Category Archives: Things that are bad

Ransomware update

Ransomware has been in the news a lot lately. The CryptXXX ransomware is no longer susceptible to easy decryption, and it’s been making a lot of money for its purveryors, in many cases using compromised, high profile business web sites as its delivery mechanism. On a more positive note, the people who created the TeslaCrypt ransomware stopped production and released global decryption keys. New ransomware delivery systems are able to bypass Microsoft’s EMET security software. The Cerber ransomware was recently delivered to a large proportion of Office 365 users via a Word document in an email attachment. And an even more hideous piece of malware surfaced in the last week: posing as ransomware, Ranscam actually just deletes all your files.

Ransomware is different from other kinds of attacks because of the potential damage. It can render all your data permanently inaccessible. Even paying the ransom is no guarantee that you will get all your data back intact. Other types of attacks typically try to fly more under the radar: trojans and rootkits want to control and use your computer’s resources; and viruses want to spread and open the door for other attacks. While other types of attacks can be fixed by removing the affected files, that doesn’t work for ransomware.

Like other types of attacks, ransomware first has to get onto your computer. These days, simply visiting the wrong web site can accomplish that. More common vectors are downloaded media and software, and email attachments. Preventing malware of any kind from getting onto your computer involves the kind of caution we’ve been advising for years; ransomware doesn’t change that advice.

What CAN make a big difference with a ransomware attack is limiting its reach. Once on a computer, ransomware will encrypt all data files it can access; specifically, files to which it has write access. Ransomware typically runs with the same permissions as the user who unwittingly installed it, but more insidious installs may use various techniques to increase its permissions. In any case, limiting access is the best safeguard. For example, set up your regular user so that it cannot install software or make changes to backup data.

Here’s a worst-case scenario: you run a small LAN with three computers. All your data is on those computers. Your backup data is on an external hard drive connected to one of those computers, and a copy exists on the Cloud. For convenience, you’ve configured the computers so that you can copy files between them without having to authenticate. Once ransomware gets onto one of the computers, it will encrypt all data files on that computer, but it will also encrypt data it finds on the other computers, and on the external backup drive. Worse still, some ransomware will also figure out how to get to your cloud backup and encrypt the data there as well.

How to limit your exposure? Require full authentication to access computers on your LAN. Use strong, unique passwords for all services. Store your passwords in a secure password database. Limit access to your backup resources to a special user that isn’t used for other things. In other words, exercise caution to avoid getting infected, but in case you get infected anyway, make sure that you have walls in place that limit the reach of the ransomware.

Most ransomware targets Windows systems, so most of the verbiage out there is about Windows as well. This article covers the basics fairly well.

Pre-installed crapware still a problem

A recent report from Duo Security shows that pre-assembled, ready-to-run computers purchased from major vendors almost always include pre-installed software that often makes those computers much less secure. That’s in addition to being unnecessary, unstable, resource-hungry, and often serving primarily as advertising conduits.

If you purchase a pre-assembled computer, you should uninstall all unnecessary software as soon as possible after powering it up. Before even connecting it to a network. It can be difficult to identify exactly which software should be removed, but a good starting point is to remove anything that shows the manufacturer’s name as the Publisher. PC World has a helpful guide.

And now the good news, at least for some of us: Microsoft now provides a tool that allows a user with a valid license to reinstall Windows 10 from scratch at any time. Minus all the crapware that the manufacturer originally installed.

Major vulnerabilities in Symantec security products

Earlier this week, a Google researcher published a report on vulnerabilities affecting all Symantec security products, including Norton Security, Norton 360, legacy Norton products, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, and Symantec Protection for SharePoint Servers. All platforms are affected.

From the original report:

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.

Symantec quickly released security advisories and updates to address the vulnerabilities, including SYM16-010 and SYM16-011.

Anyone who uses Symantec or Norton security products should install the available updates as soon as possible.

Microsoft updates now harder to find

Until I hear a better explanation, I’m going to assume that Microsoft’s latest move – removing updates from its Download Center – is just another way to force user eyeballs through conduits for which they can sell advertising space.

