Apparently, that was then. Fyodor, the creator of nmap recently wrote a scathing article about how CNET has now become the very essence of a drive-by download – where you get a little more than you bargained for when you download software from a website. CNET has taken the concept to another level by actually reverse-engineering submitted software and injecting malicious content before presenting them to trusting users.

The article is a serious indictment on CNET for abusing the trust placed on them by millions of users and the software developers who are kind enough to create a program and give it to users for free. By monetizing the hard work of these developers without their knowledge (unless they are willing to pay a “premium fee), it is not far-fetched to accuse CNET of “stealing”. It is just now, after they were outed that there is talk of ” giving the developers a cut” of the money they’ve been raking in from dropping trojans and adware on the computers of millions of unsuspecting users, including kids, for crying out loud.

Why is this a problem? We know that most users click through installation prompts without bothering to read, and this is exactly what CNET was taking advantage of, until they messed with Wireshark and NMap.

The unethical nature of it is that while CNET was raking in millions of dollars, the creators of the software they were reverse-engineering were catching grief for infecting users’ computers with bogus web browser toolbars, home pages and adware that could very well have leaked private information.

As Alan Shimel of networkworld explains it, here’s how these “wrappers” work:
“[W]hen you click to download software from their site (which is software developed by others), they are “wrapping” it in their own installers.  This C/Net installer will either ask you (if they are polite) or in some cases not so obviously install other 3rd party software on your computer.  Things like web toolbars, alternate search engines and other programs that usually pay money for every copy that gets installed.”

Is this practice limited to just CNET? Not by a long shot, but most do it on the website – like when you are presented with the download button for something different than what you originally wanted to download. The argument is always that ” this is to help us pay the bills”. No one is arguing with the need to generate revenue. It is the deceptive way in which that goal is being achieved that is drawing some angst. There is a difference between giving the user an option to install a toolbar and respecting the choice when the user selects “No”, and installing a toolbar, changing the home page and dropping adware on a user’s computer through a deceptive “accept” button.

Then there is the other part of the equation – the enablers of CNET’s unethical behavior. The parties who were encouraging CNET to bundle toolbars, browsers, search engines etc. in the software they were hosting should also be ashamed of their dirty tricks.

It is important to remind users to take the time to read the dialog boxes that pop up when trying to install an application:

• If available, always choose the “Custom” option so you can at least see what other crap is going to be dumped on your computer by the installer. In most cases, you can decline or uncheck the box for items you do not want.
• After the installation, go through the “add/remove” (Windows XP) or “program features” (Windows Vista/7) section in control panel to see if some strange software was installed without your knowledge and promptly remove them.
• Run “msconfig” and look through the “startup” tab to see if some strange application has inserted itself to automatically start with Windows and disable them.

It is only going to get worse, unfortunately.

The symptoms are usually that you are unable to open your company file in Quick Books and resolution attempts like repairing the installation fail, and you get prompts for a mysterious html file.

From most indications, this usually happens if you do a system restore, or move your operating system files to a new hard drive or new computer. It leads one to believe that there is some kind of hash or signature on the specific file causing the frustration and that file is the aptly named “Entitlement” file which manages the phone-home registration process of Quick Books. The file in question is the “Entitlement DataStore.ecml” file.

To fix error 3371, rename the offending file and you should be able to start living again. Obviously, you will have to re-register with Intuit.

If you are still using Windows XP, you need to do this:

For those who like to type:

• Click Start and choose Run.
• Type the following command into the Open field:
  C:Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v2 (Note: you may have multiple “v” folders, so look for the current or latest one)
• Click OK
• Delete (or preferably, rename) the “Entitlement DataStore.ecml” file.

For the clickers, you can just “Explore” your way to the “C:Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\ v*” folder and rename or delete the stupid file.

For the Windows 7 users, go here: C:\ProgramData\Intuit\Entitlement Client\v* (where ‘*’ is a number). Rename the errant file. Quick Books will create a new one when you start the application.

[Note that the "ProgramData" folder may be hidden in which case you can unhide it like this:

• Open "Computer", Click on "Organize | Folder and search options | View,  and select "Show hidden files, folders..."]

