Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
The life and untimely demise of TrueCrypt
In this issue
- LANGALIST PLUS: The problem with BIOS-level passwords
- BEST PRACTICES: A visual tour of Win8's new Task Manager
- PATCH WATCH: June brings a hodgepodge of security fixes
- WACKY WEB WEEK: The cruelest months, according to Henri
- LOUNGE LIFE: Help offered you might not yet know you need
- TOP STORY: The life and untimely demise of TrueCrypt
The problem with BIOS-level passwords
BIOS-level passwords can be defeated by resetting the BIOS, but a second level of security can still keep your files safe.
Plus: Using encrypted data with 7-Zip, KVM switch weirdness, and curing a “User profile cannot be loaded” failure.
Defeating BIOS-level, pre-boot passwords
After reading the May 14 Top Story, “Better data and boot security for Windows PCs,” reader Frederick Barrow wrote this:
- “Fred: As I recall, you addressed BIOS-level passwords years ago. And at that time, I implemented one. But one day, the techie at my local PC shop said he could defeat the password by removing the on-board battery. I assume that removing the battery would reset the BIOS to default settings — sans passwords. Was he correct?”
Yes, most BIOS-controlled passwords can be bypassed by resetting the BIOS. That’s why I discussed a second type of password security in that article. Used together, the two methods are far better than either one alone.
(Note: For this story, BIOS is shorthand for both classic BIOSes and the newer Unified Extensible Firmware Interface [UEFI] system-boot firmware. UEFI PCs can be more resistant to tampering, depending on system design.)
Here are the potential issues with BIOS-based passwords.
In many PCs, the BIOS includes a small amount of RAM that’s used to store custom BIOS settings — including pre-boot passwords. This BIOS RAM needs constant electrical power to maintain its contents. When the PC is off, a small battery, typically mounted somewhere on the mainboard, provides the necessary trickle of power to keep the RAM alive.
If you — or anyone with physical access to your PC — open the case and remove the mainboard battery, the BIOS’s RAM will lose power and forget its custom settings and passwords; the BIOS will revert (or reset) back to its factory defaults.
Some PCs have a small switch on the mainboard that will reset the BIOS without removing the battery. Other PCs let you reset the BIOS via low-level software.
Bottom line: Resetting the BIOS by any of these methods will wipe out any BIOS-based, pre-boot passwords you’ve set up.
Moreover, resetting the BIOS defeats any BIOS-based hard-drive password you’ve set. And anyone can access the drive’s contents simply by physically removing the drive and attaching it to a PC that doesn’t have a BIOS-level hard-drive password enabled.
Those are the drawbacks of configuring passwords in the BIOS. But there’s an upside.
Obviously, resetting a BIOS or removing a hard drive requires direct, physical access to your PC. It also requires some time, skill, and (usually) tools to accomplish the task.
So, though BIOS-level passwords won’t stop a determined data thief, they will impede more casual snoops: nosy roommates, office busybodies, and so forth.
Assuming someone can get past your passwords, what then? The next level of defense is to encrypt sensitive files and folders. I discussed encryption techniques in the May 15 Top Story, “Better data and boot security for Windows PCs.”
Combining passwords and encryption should make your PC virtually impervious to local attacks. BIOS-level passwords will keep out all but the serious hackers; encryption will keep your files safe from almost any attack.
Accessing and editing encrypted 7-Zip files
Jeffrey Nase also had a question about the May 15 Top Story.
- “Just read Fred Langa’s article about encrypting data.
  “It seems like a lot of work to save the edited file, add it to the ZIP file, and then delete the non-zipped version.
  “I was wondering if it’s possible to open a file, edit it, and then save it directly back to the ZIP file.”
Absolutely. But the key is to access and edit encrypted files with 7-Zip’s own File Manager. Just left-click (or double-click) an archive, enter your password once, and the 7-Zip File Manager will open to reveal the contents of the archive. Leave the 7-Zip File Manager open and do your work within it.
When you access files from within the 7-Zip File Manager, the files open normally, edit normally, and save normally. In fact, files saved this way automatically inherit the compression and password settings of the original archive — no extra steps required.
The catch? Depending on how your system is set up, left-clicking an archive might not automatically bring up the 7-Zip File Manager; it could instead bring up the 7-Zip compression/encryption front end — or some other archiving program entirely.
If that’s the case with your setup, it’s easily remedied with a fresh installation of 7-Zip. Uninstall the current version and then head over to 7-zip.org. Download and install the version with the correct bitness for your PC (i.e., 64-bit 7-Zip for 64-bit systems and 32-bit 7-Zip for 32-bit systems).
Next, make sure the 7-Zip File Manager is the default app for archives. Right-click any archive, select Open with, and then select Choose default program. If the 7-Zip File Manager is offered in the list of available programs, select it. If not, navigate to the File Manager’s location and manually select it; it’s usually at C:\Program Files\7-Zip\7zFM.exe — or your setup’s equivalent location.
Once the 7-Zip File Manager is correctly installed and set as the default application to open .zip or .7z archives, a simple left-click should open your archives; you can then access, edit, and save archived files — again, all from within the 7-Zip File Manager.
Note: 7-Zip is a complex piece of software. If you need assistance, refer to the available help:
- 7-Zip’s built-in help system
- The 7-Zip Online FAQ
- 7-Zip’s technical-support forum
- SourceForge’s discussion forum
Keyboard/Video/Mouse switch doesn’t play nicely
KVM switches are devices that allow a user to control multiple local PCs with one keyboard, monitor, and mouse (Wikipedia explanation).
Reader Robert Hall has a USB-based KVM setup that’s causing him all sorts of headaches.
- “I have a Tripp Lite KVM switch that can control up to four PCs. But I’m using it for just one pair of Win7 machines. Both PCs are updated regularly.
  “One computer has no problems, but the other does; it fails to recognize the USB KVM on startup. It usually ignores either the keyboard or mouse but rarely both. Also, if I use the well-behaved system for a while and then switch to the problematic PC, the KVM fails to recognize the video monitor. The monitor acts as if it’s turned off and won’t turn back on.
  “Tripp-Lite feels these are Windows issues. Is there a fix?”
Years ago, I was a KVM switch user. I’d have adjacent PCs set up, each running a different Windows version. As I answered questions sent in by readers, I’d switch to the PC with the appropriate Windows version, and work out my reply.
But like you, Robert, I eventually found that KVM switches were sometimes more trouble than they were worth.
Now, when I need to control several physical PCs from one location remotely, I use Windows’ built-in Remote Desktop instead of a KVM switch.
Remote Desktop lets the PCs connect via network, eliminating any weirdness with USB. Plus, using the network means I can place the PCs anywhere there’s an Ethernet port or a Wi-Fi signal. I’m no longer physically tethered to a rat’s nest of keyboard, video, and mouse cables.
I’ve used Remote Desktop on all Windows versions from XP through 8.1. I sent my KVM gear to Goodwill many years ago, and I’ve never missed it.
So, my first and best suggestion to you is to try Remote Desktop. It might do everything you need with greater simplicity and reliability than your current KVM setup.
Remote Desktop varies by Windows version and edition. Here are the specifics from Microsoft:
- Remote Desktop for Windows 8
- Remote Desktop for Windows 7
- Remote Desktop for Vista
- Remote Desktop for XP
There are third-party alternatives, too. Not all versions of Windows include Remote Desktop. One excellent option is TeamViewer (free for personal use; site).
If software-based remote-control simply won’t work for you — some setups require physical rather than networked connections — you can try three other things to get your USB KVM going again:
First, to help resolve any hardware conflicts that might be causing your USB troubles, try uninstalling and then reinstalling the drivers for your PC’s USB subsystem. Then do the same for each USB device you use with your PC. Check the vendor’s site for each device to make sure all USB-related drivers are current. For more information, see the Oct. 24, 2013, LangaList Plus item, “Resolving strange hardware problems.”
Next, check out your PC’s HotPlug subsystem. If used correctly, the HotPlug subsystem can prevent several serious types of USB trouble. For more information, see the April 5, 2007, LangaList Plus column, “How to prevent and remove ‘phantom’ devices.”
If none of the above works, the likely culprit is the KVM hardware itself. You could have a bad connector or cable, a fried chip, a failing power supply, or something else.
But again, if your setup allows it, give Remote Desktop a try. If you can make the switch to software-based remote control, I bet that — like me — you won’t miss your old-school KVM setup at all!
“User profile cannot be loaded” failure
Samuel Campbell’s setup has a malfunctioning user account.
- “I tried to create a guest account (actually a Standard account) on my Windows 7 machine. While testing the account, I got this error message: ‘The User Profile Service service [sic] failed the logon. User profile cannot be loaded.’ I searched the Internet for a remedy and found several suggestions. But none worked. Can Fred come up with a remedy?”
A Windows user profile consists of not only that profile’s files and folders but also its security identifier (SID) in the Registry. The SID defines a user account’s permissions — that is, what it’s allowed to do. (For more info, see the MSDN Security Identifiers article.)
If you manually delete a User Profile in Windows Explorer (or via a del or erase command in a command window), the profile’s SID can get left behind in the Registry. The orphaned SID prevents that User Profile from loading or operating normally — if at all!
You can cure this problem by manually deleting the faulty SID. You’ll find instructions for doing so in the Microsoft Support article, “You receive a ‘The User Profile Service failed the logon’ error message”; skip down to “Method 3: Delete the error SID and create a new profile.”
If that doesn’t work, the other methods discussed on that page might help.
And, if that doesn’t work, try the fixes suggested in a related Microsoft Community thread.
For information on the Microsoft-recommended ways to create and manage User Accounts (methods that help to avoid the problem with orphaned SIDs), see the version-specific User Account Help pages for Vista, Windows 7, and Windows 8.
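One way to spot the orphaned entries described above before editing the Registry, as an added example that is not part of the original column: a read-only PowerShell check of the ProfileList key. The key path is the standard Windows location, the function names are hypothetical, and the `.bak` check goes slightly beyond the case the column describes.

```powershell
# Added example: read-only audit of user-profile SIDs. Nothing is modified.
# Works on the PowerShell 2.0 that ships with Windows 7.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidToAccount {
    # Translate a SID string to DOMAIN\user; returns $null when the account
    # no longer exists or the string is not a valid SID.
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

function Get-ProfileSidStatus {
    param([string]$KeyPath = $ProfileListKey)

    foreach ($key in Get-ChildItem -Path $KeyPath) {
        $name  = $key.PSChildName                 # e.g. S-1-5-21-...-1001 or ...-1001.bak
        $isBak = $name -like '*.bak'
        $sid   = $name -replace '\.bak$', ''

        # RegistryKey.GetValue expands %SystemDrive% and similar variables.
        $path   = $key.GetValue('ProfileImagePath')
        $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Container))

        # OrphanedSid: the Registry still lists the profile but its folder is gone,
        #              which is what happens after a manual delete in Explorer.
        # BackupKey:   Windows keeps a ".bak" copy of the key after a failed load
        #              (an extra check, not mentioned in the column).
        $status = 'OK'
        if (-not $exists) { $status = 'OrphanedSid' }
        elseif ($isBak)   { $status = 'BackupKey' }

        New-Object PSObject -Property @{
            RegistryKey  = $name
            Account      = Resolve-SidToAccount $sid
            ProfilePath  = $path
            FolderExists = $exists
            Status       = $status
        } | Select-Object Status, RegistryKey, Account, ProfilePath, FolderExists
    }
}

# Show problem entries first.
Get-ProfileSidStatus | Sort-Object Status -Descending | Format-Table -AutoSize
```

Any row marked OrphanedSid is a candidate for the Method 3 cleanup in the Microsoft article; export the key or back up the Registry before deleting anything.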
A visual tour of Win8's new Task Manager
Windows 8’s Task Manager offers more power, features, and functions than any of its predecessors.
Possibly more impressive: common tasks such as finding and terminating malfunctioning applications are easier than ever.
Almost a one-stop Windows maintenance shop
A key troubleshooting tool in Vista and Win7, Task Manager is even more useful for solving Win8 operation and performance problems. It also has a new look that’s easier to work with.
For Win8’s Task Manager, Microsoft consolidated numerous tools that are scattered throughout Vista and Win7. For example, key functions of the Management Console (MMC), the System Configuration tool (MSConfig), and the Resource Monitor (ResMon) are now at your fingertips, inside the revamped Task Manager.
Win8’s Task Manager even borrows some good ideas from third-party diagnostic tools. For instance, there’s a built-in startup analyzer that lets you see and control what’s slowing down your system-boot process.
What follows is a visual tour of the new Task Manager. If you’re running Win8, open your copy of Task Manager and work along with the examples shown below. At the end of the article, you’ll have a good sense of what’s in Task Manager and how the major pieces function.
If you’re not running Win8, the following text will give you a glimpse of what’s coming when you eventually upgrade to Win8 or its successor.
Opening the Task Manager in Windows 8
Windows typically offers multiple ways to accomplish any given task, and that’s especially the case with Win8’s Task Manager. Here are the easiest ways to access it:
- Press Ctrl + Shift + Esc.
- Press Ctrl + Alt + Delete and then select Task Manager.
- Type “task” on the Start screen and then select Task Manager when it appears in the apps list.
- On the Desktop, right-click an empty spot on the taskbar or notification area and select Task Manager from the context menu.
- Launch the Quick Link menu (Windows key + X) and select Task Manager.
However you launch it, Task Manager opens with a simple dialog box.
Starting with an ultra-simplified default screen
In its research for Windows 8, Microsoft noted that the most common use of Task Manager, by far, was ending tasks — killing hung or malfunctioning apps or processes.
So the first time you open Win8’s Task Manager, you’re presented with a simplified screen that lists your running applications. If an app is hung, the words Not responding will appear next to its name. You can then select the problematic program or process and kill it via the End task button at the bottom of the dialog box. Simple as that.

Figure 1. Win8's default Task Manager screen makes it easy to identify a hung app and terminate it with two clicks.
Note: The Win8 Task Manager no longer uses double prompts. If you click End task, there’s no following “Are you sure?” confirmation prompt. Task Manager simply does what you asked — immediately. So be careful. Terminate only those apps that refuse to close the normal way. And if at all possible, kill an app only after you’ve saved your data.
Processes: Dig deeper with the More details view
The default screen’s visual simplicity is deceptive. Task Manager’s full set of powerful tools (see Figure 2) is hidden behind the More details link at the bottom of the dialog box.

Figure 2. Win8's Task Manager groups like processes together and uses color-coded heat maps to help show what's going on.
On the left side of Task Manager’s Processes tab, the Name column lists all software currently running in Windows. They’re organized into three groups: Apps, Background Processes, and Windows Processes. (You’ll most likely need to scroll down the list to see the last group.)
The three-part grouping helps you determine what’s safest to kill or modify. In general, ending or modifying an Apps-level task won’t impart any risk to the system. (But, again, you might lose unsaved data.) On the other hand, it’s dangerous to meddle with items in the Windows Processes group — they’re part of the Windows operating system itself. Background Processes typically fall somewhere in between.
Some process names have a small expand/contract arrow to their left. This indicates a group of related items. Simply click the arrow to see what’s inside.
The Processes section also includes a four-column, color-coded heat map of the PC’s CPU, Memory, Disk, and Network subsystems.
The heat map visually groups items that are behaving similarly. The colors change according to system impact. Light colors represent light use and light system impact. Darker, redder colors indicate heavier use and greater system impact.
In the Figure 2 example, everything’s operating normally, so only a few muted colors are used. But if Task Manager detected a critical problem — say, a process was hogging 99 percent of the CPU — that item would be highlighted in dark red. This color coding makes it easy to see what’s operating normally and what needs attention.
Task Manager also will change the color of a column header if any item in that column is experiencing a critical condition. It gives you a quick way of locating a malfunctioning item, even if that item is out of sight — for example, it has scrolled off the bottom of the page.
As with previous versions of Task Manager, you can click any column’s header to sort the contents. One click sets up a descending sort; a second click sets up an ascending sort. This makes it easy to float processes and apps that are consuming the most (or least) resources to the top of the list.
Figure 3 shows the Memory column sorted so that the most memory-intensive items are listed first.

Figure 3. Each Task Manager column is sortable; just click a column's header. In this example, items are sorted by memory footprint.
Clicking the Name column heading re-sorts the list by app/process and restores the default three-part grouping — Apps, Background Processes, and Windows Processes.
Whenever it can, Task Manager uses noncryptic friendly names for apps, processes, and services. But some items will remain obscure to most Windows users. Right-click any item you wish to know more about, and a context menu will provide shortcuts to related functions, data, and other information. The context menu even includes a Search online option (see Figure 4), which feeds your default browser a preconfigured Web search for the item.

Figure 4. Task Manager's right-click context menu offers links to related functions, data, and information — including direct Web searches.
Performance: Display real-time subsystem stats
The Performance tab provides a ton of data on a PC’s CPU, memory, hard-disk, and networking subsystems.
For example, the CPU section displays processor utilization overall or for each core or logical processor. It can also show rated and actual (measured) processor speeds; real-time counts of the number of processes, threads, and handles the CPU is managing; information about the chip type; the presence and size of on-board caches; and virtualization support (see Figure 5).

Figure 5. Task Manager's details rival those provided by some add-on diagnostic tools.
The other subsystems — memory, disk, and networking — are similarly detailed. For example, the Disk section’s data includes activity level, disk transfer rate, average response time, and average read/write speeds for each disk in the system.
Networking is now broken down into network type, with separate tracking for each Ethernet and Wi-Fi adapter in your system.
If you like to keep an eye on things, you can tear off any Performance graph and leave it open as an independent, floating window. Right-click the graph you want and select Graph summary view from the context menu (Figure 6); a new, small window will appear containing just the graph you selected (Figure 7).

Figure 6. Right-click and select Graph summary view to convert a performance graph into a free-floating window for easy, ongoing monitoring.

Figure 7. The free-floating performance graph window can be resized and moved as you wish. Use the Esc key to close the window.
App history: The one dud in the bunch
Of all Task Manager tools, this is the one offering that seems rather useless.
The App history tab monitors native Metro/Modern Win8 apps — and only those apps. Classic Windows apps you typically install on the Win8 Desktop are, unfortunately, ignored. I assume this is a remnant of Microsoft’s early delusion that everyone would instantly abandon the classic desktop and live happily ever after inside the tiled universe of Modern pages and apps. Yeah, r i g h t!
Aside from that considerable omission, App history works fine. It lists all the native Win8 apps on your system (Figure 8) and displays a sortable heat map for CPU use, network time, metered network time (for those who have bandwidth caps or limits), and tile uptime (or “Total network usage for tile updates and notifications”).

Figure 8. App history displays metrics for all Metro/Modern apps on your system. It doesn't track classic desktop apps.
Startup: Manage app loading at system boot
The Startup tab is a power-user’s delight. It not only lists all the software that normally launches at Windows boot, it also tracks the impact of each item on system boot (see Figure 9).

Figure 9. The Startup tab's Startup impact column lets you easily identify which software is slowing down your boot times.
Disabling nonessential app-loading at system boot time is a time-honored way of improving system startup speed. The Startup impact column makes it easy to find those apps that have a disproportionate (High) impact on system boot and quickly remove them from the boot process.
Here’s an example:
Figure 9 shows that my system was loading the Akamai NetSession Client at system startup and that its impact was High — it took a relatively long time to load.
I vaguely remembered that the Akamai NetSession Client was some kind of download helper. I was fairly sure it didn’t need to load at boot time.
I right-clicked on the Akamai item to open its context menu and used the Search online option to learn more about this software. After reading several websites, I was confident it didn’t need to run every time I started Windows. Again using the context menu, I clicked Disable (Figure 10) so that it would load only when actually needed.

Figure 10. The right-click context menu makes it easy to disable (or enable) any given app/component from loading at system boot — or, by clicking Search online, to learn more about it.
Note: To be perfectly clear, disabling a program on the Startup tab doesn’t prevent that software from being used; it simply removes it from the startup queue. You can manually launch the software later (after startup), and in most cases it’ll load and run normally.
Figure 11 shows the result of disabling Akamai NetSession Client — it no longer has any impact on my PC’s boot time. Perfect!

Figure 11. Disabling boot-time loading of nonessential software can shorten system-startup times.
Note: It may take one or two Windows reboots for Task Manager to recalculate the effects of any changes you make.
Users: Individual user stats on multiuser PCs
The Users tab lists the accounts that are active on a system. Each User’s listing can be expanded to show all the apps that that user is currently running plus the impact of those apps on system resources. The columns are sortable and, like the other Task Manager tabs, heat-map color-coded (see Figure 12).

Figure 12. The Users tab can be useful in managing multi-user PCs but serves little purpose on a one-user system.
On single-user systems, information in the Users tab duplicates the data already available in other tabs. But if you’re running a multi-user setup, the Users tab lets you see who’s on the system and whether anyone is hogging an undue share of resources. If you have an admin-level account, you can also alter what any user is running — even terminate their apps — and disconnect connected users or force them to sign off.
Details and Services: Serious troubleshooting
The Details and Services tabs can be helpful for heavy-duty problem solving. It’s fine to explore these tabs casually, but don’t make changes there unless you know what you’re doing — and have thoroughly backed up your system!
Details (Figure 13) shows you every executable file currently running on a PC. Advanced task information includes PID (process identifier; used by software to track what’s what), User name (person or software that launched the executable), plus CPU and Memory use. A general text description helps you understand what you’re seeing. The columns are sortable, but there’s no heat-map coloring.

Figure 13. The Details tab displays data about every executable file running on a PC.
As elsewhere in the Win8 Task Manager, right-clicking any listed item brings up a context menu that lets you explore and control that item — including a Search online option to help you determine what unfamiliar items do.
The context menu lets you terminate any selected item or terminate the entire process tree associated with that item. Similarly, you can analyze and manage the item’s entire Wait chain — a way to sniff out the source of hangs and delays. (For more information on wait chains, see the June 13, 2012, Top Story, “Exploring Windows’ Administrative Tools: Part 2.” Skip down to the “Using ResMon to cure hangs and delays” section. The Win8 Task Manager’s wait-chain tools are similar to ResMon’s.)
The context menu also lets you adjust any given item’s priority (Figure 14). An advanced technique for managing software bottlenecks, it tells the system to give a selected item more or less CPU time and other system resources.

Figure 14. The Details context menu offers a wealth of expert-level troubleshooting options.
The Services tab offers similar data for every system service currently running in Windows. It lists the service, any associated process identifier, a description, status (stopped or running), and the Group to which the service belongs.
The Services tab’s right-click options include the usual Search online for more information plus the ability to start any stopped services — or to stop any running ones. Obviously, this feature deserves great caution.
Digging even deeper: Additional information
The Win8 Task Manager is hugely complex; this visual tour only scratches the surface.
If you’d like more detail, two Microsoft sources provide additional information plus insight into the reasoning behind the changes in Task Manager:
- Extreme Windows Blog: Windows 8 Task Manager in-depth
- Building Windows 8: The Windows 8 Task Manager
With this information and a little practice, the new Task Manager really can become your one-stop shop for solving PC problems and improving its performance!
June brings a hodgepodge of security fixes
June’s security updates are officially the last for Win8.1. Many of the following updates have separate patches for those who have not moved to Win8.1 Update.
Plus: There’s a new variant of the infamous CryptoLocker: CryptoWall exploits Microsoft’s Silverlight.
MS14-035 (2957689, 2963950)
June’s Internet Explorer update is a doozy
The two patches in MS14-035 fix a whopping 59 IE vulnerabilities. Two of them were publicly disclosed; the other 57 were revealed during investigations of other “in the wild” exploits. XP users should keep in mind that they won’t receive this critical update. (The patches are rated important on servers.)
Windows 8.1 machines that do not have KB 2919355 installed will receive only KB 2963950, if they’re behind a corporate patching platform — as will IE 11/Win7 systems that do not have KB 2929437, an April cumulative IE update. (Note that neither patch is offered via the Microsoft Download Center.)
Also, look for Adobe’s usual Flash Player update typically released on Microsoft’s Patch Tuesday.
What to do: Install either KB 2957689 or KB 2963950 (MS14-035) when offered.
Uninstall to protect from CryptoWall
A headline on an Internet Storm Center forums page caught my attention. It notes that even though the threat of CryptoLocker has faded, a variant called CryptoWall is alive and kicking. It’s using Flash, Java, and Microsoft’s Silverlight to sneak into computers.
Ensure you’re running Flash 14.0.0.125, just released on Tuesday, as noted in a June 10 Adobe Security Bulletin.
Exploiting Silverlight came as a surprise. Unless you’re playing Netflix movies on your PC, you probably don’t need it. I recommend uninstalling Silverlight rather than keeping it updated. Click Control Panel/Programs and Features and scroll down the list of installed applications until you find Silverlight. To my surprise, I had three versions of Silverlight, all of which looked out of date (see Figure 1).

Figure 1. Remove all unneeded versions of MS Silverlight.
What to do: Malware evolves rapidly; to protect yourself from CryptoWall, keep Flash up to date and remove Java and Silverlight if an application doesn’t require them.
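The Control Panel check above can also be scripted. This added example (not from the original column) lists every installed Silverlight, Java, and Flash Player entry from the standard Uninstall registry keys and compares Flash against the 14.0.0.125 version named in the text; the function names and the sample call at the end are constructed for illustration.

```powershell
# Added example: read-only inventory of the browser plug-ins named in the column.
# Both the native and the 32-bit-on-64-bit (WOW6432Node) Uninstall keys are
# read, because stale 32-bit copies are easy to miss.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$MinFlash = [version]'14.0.0.125'   # version given in the column

function Get-PluginAdvice {
    # Returns advice text for a plug-in entry, or $null for unrelated software.
    param([string]$DisplayName, [string]$DisplayVersion)

    if ($DisplayName -match 'Silverlight' -or $DisplayName -match '^Java\b') {
        return 'Remove unless an application requires it'
    }
    if ($DisplayName -match 'Flash Player') {
        if (-not $DisplayVersion) { return 'Check version manually' }
        try   { $v = [version]$DisplayVersion }
        catch { return 'Check version manually' }
        if ($v -lt $MinFlash) { return "Update to $MinFlash or later" }
        return 'OK'
    }
    return $null
}

function Get-InstalledPlugins {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }   # WOW6432Node is absent on 32-bit Windows
        foreach ($key in Get-ChildItem -Path $root) {
            $name = $key.GetValue('DisplayName')
            if (-not $name) { continue }
            $ver    = $key.GetValue('DisplayVersion')
            $advice = Get-PluginAdvice $name $ver
            if ($advice) {
                New-Object PSObject -Property @{
                    Name    = $name
                    Version = $ver
                    Advice  = $advice
                } | Select-Object Name, Version, Advice
            }
        }
    }
}

# Constructed sample input, to show the version comparison without touching the Registry:
Get-PluginAdvice 'Adobe Flash Player 13 ActiveX' '13.0.0.214'   # Update to 14.0.0.125 or later

# Live inventory of this PC:
Get-InstalledPlugins | Sort-Object Name | Format-Table -AutoSize
```

On Windows 8 and 8.1, the Flash Player used by Internet Explorer is part of Windows and is serviced through Windows Update, so it does not appear in this list.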
MS14-034 (2880513, 2880515)
New exploit uses malicious Word documents
A privately reported vulnerability in Office 2007 SP3 and Office Compatibility Pack SP3 could allow attackers to take remote control of PCs. The patches in MS14-034 fix a flaw in the way Word parses embedded fonts.
Keep in mind that it’s highly likely that Word 2003 is also vulnerable. But as with Windows XP, Microsoft no longer offers security updates for Office 2003 (more info).
Although Microsoft rates this update important, there’s a high probability of active attacks within the next 30 days — typically via malicious email attachments and other phishing-related attacks.
What to do: Install KB 2880513 and/or KB 2880515 (MS14-034) when offered.
MS14-036
Watch out for malicious image files
The various patches in MS14-036 fix security flaws in Windows, Office, and Lync. Attackers could use malicious graphics files to take remote control of systems.
The Windows updates are rated critical, as are the updates for MS Live Meeting 2007 console and Lync 2010 and 2013. Those for Office 2007 and 2010 are rated important.
Malicious PowerPoint files could also be used, so don’t open any shared PowerPoint files you receive in email until you’ve installed these updates. (Dad, I’m talking to you!)
What to do: See MS14-036 for the full list of patches. It’s likely there will be active attacks within the next 30 days, so install those offered as soon as possible.
MS14-033 (2939576, 2966631)
Browser attacks lead to info disclosure
The way most of us leak information is by posting it on Facebook or other social-networking sites. But a flaw in Windows could let attackers exploit Microsoft’s XML Core Services and Internet Explorer to acquire information about a computer system. That information could then be used for additional attacks.
For the exploit to work, the victim must visit a malicious webpage or open a malicious document. That sends the local path name of a downloaded file to attackers. The path name includes the user’s sign-in name.
XP users are vulnerable to this attack. Most Windows users running Vista or higher will see KB 2939576. But Win8.1 users who have not upgraded to Win8.1 Update will see KB 2966631. (Some servers will see KB 2957482.) These patches are rated low or important.
What to do: Install KB 2939576 or 2966631 if offered. See MS14-033 for more info.
MS14-030 (2965788, 2966034)
A new threat via Windows Remote Desktop
Remote Desktop is a popular tool for accessing both local and remote systems. That makes it a high-value target for hackers. A vulnerability in Windows could allow a man-in-the-middle attack during the start of a Remote Desktop connection. The attacker could then gain information from or tamper with the RDP session.
Generally, I don’t recommend that consumers use Remote Desktop to connect to their home-based systems. Long ago, there was an app called TSGrinder that would brute-force access a Windows XP RDP connection. Updates to Windows 7 removed many of these RDP weaknesses, but in a home setting, I still find it safer to use tools that don’t require Port 3389.
This update is rated important and applies to systems running Windows 7 SP1 and higher. Win8.1 users (those who have not upgraded to Win8.1 Update) will see KB 2966034.
What to do: Install KB 2965788 or KB 2966034 (MS14-030) if offered.
MS14-031 (2957189, 2961858)
TCP Protocol vulnerability could result in DoS
Impacting all Windows systems from Vista on, the patches in MS14-031 fix the Windows TCP/IP stack. A flaw in the TCP protocol could result in denial-of-service attacks. KB 2961858 is for Windows 8.1 systems that do not have KB 2919355 (Win8.1 Update) installed. Both patches are rated important.
What to do: It’s unlikely there will be widespread attacks based on this TCP vulnerability. But I recommend installing either KB 2957189 or KB 2961858 (MS14-031) when offered.
MS14-032 (2969258, 2963288)
Lync attacks can lead to data disclosures
The patches in MS14-032 fix a privately reported vulnerability in Lync Server. If a user clicks on a malicious meeting link with a valid Lync meeting ID, the attacker could then run scripts in the user’s browser and steal information from Web sessions.
This exploit is not considered an imminent threat and is rated important.
What to do: This update should not show up on Windows workstations. But if either KB 2963286 (Lync Server 2010) or KB 2963288 (Lync Servers 2013) is offered, install the update as soon as possible. See MS14-032 for more info.
2919355
An update for some failed Win8.1 Update installs
As has been widely reported, after June’s Patch Tuesday, Microsoft will no longer release security updates for customers who’ve stayed on Windows 8.1 or who could not get Win8.1 Update installed. However, Redmond has released an update that might provide some help for those who have run into trouble with KB 2919355.
As discussed in an MS Community forum thread, some Win8.1 users who tried to install KB 2919355 received the message Error: 0x80073712 and the install failed. But on June 10, Microsoft released KB 2969339 to fix an underlying problem with the installation process. It apparently helped at least one Win8.1 user.
For those who have successfully updated to Win8.1 Update, Microsoft has released several patches to fix problems caused by KB 2919355. They include:
- KB 2962409 – Fixes several post-update issues.
- KB 2966804 – Fixes a problem whereby Bluetooth, USB, or PCI devices freeze the system.
- KB 2966870 – Clears up compatibility problems with certain motherboards that result in BSoDs.
What to do: I am still tracking unresolved installation issues with KB 2919355. If you’re one of the unlucky, Microsoft wants you to go to MS Support (site). And please let me know how your interaction with Microsoft went, using the Windows Secrets Lounge link below.
A couple of Windows-patching oddities
Some PatchManagement.org listserv posts note two patching glitches that 32-bit Win7 users might see. One or more patch installs fail with a 0x80070308 error code. Fortunately, these problematic updates install completely on the second try.
Some folks installing IE 9 and 10 patches report that a privacy-statement tab displays when the browser is restarted after updating. It’s not an ad, but it is unexpected. In my test, installing June’s IE update made an IE 9 privacy statement pop up on IE 10.
What to do: These Patch Tuesday glitches reinforce the old adage, “If at first you don’t succeed, try again.” In the case of the failed Win7 updates, simply try installing the updates a second time; in the case of IE, just close the tab.
Nonsecurity updates to put on hold
June’s nonsecurity updates include the following:
MS Office stability and performance updates:
- KB 982726 – Office 2010 Junk Email Filter
- KB 2760587 – Outlook 2013 Junk Email Filter
- KB 2850074 – Lync 2013
- KB 2878313 – Office 2013
- KB 2880457 – Office 2013; email subject display when switching to Thai language
- KB 2880458 – OneNote 2013; issues with large print jobs
- KB 2880524 – Office 2010; table properties error when tracking changes in Word
- KB 2880529 – Word 2010
- KB 2880991 – Office 2013; lexical improvements
- KB 2881000 – PowerPoint 2013
- KB 2881005 – MS Word 2013; mistranslated words
- KB 2881014 – MS Excel 2013; crash when accessing cached copy
- KB 2881018 – OneDrive for Business
- KB 2881027 – Office Web Apps
- KB 2881035 – Office 2013
- KB 2881065 – Outlook 2007; Junk Email Filter
Other MS application fixes and updates:
- KB 2850073 – SharePoint Enterprise Server 2013; copy/paste data display in KPI report
- KB 2878322 – Microsoft Visio 2013; improved visuals
- KB 2880516 – SharePoint Server 2010
- KB 2880988 – MS SharePoint Enterprise Server 2013; lexical improvements
What to do: As usual, I recommend installing approved security updates immediately and coming back to the nonsecurity fixes in a week or two.
Regularly updated problem-patch chart
This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about a month after they appear. Status changes are highlighted in bold.
For Microsoft’s list of recently released patches, go to the MS Security TechCenter page. See our “Windows Secrets master Patch Watch chart” post for a more extensive list of recent updates.
Patch | Released | Description | Status |
---|---|---|---|
2862973 | 02-11 | MD5 deprecation; skip on workstations, optional for admins | Skip |
2934207 | 03-11 | XP end-of-support warning | Skip |
2862330 | 01-14 | Reissued kernel fix; ongoing USB issues | Hold |
2871997 | 05-13 | Enhancements to Local Security Authority | Optional |
2952664 | 05-13 | Migration compatibility | Optional |
2919355 | 04-08 | Windows 8.1 Update; May 13 deadline to install | Install |
2922229 | 04-08 | Windows file handling | Install |
2936068 | 04-08 | Cumulative IE patch; also, KB 2929437 for IE 11 for Win7 | Install |
2949660 | 04-08 | Word zero-day; see MS14-017 for complete list. | Install |
2950145 | 04-08 | Publisher; KB 2817565 (2007) and KB 2878299 (2003) | Install |
2926765 | 05-13 | Windows Shell; also KB 2962123 | Install |
2928120 | 05-13 | Group Policies preferences; for admins, also KB 2961899 | Install |
2933826 | 05-13 | Windows Server; also KB 2962073 | Install |
2952166 | 05-13 | SharePoint (for admins); see MS14-022 for complete list. | Install |
2953522 | 05-13 | Internet Explorer; also KB 2961851 | Install |
2958732 | 05-13 | .NET; see MS14-026 for complete list. | Install |
2961033 | 05-13 | Common controls; basic workstations; see MS14-024 for complete list. | Install |
2961037 | 05-13 | MS Office; KBs 2767772, 2878284, 2880463, 2878316; see MS14-023. | Install |
2939576 | 06-10 | XML Core Services; KB 2966631 for Win8.1 | Install |
2957189 | 06-10 | TCP Protocol; KB 2961858 for Win8.1 | Install |
2957689 | 06-10 | Internet Explorer; KB 2963950 for Win8.1 | Install |
2965788 | 06-10 | Remote Desktop; KB 2966034 for Win8.1 | Install |
2967487 | 06-10 | MS Graphic Component; see MS14-036 for full list. | Install |
2969258 | 06-10 | MS Lync; KBs 2969258, 2963288; see MS14-032. | Install |
2969261 | 06-10 | Word; KBs 2880513 and 2880515; see MS14-034. | Install |
Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.
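One way to compare a PC's installed updates with the chart above, as an added PowerShell example that is not part of the original newsletter. The function name Get-PatchWatchReport and the sample list of installed updates are assumptions made for illustration; only the chart's Windows rows are included, because Get-HotFix does not report Office updates.

```powershell
# Rows copied from the chart above (Windows components only). Get-HotFix does not
# list MSI-based Office, Lync or SharePoint updates, so those rows are left out.
# Alt is the KB the chart names for Win8.1 systems without Win8.1 Update.
$Chart = @(
    @{ Patch = '2862973'; Alt = '';        Status = 'Skip';    Desc = 'MD5 deprecation' }
    @{ Patch = '2934207'; Alt = '';        Status = 'Skip';    Desc = 'XP end-of-support warning' }
    @{ Patch = '2862330'; Alt = '';        Status = 'Hold';    Desc = 'Reissued kernel fix' }
    @{ Patch = '2939576'; Alt = '2966631'; Status = 'Install'; Desc = 'XML Core Services' }
    @{ Patch = '2957189'; Alt = '2961858'; Status = 'Install'; Desc = 'TCP Protocol' }
    @{ Patch = '2957689'; Alt = '2963950'; Status = 'Install'; Desc = 'Internet Explorer' }
    @{ Patch = '2965788'; Alt = '2966034'; Status = 'Install'; Desc = 'Remote Desktop' }
)

# Hypothetical helper: one output row per chart row, with the action the chart implies.
function Get-PatchWatchReport {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Chart,
        # Installed ids such as 'KB2939576'; defaults to what this machine reports.
        [string[]] $InstalledIds = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    foreach ($row in $Chart) {
        # A row is satisfied by either its main KB or its Win8.1 alternate.
        $ids   = @($row.Patch, $row.Alt | Where-Object { $_ } | ForEach-Object { "KB$_" })
        $found = @($ids | Where-Object { $InstalledIds -contains $_ })
        $action = switch ($row.Status) {
            'Install' { if ($found.Count -gt 0) { 'OK' } else { 'Install if offered' } }
            'Hold'    { if ($found.Count -gt 0) { 'Review: installed, chart says Hold' } else { 'OK' } }
            'Skip'    { if ($found.Count -gt 0) { 'Note: installed, chart says Skip' } else { 'OK' } }
        }
        New-Object PSObject -Property @{
            Patch       = $ids -join ' / '
            Status      = $row.Status
            Installed   = $found -join ', '
            Action      = $action
            Description = $row.Desc
        } | Select-Object Patch, Status, Installed, Action, Description
    }
}

# Constructed sample: a Win8.1 PC that took two June patches and the Hold patch.
$sampleInstalled = 'KB2966631', 'KB2957189', 'KB2862330'
Get-PatchWatchReport -Chart $Chart -InstalledIds $sampleInstalled | Format-Table -AutoSize

# To audit the local machine instead, omit -InstalledIds:
# Get-PatchWatchReport -Chart $Chart | Format-Table -AutoSize
```

A row reported as "Install if offered" may simply not apply to that Windows version, so treat it as a prompt to check Windows Update rather than as proof of a missing patch.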
The cruelest months, according to Henri
From time to time, we revisit Henri, the feline philosopher, to hear what’s been annoying him lately. He’s no fonder of the White Imbecile than he’s ever been, but this spring Henri finds his housemate’s catnip-fiend existence tragic. Do we hear Henri expressing sympathy? Maybe not. Henri notes other indignities to which domestic cats are prey. Perhaps Henri feels solidarity after all. You be the judge. Click below or go to the original YouTube video.
Post your thoughts about this story in the WS Columns forum.
Help offered you might not yet know you need
Lounge member Protopia recently analyzed the difficulties he’d experienced with DNS lookup errors as he browsed the Web.
And then he set out his findings and solutions in an admirably clear step-by-step procedure in the General Windows forum. Other Lounge members have been thanking Protopia for the offering. You might, too.
The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:
The life and untimely demise of TrueCrypt
The developers of TrueCrypt, a once highly respected, open-source encryption application, have apparently folded their tents and disappeared.
Left behind are questions and paranoia — and a message that users should migrate to other encryption platforms.
Leading the way to public data encryption
TrueCrypt was first released back in 2004 — well before most other mass-market encryption platforms became mainstream, and certainly long before we became aware that the U.S. National Security Agency (NSA) was trying to tinker with these security apps for its own ends. It was built and has been maintained by an anonymous group of developers known simply as the TrueCrypt team. According to Wikipedia, the TrueCrypt moniker is “registered in the Czech Republic under the name ‘David Tesařík.’”
TrueCrypt’s developers based their new encryption software on E4M (Encryption for the Masses) — code that was, according to a February 2004 usenet thread, stolen from security company SecurStar by ex-employee and E4M author Paul Le Roux. That dispute effectively shut down TrueCrypt distribution for several months.
TrueCrypt 2.0 was released in June 2004 and updated off and on until 2012. But then there were no new releases the following two years — a fact noted by several Windows Secrets readers who expressed concern that their favorite encryption software did not officially support Windows 8 or 8.1; nor did it support computers equipped with a Unified Extensible Firmware Interface BIOS. These enhancements were reportedly promised but never delivered.
One of the fundamental concepts of open-source software is that it can be audited for security flaws by any competent developer — not just by its authors. With millions of active TrueCrypt users, there was, not surprisingly, growing concern over the software’s lack of updates and the resulting possibility of new vulnerabilities.
That led to the creation of the not-for-profit Open Crypto Audit Project (OCAP; site), tasked primarily to conduct an external security audit of TrueCrypt’s code. The project would be funded via crowdsourcing, and various programming and security experts would volunteer their time.
Last April 14, OCAP completed its Phase I Audit Report (PDF download). The report found relatively minor problems with TrueCrypt’s code but no evidence of back doors or malicious code. OCAP reportedly will begin a Phase II audit this month.
TrueCrypt’s run comes to an unexpected end
May 28 brought shocking news for all current and would-be TrueCrypt users. A “new” Version 7.2 was released, along with an announcement that the project had been discontinued. Those going to the truecrypt.org site are now redirected to a SourceForge download page, where they’ll find a blazing announcement that TrueCrypt might contain unfixed security issues and is thus not secure (see Figure 1).

Figure 1. Visitors to truecrypt.org are redirected to a SourceForge page that displays this warning.
The site recommends that Windows and Apple users migrate their encrypted data to native-OS applications (Microsoft’s BitLocker in the case of Windows users). It advises Linux users to “Use any integrated support for encryption. Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.”
Rumors were soon flying that the site was a hoax or had been hacked. There was also speculation that it was an elaborate form of warrant canary (more info), a security device used to inform your clients that you’ve been served with a law-enforcement warrant. These warrants may specify that those served can’t notify anyone else. The warrant canary is a sort of inverse notification: you regularly inform your customers, typically via a posting on your website, that you’ve not been served. Removing the notification tells all interested parties that you have been served.
However, in the case of TrueCrypt, none of these theories made sense — or was in any way supported by the facts. SourceForge, a highly respected software download site, found no signs of tampering. And no one has taken credit for creating a hoax page. The SourceForge notification also didn’t act like a warrant canary.
In fact, the only real consequence of the notification was to destroy trust in an application millions have relied on for years to secure their data. In the days following the announcement, numerous sources contacted the elusive TrueCrypt Team members for clarification. The response simply confirmed what had been posted on SourceForge: there would be no further development of TrueCrypt — the project had effectively been shut down and abandoned.
Is ‘In open-source we trust’ a myth?
I was among the many TrueCrypt users who became concerned about the lack of updates. Malware evolves rapidly, and security software must always stay a step ahead of it. That TrueCrypt’s developers were unknown made me only more uncomfortable.
Also, TrueCrypt was completely free; it had no obvious revenue stream to buttress its long-term development and support — a fact especially worrisome for business applications. Software is rarely free; it might be “free for personal use” and supported by paid business versions, or it could be a sideline hobby for its author. But with a sophisticated product such as TrueCrypt, those tasked with maintaining it ultimately have to keep food on the table.
If you think about it, it’s a mystery that we gave TrueCrypt such an extraordinary level of trust. Again, it had dubious legal foundations, its developers were unknown, and its support was primarily relegated to forums that are now missing. Those forums included person-to-person, cryptologic information that might be lost forever.
Moreover, we’ve often been told that we can trust open-source software. “Many eyes make all bugs shallow” is a saying that, in theory, embodies the advantages of open-source development. But TrueCrypt’s demise, along with the other recent open-source security implosion — OpenSSL — suggests that our trust in the open-source process can be misplaced; there might not be those “many eyes” at work.
For example, in the case of OpenSSL, it was basically one person authoring and another reviewing the code. As Brad Kovach points out in his blog, we build much of the Web on open-source software, often relying on volunteers to build and secure the code. As Blanche DuBois declares in A Streetcar Named Desire, “I have always depended on the kindness of strangers.” I’m doubtful that’s the best policy for software such as TrueCrypt — or for Internet security.
There’s even debate whether TrueCrypt qualifies as open-source. There are basically two ways to develop, release, and support software. The source code for the commercial software you purchase is typically closed; its structure is never publicly released. The obvious example is Windows and most other software Microsoft sells. We use the software, but we don’t know exactly how it’s built. (What we know is usually revealed by coders who have reverse-engineered the code.)
Open-source software should be completely transparent. For a specific open-source project — variations of Linux, for example — each developer posts his code to the project servers so that another developer can modify it to make it better. That developer then posts his changes back to the project servers, where other developers can build on that foundation. According to the Open Source Initiative (site), a specific license must be attached to any open-source software release — typically under the GPL v2 or GPL v3 licenses.
Reportedly, TrueCrypt never included a standard open-source license. Its code was never thoroughly audited until now. And yet we trusted it to encrypt and secure our systems. Why? In large part because it was free and it worked. (Despite repeated attempts, TrueCrypt was never publicly cracked.) Effectively, its huge number of users became both the product testers and marketers. Windows Secrets contributors have, on occasion, discussed and recommended TrueCrypt.
I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.
Protecting our sensitive data in the future
As a first step toward protecting sensitive data, you should follow the posted advice to “Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.” Fellow Windows Secrets contributor Lincoln Spector is working on a follow-up article about replacement encryption software. And Fred Langa wrote about using 7-Zip to protect critical files in his May 15 Top Story, “Better data and boot security for Windows PCs.”
But the product at the top of my short list is BitLocker. It’s included with Windows 8 and 8.1 plus the Business and Ultimate versions of Windows 7. I’ve also used Symantec Encryption Desktop Professional (site), a product that doesn’t require all systems to have TPM chips (more info). Unfortunately, Symantec’s product starts at U.S. $215, and neither solution is cross-platform (Mac and Linux).
As reported on the Gibson Research site, TrueCrypt isn’t destined for the grave. There are just too many TrueCrypt supporters. The Linux Foundation and the Open Crypto Audit Project announced that they’ll bring back TrueCrypt in a process called “forking the code.” The new authors will restructure the software, provide a new license, and eventually release the product under a new name.
My recommendation to current TrueCrypt users? Don’t panic! But also don’t deploy any new versions of TrueCrypt; simply maintain what you have. Based on the OCAP audit, TrueCrypt does not have any back doors and still provides secure encryption that can’t be easily cracked.
By “easily,” I mean that the password can’t be stolen from your machine’s memory when the system is turned off. With most encryption software (including BitLocker), a user’s private encryption key can be extracted from RAM if the machine is running or in sleep mode, as noted in a Feb. 7, 2013, Top Story, “Legitimate app breaks popular encryption systems.” But in order to do this, the attacker must be physically present, and chances are your system is owned already.
That said, I’ll return to my main point. Should we trust any free software from unknown sources? Free is rarely “free.” As noted above, it might be supported by paid business editions, advertising, unwanted software downloads, or limited support. In the case of TrueCrypt, it appears the price was paid with a lack of long-term support and planning.
Vendor-proofing your personal-computing system
The virtual death of TrueCrypt is echoed by the recent closing of cloud-storage service Norton Zone. As reported in a Techday story, Symantec is giving Norton Zone customers 60 days to move files out of the service. The report states, “After August 6, 2014, all files and related data, like file names, will be permanently deleted from the service, and neither the users nor Symantec will be able to access them.” The files you trusted to that service could be in limbo while you scramble to move data to other local or cloud locations.
As discussed in a recent Network World story, you need to plan for the possibility that your cloud-storage vendor will shut down.
The TrueCrypt saga highlights the importance of having a Plan B for all our important computing services. For example, if your business has its website with a hosting service, what will you do if that service fails? You need to keep a list of alternative vendors and a plan to migrate your data quickly, if needed.
Also, review the health of any company you depend on. Is it sufficiently funded for longevity? The lack of TrueCrypt releases over two years should have been a warning that something was amiss. It’s a lesson for us all, and one we should apply to all software and services we rely on.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
