Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Questions arise on PC World tests
In this issue
- TOP STORY: Questions arise on PC World tests
- OVER THE HORIZON: PowerPoint is still a big security risk
- PATCH WATCH: Install MS06-040 to avoid the Next Big One
- HOT TIPS: MS software leads to new headaches
- PERIMETER SCAN: The report from Black Hat and Defcon
- WOODY'S WINDOWS: The best ways to surf anonymously
Questions arise on PC World tests
By Brian Livingston
A sweeping review of 10 security suites published in a major computer magazine last month featured some very unlikely rankings for this crucial category of products. After examining the evidence, I’ve found that some material facts were omitted from the article, rendering its ratings useless.
The cover of the July 2006 PC World Magazine promised a review of security suites that would give readers “total protection against spyware, hackers & spam.” Inside the magazine, a lengthy article summarized extensive test results by AV-Test.org, a respected antivirus research group based in Magdeburg, Germany. The magazine’s product rankings, however, seemed inexplicable.
When good software ratings go bad
I reported on July 27 that CNET had given its Editors’ Choice award in a June 4 review of security suites to Zone Alarm Security Suite (ZASS). PC Magazine’s Editors’ Choice went to the same product in a June 13 article. But PC World’s ratings, which were first posted online in May, dropped ZASS to 6th place out of 10 products reviewed. The magazine’s top honors went to Symantec Norton Internet Security 2006. I promised in my previous article to find out why and report the answer to you today.
I have no love of any hardware or software vendor. If a product drops from being top-rated to merely mediocre, I’ll say so in my Security Baseline section, below, or my Reviews Overviews, which I update online.
PC World’s ratings, however, are so puzzling that I immediately suspected something was wrong. After looking at some of the raw data, I believe AV-Test did provide PC World with accurate figures on the security suites that the German lab tested. Essential tests, however, were left out. The errors fall into three broad categories:
1. The review ignored behavior-based protection. Behavior-based protection, which stops suspicious activity, was left out of the tests. Signature-based virus scanning is declining in effectiveness, but at this point only a few of today’s security suites include behavior-based protection. This crucial feature, which could represent a huge difference in malware detection, was simply left out of PC World’s scoring.
2. The review omitted complete leak-test results. Leak tests rate a security suite’s abilities to prevent malware that somehow sneaks into your PC from successfully sending your personal data to a remote server. AV-Test’s findings revealed widely divergent scores for the tested suites. But the results for most vendors were left out of PC World’s ratings.
3. The review turned off some suite features. Integrated security suites should be tested with all features turned on. PC World, however, chose to disable some capabilities in order to run tests aimed at other capabilities.
Consumer Reports backs up CNET and PC Mag
The well-regarded U.S. product-testing magazine, Consumer Reports, hit the newsstands last week with its own ratings of PC security programs. The lab’s testing separately rated the antivirus, antispyware, and antispam programs available from each vendor. In addition, the magazine contracted with security experts to generate 5,500 original virus variants to test behavior-based protection. CR also monitored how quickly the companies released updated signatures in real time over a period of weeks as new threats emerged on the Net.
Zone Alarm Security Suite received Consumer Reports’ Quick Picks award — the magazine’s version of Editors’ Choice — for “the best all-around protection.” Perhaps because it’s well known that security suites haven’t yet mastered the latest spyware, CR also gave Quick Picks awards to Webroot Spy Sweeper and PC Tools Spyware Doctor in the antispyware category (with the free Spybot as a complement).
These ratings make sense. They dovetail with CNET and PC Magazine’s latest findings, both in the rankings and the award winners. Besides PC Magazine’s Editors’ Choice for the Zone Alarm Security Suite, for example, Editors’ Choice awards also went to Webroot and PC Tools in the magazine’s latest, July 2006 reviews of antispyware apps.
To be sure, it’s not unusual for magazines to differ in their ratings of computer products. For one thing, PC World’s tests were conducted in April using ZASS version 6.0 and the then-current versions of competing products. The other publications’ latest awards are based on the newer ZASS 6.5.
But when a category is as important as security suites, and when one magazine’s rankings deviate so much with no logical basis, I look for a reason.
I found the answer in personal interviews with principals at AV-Test, Symantec, McAfee, and Zone Labs. To solicit comments, I provided AV-Test and PC World with draft copies of this story. I then participated in a telephone conference call with PC World editor-in-chief Harry McCracken, test center director Ulrike Diehlmann, and senior associate editor Narasu Rebbapragada.
The review ignored behavior-based protection
Near the middle of PC World’s July 2006 article, I found a few sentences that related to nothing else in PC World’s review:
- “AV-Test.org found that Panda TruPrevent will block up to 90 percent of network and e-mail worms and that Zone Labs’ OSFirewall will stop up to 70 percent of network and e-mail worms.”
Panda TruPrevent and Zone Labs OSFirewall are terms for behavior-based protection. But there’s nothing in PC World’s ratings about the relatively high success rate of this new technique.
Behavior blocking isn’t a panacea. But when combined with traditional signature scanning it’s a major enhancement. It should hardly be ignored. (Behavior-based protection should not be confused with heuristics, a technique that looks for suspicious patterns in executable code. See TechTarget’s Apr. 12 article on antivirus trends.)
I arranged an interview with Andreas Marx, co-manager of AV-Test.org. I was one of the first American journalists to write about this university-based antivirus research group in my Executive Tech column back on Feb. 23, 2004. At that time, the lab’s ratings of antivirus programs were being used by German publications, but its work wasn’t yet widely reported by U.S. magazines.
Explaining the value of behavior blocking to stop new malware variations, Marx told me by telephone:
- “We’re seeing at least 200 to 300 new variants a day. The malware writers are using optimizations … They’re not only doing the modifications, they’re also creating several variants. This can’t be detected any more by virus scanners without antivirus [signature] updates. …
“Only ZoneAlarm and Panda have behavior-based solutions that block malware by its bad behavior. That kind of advanced protection is not just relying on traditional signature-based solutions but also mechanisms to protect the user against unknown malware as well.
“Most of the other companies — like Symantec, McAfee, F-Secure, Trend Micro — they will include such behavior-based solutions in their software as well in two to three months, as soon as the new 2007 editions come out.”
The three PC World editors provided me with a set of written comments after our conference call. On the subject of why behavior blocking was not included in the magazine’s scores, the editors say:
- “We agree that behavior-based protection is becoming increasingly instrumental in fighting zero-day threats, for which no signature-based patch is yet available. Eventually PC World security reviews will thoroughly test a product’s behavior-based protection. During the testing period for this particular story, however, we were not able to test behavior-based protection in a manner that was fair, defensible, and repeatable during our testing window for the story, which was well before the July 2006 publication date. Rather than conduct unsatisfactory tests, we chose to focus on features included in all programs.
“We make clear in the story that behavior-based protection was not included in our testing and that it could have an impact on overall results. Later in the process we were able to get some top-level statistics on Panda’s TruPrevent and Zone Labs OS Firewall, two behavior-based technologies. We included that information in the story.”
In my opinion, inserting a sentence about the results of behavior blocking doesn’t make up for the omission of these tests from the ratings. The whole point of a security suite is its integration of many kinds of protection. Ignoring behavior blocking is like tying one arm behind a baseball player’s back and then complaining that his batting average has gone down.
The review omitted complete leak-test results
Another omission involves leak tests. Let’s say that a Trojan horse somehow manages to install itself on your PC. A leak test determines how many little critters are able to defeat a security suite and slip your data out to a hacker’s server.
PC World’s Rebbapragada, the author of the piece, mentioned the leak-test scores in just a single paragraph near the end of her article:
- “Zone Labs’ firewall was again 100 percent successful, passing all 17 leak tests, with Microsoft’s in second place, passing 7 tests. The other products earned very low scores, and Panda’s passed none of the leak tests. … [Panda] says that it doesn’t optimize its software for leak tests, instead relying on its TruProtect behavior-based technology to decide whether a piece of code is malicious.”
This paragraph indicates that all of the products (except for one) failed more than 50% of the tests. So just how bad are those "very low scores"?
Table 1, below, shows the percentage of leak tests that each security suite passed, according to raw data sent to me by AV-Test. Most of the products passed only one or two of the 17 tests. Aside from the single paragraph cited above, none of this was mentioned in PC World.
Table 1. Percentage of 17 leak tests passed by security software. Higher numbers are better. Source: AV-Test.org
PC World’s editors say:
- “Our evaluation of security suite firewalls included seven tests for blocking malware already on the system (inside attacks) and four tests for blocking malware outside the system (outside attacks). Leak tests represented one of the seven inside attack tests. While we felt it was worthwhile to include leak test results as a portion of our overall rating, we chose not to weight it heavily or to report on these tests in detail. Leak tests are standardized, publicly available tests for which companies can optimize their firewalls. We believe that AV-Test.org’s other inside attack tests were most representative of a product’s ability to fight real-world malware.”
The magazine published a paragraph making it sound rather important that one product passed 100% of the leak tests while another product passed none. But now we’re told that these tests are not very important. Perhaps Panda Software is correct in saying that having behavior-based protection is better than passing leak tests.
Unfortunately, there’s no way a reader could know, based on the information in PC World’s article.
The review turned off some suite features
The third concern about PC World’s ranking of security suites is the magazine’s practice of turning off some features during testing. This is intended to allow the magazine to use existing tests that are specific to adware, spyware, virus detection, and the like.
But does testing one security component while other components are turned off actually reflect the real-world performance of an integrated suite?
Vendors are increasingly combining all of their individual security products into a single, integrated package. Representatives of Symantec, the company that won PC World’s Best Buy award, explained to me how two separate software components can strengthen each other when brought together into a single product.
“The firewall might detect some activity independently,” said Kraig Lane, Symantec’s group product manager of consumer Internet security products. “Then it can say that the antivirus [component] should quarantine some file.” In other words, each component can use the strengths of the others.
Providers of security suites say they want real-world testing. McAfee’s suite did extremely well in PC World’s ranking, receiving almost the same overall scoring as Symantec. (The two suites were rated 83 and 84 points, respectively, out of a possible 100.) Even having received such a high rating from PC World, McAfee’s director of product management, Marc Solomon, expressed concerns about testing new products with older routines.
“I’d really like to know how they tested this, to see if they turned off the antivirus in order to test the firewall,” Solomon said in a telephone interview.
PC World’s editors tell me:
- “PC World’s philosophy in testing security suites is to test the strength of individual components of that suite and then combine the results in an overall PCW Rating. To run some of these component tests, it is sometimes necessary to disable a product’s malware detection capabilities in order to get the malware samples onto the test PC. In some cases, this involves altering default settings.
“However, this approach tests several scenarios that exist in the real world, including situations in which the malware is already on a PC before the software is installed and ones in which a user has, for whatever reason, turned off detection features. In either of these scenarios, a user may need to use one component of a security suite to rid a PC of malware even if another component of the suite might have been able to detect it.”
As far as I can tell, most PC users don’t turn off individual components of their security software, hoping that they’re still protected. People want to know which software will make them the safest — overall — if all of its components are left on. This is the kind of real-world testing that’s meaningful to users.
Moving toward 100% protection, all the time
Today’s worms and rootkits can be difficult or impossible for Windows users to remove. Once the devious little critters have snuck into a system, they can be devilishly hard to detect and eradicate.
For this reason, it’s important for security suites to be installed before a PC is set up and exposed to the Internet. Gateway computers, for example, now ship with a 90-day free version of McAfee Internet Security Suite automatically enabled. In my opinion, most such vendors’ annual subscription fees to continue the protection are reasonable.
The question is, How much protection does the best security suite provide? Users want to know how often a real-world threat can slip through the automatically updated armor of these suites. (Every six days? Every six months? Almost never?)
For his part, AV-Test’s Marx says he’s satisfied with PC World’s article. In an e-mail after reading a draft of this story, he noted:
- “Security suites are integrated products with many features, like virus scanning and personal firewall protection. For example, in case of ZoneAlarm, the firewall was top-class, but the virus detection was rather poor, so they lost some points here. Even then, the ranking was still ‘Good,’ as it’s a good product, so the rating is perfectly fine. (Maybe it should even be mentioned that ZoneAlarm confirmed the problems we have seen in their antivirus product. We have also supplied the missed viruses, worms and bots to them, so they can add detection for them with the next few updates — and they did! So we were even helping to improve their product, as well as all others.)
“1. Again, the behaviour-based features of all 10 products were reviewed, but only two of them actually included something we could test. Almost all 2007 products will include behaviour-based warnings, so we can review it in more detail than now.
“2. Leak tests: The prevention of firewall leaks is just one of many different tests we have performed. We attacked the firewall against a set of inside and outside attacks, against real malware. Leak tests are (as the name is saying) special test programs which are not reflecting the real-world protection in a proper way. As I said, the protection against real-world threats is much more important and this was included in the ranking with much higher weights, as the user wants to be protected against keyloggers, backdoors and bots/zombies (real-world malware!) and not necessarily against leak tests. Leak tests are harmless, but malware is not harmless.
“3. We tested both the on-demand scanner protection and the protection by the real-time/on-access virus guard. In order to check the guard, we need to access malware in some way (e.g. by copying files or double-clicking on it) and see if it’s blocked or not blocked. This test was included in this review — and some products performed not so well here, but this is included in detail at the Web page. In addition to this, we have also tested the on-demand scanner as a separate feature. In order to test the on-demand scanner, you need to switch off the real-time protection mechanisms, as you want to test the scanner, not the guard. So the test was simply split into two parts which have to be tested separately and independently from each other.”
As I’ve said before, I don’t operate my own test lab and I can’t afford to buy extensive outside testing. What I can do is analyze the tests that are published by bigger organizations that have the necessary funding. I then synthesize the results for you.
PC World has a reputation for excellence in its technical material. Disclosure: I myself was once a contributing editor, writing a monthly column for the magazine for a couple of years in the 1990s. The publication’s quality has steadily improved since then, in my opinion. But mistakes can hurt a publication, even if most of its work is solid.
I request that PC World retract its ratings of security suites. This topic is important enough to warrant spending the money to write up a new set of real-world tests.
In our conference call, PC World editor-in-chief McCracken told me, “We won’t retract that. We feel we made the right decisions.” He also said, however, “I think you will see us do behavior-based testing in the next few months.”
The online version of the security-suite review is posted at PC World’s site. For details on Marx’s antivirus testing group, visit AV-Test.
Readers, I leave it up to you at this point. I welcome your expertise on how security suites should be tested — and whose tests you find to be the most dependable.
Many subscribers have asked me whether installing separate programs to handle firewall, virus, spam, and spyware duties wouldn’t be superior to installing an integrated security suite. That’s certainly true for large enterprises. Corporations with IT staff capable of evaluating these programs will always put together their own layers of protection.
Many home users and small businesses, however, don’t have this luxury. They need to run one or two products that they can understand. Security vendors — and the test labs that review their products — will inevitably concentrate more and more on integrated suites to meet this demand.
My hope is that all the competing suites will improve enough that their detection of malware becomes virtually foolproof. Then these products can compete over which one is easiest to use, has excellent customer support, and is affordably priced. We won’t know when that day has come, however, unless the major test labs convince us that their methods reflect real-world protection.
To send us more information about security suites, or to send us a tip on any other subject, visit the WindowsSecrets.com contact page. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
PowerPoint is still a big security risk
By Chris Mosby
Even with a barrage of patches coming out from Microsoft this month, computer users are still vulnerable to exploits of PowerPoint. Microsoft did make an effort to address flaws that are actively being exploited, but left others unpatched that could be exploited later.
PowerPoint still has big, exploitable flaw
I was kind of shocked to find that Microsoft patched a specific flaw in a component to Office that was getting a lot of attention, but then left unpatched another flaw that’s just as severe in that same component. The only difference between them was that one was being exploited, and another wasn’t. Is this a “squeaky wheel gets the grease” kind of thing?
With the release of MS06-048 (922968) on Aug. 8, Microsoft plugged one hole in mso.dll. This is the DLL file that’s exploitable if a user happens to open an infected PowerPoint file. But an equally serious hole in the same DLL remains vulnerable.
This flaw is caused by undisclosed memory-corruption errors when opening, closing, or saving a presentation file under certain conditions. A hacker who gets you to open such a file would be able to run infected code on your system. This is similar to the workings of Trojan.PPDropper.B, a virus described by Symantec.
What to do: Since the details of this flaw haven’t been disclosed, there isn’t any real workaround for this vulnerability until Microsoft produces a patch.
I would suggest, as always, to never open any e-mail attachment from anyone unless you are expecting to receive it. That’s especially true of PowerPoint data files since proof-of-concept code for this flaw has already been released. These files could possibly have .ppt, .pot, or .pps extensions, based on the extensions described on Microsoft’s PowerPoint Viewer 2003 download page.
More info: CVE-2006-3655, SecurityFocus, FrSIRT, ISS, Secunia
Flaw in powerpnt.exe causes unknown impact
Vulnerabilities like this one really worry me. Information on this flaw, unfortunately, is really sketchy.
All I’ve seen on the different security sites is that there is an “unspecified vulnerability in powerpnt.exe that has an unknown impact.” Though some sites list this flaw in association with others that I’m covering in the column this month, it may very well turn out to be a separate vulnerability after more research has been done.
From what little knowledge is available, it’s possible that a hacker could exploit this flaw to run infected code, cause a denial-of-service condition, or possibly take over a user’s machine. That’s bad, any way you look at it.
What to do: To me this is a pretty easy decision: don’t use PowerPoint until this flaw is fixed, whatever the flaw may end up being. I realize that’s not very practical advice for heavy .ppt users.
More info: CVE-2006-3660, SecurityFocus, FrSIRT, ISS, Secunia
Closing PowerPoint files corrupts memory
Here’s yet another "unspecified" flaw in PowerPoint — but this time it comes from closing an exploited PowerPoint file. You heard that right, closing a file, not opening it.
This unspecified memory corruption could allow a hacker to run infected code on a computer by first tricking a user to open and then close an exploited PowerPoint file. Just amazing, isn’t it?
What to do: Well, if you don’t open any unsolicited PowerPoint files, or even use PowerPoint in the first place, you certainly can’t close an infected PowerPoint file, either. I’d suggest Sun’s OpenOffice at this point, as I have in previous newsletters, but Ars Technica reported last month that the French Ministry of Defense found it to be even less secure than Microsoft Office. I find that claim really hard to believe, especially from what I’ve seen this month, but I haven’t been able to verify the validity of this either way.
The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.
Install MS06-040 to avoid the Next Big One
By Susan Bradley
I feel like telling everyone to print out today’s Windows Secrets Newsletter and read it while you’re deploying this month’s patches. Not only do we have a busy patch month, but the very first patch has many in the industry thinking that we might see a full-scale, MSBLAST-like incident again.
MS06-040 (921883)
Top priority: install the 921883 Patch
Our first patch of August, MS06-040, could potentially turn this summer into a repeat of 2003. You may recall that MSBLAST that year created havoc on the Internet in less than a month. (For those who need a refresher on this infamous vulnerability, my SBSLinks Web site charts the worm, which hit the Web only 26 days after Microsoft released MS03-026.)
This year, the flaw is equally bad but the problem is much worse. Exploit code is already out on the Web. US-CERT, the government computer warning entity, indicates on its site that the exploit has already been used in targeted attacks on specific companies.
The Server service that’s involved, which is also reachable through RPC, is heavily used in both corporate and home networks. Basic file and printer sharing depends on this process. Even if you have an external firewall that will keep port scans out, once this critter gets inside your network it will potentially run wild.
When I began to do my initial patch testing on a server and a workstation, I was surprised to see an additional warning from Microsoft in bright red type. This very much highlights the urgency of this patch. You can see in Figure 1 the warning displayed in Microsoft Update for Windows XP. Figure 2 displays the warning for Windows Server 2003.
Figure 1: The red warning to install MS06-040 on Windows XP.
Figure 2: The red warning on Windows Server 2003.
If you’re running Windows 2000, due to its weaker security platform, I would make installing this patch even more of a priority. While industry pundits like Dave Aitel are predicting that Windows 2000 will be an easy target, Windows 2003 and XP SP2 are expected to become targets as well.
I feel like I’m selling Ginzu knives on a late-night ad because I’m shouting, "But, wait! There’s more!" As reported on the MSRC blog, this patch does not close another issue with the same server service. We patched this service last month with MS06-035 (917158). Right after this patch, several batches of code came out that were thought to prove the vulnerability. Instead, they were new exploits for a denial-of-service on this server service.
What to do: Place a high priority on getting this patch on your systems earlier rather than later. It’s that important. But be ready to patch this service again, possibly as soon as next month.
How to deal with August’s ‘Dirty Dozen’
I’m going to take a slightly different tack this month and not bore you with the intricate details of the rest of this week’s 11 patches. These patch the usual suspects: Windows, Office, and our ever-present Internet Explorer rollup.
Instead, I’ll give you an enhanced version of a rundown posted by my friend Alun Jones, a fellow security MVP. I’ve given you my "patch now" diatribe above for the most crucial patch — MS06-040 — but Alun’s recap of all 12 is concise and to the point.
I’m going to take the list and add whatever we know to date about each of these patches. With so many, I’m sure you’re doing exactly what I was doing earlier — glazing over a bit after delving through the pages of documentation.
So, without further ado, here’s my “Dirty Dozen” for the month:
- MS06-040 (921884). I covered this in detail up above, but let’s do it again here. What else can be said — PATCH! Having an external firewall is obviously the best overall way to protect yourself. But the lessons of past vulnerabilities have taught us that we cannot depend on keeping the good guys in and the bad guys out. Patch! The sooner the better. Got that?
- MS06-041 (920683). We all use DNS or Domain Name Resolution to get around the Web. Your DNS server may be provided by your ISP. You can’t control when your ISP patches this hole, so you do your part and patch it in Windows yourself.
- MS06-042 (918899). This is a usual Internet Explorer patch fixing the usual problems. It has the usual caveats at KB 918899. Warning: Some customized Web applications are being affected by this month’s rollup — apparently XP SP1 and Peoplesoft applications are involved, as reported by Incidents.org. If you’re not touched by that, then install this patch, even if you use a different browser than IE.
- MS06-043 (920214). This patches Outlook Express. So yes, I agree with Alun, you really only need to patch it if you use Outlook Express. But since you are installing all the rest anyway, what’s one more? Patch.
- MS06-044 (917088). Are you supporting any Windows 2000 machines? No? Congratulations, you get to skip this one. For anyone with Windows 2000, this security hole is tied into Internet Explorer. Patch.
- MS06-045 (921398). Do you think you can kick back on this Windows Explorer patch because this one is just rated "Important"? Think again. These days, "specially crafted Web pages" can mean anything from a page on Myspace to banner ads offered up on a normal-looking Web site. Mere surfing can be dangerous. Patch.
- MS06-046 (922616). HTML Help is installed all over your machine. Patch, but keep reading. We have more patches to get through.
- MS06-047 (921645). Many years ago, I took a class in Basic in college. No, VBA isn’t quite the same thing, but this patch fixes the underlying macro coding language in Office applications. Do you have MS-Office suites older than Office 2003? Patch.
- MS06-048 (922968). This patches PowerPoint against malformed files. Even if you don’t use PowerPoint, an infected .ppt file might somehow get onto your system, so you should install this patch. You never know when such a file might be e-mailed to you. Patch.
- MS06-049 (920958). In Windows Server, there’s a way to have multiple users share one server and have it act like their personal desktop. This is called Terminal Services. This patch is probably most important to install on Windows 2000 servers that act like desktops for multiple users. With this exploit, a single user can take control of the rest of the machine, and as Alun says, we don’t trust our users, now do we?
- MS06-050 (920670). We’re almost done, the end is in sight. Hyperlinks. If I was in a really nasty mood, I could craft a malicious hyperlink myself to prove to you that you need to patch. But I’m way too busy deploying patches this month — and too pooped after reading all the security bulletin documentation. So just take my word on this that you are at risk and should patch, OK?
- MS06-051 (917422). Congratulations — you made it to the end! The last patch of this month nearly had my hopes up. This is a two-part patch. The first part primarily affects Windows 2000. You need to be a valid user on the system to exploit this flaw. In the second part of the patch, however, we’re back to those malicious Web sites being the key element. Remember, class, what I’ve said about malicious Web sites these days? They can actually be a perfectly ordinary Web site that happens to have banner ads which the site owner has no control over. Don’t rely on safe surfing to be your only means of protection.
So there you have it. Twelve patches, mostly impacting Windows 2000, but Windows XP and Windows 2003 are still affected in some cases as well.
Hopefully, my somewhat jaded, network-admin view of Patch Tuesday this month will reinforce two things: (1) For many of us, there isn’t a good way to mitigate, therefore we must patch. (2) These days, so-called malicious Web pages can be the very next page you surf to. You can’t be assured that you’ll know what one looks like when you see it. Your next click can take you to a bad site. Protect yourself by patching quickly.
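As an added example (not from the newsletter or from Microsoft), the following PowerShell script audits a machine against the Windows bulletins in the list above, using the KB numbers given there (MS06-040 is KB921883). It assumes PowerShell 2.0 or later, where the Get-HotFix cmdlet is available, and that the patches were installed through Windows Update or WSUS so they show up in the hotfix list.

```powershell
# Added example: report which of the August 2006 Windows bulletins are
# missing from this machine. Assumes PowerShell 2.0+ (Get-HotFix).
# KB numbers come from the bulletin list in the column above.

# Windows bulletins tracked by Get-HotFix. The two Office bulletins
# (MS06-047 KB921645, MS06-048 KB922968) are Office updates, not Windows
# hotfixes, so they do not appear here and must be checked via Office Update.
$windowsBulletins = @{
    'MS06-040' = 'KB921883'   # Server service: install this one first
    'MS06-041' = 'KB920683'   # DNS client
    'MS06-042' = 'KB918899'   # Internet Explorer cumulative rollup
    'MS06-043' = 'KB920214'   # Outlook Express
    'MS06-044' = 'KB917088'   # Windows 2000 only
    'MS06-045' = 'KB921398'   # Windows Explorer
    'MS06-046' = 'KB922616'   # HTML Help
    'MS06-049' = 'KB920958'   # Windows 2000 kernel / Terminal Services hosts
    'MS06-050' = 'KB920670'   # Hyperlink Object Library
    'MS06-051' = 'KB917422'   # Windows kernel, two-part fix
}

# Read the installed hotfix list once and index it by KB ID.
$installed = @{}
Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.HotFixID) { $installed[$_.HotFixID.ToUpper()] = $_ }
}

$missing = @()
foreach ($bulletin in ($windowsBulletins.Keys | Sort-Object)) {
    $kb = $windowsBulletins[$bulletin]
    if ($installed.ContainsKey($kb)) {
        $when = $installed[$kb].InstalledOn
        Write-Output ('{0} ({1}): installed {2}' -f $bulletin, $kb, $when)
    } else {
        Write-Output ('{0} ({1}): MISSING' -f $bulletin, $kb)
        $missing += $bulletin
    }
}

# MS06-040 is the priority patch in the column, so flag it on its own.
if ($missing -contains 'MS06-040') {
    Write-Warning 'MS06-040 (KB921883) is not installed. Patch this one first.'
}

if ($missing.Count -eq 0) {
    Write-Output 'All listed August 2006 Windows bulletins are present.'
} else {
    Write-Output ('{0} bulletin(s) missing: {1}' -f $missing.Count, ($missing -join ', '))
}
```

A MISSING line for MS06-044 or MS06-049 on a Windows XP or 2003 machine is expected, since those bulletins target Windows 2000; compare each result against the bulletin’s affected-software list before treating it as a gap.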
The priorities for patching Apple OS
Lest we feel that it’s only us Windows folks with a heavy patch month, you’ll be glad to know Mac guys got their fair share of patching to do this month. Incidents.org lists the links and recaps the critical ones this month. But you can also read the original info on the Apple Web site. There’s a mixture of vulnerabilities in file sharing and images you need to fix.
Wireless drivers need updates
Typically, I just sit at my desk deploying patches. This next patch, however, meant that I had to go track down some roaming machines and manually update their Intel wireless network drivers.
My Acer Tablet PC has a built-in Intel Centrino wireless network card. These cards need a security update in the driver, as described by Incidents.org. Merely turning on the button that enables wireless could leave me vulnerable to an attack, if I’m not patched.
When I went to update my tablet, I found that I could only load the driver portion of the software. I couldn’t load up the entire wireless package, because the Intel software would not work on my OEM Acer tablet. In fact, the package conflicts with the native wireless controls provided by Windows XP.
To work around this, when installing the update package from Intel, select only the driver update and deselect the wireless installer package from Intel. All you need is the driver. You don’t need the extra GUI interface from Intel, which didn’t work on my tablet and in fact broke my wireless access.
The exploit that’s fixed by the Wi-Fi update looks similar to the MacBook exploit that was demonstrated at the annual BlackHat Briefings hacker convention. The demo was done on video because they didn’t want to reveal details of how potentially damaging this attack could be, according to Brian Krebs.
To determine if you have such an Intel wireless device, check out Jesper Johansson’s blog.
Correction — upgrade to Flash 9.0.16.0
Several on-the-ball readers pointed out that I said on July 27 you need to update Macromedia Flash to 8.0.24.0. What I meant to say was that you need to update all versions prior to and including this version. Thus you should update to 9.0.16.0. Thanks for those who are obviously patching more than just Windows. Jon Chorney and Joe Kelly will receive gift certificates for a book, CD, or DVD of their choice for sending in the correct information.
SBS 2003 R2 released, recalled, patched
For those anticipating the next version of Small Business Server 2003, which will include Windows Server Software Services, the wait is going to be a bit longer. The product was recalled, as reported by ZDnet. The software is not quite final and must be re-released.
For those beta testers and partners who happened to get copies of the original R2 release, there has already been a patch deployed on Microsoft Update to fix the issue. KB 923432 has been released and is discussed on Stephen Van Roeckel’s blog. Those who are affected do have fully functioning machines, even without this patch. They just don’t have the final core patches.
If you use Firefox, patch it, too!
Normally, we just say, “Use an alternative browser like Firefox or Opera to avoid the security issues of Internet Explorer.” But you may know that H.D. Moore, a security researcher, published in July the so-called Month of Browser Bugs. This once-a-day series of little-known security flaws was predominantly focused on IE, but Moore also revealed a few bugs in other browsers. So it’s wise for you to ensure that, no matter what Web browser you use, it’s the most patched version you can get. For Firefox, that means 1.5.0.6, which was released on Aug. 2.
A final word
Just a reminder — as always — if you have issues with security patches and you’re in the U.S. or Canada, call 1-866-PC-SAFETY to report them. In other countries, check for your local contact numbers on Microsoft’s support Web site.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
MS software leads to new headaches
By Brian Livingston
As though we didn’t have enough to worry about with viruses and worms, my readers are reporting all kinds of trouble with the IE7 beta, Windows Update, and Microsoft’s little-known dumprep.exe program. I’ll show you how to get over these and other software gotchas in the tips below.
Don’t install the IE7 beta on crucial PCs
I’m getting reports of readers who’ve had major disasters because they’ve installed the beta of Internet Explorer 7 on their usual workstations. A reader named Vivian writes:
- “I am a subscriber who enjoys your Windows Secrets Newsletter tremendously.
“I am writing to warn everybody that if you decided to download Internet Explorer Beta, you had better have a backup system that can fully restore you from a hosed computer.
“Since my experience with Office Beta 2007 had been fine, I made the erroneous assumption of assuming that IE would be OK. Boy, was I wrong.
“Not only did IE fail to install, I was unable to reinstall IE6 to the point that it would work. I could have worked around that, but unfortunately, whatever happened also destroyed files and programs, as I couldn’t open some of them. Also, when I would try to download programs that might possibly be helpful, I was forbidden from installing them.
“Because Microsoft is the only company that won’t let you install an older version of software than what is on your computer, my options were pretty bad. I wasn’t allowed to install IE6 from Microsoft’s site and I couldn’t reinstall IE 6 from my Windows CD.
“To make a long story short, I tried the repair option without stopping to think that I had an OEM copy of Windows XP and didn’t have my code. Long story on that issue, which I won’t bore you with. Anyway, I had to buy another copy of Windows XP Home and reinstall it.
“I am not one to bash Microsoft for who they are. But I feel they bear a major part of the responsibility for what happened. I will take the blame for downloading beta software, but if this software was only beta and thus experimental, why was that the only option I had, since I already had Windows XP Home SP2 installed? Come on, you don’t offer an unstable beta software as your only option to a certain group of customers.
“Also, every time I go to Microsoft’s site, that IE7 Beta Software is being advertised like it is the real deal. Most software companies will advertise beta testing on their forums, but you won’t see it on their Web site. That is crazy.
“This type of experience will make me strongly look at Macs the next time I have to buy a computer.
“Yes, I had a backup of data files, even though they weren’t as recent as I would like. But I will be searching for image backup software in case, God forbid, something like this happens again.
“Anyway, please alert the other readers to be very careful with this product.”
Another cautionary tale comes from reader David Rubin:
- “I am using Explorer7, the edition with the tabs. On Friday I, along with many others, received an update notice for the McAfee SecurityCenter with the Internet Watch software. Now I cannot access any on-line email programs; I have no virus protection; I cannot remove the software because McAfee puts a piece of software in the interface and that window is blank; System Restore has also been disabled.
“Finally, a home user cannot get in touch with them during the weekends. I have been monitoring the McAfee Web board, but apparently that facility is just for insiders. Help!”
If you absolutely must install the IE7 beta, I strongly recommend that you read up in advance on the problems you may encounter and how to work around them. One good reference is MVP Sandi Hardmeier’s unofficial known issues page. This lists 11 steps you should take when installing the IE7 beta and provides 18 separate workarounds for specific problems.
I myself am running a beta of Windows Vista (so I can write Windows Vista Secrets, to be published in Q1 2007), but I bought a separate machine to run it on, which is somewhat isolated from my regular 5-user Windows Server 2003 network.
Finally, it’s been widely reported that Microsoft will install the gold version of IE 7.0 automatically to users’ machines via Automatic Updates. This will cause all kinds of problems, but IE 6.0 has so many security issues that IE 7.0 may be worth the hassles. Still, you should be aware that the download is coming, probably in October. I’ll have a complete story on the download at that time.
To learn more about this, see WhatPC’s story, the official IE blog post on the subject, and Microsoft’s announcement of a toolkit you can use to disable the auto-download of IE7.
My thanks to reader Robert Miranda for his research on this topic.
MBSA is another alternative to Windows Update
I reported several comments from readers in the July 27 newsletter about alternatives to the Windows Update downloader, which installs the controversial Windows Genuine Advantage program. Reader Paul Yelk tells us his experience using another method — the Microsoft Baseline Security Analyzer:
- “I have never seen this addressed and think that, with all the stuff that’s lately been going on with WU, this should be considered!
“I have never used WU! Why? Because I do not like things happening without my knowledge! Although this is a home computer, I monitor everything it does so that when it crashes, I generally know why and can fix it (I’m a 25-plus year computer technician!).
“The program I use is Microsoft Baseline Security Analyzer, now at version 2.0. This program does not automatically download anything. It simply connects to Microsoft and compares what updates Microsoft has issued against the Microsoft programs you have on your computer (primarily the OS, Office, IIS, and SQL applications). When MBSA has completed the scan of your computer (it can also scan computers on a network!), it presents you with a detailed description of what is scanned, the results, and how to fix any programs it found! If there are any missing updates, it provides links to those downloads!
“This has been my primary ‘update checker’ for numerous years and has given me very good results without the WU hassles!
“Although this program is on the Microsoft Web site in their TechNet section, it does not require an advanced knowledge to use. It uses a very simple ‘point and click’ interface that is very familiar to all Windows users by now!
“I think you should review this excellent program and make recommendations for its use and a viable alternative to the WU fiasco!”
Many companies have used MBSA for years, and it’s a valuable program no matter what size your network may be (if you don’t mind running a separate app like this to get updates).
Norton, OneCare, et al., force auto-updates on
I’m collecting a little list of applications that "protect" you by turning on Automatic Updates — sometimes with no warning to you. I wrote in the May 25 newsletter about Norton Internet Security doing this, but now there’s more information. Reader Chris Adamson writes:
- “If users of Norton Internet Security follow your advice and turn off Automatic Updates, they will suffer an annoyance courtesy of the ‘Norton Protection Center.’ This component of NIS is supposed to monitor your system configuration and warn you when there are security holes that can be closed up. Unfortunately, it expects Automatic Updates to be turned on and set to ‘automatic.’
“When Automatic Updates is turned off, Norton will display a flashing red ‘X’ in the Norton Status Window every time you log on. The Norton Status Window is either on the taskbar or in the Tray, depending on how your options are set. The flashing stops a minute or so after login, but the red ‘X’ remains. If you keep Automatic Updates set to ‘Notify Only,’ you get a slightly less distracting yellow exclamation point in place of the red "X".
“To disable this distraction, you must disable the Norton Protection Center service. The Protection Center does not have a configuration option to ignore Automatic Update settings.
“To disable the Norton Protection Center service, click Start, Run and type services.msc. Locate the Norton Protection Center Service. Double-click the service name. In the Properties dialog box, on the General tab, change Startup Type to Disabled. Close all programs and reboot.
“Doing this will also prevent you from accidentally re-enabling Automatic Updates. Norton considers anything other than the Automatic setting to be ‘in need of attention.’ If you open the Norton Status Window and check the option to ‘fix now,’ it will reconfigure Automatic Updates, enabling the Automatic setting.”
Microsoft is saying, "We’ll change your settings for you, too," with its Windows OneCare service. Reader Eli Kaminsky writes:
- “In regard to your well-taken objections to Windows Update, you may be interested to know that Windows OneCare always shows that the computer is unhealthy if fully automatic Windows Updates is not turned on. Of course, when the indicator shows that the computer is unhealthy, you cannot tell whether that is a false alarm triggered by not having turned on Windows Update, or there is really a danger to the computer. That kind of pressure is reprehensible.
“You can’t avoid it by turning on notification of updates or even by turning on the downloading of updates to be installed at the user’s convenience. Nothing less than full automatism will satisfy Windows OneCare.”
Please do send me reports of other apps that are changing your Automatic Updates settings without your knowledge or without giving you the ability to configure this behavior.
New Spy Sweeper may slow performance
Webroot Spy Sweeper has become the most-recommended antispyware program in numerous test lab rankings, as reported each issue in our Security Baseline section, above. But it’s not perfect, as reader Gerald Lightsey writes:
- “I think you have been high on Spy Sweeper. A couple of weeks ago, as a registered Spy Sweeper customer, they offered an upgrade to version 5. After the upgrade I found that my PC was frequently locking up.
“Using msconfig to selectively remove items that were activated at start-up, I isolated it to Spy Sweeper in the system tray. Tech Support at Webroot tells me that Spy Sweeper version 5 minimum system requirements have been increased from 128MB of RAM to 256MB. I have 512MB RAM. I asked them what they are doing on my PC that degrades its performance so frequently and they tell me they are checking for bad stuff even when not scanning.
“I have asked for and received instructions about how to revert to version 4.5, which I plan to do, and I will be looking for a replacement for Spy Sweeper when my subscription runs out.
“I think you should know that Webroot has made a choice to degrade the performance of their customer’s computer that’s as bad as or worse than the spyware their product was purchased to prevent. This looks like a fatal company decision on their part that you should warn your followers about.”
Another reader, Mike Reynolds, sent in an e-mail he received from Webroot tech support that seems to correct some performance issues. The e-mail reads, in full, "Please open Spy Sweeper, click on Shields, click the Windows System tab. Here, uncheck the Keylogger shield at the bottom. This should return the performance level to your computer but in no way diminishes the functionality of Spy Sweeper." The e-mail then provides a toll-free number for users in the U.S. and Canada: 1-866-612-4227, 7:00 a.m. to 6:00 p.m. Mountain Time.
Ever since Spy Sweeper was added to the Security Baseline several months ago, I personally have installed it on my SBM network and run its scan on my machines every day. But I don’t have deep technical knowledge of it, so I can’t answer any support questions.
Disable dumprep.exe to stop 100% CPU usage
I printed a reader’s comment in the July 27 newsletter saying the dumprep.exe program in ZoneAlarm occasionally goes wild and consumes 100% of your CPU time. This program is actually a feature of Windows and is trying to prepare a memory dump report to send to Microsoft when an application hangs.
Reader David Kaplan notes that you should simply disable the useless dumprep.exe rather than deal with any conflicts it may have with ZoneAlarm:
- “Regarding the problem with ZA and dumprep, I found at Eddie on Everything how to disable dumprep, and then leave ZA alone. A much easier process.”
The procedure at Eddie’s simply involves a documented dialog box in My Computer. No editing of the Registry is required. I’ve already made this change on my personal workstation, because I was periodically seeing dumprep.exe go nuts myself. If this happens to you, press Ctrl+Alt+Delete, start the Task Manager, find dumprep.exe and click the button to kill the process. Disabling the dumb thing is a lot better.
The readers named above will receive gift certificates for a book, CD, or DVD of their choice for being the first to send me tips that I printed. Thanks for your support, and keep sending in your findings!
The report from Black Hat and Defcon
By Ryan Russell
I just got back from my annual trip to Las Vegas to attend the Black Hat Briefings and Defcon conferences. This is my tenth year in a row for both. In this relatively small amount of space, I can’t possibly cover everything that went on. So I’ll stick to the topics that I think are of the most interest to Windows Secrets readers.
You can get hacked via wireless drivers
In my June 29 column, I mentioned that researchers claimed to have discovered a way to attack computers via buggy Wi-Fi drivers. It’s true.
I attended in Vegas a talk given by David Maynor and "johnny cache." (If you really care about johnny’s real name, several of the articles about the talk name him.) The presentation consisted in large part of a new technique for fingerprinting what wireless chipset a computer is using — and, in some cases, even what driver software revision. If you plan to attack a Wi-Fi driver, you need to know which attack flavor to send, of course. Then they showed a video of David remotely breaking into a MacBook running OS X.
Why a video? Because if they had done a live demo of the attack, then every one of us in the audience with a wireless packet-capture program running would then have a copy of the exploit. And the patch hasn’t been released by the vendor yet.
I have no doubt at all that David and johnny are telling the truth. David has been doing this kind of thing for years and has no reason whatsoever to lie about it. He has quite a bit of reputation to lose, if he did. Still, some key pundits in the Mac community are being highly skeptical, for some reason.
Listen, the problem is real. It can affect any platform. I’ll boldly predict vulnerabilities in this area for most platforms in the short-term future. Here’s a FreeBSD example from US-CERT.
One possible exception might be OpenBSD, which builds its own wireless drivers and refuses to accept binary drivers from vendors. They’re pretty fanatical about code quality. It’s certainly not impossible that they might make a mistake, but they’ve got a darn good track record.
And Windows? Intel, for example, has just released a set of security patches for some of its Centrino and PROSet wireless chipsets. You can read about it in an eWeek article. Interesting timing, though David said during his talk that it wasn’t because of them. Maybe Intel was just being proactive because of the upcoming talk, and went looking themselves. If so, then good for them.
Intel’s security bulletins indicate that remote code execution is possible. There are some practical challenges with detecting vulnerable driver versions and deploying fixes. Please see the patchmanagement mailing list (which I help moderate) if you’d like to see some of the discussion.
More evidence of virtual machine rootkits
I mentioned in my July 13 column that there was going to be a presentation on a new rootkit technique, involving the use of the new hardware virtualization support in recent AMD chips. In fact, there were two presentations on that topic, one for Intel chips and one for AMD chips.
The talk I had mentioned before, given by Joanna Rutkowska, was the AMD one. She showed a video of her hypervisor being loaded on top of Vista, and how it could not be detected by certain means, etc.
She claimed to show a video, because the AMD chips that support this so far are desktop chips, and she didn’t want to lug a desktop machine to the conference.
Her talk had some interesting technical bits. For one, she went the extra mile and implemented virtualizing the virtualizer. Meaning, what if her stealth hypervisor is in place, and you try to load your own? She has implemented support for loading a slave hypervisor that is actually under the control of hers. Slick.
My favorite part, though, was her technique for loading an unsigned driver in Vista. According to Microsoft, they will not allow you to load unsigned kernel drivers in the 64-bit versions of Vista, even if you’re the machine administrator. The current beta versions have a mechanism for doing so, but that is supposed to go away when the OS ships.
Her technique involves (1) requesting lots of RAM, thereby forcing the kernel to page out as much of itself as possible, (2) using raw disk access, which is permitted for the administrator, to go through the pagefile and find a certain rarely-used function in the null.sys driver, (3) modifying the driver on disk in the pagefile and then calling that function, forcing it to load, and (4) executing the modified version loaded from the pagefile. What does the loaded bit of code do? It disables, in the kernel, the requirement for drivers to be signed.
Keep an eye out for my future Vista hardening article, which will cover things like disabling paging of kernel code.
Joanna says she has no plans to release her code, but the ideas she presented were clear enough for anyone who codes in that area.
A fairly similar talk used Intel’s VT flavor of the same kind of hardware virtualization support. This one was presented by Dino Dai Zovi from Matasano. His version was somewhat less polished. He also has no plans to release it, but says that he lifted much of his code from XEN, which is open source. So if any budding virtualization or rootkit coders want help, they’ll just look there.
I could go on about rootkits. There was an entire track this year solely on rootkits, six talks worth. But I’ll leave it at that for now. Suffice it to say that I still hold my opinion that the kernel is the next big battleground.
More cross-site scripting worms?
Briefly, the last topic I want to pass along is a talk given by Dan Moniz and HD Moore. Yes, the HD Moore that did the Month of Browser Bugs, as discussed last issue. It seems that those cross-site scripting (XSS) bugs that are so common on many sites may be more dangerous than previously thought.
For example, that cool AJAX stuff that the Web 2.0 sites use for interactivity? Basically, you can exploit an XSS hole to inject a JavaScript program into someone’s browser. This program can use AJAX-like features to post copies of itself back to similar sites, again via XSS holes. And since it’s running in your browser, it uses your login credentials.
That’s not good.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
The best ways to surf anonymously
By Woody Leonhard
"You have zero privacy anyway. Get over it." Scott McNealy, chairman of Sun Microsystems, uttered those infamous words in 1999. Incredibly smart people have been working overtime since then to prove him wrong.
The sad state of your privacy
If McNealy told me the sky was blue, I’d run outside to check. But the sad fact is that our privacy, that of Americans in particular, has taken many body blows in the past five years. Led by the Patriot Act, and bolstered by the ECPA and FISA Acts, U.S. government surveillance has reached unprecedented heights. In January, the Electronic Frontier Foundation filed a class-action suit alleging that AT&T has illegally opened its enormous communication logs to the National Security Agency for data mining. It’s getting worse.
Outside the U.S., the current state of privacy remains a mixed bag. Telecom Italia is mired in a wiretapping scandal. Yahoo! has come under a great deal of fire for providing information to security authorities in the People’s Republic of China, helping to convict Shi Tao, a Chinese journalist. Virtually every corner of the (virtual) globe has experienced assaults recently on individuals’ Internet privacy.
And at work? Fuhgeddaboutit. You have no privacy at work. Your company can do just about anything to its computers — install keyloggers, use packet sniffers, read Web-access reports. It’s fair game now.
What about you can be tracked
Every time you visit a Web site, you give it your IP address. There’s nothing you can do about it; that’s the way the Web works. If you have a dial-up Internet connection, your IP address changes every time you dial up. If you have a permanent Internet connection, your IP address rarely, if ever, changes. With more and more people getting broadband, permanent connections are rapidly becoming the norm, and IP addresses are fast becoming uniquely identifiable.
Even dial-up IP addresses can be traced, if your Internet service provider can be cajoled or coerced into providing their access logs.
Privacy concerns aren’t limited to leaving the return address of your connection. For example, a site might plant a cookie on your computer. This will identify your computer whenever it returns to the site, even if you connect your laptop at a different Internet café or in a different country. When you surf to a site, you leave traces all over the place. Unless you’re using a secure (https) Web page, everything you do gets transmitted “in the clear,” much like a postcard going through the mail.
It’s a jungle out there.
Selecting the best ‘anonymizing’ service
People who are concerned about their Web surfing privacy should consider using Web anonymizing sites. (Note: the term "Anonymizer" is trademarked by The Anonymizer Inc., the owners of the eponymous product as well as the Anonymizer.com site.)
The basic idea is straightforward: you log on to the anonymizing site. You tell the anonymizing site which Web page you want to visit. The anonymizing site goes out to the Web site you requested, retrieves the page, and sends it back to you. That way, your only interaction is with the anonymizing site: you don’t actually go to the "forbidden" site. The anonymizing site, acting as a proxy server, does it for you. If the Web site plants a cookie, it’s discarded by the anonymizing site.
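The proxy-style anonymizing site just described, as an added example (not code from any of the services named in this column): the client asks the proxy for a page via an assumed `?url=` parameter, the proxy fetches it with its own identity, discards client-identifying request headers, and throws away any cookie the remote site tries to plant. The header lists are assumptions chosen to illustrate the idea; link rewriting, which real services do so that later clicks also go through the proxy, is left out.

```python
"""Minimal anonymizing proxy (illustrative, not any real service's code)."""
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Request headers that would reveal the client to the remote site. Host is
# dropped too: urllib sets the correct Host for the upstream request itself.
# (Assumed list for this example.)
CLIENT_IDENTIFYING = {"cookie", "referer", "user-agent", "x-forwarded-for",
                      "via", "authorization", "host"}
# Response headers that let the remote site mark the client for later visits.
TRACKING_RESPONSE = {"set-cookie", "set-cookie2"}
# Hop-by-hop headers that must never be relayed between two connections.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "content-length"}
ALLOWED_SCHEMES = {"http", "https"}


def sanitize_request_headers(headers):
    """Keep only headers that are safe to forward upstream (case-insensitive)."""
    return {k: v for k, v in headers.items()
            if k.lower() not in CLIENT_IDENTIFYING}


def sanitize_response_headers(headers):
    """Drop cookie-setting and hop-by-hop headers before relaying a response.

    `headers` is a list of (name, value) pairs as returned by getheaders().
    """
    return [(k, v) for k, v in headers
            if k.lower() not in TRACKING_RESPONSE | HOP_BY_HOP]


def target_from_query(path):
    """Extract and validate the ?url= parameter of a proxy request.

    Only absolute http(s) URLs are accepted, so the proxy cannot be pointed
    at local files or other schemes. A target containing '&' must be
    URL-encoded by the client, as with any query parameter.
    """
    query = parse_qs(urlparse(path).query)
    target = query.get("url", [None])[0]
    if not target:
        raise ValueError("missing url parameter")
    parsed = urlparse(target)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError("only absolute http(s) URLs are proxied")
    return target


class AnonymizingHandler(BaseHTTPRequestHandler):
    """Fetches the requested page on the client's behalf and relays it."""

    def do_GET(self):
        try:
            target = target_from_query(self.path)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        # The remote site only ever sees the proxy's address and headers.
        upstream_headers = sanitize_request_headers(dict(self.headers))
        request = urllib.request.Request(target, headers=upstream_headers)
        try:
            with urllib.request.urlopen(request, timeout=10) as resp:
                body = resp.read()
                relayed = sanitize_response_headers(resp.getheaders())
                status = resp.status
        except Exception as exc:  # DNS failure, timeout, HTTP error status
            self.send_error(502, f"upstream fetch failed: {exc}")
            return
        self.send_response(status)
        for name, value in relayed:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)  # page body relayed unchanged; links not rewritten


if __name__ == "__main__":
    # Listen locally only; request pages as /?url=http://example.com/
    HTTPServer(("127.0.0.1", 8080), AnonymizingHandler).serve_forever()
```

Note that the page body is relayed as-is, so script inside the page still runs in the client's browser and can reach past the proxy, which is exactly the first congenital problem discussed below.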
There are lots and lots of free anonymizing sites on the Web. I’ve used Anonymouse.org, SafeForWork.net and The-Cloak.com. A quick trip through Google will net you many more. In my experience, they’re almost uniformly slow, but the price is right.
Anonymizing sites suffer from several congenital problems.
First, there are ways that sneaky Web sites can bypass some anonymous intermediaries and reach directly into your computer, extracting a local address and (possibly) planting a cookie. Granted, a Web site would have to be specifically aimed at gathering such information — but, at least with some anonymizing sites, it’s possible.
Second, and more troubling, is the possibility that the anonymizing site might be sandbagged or subpoenaed into revealing information about its customers’ surfing habits.
Third, unless the anonymizing site provides a way for you to encrypt your interactions with the site, everything you do goes out "in the clear" and snoopers and sniffers can still see everything.
Big-time anonymizing sites (actually, they’re more like services) know all about those tricks and more. The companies say that they don’t keep logs of the transactions, so if they’re ever subpoenaed, there’s nothing to, uh, poena. They maintain dedicated servers all over the world that quickly handle your requests. They let you specify which sites should go through unblocked, so if you want cookies from a specific site (for, say, ordering on Amazon or booking tickets on your favorite airlines), it’s all handled automatically.
The two best-known anonymizing sites/services are Anonymizer and Ghost Surf. Both have several different packages, with widely varying prices starting around $30 USD for the first year. If you aren’t sure which package is right for you, I suggest you try the GhostSurf Standard free 15-day trial. (I don’t recommend that you install GhostSurf Platinum; too many people have reported problems with the antispyware component.) Give it a whirl and see if the advantages outweigh the quirks.
The free Java Anonymous Proxy project
Last week, while wrangling with Windows Vista over a latte, I met a guy who pointed me to a project undertaken by the Technical University of Dresden and the University of Regensburg.
The Java Anonymous Proxy project (JAP Anon) is a long-standing open source effort to bring anonymity and privacy protection to the masses. The project uses a technique called "server mixes," which routes your Web accesses through a bunch of proxies. Many people use the server mixes, and they change dynamically, so the activity of a single user gets lost in the shuffle. The result, to quote the developers, is that "no one, not anyone from outside, not any of the other users, not even the provider of the intermediary service can determine which connection belongs to which user."
While the current stable version of JAP Anon crawls along at a snail’s pace, the new AN.ON servers make JAP quite sprightly. Follow the instructions here and download the free “developer version” of JAP Anon to get onto the AN.ON network. (The heading on that page says it’s a "Payment Component Test" but in fact, as you see further down the page, you can download and use the developer version free of charge.)
How to use the free ‘Onion Ring’
Another major research project, called Tor, uses "onion routing" to implement anonymous routing along its entire network. You’re not only anonymous at the beginning and end of the network, there’s effectively no way to track your requests through the Internet.
The Tor Network started as a U.S. Naval Research Laboratory project, but in late 2004 the Electronic Frontier Foundation picked it up. The reach of the project is nothing short of astounding:
"Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers…
"Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses. Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization…
"Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication…
"A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations."
You can use Tor, too. It’s free. Completely open source. Download it from the official Tor download page. There’s a great introduction to the technology on the Tor overview page. And the Tor Wiki sports an extensive FAQ, including instructions for installing Tor on a USB drive, so you can run it from any computer with a USB port.
Tying it all together, the AN.ON network I mentioned in the preceding section also uses Tor technology. So if you run JAP Anon over AN.ON, using the method described above, you get the best of both worlds. Free.
Scott McNealy was wrong. Online privacy is alive and well. You just have to know where to look.
Woody Leonhard writes books about Windows and Office. His most recent works are Windows XP All-In-One Desk Reference For Dummies, Windows XP Timesaving Techniques For Dummies, Windows XP Hacks & Mods For Dummies, Office 2003 Timesaving Techniques For Dummies, and Special Edition Using Office 2003 (with Ed Bott).
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.