More Ways To Surf Safely

March 8, 2008 – 6:09 PM

In the last newsletter, I suggested creating a limited user account on your computer and using that to surf the internet. As a limited user, it becomes very difficult for malware to attack the browser and install itself. As it turns out, there is an even simpler way to do this.

Several people wrote to mention a program written by a Microsoft programmer called DropMyRights. This program allows you to use your computer as an administrator while opening programs with limited rights. It is a much easier way to surf the web than what I described last time.

You install the program, then move the .exe file to another folder, “c:\lowrights” for example. Then you right-click on your desktop and create a new shortcut. To create a shortcut that loads Internet Explorer with limited rights, this is what you would put as the location: c:\lowrights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe". The quotation marks around the Internet Explorer path are required because the path contains spaces.

When you launch Internet Explorer with that shortcut, the DropMyRights program will give it the same permissions as a limited user. You cannot install or run ActiveX and most of the methods used to install malware will fail. I tested this out on a couple of very nasty web sites and absolutely nothing happened.

You still see the prompts asking permission to install ActiveX controls. However, nothing happens even if you say yes. You can test this out at SpywareInfo. We have a page that will load an ActiveX spyware scanner designed by X-Block and it is perfectly safe. The page is at http://www.spywareinfo.com/xscan.php. If you ever have a legitimate need to install an ActiveX control, you can simply launch Internet Explorer with the normal shortcut.

This also works with any other program on the computer. Just create a shortcut to the program, with dropmyrights.exe in front of the program’s location and it will launch that program with limited rights. That means you can do this with your email or instant messenger programs.
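The shortcut procedure above can be scripted for several programs at once. The following is an added example, not part of the original newsletter or of DropMyRights itself. It assumes dropmyrights.exe sits in C:\lowrights as in the article, and the mail client path is a hypothetical placeholder.

```powershell
# Added example: create desktop shortcuts that start programs through
# dropmyrights.exe, as the article describes doing by hand.
# Assumption: dropmyrights.exe was copied to C:\lowrights.
$DropMyRights = 'C:\lowrights\dropmyrights.exe'

function New-LowRightsShortcut {
    param(
        [Parameter(Mandatory)] [string] $Name,        # label for the shortcut
        [Parameter(Mandatory)] [string] $ProgramPath  # program to wrap
    )

    # Do not create a shortcut that cannot work: a broken one tempts the
    # user back to the normal shortcut, which runs with full rights.
    foreach ($path in @($DropMyRights, $ProgramPath)) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            Write-Warning "Skipping '$Name': $path not found"
            return
        }
    }

    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$Name (low rights).lnk"

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $DropMyRights             # the wrapper is what runs
    $lnk.Arguments        = '"{0}"' -f $ProgramPath   # quoted: path has spaces
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath
    $lnk.IconLocation     = "$ProgramPath,0"          # keep the familiar icon
    $lnk.Save()
    $lnkPath                                          # return the created file
}

# Programs that handle untrusted content: browser, e-mail, instant messenger.
$programs = [ordered]@{
    'Internet Explorer' = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'Mail client'       = 'C:\Program Files\ExampleMail\mail.exe'  # hypothetical path
}
foreach ($entry in $programs.GetEnumerator()) {
    New-LowRightsShortcut -Name $entry.Key -ProgramPath $entry.Value
}
```

The "(low rights)" suffix in the shortcut name makes it obvious which icon is the restricted one when the normal shortcut is still on the desktop.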

A few people mentioned a similar program, also written by Microsoft programmers. This one does the exact opposite of DropMyRights. MakeMeAdmin lets you log in as a limited user, but launch certain programs with administrator rights. It is similar to the Windows “Run As” function. The difference is that this program gives administrator-level rights to your limited account just before launching a program.

Of the two programs, it probably is safer to use MakeMeAdmin while logged in as a limited user. That way you cannot accidentally launch Internet Explorer or your email program with full rights. Both of these programs give you a very elegant way to avoid much of the risk associated with the internet. If you (or a family member) are constantly fighting a spyware infection, this may be the solution to the problem.

http://www.spywareinfo.net/nov23,2005#safesurfing

GRC’s Ultra High Security Password Generator

March 8, 2008 – 6:08 PM

Generating long, high-quality random passwords is not simple. So here is some totally random raw material, generated just for YOU, to start with. Every time this page is displayed, our server generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use.

https://www.grc.com/pass

Click your web browser’s “refresh” button a few times and watch the password strings change each time. Every one is completely random (maximum entropy) without any pattern and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again.

Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this custom generated (just now for you) page will not be cached or visible to anyone else.

Therefore, these password strings are just for you. You may safely take these strings as they are, or use chunks from several to build your own if you prefer, or do whatever you want with them. Each set displayed is totally, uniquely yours.

Microsoft Picks Partners to Fight Phishing

March 8, 2008 – 6:07 PM

Microsoft has signed up three companies to add phishing monitoring and detection technology to its antiphishing filter in the MSN Search Toolbar and the upcoming release of Internet Explorer 7, and its SmartScreen e-mail filter, the company says.

The software vendor has also released the final version of its phishing filter add-on technology for the MSN Search Toolbar. The technology is available as a free download.

Partners in Security

Microsoft is teaming with Cyota, MarkMonitor, and Internet Identity to beef up customer protections in its antiphishing filters, said Samantha McManus, business strategy manager for the technology, care and safety group at Microsoft.

“These companies are providing us with data on reported phishing attacks so we can use that data to protect our customers through our filters,” she said.

Phishing is online fraud that uses fake Web sites, which look like those of legitimate businesses, to trick online users into disclosing personal and financial information that can be used for criminal activity.

Microsoft offers antiphishing technology in IE 7, which will be available in full release for Windows Vista and Windows XP Service Pack 2 (SP2). Windows Vista is in beta now and is scheduled to ship in the last quarter of 2006. Windows XP SP2 is available now, but the IE 7 technology for the OS is still in beta.

Microsoft’s SmartScreen e-mail filter protects Microsoft Hotmail and the Windows Live Mail beta as well as Microsoft Outlook and Exchange e-mail software. SmartScreen also provides antiphishing protection.

Cyota, based in New York, offers online authentication and antiphishing services to provide real-time information about phishing attacks. MarkMonitor monitors and detects online fraud for financial institutions and other corporations, and will deliver information about confirmed phishing attacks against its customers directly to Microsoft, according to the San Francisco company. Internet Identity, based in Tacoma, Washington, automatically detects and takes reports for phishing Web sites for a wide range of clients, such as banks and credit unions. The company will forward this information to Microsoft’s antiphishing filter whenever those reports find a URL that leads to a phishing site.

Antiphishing Tactics

The services provided by the three companies will work slightly differently with the IE 7 antiphishing filter and the SmartScreen e-mail filter, McManus said. For the IE 7 filter, the services will report to the technology’s reputation service, which uses the information to scan a Web page to see if it has been reported by online users as a known phishing site, she said.

For SmartScreen, the filter can learn when phishing attacks are happening and include that information in the filtering process for messages that are sent through Hotmail and Windows Live Mail, as well as clients using Outlook or Exchange, McManus said.

Microsoft previously worked only with WholeSecurity, which was recently acquired by Symantec, to provide information about phishing activity and known phishing sites to its filters, McManus said. The company plans to partner with more companies to provide information in the future.

“This isn’t the final list of people who will provide the service,” she said. “This is a step along the way.”

http://www.pcworld.com/news/article/0,aid,123606,tk,dn111805X,00.asp

Keystroke Logging Increases, Security Firm Says

March 8, 2008 – 6:07 PM

Hackers are likely to release more than 6000 keylogging programs this year, up 65 percent from the number in 2004, according to Reston, Virginia, security vendor iDefense. Such software illegally records every keystroke pressed on a victim’s PC and then transmits the data to the hacker, making it an effective way to snoop out confidential information such as user names and passwords.

Organized cybercrime groups commonly send keyloggers to unsuspecting victims via e-mail, often in combination with spyware, phishing e-mail, or some other type of malicious software, the security company said.

Costs to You

Citing a survey by National Mutual Insurance, iDefense estimates that the average cost of a successful keylogging attack is about $4000 per victim.

But the financial cost is only part of the equation. Keylogging attacks are a major time sink, as well. The National Mutual survey found that victims of this type of fraud spent 81 hours, on average, resolving matters.

In 2000, hackers released just 300 keyloggers, according to iDefense’s numbers; and in 2001, the number dropped to 275. The first spike in keylogger programs occurred between 2002 and 2003, when the number rose from 444 to 1230. This year, the total is expected to jump from 3753 in 2004 to just under 6200 by year’s end.

iDefense, a unit of VeriSign, sells security intelligence to government and enterprise customers.

http://www.pcworld.com/news/article/0,aid,123569,tk,dn111705X,00.asp

Surf More Safely In Any Browser

March 8, 2008 – 6:06 PM

This is one of those ideas that make you want to slap your forehead and wonder why it never occurred to you before. I don’t remember what prompted it, but I decided to do a little experiment with my virtual test PC. I created a low-level user account and then went surfing some of the most spyware-infested web sites I could find.

Guess what? Nothing happened. Not only did I fail to pick up a single hijacker, I never once saw as much as a single ActiveX prompt. As far as I could determine, I was immune to spyware infection. Why? Because in limited mode, Windows doesn’t allow you to do very much. You are not allowed to make the changes necessary for malware to install and hide itself.

That is not much of a revelation. Many people already realize that if you surf the web in limited mode, not as “root” or “Administrator”, then you are much safer. The reason why people, myself included, do not tell internet newcomers to do that is because using a Windows computer in limited mode is nearly impossible.

Don’t believe me? If you have Windows 2000 or XP, try it right now. Go to Control Panel > User Accounts and create a new limited user. Now spend a few days in it and see what happens. Numerous programs that you use, if you are able to install them at all, simply will not work. You will have an unending series of “permission denied” errors as you try to use your computer normally. Because of this problem, very few people use Windows in limited mode.

The main culprit is software developers. Many of these developers create their programs in such a way that a limited user cannot use them. I remember trying to install a copy of PaintShopPro 7 once. First, I couldn’t install it. When I circumvented that by using the “Run As” feature and did install it, I couldn’t use it. That is just boneheaded design right there.

Microsoft is partly to blame. I mentioned the “Run As” feature. What that does is allow you to load a program as a different user. Basically, you provide the log-in password for an administrator account while logged in as a limited user.

The problem with this is that Windows treats that situation as if you are logged into that administrator’s account. Files saved from the program, if launched this way, cannot be stored in “your” My Documents folder. They have to be stored in the My Documents folder associated with the administrator account. Occasionally, a program won’t operate correctly even if you use the “Run As” feature.

Microsoft could learn from Linux on this one. With Linux, you operate normally as a limited user. If you need to do something to the system, you can open a command terminal, give the “root” password and Linux will temporarily give you the same permission as the root-level user. The problems you run into with a limited Windows account simply do not occur with Linux.

So, although it is much safer to surf the web in limited mode, people refuse to do it because of the permission problems they run into. No one wants to run Windows in limited mode.

Well, there is a simple fix for this problem. It is so simple that I wonder why it never occurred to me before now.

Use Windows normally in your admin-level account to avoid the problems caused by bad software design. However, any time you plan to surf the web, log out of that admin-level account and into a limited account. When you are through surfing the web, log back into your admin-level account. If you have any version of XP, you don’t even have to log out of your normal account. Just use Fast User Switching to go back and forth.

I won’t claim that you will be immune to a spyware infection if you do this. I will say that the chances of it happening are very slim.

There is one thing that I want to point out. Windows XP has a really stupid bug. If you create an additional account, the default “Administrator” account will disappear from the Welcome screen. Since quite a few people use that default account, that leaves them unable to log in from the Welcome screen after they create a new account. This bug is present in XP Gold, XP SP1 and XP SP2.

Unbelievably, Microsoft considers that to be a feature, not a bug. So the chances of it ever being fixed are low. There is a registry hack that will put the account back on the Welcome screen. Do not attempt to edit your registry if you don’t know what you are doing. You could cause some serious problems with Windows.

Don’t worry, there is an easy way around this bug if you don’t feel comfortable hacking at your registry. At the Welcome screen, simply press the CTRL ALT DEL buttons at the same time and a new log-in prompt will pop up. Just type “Administrator” for the user and give your normal password and it will log you in.

If you are one of those people whose computer is infected repeatedly by malware (you know who you are), you should give this a try. I’ll bet that, if you do this, you will not have nearly as much trouble with spyware as you do now.

http://www.spywareinfo.net/nov11,2005#limitedsurfing