<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tim Anderson's ITWriting &#187; security</title>
	<atom:link href="http://www.itwriting.com/blog/category/security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.itwriting.com/blog</link>
	<description>Tech writing blog</description>
	<lastBuildDate>Wed, 17 Mar 2010 14:12:51 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The insecurity of Verified by Visa and MasterCard SecureCode</title>
		<link>http://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html</link>
		<comments>http://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html#comments</comments>
		<pubDate>Wed, 27 Jan 2010 12:30:19 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[internet]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[3-D Secure]]></category>
		<category><![CDATA[verified by visa]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html</guid>
		<description><![CDATA[<p>An article on the H points to this paper by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html">The insecurity of Verified by Visa and MasterCard SecureCode</a></p>


]]></description>
			<content:encoded><![CDATA[<p>An <a href="http://www.h-online.com/security/news/item/Researchers-criticise-3D-Secure-credit-card-authentication-914144.html">article on the H</a> points to <a href="http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf">this paper</a> by Steven Murdoch and Ross Anderson, from the University of Cambridge Computer Laboratory, on the poor security design of the 3-D Secure (3DS) protocol used by Visa and MasterCard in the UK and catching on worldwide. In addition, 3DS undermines privacy by sending a full description of each transaction to the card issuer or its contractors.</p>
<p>Banks also use the supposed additional security of 3DS to shift liability for fraudulent use towards the customer.</p>
<p>What’s wrong with 3DS? The authors list a number of issues. The 3DS system throws up a request for additional authentication in a pop-up dialog or iFrame, which means you cannot easily check its source; it could be a phishing attack. The memorable pass phrase that is meant to prevent this is vulnerable to man-in-the-middle attacks, as well as impatient users who might not bother to read it. Password reset mechanisms are often poorly implemented, and may depend on semi-public information such as date of birth.</p>
<p>The authors suggest that a simple approval process, such as a text message to your phone asking for an authorisation code, would be more secure, even if only as a stop-gap before adopting a more robust solution.</p>
<p>I find it surprising that 3DS has been adopted so widely despite well-known flaws. As the authors note:</p>
<blockquote><p>3-D Secure has received little public scrutiny despite the fact that with 250 million users of Verified by Visa alone, it&#8217;s probably the largest single sign-on system ever deployed.</p></blockquote>
<p>Well, with this post I am doing my bit.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/2171-the-insecurity-of-verified-by-visa-and-mastercard-securecode.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The end of Code Access Security in Microsoft .NET</title>
		<link>http://www.itwriting.com/blog/2156-the-end-of-code-access-security-in-microsoft-net.html</link>
		<comments>http://www.itwriting.com/blog/2156-the-end-of-code-access-security-in-microsoft-net.html#comments</comments>
		<pubDate>Wed, 20 Jan 2010 09:51:05 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[.net]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/2156-the-end-of-code-access-security-in-microsoft-net.html</guid>
		<description><![CDATA[<p>In the early days of .NET I remember being hugely impressed by Code Access Security. It gave administrators total control over what .NET code was permitted to run. It’s true that the configuration tool was a little intimidating, but there were even wizards to adjust .NET security, trust an assembly, or fix an application – <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/2156-the-end-of-code-access-security-in-microsoft-net.html">The end of Code Access Security in Microsoft .NET</a></p>


]]></description>
			<content:encoded><![CDATA[<p>In the early days of .NET I remember being hugely impressed by <a href="http://msdn.microsoft.com/en-us/library/930b76w0(VS.71).aspx" target="_blank">Code Access Security</a>. It gave administrators total control over what .NET code was permitted to run. It’s true that the configuration tool was a little intimidating, but there were even wizards to adjust .NET security, trust an assembly, or fix an application – great idea, that last one.</p>
<p><a href="http://www.itwriting.com/blog/wp-content/uploads/2010/01/image3.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://www.itwriting.com/blog/wp-content/uploads/2010/01/image_thumb3.png" width="404" height="349" /></a> </p>
<p>Well, now the truth is out. Code Access Security was too complex for humans to configure. Buried deep in the documentation for .NET Framework 4.0 you can find <a href="http://msdn.microsoft.com/en-us/library/dd233103(VS.100).aspx" target="_blank">Microsoft’s confession</a>, under the heading Security Policy Simplification:</p>
