Microsoft W7 security fix appears to require more than one account on a personal computer

There is more to say about this most recent security fix to Microsoft W7 in the logon logic (Dec. 21, 2012 posting).

Twice today, on cold boot of my Dell XPS laptop with Windows 7, after getting to the “Welcome” step with the spinning circle, the machine just put up a blank light blue screen, no dump.  If I pressed the power button, and then told the boot BW screen to proceed normally, the boot finished normally. Checking around online indicated that to get around this, put up another admin account in Safe Mode. 

I went ahead and did this, not bothering with Safe Mode (it works in regular), creating another admin account and a regular user, with passwords and hints.  I found that neither user got all the programs (like Chrome) unless you add them again.  And I couldn’t get the regular user to give update access to Word documents.  If I’m the “owner” of the machine, it’s still much easier to work that way.

I did find that I don’t get the hang on a cold start (at least the first test).  Well see tomorrow.  I think that the software is counting logons and suddenly requiring another account or it goes into a loop looking for one.  One site said that when this loop happens it stops after about 15 minutes and says “logon failed”.  I didn’t wait that long.

   

Microsoft still seems a bit sloppy with these updates.  They can interfere with getting work done (even on Saturday night – why am I not clubbing?) 

Sunday morning (as with Benjamin Britten): fix still seems to hold. 

Can a Microsoft W7 security update require a cold restart?

I got a single Microsoft update for Windows 7 this morning for KB2753874, regarding a vulnerability that would allow an attacker to gain control of a personal computer and execute commands on it (like log on to your bank accounts, or copy keystrokes), if you visited certain malicious websites or opened a document with “True Type” or “Open Type” font files, with explanation here. 

This would be one of the scariest possible attacks. 

The single update took longer than usual to install.  Then, on restart, the computer would not completely reboot, but stayed on a blue screen.  Upon prompting with the power button (on a Dell XPS from 2009, a computer that originally had Vista), it went to the account locked screen.  Upon one more prompt with the power button, it turned off properly. On cold restart, it booted up normally.  On a subsequent restart, it took slightly longer than usual and executed the startup menu in a different sequence than usual. 

I haven’t before experienced a Microsoft update need a cold restart to work properly.  The machine comes up and tells you it didn’t shut down normally the last time, but does restart as usual if you just press Enter once. 

I usually rarely get single updates like this (except for the Malicious Software Removal Tool).  Anyone else had this experience? 

(Yup, I've heard people say "Microslop".) 

Scammers go to the gutter after tragedies with fake domains; more on Windows 7 stops

A word to the wise.  The media (especially Anderson Cooper, and Piers Morgan, who just tweeted an example) are reporting on a number of scams, domain names set up to help victims of the Newtown tragedy.  Similar scams exist also for Hurricane Sandy, but didn’t get much attention. (The Morgan tweet linked to a jewelry scam that, in Firefox, displays a "red circle" from MyWOT right on Twitter.) 

Here’s a typical news story, on NewsVine.  

There is a risk that scammers will create trademark-infringing domain names, deliberate misspellings (or different tld’s) to start fraudulent collection.

I really haven’t noticed that much phishing from either incident in my own inbox.

On another matter, a few of the conservative sites get really crazy with ads that hang Windows 7 for a minute or so, trying to load something like, “realtime.services.discqu.com”.  Is “realtime” a Windows 7 service that needs to be in my Startup menu?  I actually allow pop-ups for “journalistic” reasons.  Webroot Secure Anywhere does not consider this to be malware.  The Washington Times and the Washington Examiner do a lot of this.  But then again, so does CNN and Major League Baseball.  

PC Magazine now rates Webroot Secure Anywhere in the top three

PC Magazine has listed Webroot Secure Anywhere as one of the three most effective anti-virus software products in detecting and blocking malware threats.  The other two products scoring highest are Norton and BitDefender.  The story, by Neil J. Rubenking, is here.  

Webroot switched to a cloud-based product about eighteen months ago, and that means that users don’t have to let time-consuming data signature updates run.  The article also points out that antivirus companies are now getting away from annual releases of their products.

   

I have Kaspersky and Trend Micro on two other netbooks, and the Kaspersky is always asking for a data file update. 

It have Symantec Norton on my MacBook.  

The most effective anti-virus software tends to move from company to company as years go by.  What was best three years ago isn't necessarily so now.  

At one time, Webroot (I believe it's based in Colorado) called its anti-virus engine "Spysweeper" (the label I still use on the blog for it), which is how it was known in the industry (like with Geek Squad) and used Sophos as its engine.  

Wikipedia attribution link for second picture, Pikes Peak Summit. I drove it in a rental manual transmission care in 1994, and didn't use my brakes coming down (you use low gear). It was awesome. There is a restaurant on top and people work at 14000 feet.  

