Advertising.com settles with FTC

This is great news. SpyBlast was being marketed by Advertising.com with spyware built in! The FTC got a bit grumpy and now there is a settlement.

Check this out:

“The FTC complaint charged that Advertising.com, Inc., and its co-founder, John Ferber, distributed ads stating that because a consumer’s computer was broadcasting an Internet IP address, it was at risk from hackers. Consumers who clicked on one of the ads were shown an Active X “security warning” installation box, with a hyperlink describing SpyBlast as “Personal Computer Security and Protection Software from unauthorized users” and telling them, “once you agree to the License Terms and Privacy policy – click YES to continue.” The hyperlink did not indicate the nature and significance of the terms of the licensing agreement – namely that adware would be installed on their computers. Consumers were not required to read the agreement before installing the software. If consumers had read the agreement, they might have seen a statement saying that by accepting the software, they agreed to receive marketing messages, including pop-up ads, based on their Internet browsing habits.

…the SpyBlast software was bundled with a software program that collected information about consumers, including the URLs of pages they visited, that was used to send them advertisements.”

The consent order is here.

Alex Eckelberry
(Thanks Eric)

It’s THIRD PARTY cookies, stupid!

Web marketing folks are worried about the state of cookies — because antispyware programs are whacking them.

WebAnalytics makes the point that 3rd party cookies are dying, but the sky is not falling. It’s an outstanding article and well worth reading.

To wit: “The people who are most badly affected by monthly cookie cutting are the ad-delivery networks. These are the companies placing ads in many sites, and tracking exposure to the same users across all these sites. Third-party cookies are the life-blood of these agencies, and it seems 40 percent of the internet population doesn’t like them.”

Cookies are actually valuable on a first-party basis — meaning when they are only used for you and the website you’re visiting, without consideration to other sites. 

The internet is inherently “stateless”. A website simply doesn’t remember or know who you are, and the minute you refresh a page, it thinks you’re a brand new visitor. That’s why cookies were invented years ago by Netscape and are so useful. You log in to a site and it will remember who you are from that point on—and the site owner knows it’s you and not a new visitor. It creates a sort of persistent web experience.

Marketing people like DoubleClick soon realized that you could use cookies to track online habits of users and then serve specifically tailored ads. That’s a third-party cookie.

So you can go radical and proclaim “The internet should be stateless! All cookies should be banned”. Or you can look at the real issue that people have, which is these third-party cookies.

Alex Eckelberry
(Thanks Eric)
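
The first-party versus third-party distinction in the post above, as an added example that is not part of the original post: it labels each cookie set during a page load by comparing the cookie's site with the page's site, then lists third-party sites whose persistent cookies appear on more than one first-party site. The hostnames, cookie names and the small suffix set (standing in for the full Public Suffix List) are constructed for illustration.

```javascript
// Assumption: this small set stands in for the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
// Registrable domain ("site") of a hostname: news.example.co.uk -> example.co.uk
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Pull the name, Domain attribute and persistence out of one Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], domain: null, persistent: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (/^domain$/i.test(k)) cookie.domain = v.replace(/^\./, "").toLowerCase();
    if (/^(expires|max-age)$/i.test(k)) cookie.persistent = true;
  }
  return cookie;
}

// Label every cookie set while loading pageUrl as first- or third-party.
function classifyCookies(pageUrl, responses) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const out = [];
  for (const { url, setCookie } of responses) {
    const host = new URL(url).hostname;
    for (const c of setCookie.map((h) => parseSetCookie(h))) {
      const scope = c.domain || host; // Domain attribute, else the responding host
      if (host !== scope && !host.endsWith("." + scope)) continue; // browsers reject this
      const site = registrableDomain(scope);
      out.push({ name: c.name, site, pageSite, persistent: c.persistent, party: site === pageSite ? "first" : "third" });
    }
  }
  return out;
}

// Third-party sites whose persistent cookies appear on two or more first-party sites.
function crossSiteTrackers(pageLoads) {
  const seenOn = new Map();
  for (const { pageUrl, responses } of pageLoads) {
    for (const c of classifyCookies(pageUrl, responses)) {
      if (c.party !== "third" || !c.persistent) continue;
      seenOn.set(c.site, (seenOn.get(c.site) || new Set()).add(c.pageSite));
    }
  }
  return [...seenOn].filter(([, sites]) => sites.size >= 2).map(([site]) => site).sort();
}

// Constructed sample: two unrelated sites embed the same hypothetical ad network.
const AD = { url: "https://ads.adnet.example/b.gif", setCookie: ["uid=42; Domain=.adnet.example; Max-Age=31536000"] };
const SAMPLE_LOADS = [
  { pageUrl: "https://www.shop.example/", responses: [{ url: "https://www.shop.example/", setCookie: ["session=abc; Path=/; HttpOnly"] }, AD] },
  { pageUrl: "https://news.example.co.uk/", responses: [{ url: "https://cdn.example.co.uk/a.js", setCookie: ["prefs=dark; Domain=example.co.uk; Max-Age=3600"] }, AD] },
];
```

Calling `crossSiteTrackers(SAMPLE_LOADS)` returns only the ad network's site: the login session cookie and the site preference cookie are first-party and are left alone.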

Dumping “Ignore”

As I’ve blogged earlier, the Ignore option in our database is a way to deal with programs that people may actually want.

I’ll give you an example:  Kazaa is a program that people usually care to keep (along with all of their MP3 files in the Kazaa directory). 

What people don’t usually care for is the adware that comes with it.  So we might put Kazaa as “Ignore” and the adware applications bundled with it as “Quarantine”. 

We also use Ignore with programs like WeatherBug, which are programs that people may want to keep on their system.

It doesn’t mean we won’t remove Kazaa or WeatherBug.  It means that we present “Ignore” as an option, giving people the choice to remove or not remove the program.

Unfortunately, it’s a highly misunderstood wording.  To some people, “Ignore” might translate into “this program is not being detected”, which is an understandable, but incorrect perception.

We have thought of a number of alternatives.  They are:

1. Quarantine everything.   Bad idea, since then you’re toasting programs like Kazaa and WeatherBug, which people may actually want.

2. Put only adware bundlers on the Ignore list. That still leaves you with the problem of what to do about programs like WeatherBug… but does it matter?

3. Give people the option to default everything to Quarantine or Remove.  Well, we sort of have this already but it’s not a well understood feature.

4. Change Ignore to “Choose”.  That way, a user is presented with the potentially offensive application, and clearly given the option to make a choice. Personally, my favorite. Example:

5. Change everything to Ignore and make people decide for each program.  Eek, I don’t like that, people routinely like cleaning out cookies and it’s a hassle to click and choose each program or cookie to remove.

Please feel free to comment on this blog or send me an email directly.  I’m curious to know your thoughts.

Alex Eckelberry

What really IS the state of adware detections?

There’s been plenty of press over the last many months on some antispyware companies delisting or reducing the threat level of various adware programs.  

So what is the state of detections?  Who lists what, who doesn’t? Whom can you trust?

Sunbelt consultant and SpywareWarrior contributor Eric Howes has come up with the definitive test of the state of adware detections in the industry.

Six adware vendors were tested:

  • 180 Solutions
  • AskJeeves
  • Claria
  • Hotbar
  • WeatherBug
  • WhenU

The tests were run against twelve antispyware apps:  

  • CA Pest Patrol
  • FBM ZeroSpyware
  • Lavasoft Ad-aware SE
  • McAfee AntiSpyware
  • Microsoft AntiSpyware
  • PC Tools Spyware Doctor
  • Spybot Search & Destroy
  • Sunbelt CounterSpy
  • Tenebril SpyCatcher
  • TrendMicro AntiSpyware (formerly Spy Subtract)
  • Webroot Spy Sweeper
  • XBlock X-Cleaner

Alex Eckelberry
(This subject was posted separately in a different form earlier. My apologies for any confusion.)

h4x0r for hire

New York Times article on Mark Seiden, hacker for hire. 

“Tell me the things you most want to keep secret,” Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.

A week later, Mr. Seiden again sat in this man’s office in Manhattan, in possession of both supposedly guarded secrets. As a bonus, he also had in hand a pilfered batch of keys that would give him entry into this company’s offices scattered around the globe, photocopies of the floor plans for each office and a suitcase stuffed with backup tapes that would have allowed him to replicate all the files on the bank’s computer system.

MP3 interview also available, here.  Thanks to beSpacific.

Alex Eckelberry

 

Mitch Wagner on Claria

Big article by Mitch in InformationWeek.  Read the article Claria Software Seeks Legitimacy, and the sidebar “Claria—Unsafe at any speed”.

Highlights:

-Claria is trying to shed its image as a spyware company.

-They disagree with assertions that their software is spyware. According to Claria marketing honcho Scott Eagle, “Users know they have our software. They use it hundreds of millions of times. We expose our terms of service; all roads lead to full exposure. They know we have pop-up ads.”

-Their new behavior analysis technology is touted as the future of advertising on the internet (Claria: “In five to ten years, all marketing will be behavior marketing,”)

-They are launching a new downloadable program, called PersonalWeb, which will generate a personalized home page based on the user’s behavior (why would anyone want this?).

-InformationWeek tests two Claria applications to see if they are, in fact, legit.   The results?  Insufficient disclosures on the types of data collected and confusing EULAs. Read the analysis here.

Lots more in the two articles.

 

Alex

Your printer is spying on you. Gulp.

According to this post on Hexus.net, the Electronic Frontier Foundation says that “The US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information. That means that without your knowledge or consent, an act you assume is private could become public. A communication tool you’re using in everyday life could become a tool for government surveillance. And what’s worse, there are no laws to prevent abuse.”

Hexus.net notes that the FBI has been collecting documents on groups like the ACLU and Greenpeace. 

Time to use your trusty Enron Document Retention System!

<Joke alert: No, we are not encouraging illegal activities or shredding documents>

Alex

 

Antispy film fest

There’s Sundance.  There’s Cannes.  There’s Toronto.

And now there’s the Antispy Film Festival.

First off, Paperghost moves into the genre with a brash, hard-edged look at the spyware business.  Two thumbs up.  Feel good movie of the year.

Then, Wayne Porter of Facetime comes through with another look at the antispyware business — the merger mania.  See it here.  A new twist on an age-old problem: Whom to buy?  Two thumbs up, plus extra points for a character that looks extraordinarily like Jeff McFadden.

 

Alex Eckelberry

 

What irritates you the most about websites?

From eMarketer, always good at nifty spiffy charts and graphs:

“Requiring the installation of extra software to view the site” can mean a Flash install (yawn) or a spyware install (not good). 

I agree with all of these, but let’s be real: Sites that automatically play music should be banned from the Internet! Nothing worse than going to a site and having a Fur Elise midi file or techno playing. 

Alex Eckelberry
(Thanks to techdirt)

Latest happy fun PayPal scam

Hans Eisenman posts on a new PayPal phishing twist. Nothing that extraordinary as far as phishing (they are doing basic URL spoofing), but it is an ugly one that will very likely take someone’s money — at least someone who is not aware.

Until other solutions come out, download the Cloudmark Anti-Fraud toolbar.  Free and quite effective.  You can download it here.

Here is the scam:

-----Original Message-----
From: service@paypal.com [mailto:service@paypal.com]
Sent: Friday, January 07, 2005 7:55 AM
To: [my email account]
Subject: Jack Chalker has just sent you $26.00 USD with PayPal [773040]

PayPal
Protect Your Account Info
Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips

Protect Your Password
You should never give your PayPal password to anyone, including PayPal employees.

You’ve got cash!

Jack Chalker sent you money with PayPal.

Jack Chalker is a Verified buyer.


Payment Details

Amount: $26.00 USD
Transaction ID: AWI02354741258412412

View the details of this transaction online

Shipping Information

Address: Jack Chalker
225 West Washington
Chicago, IL 60637
United States
Address Status: Confirmed

Thank you for using PayPal!
The PayPal Team

PayPal Email ID PP65304

 

Alex Eckelberry 

 

CounterSpy running on Vista

This is more fun than anything else.  Nifty screen shots here.

This is more of a general sampling of Vista screen shots, with some of CounterSpy running.

(Disclaimer:  Vista is beta software, and CounterSpy is not fully tested to run on this platform, your results may vary, don’t run with scissors, etc.).

And hey—you want to be a Vista wannabe without crashing your machine or needing an MSDN subscription?  Download Vista wallpaper here and here!

Alex Eckelberry

Enterprise antispyware review at eWeek

You can see the short list here.

They have a good list of desired features, which I have taken the liberty of reprinting:

“Enterprise-class anti-spyware systems are an emerging and rapidly evolving product class. Solutions fall into three main categories at this time: dedicated anti-spyware systems, defenses integrated into anti-virus applications and gateway defenses for HTTP and other protocols. eWEEK Labs has put together a series of questions to help administrators begin developing an RFP (request for proposal) and gauge the severity and source of spyware infections throughout the enterprise.

  • The nebulous term “spyware” can mean a lot of different things, some of which may already be addressed by existing in-house solutions. IT staffers will need a solid understanding of the problems that need to be solved, whether they are primarily concerned with spyware’s potentially debilitating effect on security, system and network performance, and/or worker satisfaction. Spyware categories include adware, system monitors, Trojans, tracking cookies, dialers and joke programs.

  • Analyze how big a problem spyware truly is in your organization. Is it pervasive or limited mainly to a few users? Will spyware defenses be best implemented by limiting administrative rights for troublesome users?

  • Gauge the importance of integrated solutions for your business. Is best-of-breed anti-spyware defense of paramount concern, or are ongoing deployment, management and system performance issues—and their impact on IT time—most important?

  • Is the rate of spyware infection similar on desktops and mobile computers? Do Web-logging or syslogging software programs indicate whether infections are generated in the main office or when machines travel remotely?

  • How much control do administrators need to quash the spyware threat? Will different policy controls for various categories suffice, or do you need drill-down control for individual exceptions?

  • What client machines need anti-spyware defense? Windows XP, Windows 2000 or other? Are older operating systems supported?

  • Will anti-spyware policy controls conform to directory structure? How do anti-spyware solutions interact with directories to establish defense groups?

  • What deployment techniques are supported? Push from the management console, individual executables, group-policy deployment? Does the solution scale to enterprise use? Are multiple servers manageable from one location? Can administrators deploy signature and policy repositories in multiple locations? Does the system support differential access for different administrators?

  • What is the anti-spyware vendor’s process for dealing with companies that wish to have their software removed from spyware classification? Will this software ultimately be removed from signature databases altogether, or will the administrator at the customer site have the final word?

  • When the anti-spyware agent is installed, what is the expected system CPU and memory hit? During scans? During normal operation?

  • Does the administrator have any control over how system resources are affected?”
Source: eWEEK Labs

Alex Eckelberry

Microsoft’s new antiphishing tool

Update:  According to CNET, we learn that MS is using WholeSecurity’s technology for the antiphishing component.  The security space is a small world, and we know the guys from WholeSecurity and respect them.  But I admit to being a little bummed they didn’t go with Cloudmark’s, which I’m a big fan of.

In IE 7, MS plans to have a new antiphishing tool.  It looks to be a combination of heuristics (guessing), the use of online reputation services (hmm) and user feedback (good).

They just published a whitepaper, available here.

“The focus of this white paper is to describe the basic workings of a new capability, the Microsoft® Phishing Filter, that will be included in the upcoming release of Internet Explorer 7. The Microsoft Phishing Filter will not only help provide consumers with a dynamic system of warning and protection against potential phishing attacks, but — more important — it will also benefit legitimate ISPs and Web commerce site developers that want to try to ensure that their brands are not being “spoofed” to propagate scams and that their legitimate outreach to customers is not confusing or misinterpreted by filtering software.”

From the whitepaper:

  • The first level of warning (yellow) signals to users that if the Phishing Filter detects a Web site which contains characteristics similar to a phishing site, Internet Explorer 7 will display next to the address bar a yellow button labeled “Suspicious Website.” Clicking on the yellow button reveals a warning that users have landed on a suspected phishing Web site and recommends that they avoid entering any personal information on the site.

  • The second level of warning (red) automatically blocks users from a Web site if it has been confirmed as a known phishing site and displays a red button labeled “Phishing Website.” When users land on a known phishing site (based on an online list of sites that are updated several times every hour), Internet Explorer 7 signals the threat level (in red) and automatically navigates them away from that site to a new page. This warning page offers users the option to close the Web page immediately or proceed at their own risk to the phishing site.

     

Here’s a tip. Download Cloudmark’s free and killer antifraud toolbar (Cloudmark is a business partner of ours and we like ‘em).  I wonder why Microsoft didn’t just license that?

Alex Eckelberry
(Thanks to Bespacific)

Windows Genuine Advantage

I was a bit ticked off by this new Windows DisAdvantage Program (I tried Windows Update and sure enough, a friggin “Validation Tool” was downloaded to my machine), until I learned that security patches will still be available.

However, when you go back to Windows Update, it checks your hardware to see if multiple copies of Windows are installed on different hardware (notice and disclosure are fairly adequate when it does this).

I admit to being thankful that I don’t have to crawl around to the back of my machine (no easy feat the way I have set up my home PC) and copy those numbers down.  Call me bovine and I won’t argue. The term fits.

Alex Eckelberry