Security Watch

UAC Under Control

UAC not so snarky in Windows 7. Plus, .NET exploit; Internet dangers; hiring hackers.

• By Jabulani Leffall
• 04/21/2009

Such is the theme in IT security these days as cybersecurity seems to be as perilous as ever. As the week begins, there is a lot to discuss from the annoyance of security popups to the latest exploit dangers of the Internet and the ambitions of teenagers.

Fewer UAC Popups in Windows 7
After a debate earlier this year about the functionality and integrity of the user account control feature in Microsoft's upcoming OS Windows 7, Redmond is promising to meet users half way.

UAC is a security feature that made its debut with Vista, but got a chillier reception than the much-maligned operating system itself. UAC is supposed to reduce the chance that malware could injure a workstation, by issuing pop-up warnings so users can confirm that they want to perform functions deemed risky.

On Monday Paul Cooke, director of Windows 7 client enterprise security, said users will see nearly 30 percent fewer popups in Windows 7.

.NET exploit
It's becoming increasingly common for security researchers and techies to raise their profiles by becoming mock hackers, sometimes even monetizing their efforts (case in point, see last item). Erez Metula, the software security engineer for security company 2BSecure is no different. His company has released an app that can place difficult-to-detect malware using Microsoft's .NET Framework on Windows computers.

The tool, called .Net-Sploit 1.0, allows for modification of .NET, a piece of software installed on most Windows machines that allows the computers to execute certain types of applications.

"You'll be amazed at how easy it is to devise an attack," Metula said, according to transcripts from his presentation at the Black Hat Security Conference in Amsterdam last week. "Security vendors should upgrade their software in order to detect tampering with the .NET Framework." Yes, perhaps security vendors should do that.

Charney: Internet Still Dangerous
In a series of videos posted ahead of this week's RSA security conference, Microsoft, led by Scott Charney, corporate vice president of Trustworthy Computing, said the Internet, while here to stay and viable, is still untrustworthy.

"The fact is that because the Internet can be anonymous and untraceable, criminals flock to the Internet," Charney said in the video. "Today too many people do not know what software is running on their machine and often they have malware. They often don't know who they're communicating with, whether an e-mail they've received is spoofed or from some unknown sender even when it appears to come from someone they know. When they visit Web sites, they don't know if that Web site is to be trusted or not."

The security community needs a "push back on anonymity and lack of traceability," he said, before going on to stress that for these reasons "End to End trust is needed," meaning that people should be able to have more trust in the transactions and interactions they are having on the internet. He called on software and hardware vendors to build secure products.

For Microsoft, he said, the company's security development lifecycle combines many elements that foster the defense in-depth approach to security, as nothing will ever be absolutely certain. Vulnerabilities, he said, "will never be down to zero."

Hack Job Begets Programming Job
In my last blog post, we spoke of attempts at alliteration as it relates to talking tweets on Twitter. And these desperate puns remain hokey. But wait, enter 17-year-old Michael "Mikeyy" Mooney who is a new star on the Web due to Twitter. It's not because his "tweets" are particularly prolific and witty, but because he hacked into the popular mini-blogging and social networking site with as many as three different worms a week ago.

So what now, jail? Not exactly.

It emerged Monday that Travis Rowland, CEO of exqSoft Solutions LLC of Hammond, Ore., offered Mooney a paid gig after the teenager said he had written at least two of the worms that struck Twitter starting on April 11; he claimed to have cowritten others. Mikeyy allegedly said he exploited cross-site scripting vulnerabilities in Twitter to infect user profiles.

Twitter co-founder Biz Stone has promised a full review of the 10,000 rogue tweets set off by these worms, which ran amok without compromising user personal information during the incursions. But aside from that there is no word on who, if anybody, will be prosecuted. For his part, Rowland has asked Stone -- via tweets on Twitter of course -- not to press charges.

"I hope u guys don't file lawsuit against him, hope u understand Mikeyy did u favor and could have compromised personal information," Rowland wrote.

Security experts such as Graham Cluley of Sophos says incenting hackers to land paydays by doing what they do best could set a dangerous precedent.

"ExqSoft Solutions are in effect encouraging other youngsters to behave like irresponsible idiots. The last thing we want is a wave of other kids exploiting software and Web sites, in the hope that they might be rewarded with a job offer," Cluley wrote.