If you’re paranoid, Skype might be your best bet

Worried that someone may be eavesdropping on your phone calls? Landlines and cell phones can easily be wiretapped. Some Voice over IP transmissions can be intercepted. But it appears Skype-to-Skype calls may be the most secure means of voice communication, since they’re encrypted with 256 bit keys. This is a good thing for privacy advocates, but may not sit as well with government and law enforcement agents, who see it as an opportunity for terrorists and other criminals to go undetected. Read more here.

Skype was one of the first popular computer-based VoIP services. It’s now owned by eBay, and it allows you to make free voice calls and send Instant Messages from your computer to another computer. You can also pay a per-minute fee to make calls to regular landline phone numbers and cell phones through a service called SkypeOut. And there’s also a service called SkypeIn, where you’re assigned a regular phone number for your Skype account so people can call you from landlines and cell phones. You have to download and install the Skype program, which is available for Windows, Macintosh OS X, Linux and even Pocket PC. You can get the software here.

According to this article, Skype calls are impossible – or at least very difficult – to eavesdrop on (this doesn’t apply when you use Skype to call landlines and mobile phones because the call can be intercepted when it enters the regular or wireless phone system).

Skype uses 256 bit AES encryption, a U.S. government standard, and uses 1024 bit RSA to negotiate the AES keys. But does NSA have a “backdoor” into AES? Some folks think so although there’s no real proof. The ACLU published this interesting article about what the NSA may be able to do; although it doesn’t specifically mention the encryption schemes they can crack, it offers insight into their data mining practices here.

Up until the late 1990s, there were strict laws in the U.S. controlling the export of encryption software to other countries. This software was actually classified as “munitions.” Use of encryption never really caught on with regular computer users, in part because it required installing extra software such as Pretty Good Privacy (PGP) and in part because encrypting your data was seen to call more attention to it, providing a red flag to the government and others that there must be something “juicy” involved.

It’s not just the encrypted nature of the calls that could make Skype attractive to criminal types. As with most VoIP services, you can get phone numbers in any area code no matter where you actually live. So you might live in New York and have a phone number with a San Francisco area code, making it more difficult to determine where you really are. And of course, you can use that number when you’re traveling, from many different places.

In fact, the problem is that just about anything that provides privacy for regular folks also helps the bad guys conceal what they’re doing. And that’s resulting in a lot of laws that are stripping us all of the last remnants of privacy that we had – and that’s not just a matter of concern for those with something to hide. It subjects us all to the risk of identity theft.

For example, we have always used our PO box for credit card correspondence to prevent the possibility of thieves stealing our mail from the curbside box and getting our credit card information from statements or sending in responses to the free offers of new cards without our knowledge. We recently closed our PO box 20 miles away (near our old residence) and opened a new one close to where we live now. But when we went to change the address with our credit card company, they wouldn’t accept a P.O. box. Supposedly this is because of Patriot Act requirements. Now I don’t mind giving them my street address for their records (well, okay, I do mind because of the many times companies have had this sort of customer information hacked, but I understand it). However, to not allow us to have a separate mailing address is ridiculous – and we’re canceling that card because of that, along with the fact that they send us “blank checks” several times a month that anyone could fill in to charge to our card. We have a credit card with another company (AAA) that does allow us to use a mailing address.

This is just one example of how new laws are eroding our privacy. Will Skype be outlawed – or forced to change its technology so messages aren’t encrypted – in the name of fighting terrorism? We’ve got to wonder.

What do you think? Much ado about nothing, or are the current trends dangerous to our well-being? Should we crack back down on the export of encryption, or is that futile since many of those plotting against us may be inside our own borders? When you make a phone call, does it matter to you if the NSA is listening, or do you figure it’s worth the sacrifice of a little privacy if it helps prevent further terrorist attacks or catches a drug dealer?

Deb Shinder

Netword classification

The Netword Agent (netword.com) is a browser toolbar and add-on that enables users to perform searches on keywords (“networds”) either through the toolbar itself or the browser URL address bar. Although users can define their own “networds” or “keywords” (which are then used as an alternative form of bookmarks), the search results returned for most “networds” are, in fact, paid-for advertising of one sort or another.

