Friday, June 30, 2006

Worms in the Garden

Worms in your garden are one thing -- and generally considered good for aerating the soil and the song birds certainly like them. Computer worms, however, are another story entirely!

After having registered my displeasure with the Windows Genuine Advantage (WGA) Notification tool for computers that have passed validation (see "Garden Phone?"), I admit that I was not surprised to learn that there is already a worm that spreads through AIM (AOL Instant Messenger) and disguises itself as WGA. As reported by Jeremy Kirk of "IDG News Service" on Friday, June 30, 2006, in Worm Masquerades as Microsoft Antipiracy Program:
"Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two Web sites, a sign it may try to download other bad programs on the machine."
Mr. Kirk also reported from Sophos PLC, a security vendor, that Cuebot-K can disable other software, shut off the Windows firewall, download other malicious programs, perform DDoS (distributed denial of service) attacks, and more.

Update Note: See Suzi Turner's analysis, "New malware poses as WGA validation and notification".

Wednesday, June 28, 2006

Privacy

Peter Cullen is the Chief Privacy Strategist at Microsoft. I certainly hope that Mr. Cullen realizes members of the "security community" prefer a high, solid privacy fence for our computers.

The good news in Joris Evers's (Staff Writer, CNET News.com) interview with Mr. Cullen, entitled "Newsmaker: Putting privacy first at Microsoft", published June 28, 2006, 4:00 AM PDT, is that Mr. Cullen is
"working to make long privacy policies a part of history and helping to make Windows Vista the most privacy-sensitive operating system Microsoft has ever built."
Read the interview to see whether you think Mr. Cullen will be able to "undo the PR damage and mend fences with upset customers" resulting from Microsoft's Windows Genuine Advantage (WGA) Notification tool.

Building Permit Required

The rumor mill has it that some time in the future Microsoft will require a *building permit* for their Windows Genuine Advantage (WGA) tool or your garden will turn to dust. In "Ed Bott's Microsoft Reports" at Is Microsoft about to release a Windows "kill switch"? the following quote was included from Dave Farber’s Interesting People list:
". . . in the fall, having the latest WGA will become mandatory and if it's not installed, Windows will give a 30 day warning and when the 30 days is up and WGA isn't installed, Windows will stop working . . ."
Ed Bott contacted Microsoft and reported the following response from a Microsoft spokesperson:
"As we have mentioned previously, as the WGA Notifications program expands in the future, customers may be required to participate. [emphasis added] Microsoft is gathering feedback in select markets to learn how it can best meet its customers' needs and will keep customers informed of any changes to the program."
I agree that software piracy is a serious problem and has been for a long time. However, someone needs to explain to me how my licensed copy of Microsoft software, which has already been confirmed as valid more than once, requires periodic re-confirmation of that validity. I do not want a telephone booth in my garden.

Tuesday, June 27, 2006

Garden Phone?

There's been a lot of discussion of late regarding Microsoft's "pilot" Windows Genuine Advantage (WGA) tool being used in their fight against piracy. The discussions weren't limited to the press either. For example, there were two discussion threads at Scot's Newsletter Forum: WGA and WGA Notification Tool and Utility Nukes Windows Genuine Advantage Callbacks.

In a recent conversation with a friend, she told me that she just didn't get it. How many times did she have to prove to Microsoft that she paid for the license? When installing her licensed copy of Microsoft XP Pro, she had to validate. Then she had to validate again through the WGA Validation. Next, Microsoft was "calling home" every day to check with the servers on whether it was time to re-validate her computer yet again. This friend lives in a country where there is a service charge for every call made (on top of the telephone and ISP charges). That means that Microsoft was costing this person, who happens to be on a fixed income, a service charge every time WGA Notification called home.

Based on customer comment, today Microsoft released a new version of WGA. The new version does not include the daily configuration check (which is also a real nightmare for dialup users) but will "call home" periodically. Another significant change is a clearer EULA (end user license agreement) and instructions to opt-in. See "Windows Genuine Advantage Bolsters Frontline in Anti-Piracy Fight"

For instructions on how to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications (Last Review: 27 Jun-06), see http://support.microsoft.com/?kbid=921914. Please note, however, that the uninstall instructions include a registry edit. It is always best to back up the registry before attempting any regedits. See this article on backing up the registry: Windows XP and Windows Server 2003: http://support.microsoft.com/default.aspx?scid=322756.

J-Mac, A Special Teen

No, this isn't about security. Rather, this is about an autistic teen whose coach gave him a chance to play in a basketball game and he made the most of it -- scoring 20 points in under 4 minutes. J-Mac (Jason McElwain) is an inspiration to autistic children and their families all over the world and, in that regard, is a hero.

J-Mac has been nominated for an ESPY Award. Read J-Mac's story and see the video in "J-Mac to go up against Kobe Bryant Greece teen to compete against his NBA idol for an ESPY award" by Rochester Democrat and Chronicle writer Scot Pitoniac.

You can vote for J-Mac at http://espn.go.com/espy2006/index.html . Click on "Vote Now," and go to "Best Moment."

The best of luck to you, J-Mac. You are a winner regardless of the outcome of the ESPY nomination.

Broken Fences

It appears that my thoughts on the potential dangers in the FON (Google/eBay) $5 routers to entice more consumers to Wi-Fi were on target. In "Does Wi-Fi security matter?", by Tom Espiner (ZDNet UK, June 27, 2006, 13:00 BST), he reported that according to researchers at Indiana University, a large percentage of Wi-Fi networks are "horribly insecure".

"In a study of almost 2,500 access points in Indianapolis, presented at the Workshop on the Economics of Information Security at the University of Cambridge on Monday, researchers found that 46 percent were not running any form of encryption.

"People just really don't care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University. "Defaults [settings] are king," added Hottell."

Now the story about the Google-eBay venture promoting free Wi-Fi with sale of $5 routers really puts a bad taste in my mouth. Of course money will win out over security. If you elect to participate in this endeavor, keep your system and security software updated and encrypt any confidential data. Broken slats in your computer's security fence can have disastrous results.

Community Gardening?

Jonathan Thaw of Bloomberg News reported today in the Seattle Post Intelligencer that FON (a Google/eBay funded company) will be selling routers for $5 to promote Web connection sharing.

"Consumers buying the routers, which usually cost about $60, will need to let others use their Internet connections and in return will be able to connect for free to other wireless hot spots that are part of the network, said Juergen Urbanski, Madrid-based FON's U.S. general manager."
Community Gardens are one thing, as is community-funded Wi-Fi. However, to my way of thinking, sharing a connection with computer users with "weak fences" (read firewalls, anti-virus software and security updates) will open up a whole new avenue of infections for the unsuspecting. See the complete story at Google-eBay venture promoting free Wi-Fi with sale of $5 routers.

Monday, June 26, 2006

Webhelper Digs out the Slugs

Patrick Jordan, aka Webhelper, is a long-time friend and top-notch researcher. My first post on this blog was about Patrick's new website: *Master Gardener* Webhelper has a new home! In order to easily maintain his site for research by the security community and others, Patrick was forced to relocate to greener pastures. That happened quickly and now he has buckled down to dig out the DollarRevenue slugs!

His latest find is a new rogue antispyware application, AdwareFinder (which may also be known as Adware Finder). Screenshots and description are here on the Sunbelt Blog. Go get 'em, Webhelper!



Sunday, June 25, 2006

A flood in the Garden or . . .


"Why home firewall software is a leaky dike"

Indeed, as Dirk Averesch states,
A chain is only as strong as its weakest link. That's doubly true when it comes to protecting computers that are connected to the internet. Anyone who thinks that a virtual firewall is enough to protect a PC from the dangers of the internet -- such as hacker attacks and unwanted contact with damaging programs -- is making a mistake.

That level of safety requires a combination of several protective measures. Firewall software for home use is not much more than a leaky dike.
I think that Dirk Averesch is my new hero. He has a very common sense approach and his writing is easy to follow -- even for a backyard gardener like me. For example:

Surfers are better advised to take more achievable steps, such as keeping their operating system, browser and other programs constantly up to date. This is because software makers, like hackers, are usually spurred to action only in reaction to published security gaps, Wolf says. This is why anti-virus software armed with the most current virus signatures is the crucial last-gap defence on any computer.

Read the complete article, linked above. It is well worth the time.

Perennial Favorites

I have a number of favorite sites, blogs and resources -- too many to include them all here. The list is always evolving.

Let's start with help sites. A safe place to go for help is to any of the ASAP (Alliance of Security Analysis Professionals) member sites.

I expect to add new perennial favorites as the Security Garden grows.

The Weed Barrier


Ok, you have this great computer with a firewall and up-to-date antivirus software. You've recovered from a major infection, have completed Windows Updates and still do not feel comfortable that you can keep the weeds out of your computer.

I am sorry to say, but you are right. It does take more to protect your investment. Let's start with Tony Klein's "So how did I get infected in the first place?" for important tips on how to prevent future infections. There is also a lot of helpful information in my friend, the Phantom Phixer's "Mitch's Good Stuff" with tutorials at "Ghosts Markers".


Install and update both SpywareBlaster & SpyGuard to prevent the installation of spyware and other potentially unwanted software. If you use Internet Explorer, IE-Spyad will add thousands of sites into your IE restricted zone. Then again, you may want to check out alternative browsers, such as FireFox or Opera. Another useful program is StartupMonitor, which will warn you when something tries to sneak in.

A favorite of mine is WinPatrol. It is hard to go wrong with Scotty on Patrol!

Maintaining the Security Landscape



There is only one way to maintain the landscape of your garden. That is to take preventative steps to keep the bugs and weeds out of it. The same goes for your computer. As with your garden, the best method for this is prevention. If you leave the gate open and your computer unprotected, you are bound to have problems.

So, how do you prevent the bugs and weeds from invading your computer? One word: Update!


Windows Automatic Updates finds all important updates for your computer, including security updates, critical updates, and service packs.


To access Automatic Updates do the following:

  1. Click Start > Control Panel > Security Center > Automatic Updates.
  2. Next decide how you want to receive the updates:
    a. Let Automatic Updates automatically download and install all updates
    b. Have Automatic Updates check with you before downloading updates and then automatically install them
    c. Have Automatic Updates both check before downloading and before installation

Another option is to navigate directly to the Windows Update Center and scan your computer for any needed updates. Individual security updates can be obtained from Microsoft TechNet.

Compost it!


To help get undetected files to the various spyware, malware, antivirus, and antitrojan vendors, we want to submit nasties to "all" vendors. If you run across an undetected security slug, here is the procedure to submit it for evaluation.

Please submit the files to "The SpyKiller". Note: Registration is not needed to upload file(s).

A. Please start a new post of your own.
  • Click on "New Topic".
  • Use a descriptive title in the subject line.
  • In order to help the analysts and developers, please include a link to any thread you have in a help forum.

B. To upload the file(s):

  • If you have been provided the path to the file, copy/paste it into the "Attach" box provided, or
  • Click the "Browse" button at the bottom of the new post box, navigate to and select the file on your computer.

C. If you have more than one file
  • Press the "(more attachments)" option individually for each extra file, browse and select the individual file.
  • When all the files are listed in the window, click "Post" to upload the files.

D. There is a maximum size of 2 MB per file and 8 MB per post. If you have more than 10 files to upload, please zip the files and attach the zip file (Create a Zipped File Archive).



Saturday, June 24, 2006

About Garden Slugs

There's only one thing to do to get rid of the slugs -- Stand Up and Be Counted!

See what started it all in "Fighting back and Making a Difference". As Nellie2 explains here:

Basically, what is happening is that if you are unlucky enough to visit a malicious site then your browser will install some of the crud from this site and your dial-up networking settings will be changed to get you to dial a for-pay service. (And yes, a lot of people still have dial up modems installed). More info here at Spyware Confidential
This is definitely a topic to follow. If you run into those slugs, please go to Malware Complaints and state your case.



Removing the Deadwood


As we use our computer, temporary files build up. In some ways, this can be good for those with a slow Internet connection. However, malware has been known to nest in various temporary locations. Although such a cleanup can be done manually, as described below, there are a couple of software programs that make it much easier to remove the deadwood.

A program that works well for Windows 2000 and Windows XP is ATF Cleaner by Atribune. Instructions for using ATF Cleaner:
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use the Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Another popular program is CCleaner. You can download CCleaner from this direct link: http://www.ccleaner.com/downloadbin.asp?f=2.

Clean Temporary Internet files with CCleaner as follows:

  • Close all open programs, including Internet Explorer, Firefox and any instances of Windows Explorer.
  • Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • To protect logon cookies that you wish to retain, go to Options > Cookies, select them, and use the arrow to move them to the "Cookies to keep" column.
  • Then select the items you wish to clean up.
  • In the Windows Tab:
    • Clean all entries in the "Internet Explorer" section.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section except Windows Log Files.
  • In the Applications Tab:
    • Clean all in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet Section.
    • If you need assistance with a malware infection, please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
  • Click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.

To manually clean the temporary internet files, do the following:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Pest Management - Routing out the Weeds


There are a number of safe software programs available to use to scan your computer for malware. Please be careful to select one or two known programs. If unfamiliar with the software, check the Spyware Warrior List of Rogue/Suspect Anti-Spyware Products and Web Sites.

Should you still require assistance, please visit one of the ASAP Member sites.

You can find me most frequently at Freedomlist and LandzDown Forums.


The most commonly used anti-malware software programs:

Ad-Aware® SE
ewido anti-spyware
Spybot S & D
Windows® Defender (Beta Software, use at your own risk)
Following is a list of online virus scanners to select from. Note that most require Internet Explorer and ActiveX turned on.

http://housecall.trendmicro.com/ - Trend Micro
http://www.ravantivirus.com/scan/ - RAV
http://www.pandasoftware.com/activescan/ - Panda
http://us.mcafee.com/root/mfs/default.asp - McAfee
http://www.kaspersky.com/scanforvirus.html - Kaspersky (single file scan)
http://online.drweb.com/ - Dr. Web
http://www.commandondemand.com/eval/index.cfm - Command
http://www.bitdefender.com/scan/licence.php - BitDefender
http://security.symantec.com/sscv6/default...id=ie&venid=sym - Symantec

The Garden Fence


The best way to protect your garden is to fence it in. The same applies to your computer. A good firewall is the fence used to block the critters from entering your computer.

Microsoft Windows XP has a built-in firewall. Although it is only "one way" (it will block incoming but freely allows outgoing traffic), this works well for many computer users. Just remember to run only one firewall at a time, as you could otherwise have conflicts.

To turn Windows Firewall on or off, you must be logged on to the computer as an administrator.

  1. Click Start > Control Panel > Security Center.
  2. On the General tab, click one of the following:
    • On
    • Off

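A read-only check, added here as an example and not part of the original posts, covering both the Automatic Updates setting described under "Maintaining the Security Landscape" and the firewall state described above. It assumes an elevated PowerShell session on Windows XP SP2 or later, and the registry values (AUOptions, EnableFirewall) and Security Center WMI class (FirewallProduct) as Microsoft documents them.

```powershell
# Added example (not code from the Security Garden blog): a read-only posture check
# for the two items the posts above describe, Automatic Updates and the Windows Firewall.
# Assumptions: Windows XP SP2 or later, an elevated PowerShell session, and the registry
# values and Security Center WMI classes as Microsoft documents them.

function Get-AutomaticUpdatesMode {
    # AUOptions is the value behind the radio buttons in Security Center > Automatic Updates.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    switch ($au.AUOptions) {
        1       { 'Disabled' }
        2       { 'Notify before download and before install' }
        3       { 'Download automatically, notify before install' }
        4       { 'Download and install automatically' }
        default { 'Not configured or unknown' }
    }
}

function Get-WindowsFirewallState {
    # EnableFirewall under StandardProfile is the On/Off radio button on the General tab.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $fw -or $null -eq $fw.EnableFirewall) { return 'Unknown' }
    if ($fw.EnableFirewall -eq 1) { 'On' } else { 'Off' }
}

function Get-RegisteredFirewallProducts {
    # Firewalls that registered with Security Center: root\SecurityCenter on XP SP2,
    # root\SecurityCenter2 on Vista and later (where Windows Firewall itself may be listed).
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        $products = Get-WmiObject -Namespace $ns -Class FirewallProduct -ErrorAction SilentlyContinue
        if ($products) { return @($products | ForEach-Object { $_.displayName }) }
    }
    return @()
}

$auMode     = Get-AutomaticUpdatesMode
$fwState    = Get-WindowsFirewallState
$products   = @(Get-RegisteredFirewallProducts)
$thirdParty = @($products | Where-Object { $_ -notmatch 'Windows' })

"Automatic Updates           : $auMode"
"Windows Firewall            : $fwState"
"Registered firewall products: $(if ($products) { $products -join ', ' } else { 'none' })"

# The warnings restate the advice in the posts: keep updates flowing, keep one fence up,
# and do not run two firewalls at once.
if ($auMode -notmatch '^Download') {
    Write-Warning 'Automatic Updates is not set to download updates; revisit step 2 above.'
}
if ($fwState -ne 'On' -and $thirdParty.Count -eq 0) {
    Write-Warning 'No firewall appears to be protecting this computer.'
}
if ($fwState -eq 'On' -and $thirdParty.Count -gt 0) {
    Write-Warning ('Windows Firewall is on alongside ' + ($thirdParty -join ', ') + '; run only one firewall.')
}
```

The script changes nothing; it only reads the settings so you can compare them with the steps above before deciding what to adjust.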

Most of the more experienced computer users prefer a "two-way" firewall. Some of the two-way firewalls have a built-in policy, allowing known applications access to the Internet. Other firewalls permit the computer owner to create rules fitting their preferences.

A few popular firewalls include the following:

Zone Alarm-Free
Sunbelt Kerio Personal Firewall (KPF)
Outpost Firewall Free



*Master Gardener* Webhelper has a new home!

My friend, Webhelper, is indeed a "Master". He is so effective at digging out the slugs that they've resorted to attacking his website. However, following the massive DDoS attack on Webhelper's site, he has relocated. You can find Webhelper, his CWS Diaries, and much more at http://www.webhelper4u.net/ .

Due to the June 2006 DDoS attacks against webhelper4u.com along with the lack of security with my old hosting service, I have moved to a new hosting service that gives me the ability to fight against future DDoS attacks.


In the words of Webhelper:


I am the Webhelper
I give no quarter
I take no prisoners
I will not retreat

About me . . .



My roots are at "Freedomlist" where I obtained my online start helping others. I am proud that Freedomlist was among the early sites to embrace the concept of ASAP (Alliance of Security Analysis Professionals), where I serve as Secretary, ASAP Admin Council.

After the closing of the volunteer-supported Lavasoft forums, the former "Team Lavasoft" regrouped at "LandzDown Forum" (LzD). Our Motto,
"Stronger than the past, united in our goal"
illustrates our close ties. With my teammates at LzD, we provide assistance in a wide range of computer security areas.


In addition to Freedomlist and LzD, I am Administrator or Moderator at many other security forums and help as much as time permits. Included in the list are Scot's Newsletter Forum, SpyWare BeWare, Castle Cops, Gladiator Security Forum, Malware Removal, and many others, including a new endeavor at Malware Complaints.


I am still overwhelmed at having been awarded Microsoft Most Valued Professional (MS MVP), Windows Security in January, 2006. To be recognized in this way for doing what I enjoy; that is, helping others, is very special.

Professionally, I am a long-time employee in the Legal Department at Eastman Kodak Company where I was recently promoted to the position of Systems Analyst. In that capacity, I am providing systems support for specialized applications as well as continuing as Legal Webmaster and designing and maintaining Lotus Notes databases for the Legal Staff.


My husband and I have two grown children and two beautiful grandgirls, Natalie and Nicole.