Anti-virus – is there really any point?

Last week's epic FAIL by McAfee brings the entire Microsoft platform into perspective. It's all broken:

  • Symantec says that it has detected botnet infections on more than 1,100 separate computers spread across multiple subnets within the UK National Health Service (NHS) network
  • Criminals are increasingly attempting to conceal malware embedded in hacked websites from search engines such as Yahoo! and Google
  • Tom Köhler, Information Security Director at Microsoft Germany, said that, “Users who still have Internet Explorer 6 installed on their systems are taking an unnecessary risk and should urgently update to the free version 8, which offers a significantly higher level of protection.” [ agreed, but IE8 is at risk from other vulnerabilities ]
  • McAfee has said that it will offer compensation to home and home office users for losses arising as a result of last week's flawed signature update [ would any of those affected be happy with McAfee's offer of security software that combs through their systems? ]
  • Microsoft has withdrawn patch MS10-025 for Media Services under Windows 2000 Server, which was published last week, because it is ineffective
  • a third update for Internet Explorer 8’s cross-site scripting (XSS) filter will aim to fix yet another vulnerability, one which actually makes web sites that weren’t vulnerable, vulnerable
  • “People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved,” said Bradley Anstis, vice president of technology strategy at M86 Security.

These are a small sample of the issues from this week.

The Windows ecosystem has been broken since the dawn of time, and it facilitates the dissemination of spam, viruses and spyware that together result in a world of financial and other losses too great to tally. 1 in 4 machines with up-to-date Anti-Virus software can still be hacked. So what use is AV, you may ask?

It’s a stop-gap, a temporary shelter through which one hopes one can evade malicious code for a period of time. Hope: not very reassuring in circumstances such as these.

Question: when have you had enough? Time to make a choice …

Critical FAIL: McAfee update cripples Windows machines

McAfee pushed out a virus definition update, 5958, today that causes false positive identification of the critical Windows system file svchost.exe. Machines running Windows XP Service Pack 3 using the 5958 definitions will delete the file, causing many key Windows services to fail to start. The Windows file is being mistakenly detected as W32/wecorl.a. Failure to start svchost.exe causes Windows to automatically reboot, making repair a difficult process.

McAfee's support seems to have gone into meltdown as a result of this issue, so don't expect much help there. The following procedure may do the trick:

  1. Boot the system into safe mode
  2. Drop the attached extra.dat in c:/program files/common files/mcafee/engine
  3. Reboot into normal mode

The broken update should no longer be available so non-affected users should be safe now. The new update is 5959 which is the same as the previous update but without the problematic definition.

Reports of tens of thousands of affected machines ( including Intel ) will leave a lot of egg on McAfee's face for the immediate future. What's interesting is that rudimentary QA would uncover something like this, so how did this get out?
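To illustrate the kind of check that would have caught this, here is an added example ( not McAfee's code ): a pre-release gate that runs a definition set against a corpus of known-clean files and rejects any signature that fires on one. The corpus contents and the definitions are constructed stand-ins, not real binaries or real signatures.

```python
"""Pre-release QA for anti-virus definitions (constructed illustration)."""
import re

# Constructed "known-clean" corpus: file label -> file bytes.  A real QA lab
# would hold the genuine OS files from every supported service pack; these
# are stand-ins carrying only a recognisable version-info string.
CLEAN_CORPUS = {
    "svchost.exe (XP SP3)": b"MZ\x90\x00 ... Generic Host Process for Win32 Services ...",
    "notepad.exe (XP SP3)": b"MZ\x90\x00 ... Notepad ...",
}

# Constructed definition set: name -> byte pattern.  The first one is too
# broad and matches a clean system file, which is exactly the class of
# error a QA gate must stop.
DEFINITIONS = {
    "W32/wecorl.a": re.compile(rb"Host Process for Win32"),
    "W32/sample.b": re.compile(rb"CONSTRUCTED-MALWARE-MARKER-\d{4}"),
}


def scan(data, definitions):
    """Return the names of every definition that matches the given bytes."""
    return [name for name, pattern in definitions.items() if pattern.search(data)]


def qa_definitions(definitions, clean_corpus):
    """Gate a definition set against known-clean files.

    Returns (approved, rejected): approved is the definition set that may
    ship; rejected maps each failing definition to the clean files it would
    have quarantined, which is the evidence the analyst needs to fix it.
    """
    rejected = {}
    for fname, data in clean_corpus.items():
        for hit in scan(data, definitions):
            rejected.setdefault(hit, []).append(fname)
    approved = {n: p for n, p in definitions.items() if n not in rejected}
    return approved, rejected


if __name__ == "__main__":
    approved, rejected = qa_definitions(DEFINITIONS, CLEAN_CORPUS)
    for name, files in rejected.items():
        print(f"REJECT {name}: false positive on {', '.join(files)}")
    print("shipping:", sorted(approved))
```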

ProPublica and This American Life team up to expose investment bankers and hedge fund managers

A fascinating look into the financial crash in America and world wide:

http://www.thisamericanlife.org/sites/all/play_music/play_full.php?play=405

For seven months a team of investigative journalists from ProPublica looked into a story for us, the inside story of one company that made hundreds of millions of dollars for itself while worsening the financial crisis for the rest of us.

A hedge fund named Magnetar comes up with an elaborate plan to make money. It sponsors the creation of complicated and ultimately toxic financial securities… while at the same time betting against the very securities it helped create. Planet Money‘s Alex Blumberg teams up with two investigative reporters from ProPublica, Jake Bernstein and Jesse Eisinger, to tell the story. Jake and Jesse pored through thousands of pages of documents and interviewed dozens of Wall Street Insiders. We bring you the result: a tale of intrigue and questionable behavior, which parallels quite closely the plot of a Mel Brooks musical.

What is Linux? and software confusion …

A recent posting on the Blog of Helios prompted me to write a short and simple definition of Linux that might be useful for current non-users of this operating system. It is however a difficult definition in the context of what people already know. And the fact of the matter is that what the general computer-using population knows about operating system platforms is limited.

I often get calls from Windows desktop users about something not working. What is not working? “Well it’s something in Microsoft” they might say. Microsoft? Is that Microsoft Office, Windows, something else? Well they’re not sure, but it’s when they are trying to type a document. Ok, so that’s Microsoft Office Word then. What browser are you using? It’s the one with the blue e on the icon. Internet Explorer. What email client do you make use of? Microsoft. Is that Outlook or Outlook Express? Note I’m just using the Windows platform as an example, however this problem is not limited to that platform.

If general Windows users have difficulties on that platform, what chance do they have with Linux? And why the confusion in the first place?

Let’s try to answer these 2 questions …

What is Linux

Linux is a software platform that includes a kernel which controls and manages the computer itself, utilities which allow you to perform general tasks like file management and application launching, and applications themselves which allow you to get actual work done ( eg. word processor, email client, web browser ).

The original operating system ( to be exact the kernel ) itself was started by Linus Torvalds, a Finnish student who in 1990 was frustrated with the licensing of another OS called Minix. Together with the GNU toolset ( a bunch of OS-independent user tools ) and development tools, GNU/Linux as a complete operating system platform was born.

Unlike Microsoft Windows, which comes in only 2 forms ( desktop and server ), Linux is packaged in the form of distributions, which put the Linux kernel, GNU utilities and other useful applications together. There are many distributions, some which cater for general use, some orientated towards audio-video use and others for supercomputing purposes. There are about 10 to 20 distributions which are used in mainstream desktop and server environments, the most popular of these being Ubuntu, Mandriva and Fedora ( for desktop use ), and Red Hat Enterprise Server/RHEL, CentOS and SUSE Linux Enterprise Server/SLES ( for server use ). An important difference vs commercial OS platforms is that Linux distributions typically provide all the day to day applications that you would use, therefore it's fundamentally different to something like Microsoft Windows, where you only get the operating system and some utilities.

The Linux kernel itself and the GNU toolset are FOSS – free and open source software. This means that although they have a license and are copyrighted, the style of the license means anyone is free to copy, use and alter this software, as long as one keeps to the terms of the license. Typically this includes something as simple as making sure the license is transferred with each copy, and that original and subsequent authors are acknowledged.

But how can you give something away for free if it’s copyrighted? I’ve been paying for my Windows and Office software all along …

Copyright fundamentally means that someone can assert the right to be acknowledged as the author of a particular creation. It does not imply that something can't be given away for free, as much of the bumf from music, movie and publishing concerns would have us believe. So yes, you can have copyrighted software that is free.

There's also the misconception that Linux is difficult to use. From a server perspective, this may have some validity ( although not much ), however, from a desktop point of view, Linux is as easy to use as competing platforms like Microsoft Windows and Mac OS X. It's just different – and it's this difference that many confuse with difficult. There's also the matter of change – human beings are comfortable with what they know; change is never easy because of this.

One important point to remember though is that because Linux is a different platform to Microsoft Windows, it will not run Windows applications natively. Most Windows applications have an equivalent in Linux so this is not a big problem. There is also the possibility of running Windows applications under emulation.

Some examples of FOSS application equivalents:

  • Microsoft Office = OpenOffice
  • Internet Explorer = Firefox
  • Outlook = Thunderbird
  • Photoshop = GIMP

Linux has some distinct advantages over other platforms:

  • very secure and low attack surface for viruses and other malicious code
  • good stability and reliability
  • OS-integrated application installation/management system
  • good performance on old equipment / low resource requirements
  • free / low cost

How do I get support for something that is free? FOSS support is provided by the same community that develops the software as well as the user community around it, through forums, newsgroups, mailing lists and other methods. If that is not suitable, then many of the larger FOSS projects have commercial support options available.

FOSS in general

The Helios project is a group of volunteer Linux users in Texas, USA who refurbish old donated computers, install Linux and other FOSS applications on these machines, and deliver them to needy, impoverished and foster kids in that state. The financial cost to these volunteers is low because FOSS allows them to have an almost zero product cost. This is something that’s not possible with commercial software. And there are many other groups around the world that do work similar to the Helios group.

FOSS lowers the entry barriers to less fortunate people and communities, removing what is arguably the biggest cost of owning a computer – commercial software. This helps with social development, upliftment and education, by giving less fortunate people access to tools they would not have had before, allowing them to create, communicate and distribute.

While FOSS and Linux are typically 'free', this does not mean that the quality of this software is compromised in any way. In fact it's well acknowledged that FOSS software is generally of a higher standard than commercial software, due to the nature of the Open Source development process. A study by Coverity ( a commercial software vendor of code analysis tools ) in 2009 found that the Linux kernel and some other notable FOSS projects had 10x fewer code errors than competing commercial equivalents.

Why the confusion?

At the start of this article, I asked why users were confused about what OS or applications they were using. An analogy: to drive a car on a public road, one needs to pass a driver's test. This involves theoretical and practical training, after which one has a reasonable grasp of the concepts involved as well as some baseline experience to use in the act of driving itself. Using a computer is an altogether different proposition – one goes to the computer store, buys the computer and starts using it. This does not mean however that one is proficient in the use of that computer, hence the lack of general knowledge amongst casual computer users.

This issue is platform-independent, yet the stigma remains that FOSS and Linux are more difficult to use. Difficulty is not necessarily determined by what platform you use, but rather the training you receive in the use of that platform.

So take the time to learn something new today, about whatever platform you are using …

Net Neutrality – South Africa

Net Neutrality is currently, and has been for some time, a raging hot topic in the US. The FCC recently took Comcast to court for throttling customers’ bandwidth – and lost. NN basically means allowing data to flow from source to destination without interruption or alteration. But the big ISPs and carriers in America would like to control everything you do on the Internet, and charge for it. This is anathema to the original concept of the Internet of being a free network for innovation and growth.

Lobbying is the method that big industry in the US uses to get laws passed that allow and promote their own causes. Formerly the music and movie industries were the main culprits in this area but it looks like ISPs and Telcos are now joining that lot. And typically they get their way if they throw enough money around.

In the SA context, Net Neutrality is not something that’s been overly spoken about. Yet we’re subject to some severe limitations from our ISPs in the form of caps, bandwidth throttling ( shaping ) and other mechanisms. This is not what the Internet was meant to be about. On any other day, I would hesitate at involving the government in issues like this, however perhaps we need some regulation to make sure that the local Internet market does not end up like one that’s starting to form in the US.

Lawrence Lessig is best known for his legal work for the Software Freedom Law Centre and as a former member of EFF. For an insight into Internet freedom, take a listen to his take on this charged subject – this is highly recommended for anyone with a hand in the Internet pot.

Click-jacking 2.0

Click-jacking involves a crafted web site inserting a transparent iFrame underneath the cursor. Believing themselves to be clicking on the displayed web page, users in fact find themselves clicking on control elements (e.g. buttons) on a transparent iFrame from another website.

Security expert Paul Stone demonstrated a new generation of click-jacking attacks at the recent Black Hat Europe event in Barcelona. Stone’s demos are not limited to clicks – he can also enter text into forms or read documents opened in the victim’s browser or the page source. Stone makes use of the drag and drop API provided by modern browsers such as Internet Explorer, Firefox, Chrome and Safari. Rather than getting victims to click on specific locations, Stone gets users to drag objects or text from visible windows into an invisible iFrame.

This could, for example, become relevant where a user is logged into a social networking site and opens another page from the site in an invisible frame, into which the user then unknowingly places content. According to Stone, the browser's same origin policy would not spring into action in this scenario, as elements would be moved from one site to the next with the user's involvement. Using this method, Stone can circumvent restrictions such as those aimed at preventing cross-site request forgeries.

Java and JavaScript can increase the potency of these attacks further by only requiring a click rather than a drag. Most high-traffic sites ( read social ) have protected themselves against click-jacking however the mobile versions of these sites may still be vulnerable.
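As an added example ( not Stone's demo, nor code from any of the sites mentioned ), the following audits the server-side framing protection that stops a page being loaded into an invisible iframe in the first place: the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. It checks a site's desktop and mobile hostnames separately, since that is where the gap described above tends to be. The responses and hostnames are constructed.

```python
"""Classify whether an HTTP response can be framed by a third-party site."""

FRAMABLE, SAME_ORIGIN, DENIED, RESTRICTED = "framable", "same-origin", "denied", "restricted"


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers):
    """Return how a cross-site page may embed this response in an iframe.

    Browsers that understand CSP frame-ancestors give it precedence over
    X-Frame-Options, so the CSP directive is evaluated first.
    """
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return DENIED
            if sources == ["'self'"]:
                return SAME_ORIGIN
            if "*" in sources:
                return FRAMABLE
            return RESTRICTED          # an explicit allow-list of origins
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return DENIED
    if xfo == "SAMEORIGIN":
        return SAME_ORIGIN
    if xfo.startswith("ALLOW-FROM"):
        return RESTRICTED
    return FRAMABLE                    # no recognised protection at all


# Constructed responses for the desktop and mobile flavours of one site.
SAMPLE_RESPONSES = {
    "www.example.invalid": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "m.example.invalid": {"Content-Type": "text/html"},
}


def audit(responses):
    """Return the hosts whose pages any third-party site could frame."""
    return sorted(h for h, hdrs in responses.items() if framing_policy(hdrs) == FRAMABLE)


if __name__ == "__main__":
    for host, hdrs in SAMPLE_RESPONSES.items():
        print(f"{host}: {framing_policy(hdrs)}")
    print("exposed to clickjacking:", audit(SAMPLE_RESPONSES))
```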

Microsoft’s April Patch Tuesday

As part of its regular update cycle, Microsoft has released five critical, five important and one moderate risk update to fix security holes in Windows, MS Office and Exchange. The most prominent among them is the “F1 hole” in the VBScript engine for which exploits are already available on-line.

Microsoft Security Bulletin Summary for April 2010, security advisory from Microsoft.

Adobe Acrobat Reader unpatched hole

According to several reports by anti-virus vendors, criminals have attempted to exploit an unpatched hole in Adobe Reader disclosed about two weeks ago to infect Windows PCs. The relevant malware includes the particularly dangerous ZeuS bot. The specially crafted documents are apparently sent to users as email attachments.

The "Launch Actions/Launch File" function in Adobe Reader allows the execution of scripts or EXE files embedded in PDFs. Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection into their systems.
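An added detection example, not Adobe's or any AV vendor's code: a scanner that flags PDF attachments carrying a Launch action, including ones tucked inside a compressed object stream, so a mail gateway or analyst can quarantine the file before a user ever sees the dialogue. The PDF fragments are constructed; the file name in the sample is a placeholder.

```python
"""Flag PDF files that contain a /Launch action dictionary."""
import re
import zlib

# A Launch action is a dictionary with /S /Launch; its target is usually
# given as /F (name) either directly or inside a /Win sub-dictionary.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
_FILE_RE = re.compile(rb"/F\s*\((.*?)\)")


def _inflate_streams(data):
    """Return the raw bytes plus the inflated content of every FlateDecode stream."""
    extra = []
    for m in _STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate, or truncated: the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)


def find_launch_actions(pdf):
    """Return the stated target of each Launch action ('?' when not a literal string)."""
    body = _inflate_streams(pdf)
    hits = []
    for m in _LAUNCH_RE.finditer(body):
        window = body[m.start(): m.start() + 300]   # remainder of the dictionary
        f = _FILE_RE.search(window)
        hits.append(f.group(1).decode("latin-1") if f else "?")
    return hits


def is_suspicious(pdf):
    """A document with any Launch action should be held for review."""
    return bool(find_launch_actions(pdf))


# Constructed fragments: a benign document whose open action is a URI, and
# one whose Launch action sits inside a deflated object stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
              b"/OpenAction << /S /URI /URI (https://example.invalid) >> >> endobj")
_LAUNCH_OBJ = b"2 0 obj << /Type /Action /S /Launch /Win << /F (placeholder.exe) >> >> endobj"
SUSPECT_PDF = (b"%PDF-1.4\n3 0 obj << /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(_LAUNCH_OBJ) + b"\nendstream\nendobj")


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(name, "->", find_launch_actions(doc))
```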

Microsoft, patches and Blue Screens

Microsoft had a large Patch Tuesday in February – with an unintended side effect: large amounts of blue screens. This turned out to be due to an interaction between the Alureon rootkit and the patch for KB977165 which updates the Windows kernel. This month’s patches also contain kernel updates, and so have the same incompatibility with the rootkit. As the bulletin for MS10-021 states, “This security update includes package detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems. These abnormal conditions on a system could be the result of an infection with a computer virus that modifies some operating system files, which renders the infected computer incompatible with the kernel update.”

So Microsoft is deliberately not installing the newer kernel updates if the rootkit is detected – and at the same time leaving vulnerabilities unpatched. There are no active exploits for the problems the newest kernel patches are trying to fix, however this situation is far from acceptable.

Microsoft also can’t just remove the rootkit as this would require entitlement; there’s also a risk to the stability of the system with removing something like a rootkit.

This particular rootkit is removed by Microsoft’s Malicious Software Removal Tool however this tool is not installed through the standard Windows Update mechanism which only does ‘Important’ updates. One has to specifically install the Tool or allow Recommended updates to be installed as well.

This problem is only likely to grow worse with time. Until cleaned, the infected machines will be vulnerable to an increasing number of kernel flaws, leaving them exposed to new threats. With little chance that owners of affected computers will clean them up of their own volition, Microsoft might yet be forced to take some more aggressive action to get them clean and up-to-date.

Google hacks affect local SA users

So it seems that some South African users have been bitten by the GMail hack bug. Big Whoopy Ding! They're not honestly using a free on-line email service for anything critical, are they? They are?!?!?! Well serves them right. I've written a number of articles on the security of cloud or internet-based services – my point of view being that these services cannot guarantee the security and integrity of your data.

Per ITweb today:

Manoj Bhoola, HP’s enterprise storage networking country manager, says with cloud computing becoming a reality locally, concerns around security really need to be addressed and fast.

Agreed …

He says hacks like those experienced by Gmail users definitely hamper the roll-out of cloud-based services in SA. “But it will have to happen, it just makes more economic sense,” he notes.

No it does not make economic sense if your sensitive company data gets hacked… Cloud services are an option, not a necessity!

Moral of the story – do not use on-line services for critical or sensitive data, unless you’ve vetted the security of that service. And you certainly should NOT be using GMail and similar apps in a business environment.