<blockquote><p>In the .NET Framework 4 Beta 2, the common language runtime (CLR) is moving away from providing security policy for computers. Historically, the .NET Framework has provided code access security (CAS) policy as a mechanism to tightly control and configure the capabilities of managed code. Although CAS policy is powerful, it can be complicated and restrictive. Furthermore, CAS policy does not apply to native applications, so its security guarantees are limited. System administrators should look to operating system-level solutions such as Windows Software Restriction Policies (SRP) as a replacement for CAS policy, because SRP policies provide simple trust mechanisms that apply to both managed and native code. As a security policy solution, SRP is simpler and provides better security guarantees than CAS.</p>
</blockquote>
<p>The section below, headed Obsolete Permission Requests, is even more damning of the old system:</p>
<blockquote><p>Runtime support has been removed for enforcing the Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests. In general, these requests were not well understood and presented the potential for security vulnerabilities when they were not used properly.</p>
</blockquote>
<p>It goes on to explain why they did not work, with explanations like this one for RequestOptional:</p>
<blockquote><p>RequestOptional was confusing and often used incorrectly with unexpected results. Developers could easily omit permissions from the list without realizing that doing so implicitly refused the omitted permissions.</p>
</blockquote>
<p>The new .NET Framework 4.0 no longer enforces these obsolete permissions.</p>
<p>Microsoft is right. As far as I’m aware, few used the .NET Configuration tool, and I cannot even find it in Windows 7, even though Visual Studio and all the versions of the .NET Framework are installed. Developers feared, with justification, that tinkering with the settings would simply cause mysterious exceptions that were hard to resolve.</p>
<p>I recall though that Code Access Security was considered a highly strategic feature when .NET was first released. One of the promises of .NET was that applications would be more secure and malware less prevalent. The fine-grained permissions were a selling point versus Java.</p>
<p>The painful lesson is that simplicity is a feature. Of course some things are inherently complex; but technology succeeds when it simplifies rather than complicates the tasks that we face.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/2156-the-end-of-code-access-security-in-microsoft-net.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Government security advice is misguided; switching browsers will not make you safe</title>
		<link>http://www.itwriting.com/blog/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html</link>
		<comments>http://www.itwriting.com/blog/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html#comments</comments>
		<pubDate>Mon, 18 Jan 2010 16:45:21 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[internet]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[ie]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html</guid>
		<description><![CDATA[<p>I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.</p>
<p>Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html">Government security advice is misguided; switching browsers will not make you safe</a></p>


]]></description>
			<content:encoded><![CDATA[<p>I have mixed feelings about the <a href="http://news.bbc.co.uk/1/hi/technology/8465038.stm" target="_blank">recent government recommendations</a> from France and Germany to switch from Internet Explorer for security reasons.</p>
<p>Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.</p>
<p>Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.</p>
<p>The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.</p>
<p>Is Firefox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? <a href="http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf" target="_blank">At least one test</a> [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:</p>
<blockquote><p>Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.</p>
</blockquote>
<p>Know a better one? I’d be interested in more recent tests.</p>
<p>Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has <a href="http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx" target="_blank">protected mode</a> on Vista or Windows 7, which is no panacea but helps a little.</p>
<p>But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?</p>
<p>I’m not so sure. Frankly, it would surprise me if there were not multiple known vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.</p>
<p>How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced &#8230; don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on. </p>
<p>Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.</p>
<p>If you are really serious <a href="http://www.thevirtualcircle.com/2009/11/the-sunset-of-av-technology-good-for-windows-7/" target="_blank">you can use AppLocker</a>, or another whitelisting technique, to control what can run on your box.</p>
<p>And passwords &#8230; one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called <a href="http://www.microsoft.com/presspass/features/2006/feb06/02-14infocards.mspx" target="_blank">InfoCard</a> that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.</p>
<p>I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, they are likely passing their credentials in plain text over the internet for any smart hacker to read.</p>
<p>I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually <strong>insecurity</strong> questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.</p>
