More on Netscape trust rating

Hot off the presses: Ben Edelman just posted a detailed writeup.

Why the big deal? AOL Netscape (nee Netscape) is assigning a trust rating based on certifications. Certifications are useless for trust ratings, because all they do is certify what they are supposed to certify, such as “is the traffic in an SSL browser session secure?”. They are not ways to actually determine the validity of a site in general.

In short, the new Netscape 8 apparently will assign a trust rating to sites like abetterinternet.com, hotbar.com, Ezula.com, mywebsearch.com and others.

Alex

So who bamboozled the folks at Netscape?

(Part one in an informal series on the absolute uselessness of current certification practices…more later).

The new Netscape has a trust rating, explained here.

According to their website:

The Netscape Browser is equipped with a web site rating system called “Trust Ratings” which is driven by lists of sites provided by our trusted security partners. The intent of this system is to automate browser security and site compatibility on an automated basis by identifying the following:
• Verified sites which are safe for entering personal and/or financial information
• Malicious sites intended to steal your information (aka Phishing sites)
• Sites which attempt to inject malicious programs or code onto your system (Spyware, Adware, Trojans, and viruses)

Looking a bit further, one sees their “Trusted Security Partners”: Verisign (for light reading on Verisign, see Ben Edelman’s writeup here), Truste (whose “sealholder” list includes abetterinternet.com, direct-revenue.com and others), and Paretologic (makers of Xofspy, a former member of the Rogue/Suspect Spyware list).

Update: Suzi at SpywareWarrior.com just ran with the story. You can see her blog entry here.

Alex
(Thanks Suzi, Eric, Ben)

Another one.

Abetterinternet has just sent us a Cease and Desist letter. You can see it here.

As with all of these types of legal issues, I have forwarded it to our high-priced lawyers and a response will be sent in due course.

The letter basically asks us not to label BetterInternet (aka Direct Revenue) as spyware, but instead list it as adware.

Oh, and for those waiting for our response to Hotbar, we should have a response up by the end of the week.

Alex Eckelberry

A chilling tale of digital breach

If you haven’t read this story in the Washington Post, it’s worth a quick read.

It went something like this:

• A small group of hackers sent out a bunch of porn spam with a virus/keylogger attached.
• A police officer opened one of the emails, and then subsequently logged onto Seisint, a LexisNexis subsidiary. Of course, the keylogger was on the system and everything the officer did was recorded.

Then:

“The young hacker said the group members then created a series of sub-accounts using the police department’s name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California. washingtonpost.com has not been able to reach the young source to seek comment about the sale of personal information.”

Then check this out:

“LexisNexis disclosed on March 9 that records on 32,000 individuals were downloaded by an unknown person or persons who gained access to the company’s database using compromised user accounts. A month later, the company said it determined that 310,000 personal records had been accessed over a series of weeks

What’s the lesson? This is basic security!! Everything that could have stopped this attack is commercially available and not even that expensive. A friggin free desktop firewall with inbound and outbound protection would have obviated most, if not all, of the breach. Layer that with a good AV with robust attachment filters.

Then throw in some employee training about social engineering (i.e. “don’t open attachments unless they are from a trusted, known source that you know is supposed to be sending something”, etc.).

Alex Eckelberry
(Thanks to BeSpecific)

More on Hotbar

Word is spreading that Sunbelt is being attacked by Hotbar.

Lots of interesting comments from our previous post.

Our crack legal team will be writing a response, which we will post for public viewing in the next week or so. For an example of a prior letter, see our letter to iDownload.

However, some new developments.

1. We found this action by Hotbar against Lavasoft. It is unknown what happened, but it possibly explains this snippet from their letter to us:




2. Spyware guru Ben Edelman has just done a detailed look at Hotbar’s installation practices.

Quote:
“This article examines one such installation, its (purported) license agreement, and its effects. Notable characteristics:
• Installation at a site targeting kids.
• License agreement not affirmatively shown. Unhelpful section headings, convoluted language.
• Installation confirmation screen lacks a button or option to cancel installation.
• Intrusive advertising, not specifically disclosed in prior on-screen text, including ads in toolbars, pop-ups, pop-unders, auto-opening sidebars, and desktop icons.”

Alex Eckelberry
NOTICE: Hotbar® and Hotbar.com® are Reg. U.S. Pat & TM Off.

Firefox and Spyware

Many haven’t seen the research paper on this matter that we wrote back in March. Here is a link to our whitepaper on Firefox.

In summary, over the past few months security experts have speculated that we could see new spyware and adware crafted for Mozilla Firefox.

