Franci Penov : Security

Microsoft Windows Malicious Software Removal Tool

Franci Penov — Tue, 11 Jan 2005 18:33:00 GMT

In the slight chance you haven't seen this yet, Microsoft just released a Malicious Software Removal Tool targeting some of the most prevalent malicious software. For a list of the tool targets, check its official page.

The tool will be updated on the second Tuesday of every month. If you turn on Automatic Updates, you'll get the latest version automatically. Alternatively, you can always download it from Microsoft Download center.

I would strongly recommend you to run it at least once a month just to cover all your bases.

Official page: http://www.microsoft.com/security/malwareremove/default.mspx

Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Update: This is different tool than the Microsoft Antispyware. The AntiSpyware is proactive tool that monitors constantly your system. The Malicious Software Removal Tool targets specific pevalent viruses and worms and scans and removes them.

My personal opinion is that this tool will be kept as a way to target specific known threats through Windows Updates. In other words - even if people choose not to run any antivirus and/or antispyware programs on their computers, there is a way for Microsoft to fight virus epidemics.

Btw, this tool is not an antivirus program. It's just a removal tool. You should still run antivirus and antispyware and proactively monitor your computer.

Microsoft AntiSpyware Beta 1

Franci Penov — Thu, 06 Jan 2005 19:25:00 GMT

Microsoft AntiSpyware Beta 1 was released to the web. You can download it here.

Malware, email scams and other...

Franci Penov — Mon, 25 Oct 2004 17:17:00 GMT

Unfortunately, everything is a target nowadays.

Malware for Mac: http://news.zdnet.com/2100-1009_22-5424883.html

RedHat security update email scam: http://www.pcpro.co.uk/news/65033/red-hat-hit-by-securityupdate-email-scam.html
Slashdot discussion: http://it.slashdot.org/it/04/10/24/2352234.shtml?tid=172&tid=110&tid=218&tid=106

Mobile phones attack vector Bluetooth: http://www.thebunker.net/security/bluetooth.htm
The Register article (take it with a pound of salt): http://www.theregister.co.uk/2003/11/17/bluetooth_is_attack_vector
Slashdot discussion: http://slashdot.org/articles/04/02/10/0654252.shtml

Google Desktop

Franci Penov — Tue, 19 Oct 2004 18:19:00 GMT

There are lot of people that think the new Google Desktop is great and revolutionary. However, there are several things wrong with it that make me stay away from it. Here's the short list (in no particular order):

It hooks up WinInet.dll. Hooking up system level component and intercepting all incoming/outgoing traffic on my machine has nothing to do with my desktop search. (Btw, it's amazing how many antivirus programs Google Desktop is incompatible with because of this)
They inject desktop search information in the Google web search results. While this might seem like a reasonable thing to do, it also means I should now be aware that when I do web search with somebody over my shoulder that I might be divulging private information.
Google desktop can be installed only as admin. The only reason I can think of for this limitation is the WinInet.dll hooking up. I want desktop search to search my files - files that belong to me and I have exclusive access to them. I shouldn't have to be admin to search my data.
It can be used only by the user that installed it. This means non-admins can't use it. That alone rules it out from my home machine, where admin user is logged only for Windows Updates and application installations.
It can be installed by one user only. Another reason I can't use it at home, where my wife and I have separate accounts. What, Google doesn't think people are entitled to their own privacy on computers?
It uses the browser as interface. Webpage is probably not the best way to list couple of thousand search results now, is it?
It uses the browser as interface. That means that any search strings in the Google Desktop will show up in the Google.com page if you double-click on the Search for text box and you have Autocomplete for Forms enabled in the browser.
It runs a webserver on your box. While it's supposedly listening for localhost requests only, it still means that every malicious webpage out there can possibly access it and do post back with the results to their server. A Java applet, for example, with 1px UI. Also, what are the chances that the desktop search page doesn't suffer from the same XSS exploit the main Google page suffers from? (You can search for Google Desktop Exploit on Google)
It makes copies of your browser cache without warning me about this or giving me any option to clear its cache as well when I want to clear the browser cache. I have not tried this with Outlook email, but I wouldn't be suprsied if they do it for email as well. Btw, if they do it, it might be in direct violation of the email retention policies of some companies. (Of course, IANAL disclaimer aplies)
It installs as a browser extension. Hm, I wonder why that is if it has hooked up WinInet.dll anyway.
There is no way to limit the size of the Google Desktop index.