<p>Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Have Windows OEM vendors learnt anything from Apple?</title>
		<link>http://www.itwriting.com/blog/1960-have-windows-oem-vendors-learnt-anything-from-apple.html</link>
		<comments>http://www.itwriting.com/blog/1960-have-windows-oem-vendors-learnt-anything-from-apple.html#comments</comments>
		<pubDate>Sun, 15 Nov 2009 18:12:41 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1960-have-windows-oem-vendors-learnt-anything-from-apple.html</guid>
		<description><![CDATA[<p>I’ve just set up a new consumer Windows 7 PC – it was HP’s Compaq Presario CQ5231UK, not bad value at £399 (VAT included) with Core 2 Duo E7500 (2.93 GHz), 3GB RAM, Windows 7 Home Premium 64-bit – yes, 64-bit Windows really is mainstream now – 500GB hard drive and NVIDIA G210 graphics.</p>
<p>For comparison, <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1960-have-windows-oem-vendors-learnt-anything-from-apple.html">Have Windows OEM vendors learnt anything from Apple?</a></p>


]]></description>
			<content:encoded><![CDATA[<p>I’ve just set up a new consumer Windows 7 PC – it was HP’s Compaq Presario CQ5231UK, not bad value at £399 (VAT included) with Core 2 Duo E7500 (2.93 GHz), 3GB RAM, Windows 7 Home Premium 64-bit – yes, 64-bit Windows really is mainstream now – 500GB hard drive and NVIDIA G210 graphics.</p>
<p>For comparison, the cheapest current Apple Mac is the Mini at £499 – it’s not directly comparable since its neat compact size is worth a premium, but it is slightly less well specified with slower processor, 2GB RAM and 160GB drive. As for an iMac, this comes with a screen but costs more than twice as much as the HP Compaq.</p>
<p>A good deal then; but have Microsoft’s efforts to make Windows 7 “quieter” and less intrusive been wrecked by OEM vendors who cannot resist bundling deals with 3rd parties, otherwise known as crapware?</p>
<p>I draw your attention to <a href="http://www.theregister.co.uk/2008/09/19/buxton_keynote/">my interview</a> with Microsoft’s Bill Buxton last year, when I raised this point. He said:</p>
<blockquote><p>Everybody in that food chain gets it now. Everybody’s motivated to fix it. Thinking about the holistic experience is much easier now than it was two years ago.</p>
</blockquote>
<p>I was interested therefore to see what sort of experience HP delivers with one of its new home PCs. Unfortunately I forgot to keep a list, but I removed a number of add-ons that the user agreed were unwanted, including:</p>
<ul>
<li>EasyBits Magic Desktop</li>
<li>Norton Internet Security &#8211; replaced with <a href="http://www.microsoft.com/Security_Essentials/">Microsoft Security Essentials</a></li>
<li>AOL toolbar</li>
</ul>
<p>I also removed a diagnostics tool called PC-Doctor and an HP utility that stuck itself prominently on the desktop, <a href="http://h10025.www1.hp.com/ewfrf/wc/document?lc=en&amp;dlc=en&amp;cc=us&amp;docname=c01863390">HP Advisor Dock</a>. It is possible that these tools might in some circumstances be useful, though I’m wary. I have no idea why HP has decided to supply its own Dock accessory after Microsoft’s efforts with the Windows 7 Taskbar.</p>
<p>We left in place an application called HP Games which is a branded version of <a href="http://www.wildgames.com/">WildTangent ORB</a> and includes some free games.</p>
<p>The short answer is that the Windows ecosystem has not changed. The deal is that your cheap PC is subsidised by the trialware that comes with it. Another issue is OEM utilities – like HP’s Advisor Dock – which jar with the careful design Microsoft put into Windows 7 and offer overlapping functionality with what is built in.</p>
<p>In mitigation, Windows 7 runs so well on current hardware that even this budget PC offers snappy performance. I also had no difficulty removing the unwanted add-ons. The speed of setup – number of restarts – was much better than I recall from the last Toshiba laptop I set up.</p>
<p>Nevertheless, on the basis of this example there is still work to do if the experience of starting with a Windows PC is to come close to that offered by the Mac. Further, bundling anti-malware software that requires a subscription is actually a security risk, since a proportion of users will not renew and therefore end up without updates. I would be interested in other reports.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1960-have-windows-oem-vendors-learnt-anything-from-apple.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Sophos Windows 7 anti-virus test tells us nothing we don&#8217;t already know</title>
		<link>http://www.itwriting.com/blog/1951-sophos-windows-7-anti-virus-test-tells-us-nothing-we-dont-already-know.html</link>
		<comments>http://www.itwriting.com/blog/1951-sophos-windows-7-anti-virus-test-tells-us-nothing-we-dont-already-know.html#comments</comments>
		<pubDate>Thu, 05 Nov 2009 18:06:33 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1951-sophos-windows-7-anti-virus-test-tells-us-nothing-we-dont-already-know.html</guid>
		<description><![CDATA[<p>Sophos is getting good publicity for its latest sales pitch virus test on Windows 7. This tells us:</p>
<p>We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft&#8217;s claims, Windows 7 disappointed just like earlier <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1951-sophos-windows-7-anti-virus-test-tells-us-nothing-we-dont-already-know.html">Sophos Windows 7 anti-virus test tells us nothing we don&#8217;t already know</a></p>


