The security software racket

In the middle of a post about Microsoft’s new Windows Live Messenger service, Dwight Silverman’s guest blogger Jim Thompson writes:

At home I don’t install IM software both because I have little need for it and because I see it as just another source of viruses and other malware.

One could make the same argument about e-mail, I suppose. Or networking. Or mobile phones.

And can anyone point me to the treasure trove of “viruses and other malware” that sneak in via IM products? Because I’m sure not seeing them out there in the real world. Googling the subject turns up a flurry of scare-mongering articles from 2003, 2004, and early 2005, all of which report on the alarming increase in IM viruses and predict that this year will be the year that IM-borne viruses finally take off. Oh, wait! Here’s yet another scare-mongering article from June 2006 – “a 500 per cent increase in IM attacks during last month alone.” Details? Bah! Who needs details?

I would take all these articles much more seriously except for the fact that every single one just happens to tout a new study from a security software company that just coincidentally happens to have the product that will solve this alarming new problem.

Nice racket.

Update: In the comments, Jim Thompson responds:

Look at my statement this way, Ed: IF I had a serious need for IM software THEN it would be worth dealing with the malware risk. In the case of networking and email, the need for the technology is worth the trouble of dealing with malware.

Maybe I’ve been duped by the security folks, but tell me: isn’t it true that IM can be used to send executables? And I know for a fact that *any* executable can contain a virus, rootkit, or trojan horse. Given that I’m not that familiar with IM software (something that I mention in the post) and that IM would be used mainly by my young daughters (something I didn’t mention), isn’t it prudent to simply not give malware another route onto my systems?

My reply:

There are three completely separate issues at work here, and conflating them just confuses the discussion.

1. If you don’t need a particular class of software, don’t install it. I’ve been preaching that gospel for years, and it’s still true. Any program can introduce possible security and stability problems, so why install something you don’t need? This argument isn’t unique to IM software.

2. Your kids are the ones who might use this software? Of course you should look carefully at it before installing it. Not just because they can download executables, but because they can communicate with strangers. In my opinion, this is a parenting issue, not a computer security question.

3. Can IM be used to send executable files? Well, yes, as can e-mail. In the case of Windows Live Messenger, there is a fairly easy-to-access setting that allows you to automatically block ALL known unsafe attachments, including types that aren’t normally considered executable. In addition, the software has an integrated and apparently free virus scanner.

I agree that you should evaluate any Internet-facing software carefully before installing it, but falling for the security industry’s fear tactics is a bad starting point for that evaluation process.

Update 2: Jim has posted an excellent follow-up here.

Windows Defender stops one

This surprised me today. As I was looking for an e-mail message from my 2005 archives, I ran across a message in my Junk E-mail folder that was clearly some sort of malware. It was from a sender I didn’t recognize, with a subject line that hinted it was a picture in a Zip file.

I opened the attachment to see what was inside and saw that it was an executable file with a filename designed to fool the recipient into thinking it was a picture. Standard stuff, right?

I extracted the file onto the desktop, where I was going to scan it using an antivirus program (on this test system, I don’t have real-time antivirus protection). But before I could do that, this dialog box popped up:

[Screenshot: Windows Defender warning dialog]

Windows Defender, included with a default installation of Windows Vista, had detected this copy of what turned out to be the Bagle worm and had blocked it with a blood-red warning message.

I don’t normally think of Windows Defender as an antivirus program, but clearly it has that capability, especially for well-traveled forms of malware. I certainly wouldn’t rely on it exclusively, but in this case it did exactly what it was supposed to do.
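The attachment in this post used a classic trick: an executable inside a Zip file, named so it looks like a picture. As an added example (not code from the post, and not how Windows Defender works internally), here is a small Python scanner that inspects a Zip attachment and flags entries that are disguised executables, checking both the deceptive name and the PE header in the file contents; the sample archive it builds is constructed for the demonstration.

```python
# Added example (not from the post): flag "picture" attachments that are really executables.
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
INNOCENT_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS/PE header)


def suspicious_reasons(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    # strip() defeats the "photo.jpg          .exe" padding trick that hides the real extension
    exts = ["." + p.strip() for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {exts[-1]}")
        if any(e in INNOCENT_EXTS for e in exts[:-1]):
            reasons.append("innocent-looking extension before the real one")
    if head.startswith(PE_MAGIC):
        # Content check catches a renamed executable even when the name looks clean
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each entry in a zip attachment to the reasons it is suspicious ({} if clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = suspicious_reasons(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one harmless picture and one disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("beach.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("photo.jpg                    .exe", b"MZ constructed pe bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample()).items():
        print(repr(name), "->", "; ".join(why))
```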

More Vista Beta 2 antivirus options

The Microsoft Security at Home group has published a list of Windows Vista Beta 2 Antivirus Partners:

Although Windows Vista is still in beta, we realize that many customers are testing it in production environments. Microsoft has been working closely with our antivirus partners to ensure that Windows Vista Beta 2 has the same antivirus protection as previous Windows versions.

As an aside, I should point out the absurdity in that last sentence: Previous Windows versions have no antivirus protection, and neither does Windows Vista. Ahem.

Anyway, I previously mentioned the one-year free subscription to CA’s eTrust EZ Antivirus. This page now also lists a free trial of Trend Micro’s PC-Cillin 14.55, good through October 31, 2006.

Free AV for Vista beta testers

If you’re experimenting with Windows Vista Beta 2, you’ve probably already noticed that many antivirus programs are incompatible. Computer Associates has just announced that it’s offering a free one-year subscription to eTrust EZ AntiVirus for Vista beta testers. I’ve installed it here and it appears to be working just fine.

I tried posting this entry using the new Publish to Blog feature in Word 2007. No luck. It’s able to communicate with the WordPress back end, but the posts just go off into the ether, never to be seen again. Bummer.

Update: Trend Micro has a free Vista-compatible beta version of its PC-Cillin software, too.

Next, they’ll be telling us Clippy is the Antichrist

I’m sure by the time you get to this entry at Digg, the number of Diggs will have gone up. But still…

[Screenshot: the Digg entry about the Word exploit]

I don’t want to make light of this issue, but I haven’t really had a chance to look closely at it yet. One big reason is that every one of my e-mail accounts has server-based virus protection and anti-spam filtering, which strips any infected documents or completely blocks the messages containing them.

In addition, every antivirus software provider appears to have updated its signatures to stop these attachments from getting through. ZDNet and eWeek are reporting that Microsoft recommends running Word in Safe Mode until a patch is available. That’s a pretty extreme solution.

Everything you wanted to know about User Account Control

I’ve got a pair of posts up at ZDNet that deal with the controversial User Account Control (UAC) feature in Windows Vista. Due to an unfortunate editing error, a big chunk of the second post was inadvertently left out of the original post (which was Slashdotted). So if you read that second post and found it a little fuzzy, well, go back and take another look.

[Screenshot: UAC file operation prompt]

The conclusion to this three-part series lists ways you can work around UAC (some safe, some stupid and – alas – already widely publicized). I’ll also offer Microsoft some suggestions on how to make this feature work better in Vista’s final release.

If you’re thinking of evaluating Windows Vista Beta 2 when it’s released to the public (maybe sooner than you think), be sure to save a link to this page.

Are AmEx customers being scammed by a new virus/phish hybrid?

What do you get when you cross a phishing e-mail with a virus? I don’t know exactly, but the thought makes my blood run cold.

A bright red alert that I first saw this afternoon reports that some visitors to the American Express secure website are seeing the following pop-up dialog box, which asks them to enter their Social Security number, mother’s maiden name, and date of birth – enough information, in short, to open dozens of credit accounts and steal an identity:

[Screenshot: the fraudulent “security measures” pop-up dialog]

Let me repeat the really chilling part: According to American Express, people are seeing these pop-ups when they’re on AmEx’s secure site!

The AmEx page that warns about this scam is very short on details, but it suggests that they first received notice of this attack around March 29, 2006. The security alert also contains this hint that the culprit is a piece of malware:

Please note that this fraudulent activity may be the result of a computer virus and is not a part of the American Express website. If you received this pop-up box, your computer may have this virus.

In recent years, malware distributors have been mostly interested in setting up bot networks for relaying spam and hosting phishing messages. Some trojans with keylogging capabilities, like those in the PWSteal family, attempt to spot web-based forms where you enter credit card or banking information and scrape their contents to send to an outside source. Attackers running phishing scams have mostly worked via e-mail, and the tools for detecting and blocking phishing attacks are getting better. So this represents a significant escalation. When you see a pop-up dialog box while logged onto a secure site run by a reputable financial institution, you might be fooled.

I haven’t seen this documented elsewhere, and a search at some leading AV sites turns up nothing. If American Express is alarmed enough to put out a public warning, it must have hit a significant number of their clients. Anyone have any further information on what this thing could be?

Robert X. Clueless

Mark Stephens, the PBS pundit who goes by the pseudonym Robert X. Cringely, is modestly famous for his bomb-throwing anti-Microsoft screeds. He’s also famous for being flat-out wrong, often, even when it comes to his own professional credentials. His latest column, A Whole New Ball Game, reaches new heights of misinformation. Here’s a snippet:

Last week, a Microsoft data security guru suggested at a conference that corporate and government users would be wise to come up with automated processes to wipe clean hard drives and reinstall operating systems and applications periodically as a way to deal with malware infestations. What Microsoft is talking about is a utility from SysInternals, a company that makes simply awesome tools.

This is pure horseshit. One surefire indicator that something is rotten in this particular pulpit is that Mark’s … oops, sorry … Bob’s column contains no links. In fact, his columns never link to any external sources of information. Isn’t it remarkable that someone who writes a weekly column for the Internet never links to anyone else? If you want to actually check the facts about something Mark/Bob has written, you have to go dig it out yourself.[*] In this case, the quote is from a presentation at the InfoSec World conference by Mike Danseglio, program manager in the Security Solutions group at Microsoft. The story was originally reported by Ryan Naraine of eWeek. (Read the whole thing here, and see some additional remarks of mine here.)

Did Danseglio really say that corporate and government users should “periodically” wipe and reimage systems? No, not at all. He said that’s the most effective way to deal with a system that has been compromised by a rootkit or an infestation of some advanced spyware programs. And he’s right. When you let someone else take over your operating system, it’s not your PC anymore. You could spend hours or days trying to find and remove all traces of the intruder, but you’d never know for sure whether you were successful.

So, wipe and reimage as a last resort. But the smart, safe strategy that Danseglio recommends is prevention. In fact, if you click to the second page of the eWeek story, you read this conclusion:

According to Danseglio, user education goes a long way to mitigating the threat from social engineering, but in companies where staff turnover is high, he said a company may never recoup that investment.

“The easy way to deal with this is to think about prevention. Preventing an infection is far easier than cleaning up,” he said, urging enterprise administrators to block known bad content using firewalls and proxy filtering and to ensure security software regularly scans for infections.

That’s good advice, and it’s consistent with the “defense in depth” strategy that the Microsoft Security Response Center has been advising for years. But you’d never know that if you read only Cringely, who preaches to an audience that’s eager to sop up anti-Microsoft propaganda, no matter how ill-founded or factually challenged.

And then there’s this:

The crying shame of this whole story is that Microsoft has given up on Windows security. They have no internal expertise to solve this problem among their 60,000-plus employees, and they apparently have no interest in looking outside for help. I know any number of experts who could give Microsoft some very good guidance on what is needed to fix and secure Windows. There are very good developers Microsoft could call upon to help them. But no, their answer is to rebuild your system every few days and start over. Will Vista be any better?

Given up on Windows security? Yeah, I guess Windows XP SP2, Windows Defender, Windows Live OneCare, Microsoft Client Protection, and the many security improvements built into Windows Vista don’t really exist. No internal expertise? That’s ludicrous, as anyone who’s spent even 10 minutes with the Windows team would know. No interest in looking outside for help? As Scoble points out, all you have to do is look at the attendee list of Microsoft’s BlueHat Security Briefings to know that conclusion is not supported by any facts.

Or you could just look at the by-line. If it says Cringely, you know it’s wrong.

Update: Dwight Silverman is skeptical about some unrelated parts of the same Cringely column.

[*] As some commenters point out, a separate page, unmentioned in the original column, includes a link to the eWeek article. I’m a little baffled at the idea that a columnist who writes a weekly column for the web hasn’t learned how to create hyperlinks. It is 2006, after all. But technically, he did provide a link to this article, if you know where to look.

A new old security flaw

It’s really, really misleading for the Washington Post to use the headline Another Critical IE Flaw to describe a newly reported vulnerability that:

  1. Affects only people running Windows Me or Windows 2000 and
  2. Was patched more than three years ago in Internet Explorer 6 Service Pack 1.

Although the vulnerability may be newly discovered, the underlying problem was fixed long ago. In fact, anyone still using Internet Explorer 5 on either of those two aging operating systems is vulnerable to a whole pack of other security problems as well. According to my stats, about 4.4%[*] of all visitors to this site are using one of those browser versions. The few recent stats I can find suggest that number is about accurate for the web population at large.

If you know someone who still has IE 5.x installed on their computer, do them a favor and install the IE6 upgrade for them. This is an essential step even if they already use Firefox or another browser, because the Internet Explorer components are used elsewhere in the OS and in some third-party applications.

[*] Update: For the first week of February, only 3.3% of all visitors to this site are using IE 5.x. By contrast, about 3.5% are using IE7.