The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
Paul Roberts at eWeek has started a weekly podcast on security.
In this debut OnSecurity podcast, eWEEK Senior Writer Paul Roberts talks with Eric Sites, vice president of research and development for Sunbelt Software, about the malicious hacker program CoolWebSearch, and what IT managers and users can do about it.
Podcast link here.
Alex Eckelberry
We do hire interesting people, and along those lines, Joe Wells, our chief scientist for security, has written a sci-fi book. It’s a free download, along with maps to accompany the storyline. There’s also a “Story Development Kit” that is planned for release allowing for other writers who might want to use the world and it history.
The book is free, and you can download it here.
Alex Eckelberry
Oh boy, this takes the cake. An antispyware application which bundles in adware.
In order to install Spy-Shield, you have agree to install BestOffersNetwork (formerly known as DirectRevenue) adware. The EULA for the BestOffersNetwork software is shown right after you start to run the installer for Spy-Shield. If you refuse the BestOffersNetwork installation, Spy-Shield will not install…
Absolutely unbelievable. Link here.
Alex Eckelberry
A timely follow up to yesterday’s blog posting on other people’s wi-fi connections:
Ontario Provincial Police charged a 25-year-old man last week under Section 326 of the Criminal Code – “Theft of Communications.”
The OPP allege the man was using his lap top computer to steal a wireless Internet connection in Morrisburg.
Alex Eckelberry
Update from Wired: Editor’s note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.
Wired just posted an article on some outstanding work that Lance James at Secure Science worked on with regard to porn payment processor iBill. We collaborated with him later on the project as well.
From the article:
Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it’s been bought and sold in a black market made up of fraud artists and spammers, security experts say.
…Secure Science found that data in February 2005, and reported it to the FBI’s Miami field office, the company says. The FBI declined comment.
Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list appeared to date from 2003.
Link here.
Alex Eckelberry
There’s Raze, SpySheriff, PestTrap, SpyAxe and all the rest. Now there’s BraveSentry.
Below is a screen shot of an infestation from Game4all(dot)biz that installed both BraveSentry and Alfacleaner:
Here is the desktop hijack associated with BraveSentry:
bravesentry.com
Ocean Industries Daniel Ocean
Amsterdam NL
Email: ceo @ bravesentry.com
Other site in the IP:
anosurfer.com
Pietro Miezani Privaweria Ltd
Gua EC
anosurfer @ anosurfer.com
Our dear friend “anosurfer” is also apparently related to SpySheriff
Alex Eckelberry
(Thanks to Sunbelt researchers Patrick Jordan and Adam Thomas)
We’ve moved to new digs. Basically, this is a consolidation of our operations that were previously in two buildings.
Our new mailing address is:
33 N. Garden Avenue
Suite 1200
Clearwater, FL 33755
The view is beautiful (this image shows the view of the Gulf of Mexico) and the building is quite nice.
A side note: I am so cheap that instead of buying nice new furniture, we simply bought furniture from the previous tenant and didn’t do any redecorating (I’d rather spend money on R&D than fancy furniture). However, the previous tenant was some kind of financial services company, and all the furniture and decorations looks like something out of a bank lobby. It’s very high quality, beautiful stuff, but it’s a bit funny to have a high tech company in offices which look like they should be on Wall Street.
Oh, and did I mention that we’re hiring? 😉
Alex Eckelberry
I’m sure you’ve seen this in the past — you’re looking at something online and right next to it is an inappropriate advertisement.
Such is what happened Monday in the New York Post. The Post, which apparently contracts with aQuantive to sell its online advertising inventory, ran the story of the sexual assault and murder of college student Immette St. Guillen. Unfortunately, in the story online was an advertisement for True.com, which according to Mediapost:
“…in an especially bizarre coincidence, the creative, which carried the tagline “Get Soaked By Love,” featured a young dark-haired woman who physically resembled St. Guillen, staring suggestively at the camera.
