Google desktop security…again

An article in today’s New York Times reports that some university researchers have found a Flaw in Google’s New Desktop Search Program. This does seem like a legitimate concern, but here’s the part that troubles me:

An attack would require a user to visit the attacker’s Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred.

The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user’s search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

OK, so in order to take advantage of this security exploit, you, dear Google user, have to visit a Web site run by some nasties, where you have to download a Java program and allow it to be installed on your computer. Presumably, the nasties would disguise this Java program as a game or screen saver or something equally shiny and appealing.

Which is the entire point. I’ll say it again: If a bad guy can convince you to install a program on your computer, it’s game over. Don’t install software from untrusted sources on your computer. And assume that any source is untrusted until you are certain that the opposite is true.

By the way, as the story makes clear, this exploit would work with any browser on any operating system.

Hotmail dumps McAfee, chooses Trend Micro

FirstAdopter.com points to a CNET News story today:

Starting today Microsoft is going to use Trend Micro instead of McAfee for anti-virus on Hotmail. The reason for the change is unclear although an Australian Microsoft executive said Trend Micro’s products offer “deeper virus protection.”

Excellent move. I don’t recommend McAfee software at all, and I am an enthusiastic supporter of Trend Micro. I use PC-cillin Internet Security 2005 myself. I’ve installed this package on several clients’ machines in the past year and have heard nothing but positive reports. If you follow the link (I have no relationship with Trend Micro and get nothing for the referral), note that you can save some money by choosing the Upgrade option (you qualify if you have any AV software at all). If you have multiple computers, check out the Home Security Pack, which is an excellent deal.

Really lame security advice

CNET News tries to spread some panic about desktop search technologies and misses the point completely:

Security experts are warning that virus writers could use new desktop search tools to make their malicious software more efficient.

Foad Fadaghi, senior industry analyst at Frost & Sullivan Australia, said that most viruses are designed to harvest e-mail addresses and other personal information from an infected system. He warned that because desktop search tools such as those recently announced by Google, Microsoft and Yahoo can index and categorize that information, virus writers are likely to start exploiting the technology.

“Desktop search products are very efficient at harvesting data, so it wouldn’t be surprising if exploits are sought by malicious coders. Any software that can index and capture data on a user’s PC will be subject to virus and Trojan exploits. It is just a matter of time,” Fadaghi said.

And how exactly would they do this? If you install an untrusted piece of software, someone else owns your PC. They can do anything they want, with or without the help of an indexing engine. (Oh, and by the way, Windows XP already has an indexing engine, and has since Day 1.)

The implication of this story is that you are somehow safer if you allow a virus or worm to be installed on your computer but don’t have desktop search software running.

Do you believe that? I didn’t think so.

Ultimate password protection

Carl Siechert and I are currently updating Windows Security Inside Out for a second edition due early next year. One promising new development that can really help you keep your online identity secure is to use a fingerprint reader to manage your logons. Amazon has the Microsoft Optical Desktop with Fingerprint Reader on sale right now. I’ve been told that it does a great job of logging you on automatically to your computer, remembering all your saved passwords, and entering them automatically when you browse to associated Web sites.

The best part of a system like this is that you can safely use strong, unique, truly random passwords for every site you visit. In fact, I generate a separate random password for every site and store them in Roboform. I keep the encrypted master list of passwords stored in an online drive and on a second system. That’s a big improvement over what most people do, which is to use one easy-to-remember password for every Web site. The trouble with that strategy, of course, is that if someone gets hold of your Amazon password, they can get into your eBay account, and your PayPal account, and so on and so on.

Anyone tried this device yet?

A geek’s-eye view of security

BigUnix has a fascinating article on computer security. Well, I found it fascinating. If you read it all the way through, then you may be a geek, too:

If a system has bugs, sometimes those bugs can be exploited in order to inject new code for the processor to execute. This can be a hardware, Operating System, or application bug. Almost always, the bugs tend to be a software bug. Those software bugs are usually the result of an unchecked boundary for some input data. When that boundary is passed, or overflowed, some of that input data mingles with execution code. This problem is a very old one. The naive solution, which has been tried for years, is to just fix all the broken code. The OS vendors may be realizing that this is too hard. Is there another solution?

If we look at the most common platform on the net for common users, it is the Windows Platform. According to the Google zeitgeist for May, this is probably at least 50% of the internet. This platform has also been the most popular for viruses as well. Recently, Microsoft has stated that security is an important focus for them, and they have been taking great strides to redeem themselves from a long history of security issues.

Here are some of their solutions to code injection:

1. They are pushing .NET CLR, which will dramatically reduce the possibility of an exploit
2. They are turning the firewall on as the default and re-securing all of their network-exposed systems (code reviews)
3. They are implementing new stack checking systems into Visual C and other compilers for future programs
4. They are utilizing the No-Execute (NX) feature from the AMD64 architecture to provide memory protections in a finer granularity within a Win32 process

Of all of these, the No-Execute feature is by far the most interesting. It is a simple hardware enhancement to the x86 architecture that arrived with the introduction of the AMD64 system. It is interesting to note that it has been present in other non-x86 CPU architectures (like MIPS) for years. Microsoft is going to give users the ability to use the NX feature under the name Data Execution Prevention (DEP) via XP Service Pack 2. So, what is it, and why did it take so long to get here?

The bad news is you’ll probably need all-new hardware to take advantage of this. But it’s coming.
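The “unchecked boundary” the BigUnix article describes is easy to see in a few lines of C. Below is an added example (mine, not from BigUnix or this blog) that puts the classic unchecked copy beside a bounded copy that rejects oversized input; the 16-byte buffer size, the function names and the 40-character test string are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Unchecked boundary: the bug class the article describes. If `input` is
 * longer than NAME_LEN-1 bytes, strcpy writes past the end of `name`, and
 * the excess input lands on the stack beside saved control data. Shown for
 * contrast only; it is never called here with input that exceeds the buffer. */
static void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check at all */
    printf("hello, %s\n", name);
}

/* Bounded copy: returns 0 on success, -1 if `src` (plus its NUL) would not
 * fit in `dst`. Checking the boundary is the "just fix the broken code"
 * remedy; NX/DEP is the hardware backstop for the copies nobody fixed. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                  /* would overflow, so refuse */
    memcpy(dst, src, n + 1);        /* n+1 copies the terminating NUL */
    return 0;
}

/* Same greeting, but oversized input is rejected instead of overflowing. */
static int greet_checked(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_unchecked("Ed");          /* fits, so the unchecked copy is harmless here */
    greet_checked("Ed");            /* accepted */
    /* Constructed oversized input: 40 'A's, well past the 16-byte buffer. */
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* rejected */
    return 0;
}
```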

A spammer with gall

I just received a lovely piece of e-mail from someone who claims his name is David Van Nuys, President of e-FocusGroups.com. Of course, he wants me to take a survey, in exchange for which he will enter my name in a contest where I will have a chance to be one of five lucky people to earn $200. It’s a common racket, of course, and I ignored it, as I always do. But my favorite part of the e-mail was this:

Your privacy is extremely important to us. You are receiving this promotional message as a member of Permission!
[URL deleted] By continuing to receive emails from Permission! you agree to the Permission! Privacy Policy at [Web site address deleted].

Imagine that. By continuing to receive their e-mail messages, I agree to their privacy policy, even though I never asked to be put on their list. Takes some nerve, doesn’t it?

I decided to visit David’s Web site, where I read this profile of David Van Nuys:

David’s skills are not only technical. He is, even more importantly, a “people” person. A professional psychologist, David has extensive training and experience in such areas as organizational development, group dynamics, and psychotherapy. Having led groups of one sort or another all his professional life, he is good both at creating a supportive atmosphere and at “cutting through the bull” to get at key issues.

Guess what? I’m pretty good at cutting through the bull, too. David, you’re an asshole. And a spammer. I’d love to tell you that via e-mail, but your e-mail address isn’t on your Web site. Isn’t that ironic?

Windows 2000 Update Rollup due next year

Microsoft released this Windows 2000 Update Rollup Announcement last week:

To make it as easy as possible for customers to maintain the security and stability of their Windows 2000 systems, Microsoft will produce an Update Rollup for Windows 2000 Service Pack 4 (SP4), with a planned release in mid-2005.

The Update Rollup will contain all security-related updates produced for Windows 2000 between the time SP4 was released and the time when Microsoft finalizes the contents of the Update Rollup. The Update Rollup will also contain a small number of important non-security updates.

No more service packs for Windows 2000. And while it is still an excellent operating system, it’s beginning to show its age. By the time this update is released, Windows 2000 will be more than six years old.

Anti-spyware software sucks

Mike at Techdirt has a perceptive rant on the current state of anti-spyware software:

As spyware becomes a bigger and bigger issue for users, it’s becoming clear that the current crop of anti-spyware tools is, in no way, keeping up with the spyware writers. A test of a variety of different anti-spyware tools shows that none of them work particularly well, and most do an awful job protecting your computer. In fact, it appears that some of the fee-based anti-spyware tools do even worse than the free ones. Still, even the best tool missed quite a bit. Considering the amount of spyware out there, and the overwhelming nuisance it causes, it’s about time someone tried to take a much more holistic approach to stopping spyware, rather than simply trying to solve each case on a one-by-one basis.

He’s absolutely right.

Problem #1: No one seems to quite agree on what spyware is. Some zealots insist that cookies are spyware. Others want to label as “spyware” programs that I think are completely legitimate and desirable.

Problem #2: Makers of anti-spyware software have a vested interest in making you believe the problem is bad and getting worse. So when you scan your system, you’re certain to find something, thus fulfilling their prophecy.

Problem #3: The people who make hostile software go to great lengths to make it hard to detect and remove, raising the ante dramatically for anyone who wants to fight it.

I’ll have more thoughts in a follow-up post.

Malware/spyware at a glance

Over at Ars Technica, Adam Baratz and Charles McLaughlin have produced an interesting article entitled Malware: what it is and how to prevent it:

You can get infected by malware in several ways. Malware often comes bundled with other programs (Kazaa, iMesh, and other file sharing programs seem to be the biggest bundlers). These malware programs usually pop up ads, sending revenue from the ads to the program’s authors. Others are installed from websites, pretending to be software needed to view the website. Still others, most notably some of the CoolWebSearch variants, install themselves through holes in Internet Explorer like a virus would, requiring you to do nothing but visit the wrong web page to get infected.

The vast majority, however, must be installed by the user. Unfortunately, getting infected with malware is usually much easier than getting rid of it, and once you get malware on your computer it tends to multiply.

If you’re a security expert, you won’t find anything particularly insightful in this high-level overview. However, I still recommend it because of the clear explanations and the screen shots that the authors included to illustrate some common adware/spyware programs. If you’re in charge of keeping unwanted software off a home PC or a small business network, this might be a good educational tool.

Part 2 of the series covers Spyware removal tools. Again, no great insights but good descriptions and illustrations of how five popular tools work.