The list above is compiled from half a day looking at it. There might be other issues or plain wrong things with Google Desktop that I missed or overlooked. I'd be interested to hear what else people found out they don't like about Google Desktop.

Update: I was reading Fred's blog and stumbled upon another disturbing fact:

Everybody knows that Google Desktop index all messages from AIM. It’s not really news in itself. The thing that most people don’t know is that if you turn off the logging property of your AIM it seems that Google Desktop index your messages anyway.

I know I can turn off indexing AIM in Google Desktop Preferences. But I shouldn't have to make my privacy choices there. I am aware that I've already made the explicit chioce of allowing Google to index my AIM chats. However, that does not implicitly allow Google Desktop to search my whole network traffic. The privacy preferences of the primary program that produces the indexed data SHOULD be respected. It's that simple.

Update 2: Removed the rethorical question about adding a keyboard logger. I want to keep this post just as a list of things that bug me in Google Desktop. I can talk about my paranoia in other posts. :-)

PSSIR team is blogging...

Franci Penov — Thu, 02 Sep 2004 21:40:00 GMT

Tim Rains and Robert Hensing are members of the Microsoft Product Support Services Incident Response team. Their blogs are a must read, especially if you are interested in investigating system intrusions and compromises.

Port Reporter Parser v1.0

Franci Penov — Wed, 01 Sep 2004 17:37:00 GMT

If you use the PortReporter (download, KB article), there is a nice log parser for it. Go ahead and snatch a copy of Port Reporter Parser while it's hot.

Here's straight from the horse's mouth a short list of what the tool is capable of:

The Port Reporter Parser (PR-Parser) is a tool that parses the logs that the Port Reporter service generates. I have built some features into this parser to help identify Trojans/malware running on Windows systems and to provide some useful statistics on a system’s usage.

PR-Parser helps to identify data that is “interesting” and/or “suspicious”:

Identifies ports of interest that are used on the system.
Identifies “suspicious” processes running on the system.
Identifies “suspicious” modules (.dlls, .drvs, etc) loaded on the system.
Identifies “interesting” user accounts that are active on the system.
Helps to determine when IP addresses, fully qualified domain names (FQDNs), or computer names of interest are found communicating with the system.
Attempts to identify when a process using the name of a legitimate process is run from the wrong directory on a system.

PR-Parser provides some log analysis data as well. This data can help profile the system and/or how users use the system. This data includes:

Local TCP port usage - % of time a TCP port is used
Local process usage – what % of time each process is used
Remote IP address usage – how often the local system communicates with each remote host
User context usage – how often each user account is used to start local processes
Port usage by hour of the day – helps identify peek usage times for a Windows system
Svchost.exe enumeration – see all the services hosted by every instance of svchost.exe running on a system
Internet Explorer usage by user – see all the sites or firewalls that every user visits via Internet Explorer

There's lot more than the list above to make it even more useful. The download includes Readme file with more information about the tool capabilities.

Update: Added link to Tim Rains blog. Tim is the guy that came up with Port Reporter and Port Reporter Parser. He is also a Technical Lead on the Microsoft Product Support Services Incident Response team.

Excellent LUA/non-admin resource

Franci Penov — Fri, 27 Aug 2004 22:09:00 GMT

Aaron Margosis has excellent set of posts on why and ho to run as LUA (non-admin). If you wander what's in it for you or have particular problem while running as non-admin, you owe it to yourself to read his blog.

