Special security note about the Dr. Watson Debugger

February 5, 2009 by bluecollarpc

A special security note about the Dr. Watson Debugger, which is part of Windows. If there is one area that mobile malware can be born from, it is this one. On the home PC, I once had a registry cleaner – Iomatic – that had its own antivirus program in it (paid shareware). I was using – I believe it was the Zone Alarm firewall – and it very amateurishly and suddenly decided to recognize a typical registry clean-up as some malware intrusion into the PC system. It then used the Dr. Watson Debugger to run some sort of “kill bits” in the registry, or something similar, against the software itself to completely disable it and render it useless – even after multiple attempts to reinstall it in several ways.

Since then, on my XP machine, I have never allowed Dr. Watson to run again, blocking the process with the firewall – a different one. I had already written to both companies, and very LOUDLY, about what they did to the Iomatic products and the good money I paid for them. They never replied on either side, and it may have been settled out of court.

But the alarming point was this: of all the various and vast amounts of software out on the world web, including the many free and even obscure ones, it is far too easy to “fake” a software bug or glitch and then run the Dr. Watson debugger “under the radar” of security products like antivirus and antispyware – when in reality it is acting like a security-software-disabling trojan, or doing the same damage that virus and worm threats are able to.

So in reality, with a new computer system like Vista was and kind of still is – with the software industry, individual programmers (software writers), open source software projects and so on – well, in the beginning they are all emerging together to get everything running bug free on a new system. After the dust settles, it is pretty much a ghost town for the Dr. Watson Debugger. I have seen it run less than a handful of times on my brand new XP computer in 2001, and even less now on the new Vista PC. The Vista system became a little more sophisticated in a sense with the “Problem Reports And Solutions” feature, which sends out bug/crash reports with a click and usually returns solutions within 72 hours, in the form of Updates or Fixes to be applied at leisure – or they will even be shipped automatically through Windows Updates as non-critical Recommended Updates.

My TIP is to launch your new PC or Mobile PC and have fun. But don’t forget, somewhere down the line, to put some type of restriction on ANY debugger utility so that it is forced to ask for User Permission. If and when the Debugger attempts to run, you can ask yourself, “Was I just using so-and-so software, and did it just freeze up, crash, or need to be closed manually because of buggy behavior?” If the answer is “NO” – you just caught a cyber crime in progress, and you had better backtrack to the last software or two you installed – because the debugger is an affront being used in the commission of the crime, and as crimeware itself.

Obviously it would be an attack against anti-malware products and/or the firewall, but it can also try to run in the system under the wire to snoop on files and attempt to send them out through another piece of software, simply by using the debugger to execute a malicious script, programming language code, or malware payload.

THIS IS THE ONLY REASON THIS TOPIC WAS POSTED – AS A HEADS UP TO CRIMEWARE AND CYBERCRIME BY ITS MISUSE !
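One way to act on the tip above, as an added example that is not part of the original post: Windows registers its post-mortem debugger (Dr. Watson on XP) under the AeDebug registry key, so a defender can audit that key and make sure the debugger cannot start without the user clicking Debug first. The script assumes PowerShell 2.0 or later on the XP/Vista box; the expected debugger name (drwtsn32) is the XP default and is passed in as a parameter so it can be changed.

```powershell
# Added example, not from the original post. Audits the AeDebug key that the
# Windows post-mortem debugger (Dr. Watson on XP) is launched through.
# Assumes: PowerShell 2.0+; XP default debugger name 'drwtsn32'.
# On 64-bit Windows the same key also exists under SOFTWARE\Wow6432Node.

$aeDebugPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'

function Get-PostMortemDebuggerReport([string]$ExpectedDebugger = 'drwtsn32') {
    $findings = @()
    if (-not (Test-Path $aeDebugPath)) {
        return New-Object PSObject -Property @{
            Present = $false; Debugger = $null; Auto = $null; Findings = @('AeDebug key missing')
        }
    }
    $key      = Get-ItemProperty -Path $aeDebugPath
    $debugger = $key.Debugger
    $auto     = $key.Auto

    # Auto = "1": Windows launches the debugger silently on every unhandled
    # exception. Auto = "0": the error dialog is shown first, so the user has
    # to click Debug. The post's tip is to require that user confirmation.
    if ($auto -eq '1') {
        $findings += 'Auto=1: debugger starts without user confirmation'
    }

    if ($debugger) {
        # The Debugger value is a command line such as: drwtsn32 -p %ld -e %ld -g
        # The first token is the executable; resolve it against System32.
        $exe  = ($debugger.Trim('"') -split '\s+')[0].Trim('"')
        $leaf = [System.IO.Path]::GetFileName($exe)
        if ($leaf -notmatch ('^' + [regex]::Escape($ExpectedDebugger) + '(\.exe)?$')) {
            $findings += "Debugger is not $ExpectedDebugger : $debugger"
        }
        if ([System.IO.Path]::IsPathRooted($exe)) {
            $candidate = $exe
        } else {
            $candidate = Join-Path $env:windir ("system32\" + $leaf)
        }
        if ($candidate -notmatch '\.exe$') { $candidate += '.exe' }
        if (-not (Test-Path $candidate)) {
            $findings += "Debugger executable not found where expected: $candidate"
        }
    } else {
        $findings += 'No Debugger value set'
    }

    New-Object PSObject -Property @{
        Present = $true; Debugger = $debugger; Auto = $auto; Findings = $findings
    }
}

function Set-PostMortemDebuggerPrompt {
    # Hardening step: require the error dialog (user confirmation) before any
    # debugger is launched. Needs an elevated / administrator PowerShell.
    Set-ItemProperty -Path $aeDebugPath -Name Auto -Value '0'
}

$report = Get-PostMortemDebuggerReport
$report | Format-List Present, Debugger, Auto
if ($report.Findings.Count -gt 0) {
    Write-Warning ('Review: ' + ($report.Findings -join '; '))
}
```

Run Set-PostMortemDebuggerPrompt only after reviewing the report; it changes a single registry value and is easily reverted by setting Auto back to "1".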

 

Tips: Finding Windows CE bugs with help from “Dr. Watson”
http://www.pdamobilecafe.bluecollarpc.net/downloads/WindowsCE-bugs-help-fromDrWatson.rtf

(Files, these are files. When you click the link or ‘Open’ – the file will automatically open in your browser or Word Pad.)

The File extension is “.rtf” ….. this stands for Rich Text File which is a simple text file that also allows graphics / pictures. They have been created with the Word Pad on Windows XP.

SOURCE:
http://www.pdamobilecafe.bluecollarpc.net/pdafiles.html

Death Of A Sails Man: Pseudo 14 Teredo Trojan Botnet Attack

January 28, 2009 by bluecollarpc
I guess a good name for this one is “Death Of A Sails man” ….. referring to all the fun years on my Windows XP Home Edition Personal Computer. Sailing, surfing – you get it.

“THEY GOT ME” is the only way to describe the only real nightmare and damage I have ever suffered in all my days on a PC. My XP machine was hit with a massive, deadly payload by an unknown malware botnet botlord. I blame Al Qua-duhh people in the end, because I am a Christian E-Minister, not at all afraid or unwilling to spread the love of God to the World in my Prophet Of Jerusalem Bible Studies posted. They have been around before. The problem is they bring down every cop in the neighborhood when they decide to attack someone. No one needs the aggravation or unwanted attention. Today, throw in Homeland Defense and the President.

Well, gloves off here, and no sense in adding to false senses of security – after suffering cataclysmic, lethal damages to a “client computer” on the network. I have always said to get the best and forget the rest when it comes to protection security software – antivirus, antispyware, and firewalls. People get duped too easily by inferior products. I have mentioned again and again that Webroot Spysweeper and Trend Micro Antispyware are THE ONLY TWO that are in the same ballpark – detecting virtually everything with NO False Positives (stuff that is not really there, or actually valid system or software processes and files).

And here we are again. If it were not for the inferior PC Tools Spyware Doctor – which I had always noticed in past trials produced too many false positives, so that anything it found in the way of malware ALWAYS had to be checked – I would not have suffered the decimation of my XP computer system and files. You see, PC Tools Spyware Doctor (although deserving credit for finding something here) was DUPED by a botlord running a botnet with a fake trojan, and produced about 12 to 14 false positives for it, including at least 4 registry entries for “teredo” that were simply not there. I know there was no rootkit present because I was using the Trend Micro Internet 2008 security suite, which had tested with perfect scores in antivirus and antispyware – beating more than 28 other top products including Norton, Kaspersky and NOD32, to drop a few names. So after continual full scans – there was no rootkit present. My one year subscription with them was ending, and so began this episode of re-trying some other products. This led to the disaster…… read on.

FIRST UP… while we are here, I am also dumping Trend Micro and Webroot from my recommendations from now on. Trend requires that you MUST uninstall ALL other security software to download and install theirs – or it will not install. This is the debacle that led to the damages – my PC was left without protection while attempting to install the new 2009 version – but without renewing (a final sales point again, and I returned to the 30 day free full version trial package). So why do I dump them? Number one, apparently when clicking “uninstall” for the McAfee antivirus and firewall package I was running – it did not perform this other than in a damaging way, and the same again after a reboot and repeating the procedure. Two, the whole point of Vista out-of-the-box is that it is the safest system in the world now (and it is), as it has the new included Vista Firewall (which replaces the XP Firewall and is better) and also Windows Defender antispyware installed and running when you launch your new Windows Vista PC, and as well you run the included 30 day free full version of Norton antivirus. Didn’t all the people scream all the XP years about security? Didn’t Vista go over and above on security with the new system, including UAC (User Account Control) and Vista Internet Explorer 7 Protected Mode – as the safest “out of the box” PC ever released? Didn’t this shut them up? You bet! Nobody is so naive that they don’t know that cyber criminals ping the living be-jesus out of the world’s computers continually, looking for vulnerable ones. No one in security is so naive that they don’t know that cyber crime now attempts hit lists from every new home computer sale – and enter the end of Bill Gates in the Vista release. The first ever Windows Home PC completely protected out of the box, like they test antivirus for worldwide. It passed the test with flying colors. Unprecedented and simply amazing.

Well, here is Trend Micro and a few others TOTALLY circumventing this greatest of all security moves by Microsoft, by requiring that these applauded and recognized security results and release get ENTIRELY circumvented – by requiring the User to completely uninstall ALL protection to install theirs. You mean drop the out-of-the-box security and all the enhancements I have added? Yes, is their answer – and why? It makes no sense, except perhaps hiding behind newbie ignorance. Turn off your security first. Where have we heard that before? And while we are here – “industry leader” Webroot Spysweeper and/or its suite STILL has the most ridiculous and potentially system-wide damaging setting: when an apparently suspicious process is stopped for User Approval, it AUTOMATICALLY BLOCKS THE PROCESS IN 45 SECONDS UNLESS YOU RESPOND! What if it is a Windows Operating System process such as explorer.exe (Windows Explorer)? Too bad. Unless you continually peer at your PC screen the entire time it is on, from the moment you turn it on until you shut it off, while running Webroot – it can lock you out of your computer permanently, like the worst worm or virus or destructive trojan package. Good luck trying to uninstall Webroot in that event, or ever finding how to access it and where to remove the block on whatever it just blocked permanently, which you had just missed out of the corner of your eye as you turned and looked too late to see the 45 second pop-up window disappear into the sunset. How many newbies and computer dummies have no clue about this and what Webroot has done to their computer system and/or other files and software? It makes you wonder – and the experienced ALL know the answer to that one. The only hope is that the experienced also know that Webroot does indeed rarely produce a false positive.
So I dump Webroot and Trend Micro as top products, even though I am writing about my XP machine and not Vista – but I clearly made the security reference to the same, and to how Trend needs public ridicule as a “security product” circumventing Personal Computer Users’ safety – out of what, vanity? The additional free computer user tutorial that you should not run two antivirus programs or it might slow down the PC badly or “seriously depreciate computer performance”? No thanks for the dumb-ass lesson. Open mouth, insert foot – because they are responsible as well for the destruction of my PC in this very procedure. Enter “NATO Security” – are you joining? Well, let me finish them both off while I am here, as well, for the laughing stock they are as advertised protection leaders. Did you know that A-Squared has continually had about double the malware removal definitions of both these products? Currently (January 2009) Trend and Webroot have well under 1 million antispyware definitions. Guess how many A-Squared AntiMalware has? OVER 1,500,000 – one and a half million spyware category threat definition removal signatures. If you do their 30 day trial or install the free version you will see they currently have over 2,500,000 – that is over two and a half million removal signatures, as they have added the Ikarus antivirus, which has just over 1 million known virus removal signatures. Over 2 and a half million signatures. Which product are you choosing for security? Corporate commercial hyped whores or the “real deal”? Let me guess….

THE DAMAGES…. can be found at my Help Forum, called Malware Adware Spyware Help (M*A*S*H*), at my BCPCNet Community Portal Forums http://bluecollarpc.net/smf/index.php ….. and in the Help Topic BULLETIN: In-The-Wild DOS Threat targeting MSN Subscribers – Blocks Windows Updates http://bluecollarpc.net/smf/index.php/topic,1114.0.html

What happened was that, in the process of several tasks in the middle of a renewal year for security products, I had a three ring circus going on, trying some older and newer products while I had the moment. I seriously considered A-Squared AntiMalware (and finally chose this product) over the Trend Micro Suite 2009, actually with a better firewall – the Comodo Personal Firewall, which has been rated about the best for years. I was checking out PC Tools Spyware Doctor through the free Google Pack and found they have just over a half million definitions (still feel safe? A-Squared has over 1.5 million spyware definitions; this is what I am talking about – about an extra million definitions in comparison), and I was also checking out the freeware Spyware Terminator, which is really fantastic if you can stand aggressive software. I was and am truly amazed with Spyware Terminator. I would NEVER recommend this for a new user, however. You must know and be familiar with Windows system processes by name, and various software as well – because you are going to be asked to give permission for these to run. If you click block or no – you may not be able to actually restart your computer and/or other software ever again unless it is uninstalled. At least they don’t block things automatically like Webroot, which doesn’t give you a chance to look something up, which always takes a few moments. Hey, let me throw in that Webroot Spysweeper “married” Sophos Antivirus, which stands side by side with Symantec Norton in an unprecedented 40 plus VB 100 Awards for perfect scores in detection and defense. Sophos, I believe, is UK-based but has always been a corporate level protection, and that is where they earned their continual awards. Clap clap, praise. The Webroot marriage introduces their first ever personal computer antivirus application. Kind of a “beta” feel to me.
If you are like me – in dire straits, needing full, absolute protection without excuses or rumors, and now, without 24 hours to spare or waste on a venture – then you know why I am “dropping lugs”. As well, you may be learning here things you never knew about two of the most popular names in the security industry.

So enter the “Pseudo 14 Teredo trojan”, as I have dubbed it. Remember, this is a botherder running a botnet launching a personal attack, perhaps disguised as a DOS (Denial Of Service) attack against MSN.com subscribers without Windows Updates Automatic checked “On”, using the current Windows Zero Day Threat – now with a patch released out-of-cycle. I declared it an unknown “in the wild threat” to the security industry and officials, as that is exactly what it was/is. Obviously this would HAVE to be the report by PC Tools Spyware Doctor, falsely detecting this in-the-wild unknown botnet DOS as a teredo area trojan. I posted several security ware logs. I discovered at least one non-traditional “kiddie script” changing many 15 values to 14 in “Shell No Roam” areas of the Windows Registry, and thus the “Pseudo (fake) 14 teredo trojan” dub.

You see, the MASSIVE PAYLOAD (see the A-Squared log posted at *M*A*S*H) included at least one downloader trojan, the Explorer.exe Worm and minimally one other crafted worm, 2 viruses, at least one adware and one spyware package, and at least one malicious script. These were altered worms and viruses. The Explorer.exe Worm was altered for specific damage. There was another altered worm for specific damage. Then of course there was the crafted fake trojan PC Tools Spyware Doctor detected as well, that kicked the whole thing off.

Since the “teredo” area is SO CRITICAL to connectivity and security at all with a Windows PC, in the IPv4 and IPv6 and pseudo tunneling areas – and I did not find the at least 4 mentioned teredo positives from PC Tools Spyware Doctor in my Windows Registry or anywhere in Files (Windows Explorer) – I immediately understood that it was a false positive for sure, and remember I was running Trend Micro, with perfect scores in rootkit detection – none present. Even though I had the approximately 14 item trojan package they declared, with these several “teredo” registry items, in their Quarantine Folder, and the PC was running as if nothing were wrong anywhere – I did know that indeed, since they were false positives and this product is known for that, they had no business deleting anything on my PC that they thought was there and indeed was not. Like, what did they indeed intend to delete if clicked to do so, when whatever they mentioned was not even there? You see? One “typo” error in the Registry is fatal. So I clicked “Restore” with the intent to do full scans by Trend and A-Squared. There were associated temp files as well. This was “Death of a Sails Man”…. that’s all she wrote….

On reboot, while concurrently (at the same time) installing the Trend Micro Internet 2009 30 day trial – the PAYLOAD launched. It immediately attacked the Trend Micro personal firewall successfully – disabling it. Trend failed in uninstalling my McAfee Antivirus and McAfee Personal Firewall, and these were destroyed by Trend Micro itself, as they had a click to “Uninstall McAfee Products and install Trend Micro on reboot”. Yes. Too bad. Their uninstaller did not perform properly and I could not reinstall the McAfee products. I am crapping bricks at this point, because I am an advanced user and can see a worm running – about 5 to 10 seconds of damage – it is deleting files like there is no tomorrow. OH crap. Navigation is freezing because of the Trend blunder. I try to get to security software to scan. At this point I have NO real time protection running and I have been had. Little did I know that the payload included malicious script and at least one virus. The rest was secondary. Going to System Restore, and my god – it is GONE! I cannot access MSN to install their free full versions of Webroot Spysweeper and McAfee Antivirus and Firewall. Blank white pages EVERYWHERE! For the first time in history, to my knowledge, the MSN.com software has just been destroyed, and that includes their MSN Browser. Internet Explorer was rifled into a complete circle jerk game where the obvious tasks would then include rolling back to version 6, undoing damages manually, and reinstalling version 7. This would only apply to MSN customers who get a special Run Once page to finalize Version 7. Can’t use it until then. Oh my god…. there is a current zero day threat that affects both versions 6 and 7 – 6 more critically, and lower versions. You guessed it – Windows Updates – blank white pages, could not be accessed. OMG! This definitely indicated and reveals it is a malware botnet attack in process (zombie network attack).
OMG (oh my god), it was attacking IPv4 and IPv6 connectivity, and right at the only thing left running – the XP Firewall from Service Pack 2. It attempted to destroy the XP Firewall, with the further intent of the whole DNS poisoning episode of hijacking broadband connections. I have two firewalls activated, in both the broadband modem and the router – and these were intact, but I was losing connectivity altogether, with NO IP identification available in certain states of reboot. It was hit, but it survived. I could not use the Mozilla Firefox browser to access the free trial of Webroot Spysweeper with Antivirus…. blank white pages – and that was when I realized the malicious scripts and “kiddie virus” had destroyed and rewritten malicious entries into the Windows Registry.

In the meantime I am looking at what appears to be Homeland Defense, Microsoft, and Verizon at a staff meeting on my screen and connection, trying to purge the living be-jesus out of the connection to catch the son of a bitch (Al-Qua-duhh) on the other end. I am not kidding. Years ago I reported what were very, very, very visibly Yahoo ID code names that pointed directly to terrorist recipients of pirated mobile computer software. I got retaliated on in many ways (getting sent hundreds of viruses monthly for a while in emails), and one other was an in-the-wild threat, I believe, called Trojan.Gema. Stopped.

Well, this is certainly one of literally millions of these destructive episodes that people like myself and many, many others try to warn people about – to listen and obey about having real time protection security software in place, updated and running continually. This type of damage cannot occur in those cases. I finally got to see it first hand, and understand all the horrors last night that millions have suffered. It’s a shame as well, for all those that were taken advantage of further by the “unscrupulous PC repair” guy (google it) – and I have written about that continually.

Bottom line for me? I had a plug-and-play detachable 80 Gig drive with a Full File Back Up, and also a half decent Registry Cleaner Utility software that had Full Registry Back Up and Restore capabilities. I ran them and all is well – except for my Windows Installer, which was successfully targeted. I am still trying to fix that at this late hour.

Thought I would share “Death Of A Sailsman”……

Webmaster www.BlueCollarPC.Net

Happy and Safe Computing. (Nobody’s perfect ! )

Heads Up for fake WordPress sites

November 7, 2008 by bluecollarpc

Heads Up for fake WordPress sites….. READ:

Fake WordPress site distributing backdoored release

Can you find five differences between these two sites? Wordpresz.org may indeed look like WordPress.org, but the 2.6.4 release it’s distributing is purposely backdoored in order to steal the content of cookies from those who have installed it, potentially leading to the hijacking of their WordPress blogging platforms for malicious purposes. Not only is [...]
11/6/2008 9:29 AM
http://blogs.zdnet.com/security/?p=2129

Tips: A note about Radio Buttons and Active X

September 10, 2008 by bluecollarpc

http://bluecollarpc.net/smf/index.php/topic,892.0.html

A note about Radio Buttons and Active X :
Here is a definition from community public Wikipedia:
 
Radio button
http://en.wikipedia.org/wiki/Radio_button
 
What is not mentioned there is that many times – and this is what I have referred to in older posts and as well in our new webcast/modcast – a “radio button” is also a term used to describe a shortcut “button” that is installed in the Internet Explorer navigation bar.

A very familiar one is the old Windows Messenger. Different special software package programs that are interactive with Internet Explorer also install these “radio buttons”. They are not a full toolbar – thus the “button” term, because of the small size – but they are generally multi-functional, so not just a simple shortcut. They can also use JavaScript.
 
A personal example is the Handstory program, which installs a “radio button” in Internet Explorer that allows several functions…. copying text and pictures from a website being viewed to transfer to the mobile computer which plugs into the home PC, and as well making mobile computer bookmarks out of the page being viewed to send to the mobile. So this radio button is like a full toolbar in that it is NOT a simple bookmark – but a working and operational “radio button”, and generally with multiple functions. These involve ActiveX in the installation programs with Internet Explorer.
 
This is of interest in the malware circle because they are a “second city threat” aside from the number of malicious toolbars around – which may even add a button with lesser visibility, being all the way past the ones shown and “hidden” from view, and also as an extra item in the install – not being removed by any antispyware program that may have detected the toolbar as a differently named threat, and perhaps unknown or mistakenly ignored. Your top antispyware programs will no doubt detect and remove them easily – as the malware toolbar package was examined thoroughly in their labs (maybe not?). Just visually inspect your hidden items in the drop down menus to the side for all the extra buttons not seen because of room. (They can be a phantom, invisible, as well – no doubt perhaps employing a “transparent image” language.)
 
A worse example of a radio button added with a malware toolbar would be a very visible one that more than likely would give options to do with the website they have you at – and probably to visit somewhere else with a click – like some adult material toolbar with some gimmicks for displaying the webpage with some “vote for this, or rate this”, and then the added button would be a “show me more” button, possibly with drop down menus of categories to go to. Another same scenario could be a game website, and so on. Of course the whole time, Internet Explorer is hijacked, and no doubt your every move is being spied on, and most of the time, for the next five websites you try to go to, it is ‘brute force’ redirecting you to one of their package websites, which in turn, doing a drive-by, is adding more malware to the computer.
 
Inspect things from time to time, especially if you have removed a bad toolbar… check for remnants.
 
Webmaster
http://www.BlueCollarPC.Net

——————————————————————————–
*****FORUMS MODERATOR*****
BCPCNet Community Portal Forums
http://bluecollarpc.net/smf/index.php
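The inspection the post above recommends can be done from the registry rather than by eye, since every Internet Explorer toolbar button and Tools-menu item is registered under the IE Extensions key. This is an added example, not code from the original post or forum: it lists the buttons from both the machine and user hives, shows which ones are set to not be visible by default, and resolves the COM DLL behind each one. It assumes PowerShell 2.0 or later; the standard IE value names (ButtonText, Exec, Script, ClsidExtension, Default Visible) are used as documented by Microsoft.

```powershell
# Added example, not from the original post. Enumerates Internet Explorer
# toolbar buttons ("radio buttons") registered under the Extensions key and
# flags hidden ones or ones backed by files in unusual locations.
# Assumes PowerShell 2.0+; standard IE Extensions value names.

$extensionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
)

function Resolve-ComServer([string]$clsid) {
    # ClsidExtension names the COM object that runs when the button is clicked;
    # its InprocServer32 default value is the DLL actually loaded into IE.
    if (-not $clsid) { return $null }
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path $srv) { return (Get-ItemProperty -Path $srv).'(default)' }
    return $null
}

function Get-IeExtensionButtons {
    $results = @()
    foreach ($root in $extensionRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            $results += New-Object PSObject -Property @{
                Hive    = $root.Substring(0, 4)        # HKLM or HKCU
                Guid    = $sub.PSChildName
                Button  = $p.ButtonText
                Menu    = $p.MenuText
                Visible = $p.'Default Visible'        # "No" = hidden past the shown buttons
                Exec    = $p.Exec                     # program launched by the button, if any
                Script  = $p.Script                   # script run in the page by the button, if any
                ComDll  = Resolve-ComServer $p.ClsidExtension
            }
        }
    }
    return $results
}

function Find-SuspiciousButtons($buttons) {
    # What the post says to look for: hidden buttons, and buttons whose
    # program, script or DLL lives outside Program Files / Windows.
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    foreach ($b in $buttons) {
        $reasons = @()
        if ($b.Visible -eq 'No') { $reasons += 'hidden from toolbar by default' }
        foreach ($path in @($b.Exec, $b.Script, $b.ComDll)) {
            if (-not $path) { continue }
            $clean = $path.Trim('"')
            $inTrusted = $trusted | Where-Object { $clean -like ($_ + '*') }
            if (-not $inTrusted) { $reasons += "unusual location: $clean" }
        }
        if ($reasons.Count -gt 0) {
            $b | Add-Member -MemberType NoteProperty -Name Reasons -Value ($reasons -join '; ') -PassThru
        }
    }
}

$all = Get-IeExtensionButtons
$all | Format-Table Hive, Button, Visible, ComDll -AutoSize
Find-SuspiciousButtons $all | Format-List Button, Guid, Hive, Reasons
```

A button that a legitimate program installed will normally resolve to a DLL under Program Files; an entry left behind after a toolbar removal shows up here as a GUID whose ComDll no longer exists or points somewhere odd.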

Freeware security was a solution – once upon a time…..

August 29, 2008 by bluecollarpc
What the problem is, is that professional polls were conducted recently (2008), and it was discovered that a large percentage of users thought they were protected – but in reality were not. THAT IS ALARMING!

The simple knowledge actually is that in basic computer system security – viruses were invented. So the next logical step was to invent something to destroy or eradicate, or safely quarantine and remove them, as unwanted installations that are dangerous to computers. Of course that was in the 1990’s. Today, they are more sophisticated and are able to do much more than simply destroying files or parts of the operating system (Windows).

With the antivirus industry in full swing, at a current count of just over one million viruses (2008), they have what is called heuristics, and real time protection. What? That means not just scanning email. It means that when you are browsing the internet, there are all sorts of viruses at all sorts of bad websites – or “malicious content websites”. When you hit the bad website and a virus launches to infect the computer system – antivirus software programs immediately quarantine the virus (and most trojans).

The difference between email viruses and viruses on the world web is your email itself – and also your files. With email and files, antivirus will attempt to “clean” the virus from the email or file to preserve the email or file content for the User. This works virtually always, as the industry has come a long way and is obviously more sophisticated than “e-street thugs”.

But with malicious websites – the virus (and most trojans) are just that – and have not touched anything on the computer yet, being stopped dead in their tracks by the antivirus software program. There are no files to clean. With a malicious download – software secretly and intentionally infected with a virus – again it will try to clean that to protect the intended installation. Sometimes, as cyber crime is tricky anymore, it is just a bogus fake software anyway, and you would get the antivirus program pop-up “Can not Clean the File”, and you simply delete it – if there was an installer downloaded to, say, “My Documents” or another destination (a folder of your choice). And too, if it is in the antivirus program “Quarantine Folder”, in that case it would generally be in the Temporary Files of the system, and is not any actual file on the computer per se, except the actual temporary files folder entry. If you see that extension as part of the infected file name on the quarantined item – you just click Delete. It is no software at all – just malware (virus).

But there is only one way to do the above….. you have to have Real Time Protection. This is not available in free home versions (freeware). You have to pay for it (shareware). Generally, for just antivirus, it has been about 35 dollars (US) yearly. Now the free versions (and this is all basically the same with the antispyware programs – just different threats, malware) will scan the computer, detect threats, and react appropriately as to whether to quarantine for User action (attempt clean or just delete) or delete trojans. Trojans are like their own little program to do and control stuff, as opposed to a virus infecting – merging into – a file. Antivirus will always delete a trojan because there is nothing to clean to salvage. A trojan is malicious malware, period.

 
EXAMPLE… of why free protection is worthless:
SEE
Security software disabler Trojan
http://www.webopedia.com/TERM/S/security_software_disabler_Trojan.html

The bottom line is to reiterate (say again) that it used to be just fine to use the free versions, and they do great, but….. The problem and inconvenience used to be getting “hit” while browsing, and everything was messed up, and you had to stop everything you were doing to scan the computer for threats to remove the bastard. Very, very time consuming. And you couldn’t do anything else until the system and files were cleaned and safe to use again – or you knew you were risking the spread of its intent – whether a virus or spyware.

So, I said all that to say this – to reiterate that today’s malware and its creators, and the cyber criminals behind them, have become very, very, very sophisticated. They can easily – in the blink of an eye – totally infect an unprotected system (no real time protection), and now have the ability to disable free security software and go further to restrict access to the Windows Registry and other navigation functions like Task Manager, with the intent to block the User from attempting to manually remove the malware (delete their files and registry entries by hand in Windows Explorer and the Registry).

So my whole point is, as webmaster of www.BlueCollarPC.Net and our groups and lists and forums – I am engaged to warn new and intermediate users that this is simply NOT an option anymore – freeware as your Security Solution.

Did I make that point well enough ? Even though this is a brief one page writing….

Happy and Safe Computing
www.BlueCollarPC.Net and the dial up friendly www.BlueCollarPC.Org

 
NOW you can read this article to make informed choices…. don’t forget – the free versions are great as back-ups and may discover what others miss. Just remember they do not protect the computer – they attempt to clean it.
 
Article For Reference…..
Build your own free security suite
http://www.networkworld.com/nlsecuritynewsal156270 
Do-it-all suites are the name of the security game these days. Sure, you can gather free programs that cover the bases much as a suite would, but who wants to bother with finding out which apps work together and which ones might leave you pulling your hair out?
 

BCPCNet Community Portal Forums Newsletter 08-24-2008

August 24, 2008 by bluecollarpc
BCPCNet Community Portal Forums Newsletter
August 28 2008
All Members
Visitors…
 

Welcome again all Members and OuR VisitorS. This has been an Olympic Summer with everyone enjoying the Summer Shows. Sorry for missing our July Newsletter. This August 2008 Issue is a couple weeks late as well. My ApolOgiEs….
 
Beginning Labor Day (USA Holidays) 2008, Our Newsletter will be sent out the tenth (10th) of each month, which is the monthly anniversary date of Our Launch Date – June 10th 2008.
 

These past two months, July and August 2008, things have been moving along well for the BCPCNet Community Portal, with much content added in the way of Vista-In-The-News type sub-forums here at the Portal, for instance posts transferred from our already up-and-running Vista Groups at Yahoo and Google.
 
The various Forums here at the Portal cover a wide array of interests. Of course there is plenty of room to grow, because we are still new, only two months old. We have achieved a modest handful of Members since launch, which is normal; everything is a little slow for a new destination on the web. Word gets out, posts are picked up by search engines and gain more visits, and people share our bookmark with others. So, hopefully, we will gain more and more Members over the first year as a new Portal of mutual-interest forums.
 
As webmaster of both www.BlueCollarPC.Net and www.BlueCollarPC.Org, I may begin a new Security Podcast segment as a weekly security round-up podcast; if so, I will announce it and the MP3 podcasts will be loaded right here in the Portal. Suggest others! If you podcast, definitely add them here at the BCPCNet Community Portal…. You will need permission from the Moderators to upload the files as a New Topic post. No biggie!
*Our Portal guidelines put security first, and we do not just allow anyone to join and upload anything harmful (malware) to our Members and Visitors.
 
Well, Happy Summer to all Members, and to all our Visitors who have not joined yet: we hope to see you back after Labor Day!
 

Regards,
The BCPCNet Community Portal Forums Team
 
- – - – - – - – - – - – - – - – - – - – - – - – - – - >
 
Keep Up with your Community, Our latest activity in RSS….. NEW !
 
Portal Link:
http://bluecollarpc.net/smf/index.php/topic,141.0.html
 
Catch the latest activities of our Portal anytime in any RSS Reader of your choice. …..
 
RSS FEED url: (paste this in your reader)
 
RSS FEED :::::> Copy/paste the full URL into your reader
(beginning with “http” and ending in “.xml”):
 
http://www.dapper.net/transform.php?dappName=BCPCNetCommunityPortalForums&transformer=RSS&extraArg_title=Title&extraArg_description[]=Title&extraArg_description[]=Description&extraArg_description[]=Publication_Date&extraArg_description[]=Item_Link&extraArg_pubDate=Publication_Date&applyToUrl=http%3A%2F%2Fbluecollarpc.net%2Fsmf%2Findex.php%3Ftype%3Drss%3Baction%3D.xml
 

If that looks a little long, it was just created from the existing Simple Machines Forum RSS feature available to webmasters, with the Mozilla Firefox add-on “Dapper”.
 
INFORMATION:
User Info for Dapper :: Firefox Add-ons 
DapperFox
https://addons.mozilla.org/en-US/firefox/addon/4632
 
Check out our Widget at the main domain http://www.BlueCollarPC.Net/ or our sister site http://www.BlueCollarPC.Org/ (dial-up friendly) here: http://www.bluecollarpc.org/_mgxroot/page_10749.html ….. anytime. Our Portal Widget displays the latest Forum posts with public view as a sort of “Latest Headlines”…. You can also view the BCPCNet Community Portal Widget at the webmaster's personal homepage here: http://www.myphillypa.bluecollarpc.net/index.html
 
A direct entry button to the Portal is also available in our BlueCollarPC Toolbar (download at www.bluecollarpc.net ) or here: http://bluecollarpc.communitytoolbars.com/
 

We strongly recommend the updated, genuine freeware RSSReader.com software as your RSS reader. It is an independent browser with many, many features. It has been continually updated from .NET Framework versions 1 to 2 and is now also supported on version 3 in the new Vista. The .NET Framework is free from Microsoft.com, through Windows Update's optional downloads or at their site, and the newest version 3 comes pre-loaded in Vista. If you do not have security software installed (antivirus, antispyware and a firewall) I would hesitate to install it, since it is an actual independent browser, almost like downloading Firefox or Internet Explorer. Features include clicking a feed article to either “Open in Default Browser” or “Read”, which displays the web page right in RSSReader. That is the same as browsing the internet, and is why you should have at least real-time antivirus protection installed. I have used this through the XP years and now in Vista, for over 5 years, back to version 1.1. ….. I have NEVER hit a web page link to read in it and detected malware, but I never took chances since my first computer and never will. The content is all from respectable feeds you choose across the Net, so it is rarer than getting hit by lightning, which is probably why it is so safe as “safe browsing”. The same could happen anyway with the browser plug-in readers on Internet Explorer (IE) or Firefox, but a zillion plug-ins is what slows down navigation. So this is one of the main reasons as well why this independent RSS reader program is recommended. It is very durable, light and fast, with many options and features. Get….
 
RssReader – free RSS reader that displays any RSS and Atom news feed. Requires Microsoft .NET Framework 1.1.
http://www.rssreader.com/
 
Currently setting up the List of which Forums will be public on our RSS Widget on the main websites pages….
 

Portal Administrator and Webmaster
www.BlueCollarPC.Net
www.BlueCollarPC.Org
 
Regards,
The BCPCNet Community Portal Forums Team
 
 
 
—————-PREVIOUS NEWSLETTER——|> – - -
 
BCPCNet Community Portal Forums Newsletter
June 13 2008
All Members
 

Welcome. This is the very first newsletter, as sort of a first draft. Along the way it will be dressed up to include the Community Portal news and events here at the Forums.
 
The Portal was launched June 10 2008 – so we are brand spanking new and recruiting membership !
 
Stay tuned for updates !
 
Moderators

BCPCNet Community Portal Forums
TOPIC# http://bluecollarpc.net/smf/index.php/topic,792.0.html
VIEW ANYTIME AT ANNOUNCEMENTS FORUM

Manually identify/remove: Mystery web attack hijacks your clipboard

August 18, 2008 by bluecollarpc

Manually identify/remove: Mystery web attack hijacks your clipboard ….. my first attempt at this:
 
 
Posted: Mon Aug 18, 2008 2:36 am    Post subject: Removals….    
http://www.thornsoft.com/phpBB2/viewtopic.php?p=12642#12642
 
bluecollarpc wrote:
Hi… I have posted from this news article:
Mystery web attack hijacks your clipboard
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
….at my forum here:
http://bluecollarpc.net/smf/index.php/topic,740.0.html
….. I am researching and came across a possible way to backtrack this to its origin, perhaps in a rudimentary way that is not too hard. It is strange and is attracting the security news rooms. Hope this helps, at the least as a starting place for a manual removal of the malware. Most likely, quality antivirus and antispyware will have it nailed within weeks, tops.
 
Working from the idea of a browser hijacker always setting its own home page, this is like tracking down the source through the “ownership”….
 
Apparently this may be an “in the wild” threat, assuming these persons use quality antivirus and also have scanned with quality antispyware.
 
Let’s try a manual clearing of the Clipboard…
 
EmptyClipboard Function
http://msdn.microsoft.com/en-us/library/ms649037(VS.85).aspx
The EmptyClipboard function empties the clipboard and frees handles to data in the clipboard. The function then assigns ownership of the clipboard to the window that currently has the clipboard open.
 
Syntax
BOOL EmptyClipboard(VOID);
Parameters
This function has no parameters.
 
Return Value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks
Before calling EmptyClipboard, an application must open the clipboard by using the OpenClipboard function. If the application specifies a NULL window handle when opening the clipboard, EmptyClipboard succeeds but sets the clipboard owner to NULL. Note that this causes SetClipboardData to fail.
 
For an example, see Copying Information to the Clipboard.
 
Function Information
Minimum DLL Version user32.dll
Header Declared in Winuser.h, include Windows.h
Import library User32.lib
Minimum operating systems Windows 95, Windows NT 3.1
 
See Also
Clipboard, OpenClipboard, SetClipboardData, WM_DESTROYCLIPBOARD
————NEXT:
 
A clue for backtracking to whatever is repeatedly entering the information into the clipboard may be here, as the “Clipboard Ownership” …..
 
 
The clipboard owner is the window associated with the information on the clipboard. A window becomes the clipboard owner when it places data on the clipboard — specifically, when it calls the EmptyClipboard function. The window remains the clipboard owner until it is closed or another window empties the clipboard.
 
When the clipboard is emptied, the clipboard owner receives a WM_DESTROYCLIPBOARD message. Following are some reasons why a window might process this message:
 
The window delayed rendering of one or more clipboard formats. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had allocated in order to render data on request. For more information about the rendering of data, see Delayed Rendering.
 
The window placed data on the clipboard in a private clipboard format. The data for private clipboard formats is not freed by the system when the clipboard is emptied. Therefore, the clipboard owner should free the data upon receiving the WM_DESTROYCLIPBOARD message. For more information about private clipboard formats, see Clipboard Formats….
http://msdn.microsoft.com/en-us/library/ms649013(VS.85).aspx
 
The window placed data on the clipboard using the CF_OWNERDISPLAY clipboard format. In response to the WM_DESTROYCLIPBOARD message, the window might free resources it had used to display information in the clipboard viewer window. For more information about this alternative format, see Owner Display Format.
————-NEXT:
 
So you may try to discover the ownership by….
 
Clipboard Sequence Number
The clipboard for each window station has an associated clipboard sequence number. This number is incremented whenever the contents of the clipboard change. To obtain the clipboard sequence number, call the GetClipboardSequenceNumber function….
http://msdn.microsoft.com/en-us/library/ms649042(VS.85).aspx
—————–
 
It would help if persons would try a HiJackThis log and post it; it may reveal a start-up process involved. Grab that info at my alternate www.BlueCollarPC.Org site here:
Submit HiJackThis Logs (Information)
http://www.bluecollarpc.org/_mgxroot/page_10736.html
 
I am webmaster of both www.BlueCollarPC.Net and www.BlueCollarPC.Org
 
You can email me here: bluecollarpc at yahoo.com (my Yahoo ID).
You'll find my groups/lists linked at my sites. Hope this may help; this is the strangest occurrence in the security world I have seen since year 2001 on my first PC. Very strange, and it has some dark possibilities of greater attacks, obviously. Let's hope the whole heads-up gets the security software industry's help and removal signatures, even a new category, “Clipboard Hijacker”, if it comes to that. What a first… What next? Yuck!
 
gerald philly pa usa
(Administrators may contact my registration private address for sure)
 
If anyone comes up with anything they can paste as the actual installation, do indeed submit that to CounterSpy, Webroot Spy Sweeper, Trend Micro and others. As well, submit it to this product site, which has the largest definitions database, probably in the world, at over 1 million definitions currently (industry leader Webroot is above 300,000 by comparison)…. SCAN WITH THIS (most aggressive roto-rooter!):
 
a-squared trojan remover (Free Working Version for life and Proactive Premium Version)
http://www.emsisoft.com/en/software/free/
a-squared (a-squared) is a complementary product to antivirus software and desktop firewalls on MS Windows computers. Antivirus software specializes in detecting classic viruses. Many available products have weaknesses in detecting other malicious software (Malware) like Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap that malware writers exploit. Automatic updates: In a-squared Free the updater must be run manually. The auto-update feature of a-squared Personal checks hourly for new available updates and installs them automatically. a-squared Free is freeware! You can download and use it completely for free.
 
….. If indeed it is detected by the free Microsoft Malicious Software Removal Tool, delivered monthly through normal Windows Updates on ‘Patch Tuesday’ (second Tuesday of each month), surely the removal definitions will be added to Windows Defender (antispyware) or OneCare as well, and should be worth the scan….
 
Microsoft AntiSpyware is now Windows Defender
[working-freeware from Microsoft]
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it’s detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.
 
gerald philly pa usa
_________________
Webmaster www.BlueCollarPC.Net
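Here is an added PowerShell example (mine, not from the forum thread or MSDN) that puts the MSDN pieces above together: it calls GetClipboardOwner and GetWindowThreadProcessId to name the process owning the clipboard, then polls GetClipboardSequenceNumber to report who rewrites the clipboard and with what. Get-Clipboard needs Windows PowerShell 5 or later; the function names are this example's own.

```powershell
# Added example (not from the original forum post): identify the process that owns the
# clipboard and watch for it being rewritten. Needs Windows PowerShell 5+ for Get-Clipboard.

Add-Type -Namespace Win32 -Name Clip -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetClipboardOwner();
[DllImport("user32.dll")] public static extern uint GetClipboardSequenceNumber();
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

function Get-ClipboardOwnerProcess {
    # The owner is the window that last called EmptyClipboard (the MSDN text quoted above).
    $hwnd = [Win32.Clip]::GetClipboardOwner()
    if ($hwnd -eq [IntPtr]::Zero) { return $null }   # no owner, or the owning window has closed

    $ownerPid = [uint32]0
    [void][Win32.Clip]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '(exited)' }
    $path = if ($proc) { $proc.Path } else { $null }

    [pscustomobject]@{
        Hwnd = '0x{0:X}' -f $hwnd.ToInt64()
        Pid  = $ownerPid
        Name = $name
        Path = $path
    }
}

function Watch-Clipboard {
    param([int]$Seconds = 60)
    # GetClipboardSequenceNumber goes up on every change, so poll it and report the
    # owner each time it moves. A hijacker shows up as the same process writing the
    # same URL or text over and over, each time you copy something.
    $last = [Win32.Clip]::GetClipboardSequenceNumber()
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 250
        $seq = [Win32.Clip]::GetClipboardSequenceNumber()
        if ($seq -eq $last) { continue }
        $last = $seq

        $owner = Get-ClipboardOwnerProcess
        $text  = (Get-Clipboard -Format Text -ErrorAction SilentlyContinue) -join ' '
        $preview = if ($text) { $text.Substring(0, [Math]::Min(60, $text.Length)) } else { '(non-text data)' }
        '{0:HH:mm:ss} seq={1} owner={2} pid={3} path={4} text="{5}"' -f (Get-Date), $seq, $owner.Name, $owner.Pid, $owner.Path, $preview
    }
}

Get-ClipboardOwnerProcess
Watch-Clipboard -Seconds 60
```

Caveat: the owner is the window that called EmptyClipboard. In the attack The Register article describes, the writing was reported to be done by a Flash-based ad inside the browser, so the owner will be the browser (or its plug-in container process), not a separate malware executable; that tells you which browser window or ad to close and which add-on to suspect, and a HijackThis log is still the place to look for anything that auto-starts.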

 

Alerts: Do Not Use Trusted Sites Settings (casually, otherwise)

August 17, 2008 by bluecollarpc
Alerts: Do Not Use Trusted Sites Settings (casually, otherwise) …..
 
This is done at …. Open the browser (Internet Explorer) …
Tools > Internet Options > Security > Trusted Sites
 
Below is the typical settings “advice” you see at many “security guru” sites…..
Thwart the Three Biggest Internet Threats of 2007
Protect yourself against the three gravest Web dangers: IE, phishing
attacks, and malware.
Scott Spanbauer
Wednesday, January 24, 2007 01:00 PM PST
http://www.pcworld.com/article/id,128538/article.html?tk=nl_spxhow
 
“”QUOTE”"
To disable ActiveX in IE 6 and 7, choose Tools, Internet Options,
Security, Custom Level, scroll to ‘Run ActiveX controls and plug-
ins’, and select Disable (see Figure 1). Click OK, Yes, and OK to
close the dialog boxes. To enable ActiveX on a known and trusted
site, click Tools, Internet Options, Security, choose Trusted Sites,
click Sites, enter the site address in the text box, and click Add.
Uncheck Require server verification (https:) for all sites in this
zone, and click Close and OK.
“”UNQUOTE”"
Let's take a closer look at these security suggestions:
“”…enable ActiveX on a known and trusted site… click… Trusted
Sites.. click Add… Uncheck Require server verification…”"
 
Teaching security “hack” classes now (Uncheck Require server verification)? Isn't that special. This is definitely NOT RECOMMENDED: adding any websites to “Trusted Sites” – don't do it. Why? …..
When you add a website to your Trusted Sites, number one, the zone is meant only for secure sites (https, the little padlock icon), and the checkbox the article tells you to clear is the very one that enforces that. The rest of the design dates from the days when the zone was for a company intranet. That could be enough in itself to call the persons across the web recommending this complete fools giving injurious guidelines to the public, but let's read on.
 
Again, when you add any website to your Trusted Sites list it places it in that zone, Trusted Sites. When you go to the website now, Internet Explorer runs everything it serves at that zone's lower security level: ActiveX controls and plug-ins, scripting, file downloads and the other actions the Internet zone blocks or prompts for go through without a prompt, and the site's cookies and scripts are handled as if they came from a program you chose to install. Your firewall, antivirus and antispyware are not told any of this happened and do not tighten up to compensate; whatever the page runs through that wider opening has to be caught afterwards, if it is caught at all. ….. Granted, the guy did say “if you trust the site and if it is ‘known’ ” … right?
Case in point, easily: everyone has just heard about the Miami website being hacked at the Super Bowl. It was stealing passwords and personal information (and installing spyware?) on visitors' computers….. Still want to click OK for the ActiveX and add it to your “Trusted Sites”?!? Be an idiot then, “gameboy”, and listen to this advice because it's from a “professional” “in the field”.
The sad truth is that the internet has become a cyber ghetto of thugs, and aside from that, commercial websites are being hacked, broken into and seeded with malware, anyone's, including bill-pay or card-pay websites that are secure websites. Just pick up the news right here at our groups/lists at www.BlueCollarPC.Net. It is shocking and alarming and very, very dangerous. The last thing you want to do is give any “elevated” security clearance or permission to ANY site on the world wide web. The last thing you want to do is listen to idiots like this preaching “game boy in the dark areas of the internet” ease-of-navigation solutions, even if you are one.
 
MICROSOFT…
“”QUOTE”"
Trusted Sites Zone
This zone contains Web sites that you trust as safe (such as Web
sites that are on your organization’s intranet or that come from
established companies in whom you have confidence). When you add a
Web site to the Trusted Sites zone, you believe that files you
download or that you run from the Web site will not damage your
computer or data. By default, there are no Web sites that are
assigned to the Trusted Sites zone, and the security level is set to
Low. “”UNQUOTE”"
 
Windows Updates Trusted Sites:
Add Windows Updates to “Trusted Sites”…
Open Internet Explorer…
Click > Tools (top) > Internet Options (drop down menu)
> Security (tab up top) > click once Trusted Sites > Sites (click sites box) > ….
…..type in the following sites one at a time and click “Add” with each one…
EXACTLY:
Type “http://” in front of these and Add
*.update.microsoft.com
download.windowsupdate.com
update.microsoft.com
Type “https://” in front of these:
*.update.microsoft.com
windowsupdate.microsoft.com
READ THIS, IDIOT –> QUOTE: “”TRUSTED SITES …. AND THE SECURITY LEVEL IS SET TO LOW“” !!!!!
Unbelievably, Microsoft themselves have required that the Windows Update websites be placed in Trusted Sites to even access them anymore. This was about 18 months ago, and sure enough, about two years ago the Microsoft Windows Update site itself was hacked, blocking patches, to stop the a–holes hacking it. Yes – EVEN MICROSOFT WEBSITES HAVE BEEN HACKED WITH MALICIOUS ADD-ONS !!!
Still feel safe adding any websites to Trusted Sites ???
You keep all bill-pay and card-pay websites, and any and all websites, where they belong, normally, in the Internet zone, where all your security software (firewall, antivirus, antispyware) is working at peak security levels. The entire Internet is to be treated with “extreme prejudice”; that is the attitude to have with anything and everything to do with it. Because of that, having that proper attitude, I am able to write this about such a reckless abandonment of safety to machine and person that was advised here as “Safe Settings” prescribed by these persons.
Ironically, the “ease of navigation” hack prescribed here is generally associated with the “Game Boy” stereotype hanging out in the dark areas of the internet, and that is exactly the area that was hacked for ID theft at the Miami website at the Super Bowl, when they entered the game area.
Trusted Sites is an archaic holdover in Windows and Internet Explorer from the Windows 95 days, before virtually all malware even existed, save viruses. Wake up – what rock did you just crawl out from under? Really!
So the whole point is that there are NO SAFE AND TRUSTED WEBSITES LEFT…. You read about American businesses suffering break-ins all the time these past two years. What websites are safe anymore? Why add any to “Trusted Sites”? Grow up and get a life… no, I mean don't get a life.
Perhaps this will cost them their jobs, as it should, for teaching hacks that circumvent personal security. It is assumed IT Security would definitely be fired over these recommendations as well. Note, I would have posted this at their web page, but the registration to do so required all personal information, including name and address and so on, which is absurd for a simple message board reply, so I didn't bother and never would. Why is that required to post? None of your or my business.
SEE:
How to use security zones in Internet Explorer
http://support.microsoft.com/kb/174360
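The procedure above adds sites to the Trusted Sites zone by hand; what most people never do is look at what has accumulated there. The following PowerShell is an added example (not from the original post or the PC World article) that lists every Trusted Sites entry, from the per-user and per-machine ZoneMap keys as well as from Group Policy's Site to Zone Assignment List, and reads the zone's current level, its “Require server verification” flag and its ActiveX setting straight from the registry. The function names and table layout are this example's own; the registry locations and value meanings are Microsoft's documented security-zone entries.

```powershell
# Added example (not from the original post): list every site assigned to the Trusted
# Sites zone, including entries pushed by Group Policy, and show the zone's current level.

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-High'; 0x12000 = 'High' }

function Get-ZoneAssignments {
    param([int]$Zone = 2)
    $results = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

        # Sites added through Internet Options > Security > Sites. The key path below
        # \Domains\ is the host name written back to front (microsoft.com\update), and
        # each value is named for a scheme (http, https, *) with the zone number as data.
        if (Test-Path "$base\Domains") {
            foreach ($key in Get-ChildItem -Path "$base\Domains" -Recurse) {
                $labels = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
                [array]::Reverse($labels)
                $site = $labels -join '.'
                foreach ($scheme in $key.Property) {
                    if ($key.GetValue($scheme) -eq $Zone) {
                        $results += [pscustomobject]@{ Source = "$hive ZoneMap"; Site = "${scheme}://$site" }
                    }
                }
            }
        }

        # IP address ranges live under \Ranges\RangeN with the range itself in the ":Range" value.
        if (Test-Path "$base\Ranges") {
            foreach ($key in Get-ChildItem -Path "$base\Ranges") {
                $range = $key.GetValue(':Range')
                foreach ($scheme in ($key.Property | Where-Object { $_ -ne ':Range' })) {
                    if ($key.GetValue($scheme) -eq $Zone) {
                        $results += [pscustomobject]@{ Source = "$hive ZoneMap"; Site = "${scheme}://$range" }
                    }
                }
            }
        }

        # Group Policy "Site to Zone Assignment List": value name = URL, data = zone number as text.
        $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path $policy) {
            $item = Get-Item -Path $policy
            foreach ($url in $item.Property) {
                if ([int]$item.GetValue($url) -eq $Zone) {
                    $results += [pscustomobject]@{ Source = "$hive Policy"; Site = $url }
                }
            }
        }
    }
    $results
}

function Get-ZoneLevel {
    param([int]$Zone = 2)
    # Zones\<n>\CurrentLevel is the slider position; Flags bit 0x4 is the
    # "Require server verification (https:) for all sites in this zone" checkbox;
    # value "1200" is the "Run ActiveX controls and plug-ins" action (0 enable, 1 prompt, 3 disable).
    $p = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $level = $LevelNames[[int]$p.CurrentLevel]
    if (-not $level) { $level = 'Custom (0x{0:X})' -f $p.CurrentLevel }
    $activeX = switch ([int]$p.'1200') { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "value $_" } }
    [pscustomobject]@{
        Zone         = $ZoneNames[$Zone]
        Level        = $level
        RequireHttps = [bool]($p.Flags -band 0x4)
        RunActiveX   = $activeX
    }
}

Get-ZoneLevel
Get-ZoneAssignments | Format-Table -AutoSize
```

Check the reported level rather than assuming the “Low” in the Microsoft quote above: Internet Explorer 7 and later ship Trusted Sites at Medium by default, and RequireHttps tells you whether someone followed the PC World advice to clear that checkbox. If the “Security Zones: Use only machine settings” policy is in force, the HKLM Zones key, not HKCU, is the one that applies.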
 
LET’S LOOK AT THE BAD NEWS THIS FOOLISHNESS IS SETTING YOU UP FOR…
 
SEE ANYTHING BELOW YOU WANT TO ADD TO “TRUSTED SITES” ? ….
 
Facebook
Anti-Virus Companies Investigating Facebook “Court Jester” Virus
CTV.ca – Canada
Computers that were successfully infected by the first virus were turned into “zombie” computers that automatically logged onto a botnet and in turn began …
http://krisabel.ctv.ca/blog/_archives/2008/8/7/3828849.html
 
Security shocker: 75% of US Bank websites have flaws Insecure by design
The vast majority of US bank websites jeopardize the security of their online customers by including design flaws that expose passwords and are susceptible to tampering by attackers, researchers say..
 7/25/2008 7:13 PM
http://www.theregister.co.uk/2008/07/25/bank_sites_insecure/
 
DoJ: Credit card thefts helped by ‘well designed’ software 
The intruders whom the U.S. Department of Justice alleges stole tens of
millions of credit and debit card numbers were bold, global, skilled and
making millions of dollars, according to details in charging documents.
….MORE
http://www.networkworld.com/news/2008/080608-doj-credit-card-thefts-helped.html?nlhtsec=rn_080708

Online social networking sites are hacker playgrounds (AFP)
AFP – Computer security researchers on Thursday warned that online social networking websites are playgrounds for hackers who can easily take advantage of people’s trust. …. 8/7/2008 10:37 PM
http://news.yahoo.com/s/afp/20080808/tc_afp/usitinternetcrimesocial 

HEY HERE’S A KILLER (below) …. Still listening to Idiots ?

Most “Legit Sites” Host Malware (Web Host Industry Review)
July 31, 2008 — A new study shows that 15 percent of malware is from legitimate sources with “Good” reputations, and 60 percent of the 100 most popular websites have either hosted or been involved in malicious activity in the first six months of 2008. 7/31/2008 10:42 AM
http://www.thewhir.com/marketwatch/073108_Most_Legit_Sites_Host_Malware.cfm

MORE….

TrafficLoader.com to Infect BitTorrent Users with Malware
TorrentFreak – USA
A new BitTorrent site has appeared which will allow scammers and spammers to infect its users with spyware, malware and viruses. …
http://torrentfreak.com/trafficloadercom-to-infect-bittorrent-users-with-malware-080809/
 
 Botnet Worm Spreading Through Social Networks
Overclockers Club Wed, 06 Aug 2008 1:11 PM PDT
Adobe, the makers of Flash and security firm Kaspersky have warned of worms, named Koobface.a and Koobface.b that are
spreading using social network sites Myspace and Facebook . The worms spread by sending messages to friends of an already
infected user, encouraging them to click links. If the links are followed they direct a user to a site that includes a video clip, which cannot be viewed …
http://www.overclockersclub.com/news/22872/
Security Alert: CNET Networks site compromise
http://securitylabs.websense.com/content/Alerts/3151.aspx
Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered that a CNET Networks site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host. 
 
SEE ANYTHING YOU WANTED TO ADD TO “TRUSTED SITES” YET ? ME NEITHER….
Americans feel safe online, says poll (StopBadwareOrg)….
SC Magazine US – USA
Despite phishing schemes, spyware, and other internet security threats, an
overwhelming majority of Americans claim to feel safe online, according to a …
FULL
http://www.scmagazineus.com/Americans-feel-safe-online-says-poll/article/108583/
(comment: — OUCH !!!! )
Web browsers face crisis of security confidence
Good enough for Donald Rumsfeld. But not for you
User beware. Today’s web browsers offer more security protections than ever, but according to security experts, they do little to protect people surfing the net from some the web’s oldest and most crippling threats.…
 6/23/2008 5:56 PM
http://www.theregister.co.uk/2008/06/23/marginal_browser_security_protections/
 
BCPCGroup ~ The BlueCollarPC.Net Website Security Group
——————————————————————————————
MEMBERS AREA:
http://www.bluecollarpc.net/joingroup.html
Mail domain bluecollarpc.net
Live List Owner: bcpcgroup-listowners@bluecollarpc.net
Service List Owner: bcpcgroup-owner@bluecollarpc.net
Post to Group (Members Only): bcpcgroup@bluecollarpc.net
Help address bcpcgroup-help@bluecollarpc.net
Subscription address: bcpcgroup-subscribe@bluecollarpc.net
Unsubscription address: bcpcgroup-unsubscribe@bluecollarpc.net
#Sender Policy Framework (SPF, http://spf.pobox.com) Protected
#ALL Posts Moderated and List Protected with Antivirus Service.
Some List Features enabled:
*Guard archive (message digests). Archive access requests from unrecognized SENDERs will be rejected.
*Subscription requires confirmation by reply to a message sent to the subscription address.
*Unsubscribe requires confirmation by a reply to a message sent to the subscription

August 2008 Vista Security Hack – Now Useless ? (ASLR and DEP technologies)

August 12, 2008 by bluecollarpc

August 2008 Vista Security Hack – Now Useless ? (ASLR and DEP technologies)

« on: Today at 09:45:13 PM »
http://bluecollarpc.net/smf/index.php/topic,716.0.html
——————————————————————————–
There has been a major problem found, raising the alarm of a “zero day” hole in Vista, apparently. It will be covered and discussed here. This may lead to up to 50 percent of Vista users' computers becoming infected, depending on whether they use security products (firewall, antivirus, antispyware) and Windows Updates. Unpatched and unprotected computers, here Vista, have NO chance in the cyber-crime environment the Internet is in today. If you are not running paid-subscription security products your computer is wide open to attack and takeover to be used in criminal ways – SEE malware botnets, commonly called “zombie networks”.

Unfortunately, ALL polls show up to 50 percent of Users are just not on the ball at all.

————————-MORE….

As much as I, as webmaster of www.BlueCollarPC.Net and owner of our several Groups/Lists, have been on the bandwagon to completely ban all negative publicity from a rogue environment of insincerity and cyber criminals et al., I think the other shoe has hit the floor with Vista. Uh-oh, looks like….

One was here:
http://bluecollarpc.wordpress.com/2008/06/11/vista-bashing-read-this-now/

And our two Vista Groups:
http://groups.google.com/group/Vista-PC-Group
http://tech.groups.yahoo.com/group/Vista-Group/

In all honesty, the only two things I found “wrong” with Vista were the Vista Windows Media Player, apparently a work in progress, unfinished but “going commercial”, and, the worst, the Windows Mail client (formerly Outlook Express), which was completely unattended and riddled with corruption of email so that it could not even be deleted from the client. On the phone with MSN.com when I got my new Vista PC in Fall 2007, they explained, to my shock, that Windows Mail was not being supported, and advised me to install their featured new client, Windows Live Mail, instead. I was thinking, you are kidding, right? Vista is not going to have the Vista version of Outlook Express (Windows Mail)? Ouch!

But in the last 2 months or more this has all been rectified, and Windows Mail (Outlook Express and Windows Mail are POP mail clients and part of the Windows operating system) is working great, as expected, and the corrupted blank-background emails were FINALLY able to be deleted. It seemed Windows Mail was a work in progress as well, on a Windows OS that had been released for over a year at the time!

All in all, Vista is still a big “Wow” compared with Windows XP, which was also that great big “Wow” compared to the Windows 98 OS (operating system).

These reports are dealing with the whole debacle on the software side, with private industry, and not Microsoft Windows Vista itself, actually and apparently. So here again the negative publicity is going to take this to the bank for all it is worth, and we wonder why? Java is the culprit in one instance. Other software is the culprit in the others. AGAIN… they all slam Vista, and why? Why are they not slamming private industry and Sun Java? ….. So one-sided in opinion, and from many “respected sources”, as you can see.

Through the remainder of this week and month let's see if we can pull this apart for the average consumer and even attempt a few stop-gap measures if necessary, like the “ultimate paranoid settings” of even disabling Java, which will not permit many websites to be viewed across the web, or most, actually. It sounds like a giant “zero day” hole not being worded as such. Dangers? Sure sounds like it; stay tuned….

Most in danger? Unpatched and unprotected computers running Vista without security shareware as minimum protection – your ONLY protection, again (personal firewall, antispyware and antivirus software).

gerald philly pa usa
Webmaster http://www.BlueCollarPC.Net

Good, bad, and ugly….

Vista Blown Open By Unstoppable Hack
TrustedReviews – Bracknell,England,UK
This code attacks Vista’s Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) technologies and allows the hackers to load any …
FULL<http://www.trustedreviews.com/software/news/2008/08/11/Vista-Blown-Open-By-Unstoppable-Hack/p1>
Vista’s Security Rendered Completely Useless
Slashdot – USA
I doubt that sentence was really intended to say that, though. it probably means specifically the ones new to Vista over XP that were listed. by …
FULL<http://it.slashdot.org/article.pl?sid=08/08/08/1155208>
Security pros completely bypass Vista’s now “useless” security
Yahoo! Tech – Sunnyvale,CA,USA
About all those fancy security measures Microsoft put into Windows Vista… well, they’re now pretty much useless, according to security experts from IBM …
FULL<http://tech.yahoo.com/blogs/null/101568>
Vista security discovered to be even more useless
Inquirer – Harrow,England,UK
The methods employed have enabled the researchers to bypass Vista’s Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other …
FULL<http://www.theinquirer.net/gb/inquirer/news/2008/08/08/vista-security-rendered-usless>
Alarmed about Vista security? Black Hat researcher Alexander …
ZDNet – USA
In fact, they put us in touch with the people who designed the [memory protection] defenses [in Windows Vista] and sent us a few minor corrections. …
FULL<http://blogs.zdnet.com/Bott/?p=513>

—–AND MORE:

A mature conclusion about this latest “Vista bashing” (DEP and ASLR technologies hacked? Vista worthless?) …..
 
 
A mature article that calms things bringing the situation into focus can be found here:
 
The sky isn’t falling: a look at a new Vista security bypass
By Peter Bright | Published: August 11, 2008 – 07:30AM CT
http://arstechnica.com/newsars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html
 
Some points to understand this all: (Quoted from the article) ….
*Buffer overflows are a particular kind of programming error that occur when a program attempts to store too much data in the buffer allocated for the data. This causes anything following the buffer to be overwritten.
*Buffer overflows are exploitable when it’s possible to insert arbitrary executable code into a process and then make that code run. If an attacker can do this then the attacker has gained the ability to do whatever he likes to the victim’s computer.
*Although there are languages that make such flaws impossible (Java and .NET are both immune to such flaws), the unfortunate reality is that a large proportion of the software that we run (including our operating systems, web browsers, and browser plugins) don’t use these safe languages, and so are susceptible to this ancient problem.
*This is why Microsoft included a number of protection schemes in Vista to try to reduce the exploitability of buffer overflows.
*One of these protections was introduced in Windows XP Service Pack 2; Microsoft calls it Data Execution Protection, DEP.
*They discovered ways by which DEP could be defeated, for example by passing control not to their own executable code, but instead to one of the system DLLs loaded into the process and getting that to do their dirty work.
*Vista therefore introduced several mechanisms to try to reduce the impact of these DEP bypasses. One of these is Address Space Layout Randomization, which randomly organizes the location of the system DLLs so that an attacker no longer knows where they are.
*Vista also inserts extra checks into the operating system code to detect that certain kinds of overflow have occurred and crash the program (although crashing might seem a bad thing to do, it’s safer than continuing to run after a buffer overflow).
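The overflow and the guard-value check the quoted points describe, as an added C example that is not from the Ars Technica article or this post: an unchecked copy beside its bounded fix, followed by the kind of cookie check that MSVC’s /GS emits before a function returns. The frame layout, cookie constant and sample inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed buffer, then a guard value
 * (the stack cookie MSVC's /GS inserts), then a stand-in for the saved
 * return address that an overflow of buf would reach next. */
typedef struct {
    char buf[16];
    uint32_t cookie;
    uint32_t saved_ret;
} frame_t;

#define COOKIE 0xA5C3F00Du  /* a real cookie is random per process */
/* Constructed inputs: 8 bytes that fit in buf, 24 bytes that do not. */
const char SAMPLE_OK[8] = "hello";
const char SAMPLE_OVERLONG[24] = "AAAAAAAAAAAAAAAAAAAAAAA";

/* The programming error: copies len bytes with no length test. The write
 * is clamped to the frame object so the demo stays defined behaviour, but
 * every byte past buf[15] lands on the cookie and then saved_ret. */
static void copy_unchecked(frame_t *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The fix the article asks for: bound the copy and refuse oversized input. */
static void copy_bounded(frame_t *f, const char *src, size_t len) {
    if (len > sizeof f->buf) return;
    memcpy(f->buf, src, len);
}

/* Runs one copy routine, then the cookie check the compiler emits before
 * the function returns: 1 if the cookie is intact, 0 if the overflow reached
 * it (a real program aborts here instead of returning through corrupt data). */
static int run(void (*copy)(frame_t *, const char *, size_t),
               const char *src, size_t len) {
    frame_t f = { {0}, COOKIE, 0x1000 };
    copy(&f, src, len);
    return f.cookie == COOKIE;
}

int unchecked_survives(const char *s, size_t n) { return run(copy_unchecked, s, n); }
int bounded_survives(const char *s, size_t n) { return run(copy_bounded, s, n); }

int main(void) {
    printf("unchecked copy of 24 bytes: cookie intact = %d\n", unchecked_survives(SAMPLE_OVERLONG, 24));
    printf("bounded copy of 24 bytes:   cookie intact = %d\n", bounded_survives(SAMPLE_OVERLONG, 24));
    return 0;
}
```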
 
 
Uh-oh….
*Internet Explorer 7 and Firefox 2 both opt out of DEP, and many third-party libraries such as the Flash plugin opt out of ASLR (and other protection mechanisms).
*Plugins can also do things that can deliberately defeat the OS’s countermeasures; Java, for example, marks all of its memory as executable, meaning that a Java applet can place into memory executable code that’s immune to DEP protection.
*The final trick is to use scripting or plugins to fill large amounts of memory with the malicious executable code, so that even when ASLR is in effect, an attacker can still be sure that the malicious code is where he needs it to be.
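One way a defender can check whether a Windows executable or plugin DLL opts in to ASLR and DEP, the point the quoted lines make about IE7, Firefox 2 and Flash: an added C example, not from the article or this post, that reads the DllCharacteristics flags out of a PE header. The 160-byte image it parses is constructed to exercise the parser and is not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DllCharacteristics bits of the PE optional header (winnt.h names). */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* ASLR opt-in */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100  /* DEP opt-in */

/* Returns the 16-bit DllCharacteristics field of an in-memory PE image, or
 * -1 if the bytes are not a well-formed PE header. The field sits at offset
 * 0x46 of the optional header for both PE32 (0x10B) and PE32+ (0x20B). */
int pe_dll_characteristics(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = (uint32_t)img[0x3C] | (uint32_t)img[0x3D] << 8 |
                        (uint32_t)img[0x3E] << 16 | (uint32_t)img[0x3F] << 24;
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 0x48) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    size_t opt = e_lfanew + 4 + 20;          /* past signature and COFF header */
    unsigned magic = img[opt] | (unsigned)img[opt + 1] << 8;
    if (magic != 0x10B && magic != 0x20B) return -1;
    return img[opt + 0x46] | (int)img[opt + 0x47] << 8;
}

/* 1 if the image opts in to both ASLR and DEP, 0 if it opts out of either
 * (as the article says Flash does for ASLR), -1 on a malformed header. */
int pe_has_aslr_and_dep(const uint8_t *img, size_t len) {
    int want = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
    int dc = pe_dll_characteristics(img, len);
    return dc < 0 ? -1 : (dc & want) == want;
}

/* Constructed 160-byte skeleton, not a real binary: MZ stub with e_lfanew =
 * 0x40, PE signature, zeroed COFF header, PE32 optional header with the flags. */
#define SAMPLE_PE_LEN 160
void build_sample_pe(uint8_t *out, uint16_t dll_characteristics) {
    memset(out, 0, SAMPLE_PE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                          /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    size_t opt = 0x40 + 4 + 20;
    out[opt] = 0x0B; out[opt + 1] = 0x01;      /* magic 0x10B: PE32 */
    out[opt + 0x46] = dll_characteristics & 0xFF;
    out[opt + 0x47] = dll_characteristics >> 8;
}

/* Builds a sample image with the given flags and classifies it. */
int sample_opts_in(uint16_t dll_characteristics) {
    uint8_t img[SAMPLE_PE_LEN];
    build_sample_pe(img, dll_characteristics);
    return pe_has_aslr_and_dep(img, SAMPLE_PE_LEN);
}
```

On a real system the same parser can be pointed at the bytes of any loaded module; a module that reports neither bit is exactly the opted-out case the article warns about.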
 
THE OTHER SHOE HITS THE GROUND? …..
*Together, these techniques allow all of the protections found in Vista to be defeated.
*This is certainly unfortunate. The great thing about these protection mechanisms is that they provided a degree of safety even when applications contained bugs.
*That will no longer be the case, at least for web browsers (programs that do not support third-party plugins (or apply more stringent checks to those plugins) might continue to benefit from the protections).
 
Good News?
*Unfortunate, yes, but not (as was reported in the immediate aftermath of the presentation) evidence that Vista’s security is useless; nor does this work constitute a major security issue.
*And it’s not game over, either.
*Sensationalism sells, and there’s no news like bad news, but sometimes (particularly when covering security issues) it would be nice to see accuracy and level-headedness instead.
*Alarmism helps no one.
*Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista’s (in)famous UAC restrictions.
*DEP, ASLR, and the other mitigation features in Vista are unlikely to ever be unbreakable, especially in an application like a web browser that can run both scripts and plugins of an attacker’s choosing. Rather, their purpose is to make exploitation more difficult.
*Microsoft has a solution for those wanting to make it impossible: use .NET.
[NOTE: The .NET Framework comes pre-installed as version 3.0 in Vista; it is also available for XP, which got up to version 2 through Windows Updates or from Microsoft.com. An example of software that runs on it, and gains a lot from it, is the genuine freeware www.RSSReader.com independent browser RSS reader, a superbly featured RSS reader and not a browser plug-in. I have been using it since version 1.1 of the .NET Framework, which is also available (and often necessary) on Windows Mobile PCs as the Compact .NET Framework, on mobile PC or Microsoft PocketPC.]
*These protections are there for when that’s not an option, to reduce (but not eliminate) the vulnerability caused by such programming errors.
 
Bottom Line…
*Even with DEP and ASLR, the coding errors that result in buffer overflows still ought to be fixed; it is only through fixing the errors that the flaws can truly be eliminated.
*Vista has many worthwhile security improvements compared to XP. Internet Explorer on Vista runs in a highly restricted environment, so that even when it is running malicious code it cannot harm the system. Stories suggesting that Vista’s security is now irredeemably broken are far off the mark; the truth is merely that some of its automatic security protection is less effective than it was before.
*What Microsoft will do in response remains to be seen.
*Some of the specific features of the attacks can be resolved by Microsoft itself (preventing IE plugins from opting out of the protection schemes, improving the way that .NET interacts with the protection, and making Windows default to enabling all the protection schemes), and others can be minimized by third parties (by writing plugins that work with all the security mechanisms, by being more careful with executable memory, and so on).
*Longer term, a switch to 64-bit programs might allow considerably more randomization to be applied; while making large allocations is enough to fill up a 32-bit program’s memory (which allows attackers to defeat randomization), the same is not true of 64-bit processes: they’re simply too big.
 
SO LET’S RECAP….
The alarming “lit up like a Christmas Tree” news articles are just that: overblown negative publicity hounds AGAIN!!! How true? ….. Let’s review.
They say Vista is a bomb, it’s dead, it’s the worst insecurity sieve of operating systems, Micro$oft has done it again, we told you so, yep, Vista IS A White Elephant, let’s re-petition Microsoft to get back XP, …. and on and on; those are the flavors of the headlines out here. The worst comments are that Vista is “useless” and “dead”. Why is this negative publicity? Read…..
 
))) Number one, they blame Windows, which as shown above clearly instituted free DEP technology for all users of XP in the Service Pack 2 release. Is the buffer overflow Microsoft’s fault? Hell no, it is the software’s. You’ll remember in the article item here:
“Buffer overflows are a particular kind of programming error that occur when a program attempts to store too much data in the buffer allocated for the data. This causes anything following the buffer to be overwritten.” ….it says the “program” and “programming error”, and that is independent software, not Windows. Where are all the programming errors of Windows causing this? Yeah, a few through all the years, but all the other “bug reports” concerning this are virtually ALWAYS independent software and certainly not Windows, much less Vista itself. Check any publication; they are posted at our lists/groups. It is a blue moon when it is the Windows OS listed there for this, practically speaking, in comparison.
 
))) Number two, again read: “Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista’s (in)famous UAC restrictions”….. see it? It is NOT Vista at all with anything “broken” and so on. Criminal hacker engineering will NOT circumvent Vista, because of Vista Internet Explorer (Protected Mode) and Vista User Account Control (UAC); you know, that “annoying thang” bad and uninformed people keep telling you to turn off, and software writers have even created utilities to do so because you don’t know how to access “Users” in Start > Control Panel yet as a new Vista user? Right! They probably tell you antivirus is “snake oil” too, right? Hmmm… (another story). You might be getting “socially engineered”, bubba!
 
))) Again, it is independent software and NOT Vista that is everything the negative publicity says Vista is, obviously; read again….. “Although there are languages that make such flaws impossible (Java and .NET are both immune to such flaws), the unfortunate reality is that a large proportion of the software that we run (including our operating systems [outdated 95, 98, ME, XP SP1 and so on], web browsers, and browser plugins) don’t use these safe languages, and so are susceptible to this ancient problem.” And then more… “Plugins can also do things that can deliberately defeat the OS’s countermeasures.” And also Java: “Java, for example, marks all of its memory as executable, meaning that a Java applet can place into memory executable code that’s immune to DEP protection.” …. Did you read it? Above it says Vista is protected anyway because of UAC and Protected Mode [Vista Internet Explorer 7], and here it says it is not Windows but “a large proportion of the software” and “plugins” that are the problem, NOT Vista as the articles roar.
 
))) CONCLUSION….
If we trust the author at arstechnica.com, then once again this is ALL unfounded negative publicity slamming Vista unrighteously, and they should be held for libel in a court of law by Microsoft, period. The one footnote to that is that it is almost possible to do the malware attack, and most likely through Flash formats, which have been the next greatest web presentation since perhaps HTML graphics and are not that old really. Remember it was said…. “….many third-party libraries [software applications] such as the Flash plugin opt out of ASLR (and other protection mechanisms)”
 
 
))) SIDEBAR …. current cyber crime activities possible …..
From the article, “…Internet Explorer 7 and Firefox 2 both opt out of DEP..”, and this means XP users (not Vista); read the circle of current events:
 
Article: 600 million idiots endanger their data by using outdated Web browsers
http://techblog.dallasnews.com/archives/2008/07/600-million-idiots-endanger-th.html
 
 
….So the rogue elements will tell everyone who has not upgraded to Internet Explorer 7 (IE7) on their XP PCs that they are smart, because IE7 “opts out” of DEP protection; but those users lose the Microsoft IE7 anti-phishing technologies (and a couple billion dollars, see BBB), and all of a sudden IE6 is being attacked and they are getting nailed…
 
Researchers warn of IE6 zero-day bug
http://www.networkworld.com/nlsecuritynewsal146475
 
 
Hmmmm…. Oh well, I love my Vista !
 
u know who
gerald philly pa usa
www.BlueCollarPC.Net
 
gerald_309 www.icq.com msgr#222611982
Webmaster: www.BlueCollarPC.Net
Groups/Forums Computing Safety, Threats Removal
 