…Not all visitors to the site Tuesday were shown the ad. DrivePM used its cookie-based behavioral targeting technology to display the ads to users who met certain criteria. The ad also appeared to be frequency capped, so that the same visitor didn’t receive that ad every time the page loaded. By Tuesday evening, DrivePM had made arrangements to remove the ad from its rotation on the Post’s site.”
True.com was not happy about this:
True.com, which bills itself as an especially safe dating service because it screens all members for a criminal history, said it would not have approved of having an ad accompany this particular story.
“If you’re going to talk about online dating, you just wouldn’t want to associate with someone being raped and murdered,” said Cornell McGee, senior vice president, acquisition marketing at True.com. “You’d think that would be common sense.”
True.com had only been using aQuantive’s DrivePM to place ads for about three weeks, McGee said. He added that True.com would develop a policy to prevent ads from being displayed in stories it considers inappropriate.
MediaPost article link here.
It is a problem with third party ad networks — how do they screen sites and contents to match their advertising? It’s easy in the print world, because when a newspaper or magazine goes for layout, the content can be made compatible with the advertising (and ad buyers can choose the actual vehicles to advertise in, so that they can match their audience to their product).
Ben Edelman has written about this problem in the adware space, where children were being exposed to advertising for adware.
This is a big reason why third party ad networks like tracking cookies — it gives them some way to infer demographics and tastes and hence, display advertising that attempts to match the behavioral characteristics of the viewer (for example, an advertisers can infer that someone who goes to a lot of NASCAR sites might be interested in Ford trucks or Budweiser beer). However, it’s imperfect because a) many people hate cookies and b) there are privacy concerns and c) it is a actually a fairly sloppy way to gauge demographics.
Enter companies like Claria, who promise much better behavioral based advertising with BehaviorLink, a third party ad network that apparently melds adware with advertising on site pages. That doesn’t seem to make much sense either from a privacy standoint.
In order to truly allay privacy concerns and insure compatibility of the advertising message with content, it’s going to require a lot of manual labor. In this era of automation, that’s going to be a challenging task for ad networks who want to make automation work for them.
Comments?
Alex Eckelberry
Back in November, we expressed concern over TRUSTe’s plans for its “Trusted Download Program,” which should be going into beta very soon.
At the heart of the “Trusted Download Program” will be a whitelist of adware vendors whose practices satisfy TRUSTe’s requirements for notice, consent, distribution, and uninstallation. According to TRUSTe, this whitelist allows “market incentives” to “promote ethical behavior” among adware vendors seeking certification because the white list “will be used by companies beginning with program sponsors such as Yahoo!, AOL, Computer Associates, CNET Networks and Verizon as a tool to make business decisions about advertising, partnering or distributing software products.” In short, the idea is to dangle economic carrots in front of misbehaving adware companies in order to coax them into improving their naughty practices.
We certainly don’t doubt the attractiveness of this white list to adware vendors, many of whom have been scrambling for any scrap of legitimacy they can lay their hands on — loading up their web sites with empty “privacy pledges” and “certified spyware free” logos while issuing endless self-congratulatory press releases in which they celebrate their own “consumer friendly” self-reforms. Not surprisingly, there are signs that adware vendors are already lining up at the door in order to get white-listed.
Some, it would seem, can’t even wait for the door to open. Last week, UTcontextual, a British company that handles ad campaigns in Britain for a number of adware vendors, jumped the gun and issued a press release in which announced to the world that…
“the company confirms that all six contracted networks managed by UTcontextual, will strictly adhere to the TRUSTe download program.”
The press release even includes a laudatory quote from a certain “Tony Sullivan of Media Services” who remarked that
‘”UTcontextual has always delivered ethical advertising opportunities, and it is no surprise that they are first in the UK to publicly back the TRUSTe initiative.”
So just who are these upstanding partners of UTcontextual — partners whose practices have been so sterling that UTcontextual itself has “always delivered ethical advertising opportunities”? They are…
Hardly what one might consider a list of angels, in other words.