]]></description>
			<content:encoded><![CDATA[<p>Sophos is getting good publicity for its latest <strike>sales pitch</strike> <a href="http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable-8-10-viruses/">virus test on Windows 7</a>. This tells us:</p>
<blockquote><p>We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft&#8217;s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.</p>
</blockquote>
<p>Unfortunately Chester Wisniewski from Sophos is vague about his methodology, though he does say that Windows 7 was set up in its default state and without anti-virus installed. The UAC setting was on its new default, which is less secure (and less intrusive) than the default in Windows Vista.</p>
<p>My presumption is that he copied each virus to the machine and executed it – and was apparently disappointed (or more likely elated) to discover that 8 out of 10 examples infected the machine.</p>
<p>It might be more accurate to say that he infected the machine, when he copied the virus to it and executed it.</p>
<p>I am not sure what operating system would pass this test. What about a script, for example, that deleted all a user’s documents? UAC would not attempt to prevent that; users have the right to delete their own documents if they wish. Would that count as a failure?</p>
<p>Now, it may be that Wisniewski means that these executables successfully escalated their permissions. This means, for example, that they might have written to system locations which are meant to be protected unless the user passes the UAC prompt. That would count as some sort of failure – although Microsoft has never claimed that UAC will prevent it, particularly if the user is logged on with administrative rights. </p>
<p>If this were a serious study, we would be told what the results were if the user is logged on with standard user rights (Microsoft’s long-term goal), and what the results were if UAC is wound up to its highest level (which I recommend). </p>
<p>Even in that case, it would not surprise me if some of the malware succeeded in escalating its permissions and infecting system areas, though it would make a more interesting study. The better way to protect your machine is not to execute the malware in the first place. Unfortunately, social engineering means that even skilled users make mistakes; or sometimes a bug in the web browser enables a malicious web site to install malware (that would also be a more interesting study). Sometimes a user will even agree to elevate the malware’s rights – UAC cannot prevent that.</p>
<p>My point: the malware problem is too important to trivialise with this sort of headline-grabbing, meaningless test. </p>
<p>Nor do I believe the implicit message in Wisniewski’s post, that buying and installing Sophos will make a machine secure. Anti-virus software has by and large failed to protect us, though undoubtedly it will prevent <em>some</em> infections.</p>
<p>See also this <a href="http://www.itwriting.com/blog/1205-windows-security-and-the-uac-debate-microsoft-misses-the-point.html">earlier post</a> about UAC and Windows security, which has links to some Microsoft statements about it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1951-sophos-windows-7-anti-virus-test-tells-us-nothing-we-dont-already-know.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hands On with Microsoft Security Essentials &#8211; terrible name, but product looks good</title>
		<link>http://www.itwriting.com/blog/1822-hands-on-with-microsoft-security-essentials-terrible-name-but-product-looks-good.html</link>
		<comments>http://www.itwriting.com/blog/1822-hands-on-with-microsoft-security-essentials-terrible-name-but-product-looks-good.html#comments</comments>
		<pubDate>Tue, 29 Sep 2009 18:55:02 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1822-hands-on-with-microsoft-security-essentials-terrible-name-but-product-looks-good.html</guid>
		<description><![CDATA[<p>Microsoft has released its free Security Essentials software, antivirus and antispyware protection aimed at home users. It runs on XP 32-bit, or Vista or Windows 7 32-bit or 64-bit, the only technical restriction being that Windows must validate as “genuine”.&#160; Businesses are meant to use Forefront Client Security, though “home-based small businesses” are specifically permitted <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1822-hands-on-with-microsoft-security-essentials-terrible-name-but-product-looks-good.html">Hands On with Microsoft Security Essentials &#8211; terrible name, but product looks good</a></p>


]]></description>
			<content:encoded><![CDATA[<p>Microsoft has released its free <a href="http://www.microsoft.com/security_essentials/default.aspx" target="_blank">Security Essentials</a> software, antivirus and antispyware protection aimed at home users. It runs on XP 32-bit, or Vista or Windows 7 32-bit or 64-bit, the only technical restriction being that Windows must validate as “genuine”.&#160; Businesses are meant to use <a href="http://technet.microsoft.com/en-gb/bb738009.aspx" target="_blank">Forefront Client Security</a>, though “home-based small businesses” are specifically permitted in the license agreement. I installed it on my Windows 7 64-bit desktop PC.</p>
<p>Installation was smooth, guided by a simple wizard with a castle logo:</p>
<p><img src="http://www.itwriting.com/images/se-wizard.gif" /></p>
<p>The trickiest moment comes when the installer recommends that you “remove other antivirus and antispyware programs”:</p>
<p><img src="http://www.itwriting.com/images/se-remove.gif" /></p>
<p>I am glad that Microsoft is confronting this issue, since running multiple antivirus applications is terrible for performance. It does make the point that this free software will not be good for competitors at this end of the market. The other issue is that removing other security software will probably mean a reboot as well as passing one or more dialogs pleading with you to reconsider. Do this before running the installer.</p>
<p>Once done, Security Essentials – a terrible, unmemorable, tongue-twisting name – announces that your computer is at risk while it goes off and downloads updates:</p>
<p><img src="http://www.itwriting.com/images/se-update.gif" /></p>
<p>When the update completes, it does a quick scan, which took around 30 minutes on my machine. I let this complete – nothing was found – and then had a poke around the tabs and settings.</p>
<p>The user interface is nicely designed and there isn’t much to see. By default Security Essentials will scan your PC once a week on Sunday night. You can specify quick or full scans. The software also monitors all file activity looking for malware. I get the impression that Microsoft has tried to make Security Essentials as unobtrusive as possible, which is most welcome.</p>
<p>One thing that did annoy me is the settings for recommended actions:</p>
<p><img src="http://www.itwriting.com/images/se-settings.gif" /></p>
<p>In patronising style, Microsoft offers “Recommended action” as the default when malware is detected, but does not tell you what that action is. It is explained <a href="http://www.microsoft.com/security_essentials/HelpTopic.aspx?mkt=en-us&amp;assetId=fa578dc4-9da2-472c-a892-b6772ae74b56#mainNav">here</a> – for severe or high alerts, it attempts to remove the malware, while for medium or low alerts it quarantines it. However, it does seem to ask first, which is important in the case of false positives.</p>
<p>I couldn’t find any way of setting the frequency of updates, which surprised me.</p>
<p>I gave Security Essentials an easy test by downloading <a href="http://www.eicar.org/anti_virus_test_file.htm" target="_blank">eicar</a>, a harmless file for testing antivirus software. Security Essentials sprang into life:</p>
<p><img src="http://www.itwriting.com/images/se-virus.gif" /></p>
<p>I clicked Show details and got another red dialog offering to perform the recommended action, which was Remove. Another click, and it claimed to have done it, with the dialog turning a reassuring shade of green.</p>
<p>Is it any good? That’s a tough one. I don’t have high expectations of any security software based on scanning for known malware. Such software tends to fail when new viruses appear, as they do constantly. Another problem is that the bad guys can run the same security software as you, and design their malware to avoid its effects. In general, it is obvious that antivirus software has failed to prevent the spread of malware. I rate other things as more important, such as keeping systems up-to-date with patches and observing best practice concerning what you allow to execute. Unfortunately clever social engineering can often defeat good intentions.</p>
<p>Still, if you consider antivirus software a necessary evil, this one impresses by being nicely designed and mostly staying out of the way. If you are looking for the highest detection rates, you will have to wait for statistical analyses to be done. I am sure the commercial security companies will be quick to report on failures.</p>
<p>Personally I’m delighted that users can now get the Windows security center (Action Center in Windows 7) to stop bugging them without installing third-party software. Another advantage is that the software won’t stop updating when the user fails to subscribe or renew. Microsoft has plenty of incentive to get this one right, and to deliver something at least as good as the competition without slugging performance or annoying the user with advertisements and/or constant exhortations to upgrade. I think it is worth a try.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1822-hands-on-with-microsoft-security-essentials-terrible-name-but-product-looks-good.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>O2 router attack shows danger of staying logged in</title>
		<link>http://www.itwriting.com/blog/1770-o2-router-attack-shows-danger-of-staying-logged-in.html</link>
		<comments>http://www.itwriting.com/blog/1770-o2-router-attack-shows-danger-of-staying-logged-in.html#comments</comments>
		<pubDate>Wed, 09 Sep 2009 07:46:55 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[facebook]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[web authoring]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1770-o2-router-attack-shows-danger-of-staying-logged-in.html</guid>
		<description><![CDATA[<p>Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.</p>
<p>Here’s the reason. Let’s say you are logged into some site – could be Facebook, or Google, <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1770-o2-router-attack-shows-danger-of-staying-logged-in.html">O2 router attack shows danger of staying logged in</a></p>


]]></description>
			<content:encoded><![CDATA[<p>Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.</p>
