AskJeeves to dump the butler

(There are so many stupid puns available for the asking, so out of respect for my above-average-intelligence audience, I will refrain.)

John Paczkowski of Good Morning Silicon Valley has this to say about AskJeeves:

Jeeves, the P.G. Wodehouse character that’s been the cornerstone of Ask Jeeves’ brand for the past nine years, is out of a job. Speaking at a Goldman Sachs Group investor conference yesterday in New York, Barry Diller, Chairman and CEO of Ask Jeeves’ new owner IAC, said the affable butler’s days at the company are numbered (see “Jeeves! Dammit man, get me my coat and a larger portion of the Internet search market!”). IAC plans to rebrand Ask Jeeves as Ask.com and when it does it will no longer require the services of its longtime mascot. IAC, it seems, feels Jeeves’ butler inhibits how people view its brand (the Jeeves character is often perceived as a “gay butler” in some countries). “Jeeves will disappear, and we will probably be called Ask or Ask.com,” Diller told conference attendees. “Not that I don’t like that butler. He’s actually a thinner butler now.”

180 answers back

In response to my earlier post, Sean Sundwall of 180 Solutions has this to say:

We agree, ActiveX is somewhat problematic and for that reason, it is not our preferred method of installation. However, it is a method that some of our web publishing partners request so we continue to provide this as one of several options. As you stated, many well known software makers use ActiveX to install software. But given the limitations Microsoft has imposed on the ActiveX install experience, it’s probably fair to say that ActiveX by itself cannot truly provide the user with enough information to make an informed decision, no matter who the software maker is. This is why we provide additional notification such as the dialog boxes you posted in your update, to ensure there is no confusion and no question as to what is being installed, what the tradeoff is for users and how they can uninstall. We expect that over time, fewer and fewer publishers will use the ActiveX method, but in the meantime, we offer ActiveX as an option building in the extra measures to ensure complete disclosure.

We also recognize that many consumers don’t read EULAs (Google has done away with one altogether for their Desktop Search tool). We believe, though, that EULAs are necessary and have made every effort to offer one of the shortest and easiest to understand in the software industry. And rather than simply provide a link to our EULA, we add it to the installation dialog boxes for all to see. But knowing EULAs are often skimmed or skipped altogether, we provide a plain-language description that really cannot be misunderstood. And just in case the user doesn’t read that or was somehow confused, we provide a short, clear reminder to the user upon completion of the installation that they have installed our products and we provide a link to our customer support services. We feel like this represents a fair, honest and transparent installation experience.


Alex Eckelberry

The Spam Queen speaks out

Laura Betterly was once dubbed the “Spam Queen” by the Wall Street Journal. The title wasn’t entirely accurate, as she was really just one of many run-of-the-mill bulk mailers and never sent offers for porn, body-part enlargement, Viagra, etc. In other words, she was nothing like the true hall-of-famers such as Scott Richter and Sanford Wallace. But the title stuck and she got some noteworthy press for it.

But she doesn’t spam anymore.

Why? She writes about current marketing practices and spam in an article here.

It’s actually an interesting read. Take this, for example, under the heading “The future of bulk email and why it is likely to remain dead”:

“In other words, Spam is a four-letter word.

Legitimate marketers are staying away in droves and it’s easy to see why. First of all let’s look at some facts. In the United States, it is legal to send unsolicited commercial e-mail. The CAN SPAM act allows for this. You have to provide a way to opt-out and not hide who you are, and a few more simple but ethical rules.

Although it is legal, there isn’t an internet service provider in the United States who will allow you to send unsolicited commercial e-mail.

Larger mailers have opt-in information from lists they purchase which imply consent but those lists aren’t originated from the mailer, but from other sub-mailers—you get a free thing or access to a particular site and the user checks a box that it is okay to get information from their “affiliates and partners.”

The “affiliates and partners” they are referring to are those who pay for the e-mail addresses and opt-in information.

These guys are sending you mail legally, but the fact is, they are not getting into your e-mail box for the most part. Blocking, filtering, and doing it the “legal” way bulk wise, is just not working.

Not to mention, there is no way to prove that the recipients opted in or are willing to get the message since they opted in at someone else’s site, not yours.

The response rate is pathetic and when that mail does get through, you have many disgruntled individuals who never remember opting in, so in their view, the mail is unsolicited. The only way to get e-mail into inboxes en masse is by not following the rules, so the only messages getting through are the scams, including the pornographic, illegal, and objectionable.

It is ironic that the very thing people want to rail against, they are getting more of in the aftermath of Can-Spam.”


Alex Eckelberry

What’s wrong with this picture?

This recent video shows 180 Solutions is now installing Zango Search Assistant (the replacement for 180 Search Assistant) via ActiveX installs at third-party web sites.

Why is this notable?

1. The user goes to the site and gets a confusing ActiveX control thrown into their face.



Even under Windows XP SP2, it is intrusive and confusing. One gets one of these redirect/layover screens that directs the user to install an ActiveX control; the screen is not necessarily from Zango, but it is confusing nevertheless.



2. The ActiveX box describes this program only as “Website Access” from “Zango.” No mention or description of functionality such as pop-up advertising, installation of a toolbar, error page hijacking, etc.

3. The EULA itself likewise makes no mention of key functionality, disclosing only advertising in some vague way (redirects to partner websites) but not pop-up advertising — no mention of a toolbar at all. Click here.

4. Three separate programs are installed (with three different entries in Add/Remove Programs). There is a fourth, MediaGateway, a Zango app which is installed if you agree to it (a different ActiveX popup).


5. On one test system, a device driver capable of accessing the drive directly (ide210201.vxd) is dropped in System32. Just what this driver is being used for is unknown. See google. According to this post, “this is a legitimate file and it is used in Windows Me/98/95 computers in order to get data on the hard disk installed”.

Alex Eckelberry
(Thanks to Eric Howes for his invaluable contribution)

8:44 PM Update: 180 Solutions is fiercely defending this install, and we expect something to post later tonight or tomorrow morning.

In the meantime, here is some more information and clarifications.

The VXD file mentioned above (ide210201.vxd) comes from MediaGateway, a Zango application. I did not get this file on a re-test this evening with Windows XP SP2.

So here is how the install occurs on a Windows XP SP2 system:

After getting the “You Must Click Yes” dialog, and you agree to install the ActiveX control, you get the standard ActiveX install warning:

After agreeing to Zango, to their credit, you then get these screens:

Note that this screen is pre-selected, has a big EULA stuffed into a tiny box, etc. But it is a step better than what we’ve seen in the past…

So, notice is given that Zango is being installed, and one can uninstall the programs through Add/Remove.

Here’s the key problem, though: The use of ActiveX installs is problematic, since one cannot provide adequate notice and disclosure in the initial screen — and it’s a method of install that has been heavily abused in the spyware space.

ActiveX controls are used by many reputable publishers, such as Microsoft and Trend Micro. However, in these cases, the user is quite aware of what is going on. Simply getting an ActiveX control popping up in your face (the case if you’re not running SP2) simply confuses and baffles users.

However, to 180’s credit, they do provide an install screen after the ActiveX install which clarifies what is going on.

A final note: Contrary to intimations in the installer and uninstaller, access to this website does not need Zango.

ATM Hacking

Ted Richardson writes about hacking an ATM, with pics…

Here are his pics of an ATM after being compromised.

They attach a device over the card slot of the legitimate ATM, which reads the magnetic stripe data from every card inserted. Using the latest wireless technology, that data is normally transmitted to fraudsters in a nearby vehicle.

Your ATM card is protected by a PIN, but these criminals have a solution for this too. They install a hidden camera, again using the latest technology (wireless), and the PIN is digitally recorded.

Here is a picture of the compromised ATM with the camera installed.

Alex Eckelberry

Mozilla fights back against security claims

As blogged earlier, vulnerabilities in Firefox are now running at a faster clip than those for Internet Explorer.

ZDNET article here: “Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla’s ‘ability to react, find a solution and put it into the user’s hands is better than Microsoft.’”

Alex Eckelberry
(Tip of the hat to Donna)

Spammers and Scammers

From Deb Shinder:

It’s not just that the amount of spam is increasing lately (over the last few weeks, I’ve gone from getting 5-10 spam messages in my Inbox each morning to 20-40). Thank goodness for iHateSpam (on a recent typical Monday, over 3000 spams were caught by our server-level filters, addressed to either my husband or me, or to nonexistent addresses in our domain, before they ever reached our mailboxes). The really bad part is that the “quality” of the spam that gets through is deteriorating.

Now maybe “quality” is a contradiction in terms when you’re talking about spam, but here’s the point: in the past, the majority of spam messages that got through my filters were attempts to sell something, similar to the junk mail that we get in our physical mailboxes. Annoying, but not infuriating. My mail filters caught the blatant porn spam and other offensive messages.

The past month has seen a big increase in spam scams of all kinds. Part of this is undoubtedly the natural tendency of con men rushing in where angels fear to tread after a natural disaster like Hurricane Katrina – I’ve seen a few of the fake charity solicitation spams with links that most likely lead to phishing Web sites. These sites are dangerous. It would be bad enough if the only problem were that the unsuspecting person who enters credit card information to supposedly donate to the charity has those funds diverted to the scammer’s use, but it gets worse. The credit card info itself is often used to steal the person’s identity and make other, unauthorized charges. This is, in my opinion, the lowest of the low. Federal and state governments are cracking down on these scammers. Read more here.

Another spam scam I’ve been seeing regularly is from an organization that calls itself SPAMIS, which is supposed to stand for “Strategic Partnership Against Microsoft Illegal Spam.” I started getting these months ago, and found it pretty ironic that these claims that Microsoft sends unsolicited and unwanted e-mail were being sent as … unsolicited and unwanted e-mail.

The more recent messages from SPAMIS have gone far afield of the “spam” claims against Microsoft, and started making other accusations. The latest one, which I got last Thursday, is titled “Microsoft plans to stop supporting the American economy by outsourcing more than 10,000 jobs over 10 years to China.” When you dig deeper into this story, you find that the source of those numbers appears to be Kai-Fu Lee, the Microsoft executive who left to work for Google and is being sued by Microsoft for breaching the non-compete agreement that he had signed. Not exactly an unbiased source.

But whether or not the outsourcing numbers are true, it’s highly unlikely that the company has any plans to “stop supporting the American economy.” And if they did, what does that have to do with spam (which is supposedly SPAMIS’s purpose for existing)? It has become very clear, if it wasn’t already, that SPAMIS is not an anti-spam organization like CAUCE (the Coalition Against Unsolicited Commercial Email), but is in fact an anti-Microsoft organization that uses spam to further its campaign against the company.

To confirm even further that SPAMIS is a spammer, their most recent messages – like so many other spam messages – disguise who the message is from by placing the recipient’s own e-mail address in the “from” field. Thus, when their messages show up in my mailbox, it looks as if they came from me. Gosh, why would a legitimate organization do that? Obviously lots of other folks are onto their scam and blocking mail from their own domain.

According to several sources on the Web, the driving force behind SPAMIS is none other than Robert Soloway, who is a well-known spammer and seller of mailing list addresses. According to Spamhaus, a popular register of known spam operations, rumor has it that Soloway has hired virus writers to create spam zombies. You can read more about Soloway here.

It comes as no surprise that Soloway was one of the spammers Microsoft sued for illegal spamming. He has recently mounted a campaign against Microsoft’s Sender ID framework, a technology that’s designed to stop spam by verifying the IP addresses of email senders and comparing them to the registered addresses for the purported sending domain to authenticate senders’ identities – you can read more about Sender ID here.

I’m also getting lots of spam these days in other languages, including those in Cyrillic and Asian alphabets. Don’t know what they’re trying to sell me, but at least those are easy to tag as spam.

What about you? Have you noticed any new patterns in the spam you’re receiving lately? Are any of the new spam messages particularly annoying to you? Are you seeing more scam spams than usual? Are your filters having a hard time keeping up as the spammers change their domains and methods? Feel free to comment.

Deb Shinder
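As an added example (not part of Deb’s post), here are the two points above written as mail-filter logic: a Sender ID/SPF-style check that the delivering IP is one the From: domain has registered, and a heuristic for the “From: forged to your own address” trick. REGISTERED_SENDERS is a constructed in-memory stand-in for a domain’s published sender record, and both sample messages are constructed.

```python
# Two checks suggested by the post, run over constructed messages:
# (1) Sender ID/SPF-style: does the IP that delivered the message belong to the
#     addresses the purported sending domain has registered?
# (2) the SPAMIS trick: From: forged to the recipient's own address.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for each domain's published sender record (assumption).
REGISTERED_SENDERS = {
    "example.com": [ipaddress.ip_network("192.0.2.0/24")],
}
IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def connecting_ip(msg):
    """Client IP from the topmost Received: header, i.e. the one our own MTA wrote."""
    received = msg.get_all("Received") or []
    match = IP_IN_BRACKETS.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def from_address(msg):
    return parseaddr(msg.get("From", ""))[1].lower()


def sender_authenticated(raw):
    """Return 'pass', 'fail' or 'none' (the domain publishes no sender record)."""
    msg = message_from_string(raw)
    nets = REGISTERED_SENDERS.get(from_address(msg).rpartition("@")[2])
    if nets is None:
        return "none"
    ip = connecting_ip(msg)
    return "pass" if ip is not None and any(ip in n for n in nets) else "fail"


def classify(raw, recipient):
    """Spam verdict for one message delivered to `recipient`."""
    msg = message_from_string(raw)
    verdict = sender_authenticated(raw)
    # A genuine note-to-self passes the sender check; a forgery does not.
    if from_address(msg) == recipient.lower() and verdict != "pass":
        return "spam: self-addressed forgery"
    if verdict == "fail":
        return "spam: sender not registered for its domain"
    return "ok"


# Constructed sample messages (not real mail).
FORGED = """Received: from unknown (HELO mx1) [203.0.113.7] by mx.ourdomain.example
From: deb@example.com
To: deb@example.com
Subject: Microsoft plans to stop supporting the American economy

body
"""
GENUINE = """Received: from mail.example.com (mail.example.com [192.0.2.5]) by mx.ourdomain.example
From: deb@example.com
To: deb@example.com
Subject: note to self

body
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, "->", classify(raw, "deb@example.com"))
```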

Firefox: Honeymoon Over?

No. I think you’re way, way safer using Firefox than IE, but according to security expert George Ou, Firefox now has more vulnerabilities per month than IE (you need to read the whole article to understand the data).

Read George’s blog here

Click here to read an unrelated CNET story about Symantec’s recent statements on Mozilla browser security (“Mozilla Web browsers are potentially more vulnerable to attack than Microsoft’s Internet Explorer, according to a Symantec report… There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox”).


Alex Eckelberry

Stopping spyware at the gateway

We’ve developed a version of CounterSpy that can be put into gateway appliances. Our first deal is with a company called Cymphonix. They make a pretty nifty appliance: it blocks spyware and a lot more, such as shaping bandwidth (meaning you can give different users and applications different bandwidth restrictions).


Alex Eckelberry

Cisco operating system hacked?

This Russian website writes about hacking the Cisco IOS (the Internet Operating System, which their routers run on).

In case you don’t speak Russian, we have translated the text (some potentially offensive text was removed):

On September 9th Andrey Vladimirov, security specialist, known as the co-author of the “Wi-Foo: The Secrets Of Wireless Hacking” book, revealed information regarding the end of a “brain storm” which targeted Cisco software vulnerabilities in his LiveJournal blog, where he goes by the nickname “dr_nicodimus”.

Researchers developed methods of injecting code into Cisco IOS and figured out how exploits and shellcode could be written for that platform. They created mechanisms that allowed implementing cross-platform worms for IOS. They detected a large number of vulnerabilities in the EIGRP routing protocol. To demonstrate this they attacked one Cisco box from the other and as a result they were able to run an IRC server on the hijacked machine.

Therefore, we can certainly say that they succeeded in cracking Cisco router software, and this demonstrates once again that overestimating the idea of “security through obscurity” leads to very dangerous consequences.

Hopefully, Cisco will take into account the lessons learned by Microsoft and will soon release their own “Cisco IOS SP2”.

I admittedly don’t have much sympathy for Cisco these days after watching their treatment of Michael Lynn and their frantic and bungling efforts to kill the information (one of the most mindboggling things I’ve seen was this video of Cisco employees tearing up his presentation at the BlackHat conference).


Alex Eckelberry
(Thanks to Olexiy for the translation)

Risk assessment standard

This is actually useful. The Common Vulnerability Scoring System (CVSS) lets companies realistically interpret what a security threat means for their own organization.

From the article in CNET:

“CVSS goes beyond today’s severity ratings, such as the familiar “critical” and “important” found in security bulletins from Microsoft. The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritize patches.”
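To make the “calculate the specific risk to their own environment” point concrete, here is an added worked scoring example (mine, not from the article or the CVSS authors). The weights are the ones I recall from the 2005 CVSS version 1 paper and are an assumption of this example; the point it shows is that one vendor severity rating turns into two different patch priorities in two environments.

```python
# Added illustration of CVSS-style scoring: base -> temporal -> environmental.
# The weights are the ones I recall from the 2005 CVSS version 1 paper and are
# an assumption of this example, not something the article states.
ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# Impact bias weights for (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9, "functional": 0.95, "high": 1.0}
REMEDIATION = {"official_fix": 0.87, "temporary_fix": 0.9, "workaround": 0.95, "unavailable": 1.0}
CONFIDENCE = {"unconfirmed": 0.9, "uncorroborated": 0.95, "confirmed": 1.0}
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Severity of the flaw itself, independent of who is affected (0-10)."""
    cw, iw, aw = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cw + IMPACT[integ] * iw + IMPACT[avail] * aw
    return round(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * impact, 1)


def temporal_score(base, exploitability, remediation, confidence):
    """Base score adjusted for the current state of exploit code, fixes and confirmation."""
    return round(base * EXPLOITABILITY[exploitability] * REMEDIATION[remediation] * CONFIDENCE[confidence], 1)


def environmental_score(temporal, collateral, distribution):
    """Temporal score adjusted for one organisation: potential damage and share of hosts exposed."""
    damage_adjusted = temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral]
    return round(damage_adjusted * TARGET_DISTRIBUTION[distribution], 1)


def score_in_environment(collateral, distribution):
    """The same remote, unauthenticated, partial-impact flaw scored for one environment."""
    base = base_score("remote", "low", "not_required", "partial", "partial", "partial")
    temporal = temporal_score(base, "functional", "workaround", "confirmed")
    return environmental_score(temporal, collateral, distribution)


if __name__ == "__main__":
    # One vendor "important" rating becomes two different patch priorities.
    print("branch network, every host exposed:", score_in_environment("medium", "high"))  # 7.4
    print("isolated lab, few hosts exposed:", score_in_environment("low", "low"))  # 1.7
```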


Alex Eckelberry

You want free crackz? Prepare to pay the price

Crackz sites (where one can find stolen registration numbers for software) are always good places to get yourself a big fat payload of spyware. But there’s fuel to the fire from two notable researchers: Microsoft MVP Chris Boyd at VitalSecurity.org writes a damning review of a program called Crack Extractor which carries a mass of spyware as its payload. And Roger Karlsson stepped in with a video taken back in June of YourSiteBar, 180Solutions, Exact Advertising and more distributed side by side with a license key generator for Nero 6 Ultra Edition CD burning software.

Information Week gives CounterSpy Enterprise Editor’s Choice

This just in. Information Week’s review of enterprise antispyware products resulted in CounterSpy Enterprise winning Editor’s Choice.

“Sunbelt CounterSpy Enterprise wins our Editor’s Choice award for its modern interface design, ease of deployment and ability to remove what we threw at it.”

Article here.

(Correction: As Mitch Wagner points out, this is actually a Network Computing article that was republished in Information Week).

Alex Eckelberry
(Apologies for the shameless plug.)

Fascinating article on Phishing

Christopher Abad at Cloudmark (a business partner of Sunbelt’s) wrote an extraordinary paper on phishing several months ago. If you haven’t seen it, it’s a highly recommended research treatment of the subject.

For example, by spidering through IRC servers, they found this complex web of interrelations among phishers:

Alex Eckelberry
(Thanks Eric)