Welcome to Working Nets Tech Thoughts!

For more information about our company, please see our main website at www.workingnets.com.

To schedule a Free I.T. Consultation in the Greater Baltimore area, please use our Contact Us page, or phone us at
(443) 992-7394

Wednesday, August 4, 2010

What is User Account Control (aka UAC)?

The much-maligned UAC is an important Windows security feature that first made its debut in Windows Vista, and has continued into Windows 7 and Windows Server 2008. It's a really important feature that we should all be embracing. But most people don't really understand what it does; they find it annoying and largely ignore it. Worse, some folks actually turn it off, which removes a lot of the protections afforded by Vista and 7 over Windows XP.

In brief, UAC is the security feature that makes your screen go dark, and brings up a window asking you to Allow something to do something (i.e. install software) to your computer.

It is interesting that Macs have something very much like it, as do most current versions of Linux. But their users don't seem to complain about it too much. I think this is due, largely to the way Microsoft chose to go about it, particularly in Vista. Windows 7 has done it a lot better, but I still think we have a way to go.

So what, exactly, is UAC? What does it do? Why do you want it?

In order to understand that, we have to go back a little bit...

Why XP is so vulnerable

There's a concept in Security referred to as "Least Privilege." The idea is that you give someone the least access you can, while still allowing them to do their job. It makes sense, if you think about it. You give all of your staff access to the email system and the Internet, but the Accounting Dept. also gets access to the financials, and HR has access to the personnel files. There's no reason for HR to be rooting around in the accounting system, or for Accounting to be looking at whether Bill was reprimanded for that incident in the Break Room... The Janitorial folks, who come in when everyone else has gone for the day, have access to everyone's offices, but not the network. That's Least Privilege: Everyone has what they need, but not more.

Well, most people don't really need administrative privileges on their local computers either. Certainly not most of the time. It doesn't take an admin to write a Word document, or work on a spreadsheet. But those Microsoft Updates need to be installed, and there's that new version of Firefox, and they really wanted to try that new utility everyone's been talking about... In larger companies, those things are regulated by the central I.T. Dept. and that's that. But at home or in smaller companies, it's just easier to let people do those kinds of things on their own. So it's typical, on Windows XP computers, to just give the local user administrative-privileges on their own computers.

The problem is that now you use that administrative-user account to go to some perfectly legitimate website on a server that's been infected, and wham - things start popping up all over your machine. Nasty, vile things that you don't want to see; that you certainly wouldn't want your kids, or your boss, to see. Then you get a window that tells you that you've got 3 bazillion viruses on your machine, and that you've been barred from the Internet, but that for a mere $80.00, they'll unlock their "malware removal tool," which will immediately fix all the problems, and all will be right in the world again.

And then, you call me...

UAC

Now imagine that you didn't have to worry about some of those things. Imagine that your computer automatically stopped the bad stuff from infecting your computer. Imagine that, instead, your computer told you that something was trying to install itself, and then asked you if you were sure you wanted it to install. Then you could say something like, "Hey - I wasn't trying to install anything on my computer. I was just surfing on a website. Why is it trying to install stuff on my machine? That might be malware. I'm going to say No!"

Alright, stop imagining. That's what Vista and Windows 7 are doing. In keeping with the concept of Least Privilege, your "Normal" account is now secretly a "Limited" account. And for most of your day, that's fine. When something comes up that requires Admin-level privileges, instead of just telling you that you can't install it with a Limited account, it asks you if you'd like to temporarily upgrade your privileges, in order to do that particular function.

That gives you the best of all worlds: You're using Least Privilege at all times, without even knowing it. The bad guys can't install things surreptitiously on your computer, because they don't have the permissions required to do it. The only way they can get those permissions is by asking you! Sure, they'll use Social Engineering techniques to try to trick you into saying Yes, but that's more difficult. You can say No.

But Microsoft doesn't explain that part so clearly. Instead, in typical Microsoft-ese, they tell you that "A program needs your permission to continue..." They don't tell you what, or why. And you get frustrated because you've seen it before, like when you were legitimately trying to install Flash Player, and they freaked you out with that pop-up window, (because you thought it meant you had a virus). But it turned out to be okay. Now, you see that window so often that you just Allow everything without even thinking about it. Or maybe you've disabled it entirely, to prevent it from ever bothering you again.