Here's a short list of Aaron's posts on the topic:

First the “Why” posts:

Why you shouldn't run as admin...
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx

"Zero-day" attacks and using limited privilege
Expect to see more malware predating the patches - and how you can protect yourself. (Or, "Why you shouldn't run as admin, Part 2")
http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx

And then the “How-To” posts:

The easiest way to run as non-admin
This is the really important one for your non-techie friends and relatives ...
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

"RunAs" basic (and intermediate) topics
A whole lot of detail about how to use "RunAs" to run programs under a different account.
http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx

RunAs with Explorer
How to get Windows Explorer to work with RunAs (and why you might want to).
http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx

MakeMeAdmin -- temporary admin for your Limited User account
How to quickly and temporarily give your non-admin account administrator privileges, without having to log out.
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

PrivBar -- An IE/Explorer toolbar to show current privilege level
A toolbar for Explorer and Internet Explorer that shows you broadly at what privilege level that particular instance is running
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx

This is a bad idea...

Franci Penov — Thu, 05 Aug 2004 19:54:00 GMT

The new FirstTech Credit Union page puts the logon dialog on an unsecured page. Their explanation [1]:

Why This Is Secure
Using the Online Banking Login on the 1sttech.com pages is safe, even though you do not see the lock in your browser as your Account ID and PIN (Personal Identification Number) are not transmitted until you click on the "login" button. Upon doing so, a secure session is established between your browser and our systems. Your information is then encrypted using 40-bit or 128-bit encryption algorithm (128-bit is used if your browser supports it) and sent to our systems for authentication into Online Banking. Please note that First Tech never transmits your information without it being encrypted first.

We recognize that most of the internet public has been wisely trained to look for the lock in their browser when submitting sensitive data online, this is why we created the “why this is secure” message and added the lock icon to the login button. The design of our website made it difficult to include the popular member request of offering a Home Banking login box to every page on our www.1sttech.com site. Our solution was to verify that the process was secure, then communicate this to our members via the hover text and the “why this is secure” page.

It's good they have thought about the security part of the problem. It's bad that with this implementation they are training people to not rely on the browser's notification about the status of the connection security, but on a webpage icon. Once trained, people would blindly accept the same icon on another page as sign of secure transport layer, even though it might be there just because the page designer decided it's a good “Login“ pictogram. Not to mention all the phish emails that will start doing the same to lupe people to trust their links.

People should never trust the web page content about the status of the connection.

[1] http://www.1sttech.com/home/security/online_banking/online_banking_security.html

"Why I run as an Admin" or A story of a Wrong Attitude

Franci Penov — Fri, 30 Jul 2004 00:03:00 GMT

Recently I stumbled across a posting named “Why I run as an admin”. As you can deduct from the title, it is a small rant from a guy about why he runs as an admin. There are lot of rants like this flying aroun in the blogosphere (and not only there), so what makes this one interesting?

It's the attitude. Or more precisely - the wrong attitude of the post. The message that the author conveys is “Security is hard; running as regular user is hard; I won't do it”. And that is coming from somebody that is in our industry. So with this attitude, why do we even expect to get the regular users run as regular users on their computers?!

Let's take a look at the complaints:

“Can’t see calendar as non-admin” – This is the only legitimate complaint that really is a problem. I've been given this argument countless times, when I ask somebody “Why don't you run as non-admin?“. I would argue that this is the single most stupid reason to run as an admin. Yes, this is known limitation of the os and it should be fixed. But please, get over it and be secure! There are miriad of other ways you can see the calendar. Besides, if this is one of your critical tasks – you most probably are one of the people that have Outloook (or any other calendar application) always open anyway.
(I don't want to discuss the scenario, where one doesn't use PIM and needs to see the calendar every half an hour. If one can't even remember the current date, they definitely should NOT be running as an admin)
“Can’t install anything” – How often does one need to install new programs? You can always switch to admin account when you need to install a new program. But wanting to run as admin so that you can install anything at anytime? This is like wanting to run as admin because you might need to change the permissions for one of the users at any time.
As for Windows Update not being able to run as limited user - this is very arguable point. In the big enterprises, installing OS updates is often a matter of IT department policy and is not at the discretion of the computer users. Even at home, not all the regular users need to be able to do it. (I am sure I don't want my wife to be able to do it :-)).
“XP SP2, the firewall” – I have not run XP SP2, but I can imagine that the problem here is with the firewall blocking outgoing connections in various programs. This is not a reason to run as admin. The proper procedure is – log on as admin, configure the applications you know and want to enable to connect to outside world and be done with it. If you install new application, you do it as an admin (see the previous point) and at the same time you configure it in the firewall. Regular users shouldn’t be able to drill holes in the firewall anytime they open the new “I love you” email.
“On my home computer, I once changed my account and my wife’s account to be a limited user without telling my wife. Let me tell you, that’s a mistake that I will only make once.” – Even though this wasn't a numbered argument, it sounded like a major issue for the author. Definitely, the WAF (wife acceptance factor :-)) can be a serious roadblock for anything. However, the only mistake that this guy did was that he did it without telling his wife. But that has nothing to do with the whole “running as admin” problem, it’s just a question of “marriage smarts”. :-)
(As an example - at home my wife is running as a limited user for more than a year. I am also running as limited user for everyday tasks. I use the admin account for admin tasks. Everything works and my wife didn’t hit any problems so far.)

