Microsoft anti-phishing tool to ship ahead of IE 7

According to Paul Thurrott:

“We complain when Microsoft restricts certain features and functionality to only the latest product versions, so this report should be seen as good news. Although Microsoft Internet Explorer (IE) 7.0 will include Phishing Filter, a feature that helps protect users from scam Web sites, Microsoft believed that the feature was important enough to make it available to IE 6.0 users (via a plug-in for the MSN Search Toolbar) before IE 7.0’s release. (It’s due any day now, I’m told.) If you’re not into the MSN Search Toolbar but want antiphishing features, check out Netcraft Toolbar, which is what I use. There’s also a version for Mozilla Firefox.”

He likes NetCraft.  I downloaded it once and disliked it almost immediately (maybe it’s gotten better).  As I’m sure you’re tired of hearing, I’m a fan of Cloudmark’s antiphishing toolbar available here.  I’ve also played with FraudEliminator and it’s quite good too.

Update:  More info at News.com

Alex Eckelberry

More on the Kutztown kids

If you followed my last blog on this, a group of 13 kids who “hacked” into their school’s computers were going to be charged with felonies by the luddite school officials.

We learned today that the kids have been offered a deal.

From Newsday:

“In meetings with students over the last several days, the Berks County juvenile probation office has quietly offered the students a deal in which all charges would be dropped in exchange for 15 hours of community service, a letter of apology, a class on personal responsibility and a few months of probation.”

Well that’s nice. 

For background, check out the kids’ perspective of how this all started (I love it that they set up their own website).

Alex Eckelberry


Security on the cheap

(This blog will be updated as I change my mind, think of better things to say or just for the heck of it).

Alternative titles: “The Four Pillars of Internet Security”, “Dirty little secrets of the software world”, “Steal this software”. Or more appropriately: “There goes Alex again, burning bridges in the software business”.

People have sometimes asked me the seemingly simple question: “What do I do to protect myself on the Internet”?

Well, first off, a large number of the people we see getting hit very badly by spyware have older unpatched Windows systems, meaning they are running Windows XP in practically its original state, without security patches. So, making sure you’re running the latest security patches is quite important.

Trite bromides like “get yourself antivirus programs, a firewall and an antispyware program” wear thin. The response is invariably one of confusion: “What antivirus program?”, “What firewall?”, “Is a hardware firewall enough?”, and so on.

The simple fact is good internet security is based on what I call the Four Pillars of Internet Security. They are:

• Firewall protection
• Antivirus
• Antispyware
• Patching

With these basics, your internet experience is dramatically safer. Antispam, antiphishing tools, content inspectors and the rest are often useful, but not absolutely necessary.

Now, you don’t have to pay through the nose for “security suites” that are sometimes, well, ten pounds of crap shoveled into a five pound bag. If it were a cost issue, people wouldn’t care. They’d shell out the bucks to get a good solution, and if they didn’t, we could all smirk and say “see, I told you so, if you’d just spent $80 on a security suite, you would still have a wife, a car and money in the bank.”

(I often joke that Internet security suites are worse than spyware. Spyware does a couple of notable things: It pummels you with popups and slows your system down. Internet security suites pummel you with popups (aka security warnings) and slow your system down. But worse, they have the audacity of charging you an arm and a leg.)

Introducing Security on the Cheap
I make my living making and selling software, so my interest is always to have you pay for it. But for those who want to save a buck or two, I’ve got my Security on the Cheap guide below. Getting these (mostly) free basics in now will make your internet experience dramatically more secure:

(Realize that most of the free solutions mentioned are gratis only for certain types of users, like home users. Check the terms of the licensing agreements.)

Get an antivirus program. Grisoft’s free antivirus is pretty decent. There’s the free AntiVir and the free Avast. Want to pay? Kaspersky’s is excellent but a wee pricey ($40), and I’m personally a big fan of NOD32. Might want to try AOL’s new freebie as well. Or the free BitDefender (which I believe is unfortunately an on-demand scanner only, with no real-time protection). If you want other suggestions, ask your friends or download the various trial versions out there.

Get a software firewall: You don’t have to spend money on a good firewall. My personal favorite: The Kerio firewall, which is a totally biased statement since it’s my product. However, another option is the ZoneAlarm personal version, free and good. (Sygate used to be great but has been discontinued).

Get an Antispyware tool: In my completely biased opinion, I of course recommend mine (CounterSpy), but WebRoot’s SpySweeper is a very solid product. (PC Tools makes an outstanding product as well, but to be blunt, I’m not a fan of their marketing tactics.)

Now, I understand and forgive you if you don’t want to spend $20 on a commercial antispyware program 😉 So here’s the low-down on the free ones: Microsoft’s free one is ok, but not great. The two other free ones are Spybot and Adaware. Spybot is behind in the spyware race and I’m not sure if Lavasoft is still the product it used to be. Things have changed: threats have gotten very hard to remove. The real scoop? The free Norton Antispyware on-demand scanner in the Yahoo toolbar is quite good, and it’s no longer using the old PestPatrol engine.

Patching: The final leg of the Four Pillars of Security is getting your security patches from Microsoft. You would be amazed at how many people haven’t updated to the latest patches.

That’s the list of the really important security programs. Here’s a host of other little tools you can get that will make your experience even safer:

Antiphishing. Microsoft and Firefox now have antiphishing in their latest versions, but you can also get the free Netcraft antiphishing toolbar.

Antispam. Some would argue that a spam filter is vital for security. Actually, it really isn’t if you’re relatively intelligent, since spam is more of a nuisance than anything else and if you can stand deleting messages, you don’t need one. But that being said, spam is a royal pain, and a good antispam tool is a lifesaver.

Here’s my advice: Use the Outlook 2003 junk mail filter. It’s mediocre but free if you have Outlook 2003. Other options: Find out if your internet service provider has spam protection (Earthlink’s is actually decent). Otherwise, I’m afraid you’ll have to shell out some bucks. I have one, iHateSpam for $20. Cloudmark (incidentally, a business partner of ours) also has a very good one. Shop around, but you’ll find there’s a lot of junk out there, believe me.

Misc. tools. Paranoid and want to check for rootkits? Download the incredibly confusing but powerful Sysinternals Rootkit Revealer. Or F-Secure Blacklight. Got a tough job cleaning spyware? Get HijackThis. Want to help protect against spyware? Download the free IE Spyad by Eric Howes (who incidentally does consulting work for us). Want to lock down what sites your kids can visit? Get either CyberPatrol (a wee pricey) or CyberSitter (a good value). Or buy this bundle at Dell.

Also, Michael Horowitz wrote to recommend Javacool’s SpywareBlaster (not to be confused with a rogue app of the same name). I would also add WinPatrol to the “Security on the Cheap” list.

And then, of course, there is your operating environment. If you can live with it, Linux or Macs are infinitely safer than PCs. Don’t want to migrate to another OS? Then at least get Firefox, which will add a lot of security to your browsing experience.

And a final miscellaneous tip: Primary users on their computers might think of setting up accounts with Restricted Access. You as an administrator can control what’s installed, but when someone else wants to use your PC, put them on a Restricted Account. Password protect your own Administrator account. However, in some cases, it can be a hassle, as Michael Horowitz points out here. Vista will offer improved functionality in this area.

That’s it for now. Feel free to comment if you have any other ideas or opinions.

Alex Eckelberry

Update: PC Mag publishes their list of free stuff.

XP users may be at risk for Zotob

Patch your systems.

From Microsoft Watch: “Users running certain configurations of Windows XP Service Pack (SP) 1 beware: That pesky Zotob worm that hit Windows 2000 users last week could affect your systems, too. This week, Microsoft issued a new advisory on the expanded Zotob threat. Windows XP SP2 users are not vulnerable to the Zotob attacks, Microsoft said.”

New version of Srv.SSA-KeyLogger up

We discovered a new variant of the identity theft keylogger (a dumaru/nibu variant). We have since updated our free tool to scan for this keylogger. You can find it here.

Counterspy and CounterSpy Enterprise definitions will be updated shortly.

The SSA-KeyLogger spyware only installs on Windows XP and Windows 2000/2003. If you do find your PC to be infected, please call our tech support dept immediately at 877-673-1153.

Alex Eckelberry

Update: Important information here on the keylogger.

A look into the mind of spyware criminals

We found a document this morning while researching some spyware. It is written in Russian; we have the translated version here. Fascinating reading. The document was dated May 16. Note that the document has been broken into pieces by the translator; the original is not in this sentence-by-sentence format.

The reference to iFrame is ostensibly to the various Internet Explorer Iframe exploits (which affect unpatched systems).

Alex Eckelberry


CDT supports the broadcast flag?

The Center for Democracy and Technology (CDT), which is organizing the antispyware consortium, is now supporting a modified version of the broadcast flag.

“An array of non-profit groups including the Electronic Frontier Foundation, Public Knowledge, and the American Library Association spent years fighting the idea of a ‘broadcast flag,’ a federal regulation that would have outlawed many digital TV receivers and tuner cards starting July 1…In May, a federal appeals court unceremoniously tossed out the Federal Communications Commission’s regulations.

But now one non-profit advocacy group is breaking ranks with its usual allies and handing Congress a road map to reinstating the broadcast flag. The idea is to reduce piracy of digital TV by prohibiting the manufacture of computer and video hardware that doesn’t sport copy protection technology”

CDT conflict of interest? “A now-deleted Web page, saved in February 2003 by Archive.org, shows that Time Warner, Disney, and Vivendi (an owner of NBC Universal) have been supporters. Though for the record, a CDT spokesman said Tuesday that only Time Warner (that is, AOL) currently is providing cash.”

IMPORTANT UPDATE AND CORRECTION:

It appears the post by Declan McCullagh at Politech (from which the content of this blog was framed) was inaccurate. According to an email to me from a high-ranking official of the CDT:

1) The sponsor page mentioned [above] was not deleted.  It is still online, but we stopped linking while we are redoing our Website, precisely because it was outdated and included companies that no longer fund us.  We hope to have a new one up sometime next month.

2) Content companies hate our copyright position.  That is why they (Disney, Universal, etc) stopped funding us.  As you know AOL is a member of ASC and other CDT working groups.  Therefore, Time Warner supports us.  Our funding on copyright is almost entirely funded by the MacArthur Foundation.

3) CDT DOES NOT support the broadcast flag.  The paper was saying that Congress SHOULD NOT support a broadcast flag, however, since they are working on it, they should at least consider fixing the completely broken current proposal.

In other words, no story here. 

Alex Eckelberry
Tip o’ the hat to Ben Edelman

Sneaky rental car companies

Are rental car companies tracking your every move by GPS?

Thankfully, the Connecticut Supreme Court struck down a recent case on this issue.

Check this idiocy out:

First, let’s look at the Connecticut case. It arose because American Car Rental had a policy of charging its clients $150 for “excessive wear and tear” to the rental car, each time they drove over 79 miles per hour.

“American knew exactly when that occurred because its subsidiary, Acme Rental, used GPS installed in its cars to monitor renters’ speed as they traveled. Whenever GPS reported that the customer drove at least 80mph for more than two minutes at a time, the company charged the customer’s credit or debit card $150.

This happened as follows: Wireless technology transmitted the vehicle’s location, as determined by GPS, to a tracking company. The tracking company faxed the information to Acme, which – with the rental customer’s credit card on file — posted a $150 charge to the card. Sometimes, this process was repeated numerous times. And sometimes, as a result, customers had their credit or debit cards rejected by retailers because their credit limit was exceeded.”

This is just sick.

Alex Eckelberry


Google Storm

A flurry of new stuff from Google: GoogleDesktop, the new desktop search tool; GoogleTalk, the new instant messaging tool; and a new Blogger add-in for Microsoft Word which lets you publish stuff from inside of Word.

I briefly tried out the new Blogger add-in to see if I like it as much as my all-time favorite, BlogJet. Jury: I prefer BlogJet for now, as it allows you to publish images (the Google add-in says that’s not “currently” supported). But it is really nice to use Word to post blogs.

Alex Eckelberry


Does Wireless Networking Have to Be Insecure?

From this week’s issue of Sunbelt’s WXPnews.

Remember when talking on the phone meant being tied to a confined area by a cord? Many members of the younger generation don’t; cordless landlines and cellular/mobile phones have always been a part of their lives. Most of those reading this, though, can still remember when setting up a home or business network required running Ethernet cabling throughout the building (or paying someone else to do it). Those who have actually spent time crawling through attics to drop cable can fully appreciate the miracle of wireless networking technology. No wonder the popularity of 802.11 wireless equipment has boomed in the last few years. For convenience, you can’t beat it. But what about security?

Some people will tell you that wireless networking is inherently less secure than wired communications, and that’s true. To “tap into” your cabled network, an intruder has to have physical access to that line. Because common wireless networking technologies are RF (radio frequency) based and send signals over the airwaves, an intruder can sit in a car with a laptop down the street from your location and “catch” your transmissions. Many wireless users think they’re safe because of the distance limitations referenced in the documentation of their wireless access points or routers: approximately 300 feet for 802.11b/g, about half that for 802.11a. What they don’t tell you is that a “war driver” can increase that range by attaching a powerful directional antenna to the wireless network adapter on his laptop.

Now, there are ways to control what computers can connect to your wireless network. You can configure your WAP/router to use “MAC filtering,” which lets you specify that only computers with specific physical (Media Access Control or MAC) addresses can connect to the network. The MAC address is a hexadecimal number that’s usually burned into the chip of the network card by its manufacturer. Unlike the IP address, it’s not easy to change. Unfortunately, though, a skilled hacker can monitor the traffic that’s going over your wireless network and capture the MAC address of a valid computer, then “spoof” it to make it appear that’s the address of his own computer.

Another tip for securing your wireless network is to turn off SSID broadcasting (the feature whereby your WAP/router broadcasts the network name that wireless computers “see” in the list of available networks). That will make an intruder work a little harder to find your network, but only a little. There’s software freely available on Internet hacker sites that a determined intruder can use to “sniff” the packets that are transmitted when a valid user connects to your network and get the SSID that way.

WAPs and wireless routers include encryption mechanisms, typically Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) for added protection. Unfortunately, WEP has well known weaknesses that can be exploited by a hacker. WPA provides stronger protection, but isn’t supported by all WAPs, wireless network cards and operating systems.

Because of all these challenges, some folks will tell you that it’s impossible to attain an acceptable level of security on wireless networks and you should just stick with cables, inconvenience and all. Some companies and government agencies have banned wireless networking as a matter of policy. Should you just give up on wireless, too?

We don’t think so. First of all, most of us aren’t transmitting national defense secrets on our wireless nets, so for us an “acceptable” level of security generally means the ability to deter casual intruders, not agents of foreign governments with multi-million dollar equipment who are targeting us specifically. Secondly, much of the insecurity of wireless networking is due to improper configuration of the WAP/router. This is because the default settings of most products leave your network “wide open” (vendors don’t do this to intentionally put you at risk; they do it to make it easier for you to get your wireless network up and running right out of the box). However, you can make your wireless network much more secure by applying the proper settings and encryption. Even more importantly, software companies are hard at work developing products that we can use to make our wireless networks more secure.
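As an added example (not part of the WXPnews article), here is a small Python audit of a router’s wireless settings against the points above: encryption mode, SSID broadcast and the MAC allow list. The key=value export format, field names and both sample configurations are constructed for illustration; map them onto your own router’s settings page.

```python
import re

# Constructed sample of a WAP/router's exported wireless settings, in the
# "wide open" state most products ship in (key=value lines, one per setting).
DEFAULT_CONFIG = """\
ssid=linksys
ssid_broadcast=1
encryption=none
mac_filter=0
mac_allow=
"""

# Constructed: the same router after applying the article's advice.
HARDENED_CONFIG = """\
ssid=attic-net-7
ssid_broadcast=0
encryption=wpa
mac_filter=1
mac_allow=00:0C:29:3A:1B:7C, 00-1a-2b-3c-4d-5e
"""

# Six hex octets, separated by ':' or '-' or run together.
MAC_RE = re.compile(r"^" + r"[:-]?".join([r"([0-9a-f]{2})"] * 6) + r"$")


def parse_config(text):
    """Turn key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def normalize_mac(raw):
    """Return the MAC in lower-case colon form, or None if it is malformed."""
    m = MAC_RE.match(raw.strip().lower())
    return ":".join(m.groups()) if m else None


def audit_wireless(text):
    """Return (score, findings). Score 0 means nothing was flagged.
    Severity 3 items expose traffic to anyone in RF range; severity 1 items
    are the speed bumps from the article (SSID hiding, MAC filtering) that a
    determined intruder bypasses but that still deter casual ones."""
    cfg = parse_config(text)
    findings = []
    enc = cfg.get("encryption", "none").lower()
    if enc in ("", "none", "open"):
        findings.append((3, "no encryption: traffic is readable by anyone in range"))
    elif enc == "wep":
        findings.append((3, "WEP has well-known weaknesses; use WPA where supported"))
    elif not enc.startswith("wpa"):
        findings.append((3, "unrecognised encryption mode %r" % enc))
    if cfg.get("ssid_broadcast", "1") != "0":
        findings.append((1, "SSID broadcast on (hiding it only slows an intruder slightly)"))
    if cfg.get("mac_filter", "0") != "1":
        findings.append((1, "MAC filtering off (spoofable, but deters casual intruders)"))
    else:
        macs = [m.strip() for m in cfg.get("mac_allow", "").split(",") if m.strip()]
        bad = [m for m in macs if normalize_mac(m) is None]
        if not macs:
            findings.append((2, "MAC filtering on but the allow list is empty"))
        if bad:
            findings.append((2, "malformed MAC entries: " + ", ".join(bad)))
    return sum(sev for sev, _ in findings), findings
```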

We’d like to know what you think about wireless security and what you’d like to see in a wireless security product. Please take the quick survey to share your opinions here.


Another winning entry from Paperghost!

A few weeks back, we held the world’s first Antispy Film Fest, featuring the works of cutting edge directors Wayne Porter and Paperghost.

Now, Paperghost has outdistanced the trade with his latest tour-de-force, Grokster: The Movie.

Filmed in a gritty film-noir cum Benny Hill style, Grokster: The Movie shares the tale of a hapless web surfer (Hapless) caught in the tangled web of a massive adware infestation brought on by a Grokster install.

Featuring the dreaded KVM media installer (one of the most malicious beasts we’ve seen), Hapless is forced to choose between thousands of rotational ads serving pornography and diet pill ads, while (presumably) seeing his machine turned into a spam zombie, blasting out thousands of messages per minute through port 25.

We can only hope to see more of this brilliant young director’s cinematic excellence.

Alex Eckelberry

Spyware countermeasures by banks

There are a couple of recent measures against keyloggers that banks have started using.

One is a “reverse PIN” algorithm. The customer is instructed, when transferring funds, to enter their PIN in a specific order (such as in reverse, or with the third and fourth digits switched). The bank then transliterates the sequence into the correct order on the back-end (thanks Catherine).

Another is where customers enter their information by mouse-clicking on a virtual keyboard (CitiBank uses this, click here for an example).  However, we’ve already seen evidence that this can be fairly easily hacked.

Another idea is to tie the password in with the website URL at the time of the transaction.

More is needed.  I have seen my fair share of compromised systems.  Authentication is old news.  Banks, right now, need to work with the belief that their customers have had their account information and PINs stolen. 

Alex Eckelberry

Xavier Ashe presentation on wifi security

Security guy Xavier Ashe recently gave a presentation on WiFi security and has this PowerPoint available for download.

He highlights these trends:

  • Wireless threats are increasing exponentially
  • Tools are becoming increasingly available and easier to use, for both good and bad
  • Wireless risks and the security of a wireless infrastructure are misunderstood

He also provides a good overview of current security breaches/risks.

Alex Eckelberry


Disturbing new evidence on Grokster

This is starting to get intriguing and quite disturbing. Antispyware heavyweight Andrew Clover left this very interesting post on SpywareWarrior’s blog on Grokster last night:

“Apart from the usual suspects Grokster installs (BroadcastPC, MSearch/MyGlobalSearch etc.) we are seeing something else here as pictured in the screenshot on Alex’s blog.

That something is simply an advert spawned through Grokster’s normal in-application advertising system (Cydoor). However this uses IE to display the ads, so is vulnerable to all the same exploits IE can meet during normal browsing. The ad network let exploits in, so will be serving spyware to everyone who views ads on that network, through Grokster or otherwise.

In this case the exploit is a new variant on 2ndThought, going under the name KVM Media. 2ndThought is a perennial source of exploits served through mainstream ad networks.

Other names used by the company behind 2ndThought (and the related FreeScratchAndWin/xzoomy, EnhanceMySearch and RebateShoppers parasites) include CPM Media, PopNugget, SoftTech, Advolt, AdsLimitless, LeadTaxi, WMG Media, Pacimedia, PacerD, AdSavior, Pan-Advert, More Media One and ICANNNews.”

This KVM attempted force-install I wrote about last week (pictured below) is very nasty.  We also have an unconfirmed report from a reliable source that one of the apps KVM installs turns your machine into a spam zombie. 

[Screenshot: the KVM force-install prompt]

We should see some interesting new developments over the next week…

Alex Eckelberry