Does Microsoft take Security Seriously? - Internet Bank hacked - it could happen to you!

rajeshk4u

Does Microsoft take Security seriously? We are constantly being told to
keep your PC up-to-date and to run Windows Update.... yet what happened
to me could happen to anyone.

I had to rebuild my PC from scratch. I installed Win XP and then
installed SP2 (from disk rather than Windows Update, which would have
put my PC at risk). I also installed Norton Anti-Virus 2006. I was very
careful, everything up to this point was done off-line.

As soon as I connected to the Internet, I did a Windows Update - I
found 45 HIGH PRIORITY updates. But I was NOT allowed to download
because it was pending Windows Activation. This was a hassle because I
had to activate by telephone. After all that I could finally do a
Windows Update. I was worried about security hacks. Because it did take
a while to download & install those 45 updates.

I am furious at Microsoft. If there are 45 HIGH PRIORITY UPDATES after
SP2, I don't understand why Microsoft don't make them available as a
SINGLE DOWNLOADABLE UPDATE or provide customers with a CD. This is the
only safe way to build a new PC. It is madness to take an out-of-date
PC and put it on the Internet, but this is exactly what Microsoft
expects users to do! Microsoft wants users to use Windows Update so
that they can check that you are using a Genuine version of Windows.
This is all good for them, but what about the poor user? Sadly, I was
unlucky!

A couple of weeks later my Internet bank had been hacked.. money was
taken without my knowledge. It is nice that Microsoft can think of
wonderful ways to protect its revenues without thinking of their
customer's pockets or the time wasted in me having to re-install this
PC.

I found a similar issue with Norton. Even though I had Norton 2006,
they don't have a single downloadable update. I had to reboot a
few times before I got all the updates using LiveUpdate.
 
Mike Hall - MS MVP Windows Shell/User

A single downloadable update would not be possible as some updates have to
be installed separately.. producing a CD would take time and distribution
would be a huge task..

Why did you not get all of the updates first?.. going onto the net initially
to get updates would not harm anything..

Why do you save passwords?.. especially for internet banking purposes.. was
your account the only one hacked or was the hacking done at the bank end?
 
Jupiter Jones [MVP]

If your bank was hacked, that has nothing to do with your computer and
everything to do with the security of the bank.
This could have absolutely nothing to do with Microsoft since many
businesses use OSs from manufacturers other than Microsoft.

Nothing in what you say shows your computer at risk.
SP-2 enables the firewall by default but you should still check to make sure
the firewall is enabled.

Going to Windows Update does not put your computer at risk as long as your
firewall is active.
But the going is not the only issue.
You do not have to go anywhere or do anything to get malware.
An unprotected computer (no firewall) can get attacked in seconds simply by
being connected.

Simply enabling a firewall keeps your computer safe while you download all
remaining updates.
As long as you do not surf or check Email etc, you are safe.
Only after all Windows Critical Updates are installed and an updated anti
virus is running should you surf or work with Email.

If your computer had problems, it seems they originated elsewhere.
More details of exactly what happened could also help.
 
Steven L Umbach

Service Pack2 enabled the built in Windows Firewall by default and protects
you if you then go to Windows Updates to download your security updates. You
can also safely activate Windows XP when the Windows Firewall is enabled.
For cable/DSL users I ALWAYS recommend that an "internet router" also be
used as the first line of defense. Microsoft used to offer free cdrom with
the security updates on them but I don't know if they currently do such
though any user can download security updates from Microsoft and burn to a
cd/DVD. While it is frustrating to have 45 updates it is better than not
correcting operating system vulnerabilities and not unusual. Apple just
released patches to fix 43 flaws in its operating system. If there is
another service pack released for XP it will include all those security
updates as could a security rollup download.

