Category Archives: security

F-Secure Sense: a success and a failure (and why you should not rely on your anti-virus software)

I am in the process of reviewing F-Secure sense, a hardware firewall which works by inspecting internet traffic, rather than scanning files on your PC or mobile device. This way, it can protect all devices, not only the ones on which an anti-malware application is installed.

I get tons of spam and malware by email, so I plucked out a couple to test. The first was an email claiming to be an NPower invoice. I don’t have an account with NPower, so I was confident that it was malware. Even if I did have an account with NPower, I’d be sure it was malware since it arrived as a link to a website on my.sharepoint.com, where someone’s personal site has presumably been hacked.

I clicked the link hoping that Sense would intercept it. It did not. Here is what I saw in Safari on my iPad:

image

(Wi-Drive is a storage app that I have installed and forgotten about). I clicked More and saved the suspect file to Apple’s iCloud Drive.

Then I went to a Windows PC, and clicking very carefully, downloaded the file from iCloud Drive. The PC is also connected to the Sense network.

Finally, I uploaded the file for analysis by VirusTotal:

image

Well, it is certainly a virus, but only 4 of 58 scanning engines used by VirusTotal detect it. You will not be surprised to know that F-Secure was one of the engines which passed it as clean.

image

Note that I did not try to extract or otherwise open the files in the ZIP so there is a possibility that it might have been picked up then. Still, disappointing, and an illustration of why you should NOT rely on your antivirus software to catch all malware.

Now the good news. I had another email which looked like a phishing attempt. I clicked the link on the iPad. It came up immediately with “Harmful web site blocked.”

image

While that is a good thing, 50% of two attempts is not good – it only takes one successful infection to cause a world of pain.

My view so far is that while Sense is a useful addition to your security defence, it is not to be trusted on its own.

In this I am odds with F-Secure which says in its FAQ that “With F-Secure SENSE no traditional security software is needed,” though the advice adds that you should also install the SENSE security app.

image

F-Secure Sense Firewall first look: a matter of trust

Last week I journeyed to Helsinki, Finland, to learn about F-Secure’s new home security device (the first hardware product from a company best known for anti-virus software), called Sense.

I also interviewed F-Secure’s Chief Research Officer Mikko Hypponen and wrote it up for The Register here. Hypponen explained that a firewall is the only way to protect the “connected home”, smart devices such as alarms, cameras, switches, washing machines or anything that connects to the internet. In fact, he believes that every appliance we buy will be online in a few years time, because it costs little to add this feature and gives vendors great value in terms of analytics.

Sense is a well made, good looking firewall and wireless router. The idea is that you connect it to your existing router (usually supplied by your broadband provider), and then ensure that all other computers and devices on your networks connect to Sense, using either a wired or wireless connection. Sense has 3 LAN Ethernet ports as well as wireless capability.

This is not a full review, but a report on my first look.

image

Currently you can only set up Sense using a device running iOS or Android. You install the Sense app, then follow several steps to create the Sense network. You can rename the Sense wifi identifier and change the password. The device you use to setup Sense becomes the sole admin device, so choose carefully. If you lose it, you have to reset the Sense and start again.

My initial effort used the Android app. I ran into a problem though. The Sense setup said it required permission to use location:

image

I am not sure why this is necessary but I was happy to agree. I clicked continue and verified that Location was on:

image

Then I returned to the Sense app but it still did not think Location was available and I could not continue.

Next I tried the iOS Sense app on an iPad. This worked better, though I did hit a glitch where the setup did not think I had connected to the wifi point even though I had. Quitting and restarting the app fixed this. I am sure these glitches in the app will be fixed soon.

I was impressed by the 16 character password generated by default. Yes I have changed it!

image

I was up and running, and started connecting devices to the Sense network. Each device you connect shows up as a protected device in the Sense app.

There are very limited settings available (and no, you cannot use a web browser instead, only the app). You can set a few network things: IP address, DHCP range. You can configure port forwarding. You can set the brightness of the display, which normally just shows the time of day. You can view an event log which shows things like devices added and threats detected; it is not a firewall log. You can block a device from the internet. You can send feedback to the Sense team. And that is about it, apart from the following protection settings:

image

The above is the default setting. What exactly do Tracking protection and Identify device type do? I cannot find this documented anywhere, but I recall in our briefing there was discussion of blocking tracking by advertisers and identifying IoT devices in order to build up a knowledgebase of any security flaws in order to apply protection automatically. But I may be wrong and do not have any detail on this. I enabled all the options on my Sense.

