Windows Secrets Newsletter • Issue 218 • 2009-10-15 • Circulation: over 400,000
Table of contents

INTRODUCTION: Public deprived of WS site for two boring days
TOP STORY: Press delete: the risk of outsourcing your data
KNOWN ISSUES: Tips for avoiding bogus ads in search results
WACKY WEB WEEK: Finally! An effective way to reduce traffic
LANGALIST PLUS: Remove a persistent Trojan once and for all
BEST SOFTWARE: How to find out whether a file is infected
PATCH WATCH: Windows GDI+ update prevents Web-image attacks
INTRODUCTION: Public deprived of WS site for two boring days

By Brian Livingston

Power users of Microsoft Windows found themselves with nothing to read but blogs when a disk crash took down the WindowsSecrets.com site Oct. 13–14, subjecting Web surfers to 48 hours of utter boredom.

Fortunately, all the site's information was soon back online, to the chagrin of some of our columnists, who'd hoped that a few poorly chosen sentences here and there would disappear forever.

Being the geeks that we are, the Windows Secrets server is crammed with hardware designed to keep things running 24/7. The box is packed with four separate hard disks, which we imaginatively call Drives 0, 1, 2, and 3. Because hard disks can crash, our server uses RAID technology. RAID, as described by PCGuide.com, instantly switches from a failed hard drive to a second, identical drive. This is supposed to eliminate down time.

A built-in RAID controller on our server's motherboard mirrors Drives 0 and 1, which contain our operating system and thousands of lines of code. An independent RAID add-in card synchronizes Drives 2 and 3, which contain our database.

At 12:10 a.m. Pacific Time on Oct. 13, Drive 3 experienced a head crash. Our RAID setup should have recovered smoothly from this. What we didn't know, however, was that Drive 2 had failed a few weeks earlier. The RAID controller for some reason neglected to notify us back then, when we could have installed a fresh drive. (Or perhaps the e-mail was routed to Microsoft, which outsourced the message and then lost all copies of it, as WS contributing editor Rob Vamosi reports in today's Top Story.)

Lacking the expected responses from Drives 2 and 3, the on-board RAID controller went bonkers, gradually corrupting data sectors on Drives 0 and 1. We learned later that this particular controller behaves poorly in this specific situation. Now they tell me!

At this point, all four drives in our vaunted RAID array were rendered useless.

The good news is that all of our information is fine and our server is fully restored.

Thankfully, we're a bit fanatical about backups here. Not only does our server make a nightly backup, which is stored deep beneath a mountain somewhere. It also communicates in real-time with a replication server that we keep far away from the Web server.

As it was programmed to do, our replication server had preserved every single transaction that had been committed to our database. That included a subscription by some lucky person just seconds before the 12:10 a.m. disk crash.

To get our server back to normal, all we had to do was swap in three spare drives (yes, we had them on hand), reinstall our operating system and code, and repopulate our database from the replication machine. Believe me, all this takes more than 60 minutes. Several WS staffers worked day and night Oct. 13 and 14 to restore our server and bring you today's articles.

We're ba-a-a-ck! Being down for 48 hours was a living hell, but our disaster plan was never designed to guarantee 99.999% uptime. That's always been way too expensive. Instead, we're obsessed with never losing one byte of reader data.

If you're a subscriber, you remain a subscriber. If your paid sub expires on Dec. 31, you're darn tootin' it still does. If you purchased a lifetime subscription ... well, we can't tell you the end of your lifetime, but we didn't know that before the crash, anyway.

I was seriously tempted to fire the individual responsible for the outage — me — but I decided to extend mercy to me. After all, if I don't forgive me for my lack of psychic abilities, who will?

This week's disk crash was unrelated to the electrical blaze on July 3–4 that knocked offline the hardened colocation facility we use in Seattle (which I reported on July 9). But outages such as these have made us more interested in moving to virtual servers (as described by ShareVM.com).