Start Quick Books and you should be good to go. Remember, you most likely, will get a reminder to register Quick Books within 30 days.

Disclaimer: Backup your stuff before you start messing with files. If you hose your application, do not come crying to me. If you are not sure, consult a professional. ‘Nuff said.

Some of the names in the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, WindoswUpdate, WordPress’ MI6, the CIA, Facebook and Twitter.

For three whole months ( June to August), the attacker camped out on DigiNotar’s servers and did his/her work and cleaned up.  S/He was even kind enough to leave a message in a script file that was used to generate the rogue certificates.

The question now is, how much trust should we place on these providers of digital certificates? A few months ago (March 2011), a subsidiary of Comodo was hacked apparently by the same person. Here’s why I am concerned, and I’ll quote from page 9 of the report:

• The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
• The most critical servers contain malicious software that can normally be detected by anti-virus software
• The separation of critical components was not functioning or was not in place
• The CA (Certificate Authority) servers were accessible over the network from the management LAN
• All CA servers were members of the same Windows domain (and they all apparently used the same user/password combination)
• The password was not very strong and could easily be brute-forced
• The software installed on the public web servers was outdated and not patched
• No antivirus protection was present on the investigated servers
• No secure central network logging was in place

The breach has led to the revocation of a lot of digital certificates – over 500 so far and the breach prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser. Google’s Chrome browser also placed DigiNotar certificates on a permanent block list.

It is inexplicable that after the attention that the Comodo breach garnered and the recent spate of hacks against RSA, Barracuda, Citigroup and a host of other high profile targets, that the management at DigiNotar did not deem it wise to do due diligence and execute some element of due care.

This is even more depressing because from this F-Secure blog, the company has been hacked before, back in May of 2009.

Look at the bullet points above again and tell me if those are not things that could have been fixed. And beyond that, what role has their auditor play in this mess? It will be ridiculous to assume that they were not paying an external party to audit their environment. Why did an auditing firm not raise a red flag over these lapses? Is this another case of check box auditing that has come to bite DigiNotar in the ass?

The larger concern is how can we continue to trust DigiNotar and other certificate authorities to help ensure that there is no eavesdropping on secure communications between users and the sites they visit? After all, anyone armed with a rogue certificate for a web firm or service can impersonate that organization and get at communications that would otherwise be impossible to read because they are encrypted.

Update:

As Russ Bellew posted, DigiNotar filed for bankruptcy and their fate should be a wake-up call to other Certificate Authorities and indeed all companies with an internet presence. After all, the DigiNotar hacker did say that four other major CA’s were on the chopping block.

The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem

Then there is an error code 0×80070424. It could also show up as error 80070424.

This could be a symptom of one or more of the following problems:

• The Automatic Updates feature is turned off in Security Center and you cannot turn this feature on.
• The Automatic Updates service is missing from the Services snap-in.
• The registry is missing one or both of the following registry subkeys:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV

What this simply means is that Windows thinks the update service does not exist on your computer either because it was accidentally de-registered or was not installed properly. So you get error 0×80070424.

The fastest way to fix Windows Update Error 0×80070424 is to re-register the Windows Update and Automatic Update services by running the following commands either using command prompt or the “Run” option.

Option 1:

• Go to Start>Run
• Type regsvr32 wuaueng.dll
• Click on OK wait a few seconds, then click on OK in the RegSvr32 dialog box.
• Click on Start>Run key in regedit then click on OK
  Navigate to:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
  Look for a DeleteFlag value and, if it exists, right-click on it and select
  Delete.

Option 2:

Open the command prompt, or the “Run” box and type, or cut and paste the following:

%systemroot%\system32\regsvr32.exe %systemroot%\system32\wuaneng.dll

This will register the Windows Update service and a dialog box should display to say the commands were executed successfully. You can then retry the Windows Update service again.

It may also help to make sure that required Windows Update services like the Background Intelligent Transfer Service, Windows Update and Workstation services are running. If they are not, start those services.

