Can Your Anti-Virus Software Become Infected

Experienced computer users know that any time your firewall software decides to flag a program, it’s worth double-checking before you let it go ahead. Indeed that’s arguably the key function of a firewall. But what if the program being named as suspect purports to be part of your security software?

Users of Symantec’s Norton Internet Security and Norton Antivirus found themselves in that position in early March this year when an update patch called PIFTS.exe was sent out as part of its regular stream of updates. Unfortunately, owing to human error, the patch was sent out without being ‘signed’ – the process that confirms the software really was developed by Symantec and can be trusted. Unsurprisingly, that led to widespread user confusion.

Symantec withdrew the patch after three hours, and issued an apology on its blog. “Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users,” the company said. However, that didn’t prove to be the end of the story. As is often the case with security issues, one single problem (accidentally sending out an incorrectly configured file in this instance) mushroomed in several unexpected directions.

Symantec’s user forums, which had been one of the first areas where the PIFTS.exe problem was widely reported, were attacked by an unidentified individual. “One individual created a new user account and posted about the names of the patch executable, PIFTS.exe,” Symantec explained. “Within minutes several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone.”

As a result, Symantec deleted the relevant posts, claiming they violated its terms of service. While that might seem like a reasonable response, it led to widespread speculation online that the company had something to hide and that it might have been deliberately distributing the PIFTS.exe file for unspecified nefarious purposes.

One possible reason for the attack might have been to increase the visibility of reporting about PIFTS.exe. Several sites purporting to contain information about PIFTS.exe – and ranking highly on Google searches for that term – had actually been set up purely to distribute other malicious code. As I often see, ‘drive-by’ distribution via websites is now a major source of concern, and the developers of such malware are happy to use any means available to attract traffic.

What lessons can be learned? Firstly, that you should always take firewall warnings seriously, because even anti-virus companies aren’t perfect. Secondly, if you encounter reports of a security problem, don’t rely on a simple Google search to find information without exercising a healthy dose of caution.

Twitter’s Cam Attack

Twitter – the social networking service that lets you provide details of what you’re up to in real time, provided you don’t use more than 140 characters, just like a text message – has been getting increasing coverage in the media. Inevitably, its increased visibility and popularity have also made it a fertile target for attack.

Earlier this year, you may recall prominent Twitter accounts, including that used by US President Barack Obama, were attacked by using a rare help-desk problem. In the most recent incident, 750 Twitter accounts were compromised, and used to post details of an adult Webcam service. The same dodgy site was also promoted in other hacking attacks, but Twitter’s current prominence made it easily the most visible target for attack.

It’s worth emphasising that those attacks didn’t occur because of fundamental flaws in Twitter’s system design, but because individual users had set passwords that were too easy for hackers to guess using automated systems. Twitter’s own statement on the problem highlighted that issue. “As a general reminder, keep in mind that strong passwords can help prevent hijacked accounts,” its blog pointed out.

Password Stupidity Still Abounds

That advice from Twitter reinforces an important point. Not using easily guessed passwords (like your username, a series of consecutive numbers, or the word ‘password’ itself) is one of the staples of security advice. Another is having a different password for each individual application or site, rather than using the same password for everything (the logical equivalent of having one key for your house, office and car!). One of the reasons we constantly need to repeat these rules is that, for the most part, everyone ignores them.

A recent online survey by business security software developer Sophos underscores that point. Less than 20% of those surveyed consistently used a different password for every application. Around half used “a few different passwords”, while one-third used the same password for pretty much everything. Given Sophos’s relatively sophisticated enterprise audience, it’s not hard to imagine that the relevant figures for the average computer user would paint an even grimmer picture.

“With social networking and other Internet accounts now even more popular, there’s plenty on offer for hackers and by using the same password to access Facebook, Amazon and your online bank account, you’re making it much easier for them,” Sophos senior technology consultant Graham Cluley pointed out.

So, at the risk of repeating the obvious, a really good password doesn’t contain any dictionary words, uses a mixture of upper and lower-case letters, and is at least eight characters in length.

Ideally, you should have unique passwords for every different application or site, but at the very least have unique passwords for your PC, email account and online banking. Regularly changing passwords is also good security practice. And remember to keep your operating system and anti-virus software up to date – fewer vulnerabilities always means fewer risks.
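To make the password rules above concrete, here is an added example (not code from the article or from Sophos) of a small audit script that applies them: it rejects passwords that are shorter than eight characters, lack a mix of upper and lower case, equal the username, are a run of consecutive digits, or contain a dictionary word, and it separately flags the same password being reused across several sites. The word list, the username and the sample credentials are constructed for illustration; a real audit would load a full dictionary and a list of commonly breached passwords.

```python
"""Password-policy audit implementing the rules given in the article.

Added example, not the article's own code. WORDLIST, the username and
SAMPLE_CREDENTIALS below are constructed stand-ins for real data.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed, deliberately tiny stand-in for a real dictionary / common-password list.
# Note that 'password' itself is covered by this list.
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "summer", "qwerty"}

MIN_LENGTH = 8  # the "at least eight characters" rule


def _contains_dictionary_word(pw: str) -> bool:
    """True if any word-list entry appears anywhere in the password (case-insensitive)."""
    low = pw.lower()
    return any(word in low for word in WORDLIST)


def _is_sequential_digits(pw: str) -> bool:
    """True for runs of consecutive numbers such as 12345678 or 87654321."""
    if not pw.isdigit() or len(pw) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("no mix of upper- and lower-case letters")
    if username and password.lower() == username.lower():
        problems.append("equals the username")
    if _is_sequential_digits(password):
        problems.append("is a run of consecutive digits")
    if _contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


def find_reused_passwords(credentials) -> list[list[str]]:
    """Group sites that share one password (the 'one key for house, office and
    car' problem). Takes (site, password) pairs; returns only the site groups,
    never the passwords themselves, so the report is safe to print."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in credentials:
        sites_by_password[pw].append(site)
    return [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]


# Constructed sample credential set for one user (hypothetical values).
SAMPLE_CREDENTIALS = [
    ("facebook", "Tr0ub4dor&3"),
    ("amazon", "Tr0ub4dor&3"),
    ("bank", "Tr0ub4dor&3"),
    ("email", "Xq7#mLp2vR"),
]


def main() -> None:
    # Constructed sample passwords covering each rule; 'jsmith' is the hypothetical username.
    for pw in ["password", "12345678", "jsmith", "Summer2009", "Xq7#mLp2vR"]:
        print(f"{pw!r}: {check_password(pw, username='jsmith') or 'OK'}")
    print("password reused across:", find_reused_passwords(SAMPLE_CREDENTIALS))


if __name__ == "__main__":
    main()
```

Running the script shows `Summer2009` failing only the dictionary-word rule, `12345678` failing both the mixed-case and consecutive-digits rules, and the reuse check reporting that `amazon`, `bank` and `facebook` share one password even though that password itself passes every strength rule.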