DirectRevenue: Although DR has taken substantial steps in the past few months to improve its distribution practices, the company had to be dragged kicking-and-screaming to the point it would even consider serious changes. The subject of a class action law suit and well known (in the past) for threatening critics with legal action, DR gained notoriety last year for carpet bombing the internet with its much-hated “Aurora” program (remember nail.exe?).
Exact Advertising: Another well known adware vendor (Bargain Buddy, CashBack Buddy, Navisearch, BullsEye Network), eXact is also the target of a civil lawsuit over its installation and distribution practices.
Hotbar: This company’s poor practices were exposed last year by both Sunbelt and Ben Edelman..
Claria: Although improving its behavior over the past year or so, Claria’s practices still leave much to be desired (link here and here).
WhenU: The same holds true for WhenU, which has implemented significant reforms over the past year and a half, but which still has nagging problems, including several recent documented force-installs (link here and here).
180solutions: 180 has had no end of problems with unethical and illegal installations over the last few years. 2005’s list of bad installs and bad practices is staggering enough. But 180 has already seen several outbreaks of bad installs in 2006, the latest being through a security exploit. Ever optimistic, 180solutions has elsewhere expressed confidence that it will meet the Trusted Download Program’s requirements.
Given the history of this collection of adware vendors, how is it that anyone can claim that UTcontextual has “always delivered ethical advertising opportunities” — the kind of absolute statement which makes it sound like TRUSTe certification is an afterthought at best? And how can the company “confirm” with such certainty that all of its adware partners “will strictly adhere to the TRUSTe download program”? Not only is it TRUSTe’s job to “confirm” that adware vendors adhere to its standards, but to our knowledge TRUSTe hasn’t even initiated the application and certification process.
It’s just this kind of effort to exploit the TRUSTe program for publicity that gives us pause. Certainly TRUSTe cannot itself completely control the PR departments of adware vendors, and we don’t doubt that TRUSTe has anything but the most serious commitment to ensuring that vendors white-listed through the Trusted Download Program actually meet the program’s requirements. (The practical matter of whether TRUSTe can conduct the kind of thorough investigations required to issue and stand behind white-list certifications for adware vendors is another problem that troubles us.)
This press release is evidence, though, that the program is already attracting adware vendors with a long history of poor practices, a legacy installed base in part derived from these poor practices, and a penchant for exploiting any perceived mark of legitimacy. No one should be surprised at that the companies most desirous of certification and white listing are those who in many respects least deserve it. A similar phenomenon has plagued TRUSTe’s privacy seal program — sites with TRUSTe privacy seals are more likely to be privacy invasive than those without, as it is the privacy invasive sites that most value the air of legitimacy and consumer friendliness that such a seal confers.
Although TRUSTe has insisted that the Trusted Download Program is not be a “consumer facing” seal program, we fully expect that any adware vendor white-listed by TRUSTe will wield that certification as a stick against anti-spyware companies such as Sunbelt — an alleged “industry standard” certification with which Sunbelt is out of step should Sunbelt continue targeting that vendor’s adware programs. Thus, it’s worth reminding users, administrators, and adware vendors that even TRUSTe itself recognizes that anti-malware providers are not bound to respect TRUSTe’s own whitelist. TRUSTe’s “Program Requirements” document states:
“For example, TRUSTe understands that some potentially unwanted software applications may reach users’ computers, and that antispyware software will continue to provide a means of detecting and removing software that fails to meet the standards of the anti-spyware industry or the interests of anti-spyware consumers. TRUSTe hopes that antispyware companies will consider the whitelisting of a company as a useful input into their research efforts, but recognizes that antispyware companies may have different valid methods of evaluating programs and may consider additional relevant factors important to their users.: (“Program Requirements,” p. 2)
Moreover, the independence of Sunbelt’s spyware review process is explicitly established within Sunbelt’s Listing Criteria, which state:
“Although Sunbelt Software does consult and review the opinions and judgments of respected industry experts and leaders regarding the software it considers for detection by CounterSpy, Sunbelt is not obligated to agree with those other viewpoints, nor is Sunbelt obligated to recognize and respect third-party seals, logos, certifications, or classifications of any kind. As Sunbelt’s primary obligation is to its own customers, Sunbelt is bound to make its own independent decisions about software detected by CounterSpy.” (Link )
Put another way, despite what we anticipate adware vendors will be saying about the TRUSTe whitelist, Sunbelt will not be basing its targeting decisions on that white list but rather on its own Listing Critera. We would hope that adware vendors would recognize and respect the independence of Sunbelt’s review process, but we wren’t counting on it.