Virtual-server complexes, like Rackspace's Mosso and Amazon's Elastic Compute Cloud (EC2), are located in special data centers. If one machine goes down, or an entire data center loses power, identical servers in another location can instantly take over. The cost of such services has plummeted in recent years.

Well, if virtual servers are so great, why is Windows Secrets still hosted on a single server that can go down at any time? The answer is that virtual servers present unique reliability and security issues, as Rob outlines today.

It's true that all Web servers are "in the cloud," in the sense that they are "on the Internet." But cloud computing is a different animal, and it deserves to be done right. I can assure you that, if Windows Secrets moves to virtual servers, they'll be fast and they'll be secure.

Stay tuned in the months to come, and I'll keep you informed about our efforts to achieve true 100% uptime.

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
TOP STORY: Press delete: the risk of outsourcing your data

By Robert Vamosi

A recent failure affecting T-Mobile's Sidekick service caused thousands of customers to lose their personal contact information. There's nothing new about servers crashing, and something like this is sure to happen again, so you need to protect yourself against such losses in the future.

On Oct. 2, the servers used by the Sidekick service to store customers' contacts, calendars, to-do lists, photos, and other personal information failed, as described in a New York Times story. During the process of restoring the servers, which are managed by Microsoft's Danger subsidiary, the data files on the primary and backup servers were corrupted.

T-Mobile apologized to customers and offered subscribers a $100 credit on future products and services, as well as a free month of data service. As you might expect, the reaction of Sidekick customers to this half-hearted measure has been overwhelmingly negative. Several hundred Sidekick users affected by the outage expressed their displeasure on the Sidekick Help site.

Late on Oct. 14, Microsoft notified Sidekick customers that "most, if not all" of the lost data had been recovered. The company said it would begin restoring the data "as soon as possible." This hasn't prevented several Sidekick users from filing lawsuits related to the outage, as reported by Nick Eaton of SeattlePI.com.

Taking a closer look at on-the-go security

As people rely increasingly on their mobile devices — and Microsoft and other vendors put productivity apps online — the dangers increase for consumers and enterprises alike. Researchers at several recent computer-security conferences have highlighted the risks of cloud computing, primarily in the area of security and accessibility.

"Cloud-busting" and "BlackBerry poisoning" were two of the hottest topics at the Hack in the Box conference in Malaysia in early October.

In his talk, "Clobbering the Cloud," Haroon Meer — the technical director of South African security vendor Sensepost — pointed out that cloud computing means many things. For some, it describes a platform, such as Microsoft's Azure or Google's App Engine. For others, it's a service, such as Google Maps or Amazon's Elastic Compute Cloud (EC2) service. Still others see it as a home for such hosted applications as SalesForce.com and the Mint personal-finance service.

Meer says reverse engineering kept Microsoft and other software vendors honest in the past. If the software of the future is hosted in the cloud, how will we verify the security of that software? Without access to the servers that host the code, independent security checks are impossible.

Meer's presentation emphasized that the marketing folks involved with cloud-based initiatives are using "crypto-pixiedust magic words" in their security assurances. His talk examined where security might break down for SalesForce.com, Amazon, and MobileMe, among other cloud services.

Audio and video recordings of Meer's presentation are available as a zip file from a conference download page. (The file is labeled D1T1 - Haroon Meer at the top of the file list.)

Bitbucket users become lost in the cloud

People who lose access to their Web-based data have few options. For example, the popular Bitbucket code-hosting and version-control service was offline for about 24 hours last week, as reported by the Register.

Bitbucket uses the EC2 service to host its files and Amazon's Elastic Block Store (EBS) as the platform for its database, log files, and user data. The idea is that EBS exists to provide persistent storage for EC2 server instances. As it turns out, EBS is public-facing on the Internet and can thus become a target for intruders.

Suspecting that it might have become a target, Bitbucket worked through Amazon to find evidence of a distributed denial of service (DDoS) attack. Apparently, a flood of User Datagram Protocol (UDP) packets was being sent to the servers. The sending computers didn't wait for an acknowledgment before launching even more packets — a classic DDoS scenario.

