An Acrobat (PDF) Reader Alternative

I wrote about an Adobe zero-day exploit a while back... They've been in the security news quite a bit lately; their huge success with Acrobat as a document distribution standard and the Flash media player becoming more and more common has ironically made their products a favored target of malware creators.

I finally got fed up with how large Acrobat Adobe Reader has gotten - the version 9 installer for XP is 35.7 MB (vs. 21MB for v8, 15MB for v6, ...) - so recently I installed a free alternative called Foxit. The latest version, 3.1, has a 5MB installer that results in a 7.2MB installation. Compare this to the 206MB Acrobat Reader installation that is on my PC!!! (wtf?)

But the best news is that Foxit starts up much faster than Acrobat Reader. I view PDFs all the time, and so far I have not had any issues with this application. It does have a tiny advertisement window as shown below (The blue area in the upper right corner), but this only seems to advertise Foxit's own payware products, which seems fair given that the reader is free.


I'll also mention that Foxit is potentially a better choice than Acrobat Reader since most exploits that are targeted at Acrobat do not manifest themselves in FoxIt. However, Foxit's popularity as an Acrobat alternative has made it the target of the malware authors, but it appears that the Foxit folks take security seriously and are prompt to release updates, as discussed here.

For the moment Foxit is available for Windows, Linux, and some handheld OSs, but not the Mac.

Why you should switch to Firefox

Executive summary: If you're using Internet Explorer v7 or earlier as your web browser, you should seriously consider switching to Firefox. Even if you're using the new v8 of IE, you're still not going to have as much protection from malware as with FF and the NoScript plugin.

--

I have been using Firefox as my primary browser for several years, and generally try to avoid Internet Explorer as much as possible. (Sometimes, though, it's not possible - my previous employer only supported IE for all of its Oracle infrastructure.) IE, being the most popular browser in the world - primarily because it is essentially built-in to Microsoft Windows - has been the primary target of cybercriminals for quite a while. Also, I like the fact that Firefox's user community has developed any number of (occasionally) useful plugins for it.

One (free) Firefox plugin that I run religiously on all of my systems is NoScript. Although there's a little bit of a hassle factor involved with using it, I feel a lot more "protected" from malicious web sites with it turned on. With its default settings, it will initially block all JavaScript, Java, Flash, etc. content and require you to specifically allow that content to be downloaded and displayed. You have the option of temporarily allowing content from a specific site, or adding the site to a "white list" of sites that will always be allowed through. (It protects against several other potential exploits, such as cross-site scripting.)

What prompted me to finally write something about Firefox and NoScript (this has been on my to-do list for a while) is the zero-day Adobe exploit that I posted about earlier today. NoScript can protect you from the exploit described in that post.

Finally: At the top I mentioned IE v8, which was released recently. I was hoping that Microsoft would take some steps to improve IE's resistance to malware, and I think they've made some good progress, but I found an article that seems to indicate that IE still has a ways to go. So although I'll continue to evaluate IE v8 on my Vista install as an intellectual exercise, I'll be keeping Firefox (and NoScript) as my favored "surfboard" for the indefinite future.

Urgent: Majority of Windows systems vulerable to Flash/Acrobat zero-day exploit

Firstly - you may be hearing the term "zero day exploit" more often these days in discussions about security issues. It basically means that the exploit under discussion is already being taken advantage of by the crooks.

Anyway, here's all of the details about the Flash/Acrobat Reader weakness. What is a little different about this one is that more than a few "legitimate" web sites have become infected with malicious Flash content, and so it's quite possible to be exposed to Eeeevil Stuff even if you're not snooping around the darker corners (and tubes) of the Internet. (Flash is used everywhere these days - e.g. YouTube basically runs on it.) Also, unlike some earlier exploits, disabling Javascript in Acrobat (which you should do - it's turned on by default when Acrobat Reader is installed) does not provide protection against this malware.