<p>Here’s the reason. Let’s say you are logged into some site – could be Facebook, or Google, or the <a href="http://www.guardian.co.uk/technology/blog/2009/sep/08/o2-router-remote-hacking-broadband" target="_blank">admin screen on your router</a>, and you’ve left checked the option that says “keep me logged in”. Then you visit some other site. The vast majority of web pages today run JavaScript code in the background, and these scripts execute on your computer, not on the web server. What if one of those scripts sends a request to a site where you are logged in? The request comes from your computer, so it looks like you to the web site. If you are unlucky, the script will be able to perform any action you could perform, but without your awareness – such as changing your password, or reading confidential information.</p>
<p>For this hack to work, a couple of things need to have gone wrong:</p>
<p>1. You are running a malicious script. This implies that the site you are visiting has been hacked, or has a vulnerability such as forum software which allows users to post content that might trigger a script. Even a link to an image in a forum post might be sufficient.</p>
<p>2. The site where you are logged in doesn’t make any additional checks on the source of the script. Although it is running on your computer, the HTTP request generally includes referrer data, revealing the URL of the page from which the script came. By checking this value, the site can figure out that there is something wrong. Another idea is to have unpredictable URLs for sensitive data.</p>
<p>Still, you’ll notice that neither of these things is under your control, whereas generally the option to log out of a site is under your control. Even that might not always be true &#8211; a developer could code a site without an option to log out – but that is unusual.</p>
<p>The O2 attack <a href="http://www.guardian.co.uk/technology/blog/2009/sep/08/o2-router-remote-hacking-broadband" target="_blank">referenced above</a> exploits this flaw to get into your router admin, if you are running an O2-supplied broadband router. It is a huge vulnerability, since if the router is re-configured a wide range of further attacks are possible. One example is DNS poisoning, where familiar URLs might take you to malicious destinations. It could also disable firewall protection and redirect external requests to one of your home or small business PCs – very nasty.</p>
<p>Here’s a couple of things that will improve security:</p>
<p>1. Don’t use the broadband supplier’s equipment, if it is not entirely under your control. Use your own; turn off Universal Plug and Play (UPnP), change the admin password, don’t stay logged into the admin.</p>
<p>2. Don’t stay logged into any site which matters. Even sites which don’t appear to matter can be a security risk, if they expose passwords or security questions that you use elsewhere, for example. Personally I always log out of Facebook, Google and Twitter, for example, even though sites like these should be aware of the risks and be coded appropriately – they mostly are, but <a href="http://www.theregister.co.uk/2008/05/23/facebook_xss_flaw/" target="_blank">mistakes</a> <a href="http://status.twitter.com/post/95332007/update-on-stalkdaily-com-worm" target="_blank">happen</a>.</p>
<p>Unfortunately many sites encourage you to stay logged in, because it reduces the friction of using the site. Still, there are compromises which work. I notice with <a href="http://www.amazon.co.uk" target="_blank">Amazon</a> for example, that it uses cookies to give you personalized information even when not logged in, but displays password prompts with boring regularity for actions that spend money – though Amazon also advises you to <a href="http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=1093784" target="_blank">log out completely if using a public or shared computer</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1770-o2-router-attack-shows-danger-of-staying-logged-in.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Search for virus help highlights lack of authority in Google, Wikipedia</title>
		<link>http://www.itwriting.com/blog/1543-search-for-virus-help-highlights-lack-of-authority-in-google-wikipedia.html</link>
		<comments>http://www.itwriting.com/blog/1543-search-for-virus-help-highlights-lack-of-authority-in-google-wikipedia.html#comments</comments>
		<pubDate>Wed, 24 Jun 2009 08:28:53 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[google]]></category>
		<category><![CDATA[search]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1543-search-for-virus-help-highlights-lack-of-authority-in-google-wikipedia.html</guid>
		<description><![CDATA[<p>A contact suffered a trojan infection on his Windows XP machine the other day. He was alerted to the infection by Windows Defender, but the Remove or Quarantine actions offered by Defender did not work. If he removed the trojan, it reappeared on the next reboot. The installed AVG security suite sat there unconcerned. </p>
<p>I <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1543-search-for-virus-help-highlights-lack-of-authority-in-google-wikipedia.html">Search for virus help highlights lack of authority in Google, Wikipedia</a></p>


]]></description>
			<content:encoded><![CDATA[<p>A contact suffered a trojan infection on his Windows XP machine the other day. He was alerted to the infection by <a href="http://www.microsoft.com/windows/products/winfamily/defender">Windows Defender</a>, but the Remove or Quarantine actions offered by Defender did not work. If he removed the trojan, it reappeared on the next reboot. The installed AVG security suite sat there unconcerned. </p>