Eric Howes
Director of Malware Research
Note: this blog entry was updated on March 18 to include 180solutions (MetricsDirect) in the list of adware vendors mentioned in the UTcontextual press release.
It looks as if upgrading from one edition of Windows Vista to another is going to be much easier than ever before, with Microsoft’s Windows Anytime Upgrade feature. This appeared in the latest beta of Vista, and allows you to upgrade from Vista Home Basic to Vista Home Premium or Ultimate editions, to get more features and functionality. Read more about it here.
You open up your laptop computer and see three wireless networks displayed as available. You pick one, click Connect, and a few minutes later you’re surfing the Web – on somebody else’s Internet connection. You might be sitting on your front porch, picking up a neighbor’s wi-fi signal, or in a hotel room, connecting to the hotel’s own wireless network or that of a law firm across the street. It’s a common scenario that’s happening all over the country every day.
Most new portable computers, PDAs and even Windows Mobile cell phones come with built in 802.11 wireless network adapters. They’re handy for connecting to the many wireless hotspots that are springing up all over, in airports, restaurants and coffee shops, parks, etc., as well as for connecting to your own home wireless access point. Some of these hotspots are commercial and require you to pay a daily or hourly fee to connect. Some are free, operated by municipal governments and funded by taxpayers or established by businesses to draw in customers. And some aren’t really hotspots at all – at least, not intentionally. They’re private networks set up by companies and individuals who aren’t well versed on computer security and don’t realize they’re leaving themselves open to connections from anyone within a several-hundred-foot range with a wireless-enabled computer.
“War drivers” make a pastime of hunting down unsecured wireless networks and hopping on, wherever they may be. They argue that they aren’t doing anything wrong and aren’t hurting anyone if they just use the bandwidth to Web surf or get their email, and don’t try to access files on the other computers that may be connected to the network. Others disagree, pointing out that the owner of the network is paying for that Internet access and the “free rider” is in effect stealing bandwidth. Who’s right?
We’ve had a lot of questions wanting to know whether connecting to a wireless network that you just “stumble across” is illegal. That’s not an easy question to answer. Some point to federal law, specifically Title 18 of the U.S.Code (Chapter 47, Section 1030). At first glance, it would seem to address the situation by prohibiting unauthorized access to computers, but as you read further, you see that it really only pertains to certain types of networks – those that belong to federal government agencies and departments, financial institutions, or those involved in interstate commerce. While that last one might be interpreted broadly enough to cover connecting to that law firm if it has out-of-state clients, you may be hard pressed to find anything that applies to your next door neighbor’s home network. You can read the federal law yourself here.
State laws vary all across the board, and their language is often even more vague. Hwo do you define “unauthorized access,” anyway? One could reasonably argue that by leaving a wireless network unsecured, you are in effect setting up a public hotspot and issuing an implied invitation to use it. Perhaps this analogy will help: in most jurisdictions you can’t prosecute someone for trespassing if he simply walks across your yard, but if you put up a fence and “no trespassing” sign, then you can because you’ve taken steps to make people aware that you don’t want them there.
Likewise, if you use encryption and require users to authenticate to connect to your network, you’re giving notice that you don’t want any and everyone to connect. But if you leave it open so that all anyone has to do is click the Connect button, you may seem to be saying “come on in.”
Last summer, a man in Florida was arrested on felony charges of unauthorized use of a wireless network when he sat in a parked car and connected to a WAP in another man’s house. The story made big news when it happened but we’ve been trying to find out, with little luck, what the disposition was.
