
Security

July 9, 2009 12:23 PM PDT

This CA user forum was filled with comments from confused and upset customers after the software detected a Windows system file as a virus.

(Credit: Computer Associates)

Users of Computer Associates anti-virus software were complaining on Thursday after the software mistakenly identified a Windows XP system file as a virus.

Some customers were concerned that Windows Service Pack 3 files and files from the commercial Cygwin application had been deleted when they couldn't find them. However, CA said the files were intact but quarantined, and that their file extensions had been modified.

CA said it learned on Wednesday that its software had flagged the file as "Win32/AMalum.ZZQIA", a false positive, and was urging customers to update to Signature 6606 to address the situation.

The CA advisory reads:

"CA Internet Security Suite users should restore affected files from quarantine using the GUI. CA Threat Manager customers should search local hard drives for files with the extension .AVB and manually rename to their original file extension by removing the appended text on the original file name."

Through its customer support, CA is also offering a tool that searches for the affected files and restores them to their original extension.
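The advisory above describes a manual fix: find every file whose name was given an appended .AVB extension and strip that suffix to restore the original name. The script below is an added illustration of that procedure, not CA's own support tool; it walks a directory tree, previews the renames in a dry run, and refuses to overwrite a file that already exists under the original name (the file names and directory layout it creates are constructed for the demo and are not real system files).

```python
"""Added example (not CA's tool): find quarantine-renamed files ending in .AVB
and restore their original names, as the CA advisory describes."""
import os
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".AVB"  # suffix the advisory says was appended to affected files


def find_quarantined(root):
    """Return every file under root whose name ends with the suffix (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(QUARANTINE_SUFFIX):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def restore_names(root, dry_run=True):
    """Strip the appended suffix from each quarantined file under root.

    Returns (restored, skipped): lists of (quarantined_path, original_path).
    A file is skipped when something already exists under the original name,
    so an intact file is never overwritten; with dry_run=True nothing is renamed.
    """
    restored, skipped = [], []
    for quarantined in find_quarantined(root):
        original = quarantined.with_name(quarantined.name[:-len(QUARANTINE_SUFFIX)])
        if original.exists():
            skipped.append((quarantined, original))
            continue
        if not dry_run:
            quarantined.rename(original)
        restored.append((quarantined, original))
    return restored, skipped


def demo():
    """Build a constructed directory tree (stand-in files, not real system files)
    and run a dry run followed by the real restore."""
    root = Path(tempfile.mkdtemp(prefix="avb-demo-"))
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    (sysdir / "example.dll.AVB").write_bytes(b"stand-in for a quarantined file")
    (root / "cygwin" / "bin").mkdir(parents=True)
    (root / "cygwin" / "bin" / "tool.exe.avb").write_bytes(b"lower-case suffix variant")
    (root / "collision.txt").write_bytes(b"already present")
    (root / "collision.txt.AVB").write_bytes(b"would overwrite, must be skipped")
    (root / "untouched.log").write_bytes(b"not quarantined")

    preview, _ = restore_names(root, dry_run=True)     # nothing renamed yet
    restored, skipped = restore_names(root, dry_run=False)
    return {
        "previewed": len(preview),
        "restored": sorted(p.name for _, p in restored),
        "skipped": sorted(q.name for q, _ in skipped),
        "remaining": sorted(p.name for p in find_quarantined(root)),
    }


if __name__ == "__main__":
    print(demo())
```

Run it with the dry run first on a real machine and review the preview list before renaming anything; the collision check matters because a program that reinstalled a clean copy of a quarantined file would otherwise be clobbered by the stale one.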

In the meantime, CA customers were griping on the CA forum. "Shame on CA for not being on top of this," one customer wrote. "Sure things happen, I've seen game patches erase hard drives, stuff happens. But it's what you do after that defines the value of your company."

"This latest nonsense with a false positive detection that causes damage to the operating system is the last straw for me. I have had continuing problems with CA AntiVirus crashing during email downloads with Thunderbird," wrote another customer. "I am changing to Sophos. So far, it works fine and no false positives. ... I guess CA has gotten too big and forgotten that customer service is an important part of doing business."

July 9, 2009 11:59 AM PDT

Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Earlier this week, Microsoft warned of attacks being launched that exploit a hole in the Video ActiveX Control when used in Internet Explorer for recording and playing video in DirectShow. Microsoft offered a workaround on Monday for that hole, which reportedly it had known about since last year.

The ActiveX control vulnerability was likely independently rediscovered by malicious hackers or leaked through the Microsoft Active Protection Program which the company uses to share early security information with third-party vendors, according to a statement from security firm Rapid7.

Asked for comment, a Microsoft spokeswoman provided a statement that said: "Microsoft received the original, private report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The company did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posting on Monday."

The critical vulnerabilities affecting various Windows versions all could allow an attacker to run code remotely, while one of the non-critical holes involving Virtual PC and Virtual Server would allow remote code execution and the other non-critical holes could allow elevation of privilege.

Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008. The versions of DirectX affected are DirectX 7.0, 8.1 and 9.0.

The non-critical updates affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.

Updated 1:55 p.m. PDT with Microsoft comment.

July 8, 2009 1:08 PM PDT

Google has a long history of tracking user activity, and the introduction of its Chrome operating system later this year is sure to follow suit. While we know that it's being built off of Linux, one big thing we don't know is how its terms of service will differ from those found in other Google products, and what kinds of user data it will be collecting. Based on the company's track record of watching and monetizing user data, it could be anything from which applications you're using, to all the information that's coming in and out of your computer.

To provide a better picture of what to expect, let's take a look at some of the ways Google is currently monitoring user activity in a handful of its products and how that may trickle down into the OS:

Google personalized Web search--Google's bread and butter business is its search engine, and its personalized search is a way to put a face on the data. When you're signed in with your Google account you can opt in to having your Web history tracked; Google archives all of the sites you've clicked on from search results, as well as what time of day you clicked on them.

For those who are not signed in, the company uses identifiers like cookies and IP addresses. But when you're signed in it can actually aggregate that data no matter what computer you're on. With a system-level log-in, it could theoretically do this no matter what browser you're using, giving Google a far richer set of data.

Chrome browser--When Chrome was first released, Google got in some hot water over its terms of service, which stated that Google had the rights to license any content that went through the browser. It quickly backtracked on the claim, citing that the terms heavily borrowed from other Google products and that it didn't make sense for Chrome. This would have given Google licensing control over things like user photos, videos, and words.

The one area where Google's Chrome can still access some of that information is with its reports system. This is an opt-in program for users to provide Google with crash reports and detailed information about what features they're using. Google has said this does not include any information from form fields, or from users' Google accounts. However, it does track what sites and search terms you've entered into the address bar.

Gmail--Google's Web mail service was one of the first Web mail services to provide contextual advertising, meaning it actually goes through your e-mail messages to give you advertisements that match up with a conversation you're having. Did you mention skiing in that last e-mail? Don't be surprised if you start seeing ads for local lift tickets or a new pair of ski boots.

Gmail also tracks what features users are using, including...

Originally posted at Webware
July 8, 2009 1:05 PM PDT

Wednesday's two big technology stories--Google's Chrome-based operating system and cyberattacks against U.S. and South Korean government Web sites--are oddly related. The stories are connected because if Google does well at gaining market share for its browser, we could see fewer successful attacks. Or maybe we'll see more attacks.

The reason hackers succeeded in launching denial-of-service attacks against government computers in the U.S. and South Korea is that they were able to enlist an army of "zombie" computers to carry out the attack. And what do those computers likely have in common? The vast majority of them likely run Microsoft Windows.

Whether Windows is inherently less secure than Mac OS X or Linux is debatable, but one thing is for sure--it's more popular and therefore a more attractive target to hackers. Indeed with nearly 90 percent of the world's PCs running Windows, it's something of a "single point of failure." Figure out how to infect Windows PCs and you can stage a very successful attack.

Linux--which is the underpinning of Google Chrome--is not entirely exempt from malicious software but historically Linux machines are less likely to be infected. So it stands to reason that the more machines running non-Windows software, the safer we'll all be.

But there's another side to this story. The Chrome OS will be far more Web-centric than Windows, which means that many--if not most--of its applications will be running over the Internet. What's more, people's data will be stored "in the cloud," much of it on servers run by Google. So while Google may help reduce Microsoft's potential as a single point of failure, it increases its own. If hackers were successful in launching an attack on Google, that would affect not only people's ability to use Google apps, but the integrity of their data.

Although there weren't any reported data breaches, there was a day in May of this year when Google sites were partially inaccessible as a result of a technical glitch. On that day, millions of people were unable to use Google services, including Google Docs and Spreadsheets. Say what you want about Microsoft, but even if the company totally shut down its Web operations, its operating system and PC applications would still run.

Personally, I'm a big believer in competition and like cloud computing, so I welcome Google's entry into the operating system arena. But like almost anything worthwhile, it's not without risk.

Originally posted at Larry Magid at Large
Larry Magid has been a technology columnist and broadcaster for more than two decades as well as a leading Internet safety advocate.
July 7, 2009 4:53 PM PDT

This graph shows the sharp rise in the number of spam e-mail messages sent recently that include short URLs.

(Credit: MessageLabs)

In yet another piece of anecdotal evidence of the increasing threat from shortened URLs, e-mail security provider MessageLabs said on Tuesday it saw a dramatic spike in the number of spam e-mails that include truncated Web addresses.

Shortened URLs, which allow spammers to hide the real Web address from Web surfers and are commonly used on social media sites like Twitter where message character length is restricted, began a sharp rise last week and now appear in more than 2 percent of all spam caught in the company's spam trap, according to MessageLabs.

"Usually when we see a spike of this nature it tends to indicate that a spammer has found some method of automating the creation of these short URLs," said Matt Sergeant, a senior antispam technologist at MessageLabs.

The many URL shortening services make it more convenient to post long URLs on sites like Twitter, but they also make it easy for attackers to lead Web surfers to sites hosting malware.

A major spam botnet called Donbot has aggressively moved to using this technique, Sergeant said. Donbot appears to be primarily focused on displaying advertisements, but could be linking to sites that drop malware onto visitors' computers too, he said.

Spam-filtering software can block spam from getting into inboxes and programs like Long URL Please and shortText make it easy to see what the real URL is.
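The MessageLabs figure above (the share of trapped spam carrying a shortened URL) is the kind of metric a mail filter can compute directly. The code below is an added example, not MessageLabs' filter or the Long URL Please or shortText tools: it extracts URLs from message bodies, flags those hosted at well-known shortener domains whose path is an opaque redirect token, and reports which messages were hit and what fraction of the sample they make up. The shortener host list is a starting point to extend from your own telemetry, and the five sample messages are constructed, not real spam-trap captures.

```python
"""Added example (not MessageLabs' filter): flag e-mail bodies that carry
shortened URLs and measure what share of a sample they make up."""
import re
from urllib.parse import urlsplit

# Hosts of well-known URL-shortening services; extend from your own telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl", "ow.ly", "tr.im"}

# Simple http(s) URL matcher; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def is_short_url(url):
    """True when the host is a known shortener and the path is a single opaque token.

    A bare shortener home page (empty path) is not a redirect, so it is not flagged.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    if host.startswith("www."):
        host = host[4:]
    token = parts.path.strip("/")
    return host in SHORTENER_HOSTS and bool(token) and "/" not in token


def scan_messages(messages):
    """Return (flagged_ids, share): ids of messages containing a short URL and
    the fraction of all messages they represent."""
    flagged = []
    for msg_id, body in messages:
        if any(is_short_url(u) for u in extract_urls(body)):
            flagged.append(msg_id)
    share = len(flagged) / len(messages) if messages else 0.0
    return flagged, share


# Constructed sample of spam-trap messages (not real captures).
SAMPLE = [
    ("m1", "Lose weight fast, see http://bit.ly/2xQz9 before midnight"),
    ("m2", "Your invoice is attached. Regards, accounting@example.com"),
    ("m3", "Cheap meds at http://www.pharmacy.example/deals/today"),
    ("m4", "Trending now: http://TinyURL.com/a1b2c3 and http://example.org/page"),
    ("m5", "Visit https://bit.ly/ (empty path, not a redirect token)"),
]

if __name__ == "__main__":
    flagged, share = scan_messages(SAMPLE)
    print(f"{len(flagged)} of {len(SAMPLE)} messages carry a short URL ({share:.0%}): {flagged}")
```

Flagging alone is a signal, not a verdict: a spike in this share across a mail stream is what the article's "automation" observation looks like in data, and the flagged URLs are the ones worth expanding (following the redirect without executing content) before any link is trusted.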

July 7, 2009 4:18 PM PDT

Mark Dowd, X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes.

(Credit: Mark Dowd)

Two security researchers are splitting a cash prize from Google after winning a bug hunt contest designed to improve the security of Google Native Client technology, Google announced on Tuesday.

Despite the dozen or so bugs they found in the code, which lets Web-based applications run native code and take advantage of a computer's processing power, one of the winners predicted the technology will be secure when it is deployed.

"The quality of the implementation was pretty good," said Mark Dowd, X-Force research engineer at IBM Internet Security Systems. "Everyone makes a few mistakes here and there, and the purpose of the competition was to weed those out."

Dowd and his partner, Ben Hawkes, an independent security researcher in New Zealand, found the largest number of security vulnerabilities and the most severe of the 22 total bugs that were reported by contestants and accepted as valid, said Brad Chen, Google's engineering manager of Native Client.

The more severe bugs, for instance, would allow an attacker to completely disable the technology's inner sandbox, according to Chen.

"Had this been available on production Web sites you would have been able to take some of these vulnerabilities and turn them into exploits and gain complete control of systems," Dowd said. But "this is not a production release, so there's not a huge user base at this point you can exploit."

"I know they want to roll out a few more features before they bring it into prime time, but the core technology itself is pretty interesting, and if they keep up with the security side of it I think...it will be deployed on the Internet in a secure fashion," he said.

The technology, revealed as a research project in December and promoted to a development platform last month, is an attempt to enable computers to run Web applications downloaded from the Internet directly on the processor and at the speed of "native" software installed on a computer.

Current Web application programming environments, like Flash, JavaScript, and ActiveX, offer limited processing power and have suffered their own share of implementation flaws that can be exploited.

With Native Client, Google faces the challenge of balancing more performance against new security challenges from a relatively new approach. That approach, called static analysis, involves screening software before it runs to make sure it doesn't perform any of a range of prohibited risky actions.

Google expects to integrate Native Client into the developer version of its Chrome browser before the end of the year, opening it up to the broader development community as it does so, Chen said.

About 600 people participated in the contest, which was announced in February and judged by a panel of nine experts.

July 7, 2009 4:00 AM PDT

I got my first SMS spam message last week and it infuriated me.

The mortgage-related text message was more than just a nuisance, like e-mail spam is. It also was a strong indication of how marketers have managed to invade every private communication space consumers have.

And it was frustrating that I didn't know what to do about it. Being an AT&T customer, I tried to register on AT&T's site figuring I could learn what to do and take action there. Unfortunately, it kept telling me that it didn't recognize my password, so I had to call customer support. The support representative directed me to a different URL where I was able to log in and she tried to walk me through the site to the place where I could set spam-blocking settings, but was unable to because of some technical issue on her end. So she just changed the settings for me.

I called the four major U.S. wireless carriers to find out exactly what they suggest their customers do when they get SMS spam. Here is what they said, along with some other basic questions and answers people may have about mobile spam.

AT&T
Customers can block text messages or calls from a specific phone number on AT&T's Web site, as well as restrict the sources of e-mail that reach their phones. Customers can also reply to text messages by typing in "BLOCK" or "STOP" to prevent future messages from that sender, and call a customer service representative if further help is needed, said AT&T spokesman Mark Siegel.

Sprint
Sprint wants customers to call customer service to report all spam messages so the company can modify its spam-filtering technology to block the phone numbers that are sending it, said Sprint spokesman John Taylor. Customers should not reply to the messages, otherwise it verifies to the spammer that the phone number is valid, he said.

T-Mobile
Postpaid and FlexPay customers can create their own filters and block chargeable text messages, MMS (multi-media service) messages, instant messages, and e-mail from being sent to their phones by calling customer service, spokeswoman Cara Walker said.

Verizon
Customers can log into the site and sign up for Usage Controls ($4.99 a month) that allow them to block certain numbers from calling or sending text messages to the phone. And if customers text only with a few people, they can create an alias address for free and receive only text messages sent to that address, said Verizon spokeswoman Debra Lewis.

Verizon has filed eight to 10 lawsuits against SMS spammers over the past four to five years, and 20 lawsuits altogether involving telemarketers, she said.

What can I do to prevent unsolicited phone calls to my mobile phone?
To block spam phone calls, customers should register their mobile numbers with the U.S. Federal Trade Commission's Do Not Call Registry.

What are the carriers doing to block spam?
The mobile service providers said they are using antispam filters and antivirus technology to protect against the different types of mobile spam. They did not want to go into too much detail as to what technologies they are using.

Why am I getting spam?
Some people may be inadvertently opting in to receive text messages when they sign up for other services with merchants. Many free ringtone download sites are used to harvest mobile numbers. Spammers also use auto-dialers that randomly generate numbers or try them sequentially. Because mobile phone numbers do not appear in public directories people should be careful who they share their numbers with. Be wary of sites that promise to remove numbers from spam lists because they are often set up to collect the numbers instead. Also, read terms and conditions of sites and services carefully before giving out a mobile number.

Do I get charged for spam messages?
In general, consumers will not be charged for spam text messages and can get a credit if they report it to the company, on a case-by-case basis.

Is spam illegal?
While Verizon is suing companies for violating the federal Telephone Consumer Protection Act, which makes it illegal to use an auto-dialer to make calls to wireless phones, there is no explicit measure outlawing SMS spam, yet. Measures in the U.S. House of Representatives and Senate were introduced this year to rectify that. The m-SPAM Act, introduced by Sens. Olympia Snowe, a Maine Republican, and Bill Nelson, a Democrat from Florida, would expand the regulatory authority of the Federal Communications Commission and the FTC to intervene against SMS spammers and would explicitly bar marketers from sending text messages to any mobile number in the national Do Not Call registry. A similar measure was introduced by Rep. Phil Gingrey, a Georgia Democrat, in March after his antispam effort last year failed.

How big a problem is this?
While people in the U.S. might receive two SMS spam messages a year, things are worse elsewhere: in Europe one a week is typical; in India people receive as many as two per day; and in China it's more like five to 10 each day, according to Ferris Research. Last year, Ferris Research estimated that wireless users in the U.S. received more than 1.1 billion spam text messages in 2007, up 38 percent from 2006.

Originally posted at Wireless
July 6, 2009 5:59 PM PDT

It is possible to use publicly available data on state and date of birth to predict someone's Social Security number, particularly if they were born after 1988 and in smaller states, according to an article published Monday in The Proceedings of the National Academy of Sciences.

The ability to use statistical inference to predict the sensitive data exposes Social Security numbers to identity fraud risks on "mass scales," the article said.

Social Security numbers "were designed as identifiers at a time when personal computers and identity theft were unthinkable; today, abused as authentication devices, they enable an 'architecture of vulnerability,' in which losses are incurred even in absence of fraud, because of costs caused by attempts to defend, and exploit, the system," the article concluded.

The researchers from Carnegie Mellon University analyzed Social Security numbers of people who have died to detect statistical patterns in the assignment of numbers. They were then able to use those patterns to predict a range of values likely to include a living person's Social Security number. Birth data, meanwhile, can be inferred from data brokers, voter registration lists, online white pages, and social-networking profiles, the report said.

The researchers identified in a single attempt the first five Social Security digits for 44 percent of the records of the people listed as dead from 1989 to 2003 and the complete Social Security numbers in fewer than 1,000 attempts for 8.5 percent of those records.

On average, the researchers matched on the first attempt the first five digits for 7 percent of all records for people born nationwide between 1973 and 1988.

"Extrapolating to the U.S. living population, this would imply the potential identification of millions of SSNs for individuals whose birth data were available," the article says.

The report goes on to give an example of how someone could get the entire Social Security number by renting a botnet to apply for credit cards impersonating 18-year-old West Virginia-born residents. Following numerous assumptions, including that the attacker can find birth data for 50 percent of the potential targets and that inquiries with the correct first seven of nine digits are sufficient for a credit reporting agency to answer a positive match in half of the cases, an attacker could potentially harvest credentials at rates as high as 47 per minute, obtaining 4,000 credentials within two hours before the IP addresses used in the botnet were blacklisted, the article said.

July 6, 2009 10:48 AM PDT

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

Asked to explain what is meant by "no by-design uses," Christopher Budd, Security Response Communications lead, said: "In older operating systems like Windows XP that were originally developed under older programming methodologies, this ActiveX control was enabled for use within Internet Explorer by default to allow for possible future uses. These uses never materialized and as part of the more stringent security requirements that Windows Vista was developed under, this control was later disabled for use within Internet Explorer."

Even though Windows Vista and Windows Server 2008 are not affected by the vulnerability, Microsoft is recommending that users of those products also use the workaround.

Microsoft is working on a security update and will release it when the quality is at the appropriate level for broad distribution, the company said.

The Microsoft Video Control object is an ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. The control is the main component used in Windows Media Center for building filter graphs for recording and playing television video.

When it is used in IE, the control can corrupt the system state in such a way that arbitrary code could be run by an attacker. If the user is logged in with administrative rights, the attacker could take complete control of the system.

Antivirus vendor Symantec said it was seeing the flaw being exploited in China and other parts of Asia and cited reports that indicate thousands of Web sites are hosting the exploit.

Internet Explorer versions 6 and 7 are at risk, but people running IE 8 are not vulnerable, Symantec said.

Updated July 7 8:25 a.m. PDT with Microsoft explanation of "by-design," and July 6 at 11:45 a.m. PDT with background on a previous DirectShow hole and more details on exploits of the most recent hole.

July 5, 2009 6:13 AM PDT

Twin obstacles of technical problems and privacy issues are holding back the overarching system created to protect the federal government's computers from cyberspies, according to The Wall Street Journal.

"The latest complete version of the system, known as Einstein, won't be fully installed for 18 months, according to current and former officials, seven years after it was first rolled out," the newspaper reports. "This system doesn't protect networks from attack. It only raises the alarm after one has happened."

The privacy concerns stem from the National Security Agency's acknowledgment of its warrantless wiretapping of phone calls and e-mail that started after the terrorist attacks of September 11, 2001. AT&T is supposed to test new Einstein technology, but the Journal reported that the company sought the Justice Department's approval first. The Obama administration has OK'd the testing, an official told the newspaper.

According to the Journal, these are the three phases of the Einstein program:

• Einstein 1: Monitors Internet traffic flowing in and out of federal civilian networks. Detects abnormalities that might be cyberattacks. Is unable to block attacks.

• Einstein 2: In addition to looking for abnormalities, detects viruses and other indicators of attacks based on signatures of known incidents, and alerts analysts immediately. Also can't block attacks.

• Einstein 3: Under development. Based on technology developed for a National Security Agency program called Tutelage, it detects and deflects security breaches. Its filtering technology can read the content of e-mail and other communications.

The Department of Homeland Security began work on the project in 2003, adapting it from a Pentagon program that watched military networks, former national security officials told the Journal.

A Homeland Security representative told the Journal the phases are "incremental improvements" that also safeguard privacy and civil liberties. "We don't want to let the perfect be the enemy of the good," the representative told the newspaper.

Homeland Security is the only department using Einstein 2 at this point, the newspaper said, but it is expected to cover most of the government in another 18 months.
