Category Archives: Things that are bad

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every day, despite not having logged out, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found plenty of other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. This script was created and submitted by a non-Microsoft contributor, not by Microsoft. Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install.

I admit to being tempted to contact Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I feel sorry for anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

They’re here: ads in Windows 10

We called it. Microsoft denied it. Now the reality of advertising in Windows has arrived. We’re not talking about the tiny, easily-ignored ads commonly seen in Skype, either. The ads that just started appearing in Windows 10 are hard to miss, and they’re in Windows Explorer, arguably the core user interface of the system.

Of course Microsoft is calling these ads ‘tips’ and insists that they just provide helpful information to Windows 10 users. Okay, let’s take a look at what users are seeing:

You be the judge: is this an advertisement?

You may disagree, but in my opinion, that’s an ad. It might as well say “Your Advertisement Here” or “Advertise In This Space”. At this stage, I’m sure we’ll only see ads from Microsoft in Explorer, but once the anger subsides, it’s difficult to imagine Microsoft won’t start selling that space – and others like it – to the highest bidder.

That’s right, Windows 10 really is an advertising platform, just as we’ve been saying all along. It explains why Microsoft was so happy to give away the O/S to anyone who upgraded from an earlier version, why they pushed so hard and literally tricked people to upgrade from earlier versions, why they included so much user activity tracking in Windows 10, and why they retrofitted that tracking into earlier versions when people failed to upgrade in sufficient numbers.

Clearly, the underlying reason for Microsoft’s advertising-in-Windows strategy is simply the enormous amount of money being made by Google from advertising.

Linux is looking a lot better now, isn’t it?

Analysis from The Verge and Ars Technica.

Update 2017Mar17: Tom Warren over at The Verge reacts to the new ads in Windows 10. He describes it as an ‘infestation’, and I agree with his assessment.

Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Continue reading Nasty Cloudflare bug leaked sensitive information for months

BEWARE this nasty, effective, GMail-based phishing attack

By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.

Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.

When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.

Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.

The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.

Hovering over the fake attachment in these phishing emails shows what looks sort of  like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.

This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.

The Wordfence blog has additional details.

Microsoft releases fix for Windows 10 Internet connectivity issues

Details are sketchy, but apparently a recent Windows 10 update caused major problems for some users. Affected users were suddenly unable to access the Internet. December’s Patch Tuesday (earlier this week) included an update that addresses this problem.

This issue once again raises the question of whether Microsoft can be trusted not to push flawed Windows updates, especially now that updates are essentially mandatory and unavoidable.

Update 2016Dec16: Many of the Knowledge Base pages on the Microsoft support site now include this message at the top: “If you are experiencing issues connecting to the internet we recommend you restart your PC by going to Start, clicking the Power button, then choosing Restart (not Shut down).” No further explanation is provided.

Stay away from Certificate Authority WoSign/StartCom

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

Microsoft ‘clarifies’ upcoming Windows Update changes

Yesterday, in a blog post aimed at people who support Windows in organizations, Microsoft responded to some of the questions that arose in the wake of their announcement of upcoming changes to the way Windows 7 and 8.x are updated.

If you plan to risk a migraine and read Microsoft’s blog post, keep in mind that the intended audience is Enterprise users, not us lowly consumers (aka Windows 7/8 Home/Pro users). Parts of the post need to be interpreted differently for non-enterprise users. For instance, references to WSUS and ConfigMgr only apply to Enterprise users.

The changes will take effect on October 11, next week’s Patch Tuesday. The bottom line is that updates will no longer be delivered separately, but in large update packages. Each month, three of these packages will be produced:

  • security-only quality update – a single update containing this month’s security updates; not available through Windows Update!
  • security monthly quality rollup – a single update containing this month’s security updates, as well as non-security updates from the previous month, and the contents of all previous rollups.
  • preview of the monthly quality rollup – perhaps weirdest of all, this update will contain next month’s non-security updates. In other words, this month’s non-security updates, which are otherwise not available in the regular monthly rollup. Microsoft seems to be saying “For those of you who want this month’s non-security updates but would prefer not to wait until next month to get them, here’s a preview of those updates.” Even weirder, this update will become available the week after the regular Patch Tuesday. The preview rollups will also include fixes from all previous monthly rollups, and older updates will be gradually added as well.
This graphic makes all this much easier to understand, right?
This graphic makes all this much easier to understand, right?

Questions

Why will the monthly rollups contain non-security updates from the previous month? For example, according to Microsoft, the first (October 2016) rollup will include non-security updates from September. But why delay October’s non-security fixes for another month? This makes no sense.

What happens if an update causes problems? In the past, you could just uninstall the problematic update. That won’t be an option with this new system. Microsoft’s response to this question makes it clear that this is your fault: “Every Windows update is extensively tested with our OEMs [customers] and ISVs [customers], and by customers – all before these updates are released to the general population. Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP).” In other words, our updates are thoroughly tested by you, and if you’re not testing them, you should be.

Why is Microsoft doing this?

