RealPlayer Vulnerability

Here’s another vulnerability to report on. If your computer has the following then you’re at risk:

  • Windows 2000 or Windows XP
  • Internet Explorer 6 or 7
  • RealPlayer versions:
      • 6.0.10
      • 6.0.11
      • 6.0.12
      • 6.0.14
      • 6.0.14.536
      • 6.0.14.543
      • 6.0.14.544
      • 6.0.14.550
      • 6.0.14.552

The vulnerability makes it possible for your computer to be infected just by opening a malicious web page (you wouldn’t know it’s happened until it’s too late). So if your version of RealPlayer is out of date and you fall into the category above, update RealPlayer to the latest version.

MDB Files are vulnerable

At the moment there’s a vulnerability in Microsoft’s Access program. This means it’s possible to create an Access file that contains malicious code (e.g. a virus, trojan, spyware, etc). More details here.

In plain English, it means that if you receive a file whose name ends with .MDB, treat it as highly suspicious.

Skype Encryption

Skype is a popular communication tool that lets people have voice and video conversations over the internet. One of its features is how it transports that communications data: Skype first encrypts your data, then distributes it through a network of other Skype users (using what’s called a peer-to-peer model).

The encryption is intended to stop random strangers eavesdropping on your conversations. And it seems to be fairly effective from what this article says – the German Federal Police Office have a problem wiretapping Skype calls.

Is this a good thing or a bad thing? Well, it’s a little of both. It gives Skype users a level of security that makes the general public comfortable enough to use it, and stops casual eavesdropping. That’s the good news.

The bad news is that VoIP traffic (phone calls over internet) can be intercepted in other ways. When it becomes too hard to break the encryption, as the German police found, an easier path is to install a trojan on the PC and intercept the voice data before it becomes encrypted. This stuff really happens.

The German federal police office is looking into developing trojans that it can install on the computers of people it needs to listen in on (article here). This is a legal form of spyware (at least in the country it’s used in). Other governments have been using this technique for years and legally it’s not much different to wiretapping a phone. What makes it scary is that antivirus companies have an understanding with law enforcement agencies and some government spyware may go undetected.

This isn’t a problem to most people. And at the end of the day it’s no different to using a house or mobile (cellular) phone.

The message in this article is that you should place the same level of trust in any VoIP phone (such as Skype) as you would with any other phone. It doesn’t offer any additional level of privacy. Law enforcement agencies have been finding ways to listen in, and fairly soon we’ll have spyware that can do the same thing only with less legal intentions.

Taking A Work Notebook Home

A common scenario is when someone takes home a notebook from work. The intention is to do work from home for whatever reason.

This could be a serious security risk. Most companies have gone to a lot of trouble to secure their office networks (for example by installing and managing firewalls; though a firewall is not enough to secure a network). In fact some companies have an entire department dedicated to maintaining network security. However most homes don’t have managed firewalls or any of the other network security systems or resources that companies often use. This effectively makes a home network less secure.

The risk is having an outsider gain access to the contents of the notebook. This could be achieved in a number of ways including having a trojan on another PC in the house. The possible damage to businesses can be huge, depending on the importance of the data on the notebook, or the importance of the work being done from home.

Some misconceptions need to be explained:

  • All firewalls are the same – this is not true. There are different types of firewalls, making some more secure than others. They also need to be patched when the vendor discovers a vulnerability. Some home routers even claim to have firewalls when they don’t (they claim that a NAT feature is effectively a firewall – it isn’t). SPI (Stateful Packet Inspection) firewalls are good.
  • No one would be interested in hacking into your home network – this is not true either. The internet doesn’t discriminate; every device connected to the internet is at as much risk as every other device.

It’s not all bad news though. There are things you can do to protect yourself and your employer.

  • The laptop should have an antivirus program installed. It needs to be up to date.
  • The laptop would ideally have a “personal firewall” installed. Windows Firewall is not good enough. You need something that not only stops other programs getting into the notebook, it needs to stop unknown programs already on the notebook from getting out to the internet.
  • The home router should have its own firewall, or you could use a dedicated firewall device. Ideally the firewall would filter out traffic coming from or going to known sources of malware, but this isn’t going to happen at home: it requires a fair bit of maintenance (i.e. it’s expensive).
  • Encrypt the hard drive in the notebook. This can protect you if you lose the notebook or it gets stolen (and statistics show this happens often). Whole disk encryption costs money and slows down the notebook a bit but it’s very important.
  • Don’t carry all your files on the notebook. Don’t keep all your emails, or your entire client list, etc. Only copy the data you need to get the job done and limit the risk.
  • A VPN to your office network can help.
  • Don’t connect your notebook to the internet. These days almost everyone needs the internet to do work, so this idea might not be very practical.
  • Don’t use someone else’s wireless network. Not only is this illegal in many countries, you would be sending all your data through a stranger’s network. It’s technically possible for someone to intercept that data, even to manipulate it.
  • If you use wireless at all, make sure it uses a strong security protocol (WPA or WPA2).

A note about VPNs:

VPN stands for Virtual Private Network. It’s a piece of technology that can be used to join an office network to a home network. Servers and PCs on the networks would behave as if they were sitting in the same location, ignoring the fact there’s some distance in between, and ignoring the fact the traffic is really travelling across the Internet.

A VPN isn’t the be all and end all of security, it’s only a technical solution to a technical problem. You still need firewalls, virus scanners, and a little bit of tech support.

VPNs can be set up to route all traffic to your office network, and then you would trust your office network to filter the traffic for you. This is generally good. There are some caveats:

  • Activities like internet browsing are slowed down
  • Your office network may keep a log of what websites you view from home, when you’re connected to the VPN
  • You’re trusting your office’s IT staff not to hack into your home network (it’s technically easier when you establish a VPN)
  • It costs your employer money to set up and manage a VPN
  • If you have an unreliable internet connection at home it’ll disrupt your work.

Above all find out what your company’s IT policies are and follow them as best you can. If they don’t have one then now’s a good time to suggest one. Working from home doesn’t have to be risky.

Keep critical software up to date

Some programs you use are critical to the safe use of your computer, and it’s important to keep these patched.

In this article critical software is the collection of programs (both visible and those that run in the background) that transport information from a web server to your screen. It’s the chain of data flow that you use the most often when using the internet.

You have your operating system (e.g. Windows, MacOS, Linux), a web browser, and a stack of drivers that basically make the internet work for you. This is a simplified model, most people’s computers will be unique and full of all sorts of programs.

Because information is flowing along this chain of programs, data being handed off from the operating system to the web browser, every link in the chain is critical. And like the old mantra, the price of security is eternal vigilance. In this case we’re looking at the eternal task of patching your software.

Patches are released by software vendors, whether it’s a free open source program or from a commercial software company. Patches are written because the programmers are always fixing bugs, in particular they’re always fixing security vulnerabilities as they are discovered. It’s a way of strengthening each of the links in your data chain.

The point of this article is that you should always update the following:

  • Patch your operating system (Windows, Mac OS, Linux, etc). Yes there’s a risk in being the first to install a patch, it might break something. Large companies have long complicated procedures to test patches before installing them. Small companies and home users need to take the risk and apply the patch blindly, trusting the vendor. It’s a choice between having the most secure computer possible or waiting to see if a patch is released by mistake. My advice is to take the secure option and make regular backups of all your data (backups would be a good topic for a future article). Most operating systems these days have automated patching systems in place making this simple and often a transparent process.
  • Patch your web browser. All web browsers need to be patched – Microsoft Internet Explorer (IE), Firefox, Opera, Safari, etc. Apply patches as soon as they’re released. Today a web browser is the most vulnerable program on a computer because it gets used to run code that other people write. That code comes from all corners of the world, is almost never certified in any way, and there’s almost no way of trusting it. Your web browser will execute it blindly, trusting that it’s safe, and you trust that all other programs on your computer (including the operating system) will handle the attacks in a graceful way. Web browsers will be attacked; this is almost a certainty these days. So you need the very latest version, which hopefully has had every known vulnerability fixed.
  • Patch your antivirus software. This is often automatic, and it’s often a paid service. Antivirus companies spend a lot of time and money keeping their tools up to date and it’s in your best interest to use their technology. Consider it a good investment, it could cost you thousands of dollars if your system is compromised.
  • Sometimes routers will have to be patched as well. This is a little more advanced and you should only do it if you’re comfortable working with your router.
  • Personal firewalls should also be patched. If your antivirus software includes a [personal] firewall then it’ll be patched automatically, otherwise it’s a separate process.

All software that uses the internet in any way, including the various video and music players, needs to be kept up to date. Web browsers and operating systems are the most critical and should be patched the most often. The time and effort you spend is the price you pay for having a safe computer.

A QuickTime Flaw

Here’s a new vulnerability in Apple’s QuickTime program, discovered just recently (and published today). A computer can become vulnerable if the following events happen:

  • You have QuickTime version 7.x installed (any version beginning with 7.)
  • Your computer uses Windows XP or Windows Vista
  • You use Firefox for web browsing (IE 6, 7, and Safari are safe from this vulnerability for now)
  • QuickTime is your default media player
  • You visit a site hosting a malicious video file that takes advantage of this exploit.

Chances are you don’t meet all of the above criteria, but since there are so many computers on the internet now there would still be a large number of people who do.
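Both this advisory and the RealPlayer one earlier on the page only apply when every listed condition holds at once, which is easy to check against a list of machines. The following is an added example, not part of the original posts: the host records, field names and the exact-match treatment of RealPlayer builds are assumptions made for illustration.

```python
# Added example: match an inventory against the RealPlayer and QuickTime advisories.
# Assumption: RealPlayer builds are matched exactly against the list on this page.
REALPLAYER_AFFECTED = {
    "6.0.10", "6.0.11", "6.0.12", "6.0.14", "6.0.14.536",
    "6.0.14.543", "6.0.14.544", "6.0.14.550", "6.0.14.552",
}

# Each advisory is a set of named conditions; a host is exposed only if ALL hold.
# (Visiting a malicious page is the trigger, not an inventory property, so it is omitted.)
ADVISORIES = {
    "RealPlayer": {
        "os": lambda h: h["os"] in {"Windows 2000", "Windows XP"},
        "browser": lambda h: h["browser"] in {"Internet Explorer 6", "Internet Explorer 7"},
        "version": lambda h: h["software"].get("RealPlayer") in REALPLAYER_AFFECTED,
    },
    "QuickTime": {
        "version": lambda h: h["software"].get("QuickTime", "").startswith("7."),
        "os": lambda h: h["os"] in {"Windows XP", "Windows Vista"},
        "browser": lambda h: h["browser"] == "Firefox",
        "default player": lambda h: h.get("default_player") == "QuickTime",
    },
}

# Constructed sample inventory (host names, versions and fields are hypothetical).
INVENTORY = [
    {"name": "front-desk", "os": "Windows XP", "browser": "Internet Explorer 6",
     "software": {"RealPlayer": "6.0.14.552"}},
    {"name": "design-pc", "os": "Windows Vista", "browser": "Firefox",
     "software": {"QuickTime": "7.2", "RealPlayer": "6.0.14.544"},
     "default_player": "QuickTime"},
    {"name": "accounts", "os": "Windows XP", "browser": "Internet Explorer 7",
     "software": {"QuickTime": "7.2"}, "default_player": "QuickTime"},
]

def unmet(host, advisory):
    """Names of the advisory's conditions this host does NOT satisfy."""
    return [name for name, check in ADVISORIES[advisory].items() if not check(host)]

def exposed_hosts(inventory):
    """Map each advisory to the sorted host names that satisfy every condition."""
    return {adv: sorted(h["name"] for h in inventory if not unmet(h, adv))
            for adv in ADVISORIES}

if __name__ == "__main__":
    for adv, hosts in exposed_hosts(INVENTORY).items():
        print(f"{adv}: exposed hosts = {hosts}")
    for h in INVENTORY:
        for adv in ADVISORIES:
            print(f"  {h['name']} / {adv}: unmet conditions = {unmet(h, adv)}")
```

The per-host list of unmet conditions shows which machines are one change away from exposure, for example a host that would become exposed if its default browser changed.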

The damage from this could be anything for now. Since the exploit has been published malicious hackers all over the world are probably busy writing viruses and trojans to take advantage of it.

So when Apple releases an update be sure to install it. And if you use a good antivirus package it won’t be long until they release a new update (this is why it’s important to keep your antivirus program updated).

Details have been published here.

2 New Skype Related Warnings

There are two new warnings related to Skype today. In each case it’s not Skype that’s the problem, it’s just related to their service.

1. Some people have received a warning saying “Security Center has detected malware on your computer”. If you click on the links provided you’ll get a message telling you malware was found on your computer. It then asks you to pay money for an alleged program to clean it. If you see this, ignore it. It didn’t really scan your computer for viruses, and the money they ask for won’t really go towards anything good.

2. Some Skype users have received a message about finding a lost girl. Again this is a hoax and if you click on the links provided a web site will attempt to install a virus on your computer. Ignore it.

More details can be found at Skype’s security site.

Sony SonicStage CP Vulnerability

Version 4.3 of Sony’s SonicStage CP program has a vulnerability (flaw) that can be exploited for malicious intent. The exploit comes in the form of a playlist received from an external party (website, untrusted friend, etc).

So if you’re using a Sony digital music player and this program on your computer don’t open any playlists you didn’t create yourself, until Sony releases a patch to fix it. Details here.

Harmful Websites

It seems Possibility Media’s websites have been hacked. There are a few interesting things to learn here. First have a look at the following screenshot:

[Screenshot: Possibility Media]

At the time of writing (28 Oct 2007) if you go to Google’s website and search for the term “possibility media” you’ll get the results shown above. Google found the correct website and if you look closely there’s a warning that “This site may harm your computer”. If you don’t notice this small writing and just click on the link Google will display a large warning spelling out the risks. This is a very nice security feature provided by Google. They use a 3rd party tool to analyse websites for malware and make it difficult for you to load a website that contains harmful code.

The other thing to note is that Possibility Media’s websites have been hacked and contain harmful code. It’s still unclear what damage this can do to your computer (it’s currently being investigated by antivirus companies). Some of their other websites that have also been hacked are:

  • webweekmag.com – Web Week Magazine
  • itweekmagazine.com – IT Week Magazine
  • technologyweekmag.com – Technology Week Magazine
  • theinternetstandardmag.com – The Internet Standard
  • securitystandardmag.com – Security Standard

Hopefully by the time you read this it will have been cleared up. The purpose of mentioning these websites is to point out that common websites that have completely legitimate businesses behind them are still vulnerable to malicious tampering and that it can affect pretty much everybody.

There are a couple of things you can do about this:

  • Use a good antivirus program on your computer. To be effective against this type of attack it needs to do something called “web filtering”.
  • Keep your antivirus software updated. This usually requires a paid (yearly) subscription.
  • Use an alternative web browser. I haven’t written about this yet but consider using either Firefox or Opera.