Tag: Microsoft Windows 8

IP address behind thousands of bootleg Windows, Office, Server installations. Microsoft has asked a US court to issue a subpoena to Comcast, in a bid to obtain subscriber-to-IP address information on users alleged to have pirated copies of Windows and Office en masse. The subpoena, filed with a Washington US District Court, seeks to identify the users behind IP address 173.11.224.197, alleged to have activated thousands of copies of Microsoft wares. A filing obtained by TorrentFreak shows Redmond is pursuing users alleged to have contacted Microsoft servers some two thousand times between 2012 and 2015. Microsoft says pirates will often install activated pirate copies of Windows software on computers and sell those at a cut rate in what is known as hard-disk loading. Redmond does not claim that the John Doe defendants are doing so. "During the software activation process, defendants contacted Microsoft activation servers in Washington over two thousand times from 2012 to 2015, and transmitted detailed information to those servers in order to activate the software," Microsoft says in the documents [PDF]. "Defendants’ contact with Microsoft’s activation servers was voluntary, intentional and comprised a routine part of defendants’ installation of software. "Defendants activated and attempted to activate at least several thousand copies of Microsoft software, much of which was pirated and unlicensed." Microsoft says the pirates activated copies of Windows 8, 7, Office 2010, and Windows Server 2008 and 2010 using stolen and repeatedly activated codes obtained through Redmond's 'supply chain'. The intelligence is gleaned from activation information voluntarily shared with Microsoft.
"[Forensics] allows Microsoft to analyse billions of activations of Microsoft software and identify activation patterns and characteristics that make it more likely than not that the IP address associated with the activations is an address through which pirated software is being activated," Redmond says. It would be a significant gaffe on the part of the alleged pirates if the IP address data pointed to their real identities. Some of the most popular activation cracks rely on bypassing and blocking Microsoft software activation locally.
Microsoft really, really wants everyone to dump Windows XP, Windows 7, and Windows 8 in favor of Windows 10.
It's been aggressively urging users to upgrade to Windows 10, even preinstalling the Windows 10 update on PCs unasked.

This week, it provided a new incentive to encourage Windows 10 updates, especially in businesses: enhanced security. The company announced a new service built into Windows 10 called Windows Defender Advanced Threat Protection (ATP) that helps IT detect attacks that have made it into the network and makes suggestions on how to respond to them. Windows Defender ATP does not yet actually remediate any breaches that it detects, though Microsoft plans to add such capabilities in the future. (Don't confuse Windows Defender ATP with Exchange Online ATP, a for-pay add-on to Office 365. Windows Defender ATP complements Exchange Online ATP rather than serving as an alternative to it.) Windows Defender ATP is one of several security features that Microsoft has brought to Windows 10 in hopes of upping its appeal to enterprise IT departments. Others include:

Credential Guard: Built into Windows 10 Enterprise and Education editions, this tool stores credentials (NTLM hashes and Kerberos tickets), along with the LSASS process that manages them, in an isolated Hyper-V virtualized container.

Device Guard: This tool prevents untrusted apps from running on Windows 10 Enterprise PCs. Via virtualization, it isolates the Code Integrity services from the Windows kernel. For this to work, you have to go through and sign your apps and determine their trustworthiness.

Windows Hello: This is a biometric authentication feature built into Windows, using fingerprint matching and facial recognition.

Enterprise Data Protection: This tool works with Microsoft's Intune and Configuration Manager servers, as well as with third-party mobile management servers, to encrypt enterprise data and remotely wipe enterprise data from devices. Other mobile management tools offer similar capabilities, but Microsoft's stands apart in its integration with Azure Active Directory for access management to cloud and other services.

Windows 10 also provides security tools included in previous Windows versions, such as a software firewall, BitLocker drive encryption, and the Windows Defender antimalware tool.
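Credential Guard and Device Guard both depend on virtualization-based security actually being up, and a machine can have them configured by policy without them running (for example when the Hyper-V prerequisites are missing). As an added example, not taken from the article, the following PowerShell reads the documented Win32_DeviceGuard WMI class to report that state on a Windows 10 machine; the function name is my own, and it assumes an elevated prompt.

```powershell
# Added example (not from the original article): report whether the
# virtualization-based protections described above are running locally.
# Uses the documented Win32_DeviceGuard class; run from an elevated prompt.

function Get-VbsSecurityStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not
    # running, 2 = running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled (not running)' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of
    # service IDs: 1 = Credential Guard, 2 = hypervisor-enforced code
    # integrity (the Device Guard component that isolates Code Integrity).
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsState
        CredentialGuardConfigured   = ($configured -contains 1)
        CredentialGuardRunning      = ($running -contains 1)
        HvciConfigured              = ($configured -contains 2)
        HvciRunning                 = ($running -contains 2)
        # Kernel-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced.
        CodeIntegrityPolicy         = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

$status = Get-VbsSecurityStatus
$status | Format-List

# The gap a defender cares about: configured by policy but not actually
# running, which leaves LSASS secrets outside the isolated container.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; credentials are not isolated.'
}
if ($status.HvciConfigured -and -not $status.HvciRunning) {
    Write-Warning 'Hypervisor-enforced code integrity is configured but not running.'
}
```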
Microsoft released its second batch of security updates for this year, addressing a total of 36 flaws in Internet Explorer, Edge, Office, Windows and .Net Framework. The patches are covered in 12 se...
Microsoft has patched 41 CVE-listed security vulnerabilities in its software this month. The second Patch Tuesday monthly update of the year brings with it fixes for security flaws in both Internet Explorer and Edge that could allow remote-code-execution attacks simply by visiting a webpage. Also fixed are remote-code-execution holes in the Windows PDF Viewer and Microsoft Office. The full list is as follows:

MS16-009: A cumulative update for Internet Explorer 9 through 11. The update includes fixes for 13 CVE-listed issues, including remote-code-execution flaws and information disclosure vulnerabilities. As with all IE updates, the fixes are considered a lower risk for Windows Server installations.

MS16-011: An update for the Edge browser in Windows 10 comprising six fixes for CVE-listed issues, four of which are remote-code-execution vulnerabilities.

MS16-012: A fix for two remote-code-execution vulnerabilities in Windows PDF Library and Reader for Windows 8.1, Server 2012 and Windows 10.

MS16-013: A memory-corruption vulnerability in Windows Journal potentially allowing remote code execution in Windows Vista, Server 2008, Windows 7, Windows 8.1, Server 2012 and Windows 10.

MS16-014: Five security holes in Windows, including two remote-code-execution holes and a denial-of-service condition in Windows DLL Loading. Also fixed were an elevation-of-privilege error in Windows and a Kerberos security bypass flaw.

MS16-015: Six memory-corruption vulnerabilities in Office, each of which could allow for remote code execution. The update covers Office 2007, 2010, 2013, 2013 RT, and Office 2016 as well as Office for Mac 2011 and 2016.

MS16-016: One elevation-of-privilege flaw in WebDAV for Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Windows RT 8.1 and Windows 10.

MS16-017: An elevation-of-privilege flaw in Remote Desktop Protocol that could allow an attacker to log in to systems that have enabled Remote Desktop, which is turned off by default. The issue affects Windows 7, Windows 8.1, Server 2012 and Windows 10.

MS16-018: An elevation-of-privilege flaw in the Win32k component for Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012, and Windows 10.

MS16-019: Updates for a denial-of-service flaw in .NET Framework and an information disclosure hole in Windows Forms. The fix covers Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012 R2, and Windows 10.

MS16-020: A fix for one denial-of-service vulnerability in Windows Server 2012 R2. Other versions of Windows and Windows Server are not affected.

MS16-021: A denial-of-service vulnerability in the Network Policy Server RADIUS implementation on Windows Server 2008, Server 2008 R2 and Server 2012.

After installing the Microsoft updates, users and administrators would be wise to install monthly fixes issued Tuesday by Adobe for Flash Player. The updates cover a total of 22 CVE-listed flaws for Flash, all of which could potentially be targeted for remote-code-execution attacks. The Flash Player update also affects versions for OS X and Linux boxes.
During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001.

This signals just how long ago the Poseidon threat actor was already working on its offensive framework. Why has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were detected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept security researchers from connecting different campaigns under the umbrella of a single threat actor.

This approach entails crafting campaign components on demand and sometimes fabricating entirely unique malicious artifacts. Our research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of Poseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices involved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information gathering and privilege escalation, the sophistication level of the campaign highlights that, today, regional actors are not far behind better-known players in the global game of targeted attacks. Becoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to unearth the custom-designed infection tools deployed to each of their selected targets.

This process revealed a series of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking, unsurprising in a region with a gradually-maturing cybercrime industry.

The proper detection of each iteration of their evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of Poseidon’s combined operations required an archaeological effort to match.

Frequently asked questions

What exactly is the Poseidon Group?

The Poseidon Group is a long-running team operating on all domains: land, air, and sea.

They are dedicated to running targeted attack campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools.

The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm.

Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.

The Poseidon Group has been active, using custom code and evolving their toolkit since at least 2005.

Their tools are consistently designed to function on English and Portuguese systems spanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite connections. Poseidon continues to be active at this time.

Why do you call it Poseidon’s Targeted Attack Boutique?

The presence of several text fragments found in the strings section of executable files belonging to the campaign reveals the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also coincides with their later abuse of satellite communications meant to service ships at sea).

The boutique element is reflected in their artisanally adaptive toolkit for lateral movement and data collection which appears to change from infection to infection to fit custom-tailored requirements for each of their prospective clients.

The business cycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to say that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.

How did you become aware of this threat? Who reported it?

We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor. Perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on.

By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possibly earlier, and still active on the market. With this understanding, GReAT researchers were able to recognize similarities in obfuscation and development traits leading back to widely-reported but little understood variants on a sample in 2015, which searched for prominent leaders and secret documents involving them.

When did you discover this targeted attack?

The very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as noted previously, it is a very complex task to correlate indicators and evidence in order to put together all the pieces of this intricate puzzle.

By the middle of 2015 it was possible to identify that throughout this period of time it’s been the same threat actor, which we call the Poseidon Group.

Who are the victims? / What can you say about the targets of the attacks?

The targets are companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing.

The geographical spread of victims is heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia. Many of the victims have joint ventures or partner operations in Brazil.

The importance of the victims is not measured in numbers since each of these victims is a large-scale (often multinational) enterprise.

What exactly is being stolen from the target machines?

One of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such network topology is typical for companies and enterprises. The highest value asset for these companies is proprietary information, technologies, and business-sensitive information that represents significant value in relation to investments and stock valuations.

The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information, occasionally focusing on personal information on executives.

How does Poseidon’s APT Boutique infect computers?

The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure.

The executables are also often digitally signed and occasionally hidden in alternate data streams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the infection happens, it reports to the command and control servers before beginning a complex lateral movement phase.

This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware.

This way the attackers actually know what applications and commands they can use without raising an alert to the network administrator during lateral movement and exfiltration.

What does the Poseidon Group do? What happens after a target machine is infected?

Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services.

Then the attacker looks for all administrator accounts on both the local machine and the network.

This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest.

This reflects the Poseidon Group’s familiarity with Windows network administration.
In many cases, their ultimate interest is the Domain Controller. Additionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor connection, so the attacker may have a permanent remote connection.

What are the malicious tools used by the Poseidon Group? What are their functions?

Poseidon utilizes a variety of tools.

Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns.

A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering Toolkit), a bulky 15 megabyte executable that orchestrates a series of different information collection steps, exfiltration, and the cleanup of components.

This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement.

The IGT tool is coded in Delphi and includes PowerShell and SQL components across a dozen different drops.

This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective.

The main purpose of the IGT tool is to make an inventory of the system, saving information from the network interfaces and addresses, credentials belonging to the Domain and database server, services being run from the OS and everything that could help the Poseidon Group make its attack more customized to its victim.

Are the attackers using any zero-day vulnerabilities?

No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign. Poseidon’s conventional means of deceiving users with executable files posing inside Word and RTF document files, and actual poisoned documents with malicious macro-scripts, has been the sole method used for compromising their desired targets.

As we have seen in other targeted campaigns, social engineering and carefully crafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.

Is this a Windows-only threat? Which versions of Windows are targeted?

Poseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the infection method for each one so as to gather different information and hide its presence after the initial infection. Other products usually found in corporate environments, such as an SQL server, are being used for lateral movement and credential harvesting using a customized toolset designed by the crafty Poseidon Group.

Because of Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and Windows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to them, given the emphasis on reaching Domain Controllers in corporate environments).

How is this different from any other targeted attack?

The extortion elements of this campaign are what set it apart from others.

The exfiltration of sensitive data is done in order to coerce the victim into a business relationship under the threat of exchanging this information with competitors or leveraging it as part of the company’s offering of ‘investment forecasting’.

Additionally, this is the first ever publicly known Portuguese-speaking targeted attack campaign.

Are there multiple variants of the Poseidon Group’s malware? Are there any major differences in the variants?

Poseidon has maintained a consistently evolving toolkit since the mid-2000s.

The malware has not avoided detection but instead been so inconspicuous as to not arouse much suspicion due to the fact that this malware only represents the initial phase of the attack.

An altogether different component is leveraged once Poseidon reaches an important machine like an enterprise’s Domain Controller.

This is where the main collection takes place by use of the IGT (Information Gathering Tool) toolkit.

Is the command and control server used by the Poseidon Group still active? Have you been able to sinkhole any of the command and controls?

The Poseidon Group has interesting practices when it comes to its use of command and control servers, including redundancies and quickly discarding command and control (C&C) servers after specific campaigns.

This has actually allowed us to sinkhole several domains.

A few of these still had active infections attempting to report to the C&Cs.

This adds an interesting dimension to the story.

As part of Kaspersky Lab’s commitment to securing cyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution and provided them with indicators of compromise (IOCs) to help root out the active infection.
In the process, we were able to confirm the previously described operating procedures for the Poseidon Group.

Is this a state-sponsored attack? Who is responsible?

We do not believe this to be a state-sponsored attack but rather a commercial threat player.

Collaboration with information-sharing partners and victim institutions allowed us to become aware of the more complicated business cycle involved in this story, greatly adding to our research interest in tracking these campaigns.

The malware is designed to function specifically on English and Portuguese-language systems.

This is the first ever Portuguese-speaking targeted attack campaign.

How long have the attackers been active?

The attackers have been active for more than ten years.

The main distribution of samples goes back to 2005 with possible earlier outliers. Operating systems such as Windows 95 for desktop computers and Windows NT for server editions were not uncommon at the time, and Poseidon’s team has evolved gradually into targeting the latest flagship editions of Microsoft’s operating systems. Recent samples show interest in Windows 2012 Server and Windows 8.1.

Did the attackers use any interesting/advanced technologies?

During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks.

The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks. The malware authors also possess an interesting understanding of execution policies which they leverage to manipulate their victim systems.

They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases.

These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders.

Does Kaspersky Lab detect all variants of this malware?

Yes, all samples are detected by signatures and also heuristics. With a fully updated Kaspersky Lab anti-malware solution, all customers are protected now. Kaspersky Lab products detect the malware used by the Poseidon Group with the following detection names:

Backdoor.Win32.Nhopro
HEUR:Backdoor.Win32.Nhopro.gen
HEUR:Hacktool.Win32.Nhopro.gen

How many victims have you found?

At least 35 victim companies have been identified with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and public relations firms. The archaeological effort of understanding such a long-standing group can severely complicate victim identification. We see traces of upwards of a few tens of companies targeted.

The exact number of the victims may actually vary. Since it is a very long term group, some victims may be impossible to identify now. At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat.

Any victims or potential targets concerned about this threat should please contact us at intelreports@kaspersky.com.

Who is behind these attacks?

We do not speculate on attribution. The language code used to compile implants, as well as the language used to describe certain commands used by the group, actually corresponds to Portuguese from Brazil.

The inclusion of Portuguese language strings and preference for Portuguese systems is prominent throughout the samples. The tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests. Speculating further would be unsubstantiated.

Reference sample hashes:

Command and control servers:

akamaihub[.]com – SINKHOLED by Kaspersky Lab
igdata[.]net – SINKHOLED by Kaspersky Lab
mozillacdn[.]com – SINKHOLED by Kaspersky Lab
msupdatecdn[.]com – SINKHOLED by Kaspersky Lab
sslverification[.]net – SINKHOLED by Kaspersky Lab

For more about countering Poseidon and similar attacks, read this article in the Kaspersky Business Blog.
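The FAQ above notes that Poseidon occasionally hid its executables in NTFS alternate data streams to fool security solutions, and that its implants targeted Windows servers such as Domain Controllers. As an added example that is not part of the Kaspersky report, the following PowerShell function enumerates files under a directory that carry streams other than the main data stream and the Zone.Identifier mark-of-the-web, flags stream names that look like executables or scripts, and demonstrates itself on a constructed temporary file; the function name and the ignore list are my own choices.

```powershell
# Added example (not from the Kaspersky report): find files that carry NTFS
# alternate data streams beyond the ones ordinary files are expected to have.
# Such streams are one place the report says Poseidon hid executables.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams present on ordinary files and not worth reporting:
        # the main data stream and the browser mark-of-the-web.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every named stream on the file (including :$DATA).
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        # Heuristic (my own): a stream named like a binary or script
                        # deserves a closer look than a text or metadata stream.
                        LooksExecutable = ($_.Stream -match '\.(exe|dll|scr|ps1|vbs|bat|cmd)$')
                    }
                }
        }
}

# Constructed demonstration: write a harmless named stream onto a temporary
# file, show that the function reports it, then clean up.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible content'
Set-Content -LiteralPath $demo -Stream 'payload.exe' -Value 'text standing in for a hidden file'

Find-AlternateDataStreams -Path $env:TEMP |
    Where-Object File -eq $demo |
    Format-Table -AutoSize

Remove-Item -LiteralPath $demo
```

On a real host, point the function at a directory tree under review (for example a web root or a share on a Domain Controller) and review every row rather than only the flagged ones, since a stream name is attacker-chosen.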
Revision Note: V5.0 (February 9, 2016): Rereleased advisory to announce the release of update 3126593 to enable the Restricted Admin mode for Credential Security Support Provider (CredSSP) by default. See Updates Related to this Advisory for details. Su...
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) has been updated with support for Windows 10, but the company says you don't really need to download it any more. The defence tool is Microsoft's way of reinforcing Windows versions from Vista to 8.1. Available since 2009, the tool has introduced the latest mitigation techniques to stymie common attacks, including address space layout randomisation (ASLR) and data execution prevention (DEP). Version 5.5, released this week, adds official support for Windows 10 (although previous versions did support the operating system). Over time security technologies have been copied from EMET and baked into Windows, alongside many other security improvements, making it a less critical feature than in previous years. "[It] helps enterprises better protect their Windows clients by providing an interface to manage built-in Windows security mitigations while also providing additional features meant to disrupt known attack vectors used by prevalent malware," Microsoft's security wonks say. "Since that time, we have made substantial improvements to the security of the browser and the core OS. "With Windows 10 we have implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10." The latest EMET introduces improved configuration through group policy, the blacklisting of untrusted fonts, better registry writing, and Export Address Table Filtering (EAF) pseudo-mitigation performance improvements. It also grants Control Flow Guard protection to third-party software not yet using that (once-bypassed) exploit protection, which was introduced in Windows 8.1 updates and is present in Windows 10. Control Flow Guard is one of the three mitigations that Microsoft cites as having made their way from EMET into Windows; it inserts a check before each indirect call in code so as to ensure that the call lands on a known safe location. If that's not the case, the program is terminated.
AppLocker is another Windows security feature from EMET, and helps stop most unauthorised users from executing certain apps within a network. Paired with an enterprise application whitelist like Device Guard, AppLocker can ensure only trusted apps run. EMET may be powerful, but like most other security controls it has previously been bypassed.

Doneo Castle

Even the best antivirus products are fairly utilitarian. You run a scan, make sure real-time protection is turned on, check that malware definitions are up to date, that sort of thing. Naturally the websites for these products are also strongly focused on the task of wiping out viruses (and on getting you to upgrade to a more advanced product). Doneo Castle, which the company claims is the "safest place on earth," varies from the norm. Its main Web page displays an imposing castle, and a sepulchral voice intones the product name ("done-oh castle") when you visit. Fun, right? And you get "completely clean data," without the need for a local antivirus. It's a lovely fantasy, but in reality, relying on this castle's walls to protect you would be a big mistake. Plans and PricingYou won't solve the mystery of Doneo Castle by signing up for a free trial. The closest you can come is an $8.99 refundable Happy Month subscription. There are plenty of other options: A $22.99 Safe Season subscription covers you for 90 days, and a $36.99 Six and Sound subscription is good for six months. For $69.99 you get a Best Year of protection for two devices. There's also a limited-time one-device $49.99 per year offer. They're Bad, We're GoodAccording to the Doneo Castle website, existing antivirus products "have the elementary structure of their first generation," and "still use a 20 year old algorithm which checks all files one by one against their virus database." They have a "primitive client-based structure" and can't match products in "resent [sic] years" that operate in the cloud. Current antivirus products "start scanning after the entrance of a virus in the system, which in any case put your security in danger." There are a few problems with those statements (besides the spelling and grammar). In truth, modern antivirus products use layer upon layer of protection. The old-fashioned signature-based detection system is still present, in most cases, but it doesn't work alone. 
Behavioral analysis, cloud-based detection, URL reputation checking: There are many technologies that go beyond Doneo Castle's claims, as you can see in our reviews of competing products. In particular, some products are very good at preventing malware from ever reaching your system. I run a test using very new malware-hosting URLs, checking whether products prevent the malware payload from reaching my test system. Symantec Norton Security Premium and McAfee AntiVirus Plus (2016) both earned 91 percent protection in this test. That's a far cry from "scanning after the entrance of a virus." Completely Clean Data?So what does Doneo Castle actually do? Once installed, it functions as a Virtual Private Network (or VPN), diverting all your Web traffic through the company's servers. According to the website, "All data before entering to your device will be checked against viruses, spyware, and malware by several engines." As a result, you receive "completely clean data." Doneo Castle relies on AVG's technology, along with the antivirus fighting powers of Avira Antivirus 2015 and Bitdefender Antivirus Plus 2016. Now, you may wonder why the company would rely on the same "primitive" and "20 year old" antivirus techniques decried by its own Web page. Sorry, I can't answer that. I did check with those three antivirus companies, asking about their partnership with Doneo Castle. The two that responded knew nothing about it; one mentioned bringing in the legal department. Difficult InstallationOnce you've signed up for the service, you can use your email address and password to enter the Chamber—the online dashboard for Doneo Castle. Don't try this on an old, small monitor. Unless your desktop is at least 1,280 pixels wide, you won't be able to see all of the Chamber, and there's no horizontal scrollbar. I had to widen my virtual machine's desktop in order to test this product. If you can't see all of the Chamber, you might not notice that you have some more work to do. 
Your incoming Internet traffic won't be sanitized until you install the VPN component, called Doneo Bridge. Fortunately, there's a utility to perform the installation. Unfortunately, it didn't entirely work in testing. I downloaded the DoneoBridgeCreator application, overriding Chrome's warning that it might be dangerous. I ran it, with no apparent effect. After some investigation, I found that it only worked if I right-clicked the file and chose Run as administrator. How many average consumers would figure that out? The company fixed this problem just before I completed the review. The fix seems to work, though of course, it doesn't help customers who hit the earlier problem and gave up. Once the utility finished its work, I did find Doneo Bridge as an available network connection. Alas, it rejected my attempt to log in, stating "Connections that use the L2TP protocol over IPSec require the installation of a machine certificate." It took quite a bit of digging to sort that one out. Naturally the real problem didn't relate to a certificate. It seems the installer failed to populate the Doneo Bridge connection's authentication properties with the correct pre-shared key. Going back to the Chamber, I found a link to "instractions [sic]" for manually installing Doneo Bridge. Poring over the steps (more than 20 of them) I found the key, entered it manually, and finally managed to connect to the Doneo Bridge. Whew! The instructions for manually installing the connection are specific to an earlier version of Windows—I'm guessing Windows 7. If you try to follow them in Windows 8.x or Windows 10, you'll hit a wall. Just before the release of this review, the company contacted me, reporting that they'd fixed the missing key problem. I verified that indeed the Doneo Bridge installer now runs correctly and doesn't need the Run as administrator workaround. Once again, though, this doesn't help users who gave up on encountering the problem before it was fixed. 
Poor Protection
I double-checked that the product was installed correctly by attempting to download the EICAR test file, from the Anti-Malware Testing Standards Organization (AMTSO) Security Features Check page. Doneo Castle correctly blocked access to direct download of the file, though it failed the drive-by download test using the same test file. My malicious URL blocking test does use direct download, so it was time to proceed. For this test, I use a feed of recently discovered malware-hosting URLs, generously supplied by MRG-Effitas. When I run this test on a full-scale antivirus tool, I give equal credit for blocking URL access and for wiping out the malicious payload. With Doneo Castle, URL-blocking is the sole line of defense. I found that it took a noticeably long time for the browser to open many of the URLs; I assume this was due to processing time on the Doneo Castle servers. In some instances, I got a large notification in the browser window stating that Doneo Castle blocked an infected file. It listed the filename and also displayed the three antivirus engine names with a checkmark next to the ones that detected the malware. Doneo Castle's accuracy was disappointing. Out of 100 malware-hosting URLs, it blocked just 31. That's a far cry from the promise of "completely clean data." As noted earlier, some products managed 91 percent protection in this test. Comparing it only with URL-based blocking by other products, Doneo Castle still doesn't look great. McAfee and Trend Micro Antivirus+ Security 2016 managed 85 percent strictly at the URL level. A product that offers nothing but Web-based protection needs to be really, really good at it. Doneo Castle isn't.
Further Difficulties
After I managed to connect to the Doneo Bridge, I observed that nothing changed back in the Chamber. It still advised me to set up Doneo Bridge. Worse, after a reboot the bridge connection was lost, without any indication or warning.
The average user wouldn't notice the loss of Doneo Castle protection, and would probably have a tough time figuring out how to log into it again. Among the choices on the Chamber's left-rail menu are My Key (to manage username and password), Statistics, FAQ, and Contact Us. These, along with the other left-rail menu items, did nothing. It turns out this was because I was running the product in a virtual machine. For some reason, Doneo Castle only works with Firefox inside VMware VMs. On a physical test system it functioned correctly under Firefox, Chrome, and Internet Explorer. Clicking the Statistics button got me a more detailed list of URLs that passed or failed Doneo Castle's safety check. It even listed which of the three antivirus engines blocked a bad URL. The Gift menu item is echoed by a Gift button. This lets you give "days of your own residency at Doneo Castle" as a gift. Basically, you shorten your own subscription period by offering a portion of it to a friend. Not surprisingly, the Purchase button and menu item both work fine. They bring up a page that lets you extend your subscription.
Have Fun Storming the Castle, Boys!
I really wanted Doneo Castle to be a winner. The imposing castle on the home page is so much more interesting than almost any competing site. I even sort of like the slightly wacky stream-of-consciousness screeds on the main page, e.g. "Our Leader Vint Cerf, Father of the Internet, crossed over to the telco side of the force. Cerf Vader and legions of imperial stormlawyers are now defending the death stars against the insignificant ISPwoks." (Not joking.) Unfortunately, the protection just doesn't perform as promised. Perhaps in the future (or in a galaxy far, far away) Doneo Castle will reappear and make good its promise of "completely clean data." Until then, stick with our Editors' Choice antivirus products Bitdefender Antivirus Plus, Kaspersky Anti-Virus, McAfee AntiVirus Plus, and Webroot SecureAnywhere Antivirus.
And don't believe anyone who says those products are relying on primitive 20-year-old technology.
The safest way to escape from Superfish is to wipe your PC yourself. Here's how.
Microsoft is seeing red over Google's decision to publicize a flaw in Windows 8.1 before it could issue a fix. Google first raised eyebrows in the waning days of 2014 when it publicly disclosed a zero-day vulnerability in Windows 8.1. In Google's report of the privilege-escalation bug, the company noted that its 90-day disclosure deadline—the time between a vulnerability being reported privately and a patch subsequently being made available—had elapsed. Microsoft failed to issue a patch within the 90-day window, but the company downplayed the bug's severity. "It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid log-on credentials and be able to log on locally to a targeted machine," a Microsoft spokesperson told eWEEK's Sean Michael Kerner last week. "We encourage customers to keep their antivirus software up-to-date, install all available security updates and enable the firewall on their computer." On Sunday, Jan. 11, Google released details about another Windows rights-escalation flaw, this one first reported to Microsoft on Oct. 13. Now, as the disclosures pile up, Microsoft is striking a more confrontational tone. On that same day, Microsoft Security Response Center (MSRC) Senior Director Chris Betz took Google to task for letting slip the details of the latest vulnerability just days before the software giant was scheduled to issue a patch addressing the issue. In an MSRC blog post, he accused Google of releasing "information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so." Betz further asserted that Google's strict deadline can hurt more than it helps.
"Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha', with customers the ones who may suffer as a result," Betz said. "What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal." There are conflicting views between those who favor full, transparent disclosure of IT security issues as they arise and software providers that subscribe to a privately coordinated approach, or Coordinated Vulnerability Disclosure (CVD), as Microsoft terms it. More often than not, CVD enables vendors to stop potentially dangerous bugs before users are affected, argued Betz. "Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a 'fix' has been provided to customers, and even after a 'fix' is made publicly available only a very small amount are ever exploited," he stated. "Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves." Microsoft has been in Google's shoes, but has walked a different path when it comes to disclosing bugs. "You can see our values in action through our own security experts who find and report vulnerabilities in many companies' products, some of which we receive credit for, and many that are unrecognized publicly," said Betz. "We don't believe it would be right to have our security researchers find vulnerabilities in competitors' products, apply pressure that a fix should take place in a certain timeframe, and then publicly disclose information that could be used to exploit the vulnerability and attack customers before a fix is created," he added.
Unmark those calendars. The days of major patches are gone as Microsoft switches to a diet of smaller, more frequent updates. The Windows Service Pack era is well and truly over. Although dubbed "updates" in rec...
Microsoft investigated the leak by rummaging through a French blogger's Hotmail account.