Software Companies and UAC

Also frustrating is that many software manufacturers actually recommend that UAC be turned off, in order to get their software to run properly. They do it because their software isn't really written to the Vista/7 specifications, but they wanted to get their applications to run on those OSes, without having to recode them a whole lot. This is most common with "Vertical Market Applications," which are applications written for specific industries: Beauty Salon Management software; Medical Office software; Auto Shop software; things like that.

The companies that make these types of software are usually smaller companies, with very limited budgets. They don't want to rewrite their software if they don't have to. And they often don't have to because there's no push-back from their target markets. They don't have customers threatening to switch to a competitor because of it. But they should! Essentially, they are saying that they don't care about their customers' security. They'd rather put your computers and your data at risk, than rewrite their out-of-date code to conform with new security standards. And since you don't know better, you don't complain about it.

Well, now you know better!

What else can I do?

So if you shouldn't turn off UAC, what do you do when some applications just won't run properly with it turned on? What do you do when the software vendor's Support Team tell you that it's not compatible with their software?

I'd like to say that you tell them that you're going to switch to another application unless they fix the problem, but that's not always realistic. I'd also like to say that Microsoft has provided a way to address it, but unfortunately, they haven't really.

Microsoft did improve the UAC configuration set significantly in Windows 7. In Vista, there were two settings: On and Off. And the On setting was very annoying, giving rise to things like this commercial, from Apple. Windows 7 now has an additional option in between those two poles. Alright, they give you two, but they're really identical, except for the question of whether the screen goes dark or not. This additional option(s) says that it will ask you about some things, but not about others. It's much less intrusive. But even this isn't good enough, in my opinion.

There's much talk from users about the possibility of a UAC "Whitelist", which would allow you to specify certain applications as being automatically Allowed by UAC. I think that would be a great idea! It would enable you to avoid UAC problems for known applications, while still protecting your computer from the things you don't want installed. Yes, it could lead to some compromises. You could expressly Allow malware to run, defeating the purpose of it. But let's face it: you just can't protect everyone from everything. And it would be better than having people turn UAC off on their machines entirely. But for now, that's not an option. Hopefully, they'll put something like that in soon.

If you're a Vista user, there is a Norton tool that's still officially in "beta," which apparently does exactly what I was suggesting: It allows you to save a UAC setting for a given application, so if you Allowed it once, it will always allow it. The tool looks like it does a great job, but it doesn't work for Windows 7 - I tried it.

Otherwise, in those situations, you may just have to turn it off. But you should be asking your software companies why UAC isn't supported, and when they'll have a version that works properly available. And you should be aware of the risks.

Tuesday, August 3, 2010

Microsoft Patch - MS10-046 - Critical

Microsoft released a Critical patch today for pretty much all versions of Windows, from XP on up. (This doesn't mean it doesn't also apply to earlier versions; just that earlier versions are no longer supported.)

The issue behind this patch lies in that when you create a shortcut for something, Windows actually reads part of the underlying file to pick up things like the icon to use for the shortcut. Well, they've found a problem in the way that this works, and that very process of displaying the icon can be exploited, enabling code of the attacker's choosing to run, with the privileges of the locally logged-on user.

In other words, you don't even have to run the program, in order to be attacked. All they have to do is make an icon appear on your desktop, and when Windows reads the file to display the icon for it, it will run the malicious code with your permissions. Since many people use Windows XP with Administrator permissions, this means they own your system. And since many people with Vista or Windows 7 routinely ignore (or even turn off) the UAC warnings, they're going to to own them too.

If your system is set for automatic updates, you'll have already applied this patch this morning. If not, do! It's a Critical level security patch, and it will likely require a system reboot - it did for me.

Wednesday, July 14, 2010

Facebook Privacy - Again

It's true... Once again, those security guru's at FaceBook have decided that your privacy isn't all that important. At least, not important enough to do something novel like... ask your permission before divulging your personal information!

This time, it's your phone numbers. Recent changes now have the defaults set to show your phone numbers to your Friends only. I guess I can hear the logic on it: If they're my friends, then maybe it's okay for them to have my phone numbers. Unfortunately, that's not in line with the way most people actually use FaceBook. They have business acquaintances, the guy they met at that last trade show, people they knew back in kindergarten who may have grown up to be axe murderers (you never know...), etc. Come on people - we've all done that. And we're generally okay with them seeing our bizarre thoughts, but do we really want them all calling us?! I think not!

