Netcraft claims that banks are moving off https to http for performance purposes. Larry Seltzer blogs here.
Month: August 2005
Sneaky rental car companies
Are rental car companies tracking your every move by GPS?
Thankfully, the Connecticut Supreme Court struck a recent case on this issue down.
Check this idiocy out:
First, let’s look at the Connecticut case. It arose because American Car Rental had a policy of charging its clients $150 for “excessive wear and tear” to the rental car, each time they drove over 79 miles per hour.
“American knew exactly when that occurred because its subsidiary, Acme Rental, used GPS installed in its cars to monitor renters’ speed as they traveled. Whenever GPS reported that the customer drove at least 80mph for more than two minutes at a time, the company charged the customer’s credit or debit card $150.
This happened as follows: Wireless technology transmitted the vehicle’s location, as determined by GPS, to a tracking company. The tracking company faxed the information to Acme, which – with the rental customer’s credit card on file — posted a $150 charge to the card. Sometimes, this process was repeated numerous times. And sometimes, as a result, customers had their credit or debit cards rejected by retailers because their credit limit was exceeded.”
This is just sick
Alex Eckelberry
Google Storm
A flurry of new stuff from Google: GoogleDesktop, the new desktop search tool; GoogleTalk, the new instant messaging tool; and a new Blogger add-in for Microsoft Word which lets you publish stuff from inside of Word.
I briefly tried out the new Blogger add-in to see if I like it as much as my all-time favorite, BlogJet. Jury: I prefer BlogJet for now, as it allows you to publish images (the Google add-in says that’s not “currently” supported). But it is really nice to use Word to post blogs.
Alex Eckelberry
Does Wireless Networking Have to Be Insecure?
From this week’s issue of Sunbelt’s WXPnews.
Remember when talking on the phone meant being tied to a confined area by a cord? Many members of the younger generation don’t; cordless landlines and cellular/mobile phones have always been a part of their lives. Most of those reading this, though, can still remember when setting up a home or business network required running Ethernet cabling throughout the building (or paying someone else to do it). Those who have actually spent time crawling through attics to drop cable can fully appreciate the miracle of wireless networking technology. No wonder the popularity of 802.11 wireless equipment has boomed in the last few years. For convenience, you can’t beat it. But what about security?
Some people will tell you that wireless networking is inherently less secure than wired communications, and that’s true. To “tap into” your cabled network, an intruder has to have physical access to that line. Because common wireless networking technologies are RF (radio frequency) based and send signals over the airwaves, an intruder can sit in a car with a laptop down the street from your location and “catch” your transmissions. Many wireless users think they’re safe because of the distance limitations referenced in the documentation of their wireless access points or routers: approximately 300 feet for 802.11b/g, about half that for 802.11a. What they don’t tell you is that a “war driver” can increase that range by attaching a powerful directional antenna to the wireless network adapter on his laptop.
Now, there are ways to control what computers can connect to your wireless network. You can configure your WAP/router to use “MAC filtering,” which lets you specify that only computers with specific physical (Media Access Control or MAC) addresses can connect to the network. The MAC address is a hexadecimal number that’s usually burned into the chip of the network card by its manufacturer. Unlike the IP address, it’s not easy to change. Unfortunately, though, a skilled hacker can monitor the traffic that’s going over your wireless network and capture the MAC address of a valid computer, then “spoof” it to make it appear that’s the address of his own computer.
Another tip for securing your wireless network is to turn off SSID broadcasting (the feature whereby your WAP/router broadcasts the network name that wireless computers “see” in the list of available networks). That will make an intruder work a little harder to find your network, but only a little. There’s software freely available on Internet hacker sites that a determined intruder can use to “sniff” the packets that are transmitted when a valid user connects to your network and get the SSID that way.
WAPs and wireless routers include encryption mechanisms, typically Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) for added protection. Unfortunately, WEP has well known weaknesses that can be exploited by a hacker. WPA provides stronger protection, but isn’t supported by all WAPs, wireless network cards and operating systems.
Because of all these challenges, some folks will tell you that it’s impossible to attain an acceptable level of security on wireless networks and you should just stick with cables, inconvenience and all. Some companies and government agencies have banned wireless networking as a matter of policy. Should you just give up on wireless, too?
We don’t think so. First of all, most of us aren’t transmitting national defense secrets on our wireless nets, so for us an “acceptable” level of security generally means the ability to deter casual intruders, not agents of foreign governments with multi-million dollar equipment who are targeting us specifically. Secondly, much of the insecurity of wireless networking is due to improper configuration of the WAP/router. This is because the default settings of most products leave your network “wide open” (vendors don’t do this to intentionally put you at risk; they do it to make it easier for you to get your wireless network up and running right out of the box). However, you can make your wireless network much more secure by applying the proper settings and encryption. Even more importantly, software companies are hard at work developing products that we can use to make our wireless networks more secure.
We’d like to know what you think about wireless security and what you’d like to see in a wireless security product. Please take the quick survey to share your opinions here.
SANS presentation on spyware
Archived, here. Featuring the University of Vermont and <shameless plug> Sunbelt’s CounterSpy Enterprise.
Alex Eckelberry
Review of the Aluria-powered WhenU antispyware tool
Another winning entry from Paperghost!
A few weeks back, we held the world’s first Antispy Film Fest, featuring the works of cutting edge directors Wayne Porter and Paperghost.
Now, Paperghost has outdistanced the trade with his latest tour-de-force, Grokster: The Movie.
Filmed in a gritty film-noir cum Benny Hill style, Grokster: The Movie shares the tale of a hapless web surfer (Hapless) caught in the tangled web of a massive adware infestation brought on by a Grokster install.
Featuring the dreaded KVM media installer (one of the most malicious beasts we’ve seen), Hapless is forced to choose between thousands of rotational ads serving pornography and diet pill ads, while (presumably) seeing his machine turned into a spam zombie, blasting out thousands of messages per minute through port 25.
We can only hope to see more of this brilliant young director’s cinematic excellence.
Alex Eckelberry
Spyware countermeasures by banks
There are a couple of recent measures against keyloggers that banks have started using.
One is a “reverse PIN” algorithm. When transferring funds, the customer is instructed to enter the digits of their PIN in a specific order (such as in reverse, or with the third and fourth digits switched). The bank then translates the sequence back into the correct order on the back end (thanks Catherine).
Another is where customers enter their information by mouse-clicking on a virtual keyboard (CitiBank uses this, click here for an example). However, we’ve already seen evidence that this can be fairly easily hacked.
Another idea is to tie the password in with the website URL at the time of the transaction.
More is needed. I have seen my fair share of compromised systems. Authentication is old news. Banks, right now, need to work with the belief that their customers have had their account information and PINs stolen.
Alex Eckelberry
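The “reverse PIN” scheme above, worked through as an added example (not code from the post or from any bank): the back end picks a fresh entry order per transaction, shows the customer an instruction, undoes the reordering server-side before checking the PIN, and then shows why the post says “more is needed”, since a keylogger that records only the typed digits still learns the digit multiset and so shrinks a 4-digit search from 10,000 candidates to at most 24. All function names are assumptions.

```python
import hmac
import itertools
import secrets

# Hypothetical back-end for the per-transaction "reverse PIN" scheme.
# The names and the instruction wording are assumptions for this example.

def choose_entry_order(pin_length, rng=secrets.SystemRandom()):
    """Pick a random permutation of PIN positions for one transaction.
    Element i of the result is the (0-based) real position of the digit
    the customer should type i-th."""
    order = list(range(pin_length))
    rng.shuffle(order)
    return order

def describe_order(order):
    """Instruction shown to the customer on the bank's page (1-based positions)."""
    positions = ", ".join(str(i + 1) for i in order)
    return "Enter the digits of your PIN in this order: " + positions

def apply_order(pin, order):
    """What a customer who follows the instruction actually types."""
    return "".join(pin[i] for i in order)

def restore_order(entered, order):
    """Back-end step: put the typed digits back into their real positions."""
    if len(entered) != len(order):
        raise ValueError("wrong number of digits")
    original = [None] * len(order)
    for typed_pos, real_pos in enumerate(order):
        original[real_pos] = entered[typed_pos]
    return "".join(original)

def verify_pin(stored_pin, entered, order):
    """Restore the real order, then compare in constant time."""
    candidate = restore_order(entered, order)
    return hmac.compare_digest(candidate, stored_pin)

def candidate_count(observed_digits):
    """Residual risk: how many PINs are consistent with one keylogged entry
    when the attacker did not see the on-screen instruction. Repeated digits
    make the set smaller still."""
    return len(set(itertools.permutations(observed_digits)))

if __name__ == "__main__":
    pin = "4721"                       # constructed sample PIN
    order = choose_entry_order(len(pin))
    print(describe_order(order))
    typed = apply_order(pin, order)
    print("customer types:", typed)
    print("back end accepts:", verify_pin(pin, typed, order))
    print("PINs consistent with the keystrokes alone:", candidate_count(typed))
```

The permutation only hides the digit order, not the digits themselves, which is why the scheme deters a one-off keylogger far better than it deters an attacker who also captures the screen or collects several sessions.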
Earthlink buys ALURIA
I knew Aluria was on the block (they had hired the firm that PestPatrol hired to get sold, Updata, to rep them in trying to sell). But Earthlink buying them?
Earlier, Earthlink had dumped Webroot in favor of Aluria (blogged here).
Well, WhenU must be dancing in the streets.
This is surreal.
Alex Eckelberry
(Tip o’ the hat to SpywareInfo)
No, we really aren’t a bunch of crazy Florida rednecks…
The marketing department went out and bought two choppers and then gave one away at Tech.Ed.
The other one? Oh, after being spiffed up, it’s being sold on eBay. Bid away.
Alex Eckelberry
Xavier Ashe presentation on wifi security
Security Guy Xavier Ashe spoke at a presentation recently on WiFi security and has this Powerpoint available for download.
He highlights these trends:
- Wireless threats are increasing exponentially
- Tools are becoming increasingly available and easier to use…. For both good and bad
- Wireless risks and securing a wireless infrastructure are misunderstood
He also provides a good overview of current security breaches/risks.
Alex Eckelberry
Disturbing new evidence on Grokster
This is starting to get intriguing and quite disturbing. Antispyware heavyweight Andrew Clover left this very interesting post on SpywareWarrior’s blog on Grokster last night:
“Apart from the usual suspects Grokster installs (BroadcastPC, MSearch/MyGlobalSearch etc.) we are seeing something else here as pictured in the screenshot on Alex’s blog.
That something is simply an advert spawned through Grokster’s normal in-application advertising system (Cydoor). However this uses IE to display the ads, so is vulnerable to all the same exploits IE can meet during normal browsing. The ad network let exploits in, so will be serving spyware to everyone who views ads on that network, through Grokster or otherwise.
In this case the exploit is a new variant on 2ndThought, going under the name KVM Media. 2ndThought is a perennial source of exploits served through mainstream ad networks.
Other names used by the company behind 2ndThought (and the related FreeScratchAndWin/xzoomy, EnhanceMySearch and RebateShoppers parasites) include CPM Media, PopNugget, SoftTech, Advolt, AdsLimitless, LeadTaxi, WMG Media, Pacimedia, PacerD, AdSavior, Pan-Advert, More Media One and ICANNNews.”
This KVM attempted force-install I wrote about last week (pictured below) is very nasty. We also have an unconfirmed report from a reliable source that one of the apps KVM installs turns your machine into a spam zombie.
We should see some interesting new developments over the next week…
Alex Eckelberry
Russian and Rumanian Cybercrime
“…In the 1970s, communist dictator Nicolae Ceausescu ordered the nation’s universities to make sure young Romanians learned about computers. As freedom came, many well-trained young programmers moved to other parts of Europe and to America to escape the dismal economy at home. But many stayed.
It was much the same in the former Soviet Union. The education system cranked out scientists and computer programmers, but the economy staggered. Graduates of schools there had computer skills that rivaled any in America, but most of them couldn’t afford computers…” From today’s Rocky Mountain News via SpywareInfo.
Alex Eckelberry
Google and privacy
While my personal view is that Google has shown an extraordinarily responsible view about ‘net privacy, CIO Today has published a fascinating (if largely inconclusive) three-part series entitled: Google has your data: should you be afraid? Click here.
Alex Eckelberry
Suzi hits the big time
Antispyware veteran Suzi Turner of Spywarewarrior has taken over the ZDNET spyware blog. Since Wayne Cunningham was moved to another area of CNET, it’s been pretty slow over there, so this is a welcome change. Definitely RSS this blog, it’s going to be a good one.
Alex Eckelberry
Vista scares the bejesus out of some testers
Vista has this new thing called Peer Name Resolution Protocol (PNRP), which is actually a nifty peer-to-peer networking technology. But testers didn’t realize it’s turned ON by default and started noticing all this network traffic! Gulp. Also there are security issues… CNET writes about it here.
Alex Eckelberry
Nasty host file hijack
Check out this host file hijack found on this website. The hijacker methodically replaced a large list of banks (apparently mostly UK banks) in the user’s hosts file with entries that resolved to the hacker’s IP address. (For the newbies: your hosts file is like an address book for your internet connections, consulted before DNS. Click here for an easy writeup on hosts files or here for a more technical writeup.)
In other words, you merrily go to Barclays bank and get redirected to the hacker’s website. The sad thing is it’s such a stupidly simple hack.
This is just another reason why it’s a good idea to lock down your host file. Wayne Cunningham explains how to do that here. But remember that nothing is foolproof, as nasty spyware programs like CoolWebSearch are masters of altering read-only hosts files.
<snip snip>
O1 – Hosts: 141.225.152.142 onlineaccounts2.abbeynational.co.uk
O1 – Hosts: 141.225.152.142 www3.aibgbonline.co.uk
O1 – Hosts: 141.225.152.142 www.bank.alliance-leicester.co.uk
O1 – Hosts: 141.225.152.142 login.iblogin.com
O1 – Hosts: 141.225.152.142 ww2.bankofscotlandhalifax-online.co.uk
O1 – Hosts: 141.225.152.142 inet.barclays.co.uk
O1 – Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 – Hosts: 141.225.152.142 iibank.cahoot.com
O1 – Hosts: 141.225.152.142 www3.coventrybuildingsociety.co.uk
O1 – Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 – Hosts: 141.225.152.142 login.ebank.offshore.hsbc.co.je
O1 – Hosts: 141.225.152.142 ww3.online-offshore.lloydstsb.com
O1 – Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 – Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 – Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
<snip snip>
Alex Eckelberry
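A small audit that catches exactly this pattern, added here as an example rather than anything from the post or from HijackThis: it parses either raw hosts-file lines or HijackThis “O1 – Hosts:” lines, ignores the normal loopback/0.0.0.0 ad-blocking entries, and flags any public address that several unrelated domains point at, or that any financial-looking hostname points at. The sample lines are constructed from the log quoted above (the 141.225.152.142 address and bank hostnames come from the post); the watch-word list and the crude registrable-domain helper are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample built from the HijackThis lines quoted in the post,
# plus two ordinary entries so the audit has something to ignore.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 - Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 0.0.0.0 ads.example.net
"""

# Accepts "O1 - Hosts:" / "O1 – Hosts:" prefixes (hyphen or en dash) or bare hosts lines.
HOSTS_LINE = re.compile(r"^(?:O1\s*[-\u2013]\s*Hosts:\s*)?(\S+)\s+(\S+)")

# Assumed watch words; a real deployment would use its own list of protected brands.
WATCH_WORDS = ("bank", "barclays", "hsbc", "lloydstsb", "login")

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and non-IP tokens."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        pairs.append((ip, host))
    return pairs

def is_sinkhole(ip):
    """Loopback / unspecified targets are the benign ad-blocking use of a hosts file."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def registrable_domain(host):
    """Crude approximation: last two labels, or three for ccTLD forms like co.uk."""
    parts = host.split(".")
    if len(parts) >= 3 and len(parts[-2]) <= 3 and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def audit_hosts(text, watch_words=WATCH_WORDS, min_domains=2):
    """Flag non-sinkhole IPs that collect unrelated domains or watched hostnames."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if not is_sinkhole(ip):
            by_ip[ip].add(host)
    findings = []
    for ip, hosts in sorted(by_ip.items()):
        domains = {registrable_domain(h) for h in hosts}
        watched = sorted(h for h in hosts if any(w in h for w in watch_words))
        if len(domains) >= min_domains or watched:
            findings.append({"ip": ip, "hosts": sorted(hosts),
                             "domains": sorted(domains), "watched": watched})
    return findings

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_LOG):
        print(f"{f['ip']}: {len(f['hosts'])} hostnames across "
              f"{len(f['domains'])} domains; watched: {f['watched']}")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) instead of the sample, or feed it a saved HijackThis log; a hosts file that maps several different banks to one routable address is almost never legitimate, so even the crude domain grouping here is a reliable trigger.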
Webcast on spyware in IT
The Sans Institute is holding a web seminar next Tuesday at 1 pm EST on “What Works in Stopping Spyware”, sponsored by yours truly. The discussion is oriented around stopping spyware in the enterprise.
Alex
(Pardon the shameless plug)
Direct revenue talks to Newsweek
Oh man, I wish I had time to really blog on this. But for now, read the article.
One priceless comment: “I agree there is some frustration around Aurora. However, with our improved branding and disclosure, users should feel free to uninstall our ad client. It seems to me there are still some people who for some reason do not trust our uninstall process, who try to remove it by their own means.”
Dude, a user has to go to a friggin website to uninstall your product. And howls of user agony over your product can’t just be blamed on distribution channels.
Alex
(Tip o’ the hat to Suzi)
Test your phishing knowledge
Sascha over at Paretologic posted some tips on Phishing. Good stuff.
It reminded me, however, of a test that MailFrontier (a competitor of ours) did a while back. So I’m posting it for all the world to see.
You’re going to be surprised by this one. I did this quite a while back and it was not a cakewalk. Some of these are hard.
So take this test from MailFrontier and see if you can guess which emails are legitimate or not.
Feel free to comment your results 😉
And for a good (and free) anti-phishing toolbar, download Cloudmark’s.
Alex Eckelberry