Archive for the ‘Security’ Category

h1

Symantec – The Good, The Bad, The Ugly

February 9, 2009

The Good:
For some time, Symantec’s anti-virus product had a reputation for being bloated. Then along came the Norton Internet Security 2009 package and with it rave reviews. The improvements included a leaner footprint, improved speed, white listing and other technologies to mark clean files as trusted, as well as continued free technical support.

AV-Comparatives.org reported the product achieving ADVANCED+ in detection tests and proactive ADVANCED due to improved heuristics. The biggest improvement noted by AV-Comparatives.org was the impact on system resources, with the new version running light on the system and no major impact on performance.

The Bad:

Could it be that that Symantec was not able to build sales on the favorable press results and bundling with Hewlett Packard and Dell computers? Instead, Symantec announced a partnership with IAC/Ask:

“Oakland, CA and Cupertino, CA – Feb. 03, 2009 – Leading search engine Ask.com, an operating business of IAC (Nasdaq: IACI) with 76 million monthly unique users, and Symantec Corp. (Nasdaq: SYMC), whose Norton brand is the world’s security market share leader for consumer software and services, today announced a multi-year, strategic partnership to deliver the best answers and even safer search results on the Web.”

The Ugly:

If you can get past the Symantec self-promotion in the above quote, I suggest that you read Ben Edelman’s report in Current Practices of IAC/Ask Toolbars and learn more than you ask for:

“As the fifth-biggest search engine, Ask faces a clear problem: How to get users to leave their favored search engines, to conduct their searches at Ask instead? One Ask strategy is to buys ads on TV and in other media, claiming to offer a better product. But Ask also drives traffic to its search engine by enticing users to install its toolbars. This article looks at Ask’s current and recent toolbar practices, including:

  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies’ sites. Details.
  • Promoting its toolbars through other companies’ spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via “deceptive door openers” that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users’ browsers — increasing Ask’s revenues while taking users to pages they didn’t intend to visit. Details.

Throughout, I compare these practices to the statements of Ask’s staff, and I compare these practices with applicable legal and ethical duties.”

Understand that IAC pays vendors per install of their product. Thus, the pre-checked option to include the toobar in products such as Check Point’s ZoneAlarm Firewall, Webroot, Comodo Firewall, and StopZilla has resulted in their inclusion in the Calendar of Updates (CoU) Installers Hall of Shame.

Tell me, are you ready to pay $39.99 (U.S.) for Norton Antivirus 2009 and get the “bonus” IAC software included?

IAC/Ask References:

Hat Tip: Donna’s Security Flash


Remember – “A day without laughter is a day wasted.”
May the wind sing to you and the sun rise in your heart…

Advertisements
h1

WinPatrol v16 Monitors Changes to UAC

February 2, 2009

For the past several days, discussions in various venues have centered around what has been described as a security flaw in Windows 7 UAC. To illustrate the concern for this issue, at the end of this post is a sampling of blog posts by many well known bloggers in the tech community.

As has been pointed out, this change by Microsoft is “by design”. However, regardless of whether UAC is changed on the PC by a family member or malicious software, Bill Pytlovany has added a new feature to WinPatrol v16 (Beta) which Monitors Changes to UAC Settings.

I installed the new beta on the Windows 7 test installation and changed the UAC from the default (medium) security setting. Scotty warned me of the change and allowed me to prevent the change by clicking Yes to block the change and restore the original setting.

Had I installed a program that made this change, this warning would have allowed me to have WinPatrol restore the original setting.


In the event the change is intentional, merely click No and WinPatrol will not prevent the change and restore the original settings.

Once again, I applaud Bill Pytlovany!

See Bits from Bill: WinPatrol v16 Monitors Changes to UAC Settings.