According to Microsoft, these changes will “simplify your updating of Windows 7 SP1, Windows 8.1, … while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.

There may actually be some good reasons for bundling updates. But Microsoft is being so vague that it’s hard to believe they aren’t trying to foist something unwanted on us. Maybe the new system will make Windows Update faster and more reliable. Maybe it will simplify updates, an appealing notion for many users. Maybe it will make us all safer. It’s difficult to predict.

But there’s no question that these changes will make it difficult to avoid unwanted updates, and therein lies the problem. We already know for sure that Microsoft desperately wants us to either upgrade to Windows 10, or install updates that make Windows 7 and 8 more like Windows 10. Clearly these changes are beneficial to Microsoft, and we have a pretty good idea why (it’s advertising infrastructure). And, despite Microsoft’s assurances, we can be fairly certain that these changes don’t actually benefit the user, unless the user enjoys targeted advertising.

Given Microsoft’s recent actions, and suspicions concerning their actual motivation, these new updates are going to be examined closely. Are all the ‘security’ updates actually necessary? Are they even related to security? Microsoft can slap a ‘security’ label on anything they want and force it down our throats.

What can we do about this?

If you use Windows 7 or 8.x Home or Professional, there’s not much you can do. As I explained in an earlier post, you can trust that Microsoft will act in your best interest and let them install what they want on your computer (yikes), you can stop using Windows Update completely (also yikes), or you can switch to Linux.

It’s also still possible that – with enough pressure from users – Microsoft could make these changes more palatable. The Electronic Freedom Foundation says (and I totally agree) that “Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.” I would add that Microsoft should describe in detail exactly what each update really does, and how it affects the collection and transmission of user activity and other information.

Related news

Woody Leonhard reports that Microsoft recently reactivated one of the Windows 7/8 updates associated with the ‘Get Windows 10’ nightmare. In response to the predictable uproar, Microsoft simply repeated their claims that this update is nothing to worry about, while saying nothing about what the update actually does.

Confirmed: record-breaking DDoS attacks using IoT devices

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

Brian Krebs site dumped by Akamai due to massive DDoS attack

In what can only be viewed as a victory for the attackers, content delivery provider Akamai has dropped Brian Krebs’ web site krebsonsecurity.com in the midst of a record-breaking DDoS attack against the site.

Krebs and his site have been the target of DDoS, SWATting, and other attacks in the past, in response to his reporting on various illegal activities – and the people behind them. But this most recent attack, which began on Tuesday, is the largest in history.

Akamai provides services that limit the effectiveness of DDoS attacks. According to Krebs, Akamai was providing their services for krebsonsecurity.com at no charge. He doesn’t fault Akamai for dropping his site, but their doing so raises some interesting possibilities.

The most likely explanation is that Akamai could no longer justify providing their services to Krebs for free; dealing with such a large attack would have involved a lot of time and effort. Akamai may have offered to keep supporting krebsonsecurity.com, but at their normal price. Those prices are typically only paid by large corporate clients, and Krebs probably just can’t afford them.

As a result of all this, krebsonsecurity.com is offline, and likely to stay that way until the attackers lose interest. Once the attacks subside, I’m sure the site will return.

Although Krebs doesn’t blame Akamai for dropping him, it’s hard to see how Akamai can come out of this without their reputation being harmed. There will always be questions about exactly what happened. Was Akamai actually overwhelmed? I’m sure Akamai’s competitors will be looking at picking Krebs up as a client.

And finally, this is a clear win for the attackers. They now know that they can take down even high profile web sites, although perhaps not those owned by companies with very deep pockets.

Ars Technica has more, including speculation that the attacks involved hacked ‘Internet of Things’ devices.

Updates 2016Sep25: krebsonsecurity.com is back up, thanks to Project Shield, a free program run by Google to help protect journalists from online censorship. It will be interesting to see how well this service protects Krebs’ web site from inevitable, future attacks. And how will Akamai spin this?

Meanwhile, Krebs also thinks that poorly-secured ‘Internet of Things’ devices made the record-breaking size of this attack possible. And despite the site only being down for a few days, he feels that this kind of attack is a new form of censorship, referring to the effect as ‘The Democratization of Censorship‘.

Someone out there is testing the Internet’s breaking point

Security analyst Bruce Schneier reports on the recent increase in Distributed Denial of Service (DDoS) attacks against critical Internet infrastructure. He’s unable to go into details about exactly which companies and resources are involved, but the attacks are real. Someone is engaged in a series of DDoS probes that are clearly meant to test the Internet’s ability to cope with extreme stress.

Most DDoS attacks are perpetrated by angry hackers against web sites they don’t like, or simply to demonstrate their skills. Underground DDoS attack services are available for those not possessing the requisite skills. But the attacks Schneier is talking about stand out: they’re much more calculated and methodical than usual.

Assuming that Schneier is correct, and someone is gathering information about the Internet’s potential breaking point, one can only wonder what they have in mind. If the perpetrators are – as Schneier suggests – a state actor like China, the possibilities are the stuff of nightmares.