There is no anti-spyware silver bullet

March 8, 2008 – 3:22 PM

The spyware threat to enterprise security will increase over the next few years without an enterprise-class tool to prevent it, consulting firm META Group warns.

Spyware has both good and bad properties that make it difficult for traditional antivirus software to identify and clean up, leaving only a handful of consumer and emerging corporate solutions to combat the problem. And that’s pretty risky too.

On a new online forum, Spywarewarrior claims that many of the anti-spyware tools available are actually malware or spyware themselves.

Some of these products simply do not provide proven, reliable anti-spyware protection. Others may use deceptive sales tactics and false positives to scare up sales from confused users. A few of these products are even associated with known distributors of spyware/adware.

For instance: eAcceleration/Veloz Stop-Sign is accused of carrying “deceptive advertising” for sites related to CoolWebSearch, one of the worst trojans around. NoSpyX promises a free scanner, but then demands purchase. Others are known to have stolen databases from other anti-spyware vendors.

At the moment, META Group says, there is still no “silver bullet” enterprise-class tool to protect against spyware, so the IT world must address the problem through a combination of policies, procedures, and products until more complete enterprise-class solutions become available.

META Group believes antivirus vendors are in the best position to provide extended threat protection once they enable clean-up tools and provide a more complete signature database of spyware threats.

http://www.theregister.co.uk/2004/06/30/anti_spyware_silver_bulllet/

Password Stealing Browser Hijacker Discovered

March 8, 2008 – 3:21 PM

The Internet Storm Center has announced a very scary discovery. They have found a browser hijacker, installed as a Browser Helper Object (BHO), that will monitor what are supposed to be secure, encrypted browsing sessions and steal passwords. These passwords are then forwarded to a web-based script at www.refestltd.com. It appears that this site has now been deleted.

The hijacker is loaded from a web page as if it were a .gif image file. The file is not really an image. It is a compressed trojan dropper that installs a .dll file as a BHO. How the trojan is executed is unknown. The most likely explanation is that the page calling the file exploits some flaw in Microsoft Internet Explorer.
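The report above describes a dropper delivered under a .gif name that is not an image at all. The defender's check for that is to compare what the content claims to be (URL extension, Content-Type header) with what its leading bytes say it is. The following is an added example, not code from the ISC report or this blog; the signature table and the sample payloads are constructed for the demonstration, and the URL and header values are placeholders.

```python
"""Check that a download served as an image really is one.

Added example, not code from the ISC report or the blog post. A proxy or
mail gateway can apply the same check: sniff the leading bytes ("magic")
of the content and compare them with the type the URL extension and the
Content-Type header claim, so a dropper delivered as "image.gif" is caught
before it reaches a browser.
"""
from urllib.parse import urlparse

# Leading byte signatures for a few common types. Constructed table that
# covers what this check needs; extend it for your own environment.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),          # Windows executables start with the DOS "MZ" stub
    "zip": (b"PK\x03\x04",),
}

# Map MIME types and extensions onto the keys of MAGIC.
ALIASES = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpg",
           "jpeg": "jpg", "application/zip": "zip",
           "application/x-msdownload": "exe"}


def sniff_type(data):
    """Return the type whose signature matches the leading bytes, or None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def claimed_type(url, content_type=None):
    """Derive the type the response claims: the Content-Type header if it is
    a type we know, otherwise the URL path extension. None if neither helps."""
    if content_type:
        mime = content_type.split(";", 1)[0].strip().lower()
        if mime in ALIASES:
            return ALIASES[mime]
    path = urlparse(url).path
    if "." in path:
        ext = path.rsplit(".", 1)[-1].lower()
        kind = ALIASES.get(ext, ext)
        return kind if kind in MAGIC else None
    return None


def check_download(url, data, content_type=None):
    """Compare claimed and sniffed type. Returns (verdict, claimed, sniffed).

    "ok"       : the bytes match what was claimed
    "mismatch" : the bytes are a recognised *other* type (an executable
                 served as a .gif), which is the case worth blocking
    "unknown"  : one side could not be determined
    """
    claimed = claimed_type(url, content_type)
    sniffed = sniff_type(data)
    if claimed is None or sniffed is None:
        return ("unknown", claimed, sniffed)
    return ("ok" if claimed == sniffed else "mismatch", claimed, sniffed)


# Constructed sample payloads: a minimal real 1x1 GIF, and an executable
# header stub of the kind a page might serve under a .gif name.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
FAKE_GIF = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("real", REAL_GIF), ("fake", FAKE_GIF)):
        # Placeholder URL and header; only the bytes decide the verdict.
        print(name, check_download("http://example.invalid/pic.gif", blob, "image/gif"))
```

The verdict to act on is "mismatch": the content is a recognised type other than the one the page claimed, which is exactly the shape of the fake-image dropper described above. "unknown" is a signal to look closer, not proof of anything.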

If any more information is discovered about this new hijacker I’ll be sure to mention it here.

http://www.spywareinfo.net/june30,2004#scary

CERT recommends anything but IE

March 8, 2008 – 3:21 PM

US CERT (the US Computer Emergency Readiness Team) is advising people to ditch Internet Explorer and use a different browser after the latest security vulnerability in the software was exposed.

A statement on the CERT site said: “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites.” CERT otherwise recommends that users set security settings to high and disable JavaScript.

Malicious code, dubbed variously “Scob” or “Download.Ject”, originally posted last week on a Russian website, could be downloaded secretly onto websites using Microsoft’s Internet Information Server 5.0. The code could then be used to log keystrokes made by visitors to the site – so long as they used Internet Explorer as their browser. Information, including passwords, was then to be emailed to the criminals behind the attack.

Microsoft said that it was unaware of widespread consumer impact and noted that the Russian site had been taken offline. It said some enterprise users of Windows 2000 Server, specifically users running IIS 5.0, were being targeted by “Download.Ject”. According to MS, this is not a trojan or worm but “a targeted manual attack by individuals or entities towards a specific server”. It said users should use a firewall, ensure they have the latest software updates and use anti-virus software.

Bill Gates, Microsoft chairman, called on users to switch on auto-update so that patches would spread faster. Speaking to Reuters in Australia at the weekend, he vowed to “guarantee that the average time to fix will come down. The thing we have to do is not only get these patches done very quickly… we also have to convince people to turn on auto-update.”

http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/

Beastie Boys CD installs virus

March 8, 2008 – 3:20 PM

According to unconfirmed reports, including a recent thread on the BugTraq mailing list, versions of a new Beastie Boys CD from Capitol Records (‘To the Five Boroughs’), which is being distributed worldwide except in the USA and UK, contain what could be labeled as a computer virus. Based on these reports, when the CD is loaded, an executable file is “automatically and silently” installed on the user’s machine. The file in question is said to prevent copying of the CD, but it can be viewed as affecting a “computer’s functionality, without first obtaining informed consent: a likely violation of pretty much every jurisdiction’s anti-hacking laws.”

http://www.theregister.co.uk/2004/06/23/beastie_boy_cd_virus/

Who really reads your e-mail?

March 8, 2008 – 3:19 PM

The people in my personal focus group (my wife, my mother, and some coworkers at CNET) agree that this is one of the creepiest things they’ve ever heard of: a new service that will tell your correspondents exactly when you opened the e-mail they sent you. It will also tell them how long you took to read their message and which computer you used to do so. The kicker: You’ll never know all this information is being collected. It’s a supercharged return receipt that’s completely invisible. The service is called DidTheyReadIt. What it does is insert a small tracking device, often called a Web bug, into the e-mail that you want to track. When your recipient opens your message, the bug (a one-pixel, transparent GIF file) is pulled from the DidTheyReadIt server, generating a logged event that shows when the message was opened and for how long.

Whose mail is it, anyway?
The existence of this service raises interesting privacy issues. Do we have the right to read e-mail without sending a beacon back to the sender that we’re doing so? Certainly it’s customary that no beacon is sent. However, while personal messages don’t usually send such beacons back to their senders, many commercial messages and most commercial Web sites have been closely metered for some time. You can’t twitch a mouse on a big site like Amazon (or CNET, for that matter) without creating a log file entry that likely has your IP address attached to it.

The difference is the one-to-one nature of e-mail from friends or associates. Big sites aggregate log file entries and use the information to design more effective overall sales strategies or more compelling content. Individuals could use the data for other purposes that you might not like.

Furthermore, such tracking eliminates one of personal e-mail’s big charms: plausible deniability. “Sorry, I haven’t read your e-mail yet,” will vanish as an excuse for a tardy reply. And worse, if a sender knows you read his or her e-mail and you don’t reply in a timely fashion, you could be in line for social or business awkwardness of a very high order.

DidTheyReadIt adds presence to e-mail; with this live tracking, e-mail becomes similar to instant messaging. With IM, you can tell if your recipient is online and awake; with e-mail, to date, you haven’t been able to. DidTheyReadIt changes that. In fact, it goes beyond IM, by hiding the fact that people are watching your activity. Most IM systems at least require that you approve the addition of people to your buddy list before they can see your presence.

DidTheyReadIt has some legitimate uses. What with antispam products occasionally blocking even good e-mail these days, you might want to use this product to make sure that your personal e-mail messages are punching through your recipient’s filters. And it could turn e-mail into a medium with higher legal status than it has now. But overall, the product changes the customary usage models of e-mail, and more importantly, it just creeps people out. People should be able to turn off the capability of DidTheyReadIt to spy on them or at least be able to see if people are doing it.

Get out of my in-box!
Fortunately, there are countermeasures. While almost any e-mail reader that displays HTML will send DidTheyReadIt beacons, text-based e-mail programs (such as Pine, which I admit, hardly anybody uses anymore) won’t. Also, capitalism has come to the rescue: shortly after DidTheyReadIt was released, a competing company bought the DidTheyReadIt Google AdWord and started selling its Email Tracking Blocker, which it’s claimed will hide your e-mail presence from DidTheyReadIt and other products like it.

There are other antitracking methods. Some people have proposed turning off the automatic download of images in e-mail, but few e-mail products have this option–Outlook does, but only in the 2003 version, and even then, e-mail from people in your address book is exempt from this setting by default.

But there is a way to flag DidTheyReadIt-tracked e-mail in Outlook, at least for now: set a filter to catch any messages containing a reference to didtheyreadit.com, which is the server the tracking bug is downloaded from. You can’t see this code when you read the message, but it has to exist in the HTML body of the message for the service to work. At least this way you can see who’s bugging you, which is half the battle, and it turns the tables on the system, allowing you to reply to your senders with indignant messages asking why they find it necessary to track your e-mail reading behavior. However, while this simple filter works today, it won’t take much for DidTheyReadIt’s manufacturer to bypass it.
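The column describes the beacon (a one-pixel transparent GIF fetched from the tracking server) and the filter that catches it (any message whose HTML body references didtheyreadit.com). The following is an added example of that filter written as code, not code from the CNET column or from DidTheyReadIt; it uses only the Python standard library, the two sample messages are constructed, and the host list contains only the domain the column names plus whatever you add for your own environment. It goes slightly beyond the column's rule by also flagging any remote 1x1 image, which is the beacon shape regardless of which host serves it.

```python
"""Flag e-mail messages that carry a tracking pixel ("Web bug").

Added example, not code from the CNET column or DidTheyReadIt. It checks
each text/html part for <img> tags that would fetch a remote resource and
flags the message when the image points at a known tracking host
(didtheyreadit.com is the one the column names) or is a 1x1 image, the
classic beacon shape that has no purpose except the request it triggers.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve tracking beacons. Constructed list: the column names
# only didtheyreadit.com; add others from your own filter rules.
TRACKING_HOSTS = {"didtheyreadit.com"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # html.parser lower-cases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def _is_beacon(attrs):
    """Decide whether a single <img> looks like a tracking beacon."""
    src = attrs.get("src", "").strip()
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return False  # inline (cid:) or data: images do not phone home
    host = (parsed.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in TRACKING_HOSTS):
        return True
    # A remote 1x1 image is invisible; its only job is the request it causes.
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    return width == "1" and height == "1"


def find_beacons(html_body):
    """Return the src URLs of beacon-like images in one HTML body."""
    collector = _ImgCollector()
    collector.feed(html_body)
    return [img["src"] for img in collector.images if _is_beacon(img)]


def flag_message(raw_message):
    """Parse an RFC 822 message and return the beacon URLs found in its
    text/html parts. An empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found.extend(find_beacons(part.get_content()))
    return found


# Constructed sample messages. TRACKED carries a beacon of the shape the
# column describes (the id value is a placeholder); PLAIN embeds a normal
# inline photo and should pass.
TRACKED = """\
From: sender@example.com
To: you@example.com
Subject: lunch?
Content-Type: text/html; charset="us-ascii"

<html><body><p>Are we still on for Friday?</p>
<img src="http://www.didtheyreadit.com/beacon.gif?id=TEST-ID" width="1" height="1">
</body></html>
"""

PLAIN = """\
From: friend@example.com
To: you@example.com
Subject: photos
Content-Type: text/html; charset="us-ascii"

<html><body><p>Here is the picture from the trip.</p>
<img src="cid:photo1" width="640" height="480">
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("tracked", TRACKED), ("plain", PLAIN)):
        print(label, flag_message(raw))
```

The host match is what the column's Outlook filter does; the 1x1 check is the part that survives a rename of the tracking domain, which is the bypass the column anticipates. It is still only a heuristic: a beacon can be served at any size, and a legitimate spacer image can be 1x1, so treat a hit as a reason to look rather than a verdict.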

Ultimately, I expect that antispam programs will offer options to scan for tracking bugs and quarantine messages that have them. So, if you feel your privacy is being invaded when e-mail messages report back to their senders when you read them, you won’t have to wait long for more solutions to appear.

And if you feel it necessary to use DidTheyReadIt or products like it, I’d caution you that it may not be worth it. While the tracking bugs are currently almost undetectable, they won’t stay that way forever. So don’t plan on being able to hide your use of this service for long. Also, keep in mind that the people I talked to called the tracking capability creepy, pushy, slimy, and other choice epithets. I’d guess that’s not the kind of impression you’re trying to make when you e-mail friends and associates.

http://reviews.cnet.com/4520-3000_7-5138076-1.html