Granted, there are problems with a lot of programs when installed as an admin, but run as regular user. There are also other problems with running as regular user. But running always as admin is not the answer. And telling people to do so is a bad thing. It's hard enough to try to educate the users to run as regular users, when lot of software companies support/FAQ says something in the line of: “So, Mr. Joe User, you are saying that our latest and greatest game Unreal Quake 2011 doesn’t run? Check our FAQ, that’s known problem, you have to be an admin on your machine.”.

The message “I will not attempt to be secure, because it’s too hard” coming from an IT professional is just plain wrong.

What's your lifestyle?

Franci Penov — Fri, 28 May 2004 16:04:00 GMT

I'll make this one short. If you are doing all you stuff on the computer as admin - stop it now! Get through the pain and switch as a regular user once and for all. Here are the reasons why and some tips on how to ease the pain.

PortReporter

Franci Penov — Thu, 18 Mar 2004 17:03:00 GMT

Have you ever wanted to find out about any of the following:

The ports that are used
The processes that use the port
Whether a process is a service
The modules that a process loaded
The user accounts that run a process

Yes? Good. Because Microsoft has a new toy for you - PortReporter. It logs all the information above on Win2K3 and XP. The tool also works on Win2k, but it logs less information.

Anyway, go can read more about it in KB 837243. Then download it and play around.

Security Readiness Kit

Franci Penov — Thu, 29 Jan 2004 18:51:00 GMT

Another great tool to have handy - Security Readiness Kit. Here's what TechNet says about the tool:

“The Security Readiness Kit (SRK) CD and its companion web site at http://www.microsoft.com/technet/security/readiness are designed to give you easy access to the documentation and tools you need to ensure that your network operates with the best security possible.”

If you have TechNet, I believe you should have it in there (but don't quote me on that :-)). There is upcoming web page to order the CD as well.

Microsoft Baseline Security Analyser (MBSA) V1.2

Franci Penov — Tue, 20 Jan 2004 03:51:00 GMT

Check out the Microsoft Baseline Security Analyser site. There is new version available for download - MBSA v1.2. The tool is now localized in couple other languages, support for additional products was added, IE custom zones support and few other things were thrown in.

Can a printer be a security threat for your computer?

Franci Penov — Sat, 17 Jan 2004 04:59:00 GMT

Everybody has printer at home. Well, mostly everybody. Chances are if you have computer at home, you most probably have a printer as well. It is just sitting there on the shelf or on your desk and silently (or not so - depending on the model) waits for you to use it. You open an email from your significant other or a page on the internet, hit the Print button and there it is - a hard copy of whatever you need. However, in all the years you did that, have you ever thought about the privacy and security implications of using a printer?

Yes, that is right, you read it correctly. By the fact of using your printer, you might actually disclose private information to anybody that can access you computer. You might even disclose information that can help other people to compromise your system security.

Case in example - my HP 7150. The drivers for the printer create a log file. Nothing unusual, almost any software on the planet creates some type of log, where it stores information about what happened. Anyway, the log files can always be deleted. Besides, the file is on the local disk and is protected by the file system security, so it is not a big problem. Furthermore, the file is in proprietary binary format, thus, it cannot be read easily. So we are safe, right?

