windows – Atlantic Linux Blog
http://atlanticlinux.ie/blog – Thoughts on running an Irish Linux business (feed generated Fri, 22 Aug 2014 15:00:13 +0000)

Viruses and Malware on Windows
http://atlanticlinux.ie/blog/viruses-and-malware-on-windows/ – Tue, 09 Sep 2008 14:55:05 +0000

Here I am writing about Windows – if I’m not careful, I’ll have to rename this blog to Thoughts on Windows. What’s the Linux angle here? I guess I’m the smug Linux user poking fun at Windows or something along those lines (but don’t leave just yet if you’re one of those smug Windows users, I’d be interested in your thoughts on the following).

Two unrelated events inspired this piece. I came across an interesting blog recently comparing the performance of various anti-virus products on a number of items of malware. I haven’t come across the guys behind this, InfraGard, before, but given their links to the FBI they seem to have some credibility, so I’m assuming their testing methodologies are reasonably reliable.

Three things struck me about that blog:

  • AVG does a pretty good job of protecting Windows systems from malware and viruses (I know I’m starting to sound like an AVG fan-boy between this and my previous references to it).
  • Some of the “leading” anti-virus programs / suites are pretty poor at protecting Windows systems (not to mention the fact that they interfere with the operation of your computer).
  • You can’t rely on any anti-virus software to fully protect your Windows system.

That’s about the point where I become the smug Linux user, up until the point where I remembered that I have to look after my share of Windows systems both in our offices and for friends and family. This brings me on to the second recent event which inspired this piece.  A friend running Windows Vista had recently started getting worrying messages about things called Trojan-Spy.Win32.KeyLogger.aa trying to send traffic from his PC and wanted to know if he should be worried. “Probably”, I said and took a look at his system.

In the past, my toolbox for a healthy Windows PC would include the aforementioned AVG and, if I had concerns about spyware, Spybot – Search & Destroy – another great Windows tool that is free for non-commercial use. Between those two tools, I could be pretty confident that a Windows machine was running clean of any malicious software. So I installed and ran both on my friend’s PC – multiple times! Spybot even suggested running immediately after start-up as Administrator so that it could ferret out as much dodgy malware as possible. A few hours later, we were still being entertained by messages from Windows about our good friend Trojan-Spy.Win32.KeyLogger.aa (and maybe some others) which hadn’t even been detected by AVG or Spybot, never mind removed by them.

Some research on the interweb turned up posts and comments from various people who had encountered this particular trojan and by all accounts it’s a tough one to remove. I was on the verge of suggesting an OS re-install (taking inspiration from Aliens, sometimes nuking the system from orbit is the only way to be sure) possibly in tandem with a Linux re-install to forever banish such nasties when I came across some references to another tool called Superantispyware which some recommended as the antidote to Trojan-Spy.Win32.KeyLogger.aa. With a name like that, it had to be good at dealing with spyware, right? I figured it was worth a shot before we tried something more drastic, particularly since there is a free for non-commercial use version available. One download and install later, it kicks off and immediately warns us about some spyware it has found (either our friend the KeyLogger or another, as yet unknown, piece of spyware). After a half hour or so, it had finished a scan and proceeded to remove or quarantine all of the various pieces of spyware it had turned up. We booted the system once more, re-ran AVG and Spybot S&D and didn’t get any more warnings about Trojan-Spy.Win32.KeyLogger.aa trying to send data off of the system. My friend was happy enough that the system was clean. Me? I’d probably still go and re-install the OS before putting my credit card details near the computer again (to be sure, to be sure) but the odds are it is clean – for which we probably have Superantispyware to thank.

So, what are our conclusions?

  • (With my smug Linux hat on once more) – consider installing and running Linux for your home desktop – a distribution such as the latest Ubuntu will provide all the software you need for typical day to day surfing, emailing and word-processing and won’t leave you open to half of this stuff (you’ll still be susceptible to phishing attacks and cross-site scripting attacks but you’ll be automatically eliminating a whole world of viruses, keyloggers and trojans which won’t ever run on a Linux system).
  • If you must run Windows, make sure you install some decent software to protect you – start with AVG, Spybot S&D (and maybe Superantispyware) – or leave a comment to tell us about other useful ones.
  • If you’re running Windows, do not use the Administrator account for your activities, and don’t set up an alternative account with administrator privileges either – that kinda defeats the purpose. I know it’s a pain in the ass when you want to install some new software, but trust me, it’ll be a bigger pain in the ass when someone starts buying things from iTunes with your credit card.
  • Don’t click on things that you don’t understand and don’t install stuff from random web-pages, even if they do tell you it’s for your security (c’mon, if some random stranger came to your door and told you he needed to “install something” in your bedroom “for your security” you’d slam the door in their face, before calling the police, why would you react differently to a stranger on the internet?).
  • Finally, the bad news is that email you just received claiming to be a red hot picture of Britney or Christina in a compromising position … well it probably isn’t (I know, if some international criminal ring is going to take over your computer for nefarious purposes you’d think they’d at least give you a naughty picture to take your mind off things, but I’m afraid they generally don’t play fair) so don’t click on the attached zip-file.
Google Chrome – first impressions
http://atlanticlinux.ie/blog/google-chrome-first-impressions/ – Tue, 02 Sep 2008 21:03:34 +0000

I guess most of you have heard about Google Chrome by now, courtesy of the interesting comic book marketing device (allegedly accidentally published before it was ready, hhhmmm). Some of the features and design decisions mentioned in the comic made me curious enough to keep an eye out for its release this evening. Ok, it doesn’t run on Linux (yet) but it is open source (Google seem to be using the BSD license for their code in Chrome) and contains some interesting features.

The intention with Google Chrome seems to be to keep the UI clean – first impressions are that they’ve succeeded in doing that. It seems much cleaner than either IE (which I find to be irritatingly non-intuitive) or Firefox (which, while it has a lot going on, has managed since 3.0 to display things pretty cleanly).

Interestingly during initial start-up, it offered to import my Firefox settings, but I didn’t see any sign of an offer to import my Internet Explorer settings – not that I would have needed it but there seems to be a statement of intent here.

A quick tour of a few of the sites that I usually visit didn’t reveal any major problems. Chrome also enforces the same kind of warning about self-signed SSL certs that Firefox 3.0 introduced but doesn’t present quite as intimidating a warning. Performance seems pretty good but I couldn’t think of any particularly tortuous sites that I regularly visit so I don’t know how well it will handle heavier sites. I do miss my Adblock Plus Firefox extension though – I didn’t have time to see whether there is anything equivalent in Chrome yet or whether you can somehow get it to use Firefox extensions (mind you, considering Google’s core business, it probably won’t be going out of its way to help us filter ads). The new tab page / home page is interesting but I’m not sure how useful it will be in the long-term. I may revisit the same old pages every day more than I realise, in which case it may turn out to be a handy launch-pad.

An hour of use isn’t going to show a great deal. I’ll probably give this a test drive for a week or so before I come to any solid conclusions. Unfortunately (or maybe fortunately) most of my day-to-day activities are carried out on Linux desktops / notebooks so I won’t get to fully battle test Chrome until they release the Linux port.

First impressions though, are that Google have an interesting new browser with some nice features and that both Microsoft and Mozilla have some interesting times ahead.

Ghost for Linux
http://atlanticlinux.ie/blog/ghost-for-linux/ – Tue, 11 Mar 2008 16:15:38 +0000

We have a number of laptops in the office for pool use – when someone is travelling to a customer site or a conference they can take one of the pool laptops for development, email and so on. Since these are occasionally used and tend to get knocked around a bit, when we purchased them we went for sturdy middle of the road laptops (the HP Compaq nx6310 in case you’re interested – love those memorable URLs HP). While this made sense when we purchased them, one of the laptops is being used pretty heavily for Windows development at the minute and is showing some signs of stress. The laptops only have 512MB of memory and 5400rpm hard-drives so I figured some upgrades were worth trying before we move to purchasing a faster laptop.

Memory and drive upgrades for laptops are surprisingly cheap these days – 1GB of DDR2 for the nx6310 cost just €20.50. A 7200rpm notebook drive cost a little more but I figured it was worth upgrading both as we were doing any upgrades. Upgrading memory in the nx6310s is very straightforward, there is a memory expansion port on the underside of the laptop accessed through a panel with a single screw – it took all of 30 seconds.

Upgrading the hard drive is physically very straightforward but of course there is one catch – ideally I’d prefer not to spend a half a day to a day reinstalling Windows XP on the new drive including all the post-SP2 updates and hot-fixes and all of the applications installed (unfortunately we’re not big enough yet for me to justify the time it would take to develop a proper customised install image although I have been looking at tools like nlite to see what’s possible). So I need some way of copying or ghosting the contents of the existing hard-drive and restoring them to the new drive when I swap them. The traditional solution to this was to use the aforementioned Ghost software – but since we use Linux for a lot of our infrastructure I was more interested in seeing if there were viable alternatives on Linux for doing the same thing.

Some research reveals that the Wikipedia page for disk cloning summarises the current Linux-based options pretty well. After looking at the various tools and their functionality, I opted to run with partimage which seemed to be lightweight and capable of doing what I required (dumping the Windows partition from the notebook onto a Linux server and restoring this partition onto a new notebook – all over the network). I had briefly considered just using dd after booting the notebook up with a rescue disk – it would work fine (I’ve used this approach in the past to recover a badly corrupted LVM volume to a new disk) but it is a little less user-friendly than a cloning tool like partimage. One of the benefits of using partimage is that it understands a number of filesystems including NTFS and it’s smart enough to only back up the parts of the filesystem that have data on them, rather than copying the whole partition as dd would. It’s also capable of backing up the Master Boot Record and the partition data, and allowing you to restore them independently of restoring the whole drive.

So partimage it was – I needed client software to run on the notebook and server software to run on a Linux box and receive the partition data read from the client. The partimage guys recommend the SystemRescueCd which is a Live Linux CD which you boot off of and which provides a whole bunch of tools including partimage. I’ve used SystemRescueCd before and it’s well put together and does exactly what it says on the tin. So I downloaded the latest version of that which includes partimage 0.6.6. Note that you seem to need the same version of partimage on the client and the server. I’m using Debian 4.0 on our Linux server which includes version 0.6.4 of the partimage server software. To get around the version incompatibility, I had to go with building the partimage server from a source package downloaded from the partimage site. It sounds worse than it turned out in practice! It’s a pretty painless configure, make, make install after you install a few dependencies.

I compiled my partimage server with ssl and login disabled because it was only running on our local network for a short while under my supervision. If you’re running this permanently, you should probably opt for a more secure configuration. After pointing the partimage server at a writable area on the Linux server (you’ll need a good amount of disk space, partimage can compress backed up images, but you should probably still allow close to the raw size of the partition you are backing up to have some headroom), the laptop was rebooted with the SystemRescueCd.

After booting, the partimage command was started and a basic curses dialog was displayed. I selected the partition we wanted to back up (/dev/sda1) and gave it a name of hostname.partition and pointed it at the server with partimage running. This brought me to a second screen where I specified to use a gzip compressed image and put in a description of “sda1”. After this the backup started and partimage told me it was backing up 17.5GB out of the 37GB NTFS partition (the rest was unused).

The backup took about an hour all told (this over a gigabit LAN – I’d imagine the laptop drive was the bottleneck) after which I installed the new drive in the laptop and again booted with the SystemRescueCd.

Before starting partimage to restore the image, I had to create a partition on the new drive. Partimage doesn’t seem to like running against a drive with no partition (even though I planned to restore the partition and MBR from the partimage backup anyway). So I created a throwaway partition of 10MB and then started partimage. First, I selected the option to restore just the MBR and pointed it at the server. I then selected the image I wanted to restore from the server and proceeded with a restore of the MBR and the partition table. When this had finished (it took seconds to do the MBR restore), I exited partimage and verified that the throwaway partition table I had created had been replaced with the partition table from the partimage backup (I used cfdisk, but the SystemRescueCd includes a bunch of different partition tools if you prefer something a little more powerful).

The partition table looked exactly as it had on the original drive, so I restarted partimage pointing it at the server again and went for a full restore of the sda1 image to the sda1 partition this time. This took about 40 minutes, which was faster than the original backup. Since writes are normally a bit slower than reads I was surprised – I’m guessing the speed difference is down to the faster laptop drive but it might be something else. Either way, after 40 minutes partimage told me the image had been restored. So the moment of truth had arrived, I rebooted the laptop and waited to see if it gave me the old “Operating System Not Found …” message or whether it booted back to Windows as it had with the original drive. Success! After a few tense moments, the laptop booted to Windows on the new drive and allowed me to log in with the same credentials as I’d used on the old drive. A quick inspection of the environment indicated that it all looked as per the original – and there weren’t any weird errors in the Windows event logs. As a quick smoke test, I ran a defrag of the Windows drive – I figured if there were any problems with the installation, it was a good way of stress testing the filesystem. There were no problems with the defrag, so unless the main user of the laptop notices any problems when I return it to him, I’m pronouncing this a success.
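As an added example (my own script, not code from the post, the partimage project or SystemRescueCd), here is the backup, MBR restore and partition restore sequence above wrapped in a small POSIX sh script that drives the partimage client in batch mode. It assumes partimaged is listening on its default port 4025 on the server, that the option letters listed in the comments are right (they are from the partimage 0.6.x man page as I remember it, so check `partimage --help` on your SystemRescueCd), and that images are named host.partition as in the post. The is_mounted guard is my addition: it refuses to image or overwrite a partition that is currently mounted, the one mistake that turns a cloning session into a data-loss session.

```shell
#!/bin/sh
# Added example wrapper around the partimage client (not the project's own code).
# Option letters assumed from the partimage 0.6.x man page:
#   -b batch mode, -d skip the description prompt, -z1 gzip compression,
#   -f3 quit when finished, -s server address, -p server port.
# partimage splits an image into volumes named <image>.000, <image>.001, ...;
# restore and restmbr are given the first volume.

PARTIMAGED_PORT=4025   # partimaged's default port (assumption: unchanged on your server)

# image_name <host> <partition>  -> "host.partition", the naming used in the post
image_name() {
    printf '%s.%s\n' "$1" "$2"
}

# is_mounted <device> [mounts-file] -> exit 0 if the device appears in the mount table.
# The optional second argument lets the check run against a constructed listing;
# it defaults to the live /proc/mounts.
is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# enough_space <partition-bytes> <free-bytes> -> exit 0 if the server directory has
# at least the raw partition size free (the headroom the post recommends even
# though the image is gzip-compressed).
enough_space() {
    [ "$2" -ge "$1" ]
}

# save_cmd <server> <partition> <image> -> prints the client command that backs up
# /dev/<partition> (MBR and partition table are stored in the image as well).
save_cmd() {
    printf 'partimage -b -d -z1 -f3 -s %s -p %s save /dev/%s %s\n' \
        "$1" "$PARTIMAGED_PORT" "$2" "$3"
}

# restmbr_cmd <server> <disk> <image> -> restores only the MBR and partition table
restmbr_cmd() {
    printf 'partimage -b -f3 -s %s -p %s restmbr /dev/%s %s.000\n' \
        "$1" "$PARTIMAGED_PORT" "$2" "$3"
}

# restore_cmd <server> <partition> <image> -> full restore onto /dev/<partition>
restore_cmd() {
    printf 'partimage -b -f3 -s %s -p %s restore /dev/%s %s.000\n' \
        "$1" "$PARTIMAGED_PORT" "$2" "$3"
}

# main backup|restore <server> <host> <partition>
# Assumes sdXN device naming (sda1 -> disk sda), as on the laptop in the post.
main() {
    mode=$1 server=$2 host=$3 part=$4
    disk=$(printf '%s' "$part" | sed 's/[0-9]*$//')
    img=$(image_name "$host" "$part")
    if is_mounted "/dev/$part"; then
        echo "refusing to touch /dev/$part while it is mounted" >&2
        return 1
    fi
    case $mode in
        backup)  eval "$(save_cmd "$server" "$part" "$img")" ;;
        restore) eval "$(restmbr_cmd "$server" "$disk" "$img")" &&
                 eval "$(restore_cmd "$server" "$part" "$img")" ;;
        *) echo "usage: $0 backup|restore <server> <host> <partition>" >&2; return 2 ;;
    esac
}

# Only run when invoked with a mode; sourcing the file just defines the functions.
case ${1:-} in backup|restore) main "$@" ;; esac
```

Boot the laptop from SystemRescueCd and run `sh clone.sh backup <server> <host> sda1`; after fitting the new drive and creating the throwaway partition the post describes, `sh clone.sh restore <server> <host> sda1` does the MBR restore followed by the full restore. Remember the post's own two caveats: the client and server partimage versions need to match, and a partimaged built with SSL and login disabled should only be exposed on a trusted LAN for as long as the job takes.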

For users of Ghost, I suspect the interface on Partimage may be a bit rough around the edges, but for anyone that is comfortable with command-line Linux and has done some system administration – Partimage is definitely a very useful tool for disk cloning. I can see myself using this regularly both for migrating systems across hard drives and for backing up critical systems at the partition level.

The problem with passwords ….
http://atlanticlinux.ie/blog/the-problem-with-passwords/ – Fri, 07 Mar 2008 17:08:43 +0000

… is that we’ve got too many of them these days. Since we all use good passwords and never use the same passwords for different services and sites (hhmm, ok, the other 31% of us anyways) then we inevitably end up with lots of passwords that need to be stored somewhere. Speaking personally, I have trouble retaining much more than 10 passwords in my head (and I passed the 10 password mark quite some time ago, I think I’m currently running with over 60 current username/password combinations) – so I’m left with a bit of a problem. I have a few options:

  • I could start using biometrics such as my fingerprint rather than passwords (we’re getting closer to this being feasible too – my IBM Thinkpad T60 has a pretty decent fingerprint scanner built in).
  • I could start using OpenID or something similar to reduce the number of unique usernames and passwords I need (although this isn’t really going to work until more of the big guys start supporting it).
  • I could write ’em down (which, after years of being labelled a bad thing, is now being recommended by the experts).

I’ve decided to go with another option, which is a distant cousin of writing them down – with a little 21st century cryptography thrown in for good measure (hey, it even sounds more secure than writing them down as soon as we say that). The basic idea is to store your passwords in a file, which is then encrypted with a single master password. If you lose the file, providing it is encrypted with strong encryption such as AES, it should be extremely difficult for anyone to read the contents of the file and recover your passwords. I say extremely difficult rather than impossible because at some stage in the future, all current encryption algorithms will be found to have weaknesses or computers will become powerful enough to brute force the encryption. With currently recognised strong encryption algorithms, this point should hopefully come in decades though, so it’s not worth any sleepless nights just yet.
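To make the “file encrypted with a single master password” idea concrete, here is an added example of my own: it is not PasswordSafe or KeePass code and shares no file format with them. It is a POSIX sh wrapper around `openssl enc` that derives an AES-256 key from the master password with PBKDF2 and a random salt, so that the file on disk is useless without the master password and a guessed password costs the attacker 200,000 hash iterations per try. The master password is read from the VAULT_PW environment variable (an assumption of this script, chosen so the password never appears on a command line), and a plaintext header line is used to tell a wrong password from a correct one.

```shell
#!/bin/sh
# Added example of a master-password encrypted password file (not PasswordSafe or KeePass).
# Requires openssl 1.1.1 or later for the -pbkdf2 / -iter options.
# Plaintext entries are one per line: site<TAB>username<TAB>password.

VAULT_MAGIC='# atlantic-vault v1'   # header line; lets vault_decrypt detect a wrong password
VAULT_ITER=200000                   # PBKDF2 iterations: the cost of each password guess

# vault_encrypt <plaintext-file> <vault-file>
# Master password comes from $VAULT_PW. openssl picks a fresh random salt each time,
# so two vaults encrypted with the same master password look unrelated.
vault_encrypt() {
    { printf '%s\n' "$VAULT_MAGIC"; cat "$1"; } |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$VAULT_ITER" -md sha256 \
            -pass env:VAULT_PW -out "$2"
}

# vault_decrypt <vault-file> -> prints the entries; returns 1 on a wrong password.
# A wrong key almost always fails openssl's padding check; the header check catches
# the rare case where garbage happens to pad correctly.
vault_decrypt() {
    out=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter "$VAULT_ITER" -md sha256 \
            -pass env:VAULT_PW -in "$1" 2>/dev/null) || return 1
    case "$out" in
        "$VAULT_MAGIC"*) printf '%s\n' "$out" | tail -n +2 ;;
        *) return 1 ;;
    esac
}

# vault_get <vault-file> <site> -> prints only the entry lines for <site>
vault_get() {
    vault_decrypt "$1" | awk -F '\t' -v s="$2" '$1 == s'
}
```

Usage: `export VAULT_PW` (typing it into a prompt rather than putting it in a script), `vault_encrypt passwords.txt passwords.vault`, then shred the plaintext and look things up with `vault_get passwords.vault example.com`. Two limits worth knowing: `openssl enc` has no authenticated mode, so this protects the file against being read but not against silent modification, and the decrypted entries pass through the shell's memory and your terminal, so treat the lookup as you would reading the post-it the post warns against.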

There are a number of open source tools out there for doing this. There may be commercial tools for doing this too – but personally, I’m inclined to have as much faith in the open source tools (although neither approach to software development necessarily makes for a more secure product, as discussed in the Secure Programming for Linux and Unix HOWTO). The first tool I used for doing this is PasswordSafe which was designed by Bruce Schneier and has been around since 2002. I’ve been using this for about 3 years and it does exactly what it says on the tin. It’s still being actively maintained and is a good choice, especially if you’re working only on Windows.

For the last few months, I’ve been considering moving away from PasswordSafe to something else, because I spend half of my time working on a Linux desktop and PasswordSafe won’t run on Linux. There are some PasswordSafe clones which run on Linux – notably MyPasswordSafe and PasswordSafeSWT which mostly work – but which don’t give quite the same user experience as you move between Windows and Linux. With this in mind, I went looking for an alternative solution and turned up KeePass which runs on Windows and KeePassX, a port of KeePass which runs on Linux and MacOS X. What’s nice about KeePassX is that it comes bundled with Debian (and probably the other main Linux distributions).

The icing on the cake for me in migrating to KeePass is that it comes with a plugin for importing the encrypted PasswordSafe files so it was pretty hassle free to move to using it. I’ve been working with KeePass and KeePassX now for a few weeks and so far I haven’t hit any problems. In practice, I think that both PasswordSafe and KeePass/X are good tools and both are worth evaluating. Using either one is a huge improvement over writing the passwords down on a post-it stuck to your PC or in an unencrypted file stored on your PC.

On a closing note, if you are going to go to this effort to secure passwords, try to avoid giving your passwords away to random strangers for a chocolate bar, it’s surely worth at least an Easter Egg! 🙂

AVG Anti-Virus 8.0
http://atlanticlinux.ie/blog/avg-anti-virus-80/ – Thu, 28 Feb 2008 18:19:25 +0000

Updated 10-Mar-2008: An old college friend noted that the plural of virus is viruses, not virii! Thanks for that Mike 🙂

Updated 07-Mar-2008: MessageLabs’ new advertising campaign includes digital images of viruses created from their actual code.

Wow — where did the first 2 months of 2008 disappear to? I figured I better get back blogging before tomorrow or I might be accused of only blogging every 4 years 🙂

I don’t usually talk about commercial products here and I certainly haven’t spoken about Windows software in the past, but where I find a useful Windows tool (commercial, open source or indeed free software) that does its job and offers value for money (either in terms of the cost of licensing it or the cost in time to install and use it) I’m inclined to sing its praise – if only to give it a bit of extra publicity. Before anyone asks, I’m not getting any freebies from Grisoft for blogging about their product.

I initially started using AVG when I came across the free version which has been available for a number of years for home and non-commercial use. It’s an interesting marketing trick – when it came to choosing an anti-virus solution for the office AVG was on my list of contenders. We have about 10 desktops and laptops in use around the office, only some of which are running Windows (we tend to use a mixture of Windows and Linux on the desktop depending on our developers’ personal preference and the needs of the customer projects they are working on) so initially the small business version of AVG met our requirements. My experience of using AVG is that:

  • It’s lightweight – unlike some of its competitors (M****e and S******c) it doesn’t hog all of your system resources while it sits in the background.
  • It’s easy to install and uninstall – again, unlike some of its competitors who require you to deinstall about 4 different packages in the correct order before you can rid your PC of them.
  • Licensing is straightforward and uncomplicated – Grisoft (the makers of AVG) allow you to buy bundles of licenses in units of 5 and have hassle free upgrades when moving to large numbers of licenses or indeed to their more advanced products such as the Network edition. They don’t force you to jump through hoops to upgrade or require you to buy a whole new suite halfway through your current licenses.
  • The price is right.
  • It works (I thought this was a given but just in case anyone was wondering, we did opt for an anti-virus solution that actually catches viruses, not just the cheapest one).
  • The lightweight thing is a big selling point for me. I recognise that I need anti-virus software on all of our Windows systems – but I don’t want to have to buy a second CPU just for the privilege of running it – AVG seem to get that. Sure, running a virus scan will slow down the system a little – but it largely sits in the background without impacting system performance.

I suspect once we have more than 5 Windows systems in use I’ll probably move to the network edition of AVG but for now, we’re just sitting on the tipping point where it’s as easy for our guys to maintain their own systems and run their own updates when it suits them (especially since we trust our guys to do the right thing and run regular updates — right lads? 🙂 )

So why am I only talking about AVG now when we’ve been using it for about 3 years? Well, AVG just released v8.0 of their product today. For the moment at least, it doesn’t look like v8.0 of the product is available as a freebie, hopefully this will change over time. Not only have they upgraded the interface in v8.0 – they’ve also introduced a bunch of new features some of which used to be previously distributed as separate products or freebies. As well as the existing anti-virus and email scanner, AVG 8.0 introduces the following:

  • Anti-Spyware – I’ve previously used Spybot-S&D as an anti-spyware solution – it has a good reputation and works well, but we’ve never deployed any anti-spyware tools on our company network because of the extra effort involved in managing multiple tools. It’s nice to see AVG including this in their core product now (it was previously available as a separate tool).
  • Anti-Rootkit – again, this was previously available as a separate component but we didn’t have it deployed on our network. It’s nice to know that AVG now includes support for rootkit scanning also.
  • Web Shield and Link Scanner – AVG 8.0 also introduces some new tools for scanning both web pages as you browse them and instant message traffic (currently only supporting MSN and ICQ it seems) for malicious content. I’ve no idea how useful these will be in practice but it’s good to see Grisoft continuing to add value to their core product without gouging the customer for these additional features.

I’m just running my first full scan with the new version now — I’d be surprised if it turns up anything since I regularly ran AVG 7 on the system but I’ll be sure to report if it does. To steal a line from Hill Street Blues –

All right, let’s roll… Hey… Let’s be careful out there.

(am I showing my age with that one?)
