WashingtonPost computer security stories

The Washington Post is running a group of stories this weekend about
computer security and the problems a reporter went through with her
Windows 98 computer.

Interestingly, instead of ISPs, the articles identify other sources
of frustration for even technically savvy home computer users:
software vendors and overzealous advertisers.

A Digital Doctor Treats Computer Contamination
http://www.washingtonpost.com/wp-dyn/articles/A64481-2004Aug14.html
By Glenn Paterson
Special to The Washington Post
Sunday, August 15, 2004; Page F01
[...]
Her PC was in such bad shape, it required 10 1/2 hours of surgery to
restore it to working condition.
[...]
Finally, I abandoned ship, reinstalling the entire Windows 98 operating
system to repair the damage to Internet Explorer and allow Kathleen's
computer to access the Internet and update the Norton AntiVirus
definitions.
[...]
So to sum up, I spent one day cleaning up problems created by
ne'er-do-well hackers and overzealous advertisers and four more trying to
resolve a known problem with a product that is supposed to help prevent
problems, not create new ones. Yes, some of the trouble could have been
avoided if Kathleen had kept her anti-virus and operating system software
up to date. However, much of the responsibility lies with Symantec and the
rest of the computer industry.
[...]

What a Tangled Web I Wove
Computer Naivete Cost Me a Bundle And a Bit of Sanity
http://www.washingtonpost.com/wp-dyn/articles/A64483-2004Aug14.html
By Kathleen Day
Washington Post Staff Writer
Sunday, August 15, 2004; Page F01
My problem began the last Sunday in July, when my nearly teenage daughter,
newly returned from a month away at camp, announced, "Something's wrong
with the computer."
[...]
In fact, her comment marked the start of a much larger headache, one that
launched an odyssey that has taken $800 and roughly 48 man-hours over
nearly three weeks to end.
[...]
I wondered if maybe some of the programs I was trying to kill weren't
really spyware but something essential to Windows that I shouldn't try to
delete. I called Microsoft and was passed from operator to operator as I
asked where I could find a list of legitimate Microsoft applications so I
would know what to kill and what to leave alone. But the only response I
got from one person after another -- most of them in foreign tech-support
centers like those in India I had been reading so much about lately -- was
that I needed to go to Microsoft's online sales. After 45 minutes of this,
I hung up. Then I gave up. I actually stood up and walked away from my
computer.
[...]

Oh how I agree! I have 3 computers at home and have lived through
rebuilding 2 of them multiple times due to everything stated. My personal
computer has never had to be rebuilt because I run with ZApro and CA AV,
but I came near to it when I took down ZApro for 15 minutes to run a
Retina scan on something and some virus/worm got in and it took some
registry editing and safe mode work to get it removed - and I know what I
am doing.

But my son's computer is now DOA and I refuse to take the 8-12 hours to
rebuild it from scratch - again for the 3rd time. He knows to run with
ZApro and CA AV but he loads up everything and runs all these P2P programs
and online games and downloads and it would appear that W2K with all MS
patches installed - even tweaked and hardened with a personal firewall and
an up-to-date AV are no match for a 15-year-old out to ruin it.

I put the blame not on the AV vendors but strictly on MS for building a
sieve.

-Hank

As far as I know, there is no remotely exploitable hole in windows that
doesn't have a patch for it, nothing majorly in the wild anyway. I run my
fully patched XP laptop without firewall directly connected to the
internet all the time and the above you mention doesn't happen to me.

A lot of the problems with Windows that people complain about aren't
Microsoft-caused, apart from them designing a bad driver/library/registry
model for how things are installed and run. I usually run windows boxes
for two-three years without reinstalling them, other people have to
re-install every 3-6 months. Looking at their usage pattern and mine, they
install games and other programs and de-install them all the time, whereas
I usually stick to a fixed set of programs and rarely install new ones,
and I always apply new patches when they're available via Windows Update.
I can also run my machine for months without it crashing, which seems an
unobtainable feat for a lot of other people. I see a pattern.

Bad hardware and application software cause a lot more problems than
the operating system itself.

Well, then bad hardware and application software are a lot more prevalent
under Windows than Linux. I install/deinstall games and other application
software all the time under Linux. I have the usage pattern you describe
for others (except the part about patching my system regularly), and I just
don't have any difficulty keeping the system up for months at a time,
not having to reinstall the OS until I choose to upgrade major versions,
and, generally, it just keeps on ticking.

Admittedly, it's even better under MacOS with Apple hardware, but, given
the extent to which Linux is more reliable than Windows in the same usage
pattern as you described, I find it hard to blame the hardware.

Windows is a poorly designed operating system, which, although they have
plugged lots of holes, is constantly discovering new ones. Worse yet,
Micr0$0ft has always chosen a "functionality at any cost" approach to
their software, so, if they want to implement a feature and it can't
be done securely, they implement rather than scale back. Yes, their
current default settings are more secure than ever before, but, they're
still pretty leaky.

Owen

Retina scan on something and some virus/worm got in and it took some
registry editing and safe mode work to get it removed - and I know what I
am doing.

As far as I know, there is no remotely exploitable hole in windows that
doesn't have a patch for it, nothing majorly in the wild anyway. I run my
fully patched XP laptop without firewall directly connected to the
internet all the time and the above you mention doesn't happen to me.

I agree with Mikael here. If your box is fully patched you need not worry about that much -- if you are still having problems, check your assumptions. :) Windows 2003 Web Servers are up unfiltered out there, there isn't a real reason why a Windows XP laptop wouldn't be [exploita du jour excepted].

My only reason for liking a hw firewall for use with my laptop is that the network chatter/probe attempts on cable internet keeps the thing from staying asleep without it.

A lot of the problems with Windows that people complain about aren't Microsoft-caused, apart from them designing a bad driver/library/registry model for how things are installed and run. I usually run windows boxes for two-three years without reinstalling them, other people have to re-install every 3-6 months. Looking at their usage pattern and mine, they install games and other programs and de-install them all the time, whereas I usually stick to a fixed set of programs and rarely install new ones, and I always apply new patches when they're available via Windows Update. I can also run my machine for months without it crashing, which seems an
unobtainable feat for a lot of other people. I see a pattern.

Bad hardware and application software cause a lot more problems than the operating system itself.

This meshes for me too. A handful of utilities [NAV, putty, Mozilla, etc] and the Office suite is about it. My laptop [with frequent standbys, hibernates and the rest] doesn't need to be rebooted even monthly. The Verizon BroadbandNow software is the only thing that prefers a restarted machine with hardware changes [insert card/remove card] --- hopefully they will fix that, but I'm not confident.

I find it interesting that those who claim their machines are soooo important and soooo vital are the ones who spend many hours screwing around with the reinstalls, the upgrades [without knowing what features they are getting] and then being frustrated and uninstalling, etc.

Not all software vendors are equal, not all software packages from the same vendor are equal. I think this is the key point. Symantec [IMO] does fine with Windows, Microsoft's own stuff is pretty good, Mozilla is improving, etc. Installing some random software, no matter how well intentioned, is usually the problem for most folks. One suggestion that seems to help: when you buy a machine from scratch, uninstall or forcibly remove all the unnecessary software the vendor puts on. Lots of them install chatty support agents and self-diagnosis tools. I have never seen anything but trouble from these. Purists would say just install from fresh media and don't trust the uninstalls, ymmv.

Deepak Jain
AiNET

:
: I put the blame not on the AV vendors but strictly on MS for building a
: sieve.
:
: -Hank
:

I blame the miscreants who are malicious enough to want to cause as much damage
as they can.
MS software has tried for too long to be everything for everyone.

For instance the SP2 for XP now being released even breaks some of the
expensive MS applications, because they are learning to start turning stuff
off, by default, and removing much of the backwards compatibility that leaves
them so wide open for assault.

It is a rare Linux box that has as much stuff installed and running at the same
time as the average Windows box does.

I have learned to ghost an image of the installed box, and burn it to DVD which
makes it a no-brainer to rebuild a box that has gone south due to mis-use by
the uninitiated.

Bad hardware and application software cause a lot more problems than
the operating system itself.

--
Mikael Abrahamsson email: swmike@swm.pp.se

Bad users cause more problems than everything else combined. Doesn't matter if you're running windows, bsd, linux, OS X, or whatever. When a dumb user does a dumb thing, dumb things happen.

Doesn't matter really, if it's an OS that gets asked to run malware, and then is blamed for corrupting itself, or an SUV whose airbags and crumple zones fail to keep the driver alive that was spacing off and talking on a cell phone when they crossed in front of a semi. The end result is the same: Technology, and the intelligent individuals that create it, can only do so much to prevent a stupid individual from causing damage to themselves and others.

If anyone wants to argue against this, I beg of them to read

http://www.mentalsoup.com/mentalsoup/basic.htm

first.

-Jerry

Assumptions are a funny thing. It's amazing how many patched systems with
firewalls are compromised. Understanding how and why that happens is
important.

Speaking of computers fubar'ed by spyware, I just found a particularly
nice example of a phishing attempt. SpamAssassin had tagged it with the
astronomical score of 136.3 thanks to SARE.

The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
right now not pingable) and loads some images from www.citibank.com.
It links to http://61.128.198.51/Confirm/ - an IP address hosted by
Chinanet (transit to there supplied by Savvis from my point of view).

That page does something interesting: it meta refreshes itself to
Citibank's corporate homepage but also pops up a window
(/Confirm/pop.php) requesting the user's card#, PIN (twice) and a
new PIN. The main page being citibank probably lends some credibility
to the scam.

This attack won't work if your browser blocks popups, or if you remember
that the padlock icon in the status bar is what tells you the status of
a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo
inside the webpage.

It's disheartening to see that this website is still online after
several days (I received the scam mail Friday morning).

I'm thinking that Citibank will cease to be a target if they give (ok,
it's a bank - sell) their subscribers a hardware token that requires
presence of the ATM card when the customer wants to use online banking
facilities... as several banks here in the Netherlands do.

  -- Niels.
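The indicators Niels describes (logo images pulled from www.citibank.com while the form link points at a bare IP address) can be checked mechanically before a user ever sees the mail. This is an added example, not code from the thread: a small Python scanner run over a constructed mail body modelled on that message; `phishing_indicators`, `_LinkCollector` and the sample HTML are this example's own names, and `citibank.com` is used only because it is the brand discussed above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mail described above: the logo is pulled
# from the real bank site while the "confirm" link points at a bare IP address.
SAMPLE_MAIL = """<html><body>
<img src="http://www.citibank.com/images/logo.gif">
<p>Please <a href="http://61.128.198.51/Confirm/">confirm your account</a></p></body></html>"""

class _LinkCollector(HTMLParser):
    """Record every <a href> and <img src> found in the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under_domain(host, domain):
    """True for the domain itself or a real subdomain, never for a lookalike suffix."""
    return host == domain or host.endswith("." + domain)

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_indicators(html, brand_domain):
    """Return (reason, url) pairs for links in the mail that do not belong to the brand."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href in p.links:
        host = host_of(href)
        if is_bare_ip(host):
            findings.append(("link target is a bare IP address", href))
        elif not under_domain(host, brand_domain):
            findings.append(("link leaves the brand domain", href))
    # logos borrowed from the real site are what makes an off-brand link look legitimate
    if findings and any(under_domain(host_of(u), brand_domain) for u in p.images):
        findings.append(("brand images loaded from the real site", p.images[0]))
    return findings
```

The `under_domain` check deliberately refuses `citibank.com.evil.example`, which a plain substring test would accept.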

How strange, I received that in my email too..

-Henry

out of curiosity, you did send in a complaint to CitiBank's proper alias
for spoofing/phishing/blah, and a followup to Savvis who is providing
transit as you see from your perspective? and a sprint+sbc as it's their
customer 'hosting' the original page?

If no complaint is lodged citibank/sbc/sprint/savvis are none the wiser to
the problem, eh?

Christopher L. Morrow wrote:

It's disheartening to see that this website is still online after
several days (I received the scam mail Friday morning).

out of curiosity, you did send in a complaint to CitiBank's proper alias
for spoofing/phishing/blah, and a followup to Savvis who is providing
transit as you see from your perspective? and a sprint+sbc as it's their
customer 'hosting' the original page?

If no complaint is lodged citibank/sbc/sprint/savvis are none the wiser to
the problem, eh?

> /dev/null

passing to abuse, sorry for missing the original comments, Niels.

mark

Why not write a generator of credit card numbers / PINs and flood this
site with false information?

(I saw a few better examples, btw).

I'm thinking that Citibank will cease to be a target if they give (ok,
it's a bank - sell) their subscribers a hardware token that requires
presence of the ATM card when the customer wants to use online banking
facilities... as several banks here in the Netherlands do.

This is a social engineering attack. As long as you can convince the user
to cooperate, you can subvert technological counter-measures. When you
add the ability to subvert the communication device (computer, telephone,
etc) it gets even more interesting. The scam may even occur in multiple
parts using different forms of communication (email, web, fax, phone,
mail) for different parts of the scam.

Yes, it is possible to subvert smartcards, one-time hardware tokens
(securid), biometrics, etc. They are not just academic attacks,
they have been successfully attacked in the wild. Brute force isn't
needed when you can subvert other parts of the system, which includes
the human.

Scams also use other mediums. Here is an example:
http://www.fincen.gov/stoporder.pdf

As far as I know, there is no remotely exploitable hole in windows that
doesn't have a patch for it, nothing majorly in the wild anyway. I run my
fully patched XP laptop without firewall directly connected to the
internet all the time and the above you mention doesn't happen to me.

I'm sure there are plenty, and not just in Windows. Just because you don't know
about them or there's nothing published doesn't mean they don't exist. The hole
used by Sapphire didn't 'exist' until Sapphire infected all the open Windows
boxes within a couple of hours.

Even with your firewall you're not safe; stuff can get through if you either
allow it with a listening port (e.g. webserver) or by malicious trojan data (e.g.
javascript embedded in webpage, crafted response to dns/ping/snmp/ssh/whatever).

Bad hardware and application software cause a lot more problems than
the operating system itself.

I think they're all major things you should include in any security assessment;
the exact order of importance is irrelevant.

Steve

Alexei Roudnev wrote:

Why not write a generator of credit card numbers / PINs and flood this
site with false information?

(I saw a few better examples, btw).

Because fighting abuse with abuse is never a good idea?

Pete

The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
right now not pingable) and loads some images from www.citibank.com.
It links to http://61.128.198.51/Confirm/ - an IP address hosted by
Chinanet (transit to there supplied by Savvis from my point of view).

It's a one-line rule with mod_rewrite and Apache to block nonexistent or off-site HTTP referers attempting to display GIF/JPG/PNG images... Sometimes I wonder why Citibank, Paypal and others don't do this. It would cut down on the displayed authenticity level of many basic phishes.
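The referer rule proposed above, written out as a request-filter policy rather than a mod_rewrite line so that the edge cases are visible: the lookalike-suffix bypass, and the stripped-Referer problem that is raised elsewhere in this thread as the reason banks avoid such rules. This is an added example, not code from the thread or from any of the sites mentioned; `bank.example`, `should_serve_image`, the TEST-NET address and the sample requests are constructed for it.

```python
from urllib.parse import urlparse

# Assumed domain of the protected site (constructed for this example).
SITE_DOMAIN = "bank.example"
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png")

def referer_host(referer):
    """Hostname from a Referer header, '' when the header is absent or unparseable."""
    if not referer:
        return ""
    return (urlparse(referer).hostname or "").lower()

def same_site(host, domain):
    # Exact match or a real subdomain. A substring test ('bank.example' in host)
    # would also accept bank.example.evil.net, the usual hotlink-filter bypass.
    return host == domain or host.endswith("." + domain)

def should_serve_image(path, referer, allow_empty_referer=True):
    """Return True to serve the asset, False to answer 403.

    Off-site referers are refused so a phishing page cannot dress itself in the
    bank's own logos. Empty referers are accepted by default: proxies and
    privacy software strip the header for legitimate users, which is the support
    load objection raised in the thread. allow_empty_referer=False gives the
    stricter 'nonexistent or off-site' rule as originally proposed."""
    if not path.lower().endswith(IMAGE_EXTS):
        return True  # the rule covers image assets only
    host = referer_host(referer)
    if host == "":
        return allow_empty_referer
    return same_site(host, SITE_DOMAIN)

def simulate(requests, allow_empty_referer=True):
    """Apply the policy to (path, referer) pairs; returns the status each would get."""
    return [200 if should_serve_image(p, r, allow_empty_referer) else 403
            for p, r in requests]

# Constructed requests: the second is what a phishing page hotlinking the bank's
# logo (as the IP-hosted page discussed in the thread did) would generate.
SAMPLE_REQUESTS = [
    ("/images/logo.gif", "https://www.bank.example/login"),
    ("/images/logo.gif", "http://203.0.113.7/Confirm/"),
    ("/images/logo.gif", "http://bank.example.evil.net/"),
    ("/images/logo.gif", None),
    ("/index.html", "http://203.0.113.7/Confirm/"),
]

if __name__ == "__main__":
    for (path, ref), status in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(status, path, ref)
```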

Because many (broken) browsers/proxies/"firewalls"/etc block or forge
referrer headers "for security" and they'd quadruple their tech support
load with all their idiot customers using Norton Internet Security or
other similar products calling in saying "why don't I get any images on
the site? waah!" This simply isn't an option in the real world.

>>The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
>>right now not pingable) and loads some images from www.citibank.com.
>>It links to http://61.128.198.51/Confirm/ - an IP address hosted by
>>Chinanet (transit to there supplied by Savvis from my point of view).

It's a one-line rule with mod_rewrite and Apache to block
nonexistent or off-site HTTP referers attempting to display
GIF/JPG/PNG images... Sometimes I wonder why Citibank,
Paypal and others don't do this. It would cut down on the
displayed authenticity level of many basic phishes.

<cookie-foo>: 31-Dec-2014 00:00:00 GMT; path=/; domain=.usbank.com
Server: Microsoft-IIS/5.0

Citibank.com returns: Server: ""

Perhaps the 1-line mod_rewrite isn't available to them because they don't
have mod_rewrite?

Date: Tue, 17 Aug 2004 09:06:30 -0400 (EDT)
From: Tim Wilde

Because many (broken) browsers/proxies/"firewalls"/etc block
or forge referrer headers "for security" and they'd quadruple
their tech support load with all their idiot customers using
Norton Internet Security or other similar products calling in
saying "why don't I get any images on the site? waah!" This
simply isn't an option in the real world.

Ughh. Some "security" products cause more trouble than they
solve. Norton Internet Security is obnoxious enough to "filter
ads" by nuking graphics based on pixel dimensions. (After having
to alter some sites to get around this, we have a much harder
time recommending Symantec products...)

Eddy