January 02, 2009
MALICIOUS SOFTWARE REMOVAL TOOL
Microsoft's recent announcement that it will distribute free antivirus software was unexpected, but in some ways it's just an expansion of efforts by Microsoft that have been ongoing for years. In 2006 Microsoft began including the "Malicious Software Removal Tool" in the monthly automatic updates for every Windows computer. Every month, your computer is checked for dozens of specific bits of malware and cleaned if necessary. In the last couple of months, Microsoft has targeted the fake security programs that are prevalent now - here's my writeup about one variation that presents realistic, professional-looking warnings of viruses and insistently tries to convince you to surrender a credit card number for $49.95 of useless software.

The removal tool runs automatically and silently. It does not need to be run manually, although it's always possible to visit the Microsoft web site for the tool and download it as part of responding to any possible virus or malware attack. It's not a substitute for an antivirus program - it doesn't run continuously watching for threats and it is not directed at all of the malware out there, just a specific set of programs that represent the worst of the current malicious software.

Anonymous data is sent back to Microsoft so it can track the effectiveness of the tool. In November, the removal tool cleaned bad stuff from almost a million computers in nine days, and in December, it removed the prevalent "Antivirus 2009" malware from 400,000 computers. As always, the bad guys are getting better at imitating legitimate programs. Read carefully, be skeptical, and be careful out there!

Labels: Microsoft, security, software
posted by bruceb at 1/02/2009 12:05:00 AM | permalink 
December 17, 2008
ANOTHER IE PATCH
This morning Microsoft released a patch for Internet Explorer to prevent an exploit that became publicly known in the last couple of days. The fear is that the bad guys will quickly come up with ways to demagnetize your credit cards and kill your pets if you don't install the patch. Your computers will be updated automatically tonight and might restart. The patch has a severity rating of "Critical." You should install the patch.

But the usual articles are appearing about how this demonstrates that Internet Explorer is unsafe and anyone using it deserves scorn or pity, depending on how generous the author is. The bad guys move very quickly and this exploit will presumably start being used more widely, but at the moment its only public appearance has been on a few hundred Taiwanese or Chinese web sites set up to steal online gaming passwords. It's not a good time to visit porn, hacking, cracking, serials and key-gen websites. I dunno, maybe I just know nice people, but I don't know many people who will have a problem with that. If you follow the rules at the bottom of this post, none of these exploits will ever mean much to you!

It's natural to be curious about using another program when there is so much coverage of IE's patches. A lot of people talk about Firefox, which achieved quite a distinction this week when it was named the Most Vulnerable Software Program running on Windows. "In 2008, Mozilla patched 10 vulnerabilities that could be used by remote attackers to execute arbitrary code via buffer overflow, malformed URI links, documents, JavaScript and third party tools." Four of those vulnerabilities have a severity rating of "Critical," three have a rating of "Severe," and three have a rating of "Panic."

Perhaps you'll consider Opera, an open-source browser with a good reputation, which yesterday released an upgrade that fixed seven security problems that "could lead to remote code execution if an Opera user is tricked into surfing to a maliciously rigged Web page." Two of the bugs are rated "Oh My God," three of them are rated "Apocalyptic," and two of them are rated "Purple."

You'll want to look into Apple's Safari browser, whose last patch in November fixed 11 security problems - four were rated "Meltdown," and the rest were rated "Zesty."

A few of you are so tired of constant updates and security problems that you'll buy Macs for yourself this Xmas. This week Apple released Mac OS X 10.5.6, the sixth update since the Mac OS was released just over a year ago. Apple recently urged all Mac users to install antivirus software, but it's not because Macs are insecure! Don't be thinking that! It's because, um, antivirus programs can be used by the kids for fun and interesting science fair experiments. Yeah, that's it.

Wanna be safe? Use Internet Explorer, keep your computer up to date, and follow these rules.

Antivirus software will not always protect you against malware if you click OK at the wrong time!

Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site.

Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.

The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse. Please, be careful out there!

Labels: Apple, IE, Microsoft, security
posted by bruceb at 12/17/2008 11:31:00 AM | permalink 
December 08, 2008
SBS 2008 - ONECARE POSTSCRIPT
One glitch in the SBS 2008 migration nagged at me - it didn't make sense that the computers with the individual version of Windows Live OneCare were not reporting in to the SBS 2008 console, which tracks the security status of all the workstations on the network.

This is a sample of the new console for managing workstations in SBS 2008.

A handful of the computers running OneCare were able to get through and the server reported they were secure. I looked in vain for firewall exceptions for ports or services that were different on those. It took a while to track it down, and in the end it wasn't the firewall after all.

Many things on a Windows Server network are controlled by "group policy," a very extensive set of rules that can be applied from the server to the workstations to control everything from network communications to your browser home page. There are thousands of settings that can be closely controlled with group policy. Windows Server 2008 and SBS 2008 introduced hundreds of new group policy settings, but the workstations do not recognize them until new Group Policy Client Side Extensions are installed (Microsoft KB 943729). The group policy extensions are available through the Windows Update system but apparently are never offered as anything other than an optional update - ignored by OneCare and apparently ignored by WSUS, the system built into SBS 2008 to keep workstations up to date.

Sure enough, most of the computers had never installed the Group Policy Client Side Extensions. When the update was installed, the SBS 2008 console reflected their secure status about an hour later. One more thing for the SBS migration checklist!

Labels: computers, domains, network, OneCare, SBS, security
posted by bruceb at 12/08/2008 12:06:00 AM | permalink 
December 05, 2008
SBS 2008 - MIGRATION GLITCHES
Let me leave a few notes behind about some of the glitches during the migration from SBS 2003 to SBS 2008. I don't have many answers but perhaps it will help someone to know that I'm able to commiserate with them. (Loyal clients - this is not aimed at you and it won't help you get your work done. I'll be back to general interest topics next week!)

As background: I was migrating an SBS 2003 server with a very basic configuration - no ISA, no use of Sharepoint, a single NIC and external firewall, and no particular pre-existing issues.

MIGRATION WIZARD
Microsoft provides a detailed guide to the migration procedure. (Have you noticed that Microsoft's documentation has been getting better and better lately? There's much less ambiguity about what to click next - each step is described in precise and accurate detail.) The guide was great. SBS 2008 begins a migration when a USB stick with an answer file is inserted in the new server before the SBS 2008 installation starts. Several people have reported that the USB stick has to be present when the server is turned on or SBS 2008 is likely to miss it. After installation, the first and most important item in SBS 2008 is the "migration wizard" that leads through all the steps required to be successful. I was about two-thirds of the way through the wizard when I took a break and installed the Server 2008 updates that were waiting. When the server restarted, the migration wizard crashed with a mysterious error that proved impossible to fix. I researched it and got nowhere. I removed a couple of the updates that conceivably might have unsettled something and got nowhere. The wizard never came back to life. Fortunately most of its steps only lead to help files that describe the process for actually accomplishing each task by going into AD or MMC consoles or the like. I think - I think - I was able to finish the migration and cover the remaining steps without the wizard. There is still room for some surprise glitch - I'm going to cross my fingers when I demote the source server.

MAIL MIGRATION
I expected the mailbox migration to be slow but was still surprised. The Exchange 2003 mailbox store was about 25 GB after I pruned and archived as much as I could from the biggest mailboxes. The mailbox move took just about ten hours.

PUBLIC FOLDERS
I had no luck moving the public folders, and didn't really expect to, given the reports I had read. That may have been the result of a pre-existing glitch on the source server - this server, like several other of my SBS 2003 servers, throws up an error message when I try to do anything to the public folders in Exchange Server Manager. I've researched that one, too; I've removed the SSL requirement from EXADMIN in IIS, and a few other things suggested in other places, to no avail. I exported the public folders to a PST and stored them for now, since public folders were not being actively used and may not need to be implemented at all on the new server.

BACKUP
The most mysterious problem involves the backup system. The firm had been using ShadowProtect to back up to a NAS and two rotated external Maxtor hard drives. The backup built into SBS 2008 looks like it will be just fine but it does not directly back up to a NAS. I connected a Maxtor drive, formatted it, and ran the backup wizard. Hmm. Error message at the very end. Since the message says "Cannot configure backup schedule," I started trying every scheduling option - once a day, twice a day - as well as swapping in the other (identical) hard drive, and couldn't get anywhere. I couldn't find anything in the logs at all. I got the flavor that it might be caused by the server disliking the external hard drives. I'd like to talk to the person who thought it would be helpful to write: "If this problem persists, contact the person who provides you with technical support." It made me irritable. ShadowProtect claims that the current version will back up SBS 2008 servers. With any luck I'll be able to install that and never know the answer to this one.

PHONE PASSCODES
This isn't a glitch, just something to warn your users about. By default, Exchange 2007 enforces a new passcode requirement on Windows Mobile phones (and iPhones) syncing with the server. Users are forced to set up a four-digit password that will be tapped in every time the phone is used. I'm sympathetic to all the reasons that this is an important security measure, but I'm also sympathetic to the desire to keep my job and not be fired by the attorneys who began flipping out immediately. It's possible to turn the requirement off in Exchange Management Console / Organization Configuration / Client Access / Windows SBS Mobile Mailbox Policy, which then allows it to be turned off on the phones. The iPhone balked and refuses to relax, even after the policy was changed, which apparently is a known glitch.

SERVER CERTIFICATE
I was determined to allow my users to continue to use the familiar URL for remote access, even though it didn't match the naming scheme preferred by SBS 2008. The email domain is www.bigfirm.com, say, and my users have been reaching RWW at www.bigfirmnet.com for years. I have a GoDaddy SSL certificate for www.bigfirmnet.com and heck, I just like it. Plus I've got migrations coming up where I know it will be difficult to work with the web hosting company to set up a subdomain and MX records for the primary domain name. The Internet address wizard insists on getting the primary address and only allowing RWW to be reached at the same address with a prefix - remote.bigfirm.com or something like it. I had to work around that by lying to the wizard that the primary domain name was bigfirmnet.com, which (in Advanced Settings) would then let www.bigfirmnet.com be the remote access address. When that was in place, then I could set the primary email addresses back to @bigfirm.com in Exchange Manager / Organization / Hub Transport / Email address policies / Windows SBS Email Address Policy.

ONECARE
Windows Live OneCare has been a trusted friend but it does make me a little crazy sometimes. SBS 2008 expects to get feedback from each workstation about its security status and apparently OneCare isn't set up to let that happen. So far I haven't found the firewall port or other hack that will let the workstations report in, so they're all showing in the server console as "unknown." I can't even find a definitive statement that it's possible or impossible with the standalone version of OneCare. I'm not going to install OneCare for Server so I may just not get good feedback in the console until we switch to Trend Micro. I was hoping to procrastinate on that - everyone has been used to OneCare for a long time - but change happens.

DRIVE MAPPING
Drive mapping is supposed to be accomplished in Group Policy now. I was comforted that other people online said they had trouble with it, because I couldn't make a mapped drive appear on a workstation no matter what I did in Group Policy. After a fruitless half hour of researching and trying things, I put the nice simple logon script in the folder and assigned it to everybody. I feel kind of crude, but it works.

SHARED PRINTERS
Another little headache - it was easy to install 64-bit drivers for network printers and share them from the server. At least, it was easy once I stopped clicking on the "Add printer" button and getting an "Access denied" message when it tried to set up a TCP/IP port. Right-click in the Printers folder and click on Run As Administrator / Add printer - ah, that's intuitive! Sheesh. Out at the first workstation, I was reminded forcibly that there were no 32-bit drivers around, so I downloaded the corresponding 32-bit drivers for a few of the printers (a couple of HP Laserjets and a Toshiba copier) and went to add them on the server using Additional Drivers on the Sharing tab. The server thought that was a terrible idea - it never agreed that the 32-bit drivers corresponded with the 64-bit drivers. (I read somewhere that it was a known problem with some HP drivers but I had the same experience with the Toshiba drivers.) So I parked the 32-bit drivers where I could get to them, went back to the workstation, and browsed to the 32-bit drivers when the workstation tried to connect to the shared printer and rejected the 64-bit drivers. Nope! The workstation also didn't agree that it was a match. It was the closest match, trust me - these were the identical 32-bit and 64-bit drivers for the same model running the same PCL level. Fortunately, we already had reason to be running a Windows XP virtual machine on the second server with Hyper-V. I've shared all the printers from there and I bet it's rock solid.

A migration is a complex project! I think it went smoothly. These are the kind of glitches that happen constantly, every day at every level. Some of them will happen to me the next time, others will come up that are brand new. It's the nature of IT today. With luck I'll bring good instincts and a lot of experience and use them both the next time I come to your office!

Labels: computers, domains, mail, Microsoft, mobile, network, OneCare, printers, SBS, security, software
posted by bruceb at 12/05/2008 12:09:00 AM | permalink 
December 03, 2008
SBS 2008 - SSL CERTIFICATES
Let me give you a quick overview of the kind of issue that makes it fun to be a consultant. When you go to a web site where any personal information is going to be exchanged, you're likely to see the web site address change from http:// to https://. The data is encrypted (has a "Secure Sockets Layer" or SSL) and is reasonably well protected against eavesdroppers. You'll see it at banking sites or almost anything involving money or payment, as well as on web sites for access to company networks and other places where data should be confidential. When you go to http://www.wellsfargo.com/, the bank's web server presents its security certificate from a known certificate authority, a big company that has done some checking to ensure that the server actually belongs to the company whose name is on the web site. Your browser examines it and agrees that it looks authentic, then it does some cryptographic things that convince it that the certificate was really issued by the big trusted authority. When it's satisfied, it proceeds automatically to https://www.wellsfargo.com/ and shows you a happy padlock icon in the address bar.
Until recently, SSL certificates were only used by big companies: they were expensive, required annoying paperwork, and the whole process was technically difficult. Small Business Server 2003 wanted remote users to log into its great Remote Web Workplace over a secure SSL connection but couldn't saddle small businesses with the headache of buying expensive certificates, so it used a workaround. By default an SBS 2003 server presents a "self-signed certificate." Essentially the server vouches for itself and tells your browser that it's safe and trustworthy. That sounds a bit flaky but it worked well enough for a long time, until security concerns began to trump everything else. Business people began buying Windows Mobile phones to sync their Outlook folders over the air and for a while it was possible to convince them to accept the SBS server's self-signed certificate, but it got harder and harder to accomplish - it required finding the right tool to install the certificate on the phone and the manufacturers were nervous about giving people access to the depths of the phone's operating system to do that. Now it's almost always impossible. Meanwhile Microsoft began to add new security warnings to Internet Explorer as part of its hardening over the last few years. Now when you go to a site with an SBS 2003 certificate, you get this ominous warning:
If you go past the scary warning to the company's RWW site, you get the unhappy red IE address bar instead of the happy padlock:
Fortunately, a few companies began offering inexpensive SSL certificates with a minimum of fuss. GoDaddy.com offers SSL certificates for only thirty dollars per year that are accepted by most computers, phones and other devices. SBS consultants began to work out elaborate documentation for installing them on SBS servers. Many consultants made it a standard part of setting up a server running SBS 2003. SBS 2008 still begins with a self-signed certificate but a wizard is included in the initial setup checklist to help purchase a third-party certificate.
The wizard wasn't helpful to me in a migration where I already had a domain name with an existing certificate. I found myself burrowing deeply into IIS and feeling my way through the process. I was successful but it took some interesting tricks to get everything to work correctly. The experience exposed another interesting feature of Exchange 2007. If a company runs the web site http://www.bigfirm.com/, it can set up http://remote.bigfirm.com/ as a subdomain that leads to their internal company network. Set the company's MX record for incoming mail to http://remote.bigfirm.com/ and give that address to the business people for remote access. SBS 2008 has wizards to help get the domain names registered and set up in Exchange. Then if a business person goes home and sets up Outlook 2007 for an Exchange Server at http://remote.bigfirm.com/, Outlook will configure itself automatically with the settings to connect over the Internet to Exchange Server at the office. It's not necessary in that case to configure the deep proxy settings that have been required until now to set up Outlook for RPC over HTTP. Microsoft thinks the technology is so cool that it blessed it with a new brand name, "Outlook Anywhere." (SBS 2008 does some of the magic to accomplish that, thank goodness - otherwise it requires deep surgery in ADSIEDIT and the Exchange command line console.) That works fine, I'm sure, but I used a different naming scheme when I bought domain names for all my SBS clients for their remote access. SBS 2008 does not like that arrangement one little bit. And it's only easy to set up a subdomain and manipulate MX records if you have full DNS control over the ISP for http://www.bigfirm.com/. A small business will frequently have set up their web site with small hosting companies and web site designers that are, shall we say, not always easy to work with. You see what I mean, I'm sure - it's fun! 
Labels: domains, IE, Internet, mail, Microsoft, mobile, Outlook, phone, remote, SBS, security
posted by bruceb at 12/03/2008 12:46:00 AM | permalink 
November 20, 2008
ONECARE FOLLOWUP
Information will be coming out rapidly to fill in the details of Microsoft's surprising announcement yesterday. Over in the OneCare forum, someone pointed out to me that the OneCare blog post says: "Microsoft has committed to making sure you are protected for the life of your subscription." That probably means that OneCare will be kept current and fully updated at least through June 2010. I'll be watching for confirmation about that.

Labels: OneCare, security
posted by bruceb at 11/20/2008 09:15:00 AM | permalink 
November 19, 2008
MICROSOFT PROMISES FREE SECURITY SOFTWARE, KILLS ONECARE
That rumbling you feel is a seismic shift in the field of security software. This will affect every single one of you and cause major changes in the entire industry. Microsoft announced today that it will deliver free antivirus and anti-spyware software for all Windows computers, beginning in the second half of 2009. Windows Live OneCare will be phased out and it will no longer be sold after June 30, 2009. From the press release: "Code-named "Morro," this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft's move to focus on this simplified offering, the company also announced today that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009." Here's the Microsoft press release, and the post on the OneCare blog. There are a few more details in this interview with Microsoft's senior director of product management. As far as I know, this is completely unexpected. No one seems to have had a clue it was coming. There have been rumors about an imminent new version of Windows Live OneCare; now there's no word whether it will ever be seen. When Microsoft officially released Small Business Server 2008 last week, one of its features was a new product, Windows Live OneCare for Server, and central management for up to 25 workstations running OneCare. To me, that was one of the compelling features of the new SBS, but it is now dead on arrival; it should not be installed and will not be supported after June 30, 2009. I can easily imagine that Microsoft is frustrated. 
Windows is frequently blamed for the onslaught of viruses and malware, but computer users around the world have resisted buying subscriptions to security software for a variety of reasons: they can't afford it; they don't understand that it's necessary; they don't keep it current or they never activate an expired trial subscription; or their computers are underpowered for the security suites that are currently available. It's a particular problem outside the United States, where the percentage of unprotected computers is much higher. The press release suggests that Microsoft particularly wants to provide protection for emerging markets and the new low-powered netbooks and OLPCs.

Microsoft claims that it will deliver new software (not a repackaged version of OneCare) which includes only the security protection, with the simplest, least intrusive, and smallest footprint possible. It will not be automatically included with every copy of Windows but it will be free and presumably so easy to obtain that it might as well be built-in.

I assumed that Microsoft had not done this up to now because it would be attacked as "anticompetitive" by the other security software companies. Apparently Microsoft thinks it can avoid those claims - or who knows, maybe it thinks it's the right thing to do and is willing to see how it plays out. Norton, McAfee and the rest will have to adapt - maybe by criticizing Microsoft's software, maybe by adding value to it with other features, maybe by exiting the field and finding something else to do.

ONECARE SUBSCRIBERS: Do not let your subscriptions lapse! OneCare will be fully supported and updated through June 30, 2009 and we will have much more information before then about our options. If your subscription expires on April 30 and you have to pay $49.99 for two months of updates, I'm going to insist that you renew without hesitation. I don't want anyone running a PC without current anti-malware protection - this is not an excuse to procrastinate!

COMPUTER BUYERS: If you buy a new computer, get it protected! If you have to pay $49.99 for OneCare and you don't get a full year out of it, so it goes. You'll get three months or six months or eight months, and that's just fine. Or get another product, I don't care. As long as your security, backup and update needs are covered, I don't care - but this is not an excuse to procrastinate.

[Update 11/20: It's likely that Microsoft will keep OneCare updated for the entire subscription term. See this post and watch for more information to follow.]

A few more points:

Microsoft Equipt was the ill-fated subscription package bundling OneCare with Microsoft Office 2007 Home and Student Edition, sold only through Circuit City. Microsoft never committed to it, Circuit City is defunct, and Equipt is being withdrawn from the market.

How could this major decision be made with so little notice that it kills a key feature of a major product launched last week? Is the SBS team angry, embarrassed, or resigned?

OneCare includes features that its users depend on - printer sharing, backups, system maintenance, attention to Windows and other Microsoft updates, control over the firewall, and control over startup programs. Everything that needs attention is reported by a single icon, and necessary actions are described in a consistent interface. If OneCare is discontinued, will something else be developed to provide those functions? Don't tell me that products from third parties will take over - I'll cry, really I will.

Will the new software run on servers? Small businesses really need easy software to protect servers and provide centralized security management. The choices now are difficult and expensive.

This is a remarkable change that will affect all of us. I hope it's for the better but boy, are there a lot of questions left to be answered. More to come!
Labels: computers, Microsoft, OneCare, SBS, security, software, Vista, WinXP
posted by bruceb at 11/19/2008 12:05:00 AM | permalink 
November 13, 2008
SPAM HOST CUT OFF
The volume of junk e-mail sent worldwide plummeted on Tuesday after a company providing the servers for the spammers was taken offline.

The bad guys install malware on computers that they can control in vast networks, primarily to send spam for counterfeit pharmaceuticals and designer goods, fake security products and child pornography. Approximately 190 billion spam messages are sent every day from more than 1.5 million hijacked computers. The spammers set up servers to control the hijacked computers and to display web pages offering illicit goods for sale. The spammers don't buy their own servers. They buy server space from hosting companies, which are shielded from liability in many cases and not directly responsible for the actions of their customers. That has made it difficult to find the spammers and prosecute them, leaving law enforcement frustrated and frequently ineffective.

Reports were published recently identifying McColo Corp., a San Jose company, as the hosting company of choice for virtually all the top botnets blasting out spam or malware attacks. The company has offices in a 30-story office tower in downtown San Jose and apparently its entire business is devoted to providing a platform for bad guys and diverting any attempt to pursue the spammers by refusing to cooperate with law enforcement and shifting the spam networks around to help them evade detection. Researchers estimated that networks run through McColo servers were responsible for 75% of the world's spam.

In an interesting twist, security researchers contacted the two companies providing the Internet connection to the building. Both companies became convinced that McColo Corp. was evil and decided to cut off the company's Internet connections on Tuesday without fuss or delay. The volume of spam worldwide dropped by more than forty percent immediately. Lots of companies monitor spam and all of them noticed the huge decline, with estimates of drops in global spam of 40% to 75% when McColo was forced offline.

This won't permanently reduce the volume of spam. It won't take long for McColo to find other Internet connections or for other companies to step up in its place. Trying to shut down the bad guys is like playing Whack A Mole - a law enforcement victory here, a broken Internet connection there, but they keep popping up. It's always nice to have a moment of triumph, though, and this was a particularly dramatic one. It was reporting by Brian Krebs of the Washington Post that got the carriers' attention - here's his article about the effect of the disconnect.

Labels: business, Internet, mail, security, spam
posted by bruceb at 11/13/2008 12:03:00 AM | permalink 
November 11, 2008
HOW SPAMMERS MAKE MONEY
Spammers can turn a profit even if they only get one response from every 12 million emails they send. When you see a ridiculous spam message and think, who in their right mind would respond to that?, the answer is, almost no one - but it only takes a handful of responses for the spammers to think their campaign was worthwhile. Last year researchers from UC Berkeley and UC San Diego infiltrated a spam network and took over a portion of the network, diverting the spam sent out by over 75,000 hijacked computers (out of more than a million in the entire spam network). They set up a fake pharmacy web site, similar to the ones operated by the spammers, and sent 350 million spam messages in about a month inviting people to buy drugs online. They only got 28 responses in a month from people who pushed the button to make a purchase. The researchers are good guys, so they didn't capture the credit card details or take any money, but they measured how much they would have made, about $2,700. The interesting part happens if you scale that up to the size of the full spam network, where the same miniscule rate of return would net $9,500/day or about $3.5 million dollars in a year. That's not a huge amount but it's probably sufficient to earn a profit after subtracting the cost of developing the code to exploit security holes and hijack computers, and to run servers worldwide to sell Viagra and process credit card payments. Meanwhile, the researchers saw 10% of recipients clicking on a link to download and install the malware that hijacks computers and turns them into bots sending out those spam messages night and day. Ten percent! The researchers estimate that would allow the spammers to add between 3,500 and 8,500 new hijacked computers every day. Here's a Washington Post article about the UC study, and here's another summary from the BBC. 
Meanwhile, security analyst Jesper Johansson wrote a followup to his study of "XP Antivirus," one of the prevalent bits of malware circulating now. Here are my notes about his study. In this scam, you are led to a web site that puts up a very convincing display about viruses on your computer that need to be cleaned off, with details that make the process look genuine and convincing. Almost any click anywhere on the screen leads you to a request for a credit card payment, and one wrong move will install popup bubbles and screens that insistently take you back to the payment demands. Most variations of this malware are not destructive but I've seen it several times and the bubbles are incredibly annoying, making it almost impossible to use your computer until deep surgery is done to remove the offending files. Some variations of this adware can be removed with a reasonable amount of effort, but some come along with the kind of malware that can only be dealt with by reformatting the hard drive. If you pay the fifty bucks, you'll get some software that claims to have successfully removed the infected files, but the infection was fictitious and the software doesn't do anything. Recently a hacker broke into an accounting computer run by one of the scammers responsible for distributing XP Antivirus and posted some internal accounting details online. There's a lot of money at stake! Believe it or not, the software is distributed through an affiliate program that pays a significant portion of the sale proceeds to affiliates spreading the malware. The most successful affiliate earned $158,00 in a week, and even the small-time affiliates were making hundreds of thousands of dollars a year. Here's an article about the financial details. I've cleaned up several computers recently with XP Antivirus and other bits of malware. At the risk of being a nag, let me reiterate: Antivirus software will not always protect you against malware if you click OK at the wrong time! 
Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site. Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive. The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse. Please, be careful out there! Labels: business, computers, mail, security, spam
posted by bruceb at 11/11/2008 01:31:00 AM | permalink 
October 23, 2008
CRITICAL WINDOWS UPDATE
Microsoft rushed out a critical security update today that should be installed without delay on every Windows computer. It will have been installed overnight on Wednesday on many computers. Please make sure this update is installed on your computer! If you use Windows Live OneCare and it is green on Thursday, the patch was installed. Otherwise, please check your computer! Go to Windows Update and check for updates. If any critical updates are listed, install them.
This is discussed in Microsoft Security Bulletin MS08-067 ("Vulnerability in Server Service Could Allow Remote Code Execution (958644)"). Apparently a vulnerability was privately reported to Microsoft, which realized it was "wormable" - capable of propagating across multiple computers very quickly. There was already evidence that it was being exploited in the real world, raising the spectre of a global attack like the SQL Slammer Worm that had a devastating impact in 2003. The security problem, and the patch, apply to virtually every version of Windows. I'll be patching servers tonight. It may not be a direct threat to many of you but it's difficult to evaluate that, since details of the exploit are not being published for obvious reasons. As near as I can tell, it does not get through firewalls but once it's inside a network it can spread to any unpatched system with printer sharing turned on, which is virtually every computer. Windows Live OneCare was updated to stop the exploit this morning, and I assume the other security vendors have issued updates as well. But don't count on security software - get the patch installed! Labels: SBS, security, Vista, WinXP
posted by bruceb at 10/23/2008 09:45:00 PM | permalink 
WINDOWS LIVE ONECARE FOR SERVER
Microsoft Small Business Server 2008 will be released on November 12. Veterans of SBS 2003 are finding many things to like in the new version; I'll have more to say about it in the next few weeks. Here's an early look at the features and changes in SBS 2008. At about the same time, Windows Live OneCare will be upgraded to version 3. If you already use OneCare, the new version will presumably be sent to you automatically, it will restart your computer, and it will cause enough glitches that I'll be busy on the phone for a few days. I don't have any details about the new version yet but I'll keep you posted about what to expect. (Loyal OneCare users - I've spent some time in the last few days with the latest security suites from Symantec/Norton, ZoneAlarm, and TrendMicro. Trust me - OneCare is the very model of decorum and politeness and looks angelic by comparison.) The big news for Windows Live OneCare is the addition of Windows Live OneCare for Server, which will be included with SBS 2008 as an optional choice for security. The new server product will provide simple virus and malware protection, which in itself is a welcome addition for small businesses. But apparently it will also allow up to 25 workstations to be managed centrally and covered by a single OneCare license, which is good news indeed! I've needed better monitoring and management for my clients' computers. It also allows the data on the workstations to be backed up centrally, which might be sufficient to protect the Outlook .PST archives that are piling up everywhere. Here's some info about the new server product. Pricing is pretty reasonable:
- OneCare for server only: $189.95/year
- OneCare for server plus a "site license" (apparently up to 25 workstations): $399.95/year.
There is a big caveat, though - OneCare for Server will only work with SBS 2008. I can't install it on my clients' existing SBS 2003 networks. In my mind, this is a big selling point for an upgrade to SBS 2008 as we replace aging SBS 2003 servers!  Labels: domains, network, OneCare, SBS, security
posted by bruceb at 10/23/2008 12:37:00 AM | permalink 
October 16, 2008
KEEPING UP WITH UPDATES
Microsoft released security updates on Tuesday night, following its normal monthly schedule. Your computer should have restarted during the night. We're all overwhelmed by updates but we're stuck with them. The holes fixed today are the ones that the bad guys will be hammering on tomorrow. You should be installing the updates for Windows and other Microsoft products when they're released. Some of them will not be installed automatically - it's up to you to take care of the ones that require extra clicks! Take a minute to check your settings!
(1) If you're running Windows Live OneCare, the icon should be green. If it's not, it may be waiting for you to install updates manually. Open OneCare and follow the instructions and keep the icon green! If OneCare is green, you're covered for everything else I mention here. Go be productive.
(2) If you have a little gold shield (Windows XP) or update icon (Vista) by the clock, it's waiting for you to download and/or install updates. (The Vista update icon is supposed to look like the figure at the left. I wondered about that! I couldn't have told you that by looking at the little blob down by the clock.)
(3) Click on Control Panel / Automatic Updates (Windows XP) or Control Panel / System and Maintenance / Windows Update (Vista), and make sure your computer is set to automatically install new updates.
(4) Visit the Microsoft Update web site (Windows XP) or Control Panel / System and Maintenance / Windows Update (Vista), and make sure your computer automatically installs updates for Windows and other Microsoft products. The updates for Microsoft Office are just as important as the ones for Windows. 
Updates for other programs can also be important but keeping up with the security fixes for Windows is a fundamental requirement of using a computer today. Be safe out there! Labels: Microsoft, Office, security, Vista, WinXP
posted by bruceb at 10/16/2008 12:05:00 AM | permalink 
October 08, 2008
INCREASE IN BANK PHISHING ATTACKS
There are reports of increased phishing attacks purporting to be messages from various banks. Be alert! The bad guys create email messages that appear to be from banks, with links to malicious web sites that attempt to install viruses or adware or fool you into entering account information. The messages and web sites are increasingly professional, to the point that they are indistinguishable from the real thing. The current wave of bank activity might make it plausible that your bank would contact you by email, but I don't want anyone fooled. In today's environment, no bank or other company will ever send you an unsolicited email message about your account; the only communication you will receive from any company will either be advertising or a response to something you initiated. If you're unsure, always double-check by phone, or by going to the company's web site directly instead of by clicking on a link in a message. Be safe out there! Labels: mail, security, spam
posted by bruceb at 10/08/2008 12:05:00 AM | permalink 
September 25, 2008
WON'T GET FOOLED AGAIN
Make a firm commitment not to be fooled into installing malware on your computer! In this study, researchers created fake popup windows that should have been alarming, and put them in front of people at unexpected times. Most of the people clicked the OK button so quickly it was clear they didn't give it a moment's thought - they just wanted the dialog box to get out of the way as quickly as possible, with no thought to the consequences. It's up to you to protect yourself. It doesn't matter what security software you're running - if you click OK, you have given the bad guys permission to kidnap your family and empty your bank accounts. Researchers find too many people who would click Yes in any window, even if it looks like the one on the right, with nothing more than a snort of annoyance at the distraction.
Vista adds "User Account Control" as a critical security feature. Before any significant change is allowed, Vista greys the screen, stops the change from occurring, and asks you if you want to allow it to happen. When a laboratory tried to research rootkits (the latest name for "bad programs that hide themselves on your computer," since "virus," "adware" and "spyware" weren't confusing enough), they had to disable User Account Control because the rootkits were stopped in their tracks by it. If you're a Vista user, then, you have an important security tool built into the operating system, and it will protect you unless you click OK on the User Account Control window without thinking about it. Rootkits are the most dangerous kind of attack and Vista can stop them dead, regardless of your security software, but only if you say No. And if you turn off User Account Control and complain about how oh so annoying boo hoo it is to have to click OK an extra time, I have little sympathy. Responsibility for your computer is in your hands. Labels: computers, security, Vista
posted by bruceb at 9/25/2008 12:05:00 AM | permalink 
August 23, 2008
ANATOMY OF A MALWARE SCAM
Jesper Johansson has been working in information security for more than 20 years and has earned a good reputation for doggedly identifying and chasing the bad guys. He's written a fascinating article about his attempt to track down the details of a bit of malware. It starts as a simple link in a blog comment but leads to IP addresses in Singapore, servers in Kuala Lumpur, domains registered in the Ukraine, and payment centers in Barbados. He picked this malware at random. It's the variety that presents warnings that your computer is at risk and insists that you purchase its antivirus software. The dialogs and screens are professionally done and the grammar is correct - there is nothing obvious that gives away that every single thing is faked - the "scan," the progress bar, the lists of infected files, and the dialogs purporting to give you options but in fact leading always to a demand for payment. There are even phony coverups for the Windows XP Security Center, designed so that every link will bring you to another payment demand. (Real one on the left, phony on the right. If you click through to the full-size version of the phony one, you'll see the first place where some grammatical errors creep in. There are also some shockingly well-designed web pages and dialogs.) 
In this case, the bad guys appear only to want the $49.95 and your credit card number - Johansson didn't detect any other evil payload, although he mentions ways it could have been disguised. Your security software - OneCare, AVG, or the rest - probably updates itself several times a day. OneCare gets virus updates every four hours, I think. Understand this carefully: the bad guys change things so fast that they see four hours as an opportunity. Johansson found hundreds of variations on the software payload for this scam alone, just one of the many malware scams out there, and he spotted changes happening literally while he was writing the article. Your daily reminders: Antivirus software will not always protect you against malware if you click OK at the wrong time! Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site. Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive. The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse. Please, be careful out there!
Labels: security
posted by bruceb at 8/23/2008 12:06:00 AM | permalink 
August 11, 2008
FAKE FLASH UPDATE - SPYWARE ALERT!
 There is a massive spam attack underway masquerading as messages from CNN.com. The first set of messages had links to the "Top 10 Headlines" and "Top 10 Videos"; now there are new variations presenting a "custom news alert." Clicking on any link in the messages will bring up a dialog that says an incorrect version of Flash Player has been detected that needs to be updated to a newer edition. You will be caught in an endless loop - if you click "Cancel" another box will immediately appear, over and over. The only way to get out is to force your browser to close with Task Manager, or shut down your computer. If you click OK, malware is installed. You will immediately get a blizzard of popups, advertisements for fake "antivirus" software, and the likelihood that something more sinister is happening on your computer behind the scenes. It is increasingly difficult or impossible to remove this stuff once it gets on your computer! At the malicious web sites, you'll see something like this: 
Antivirus software will not always protect you against malware if you click OK at the wrong time! Sorry, that's just the way it is. Here's an article about the spam blitz. Links to the malicious web sites are also being left in comments on MySpace and Facebook, according to this article. Don't click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don't click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site. Be paranoid and surf carefully! Labels: IE, Internet, security, spam
posted by bruceb at 8/11/2008 12:05:00 AM | permalink 
August 09, 2008
SECURITY EXHAUSTION
 Labels: humor, security
posted by bruceb at 8/09/2008 12:53:00 PM | permalink 
August 08, 2008
DROWNING IN JAVA
There are frequent updates for Java, the technology used by many web sites to make interesting things happen in your browser. You've probably seen the Java update bubble popping up far too often down in the lower right corner of the screen. The updates are issued to fix security problems, problems that are being exploited by the bad guys. If you're fooled into visiting a malicious web site, there's a chance that your computer might load some malware through a security hole in an old version of Java, even after you've installed a more recent version. Here's an article from the Washington Post about the security hole caused by these leftover versions. That's why it's so frustrating that the updates do not uninstall the older versions of Java, resulting in a complete mess of Java versions on almost everyone's computer. Take a look in Add/Remove Programs and see if you have a list that looks something like this:  That's just dumb. Each of those can be removed individually, which is a pain in the neck. An annoyed blogger created a script to remove all versions of Java from a computer in one operation. He sounds like a reasonable person so I ran it on my computer; it appeared to do what it promised. I can't vouch for it - we should never run software from an unknown source - but if you run it and wind up being sold as a slave by the Russian mafia, at least you know I'll be there too. After running the script, you'll have to reinstall the latest version of Java from here. Remember, as Windows becomes more secure, the bad guys are increasingly using programs like Flash, Java and Quicktime to deliver malware to our computers. The free Secunia Online Software Inspector is a very helpful tool to identify updates that might be needed on your computer. Here's more information about the Secunia Inspector. Upgrades are a pain but keep your computer up to date! Labels: IE, security, software
posted by bruceb at 8/08/2008 01:18:00 AM | permalink 
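An added example (written for this page, not the blogger's removal script) that audits Add/Remove Programs for the leftover runtimes described above: on Windows it reads the real Uninstall registry key, elsewhere it runs on a constructed sample list. The DisplayName pattern and the sample names are assumptions about how Java entries of this era are labelled.

```python
"""Audit Add/Remove Programs for leftover Java runtimes. Example code for this
post, not the blogger's script. Windows: reads the Uninstall key; elsewhere:
uses the constructed SAMPLE_DISPLAY_NAMES list below."""
import re
import sys

# Assumed DisplayName pattern of Sun's installers at the time, e.g.
# "Java(TM) 6 Update 7" or "J2SE Runtime Environment 5.0 Update 11".
_JAVA_NAME = re.compile(r"^(?:Java|J2SE)\b.*?(\d+)(?:\.\d+)?\s+Update\s+(\d+)", re.I)

# Constructed sample of the cluttered list the post describes.
SAMPLE_DISPLAY_NAMES = [
    "Adobe Flash Player 9 ActiveX",
    "J2SE Runtime Environment 5.0 Update 11",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Microsoft Office Professional 2007",
]


def parse_java_version(display_name):
    """Return (major, update) for a Java runtime entry, or None for anything else."""
    m = _JAVA_NAME.match(display_name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def installed_display_names():
    """DisplayName values from HKLM\\...\\Uninstall on Windows; the sample list elsewhere."""
    if sys.platform != "win32":
        return list(SAMPLE_DISPLAY_NAMES)
    import winreg  # Windows-only module, hence the late import
    names = []
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as root:
        index = 0
        while True:
            try:
                sub_name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, sub_name) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue  # entry without a DisplayName value
    return names


def find_stale_java(display_names):
    """Return (newest, stale): newest is the highest (major, update) Java entry,
    stale is every other Java entry, i.e. the old versions an update left behind
    and that a malicious site could still target."""
    entries = [(parse_java_version(n), n) for n in display_names]
    entries = [(v, n) for v, n in entries if v is not None]
    if not entries:
        return None, []
    entries.sort()
    newest = entries[-1][1]
    stale = [n for _, n in entries[:-1]]
    return newest, stale


if __name__ == "__main__":
    newest, stale = find_stale_java(installed_display_names())
    print("Newest Java runtime:", newest)
    for name in stale:
        print("Leftover (should be uninstalled):", name)
```

On 64-bit Windows a 32-bit Java also registers under the WOW6432Node Uninstall key, which this example does not read.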
August 02, 2008
SECURITY PROGRAM RANT
An interesting perspective on the state of security programs, from Susan Bradley's invaluable blog: "Anti-virus, you have lost. You sit there filling up our system trays with your little icons and flashing bubbles, constantly seeking attention with your false positives and pleas for updates and money. Your ugly self-advertising user interfaces make us feel physically sick. You cripple our machines' performance and stability with your hundred processes and services loading at bootup and klunging up the system hooks. It takes a lot to bring a modern, powerful PC to its knees with swapping and bluescreens, but you manage it. "Yet despite all this, you still don't protect us. Oh, sure, AV is still effective against old-school viruses and the more widespread mail worms. But come on, what idiot still gets infected by those? No, the bulk of today's infections - including my neighbour's - are driven by web browser-based exploits and related fake-software downloads, against which today's AV tools are woefully ineffective. "The payloads involved are enormous in quantity and range, and are mutated constantly. Against this, signature-based AV has no chance to keep up. Woollier signatures and heuristic-based detection increases the chances of detection a little, but at the cost of so many false positives the user can't trust it any more. Or worse, they do trust it and end up deleting a bunch of random files that happened to be compressed using an application compressor (packer=virus, according to stupid AV). Oh, and Windows Explorer. "Oh sure, you might get an alert from your AV when visiting an exploit, because it peeks into your Internet cache folder and manages to recognize part of the payload, or an intermediate downloader file, or the original exploit itself. 'I've removed a virus for you!' it says, 'aren't I super! It's 'Delf', or 'Agent', or 'Small', or one of the other names we give to specimens we don't really know what they are but they're probably not good'. 
"By that point it's far too late; either your browser wasn't vulnerable, and the AV has valiantly protected you from nothing at all, or the suspect code has already been run, downloading a whole bunch of other bad stuff. Even if it did miraculously catch all of those (and the odds aren't looking good), how could you possibly know for sure you were still clean? There are some very hard-to-spot rootkits out there that your average PC-using clod hasn't the faintest hope of detecting." I've lost a couple of nice computers in the last few months, reformatting hard drives when malware got onboard and could not be cleaned off economically, even though security software was running and theoretically up to date. I've got no answer here, just a bad feeling that the problem will get worse. Labels: security
posted by bruceb at 8/02/2008 12:05:00 AM | permalink 
July 30, 2008
WHAT I USE
On the assumption that my choices are endlessly fascinating to an ever-growing number of people - really, really bored people - I've added a page with details about the hardware and software that I use here at the high-tech headquarters of bruceb consulting. I'll try to keep it up to date. Heck, my computers are happy - you could do worse than follow my example in precise detail. Click here for all the prurient details! Labels: audio, backup, broadband, bruceb, computers, file_sharing, hardware, mobile, phone, photos, printers, SBS, security, software, video, web_services
posted by bruceb at 7/30/2008 01:02:00 AM | permalink 
July 24, 2008
UPS SPAM
The latest outbreak of virus-laden spam purports to be a message from UPS about an undeliverable package. The attachment is a ZIP file with an executable program inside that does something evil - blows up a cruise boat or something. These messages appear and morph and tomorrow this might be a message from FedEx or the IRS or anything else. Your first defense is your common sense: never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.
Never. Many of my clients use Exchange Defender to filter out spam and viruses from incoming mail. Here's the update on ED's struggle with this new outbreak. "It has been quite an evening at ExchangeDefender as we continue to fight the outbreak of the UPS trojan. You may have seen this:
Subject: UPS Tracking Number 6431834482
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
"What is interesting about this is that the message does look fraudulent to the casual observers and people that do domestic business with UPS. However, we have encountered this format (with attachments and all) being used by UPS Commercial shipping departments in the past, which is why messages with the specific patterns received lower SPAM scores and were allowed through. "We still stripped the attachments but the attachments inside the ZIP file are passing through AV scanners as the variants change. We are now up to over thirty definitions used to track this specific worm and have taken the following steps:
- UPS messages are only processed if they come from UPS.
- UPS Tracking numbers are only accepted as valid if they start with 1Z.
- UPS messages instigate a callback function against UPS servers.
"Dealing with these extended rulesets and checks has made mail move a little slower today as we've dealt with onslaught of messages while this worm becomes more prevalent. UPS is also issuing a warning on their behalf:
"We currently have this issue under control and it should not pose any further problems. However, expect the UPS messages to be taken with higher scrutiny and always warn users not to open executable attachments."
Labels: mail, security, spam
posted by bruceb at 7/24/2008 09:50:00 AM | permalink 
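The three checks ExchangeDefender lists in the quoted update, worked into a small mail-filter scorer as an added example written for this page (not ExchangeDefender's code). The sender domain rule, the sample messages and the tracking-number lookup that stands in for the callback against UPS servers are all constructed assumptions; the spam sample reuses the quoted subject and body text.

```python
"""Scorer modelled on the three quoted ExchangeDefender rules. Example code for
this post, not ExchangeDefender's; samples and the UPS callback are stand-ins."""
import io
import re
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

UPS_DOMAIN = "ups.com"  # assumption: genuine UPS notices come from this domain
TRACKING_RE = re.compile(r"tracking\s+number:?\s*([0-9A-Z]+)", re.I)
VALID_TRACKING_RE = re.compile(r"^1Z[0-9A-Z]{16}$")  # genuine numbers start with 1Z
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]

def is_ups_domain(domain):
    return domain == UPS_DOMAIN or domain.endswith("." + UPS_DOMAIN)

def message_text(msg):
    """Subject plus every text/plain part, where the tracking number appears."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)

def executables_in_zip_attachments(msg):
    """Names of executable members found inside any ZIP attachment."""
    found = []
    for part in msg.walk():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                found += [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
        except zipfile.BadZipFile:
            found.append(part.get_filename() + " (unreadable ZIP)")
    return found

def score_ups_message(msg, tracking_lookup):
    """Return (score, reasons); higher is more suspicious. tracking_lookup(number)
    stands in for the callback against UPS servers and returns True if UPS knows it."""
    text = message_text(msg)
    if not re.search(r"\bUPS\b", text):
        return 0, []  # the UPS rule set only applies to mail that claims to be UPS
    score, reasons = 0, []
    # Rule 1: UPS messages are only processed if they come from UPS.
    if not is_ups_domain(sender_domain(msg)):
        score += 5
        reasons.append("claims to be UPS but sender is not @" + UPS_DOMAIN)
    # Rule 2: tracking numbers are only accepted as valid if they start with 1Z.
    match = TRACKING_RE.search(text)
    number = match.group(1) if match else None
    if number is None or not VALID_TRACKING_RE.match(number):
        score += 3
        reasons.append("tracking number missing or not 1Z format: %r" % number)
    # Rule 3: callback against UPS, only for numbers that passed the format check.
    elif not tracking_lookup(number):
        score += 3
        reasons.append("tracking number unknown to UPS: " + number)
    # ExchangeDefender stripped attachments outright; here the ZIP is only inspected.
    exes = executables_in_zip_attachments(msg)
    if exes:
        score += 5
        reasons.append("executable inside ZIP attachment: " + ", ".join(exes))
    return score, reasons

def build_message(sender, subject, body, zip_members=None):
    """Build a constructed sample; zip_members maps member name -> bytes."""
    msg = MIMEMultipart()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in zip_members.items():
                zf.writestr(name, data)
        part = MIMEApplication(buf.getvalue(), "zip")
        part.add_header("Content-Disposition", "attachment", filename="invoice.zip")
        msg.attach(part)
    return message_from_bytes(msg.as_bytes())

# The trojan message quoted in the post, rebuilt as a sample (sender and ZIP member constructed).
SPAM = build_message(
    "UPS <tracking@ups-invoice.example>",
    "UPS Tracking Number 6431834482",
    "Unfortunately we were not able to deliver postal package you sent on July the 1st in time "
    "because the recipient's address is not correct. Please print out the invoice copy attached "
    "and collect the package at our office. Your UPS",
    {"UPS_INVOICE_6431834482.exe": b"MZ stand-in bytes, not a real program"},
)
# A constructed legitimate notice: right domain, 1Z number, no attachment.
LEGIT = build_message(
    "UPS Quantum View <pkginfo@ups.com>",
    "UPS Ship Notification, Tracking Number 1Z999AA10123456784",
    "Your package is scheduled for delivery tomorrow.",
)
KNOWN_TRACKING = {"1Z999AA10123456784"}  # constructed stand-in for the UPS callback
```

Calling `score_ups_message(SPAM, KNOWN_TRACKING.__contains__)` trips all three rules plus the executable-in-ZIP check, while the constructed legitimate notice scores zero.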
July 18, 2008
SMALL BUSINESS SERVER 2008 IS COMING
Small Business Server 2008, the successor to SBS 2003, will ship on November 12. The first few months will reveal any lingering issues and clarify the procedure for migrating to the new platform from SBS 2003. In early 2009, I'll be talking about it to my clients with SBS 2003 running on servers that are more than three years old - it will be time to refresh the hardware that runs the business, part of my long-time belief that it is always preferable to replace a computer on your schedule rather than the computer's breakdown schedule. In some ways, SBS 2008 sounds similar to SBS 2003 - a single server for small businesses to handle file storage and Exchange mailboxes, plus remote access and some other nice features. Many of the differences result from six years of progress on the underlying products - Windows Server 2008, Exchange Server 2007, Sharepoint Services 3.0, and more. That steps up the hardware requirements - new 64-bit boxes with lots of memory are required. Existing SBS 2003 servers will be relegated to backup roles or retired. Here are some notes I wrote about SBS 2008 a few months ago. There are architectural differences based on the increasing need that all businesses feel for 24/7 reliable computing. Small businesses have frequently relied on a single server, creating a single point of failure that can paralyze the entire business. That will still be true in part, but the Premium edition of SBS 2008 will include a license to run Windows Server 2008 on a second server and will include SQL Server 2008 Standard Edition, making it far more cost-efficient to run a line-of-business application on a second server. Law offices, for example, will be more likely to move their case management or accounting programs onto a second server, leaving the SBS 2008 server free to focus on file and printer sharing and running the huge, active mailboxes that we're all accumulating. 
SBS 2008 will integrate deeply with Office 2007 and Microsoft's online Office services, making it easier for small businesses to begin using online file storage and collaboration tools. Windows Live OneCare for Server is a new product that will be included with SBS 2008. Details are hazy but at a minimum it will provide antivirus and spyware protection for the servers, currently difficult to accomplish with SBS 2003 (third party products are available but they are quirky and frequently too complex for a small business relying on an offsite consultant). Apparently the server OneCare program will finally allow central management of OneCare on the individual desktops and facilitate backups of files on the individual computers. It's going to be an interesting year. Now that a nearly final version of SBS 2008 is available for testing, I've just ordered a server that I'll be using for learning and breaking things and in general, feeling that my brain is too small. Small businesses that have not yet installed a server do not have to wait; it's possible to buy a license for SBS 2003 with "Software Assurance" that will minimize the cost of the licenses to upgrade to SBS 2008 next year. Adding a server with SBS 2003 can be a tremendously important step for a growing business! In a slowing economy, though, businesses that want to postpone taking that step would be well advised to plan on next spring for their new servers. Labels: business, computers, hardware, Microsoft, SBS, security
posted by bruceb at 7/18/2008 12:56:00 AM | permalink 
July 01, 2008
COMPUTER SHOPPING 2008
[Originally posted November 26, 2007] Thinking about a new computer - home, home office, small business? Let me give you some generalizations that will help you get started. (As always, gamers will be looking for faster processors and hard drives, more memory, and - particularly important - choosing from an array of high-end video cards. Notebook computers also require consideration of size and weight, which will trump some of the considerations below.)
- PROCESSOR Intel's Core 2 Duo processors are significantly better than the other Intel and AMD processors. Within the Core 2 Duo line, at some point there's a step up to a 4Mb L2 cache, another bit of technical wizardry that's worth a hundred dollars or so. That being said, all of the processors on the market will serve you well - processor speed is no longer the defining point of a computer.
- MEMORY 2Gb of RAM is mandatory for a new computer - it's required for a satisfying experience, and it's sufficient for most people.
- VIDEO It is essential to look for a video card with 256Mb of RAM! There are many more differences between video cards than that but you'll get what you need if you just focus on that single number. If your new computer doesn't have a 256Mb video card, you'll be disappointed in ways large and small - perhaps you might just not be able to turn on Vista's eye candy, but at worst the computer's entire performance will be compromised.
- HARD DRIVE You'll get lots of storage space with any new computer, but the speed of the hard drive is a new and important consideration. The speed is measured in RPM; you want a speed of 7200RPM or above. If you see 5400RPM, avoid it - the whole system will be slow regardless of the other specs. (You'll run into this problem more often on notebooks.)
- OPERATING SYSTEM Vista Business is the best choice for most people; get Vista Home Premium if you're interested in one of its specific features, but be aware of what you're missing. Vista Ultimate is a safe choice because it includes all features.
- The general answer to your question about Vista is: Yes, it will ________. (Fill in the blank: work; run your programs; network with your other computers; work with your printer/scanner/camera; etc.)
- OPTICAL DRIVE Make sure you get a drive that can read DVDs - software is being distributed on DVDs now.
- SOFTWARE If you're ordering from Dell, you can get Microsoft Office preinstalled at an attractive price. Other manufacturers almost never include MS Office. Make sure your budget is ready for the $150 Student Edition of Office if the computer will be used at home, or $300 and up for the standard versions.
- SECURITY Your first job with a new computer is removing unnecessary software installed by the computer maker - and the most important products to remove will be any preinstalled software from Norton or McAfee. Windows Vista has a very capable firewall and adware/spyware protection, so you're safe while you decide what to install instead. I continue to recommend Windows Live OneCare for comprehensive protection.
Happy shopping! Labels: computers, hardware, Office, security, Vista
posted by bruceb at 7/01/2008 12:19:00 AM | permalink 
June 26, 2008
ROUTER PASSWORDS
You probably have a router or firewall device on your network - the little box that your DSL or cable modem plugs into. Make sure you've changed the default password on the router! Virtually every router is designed to display a control panel when you put in its IP address. When you set up the router, it probably asked you to change the default password. It's a chore that needed to be done; you should double-check your records to be sure. You can check for yourself. Click on Start / Run, type in CMD and hit Enter. In the black window, type in ipconfig and hit Enter. Make a note of the Default Gateway - something like 192.168.1.1, right? Then open Internet Explorer and type that address in: http://192.168.1.1 (or whatever your gateway address is) You'll be prompted for a login name and password. If it's your network, you should know what that is! Here are two common defaults:
- Linksys: user name blank, password admin
- Netgear: user name admin, password password
Naturally, it's easy to find lists of default passwords for hundreds of routers. This comes to mind because the researchers found a new twist in some malware recently: if you run the malware by an ill-advised click on a popup window on the Internet, the malware tries to log into the router using a memorized list of default user name and password combinations. If it's successful, the malware changes the router's DNS configuration so all your Internet traffic is passed through the bad guys' network. Here's a Washington Post blog about the exploit. I haven't run into this in the real world, and you might be protected against it - the malware won't get a chance to run on a system with up to date security software. But it's a precaution that deserves a couple of minutes of attention - just one more way for inventive bad guys to make life difficult. [Note to my clients: if I set up your network or your router, I took care of this. Go back to work.] Labels: hardware, network, security
posted by bruceb at 6/26/2008 02:02:00 AM | permalink 
June 09, 2008
A TOOL FOR UPGRADE OVERLOAD
I wrote a few months ago about the difficulty of dealing with the endless flood of software updates that is slowly draining our will to live. Microsoft's system of |