It took engineers at Amazon EC2 and Bitbucket several hours to realize they were being attacked. Meanwhile, users of Bitbucket were left scratching their heads for 16 hours. If a cloud-based service is used for mission-critical apps — particularly for health-care and financial services — a few hours of downtime could be disastrous.

A security advisory for BlackBerry users

In another talk at the Hack in the Box conference, Sheran Gunasekera, head of research and development at ZenConsult, stated that there's no technical way to hack a BlackBerry mobile device, but there are ways to seriously discomfit users.

Since Research in Motion (RIM), the BlackBerry's maker, encrypts everything, a man-in-the-middle attack is unlikely. Because there are few vulnerabilities, criminals have few potential points of entry.

But not everything's perfect. Gunasekera described various means of attacking a BlackBerry — remote use of its camera, alteration of the contact information it stores, the ability to run up international phone charges, and use of the phone to pump out phishing SMS messages. Gunasekera pointed out that, unlike the Apple iPhone store where every app is tested, BlackBerry apps are not regulated.

Gunasekera's talk is available via the Hack in the Box download page. (The file is labeled D1T2 - Sheran Gunase and is the 10th item in the file list. Bandwidth-challenged, beware: it's a 16MB download).

Gunasekera's advice for BlackBerry users can be summed up in the following four points:
KNOWN ISSUES: Tips for avoiding bogus ads in search results

By Dennis O'Reilly

Our Oct. 8 Top Story by contributing editor Susan Bradley reported that Google, Bing, and other indexes need to do a better job of policing the ads that appear alongside the search results.

Immediately after Susan's story was published, describing malware ads that appeared alongside queries on security terms like malwarebytes, such ads temporarily disappeared. Reader Bill Tone monitored the search-engine results after Susan's article came out:

Figure 1. Soon after last week's Top Story appeared, Google removed the malware ads that previously had accompanied results of Malwarebytes searches.

As Figure 1 shows, the sponsored links were indeed missing from Google's results for a search of Malwarebytes Anti-Malware utility.

Unfortunately, this policy may have lasted for only a brief time. When I repeated the search earlier this week, a sponsored link to AntiMalware-Software.com appeared on the right. (See Figure 2.) That program is listed by the Precise Security Threat Center and other security sites as malware that attempts to hijack your system and hold it for ransom.

Figure 2. Unfortunately, the malware ads made a comeback in the Google search results very soon thereafter.

Whether the disappearance and reappearance of the malware ads in Google search results is a policy decision or a coincidence is uncertain. But what I know is that, as of Monday afternoon, similar ads didn't show up when I conducted the same search using Bing.

Ad-blocking browser add-ons are one solution

Several readers suggested using ad blockers to eliminate altogether the threat posed by malware ads. Clive R. Taylor takes ad-blocking one step further:

You'll find a description and download link for the free Adblock Plus at Mozilla.org's add-ons site.

Several other readers recommended such free browser add-ons as LinkExtend and Web of Trust (WOT), which alert you to dangerous links before you click them. WS senior editor Ian "Gizmo" Richards wrote about LinkExtend in his March 5 Best Software column (paid content). You'll find more information about WOT on its home page.

Others recommended alternative search engines, such as Scroogle, that aggregate search results from many different services and strip away the ads.

Taking the malware fight to the big guys

When a small — tiny, really — publication does battle with tech titans such as Google and Microsoft, it's easy to feel like David facing Goliath without his sling. That's why it's doubly encouraging to receive notes such as the one sent to us by Jonathan English:

The Known Issues column brings you readers' comments on our recent articles. Dennis O'Reilly is technical editor of WindowsSecrets.com.
WACKY WEB WEEK: Finally! An effective way to reduce traffic

PERMALINKS
The following link includes all articles this week: http://WindowsSecrets.com/comp/091015

YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008. Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Web Developers: Dan Engler, Damian Wadley. Research Director: Stephanie Small. Research Analyst: Allison Espiritu. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Michael Lasky, Woody Leonhard, Ryan Russell, Robert Vamosi, Becky Waring. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. 