Nonetheless, they are out there, available. If you want to get an idea as to the scope of this, try this:
  • Log into your FaceBook account.
  • On the top right of the screen, click Account, and then Edit Friends.
  • On the left side of the screen, click Phonebook.
Take a look at all your friends, and their phone numbers!

Now if you don't want your numbers to be displayed like that, here's what you gotta do:
  • Click Account, and then Privacy Settings
  • Select Custom, and then click Customize Settings link, on the lower left of the chart.
  • Scroll down to the Contact Information section, and then set the appropriate items to Only Me.

Friday, May 28, 2010

Man Infects Self With Computer Virus

In England, this past week, Rory Cellan-Jones, reporter with the BBC, reported about a "scientist", Dr. Mark Gasson, who implanted himself with a computer virus. Apparently, this was supposed to be an "ooh, aah" sort of thing. Revolutionary and whatnot. It wasn't, but more on that later.

The response to the article was apparently (and I believe correctly) largely derisive, to the point where yesterday, Mr. Cellan-Jones published a follow-up article. In it, he admits that he "should have adopted a more sceptical tone" in his original piece, but then attempts to justify it anyway. He also contacted Dr. Gasson for a reply to some of the criticism. Dr. Gasson responded that he wanted to bring attention to the need to consider security in medical technology devices.

Now, I agree that security absolutely must be considered as we begin to move towards electronic devices being used as body parts. It would be terrible if, for example, unsecured wireless technology was used to connect the brain to an artificial arm, and someone hacked it and made it beat its owner to death. But Dr. Gasson's experiment isn't anything like that.

What Dr. Gasson did was take some "virus code", put it on an RFID chip, and implant it under his skin. The code was designed to redirect a web browser to a malware site. Dr. Gasson is not a web browser, at least not in the technical sense. And the chip doesn't have the mechanics necessary to make him do anything. It was no more impressive than if he stuck it in his pocket. This "experiment" is sort of analogous to sticking dirt up your nose to see if it will give you a dirty mind. At best, this was more a political point than a science experiment. At worst, it was simple publicity seeking.

Wednesday, April 21, 2010

Opening Attachments

You're sitting at your computer checking your email, when you notice that you've got one from DHL. You open the message and read an official-looking message saying that they tried to deliver a package to you, but no one was available. Please open the attached file which contains a form they need to redeliver. Now maybe you're waiting on a package and don't remember whether it was DHL, UPS or FedEx; maybe you're not waiting on a package and can't figure out what they would be trying to deliver to you.

Or...

You get an email from your brother's email address that says, "Check this out - it's really funny!" It's got an attachment. Well, your brother wouldn't send you anything bad would he? (No seriously - would he? I probably don't know your brother.)

In any case, you open up the attached .zip file, run the executable it contains and then... WHAM! You're infected!! Suddenly you've got hundreds of porn pop-ups appearing on your machine. And you've got something that says it's an anti-malware program that you don't remember installing, coming up to tell you that it's discovered 385 infections, and you need to run it to get rid of them.

Why did this happen?

In most cases, the reason this happened was because of a technique called Social Engineering. Social engineering is the act of manipulating people into performing actions or divulging confidential information - sometimes both.

Social Engineering relies, primarily, on two things: the basic trusting nature of most people, and fear.

In the first example, there was a little bit of both. You trusted that the email was actually from the company it said it was, and you were afraid something bad would happen (i.e. they wouldn't deliver your package) if you didn't do what they said.

In the second example, it was basically just trust. Why would you think that your brother would send you a virus? In fact, your next phone call or email is probably to your brother telling him that what he just sent you was infected. And when he tells you he didn't send you anything, you don't know what to make of it.

Windows Pre-Vista

The previous examples are most prevalent on PCs running Windows XP or earlier. Why? Because they're the most susceptible. Here's why:

Microsoft and most security experts agree that the best way to run your computer is as a "Limited User". In other words, a user account that doesn't really have the privileges to install software, or do other things that could impact the entire machine.

But most users don't want to run their machines as a Limited User, because... well, frankly, it's a pain. This, of course, is only even relevant for folks using Windows NT, 2000 or XP. Anything earlier than that didn't even have the option to run as a Limited User anyway. (If you're using anything earlier than Windows XP, we should talk anyway.)