<p>I am not sure exactly what path he took, but he did some clicking of links and ended up at a site which offered software that promised to fix the issue. The software was called SpyHunter, from Enigma Software. He purchased and installed SpyHunter, which proved no more effective than Defender. At this point he asked me to look at his machine.</p>
<p>A person who has discovered a virus on their PC will be anxious about the attack and its unknown consequences, and will want to fix it urgently. That makes them vulnerable to ill-considered downloads and purchases; and searching the web for assistance with a virus can be like trying to cure alcoholism with drinking. That said, there is good advice to be had; but assessing the authority and reliability of the assistance offered is critical.</p>
<p>My advice in general is <strong>only</strong> to visit sites that you know to be trusted, such as official Microsoft support, major security software vendors, and only those community sites with which you are already familiar. It is difficult advice to follow though, particularly for non-technical users.</p>
<p>The best course of action after a confirmed infection is to flatten and rebuild the operating system. Larger organizations do this efficiently by restoring a pre-configured image to standardised hardware, but this too is difficult for individuals and SMEs who want to get on with their work.</p>
<p>I digress. My first question: was SpyHunter bona fide, or could it have made the problem worse? The only quick way to find out: back to the search engines, source of all good and all evil. The top entries for SpyHunter on both Google and Bing are the official company site and a Wikipedia entry. Bing has Wikipedia first, while Google puts the company site top.</p>
<p>Note the large role Google (or your favourite search engine) is playing here, both in leading users to possible solutions, and in assessing their value. Although the high placement of the company site is somewhat reassuring, in that Google would probably try not to give a high ranking to known malware, it would be a mistake to rely entirely on a detail like this. Google makes no guarantees concerning the content of the sites it indexes.</p>
<p>Naturally I was more interested in the <a href="http://en.wikipedia.org/wiki/SpyHunter">Wikipedia entry</a>. The entry is annotated with warnings that the article is near-orphaned (though the search engines find it readily enough) and that it reads like an advertisement. There is little detail and it is out-of-date. Further, the language seems strange:</p>
<blockquote><p>In early 2004, SpyHunter was blamed for producing false positives and using aggressive advertising techniques. This resulted in a lot of bad SpyHunter reviews published. Some of them were harsh, but fair, while others were simply ridiculous. We confirm that SpyHunter was promoted aggressively by some affiliates, but all of them were eventually banned by program makers in late 2004. Early SpyHunter versions had some obvious drawbacks. The product&#8217;s version 2.0 resolved all these issues.</p>
</blockquote>
<p>This is a quote from a supposedly independent review on a site called 2-software.com. I don’t like the site, which seems (as are so many) dominated by its affiliate links.</p>
<p>SpyHunter is probably harmless, though ineffective. I used the <a href="http://www.sophos.com/support/disinfection/trojan.html">Sophos command-line tool</a> to remove the trojan, and deleted some rogue registry entries; the machine <em>seems</em> OK now though that might just mean that the other trojans are doing a better job of hiding. I also removed SpyHunter of course.</p>
<p>The state of security on the Internet remains lamentable, and security software is a partial solution at best. What interests me here though is the combination of two things:</p>
<p>1. The inadequacy of Wikipedia as an authoritative source, particularly in its less trafficked topics.</p>
<p>2. The high ranking accorded to seemingly any Wikipedia article by the leading search engines.</p>
<p>It is a dangerous combination – not only for virus victims, but for kids doing homework, or anyone researching anything.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1543-search-for-virus-help-highlights-lack-of-authority-in-google-wikipedia.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Windows 7: why you should keep User Account Control at the highest level</title>
		<link>http://www.itwriting.com/blog/1407-windows-7-why-you-should-keep-user-account-control-at-the-highest-level.html</link>
		<comments>http://www.itwriting.com/blog/1407-windows-7-why-you-should-keep-user-account-control-at-the-highest-level.html#comments</comments>
		<pubDate>Tue, 05 May 2009 15:21:10 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1407-windows-7-why-you-should-keep-user-account-control-at-the-highest-level.html</guid>
		<description><![CDATA[<p>Windows 7 makes it easy to adjust the settings for User Account Control, the system protection feature introduced in Vista. You can access User Account Control Settings from Control Panel, whereupon you see a slider with four settings:</p>
<p>1. Always Notify</p>
<p>2. Notify me only when programs try to make changes to my computer – don’t notify <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1407-windows-7-why-you-should-keep-user-account-control-at-the-highest-level.html">Windows 7: why you should keep User Account Control at the highest level</a></p>