As it happens, I have a device which I know to be insecure, a China-made IP camera which I wrote about here. I plugged it into the Sense and waited to see what would happen.

Nothing happened. Sense said everything was fine.

image

Is everything OK? I confess that I did not attach Sense directly to my router. I attached it to my network which is behind another firewall. I used this second firewall to inspect the traffic to and from the Sense. I also disconnected all the devices other than the IP Camera.

I noticed a couple of things. One is that the Sense makes frequent connections to computers running on AWS (Amazon Web Services). No doubt this is where the F-Secure Security Cloud is hosted. The Security Cloud is the intelligence piece in the Sense setup. Not all traffic is sent to the Security Cloud for checking, but some is sent there. In fact, I was surprised at the frequency of calls to AWS, and hope that F-Secure has got its scaling right since clearly this could impact performance.

The other thing I noticed is that, as expected, the IP Camera was making outbound calls to a couple of servers, one in China and one in Singapore, according to the whois tools I used. Both seem to be related to Alibaba in China. Alibaba is not only a large retailer and wholesaler, but also operates a cloud hosting service, so this does not tell me much about who is using these servers. However my guess is that this is some kind of registration on a peer to peer network used for access to these cameras over the internet. I don’t like this, but there is no way I can see in the camera settings to disable it.

Should Sense have picked this up as a threat? Well, I would have liked it if it had, but appreciate that merely making outbound calls to servers in China is not necessarily a threat. Perhaps if someone tried to hack into my camera the intrusion attempt would be picked up as a threat; it is not easy to test.

On the plus side, Sense makes it very easy to block the camera from internet access, but to do that I have to be aware that it might be a threat, as well as finding other ways to access it remotely if that is something I require.

Sense did work perfectly when I tried to access a dummy threat site from a web browser.

image

If you disagree with Sense, there is no way to proceed to the dangerous site, other than disabling browser protection completely. Perhaps a good thing, perhaps not.

It all comes down to trust. If you trust F-Secure’s Security Cloud and technology to detect and prevent any dangerous traffic, Sense is a great device and well worth the cost – currently £169.00 and then a subscription of £8.50 per month after the first year. If you think it may make mistakes and cause you hassle, or fail to detect attacks or malware downloads, then it is not a good deal. At this point it is hard for me to tell how good a job the device is doing. Unfortunately I am not set up to click on lots of dangerous sites for a more extensive test.

I do think the product will improve substantially in the first few months, as it builds up data on security risks in common devices and on the web.

Unfortunately more technical users will find the limited options frustrating, though I understand that F-Secure wants to limit access to the device for security reasons as well as making it simpler to use. The documentation needs improving and no doubt that will come soon.

More information on Sense is here.


Passwords: time is being called

Prompted by a piece on Charles Arthur’s Overspill blog I took at look at LeakedSource which has a database of leaked usernames and passwords.

There are two main ways for passwords to leak. One is that a web site had its user database hacked and stolen. The other is that malware on a user’s machine steals all the passwords stored in your their web browser and sends them off to hackers.

This last has become a huge problem. Passwords and logins are an inconvenience, and many of us love being able to have the browser store them, giving near-automatic login for favourite sites. Thanks to the magic of cloud, we can also have them sync across all our devices automatically. Nice.

Unfortunately, if you ever had a nagging sense that this is not security best practice, you were right.

I have been on the internet since the late eighties and have hundreds of logins. Many were created under protest – you have to log in to read our article, or get support, or download our trial. The nature of my work is that I often need to research things quickly, and new logins come with the territory. I found several results when searching for my email on LeakedSource. Some I knew about: LinkedIn, Adobe, MySpace, Tumblr (this last only recently revealed); others I had not thought about. I signed up for Xsplit, for example, though I have not used it for years, and did not realise that the passwords had been stolen.

image

In my case, all the accounts are ones that either I do not care about, or for which the passwords were changed, or both. That is not the end of it though. There is potential embarrassment if someone logs into, say, a forum posing as you and starts posting spam or abuse. Further, if you use the same password elsewhere a determined hacker can attempt other logins, that have not been hacked, and try their luck. There may also be information stored with the logins, such as date of birth, address, secret questions and so on, which could help in password recovery attempts or identity theft. If someone manages to crack into your email account, the vulnerability is much greater since many passwords can be reset simply via emailed password recovery links.

