Still Sneaky After All These Years

By | November 22, 2011

image

I still retain the capacity to get bummed out by the intrusiveness of software from companies you’d think would be trying to make us happy these days, not make us madder.

My friend Scotty, the Winpatrol watchdog, has been doing a great job of keeping an eye on these things. The culprits either try to change file associations or add a program to the boot sequence, without telling us. Some recent examples:

Windows Live Mail, without me doing anything at all, suddenly tried to wrest control of my emails by grabbing the extension EML from Thunderbird:

image

This was unconnected to anything I was doing, or had asked. I didn’t even know I still had Live Mail installed. Shocking. Imagine if I hadn’t been asking Scotty to keep guard? Or that I didn’t have much of a clue what I was doing? (OK, don’t answer that one.)

(Just out of interest, launching Outlook Express will do the same thing:)

image

Still, I suppose the Microsoft defence is that everyone else is doing it. I installed WordPerfect Office the other day and found that, without asking first, it tried to take over handling DOC files. Luckily, Scotty woofed a warning:

image

No wonder users are baffled about what is going on with their computer and end up heading off to the Apple Store for some TLC. Software companies have got to stop doing this kind of thing. (And no, I’m not saying that Apple are any better at this. It’s just they reduce the choices so people feel their computers behave more predictably. This, after all, is what people yearn for.)

Likewise with starting programs. Once again it’s about predictability: If software starts loading without the user being asked first, then a) the computer is going to slow down and b) the user will have a bunch of new icons and activities to figure out. A couple of examples:

Windows Live forces its Family Safety Client to boot without asking:

image

as does eFax, the online faxing service:

image

These companies need to stop this. They need to stop it now. Consumer confidence is low, but so is user confidence. I am inundated with letters from readers of the columns who talk about their bafflement and sense of alienation from their computer. (Meanwhile, I read love stories from those who switch to Macs.) The point is this: Not that people believe Macs are better computers—although they may well be—but they are simpler to use, more predictable, more understandable, more, well, user-friendly.

What’s user-friendly about changing the settings on someone’s computer without asking them? Would a company try that with someone’s car, fridge, or dishwasher?
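The two things Scotty keeps barking about above, a file extension being re-pointed at a different program and a program being added to the list that runs at logon, both live in a handful of registry locations, so they can be caught with a plain snapshot-and-diff even without a watchdog. The script below is an added example written for this post; it is not WinPatrol's code and has nothing to do with the vendors named above. It watches the classic Run/RunOnce keys plus the handlers for a few extensions (the extension list, the set of keys and the baseline file location are assumptions for illustration), writes a baseline the first time it runs and prints what changed on later runs. It reads only, so it needs no elevation.

```powershell
# Added example for this post (not WinPatrol's code): snapshot the autostart
# entries and a few file-extension handlers, then diff later runs against the
# saved baseline so silent changes like the EML and DOC grabs above show up.
# The extension list, watched keys and baseline path are assumptions.

$BaselinePath = Join-Path $env:USERPROFILE 'assoc-baseline.json'   # assumed location
$Extensions   = '.eml', '.doc', '.docx', '.pdf', '.htm'              # extensions to watch

# Classic per-machine and per-user autostart keys.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Returns "key\valuename" -> command line for every Run/RunOnce value.
    $result = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $result["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    return $result
}

function Get-ExtensionHandler {
    param([string]$Ext)
    # The per-user "Open with" choice (UserChoice\ProgId) overrides the
    # machine-wide default stored under HKEY_CLASSES_ROOT\<ext>.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    if (Test-Path $userChoice) {
        $progId = (Get-ItemProperty -Path $userChoice).ProgId
        if ($progId) { return [string]$progId }
    }
    $class = "Registry::HKEY_CLASSES_ROOT\$Ext"
    if (Test-Path $class) {
        $default = (Get-ItemProperty -Path $class).'(default)'
        if ($default) { return [string]$default }
    }
    return '<none>'
}

function Get-Snapshot {
    $assoc = @{}
    foreach ($e in $Extensions) { $assoc[$e] = Get-ExtensionHandler -Ext $e }
    return @{ Autostart = Get-AutostartEntries; Associations = $assoc }
}

function ConvertTo-Hashtable {
    # ConvertFrom-Json yields PSCustomObjects; flatten one level into a hashtable.
    param($Object)
    $h = @{}
    if ($null -ne $Object) {
        foreach ($p in $Object.PSObject.Properties) { $h[$p.Name] = [string]$p.Value }
    }
    return $h
}

function Compare-Snapshot {
    param($Baseline, $Current)
    foreach ($section in 'Autostart', 'Associations') {
        $old = $Baseline[$section]; $new = $Current[$section]
        foreach ($k in $new.Keys) {
            if (-not $old.ContainsKey($k))  { "ADDED   [$section] $k = $($new[$k])" }
            elseif ($old[$k] -ne $new[$k]) { "CHANGED [$section] $k : $($old[$k]) -> $($new[$k])" }
        }
        foreach ($k in $old.Keys) {
            if (-not $new.ContainsKey($k))  { "REMOVED [$section] $k = $($old[$k])" }
        }
    }
}

$current = Get-Snapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record what the machine looks like now.
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{
        Autostart    = ConvertTo-Hashtable $json.Autostart
        Associations = ConvertTo-Hashtable $json.Associations
    }
    $changes = @(Compare-Snapshot -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) { Write-Output 'No changes since baseline.' }
    else { $changes | Write-Output }
}
```

Run it once on a machine you are happy with, install or launch the suspect program, and run it again: a mail client grabbing EML would appear as a CHANGED line for .eml, and a client that adds itself to the boot sequence as an ADDED line under one of the Run keys. Installers have other places to hide (services, scheduled tasks, the Startup folder, shell extensions), so treat this as a starting point rather than a full replacement for a watchdog.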

Radio Australia stuff, Jan 23 2009

By | November 22, 2011

For those listening to my slot on Radio Australia’s Breakfast Show, here’s what I was talking about:

  • Inauguration fever: How it may have tipped the way we use the Net, just like the election did. (People who weren’t there weren’t googling, they were twittering and facebooking.)
  • ‘Dark ages’ White House: The White House runs on ‘six year old versions of Microsoft software’; press office officials use Gmail. Website doesn’t get updated until evening of first day. Or is it a case of Macopia?
  • Shock, horror: Windows 7 might actually be quite good

and some stuff we didn’t have time to talk about, but which tickled me:

Malware Inside the Credit Card Machine

By | November 22, 2011

image

(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, one of the five largest U.S. processors in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof. Certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing, the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Virus Hits British Defences

By | November 22, 2011

image

I wrote a couple of weeks ago about how KL’s airport information system had been infected by a virus. I shouldn’t have gotten so het up. Turns out that the UK’s air force and navy have bigger problems.

ITV News reported on Friday that the Ministry of Defence’s computer network has been shut down “because of a mysterious virus that is causing wholesale disruption of MoD sites.” Among those affected were Royal Navy ships including the Ark Royal and RAF [Royal Air Force] bases including Brize Norton.

The Register quotes a statement from the MoD that “[s]ince 6 Jan 09 the performance of the MOD IT systems in a number of areas was affected by a virus.” The Register says that “no command or operational systems had been affected, though many of these are based on similar hardware. Spokespersons also stated that ‘no classified or personal data has been or will be at risk of compromise’ due to ‘pre-existing security measures’.”

This is less than a month after the Royal Navy announced it had switched its nuclear submarines to a “customized Microsoft Windows system” dubbed, snappily, Submarine Command System Next Generation (SMCS NG).

In 1998 the USS Yorktown was “dead in the water” for about two and a half hours after a glitch in its new Smart Ship system, which used off-the-shelf PCs to automate tasks sailors traditionally did manually. The mishap sank the Smart Ship initiative, which was quietly dropped a couple of years later.

A report in Portsmouth Today said the virus had affected 75% of the navy’s ships, preventing sailors from sending email and performing tasks (like finding out how many sailors are joining the ship at its next port of call). A blog on the Ministry of Defence’s website denied a report in The Sunday Times that ‘all email traffic from a number of RAF stations has been sent to a Russian internet server’ as a result of a ‘worm virus that entered MOD systems 12 days ago’. (The report makes it appear like it was a Russian attack, which is unlikely. But I’m not sure how the MoD can be so sure that emails were not diverted in that way.)

Neither do I know how they can be sure that it wasn’t a targeted attack. As Graham Cluley of Sophos points out, it’s more likely it was human error. But aside from the issues that raises—just how many MoD computers are hooked up to the Internet, and how smart is this? What kind of antivirus software do they have installed on the computers that are?—I would prefer the MoD not to jump to the conclusion that it’s not a targeted attack.

The reason? We need to stop thinking about cyberwar and malware as two different things. Governments rarely launch cyberattacks. But individuals and gangs do—and they usually do it for a mix of nationalistic and commercial motives. This case probably is just a screw-up. But it’s foolish to discount the notion that the information that may have been gleaned—accidentally, perhaps—would prove of value to a government or an agency.

(Image above is the result of my trying to search the Royal Navy website for the word “virus”. )

Articles | MoD computers attacked by virus – ITV News