Windows Secrets

Windows Secrets Newsletter • Issue 184 • 2009-02-12 • Circulation: over 400,000


Table of contents 
  • Top Story: SiteAdvisor ratings may be 1 year out-of-date
  • Known Issues: CNN.com’s use of Octoshape puts readers on edge
  • Wacky Web Week: More fun than reporting on stock-market carnage
  • LangaList Plus: Recover lost disk space by dumping dump files
  • Best Software: What you should do about Windows Vista
  • Patch Watch: Critical update for Internet Explorer 7 and 8

 
Top Story

SiteAdvisor ratings may be 1 year out-of-date

By Mark Joseph Edwards

The free SiteAdvisor browser add-in claims to protect you by labeling Web sites green, yellow, or red to indicate that they are safe, questionable, or dangerous.

But a good or bad SiteAdvisor rating can persist for as long as a year after the site’s content has changed, raising serious questions about the service’s usefulness.

SiteAdvisor was initially launched as an independent, free service in April 2005 by Massachusetts Institute of Technology developers led by CEO Chris Dixon. The company built software to automatically crawl the Web and find sites containing virus-infected downloads and hyperlinks to suspicious addresses. Security giant McAfee Inc. acquired the company in April 2006, at which point the SiteAdvisor team said it had rated some 2.7 million pages, representing a majority of Web traffic.

Ratings from SiteAdvisor’s browser plug-in and its associated Web site, SiteAdvisor.com, are based on a variety of measures. Besides scanning sites for malware, the service enters customized e-mail addresses into registration forms to see whether this generates spammy e-mails.

The outcomes of these and other tests are used by SiteAdvisor to give a green rating to sites that score well and red ratings to destinations considered dangerous. Browser plug-ins are available for Internet Explorer and Firefox. Besides showing a rating for sites that a user visits, the plug-in also displays its color-coded symbols next to the links that appear in search engines such as Google, Yahoo, and MSN.

Unfortunately, I’ve found that SiteAdvisor’s ratings can persist for as long as one year after a site has been analyzed by its automated Web crawls. If a legitimate Web site falls victim to a false “red” rating, McAfee’s official policy is that months can elapse before a site is evaluated again. Conversely, if bad guys create a clean site that initially wins a green rating, and then immediately start offering infected games or other downloads, it might take SiteAdvisor months to notice.

McAfee certifies for a fee, but it’s no guarantee

At the time of its acquisition of SiteAdvisor, McAfee was widely expected to integrate the service into the corporation’s line of commercial products. McAfee soon announced SiteAdvisor Plus, a $24.99 download that added e-mail checking and other features.

Ratings such as SiteAdvisor’s can be helpful, but according to its own documents, McAfee allows up to 365 days between tests of individual sites, even if a Web site owner protests that a “red” rating is a false positive.

McAfee promotes a paid service to ensure that a site will be scanned for security threats on a daily basis. The site’s owner must pay a fee for “McAfee SECURE certification,” as described at the McAfeeSecure site.

For the smallest sites, SECURE certification costs $859 annually plus a $100 setup fee. If a site gets more than 2,000 page views per day — a tiny number for any serious e-commerce destination — the price rises. McAfee measures traffic by inserting a bit of HTML into the site’s pages.

After a site ponies up the cash, a security audit is performed, according to a description by McAfee. This audit (formerly known as McAfee HackerSafe certification) has long been criticized as permitting critical Web vulnerabilities, as outlined in a recent analysis by security researcher Mike Bailey.

Even paying for and passing SECURE certification, however, doesn’t guarantee that a site with a false rating in SiteAdvisor will get the red flag corrected immediately.

In a telephone interview, McAfee research analyst Shane Keats explained that SECURE certification will fail — even if a site passes all the SECURE security tests — if SiteAdvisor rates the site as “red.” In that case, he said, the site owner must wait for a period of time that’s specified in SiteAdvisor’s Site Rating Escalation Process (a PDF document).

I detail the waiting periods below, but an example will illustrate the procedure. The document says sites that request a re-evaluation are “subject to a rigid aging, or expiration, policy.” Something judged to be a Web exploit may be “aged out” in 30 to 365 days, e-mails that are considered spammy in 60 to 270 days, and so forth.

According to Keats, SiteAdvisor uses SpamAssassin, an automated scoring application, on messages that the service receives after its crawler signs up for a list. If SpamAssassin rated a site’s once-a-day e-mails as spammy, but they weren’t and the site owner protested, is it true that the site wouldn’t be tested again for 60 to 270 days? “That’s correct,” Keats said.

“The retest can happen tomorrow, quote unquote, whether it’s 24 hours or 4 days, for persistent site owners, particularly someone who says this is an inadvertent mistake,” Keats added. “But the probationary period is no different for a McAfee SECURE customer or a non-McAfee SECURE customer.”

McAfee doesn’t say how often the average site is scanned. “We’ve made a public decision not to tell how often we test sites,” Keats said.

The lack of a quick and easy retesting policy is hard to defend. Legitimate Web sites that erroneously receive “red” ratings might try to pay for SECURE certification to clear their names. But they could bear a scarlet letter for months before being rescanned and receiving a “green” SiteAdvisor rating. While waiting, their site couldn’t display the McAfee SECURE logo, because the certification would fail no matter how clean the site actually is.

Meanwhile, sites that initially garner a “green” rating but later go bad have no incentive to pay to be scanned — they can be labeled “good” indefinitely.

Ratings unchanged for 6 weeks, 6 months, or more

I called McAfee’s sales staff, posing as an ordinary Web site owner. My main question was: “If you rate my site green, and tomorrow it gets hacked and a lot of malicious stuff is put on it, how long will it be before you change the rating to red?” The answer I received was “about six weeks.” That’s a long time before a hacked site might be detected. But even that period is not the real story in many cases.

Web site designer Scott Thompson discovered this first-hand after his HometownZone.com site, known as Webster Weather, received its first SiteAdvisor rating in March 2008. At that time, the site justifiably earned a green icon. Six months later, however, Scott completely changed the site, to the extent that only its domain name remained the same.

SiteAdvisor today still shows links that existed only in the old design, according to Thompson. (See Figure 1.) Some of the links SiteAdvisor currently shows as being on the site had been removed even before the redesign.

Figure 1. SiteAdvisor shows that HometownZone.com has several links to sites rated green, but the site removed those links long ago and McAfee hasn’t updated its rating for months.

As of this week, SiteAdvisor still thinks the old links are there. The McAfee service doesn’t currently show the actual links on the site. These, of course, are what SiteAdvisor users assume are being evaluated to determine whether the site deserves a green rating.

Site re-evaluations can be agonizingly slow

According to McAfee’s Site Rating Escalation Process, SiteAdvisor “ages” its scanning criteria at the following intervals for individual sites that request a re-evaluation:
  • Annoyances: every 10 to 270 days
  • Downloads: every 10 to 365 days
  • E-commerce: every 30 to 365 days
  • E-mail: every 60 to 270 days
  • Exploits: every 30 to 365 days
  • Links: every 10 to 270 days
Considering how long it can take for the service to re-evaluate sites that specifically request reconsideration, I feel only SiteAdvisor’s red ratings can be at all useful to Web surfers. Even then, these can’t be taken as truly up-to-date ratings.

Unfortunately for legitimate Web site owners, SiteAdvisor is subject to criticism for false positives and unwarranted red flags, according to an analysis by The Register’s John Leyden.

Meanwhile, any bad guy on the planet can game the system by getting a green rating for a clean site and then changing the site into a vector for attacks. SiteAdvisor may display a green rating for months, leading its users to think the site is safe. At that point, it’s “game over,” and you lose.

Web surfers should consider alternatives such as Web of Trust (MyWot.com). This plug-in updates its ratings more quickly than SiteAdvisor, according to an interview with CEO Esa Suurio and several forum commenters, and incorporates feedback from a large community of users.

UPDATE 2009-02-19: McAfee representatives have responded to the above article and released previously undisclosed documents that reveal SiteAdvisor’s timetable for scanning and retesting Web sites. See our Feb. 19 follow-up for details.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT. Editorial director Brian Livingston contributed research assistance and interviews to this article.

 
Known Issues

CNN.com’s use of Octoshape puts readers on edge

By Dennis O’Reilly

Last week’s Top Story, on CNN.com prompting visitors to install an application named Octoshape, hit home with many readers who had been stung by the program.

The backlash is directed at the sneaky nature of the Octoshape installation rather than against P2P technology, which can benefit users and providers alike when correctly implemented.

When it comes to applying new technology, there’s a right way and a wrong way. People who inadvertently installed the Octoshape peer-to-peer application prior to watching CNN.com’s live video stream of President Obama’s inauguration on Jan. 20 bumped head-first into the wrong way.

Among the victims of CNN.com’s drive-by download was a reader named Ron:
  • “Thanks for the great article on Octoshape. I became aware that something was running but was not able to discover what app was the culprit ’til your article on CNN’s adding of Octoshape for the live stream on Jan 20.

    “I watch CNN for a number of reasons and never felt the need to be concerned about what they might add to my system. You have opened my eyes to the methods that can be used to compromise an individual PC. Great article. This is the type of article I keep an eye out for when I get your newsletter.”
As the story by WS editorial director Brian Livingston pointed out, there’s nothing new about P2P. As with so many technologies, the key to winning customers over to the idea of sharing their bandwidth is being up-front about how P2P will be implemented and — most importantly — how to turn it off.

Reader Tim Monk provides a U.K. perspective on a service that is much more considerate in its use of P2P:
  • “I read [last week's Top Story] with some interest. Over this side of the pond, I’ve been using the British Broadcasting Corporation’s iPlayer (making much of their extensive produced-for-TV content across all their channels) since mid-2007. As one would tend to expect, their approach was from the beginning peer-to-peer based using Kontiki, but this was relatively clearly explained before signing up and could be easily opted out of at setup or any time later.

    “The opportunity of swift availability of the latest episodes and the openness about the P2P nature meant that I often felt happy to be a good citizen and help other users, as they helped me — I could see all the connected machines in the TCP list supplying me on [Sysinternals'] Process Explorer. (Thanks, Windows Secrets!)

    “Interestingly, although many U.K. ISPs run capacity-restricted packages, the main backlash was not about P2P, but from the ISPs about capacity and from users about DRM [digital rights management]. So the latest versions of the BBC iPlayer turn their back on P2P and also offer multiple platforms for on-demand or for download. Over here, we think the BBC has responded creatively as a public service provider in the face of sniping from the Rupert Murdoch–owned media channels.

    “This [BBC] blog entry provides some background on the new changes, avoiding Octoshape-type issues experienced with Kontiki.”
Big media companies such as CNN don’t always get technology right the first time, but we trust that with a little forethought and a lot of listening to customers, they’ll get it right eventually.

To unstick a disc, a deep freeze beats butane

Last week’s Known Issues column included a tip from reader Scotty Burrous, describing how he revived a failed hard drive in his mother’s computer by applying butane to the device’s bearing. Several readers wrote in to remind us of a drive troubleshooting trick that goes way, way back. Yaakov Laks explains his technique thusly:
  • “A few years ago, I came back from a month away to find my HD making odd noises. I figured that the pivot or the bearings had gotten stuck somehow. I also thought that cooling might shrink the clogged pivot and the thing might rotate long enough for me to save the data.

    “I took the HD out of the desktop computer, wrapped it with a few layers of polyethylene, and let it freeze for 24 hours in the deep freezer. I then removed only the interface side and immediately connected it to the computer. It worked for three years after the cold shock.

    “I left the polyethylene wrapping on the HD for a few hours until any condensation risk was eliminated. Since then, I’ve done it two more times when called to rescue friends’ failing HDs. It worked OK once and didn’t help the other time. I believe that this is much less risky than butane.”
Update: Microsoft does a U-turn on Win7 UAC

Microsoft had a change of heart last week, the day after Woody Leonhard’s column described the company’s reluctance to fix a security weakness affecting User Account Control in the forthcoming Windows 7. Woody reported on researcher Long Zheng’s discovery of a simple way that a Trojan horse could disable UAC in Win7.

Yesterday, Windows Secrets’ paid subscribers received an update from Woody that explained the reasons for Microsoft’s big 180 on Win7′s UAC settings. We’ve made the original article and Woody’s follow-up available to all subscribers, free and paid.

As Woody points out, perhaps the best news is that the incident shows a new willingness on Microsoft’s part to listen to the Windows community and respond immediately to their concerns. We can only hope this isn’t a one-off!

Readers Ron, Tim, and Yaakov will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

 
Wacky Web Week

More fun than reporting on stock-market carnage

By Katy Abby

TV news anchors have a pretty tough gig: delivering the news with a poker face. Whether it means masking their anxiety during a grisly economic report or suppressing a smirk while dishing on Christian Bale’s latest freak-out, they’ve got to remain cool and collected. But what happens when the cameras stop rolling?

Take a look at these Chicago co-anchors, who’ve got their decompression system down to an art form. You may never look at Wolf Blitzer or Katie Couric the same way again!


 
LangaList Plus

Recover lost disk space by dumping dump files

By Fred Langa

An obscure function in XP may be consuming huge amounts of free space on your hard disk.

Error “dump” files are supposed to be temporary but sometimes aren’t, and the cost can be multiple gigabytes of wasted storage.


Error files leave you down in the UserDumps

It’s unusual to encounter a truly “wow!” experience with operating systems as old as Windows XP. But XP still surprises me on occasion. Maybe this XP peculiarity will be new to you as well.

My Jan. 8, 2009, column, “On the trail of mysterious missing disk space,” discussed a reader’s problem with disk space that was decreasing with no obvious cause. The answer I gave was complete as far as it went, but this recent eye-opening moment made me realize I may have missed something major.

I came across it quite by accident at a family gathering. My brother asked me to check out an XP system he maintains. Like the system discussed a few issues back, this one was losing tons of disk space. My brother, an able tech guy, knew where the problem was: each day, the system would generate hundreds and hundreds of megabytes in .hdmp files!

The file extension .hdmp is used for full (“heap”) error dumps, which are files containing diagnostic information designed to help you unravel a problem and trace it back to its source. There’s a related file type, .mdmp, a minidump that holds a much smaller subset of the same information.
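Before deleting anything, it helps to see where the dump files actually are and how old they are, because a fresh dump may be exactly what you need to diagnose the crash that produced it. The following PowerShell script is an added example, not Fred Langa’s method from the column and not a Microsoft tool: it walks the Windows, all-users, and current-user profile folders (an assumed search scope; dump locations vary by application), groups every .hdmp and .mdmp file by folder with a size total, and offers a separate, age-gated deletion that honors -WhatIf so you can preview what would go. It uses only cmdlets available in PowerShell 2.0, which is the newest version that runs on XP.

```powershell
# Added example: report and optionally remove Windows error-dump files (.hdmp / .mdmp).
# Search roots are an assumption; add any folder where your applications write dumps.

function Get-DumpFileReport {
    param(
        [string[]]$Root = @($env:SystemRoot, $env:ALLUSERSPROFILE, $env:USERPROFILE)
    )
    # -Force includes hidden folders such as Application Data; access errors are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -Include *.hdmp, *.mdmp -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Group-Object DirectoryName |
        ForEach-Object {
            $total = ($_.Group | Measure-Object Length -Sum).Sum
            $newest = ($_.Group | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            New-Object PSObject -Property @{
                Folder = $_.Name
                Files  = $_.Count
                SizeMB = [math]::Round($total / 1MB, 1)
                Newest = $newest
            }
        } |
        Sort-Object SizeMB -Descending |
        Select-Object Folder, Files, SizeMB, Newest
}

function Remove-OldDumpFiles {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Root = @($env:SystemRoot, $env:ALLUSERSPROFILE, $env:USERPROFILE),
        [int]$OlderThanDays = 7    # keep recent dumps; they are the ones still worth analyzing
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ChildItem -Path $Root -Recurse -Force -Include *.hdmp, *.mdmp -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            $mb = [math]::Round($_.Length / 1MB, 1)
            if ($PSCmdlet.ShouldProcess($_.FullName, "Delete $mb MB dump from $($_.LastWriteTime)")) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}

# Usage:
#   Get-DumpFileReport | Format-Table -AutoSize
#   Remove-OldDumpFiles -OlderThanDays 7 -WhatIf     # preview only
#   Remove-OldDumpFiles -OlderThanDays 7             # actually delete
```

Run the report first and look at the Newest column: a folder that gains hundreds of megabytes a day, as in the system described above, points at an application that is crashing repeatedly, and deleting the dumps treats the symptom only. Keep at least one recent dump from that folder for analysis before you clear the rest.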

This article is part of our paid content.


 
Best Software

What you should do about Windows Vista

By Ian “Gizmo” Richards

Every day, people ask me whether they should order their new PCs with Windows XP or Vista, while others wonder whether they should hold off for Windows 7.

And there are those who are already running Vista and want to know what they can do to overcome its problems.


Making sense of the big Vista muddle

I don’t blame people for being confused over Vista. Before it was released, Microsoft hyped Vista, just as the company is currently playing up Vista’s successor, Windows 7. When Vista was finally introduced, the press and public reception was generally terrible. Then the Microsoft PR machine chipped in, trying to convince users that Vista was actually the answer to their prayers.

This led to another round of criticism from the press and users. Then the whole cycle was repeated again with the release of Vista Service Pack 1. Finally, Microsoft has totally confused things by switching the focus from Vista to Windows 7, a product that might not even appear until 2010.

At the moment, getting an accurate take on Vista is like trying to form a political opinion by listening to a room full of die-hard Democrats and rabid Republicans. You won’t end up with a balanced opinion, but you sure will be totally confused.

Taking a second close look at Vista

I’ve been as uncertain about Vista as anybody, but last September I had an opportunity to cut through the Gordian knot and clarify the situation for myself.

At that time, I was replacing my aging IBM T42 laptop with the latest IBM T500 model. The T500′s standard configuration ships with Vista Home Premium. Normally, I would have requested a downgrade to Windows XP, but I decided instead to try an experiment.

This article is part of our paid content.


 
Patch Watch

Critical update for Internet Explorer 7 and 8

By Susan Bradley

This month’s patches include a cumulative update for IE that plugs two holes allowing remote-code execution of malware.

Don’t wait to download and install this patch, which will likely be exploited by virus authors very soon.


MS09-002 (961260)
Protect IE against drive-by Web infections

There’s an unusual Internet Explorer patch among this month’s updates from Microsoft. Patching IE isn’t unusual, but patching only the newer versions 7 and 8 is. To download and install the patch for IE 7, visit the Microsoft Update site. If you use IE 8, browse to Microsoft Help and Support article 961260 and scroll down the page to find the update download. IE 6 users don’t need this patch.

The cumulative security update addresses two vulnerabilities that allow bad guys to plant malware on a site that downloads automatically when the page opens in your browser. I expect we’ll soon see this used in Web-based attacks, so if you use IE 7 or 8 while logged in to a Windows administrator account — as many people do — you need to install this patch as soon as possible.

When I tested the patch, I didn’t have to do any additional tweaking to ensure that it worked with firewalls. If you encounter problems with the update, my standard guidance applies: before uninstalling the patch, try disabling and then re-enabling your antivirus software and review your firewall settings to ensure they aren’t blocking your browser.

You’ll find more information about the update in this Microsoft TechNet article.

960715
Time to kill off a few more ActiveX bits

If you download software from various vendor sites, you have likely received an ActiveX control for Akamai’s Download Manager program. The update described in Microsoft Security Advisory 960715 sets the “kill bit” for this ActiveX control, which stops Internet Explorer from loading it. The action was taken at the request of Akamai. When you return to an Akamai download location, you’ll be prompted to install the new ActiveX controls, as described in Akamai’s advisory. Installing the kill-bit update disables the old control without your having to visit a site that uses the Akamai download app.
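The kill bit itself is nothing more than a registry flag: the value 0x400 in the Compatibility Flags DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (with a Wow6432Node copy for 32-bit IE on 64-bit Windows). Once it is set, IE refuses to instantiate a control with that CLSID even though the control’s files stay on disk. The following PowerShell script is an added example, not part of the newsletter and not Microsoft’s 960715 update: it lists every CLSID that already carries a kill bit and lets you set or clear one yourself. The CLSID in the usage lines is a placeholder; this page does not give the real identifier of the Akamai control, so substitute the one from the vendor’s advisory.

```powershell
# Added example: audit and set Internet Explorer ActiveX kill bits.
# Run from an elevated prompt; writing under HKLM requires administrator rights.

$KillBit = 0x400   # documented "kill bit" flag within the Compatibility Flags DWORD

$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 64-bit Windows only
)

function Get-KillBittedControls {
    # Enumerate every CLSID key under both hives and report whether 0x400 is set.
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            $hasFlags = ($null -ne $flags)
            New-Object PSObject -Property @{
                Hive    = $base
                CLSID   = $_.PSChildName
                Flags   = if ($hasFlags) { '0x{0:X8}' -f $flags } else { '(none)' }
                KillBit = $hasFlags -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit {
    param(
        [Parameter(Mandatory = $true)][string]$Clsid,   # registry form, braces included
        [switch]$Clear                                   # remove the kill bit instead of setting it
    )
    if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a CLSID in registry form: $Clsid"
    }
    foreach ($base in $CompatPaths) {
        # Skip the Wow6432Node hive on 32-bit Windows, where it does not exist.
        if ($base -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # Toggle only bit 0x400; any other compatibility flags already present are preserved.
        $new = if ($Clear) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
        '{0}: Compatibility Flags 0x{1:X8} -> 0x{2:X8}' -f $key, $current, $new
    }
}

# Usage (placeholder CLSID; use the identifier from the vendor's advisory):
#   Get-KillBittedControls | Where-Object { $_.KillBit } | Format-Table CLSID, Flags, Hive -AutoSize
#   Set-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
#   Set-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -Clear
```

Running Get-KillBittedControls before and after a kill-bit update is a quick way to confirm which controls it actually disabled. Setting the bit yourself is useful for a control a vendor has abandoned, but clearing one that Microsoft set should be a last resort, since it re-exposes whatever flaw prompted the update.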

This article is part of our paid content.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