What seems almost criminal about this is that Adobe has apparently known about this defect for seven months. However, the exploit that actually takes advantage of it is apparently much more recent. I guess they decided to wait until really bad stuff happened before actually fixing their software...

A Pathetic Example of a Hacker...

First: the good news - this guy is probably wearing a bright orange jumper at the moment. The bad news - the accused was a security guard at a Texas hospital, and in his idle moments, he figured out how to break into some of the hospital computers - including the system that controls the hospital's heating and air conditioning systems. It doesn't seem that killing anyone was his real goal, but it gets hot down there and if he had wanted to turn off the AC on a hot day, he could've, causing all kinds of problems for the hospital. Fortunately his ego got the better of him and he posted Youtube videos of his adventures and other clues which led to his sudden wardrobe adjustment.

The whole story is here, which has a link to his last couple posts (prior to getting arrested!) on a hacker forum that he was a member of. (The best part about that thread is where someone labeled him a Massive Chunk of Fail after he was caught - that made me cackle.)

While we're on the topic of computers and health care - did you hear about the MRI machines that were infected with the Conficker worm a while back? Of course, that only happened because the machines had an internet connection. Doh!

New "zero day" Microsoft IE exploit

This has been in the news quite a bit over the last few days, but the nature of it prompts me to briefly post about it: there is a vulnerability in Internet Explorer versions 6 and 7 that can cause your Windows XP or Server 2003 system to be "hacked" just by visiting a site that is serving up the exploit - you don't even have to click on anything. The Microsoft Security Advisory about it is a pretty technical read, so check out this link first for information that is actually readable 8^) . There is a link there that will use MS's relatively new "Fix It" technology to download a ".msi" installer file that will install a workaround. I just tried this and it is pretty easy to do!

Here is yet another example of why it might be smart to use a browser other than Internet Explorer - most casual (and some not-so-casual) Windows users have it as their default, and sometimes only browser. I have been using Firefox for several years - it's not perfect, and as it becomes more popular it's getting its own share of attention from the crooks, but it's still not as prevalent as IE by about two-thirds. Other alternatives are Opera and Google Chrome (neither of which I've used much).

If you insist in using IE, at least update to the latest version, IE 8 (read about it here). You might already have it, as MS has made it a critical update for most or all Windows versions - which I'm not sure I agree with. I suppose (and hope) that their motivation might be that it has enough significant security updates so as to make it "critical" for most IE users.

Back Up or Be Stupid - your choice

One of my hobbies is flight simulation, and persuant to that, I've been reading the Avsim flight sim community web site for well over ten years. The URL is http://www.avsim.com, but as I'm typing this at about 5PM PDT on Friday, the site is dead and gone.

It's gained that unenviable status because some, uh, (gotta watch my language here) nefarious, lowlife, twisted, gin'd up, lilly-livered, one-eyed son of a prarie dog (a.k.a. hacker) managed to bring down not one but both of their servers. The problem is that apparently the administrators of that site were using these systems to back each other up, and the hacker deleted the main partitions on the hard drives of both. I don't want to opine whether or not their backup "strategy" was a dumb one - although more than a few Avsim subscribers have already done so (and I do question why they didn't have an off-site master backup somewhere) - but it brings home in a dramatic and tragic way that we all really need to back up our important data. You know that, I know that, we all know that, but the fact is that probably every minute of the day someone somewhere loses data that is precious and irreplaceable, yet gone forever.

Now, my own backup strategy is fairly lame - periodically, I back up my most important data on this (home office) system to a USB memory stick, and less periodically I duplicate that stick's contents to another one, and keep that second stick "somewhere else" (e.g. in my car) just in case the house burns down. However - and it's really embarrassing to admit this - but at this moment all of my memory sticks are in the house "somewhere" (I think I know where they all are). So if this great old house that we live in (that still has some knob-and-tube wiring) burns up, I'm S.O.L. I guess I know what I'll be doing tomorrow...