New "drive-by" ransomware impersonates the FBI, seems to have affected thousands in US already

Various media sources have reported a piece of malware that seems to take the form of a “drive-by” attack (upon visiting certain infected websites), called “Reveton” or “Moneypak” (these may be similar but different items).  They interrupt the user’s (Windows) experience with a warning purporting to be from the FBI (or IC3) that your computer is locked, with a demand to pay ransom through a credit card.  Of course, paying the ransom doesn’t free the computer. This is somewhat different from some previous malware in that it doesn’t appear to offer “fake” anti-virus software.  It may disable existing anti-virus software, particularly if it is out-of-date.

The FBI (in Tennessee) has a warning about the idem here.

Of course, the FBI and other law enforcement agencies and police departments do not interrupt users with malware like this (although maybe the Stuxnet planted against Iran makes people wonder).  Law enforcement normally contacts or apprehends suspects directly. 

  

The IC3 version is described in SC Magazine here.

Station WJLA in Washington DC has a story today on the item.

Norton offers a removal tool for this item, which may not work in all environments, here. It may work if you use a different anti-virus product, but it is better to contact your own anti-virus company. 

Botcrawl has the most detailed discussion of “Monkeypak” that I can find, with very detailed removal instructions (involving Windows commands and safe mode).  The user may want to print this out.  The link is here.

The virus seems to make use of the webcam on a PC or laptop.  

  

Many users would have to take an infected computer to a service (like Geek Squad) to unlock the machine.
 
 It’s a good idea to have a service contract (about $200 a year) if you have several computers and laptops.

Kennedy Center spelling and other sites; more on W7 hangs

I just noted an oddity this morning with a popular symphony orchestra site.  The correct spelling for the Kennedy Center in Washington DC is "kennedy-center.org".  Take out the hyphen, and you get to another site that appears to offer ways to buy tickets.  It gets a Green from McAfee Site Advisor, a 100 from Webutation (on Firefox), and "not enough data" from MYWOT.  If the site were not legitimately part of the Kennedy Center, it could also present a trademark infringement issue.

I still get hangs from Windows 7 in emebdded ads on a few sites (lately, CNN and some television stations) that start "realtime services".  The computer cursor wakes up when the service responds, which takes up to a minute, once since the last reboot.  Webroot and Trend Micro do not consider this undesirable behavior. (Haven't seen this on an older netbook with W7 and Kaspersky).

Here is another example of a popup or embed  from CNN today that made W7 pause:

Mac users warned about new trojans; McAfee marks some sites as yellow in search engines when it has no report

Webroot Community Forum  is warning users about a Mac Trojan associated falsely with the Dalai Lama, called “Gyalwarinpoche” and recommends not visiting it, at least on a Mac.  It installs itself in the user’s home directory under the name “Dockset” and does not show up in Finder.  It uses java. 

The Webroot link, tweeted today, is here.

The Webroot story gives reference to a Cnet story about Mac Flashback Malware.  It can pretend to be an installed for Adobe flash.  It grabs passwords and acts like a keylogger.  That story is here. 

 /

In another matter, I encountered an anomaly with McAfee Site Advisor in a Windows 7 environment this morning. A site for “Public Participation Project”, called “anti-slapp.org” gave a yellow warning through McAfee in search engines, but when I looked at the McAfee report it was gray and said it hadn’t been tested yet.  I don’t get the inconsistency. There are more details on the “BillBoushka” blog today.

Anderson Cooper presents some tips on protecting "private" photos on social media

On Monday, December 3, 2012, Anderson Cooper (and cohost Caroline Manzo)  presented the issue of protecting photos that you post online when you intend them to remain within a specific circle of friends.  That’s not a practice I particularly recommend, but here is a (website url) link that gives some tips from Mashable. 

Note that you can turn off the GPS tagging in your smart phone, and can watermark your photos. 
  

You can also add McAfee protection to the contents of your Facebook account, here. You need to be logged on to Facebook to see it.

I tuned in late, but I didn’t see any discussion of a related problem (which has been presented before) , other people taking pictures of you in possibly compromising places (maybe bars) and posting them (I took this up on my main “BillBoushka” blog on Nov. 26, 2012, as an “online reputation” problem).  Anderson has taken up that problem before, and I expect that he will again, maybe with attorney Parry Aftab or Reputation.com’s Michael Fertik.  The speaker and photographer has more rights in a public place than you might think.  But you can set up Facebook so photos can’t be tagged without your permission.
  

Caroline also talked about Internet threats, as here.

Washington DC sets up "bricking" to counter street cell phone thefts

Television station WJLA is reporting that Washington DC has put in a “bricking” plan to disable stolen cell and smart phones. 

The “bricking” means that once the phone is reported, the SIM card or phone can never be reused.  However thieves are slow to realize that the stolen phones are quickly becoming worthless. 

There have been problems with theft in residential areas of the city and on the Metro, especially near exit doors of cars.  

The DC government and Metropolitan Police have set up a website for bricking, here.