Until now most of this speculation has centered on the potential for security holes in Firefox that could be exploited by spyware and adware creators. But such speculation is arguably misguided. In fact, we already have seen instances of spyware and adware that can be installed through Mozilla Firefox.

These cases have received little attention, however, largely because researchers have been too focused on security exploits instead of the more run-of-the-mill methods through which spyware and adware are typically delivered to users’ desktops: namely, social engineering techniques that spring unwanted software on confused users who aren’t careful enough about what they click.

Alex Eckelberry

Hotbar goes after Sunbelt

Hotbar sent us a Cease and Desist letter yesterday. Read it here.

I have forwarded it to our high-priced lawyers and an appropriate response will be filed in due course.

Of course, we won’t remove them from our database under any circumstances. Clearly, the folks at Hotbar didn’t read our listing criteria.

Here’s what’s odd about all of this. Hotbar is what we label “low-risk adware”. We list them in our database, we display them in the scan results, but we tell the user “This is not a big deal” and we put the default action as “ignore” (as opposed to “remove” or “quarantine”). While Hotbar is clearly adware, it is not nearly as destructive to the system as something like CoolWebSearch.

So we are telling the user it’s on their system, but we’re letting the user decide if we should remove it or not.

Now check out this little snippet from their letter:



As most people know, we get spyware database updates from Microsoft. We did notice a while back that Microsoft had removed Hotbar, but we didn’t remove them from our version of the database. We figured Hotbar had gone after them and now we can see that it looks like they really did.

You know, you can get farther with a bit of molasses than a lot of vinegar.

Contrast Hotbar’s vehement attack with WeatherBug’s kinder, gentler style. The WeatherBug Chief Privacy Officer Dan O’Connell and I had a respectful interchange (and we both blogged on the matter of listing WeatherBug). They didn’t like the fact that we were listing them in our database, but respected our position. While we continue to list them, at WeatherBug’s request, we are making changes in our UI to help users understand that having WeatherBug is not the end of the world.

In other words, a little bit of molasses sure is better than a lot of vinegar.

Alex Eckelberry

National ID cards approved

If you’re a privacy advocate, you’re familiar with the various analogs for slow destruction of civil liberties. The light-dimmer effect is one, something I heard years ago from Arthur Maren.

Here’s how it works: You go into a room, and someone turns the light-dimmer down just a few notches every few minutes. After a while, it’s dark, and you haven’t even noticed what happened.

And so it goes with our civil liberties and our privacy in the US. The dimmer just got turned a notch.

From the News.com article:

“The so-called Real ID Act now heads to President Bush, who is expected to sign the bill into law this month. Its backers, including the Bush administration, say it’s needed to stop illegal immigrants from obtaining drivers’ licenses.

If the act’s mandates take effect in May 2008, as expected, Americans will be required to obtain federally approved ID cards with “machine readable technology” that abides by Department of Homeland Security specifications. Anyone without such an ID card will be effectively prohibited from traveling by air or Amtrak, opening a bank account, or entering federal buildings.”

This thing was sleazily put into a larger bill.

Wired article here.

Alex Eckelberry

The Adware Business Model Continued

Ari Schwartz of the CDT is testifying before the Senate Committee on Commerce, Science, and Transportation on “Spyware” today. The link to the webcast is here.

He has some great information in that testimony. If you’re a dedicated spyware fighter, it’s worth scanning. Those who were at the CNet Antispyware Workshop will be familiar with much of this information.

But briefly, here are some pics from the testimony.

It all starts with this simple model:

Advertisers (either directly or through brokers) pay money to adware companies for impressions or clicks or whatever. Distributors get the adware on people’s machines.

Like this:



(Image courtesy of the CDT)

So here is another theoretical slide as to how that works. It looks monstrously complicated, but it’s still based off the same simple idea. Advertisers (either directly or through brokers) pay money to adware companies. Distributors get the adware on people’s machines.



(Image courtesy of the CDT)

It is Byzantine but understandable if you look at it long enough.

Now, this slide shows the truly pernicious behavior of Seismic Entertainment (Seismic is being sued by the FTC).



(Image courtesy of the CDT)

What was Seismic doing? Nasty, nasty, nasty stealth installs.

Ok, those with weak stomachs turn away (don’t worry, it’s not nasty pictures, it’s just typical run-of-the-mill criminality exposed):

Here is an email from Seismic:

From:
To: jared@optintrade.com
Date: Sat, Mar-6-2004 4:51 PM
Subject: I DID IT
I figured out a way to install an exe without any user interaction. This is the time to make the
$$$ while we can.