As far as your internet bank being hacked what specifics make you believe
that is Microsoft's fault?? Generally they are the result of phishing
attacks where an attacker tricks you by social engineering into entering
confidential information into a website that you believe is your bank and
uses that information to access your account. You should NEVER enter
confidential information into a website that is not a secure https website
and it is good practice to view the certificate for the website. I have
never seen a phishing website use https and I have seen a lot of them. The
bank could also have internal problems such as dishonest/inept employees or
someone could have otherwise obtained confidential information about you,
maybe even a family member or a friend possibly by using a keyboard logger
on your computer to capture your keyboard input or going through your papers
or garbage. Maybe you used a weak logon ID and password. Also NEVER EVER
enter confidential information on a computer you do not know is secured. For
me that limits it to about two computers of mine and all else are considered
untrusted. Users that use wireless networks at home are a whole other area
of possible vulnerabilities if not configured correctly. --- Steve

http://www.securityfocus.com/brief/209
http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC tips.
http://www.microsoft.com/athome/security/email/phishing.mspx --- Phishing
attacks
 
Leythos

I am furious at Microsoft. If there are 45 HIGH PRIORITY UPDATES after
SP2, I don't understand why Microsoft don't make them available as a
SINGLE DOWNLOADABLE UPDATE or provide customers with a CD. This is the
only safe way to build a new PC. It is madness to take an out-of-date
PC and put it on the Internet, but this is exactly what Microsoft
expects users to do!.

Most normal people would have purchased at least a NAT Router which
would allow them to download the updates without ANYTHING reaching the
computer that you didn't invite into it. It's only been this way for
every OS on the market for about a decade, MAC, Linux, Windows, AIX,
HP-UX, etc....
 
rajeshk4u

Mike said:
A single downloadable update would not be possible as some updates have to
be installed separately.. producing a CD would take time and distribution
would be a huge task..

I know it is not an easy task. In my view Microsoft should strive for
this. I think they should produce a roll-up quarterly or some way of
getting a Windows Update from one computer and being able to apply it to another.

Why did you not get all of the updates first?.. going onto the net initially
to get updates would not harm anything..

This is what I would have liked to have done in the first place! Can
someone tell me how I could have got ALL the updates post SP2? (ie
without using Windows Update).

Why do you save passwords?.. especially for internet banking purposes.. was
your account the only one hacked or was the hacking done at the bank end?

Who said I saved passwords?. There are multiple passwords to access the
bank account.

The bank has told me that the banking fraud was done by someone
accessing my bank account via Internet, setting up a Bill Payment
online (a user would set this up to say pay Electricity Bill etc..),
but in this case Bill Payment was to an individual. And that is how the
money was transferred out.


Jupiter Jones wrote--->
Simply enabling a firewall keeps your computer safe while you download all remaining updates.
As long as you do not surf or check Email etc, you are safe.
Only after all Windows Critical Updates are installed and an updated anti
virus is running should you surf or work with Email.

YES! That is exactly what I did!! No surfing/email, until the PC was
totally secure!

Nothing in what you say shows your computer at risk.
SP-2 enables the firewall by default but you should still check to make
sure the firewall is enabled.

I did check this firewall manually. When I installed Norton, it turns
off Windows XP firewall and says I will look after you, but I enabled
both of them. So, yes XP Firewall was running.

Steven Umbach---->
Generally they are the result of phishing
attacks where an attacker tricks you by social engineering into entering
confidential information into a website that you believe is your bank and
uses that information to access your account.

I am well aware of most of the scams and I can confirm that this is not
it. I even use a paper shredder, so I take security seriously.

In my view, there must have been some sort of keylogger that managed to
get into my system. The only time I was vulnerable is during the Windows
Update.
 
Leythos

I did check this firewall manually. When I installed Norton, it turns
off Windows XP firewall and says I will look after you, but I enabled
both of them. So, yes XP Firewall was running.

You can't run them both, it's unstable. You could have just found the
cause of your compromise. Running two active firewall products on the
same system is always a bad idea.
 
Steven L Umbach

So it is pure speculation on your part that it was the fault of Windows XP
since you have no other plausible explanation. How would a keyboard logger
get into your system by going to Windows Updates only?? Did you find a
keyboard logger right after that? I am really sorry for what happened to you
but I don't see how it was the fault of the operating system. Millions and
millions of XP users access their bank on the internet and do other
transactions [PayPal, Ebay, etc] without any problem. You might want to look
into using a bank that can use multifactor authentication such as a smart
card. I do wish more banks offered such. --- Steve
 
rajeshk4u

I was running Norton Anti-Virus 2006, would you count that as a
Firewall?

