Your printer is spying on you. Gulp.

According to this post on Hexus.net, the Electronic Frontier Foundation says that “The US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information. That means that without your knowledge or consent, an act you assume is private could become public. A communication tool you’re using in everyday life could become a tool for government surveillance. And what’s worse, there are no laws to prevent abuse.”

Hexus.net notes that the FBI has been collecting documents on groups like the ACLU and Greenpeace. 

Time to use your trusty Enron Document Retention System!

<Joke alert: No, we are not encouraging illegal activities or shredding documents>

Alex

Antispy film fest

There’s Sundance.  There’s Cannes.  There’s Toronto.

And now there’s the Antispy Film Festival.

First off, Paperghost moves into the genre with a brash, hard-edged look at the spyware business.  Two thumbs up.  Feel good movie of the year.

Then, Wayne Porter of Facetime comes through with another look at the antispyware business — the merger mania.  See it here.  A new twist on an age-old problem: Whom to buy?  Two thumbs up, plus extra points for a character that looks extraordinarily like Jeff McFadden.

Alex Eckelberry

What irritates you the most about websites?

From eMarketer, always good at nifty spiffy charts and graphs:

“Requiring the installation of extra software to view the site” can mean a Flash install (yawn) or a spyware install (not good). 

I agree with all of these, but let’s be real: Sites that automatically play music should be banned from the Internet! Nothing worse than going to a site and having a Fur Elise midi file or techno playing. 

Alex Eckelberry
(Thanks to techdirt)

Latest happy fun PayPal scam

Hans Eisenman posts on a new Paypal phishing twist. Nothing that extraordinary as far as phishing (they are doing basic URL spoofing), but it is an ugly one that will very likely take someone’s money — at least someone who is not aware.

Until other solutions come out, download the Cloudmark Anti-Fraud toolbar.  Free and quite effective.  You can download it here.

Here is the scam:

-----Original Message-----
From: service@paypal.com [mailto:service@paypal.com]
Sent: Friday, January 07, 2005 7:55 AM
To: [my email account]
Subject: Jack Chalker has just sent you $26.00 USD with PayPal [773040]

PayPal
Protect Your Account Info
Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips

Protect Your Password
You should never give your PayPal password to anyone, including PayPal employees.

You’ve got cash!

Jack Chalker sent you money with PayPal.

Jack Chalker is a Verified buyer.


Payment Details

Amount: $26.00 USD
Transaction ID: AWI02354741258412412

View the details of this transaction online

Shipping Information

Address: Jack Chalker
225 West Washington
Chicago, IL 60637
United States
Address Status: Confirmed

Thank you for using PayPal!
The PayPal Team

PayPal Email ID PP65304

Alex Eckelberry

CounterSpy running on Vista

This is more fun than anything else.  Nifty screen shots here.

This is more of a general sampling of Vista screen shots, with some of CounterSpy running.

(Disclaimer:  Vista is beta software, and CounterSpy is not fully tested to run on this platform, your results may vary, don’t run with scissors, etc.).

And hey—you want to be a Vista wannabe without crashing your machine or needing an MSDN subscription?  Download Vista wallpaper here and here!

Alex Eckelberry

Enterprise antispyware review at eWeek

You can see the short list here.

They have a good list of desired features, which I have taken the liberty of reprinting:

“Enterprise-class anti-spyware systems are an emerging and rapidly evolving product class. Solutions fall into three main categories at this time: dedicated anti-spyware systems, defenses integrated into anti-virus applications and gateway defenses for HTTP and other protocols. eWEEK Labs has put together a series of questions to help administrators begin developing an RFP (request for proposal) and gauge the severity and source of spyware infections throughout the enterprise.

  • The nebulous term “spyware” can mean a lot of different things, some of which may already be addressed by existing in-house solutions. IT staffers will need a solid understanding of the problems that need to be solved, whether they are primarily concerned with spyware’s potentially debilitating effect on security, system and network performance, and/or worker satisfaction. Spyware categories include adware, system monitors, Trojans, tracking cookies, dialers and joke programs.

  • Analyze how big a problem spyware truly is in your organization.
      ◦ Is it pervasive or limited mainly to a few users? Will spyware defenses be best implemented by limiting administrative rights for troublesome users?

  • Gauge the importance of integrated solutions for your business.
      ◦ Is best-of-breed anti-spyware defense of paramount concern, or are ongoing deployment, management and system performance issues—and their impact on IT time—most important?

  • Is the rate of spyware infection similar on desktops and mobile computers? Do Web logging or syslogging software programs indicate whether infections are generated in the main office or when machines travel remotely?

  • How much control do administrators need to quash the spyware threat? Will different policy controls for various categories suffice, or do you need drill-down control for individual exceptions?

  • What client machines need anti-spyware defense?
      ◦ Windows XP, Windows 2000 or other?
      ◦ Are older operating systems supported?

  • Will anti-spyware policy controls conform to directory structure? How do anti-spyware solutions interact with directories to establish defense groups?

  • What deployment techniques are supported?
      ◦ Push from the management console, individual executables, group-policy deployment?
      ◦ Does the solution scale to enterprise use?
      ◦ Are multiple servers manageable from one location?
      ◦ Can administrators deploy signature and policy repositories in multiple locations?
      ◦ Does the system support differential access for different administrators?

  • What is the anti-spyware vendor’s process for dealing with companies that wish to have their software removed from spyware classification? Will this software ultimately be removed from signature databases altogether, or will the administrator at the customer site have the final word?

  • When the anti-spyware agent is installed, what is the expected system CPU and memory hit?
      ◦ During scans?
      ◦ During normal operation?

  • Does the administrator have any control over how system resources are affected?”
Source: eWEEK Labs

Alex Eckelberry

Microsoft’s new antiphishing tool

Update:  According to CNET, we learn that MS is using WholeSecurity’s technology for the antiphishing component.  The security space is a small world, and we know the guys from WholeSecurity and respect them.  But I admit to being a little bummed they didn’t go with Cloudmark’s, which I’m a big fan of.

In IE 7, MS plans to have a new antiphishing tool.  It looks to be a combination of heuristics (guessing), the use of online reputation services (hmm) and user feedback (good).

They just published a whitepaper, available here.

“The focus of this white paper is to describe the basic workings of a new capability, the Microsoft® Phishing Filter, that will be included in the upcoming release of Internet Explorer 7. The Microsoft Phishing Filter will not only help provide consumers with a dynamic system of warning and protection against potential phishing attacks, but — more important — it will also benefit legitimate ISPs and Web commerce site developers that want to try to ensure that their brands are not being “spoofed” to propagate scams and that their legitimate outreach to customers is not confusing or misinterpreted by filtering software.”

From the whitepaper:

• The first level of warning (yellow) signals to users that if the Phishing Filter detects a Web site which contains characteristics similar to a phishing site, Internet Explorer 7 will display next to the address bar a yellow button labeled “Suspicious Website.” Clicking on the yellow button reveals a warning that users have landed on a suspected phishing Web site and recommends that they avoid entering any personal information on the site.

• The second level of warning (red) automatically blocks users from a Web site if it has been confirmed as a known phishing site and displays a red button labeled “Phishing Website.” When users land on a known phishing site (based on an online list of sites that are updated several times every hour), Internet Explorer 7 signals the threat level (in red) and automatically navigates them away from that site to a new page. This warning page offers users the option to close the Web page immediately or proceed at their own risk to the phishing site.
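
The two-tier scheme the whitepaper excerpt describes (a frequently refreshed list of confirmed sites decides “red”, heuristics alone decide “yellow”) and the basic URL spoofing the PayPal mail above relies on, worked through in a small Python illustration. This is an added example, not Microsoft’s Phishing Filter, Cloudmark’s toolbar or any code from the original page. The blocklist, brand table, hostnames and message bodies are constructed; the registrable-domain helper is a deliberate simplification; and the bare-IP and userinfo heuristics go beyond the single trick shown in the PayPal mail.

```python
"""
Toy two-tier phishing check: a known-site list decides "red" (block) and
heuristics decide "yellow" (warn), as in the whitepaper excerpt; one of the
heuristics is the visible-text/href mismatch used by the PayPal mail above.
Added example, not Microsoft's, Cloudmark's or Sunbelt's code. The blocklist,
brand table, hostnames and message bodies below are all constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the "online list of sites" a real filter refreshes
# several times an hour.
KNOWN_PHISHING_HOSTS = {"paypal-secure-login.example", "update-account.example.net"}

# Brand name -> the brand's real registrable domain (constructed table, one entry).
BRAND_HOSTS = {"paypal": "paypal.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def registrable(host):
    """Crude registrable domain: the last two labels (assumption; a real
    implementation would consult the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def heuristics(href, text):
    """Reasons a single link looks like phishing; an empty list means clean."""
    reasons = []
    host = host_of(href)
    # 1. The visible text is itself a URL, but its domain is not where the link goes
    #    (the trick in the PayPal mail: the text says paypal.com, the href goes elsewhere).
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable(shown.group(1).lower()) != registrable(host):
        reasons.append("link text domain != href domain")
    # 2. Bare IP address instead of a hostname.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("IP address host")
    # 3. Brand name inside a look-alike hostname that is not the brand's own domain.
    for brand, real in BRAND_HOSTS.items():
        if brand in host and registrable(host) != real:
            reasons.append(f"brand '{brand}' in look-alike host")
    # 4. Userinfo trick: http://www.paypal.com@evil.example/ really goes to evil.example.
    if "@" in urlparse(href).netloc:
        reasons.append("userinfo '@' in URL")
    return reasons


def classify(html_body):
    """Return (level, details): 'red' for a link to a listed host (block),
    'yellow' for heuristic hits only (warn), 'none' otherwise."""
    parser = LinkExtractor()
    parser.feed(html_body)
    level, details = "none", []
    for href, text in parser.links:
        if host_of(href) in KNOWN_PHISHING_HOSTS:
            return "red", [(href, ["known phishing host"])]
        hits = heuristics(href, text)
        if hits:
            level = "yellow"
            details.append((href, hits))
    return level, details


# Constructed message bodies for a quick run.
SPOOFED_MAIL = ('<p>You\'ve got cash! <a href="http://paypal-secure-login.example/cgi-bin/login">'
                'https://www.paypal.com/us/</a></p>')
SUSPICIOUS_MAIL = '<a href="http://203.0.113.5/login">https://www.paypal.com/us/</a>'
CLEAN_MAIL = ('<a href="https://www.paypal.com/us/securitytips">'
              'https://www.paypal.com/us/securitytips</a>')

if __name__ == "__main__":
    for name, body in [("spoofed", SPOOFED_MAIL), ("suspicious", SUSPICIOUS_MAIL), ("clean", CLEAN_MAIL)]:
        print(name, classify(body))
```

The list lookup is checked first and short-circuits, because a confirmed site should block regardless of how clean its links look; the heuristics only ever raise the level to a warning, which mirrors the yellow/red split in the excerpt and keeps false positives from blocking legitimate mail outright.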

Here’s a tip. Download Cloudmark’s free and killer antifraud toolbar (Cloudmark is a business partner of ours and we like ‘em).  I wonder why Microsoft didn’t just license that?

Alex Eckelberry
(Thanks to Bespacific)

Windows Genuine Advantage

I was a bit ticked off by this new Windows DisAdvantage Program (I tried Windows Update and sure enough, a friggin “Validation Tool” was downloaded to my machine), until I learned that security patches will still be available.

However, when you go back to Windows Update, it checks your hardware to see if multiple copies of Windows are installed on different hardware (notice and disclosure are fairly adequate when it does this).

I admit to being thankful that I don’t have to crawl around to the back of my machine (no easy feat the way I have set up my home PC) and copy those numbers down.  Call me bovine and I won’t argue. The term fits.

Alex Eckelberry

Patrick Jordan joins Sunbelt

The most vexing spyware strains are Cool Web Search and VX2/Transponder.  These are the types of spyware that kill machines.

For a while now, Patrick Jordan (known in the antispyware community as WebHelper) has been helping us with removing these types of spyware.  I would venture that he’s one of the top 3 people in the world when it comes to these nasties.

We finally convinced him to join us, and he is now on staff as a senior researcher.

What’s fascinating is talking to this guy. He is a walking encyclopedia on spyware.  Ask him something like: “So who was behind this strain of such and such”, and prepare yourself for a 30 minute detailed run-down of all the players involved and the details of the payload.

Anyway, Sunbelt PR’s official statement here.

Alex Eckelberry
President

WhenU listing status in CounterSpy database

We have been in discussions with WhenU over the past several weeks over our detection of their software in our database.  As we had blogged earlier, we have found WhenU’s practices have shown a dramatic improvement over the last year (certainly, better than any other adware vendor we have seen).  The company was forthright in their dealings with us, all of which is detailed in our new WhenU Whitepaper.

Now, not all is perfect.  As much progress as WhenU has made over the past ten months, problems remain. Roughly one-third of its distributions still use poor notice and disclosure regimes. In a small number of cases, not all of WhenU’s programs are fully disclosed during installation. Finally, the conditional uninstallers for the Save advertising program can fail in some instances.

Given this mixed bag of commendable improvement and lingering problems, the Sunbelt Research team will be making changes to some but not all of WhenU’s programs within Sunbelt’s CounterSpy detections database:

SaveNow / Save: This pop-up advertising program will remain classified as “Adware” with a Threat Level of “Moderate risk” and a Recommended Action of “Quarantine.”

WhenUSearch: This desktop toolbar program will be reclassified as “Low Risk Adware” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.” This re-classification should, as a practical matter, encompass all of WhenU’s re-skinned, co-branded toolbars, including WhenU’s own PriceBandit toolbar.  Since UControl is also bundled with WhenUSearch, it will be treated in the same manner. (UControl is WhenU’s adware program that is actually powered by Aluria…)

Weathercast: This weather information program will be reclassified as “Low Risk Adware” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.”

ClockSync: This system clock synchronization program will be reclassified as “Adware Bundler” with a Threat Level of “Low risk” and a Recommended Action of “Ignore.”

WhenUShop: This shopping companion program is currently not included in the CounterSpy detections database. As it was only recently made a free program (previously it was available only for a fee), WhenUShop will be reviewed over the near future for possible inclusion in a future version of the CounterSpy database.

By classifying WhenUSearch (with UControl), Weathercast, and ClockSync as “Low Risk Adware” with a Recommended Action of “Ignore,” we will continue to offer these programs as detections to our customers and users, providing them the opportunity to remove this software if they so choose.

The new whitepaper is here. As always, feel free to comment.

Alex Eckelberry


on Frontbridge

So Microsoft continues its inexorable march toward attempted world domination of the security space with the purchase of FrontBridge. Sierra Ventures, one of the VCs, must be happy.

What is FrontBridge?  They are a managed services play for enterprise email security.  You point your mail to them, they clean it, and it gets passed on to you all spiffy and clean. It’s complementary to their Sybari acquisition.

FrontBridge doesn’t use their own antivirus technology.  Instead, they partner with Sophos, Kaspersky and Symantec for virus scanning.

They didn’t buy Postini (a heavyweight in this space), probably because the price was going to be too high.  FrontBridge only had $10 mill in sales, whereas Postini is probably (I’m guessing) 4x that number.

Managed Services for email security is only used by certain types of enterprise customers — those that don’t care about someone else handling their email (security and control are issues).

Alex


Making the Department of Homeland Security a wee more careful

Ari Schwartz of the CDT just posted a framework on what the Department of Homeland Security needs to do to protect personally identifiable information.

“Considering the government’s increasing reliance on commercial data, and the harms that can occur when the government makes decisions about individuals based on inaccurate or irrelevant data, it is imperative that DHS develop rules for use of commercial data, regardless of whether the data is brought into government computers. While the principles of the Privacy Act remain viable, DHS will have to go beyond narrow interpretations of the Act in order to ensure that adequate privacy protections are built into its projects. There are increasing calls to update the Privacy Act, but, in the meantime, DHS can take administrative steps to apply the Act’s principles to all its uses of personal information.”

(Thanks to beSpacific.)