Don’t fall for PC scan scams
In this issue
- TOP STORY: Don't fall for PC scan scams
- BRIEFING SESSION: 'Log Me In' is free remote access done right
- WINDOWS SECRETS: Web surfers, beware of dangerous waters
- PATCH WATCH: Patches are subject to a great deal of FUD
- PATCH WATCH: Rules of engagement for patch warfare
- HOT TIPS: BackupFox is new Firefox profile-saver
- WACKY WEB WEEK: Why wait 'til you're dead to show in the Louvre?
Don't fall for PC scan scams
By Brian Livingston
Thanks to massive publicity about the subject, computer users are now widely concerned that their machines might be infected with "spyware" programs. These applications monitor users’ activities and perhaps transmit to a hacker the users’ passwords and other confidential information. But many Web sites that claim to “scan your computer” to detect spyware are, in fact, spreading spyware themselves.
In one of the latest examples, the U.S. Federal Trade Commission announced on Mar. 11 that Spyware Assassin, a $29.95 program sold by MaxTheatre Inc., was promoted by bogus pop-up windows. These windows falsely claimed, "You have dangerous spyware virus infections on your computer. Click OK to install the latest free update to fix these errors."
The FTC said that if a computer user clicked OK, a phony "local scan" then reported that spyware had been found, displaying a phony list of supposedly infected files and folders. Both the original message and the "local scan" reported problems even if the computer was free from infections, the FTC said.
The federal agency persuaded the U.S. District Court in Spokane, Wash., where MaxTheatre is based, to issue a temporary restraining order. The site is now shut down.
This kind of scam is now so common on the Web that it’s generating its own macabre jokes. One wag suggested in a Slashdot posting that, if the FTC really got serious, we’d soon see the following story:
- "The Federal Trade Commission has shut down Microsoft, alleging the company participated in fraudulent practices with its Windows and Office software, which purportedly gave the illusion of an operating system and/or increased productivity at work, even though no improvement was done and in most cases, the user machine would stop working correctly after a day. The company’s site then offered the user a $30 product to enhance security, which the commission reports ‘didn’t do a thing.’"
Impersonating a cleanup service
All kidding aside, the number of bogus programs that now pose as "antispyware" applications is enormous and still growing.
Eric Howes, a security researcher who has published numerous tests of cleanup programs (as described in our Feb. 24 and previous newsletters), has found more than 100 examples of disreputable applications on the Web.
He maintains a detailed list of Rogue/Suspect Antispyware Products on a page at Spyware Warrior, an informational site. The rogue’s gallery includes such programs as "SpyDeleter," a product promoted, according to an FTC complaint, by Sanford Wallace, formerly a well-known spammer. The FTC sought a restraining order against Wallace and a related company, Seismic Entertainment Productions Inc., last October.
In many cases, according to Howes’ listings, rogue programs actually install browser home-page hijackers and open a back door to install other software.
Many computer users are understandably fearful of online threats and click OK to cleanup offers, without first questioning the source of the “alert.” This is one more thing to guard against on the Web.
Unfortunately, some legitimate security companies also offer online scans to detect malware on PCs. Although these companies mean well, I can’t recommend such scans at this time. Even if the company produces a fine software product, any remote scan is subject to false positives. In other words, the scan might detect something on a PC and incorrectly label it malware. If the company then offers to sell a product to clean up the system, it can be accused of engineering the false positives, just as the FTC charged MaxTheatre of doing.
A much better approach is for computer owners to purchase low-cost but effective security programs to clean up their systems and then protect them from further infections. We include a summary of the top-rated programs in our Security Baseline section, below.
Important: Please note that my recommendation against Web scans of PCs does not apply to vulnerability detection sites, such as the excellent Shields Up! service provided by Steve Gibson of the Gibson Research Corp. This service, with your permission, examines a PC’s network connection to determine whether or not it has "open ports" that can be exploited by hackers. Since the testing mechanism needs to be outside your network in order to conduct such vulnerability assessments, Shields Up! provides a valuable service that cannot easily be performed by software you install.
Let’s call it spyware if it qualifies
I wrote in the Feb. 24 newsletter that the distinction between "spyware" and "adware" was meaningless. Since all such programs generate revenue or something else of value for their promoters, they should all be called adware, I said. This would preclude authors of such programs from saying, "Our product is not spyware, it’s adware, which is fine." Programs that control any aspect of your PC without your full knowledge and consent are always a severe security risk and should not be tolerated. (I have always stated that "ad-supported software," where the ads are displayed within an application’s primary window, as with Opera and Google, are fine.)
I now believe I shouldn’t have dissed the term "spyware" so much. The public has come to fear "spyware" because of saturation coverage of the problem in the mass media. For this reason, I’m dropping my objections to the term and the newsletter will use "spyware," "adware," "malware" and other terms as appropriate.
Howes has written to me that definitions of spyware are actually becoming a burden on consumer advocates such as himself. He now feels that the more specific a definition is, the more it may be a trap:
- "I’m really skeptical at this point that we ever will come up with a term for this kind of software that everyone can live with. The problem is that once you come up with a term and that term becomes even remotely tainted or even hints that the software is in any way undesirable, the people whose software you’re trying to hang that term on are going to object.
"Just one year ago the industry was pushing the ‘spyware=bad / adware=good’ distinction. Now many of these same companies don’t even want to be associated with the term “adware,” so tainted has that term become.
"I actually think the right approach now is to push people to stop getting hung up on the precise word(s) you use to name the software, which leads only to useless definitional disputes that the bad guys exploit to wriggle out of your term, and focus on the practices and behaviors of the companies and the software."
Howes provided the most far-reaching analysis of the various problems we face — and terms to describe them — in a paper he submitted to the FTC last year. At that time, he thought a better catch-all term would be "junkware." I recommend his paper to everyone interested in this subject.
The problem isn’t ads, it’s remote control
Unfortunately, the issue of pop-up ads (which are bad enough) has confused the main threat facing us. It isn’t a display of ads that makes a program malware. It’s the fact that the application has (1) the ability to run commands on the infected PC, or (2) download new versions of itself (which may have negative features), or (3) download entirely new programs that aren’t in the best interest of the computer owner.
The fact that a PC user is giving control of the machine to someone other than its owner is the heart of the matter.
If I were writing laws about this, I’d prohibit software that can "morph" its code once installed, except under strict conditions. I believe all such software should be removed automatically by security programs. The user should then be able to see a log of what was removed, and should be able to undo some of the uninstalls, in some cases.
As I noted on Feb. 24, the license for the iSearch Toolbar, an adware program, says it may "without any further prior notice to you… install software from iSearch affiliates; and install Third Party Software." There is absolutely no reason for a legitimate software company to claim the right to install on your PC other programs from other companies, which you may never have heard of.
I believe there’s an enormous financial incentive for adware makers to sell access to their network of PCs to questionable characters. With this temptation, I believe it’s only a matter of time before seriously nasty programs are installed everywhere, making them stronger than the defenders. (At some point, say, they may collectively launch a massive DDoS against the servers of Symantec, McAfee, and other security firms. Some such attacks have already begun. Numerous malware programs alter a PC’s Hosts file so attempts to connect to security firms’ sites fail. These alterations are stopped by installing the leading antispyware apps, which are shown in our Security Baseline section, below.)
That’s why I believe all computer users should eradicate this stuff now, and that ISPs should start checking for and eradicating it, too.
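As an added illustration (not code from the newsletter), here is a small Python check for the Hosts-file alteration described above: it parses a hosts file and reports any static mapping for a security vendor's site, since a clean hosts file has no reason to pin those names. The watched-domain list is an assumption drawn from the vendors named in the text, and the hosts content is constructed.

```python
"""Flag hosts-file entries that pin security vendors' sites to any address."""
import ipaddress
import re

# Names the newsletter says malware redirects (Symantec, McAfee) plus the
# Windows Update host; extend for your own environment (assumed list).
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "windowsupdate.microsoft.com")

# Constructed sample hosts file. The first mappings are normal; the last
# three are the kind of redirection the newsletter describes (vendor sites
# sent to loopback or to an address the attacker controls).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   fileserver.corp.example
127.0.0.1   www.symantec.com securityresponse.symantec.com
127.0.0.1   www.mcafee.com  # blocks signature updates
203.0.113.5 windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an IP address: not a mapping
        for name in fields[1:]:  # one address may map several names
            yield str(addr), name.lower()


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_redirections(text):
    """Return (hostname, address) for every watched name pinned in the file."""
    return [(name, addr) for addr, name in parse_hosts(text) if is_watched(name)]


if __name__ == "__main__":
    for name, addr in find_redirections(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {addr}")
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `find_redirections`.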
Don’t use P2P software that installs spyware
I’ve written previously that file-sharing software usually tries to install spyware. I noted on Jan. 27, for example, that Grokster alone could install as many as 15 separate adware programs.
If you insist on using such peer-to-peer applications — which open connections in your PC that have their own serious security risks — I urge you to read Ben Edelman’s Unwanted Software Installed by P2P Programs.
Edelman, a respected researcher who is a Ph.D. economics candidate at Harvard University, shows the junk you can accumulate from file-sharing applications. Of the five programs he tested, only LimeWire was free from adware. (Edelman discloses that LimeWire has a consulting relationship with him. I believe his results are trustworthy nonetheless.)
In future issues of the newsletter, I hope to publish a list of Web sites that actually do provide useful PC scanning services without any hint that they might use false positives to sell products. This is an extremely difficult topic to research, because such sites may change at any time, making guarantees difficult. All I can say is: Watch this space.
Our thanks go out to our reader whose handle is Navigatr1 for help in researching this topic. To send us more information about spyware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
'Log Me In' is free remote access done right
By Paul Thurrott
Windows XP Pro includes Remote Desktop, which is useful for remotely connecting to your PC. But Remote Desktop has trouble with firewalls, and it isn’t available on Windows XP Home Edition, 2000, 9x, or Me. Fortunately, Windows users have a variety of options for remotely accessing their PCs. And one of them, surprisingly, costs nothing.
We’ve all been there: You’re stuck at work, in a coffee shop, or halfway around the globe, and you need a file on your home computer. If you’re lucky, you can call a spouse or other family member, and talk them through the process of emailing the file to you. But that’s not an elegant or foolproof system. What you really need is some sort of remote access software.
XP Professional includes such a solution, called Remote Desktop. But if your XP machine is behind a firewall in your home network, and you’re out on the road, good luck making that connection. Users with other Windows versions, including XP Home Edition, are even more out of luck, as they don’t have Remote Desktop at all.
Various third party application makers, of course, have stepped in to fill that gap. These solutions have no problem navigating firewalls automatically. And they use encryption to protect the data traveling over the connection between you and your PC.
Classic remote access
The problem, until recently, was that most of these solutions were pretty expensive. Symantec’s pcAnywhere is the classic remote desktop solution. Available for Windows XP, 2000, 9x/Me, and NT 4, as well as various Linux versions, pcAnywhere offers many valuable functions, most of which are aimed at business users. pcAnywhere also includes clients for Pocket PC devices, as well as a Web-based Java client. However, the product lists for $200 USD.
Welcome to the Web generation
In the past year or so, a new Web-based offering, GoToMyPC has gotten a lot of press. GoToMyPC lets you remotely access your PC from any Web browser, giving you much of the functionality of pcAnywhere or Remote Desktop. Pricing is a bit high, however. If you choose the monthly payment route, the cost is $19.95 per month ($29.95 per month for two PCs). Or you can pay for a year upfront for $179.40 ($269.40 for two PCs).
The price is right
Recently, a new remote access solution has appeared, and this one is perfect for occasional users, based on my recent tests. The service is called LogMeIn, and, like GoToMyPC, it’s Web-based. It supports Windows XP, 2000, 98, and Server 2003 for the remote PC, and virtually any Windows version — 95, 98, Me, NT 4.0, 2000, XP — or any Java-enabled Web browser for the client. That includes, incidentally, Pocket PCs, Macs, and Linux machines.
What really sets LogMeIn apart, however, is the price. It’s free.
Using the Web client, LogMeIn performance is excellent, rivaling that of Remote Desktop on a local area network. But make note: Like other similar solutions, it does require a small client installation so that you can access the PC remotely.
Now, the free version of LogMeIn does come with some caveats. For example, you can’t easily transfer files between the remote PC and the local PC, though a LogMeIn Pro service ($12.95 a month or $99 a year per PC) adds that functionality.
For occasional users, however, this isn’t a huge limitation. To get around it, you can simply e-mail files to yourself from a Web-based e-mail client such as Gmail or Hotmail.
LogMeIn Pro includes other unique features, like one-click synchronization of files between your local and remote PCs, and a Click2Share function that makes it easier to transfer files that are too large for e-mail. But the no-cost LogMeIn service is such a no-brainer — and can be installed on any number of PCs — that you will almost certainly want to check it out. To my knowledge, LogMeIn has no free competition that can match its ease of use.
I’ve installed LogMeIn on the server in my home network and have tested the service from various clients in various locations around town. But the big test will come during a trip this week to Ireland: I’ll be relying on LogMeIn to keep me in touch with my data. And if it works as advertised, I might just opt in for the Pro version.
Paul Thurrott, associate editor of the Windows Secrets Newsletter, is the author of Windows XP Home Networking, 2nd Ed., and Great Digital Media with Windows XP and the author or co-author of several other books.
Web surfers, beware of dangerous waters
By Chris Mosby
Like that beach movie that recently aired on CBS-TV, the Internet is infested with hacker "sharks" that are constantly swimming around fishing for computer "food." Unlike the real thing, these sharks swim with their fin deep underwater and it’s hard to see them coming.
Since the Internet is pretty essential to everyday living to some people, all you can really do is put on that steel-reinforced scuba gear and take a dip.
CSS styles can now infect IE 6
Once again, hackers have found a way to turn a perfectly good feature of a Web browser against you.
A Cascading Style Sheet (CSS) is defined by the World Wide Web Consortium as "a simple mechanism for adding style (e.g. fonts, colors, spacing) to Web documents." Used correctly, this formatting feature is a good way to standardize the look and feel of Web sites, while leaving other HTML code untouched.
Unfortunately, this formatting feature can be used against unsuspecting Internet Explorer 6 users, even those who have XP SP2 installed. An unpatched IE weakness allows a hacker to access a user’s computer via a specially crafted CSS file. All that’s needed for this to happen is to use IE to visit a Web site that has the hacker’s CSS file. This may sound far-fetched, but there is already exploit code available on the Web for this vulnerability.
What to do: Until a patch is available, you can take steps to disable style sheets in Internet Explorer. This can be done by doing the following:
• Step 1: Open the Tools menu in Internet Explorer.
• Step 2: Click Internet Options and select the Accessibility button towards the bottom left corner.
• Step 3: In the Formatting section, check all three boxes.
• Step 4: Click OK on all dialog boxes you have opened to save your changes.
Note: This may make some Web sites display improperly or not at all.
The amount of damage that this exploit can do is limited to the rights that a user has on the machine. This is a good argument for logging on to your computer with reduced rights, as was suggested in the March 10, 2005, edition of this newsletter.
For more information, see Microsoft’s MSDN article on safe browsing and a Security Focus bulletin on the IE flaw.
New info leak found in most browsers
If you haven’t figured it out by now, the Web isn’t safe unless you take precautions. Even using a different browser than Internet Explorer doesn’t always protect you from vulnerabilities. The newly popular Firefox browser sometimes has security issues, too.
This has become even clearer recently with information released by Security Focus. According to the security firm’s report, browsers from many different vendors are vulnerable to a weakness that could allow a hacker to gather information from a computer. This information could be user names, file names, and file locations. By itself, this problem is not too much of a threat, but combined with other exploits, the damage done to a computer could be significant.
This problem has been confirmed in all versions of Internet Explorer, Firefox, and Opera. Exploit code for this is already available as well.
What to do: This problem is pretty new, and because the exploit is unpatched, details are hard to come by. Your best plan of action is to follow the IE hardening guidelines detailed in the Nov. 11, 2004, issue of the Windows Secrets Newsletter. Paul Thurrott’s suggestion from the March 10, 2005 edition on running with reduced user rights may also prevent exploits that can leverage this vulnerability.
For more information, see the Security Focus bulletin on the flaw.
Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.
Patches are subject to a great deal of FUD
By Susan Bradley
Today is going to be FUD Roundup Day at the ol’ Patch Corral. You’ve heard of FUD, right? Fear, Uncertainty, and Doubt? Once used only in relation to IBM, then in reference to Microsoft, it seems everyone likes to throw around a bit of FUD these days to get us consumers upset and concerned.
Today we’re going to cover some FUD about operating systems, patching, and — as usual — our ever-present topic, browsers.
FUD 1: April 12, your PC is no longer yours
As I said in last issue’s Patch Watch, April 12 will not be the day you "automatically" receive Windows XP SP2. But if you’re currently on XP SP1, perhaps this is the time to think about finally installing SP2.
Many firms that have not deployed it are in a state of being "stuck between their vendors and their applications." The vendors will not certify the service pack — and the firm is unable to install the patch unless the vendors support it.
Personally, I’ve found that all of my line-of-business applications have worked just fine on XP SP2. I had no service agreement to worry about voiding. I tested my applications for full functionality and didn’t even bother with vendor certification.
If you must wait for vendor certification, you should try as best as you can to get them to approve the service pack, if that’s what is holding you back. In general, the best installations have been done on malware-free machines, according to Jupiter Jones’ installation checklist.
Make sure you’ve used the top-ranked antimalware tools from the Security Baseline (above) before beginning to install a service pack. If the machine is badly infected, seriously consider a process called “flattening” it and reinstalling the operating system from scratch. This is not without its risks, however, and not for the faint-hearted. Microsoft TechNet has an article on the subject.
In my experience, desktops are manageable, but laptops can be annoyingly hard to reinstall from scratch. In my own office, the only "gotchas" that I came across deploying SP2 were Nvidia digital video-card drivers that were updated and then would not function after the application of Service Pack 2.
What to do: I merely booted into safe mode, went to the Control Panel where the video card was located and rolled the driver back to the Service Pack 1 version of the driver, and the systems are working perfectly.
FUD 2: The entire U.S. government can patch before us
If you believed the information from news stories on our next FUD alert, you’d think that the government was able to obtain and deploy Microsoft security patches before everyone else. In reality, they are just one of the firms identified as being part of a program that was already in place to test security patches in more realistic test environments, according to the Microsoft Security Response Center blog. As was reported in the Mar. 10 Windows Secrets, this closed beta is designed to make patches more reliable.
While patches themselves appear to be getting better in quality, a French tech Web site reports that there are still many issues with Windows Update. The majority of issues I have personally seen with failures in Windows Update are due to Catroot2 corruptions.
What to do: The corruption can be fixed by renaming the Catroot2 folder, as discussed in Microsoft Knowledge Base article 822798.
FUD 3: Firefox is open to spyware
If you believed a certain FUD news story when you heard it, you’d think that Firefox is suddenly being hammered with spyware.
The truth is that such exploits require deliberate clicking of "yes" on an end user’s part, according to a VitalSecurity.org analysis. The security site shows that the Sun Java Runtime Environment (JRE) is subject to an exploit if users click through security warnings.
I can’t imagine a normal, rational person clicking "yes" with such security warnings confronting them. But that is what one security blogger wants you to believe. While the author has a valid point — most malware is indeed invited in by user actions — he clearly overuses the FUD factor.
The exploit does point out that Internet Explorer is still under the hood of your operating system, even if you are using Firefox. Thus you may wish to review the additional protection for Internet Explorer that was discussed by Paul Thurrott in the Mar. 10 newsletter.
Remove old versions of Sun JRE
Related to the above item, you should be aware of an older security issue with Sun JRE. According to a Sun alert, the following versions on IE/Windows can cause an untrusted applet to launch applications: JRE 1.42, 1.4.1_06 and earlier, 1.4.0, and 1.3.1_12 and earlier.
What to do: It is recommended that you remove prior versions of the Sun JRE. To determine if you are running the Microsoft JVM or Sun’s JRE, click Start, Settings, Control Panel. If you see a coffee-cup icon labeled Java plug-in, or you see a coffee cup in your system tray, you are running Sun’s version of Java.
Next, click Start, Run, type cmd and press Enter. In the dialog box that appears, type in java -version and review the results. You can follow the instructions to determine if you have the version in question.
Keep in mind that on newer machines that automatically update, the prior JRE may still be on the machine. In the Control Panel, in the Add/Remove Programs utility, review whether you have older Java JRE implementations installed. If so, uninstall them. At this time, the 1.42 version of JRE has been reported to be more stable if you’re running Firefox 1.0.1.
Thwart LAND attacks on XP and 2003
A recent posting to a security listserve indicated a specially crafted packet can cause a system to “freeze up” for about a minute and cause a denial of service scenario, according to a SANS advisory.
What to do: This old-fashioned attack can be thwarted on the XP SP2 platform if you are running the firewall. On the Windows 2003 platform, you can add a SynAttackProtect setting to public-facing servers for additional protection.
While not an earth-shattering vulnerability, it’s still interesting because (a) it’s the type of attack that has been around for a long time, (b) there’s a way to mitigate the issue, but (c) the setting is not “default” in Windows 2003 servers at this time. There are, however, indications that the setting is enabled on Windows Server 2003 SP1, according to a Microsoft TechNet article.
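As an added, defender-side example (not code from the newsletter or SANS), the following Python parses constructed lines in the column layout of a Windows Firewall log and flags the LAND pattern the item describes: a TCP SYN whose source address and port equal its destination. The exact column order of a real pfirewall.log is an assumption, which is why the parser reads the `#Fields:` header instead of hard-coding positions.

```python
"""Find LAND-style packets (source == destination) in firewall log lines."""

# Constructed sample in the layout of a Windows Firewall log. The
# "#Fields:" header names the columns (the field order is an assumption
# about the real log format; the parser trusts the header, not positions).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-24 10:15:21 OPEN TCP 192.0.2.10 10.0.0.5 1044 445 - - - - - - - - -
2005-03-24 10:15:22 DROP TCP 10.0.0.5 10.0.0.5 135 135 40 S 2144221763 0 16384 - - - RECEIVE
2005-03-24 10:15:22 DROP TCP 10.0.0.5 10.0.0.5 139 139 40 S 2144221764 0 16384 - - - RECEIVE
2005-03-24 10:15:23 DROP UDP 10.0.0.5 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2005-03-24 10:15:24 DROP TCP 198.51.100.7 10.0.0.5 3389 3389 40 S 99 0 8192 - - - RECEIVE
"""


def parse_records(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the tag
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other header lines, blanks, or data before a header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or foreign line; skip rather than misalign
        yield dict(zip(fields, values))


def is_land(rec):
    """LAND packet: TCP SYN whose source address and port equal the destination's.

    The UDP line in the sample shares address and port but is not a SYN, and
    the last TCP line shares only the port, so neither is reported.
    """
    return (rec["protocol"] == "TCP"
            and rec["src-ip"] == rec["dst-ip"]
            and rec["src-port"] == rec["dst-port"]
            and "S" in rec["tcpflags"])


def find_land(text):
    """Return (time, address, port, action) for every LAND packet in the log."""
    return [(r["time"], r["src-ip"], r["src-port"], r["action"])
            for r in parse_records(text) if is_land(r)]


if __name__ == "__main__":
    for hit in find_land(SAMPLE_LOG):
        print("LAND packet seen:", hit)
```

An action of DROP on every hit, as in the sample, is what you want to see: it means the XP SP2 firewall discarded the packet before the TCP stack processed it.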
Mozilla Suite out, Firefox and Thunderbird in
The Mozilla Foundation has stated for a long time that its intentions were to focus on the standalone products of Firefox and Thunderbird. So it was not completely unexpected to hear that the Mozilla Suite was going to be retired and transitioned to the separate products.
However, it surprised some that a lot of work had been done on the 1.8 platform that now appears to be abandoned. There’s even talk of a community project to maintain the suite under the SeaMonkey name.
MS05-002 patch for Win 98/Me crashes video driver
MS05-002 (891711): At the present time, there appears to be an issue with the long-delayed MS05-002 patch for Windows 98/Me. A version of this patch was made available for Windows NT, 2000, XP, and 2003 on Jan. 11. The version for 98/Me wasn’t released until the most recent Patch Tuesday, Mar. 8.
The symptom is that the PC is hit with the Blue Screen of Death. The issue appears to be related to video drivers. We’ve heard that this particularly affects the Intel 82810 Integrated Graphics Controllers.
What to do: If you experience this, roll back the patch and look for an updated video driver from the manufacturer.
MS05-011 halts XP file saves to 95, 98, OS/2
MS05-011 (885250): The installation of this patch, which Microsoft released on Patch Tuesday in February, interferes when you use XP to try to write a file to a shared folder. This occurs when the folder is on Windows 95, 98, or OS/2. These operating systems use Server Message Block (SMB) communications.
What to do: Install a hotfix released Mar. 14 by Microsoft if you’re having this specific problem. The fix is available from KB 895900. The hotfix is available for free by calling Microsoft at 1-866-PCSafety in the U.S. or reviewing the toll-free numbers in other countries.
The ‘right’ browser for you and your environment
This reminds me of an e-mail that a reader of Windows Secrets submitted. He writes that he was going to stick with the security plan he had in place to protect the browser he had installed in his firm. He had a browser that he felt had proper support, a firewall in place, and an enterprise spyware solution. He feels that he has enough protection in place to be comfortable with his decision.
I cannot agree more. Whether the browser that you choose to protect and defend is Opera, Firefox, Internet Explorer, or any of a number of others that are out there, understand it, make sure you have the resources you need for an environment of your size to support it properly, and add antispyware programs as needed.
I don’t know about you, but keeping up with the browser alternatives these days is leaving me a little pooped. Pick one. Protect it. And don’t forget to say "no" when something stupid wants you to download it. Just saying "no" a bit more often will keep us all a bit safer.
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Rules of engagement for patch warfare
By Mark Burnett
Over ten years ago, I locked my keys in my car. It was the first time in my life I had ever done this and I have never done it since. But, to this day, my wife still asks me if I have the keys every time I shut the car door. A decade of not locking the keys in my car has done little to gain her trust.
I feel the same way about Windows patches. I’ve been burned enough to think twice every time I let Windows install a hotfix for me. For countless companies around the world, patch management has become a million-dollar nightmare.
I remember the first NT4 server I ever administered. After years of unprivilege, I finally got promoted to use the Administrator login for myself. But I was still so naïve about security — my password was superman.
I remember looking at Microsoft’s list of available hotfixes and being so overwhelmed that I just put it off to deal with later. Of course, the task grew greater each month and finally got to a point where I was so far behind, it was just easier to wait until the next service pack and start over again. It turns out that that approach wasn’t too uncommon among NT administrators.
Windows 2000 was my fresh start
When Windows 2000 came out, I was determined to not let that ever happen again. I studied, dissected, tested, and tracked every new Win2k hotfix that ever came out.
One side-effect of all that study was that it made me acutely aware of all the sloppy patchwork Microsoft put out. It got so bad that I gradually lost all confidence in the system.
So, like my wife, I too began to question; I came up with a list of rules to protect myself. Even after all this time, I still don’t feel comfortable installing a patch without considering at least some of these rules.
To many people, these rules might seem extreme and somewhat paranoid, but I’m a security consultant — people pay me to be paranoid.
Rule 1: Don’t always trust what you read
Microsoft has come a long way in improving the consistency and quality of their KB articles and security bulletins.
But, at one time, this was a big problem. If a KB article said something worked or didn’t work, I simply couldn’t trust it; I had to test it out for myself. And, to my disappointment, my tests too often proved the KB article wrong, further confirming my mistrust.
Rule 2: Don’t always trust what you know
Even if you test something, that doesn’t mean it won’t change. For every security bulletin Microsoft releases, there are dozens of other security-related KB articles that go unnoticed.
For example, when Windows 2000 first came out, the order you installed hotfixes didn’t matter. Then suddenly it did. Then it didn’t, because they integrated the qchain into hotfixes, but then later it did again, at least in some cases.
You can’t assume that just because you tested something once that it will always be true, you have to test it again.
Rule 3: Don’t always trust the tools
Patch-management products are getting better than they used to be, but do you trust your tools enough to protect your business, personal privacy, and security?
Once I worked on an incident response where a large banking Web site got hacked. They couldn’t figure out how the hackers got in, and even re-ran their patch-management software to verify that all the patches were up-to-date, which it said they were.
Only after a manual review did we discover that because patching the FrontPage Server Extensions was at that time quite complicated, their product missed a patch, leaving the door wide open for the hackers.
There are dozens of patch-management products out there, and each has its own strengths and weaknesses. Some are best at product coverage and some are better at accuracy.
Unfortunately, a software company usually doesn’t advertise their weak points. No matter what product I use for managing patches on a server, occasionally I break out some other tool just for that second opinion.
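A concrete form of that second opinion, added here as an example (not Mark Burnett’s code and not any product’s): pull the installed-hotfix list from a mechanism other than the patch-management product under suspicion, here the CSV output of `wmic qfe`, and diff it against the hotfix IDs the security bulletins say should be present. The `wmic` output and the bulletin-to-hotfix baseline below are constructed sample data, and the bulletin IDs `MSXX-00n` are placeholders, not real bulletins.

```python
"""Second-opinion patch check: compare the hotfixes a Windows host reports
as installed against the hotfixes you expect, independently of what the
patch-management product says.  Added example; all data below is constructed."""

import csv
import io
from typing import Dict, Set

# Constructed sample of what `wmic qfe get HotFixID,InstalledOn /format:csv`
# prints (the leading blank line and the Node column are part of that format).
SAMPLE_WMIC_QFE = """
Node,HotFixID,InstalledOn
WEBSRV01,KB123456,3/1/2005
WEBSRV01,KB123457,3/1/2005
WEBSRV01,KB123460,3/8/2005
WEBSRV01,KB123499,3/8/2005
"""

# Constructed baseline: bulletin (placeholder IDs) -> hotfix the bulletin ships.
# In practice this list is built from the vendor bulletins for the products
# actually installed on the host, and maintained by hand or from a feed.
EXPECTED: Dict[str, str] = {
    "MSXX-001": "KB123456",
    "MSXX-002": "KB123457",
    "MSXX-003 (FrontPage Server Extensions)": "KB123458",
    "MSXX-004": "KB123460",
}


def parse_wmic_qfe(text: str) -> Set[str]:
    """Return the set of hotfix IDs in wmic's CSV output.

    Tolerates the blank lead line, extra columns, and rows with an empty ID.
    """
    reader = csv.DictReader(io.StringIO(text.strip()))
    ids: Set[str] = set()
    for row in reader:
        hotfix = (row.get("HotFixID") or "").strip().upper()
        if hotfix.startswith("KB"):
            ids.add(hotfix)
    return ids


def missing_patches(installed: Set[str], expected: Dict[str, str]) -> Dict[str, str]:
    """Bulletins whose hotfix does not appear on the host."""
    return {b: kb for b, kb in expected.items() if kb.upper() not in installed}


def unexpected_patches(installed: Set[str], expected: Dict[str, str]) -> Set[str]:
    """Installed hotfixes the baseline knows nothing about: usually harmless,
    but worth a look, since they may indicate an incomplete baseline."""
    return installed - {kb.upper() for kb in expected.values()}


if __name__ == "__main__":
    installed = parse_wmic_qfe(SAMPLE_WMIC_QFE)
    for bulletin, kb in sorted(missing_patches(installed, EXPECTED).items()):
        print(f"MISSING    {kb}  ({bulletin})")
    for kb in sorted(unexpected_patches(installed, EXPECTED)):
        print(f"UNEXPECTED {kb}  (not in baseline)")
```

The point of the design is that the installed list comes from a different source than the tool being second-guessed, so the two can disagree. A hotfix ID that never registers as a hotfix at all (the column’s FrontPage case is the kind of component where that happens) would not show up in this listing either way; for those, comparing the file versions of the affected binaries against the bulletin’s stated versions is the fallback.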
I’d say if there is any goal in patch management, it should be this: let me abandon these rules. My wife might never trust me with the car keys, but restore my trust and I’m willing to throw out these rules for good.
Mark Burnett is the author of Hacking the Code, coauthor of Microsoft Log Parser Toolkit and Stealing the Network: How to Own the Box, and an independent security consultant.
BackupFox is new Firefox profile-saver
We reported in our Mar. 10 issue the untimely demise of the MozBackup Firefox profile-saving tool. Now reader Christopher W. turns us on to a discussion on the Neowin forums regarding a recently developed utility for Firefox called BackupFox. This tool is useful when you’re upgrading Firefox and want to make sure your bookmarks and other preferences are preserved in case anything goes wrong.
At press time, the latest revision of BackupFox is "only" version 0.73, but the author is very good about quickly releasing updates for fixes and new features. Read the first post of the forum to ensure you have the latest version before installing. See: Neowin discussion of BackupFox.
Roboform tracks browser upgrades
In our Mar. 10 issue, we also published reader Les Barnes’ experiences with Roboform after upgrading to Firefox 1.0.1:
- “I used the paid version of RoboForm, so I was rather upset when the Roboform people said that they don’t make [Mozilla, Firefox, and] Netscape adapters for small browser changes.
But I did find that I could ‘force’ the installation by showing the Roboform program where the browser was located (since it couldn’t find 1.0.1) and it installed beautifully…”
Andrew Finkle, VP of Business Development at Siber Systems (the makers of RoboForm) wrote in with this response:
- “This is not entirely correct. Whenever Firefox has a new version, it “breaks” the plug-ins, such as our Mozilla adapter. So we have to re-write our adapter, and this takes time.
So it would be more correct to state that we (RoboForm) ALWAYS support Mozilla (Firefox) upgrades, however our upgrades (fixes) usually lag anywhere from a day to a week behind…”
Christopher W. will receive a gift certificate for a book, CD, or DVD of his choice for sending us a tip that we printed.
Why wait 'til you're dead to show in the Louvre?
Reuters, the New York Times, and many other news outlets reported today that a British artist who goes by the name Banksy has been hanging hilarious painted spoofs (photo, left) in New York’s Metropolitan Museum of Art and other museums around the world.
The Wooster Collective, a group named after a street in New York City, has posted what it calls exclusive photos of the artwork and how the installations were pulled off. In one case, the collective says, a piece remained on a museum wall for three days before it was discovered and taken down by officials. Reuters quotes the artist as saying he was inspired to do his pranking by his sister, who he found one day tossing out some of his pictures. When he asked why, she replied, "It’s not like they’re going to be hanging in the Louvre." He says, "I thought why wait until I’m dead." See the photos.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.