Well, we have known for years that passwords alone are a poor way to protect security. The situation has escalated though, with huge databases of email addresses, usernames and passwords widely available.

What does that mean? A few observations.

  • The only sane way for anyone moderately active on the internet to manage their passwords is with a password manager. You should create an unique password for every login and store them in an encrypted password manager. It’s not perfect; someone may manage to hack your password manager. But it is the best you can do for most sites.
  • Using a Facebook, Google or Twitter login for small sites that support it is probably better than creating new credentials, if those new credentials do not follow best practice. On the other hand, this means the consequences of losing the master login being hacked are greater; and the site may cajole you into posting links on Facebook, Google or Twitter to promote itself. I do not like the idea of building dependence on one of these advertising giants into my daily internet usage; but there it is.
  • Follow a de minimis approach in completing information when registering for sites. In my case, nothing that is not a required field normally gets completed.
  • Do not rely on your fancy system for creating unique passwords for each login, like three letters from the site name plus your first telephone number or whatever. If you can work it out, a hacker can as well.
  • Be aware of the risks of saving passwords in the web browser. Personally I rarely do so. In particular, it’s probably a bad idea for sites where you can spend money, Amazon, eBay, PayPal and the like.
  • Secret questions are not there to help your security. They are there to undermine your security and to reduce the chance of you calling support. They are in effect supplementary passwords. I suggest making up new secret questions for each site that insists on them, and storing them in your password manager. Example: best gibber: flogalot. Putting stuff like mother’s maiden name, first school and so on is identity theft heaven.

How do we fix this? Nobody seems to know. Some things are improving. 2-factor authentication is more widely available and you can use it on many of the main sites now. Unencrypted logins (ie HTTP rather than HTTPS) are now a rarity though I still see them.

Still, if the problem gets worse, there is more incentive for it to get better.

Ransomware like CryptoLocker is a game changer in the malware wars – and not in a good way

The rapid spread of CryptoLocker, an example of a malware category known as ransomware, is upping the stakes in the cyber security wars. I think it is a game changer.

Ransomware is malware that steals your data by encrypting it, and then demands a ransom to decrypt it. The latest breed of ransomware uses strong encryption, and the key to decrypt it is only held by the criminals. I have not heard of any successful decryption without paying the ransom.

Why a game changer? The first reason is that the consequences of infection are more severe than was the case with most previous attacks. Previously, your infected machine might send out spam and cause you problems by getting your genuine email blacklisted as well. Or you might have passwords to online accounts stolen, leading to fraudulent transactions where in most cases you can recover the cost from your bank. Or your machine might have to be be wiped and applications reinstalled, which can be expensive if you need professional help as well as inconvenient when you have many applications to reinstall.

Malware like CryptoLocker is different. If the infection succeeds in encrypting data for which you do not have a usable backup, it gives you a difficult decision. Pay up, thus financing the criminals and perhaps making yourself a more attractive future target, or do not pay, and suffer the loss of whatever value that data has to you or your business.

That value may well exceed the ransom amount, which suggests that the rational thing to do in these circumstances is to pay up. That is risky though, not only because of the long-term consequences but also because there is no guarantee that it will work, or that the cost will not escalate. You are dealing with criminals after all.

Some people are paying. For example:

We paid as our client did not have new enough backups of the files. It encrypted 90,000 files in 5 hours, silently and then announced itself.

For reference, we researched this for 15 hours straight before paying and it really was the last resort.

Since this type of attack is highly profitable, it seems likely that we will see increasing frequency and variety of attacks, until the industry figures out the best way to counter the threat.

The best defence, of course, is not to get infected. The second best defence is to have a reliable disconnected backup. In general, data on servers or in the cloud is more likely to be protected, because it is more likely to be backed up or have a file history so you can revert to an earlier version; but bear in mind that malware executes with the same rights as the user, so in principle if you have the rights to modify data then the malware does as well.