Here is another fun one:

From:
To: jared@optintrade.com
Date: Fri, Nov-28-2003 12:37 PM
Subject: strategy
I do my sneaky shit with adv.com today through Sunday — everyone’s off anyway…. You
then send an email to your contact early Monday AM saying the advertiser was unethical and
pulled a switch and you are no longer doing business with them… Then we stop buying
adv.com through you in any way.


All of these pics and the emails I got from Ari Schwartz’ testimony. (Thanks Suzi for forwarding the link).

Hats off to the CDT and to Ari for this.

Alex

Aurora

Aurora…as in Aurora Borealis, the northern lights, from Latin for “northern dawn”. A word that evokes images of beauty and light.

——————————

That’s marketing.

The truth isn’t so pretty.

April 26, Direct Revenue announces Aurora, a new piece of adware.

In the release, they say this:

“Direct Revenue CEO Joshua Abram said, ‘Aurora and MyPCTuneUp demonstrate our commitment to providing advertising partners, clients and consumers the best possible experience in behavioral marketing and search.'”

That is chutzpah. The best possible experience for consumers?

Here’s what that experience is like for users.

(Thanks Eric)

Alex Eckelberry

180 and “relevant” advertising

(Props to Dave Methvin at PC Pitstop for sending me these pics and the ad links, and to Simon Clausen at PC Tools who originally made these pics).

One of the more shocking things we saw at the Antispyware workshop last week was this screen:



You can see us all seeing the screen here.

It was part of this discussion (an edited version I created from the Ziff Davis version–you can find the originals here).

Ben Edelman starts the discussion, then you hear Dave Methvin’s (PC Pitstop) voice, and it goes on from there.

(One thing that happened during the discussion was that Ralph Terkowitz, one of the investors behind WhenU, looked very good by being thoroughly pissed when he saw this. You can hear him in the interchange. It made a good impression on the whole crowd.)

As you can see, someone who has this 180 product goes to PC Tools’ website, and gets a competitor popping up, with very similar colors. The end user is ostensibly fooled into perhaps buying from the competitor.

So this is “relevant” advertising.

180 did approve this ad. You can hear Daniel Todd of 180 say that during the conference. Note that they have pulled this advertiser.

Here are some more fun pics:






The ads targeting Symantec and McAfee are still up. You can see them here and here (As Dave Methvin points out, the “Open CD to test your computer” is one of the stupidest and oldest tricks in the book).

Finally, here is one you would get when searching on Download.com, clicking on utilities – system utilities.





Not Good.

Alex Eckelberry

Webroot site NOT hacked

Update: Situation looks resolved as of this morning. Thread on Broadband Reports here. ACCORDING TO WEBROOT, THIS WAS NOT A HACK.

Some jerk(s) are attacking a reputable antispyware vendor.

An apparent DNS hack. Some systems are reporting this, some aren’t. Note that if you’re seeing this hack, you aren’t going to be able to send mail to them either.

In other words, someone is going after Webroot and it’s nasty. Man, this really tees me off.

3 pm EST today

4:20 pm EST today

Just got this reported from Eric Howes when he tried to update SpySweeper.

Ouch, this has gotta hurt.

If anyone has more data, please drop a note in the comments section.

Alex

More on the antispyware conference

I’m still trying to find the time to actually write a bit about this interesting workshop, but in the meantime, I have some links for you.

There were four panels:

Session I – Defining spyware and adware
Session II – EULAs and you-knows: What is meaningful disclosure?
Session III – The Money Game: How adware works and how it is changing.
Session IV – Future of the antispyware industry

The famous PaperGhost has written about the event.

Bill Pytlovany of BillP Studios has blogged on it with pics too.

Dan Farber at ZDNET has written about the event here and here.

Links to the MP3s of the conference are here (you have to sign up, but it’s free).

Below is a picture of the 4th panel (Future of the Antispyware Business):

Below is a picture of me being a bit grumpy and asking a question of the 180 Solutions CEO about stealth installs of their software. Behind me, in order, are Ben Edelman, Dave Methvin, and Eric Howes. You can hear my chat with him here (this is an excerpt from the ZDNET MP3 of the conference). After my question, Ari Schwartz from the Center for Democracy and Technology pipes in with a comment and Ben Edelman adds a comment.

And thanks to Andrew Brandt at amishrabbit.com for the pics!

Alex Eckelberry

Still recovering

The CNET-sponsored antispyware summit yesterday was amazing.

Sunbelt was there in force; one journalist speculated to us that Sunbelt might have had the largest contingent outside of the CNET/Download.com staff. I think he’s right.

I got in on the red-eye from San Francisco this morning and am still digesting all of the various things that occurred at the event. I hope to be posting more later.

Alex Eckelberry