But if you run as an Administrative User, then anything you run is run as an Administrator, and Administrators are presumed to know better.

Windows Vista/7 and the UAC

Enter Windows Vista (and now Windows 7) and UAC (User Account Control). This allows the best of both. When you log into your PC, you're using a Limted User account, and you run everything in that limited mode. When you want to install something, or try to do anything requiring upgraded permissions, everything freezes and goes a bit dark, and a window pops up asking whether you want to allow it. If you say yes, it temporarily places you in Administrative mode to affect the change. Then you go back to your Limited User account, and continue your work.

There are two problems:

  1. People get so used to seeing that "annoying box" that they click Allow without even really looking at it, or thinking about it.

  2. Some people get so sick of the box they actually turn off UAC. Also, some vertical-market applications tell you to disable it (which is usually a sign of bad programming, but be that as it may...)


Either of these behaviors will allow malicious code to run unimpeded on your machine, even with a more-secure operating system. Turning off UAC is actually worse, because you no longer even know there's anything trying to get in. It makes it, effectively, Windows XP in Administrative mode.

Tips

Here are some rules of thumb that I use when dealing with email attachments:

  • Don't open them unless you have some reason to believe they are safe.

  • Just because the "sender" is someone you know and trust, doesn't mean it's safe. They could have gotten infected themselves, and the virus could be sending itself to all their contacts. Some malware is even smart enough to scan the user's contact list, choose two names and then send messages "from" one to another. So some third party may have been infected, and you get an email "from" someone you may know in common.

  • In general, you can open attachments you're expecting. If you're waiting for me to send you a Service Contract proposal, and you get one from me, it's probably okay.

  • Even if you weren't expecting it, per se, if you have contextual reasons to believe it's really from the person it says it's from, it may be okay. In other words, if the message part says, "Open this. It's funny." - that's not okay. But if it says, "Hey Dave - This is that article you asked me to write for your blog. Tell me what you think." - that's probably fine.

  • If you're not sure, ask. Send an email back to the sender asking whether they really intended to send that file to you.

Friday, February 12, 2010

Remote Access

It's February 2010; a couple of days after what President Obama referred to as Snowmageddon. At least if your office is in this region, right now, you've probably been thinking about Remote Access to your computer systems. If you have it, you've been very glad of it. If you don't, you may have been wishing you did. And you wouldn't be alone: According to a CNNMoney article, LogMeIn's remote access service usage surged nearly 40% during the recent storms.

Bad weather is but one of the reasons many businesses need some form of remote access, or even remote office solution. It can be a critical component of your overall Disaster Preparedness Plan. If your computers don't shut down because of some environmental disaster, why does your business have to?

Remote access to your systems can also enable you and your staff to be a bit more time-flexible, or provide for remote technical support. (Yes, I use it all the time.) It can enable sales staff to access critical data while on the road, even from a SmartPhone.

Sounds great! What do we need to do? Well, slow down a moment. Like most things, you do need to put in a little bit of forethought and planning for this. So here are some things to think about:
  • How many people are going to need to use it? Concurrently?
  • Do we need application access, or just data access?
  • How important is remote printing?
  • Do we need remote access even during the workday, without affecting others' work?
  • How concerned are we about security?
These, and other factors can determine which is the most appropriate / cost-effective way of providing remote access services. These are some of the major categories used:

Remote Control
This type of solution has been around for a very long time. Typical examples of this type of solution include GoToMyPC and LogMeIn. A small client application is installed on the user's PC(s), which connects out to the provider's Internet servers. On the remote side, the user logs into the provider's website, and makes a connection to the provider's website. To make the actual remote-access connection, these two separate sessions are connected through the provider's site. Both connections typically use strong encryption, making this type of remote access pretty secure.

As the name describes, this type of connection literally has the remote user taking over control of the host PC. This means that, typically, someone at the office could actually be watching whatever the remote user does, and the remote user will have no way of knowing it. If the user is accessing confidential data, this could be a concern.

Also, because the user is actually taking over the entire computer, the computer cannot be used by anyone else at the same time. If the access is needed during the regular business day, it has to be on a computer that no one else uses.