Synchronisation services, now popular with applications like Dropbox and SkyDrive, can work against you if your encrypted documents are dutifully encrypted across all your devices.

Here are my immediate questions:

  • What is the most effective way to prevent infection? We are confronted with the failure of anti-virus products to protect effectively against new and rapidly mutating threats.
  • How much safer is a Mac? How much safer is Linux?
  • How much safer is Windows RT (a lot)
  • How much safer is an iOS or Android tablet?
  • What action, if any, should system administrators take now to protect their users?
  • What will Microsoft do to protect its users?

It would not surprise me if this kind of threat drives the industry more towards locked-own operating systems, whether Windows RT, iOS or Android, to the extent that a full operating system like OS X or Windows x86 is only used by those who specifically require it.

For more information about CryptoLocker see for example:

Sophos: Destructive malware CryptoLocker on the loose

Adobe’s security calamity: 2.9 million customer account details accessed

Adobe has reported a major security breach. According to the FAQ:

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.

A few observations.

  • If the criminals downloaded 2.9 million customer details with name, address and credit card details the risk of fraud is substantial. Encryption is good of course, but if you have a large body of encrypted information which you can attack at your leisure then it may well be cracked. Adobe has not told us how strong the encryption is.
  • The FAQ is full of non-answers. Like, question: how did this happen? answer, Our investigation is still ongoing.
  • Apparently if Adobe thinks your credit card details were stolen you will get a letter. That seems odd to me, unless Adobe is also contacting affected customers by email or telephone. Letters are slow and not all that reliable since people move regularly (though I suppose if the address on file is wrong then the credit card information may well be of little use.)
  • Adobe says source code was stolen too. This intrigues me. What is the value of the source code? It might help a criminal crack the protection scheme, or find new ways to attack users with malicious PDF documents. A few people in the world might even be interested to see how certain features of say Photoshop are implemented in order to assist with coding a rival product, but finding that sort of buyer might be challenging.
  • Is the vulnerability which enabled the breach now fixed? Another question not answered in the FAQ. Making major changes quickly to such a large system would be difficult, but it all depends what enabled the breach which we do not know.
  • I’d like to see an option not to store credit card details, but to enter them afresh for each transaction. Hassle of course, and not so good for inertia marketing, but more secure.

Does anti-virus work? Does Android need it? Reflections on AVG’s security suite

I’m just back from AVG’s press event in New York, where new CEO Gary Kovacs (ex Mozilla) presented the latest product suite from the company.

image

Security is a huge topic but I confess to being something of a sceptic when it comes to PC security products. Problems include performance impact, unnecessary tinkering with the operating system (replacing the perfectly good Windows Firewall, for example), feature creep into non-security areas (AVG now does a performance tune-up product), and the fact that security software is imperfect. Put bluntly, it doesn’t always work; and ironically there was an example at a small business I work with while I was out there.

This business has AVG on its server and Microsoft Security Essentials on the clients, and somehow one of the clients got infected with a variant of a worm known as My little pronny which infects network shares. It may not be the exact one described in the link as these things mutate. Not too difficult to fix in this instance but a nuisance, and not picked up by the security software.

IT pros know that security software is imperfect, but uses do not; the security vendors are happy to give the impression that their products offer complete protection.

Still, there is no doubt that anti-malware software prevents some infections and helps with fixing others, so I do not mean to suggest that it is no use.

AVG is also a likeable company, not least because it offers free versions of its products that are more than just trialware. The freemium model has worked for AVG, with users impressed by the free stuff and upgrading to a paid-for version, or ordering the commercial version for work after a good experience with the free one.

Another key topic though is how security companies like AVG will survive the declining PC market. Diversification into mobile is part of their answer; but as I put it to several executives this week, Windows is particularly vulnerable thanks to its history and design, whereas operating systems like Android, iOS and Windows RT are designed for the internet and locked down so that software is only installed from curated app stores. Do we still need security software on such devices?

My further observation is that I know lots of people who have experienced Windows malware, but none so far who have complained about a virus on their Android or iOS device.

What then did I learn? Here is a quick summary.

