Archive for April, 2007

The Agony of Disk Failure

Monday, April 30th, 2007

After many years of steadily rising hard drive reliability claims, a recent study by Carnegie-Mellon University and Google has found a much worse failure rate than that usually claimed by manufacturers. The study, cited in an article on PC World’s site, indicates failures occurred at least four times as often as industry figures indicate. It made use of the MTTF, or “mean time to failure,” specification often used by vendors to indicate the reliability of their drives. For obvious reasons, this figure isn’t based on long term studies of current drives; instead it’s based on historical models of similar disks.

The study didn’t state that more drives are failing catastrophically, but rather that more are reporting errors during read/write operations than would be expected based on manufacturer claims. A catastrophic failure is somewhat rare (and can be dramatic, especially if the drive motor seizes or a head snaps loose), whereas a data error basically means a disk was unable to read or write data at one or more specific locations. Such failures usually mean the disk internally marks that sector as unusable, and re-vectors a write attempt to a different location. This is fine, but if the disk was attempting to read data when the failure occurred, it means you’ve lost something that previously was written successfully to that location. This could well mean an entire file has become corrupted (it all depends on the exact nature of the error and whether Scandisk or another utility can recover all or part of the data), so the consequences of such a failure can also be fairly severe.

Drives can fail for a number of reasons. Heat and vibration are the biggest enemies, along with shock (mostly in laptop disks) and, rarely, exposure to very strong magnetic fields. Many people don’t vent their PC’s case adequately, and tend to jam tower machines into cramped quarters that prevent adequate air exchange. This can lead to disk (and CPU, and memory…) failure since the temperatures inside such a case can skyrocket to 150 degrees or more. Serious Gamers, who often use extreme hardware that generates higher than normal heat loads, often install multiple fans or even liquid cooling systems in order to minimize case temperatures and improve component lifetime.

Shock can also be caused by someone kicking or hitting a PC, and can cause localized drive failures. The heads in a disk ride on an extremely small cushion of air just above the spinning platter, and it’s possible for a strong shock to cause one or more heads to slap against the platters. If this happens, it’s bye-bye data (and maybe the entire disk).

The best defense against this type of data loss is a simple one: back up your data on a regular basis. Putting a copy on a separate drive or tape is the best way to ensure it’ll be there when you need it. You should also run Scandisk or another disk-checking tool on a regular basis; if it reports any errors, consider replacing the disk immediately. Once a drive starts throwing errors, it’s usually heading rapidly down the path toward a major failure.

A final tip: listen to your PC. If it starts making any sort of squealing or loud whirring noise, it’s telling you that a spinning component (power supply fan, CPU fan, or disk drive) is starting to fail. If this happens, have someone look at the system immediately.

A Free Rootkit Tool

Saturday, April 28th, 2007

While reading through technical news stories today, I noticed AVG are offering a free Rootkit detection and removal tool, which can be downloaded from their Web site. This reminded me that we haven’t really talked about this topic yet, and provided a handy excuse for introducing the subject. But first, some background.

“Rootkit” is an old term that originated with the UNIX operating system, though I recall seeing Rootkit-like methods demonstrated on a VAX/VMS system in the mid 1980s. It describes a set of libraries or applications that allow a malicious user to remain concealed, even from a system administrator, when logged into the system. The term is derived from the name of the “super user” or “root” account present on all UNIX systems; the Windows equivalent is the Administrator login ID. On a UNIX or Linux machine, such libraries might prevent a hacker’s ID from being displayed on a list of currently logged in user accounts or active network connections, or allow someone to open a “shell” (like a DOS prompt) over the network without the need for a login ID. The term has been expanded to include any set of tools, no matter which OS is involved, that allows a hacker to operate undetected in the background even when antivirus or other security tools are present and active.

Rootkits are often used by hackers who want to hijack machines for use as part of a botnet or other malicious network; once installed, the hacker can log into the machine at will and cause it to execute any desired commands. The only indication that a problem exists might be that the machine operates more slowly than usual; more astute users could notice that memory use statistics don’t quite add up or that disk space is being consumed but cannot be accounted for. Normal, built-in applications such as the Task Manager or command-line “netstat” commands will not show unusual processes or network connections. As far as I know, the only means of detecting and removing a Rootkit involves a specialized application such as the one now being offered gratis by AVG, who deserve a great deal of credit for their efforts.

One caveat of this application is that it provides no real time protection against new attacks. The free version operates only as a scanning and detection tool; it will find and (hopefully) neutralize existing Rootkit installations during a scan, but is not capable of detecting or deflecting an attack during normal system operation. This capability is restricted to AVG’s commercial products. Still, users who are on a budget or are not convinced of the prevalence of Rootkit attacks should download, install, and make use of such tools; the more people who avail themselves of this service, the harder it’ll be for hackers to turn systems into zombies or install keyloggers and other malicious software. Go download the kit.

Microsoft and Open Source

Wednesday, April 18th, 2007

Today Microsoft announced a new version of its Media Player plug-in for Mozilla’s Firefox browser, replacing an earlier version that was apparently extremely buggy. They’re also developing a Firefox plug-in for their own CardSpace application, according to an InfoWorld article. It’s good to see things like this happening, since it reflects an increased willingness on their part to accept the reality of Open Source. For years, Microsoft derided any OS or application that it didn’t control, referring to Linux and other Open Source projects in disparaging (and sometimes hysterical) terms. Now, with Linux use on the rise and an increasing number of third party applications offering non-Windows variants, Microsoft seems to have accepted the inevitable. Competition is alive and well in the marketplace, and not everyone wants Windows. From a personal perspective, I started using Windows 3.0 in 1991 or so and have migrated to subsequent releases ever since. I’m running XP Pro now, but also use Linux. I plan to migrate fully to the latter once a few more of my favorite applications are available in native mode.

The funny thing about Microsoft’s resistance is that their past refusal to work and play well with others may have cost them dearly in terms of both good will and market share. Many Open Source development efforts seem to start out as protests against the perceived restrictive nature of proprietary applications (witness the development of Open Office), and a mega-corporation’s failure to participate in Open Source is often seen as an attempt to keep users dependent on its retail application offerings. It’s been established that open development projects can, and do, produce applications that equal or exceed the capabilities of commercial ventures. Indeed, UNIX itself is largely the result of participation by a wide range of developers and companies over a long period of time. Once the base OS was created, people built applications on top of it and donated them to the overall effort.

Large companies that refuse to jump into the Open Source marketplace are increasingly seen as behind the times, worried about public disclosure of code defects or poor design, or paranoid about theft of their technology. The latter is rarely true, and the success of Open Source shows that companies that participate often gain access to a wide network of developers who help locate software defects, make suggestions, and occasionally offer up their own code free of charge. With IBM and other large corporations firmly entrenched in the Open Source movement (Big Blue has donated several older but popular applications to the cause, and is a strong proponent of Linux, even on Mainframe systems) Microsoft can no longer afford to stay out of the game.

The Worm Turns (Again)

Tuesday, April 17th, 2007

Last week’s “Storm Trojan” attack may presage a new wave of hijacking attempts designed to take control of insecure PCs for use as new botnet nodes. An article on Yahoo’s tech news site discusses the situation in some detail, and also raises some interesting points about the nature of the growing underground botnet economy. Time was, most hackers attacked other machines simply because they could, or in order to steal applications and data. Today, large spammer organizations actively solicit for new machines to add to their expanding botnet networks, and it’s entirely possible small operators are writing (or simply exploiting) newly available hacks so they can “sell” cracked machines to these larger operators. In a way, it’s very similar to the manner in which various large conglomerates evolved; small time operators are bought out by mega corporations, which are interested in the little guys’ customer base. In this case, though, the “customer base” is composed of machines whose capabilities are being hijacked without the legitimate owners’ permission or knowledge.

The article mentioned above reinforces this image, noting that “As malware writers, adware distributors, and fraudsters pool access to botnets and look for new ways to cash in on the systems, large-scale attacks like Storm, which mimics more traditional worm activity with its rapid-rate of propagation via spam, will rise to the top. [...] As we’re seeing a flood of botnets on the market, there also appears to be consolidation with several dominant organizations taking over.” In real world terms, one could almost use the analogy of an underground company making use of the postage meter located at another company’s facilities; the underground group is able to sneak large quantities of its own mail through the meter and have it mailed for free without much fear of detection.

It’s no wonder that technologies like Blue Security’s spam detection and alerting system have elicited such violent responses from large scale spammers, who have launched vicious and widespread attacks in order to shut down or cripple such systems. Botnet operators rely on stealth, and must operate “under the radar” in order to survive. A new technology capable of detecting and alerting legitimate individuals and companies of the presence of compromised machines in their homes and offices represents a threat to the botnet operators’ bottom line, and even to their very survival.

The fact that attacks are changing yet again in character, from e-mail to Web based, reflects basic evolutionary principles: viruses and other means of attack must adapt and change as users and companies deploy ever more sensitive, capable threat prevention systems. The increasing success of antivirus systems in regard to e-mail based attacks mandates that the virus move from mail to another vector in order to escape detection; thus we’re seeing more e-mail containing innocuous text and a link to a Web site, which contains the actual virus payload. It will be some time until security software vendors improve their systems sufficiently to counter this new threat; until that time, users will remain vulnerable. And of course, the cycle will begin all over again once security vendors develop effective counters to Web-borne virus attacks.

Fake IRS Sites?

Friday, April 13th, 2007

With the annual US “tax day” of April 15 rapidly approaching, the Internal Revenue Service blasted the owners of several Web sites that advertise tax preparation services. Why? The IRS’ official site uses the URL http://www.irs.gov, while commercial vendors have taken over the .com, .org and .net variants. The IRS feels some taxpayers could become confused, and end up paying unnecessarily for services offered free of charge on the government’s site.

The IRS assertion is not wholly without merit, since many people are accustomed to using .com when visiting corporate Web sites and may not notice they’re not on a government site. The http://www.irs.com site, while sporting a small disclaimer clearly stating that it is not the government’s Web presence, uses a US flag logo and sports a red, white, and blue motif that could easily trap the unwary. Additionally, the repeated use of the “IRS” acronym is relatively deceptive in some respects, especially since it appears to stand for nothing in particular. One link on the site takes the user to a page of other links, all of which point to private tax preparation companies. By way of contrast, the operators of the http://www.irs.org and http://www.irs.net sites use vastly different design layouts; one clearly states in large type that the site is privately operated and offers a link to the official government site, while the other fails to mention either of these caveats. Is this deceptive practice, or is it a legitimate means of doing business?

In a way, the answer to both questions is yes, but with the qualification that such quasi-deceptive business methods are not confined to Internet marketers. Nearly everyone has received official looking envelopes, often marked with “Official Business,” “Penalty for Private Use,” or other important looking logos, only to open them and discover a sales pitch for a credit card or financial services company. A few go too far, and include paperwork that leads readers to the false conclusion that failure to act will result in legal penalties.

Similarly, quasi legal charity groups operate using both Internet and more traditional contact methods. An elderly relative regularly receives phone calls soliciting money for groups claiming to represent Native Americans, homeless children, disabled persons, and others. I’ve checked into several of these groups, only to find questionable fundraising practices and deceptive techniques. In some cases, no such charity could be found on a list of known, registered groups.

What we’re seeing today is the migration of long-used tactics of deception to an electronic format. Just as chain letters, hoaxes, and urban legends made the transition from hand-written paper to Xerox, then to fax, and finally to e-mail, other questionable practices are following suit. It’s no surprise, but it’s another reason to be careful when using Internet-based resources for personal business. The convenience of electronically submitting official forms far outweighs any potential hazards, but make sure you’re on the right site before you provide any personally identifying data.

Junking your PC

Thursday, April 12th, 2007

Users today are justifiably concerned about data and personal security, especially given that we often store years of tax, medical, and general financial data on our PCs. We often go to great lengths to prevent hackers, spyware, and other security problems, but few people think twice about a machine that’s destined for the trash. Discarding a PC is also problematic, and is a process that should be handled with care.

Many users believe that simply deleting all their files is sufficient. This is an incorrect assumption, since the delete function does not physically erase files from the disk. At the OS level, this function removes the entry in the File Allocation Table (FAT) or NTFS equivalent; this simply means there’s no longer a user-available marker that matches a file name to one or more physical sectors where that file was stored. Anyone with a bit of knowledge can usually scavenge all or part of a deleted file, so normal deletion isn’t an adequate means of protecting private data when discarding a PC.

Several methods can be used to ensure files are truly dead and gone before you pitch an old machine into the trash or, even better, donate it to charity for re-use. One involves removing disks from the machine, moving them to another system, then running a low level format program that fully re-initializes the drive (a “quick format” won’t work). Another is to purchase software that rewrites an entire drive, which often means writing “0”s to each and every sector on the disk; this ensures no latent data remains behind to be found by the machine’s next owner.
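To make the difference between deleting and overwriting concrete, here is an added simulation (not code from the original post): a toy disk with a FAT-style allocation table and constructed sample data, a delete that only clears the table entries, a quick format that only resets the table, a carve routine that scans raw sectors the way a scavenging tool would, and a full zero-overwrite of every sector.

```python
"""Toy disk image: a handful of fixed-size sectors plus a FAT-style
chain table. Everything here is a simulation for illustration; no real
disk or filesystem is touched."""

SECTOR_SIZE = 16
NUM_SECTORS = 8
FREE = -1   # table marker: sector is unallocated
END = -2    # table marker: last sector in a file's chain


class ToyDisk:
    def __init__(self):
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(NUM_SECTORS)]
        self.table = [FREE] * NUM_SECTORS   # sector -> next sector in chain
        self.directory = {}                 # file name -> first sector

    def write_file(self, name, data):
        # Split into sector-sized chunks and chain them through free sectors.
        chunks = [data[i:i + SECTOR_SIZE] for i in range(0, len(data), SECTOR_SIZE)] or [b""]
        free = [i for i, t in enumerate(self.table) if t == FREE]
        if len(chunks) > len(free):
            raise IOError("disk full")
        used = free[:len(chunks)]
        for idx, (sec, chunk) in enumerate(zip(used, chunks)):
            self.sectors[sec][:] = chunk.ljust(SECTOR_SIZE, b"\x00")
            self.table[sec] = used[idx + 1] if idx + 1 < len(used) else END
        self.directory[name] = used[0]

    def read_file(self, name):
        # Normal read: follow the chain from the directory entry.
        if name not in self.directory:
            raise FileNotFoundError(name)
        parts, sec = [], self.directory[name]
        while sec != END:
            parts.append(bytes(self.sectors[sec]))
            sec = self.table[sec]
        return b"".join(parts).rstrip(b"\x00")   # padding stripped (toy simplification)

    def delete_file(self, name):
        # What an ordinary OS delete does: drop the name and free the chain.
        # The sector contents are never touched.
        sec = self.directory.pop(name)
        while sec != END:
            nxt = self.table[sec]
            self.table[sec] = FREE
            sec = nxt

    def quick_format(self):
        # A "quick format": fresh table and directory, sectors left as-is.
        self.table = [FREE] * NUM_SECTORS
        self.directory = {}

    def wipe(self):
        # Full overwrite: write zeros to every sector, then reset the table.
        for s in self.sectors:
            s[:] = bytes(SECTOR_SIZE)
        self.quick_format()

    def carve(self, marker):
        # What a scavenging tool does: ignore the table entirely and scan the
        # raw sectors for a recognisable pattern. Returns matching sector numbers.
        return [i for i, s in enumerate(self.sectors) if marker in bytes(s)]


def demo():
    """Constructed sample record; returns (sectors carved after delete,
    sectors carved after a full wipe)."""
    d = ToyDisk()
    d.write_file("tax.txt", b"SSN=000-00-0000 income=12345")
    d.delete_file("tax.txt")
    after_delete = d.carve(b"SSN=")    # still found: delete only cleared the table
    d.wipe()
    after_wipe = d.carve(b"SSN=")      # gone: every sector was overwritten
    return after_delete, after_wipe


if __name__ == "__main__":
    print(demo())
```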

Some companies and individuals resort to more extreme measures depending on data security requirements. Removing a disk and smashing it on a concrete driveway or other hard surface is one method, though you need to ensure that individual platters inside the drive are adequately damaged since it’s possible to disassemble an otherwise non-functional disk and insert intact platters into another drive carcass. This requires expertise and equipment, but it can be done. A few good smacks with a sledgehammer will generally ensure a disk is sufficiently destroyed to prevent anyone from extracting information from it, and may also provide excellent stress relief for the hammer-wielding user.

For users who lack the time and expertise, PC repair shops will also erase disks on discarded machines for a nominal fee. If this method is chosen, be sure to insist on a certificate of data destruction or other verification that the drive has been rendered unreadable, and use a reputable vendor. Handing a disk full of data to someone is like giving them access to your life story, so check out the shop before resorting to this method. A friend once bought a used PC from a shop that claimed the prior owner’s data had been removed; when he ran a disk scavenging program on it, he found Social Security and financial data spanning a five year period.

Some people will tell you running a strong magnet over a disk will erase it. This isn’t true, and you probably don’t own a magnet strong enough to affect a hard drive’s data (huge electromagnets used at junkyards to lift cars would do the trick). Refrigerator magnets might erase data on an old style floppy disk, but they won’t touch the data on a hard drive.

Oh, and don’t forget about all those data CDs you throw into the trash. A paper shredder that can also handle such items (not to mention credit cards) is a very good investment.

Wasting Time

Wednesday, April 11th, 2007

Most of us joke about “surfing” the Internet, or simply following links until we run into some type of interesting material. In many ways, it’s the technological equivalent of a word association game: search on a random term, and off you go. Sometimes it’s a lot of fun, but sometimes you find yourself in the online equivalent of the red light district and wonder how you got there.

The analogy can go even further, since even on the Internet you can end up being mugged in one way or another. Anything goes once you’re off the beaten path of trustworthy commercial and organizational sites. You could pick up a virus caused by malicious code on a badly maintained or intentionally designed Web site, and your movements can be traced using cookies. In the latter case, someone who figures out which IP address you’re using (an easy task, incidentally) may know more or less where you are. In many cases, addresses are traceable since companies often allocate their IP space on a regional basis, and your location can be even more closely identified if your ISP uses an “address.state.city.provider.com” addressing format.

Recently I accidentally visited a site that, based on a keyword search, alleged to contain information I needed regarding a programming language. It turned out to be an online dating service that was covering its real purpose using META keyword tags (also an easy task). I was immediately greeted with a banner headline asking if I was interested in meeting single women in a town about 3 miles from my house. The site had used my IP address to determine a probable location, and customized its message accordingly. Imagine the security ramifications: you hit a site containing illegal materials, and end up paying blackmail to prevent the information from being published. You visit a site run by thieves, who determine your location and surfing habits for later use in setting up a burglary at your home. And as we discussed recently, spammers and phishers are making use of such topical items in order to disseminate interesting sounding links via e-mail.

Security concerns aside, surfing can also be a time sink. A recent article on this topic mentions an acronym that’s sprung up to describe “pointless surfing” activities: WILF, or “(what) was I looking for?” “Wilfing,” which sounds vaguely illegal, is estimated to waste up to two full work days per month per worker in the UK. It’s less a case of intentional time wasting than of being pulled into vaguely interesting, but useless, side trails to our original queries. What starts off as a quest for the best printer can end up in a discussion of the history of printing presses, or a topic even further from the original query. Certain events, such as major sports or news items, can elicit even more time wasting as interested parties are dragged into reading the latest online reports.

Information is indeed power, and the Internet is an almost inexhaustible source of data on almost any subject. Some of it is even accurate. Surfing can be enjoyable and even educational, but it can also be a security hazard as well as a huge waste of time.

The Storm Trojan is Coming

Tuesday, April 10th, 2007

Today we had reports of a weekend “spam strike” that made use of yet another interesting social engineering mechanism. This time, spammers generated fake news reports of an alleged “missile strike on Iran” in an attempt to lure unwary users into clicking on false links. The spam messages even included attached files “that posed as videos of a bogus missile strike by the U.S. against Iran,” according to an article on Computerworld’s site.

Earlier we discussed other spam/phishing attempts that made use of links to sites alleging to offer titillating photos of Britney Spears; now spammers are using news stories. This is an intriguing, yet somewhat frightening blend of technical attacks coupled with social engineering. More users are becoming aware of “traditional” attacks involving financial scams, deeply discounted software, and outright pornography, so spammers are turning to more subtle techniques directed at user curiosity and, in this case, fear. Recent events in Iran have placed that country’s name firmly in the public consciousness, so news of an alleged missile attack is likely to entice more people into clicking on a link than would, for instance, an offer involving free porn or black market software.

Details about the attack mechanism also help emphasize the necessity of keeping our antivirus software packages up to date. The “storm Trojan” made use of an existing virus delivery system, and involved “variants of Trojan.Peacomm and W32.Mixor, which have been repacked in an attempt to avoid existing detection” mechanisms. In this they were apparently relatively successful, and the article also notes that the Peacomm virus, AKA Zhelatin, has apparently been very popular as an attack vector over the last few days, comprising 32% of all malicious code distributed during that timeframe. In fact, the same storm Trojan delivery system was used during a February attack against blogs, Webmail systems, and forums.

The term “variant” is important. Antivirus software relies on a virus’ signature in order to detect and counter a given threat. When hackers alter the profile of a particular virus, that variant may not be detected by existing virus definition files. Only by keeping up with signatures (i.e. by maintaining a subscription to an update service and downloading new updates regularly) can we hope to catch and disable new variants.

Just as terrorists have altered their tactics in Iraq in response to improved security measures, hackers and spammers will continue to improve their delivery technique. It’s the same type of war - attack, response, analysis, counterattack. Though the stakes in a cyber attack may not directly involve human lives, an indirect effect could be seen if hospital or other systems are infected. Our lives depend more on technology with each passing day: all the more reason to protect our systems.

Another Vista Exploit

Friday, April 6th, 2007

Yesterday Microsoft released a new patch designed to plug a serious vulnerability in Vista - the first truly nasty one yet uncovered. Interestingly, the problem lies in ANI files used by the system to produce hourglass and other effects with the mouse cursor, and is so amazingly dangerous that teams of hackers in China are already using it intensively in attempts to break into vulnerable systems.

According to an article on the Web, the emergency patch (MS07-017) is available now and has been released separately from Microsoft’s normal patch schedule due to the severity of the defect, which is being used as a back door for installing malware/spyware onto Vista systems. At first it was thought the exploit was hazardous only to Internet Explorer users, but it now appears that Firefox users might also be at risk.

Another interesting aspect of this vulnerability involves the distribution mechanisms being used by hackers attempting to exploit it. Another article reported that hackers are embedding exploit code in Web sites, then using massive quantities of spam promising access to compromising photos of Britney Spears to users who click on an embedded link in the message. Specifically, “the attack has evolved to feature an embedded image of the scantily clad pop star and links to a hacker website promising more explicit titillation” for those who follow the link. This is not the first time celebrity names have been used by spammers, but the sheer volume of message traffic is apparently surprising to some security analysts. The use of embedded images is also not new, but has become a favorite trick since image files cannot be read and rejected by anti-spam or antivirus software. The removal of all text from a message makes it that much more difficult for security software authors to detect spam based on pattern matching algorithms, and such messages could contain legitimate photos or other images that should not be rejected out of hand.

This incident showcases the adaptability of hackers and others, who are fully capable of altering attack methodologies in response to new security measures. It also shows how spammers will make use of trends and popular news topics when attempting to disseminate spyware. Recently I’ve received many spam and phishing mails that use snippets from legitimate news stories as titles, as opposed to the “penis enlargement” or “online casino” titles of the past. These represent not only attempts to slip past spam filters, but are also designed to pique the interest of the user. If you make a message sound interesting enough, more people are likely to read it. This is a skilful blending of technical exploit and social engineering, and we’re likely to see a lot more of it in the future.

HDTV-PC?

Thursday, April 5th, 2007

While it’s long been possible to watch TV on your PC monitor, and it’s certain many people do so on a regular basis (hopefully not while trying to work!), the PC has not yet morphed into the all-encompassing entertainment system/network portal/communications device that some have hoped for. Mind you, I have friends who have ripped every CD they own, along with DVD movies and in some cases even vinyl media into digital format, which they store on large disk arrays so it’s instantly accessible from anywhere on their in-home network. But two real problems remain. First, I’ve not yet seen an audio card that can drive a 50″ TV and I’m in love with my 16:9 Sony unit. Second, no one has an HDTV-compatible video card yet.

Or so I thought, until I saw an article that discussed one reporter’s attempt to have a new PC-based HDTV/digital video system installed on a machine with Windows Vista MCE (Media Center Edition). Interestingly, companies are still working on the idea of fully enabling the Media Center concept even though Cable companies have taken the lead in this market and will probably maintain it. Aside from the problem of screen size, a standard DVR (Digital Video Recorder) is currently much more stable and easier to use than MCE. It also doesn’t suffer from the ongoing issue of crashes, driver incompatibility, stuttering video, and general complexity that’s endemic with the current crop of PC-as-Home Theatre hardware. As the article states, “If MCE was out during the late 90s, it wouldn’t have been a problem, but when MCE 2005 made its debut with no more than OTA HDTV support, it was clear that MCE had lost its potential.” While Vista is said to be secure enough to give media providers a warm feeling about allowing people to purchase and store HD movies on it, MCE itself is simply behind the curve in terms of consumer-grade Home Theatre hardware.

The other problem, as discussed in the article, is that the installation of the specialized hardware required to receive digital HD cable signals on the PC was horrendous and took several days. At the end, the Time Warner Cable technician apparently asked what the system could do. When told, “his reaction asked the question ‘why on earth would you go through this when you can just rent an HD-DVR from us for $9 a month?’”

The general concept of PC as Home Theatre is still tantalizing and should be explored. Presumably, other companies are working on hardware and driver combinations that might enable display of large-screen video without sacrificing the PC’s other capabilities, but again the problem involves all that other stuff that people invariably want to install on their machines. Sure, you can set up a machine that does nothing but act as a video center and runs only the OS and media software, but what’s the point? It’s no longer a PC, but a dedicated Home Theatre system. For the money, I’ll go buy or rent a DVR and a nice LCD monitor.