So maybe I'm writing this as much to myself as to you, but at any rate, here's yet another reminder to make a copy of your really important Data Stuff.

Here's an idea: go to your favorite big-box warehouse - e.g. Costco - and buy one of those 2-packs of 4GB SanDisk (or whatever) USB flash drives. Back up everything that you care about onto one (assuming it will all fit), and then do a direct copy of everything on that drive to the other one. Keep the second one at your office, in your glovebox, whatever - just somewhere else than the first one. Voila! with that $40-ish investment and a little time, you'll probably be better off than you are right now.

Another idea, which I have not yet tried but sounds like a hella good deal, is to use a web-based backup service. One that I'm aware of, Carbonite.com, backs up as much data as you can throw at it (from a single hard drive, anyway) for about $5 a month, and via a background process keeps the backed up data "sync'd" with any changes you make on your computer. There are at least a few other, similar companies - just google "remote backup" for more information.

To Update or Not To Update?

Early on in this blog, I encouraged you to keep Microsoft Windows updated with whatever Critical Updates that Microsoft pushes out. (BTW these are typically pushed on Patch Tuesday, unless something really serious comes up that Microsoft deems worthy of immediate attention. If you've got Automatic Notification turned on for Windows Updates - which you should - it's practically a sure thing that you'll get a popup on every single Patch Tuesday that there's new stuff to go get.)

However, for many years I took the attitude with my systems' applications that "if it ain't broke, don't fix it". As a for-instance: until fairly recently I had been loathe to update Adobe Acrobat Reader to a newer version, because all that newer Acrobat versions have seemed to do is get way bigger and more unstable, so I was running version 5 until only a couple months ago on one of my PCs (the current version is 9.1).

I really wish I could continue with that mindset, but unfortunately (if your system is connected to the internet, anyway) it just really isn't advisable anymore. New exploits (cracks in the armor) are being found at a dizzying rate for practically any popular application that in any way interacts with your network/the internet.

However, keeping everything updated on a rigorous basis can be a serious pain in the okole, as I realized only yesterday. In general I am not a big Apple Quicktime player fan, but because iTunes installs it automatically (and because some media on the web is in ".mov" QT format), it's on all of my systems. On some of those systems, I have iTune's automatic update notification turned off because I don't run iTunes on them on a regular basis - and so the QT format on at least one of them is fairly old. That's a bad thing, because according to the QT wikipedia entry, all versions prior to v7.5.5 have a cross-site scripting vulnerability. I won't go into CSS here, but the point is that I have potentially opened myself up to Bad Stuff that I might inadvertently encounter just by clicking the "play" button on a video at some site that I'm not terribly familiar with.

It's unfortunate that we've come to this point, because Acrobat is not the only application by a long shot that seems to get bloated with every new release - in many cases, with things that we don't care about, but that the creators stick in there just to keep it New And Fresh.

I thought about making a list of applications that you should consider keeping an eye on, but I've decided that it would be very long but yet ultimately incomplete. So just be mindful of the applications you use in your web journeys, not forgetting things like Quicktime (and Acrobat) that you might never run directly, but that are auto-run by your browser when you click on something neat.

Coffee Shops, HotSpots, and Thee

Assuming that no-one manages to sneak up and splice a connection onto your home or office LAN cabling (although I'm sure it's been done!), the wireless connection to your network is the potentially the weakest spot in it - which is why using an effective wireless encryption scheme (best: WPA2 w/ AES; almost worthless: WEP) is very important in keeping your network closed to the villains.

However, when you're traveling for business and doing the hotel gig, or choking down a thermonuclearly-heated Starbuck's latte as you update your Facebook page, you might not have the luxury of being able to use an encrypted wireless connection on your laptop. At the very least, if you going to connect to a public wi-fi hotspot that doesn't offer some kind of encryption and/or VPN, make sure that your firewall is turned on and that you have un-shared any shared folders, or (probably easier) turned off sharing entirely.