Of course, stealing bandwidth isn’t the only (or biggest) concern. If someone uses your network to commit illegal acts, such as downloading child porn or sending threatening emails or conspiring to commit terrorist acts, you could find yourself the object of police investigations or worse.
What if, despite that risk, you want to share all you have with the world, and choose to deliberately leave your wireless network open so others can share your DSL or cable connection to the Internet? No problem, right? Well, actually, your ISP may not appreciate your generous spirit. While it’s not a criminal offense for you to share, it may very well be a breach of your contract with your ISP for which you could have your service terminated or even be sued. Check the Terms of Service (TOS) before you share. Some providers are okay with sharing.
For example, see Speakeasy’s Wireless Sharing Policy here.
What do you think? Should connecting to a wireless network without permission be a crime, even if it’s left unsecured? After all, you wouldn’t just walk into a stranger’s house just because it was left unlocked.
Or should the responsibility be on network owners to put up a virtual “fence” if they want to keep others out? Do you ever connect to available but “unknown” wireless networks just for fun, or when you can’t get a connection any other way? What about voluntarily sharing your bandwidth? Should that be your right since you pay for the service, or should your ISP have the right to tell you “no?”
Deb Shinder
There’s this new thing called “BioBouncer”, a facial recognition system for bars. The whole idea behind it is bars can start to maintain a database of troublemakers, which can be shared with other bars.
Well, this is all rather interesting, isn’t it? It’s one thing to have a CCTV inside of a bar. It’s another to start maintaining digital data that is shared with other businesses on their own customers.
In a Wired article, EFF’s Lee Tien makes one point:
Lee Tien, a staff attorney with the Electronic Frontier Foundation, said people may find BioBouncer insulting or invasive. Facial recognition software is notoriously inaccurate, he said, and he is concerned that data-sharing could be used to blackball innocent partiers.
“Think about it: Someone doesn’t like you, your photo gets in there, you walk in someplace and they’re telling you, ‘You’re a troublemaker, you got bounced from that other bar.'”
Bruce Schneier blogs about the subject and has this to say, more related to the creeping aspect of these types of applications:
Anyone want to guess how long that “automatically flushed at the end of each night” will last? This data has enormous value. Insurance companies will want to know if someone was in a bar before a car accident. Employers will want to know if their employees were drinking before work — think airplane pilots. Private investigators will want to know who walked into a bar with whom. The police will want to know all sorts of things. Lots of people will want this data — and they’ll all be willing to pay for it.
And the data will be owned by the bars that collect it. They can choose to erase it, or they can choose to sell it to data aggregators like Acxiom.
It’s rarely the initial application that’s the problem. It’s the follow-on applications. It’s the function creep. Before you know it, everyone will know that they are identified the moment they walk into a commercial building. We will all lose privacy, and liberty, and freedom as a result.
The company is requiring bars that use the service to have a conspicuous sign which includes the following
Wired article here via Bruce Schneier.
Needless to say, I’m sure you can imagine my feelings about this thing. I don’t like it one bit. The signs may go up, people will notice for a while and then forget it’s there. And you’ve just lost one more part of your freedom.
Alex Eckelberry
(From BioBouncer’s website)
The IT Security Services crew at the University of Michigan have written a fairly extensive whitepaper on security considerations for Google Desktop.
Unfortunately, it only covers version 2.0, not the new 3.0 — the one which has a number of people quite concerned. (It is important to remember that the feature that’s most disconcerting to folks is Search Across Computers, which is not enabled by default.)
Nevertheless, it’s still a good read and I look forward to an updated version with their comments on 3.0.
From the whitepaper:
1. Google Desktop should not be deployed
a. As part of a “standard build” that is available to all users
b. On workstations that process sensitive (per SPG 601.12) data
c. In Terminal Server environments
d. On workstations that do not follow common security best-practices such as automatic OS updates and automatic AV updates
e. On workstations that leverage external (non-UM) email or IM services
2. Instead, Google Desktop should only be deployed to individual users on an “as-needed” basis in accordance with the following deployment guidelines:
a. Disable Google Integration
b. Disable Network Drive Indexing
c. Disable Indexing of secure web pages
d. Disable Indexing of Instant Messages
3. In managed Windows environments
a. Use the
b. Be prepared for “zero-days” in the indexer by ensuring that you can centrally disable it.