The company had approached us about our listing of their product in our CounterSpy database. Subsequently, we performed an exhaustive review of the product and the company’s practices and as a result, we will be changing the product’s classification from “Adware” to “Low Risk Adware,” and will be changing the default action presented to users from “Quarantine” to “Ignore.” This ensures that although CounterSpy will still detect Netword, users must affirmatively elect to let CounterSpy remove the program by changing the action themselves from “Ignore” to “Quarantine” or “Remove.”

We have elected to continue detecting the application because of concerns surrounding the inadequate disclosure of the advertising functionality of the program. See our report here  for more details.

Alex Eckelberry

Fake Microsoft Lottery

What chutzpah, but this fake lottery is almost humorous. From a spam email received today:

FROM THE VICE PRESIDENT
MICROSOFT LOTTERY INTERNATIONAL
PROMOTIONS PRIZE AWARD
REF Nº: MIC25003189SP05
BATCH Nº:1007581906

ATTN WINNER, 

We wish to congratulate you over your success in our MICROSOFT LOTTERY INTERNATIONAL WORLD GAMING BOARD computer balloting Sweep stake held on the 15Th April 2006. This is a Millennium scientific computer games lottery in which email addresses were used. It is a promotional program aimed at encouraging Internet users; therefore you do not need to buy ticket to enter for this draws.

Your email address name attached to a ticket number 042091690 with serial number 932306 drew the lucky numbers 82148814575 which consequently won the lottery in the 1st category. You have therefore been approved for a lump sum payout of
THREE HUNDRED AND FIFTY THOUSAND EUROS ONLY (350,000.00 Euros) this is from total prize money of 1,000,000.00 Euros distributed to winners from 1st to 3rd and consolation awards categories.

CONGRATULATIONS:
Your fund is now deposited with our correspondence Bank .Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claims has been processed and your money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from Microsoft users from over 20,000 company, and 3,000,000 individual email addresses and names from all over the world. this promotional program takes place every three years.

To begin your claim please contact your claim agent Mr. David Lopez For processing and remittance of your prize fund into your designated bank account.

LIBERTY SEGUROS COMPANY
Contact person: Mr. David Lopez
(Legal Department Officer)
Email:
legaldepliberty@netscape.net
Tel: 0034 676799031
Madrid Spain

Note: All prize funds must be claimed before the 8Th of May 2006 after this date all funds will be returned to the MINISTERIO DE ECONOMIA Y HACIENDA as unclaimed. In order to avoid unnecessary delays and complications, please endeavor to quote your reference and batch numbers in every correspondence with us to your claim agent. Furthermore, should there be any change in your address do inform your claim agent as soon as possible. Congratulation once again from all members of our staff and thank you for being part of our promotion program.

Yours Sincerely,
Sandra Garcia
Vice President,
MICROSOFT LOTTERY INTERNATIONAL

NOTE; ONLY REPLY TO YOUR CLAIMS COORDINATOR TO CLAIM YOUR CASH PRIZE.

There’s a sucker born every minute…

 

Happy fun exploit party

There are a number of sites out there using a large number of different exploits to install malware on systems.

For example, one site that masquerades as the Red Cross installs nasty malware using one of the following exploits:

MS03-11
MS04-013
MS05-002
MS05-054
MFSA2005-50  (Firefox vulnerability)
MS06-006

You can see a screen shot of the admin console with the success by exploit:

[Screenshot: admin console showing success by exploit]

There are other similar consoles we ran across as well showing similar types of statistics.

This site claims exploit efficiency of 7%, a number that’s not trivial. Even unpatched Firefox users are getting hit here.

Just a reminder: even if you use Firefox, you still need to keep updated with the latest patches. And as far as running IE, well, you know what you need to do.

More detailed stats are available here (pdf), from the same page.

Alex Eckelberry
(Thanks for the tip from some French friends)

Microsoft will patch the patch

Microsoft will re-engineer the patch that’s been causing some difficulties.

From Stephen Toulouse:

So what we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and NVIDIA software. We’re going to run a test pass on it and we will release this new update on Tuesday, April 25th.  What the new update essentially does is simply add the affected third party software to an “exception list” so that the problem does not occur.  The revised update automates the manual registry key fix.  

