Bright Stove

Reflecting information risk journey

Archive for January 2009

Beware of pirated software, even on non-Windows systems


In an earlier entry, I blogged about how users of non-genuine software secure their systems, and mentioned the IDC analysts' report linking malicious/trojan software to non-genuine software. It seems that the connection is becoming ever stronger, and has grown beyond the Windows platform.
According to Computerworld, "Trojan hides in pirated copies of Apple iWork ’09" as well. As such, any software that can be exploited will be exploited.  Be aware, or beware.

Written by mengchow

January 27, 2009 at 2:39 am

Posted in Risk Management

Why not localize your password


Having moved to a new residence over the weekend, the first thing that happened was also moving the broadband connection so that I could continue to have a cyber life from the new residence. As usual, the last mile is always the challenge. I first had to get an ADSL account with the new residential phone number, and at the same time figure out the phone/data network in the new place. The ADSL account had been subscribed by the landlord, and unfortunately the password I was given could not get the connection authenticated and established. Working into the wee hours, I finally called the ISP's helpdesk. The helpdesk guy had to do a password reset for me, since he could not see the actual password to verify whether the one I had was correct. To digress a little here, this practice is actually a discrepancy, since doing a reset lets him know the new password. So the security control of hiding passwords from the helpdesk doesn't really stop the guy from knowing them, as he could always encourage every customer to do a reset.

After verifying the necessary information, the support guy at the other end of the phone started to form a new pseudorandom password and read it over the line to me. He was speaking Mandarin, and his pronunciation of every other letter, along with some numbers, in Chinese got me rather confused. I thought I heard an "s" followed by a "4", and after re-confirmation realized that there was just one "s" without a "4", but the "s" was pronounced with the extra end-tone that sounds like a separate "4" in Mandarin 😦 We finally used the keyboard layout to verify each letter, since words such as "Singapore" for "s", "Malaysia" for "m", etc., didn't really help, as my pronunciation sounded equally foreign to him. 🙂 When I finally thought I had the entire password spelt out correctly and hung up, I realized that there was actually a "t" that I had also mistaken for a "7". It seems that many Singaporean Chinese, who use English (or Singlish) more often than Mandarin, face the challenge of decoding spoken letters from our Chinese friends in China.

As I reflected, the question is why the locals wouldn't use Chinese words and phrases to form localized passwords. I don't really know why not (maybe it has to do with security education and the translation of its content), but there are in fact many benefits to gain from such a practice. Using Chinese phrases, one could pick quotes from famous or favourite authors, celebrities or politicians, or make up a phrase oneself, which many people are quite capable of doing. Take just four Chinese characters and encode them in Pinyin (Latin letters), and you easily get a password of more than 10 characters. Since Pinyin marks each syllable with one of four tones (plus the neutral tone), the tone can be encoded as a digit or a special character at the end of each syllable, which brings digits and symbols into the password without anything extra to remember. A simple localization in this manner produces long passwords (passphrases, really) that are much harder to guess than a short random string, unfamiliar to attackers working from English wordlists, easy to remember and type, and, importantly, easy to communicate over a support line when that is absolutely necessary, since most foreigners in China learn the Pinyin system and most locals have known it since childhood. One caveat a practitioner would add: the strength comes from the length of the phrase and the number of plausible phrases, not from the language being foreign to the attacker, because Mandarin has only about 400 toneless syllables and a wordlist of common Pinyin phrases is easy to build, so a well-known four-character idiom should be treated like any other dictionary phrase. I believe the same localization method would also work (in slightly different manner) for many other languages. All in all, such an approach would improve security and ease of use at the same time, a rare combination.
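The encoding described above, as an added example that is not part of the original post: it turns a tone-numbered Pinyin phrase (the way most Pinyin input methods have you type it) into a passphrase with the tone as a trailing digit or symbol, and then compares what a length-and-character-class policy would credit against what an attacker who knows the scheme and guesses syllable by syllable actually faces. The sample phrase, the tone-to-symbol map and the syllable counts are constructed assumptions, not figures from the post.

```python
# Added example, not from the original post: encoding a tone-numbered Pinyin
# phrase into a passphrase and estimating how much guessing work it really buys.
# The sample phrase, the tone-to-symbol map and the syllable counts below are
# constructed assumptions for illustration.
import math
import re

# One syllable as typed on most Pinyin IMEs: letters followed by a tone digit
# (1-4 for the four tones, 5 for the neutral tone), e.g. "hao3".
SYLLABLE = re.compile(r"^([a-zü]+)([1-5])$")

# Assumed mapping if tones are written as symbols instead of digits
# (chosen to resemble the tone marks: flat, rising, dipping, falling, neutral).
TONE_SYMBOLS = {"1": "-", "2": "/", "3": "v", "4": "\\", "5": "."}

# Rough model of the Mandarin syllable inventory: about 400 toneless syllables,
# each with up to 5 tones. An attacker who knows the scheme guesses per
# syllable, not per character, so this is the honest measure of the search space.
BASE_SYLLABLES = 400
TONES = 5


def encode_pinyin(phrase: str, tone_style: str = "digit") -> str:
    """Turn 'shi4 shi4 ru2 yi4' into 'shi4shi4ru2yi4' (digits) or, with
    tone_style='symbol', append the mapped symbol instead of the digit.
    Rejects tokens that are not tone-numbered Pinyin so that a typo does not
    silently produce a shorter, weaker password."""
    parts = []
    for token in phrase.lower().split():
        match = SYLLABLE.match(token)
        if not match:
            raise ValueError(f"not a tone-numbered Pinyin syllable: {token!r}")
        base, tone = match.groups()
        if tone_style == "digit":
            parts.append(base + tone)
        elif tone_style == "symbol":
            parts.append(base + TONE_SYMBOLS[tone])
        else:
            raise ValueError(f"unknown tone_style: {tone_style!r}")
    return "".join(parts)


def naive_bits(password: str) -> float:
    """What a length-and-character-class policy credits: log2(alphabet ** len)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 32  # assumed size of the printable-symbol set
    return len(password) * math.log2(alphabet)


def syllable_model_bits(n_syllables: int) -> float:
    """Search space when the attacker guesses syllable by syllable with a
    Pinyin dictionary: log2((BASE_SYLLABLES * TONES) ** n_syllables)."""
    return n_syllables * math.log2(BASE_SYLLABLES * TONES)


if __name__ == "__main__":
    phrase = "shi4 shi4 ru2 yi4"  # constructed sample: a four-character new-year wish
    pw = encode_pinyin(phrase)
    print(pw, len(pw), "chars")
    print(f"naive estimate:    {naive_bits(pw):.1f} bits")
    print(f"syllable estimate: {syllable_model_bits(4):.1f} bits")
```

Four characters give a 14-character password that a character-class policy scores at roughly 72 bits, while the syllable model scores it at roughly 44 bits, which is still far better than an 8-character random string read over a bad phone line, but only because the phrase is long and not because the attacker cannot read Pinyin.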

Written by mengchow

January 19, 2009 at 3:11 pm

Posted in Awareness

How users of non-genuine software secure their systems


Happy new year! As I checked through the list of "draft" blogs that I have left unfinished in 2008, one particular entry looks like something that I should complete for the learning that perhaps we may gain from it, amongst the many other things that we learned through the eventful year. So, here it goes.

About two months ago, while many Windows users in China were concerned over their desktop wallpaper being replaced by a black screen by the validation program in Windows Genuine Advantage (WGA), the rest of us in the information security team were deciding how to better convince users to turn on, or not to disable, Automatic Updates (AU) so that they would continue to be protected against the most serious exploitation then under way. At that time it was an exploit of MS08-067, which is still evolving today even though the update has been available since October 2008. As we discovered, users of non-genuine Windows in particular were concerned not only that AU would automatically trigger the WGA validation program but also that they would be found out by law enforcement for not using genuine Windows. In reality, even with AU enabled and the WGA update downloaded, validation would not take place until the user clicked an "accept" button on the program's prompt. They would receive automatic updates, but not automatic validation. This lack of understanding of Microsoft's policy of ensuring user consent and control may have caused many users to leave their systems wide open to attack. *sigh*

While we were on this, a colleague took the extra step of visiting the retailers and shopkeepers at the computer malls in ZhongGuanChun to learn what security advice they give to non-genuine software users (since they sell the PC hardware, their customers come to them for advice on how to get protected). As we expected, they do have a way. As today's market for anti-virus, anti-spyware and anti-whatever-ware has become very competitive, a number of AV providers offer either a completely free edition or a limited-period (six-month or one-year) free trial of their professional products to any user willing to give the provider a few pieces of personal information at registration. These free tools come with regular signature updates as well, and therefore give non-genuine systems a form of protection. When the free use or free trial period expires, users are advised to switch to another AV provider's offering. As there are enough providers, their systems' security health could perhaps be maintained for a long period without paying anyone. This is perhaps one way to get the risk managed. On the surface it seems a smart way of getting protection: free tools protecting non-genuine software, and nobody wins but the user. Such protection, however, addresses the attack or exploit, by applying signature updates against known attacks, and not the vulnerability itself; the security bug in the original program code stays open because the security update that closes it is never applied. If the AV provider slacks in its signature updates, or the attacker alters the exploit code slightly to fool the AV program, the vulnerability gets exploited. The irony is that real protection is actually available in such cases, simply by enabling AU.
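The difference between a signature and a patch, as an added example that is not part of the original post and models no real vulnerability: a toy request handler with a missing length check stands in for the buggy program, a byte pattern from one known exploit stands in for the AV signature, and a second exploit that triggers the same bug with different bytes stands in for the "slightly altered" attack. All of the messages, the signature and the handler are constructed.

```python
# Added example, not from the original post: why AV signature updates are not a
# substitute for the security update that fixes the bug. The "service", the
# exploit bytes and the signature are all constructed toys; nothing here
# models any real vulnerability or product.
from typing import Callable, Iterable

BUF_SIZE = 16  # the handler's fixed-size input buffer


def vulnerable_handler(message: bytes) -> str:
    """Toy request handler with a missing length check, standing in for an
    unpatched program. The input is copied into a 16-byte buffer that sits just
    before a saved return address; an over-long message overwrites the address."""
    frame = bytearray(BUF_SIZE) + b"RETADDR!"   # buffer followed by saved return
    frame[:len(message)] = message              # bug: no bounds check on the copy
    saved_return = bytes(frame[BUF_SIZE:BUF_SIZE + 8])
    return "hijacked" if saved_return != b"RETADDR!" else "ok"


def patched_handler(message: bytes) -> str:
    """The same handler after the security update: the root cause is removed,
    so no variant of an over-long message ever reaches the copy."""
    if len(message) > BUF_SIZE:
        return "rejected"
    return vulnerable_handler(message)


def av_scan(message: bytes, signatures: Iterable[bytes]) -> bool:
    """Signature-based detection: flags a message only if a byte pattern taken
    from a previously seen exploit appears in it."""
    return any(sig in message for sig in signatures)


def defend(message: bytes, handler: Callable[[bytes], str],
           signatures: Iterable[bytes]) -> str:
    """What the user actually runs: the free AV in front of the program,
    whether or not the program itself has been patched."""
    if av_scan(message, signatures):
        return "blocked"
    return handler(message)


# Constructed sample traffic.
BENIGN = b"hello"
KNOWN_EXPLOIT = b"A" * BUF_SIZE + b"\xde\xad\xbe\xef" * 2
SIGNATURES = [b"\xde\xad\xbe\xef"]     # what the AV vendor shipped after seeing it
VARIANT_EXPLOIT = b"B" * BUF_SIZE + b"\xca\xfe\xba\xbe" * 2  # same bug, new bytes


def scenario() -> dict:
    """Runs each message through both setups and returns the outcomes."""
    return {
        "benign, av+unpatched": defend(BENIGN, vulnerable_handler, SIGNATURES),
        "known exploit, av+unpatched": defend(KNOWN_EXPLOIT, vulnerable_handler, SIGNATURES),
        "variant, av+unpatched": defend(VARIANT_EXPLOIT, vulnerable_handler, SIGNATURES),
        "variant, av+patched": defend(VARIANT_EXPLOIT, patched_handler, SIGNATURES),
        "variant, no av, patched": patched_handler(VARIANT_EXPLOIT),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:30s} -> {result}")
```

The signature stops the exploit it was written for and nothing else; the variant sails past the scanner and hijacks the unpatched handler, while the patched handler rejects it with or without AV in front. That is the whole argument for enabling AU: the update removes the bug, the signature only recognises one way of reaching it.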

Another, more concerning outcome that the providers of free protection should consider is that, instead of helping to improve the overall security of systems in cyberspace, they may unintentionally be facilitating the use of non-genuine software and allowing it to perpetuate. As long as those users can keep such systems secure, the providers of free protection are unlikely ever to see the day when users start paying for what they use. If the users can't, the providers are likely to be discredited for providing ineffective tools. Maybe having more systems protected in whatever way still outweighs a state in which only those who use genuine software are protected. However, considering the IDC analysts' report in 2006 that more than 25% of the web sites supporting the use of non-genuine software contained some form of malicious code in their offerings, such a scheme of protection using freely available tools may not serve a useful purpose from the start. How effective can it be then?

Written by mengchow

January 4, 2009 at 4:45 pm

Posted in Risk Management