Maybe you are thinking I was running Norton Internet Security 2006?

If so which do you think I should be using Firewall XP or Norton
Anti-Virus 2006?
 
Leythos

I was running Norton Anti-Virus 2006, would you count that as a
Firewall?

Maybe you are thinking I was running Norton Internet Security 2006?

If so which do you think I should be using Firewall XP or Norton
Anti-Virus 2006?

Norton Antivirus 2006, as the named product, is not any form of
firewall, it's an Antivirus product.

Norton Internet Security is a firewall product that may include Norton
AV in its bundle.

Windows firewall, if you are running XP + SP2, if you don't poke any
holes in it, will protect you long enough to download the service packs.

If you were paying attention these last couple years, you would have
purchased a NAT Router to protect your computer/network from intruders.
 
Jupiter Jones [MVP]

Still, you have said nothing that confirms there was a problem with your
computer after the Windows installation.

Your computer was not vulnerable during the update process.
And there was no way for a key logger to get installed unless something is
not as you thought.
Even the key logger is speculation on your part.
The fact someone got access to your account proves nothing other than they
got access to your account.
There are countless possibilities outside of Windows or even your computer for
this.
From your description, your computer was secure and the problem lies
elsewhere.
 
Opus

It is my experience as a system administrator that it is the users who don't
take security seriously. I have used Microsoft products for years without
ever having a security compromise that led to data loss, but that, like your
own experience, is anecdotal. The fact that Microsoft releases product
security updates on a monthly basis is evidence that they take security
seriously. Moreover, if they did not as you seem to believe, they would
very soon be out of business. How long do you think a shopping mall would
be in business if packs of armed thugs roamed the midway randomly harassing
customers? They would hire security just as Microsoft does in their own
way.

It appears from your post that there are key security measures that you
overlooked. In particular, you make no mention about having a firewall. If
you were running a good firewall, you would not have to worry about attacks
while downloading those updates. Moreover, if you are not running a
firewall, those updates are only of limited usefulness. In other words, you
must take responsibility for your own security.

So the question should come back to you:

Do YOU take security seriously?

BTW: I seriously doubt that Microsoft had anything to do with the security
compromise at the bank. Remember that Microsoft does not run every computer
on earth, and most large business applications run on variations of UNIX.
If your bank was hacked to the point that money was lost from your account,
the bank would be responsible and not you. They would replace your losses
immediately.

Opus
 
Kerry Brown

I was running Norton Anti-Virus 2006, would you count that as a
Firewall?

Maybe you are thinking I was running Norton Internet Security 2006?

If so which do you think I should be using Firewall XP or Norton
Anti-Virus 2006?

NAV 2006 includes a feature they call worm protection. This is actually a
simple firewall and Norton turns off the Windows firewall so that two
firewalls aren't running. I prefer the Windows firewall so I recommend the
NAV worm protection be turned off and the Windows firewall be turned on. It
can be unstable when both are turned on. It is extremely unlikely that
having both on was the cause of your problem with your bank account. I have
no idea what caused it but running the Windows firewall and NAV worm
protection at the same time only causes problems with actually connecting to
a network. I have never seen this configuration cause a breach of security.
 
cquirke (MVP Windows shell/user)

On Wed, 17 May 2006 21:18:39 -0600, "Jupiter Jones [MVP]"
Still, you have said nothing that confirms there was a problem with your
computer after the Windows installation.
Your computer was not vulnerable during the update process.

Is your LAN cabled, or WiFi?
If WiFi, do you disable WEP?
XP Home or XP Pro?
If XP Pro, do you have a weak non-blank password?
If yes to the above, do you disable hidden admin shares?
Did you restore any "data" backups during the rebuild?


------------------------ ---- --- -- - - - -
Can't stop what's coming
Can't stop what's on it's way (Tori Amos)
 