I want to be real clear about that.  When the update is re-released, it’s going to be very much targeted to people who are having the problem, or people who have not installed MS06-015 yet.  That means if you have already installed MS06-015 and are not having the problem, there’s no action here for you.  Windows Update, Microsoft Update, and Automatic Update will have detection logic built into them to only offer the revised update (which essentially includes the reg key fix) to those customers who either don’t have MS06-015 or are having the problem. [My emphasis].

Link here via Ferg.

Separately, I saw this last night:

Microsoft released today thru their Download Center the Compatibility Patch for Internet Explorer (KB917425)

Do not install that compatibility patch if you are not experiencing problems in your Internet Explorer *after* installing the Microsoft Security Bulletin – MS06-013: Cumulative security update for Internet Explorer which was released last Patch Tuesday – April 11, 2006 because… the said compatibility patch was made available only for “customers who have experienced compatibility issues and who require more time to test/update websites and programs that are impacted by the IE Active X update.”

That means if you have already installed MS06-015 and are not having the problem, there’s no action here for you.

Link here

So, one fix will be coming out on Tuesday (I’ve got an email into Microsoft to get a little more data). And there’s one right now for people who are experiencing issues with the Active X update.

And then just to add spice to the whole mix, Microsoft is investigating problems the patch may have had on some Outlook Express users.

I do hope that people aren’t holding off on implementing the April 11 patch because of fears that it will cause harm to their system. The createTextRange() zero day exploit is still a potential threat out there. Correction: To be clear, MS06-015 does not address the createTextRange vuln. That bulletin is MS06-013.

 

Alex Eckelberry

Sad

Google had a beautiful logo this morning, which looked like this:

[Image: Google logo in the style of Joan Miró]

Here at Sunbelt, one person sent a group email wondering what it was.  Someone else explained that it was dedicated to the birthday of Joan Miró.

It is so cool for a company to change their logo to commemorate the birthday of an artist who is not even known to most of the world (yes, he’s famous in art circles, but do you think the average person on the street would know who Joan Miró is?  Well, many do now).

What a good thing Google did today.  A lot of people learned a little more today about art, and a lot of people were introduced to a great artist of this century.  And that, I believe, is a good thing.

Anyway, some guy called Theodore Feder, who runs the Artists Rights Society, demanded that Google take the logo down. According to a story in the Merc (via techdirt):

“There are underlying copyrights to the works of Miro, and they are putting it up without having the rights,” said Theodore Feder, president of Artists Rights Society.

So Google complied and yanked the logo.

This begs the question:  If, as an artist, I were to be inspired by the style of Joan Miro, would I suddenly be in trouble?  It seems pretty clear to me that they didn’t steal his art.   (If you want to see what his art looked like, you can click here, or do a Google image search.)  But it just seems to me to be a representation of his art by a Google artist (granted, a very good representation of Joan Miró’s art).

So, is this an abuse of copyright law?  Or is Theodore Feder right?   Did Google go too far? 

What about the benefits of spreading a bit more art and life into an Internet bombarded with crap and incessant ads for cars, dating sites and casinos — while respecting a great artist of our time?

Alex Eckelberry

Michael Miller pulls no punches

Michael Miller, PC Mag’s editorial leader, writes a hard-hitting editorial on the state of security products.

All of you have reason to worry about the prospect of Microsoft entering the security market this summer with a new service called OneCare. But you’re focused on the wrong problem. Instead of focusing on Microsoft, you need to take a good hard look at the effectiveness of your own wares. I’ve talked with a lot of computer users lately, and the conclusion is inescapable: Your products just aren’t good enough.

Link here via Catherine.

He’s spot-on. It’s an excellent read.  And a wake-up call to the industry.

 

Alex Eckelberry

Is MyGeek.com helping a security scammer?

MyGeek.com is a third-party ad network that has had a business relationship with Direct Revenue (also, a press release last year announced a “Strategic Partnership”).

Mygeek.com hosts a site called cpvfeed.com (66.179.234.169). CPV stands for “Cost Per View”, something MyGeek is into.

Take a look at this Google search.