AVG is taking a broad view of security, and Kovacs talked to me more about privacy issues than about malware. Mozilla is a non-profit that fights for the open web, and the continuity for Kovacs now with AVG is that he is working to achieve greater transparency and control for users over how their data is collected and shared.

The most striking product we saw is a free browser add-in called PrivacyFix. This has an array of features, including analysis of social media settings, analysis and blocking of ad trackers, and reports on issues with sites you visit ranging from privacy policy analysis to relevant information such as whether the site has suffered a data breach. It even attempts to rate your value to the site with the current settings; information which is not directly useful to you but which does reinforce the point that vendors and advertisers collect our data for a reason.

image

I can imagine PrivacyFix being unpopular in the ad tracking industry, and upsetting sites like Facebook and Google which gather large amounts of personal data. Facebook gets 4 out of 6 for privacy, and the tool reports issues such as the June 2013 Facebook data breach when you visit the site and activate the tool. Its data is limited though. When I tried it on my own site, it reported “This site has not yet been rated”.

AVG’s other announcements include a secure file shredder and an encrypted virtual drive called Data Safe which looks similar to the open source TrueCrypt but a little more user-friendly, as you would expect from a commercial utility.

AVG PC TuneUp includes features to clean the Windows registry, full uninstall, duplicate file finder, and “Flight mode” to extend battery life by switching off unneeded services as well as wireless networking. While I am in favour of making Windows leaner and more efficient, I am wary of a tool that interferes so much with the operating system. However AVG make bold claims for the efficacy of Flight Mode in extending battery life and perhaps I am unduly hesitant.

On the small business side, I was impressed with CloudCare, which provides remote management tools for AVG resellers to support their customers, apparently at no extra cost.

All of the above is Windows-centric, a market which AVG says is still strong for them. The company points out that even if users are keeping PCs longer, preferring to buy new tablets and smartphones than to upgrade their laptop, those older PCs sill need tools such as AVG’s suite.

Nevertheless, AVG seems to be hedging its bets with a strong focus on mobile, especially Android. We were assured that Android is just as vulnerable to Windows when it comes to malware, and that even Apple’s iOS needs its security supplementing. Even if you do not accept that the malware risk is as great as AVG makes out, if you extend what you mean by security to include privacy then there is no doubting the significance of the issue on mobile.

Hands on with Microsoft’s Azure Cloud Rights Management: not ready yet

If you could describe the perfect document security system, it might go something like this. “I’d like to share this document with X, Y, and Z, but I’d like control over whether they can modify it, I’d like to forbid them to share it with anyone else, and I’d like to be able to destroy their copy at a time I specify”.

This is pretty much what Microsoft’s new Azure Rights Management system promises, kind-of:

ITPros have the flexibility in their choice of storage locale for their data and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premise, placed in an business cloud data store such as SharePoint, or it can placed pretty much anywhere and remain safe (e.g. thumb drive, personal consumer-grade cloud drives).

says the blog post.

There is a crucial distinction to be made though. Does Rights Management truly enforce document security, so that it cannot be bypassed without deep hacking; or is it more of an aide-memoire, helping users to do the right thing but not really enforcing it?

I tried the preview of Azure Rights Management, available here. Currently it seems more the latter, rather than any sort of deep protection, but see what you think. It is in preview, and a number of features are missing, so expect improvements.

I signed up and installed the software into my Windows 8 PC.

image

The way this works is that “enlightened” applications (currently Microsoft Office and Foxit PDF, though even they are not fully enlightened as far as I can tell) get enhancements to their user interface so you can protect documents. You can also protect *any* document by right-click in Explorer:

image

I typed a document in Word and hit Share Protected in the ribbon. Unfortunately I immediately got an error, that the network location cannot be reached:

image

I contacted the team about this, who asked for the log file and then gave me a quick response. The reason for the error was that Rights Management was looking for a server on my network that I sent to the skip long ago.

Many years ago I must have tried Microsoft IRM (Information Rights Management) though I barely remember. The new software was finding the old information in my Active Directory, and not trying to contact Azure at all.

This is unlikely to be a common problem, but illustrates that Microsoft is extending its existing rights management system, not creating a new one.

With that fixed, I was able to protect and share a document. This is the dialog:

image

It is not a Word dialog, but rather part of the Rights Management application that you install. You get the same dialog if you right-click any file in Explorer and choose Share Protected.