To check and start required Windows Update services:

• Click on Start, select “Run” and type in “Services.msc“. You may be prompted for an administrator password or confirmation.
• In the Services dialog box, click Background Intelligent Transfer Service
• Note the status of the selection. If it shows Stopped, right-click the service and click “Start”.

Do the same for Windows Update and the Workstation services.

In some weird instances, when you look in the “Services” section under Administrative tools, the Windows Update service may not appear at all. If that is the case, see this article about installing the Windows Update agent.

Additionally, Microsoft has also made version 7.4.7600.226 of the Windows Update Agent available and you can get the files here.

You must know which kind of processor platform (x86-based, x64-based, or Itanium-based) that you have. Most users have x86-based processors [http://support.microsoft.com/kb/949104]

To learn which version of Windows that you are running, or to learn whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe). Then, review the value that is listed for System Type. To do this, follow these steps:

Step 1:
Click Start, and then click Run, or click Start Search.
Type msinfo32.exe, and then press ENTER.
In System Information, review the value for System Type.
For 32-bit editions of Windows, the System Type value is x86-based PC.
For 64-bit editions of Windows, the System Type value is x64-based PC.

Step 2:
Download Windows Update Agent for Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003, and Windows 2000 Service Pack 4

To automatically obtain the latest Windows Update Agent,  we recommend that you visit the Windows Update Web site. When you visit this Web site, the latest version of the Windows Update Agent will automatically be installed. For Windows 7 and Vista, Windows Update is integrated with the Operating System and can be accessed through the Control Panel.

A lot of the accolades are warranted, but my focus in this write-up is on the area of user data privacy and how the Chrome browser seems to have built-in tools that are a reg-flag for privacy violations in spite of Google’s Privacy Policy.

Our position is that the Chrome browser is “chatty”,  and acts as a keystroke logger in the area of search. In fact, the folks at Scroogle characterized Google Chrome as a browser that tends to “phone home a lot”.  And here’s why:

• It is common knowledge now that when a user conducts a search using a search engine, Google stores three main types of information in a log file: the user’s IP address (a unique network address given by an Internet service provider), the words the user searched for, and a cookie identifier (unique value given to every Web-browser that visits a web page). See here for more details.

• According to Google, the Omnibox (which combines search with the address bar) is supposed to automatically suggest websites as you type and you “can disable Omnibox suggestions by unchecking the box in the “Privacy” section of Goggle Chrome’s options. As it turns out, you can disable Omnibox suggestions, but the browser conveniently ignores your choice and uses auto-suggest anyway.

• The Chrome browser uses a client_id variable which is unique for every Chrome user, and which can be used to create exact user profiles of a user’s actions while using Google Chrome. According to Google’s Privacy Policy:
  “The client ID is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how Google Chrome is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics.”

• Apparently, there is no option to prevent Chrome from recording History and downloads, options which  are available in Firefox, Opera and Internet Explorer 9. I found it really annoying that Google deliberately removed the option to disable history, especially since it was tied to the search engine a user may be using at any point.
  For example, here’s how Firefox does it:
  

Auto-complete and “predictive” search may have their uses, but the fact that a user’s keystrokes are sent to a search engine in real-time and are tied to the user’s IP address does not look like protecting privacy. This is doubly worrisome since we learned a long time ago that Google was uploading the history data in Chrome offsite – to its data centers.

• Google Update does more than update your Chrome browser to the latest version. It “periodically sends information to Google about how you obtained the browser, how often you use the Chrome browser, and specifically, “whether you used Google Chrome in the last day, the number of days since the last time you used it, and the total number of days that Google Chrome has been installed”

Here’s how to lock down Google’s Chrome browser:

There are some tools available that you can install to help you remove the client_id that Google tags you with in order to track your usage of the browser. See Unchrome,  Chrome Privacy Protector  and Chrome Privacy Guard. Ultimately, I prefer not having to deal with yet another software for a feature Google should have made available or not included in the first place. So we will fix this at the source.

