Bright Stove

Reflecting information risk journey

How users of non-genuine software secure their systems

leave a comment »

Happy new year! As I checked through the list of "draft" blogs that I have left unfinished in 2008, one particular entry looks like something that I should complete for the learning that perhaps we may gain from it, amongst the many other things that we learned through the eventful year. So, here it goes.

About two months ago, while many Windows users in China were concerned over their desktop wallpaper being repaced by a black screen by the validation program in Windows Genuine Advantage (WGA), the rest of us in the information security team were deciding how to better convince users to turn-on or not to disable Automatic Updates (AU) so that they would continue to get protected against the most serious security exploitation. At that time, it was an exploit on MS08-067, which is still evolving today, even though the update has been available since Oct 2008. As we discovered, users of non-geniune Windows in particular were concerned not only that AU will automatically cause an activation of the WGA validation program but also been found out by law enforcement that they are not using genuine Windows. In reality, even if AU has been enabled, and WGA updates downloaded, the validation still would not take place until user has clicked an "accept" button to the program prompt. They will only receive automatic updates, but not automatic validation. This lack of understanding of Microsoft’s policy of ensuring user’s consent and control may have caused many users to make their systems wide open to attacks. *sigh*

While we were on this, a colleague took an extra step to visit the retailers and shopkeepers at the computer malls at ZhongGuanChun to learn about the security advice that they give to the non-genuine software users (since they sell the PC hardware, and their customers need advice on how to get protected). To our expectation, they do have a way to be protected. As today’s market for anti-virus, anti-spyware, and anti-whatever-ware has become very competitive, a number of AV providers have embarked on providing either completely free, or a limited period (six months or one year) free-trial version of their professional products for any users, as long as they are willing to provide a few pieces of personal information to the provider to register for the free use or free trial. These free tools come with regular signature updates as well, and therefore provide a way for the non-genuine products to get a form of protection. When the free use or free trial period expires, they were adviced to switch to another AV provider’s offering. As there are enough providers, their systems security health state could perhaps be maintained for a long period, without paying anyone for it. This is perhaps one way to get risk managed. On the surface, it seems to be a smart way of getting protection — using the free tools to get protection for non-genuine software. Nobody wins but the users. Such a form of protection, however, focuses on the attacks or exploits involved, through applying signature updates against known attacks, but not closing the vulnerability or security bug on the original program code through applying the security patch or update that is already available. If the AV provider slacks in its signature updates, or the attacker alters its exploit code slightly to fool the AV program, the vulnerability will get exploited. The irony is, real protection is actually available for such cases, simply by enabling AU.

Another more concerning outcome that the providers of free security protection should consider is that instead of helping to improve the overall security of systems on the Cyberspace, unintentionally, they may be facilitating the use of non-genuine software, allowing perpetuation of such software to prevail. When those users could maintain security of such a system, it is unlikely that the providers of the free protection will ever see the day when users start to pay for what they would use. If they can’t, then the providers are likely to be discredited for providing ineffective tools. Maybe having more systems protected in whatever ways still outweigh a state whereby only those who use genuine software get protected. However, considering IDC analysts’ report in 2006 that more than 25% of the web sites supporting the use of non-genuine software contained some forms of malicious code in their offerings, such a scheme of protection using freely available tools may not actually serve a useful purpose from the start. How effective can it be then? 


Written by mengchow

January 4, 2009 at 4:45 pm

Posted in Risk Management

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: