Pa. Atty. General subpoenas Twitter to get identities

The Attorney General of Pennsylvania (and Republican candidate for governor) Tom Corbett has subpoenaed Twitter to find the identities of “bfbarbie” and “CasablancaPA.”

News accounts say Corbett wants information on the two accounts because they were used to criticize his use of grand juries, claiming he used the investigations for political gain.

For several years Corbett has been investigating Democratic legislators and their staffs for using time and state resources for party business. Although there have been many allegations of similar activities by Republican legislators, Corbett has concentrated his fire on Democrats. Needless to say, it’s been a running controversy in that state. And it’s been aggravated recently by the fact that Corbett has been running for governor and just won the Republican primary election.

Someone representing Twitter is to appear before Corbett’s statewide investigating grand jury May 14.

Story here: “AG Corbett Subpoenas Twitter to Name Bloggers”

For some flavor of the controversy, see the story and comments in the Beaver County Times here.

Beaver County is in the political “watershed” of Corbett’s Democratic opponent in the fall election, Dan Onorato, who is the Allegheny County executive. Allegheny County is the Pittsburgh area, just east of Beaver County.

Onorato weighs in on the Twitter issue here.

Today the effect on the two Twitter accounts was obvious:

“10storyfallguy RT @hotbutton: INCREASE YOUR FOLLOWERS by having AG subpoena Twitter over you! B4: 2 accts had 190 total; NOW: @bfbarbie 578 @casablancaPA 852 – IT WORKS!”

Reading between the lines I’m wondering if the Twitter accounts were used to discuss testimony or other information from INSIDE some of the grand jury deliberations – which are not public information. Corbett could be going after the people who leaked the information.

Not that I really want to wade into that political morass… ya know… Ahm just sayin’…

Tom Kelchner

On the Web, your browser history is an open book

CSS are watching you

Researchers Artur Janc and Lukasz Olejnik have made public a paper “Feasibility and Real-World Implications of Web Browser History Detection” that describes how a decade old “feature” of Cascading Style Sheets (CSS) allows Web sites to tap the “visited” pseudoclass and read a visitor’s browser history.

They wrote: “We present a web-based system capable of effectively detecting clients’ browsing histories and categorizing detected information. We analyze and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection; for a test of most popular Internet websites we were able to detect, on average, 62 visited locations. We also demonstrate the potential for detecting private data such as zip codes or search queries typed into online forms. Our results confirm the feasibility of conducting attacks on user privacy using CSS-based history detection and demonstrate that such attacks are realizable with minimal resources.”

Mitigation

Janc and Olejnik wrote: “A viable client-side solution was a proposed modification to the algorithm for deciding which links are to be considered visited . . . and implemented in the SafeHistory extension for Mozilla Firefox. Unfortunately, no such protection measures were implemented for other Web browsers, and the SafeHistory plugin is not available for more recent Firefox versions.”

There’s a simple workaround if you don’t mind losing it – turn off browser history.

In Firefox: tools | options | privacy | “Never remember history.”

Browser history 1

To check what is in your browser history: History | Show all History:

Browser history 2

In Microsoft Internet Explorer

Microsoft offers workarounds in “CSS History Probing, or: ‘I know where you went last week’” including:

“3. Disable Visited Link tracking entirely. This would work, although it would entail a pretty significant user-experience penalty because the user could no longer see what sites had been visited. There’s an unsupported registry key available to IE8 users to disable Visited Links. To do so, create a REG_SZ named Disable Visited Hyperlinks inside HKCU\Software\Microsoft\Internet Explorer\Settings with the value yes.”

At minimum you can set up Internet Explorer to delete your browser history on exit:

Tools | Internet Options | General

Browser history 3

There’s a great news story about it in the Register: “Most browsers silently expose intimate viewing habits”

Tom Kelchner

PUP on Facebook’s Mafia Wars

FB does a fast takedown


Mafia Wars

A researcher we know who prefers not to be named found this on the Zynga game Mafia Wars. When you shared it, you were offered a free gift if you completed a survey.


The free gift you got was an installation of MyWebSearch, which Sunbelt detects as a potentially unwanted program:

“MyWebSearch Toolbar is a customizable Internet Explorer search toolbar with various other tools. These tools include a pop-up blocker, screensavers, and cursors. Searches entered into the toolbar search field are directed to MyWebSearch.com.”

Tom Kelchner

An unfortunate choice of names

There has been an explosion of rogue security products with different names in the last year – which is clearly an attempt by the rogue peddlers to avoid detection. Now the names of LEGITIMATE companies’ LEGITIMATE products are getting mixed up with the names of rogues. Case in point: “Antivirus 2010.”

The REAL security product (came out at least in early 2010):

AV 2010

Info here: http://www.pctools.com/spyware-doctor-antivirus/index/d/3/

The rogue (put in detections April 7):

Rogue AV 2010

More info on Sunbelt Rogue Blog here.

To be sure, the rogue distributors are probably pleased by this confusion.

Tip to consumers: ALWAYS purchase security products from company web sites AFTER you do some research. NEVER purchase them from spam email or when you get an alarming pop-up window on your computer giving you dire warnings that you are infected.

For further guidance see our white paper: “How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product” here.

Thanks Trip.

Tom Kelchner
 

Exploding laptop battery dept.: HP widens recall

“…fire and burn hazard.”

Hewlett-Packard has announced it has expanded the May 14, 2009, recall of its laptop battery packs. The company will replace the defective batteries at no cost to customers.

The notice on the HP site said “HP and the battery manufacturers believe that certain battery packs shipped in HP notebook PC products manufactured between August 2007 and May 2008 may pose a potential safety hazard to customers. The batteries can overheat, posing a fire and burn hazard.

“The affected battery packs were distributed worldwide in certain notebook PCs within the following models:”

HP Pavilion
dv2000, dv2500, dv2700
dv6000, dv6500, dv6700
dx6000, dx6500, dx6700

Compaq Presario
A900
C700
F500, F700
V3000, V3500, V3700
V6000, V6500, V6700

HP
G6000, G7000

HP Compaq
6510b, 6515b
6710b, 6710s
6715b, 6715s

HP notice here: http://bpr.hpordercenter.com/hbpr/M14.aspx

Tom Kelchner

Buy three years of VIPRE Enterprise maintenance, get one free

End the frustration of slow, bloated antivirus

Buy_3

Now through May 31, buy three years of maintenance with any new VIPRE Enterprise order and get a fourth year free!

Get the performance and protection you need to achieve total endpoint malware protection, all managed from a central console.

With VIPRE Enterprise you get:

— Antivirus and antispyware protection
— Desktop firewall
— Malicious website filtering
— IDS (Intrusion Detection System)
— HIPS (Host Intrusion Prevention)
— Scalable multi-site tiering and role-based access control

Pakistan telecomm blocks YouTube, Facebook

Facebook feature “Everybody Draw Muhammad Day” didn’t play well there.

The Pakistan Telecommunications Authority yesterday told Internet service providers in their country to block YouTube because of its “growing sacrilegious content,” according to the BBC.

A Pakistani court ordered Facebook blocked Wednesday as well because of a feature it’s carrying called “Everybody Draw Muhammad Day.” Images of the Prophet are considered sacrilegious in Islam.

Wikipedia pages deemed offensive also are being filtered, BBC said.

YouTube says it is investigating and would try to restore service as soon as possible. Facebook said the “Draw Muhammad” content did not violate its terms.

BBC story here: “Pakistan blocks access to YouTube in internet crackdown”

An underlying theme in many of these censorship stories seems to be “will proxy connections skirt government shutdowns of parts of the Internet?”

Nobody ever said globalization was gonna be easy.

Tom Kelchner

LifeLock’s CEO Davis was victim of ID theft 13 times

Maybe advertising your SSN on billboards isn’t such a good idea

The Phoenix New Times has reported that the CEO of LifeLock ID theft protection service of Tempe, Ariz., has had his identity used by rip-off artists 13 times since 2007.

CEO Todd Davis advertised his social security number publicly to assure customers that his service could protect their identity. The service cost $10-15 per month.

In March we blogged the story when the U.S. Federal Trade Commission and LifeLock reached a settlement in which the company would pay $12 million – $11 million of which would be refunded to consumers – for fraud.

Blog piece here: “LifeLock will pay $12 million for false claims “

At that time the FTC said in its news release:

“The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

“New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.”

Apparently, LifeLock can’t even protect against that!

The ID theft incidents involving Davis’s ID that were reported to police and listed in the Phoenix New Times story were:

Reported in 2007:

1. A man in Texas used Davis’ ID to get a $500 loan. Davis didn’t know about it until he was contacted by a collection agency.

Reported in 2008:

2. Someone in Albany, Ga., opened an AT&T wireless account. Late in 2008, a collection agency contacted Davis to recover $2,390.

Reported February 2009:

3. Verizon account opened in New York: $186 unpaid.

4. Centerpoint Energy, a utility company in Texas: $122 unpaid.

5. Credit One Bank: $573 unpaid.

6. Swiss Colony, gift-basket company: $312 unpaid.

7. USA Savings Bank credit card account opened (no balance).

8. Gap credit card account opened (no balance).

9. Bay Area Credit (collection agency): $265.

10. Associated Credit Services (collection agency): $207.

11. Associated Credit Services (collection agency): $213.

12. Enhanced Recovery Corporation (collection agency): $250.

13. Enhanced Recovery Corporation (collection agency): $381.

Phoenix New Times article here: “Cracking LifeLock: Even After a $12 Million Penalty for Deceptive Advertising, the Tempe Company Can’t Be Honest About Its Identity-Theft-Protection Service”

Thanks for the tip, James.

Tom Kelchner

Update:

ComputerWorld is running a Q&A piece with LifeLock Inc. CEO Todd Davis that allows him to give his side of the controversy.

Two interesting facts:

1. Davis’s take on the $12 million FTC fine: “I am passionate about what we do. [The FTC] didn’t like our choice of words … so they wanted more clarity.”

2. He says LifeLock actually has 1.7 million customers.

Story here: “LifeLock identity theft service a game changer, insists embattled CEO”

New rogue: ByteDefender

We have seen many rogue security applications copying logos, images and names of legitimate security applications to make their fake application look more legitimate.

In a similar effort, the notorious WiniGuard rogue family has targeted another legitimate security software company, BitDefender, to push its new rogue security application.

As a result they came up with a new rogue security application called ByteDefender.

BD

The fake ByteDefender web site
BD Website

Most of the text has been lifted from BitDefender’s Total Security 2010 product page.

The WiniGuard group went a step further and compared their new rogue security application with other legitimate security software products.

BD comparison

Site used:
212.124.112.41 Bytedefender in

Bharath M N

Large collection of logins posted to Scribd.com

Scribd is a website that lets users share written content online, converting Powerpoint, PDFs and Word documents into web documents that can be viewed through sites such as Facebook and other social networking services.

It was inevitable, then, that a scammer would decide to use such a service for foul means and “share” a little over 4,500 mail logins (mostly from .ru domains, and possibly used for a .ru social networking site) in the form of a 77-page text document for anybody to download and plunder.

Scribd ru domain logins


As you can see, the document had been viewed 94 times when the above screenshot was taken; by the time it was deleted, that figure had increased to 152. Interestingly, the account behind the upload is still busy posting utterly random content – everything from technical documents and videogame commands to what look like job advertisements, lists of cameras and descriptions of GIMP plugins (there’s even a manual for Warhammer 40,000 lurking in there somewhere). To give you an idea of the upload rate, this was taken an hour or so ago:

files

“970 uploads”. The account is now up to 1,308 with fresh (and entirely random) uploads appearing constantly. Is the process automated? Perhaps – they certainly don’t seem to have taken a break from their uploading frenzy.

You can see a little more background to this one on this forum, courtesy of Mod Alexey P who pointed me in the right direction. The translation is a little off in places, but it seems one of the victims noticed lots of spam coming from their account and after a quick google saw their stolen login sitting on the Scribd page.

Unfortunately there’s no indication whether their login was claimed through an infection or a phish, but whether the uploader is someone trying to make stolen logins “sociable” or some kind of automated bot gone awry, there are an awful lot of compromised accounts being put up for grabs…

Christopher Boyd

U.S. federal judge shuts down 3FN, levies $1.08 M fine

Pricewert is done

A federal judge in California has permanently shut down the 3FN ISP.

The U.S. Federal Trade Commission said in a news release today that 3FN “recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other malicious and illegal content. The ISP’s computer servers and other assets have been seized and will be sold by a court-appointed receiver, and the operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.”

The defendants named in the action are Pricewert LLC, which was doing business as 3FN.net, Triple Fiber Network, APS Telecom, APX Telecom, APS Communications, and APS Communication.

The news release also said: “Transcripts of instant-message logs filed with the district court show the defendants’ senior employees discussing the configuration of botnets with bot herders. And, in filings with the district court, the FTC alleged that more than 4,500 malicious software programs were controlled by command-and-control servers hosted by 3FN. This malware included programs capable of keystroke logging, password stealing, and data theft, programs with hidden backdoor remote control activity, and programs involved in spam distribution.”

Our blog piece from last year: “The Internet is a safer place (well, slightly) as FTC shuts down crime-hosting N. Calif. ISP”

FTC news release: “FTC Permanently Shuts Down Notorious Rogue Internet Service Provider”

Tom Kelchner

SEO poisoning: Rima Fakih photos

You might avoid looking for photos of Miss USA Rima Fakih for a while. There is a controversy about a certain pole-dancing incident in her past that is stirring up the talk show circuits and the adolescent inside every male on the planet. It also has stirred up a massive number of SEO poisoned links to photos.

In 2007, Fakih won a “Stripper 101” contest sponsored by a Detroit radio show “Mojo in the Morning.” And, of course, she was no sooner crowned Miss USA than somebody resurrected the “Stripper 101” video. And, of course, everybody is searching for “Rima Fakih pole dancing.”

Almost none of these Google Image hits are safe:

Rima image search

What? I need a new codec to view it?

Rima_mal1

All righty then!

Rima_images

Thanks to alert Sunbelt Analyst Adam Thomas.

Tom Kelchner

 

Facebook says it will make privacy settings easier

Have they finally noticed the hordes at the gate?

The All Facebook blog (not an official Facebook site) is reporting that Facebook’s Public Policy Director, Tim Sparapani has said the company will install privacy settings that are easier to understand and control in the next few weeks. (“Facebook Preparing To Release Simple Privacy Settings” )

The 800-pound gorilla of the social media world has been taking increasing heat recently about its sloppy attitude toward securing users’ personal information and a privacy policy that seems to permit it to do nearly anything with users’ personal info.

Yesterday the Tech Herald ran a story about MySpace co-president Mike Jones announcing (Monday) simplified security settings that will be put in place on his company’s site in the next few weeks. (“MySpace to simplify privacy controls for users with new changes”)

“As things stand, the major levels of access are public, anyone under 18, and only friends. The change to MySpace’s privacy settings will center on “friends only”. If you currently use that setting for the majority of your account, then it will remain as is, and a single switch will change all the settings at the same time to whatever level you select. There will be no need to opt-in or opt-out of any of the settings,” Jones said.

On May 12, the New York Times ran a huge graphic that showed the complexity of Facebook’s 50 settings and 170 options that a user would need to digest in order to control his or her privacy. (“Facebook Privacy: A Bewildering Tangle of Options”)

Funny how markets work.

Tom Kelchner

Russian ISP hosting Zbot C&C servers is taken down

Russian-based PROXIEZ-NET, which was known to allegedly host 13 Zbot command-and-control servers, has been shut down by its upstream provider DIGERNET, according to the site The New New Internet. (News story on Web Host Review here: “Alleged Russian Malware Host Cut Off By Upstream Provider”)

Legitimate web sites hosted by PROXIEZ-NET may have been caught in the takedown, the Review said.

Brick House Security said the Zbot-related servers on PROXIEZ-NET were used to collect PayPal, EBay and online banking passwords stolen by key logging malware.

There’s probably an interesting story behind WHY an upstream provider took down a (formerly) bullet-proof ISP that hosted criminal activity IN RUSSIA. I doubt if it will ever be made public though.

Tom Kelchner

Indian jail will use inmates in banking outsourcing unit

From the “What-were-they-thinking?” department

Security guru Bruce Schneier on his “Schneier on Security” blog noticed this one:

Charlapally Central Jail, near the Andhra Pradesh state capital Hyderabad, will set up a public-private partnership with Radiant Info Systems to put 200 inmates to work doing data entry and information processing FOR BANKS!

The unit will have round-the-clock staffing – three shifts of 70 staff each.

The inmates will receive the equivalent of $2.20-3.32 US per day. Normal prison wages are 33 cents per day.

The BBC quoted CN Gopinath Reddy, the state’s director general of prisons: “The idea is to ensure a good future for the educated convicts after they come out of jail. With their experience of working in the BPO [business process outsourcing] in jail, any company will absorb them in future.”

Now the REALLY good news: BBC wrote: “Officials say this is a pilot project and, if it succeeds, it could be extended to other jails in the state.”

Story here: “Outsourcing unit to be set up in Indian jail”

Tom Kelchner

EFF: browser fingerprinting works really well

The Electronic Freedom Foundation has released a white paper that reveals most Web browsers leave enough information about their configurations on Web servers that they are identifiable.

The EFF put up a web site, took data from 470,161 informed participants and found that among browsers with Flash or Java activated, 94.2 percent were identifiable (“unique” in their words.)

“By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.”

And, if that isn’t scary enough, they said that those using anti-fingerprinting privacy technology will still be identifiable until a lot of people start using the same countermeasures.
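To make the “unique” figure and the upgrade heuristic concrete, here is an added example (not code from the EFF paper or from this post) that scores a constructed sample of browser configurations: it hashes the attributes a server can observe into a fingerprint, reports what share of visitors are unique in the sample, estimates how many bits of identifying information each attribute carries (Shannon entropy), and applies a simple “is this an upgraded version of a fingerprint I have seen?” guess. The attribute list, the sample and the heuristic’s rules are assumptions, not the paper’s.

```python
"""How identifying is a browser's observable configuration? (added example)"""
import hashlib
import math
from collections import Counter

# Assumed attribute set; the real paper used a different, larger feature list.
ATTRIBUTES = ("user_agent", "plugins", "fonts", "screen", "timezone")
# Attributes a software update would change; the only ones an "upgrade" may alter.
UPGRADE_ATTRIBUTES = ("user_agent", "plugins")


def record(user_agent, plugins, fonts, screen, timezone):
    """One visitor's observable configuration as a dict."""
    return dict(zip(ATTRIBUTES, (user_agent, plugins, fonts, screen, timezone)))


# Constructed sample of eight visitors; two pairs share an identical setup.
SAMPLE = [
    record("Firefox/3.6", "Flash 10,Java 6", "Arial,Verdana,Comic Sans", "1280x800x24", "-240"),
    record("Firefox/3.6", "Flash 10,Java 6", "Arial,Verdana,Comic Sans", "1280x800x24", "-240"),
    record("Firefox/3.6", "Flash 10", "Arial,Verdana", "1024x768x24", "0"),
    record("IE 8.0", "Flash 10,Java 6", "Arial,Verdana,Comic Sans", "1280x800x24", "-240"),
    record("IE 8.0", "Flash 10,Java 6", "Arial,Verdana,Comic Sans", "1280x800x24", "-240"),
    record("Chrome/5.0", "Flash 10", "Arial,Verdana", "1920x1080x24", "+60"),
    record("Safari/4.0", "Flash 10", "Helvetica,Arial", "1440x900x24", "-480"),
    record("Firefox/3.6", "Flash 10,Java 6", "Arial,Verdana,Comic Sans", "1280x800x24", "0"),
]


def fingerprint(rec):
    """Hash over all observable attributes; equal configs give equal fingerprints."""
    joined = "\x1f".join(rec[a] for a in ATTRIBUTES)
    return hashlib.sha256(joined.encode()).hexdigest()


def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def attribute_entropy(sample, attr):
    """Bits of identifying information carried by one attribute in this sample."""
    return entropy_bits(r[attr] for r in sample)


def fingerprint_entropy(sample):
    """Bits of identifying information in the combined fingerprint."""
    return entropy_bits(fingerprint(r) for r in sample)


def unique_fraction(sample):
    """Share of visitors whose fingerprint appears exactly once (the 'unique' metric)."""
    counts = Counter(fingerprint(r) for r in sample)
    return sum(1 for r in sample if counts[fingerprint(r)] == 1) / len(sample)


def looks_like_upgrade(old, new):
    """Assumed heuristic: exactly one attribute differs, it is one a software
    update would change, and the browser product name is unchanged."""
    changed = [a for a in ATTRIBUTES if old[a] != new[a]]
    if len(changed) != 1 or changed[0] not in UPGRADE_ATTRIBUTES:
        return False

    def product(ua):
        return ua.split("/")[0]

    return product(old["user_agent"]) == product(new["user_agent"])


if __name__ == "__main__":
    print(f"unique in sample: {unique_fraction(SAMPLE):.1%}")
    for a in ATTRIBUTES:
        print(f"{a:>11}: {attribute_entropy(SAMPLE, a):.2f} bits")
    print(f"fingerprint: {fingerprint_entropy(SAMPLE):.2f} bits")
```

Half of the constructed visitors are unique even with only five coarse attributes, which is the point of the paper: adding plugin and font lists pushes that fraction toward the 94.2 percent reported.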

White paper here: “How Unique Is Your Web Browser?”

Tom Kelchner

Is Facebook affected by the privacy debate?

Short answer: no, it’s just a numbers game.

The debate is continuing over Facebook’s lack of concern for users’ privacy and its strangely difficult procedures for managing users’ privacy settings.

Graham Cluley at the UK AV firm Sophos (http://www.sophos.com/blogs/gc/) drew the world’s attention to the fact that the Google Trends page is showing a spike in searches for the string “delete Facebook account.” The spike is still getting steeper.

Delete facebook 1

What it shows is that there are nearly 30 times as many searches as there were at the lowest period represented in early 2009. It doesn’t say what the absolute numbers are, it just shows a huge increase in the RATE. If one person ran the search in 2009, there could be only 30 people checking it this week. It also doesn’t indicate if the Googlers are finding anything useful or actually deleting their Facebook pages.

Diaspora

Meanwhile, the Diaspora group (http://www.joindiaspora.com/), four college students who set out several weeks ago to raise some cash to support themselves while they write “the privacy aware, personally controlled, do-it-all distributed open source social network,” is getting far more pledges of support than just the $10,000 they set out to raise:

Diaspora 10_17

Just say “No” to Facebook

A protest site, QuitFacebookDay.com (http://www.quitfacebookday.com/), meanwhile, has begun pushing the idea of users leaving Facebook. As of this afternoon, 3,466 people had committed to quit.

Quit Facebook

But, the big number

To put all this in perspective, we have a headline from the AllFaceBook.com blog (which is not connected to Facebook): http://www.allfacebook.com/2010/05/facebook-prepares-to-announce-500-million-users/#more-14403

“Facebook Prepares To Announce 500 Million Users”

Nick O’Neill writes there: “Facebook is working on plans for their 500 million user celebration, projected to take place at some point before the end of June.”

And this:

“Before the end of this year, the company should near the 600 million user mark and surpass $1 billion in annualized revenue.”

With numbers like that, Facebook’s privacy policy can probably be summed up in a couple of sentences — something like: “We don’t care. We’re so big we don’t have to.”

Tom Kelchner