Starting May 10, Microsoft wants you to use the Update Catalog instead of the Download Center. Previously, security bulletins included links to the Download Center, but since most updates (including security updates) will no longer be available there, those links will now point to the Update Catalog.

Okay, so we can use the Update Catalog, right? But guess what happens when you visit the Update Catalog with a browser that isn’t Internet Explorer? MS Update Catalog: IE Only Please

Note the final line of that message, which encourages visitors to use the Download Center instead. I guess Microsoft hasn’t gotten around to changing that. It should probably say “If you prefer to use a different Web browser, you’re out of luck.”

Most regular users get their updates via Windows Update, and won’t be affected by this change. Once again, it’s power users and system admins who will be affected the most. Does Microsoft hate us, or are they just ignoring us?

Although other mechanisms exist for obtaining updates, the Download Center was certainly convenient. Are we likely to see more third party sites offering Microsoft updates? Probably, although Microsoft frowns on this sort of thing and will probably move to shut them down.

The perils of using free services

RIP TweetDeck

Twitter is pulling the plug on the Windows version of its popular TweetDeck application, pushing users to switch to the web-based version. Although they claim otherwise, the reason is simple: web applications are easier to monetize.

Twitter purchased TweetDeck in 2011 because users found its interface much more useful than the Twitter web interface, and were switching in large numbers. This translated into a loss of advertising revenue for Twitter. There were immediate predictions that Twitter would kill off TweetDeck, and that’s finally happening.

For some users, switching to the web-based TweetDeck will not be a problem. The two interfaces are virtually identical. But having a compact, separate application has several advantages: I can configure it to start automatically with my computer; I can leave it running all the time without hurting my computer’s performance; and it’s not – like all web-based apps – inherently fragile. So I’m looking at alternatives. If I find one I like, I’ll post about it.

Mandrill email no longer free

If you use Mandrill’s email service, you should start looking for an alternative. Unless you think $20 per month seems like good value to send a few emails.

I originally started using Mandrill because my Internet Service Provider’s email service was increasingly less willing to process email from domains I host, including If you don’t host your own domains, and you don’t send large quantities of email, you’re unlikely to ever need a ‘transactional email’ service like Mandrill.

Luckily, there are plenty of alternatives to Mandrill. Right now I’m evaluating MailGun, which is free for up to 10,000 emails per month, and supports DKIM and SPF, technologies that help to identify legitimate senders and reduce spam.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Disappointment: Google decides not to add a sidebar to Chrome

Chrome is a pretty good browser. I recommend it with few reservations. I even use it myself. But my use of Chrome is limited to a few sites that just work better in Chrome than in Firefox – at least for me.

The main reason I don’t use Chrome for most of my browsing, despite the fact that I really don’t want to use Firefox either, is the lack of a sidebar. No feature is more frequently requested for Chrome. And yet Google has resisted adding one.

Why is a sidebar such a big deal? Like many other people, I use the sidebar to show my bookmarks, in a nested tree format. This is an extremely efficient way to manage a lot of bookmarks. There’s just not enough room in the horizontal toolbar to do this; I can add folders and subfolders to the toolbar to create a drop-down menu effect, but I want the bookmarks I’m currently working with to stay on the screen and not disappear when I click one.

And I’m not the only one. Just look at the comments and votes for this bug in Chrome’s bug tracking system, and in this post in the Chrome support forum.

If you look at that bug, you’ll see that Google started the work to add a sidebar. But they must have run into a big problem, because today the bug was updated to the status ‘WON’T FIX’. That means we are unlikely to ever see a sidebar in Chrome. The update provides very little explanation, and points to the general Chrome FAQ. Presumably what they are referring to is the word ‘simplicity’ in the second point.

And so concludes another chapter in my love-hate relationship with Google. I think Google is terrific, and I depend on their services, but this is a huge disappointment.

Update: the WebKit-based Opera browser also doesn’t include a useful bookmark sidebar, but I’ve just discovered a sidebar extension called V7 Bookmarks, and so far I’m loving it. It looks like Opera will be my new main browser when I finally can’t stand Firefox’s bloat and instability any more.