I entered a Gmail email address and sent the protected document, which was now wrapped in a file with a .pfile (Protected File) extension.

Next, I got my Gmail on another machine.

First, I tried to open the file on Android. Unfortunately only x86 Windows is supported at the moment:

image

There is an SDK for Android, but that is all.

I tried again on a Windows machine. Here is the email:

image

There is also note in the email:

[Note: This Preview build has some limitations at this time. For example, sharing protected files with users external to your organization will result in access control without additional usage restrictions. Learn More about the Preview]

I was about to discover some more of these limitations. I attempted to sign up using the Gmail address. Registration involves solving a vile CAPTCHA

image

but got this message:

image

In other words, you cannot yet use the service with Gmail addresses. I tried it with a Hotmail address; but Microsoft is being even-handed; that did not work either.

Next, I tried another email address at a different, private email domain (yes, I have lots of email addresses). No go:

image

The message said that the address I used was from an organisation that has Office 365 (this is correct). It then remarked, bewilderingly:

If you have an account you can view protected files. If you don’t have an Office 365 account yet, we’ll soon add support…

This email address does have an Office 365 account. I am not sure what the message means; whether it means the Office 365 account needs to sign up for rights management at £2 per user per month, or what, but it was clearly not suitable for my test.

I tried yet another email address that is not in any way linked to Office 365 and I was up and running. Of course I had to resend the protected file, otherwise this message appears:

image

Incidentally, I think the UI for this dialog is wrong. It is not an error, it is working as designed, so it should not be titled “error”. I see little mistakes like this frequently and they do contribute to user frustration.

Finally, I received a document to an enabled email address and was able to open it:

image

For some reason, the packaging results in a document called “Azure IRM docx.docx” which is odd, but never mind.

My question though: to what extent is this document protected? I took the screen grab using the Snipping Tool and pasted it into my blog for all to read, for example. The clipboard also works:

image

That said, the plan is for tighter protection to be offered in due course, at lease in “enlightened” applications. The problem with the preview is that if you share to someone in a different email domain, you are forced to give full access. Note the warning in the dialog:

image

Inherently though, the client application has to have decrypted access to the file in order to open it. All the rights management service does, really, is to decrypt the file for users logged into the Azure system and identified by their email address. What happens after that is a matter of implementation.

The consequences of documents getting into the wrong hands are a hot topic today, after Wikileaks et al. Is Microsoft’s IRM a solution?

Making this Azure-based and open to any recipient (once the limitation on “public” email addresses is lifted”) makes sense to me. However I note the following:

  • As currently implemented, this provides limited security. It does encrypt the document, so an intercepted email cannot easily be read, but once opened by the recipient, anything could happen.
  • The usability of the preview is horrid. Do you really want your trusted recipient to struggle with a CAPTCHA?
  • Support beyond Windows is essential, and I am surprised that this even went into preview without it.

I should add that I am sceptical whether this can ever work. Would it not be easier, and just as effective (or ineffective), simply to have data on a web site with secure log-in? The idea of securely emailing documents to external recipients is great, but it seems to add immense complexity for little added value. I may be missing something here and would welcome comments.

 

 

 

 

 

 

 

 

 

 

had to sign in twice since I didn’t check “Remember password!"

image

If you try recursion, it will package the already packaged file.

Ubuntu forum hack sets same-password users at risk

Canonical has announced a comprehensive security breach of its forums.

  • Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.
  • The passwords are not stored in plain text, they are stored as salted hashes. However, if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.
  • Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach.

If someone impersonates you on the Ubuntu forums it might be embarrassing but probably not a calamity. The real risk is escalation. In other words, presuming the attacker is able to work out the passwords (they have all the time in the world to run password cracking algorithms and dictionary attacks against the stolen data), it could be used to compromise more valuable accounts that use the same password.

Password recovery mechanisms can work against you. Businesses hate dealing with password reset requests so they automate them as much as they can. This is why Ubuntu’s warning about email accounts is critical: many web sites will simply email your password on request, so if your email is compromised many other accounts may be compromised too.

A better approach in a world of a million passwords is to use a random password generator alongside a password management database for your PC and smartphone. It is still a bit “all eggs in one basket” in that if someone cracks the password for your management database, and gets access, then they have everything.