Wrong. Open the file in notepad and the first thing you notice is that it contains the names of every single document you printed. Now, this would not be that big of a problem, were it not for a couple of bad choices the developer made:

The log file is not per user, it is a single log file for the whole system. Most probably, the arguments went on like: “This particular printer targets mostly home users. Most home users run Windows 98 or ME, or if they run Windows XP, they do not use separate users. If the majority of the computers to run this software are going to be “single-user” systems, why bother with multiple log files? “
Once the choice one was made, it is very easy to make the second bad choice - put the log file in the root folder. Arguments: “It's the only folder which is predictably on place on any computer. So why bother with complex logic of attempting to figure out where the Windows folder or the Temporary folder is? “

On default NTFS disk, the permissions for the root are admin - full, users - read-only. If you are logged on as regular user (you are, aren't you?), you cannot delete the file but you can still read it. In addition, if you have multiple users, all the documents every single one of them printed are in there. Moreover, if they print web pages, the name of the document is the web page.

One can argue that the amount of information that can be found this way is very small. However, any information can be used in some way. Here is an example - let us assume that every user on the machine has printed only one document from their documents folder and let us say that both documents are named test.html. If there are two users, the log file will contain two document names, both of them test.html. There is no way you can get any useful information from such a log file, is there? Yes, there is - the document names in the log file are given to the printer driver by the program. It just so happens that Internet Explorer gives names that contain the full path of the file and the full path to your documents folder contains the account name. Therefore, by looking at the file, you now have a list of all the user accounts on the system. Share the printer with your peers on the dorm over the network and you could probably see their user names on their machines. If you open a web page that reads the file and sends it back to the server, somebody else can have this information.

I am sure you can think of other ways in which this could be used by malicious people, so I will stop here with the examples. Besides, I think I already made the point of the post - next time you decide to store some information, be smart about it and think not only what, where and how you store, but also who has access to it and how can they use it. And for Pete's sake - please, do not put log files in the root folder...

Airport security

Franci Penov — Mon, 29 Dec 2003 08:19:00 GMT

My wife and I spent the holidays in L.A. Turns out after three years, the place we lived is exactly the same. It's like we left yesterday...

Anyway, the post is not about this. It's about the airport security. You know, all the lines and the endless waiting and the strip search... oh, wait, that's another story. But you get the picture.

Last Monday, Sea-Tac, we are flying to L.A. Mih doesn't trust me and thinks I am unreliable and anything important should be handled by her. Not that I blame her or anything - most of the times she is right; not this time though - she lost the boarding passes. Not sure what to do, we tell the attendant at the gate we lost them and “Can we please get on that plane for LA?“.

With alert level at orange, I expect a sirens to start and at least two SWAT teams to jump from the roof. I wouldn't be even surprised by a black helicopter landing on the plane outside.

The attendant just smiles at us and asks if we are on the flight and what our names are. I tell her my name, she checks in the computer and nods us in.

At that point I figure out L.A. is not that big of target anyway. I mean, it's not like anyone would want to drop a bomb on JLo's or Britney Spears' house, right? Umh, strike that; still, apparently L.A. is considered a safe place to fly to. On the other hand, you never know when someone will try to sneak a penguin to Seattle and let it loose in Building 8. So the security on the flight back should be better.

Saturday morning, LAX, we are going back to Seattle. Two miles before the airport half the lanes are closed because of a security check point. At the check point I learn why it is called so when I notice the police officers are checking out the hot chick in the next lane. We pass by, get to the airport, check in (no IDs required), go through the metal detector, get to the gate. Mih hands the boarding passes and our IDs to the attendant there. Quick glance and we are let in; meanwhile, I notice that Mih was showing the documents so that my ID was under hers and only the picture was showing.

Total amount of attendants and security personel we passed by at the two airports: something around 60 or so.
Total amount of IDs required to fly Seattle-LA and back: one and a half.
Total time we lost because of the heightened “security“: two hours.

Moral of the story - having too many eyes look at something does not ensure it's secure...