Sony tries to stop the bleeding

When you shoot yourself in the foot, you can expect some bleeding. That, presumably, is why Sony and its partner in crime are rushing out a patch for the crapware that comes with their copy-protected CDs. CNET News.com has the details:

Sony BMG’s technology partner First 4 Internet, a British company, said Wednesday that it has released a patch to antivirus companies that will eliminate the copy-protection software’s ability to hide. In consequence, it will also prevent virus writers from cloaking their work using the copy-protection tools.

The record label and First 4 Internet will post a similar patch on Sony BMG’s Web site for consumers to download directly, the companies said.

“We want to make sure we allay any unnecessary concerns,” said Mathew Gilliat-Smith, CEO of First 4 Internet. “We think this is a pro-active step and common sense.”

This is a tiny, tiny first step, but unless they go a lot further, a lot faster, their reputation is shredded.

Free advice for Sony:

  1. Fire First 4 Internet immediately and publicly.
  2. Remaster the CDs with DRM-free versions.
  3. Offer free replacement CDs to anyone who purchased one of the rootkit-infected CDs.
  4. Provide toll-free tech support for anyone who experiences a problem with their Windows computer that they think is related to this software.

That would be a positive response.

Update: I’ve got one more idea…

Sony wants to hijack your PC

Mark Russinovich of Sysinternals.com has documented his experience with Sony’s new copy-protected CDs: Sony, Rootkits and Digital Rights Management Gone Too Far. It’s a bone-chilling story. According to Mark, just inserting one of Sony’s copy-protected CDs into your computer installs unwanted software on your computer. The software installs as a device driver that hides itself using techniques that are the same as those used by viruses and Trojan horses. It does this without any notification or any attempt to obtain your consent. Mark reports:

Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

Researchers at F-Secure were working on similar results at the same time and have now published their results:

Although the software isn’t itself malicious, the hiding techniques used are exactly the same that malicious software known as rootkits use to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits.

The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix ‘$sys, the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques.

According to Mark’s research, anyone who tries to remove this crap will essentially disable their CD or DVD drive.

This is beyond sleazy. Whoever approved this software should be forced into court and made to pay damages. I’m not a lawyer, but it also could violate several criminal statutes.

Screw you, Sony. You’re not getting another dime from me in any way.

Follow-up: Sony’s even sleazier than I thought and Sony tries to stop the bleeding.

Protect your privacy with Word documents

I’m hunkered down working on an updated version of Special Edition Using Office 2003 (this edition will be aimed specifically at people using the Student-Teacher Edition).

In the process of working on one chapter about Word, I ran across the Remove Hidden Data add-in. It’s a must-have for anyone who shares or publishes Word documents. It’s easy to use and very good at stripping personal and confidential information from Word documents.

Clueless commentary from a big name

John C. Dvorak’s latest column is a rant about Microsoft’s security software that includes this amazing paragraph. And by “amazing,” I mean “breathtakingly ill-informed and doesn’t PC Magazine have any technical editors anymore?”

I use a utility called Prevx [link: http://www.prevx.com], a host-intrusion protection system, as well as one or two other antispyware packages to keep the stuff at bay. And it still sneaks in once in a while. Most recently, I forgot to turn off my CUTEftp client and left it running all night. In the morning some system had loaded some weird software called “active skin,” and I had to use SpySubtract to remove 26 Registry entries. Exactly how anything manages to worm in through the open port and place items in the Registry is beyond me, but it happens all the time.

Oh, lordy.

Repeat after me: Leaving an FTP client open does not allow an intruder to install software on your computer. Cannot happen. Science fiction. Even if you were to run an FTP server on your computer, the only thing someone could do would be to upload files to your PC. They couldn’t run the program or edit your registry. And anyway, that’s completely irrelevant in this case, because Dvorak was running an FTP client.

So what about this horrible spyware program that had to be removed? ActiveSkin is a UI development environment from ShapeSoft. It uses an ActiveX control. I can’t find out much about it (and the company that owns it has gone dark), but I know that Symantec calls it “a non-malicious component that may be used by other applications.” I have seen hints that it is used with ICQ, with Ad Hunter, with the SigmaTel audio control panel, and with a number of homebrewed VB6 programs (like this one). Several well-known spyware and Trojan programs use this component, including Insecure Executable Downloader, but it does not appear to be harmful in and of itself.

In fact, given that the spyware scanner John is using is from Trend Micro, it wouldn’t surprise me if it’s a false positive. The ActiveX control (remember, Symantec calls it non-malicious) was probably included with a program that Dvorak installed. It registered itself at installation time (thus adding entries to the registry). It wouldn’t be the first time that Trend Micro had been guilty of identifying a perfectly legitimate program as spyware.

From that false premise, Dvorak then reaches the sweeping conclusion that Microsoft is unwilling and unable to “fix” Windows so that it’s perfectly secure.

Sigh. There ain’t no such thing as a secure operating system. Sensible security precautions can be built in, development processes can be improved, reaction time for fixing security issues can be cut down. But “fixing” Windows does not mean creating a code base that has no more security issues ever.

This is yet another reason why I stopped reading PC Magazine. The trouble is, several hundred thousand people still do, and after reading this column they’ll come away with the mistaken belief that hostile software can attack their computer using a simple FTP client. Who knows what other ridiculous technical errors are in this same issue?

As Dvorak would say, sheesh.

Phish with high irony content

Well, two weeks after installing Service Pack 2 for Office 2003, with its new Outlook anti-phishing filter, I finally received the first message that Outlook suspected might be a phishing attempt but didn’t move to the Junk E-mail folder. I didn’t notice the Info bar message at first, but when I clicked on a link in the message, this dialog box appeared.

[Screenshot: Outlook 2003 phishing warning]

That’s when I looked at the info bar and saw this message.

[Screenshot: phish alert]

Nice of Microsoft to protect me from those potential evildoers at microsoft.com! Of course, all I had to do was click to add this domain to my safe list.

[Screenshot: add domain to safe list]

This is the sort of stuff that Microsoft watchers like to point to as evidence that the company is clueless. However, I see this from a different perspective. In this case, at least, Microsoft doesn’t get a free pass. The algorithm might have tripped up, but the user gets to make the decision whether to trust this message or not. That’s the right set of defaults.

Still, the irony is noteworthy.

Tip of the day: Get free antivirus tech support

Think you (or someone you know) has contracted a virus or been afflicted with spyware? According to Microsoft’s Security Help and Support for Home Users page, you can call 1-866-PCSAFETY (1-866-727-2338):

This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

If you live in another region, there’s a link to find the phone number for your area.

(Thanks to Suzi Turner at Spyware Confidential for the pointer.)

Outlook’s new phishing filters

I installed Office 2003 Service Pack 2 and the latest junk e-mail filters for Outlook. The process was painless. And the anti-phishing features are interesting.

Details about bug fixes are in this KB article. After a five-minute search I can’t find any documentation of how the new anti-phishing features work. But these are my observations:

  • All messages that appear to be phishing attempts are moved to the Junk E-mail folder.
  • All HTML-formatted messages in the Junk E-mail folder are displayed in plain text. This is a crucial change, because it denies the scammer the opportunity to steal the look and feel of a legitimate site. Even if the scammer tries to steal a site’s graphic, the effort is in vain, because all you see is a link to the graphic.
  • Links are broken up into the link text and the link target, which appears in brackets. As this screen snippet shows, it’s pretty easy to spot the phony links. As a bonus, the link text is not clickable. You have to copy the URL and paste it into a browser’s Address bar to actually visit the site.

[Screenshot: Phishing attempt in Outlook 2003]

The forced conversion to plain text also renders a lot of spam unreadable, which is good. So-called online drugstores that try to disguise their content by burying the message text in a bunch of pseudo HTML just turn into so much gibberish.
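An added example (not from the original post, and not Outlook's actual implementation) of the rendering observed above: it converts an HTML body to plain text with each link target shown in brackets, and goes one step further by flagging links whose visible text names a different host than the target. The sample message, the `render` and `host` helpers and the bracketed rendering of images are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message body (reserved example names, not a real message).
SAMPLE_HTML = (
    '<p>Dear customer, please verify your account at '
    '<a href="http://198.51.100.7/login">https://www.bank.example/verify</a> '
    'or read our <a href="https://www.bank.example/help">help page</a>.</p>'
    '<img src="http://198.51.100.7/logo.gif">'
)

class PlainTextRenderer(HTMLParser):
    """Render HTML as plain text: link text followed by [target], images as [src]."""
    def __init__(self):
        super().__init__()
        self.out, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.out.append(f"[{a['src']}]")  # graphic is never fetched, only named

    def handle_data(self, data):
        # Text inside <a> is buffered so it can be paired with its target.
        (self._text if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.out.append(f"{text} [{self._href}]")
            self.links.append((text, self._href))
            self._href = None

def host(value):
    """Hostname of a URL-looking string, or None when the text is not a URL."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", value.strip(), re.I)
    return m.group(1).lower() if m else None

def render(html):
    """Return (plain_text, suspicious); suspicious lists links whose visible
    text names one host while the target points at another."""
    r = PlainTextRenderer()
    r.feed(html)
    r.close()
    suspicious = [(t, h) for t, h in r.links
                  if host(t) and host(t) != (urlparse(h).hostname or "").lower()]
    return "".join(r.out), suspicious
```
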

What if the junk/phishing filters catch a legitimate message by mistake? No problem. Drag it back into the Inbox or any other folder and it’s displayed in its original format, complete with clickable links.

This is a simple but very effective fix. If you use Outlook 2003, go get it!

Update: Thanks to Rick in the comments for finding this link to Microsoft’s brand-new Help topic: Block or unblock links in suspicious phishing messages. In addition to the features I noted above, there’s a new link-blocking behavior that applies to messages that contain suspicious links but aren’t moved to the Junk E-mail folder. Here’s a screen from the Help topic:

[Screenshot: Outlook 2003 blocks suspicious links]

Unlike the spam filtering, this classification isn’t retroactive; it applies only to new messages as they’re received. So I won’t be able to see it in action (and show it to you) until I receive a new, suspicious phishing attempt that doesn’t get classified as spam. We’ll see how long that takes.

Office 2003 Service Pack 2 is out

If you subscribe to Microsoft Update, this should show up automatically in the next few days, but you can download it here:

Office 2003 Service Pack 2

The most interesting change is the addition of a new Phishing Protection feature to the Outlook 2003 Junk E-mail Filter. If you have Office 2003 SP2 and the latest Outlook 2003 Junk E-mail Filter Update, this feature will be turned on by default. I’ll get a screen shot and more details after I’ve had a chance to look at it.

Toolkit for a shared computer

Microsoft’s Shared Computer Toolkit for Windows XP is now available. It looks like a nice collection of tools that a parent can use to keep kids (and other “untrusted users”) from monkeying with disks and system settings.

I haven’t tried it yet, and I wish we had known about this when we were putting the finishing touches on Windows XP Networking and Security Inside Out!

If anyone wants to post a review here, feel free to use the comments section.