Archive for the ‘security’ Category.

Microsoft’s Seven Year Delayed Patch - The Saga Continues

You might have thought that with Microsoft’s “Patch Tuesday” fix of the seven-year-old bug, things would be over.  And in a more perfect world, they would be.  Unfortunately we don’t seem to live in that more perfect world.

The problem is, according to sources like Metasploit, it ain’t over yet.

“The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim,” says Metasploit.  In fact, Metasploit goes on to say, “The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to.”

And since relaying to a third host is quite possible to do, Microsoft’s “fix” only closes the reflection case (attacker bounces the victim’s credentials back at the victim itself).  Against a dedicated attacker who relays the victim’s NTLM authentication to any other machine that user can log on to, it amounts to nothing.

So what does Microsoft have to say about it?  Well, let’s take a gander over here, where Christopher Budd speaks.

Let’s see. “At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.”  Okay, congratulations on being able to throw acronyms around.  “When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications.”  Well … yeah.  Obviously fixing the problem would mean changes to every application that uses the faulty protocol.  It’s a lot of work.  Something that should have been started right away, instead of being put off.  But why do that when you can procrastinate?

“We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.”  So the workaround wasn’t actually feasible.  Microsoft’s own words here.  “As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend.”  Wait, so it’s not feasible, but it’s still the option that Microsoft recommends?  Even after releasing their “fix”?

“However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068.”  Oh, great.  The MS08-068 that according to Metasploit isn’t actually a complete fix, because an attacker can work around it by relaying to a different host and still execute code remotely.

So let me get this straight.  Microsoft delays a fix to Windows for seven years because it would mean also fixing all of the affected networking clients, instead of just fixing it and fixing the clients too.  Their suggestion to people who are afraid of an attack by this route is to use an admittedly “infeasible” workaround.  And when, so much later, Microsoft finally patches the actual security hole, they don’t fully patch it, but just one approach to it (reflection back at the victim), so that attackers can still get around the patch by relaying elsewhere.  So your options are a patch that only half works, or an “infeasible” workaround?  And that’s after seven years!
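To make the reflection-versus-relay distinction and the SMB signing point concrete, here is a small added model (example code written for this page, not code from the original post, Metasploit or Microsoft).  Everything in it is a deliberate simplification and an assumption of the example: the NT hash is modelled as SHA-256 of the UTF-16LE password (real NTLM uses MD4), the response as HMAC-SHA256 over the server challenge (real NTLMv2 uses HMAC-MD5 over more fields), the MS08-068-style check as “a host refuses to answer a challenge that its own SMB server currently has outstanding”, and SMB signing as an HMAC over each command under a session key derived from the NT hash, which a relaying attacker never learns.

```python
"""Toy model of NTLM relay: reflection vs. third-party relay vs. SMB signing.

Added example; not the original post's, Metasploit's or Microsoft's code.
See the lead-in for the list of simplifying assumptions.
"""
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash (assumption: SHA-256 instead of MD4)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def ntlm_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge-response (assumption: HMAC-SHA256)."""
    return hmac.new(pw_hash, challenge, "sha256").digest()


def session_key(pw_hash: bytes, response: bytes) -> bytes:
    """Signing key; only a party holding the NT hash can derive it."""
    return hmac.new(pw_hash, b"sign" + response, "sha256").digest()


class Session:
    def __init__(self, host, user, key):
        self.host, self.user, self.key = host, user, key

    def run(self, command: bytes, mac: bytes = b"") -> bool:
        """Execute a command; with signing required, the MAC must verify."""
        if self.host.require_signing:
            good = hmac.new(self.key, command, "sha256").digest()
            if not hmac.compare_digest(good, mac):
                return False
        return True


class Host:
    def __init__(self, name, users, reflection_check=False, require_signing=False):
        self.name = name
        self.users = users                        # username -> NT hash
        self.reflection_check = reflection_check  # MS08-068-style check (modelled)
        self.require_signing = require_signing    # SMB signing mitigation (modelled)
        self.outstanding = set()                  # challenges this server issued

    # Server side
    def issue_challenge(self) -> bytes:
        c = os.urandom(8)
        self.outstanding.add(c)
        return c

    def verify(self, user, challenge, response):
        """Return a Session on success, None on failure."""
        if challenge not in self.outstanding or user not in self.users:
            return None
        self.outstanding.discard(challenge)
        pw_hash = self.users[user]
        if not hmac.compare_digest(ntlm_response(pw_hash, challenge), response):
            return None
        return Session(self, user, session_key(pw_hash, response))

    # Client side (the victim's outbound SMB connection to the attacker)
    def answer(self, pw_hash, challenge):
        if self.reflection_check and challenge in self.outstanding:
            return None  # our own server issued this challenge: reflection
        return ntlm_response(pw_hash, challenge)


def relay(victim: Host, target: Host, user: str, pw_hash: bytes):
    """Attacker lures `victim` to connect, opens a connection to `target`,
    forwards target's challenge to the victim and the victim's response
    back to target. Returns whatever Session the attacker ends up with."""
    challenge = target.issue_challenge()
    response = victim.answer(pw_hash, challenge)
    if response is None:
        return None
    return target.verify(user, challenge, response)


def scenarios() -> dict:
    pw = nt_hash("Winter2008!")  # constructed sample credential
    unpatched = Host("victim-unpatched", {"alice": pw})
    patched = Host("victim-patched", {"alice": pw}, reflection_check=True)
    fileserver = Host("fileserver", {"alice": pw}, reflection_check=True)
    signed = Host("fileserver-signed", {"alice": pw},
                  reflection_check=True, require_signing=True)
    r = {}
    r["reflection_unpatched"] = relay(unpatched, unpatched, "alice", pw) is not None
    r["reflection_patched"] = relay(patched, patched, "alice", pw) is not None
    r["relay_to_third_party_patched"] = relay(patched, fileserver, "alice", pw) is not None
    s = relay(patched, signed, "alice", pw)
    r["relay_to_signed_host_auths"] = s is not None
    # The attacker holds a session but not the NT hash, so cannot sign.
    forged = hmac.new(os.urandom(32), b"net use", "sha256").digest()
    r["relay_to_signed_host_runs_command"] = s.run(b"net use", forged)
    # The legitimate client knows the hash, derives the key, and signs.
    chal = signed.issue_challenge()
    resp = ntlm_response(pw, chal)
    legit = signed.verify("alice", chal, resp)
    mac = hmac.new(session_key(pw, resp), b"net use", "sha256").digest()
    r["legitimate_signed_command"] = legit.run(b"net use", mac)
    return r


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'succeeds' if ok else 'blocked'}")
```

The model shows the shape of the argument: the reflection check only fires when the challenge came from the victim’s own server, so relaying to a second machine sails through it, while signing stops the relayed session from doing anything useful because the attacker can authenticate but cannot produce a valid MAC.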

Yep.  That’s security, Microsoft style.

Grisoft AVG - On The False-Positive Rampage! This Time It’s Adobe Flash!

So in less than a month Grisoft has issued false positives in their AVG (free and pay editions, versions 7.5 and 8) virus definitions that claimed the incredibly commonly used firewall, CheckPoint’s Zone Alarm, is a virus, as well as the almost universally present (because it’s Windows) Windows XP system file user32.dll.  Not one, but two extremely commonly used files marked as viruses when they’re clearly not.  This should have been caught in testing before release to the world at large, because if these programs aren’t installed on the test bed, then what the heck is?

Well, it ain’t over.  Not by a long shot.

Because now in less than a month we have three, yes, count them, three false-positives from commonly used software.  That’s right.  Just shortly after smearing egg on their face with the Windows user32.dll false positive, Grisoft went and released a false positive of … Adobe Flash.  Yes, that’s right.  That little bit of software used all over the place on the internet.  That practically anyone who surfs the web has installed.  That just as clearly should be in Grisoft’s test bed.  That Adobe Flash.

I don’t think it could possibly get much more embarrassing for Grisoft at this point.  I mean it was bad enough when they instituted their Link Scanner that automatically pre-scanned common search results, causing web page hits across the world to jump insanely high when people weren’t actually visiting the sites, just getting them returned as search results.  That was bad.

But now three major false positives, one of which rendered customers’ computers inoperative if they acted on it, in less than a month.

Hello?!

There was a time when I would have said that Grisoft AVG was hands down one of the best anti-virus software packages out there.  It had a lot to offer, and was well refined, even for the free version.  It used less resources than the majors from Norton and McAfee and worked just as well.  And so I’d used it for years.

In all fairness, I can no longer make such a statement.  There are others out there that are better.  There are others out there that are actually taking the time to test before release.

I’m not saying don’t use Grisoft.  If you have it, and like it, then by all means, the choice is yours.  But if you’re looking for something new, maybe, sadly, it’s time to look somewhere else.  Grisoft no longer inspires confidence.

Grisoft AVG And The Deadly False Positive

Grisoft, makers of the AVG anti-virus software, have made a bad mistake.  Correction, have made two bad mistakes.  The first was identifying CheckPoint’s Zone Alarm as a trojan not long ago.  The second, was identifying a Windows system file (user32.dll) as a virus.  Of course it wasn’t.  It’s a false positive.  But if you make the mistake of believing your AVG antivirus, you’re going to end up with a computer that can’t boot up.

Now, false positives happen.  But false positives on core software, like a very commonly used security firewall, or worse, like a file from an extremely widely used operating system, shouldn’t happen.  Any basic testing should catch these false positives before the virus definition update is released to the public.  And before you let any scanner quarantine a file under the Windows directory, it is worth checking that the file really is what it claims to be: Windows XP ships sigverif.exe to verify the digital signatures on system files, and sfc /scannow will restore protected files from the original sources.  A genuine Microsoft-signed user32.dll is not a virus, whatever the definitions say that day.

Clearly, that isn’t happening.

Grisoft is failing to perform even basic quality assurance.  And customers have every right to complain.  Free and pay users of AVG 7.5 and 8 are all affected by these obviously untested virus definition updates.

For what it’s worth, Grisoft has fixed their virus definitions, so if you have performed an update as of today, you’re safe.

And for those who let their AVG anti-virus break Windows, Grisoft offers a support page, without a direct link.  Look for item 1574 here.  Let’s hope that you still have your Windows XP install CD handy.  Heck, with as many OEMs that just ship recovery CDs instead of Windows install disks, and as many OEMs that don’t even ship you an actual CD - just an ISO you can download or an equally useless measure, let’s hope that you actually have a Windows XP install CD, period.

Random false positives are to be expected.  Nothing is ever fool proof.  But false positives on operating system files are just unconscionable.  Grisoft, you should be ashamed.

Listening In To Your Keyboard

Computer security is as vitally important today as it ever was.  And you might have all of your passwords locked up safe inside of your head with a vow to never tell another soul, but sleep fitfully, for your computer’s keyboard has no such qualms.

No, I’m not talking about keylogging software.  Though that certainly is something to fear too, a good security sweep will keep nasty programs like that at bay.  I’m talking about the simple electromagnetic emanations from the wires that connect your wired keyboard to your computer.  (And no, wireless is most definitely not better.  By definition wireless broadcasts your keyboard’s activity.)  Be it PS/2, USB, or even the built-in keyboard of your notebook computer, the data has to travel over wires to get from the keys to the computer.  And for people who know just how to listen in, your data is far from secure.

So say Martin Vuagnoux and Sylvain Pasini of the Security and Cryptography Laboratory (LASEC) at the School of Computer and Communication Sciences (I&C) at the EPFL.  (Say that five times fast.  Better yet, say it in French.)

They found four different ways to wirelessly snoop your keyboard’s activities, from a distance of up to 20 meters (65 feet) away, even through walls.  No keyboard was safe from these researchers.

And it’s not just computer security at risk.  Any key or number entry pad potentially poses the same security risk, including ATMs.

Now, while scary, this is certainly not an attack you can expect the common criminal to attempt.  For one, you need a big antenna.  John Q. Public standing next to an ATM with a huge antenna might be a bit suspect.

But professional corporate espionage is certainly game.  That white van parked in your parking lot?  That office across the street?  The apartment next door to yours?  It’s not just your wireless ethernet (and other devices) that you have to worry about anymore.  Now you have to worry about your computer itself.

Which, actually, has pretty much always been true anyway.  The only safe computer has no wireless devices, is disconnected from the internet, is running tons of security software, from a non-admin account, is unplugged, and buried twenty feet in the ground.

Or, in other words, simply the act of using a computer makes your data unsafe.  There is no such thing as a completely secure computer.

Still, there are plenty of things that one can do to keep a computer relatively safe.  And surely I’ve gone over them all before.  But there’s also a new one emerging.  It started with the advent of wireless technology, and is no doubt growing in importance day by day.  And that is blocking electromagnetic radiation.  There are more and more technologies like EM shielding paint that can be used to EM secure a room or building.  And if your data is of the utmost importance, perhaps it’s time that you looked into separating your PC’s room (or building) from the rest of the EM world.

Yet More Firefox Security Vulnerabilities Fixed

So Mozilla has released some much-needed Firefox fixes.  From memory corruption to privilege escalation.

While it’s nice to see such high priority fixes being worked on, one can’t help but wonder what “Forced mouse drag” was doing in the lot with them.  Still, any security hole that gets boarded up is one less attack route.

What I’m personally really hoping to see is that Firefox 3 can finally address its incredible slowness in closing.  Since Firefox 2 didn’t suffer from such a horrible fate, I know it must be possible to resolve.  The same goes for the spell checker, which became suddenly dumber than a brick in Firefox 3 when it was actually useful in Firefox 2.  Can we please just revert that code if nothing else?

Anywho, so at least Mozilla is trying.  They are fixing the turd that is Firefox 3.  Maybe it’ll even eventually, one day, be as useful as Firefox 2 was.

Now if they’d only design it so that you can turn off and hide features that you don’t want…