The trend seems to be that responsible public hotspot providers are requiring you to set up an encrypted connection to their wireless hotspots, but for those that aren't (or just as an additional layer of protection), you can take advantage of Virtual Private Networking. Currently I'm evaluating a "free" way to do this on Windows XP with Firefox 3.0 - I put "free" in quotes because the service does insert ads here and there but it's not very intrusive in my experience (with version 1.14 anyway). It's called Hotspot Shield, by a company called AnchorFree. There is a Mac version available too, but I have not tried it yet.

The basic concept is that Hotspot Shield, when enabled via the System Tray icon that it installs, sets up a secure, encrypted "tunnel" in your browser from your laptop to their network; from there you can surf the web as usual. Data that travels to and from your laptop is in the tunnel and is not readable by anyone that's trying to snoop your network connection.

There are other ways to do this - most cost money and I may eventually move in that direction but this seems like an easy way for the Road Warrior to get some extra protection with a minimum amount of effort.

By the way, this discussion has focused on wireless connections, but note that some hotels only have wired connections in their rooms. This by no means says that you're safe - depending on how conscientious they are about how their network is set up, it could be said that you're more vulnerable in this situation since you don't even have the option of WPA encryption. So here again, using VPN along with your trusty firewall can provide a decent amount of protection against malware and/or data theft.

Cryptography: Tambourines and Rubber Hoses

Did you know that secure passwords can, with the proper training, be discovered via a procedure that involves a tambourine? It says so right here. There's a link there that also talks about the rubber hose method, which is one of the least computationally-intensive approaches that has been developed. (Thanks to JJ for the link!)

I am reminded of one of the songs that's in the Sony PSP game Lumines 2 (awesome!) - "Black Tambourine". I never realised until just now that it's by Beck, or that it has at least a tenous link to cryptanalysis!

Conficker - the lead story on 60 Minutes last night!

I should've posted about this before, but my pal Neopublius sent out an email on Saturday that I'm just going to shamelessly copy here, 'cause it's got the goods you need:

"There is a pretty serious computer virus making the rounds with a target activation date of April First. There is a background article here: http://tech.yahoo.com/blogs/null/128643/beware-conficker-worm-come-april-1/ The article links to a Microsoft site with a free scan and removal tool, there is a another tool here: http://enigmasoftware.com/

As always, run some virus protection on your computer, don’t download or open attachments from people you don’t know, and stay out of the bad neighborhoods on the internet."

Here's an article with a few more technical details... BTW this issue is PC-only, but don't get all smug just yet if you're on a Mac or Linux - Conficker is a "remote exploit" vulnerability, and MacOS X has its own remote exploit critters to deal with.

SQL Injection: Tenderizing websites the world over

Some folks like to inject some sort of marinade into chicken/steak/whatever prior to stoking up the grill... I couldn't resist the title's play on words, but you do need to know about yet another thing that's somewhat new, that is yet another peril of doing e-commerce on the web - "SQL Injection".

SQL is a very popular language for manipulating databases, and it's practically a sure thing that you've accessed an SQL database server many times in your websurfing adventures. For instance, just this morning I took at look at the BAE Systems job search site, and got this:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'AND'.

/includes/local_subs.asp, line 1586

Which means roughly "this SQL-based database query engine is busted; come back later".

But back to SQL Injection - the problem is serious enough that that phrase has made it into the mainstream media - an article in USA Today describes the vulnerability in detail. The upshot for you, Dear Surfer, is to keep everything that you use to access web content updated with the latest patches - which is almost a job unto itself: the article mentions Internet Explorer, Firefox, Safari, Opera, Chrome, Adobe Flash, Adobe Reader, iTunes, QuickTime, Windows Media Player and RealPlayer. Most or all of those tools can be configured to check for updates, and more and more I'm turning that feature on. (Historically my philosophy has been "if it ain't broke don't fix it" in terms of software updates, but things have gotten to the point where I feel I just have to trust the vendors not to break stuff when they update their applications, in order to try to stay ahead of all of these vulnerabilities.)

The Basic Basics - Continued

OK, Part One's list items were probably familiar to most, although perhaps not the last one ("don't normally use Windows logged in with Admin privileges"). Here are some more nuggets of ponderment:

1. Make sure that the internet router box that you use has "NAT" (Network Address Translation) turned on. It probably is, since most or all consumer-grade routers have it enabled by default, but it doesn't hurt to make sure. One way to see if you have NAT working is to do the following: (1) Figure out what your Windows IP address is - e.g. open a Command Prompt window and type "ipconfig"; it will show a number that might look like "192.168.1.147" or something like that. (There are other ways to do this, but I won't detail them here.) (2) Determine what your "external" IP address is - this is the address that the rest of the world thinks you're at. I use this site to get my external address. If your Windows IP address and your external address are different, then you have NAT working. If not, you really need to get this addressed (no pun intended?).
   
2. This is another obvious one, but can be tedious to adhere to all the time: Don't Use Obvious Passwords, at least for any sites/accounts that you consider confidential and/or valuable. I was lazy about this for the longest time, but finally hunkered down and changed all of my on-line financial passwords to things less guessable/dictionary lookupable. A tool that made this easier for me is Roboform2Go, which is a "password vault" application that I keep on a USB memory stick. RF2G can act as a Firefox/IE plugin; you have to enter a password to unlock it (optionally for a limited amount of time for each use); after that, it will auto-fill the username and password fields of sites that you've told it about. Generally it works very well although it seems to be a little Firefox-unfriendly (sometimes I have to quit out of FF before starting RF2G; otherwise it doesn't start up correctly). There are other alternatives out there but this is the one I use.
3. Consider using what's called Multi-Factor Authentication for logging into your on-line commerce/shopping accounts where possible. For instance, both EBay and PayPal can be set up to do this. You have to buy a little gizmo that they sell, but it's quite inexpensive (right now it's $5). After you've received this "security key" you set up your Ebay and/or PayPal accounts to use it. Thereafter, when you log in and enter your normal password on the site, you are prompted to enter the number that the key's LCD display shows whenever you press the button on it. That number changes every 30 seconds... This form of authentication is very secure, and apparently this particular security key is being adopted by more and more on-line businesses, so hopefully your five-buck key will be good for more than just EBay/PayPal. More details are here, and a discussion about using the key with "OpenID" (which is a topic for another day) is here.
4. Here's a follow-on to the item last time about how you're quite vulnerable when connecting to free public wi-fi access points - be doubly sure that your firewall (either Windows' or a third party one) is turned on before connecting to the WAP. Even if you're going to use some kind of Virtual Private Network to do your surfing, your system is still exposed in the time it takes for you to establish the VPN connection. (A sideline to this - just because you fire up your laptop some place and see a WAP called "Free WiFi For My Homies" or similar, it doesn't mean that it's safe to connect. For all you know it could be a WAP set up specifically to steal whatever it can from your computer when you connect, or to infect it with who-knows-what malware-wise.)

OK, that's a wrap for this lovely Monday!

The Basic Basics - Part One of ?

I wish I could do this as a separate page or file that's part of this blog, but I can't figure out how to do that. Soooo... Here are some first-level things to think about in terms of "hardening" your system(s) and network against the bad guys.

1. Make sure that Windows Update is turned on on all systems. This can be configured in different ways - "fully automatic", "tell me when there's a new update", "download the update but don't install it until I say so", etc. Microsoft typically sends out Windows updates every Tuesday, but occasionally if something is really "hot" they'll do it sooner. For a long time I only installed these things when I was absolutely sure what they were, but have become convinced that for most people it's better just to let Microsoft do their thing. Generally, they've gotten better and better at it over the years.
   