[Screenshot: Google search results]

If you click on that link (which you shouldn’t do), you get this odd page:

[Screenshot: cpvfeed.com page]

Clicking on OK gets you to this bogus security site:

[Screenshot: bogus security site]

Why is this relevant?  A big thing about Mygeek is keyword advertising.  If there are keywords purchased by this company for things like “virus”, “spyware”, etc…. well, you get the idea.  

 

Alex Eckelberry 

Behind the scenes

I have a completely eclectic bunch of brothers.  One of them does the market. Another is an architect.  Another is a high tech marketing consultant. And another is a film director, and was recently working on the film The Mirror.  He just forwarded a link to an unofficial (and irreverent) behind-the-scenes video. 

He’s the guy with the hat (true, he may have gotten the bad genes, but we don’t hold it against him).

[Image: behind-the-scenes photo]

Link here.

Alex Eckelberry

 

Wired updates iBill story

Back in early March, we had blogged about iBill information possibly being leaked on the ‘net.

Wired has since made the following modification to their story:

Editor’s note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.

Link here.

Alex Eckelberry

More happy fun security scam hijack sites

Yesterday we wrote about some security scam hijack sites.

Here are some more for you to block:


All of these sites will attempt (after evaluating your computer’s OS and service pack level) to run exploits for currently patched vulnerabilities on your system to install Spyware Quake.

Do not visit these sites. 

Alex Eckelberry
(Data from Sunbelt’s Patrick Jordan and Adam Thomas)

Alligator encounter

[Image: alligator]

Robert LaFollette, our creative director, took his wife down to the Everglades (about 3 hours south of us) to “shoot alligators” last weekend.  Not with a gun, but with a Canon digital camera (a 20D with a Canon 100-400mmL Pro Lens).

They stopped in a park for a bit and were sitting near a pond eating sandwiches, when Robert stepped a few yards away from his wife.  He heard a scream, and turned to find his wife running from a very friendly alligator lumbering over, interested in her sandwich.   Robert ran over and tried to distract the gator, to no avail.

Fortunately, some local fishermen threw some fish at the gator, and he went off to munch on the fish. Robert and his wife took off as quickly as they could.

Now, it’s not usual for gators to get near people like this. They actually aren’t much interested in humans (at least large ones). However, just like any other animal, they start to see humans as a source of food when humans make the mistake of feeding them. Robert was told later by the park ranger that the only reason the gator walked up in the first place was probably because the local fishermen had been feeding the alligators — an illegal offense.

Robert has more pics of the whole experience on his blog, here.

Alex Eckelberry

Yapping about YapBrowser

The YapBrowser interview with Paperghost.

1) Why is Yapbrowser available to download again, when the application doesn’t actually work? (Any search made results in a page cannot be found message)?

YB: Because there on the main page was only a pattern i.e. only design of a site for a kind. And in general all sites are not completed. Partner program is in a test mode. Even the engine of site has not been installed on a site yet. On them there are no users and there is no traffic. This all is made for us, but not for public. For public all would be tested and all links would appear in a working kind.

Link here.

Alex Eckelberry

EFF: DMCA sucks

Not sure if you caught this broadside by the EFF against the DMCA:

The DMCA Chills Free Expression and Scientific Research.
Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Felten’s team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public.

The DMCA Jeopardizes Fair Use.
By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, the DMCA grants to copyright owners the power to unilaterally eliminate the public’s fair use rights. Already, the movie industry’s use of encryption on DVDs has curtailed consumers’ ability to make legitimate, personal-use copies of movies they have purchased.

The DMCA Impedes Competition and Innovation.
Rather than focusing on pirates, many copyright owners have wielded the DMCA to hinder their legitimate competitors. For example, the DMCA has been used to block aftermarket competition in laser printer toner cartridges, garage door openers, and computer maintenance services. Similarly, Apple invoked the DMCA to chill RealNetworks’ efforts to sell music downloads to iPod owners.

The DMCA Interferes with Computer Intrusion Laws.
Further, the DMCA has been misused as a general-purpose prohibition on computer network access which, unlike most computer intrusion statutes, lacks any financial harm threshold. As a result, a disgruntled employer has used the DMCA against a former contractor for simply connecting to the company’s computer system through a VPN.

Link here via beSpacific.

Alex Eckelberry