It is a dreadful mess. Two-factor authentication, which involves a secondary mechanism such as a security token, card reader, or an SMS confirmation code, is more secure; but best reserved for a few critical accounts otherwise it becomes impractical. Two-factor authentication plus single sign-on is an even better approach.

Another reason to use tablets: desktop anti-virus does not work

The New York Times has described in detail how it was hacked by a group looking for data on Chinese dissidents and Tibetan activists. The attack was investigated by security company Mandiant.

Note the following:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

Apparently the initial attack method was simple: emails with malicious links or attachments.

Symantec made an unconvincing defence of its products in a statement quoted by The Register:

Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.

Could the New York Times hack have been prevented by switching on more Symantec features? Count me as sceptical; in fact, it would not surprise me if these additional features were on anyway.

Anti-malware solutions based on detecting suspicious behaviour do not work. The task is too difficult, balancing inconvenience, performance, and limited knowledge of what really is or is not suspicious. Further, dialogs presented to non-technical users are mystifying and whether or not the right response is made is a matter of chance.

This does not mean that secure computing, or at least more secure computing, is impossible. A Windows desktop can be locked-down using whitelisting technology and limited user permissions, at the expense of inconvenience if you need to run something not on the whitelist. In addition, users can avoid most attacks without the need of any anti-virus software, by careful avoidance of malicious links and attachments, and untrustworthy websites.

Aside: it is utterly stupid that Windows 8 ships with a new mail client which does not allow you to delete emails without previewing them or to see the real destination of an URL in the body of an email.

This kind of locked-down client is available in another guise though. Tablets such as those running iOS, Android or Windows RT (mail client aside) are designed to be resistant to attack, since apps are sandboxed and normally can only be installed via a trusted app store. Although users can bypass this restriction, for example by enabling developer permissions, this is not such a problem in a corporate deployment. The users most at risk are probably those least likely to make the effort to bypass corporate policies.

Note that in this context a Windows 8 Professional tablet such as Surface Pro is just another desktop and no more secure.

Another approach is to stop believing that the endpoint – the user’s device – can ever be secured. Lock down the server side instead, and take steps to protect just that little piece of functionality the client needs to access the critical data and server applications.

The key message though is this. Anti-virus software is ineffective. It is not completely useless, but can be counter-productive if users believe that because they have security software installed, they are safe from malware. This has never been true, and despite the maturity of the security software industry, remains untrue.

New types of client devices hold more promise as a route to safer personal computing.

Windows 8 defeats booking.com virus

Someone trying out Windows 8 release preview brought her machine to me to look at. She was having trouble with an email attachment. The email was in fact carrying a virus, one that purported to be from booking.com though it had nothing to do with that company. The supposed booking is in an attached zip file which the victim is invited to open. My contact had opened the zip and attempted to run the contents, a windows executable. She could not remember exactly what happened but said that a dialog had appeared and she clicked OK.

Clicking OK is normally the wrong thing to do with a virus but not in this case. I had a look at the virus and uploaded it to Comodo’s online virus analyser.

image

This detected API calls that copy a file to the All Users folder and sets it to autorun. Comodo pronounced the executable “Suspicious+”.

But did it run? I tried it on an isolated virtual instance of Windows 8 Release Preview. Running the executable throws up this dialog:

image

If you click OK nothing happens. If you click More Info, it says that SmartScreen does not recognise the file and offers a Run Anyway option. However the user in this case did not click More info, but instinctively clicked OK, therefore not running the virus.

As a final experiment, I tried running the virus on the isolated machine. It deleted itself but did not seem to succeed in infecting the machine. It is hard to be sure though, so the virtual machine has now been deleted.

Observations:

Windows 8 did not detect the file as a virus. SmartScreen merely did not recognise the file. It would do the same for any unrecognised file, and I have seen this dialog appear for files that I do want to run.

Even when I ran the file, Windows Defender did not (as far as I can tell) detect the virus. The test machine was offline (for isolation) but fully up to date.

What interests me most is how SmartScreen interacts with the social engineering behind the malware. The user actually wanted to run the file, being convinced that it was genuine, but clicking OK simply did nothing. This behaviour is annoying if the application is not in fact malware, but clearly it can on occasion save the day.