• First thing is to resolve the privacy issue by making Chrome open up in private browsing or incognito mode permanently. To do this, right-click on a Chrome shortcut, select properties. The “Shortcut” tab will open up. On the “Target” address, add –incognito at the end so it will look like this:
  \google\Chrome\Application\chrome.exe — incognito

To address the history palava, make the relevant files in the default folder read-only. These files are “Archived History”, “History” and “Visited Links” and can be found in the “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default” folder in Windows Vista and 7.  XP users can find the folder here: …\Local Settings\Application Data\Google\Chrome\User Data

1. Create a blank home page by going to options and setting the home page to about:blank
2. Close the Chrome browser and navigate to “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default”. Delete the files called “Archived History”, “History” and “Visited Links”. Do not close the folder.
3. Open Chrome, but do not visit any site. This will allow the browser to recreate the files you just deleted. The big difference now is that those files are empty and you want to keep them that way by doing the next step.
4. Locate the new archived history, history and visited links files and make them read-only by right-clicking, selecting properties and checking the “Read-only” box.
5. Open Chrome and enjoy

The next hurdle is the search engine spying that is built into the Chrome browser. While this knowledge is not new, it is still disturbing that the browser tracks every keystroke you type while using the location bar. A quick check with Wireshark will educate you on this.

The ability of browsers to tie your search to your IP address is troubling. To prevent this, create your own “search engine” by doing this:

• On the “Basics” section of the Options page, select “Manage search engines”.
  In the “Other search engines” section, click on the “Add a new search engine” box and type in a name. Call it anything you want, like “Private”.
  Enter a keyword in the Keyword box and http://%s in the URL box. This prevents Chrome from piping every URL you type in the location bar to a search engine. Unfortunately, this also messes up searching.
  If you must set up a default search engine, I recommend Scroogle at www.scroogle.org and you can use this on the URL box – https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s

A little paranoid? I don’t think so. It’s all about choices. There are things we must do online and it is inevitable that some of our private information will be exchanged. But users need to know that they have the option of turning something off, if they do not need it. If a “malicious” software installed a keylogger on a user’s computer, we would cry blue murder. How is the keystroke tracking behavior by search engines different?

Next we need to disable the automatic opening of files.

You cannot control the setting to automatically open certain downloaded files in the browser – a practice you should stay away from as much as possible. It is preferable to download and scan before opening a file. Drive-by downloads use this vector to drop stuff on your computer.
The option to manage this feature tends to be grayed-out on first use, unless you allow Chrome to open a file – see the complaints here. Thankfully, exe files are not allowed.

Again, in contrast, here’s how applications are managed in Firefox:

Notice the options to “Always ask”, “Save File” etc.

To fix this annoyance, open a blank tab and type in chrome://plugins/ or about:plugins to pull up the settings for the plug-ins installed with Chrome and turn off what you do not want.

For those not afraid of looking under the hood:
Close Chrome. Browse to: Users\<profile>\AppData\Local\Google\Chrome\User Data\Defaul (Windows Vista/7) or In Linux it is usually $HOME/.config/google-chrome/Default/Preferences.

Open the Preferences file in a text editor. Look for these lines:

“download”: {
“directory_upgrade”: true,
“extensions_to_open”: “flv”,   [ change this to ]    “extensions_to_open”: “”,
“prompt_for_download”: false
}

For those who are interested, here’s a link on customizing chrome.

Final thoughts are that Google’s Chrome browser may be a good fit for many users, but given the subtle and sometimes aggressive data gathering tools built into the browser, there is a lot to be worried about in the area of user data privacy. While data breach and hacking seem to be a daily occurrence these days, it won’t hurt a user to take some precautions in limiting the amount of information unwittingly sent to vendors just because you installed their software on your computer.

Here are some other things you could do:

Set the browser to automatically delete cookies every time you close it.

Whenever possible, use the private browsing feature built into most modern browsers.

Use specific browsers for specific purposes – general browsing, search, online banking etc. and customize each browser accordingly.

You can also get an alternative Chrome-like browser called Iron that is based on the free Source code “Chromium” – without the problems of privacy and security baggage of Google Chrome.