hard-to-guess passwords, but that is nothing compared to the misery you will experience if a determined thief starts messing with your identity and your finances.
Sadly, an awful lot of people reuse passwords, as software architect and Microsoft MVP Troy Hunt found when he grabbed those leaked Sony files, extracted 37,000+ pairs of usernames and passwords, and did some quick analysis. The entire analysis is a good read, but I zeroed in on this part:
When an entire database is compromised and all the passwords are just sitting there in plain text, the only thing saving customers of the service is their password uniqueness. Forget about rainbow tables and brute force – we’ll come back to that – the one thing which stops the problem becoming any worse for them is that it’s the only place those credentials appear. Of course we know that both from the findings above and many other online examples, password reuse is the norm rather than the exception.
Hunt compared the contents of the hacked Sony database with identical addresses from the Gawker breach of last year and found that two-thirds of the addresses on both lists used the same password. This ratio doesn’t surprise me, and I suspect it might even be a little low.
If you’re guilty of this offense, it might seem overwhelming to try to fix your entire collection of passwords at once. So start small, by creating new, unique, hard-to-guess passwords for your e-mail and bank accounts.
What makes a good password?
- It’s at least 8 characters long, preferably 14 characters or more.
- It is not a word that can be found in any dictionary or list of common names.
- It uses at least three of the four available character types: capital letters, lower-case letters, numbers, and symbols (such as punctuation).
- It’s easy for you to remember and difficult or impossible for someone else to guess.
And one more tip: if you anticipate that you will be entering a password regularly on a handheld device, consider how the virtual keyboard on that device works. Instead of a password like Rh1ZJk#U, consider grouping the different types of characters together for quicker input: RZUUJ1hk#.
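Troy Hunt’s reuse comparison above and the four password rules can both be checked mechanically. This is an added example, not code from the original post or from Hunt’s analysis; both credential dumps and the word list are constructed stand-ins.

```python
"""Password-reuse analysis across two leaked lists, plus the post's password rules.
Added example, not part of the original post or of Troy Hunt's analysis."""
import re

# Constructed stand-ins for two leaked credential lists (email:password per line).
DUMP_A = """\
alice@example.com:Summer2011
bob@example.com:Rh1ZJk#U
carol@example.com:password
dave@example.com:qwerty123
erin@example.com:Tr0ub4dor&3
"""

DUMP_B = """\
alice@example.com:Summer2011
bob@example.com:RZUUJ1hk#
carol@example.com:password
dave@example.com:letmein
frank@example.com:hunter2
"""

# Tiny constructed word list standing in for a real dictionary / common-names list.
DICTIONARY = {"password", "qwerty", "letmein", "summer", "alice", "hunter"}


def parse_dump(text):
    """Map each e-mail address (lower-cased) to its password; malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def reuse_rate(dump_a, dump_b):
    """Hunt's comparison: of the addresses present in both dumps, how many used the same password?
    Returns (shared_addresses, reused_count, ratio)."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    shared = sorted(set(a) & set(b))
    reused = sum(1 for e in shared if a[e] == b[e])
    ratio = reused / len(shared) if shared else 0.0
    return len(shared), reused, ratio


def password_problems(password, dictionary=DICTIONARY):
    """Return the rules from the post that the password fails (empty list = passes).
    Rule 4 (memorable to you, unguessable to others) cannot be judged by code."""
    problems = []
    if len(password) < 8:                      # rule 1: at least 8 characters (14+ preferred)
        problems.append("shorter than 8 characters")
    # Rule 2: not a dictionary word. The alphabetic core is also checked, so that
    # "Summer2011" is still treated as the dictionary word "summer" with digits appended.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in dictionary or core in dictionary:
        problems.append("dictionary word (possibly with digits/symbols added)")
    classes = [                                # rule 3: at least three of the four types
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three of the four character types")
    return problems


def weak_reused_passwords(dump_a, dump_b):
    """Addresses whose password is both reused across the dumps and fails the rules:
    the worst of both worlds described in the post."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    return sorted(e for e in set(a) & set(b) if a[e] == b[e] and password_problems(a[e]))


if __name__ == "__main__":
    shared, reused, ratio = reuse_rate(DUMP_A, DUMP_B)
    print(f"{reused} of {shared} shared addresses reuse their password ({ratio:.0%})")
    print("reused and weak:", weak_reused_passwords(DUMP_A, DUMP_B))
```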
The best way to create and manage strong, unique passwords is with the help of a utility tailor-made for that job. To generate one, I visit https://www.grc.com/passwords.htm and pick an 8-character block out of the 63-character random alphanumeric (a-z, A-Z, 0-9) string it produces.
Then, to manage them, I use a free program called KeePass: http://keepass.info/
What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website’s FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem… A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.
Is it really free?
Yes, KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.
- Adding a New Entry
- Entering the Password
- Main Window
- Powerful Built-In Password Generator
Your Computer Appears to Be Infected
Google has begun warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.
Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.
Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.
Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.
The malware intercepts traffic destined for high-profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.
Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.
Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.
Here is the link with explanation: http://www.google.com/support/websearch/bin/answer.py?answer=1182191
A warning appears at the top of the search results page when we believe that the computer you’re using is infected with malicious software, also known as “malware.” Malware can be used to intercept your computer’s connection to Google and other sites. When Google’s system detects that a connection has been intercepted, it’s likely that the computer was previously infected with malicious software.
An infected computer can result in deleted data, stolen personal information, and a slower connection to many websites. We showed you the warning so that you can scan your computer and take any necessary action to protect yourself.
I understand how the link on Google’s warning essentially goes against all the things we’ve been taught to ignore online. It may not be a pop-up, but it’s also not something we went looking for. However, if I saw the warning, knowing that it’s not wise to click anything, I might be more prone to run my anti-virus or go to a security site to see if I could find anything on it. Naturally, having the warning on a Google search page would make me leery of searching for the information on that page.
The other thing we have to remember – is that these users are most likely ones that don’t know to not click on things. They’ll happily click it – and, for a change, be directed to something that will help them. Now yes, this can start to be spoofed and lead to bad things too – but again, remember, these people are already clicking links they’re told to… they’re going to be infected regardless. So what’s wrong with actually getting them to click something that will actually help them for a change?
Honestly, I think more of these types of things should be done. Users need to be better educated and learn how to protect themselves online. However, it’s nice to see others trying to make the internet safer instead of leaving all the responsibility on the user (who in most cases doesn’t even know the basics when it comes to online security).
While I’m grateful to Google for making the effort, the malware I’ve seen causing Google search redirections is _not_ simple to remove. Suggesting to users that they can just download a tool and get rid of it is doing them a disservice.
Despite Google’s intent, I have to side with the argument for consistency in dealing with my users. I have invested a lot of time and energy in getting them to not click links that appear to promise to solve problems–especially problems that are not apparent or that users might not understand.
So, I have just sent a notice to all users on my list that, should they see the Google alert message, they should NOT click the link, but close the browser and then call for IT help. And no telling how quickly the scareware writers will mimic Google’s message, with their own destination to other malware embedded in the learn-how-to-fix-this link.
Everyone who gets this warning also needs to be aware that every password they’ve typed since infection now belongs to the criminals – e-mail, banking, etc. If Google has to inform users that they’re infected, what do you think the odds are that they have clean, restorable backups?
The ONLY way to guarantee that all bots are eliminated is to re-install the OS and apps from scratch. Take time to think about what you are doing and what can go wrong. Be particularly careful not to infect other systems or flash drives as you work.
Back up important data files. Make a drive image which can be searched for data files you forgot to back up. In general, do not recover old program files. Be sure to bring up the new system behind a hardware firewall / router until you get your security patches in place.
Allow me to repeat for emphasis the fact that: A FULL OS RE-INSTALL IS REQUIRED TO RECOVER FROM MODERN MALWARE and as I know very well, OS re-installs can be confusing and tedious. No, there is no easy way around this.
While the Microsoft Malicious Software Removal Tool has “removal” right up there in the title, and older malware might be removed, expecting that is a bad bet. Much or even most modern malware simply cannot be “removed” in the sense of returning the computer to its original state. Once a bot is in place, it can modify any file, and there is no way to know what has been done, so there is no way to reverse it.
It’s usually some variation of the TDL4 bootkit/rootkit, and careless attempts to clean it up can leave a computer unbootable or result in irretrievable data loss. I’ve never yet seen a PC with this infection have just _one_ malware kit installed either, since they generally keep downloading botnet components.
The correct response to malware is to re-install the OS and apps. Remember that the malware in question is malicious because it modifies search results returned by Google. So we can assume that it has 100% control over the DOM presented by Google. In fact, it wouldn’t surprise me if the malware gets an “update” to simply hide this message.
Stay safe!
Recover from errors on your hard drive using SpinRite!
In the past week, I have had to deal with two failing hard drives. One personally and another from a paying customer’s machine.
The fairly new Seagate hard drive in my desktop started throwing errors and was noticeably sluggish at times. Not broken, just noticeably slow. I thought this might indicate some drive damage.
So I pulled the log file and found:
[68489.756311] ata3.00: status: { DRDY ERR }
[68489.756314] ata3.00: error: { UNC }
[68489.951583] ata3.00: configured for UDMA/133
[68489.951604] ata3: EH complete
[68492.671124] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
[68492.671133] ata3.00: BMDMA stat 0x24
[68492.671140] ata3.00: cmd c8/00:08:55:e8:8d/00:00:00:00:00/e2 tag 0 dma 4096 in
[68492.671142]          res 51/40:00:56:e8:8d/00:00:00:00:00/02 Emask 0x9 (media error)
Looking at some SMART data from the drive, I found more information. It seems that I have some uncorrectable errors that the drive itself cannot remedy, and running fsck from the terminal does not fix them either. So there is only one thing to do in a case like this, and that is SpinRite.
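The kernel lines above already name the failing sector, once the libata taskfile dump is decoded. As an added example (not from the original post), the following parser pairs each `cmd` line with its `res` line, decodes the ATA status and error registers, and recovers the LBA the drive reported; the sample log is a constructed copy of the lines quoted above.

```python
"""Decode libata 'cmd'/'res' taskfile dumps from dmesg and recover the failing LBA.
Added example, not from the original post; SAMPLE_LOG is a constructed copy of the post's lines."""
import re

SAMPLE_LOG = """\
[68489.756311] ata3.00: status: { DRDY ERR }
[68489.756314] ata3.00: error: { UNC }
[68492.671124] ata3.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
[68492.671133] ata3.00: BMDMA stat 0x24
[68492.671140] ata3.00: cmd c8/00:08:55:e8:8d/00:00:00:00:00/e2 tag 0 dma 4096 in
[68492.671142]          res 51/40:00:56:e8:8d/00:00:00:00:00/02 Emask 0x9 (media error)
"""

# ATA status register and error register bits (standard ATA register layout).
STATUS_BITS = {0x80: "BSY", 0x40: "DRDY", 0x20: "DF", 0x10: "DSC", 0x08: "DRQ", 0x01: "ERR"}
ERROR_BITS = {0x80: "ICRC", 0x40: "UNC", 0x20: "MC", 0x10: "IDNF",
              0x08: "MCR", 0x04: "ABRT", 0x02: "TK0NF", 0x01: "AMNF"}
# Opcodes we can name, and whether they use 48-bit addressing (a small subset, enough for the sample).
COMMANDS = {0xc8: ("READ DMA", False), 0xca: ("WRITE DMA", False),
            0x20: ("READ SECTORS", False), 0x30: ("WRITE SECTORS", False),
            0x25: ("READ DMA EXT", True), 0x35: ("WRITE DMA EXT", True),
            0x60: ("READ FPDMA QUEUED", True), 0x61: ("WRITE FPDMA QUEUED", True)}

# libata prints: cmd/feat:nsect:lbal:lbam:lbah/hob_feat:hob_nsect:hob_lbal:hob_lbam:hob_lbah/device
# and for 'res': status/error:... with the same remaining layout.
TASKFILE = re.compile(
    r"\b(cmd|res) ([0-9a-f]{2})/([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})"
    r"/([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})/([0-9a-f]{2})")


def flags(value, table):
    """Names of the bits set in a register value, highest bit first."""
    return [name for bit, name in sorted(table.items(), reverse=True) if value & bit]


def parse_taskfile(line):
    """Split one 'cmd' or 'res' line into its registers, or return None for other lines."""
    m = TASKFILE.search(line)
    if not m:
        return None
    kind, *regs = m.groups()
    v = [int(x, 16) for x in regs]
    return {"kind": kind, "first": v[0], "second": v[1], "nsect": v[2],
            "lbal": v[3], "lbam": v[4], "lbah": v[5], "hob_nsect": v[7],
            "hob_lbal": v[8], "hob_lbam": v[9], "hob_lbah": v[10], "device": v[11]}


def lba_of(tf, lba48):
    if lba48:
        return (tf["hob_lbah"] << 40 | tf["hob_lbam"] << 32 | tf["hob_lbal"] << 24
                | tf["lbah"] << 16 | tf["lbam"] << 8 | tf["lbal"])
    # 28-bit addressing: LBA bits 24-27 live in the low nibble of the device register.
    return (tf["device"] & 0x0f) << 24 | tf["lbah"] << 16 | tf["lbam"] << 8 | tf["lbal"]


def decode_errors(log):
    """Pair each 'cmd' line with the 'res' line that follows it; one dict per failed command."""
    results, pending = [], None
    for line in log.splitlines():
        tf = parse_taskfile(line)
        if tf is None:
            continue
        if tf["kind"] == "cmd":
            pending = tf
        elif pending is not None:
            name, lba48 = COMMANDS.get(pending["first"], ("UNKNOWN 0x%02x" % pending["first"], False))
            count = (pending["hob_nsect"] << 8 | pending["nsect"]) if lba48 else pending["nsect"]
            results.append({
                "command": name,
                "requested_lba": lba_of(pending, lba48),
                "sectors": count or (65536 if lba48 else 256),   # nsect 0 means the maximum
                "failing_lba": lba_of(tf, lba48),                 # drive fills in the bad LBA
                "status": flags(tf["first"], STATUS_BITS),
                "error": flags(tf["second"], ERROR_BITS),
            })
            pending = None
    return results


if __name__ == "__main__":
    for r in decode_errors(SAMPLE_LOG):
        print(f"{r['command']} of {r['sectors']} sectors from LBA {r['requested_lba']}: "
              f"status {r['status']} error {r['error']} at LBA {r['failing_lba']}")
```

The decoded status (DRDY, DSC, ERR) and error (UNC) match the kernel’s own `status:`/`error:` summary lines, and the failing LBA is the sector the drive could not read, which is what a sector-level tool needs to know.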
SpinRite is the industry standard system for hard and floppy disk care, maintenance, and data recovery. SpinRite uses deep analysis technology to recover lost and unreadable data, to locate and lock unsafe areas out of use, to move endangered data to safety, and to repair areas of the drive which have become damaged or bad through use. SpinRite should be run periodically to aid in the prevention of hard disk loss.
The first three images are from a program called “GSMART” that I use to pull technical details from the drives in my Linux system. The remaining images (the blue, DOS-looking ones) are from the SpinRite CD itself.
- Hard drive information
- Hard drive error logs
- Tests logs before and after recovery
- Executable start
- Real Time Activities
- Status Screen
- Graphic Status Display
- Detailed Technical Log
- Surface Analysis Monitor
- Dynastat Data Recovery
- Operation Selection
- View/Change Settings
- Real Time Activities
- Detailed Technical Log
- Dynastat Data Recovery
- Operation Page
- Screensaver
- Conclusion
So after booting the CD, SpinRite detected some sector errors on my “/” partition and proceeded to read and repair. Typically this can take hours or days on larger hard drives; mine completed in a few hours. I’ve been using SpinRite to repair hard drives for years now and find it indispensable. I am not guaranteeing a 100% recovery rate, but I would wager it is at least 95%.
A word of warning here. If a hard drive is nearly “dead”, SpinRite often will warn against running anything except a basic data recovery; this warning should be heeded. If a drive is marginally readable, or is physically damaged to the point that heat or wear would kill it, SpinRite may very well be the last thing the drive sees.
This is because SpinRite is best used preventively. In my experience, running SpinRite every few months is a good way to detect far in advance that a drive is going to die.
SpinRite performs the following:
- Reads a sector of data.
- Checks for errors.
- Inverts the data.
- Writes the data back.
- Checks for errors.
- Inverts the data again.
- Writes the data back.
- Checks for errors.
… and this happens several hundred million times. If SpinRite finds an error, it tries re-reading the data for a very long time to attempt to get just one good read. If it gets one, it turns on the hard drive’s own error correction so the drive will smack itself in the forehead and say, “Oh, dear, a bad sector! Let’s get a good sector to fill in and hide this bad one.” Then the data–or a statistically computed “best guess” (rather “better than anyone else’s guess”) at the data–is written to a safe(r) sector.
The end result is that SpinRite forces a hard drive to read and write every bit twice at this setting, which ensures the data is as safe as reasonable.
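The eight-step loop above can be written down as a small sector exerciser. This is an added example and not SpinRite’s code: it runs the read, invert, write, verify, invert, write, verify sequence over an ordinary file standing in for a drive (a constructed image), retries failed reads a fixed number of times, and reports any sector that was unreadable or did not give back what was written. It cannot trigger a drive’s internal reallocation the way the text describes; that happens inside the drive on a successful write.

```python
"""Read/invert/write/verify pass over every sector of a disk image.
Added example following the steps listed above; not SpinRite's code."""
import os
import tempfile

SECTOR = 512


def scrub_sector(fd, lba, retries=8, sector=SECTOR):
    """Exercise one sector: read, invert, write, verify, invert back, write, verify.
    Returns 'ok', 'unreadable' (no good read after retries) or 'verify-failed'
    (the medium did not hand back what was written). The original data is restored."""
    off = lba * sector
    data = None
    for _ in range(retries):                    # steps 1-2: read and check, retrying on I/O errors
        try:
            data = os.pread(fd, sector, off)
            if len(data) == sector:
                break
        except OSError:
            data = None
    if data is None or len(data) != sector:
        return "unreadable"
    inverted = bytes(b ^ 0xFF for b in data)    # step 3: invert every bit
    for pattern in (inverted, data):            # steps 4-8: write, read back, check; then again
        try:
            os.pwrite(fd, pattern, off)
            os.fsync(fd)
            if os.pread(fd, sector, off) != pattern:
                return "verify-failed"
        except OSError:
            return "verify-failed"
    return "ok"


def scrub_image(path, retries=8, sector=SECTOR):
    """Scrub every whole sector of the image; return {lba: outcome} for the sectors that failed."""
    bad = {}
    fd = os.open(path, os.O_RDWR)
    try:
        total = os.fstat(fd).st_size // sector
        for lba in range(total):
            outcome = scrub_sector(fd, lba, retries, sector)
            if outcome != "ok":
                bad[lba] = outcome
    finally:
        os.close(fd)
    return bad


def demo():
    """Build a small constructed image, scrub it, and confirm the data survived the pass."""
    payload = bytes(range(256)) * 8             # four sectors of recognisable data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        bad = scrub_image(path)
        with open(path, "rb") as f:
            intact = f.read() == payload
    finally:
        os.unlink(path)
    return bad, intact


if __name__ == "__main__":
    print(demo())
```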
Remember, computer hardware requires vigilant maintenance, just like one’s conveyance. SpinRite is no substitute for regular backups. Still, having the software around for maintenance–and knowing it’s there in an emergency–makes it worth it.