Blog Post Sampling:

  1. Adrian Kingsley-Hughes, ZDNet: Microsoft neuters UAC in Windows 7
  2. Andrew Nusca, ZDNet: UAC security flaw in Windows 7 beta
  3. Aubrey, Windows Connected: Massive Security Hole In Windows 7
  4. Bill Pytlovany, Bits From Bill: Windows 7, Not Ready for Prime Time
  5. Dana Epp, SilverStr’s Blog: Is UAC really broken in Windows 7? More importantly, does it make us less secure?
  6. Dwight Silverman, TechBlog: Updated: Windows 7’s UAC is now insecure ‘by design’
  7. Ina Fried, c|net News: Windows 7 less annoying, but also less secure?
  8. John Leyden, The Register: Windows 7 UAC shutoff ‘bug’ leaves Microsoft unmoved
  9. Larry Seltzer, PCMag, SecurityWatch: Is UAC Emasculated in Win7?
  10. Long Zheng, I Started Something: Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code)
  11. Long Zheng, I Started Something: Microsoft dismisses Windows 7 UAC security flaw, continues to insist it is “by design”
  12. Paul Thurtott, Supersite for Windows: Microsoft response to UAC ‘issue’
  13. Tom Warren, Neowin.net: Microsoft: Malware can disable UAC in Windows 7 ‘by design’
  14. Tom Warren, Neowin.net: Microsoft insists UAC vulnerability is not a flaw
  15. Rafael Rivera, Within Windows: Malware can turn off UAC in Windows 7; “By design” says Microsoft
  16. Sumeeth Evans, Bink.nu: UAC security flaw in Windows 7 beta (with proof of concept code)
  17. Swa Frantzen, SANS Diary: Windows 7 – not so secure ?


Remember – “A day without laughter is a day wasted.”
May the wind sing to you and the sun rise in your heart…

h1

The MVP Program In-Depth

April 17, 2008

From Channel 9:

“The next 4 podcasts will focus on the ins and outs of the MVP program. Microsoft Most Valuable Professionals (MVPs) are exceptional technical community leaders from around the world who are awarded for voluntarily sharing their high quality, real world expertise in offline and online technical communities.”

Tune in to the podcasts:

Sean O’Driscoll, a General Manager for Community Support and the MVP Program at Microsoft, is interviewed by Ken Levy discussing the history, current state, and future of Microsoft MVPs and the MVP Program. For the past 5 years, Sean has been responsible for the MVP Program which now includes about 4,000 MVPs worldwide. Microsoft MVPs (Most Valuable Professionals) are a select group of experts representing technology’s best and brightest people who share a commitment to community. For more information about the MVP Program, refer to http://mvp.support.microsoft.com/.”

h1

SunJava SE Update 6

April 17, 2008

Update 6 has been released by SunMicrosystems for Java SE.

I do not have Java installed on my home computer. It has been a year without the SunJava update headaches and I have yet to find anything that has not performed properly due to this bit of freedom I have experienced without it. However, I know there are many others who use SunJava so have updated the widely used tutorial, SunFlowers and SunJava Update to reflect the latest release.

Note: If you do not have the Google Toolbar installed on your computer, it may be offered with the update. Be sure to UNcheck the option if you do not want the toolbar.

References:

h1

Microsoft Security Bulletin Summary for April 2008

April 8, 2008

Microsoft released the Security Bulletin for April, 2008. In addition to an updated version of the Microsoft Windows Malicious Software Removal Tool, there were five critical and three important security update released.

Critical

Important

References:

TechNet: Microsoft Security Bulletin for April 2008

MSRC Blog: April 2008 Monthly Release

h1

“How Do I?”

April 7, 2008

Hat tip, Roddy32:

MSDN provides a number of “How Do I” videos on various security issues for developers. As described at the site:

Here you’ll find videos that explore a variety of security questions for developers, including encryption, handling attacks, security best practices, and a lot more. New videos are added regularly, so check back often.

You can find the videos at the MSDN Security Development Center.

h1

CoU Sister Site

April 7, 2008

Officially announced today, BFC Computer Help is a sister site with Dozleng aka Calendar of Updates or “CoU”.

  • Announced by Donna here.
  • Index to CoU sister sites here.

If you didn’t already know about CoU, it’s the right time to check them out! Loads of good information is available and you will find several BFC staff members at CoU as well.