12/31/2008

Guide to Speeding up your PC's Startup

As with every year for the past several years, lots of people and families got new computers in their homes this Christmas / holiday season.

Often, especially when there are kids in the family, the computers quickly go from being the fastest on the block to feeling like they're already obsolete as the kids have run around the Internet installing everything they could get their hands on--and a lot of things they didn't even intend to get their hands on.

One of the most common complaints is that, "it just takes too long to start."

This is often blamed on antivirus software--especially when you aren't running the best antivirus software.

Regardless of whether or not the antivirus software is even partly to blame, the real culprit is probably oodles of things set to autorun on Windows startup.

We found a great guide to Speeding up your Windows PC's Startup that's well worth a read. About the only thing not mentioned in the article is defragmenting your hard drive.

Now that a decent disk defragmenter is built into Windows, there's really no excuse for not defragging your PC. We'll cover disk defragmenting ourselves in a future post.

12/29/2008

Worms in Samsung Digital Picture Frames??

Contrary to some reports that some Samsung 8-inch digital photo frames had worms, the frames themselves don't have worms but the installer discs do. (How's that for an unwanted Christmas present?)

As far as consumers are concerned, there's no difference.

A virus is a virus, and this is an unfortunate black eye for Samsung with their vast electronics / computer empire.

Trend Micro discusses this digital picture frame virus at their blog, and what we've learned now is that Samsung's SPF-85H 8-Inch digital photo frame disc was infected with the W32.Sality.AE / Sality worm straight from the factory.

The bad news isn't just that the disc is infected with the worm, but that it's infected with a particularly nasty variant that includes a keylogger, according to the folks at Sophos antivirus.

From what we've learned so far, while this is definitely a nasty virus, it looks like one that all the best antivirus software already detects, so just make sure your definitions are up-to-date and your software is running; that should keep your computer safe.

Samsung has posted a clean version here: Samsung SPF-85H drivers.

If you purchased this frame (or got it as a gift), you can find more details here: Amazon Samsung picture frame advisory.

12/22/2008

Free Antivirus Software Security Problems

ComputerWorld.com brings notice today of problems with Trend Micro's free online antivirus scanner. Turns out there's a nasty little bug in the service that crackers can use to take over Microsoft Windows PCs via Internet Explorer.

The service, called HouseCall, is delivered via ActiveX, and the attack exploits a particular vulnerability in the ActiveX control HouseCall uses.

'"The vulnerability is caused due to a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll)," said Secunia's warning.

"This can be exploited to dereference previously freed memory by tricking the user into opening a Web page containing a specially crafted 'notifyOnLoadNative()' callback function."'

Trend Micro, in typically speedy fashion, has fixed the flaw, but we were very disappointed to read this in the Trend Micro HouseCall ActiveX Control advisory:

'"This hot fix was developed as a workaround or solution to a customer-reported problem. As such, this hot fix has received limited testing and has not been certified as an official product update," Trend Micro said in its own advisory, published last Thursday.

"Consequently, this hot fix is provided 'as is'. Trend Micro makes no warranty or promise about the operation or performance of this hot fix nor does it warrant that this hot fix is error free."'

For a company like Trend Micro, which makes Trend Micro AntiVirus and knows full well the issues with computer security, this is disappointing. They can do better.

We know they can. They know they can.

12/19/2008

More web browser security issues. Opera this time...

Just when you thought it was safe to go back in the water after the last round of security alerts and news on Internet Explorer trojan vulnerabilities, Opera announced they have some bugs of their own to take care of, too, in versions prior to 9.63 of the web browser.

To date Opera has had one of the finest track records of computer security for any web browser. It also has a great reputation for reliable rendering and for overall speed and stability, but as with all software at any price, there are bugs.

In this particular case, there are several Opera security vulnerabilities. They range in severity from "Highly severe" to "Extremely severe" and cover the following issues:

  • Text input manipulation (ID 920), Extremely Severe: Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII.
  • HTML parsing (ID 921), Extremely Severe: HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos.
  • Long hostnames in file: URLs (ID 922), Highly Severe: Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain.
  • News feed script injection (ID 923), Highly Severe: Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom.
  • Cross-site scripting (XSS) (ID 924), Highly Severe: Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team.
  • Rating and ID not given: Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. (Details to follow "at a later date".)


We salute Opera for their speedy response and (nearly) full disclosure, and lest it go unsaid, take a second to be certain you're up-to-date on your antivirus firewall software.

Here are Opera's complete details of Opera 9.63 fixes.

12/16/2008

More news on the IE security flaw

BBC News covers the IE security flaw and brings these details:

'"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said. (We just covered these Internet Explorer security issues.)

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."' (emphasis ours)

The article goes on to quote another security pro, PC Pro magazine's security editor, Darien Graham-Smith, who added,

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

For anyone reading this who isn't running:
   1.) antivirus software
   2.) a hardware firewall

This is your wake-up call.

Finding the right antivirus software for your money isn't hard to do. Some versions even include both, making them antivirus firewall software in one.

We know we beat the same drum day-after-day here, but we do so because it can't be said enough: run antivirus software, which can often stop attacks like these in their tracks.

We also saw this in a related Computerworld article on the IE flaw:

'Carsten Eiram, chief security specialist at Secunia, in a post to the security company's blog early Friday. "It turned out that a lot of available information and assumptions were wrong."

Among those, said Eiram, was the belief that the vulnerability existed only in IE7 and was related to XML processing -- as some, including Secunia, first thought.

Also incorrect, or at least partly so, is the idea that setting IE's Internet security zone to "High" and disabling scripting will keep one safe from attack, added Eiram. "Technically no ... it is still possible to trigger the vulnerability," he said. "However, it does make exploitation trickier as it protects against attacks using scripting."'

Interesting.

The long-story-short: This means even if you've cranked your settings up in IE, you're still at risk.

12/15/2008

NoScript: A tool for securing your computer against web browser-based attacks

For those of you that haven't (yet) switched from Internet Explorer to Firefox, here's one more reason: a tool that significantly improves computer security. It's called NoScript.

The beauty of NoScript is that it allows you to completely disable javascript, java, flash, shockwave, silverlight, and any other scripts on a site-by-site basis.

"What's the significance of that?" you ask? "Don't I just need an Internet security suite with a good firewall?"

Um, no. Many of today's attacks are able to "pierce" firewalls. Antivirus software is a must. A good firewall is a must. But that's just the beginning.

NoScript is part of the package. It means you can choose the scripts you want to allow to run on a given web page. The result is that you get the same net effect as completely disabling javascript in Firefox without the pain. Let's face it, if you disable javascript in your browser altogether, it can make surfing the web a total chore.

What's the big deal with javascript (and other scripts, too, for that matter)?

As Swa Frantzen of Sans.org discusses in his post on javascript security, written over a year ago but still very valid:

"Frequent readers will know that we often recommend to ease up on allowing scripting as it's used by the bad guys. XSS bugs are basically so bad, not for the example alert('XSS') (spaces added for the overly paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read credentials, session keys etc.).

Keyloggers aren't impossible either and making you unknowingly upload files from your hard disk to malicious websites etc. is all quite possible in javascript."

Long story short:

  1. We recommend Firefox.
  2. We recommend NoScript for Firefox.

Interested in learning more? Here are links for more information:

  • Download Firefox
  • Download NoScript



12/13/2008

New IE7 security exploit in the wild

News yesterday from our friends at MSMVPs.com and WebSense, who bring word of the latest IE7 zero-day security exploit.

Looks like some folks have already taken advantage of a Taiwanese search engine, "look.tw," which has apparently had at least several hundred pages infected, and are trying to use that site to download a file called ieupdate.exe.

For those of you who think you're not affected because you only surf "trusted" sites, think again:
"This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we've seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites (we even blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion mean that even trusted sites can end up serving malicious content causing you to get infected."

Concerned readers should have a look at the official Microsoft Malware Protection Centre report for details as well as recent Clarifications on the workarounds from Microsoft on the IE advisory.

The options for minimizing risk offered by MSMVPs.com include several things that are a good idea generally but especially so right now:
  • TURN UAC BACK ON (Available in Vista)
  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones (Tools >> Internet Options >> Security)
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone (Tools >> Internet Options >> Security)
  • Enable Data Execution Prevention for Internet Explorer 7 (Tools >> Internet Options >> Advanced >> then turn on "Enable memory protection") to help mitigate online attacks.
  • Use ACL to Disable OLEDB32.DLL.
  • Unregister OLEDB32.DLL (Technet security bulletin has details).
  • Disable Data Binding support in Internet Explorer 8.
Their post goes on to say:

"You can also try blacklisting the bad domains (details here and here) but to be honest, using blacklist protection is like playing an unwinnable game of whack-a-mole. Do what you can to mitigate risk by adjusting your browser settings, and for heaven's sake turn UAC back on!!"



Thanks to MSMVPs for putting together this excellent list of recommendations.

12/08/2008

DNS Trojan on the loose. . .

The cheeky folks at The Register bring us this news of a new Trojan DNS attack, DNSChanger, that can compromise multiple different OSes.

The upshot isn't that Mac and Linux/Unix users need to be worried per se, but that they should still be concerned if they're using DNS servers set by their DHCP provider. Why?

When you get your IP address from a third-party DHCP server, as is the case with most cable modems, DSLs, and dial-ups, you rely on the DNS server settings passed down to your machine along with it.

This is the case no matter what operating system you're running (unless you manually override these settings and hard code them). [N.B. This is trivial to do in Mac/Unix/Linux by editing /etc/hosts, but that's beyond the scope of this blog.]

So, in any case, if a Windows machine is compromised, other machines sharing the same DHCP server as that Windows machine can be attacked via the settings handed out by the Windows machine that has fallen victim to the DNSChanger Trojan.

For the kids in the cheap seats and anyone else not paying attention, this means if you're using:

  1. a cable modem
  2. DSL
  3. dial-up
  4. corporate network using a DHCP server

YOU my dear reader are susceptible to this nasty bugger of a trojan. (You're also vulnerable if you're on another type of network we can't think of that assigns IP addresses and DNS settings via DHCP.)

For everyone out there, for the record, we do encourage you to hard code your DNS settings. (Look to your favorite search engine if you're unfamiliar with how to do this.) And, as always, we certainly encourage everyone to compare antivirus software and choose one with the right features and price for your needs.
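The risk described above is that a lease handed out on the local network carries DNS servers you never chose. The following is an added example, not code from the Register article or from this post: it parses a DHCP OFFER/ACK and flags any DNS server (option 6) or DHCP server identifier (option 54) that is not on a trusted list. The packets and all addresses in it are constructed for the demonstration.

```python
"""Audit DHCP offers/acks for DNS servers that were not expected (constructed samples)."""
import ipaddress
from typing import Dict, List, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_DNS_SERVERS = 6
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
MSG_NAMES = {2: "OFFER", 5: "ACK"}


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return raw option values keyed by option code, walking the TLV area after the cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad octet, no length byte
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        # RFC 3396: a repeated option code is concatenated, not replaced
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def ipv4_list(raw: bytes) -> List[str]:
    """Split a run of 4-byte addresses (as used by options 3, 6, 54) into dotted strings."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dhcp(packet: bytes, trusted_dhcp_servers: Set[str], trusted_dns: Set[str]) -> List[str]:
    """Return findings for a lease; an empty list means the lease matches the trusted lists."""
    opts = parse_dhcp_options(packet)
    msg_type = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    findings: List[str] = []
    if msg_type not in MSG_NAMES:
        return findings          # only offers and acks carry the settings we care about
    for server in ipv4_list(opts.get(OPT_SERVER_ID, b"")):
        if server not in trusted_dhcp_servers:
            findings.append(f"{MSG_NAMES[msg_type]} from untrusted DHCP server {server}")
    for dns in ipv4_list(opts.get(OPT_DNS_SERVERS, b"")):
        if dns not in trusted_dns:
            findings.append(f"{MSG_NAMES[msg_type]} pushes unexpected DNS server {dns}")
    return findings


def build_offer(server_ip: str, dns_ips: List[str]) -> bytes:
    """Constructed sample packet: minimal BOOTREPLY header plus the three options we audit."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232      # op=2 (reply), htype=1, hlen=6, hops=0
    opts = bytes([OPT_MESSAGE_TYPE, 1, 2])               # message type: OFFER
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    opts += bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw + b"\xff"
    return header + DHCP_MAGIC + opts


if __name__ == "__main__":
    # Constructed addresses: the router is the expected DHCP and DNS server; 198.51.100.9 is not.
    for pkt in (build_offer("192.168.1.1", ["192.168.1.1"]),
                build_offer("192.168.1.77", ["198.51.100.9"])):
        print(audit_dhcp(pkt, {"192.168.1.1"}, {"192.168.1.1"}) or ["lease as expected"])
```

On a real network the packet bytes would come from a capture of UDP port 68 on the client, and the trusted lists from whatever the router is configured to hand out.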

12/05/2008

Facebook Koobface virus

120,000,000 people use Facebook, and we're all being targeted by "Koobface," a virus that leverages Facebook.com's instant messaging system to infect PCs.

The target according to Yahoo?

Your credit card numbers.

Not surprisingly, the Koobface/Facebook story showed up on Yahoo! News today [editor's note: the article has been removed since this blog was written, so the link to it has also been removed], and according to Facebook's spokesman, Barry Schnitt, few people were affected (so far).

A few things about this story (and the McAfee Antivirus blog) caught our attention:

  1. The fine folks at McAfee already have a security blog on Koobface of their own up. Hopefully, that will help spread the word.
  2. The virus, like many, is really a social engineering attack and not a worm that spreads willy-nilly on its own.
  3. Don't open links you aren't expecting--no matter how juicy they may be. It's really not worth it.
  4. According to McAfee's blog, the purpose of the virus is to push you through a proxy server to enlist you in click fraud. (More on this later.)

The original Yahoo! story goes on with this quote, with wise words we couldn't agree with more:

"'Facebook requires senders of messages within the network to be members and hides user data from people who do not have accounts, said Chris Boyd, a researcher with FaceTime Security Labs. Because of that, users tend to be far less suspicious of messages they receive in the network.

'People tend to let their guard down. They think you've got to log in with an account, so there is no way that worms and other viruses could infect them,' Boyd said."

Well said, Mr. Boyd. Well said, indeed. But, meanwhile back to the click fraud.

We all know how vigilantly the various search engines are working on preventing it (or at least they claim to be), but what's odd is that the Yahoo! story explicitly mentions the McAfee blog yet fails to mention anything about click fraud and instead mentions the theft of credit card numbers.

Once again, we smell a rat. (Actually, there are probably a couple here, but we're splitting hairs.)

"This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud."

Hmmm. How is it the precise mechanism is so clearly articulated in the McAfee blog, but some other excuse is fashioned up in the Yahoo! story? We all make mistakes. Perhaps an oversight. Funny though, isn't it, that their very search engine is one caught up and targeted for click fraud by the fraudsters.

'Til next time, fair readers, keep your firewalls up and your antivirus software scanning.

12/04/2008

Connecticut Teacher - Spyware Trial

For anyone not tracking this spyware story, you should be.

It's the tale of Julie Amero, 7th grade Connecticut substitute teacher.

Ms. Amero had taken charge of a language class (not even hers, mind you, but that of another teacher) and wanted to integrate, as teachers are supposed to do, technology into the classroom. Regrettably, when she did, the computer, probably infected by spyware of some kind, began displaying porn pics.

She tried to block students from seeing the screen and pictures; she tried to get help (none came).

What happened next will make your head spin: she found herself not just charged with, but found guilty of, four counts (!!) of "injury to a minor" or "impairing the morals of a child"!

Now I ask you, good reader, if you were using someone else's computer for the first time--even if you were literally an antivirus / anti-spyware programmer, how could you possibly know the computer was free of such malware?!

Answer: you can't. It's literally impossible.

In a school, business, or industry setting especially, one has reasonable expectations that the computers are in proper order and safe to use. If that weren't so, and everyone were responsible for running their own virus scans with each use, the world as we know it would grind to a screeching halt.

It would be akin to having to run your own diagnostic checks on your brakes, engine, and transmission before starting your car each day. For those of you familiar with running antivirus software, when you're running a scan manually, it takes--at a minimum--a few minutes for a scan to complete, even for the best antivirus software on the market.

Imagine Ms. Amero had to say to her 7th graders, "OK, class. Everyone sit still in your seats for 10 minutes while Ms. Amero runs an antivirus check so we can use the Internet." We're joking, right?

That's not what the biscuitheads in Norwich, Connecticut, would say. Oh, no. They fault Ms. Amero fully for the children being exposed to the pictures.

Needless to say, charges should have never been brought.

  • If they were, they should have been dropped.
  • If they weren't dropped, it should have been tossed out by the judge.
  • If they weren't, the jury should have had sense to bounce the charges out themselves.
  • And, for that matter, the prosecution should have realized this was truly a case of someone being caught up in a dragnet that shouldn't have been.

Sorry, kids, no dice. On all counts.

Apparently, though, this is something akin to the situation portrayed in Mel Brooks' movie "Spaceballs", when Dark Helmet, played by Rick Moranis, just about sums it up.

(Warning: what some consider "adult" language is shown in this clip. Local, state, and federal laws and such might just apply. This means don't watch it if you're not 18.)

That no one anywhere at these various checkpoints had the presence of mind to "just say no," is truly staggering to me. Staggering. What's most offensive of all to me perhaps is, as the writer puts it so well in Asia One, the source of this story,

"Ms. Amero appears to have been let down by the school. The computer had a program installed on it that was designed to filter out trash. But the license had not been renewed, so the filter had not been updated.

"The porn may have got through anyway. No filter is ever going to keep the bad guys out. But if you're going to install software like that you really need to make sure it's updated.

"I've seen enough of this to know how easy it is to get infected by this stuff, and how hard it is to get it off."

Wait just a cotton pickin' minute here, she's being blamed, and:

  1. The very software designed to block porn had been allowed to expire!?
  2. It's not even her classroom.
  3. She did her best to block the screen from the class.
  4. She called for help from the school and none came.
  5. She wasn't an IT professional but a teacher.

And she's still guilty?!?!

Please, please, please, someone is joking, right?

If your hair isn't already on end, let me add this little ditty about Julie Amero from PCWorld.

Turns out:

  1. Most of her expert witness' testimony was blocked.
  2. Her defense attorney failed to disclose the expert's findings to the prosecution pre-trial.
  3. The judge disallowed "a milk crate full of Microsoft documentation on how the Internet Explorer worked."
  4. Laptops to recreate the scene were disallowed because the judge refused to grant unrestricted access to the Internet to the defense.

Calgon take me away. Someone stop this runaway train before someone gets really hurt here. Nope.

And, as the last insult to injury here (from the PCWorld story):

"He had come to the same conclusion that both I and the defense team did....The bottom line: If the state used the forensic examiner and not Lounsbury it would have been readily apparent that Julie was not surfing for porn."

Thanks, justice system, for failing. Everyone involved at this point gets an F-.

Thankfully, last summer after a new defense team took over and presented their evidence, the conviction was overturned.

What stinks about the whole thing most--aside from the travesty of justice along the way--is that it really means no matter how obscure something may be, it's now up to you to protect your computer (and in doing so yourself!): apparently true ignorance of something is no longer an acceptable defense.