4. Finally, make user’s aware of
a. Google Desktop’s privacy policies and, in particular,
b. Privacy concerns with Google Desktop Advanced Features
Link here (via Martin McKeay).
As always, your comments are welcome.
Alex Eckelberry
Process Explorer is one of several extremely cool tools made by Windows uber-guru Mark Russinovich.
In a recent blog posting, he explains how you can use Process Explorer to run specific applications as a Limited User, without the attendent hassles of actually running the entire user session as in Limited User mode.
An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.
Process Explorer’s Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges:
Link here.
Alex Eckelberry
There’s this new paint that’s been developed that can dynamically shut off cell phone reception:
“You could use this in a concert hall, allowing cell phones to work before the concert and during breaks, but shutting them down during the performance,” said Michael Riedlinger, president of NaturalNano.
The cell phone guys hate it. But they have a point:
“We oppose any kind of blocking technology,” said Joe Farren, spokesman for The Wireless Association, the leading cell phone trade group. “What about the young parents whose baby-sitter is trying to call them, or the brain surgeon who needs notification of emergency surgery? These calls need to get through.”
Blocking RF as a general practice may have practical uses. But in the way this is marketed, do you agree with the cell companies or the paint maker?
Alex Eckelberry
My earlier blog story on Hotbar apparently not being happy with the Symantec settlement had a broken link. In the interest of fairness, I am publishing this new blog entry with the correct link, here.
Alex Eckelberry
Google is moving Google.cn offshore.
The Mountain View, Calif., company has decided to store search records from the site outside of China in order to prevent that government from being able to access the data without Google’s consent, said Peter Norvig, Google’s director of research, speaking Monday at a panel discussion at Santa Clara University.
All similar types of Internet companies doing business in China should follow the same move.
Alex Eckelberry
NOTICE: This Blog contains information that may be indirectly or directly critical to the Chinese Government and hence may be in violation of Chinese Government Law. If you reside in mainland China, do not read or even allow this blog to enter your thoughts.
His son is suing to have his Dad removed from managing the family’s trust.
“A renowned psychiatrist from UC Irvine was duped into squandering at least $1.3 million of his family’s fortune on a Nigeria Internet scam, according to a lawsuit recently filed by his son.
The son, also an Orange County doctor, said his father — Dr. Louis A. Gottschalk — gave as much as $3 million over a 10-year period in response to an Internet plea that promised the doctor a generous cut of a huge sum of cash trapped in African bank accounts in exchange for money advances.”
Link here.
Alex Eckelberry
Only regulated gaming houses will be allowed online. The state is losing too much money in tax revenue.
A few hours ago the recently approved measure forcing Italian internet service providers to block unlicensed online gaming websites entered into force. The censoring method recommended by the [Italian] Amministrazione Autonoma Monopoli di Stato – the State Monopoly Agency – is based upon the redirection of queries to unauthorized websites to a dedicated website by using the ISP DNS systems.
So a country is censoring all traffic to a particular segment of the Internet. Nuts.
Link here, with a hat tip to Ferg.
Alex Eckelberry
Hotbar founder Oren Dovronsky apparently doesn’t like the company’s settlement with Symantec:
“We don’t understand why they’re vilifying us; it’s just not fair,” said Hotbar founder Oren Dovronsky via the Hebrew news Web site Ynet. “There is no adware company in the market so upstanding as Hotbar.
“Indeed, there is a great confusion of concepts. It’s not at all clear what adware is. If it’s a program that presents advertisements, then there are a lot of programs that need to be included in that category, including MSN Messenger,” Dovronsky said.
Link here.
Alex Eckelberry
(Hat tip to Richard)
