Thursday, July 28, 2005

New Rootkit Techniques Spell Trouble

Just when we thought we were getting safer from computer intrusion comes word of a new type of stealth rootkit. This new proof-of-concept rootkit means the bad guys are gaining on us again. Just the thought that someone can install a piece of software on your system to perform secret acts while remaining completely undetected is a very scary thought. But it's more than a thought or possibility; it's being done right now with rootkits readily available. Worse, the new method revealed shows that it can be done at a level and in a way that is not detectable by most, if not all, of the current detection software programs available.

Jamie Butler (a director of engineering at HBGary Inc.) and Sherri Sparks (a student at the University of Central Florida) demonstrated a technique at the recent Black Hat Briefings in Las Vegas that uses DKOM to prevent the Windows Event Viewer from seeing a program. The technique can even hide drivers and such, allowing for just about any activity that a hacker could possibly want to do. Worse still is that it can be done with little or no impact on performance.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks. With its use of DKOM (Direct Kernel Object Manipulation) to hide from the Windows Event Viewer, it makes forensics virtually impossible and will require that scanners improve and expand existing rootkit detection technologies.

So what's the answer?

The same as it's always been: pay close attention and stay vigilant. Look for and monitor changes in how your system functions. Is it taking longer for your system to start up? Is it hanging or freezing up? Does your computer's response and activity seem slower or different than usual?

Any of these danger signs mean that you should be checking your system even closer than normal. This also means that it’s becoming necessary to use dedicated software for Trojan and Rootkit detection.

Sadly we've reached the stage in computer security where Rootkit Trojans and other such software have become enough of a danger that only specialty software can address the problem.

So pay attention, do your homework, and get a good Trojan/Rootkit detection program to go with your Spyware/Antivirus software and use them frequently.

Check out the eWeek article on the same subject at:,1759,1841266,00.asp?kc=EWRSS03129TX1K0000614

Thursday, July 21, 2005

American Express Cuts Ties With Processor

Finally at last the major credit card companies (American Express Co., Master Card, and Visa) are taking action against CardSystems Solutions Inc., the Tucson-based company responsible for the largest loss of credit card data in history. It's certainly time for something to happen to this company for putting so many of us at risk for identity theft due to their carelessness.

Let’s hope that this action will send a strong message to all the companies that process our credit cards that the loss of personal data will have major consequences.

But is this really a case of too little too late?

Will the major credit card companies really stick by this decision and not just give a little slap on the wrist to CardSystems Solutions Inc. before going back to business as usual?

Will the credit card companies do what the government so far has been unwilling to do: punish companies that are careless with our personal information?

Well I for one doubt it.

Let’s face it; one of the last of the "Good Old Boy Clubs" is the credit card industry. Most of the companies that process credit cards and collect consumer data are private companies answering to no one. Not to the government, due to the lack of laws and regulations, and not to the public or stockholders, due to their being private businesses.

From the massive amount of lobbying money they throw around in Washington to the ruthless business practices they employ against their competition, the big boys in this industry play rough. Worse still, they care little about the customers that make them their obscene profits. These guys make Microsoft's business practices look like schoolboy antics.

So what I predict will really happen is that as soon as the publicity quiets down the major credit card companies will go right back to using CardSystems Solutions Inc. It will be business as usual, just as it was before any of this ever happened, and their buddies who own CardSystems Solutions Inc. (including Camden Partners, a major private venture capital company which invested $9.3 million in the Tucson company last year) will continue to rake it in while leaving us at risk.

Anyway, a good article about American Express’s, Master Card’s, and Visa’s action against CardSystems Solutions Inc. can be found here:

American Express Cuts Ties With Processor

Let's just hope that it's for real and this company is made to pay the price for their carelessness.

Thursday, July 07, 2005

Microsoft’s Old Dog “Security” Hasn’t Learned any New Tricks.

Microsoft has never received high marks when it comes to security, but things seemed to be getting better. With the advent of security-based code writing and the purchase of a company to get an excellent Spyware/Adware scanner, it seemed that Microsoft had finally decided that their customers deserved security and protection and that Microsoft was committed to providing it.

But as the saying goes, it’s hard for an “old dog” to learn new tricks. Now it seems that Microsoft’s old dog named “Security” is back to its old ways. Microsoft seems to again be looking at profits before security and customer protection.

The first hints of trouble started recently with the growing rumors of Microsoft’s intent to purchase the software company Claria. I’ll bet you’ve never heard much, if anything, about this company. It keeps a low profile, but it’s well known in security circles.

Claria just happens to be the company that has single-handedly produced some of the worst of the Spyware/Adware programs found on the web today. Just look up Gator, Gator Wallet, PrecisionTime, and Weatherscope on Google and you’ll see that these programs have a really, really bad reputation with security experts. (One that is rightly deserved, in the opinion of every expert I’ve studied.)

At first I didn’t put much credence in these rumors of a buyout, but now it seems that there must be some truth to these rumors after all. If it’s not a buyout, something is definitely going on between Microsoft and Claria. It seems that suddenly Microsoft’s much-touted Anti-Spyware program is now passing over Gator and some of the other programs that Claria writes and distributes.

Strange, since by default every single major Spyware/Adware scanning package disables and/or removes all of these Claria programs, so it’s not in question whether these programs are Spyware/Adware. All of these Claria programs were by default also quarantined by Microsoft’s Anti-Spyware program UNTIL their latest “update”. Now it seems that Microsoft has changed the default setting of its scanner to pass over these programs, and it allows them to continue to run on systems it has scanned.

So if Microsoft isn’t trying to buy Claria, then why did they make such radical changes to the basic default settings in their Spyware/Adware scanner? It didn’t happen by accident. Microsoft is smelling profit somewhere, and it looks like they’re willing to lie down and roll over to make it. It’s too bad that some companies will do anything to make a profit. I was hoping that Microsoft had changed that attitude, but it looks like it hasn’t.

Security and data protection have been sold out by Microsoft, and unless their Anti-Spyware scanner is changed back to labeling Claria’s software for what it is, Microsoft will ultimately be held accountable. I would hope that Microsoft wakes up before it’s too late, but I don’t suppose that will happen if the past is any indication.

Microsoft and security still seem to be opposites.

PS If you still want to remove these Claria programs, you only have to go to the ignore list and change the setting back to quarantine or remove to solve this problem. I've already been there and done that!!!

You can also find out more details on this matter in two other good articles located at:

eWeek’s home site,1895,1834607,00.asp
and on Sunbelt's blog site

Saturday, July 02, 2005


Well, the experts are at it again, and it’s a real bone-headed stunt this time. It seems that I received an email the other day that I just knew was a phishing attempt. My credit card company (one of the largest in the country) had sent me an email explaining their new security feature of providing one-time-use numbers for online purchases.

Having a number that was only good one time would make stealing the number worthless. Good idea!! I’m thinking that maybe these guys really have it together. Here’s a simple, cheap-to-implement, useful answer to stop online credit card number theft from being effective. Steal the numbers, so what, they’re useless.

So far so good, I’m thinking as I read on through the very BOOOOOORING letter.

Then suddenly, as I read on, the alarm bells begin to ring. They (the credit card company) want me to click on an embedded link to go to their site to automatically activate this feature.

“YEAH RIGHT” I’m thinking.

Who do these idiots think they’re dealing with, some dumb newbie?

Do they really think that I’m that stupid?

Now, being a good net citizen, I went straight to the bank's site and sent a copy of this email to their “security” contact address. Now I’m thinking that I have nothing to do but sit back and wait to be thanked for reporting this new phishing attack. I just know that the bank will be glad to be able to warn others about it.

Well guess what?

I get a call from the bank the next day telling me that this email is correct and it really is from the bank credit card center.

“WHAT, you guys are sending out emails that contain links to be clicked to go to your site?” I said. “Don’t you know that’s the favorite method used by hackers and phishing artists to get us to go to their bogus sites and be ripped off?”

“But this is different,” said the agent on the line, “we really did send this email. It really will take you to our site.”

“But how should I know your email from all of the other phishing email that I receive?” I ask.

I get a long silence from the other end before he says that I don’t understand how this works. When I click on the link I will activate the one-time-use credit card number security feature, which will protect me from such things as phishing and credit card number theft.

“But what if a hacker or phisher gets a copy of this letter and changes the link to take me to a site where they try to get me to reveal my credit card information?” I ask. “If I have any doubts and contact the bank, you guys will even tell me it’s ok. Just like you're doing now. How could I not be fooled by this copied email into going to a rogue site? You've told me everything is ok.”

“But it is ok,” the agent says. “You don’t have anything to worry about, we did send you that email.”

Well, as you can guess, by this time I’m giving up on this guy, so I thank him for his help and ask to talk to his supervisor. When the supervisor comes on the line I let him know that I think I’m going to change my credit card company and could he just put a hold on the account until I can pay off the balance due.

I bet you know what he said. “Why would you want to do that?”

Well, I told him that I would send him an email to explain it to him if he would just give me his email address. While writing this email I was sorely tempted to enclose a clickable link to my blog site so he could read this letter, but I resisted.

Besides he wouldn’t get it anyway!!!!
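The worry in the exchange above is that a phisher's copy of the bank's letter could carry a swapped link and the bank's own staff would still vouch for it. The check below is an added example, not code from the blog or from any bank: it pulls every link out of an HTML email and flags those whose target is not the bank's own domain, is not HTTPS, or whose visible text names the bank while the real target points elsewhere. The domain `example-bank.com`, the sample message and the `.example` hosts are all constructed for the demonstration, and the domain comparison uses the last two labels of the hostname, which is a simplification (a production check would consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domain the real bank uses (assumption for this example).
TRUSTED_DOMAIN = "example-bank.com"

# Constructed HTML email: one genuine link, one IP-address link disguised
# with the bank's name as its visible text, one look-alike subdomain.
SAMPLE_EMAIL = """
<p>Activate one-time-use card numbers here:
<a href="https://www.example-bank.com/activate">Activate now</a></p>
<p>Or use <a href="http://198.51.100.7/activate">www.example-bank.com</a></p>
<p>Problems? <a href="https://example-bank.com.evil.example/login">Log in</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels of a hostname (simplified; no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, trusted_domain):
    """Return a list of findings, one per link that fails any check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("scheme is %r, not https" % (url.scheme or ""))
        if registrable_domain(host) != trusted_domain:
            reasons.append("target host %r is not under %s" % (host, trusted_domain))
        # Visible text names the bank but the real target is somewhere else.
        if trusted_domain in text.lower() and registrable_domain(host) != trusted_domain:
            reasons.append("visible text %r does not match target host %r" % (text, host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAIN):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed message, the genuine `https://www.example-bank.com/activate` link passes and the other two are reported, the IP-address link for both its `http` scheme and its misleading visible text. Nothing here proves a passing link is safe; it only gives the reader a mechanical reason to distrust a link before a phone agent assures them it is fine.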

PS Another article on the subject can be found here:,1759,1833855,00.asp?kc=EWRSS03129TX1K0000614

PPS Have a safe and sane Fourth of July, everyone. I want to see you back here again, so be careful.