Democracy in action

A while back, I blogged that AOL and Yahoo plan on charging for priority delivery of commercial email (EFF writeup here).

What’s interesting is that this issue has crossed party lines. 

Below are emails sent within minutes of each other from RightMarch.com (a decidedly conservative website) and MoveOn.org (a decidedly liberal website).  Both urge their constituents to take action.


These groups are diametrically opposed on virtually all issues.  Nice to see them coming together…

RightMarch action center here.  MoveOn action center here.

Alex Eckelberry

A note of clarification to my European readers:  I know many Europeans get completely baffled by the use of “liberal” by Americans, which is at odds with the continental European definition.  Wikipedia explains the difference here: “In the US, liberalism is usually contrasted with conservatism…”

Get out the popcorn: It’s movie time!

The Antispyware Coalition public workshop in DC was a great experience, and they have just released videos of many of the panels.  You can view the whole list here. They use the dreaded Realplayer, but some of these videos are worth looking at if you’re interested in this field.

Eric Howes, our director of malware research, is on the “Industry Self-Regulation” panel (video); I ask a question at about 48:00 and Ben Edelman follows me with some good remarks.  I also ask a question at about 50:00 of the “Overview of Solutions” panel.

But if you watch one video, watch Walt Mossberg of the Wall Street Journal.  He presented a wild, outspoken take on spyware and cookies, followed by an exchange with DoubleClick.  You can see it here, just forward to about 23:00.   While I don’t necessarily agree with everything he says, it’s quite entertaining.

Alex Eckelberry

CounterSpy on a chip

Well, sort of. Sensory Networks makes acceleration technology for security appliances.  They’ve chosen our CounterSpy BorderPatrol technology to offer to their partners who want antispyware capabilities.


From the corporate hype:

“This next-generation solution will be available to OEM vendors of security products as both software- and hardware-accelerated solutions, with peak performance of 1 Gbps. Sensory and Xilinx just announced yesterday the delivery of the industry’s most scalable FPGA-enabled network security acceleration solution, which will enable CounterSpy to scale to multi-gigabit speeds.”

Press release here

Pretty cool. 

Alex Eckelberry

Keyboard lover’s guide to IE 7

I have been testing IE 7 but found that a couple of the keyboard shortcuts that I used with IE 6 no longer work due to changes in the design.  It’s really minor stuff, but I mentioned this to Rob Franco on the IE 7 team, and he was kind enough to point me to a link that provides all the keyboard shortcuts in IE 7.   If you’re like me and think that mice should be in cages, this is the site for you.

Many are content to spend all day clicking fancy looking buttons or menu items in order to get their tasks accomplished, but those who know the correct keyboard and mouse shortcuts can often get around applications more efficiently: Browsing the web with Internet Explorer is no exception. I want to take a minute to discuss a few useful shortcuts already available in IE6 that will help you get around the web, and then list some great new shortcuts we are providing in IE7.

First: Getting around the web in Internet Explorer 6

Basic navigation

To do the following                                          Press this
Go Back to the last page*                                    Alt+Left Arrow
Go Forward to the next page*                                 Alt+Right Arrow
Stop the page from loading**                                 Escape (Esc)
Refresh the page***                                          F5 or Ctrl+F5
Go to your Homepage                                          Alt+Home
Give focus to the Address Bar                                Alt+D
Add “www.” and “.com” to what you typed in the address bar
before navigating****                                        Ctrl+Enter
Scroll down/up the web page                                  Spacebar / Shift+Spacebar
Close the window                                             Alt+F4

More here.

Alex Eckelberry

Vista versions to be multitudinous in nature

From Paul Thurrott:

As with Windows XP today, there will be home and business versions of Vista, plus a weird pseudo-Vista called Windows Starter 2007 that will replace XP Starter Edition and won’t include any of Vista’s graphical improvements. On the home side, we’ll see Vista Home Basic (and Home Basic N for the European Union–EU–version), Vista Home Premium, and Vista Ultimate. Vista Home Basic (note the lack of the word Edition anywhere in the titles) is a replacement for XP Home Edition, whereas Vista Home Premium will replace XP Media Center Edition (XP MCE). I’ll get to Vista Ultimate in a moment.

On the business side, Microsoft is planning a Vista Business (and Business N for the EU) version that will replace XP Professional Edition, a new Vista Enterprise that will provide a single instance version of Microsoft Virtual PC and other unique features, and, probably, a Vista Small Business version, also new, that will be the client equivalent of Microsoft Small Business Server (SBS). I say probably, because Vista Small Business is the one product edition that didn’t appear on Microsoft’s site temporarily.

On the top of the heap is the new Vista Ultimate, which is of course the version everyone will want. This version will include all the features from both the home and business sides of the fence. And unlike the various XP versions today, each Vista version should be a true superset of the others as you move up the product line. So Vista Home Premium is a superset of Vista Home, and Vista Enterprise is a superset of Vista Business.

Link here.

Alex Eckelberry

A side note on third party networks

Yesterday, I blogged that Secure Computing had blamed its allegedly misleading marketing practices on its third party affiliate network, ClickBank.

There’s more to say on this, and I plan to have a more extensive writeup over the next two weeks when I get more free time.  But there is great danger in marketers trusting their outreach efforts to third party ad or affiliate networks, without a thorough vetting.  Not only can you find yourself running afoul of the law (as was the case with Secure), you can find yourself advertising through adware, or worse, getting charged for advertising that really didn’t occur.

For example, I was recently testing Zango Search Assistant and got a popup for what appeared to be a legitimate antispam application.  Somewhat surprised, I emailed the marketing department for this company (which shall remain nameless) and mentioned this to them.

Looking at the URL for the popup, one saw the following:

?from=ad&refid=cpaempire&grpid=&itemid=ban19&user=&sPage=lconsumer2

See that?  The ad was served through CPA Empire. The company confirmed this by email and has since terminated the relationship.

Well well.

According to this press release, CPA Empire is a subsidiary of OptInRealBig, Scott Richter’s company.  You’ll recall that Scott Richter was the spammer who got sued by Microsoft and the New York AG,  and apparently agreed to pay a $7 million fine.

According to one expert, CPA Empire’s director of marketing, Missy Ward, has gone on record that they (and the rest of OptInRealBig) are clean of all ethics issues…
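The attribution step above, reading the referral parameters out of the popup’s URL, is easy to make repeatable. The following is an added example, not code from this post or from any company it mentions. It generalises the single URL quoted above in one respect: it also unwraps click trackers that carry the real landing page inside a `url`-style parameter, which the post does not discuss. The sample URLs, the `example.invalid` hosts, and the lists of parameter names are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample click URLs. The first reproduces the query string quoted
# in the post (host and path are placeholders). The second is an invented
# tracker URL that nests the real landing page in a percent-encoded "url"
# parameter, a common pattern in ad-network redirectors.
SAMPLE_URLS = [
    "http://example.invalid/landing"
    "?from=ad&refid=cpaempire&grpid=&itemid=ban19&user=&sPage=lconsumer2",
    "http://tracker.example.invalid/click?aff_id=12345"
    "&url=http%3A%2F%2Fexample.invalid%2Flanding%3Frefid%3Dothernet%26itemid%3Dban7",
]

# Parameter names that typically carry a referrer/affiliate identifier.
# Assumption based on common naming; there is no standard for these.
AFFILIATE_KEYS = {"refid", "ref", "aff", "affid", "aff_id", "affiliate", "partner", "pid"}

# Parameter names under which click trackers commonly nest the destination URL.
# Also an assumption for the example.
REDIRECT_KEYS = {"url", "u", "redirect", "dest", "r"}


def unwrap(url, max_depth=5):
    """Return the list of URL layers found by following nested destination
    parameters, outermost first. No network requests are made; a redirect
    chain is only followed as far as it is visible in the query string."""
    layers = [url]
    for _ in range(max_depth):
        params = parse_qs(urlsplit(layers[-1]).query, keep_blank_values=True)
        inner = None
        for key, values in params.items():
            if key.lower() in REDIRECT_KEYS and values and values[0].startswith(("http://", "https://")):
                inner = values[0]  # parse_qs has already percent-decoded it
                break
        if inner is None:
            break
        layers.append(inner)
    return layers


def affiliate_ids(url):
    """Collect affiliate-style parameters from every layer of a click URL.
    Returns {lower-cased parameter name: [non-empty values]}."""
    ids = {}
    for layer in unwrap(url):
        params = parse_qs(urlsplit(layer).query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() in AFFILIATE_KEYS:
                ids.setdefault(key.lower(), []).extend(v for v in values if v)
    return ids


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample)
        print("  layers:", len(unwrap(sample)), " affiliate ids:", affiliate_ids(sample))
```

Run against a log of the click URLs your ads produce, the output tells you which network each impression was bought through, which is the evidence you need before taking a complaint to the network or the marketing department.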

Alex Eckelberry

BP’s hard medicine

Pretty wild.  BP has taken thousands of employees off its LAN in order to repel hackers.

Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber criminals.

Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.

Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP’s 85,000 laptops now connect straight to the internet even when they’re in the office.

Link here via Funsec.

Alex Eckelberry

Network Etiquette: Is It a Lost Cause?

“Etiquette” is a word that many in today’s world seem never to have heard – at least, judging by their behavior. It refers to the rules, mostly unwritten, that govern what behavior is considered proper or acceptable, especially in public or when interacting with people you don’t know well.

Those born in the baby boomer years grew up with Amy Vanderbilt and later, Miss Manners to tell us which fork to use when and how to formally address a letter. Many of that generation rebelled against the rules, and promoted the philosophy of “if it feels good, do it.” That philosophy has, in many respects, carried over into the Internet world as global connectivity created a brand new online society where we come into contact with many, many more people from all walks of life than previous generations ever did in a lifetime.

The Internet is often compared to the wild west, a “place” of freedom, where the old rules don’t apply. Efforts to impose limits on online behavior (especially by the government) usually meet with great resistance, although that’s slowly changing and it appears our “last frontier” is slowly becoming more tamed.

Is that a good thing or a bad thing? Certainly the stilted conformity of Victorian times wasn’t conducive to creativity or personal gratification. But have we gone a little too far in the opposite direction on the ‘Net, where flame wars rage, “hate speech” flourishes, and pornography of the vilest sort is readily available? Is a world with no rules really a “free” one, or do rules actually exist to prevent some from infringing on the freedoms of others?

I hear many complaints, from Internet users of all ages, about the lack of basic etiquette today, online and off. It does seem that many people are much more inclined to be rude or even hateful in online communications than in “real world” face to face interactions. I guess it makes sense; there’s an illusion of anonymity online that makes folks think they can get away with saying or doing what they want without the same consequences they would face in their offline lives (it’s hard for someone to punch you in the nose or report you to the cops if you’re only a faceless email address or nickname on their computer screens).

Many of the offenses that people complain about aren’t big things: others who “shout” by typing email messages and newsgroup/message board posts in all caps, those who send HTML mail to discussion lists, and so on. These are analogous to the people who break in line at the grocery store or chat loudly on their cell phones in restaurants; their behavior doesn’t endanger anyone or cost us money, but it’s irritating and annoying and temporarily reduces the quality of life for those around them.

In law enforcement, there is a concept called “Broken Windows” that’s based on the premise that little things (like broken windows and other physical signs of deterioration in a neighborhood) lead to big problems. Likewise, little breaches of etiquette on the ‘Net and in real life can, I think, result in an overall deterioration of behavior in general.

Of course, one problem with etiquette is that the same rules don’t always apply everywhere. Just as you aren’t expected to dress, speak or act the same way depending on whether you’re at home, at a friend’s home, or attending a formal function at the White House, netiquette also depends on “where” you are in cyberspace. For example, on some mailing lists it’s verboten to include the entire quoted message to which you’re responding with your response. On others, that’s standard operating procedure to ensure that everyone can easily keep up with the thread as it’s evolved.

Netiquette (etiquette for the Internet) follows the same general principles as offline etiquette. It’s important to remember that all public forums (newsgroups, mailing lists, chat rooms, web boards) are, well, public. And to comport yourself as you would in any public place. If you wouldn’t run up to a stranger at a dinner party and call him a dirty name for expressing an opinion with which you disagree, why would you do it on a mailing list?

Despite the thick books on the subject and the seeming complexity of navigating through the silverware at a formal dinner party, the core principle of etiquette is very simple: behave as you’d prefer others to behave toward you. Respect people and their time and bandwidth. That means knowing whom you’re communicating with and, if they use a dialup connection, not sending an HTML message with embedded photos that will take them an hour to download. Don’t expect instant answers to your questions. Most people have an offline life, too.

Would you call up a doctor or lawyer you’ve met once and ask for a diagnosis of your complicated symptoms or an untangling of your complex legal mess over the phone for free? If not, it’s not okay to email that doctor or lawyer (or computer expert) you “met” on a mailing list and ask questions that will take hours of his/her time to answer.

Don’t waste people’s time by forwarding every joke you get or sending virus warnings that turn out to be hoaxes. Before you pass a story along as true, take a moment to check it out at www.snopes.com or other sites that deal with rumors and urban legends.

New networking technologies bring up new netiquette issues. For instance, with wireless networking, if the owner doesn’t take steps to secure it, anyone within range can hop on the signal and use the Internet connection or even, in some cases, access personal files. But something that many Internet users – especially those who fancy themselves “hackers” – don’t seem to grasp is that just because you can do something doesn’t mean you should do it. Even if there’s not a law against it. And that’s really what netiquette is all about.

What do you think? Should there be rules to play by when we’re online, or should anything go? If Internet users don’t start policing their own behavior, will the government start doing it for them to a greater and greater degree? What rules do you try to go by in your online behavior? What breaches of netiquette do you see most often, and which ones bother you the most? Let us know your opinions.

Deb Shinder

Google explains security issues with the new Google desktop

Gartner has said that the new Google Desktop 3 has security risks for enterprise customers, and Google explains more:

Google told ZDNet UK on Monday that it recognized the risk, and recommended that companies take action. “We recognize that this is a big issue for enterprise. Yes, it’s a risk, and we understand that businesses may be concerned,” said Andy Ku, European marketing manager for Google.

Google confirmed to ZDNet UK that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented “as much of a security risk as e-mail does.”

“Theoretically any intellectual property can be transferred outside of a company,” Ku said. “We understand that there are a lot of security concerns about the Search Across Computers feature, but Google won’t hold information unless the user or enterprise opts in (to the feature).”

If you’re concerned, just disable the Search Across Computers feature. 

Link here.

Alex Eckelberry

Correction:  The “search across computers” feature comes disabled and the user needs to change the settings so it is associated with their Google Account, if they have one. 

Completely off topic

One of our systems engineers, Jason Reynolds, happened upon two Dodge Calibers in Tampa over the weekend — a rare sight. They have only been seen in public a few times without spy cladding.  Dealers are expected to get them very soon.


More pictures here. (This is a clean link, the last one had a banner ad supporting WinFixer, which we just don’t appreciate.)

Alex Eckelberry

180Solutions responds

180Solutions has issued a press release in response to blog postings (Edelman, Vitalsecurity, Suzi Turner, Sunbelt) about an illegal driveby install of their product (along with a slew of other adware programs):

180solutions, Inc., the leading provider of Internet search marketing solutions, today became aware of a publisher with an online name of “Sniper84” who hacked its software in a way that caused the company’s notification and consent process to be automatically accepted, denying users the ability to make that choice for themselves.

Despite an unprecedented effort by some industry critics to keep secret the critical information that would have led to a quicker shutdown of the fraudulent behavior, the company, through its own policing mechanisms, was able to track down the nefarious actor responsible and shut him down. This rogue publisher will not receive any payment for these installs and as stated in the Code of Conduct, will be subject to further financial penalties and legal action. 

… “No software is ever hack-proof,” said Keith Smith, co-founder and CEO of 180solutions. “Thanks to our recently-developed S3 technology, we were able to identify the rogue  publisher, immediately shut down the channel, and implement our re-messaging efforts in which every user involved in this exploit will be required to re-opt in to the download of our programs if they wish to keep the software.”  

More here.

Alex Eckelberry

Mac OS X “serious flaw”

Sans reports:

We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X.  “In its default configuration shell commands are execute[d] simply by visting a web site – no user interaction required.”  This could be really bad.  Attackers can run shell scripts on your computer remotely just by visiting a malicious website.

Link here.

Alex Eckelberry
(Thanks Eric)

The complete Edelman collection

Follow-up to my prior posting in early January: All five of Jeff Molander’s interviews with Ben Edelman are now available online.

What exactly is adware? How does it work to the detriment of advertisers and what can they do to combat it? Do advertisers even want affiliates to stop using adware and if so can they count on affiliate networks to help?

Spyware/adware consultant and Harvard PhD candidate Ben Edelman helps us understand in a five part series of shorts.

Link here.


Alex Eckelberry
(Thanks Dean)

Secure Computing’s answer: We are not responsible

Saturday, I blogged that Secure Computing LLC had responded to a lawsuit by Microsoft and the Washington State AG.  However, I couldn’t find their Answer on the PACER system (a way to get Federal court documents online). I had even contacted the attorney in the case with no success.

Well, this morning Eric Chien over at Symantec was kind enough to provide me with the docs. 

And it’s worth reading.

While I can’t claim to have done an exhaustive study of both the original complaint by the AG and Secure Computing’s response, a few points struck me in their Answer:

False positives: The original lawsuit shows a number of standard Windows registry keys being marked as “Bonzi Buddi”.  These are clearly false positives.  However, Secure’s answer is:

“Secure Computer was consistently advised by the developer that the product was without ‘false positives.’”

Huh? Since when did an assurance from your developer absolve you of responsibility?  We’ve had our own issues with false positives, as have virtually all other antispyware companies, and getting an email from your developer assuring you that “no, there are no false positives”, without any independent investigation and research, seems laughable. 

Erasing the Hosts file contents: Secure defends its practice of erasing the contents of the Windows hosts file:  

“Simply stated, there is ample independent expert commentary to support a complete removal of the contents of the hosts file in order to optimize scan results. This is exactly what Secure Computer’s software was doing.”

Whoa.  I’m sorry, but running a free spyware scan and getting your hosts file hosed (when you might have built it up to your preferences over a long period of time) is, in my mind, totally irresponsible, and I really don’t know what “expert commentary” would support this action.  Remove individual entries if they are bad, but don’t just arbitrarily wipe out the hosts file contents.
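The selective approach the paragraph calls for can be done mechanically. The following is an added example, not code from this post or from any product discussed here. It keeps every hosts entry that resolves to a loopback or RFC 1918 address (the user’s own ad-blocking and LAN entries), and removes only lines that point a protected domain at some other address, which is the classic spyware hijack. The sample hosts content, the attacker address, and the list of protected domains are constructed for the example; a real tool would ship a maintained list.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line, two user-added
# entries (an ad sinkhole and a LAN name), and two hijack entries of the kind
# spyware plants to keep security vendors and Windows Update unreachable.
# 203.0.113.5 is a documentation address standing in for an attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# user-added entries
127.0.0.1       ads.example.invalid
192.168.1.10    fileserver
# entries planted by spyware (constructed)
203.0.113.5     securityresponse.symantec.com
203.0.113.5     windowsupdate.microsoft.com   # hijack
"""

# Domains a hijack typically targets. Assumption for the example only.
PROTECTED = {
    "windowsupdate.microsoft.com",
    "securityresponse.symantec.com",
    "www.symantec.com",
}

# Address ranges a legitimate user entry is allowed to point at: loopback
# (sinkholing) and RFC 1918 space (naming LAN hosts). Anything else that
# overrides a protected name is treated as a hijack.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split a hosts line into (address, [names], comment).
    Returns None for blank and comment-only lines."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if not fields:
        return None
    return fields[0], fields[1:], comment.strip()


def is_hijack(addr, names):
    """True if a protected hostname is mapped to an address outside
    loopback/private space. Unparseable addresses are left alone."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or any(ip in net for net in LOCAL_NETS):
        return False
    return any(name.lower() in PROTECTED for name in names)


def clean_hosts(text):
    """Return (cleaned_text, removed_lines). Comments, blank lines and every
    non-hijack mapping are preserved byte-for-byte; only hijacks are dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and is_hijack(parsed[0], parsed[1]):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, dropped = clean_hosts(SAMPLE_HOSTS)
    print("removed %d hijack line(s):" % len(dropped))
    for line in dropped:
        print("  ", line)
    print(cleaned)
```

On a real machine you would read `%SystemRoot%\System32\drivers\etc\hosts`, show the user the `removed` list before writing anything back, and write the cleaned text to a temporary file that is then renamed over the original. The check is deliberately conservative: a protected name pointed at loopback is assumed to be the user’s own sinkhole, not a hijack.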

They claim they never had an affiliate program in place: 

“Secure Computer operates no affiliate program at all, despite the allegations of the Plaintiff. All of the allegations about third parties marketing the products of Secure Computer relate to activities undertaken by the sales force engaged solely and exclusively by “Clickbank.com.” Secure Computer does not operate an affiliate marketing program.”

To me, this appears to be a play on words.  ClickBank is its own type of affiliate program with a large number of affiliates in place (basically, it’s sort of an affiliate and low-level marketplace hybrid).  Few companies (like Amazon.com) actually run and manage their own affiliate program (we don’t either, we use a third party system for affiliates).

Blame the affiliates: They blame the spam and Windows Messenger popups on ClickBank affiliates.  Whatever.  Under the CAN-SPAM Act, the advertiser is responsible for how their products are marketed through email.  Otherwise, everyone would be able to use the hackneyed “it’s not our fault, it’s the affiliates” argument. 

Comments about Microsoft:

“Plaintiff, while touting the benefit of using the Microsoft AntiSpyware software, fails to disclose that Microsoft’s anti-spyware software is presently identifying a primary competitor’s anti-spyware software (Symantec’s Norton Anti-Virus) as a “password stealer,” leading to destruction of that program on consumer’s computers around the world, and more notably, throughout the State of Washington. Likewise, Plaintiff fails to note that Microsoft’s anti-spyware software does not report Claria as adware, even though the industry considers it an aggressive adware program.”

And

“Microsoft is attempting to buy Claria for undisclosed sales and marketing purposes.”

Actually, this is a bit different: You don’t have to buy Microsoft AntiSpyware, so if it presents a false positive that scares you, you don’t have to pay to remove this “threat” (something you had to do with Secure’s product).  Secondly, Microsoft AntiSpyware carried the Symantec false positive for only a very short period of time.  And finally, MS AntiSpyware DOES, in fact, detect Claria as adware.  

And Microsoft is not “attempting to buy Claria”.  This was a controversy that blew over back in July of last year.

Free scan: While I strongly disagree with the practice of “scan and buy” spyware scanners (where you download a spyware scanner, it finds all sorts of nasties, but you have to pay to remove anything), they do make a good point about one thing: The AG’s complaint said “Defendants mislead the user into believing that they are only downloading a free scanner, something that is different from anti-spyware software”.  Secure’s answer: “Plaintiff ignores the fact that almost every anti-spyware application works the same way as Secure Computer’s Spyware Cleaner.” That’s a broad statement, but they are right that using the phrase “Free spyware scan” to describe a full download of an antispyware application is not an uncommon practice.

My read on the whole situation?  Secure had what was probably an unremarkable antispyware product on the SpywareWarrior rogue antispyware list, which had false positives and was marketed in an extremely aggressive fashion, through their use of ClickBank (itself a popular affiliate program for rogue antispyware programs).  The company is trying to absolve themselves of any responsibility in the matter.  While they certainly aren’t in the criminal class of the SpywareSheriff/Raze/Winfixer crowd, it does appear that they still have some dirty laundry to take care of. 

It’s an object lesson about being careful as to what affiliates you use and how you market on the Internet. 

Finally, remember that these are the guys who allegedly had this popup:


(Image from the Washington AG’s complaint)

And here’s all the details (for convenience, I’ve also linked to the original Microsoft/Washington State AG’s complaint here.)

Securecomputeranswer.pdf (87 KB)

exhibita.pdf (566 KB)

exhibitb.pdf (177 KB)

exhibitc.pdf (698 KB)

exhibitd.pdf (1086 KB)

exhibite.pdf (663 KB)

exhibitf.pdf (429 KB)

traubanswer.pdf (165 KB)


Alex Eckelberry

180’s S3 Notice Prompt Bypassed

Ben Edelman has a new piece up in which he documents an illegal force-install of 180solutions’ Zango Search Suite (Zango Search Assistant, Zango Toolbar, Media Gateway) on his test machine. While force-installs of 180’s software are certainly nothing new, this particular installation does present something of note: it seems the bad guys have figured out how to bypass 180’s new S3 (“Safe & Secure Search”) notice prompt, which is supposed to notify users of 180’s software and gain users’ consent to the installation of that software.

The S3 notice prompt was just one component of the larger “S3 technology” that 180solutions announced to the world back in September and October of last year. According to 180 (which was the target of a recent complaint by the CDT to the Federal Trade Commission) – S3 promised to help “prevent the suppression or manipulation of the user consent experience by rogue distributors who use botnets, Windows security holes and other illicit means to fraudulently install the company’s software onto computers without user consent.” All 180 affiliate distributors were forced to adopt S3-enabled installers by the end of 2005.

The bad guys, however, have already figured out how to circumvent this new notice prompt in order to install 180’s software without users’ consent, and Edelman’s piece points out just how trivially simple it was to do so. That the S3 notice prompt was rendered worthless so quickly should come as no surprise to anyone who has read Brian Krebs’ recent eye-opening piece on botnet masters who install 180’s software for profit — the “pay-per-install” money that 180 offers affiliate distributors is tempting enough to attract even outright criminal elements with little regard for the prohibitions and stipulations of affiliate contracts.

Although Edelman has refused to publicly divulge the source of the force-install he discovered (even his video is heavily edited), Sunbelt has tested the same installation and can confirm that the install operates in just the way that Edelman describes. This installation kicks off with a combined CHM and WMF exploit when users land on a certain web page, either by visiting the page directly or by being redirected to it through an exit prompt at another web site (as in Edelman’s case). The installation process automatically dismisses notice prompts for both Zango and YSBWeb (IST) without any user intervention or consensual action whatsoever. By the time this install winds down, users’ PCs have been buried under a bone-crushing load of adware, including:

Zango Search Suite
WhenU Save
YourSiteBar (IST)
TargetSaver
New.net
Webhancer
Regifast
Tagasaurus
Internet Optimizer
Surf Sidekick
Elitemediagroup
Command
QuickLinks
VaultSearch
Freeprod
Mirar Toolbar
Zenotechnico
ConsumerAlertSystem
WinFixer

It’s worth noting that this is not the first instance in which a much ballyhooed notice prompt that was incorporated into 180’s software to thwart rogue affiliate distributors has been circumvented. Almost one year ago Sunbelt documented the fact that 180solutions was itself bypassing its own “CBC Force Prompt” (a predecessor of the S3 notice prompt) in certain circumstances, rendering that allegedly improved form of notice and consent effectively worthless.

Note: although Sunbelt has reproduced the exploit install documented by Edelman, Sunbelt intends to honor Edelman’s refusal to identify the source of that install to the public, 180solutions, or any other adware vendor/distributor. Sunbelt will provide (and indeed already has provided) details of the install (including a video) to law enforcement and regulatory authorities as well as to recognized members of the press. For Edelman’s justification of his refusal to divulge the source to 180solutions, see here. Government officials and journalists interested in learning more about this installation should contact Sunbelt’s Director of Malware Research:

Eric L. Howes
ehowes (at) sunbelt-software.com
727-562-0101 ext. 320

Oh, and while we’re talking about surveillance cameras…

(Image: Sanyo)

Houston Police Chief Harold Hurtt loves cameras:

Houston’s police chief on Wednesday proposed placing surveillance cameras in apartment complexes, downtown streets, shopping malls and even private homes to fight crime during a shortage of police officers.

“I know a lot of people are concerned about Big Brother, but my response to that is, if you are not doing anything wrong, why should you worry about it?” Chief Harold Hurtt told reporters Wednesday at a regular briefing.

Link here via techdirt.

Notice the refrain from the standard police-state siren song: “You have nothing to worry about if you’re innocent!”

Wrong.

I’ve said this before:

The fear of real or perceived threats has historically been the justification for the biggest assaults on civil liberties.

Do we really want to live in a “safe” society that has cameras on every corner? Do we want our every move watched? Is that an exchange for perceived “protection” that we’re really willing to make? Are we so afraid that we have to destroy our own civil liberties?

Furthermore, who is doing the watching? It’s one thing to have a casino watch your every move, or for airport security officers to keep a watch for terrorists, but it’s another to have some anonymous civil servant observe you on every street corner.

Governments always want more control and more oversight. It’s the nature of government. But that doesn’t mean it’s right.

Alex Eckelberry