It’s 2009, how secure are you now?

April 1st, 2009 by Administrator

A month ago I downloaded a well-known shareware application from a download web site, a site that has been around long enough for me to recognize the name. I wanted to test the download speeds on a freshly installed Windows 2008 server in my data center, and multi-threaded download managers are a good way to load up your bandwidth pipe. I double-clicked on the installer, saw my mouse turn to an hourglass, and then disappear. I saw the hard drive lights flicker a few times, and then nothing else happened.

I knew right away something wasn’t right and that was quickly confirmed when I realized I couldn’t launch Task Manager or Regedit: I was infected with malware. A trojan to be more specific.

In the last ten years I have been infected once or twice before, usually by something minor like spyware attached to a game my kids downloaded, but I had never had anything major like this. Bringing up a command prompt, I quickly fought the infection with the arsenal of command lines I had gathered over the years. But once I thought I had the thing completely gone, it would once again appear in my task lists and RunOnce entries.

It didn’t take long for me to realize that it was using WMI events to keep itself alive on my system. Because these types of infections are difficult to detect and even more difficult to remove, I went after the file system, removing any binaries related to the trojan. Using timestamps and several SysInternals tools, I was able to eliminate all of the infected files, although the trojan was still active–albeit neutered–on my system.
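Enumerating the permanent WMI event subscriptions described above is the first check to run when an infection keeps coming back. The PowerShell below is an added example, not code from the original post; it assumes local administrator rights, uses only the built-in WMI cmdlets, and only reports what is registered without removing anything.

```powershell
# Added example: list every permanent WMI event subscription on this host.
# Persistence of the kind described in the post lives in root\subscription as
# an __EventFilter (the trigger, a WQL query), an __EventConsumer (the action)
# and an __FilterToConsumerBinding that ties the two together.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer hold relative object paths such as
    # __EventFilter.Name="X"; resolve them against the instances we loaded.
    $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
    $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

    # What the consumer actually does depends on its concrete class.
    # CommandLineEventConsumer and ActiveScriptEventConsumer run code and
    # deserve the closest review; the other consumer classes only log or mail.
    $action = ''
    if ($c.CommandLineTemplate) { $action = $c.CommandLineTemplate }
    elseif ($c.ScriptText)      { $action = $c.ScriptText }
    elseif ($c.ScriptFileName)  { $action = $c.ScriptFileName }

    New-Object PSObject -Property @{
        Filter       = $f.Name
        Trigger      = $f.Query          # e.g. a timer or process-creation event
        Consumer     = $c.Name
        ConsumerType = $c.__CLASS
        Action       = $action
    }
}

# Legitimate systems usually have none or a handful of these, often with
# well-known names. A binding whose consumer launches a command line or script
# you do not recognise should be removed in all three parts, e.g.:
#   $b | Remove-WmiObject; $f | Remove-WmiObject; $c | Remove-WmiObject
# (run manually after confirming the entry, not as part of this report).
```

Because the subscription fires again on its next event, remove the binding together with its filter and consumer, then delete the binaries the action points at; deleting only the files leaves the subscription in place, which is the "neutered but still active" state the post describes.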

I spent two days working on the server and ultimately ended up with a system that would blue screen before loading Windows. I finally just gave up and reinstalled the system to a fresh state. What bothered me most wasn’t the time I had wasted fighting this trojan, it was the fact that it had beaten me. In fact, it beat me using the very same tactics I myself had developed and used over the years.

But as I got to thinking, I realized that what really bothered me is that this was a fully patched server running Windows 2008 behind two firewalls. And I was downloading a trusted application from a web site I recognized. And most of all, it bothered me that this is 2009 and I still got infected.

A decade ago I remember telling my clients that it would take ten years for the tech industry to get caught up with security. There was simply too much stuff to fix and not enough talent to fix it. Well that ten years has come and I wonder how those clients are doing now. The daily security headlines nowadays really aren’t much different than they were in 1999. Some new worm threatens the Internet infrastructure. Some .gov or .mil was hacked, probably by The Chinese, and it turns out you can still get hacked no matter how many initials you have after your signature and no matter how many standards you comply with.

It’s 2009 and I am still forced to use ancient, unencrypted protocols like FTP, Telnet, and SNMP. And even where public key encryption is commonplace, like with SSL encrypted protocols, I still find myself faced with things like having to decide whether I should trust a self-signed certificate or not.

Then there’s e-mail. Not only is it unencrypted, but it is unauthenticated and also subject to tampering. Nevertheless, I finally stopped installing PGP on all my computers because no one ever sends me PGP-encrypted e-mails and no one is ever able to read the ones I send encrypted. And this is 2009.

Even though it’s 2009, so many are still fooled by those fake e-mails from their banks. And even though spam filters work pretty well at protecting us from seeing our spam, there are still thousands of spam messages that end up on my servers every day.

And when I send an e-mail, there’s no guarantee that only the recipient will receive my message. There’s no guarantee that others can’t read or even modify my message.

Ten years ago we knew exactly what it would take to fix our security problems. We got the firewalls down pretty good. Code is generally more secure now. And most of us are good at keeping our systems up-to-date with patches.

But we still don’t have widely adopted solutions for authentication, encryption, and data integrity. We still have weak passwords and our mothers still have the same maiden names. And most people are simply too underequipped or undermotivated to combat the skills of the malware developers.

That means that despite all our advances in security technology, the best ways to hack someone are the same as they have always been—through a malicious e-mail attachment, or some infected download, or simply guessing someone’s password.

This is a serious problem, a problem that will take a decade to fix.

Posted in Windows Security | No Comments »

A CAPTCHA Nightmare

May 7th, 2008 by mb

What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAS I [...]

So many Windows to break

April 8th, 2008 by mb

I just finished writing patch reports for Windows systems I must support for my clients or for my own business. After you put together all the Vistas, XP’s, 2000’s, [...]

10 Ways to add to my paranoia

February 22nd, 2008 by mb

A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which ended up in a lot of people thinking I went way too far [...]

There’s always a good analogy in an old lady driving down the road dragging a mattress

February 13th, 2008 by mb

Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind [...]

Why I miss hacking

February 7th, 2008 by mb

I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, [...]

Mandatory Integrity Control

February 6th, 2008 by mb

I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on [...]

Superbowl commercials, a broken window, and a virus

February 4th, 2008 by mb

This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of [...]

Vista SP1 and Windows Server 2008 RTM

February 4th, 2008 by mb

For those of you who have been waiting for SP1 before you move to Vista, that time has come:

http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx


IT Security Through Sibling Rivalry

January 23rd, 2008 by mb

Some of you who know me know I have four kids—all boys. Now when you have four brothers growing up together under the same roof there is a lot [...]

New Tool: Delete files in use and Windows protected files

January 5th, 2008 by mb

I thought I would share a tool I had developed a while back as part of my Windows lockdown procedure. Deleting files that are in use and particularly WFP-protected [...]

Making sense of Microsoft malware protection

January 3rd, 2008 by mb

In case you haven’t noticed, in the last few years Microsoft has released a number of different client protection tools. First it was Windows Defender, then OneCare, and now [...]

Recanting my complaint of Vista’s Start Menu

January 2nd, 2008 by mb

In my last post I vented some Vista complaints I had. One of those was how Microsoft changes the Start Menu with every version of Windows. In fact, [...]

The Vista bugs that bug me the most

December 31st, 2007 by mb

Vista has had some pretty bad press this year; some people blame Microsoft for initially overhyping but eventually poorly marketing the OS, some blame the “I’m a Mac” commercials, [...]

Fun with open proxies

December 26th, 2007 by mb

I was recently playing around with web proxies at my data center lab and got an idea to open up a couple anonymous proxies to see how long it [...]