2. Make sure you have at least WinXP Service Pack 2 installed. This is because it includes an updated Firewall, that is turned on by default. (If you do have SP2, make sure the firewall is still turned on!)
3. You should be running some kind of anti-virus software. This is not as much of a great thing as it used to be, as the bad guys are figuring out other, even sneakier ways to be bad, but you should still run something. I am running a couple free ones (on different systems): AVG Free, and Avira AntiVir Personal. Historically, the well-known commercial titles such as Norton and MacAfee have gotten bigger and bloatier over time (to the point where I stopped using them), but at least one of those has recently de-bloatified their stuff. I still use the free ones 'cuz I'm cheap, but heard a plug by a reputable computer repair guy in Hawaii for the Kaspersky stuff.
   
4. If you have a wireless network in your home, you really really should have a particular kind of wireless encryption (WPA) turned on. Your wireless connection can be the weakest link in your network - if it's not robust, all of the other things here are not worth nearly as much, especially in terms of data privacy/security. Don't rely on just the "WEP" kind of encryption - you must use "WPA". Older routers and laptop wireless cards don't support WPA - I had to buy a new card for my laptop since its built-in card is WEP-only. (If you want to run an "open" network so that your friends and family and the occasional drive-by "guest" can get on your network easily, that can be done - but there's a right way and a wrong way. Hint: the right way involves setting up a "DMZ" on your router.)
   
5. If you travel and/or use free wireless access points (say, at your local coffee shop), you are taking your laptop's overall security into your own hands, and not in a good way. This topic is really beyond the scope of this list, but - briefly, you need to figure out a way to use some kind of so-called "tunnelling" communication protocol whenever you're connected to such a network (e.g., VPN, which stands for Virtual Private Networking). There are free ways to do this (e.g. OpenVPN, which I haven't tried), and there are certainly "payware" ways.
6. Don't use a Windows user account that has Administrator privileges for your day-to-day computer activities. This turns out to be kind of a pain in the *ss in some ways, but it does lessen the ability for malicious software ("malware") to sneak and and do things at the "administrator" (god-like) privileged level. In all likelihood your user account on your laptop has Administrator powers - if nothing else, check and see if it does, using the Control Panel's "User Accounts" applet.
   

That's enough to chew on for one session, ya think?

Adobe PDF exploit

Probably the biggest IS news item recently is the discovery of a fairly serious vulnerability in the venerable Adobe Acrobat "PDF" file format. Briefly, it's one that doesn't require you to actually do anything for the vulnerability to be triggered, other than have Windows Indexing Service enabled (which I believe is turned on by default in XP). Even if you don't have that enabled, merely passing your mouse cursor over the file in Windows Explorer could still trigger the exploit. Now, this is only if you've actually downloaded a PDF that has been hacked to have this kind of malware inside of it, but AFAIK this is a sort of a new thing, where you don't even have to open the file to get the bad stuff happening. Note that this vulnerability exists on MacOS as well.

The morbid details are here, or you can see the sanitized Adobe discussion here.

What the hay?

I just recently said I'd start blogging right after hell freezes over, but.... well there you go.

If nothing else, this'll be a place to record the tidbits and links about things I come across related to internet security (IS) issues, such as new exploits (esp. "zero day" ones), etc. It will at least initially be PC-centric, but I may inject a little Mac Goodness as needed since I support Grace's MacBook (which as of today has Leopard spots - thanks B!). I have no idea how long I'll keep this up, or how often I'll update it, so treat it as a Social Experiment.

As I am a relative Noob to the details of IS, I also thought I'd try to make this a place where more casual computer users (e.g. relatives, pet pigs, etc.) can learn a thing or two.

As I have no idea how this Blogspot thing works, please stand back a bit just in case something breaks and spins off debris at ballastic speeds, and please do wear your safety glasses.