Terminal Services
This type of solution has many of the same benefits as the Remote Control solutions. The user gets a virtual desktop and runs applications at the remote site. When using a Terminal Server, you can have multiple users on the same machine simultaneously, each with their own virtual desktop. Since users are not actually taking over the remote machine, passersby at the office cannot watch a session taking place. And since a Terminal Server is generally a dedicated machine, it doesn't affect other users ability to work.

There are some things to be aware of, though. For example, remote printing can be tricky - especially if you're trying to print to a printer on a remote network. Also, security can be a concern. The encryption used by RDP (Remote Desktop Protocol) is not as strong as some other solutions - at least not by default. And, of course, there is the cost of the Terminal Server itself. A Terminal Server is a Server, requiring a Microsoft Server operating system, and typically, server hardware.

Virtual Private Networks (VPN)
VPN is a term I've often heard misused to mean all sorts of remote access services. So let me explain what it is: A VPN uses encryption to form a "tunnel" through an untrusted network (i.e. the Internet). So if you have two offices, you can use a VPN to connect them through the Internet, enabling machines to communicate securely between the two sites. You can also create a VPN from a computer to the network, allowing that computer to communicate as if it were directly connected to the network.

Typically, the encryption used is strong. But people often complain that performance is slower than they expected. The issues are usually due to applications that are not particularly well-suited for this type of connection.


The important thing is that you know your options, and understand both the costs and the benefits each can provide for your business.

Monday, January 18, 2010

Is My Network Secure?

Have you ever asked yourself that question? I get it all the time. That, and "How can I make my network secure?" Unfortunately, it's not quite that simple. Security isn't really a thing you can do, per se. It's part of an overall posture you set up for your business, as I described last month.

The instructor of the first computer security class I ever took, told us that there is an inverse relationship between Security and Convenience. Translated that means, the more convenient something is, the less secure it is, and vice versa. In my roughly 20 years of computer-industry experience, I've found that rule to be fairly accurate.

Here's an example: Wouldn't it be much more convenient if you didn't need to lock your car door and use a key to start it up? Imagine never having to worry about losing your car key again! But you would never really consider leaving your car unlocked with the key in the ignition, would you? Of course not. Because if you did, you probably wouldn't have the car for very long.

On the other hand, if you really wanted to make your car secure, you could pull out the spark plugs every time you parked it. That'd make it much more secure, but it would be extremely inconvenient - not to mention messy.

Instead, most people choose to use other means to secure our cars, including:
  • Keys
  • Alarms
  • Steering-wheel locks, like The Club
  • Immobilizer devices

All of these require special devices and/or security codes to use the car. Thus, they all require some sacrifice of convenience. We use them because we find them less inconvenient than having our cars stolen.

And so...


And so, we wake up in the morning, get dressed, and then get into those cars and, after having disabled all our security devices, drive them to work, where we sit down at our computers and log into our systems using the same username and password that everyone in the office uses, and which we haven't changed for the last three years. In case we do forget it, it's written down on a Post-It note hidden under our keyboards where nobody would ever think to look. Not only that, but we use the same username and password for every website we've ever signed up with, including PayPal, which is used to transfer money over the Internet.

What can we do?


One fairly simple thing you can do to help protect yourself, and your business, is to improve your password policies. Here are some suggestions for improve your passwords:

  • Use at least 8 characters
  • Use at least 3 of the 4 types of characters (Uppercase, Lowercase, Numeric and Symbol)
  • Change your password at least twice a year. More frequently would be better, but at least twice
  • Don't keep your passwords where they could be found. Under the keyboard, in your desk drawer, or on your bulletin board all qualify as "where they could be found"
  • Use character substitutions to help make passwords more complex, yet easy to remember
    • a becomes @
    • s becomes $
    • i becomes 1
    • o becomes 0
    • e becomes 3
    • WorkingNets becomes W0rk1ngN3t$
  • Consider some of the following when making a complex password, to help make it memorable:
    • Passphrases: OnceUponATime
    • Misspellings: SkubaDyver
    • Themes: MilesDavis, SonneyStitt, TheloniusMonk (old Jazz Musicians)
    • Combinations: M1l3$D@v1$, 0nc3Up0n@T1m3, $kub@Dyv3r
  • Wherever possible, don't share passwords. There are other ways to get into important data, if you have to.
Using some of these basic methods can go a long way towards protecting your business, and yourself, from fraud.