If you’re a little confused by the events last week, take a look at this FAQ that CNET put together. Link here.
Alex Eckelberry
The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
Link.
Alex Eckelberry
(Thanks Lance)
There was a lawsuit filed yesterday against a few phone companies for billions of dollars for turning over calling records to the government:
“AT&T Corp., BellSouth Corp and Verizon Telecommunications are facing lawsuits seeking billions of dollars in damages for the decision to turn over calling records to the government, the New York Times reported Saturday.” (Marketwatch)
Meanwhile, the gubmint is trying to get the EFF’s class action lawsuit dismissed, because:
“Only the United States is in a position to protect against the disclosure of information over which it has asserted the state secrets privilege, and the United States is the only entity properly positioned to explain why continued litigation of the matter threatens the national security.” (NY Times)
But Qwest comes out as the good guy, as they blew off the gubmint’s request for info:
“In a written statement, the attorney for former Qwest CEO Joseph Nacchio said the government approached the company in the fall of 2001 seeking access to the phone records of Qwest customers, with neither a warrant nor approval from a special court established to handle surveillance matters.” (NY Times)
All quite interesting.
IRC (Internet Relay Chat) is a micro-world of its own, filled with all kinds of characters—an ecosystem that can remind you of everything from a text-based version of Blade Runner to a cyber version of ham radio.
It’s used for many good purposes, but the darker side of IRC is its common use by hackers. The indefatigable PaperGhost has spent countless hours on IRC, hunting down nasty malware that might not have been found otherwise. IRC is also used by malware itself for command and control, something for which Symantec gained some mild attention a while back: Norton Antivirus kicked you off an IRC session if you used the words “startkeylogger” or “stopkeylogger”. It was a bit crude, but I think most would see it as normal heuristics doing their job (in this case, better to have a false positive than to not catch it at all).
IRC is also being used for Advance Fee Fraud (419 scams). Recently on a private IRC channel, I saw this reported by security researcher FiXato:
[2006-05-12 – 14:05:22] <jamsmoore8701_1> am looking for hackers with logins and drops. i have hsbc am not buying it from you we have to share the real money together.
[2006-05-12 – 14:05:23] <jamsmoore8701_1> am loking for hackers who knows about logins and drops. i have hsbc
This piqued my interest. This fellow is looking for a “hacker” who knows about “logins and drops” (drops being places to store stolen data or to receive stolen money). He has “hsbc”, which presumably means he has stolen data from customers of HSBC bank (The Hongkong and Shanghai Banking Corporation).
Is this from phishing? A keylogger?
Well, we’re not quite sure about that. Another security researcher, spadge, took a quick look at the user’s hostmask and found the address registered to Nigeria:
whois 82.128.2.240
NetRange: 82.0.0.0 – 82.255.255.255
CIDR: 82.0.0.0/8
country: EU # country is really somewhere in African Region
So, it looks like it was some naughty, naughty Nigerian, quite likely looking to hook a hacker into a 419 scam.
Spadge tells me that he’s seen quite a few of these. They start looking for hackers, and before you know it, “they are asking you to get them a loan so they can study in the US”.
Spadge hunted around and gave me an example of a typical conversation, this one encountered a while back with some hapless scammer who goes by “bcky”. Check this out:
[23:18] <bcky> hispadge
[23:19] <Spadge> what, no space bar?
[23:19] <bcky> yes
[23:19] <Spadge> cool
[23:19] <bcky> Aeneasaid,contactyou
[23:19] <Spadge> what about?
[23:20] <bcky> abouthacking
[23:22] <Spadge> I see.
[23:23] <bcky> canweproceedaboutit
[23:24] <Spadge> I don’t talk to people who don’t use spaces between words.
[23:24] <bcky> ok sorry abt this
[23:24] <Spadge> what did you want to know about hacking?
[23:24] <bcky> well how to host website to get somedetails
[23:25] <Spadge> hosting a website is easy. what details do you want to get?
[23:25] <bcky> bank logins
[23:26] <Spadge> why?
[23:27] <bcky> to know and get the logins for online transfer
[23:27] <bcky> are u there
[23:27] <Spadge> sometimes, I wonder if the internet exists in nigeria solely for some kind of crime or money making scam.
[23:28] <bcky> well i think so but things are not like that
[23:30] <bcky> but there some people not using it for crime nor scam
[23:31] <Spadge> but you don’t think you’d like to be one of them
[23:31] <bcky> i think to be one of the but the economy situation here
[23:32] <bcky> but am thinking of being one of them very soon so i can leave the scam of a thing
[23:34] <Spadge> I would strongly advise against any kind of internet scam or identity theft or other kind of theft. Anonymity online is a myth.
[23:34] <bcky> yes
[23:35] <bcky> but can u help me for the last time and i stop…..do u know why i am into this ?
[23:36] <Spadge> I can’t help anyone do anything illegal for any kind of material gain.
[23:36] <bcky> ok
[23:36] <Spadge> and no, I don’t know why.
[23:36] <bcky> well i was give a scholarship to study in the USA but i need to pay certain amount after the scholarship
[23:37] <bcky> i wrote to the state government here to help me on this but they said no
[23:37] <Spadge> harsh
[23:37] <bcky> and that is why am looking for Bank logins to make the transfer for the school
[23:38] <bcky> i can show u proof for this
[23:38] <Spadge> you will get caught, and you will not be allowed to go to the US ever.
[23:38] <bcky> though it is not good but I am being frustrated to doing this
[23:39] <bcky> am not doing for livin jst to get my school fee paid
[23:39] <bcky> if u could help me
[23:40] <Spadge> I can’t
[23:43] <bcky> i mean if u can get me a loan
[23:43] <Spadge> nope
Session Close: Tue Dec 06 23:53:23 2005
So there it is. Nigerian 419ers trying to find hackers to scam out of money. Poetic, isn’t it?
Of course, there may be real hackers out there looking to collaborate, and that’s why it may not always be easy to see through these setups. But as Spadge says, “In my experience they are always working some scam. They offer lucrative rewards for help with illegal activities. This is so that when you get ripped off, you can’t go to the police.”
In his eyes, it’s “exactly the same as the original ‘I am the former attache to the former finance minister… with millions of dollars” 419 scam, only modernised for the internet generation. Needless to say, they aren’t actually involved in doing said illegal activities, they just want to get your money off you somehow.”
Alex Eckelberry
Sarbanes Oxley (which I refer to as the “Accountants’ Job Security Act”) is a law that encumbers many corporations with far too much bureaucracy and headache compared to the benefit. Made in response to the corporate scandals a few years back, it was hoped that the law would solve problems of corporate malfeasance. Instead, it’s put an unnecessary and counterproductive weight on American industry.
Don’t get me wrong. There were (and still are) real problems with corporate accounting. In particular, there are some intricacies in GAAP accounting that, I believe, work against the purposes of good financial practices. And if you need to be an accountant just to understand a company’s financials, something is wrong.
And, SOX did actually mandate some pretty good things. Many of the problems in SOX are in the internal controls required (the “SOX 404”).
Solving the problem of bad corporate accounting and practices is something easily doable. But it doesn’t require the 800 lb sledgehammer of Sarbanes Oxley.
Network World article on the situation here.
Alex Eckelberry
I’m a big fan personally of our Kerio firewall, so I’m sorry, I have to do this every once in a while: A shameless act of self-aggrandizement. Think of it as a “proud parent” kind of thing.
Yesterday, we got an email from a user in response to an email we sent her, that sums up many reasons why I think it’s so great (she gave us permission to reprint).
Fear not, you’ll have a paid software user for your Kerio Personal Firewall before my 30 day trial expires. With much trepidation and concern, I replaced my argumentative, ever-cantankerous Zone Alarm Pro Firewall with a trial of Kerio 3 weeks ago. I say “much trepidation and concern” because all of my sole proprietorship business, banking, credit card merchant account and of course the ever-effusive PayPal premiere business account, is tied up online – EVERYTHING related to my business, except for the actual artwork I create in my studio, is handled online.
So, while Zone Alarm Pro caused mega-problems I used it and put up with its annoying tendencies. Several times, if not even more, per DAY I’d have annoying hang-ups with ZAP where it would freeze and refuse to allow any access to web pages, even my own, as well as halting incoming and outgoing email. Sometimes, I could alleviate the problem by turning ZAP off and immediately reactivating it within seconds, but at other times, trying this annoying “fix” would cause my system to freeze and crash, necessitating a complete, “cold” reboot. I spent hours and hours on the phone with ZAP tech support through my broadband cable provider, who initially provided my latest version of ZAP – it’d be an hour on the phone with my provider, then the transfer to CA for direct ZAP tech support for at least 3-4 more hours on the phone, installing and uninstalling and going through all the paces to try to alleviate this annoying, all-too-frequently-occurring freeze-up problem with ZAP. The problem was NEVER totally rectified, but we’d get it down to only turning ZAP on/off a few times in a 24 hour period and I’d live with it for the firewall protection.
However, the last time the web and email access “freeze-ups” started with MUCH greater frequency daily, I didn’t bother calling tech support.
Every hour I spend on the phone with tech support with problematic software is an hour I’m NOT down in my studio creating the artwork which pays my bills, frankly. So I started reading software Firewall reviews across the board and finally stumbled across Kerio. For years and years I’ve never used anything but first, Norton’s Firewall, then for many years up until Kerio, Zone Alarm Pro. So I’m sure you can appreciate that switching to a new firewall program I couldn’t find any review information on for the “premium” (that is, the paid, registered version) left me rather leery of taking it for a spin at risk of exposing my business to potential hacking.
I installed Kerio’s Personal Firewall and it seemed far too easy, so I called your tech support, just to be sure since I can’t afford to be hacked.
I was never on hold more than a single minute, either getting through initially or when I was transferred to tech support, which I found quite impressive, actually. Over the last 21 days, I’ve yet to have Kerio hang my system or block my access to the regular web pages I need to access for my business. It just does its job, quietly in the background without so much as a single system lock-up.
As soon as I installed Kerio (I disabled ZAP, being leery of totally uninstalling the very problematic firewall until I had sufficient peace of mind that Kerio would do the job and, along with my paid Spyware Doctor and SpySweeper anti-spyware software packages, effectively protect my system), I put the firewall through the paces. I had all of the online leak tests run and Kerio passed flawlessly. I then headed over to Symantec’s web site and granted Symantec permission to attempt a benign hack of my system. Again, Kerio passed flawlessly, preventing all attempts by the “white hats” to hack in.
Okay, so why haven’t I become a paid user of Kerio’s Personal Firewall yet?
I downloaded your CounterSpy anti-spyware software to take it for a spin as well. I am already running two top-rated anti-spyware programs, both of which I very recently paid my annual renewal fees for, so I’ve been debating whether to just register Kerio’s Personal Firewall or whether to add a third anti-spyware software and, thus, register both Kerio’s Firewall and CounterSpy (as you know, I’m sure, no one anti-spyware program gets all of the potential malicious Trojans, keyboard loggers, etc.). There’s the only reason for my paid registration delay during Kerio’s 30 day firewall trial.
Since CounterSpy cohabits quite peacefully with my Spyware Doctor and SpySweeper anti-malware programs, I think I’ve just about persuaded myself to register both Kerio firewall and CounterSpy together as a package …
but, I still have a few days to ponder it over.
All of the above notwithstanding, rest assured that at the very least, my trial version of Kerio Personal Firewall WILL be registered before the end of its 30 day trial period. It is a superlative firewall which runs flawlessly without any problems whatsoever, a real pleasant experience after fighting with the bug in ZAP for months, I can assure you.
I only wish that Kerio’s personal firewall got more attention in reputable review sources. I only discovered it when Kerio kept showing up as the best free firewall software, almost universally across the board besting Zone Alarm’s light, “free” version. I ignored Kerio initially because the only reviews I kept seeing were for the free version and I was of the mindset that, generally speaking, you get what you pay for. When the software kept popping up as the best free firewall software, I finally followed the link and discovered more about it.
Otherwise, I might never have found the trial of your excellent firewall.
The modestly priced “pay” version of Kerio for some reason doesn’t end up in the non-free firewall reviews. I have no doubt it would stack up splendidly against Zone Alarm Pro, Norton’s and Panda’s firewall software programs and the like. I hope to see your paid version of Kerio Personal Firewall included in new reviews of “premium” firewall software packages in the future. It’s a heck of a product and I hope now that Sunbelt has acquired it, the company will aggressively promote it.
Kind Regards,
Debra
Gallery B
</hype>
Alex Eckelberry
Ben Edelman has worked with the Siteadvisor folks on a fascinating study on the safety of search engines.
Our most notable result? Search engine ads are a risky business. Overall, across all keywords and search engines, 8.5% of sponsored results were “red” or “yellow” by SiteAdvisor’s standards, versus only 3.1% of organic results. It’s not unusual to see ads for notorious spyware vendors like Direct Revenue (as documented in my January piece); for sites that charge for software available elsewhere for free (like the ad shown at right, trying to charge $29 for Skype’s free phone); and for spammers that send hundreds of messages per week, if a user enters a single email address. These scams deceive and harm search engine users, and I’d like to see Google update its advertising editorial guidelines to prohibit such practices — then enforce these rules with appropriate diligence.
Link here. Also, WSJ article here for subscribers.
Alex Eckelberry
Google Trends is a nifty tool from Google Labs. While it’s not perfect (and shouldn’t be used for any serious analysis), it does allow you to plot a rough approximation of the “zeitgeist” of a search term (or terms).
For example, let’s look at the decline of some of the bigger spyware/adware companies: 180Solutions, Direct Revenue and Claria:
You can see they are on a decline.
Or, let’s look at the overall trend in the search term “spyware”:
You can hit the site at google.com/trends.
Alex Eckelberry
As a follow-up to our previous post on net neutrality, you can see an absolutely hilarious take on the matter by Ask a Ninja.
Link here via BoingBoing.
Alex Eckelberry
(Thanks Mercen4ry)
Security research is sometimes a thankless task. Take the well-known example of Michael Lynn, the ISS employee who let the cat out of the bag about a vulnerability in Cisco routers, then got into a whole bucket of trouble.
But the ultimate in thanklessness is going to prison. That fate might very well be in the cards for Eric McCarty:
On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants’ personal information, including Social Security numbers.
It’s a bit distressing that legitimately reporting a security bug could land someone in prison. There should be some kind of “good Samaritan” exclusion.
Link here, with a hat tip to Ferg.
If you haven’t caught this, read the absolutely dumbfounding story of the hapless psychotherapist John Worley (what is it with these types, anyway?) who got completely bilked by Nigerian 419 (advance fee fraud) scammers, got busted, the evidence was presented in court and then he got convicted — yet still, after all that, believes that there was some truth in the scam:
When I asked Worley what he wished he had done differently, he didn’t answer directly. Instead, he spoke about hoping that the Abachas would get back in touch with him. However, before they could resume work on the multimillion-dollar transfer, he expected them to send the six hundred thousand dollars that he needs for restitution.
It’s an incredible story and well worth reading. Link here.
And as a reminder, you can always forward 419 scams to spam(at)uce.gov and 419.fcd(at)usss.treas.gov. There is also a whole underground of vigilantes that “scam bait”, which is the practice of manipulating 419 scammers. A highly dangerous game and I would NOT recommend it at all (really, I mean it — the Nigerians have US reps and you could get hurt). However, for entertaining stories, you can go to sites like 419eater or others on this Wikipedia page.
Alex Eckelberry
(Hat tip to Lance)
One of the members of our development team, Yong Tang, recently received his doctorate from the University of Florida. Yong is in our SDK team under Sunbelt’s chief scientist Joe Wells, working on the CounterSpy BorderPatrol SDK, which is used by gateway appliance vendors to stop spyware at the network perimeter.
His doctoral dissertation is apt — it’s on “Defending against Internet Worms”:
In the first part of the dissertation, we propose a distributed anti-worm architecture (DAW) that automatically slows down or even halts the worm propagation….In the second part of the dissertation, we propose a defense system that is able to detect new worms that were not seen before and, moreover, capture the attack packets.
You can read his excellent paper here.
Congratulations Dr. Tang!
Alex Eckelberry
If you’re interested in DRM issues, some members of Congress are yacking about lobotomizing XM2go (a combination satellite receiver and MP3 player).
Jim Burger of Dow – Lohnes, a leading copyright attorney, discusses the issue here with Phil Leigh at Inside Digital Media.
Alex Eckelberry
They’re also in business with 180solutions.
Controversial adware company 180solutions at the end of last month quietly began offering streams of two shows distributed by Warner Bros. Online. The shows–the soap opera “Deception” and the animated show “Medical Island”–were created specifically for the Web.
Both programs are available online exclusively on 180solutions’ consumer site, Zango.com. Visitors to the site can only view the shows if they agree to download the company’s ad-serving software, which serves up to six pop-up ads daily, based on Web-surfing behavior.
Link here.
Alex Eckelberry
Kevin Poulsen at Wired has been trying to find out what happened to the Department of Homeland Security system that screens incoming visitors to the US:
The August computer failure led to long queues at airports across the country, but was only tersely explained to the public. The DHS initially said a computer virus had infected one of the mainframe servers — in Virginia. Later, the agency reversed itself and claimed there was no virus, and the outage was a normal computer crash.
They filed a Freedom of Information Act request and got some runaround, but finally got the answer: it was apparently a virus.
Alex Eckelberry
The Collins Law Firm and Varga Berger Ledsky Hayes and Casey have filed a class-action lawsuit against Ebates (makers of Moe Money Maker), alleging trespass to chattels, fraud and negligence.
From their press release:
The Collins Law Firm (Naperville, IL) and Varga Berger Ledsky Hayes and Casey (Chicago, IL) have filed a federal court lawsuit against Ebates Shopping.com, Inc., of San Francisco, CA., accusing the Internet company of illegal trespass to potentially millions of computers; “spying” on computer users’ Internet-browsing habits; diminishing computer capacity and interfering with computer use.
You can see the complaint here, where some work by Sunbelt has been cited.
Alex Eckelberry
I’ve written about these incredibly irritating image-based stock spams before.
Today, Adam Thomas in spyware research came across a rootkit being used to send a massive amount of these stock spams.
Spambots. Botnets. Rootkits. It’s all so interesting out there.
Alex Eckelberry
Look at this Bank of America email here. Is it a phish?
No, it’s real. I got this sample from phishing guru Lance James over at Secure Science, and he sums it up quite well:
Ok, BofA, shame on you, this looks like phishy spam to me. Note the link you included:
http://links.em.bankofamerica.com:8083/ct/click?q=6b-8g5ZIHENsxyGOqH8niwc~ynzP6cR
Guess where it lands:
https://www.ehealthinsurance.com/ehi/Alliance?allid=Ban24050&sid=em1
How is that supposed to help consumers understand legitimate links and not? This bulk mail can easily be replayed with phishing links.
Banc of America and Bank of America — I’m sure it’s legit, but do your customers know that? And are we sure we know who eHealthInsurance is? How do we know they’re not a spam site, or a malicious site?
And just because your domain is in the email doesn’t make it safe (we’ve proven that already!)
And just to add insult to injury, there is a link in the email that allows you to add other people to the mass-mailing list.
When will they learn?
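The complaint above boils down to a link whose visible host is on the bank’s own domain but which runs through a click-tracking redirector on an odd port and lands somewhere else entirely. The following is an added example (not code from the post or from Sunbelt) of the kind of check a mail filter or user-education tool can run over a link: it flags a non-standard port, a single-token “click” redirector, and a landing domain that differs from the sender’s. The redirect map is constructed for offline use and stands in for the HTTP 30x hops a real scanner would follow; the registrable-domain helper is a deliberate approximation.

```python
"""Flag e-mail links that look like click-tracking redirectors landing off-domain.

Added, stand-alone example; not code from the original post or from Sunbelt.
"""
from urllib.parse import urlparse, parse_qs

# Constructed redirect map standing in for live HTTP 30x responses. Assumption:
# a real scanner would issue requests with redirects disabled and read each
# Location header hop by hop instead of consulting a dictionary.
REDIRECTS = {
    "http://links.em.bankofamerica.com:8083/ct/click?q=6b-8g5ZIHENsxyGOqH8niwc~ynzP6cR":
        "https://www.ehealthinsurance.com/ehi/Alliance?allid=Ban24050&sid=em1",
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two DNS labels. Adequate for .com mail domains;
    a production tool should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def follow(url: str, redirects: dict, max_hops: int = 10) -> list:
    """Return the chain of URLs visited, starting with url, until no redirect
    applies or max_hops is reached (guards against redirect loops)."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def analyze_link(href: str, sender_domain: str, redirects: dict) -> dict:
    """Classify one link from a message claiming to come from sender_domain."""
    findings = []
    first = urlparse(href)
    first_host = first.hostname or ""

    # 1. Ports other than 80/443 are unusual for consumer-facing bank links
    #    and are exactly what phishing kits on compromised hosts tend to use.
    if first.port not in (None, 80, 443):
        findings.append("nonstandard_port")

    # 2. A "click" path carrying one opaque query token is the signature of a
    #    mass-mailer click tracker rather than a destination page.
    query = parse_qs(first.query)
    if "click" in first.path.lower().split("/") and len(query) == 1:
        findings.append("click_redirector")

    # 3. Follow the redirect chain and compare where the user actually lands
    #    with the domain the message claims to be from.
    chain = follow(href, redirects)
    landing_domain = registrable_domain(urlparse(chain[-1]).hostname or "")
    if landing_domain != registrable_domain(sender_domain):
        findings.append("offdomain_landing")
        # The visible host matched the sender, so the link borrows trust it
        # does not deserve; this is the pattern a phisher can replay.
        if registrable_domain(first_host) == registrable_domain(sender_domain):
            findings.append("trusted_domain_redirects_elsewhere")

    return {"chain": chain, "landing_domain": landing_domain, "findings": findings}


if __name__ == "__main__":
    sample = "http://links.em.bankofamerica.com:8083/ct/click?q=6b-8g5ZIHENsxyGOqH8niwc~ynzP6cR"
    for key, value in analyze_link(sample, "bankofamerica.com", REDIRECTS).items():
        print(f"{key}: {value}")
```

A link that stays on the sender’s domain with no redirect (for instance a plain https login page) produces an empty findings list; anything carrying the redirector signature plus an off-domain landing is the case to either rewrite for the user or reject at the gateway.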
Alex Eckelberry
Warner Brothers got big news today for using Bittorrent as a distribution method.
Let’s not get too excited.
According to an article in the LA Times, “the company expects TV shows to be priced comparably to the current rate of $1 per episode on other Web sites and movies to be around the price of a new DVD.”
What’s a new DVD? $20? $30?
Well, the “content … cannot be copied and burned onto a DVD. They must reside on a computer drive.”
The idiocy still makes my head spin.
More commentary here.
Alex Eckelberry