]]></description>
			<content:encoded><![CDATA[<p>Windows 7 makes it easy to adjust the settings for User Account Control, the system protection feature introduced in Vista. You can access User Account Control Settings from Control Panel, whereupon you see a slider with four settings:</p>
<p>1. Always Notify</p>
<p>2. Notify me only when programs try to make changes to my computer – don’t notify me when I make changes to Windows settings</p>
<p>3. Same as (2) but without the dimmed desktop</p>
<p>4. Never notify</p>
<p>The default is (2). This means Windows 7 is not too annoying, but 3rd party applications still have to prompt in order to do things like writing to a location in Program Files.</p>
<p>Sounds good? Not really. Leo Davidson has an <a href="http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" target="_blank">extensive write-up</a>; but all you need to know is actually in the online help for option 2:</p>
<blockquote><p>It is usually safe to allow changes to be made to Windows settings without you being notified. However, certain programs that come with Windows can have commands or data passed to them, and malicious software can take advantage of this by using these programs to install files or change settings on your computer.</p>
</blockquote>
<p>The problem lies in what Microsoft means by “make changes to Windows settings”. In reality, this is just a whitelist of applications which get elevated permissions automatically, and as online help hints, these are “certain programs that come with Windows.” Davidson observes that it is possible for malware to inject data into one of these processes and have it do whatever the malware wants without a prompt.</p>
<p>Microsoft’s point is that malware shouldn’t be running on your PC in the first place. Very true; but the simple slider control is less than honest about the implications of the default option.</p>
<p>The solution is to move the slider to the highest level. I am sure this should be the default. Microsoft: even at this stage it is <strong>not too late to change it</strong>. Let the user relax the security if they want; though this stuff about “Windows settings” should be replaced with something which better describes what the option means.</p>
<p>I am not all that worked up about this. UAC will still be achieving its main goal, which is to make 3rd party developers follow the rules more often &#8211; though it is still possible for developers to subvert this. And even when fully enabled, UAC is nothing like a complete security solution.</p>
<p>Still, bearing in mind that Microsoft is unlikely to change the default, I’d suggest that users move the slider to the highest setting. It is not painful at all, and at least gives you the same level of protection as Vista.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1407-windows-7-why-you-should-keep-user-account-control-at-the-highest-level.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Microsoft disabling USB AutoRun in Windows 7 RC</title>
		<link>http://www.itwriting.com/blog/1372-microsoft-disabling-usb-autorun-in-windows-7-rc.html</link>
		<comments>http://www.itwriting.com/blog/1372-microsoft-disabling-usb-autorun-in-windows-7-rc.html#comments</comments>
		<pubDate>Sat, 25 Apr 2009 09:03:08 +0000</pubDate>
		<dc:creator>tim</dc:creator>
				<category><![CDATA[microsoft]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://www.itwriting.com/blog/1372-microsoft-disabling-usb-autorun-in-windows-7-rc.html</guid>
		<description><![CDATA[<p>It’s so easy. Install your virus or worm on a USB memory stick, set it to run automatically via AutoRun. An obvious security risk, and I’m surprised that Microsoft hasn’t already disabled the feature by default in a security update or service pack for XP or Vista.</p>
<p>The company is finally paying attention:</p>
<p>AutoRun entries on non-optical <p><i>...continue reading</i> <a href="http://www.itwriting.com/blog/1372-microsoft-disabling-usb-autorun-in-windows-7-rc.html">Microsoft disabling USB AutoRun in Windows 7 RC</a></p>


]]></description>
			<content:encoded><![CDATA[<p>It’s so easy. Install your virus or worm on a USB memory stick, set it to run automatically via AutoRun. An obvious security risk, and I’m surprised that Microsoft hasn’t already disabled the feature by default in a security update or service pack for XP or Vista.</p>
<p>The company is finally paying attention:</p>
<blockquote><p>AutoRun entries on non-optical removable storage devices have been disabled to ensure that you are able to make a considered decision before running software from removable media such as USB drives. Worms sometimes attempt to use AutoRun as a vehicle to install malicious software onto your computer. CDs and DVDs, which are not subject to worm injection after manufacturing, will continue to expose the AutoRun choice to enable you to launch the specified software.</p>
</blockquote>
<p>says the press release for Windows 7 RC. Personally I think it should apply the same logic at least to writable CDs and DVDs. I’ve disabled AutoRun on my PCs and don’t miss it. I agree though that USB sticks are the biggest risk today – though a little bit of social engineering will probably persuade many users to run a setup file on a USB stick anyway.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itwriting.com/blog/1372-microsoft-disabling-usb-autorun-in-windows-7-rc.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
