Wednesday, April 16, 2008

Vista Security Is Annoying by Design

Latest Neil McAllister Saturday, April 12, 2008 Vista Security Is Annoying by Design
If you're running Windows Vista, you're familiar with User Access Control (UAC). It's the security subsystem that pops up those irritating dialog boxes asking whether you really want to install software, or modify system files, or write to the Registry.
UAC may be Vista's most-hated feature, but as it turns out, it may also be its best-designed [KJHH comment - This is just stupid!]. As reported by Ars Technica, UAC was created with a very specific purpose in mind: to annoy you. [KJHH comment: Should read about POLP or POLA and how security improves useability...]
Ars picked up this tidbit at the recent RSA 2008 security conference in San Francisco, where David Cross, Microsoft's product unit manager for Windows security, discussed the company's security directions post-Vista. "The reason we put UAC into the platform was to annoy users. I'm serious," Cross is quoted as saying.
More cynical observers will note that this is a longstanding Microsoft business strategy. But in this case, believe it or not, it actually makes some sense.
Before Vista, most Windows users did their day-to-day computing with full Administrator access to their PCs. This gave them -- and by extension, the software they used -- total control over the system, including the ability to modify critical system files.
That degree of freedom grants a lot of power, but it leads to unpleasant side effects. Most importantly, when you're logged in as an Administrator, any Trojan horses, viruses, or other malware you unwittingly download will have free reign to attack your system with impunity.
Vista attempts to correct this legacy of bad behavior by only granting Administrator privileges to applications in situations where it's absolutely necessary. Unfortunately, developers have been spoiled by the old-style security model. Too often, they write their software in such a way that it actually requires Administrator privileges, even if there might be another (albeit more complicated) way to do the same work.
That's where UAC comes in. When a program tries to gain Administrator privilege, UAC pops up a dialog box, forcing the user to click a button. As Cross pointed out, that's annoying, and intentionally so. The idea is that users will shy away from programs that cause too many UAC dialogs to pop up, out of sheer irritation. If developers don't want to scare users away from their software, they're forced to rewrite it so that it plays nice under the new security rules.
Microsoft is onto a whole new paradigm here: modifying user behavior via reverse psychology. By making users click "OK" in a bunch of security dialogs, Microsoft is actually discouraging them from continuing.
Of course, so far this strategy has only met with limited success. Many users have preferred to disable UAC, rather than participate in Microsoft's social-engineering experiment. But isn't it nice to know that the good folks in Redmond are thinking outside the box?

'Pro-Tibet' Rootkit Attacks Windows PCs

'Pro-Tibet' Rootkit Attacks Windows PCs (

Wednesday, April 16, 2008 8:25 AM PDT

A cartoon that ridicules the efforts of a Chinese gymnast at the Olympic games is the latest ploy used by cyber-criminals to infect Windows PCs, according to McAfee Avert labs.

While the movie files, which show the cartoon followed by images supporting a free Tibet, are playing, a keystroke logging tool, hidden by a rootkit, is installed onto the user's PC.

McAfee Researcher, Patrick Comiotto, said: "This is a pro-Tibet Rootkit. What looks like a simple Flash movie actually silently drops a number of files onto your PC and then hides those files."

This is second Olympics-related virus in seven days. The 'Fribet' Trojan horse was placed on hacked websites and subsequently loaded onto the PCs through a Windows vulnerability.

Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Cybercrooks are increasingly taking advantage of the high general interest in the Olympic Games to trick people into giving up personal information or to load malware onto their PCs. If you want to watch the Olympic Games it is better not to do it by opening a file that appears to be a movie that comes in e-mail."

Wednesday, April 9, 2008

Virtualization's Dark Side

The security industry's big annual confab, the RSA Conference, going on this week in San Francisco, interesting to see how the Virtualization issue will turn out. RSA will no doubt offer more of the same in solution. Add more IT staff.

The decision to switch to virtualization is easy enough: As companies discover that the process can consolidate hardware and save space, energy and money, virtualization is sweeping through the world's desktops and data centers. Now comes the hard part: keeping a new and largely untested IT world safe from hackers and data breaches. Andy Greenberg, 04.09.08, 6:15 AM ET SAN FRANCISCO