Recently in Security Category

November 12, 2007

Thoughts on Microsoft's Webapps at Live.com

Seeing Paul's post on Microsoft's live.com webapp offerings prompted me to pen some quick thoughts on something related to this that I came across a bit ago.

I read about the new live.com webapps and figured I'd give them a try (heard something about it on a blog or podcast or something). Going to get.live.com presents me with a nice overview and a big 'get' button. This in turn sends me over to a page where I can select one or all of the apps and options. Very cool, but with one, teeny glaring oversight.

I have no idea what they do.

Some are obvious: Messenger, Toolbar, and the "take over my computer with Microsoft options" selections for the default search, homepage and so on.

However, the options for Mail, Photo Gallery, Writer and the OneCare Family Center don't give me any indication of what they are. Will they install something on my system? Convert all my document options to open in Writer (which I thought was a web-based app)? Will Mail install a new mail client on my system or will it just set up my system to make all mailto: links open in the live.com webmail page?

I was wanting to compare Microsoft's offerings to those from Google. I was under the impression that Writer was like Google documents, Mail was like GMail (and if you go to mail.live.com it is....), and photo gallery was something like Google's Picasa.

With just the option to download a single .exe file though.... scary. Not to say I don't trust Microsoft of course, but let's be honest.... I don't trust Microsoft :) Hey, if I was in their position I'd use this to fill up the user's computer with all my own software and options, and eclipse whatever Google offerings are there.

That said, it's true that Google also provides a download pack, but last time I looked at it, it seemed fairly obvious what it did, and the programs were all fairly separate. Antivirus, toolbar, etc. Yes, some of them are a bit ambiguous as to what they do, but less so (to me) than Microsoft's offering. It might be familiarity though.

Deciding to take a leap for journalistic integrity (hehehe), I actually downloaded and clicked the Windows Live installer thingy. It took a long time to get itself going, but when it finally did, it appeared to not give me any options, and just had a progress bar (checking for installed applications) and text that made it look like it was just going to install whatever it was going to install regardless of whether I'd changed my mind.

There is a cancel button, but that didn't work. It asked if I really wanted to cancel, then continued downloading and installing, and even after I hit the 'close' button again, it still left a WLSomethingSvc.exe in the process list.

Not nice :( Why the change from a standard installer with a bit of an explanation of what it'll do and where it'll install things, and that gives you the chance to cancel if you decide you don't like what it's doing?

June 7, 2006

More Social Engineering

You can make the best firewalls, or the coolest piece of security software, but as this experiment shows, you still have the very big factor of human nature to overcome. Basically these guys wrote a trojan and put it on a bunch of those small USB memory sticks that are the latest giveaway gimmick. Scatter the drives in the parking lot of the bank (who are on alert that there is a security audit happening) and watch. Soon enough the data and passwords start flowing in. Simple and easy. And hard to protect against using technology without a very rigid security policy (possibly bad enough to prevent users from doing legitimate work) or just pure fascism. Other than that it's up to training of users, but it's very hard to train someone about the unknown, especially with software install sites giving instructions all over the place to 'just ignore the security warning and hit ok' (paraphrased).

November 14, 2004

SSH Exploit Annoyances

I know that this isn't a threat, but messages like these have been showing up in my nightly logwatch email for a few months now:


Failed logins from these:
   admin/password from 218.8.127.193: 9 Time(s)
   backup/password from 218.24.205.20: 3 Time(s)
   computer/password from 218.24.205.20: 3 Time(s)
   guest/password from 218.8.127.193: 7 Time(s)
   info/password from 218.24.205.20: 4 Time(s)
   master/password from 218.24.205.20: 4 Time(s)
   oracle/password from 218.24.205.20: 5 Time(s)
   root/password from 218.24.205.20: 2 Time(s)
   root/password from 218.8.127.193: 1 Time(s)
   slapme/password from 218.24.205.20: 10 Time(s)
   test/password from 218.8.127.193: 9 Time(s)
   user/password from 218.8.127.193: 2 Time(s)
   webmaster/password from 218.24.205.20: 4 Time(s)
   www/password from 218.24.205.20: 5 Time(s)

I know it's not dangerous, nothing more than people checking the door handle of a locked room, but still annoying. Especially since the number of failures isn't always 4 or 10, but sometimes in the hundreds.

According to this thread on bugtraq it's another exploit in the wild, probably being run off of infected zombie boxes, but it's still annoying. It's even more annoying and disturbing when I see not only the standard root/admin/test/user attempts, but lists of common first names including 'alan', and other user accounts that are actually on the system. Last thing I want is a user with a weak password to get my box owned. Sadly, other than blocking the IPs with firewall rules, which is kinda pointless as the IPs change every day, I don't think there's a way to do anything about it.
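
To triage a logwatch section like the one quoted above, this added example (not part of the original post) parses the failed-login lines, totals failures per source address, and flags guesses against account names that really exist on the host, which is the case the post worries about. The sample report, the account set and the `noisy` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the logwatch layout quoted in the post; the addresses
# are documentation ranges, not the ones from the original report.
SAMPLE = """\
Failed logins from these:
   admin/password from 192.0.2.10: 9 Time(s)
   alan/password from 198.51.100.7: 6 Time(s)
   root/password from 198.51.100.7: 2 Time(s)
   root/password from 192.0.2.10: 1 Time(s)
   slapme/password from 198.51.100.7: 10 Time(s)
   test/password from 192.0.2.10: 9 Time(s)
"""

# user/method from source: N Time(s)  (format assumed from the excerpt above)
ENTRY = re.compile(r"^\s*(\S+?)/(\S+) from (\S+): (\d+) Time\(s\)\s*$")

def parse_failed_logins(report):
    """Yield (user, source, count) for each failed-login line in the report."""
    for line in report.splitlines():
        m = ENTRY.match(line)
        if m:
            user, _method, source, count = m.groups()
            yield user, source, int(count)

def local_accounts():
    """Account names defined on this host (Unix only)."""
    import pwd
    return {entry.pw_name for entry in pwd.getpwall()}

def triage(report, accounts, noisy=10):
    """Total failures per source and list guesses that hit existing accounts."""
    per_source = Counter()
    real_hits = []
    for user, source, count in parse_failed_logins(report):
        per_source[source] += count
        if user in accounts:
            real_hits.append((user, source, count))
    noisy_sources = sorted(s for s, n in per_source.items() if n >= noisy)
    return per_source, sorted(real_hits), noisy_sources

if __name__ == "__main__":
    # Assumed account list for the demo; use local_accounts() on a real host.
    totals, hits, noisy = triage(SAMPLE, {"root", "alan", "www"})
    for user, source, count in hits:
        print(f"existing account {user!r}: {count} failures from {source}")
    print("sources at or above threshold:", ", ".join(noisy))
```

Accounts that show up in the flagged list are the ones whose password strength matters most; names that do not exist on the host can only ever fail.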

June 7, 2004

Windows and Mac Security Differences

An interesting look at why Windows and the Mac are different security wise (OSNews story).

One difference between Mac OS X and Windows, however, is that Mac OS X doesn

May 17, 2004

Gotta Love It

Great message posted to the Bugtraq security list showing how easy it is to execute code on the "secure by default" Outlook 2003. Maybe the much touted security cleanup at Redmond isn't as good as some think.

By "easy" above I mean "easy as described by someone who does this sort of thing for a living, not for me" of course. Basically the goal of "silent delivery and installation of an executable on the target computer, no client input other than reading an email" (default configuration, activeX disabled, etc) goes something like this:

  • embed OLE to call Windows Media Player in rich text message
  • use a bunch of 0's to get Outlook to call up IE
  • convince IE to execute the arbitrary executable file by putting it in an <img> tag.
(Obvious "profit" step ignored :) The steps are something like that anyway, read the message, it's much more coherent than this post. So Dana, would your solution prevent this? Wonder how many months it'll be before this sort of thing gets patched by the boys in Redmond? Maybe by 2009 when Longhorn comes out....

April 23, 2004

Wow, Smarter Spyware

Went to a website in Firefox and got this. Guess they are an equal-opportunity privacy invader! Just a wake-up call to always read what is on the screen before clicking "ok". That and legitimate websites don't ever need you to install anything to visit them.