Sunday, December 28, 2008

Missouri, Illinois pass cyberbullying laws; several prosecutions already occur in MO, emphasize text messages


New cyherbullying laws have been passed in Missouri, and one in Illinois that takes effect Jan. 1, 2009. The Illinois law might apply to “third party” postings in a webstie and could conceivably raise Section 230 questions.

In Missouri, the law prohibits communications (including text messages, phone calls and web postings) that cause emotional distress, and has been criticized already as too vague. Already there have been a number of prosecutions. The term "emotional distress" can be subject to interpretation (like reputation, it's in the eye of the beholder) so users need to be careful.

There is a story by Joel Currier in the St. Louis Post Dispatch, “New cyber-bullying law being used in the St. Louis area,” here.

According to Wired Magazine's blog, seven people have already been charged in Missouri. The story by Kim Zetter is here. Most of the prosecutions involved text messages rather than profiles and blogs.

The laws were, of course, motivated by the case against Lori Drew, who was convicted of federal misdemeanors but not prosecuted under Missouri law.

Tuesday, December 23, 2008

Virginia state government warns on infected USB storage devices


The Commonwealth of Virginia issued a security advisor to state government agencies and subscriber home users today (Dec. 23, 2008) about the possibility that some USN (Universal Serial Bus) storage devices contained malware (as firmware). The advisory suggests that Windows users disable to autorun feature first and then scan the virtual drive with a virus scan before completing installation. Arlington County distributed this advisory to home subscribers today.

The web link is here.

One would wonder about other devices connected through USB's, like camcorders. But I haven't seen any reports of such.

Picture: Topographical map of VA, drawing by me in 4th Grade, around 1952.

Tuesday, December 16, 2008

Critical bug in Microsoft Internet Explorer reported (whats new?)


Computer World is reporting that all current versions of Internet Explorer (6, 7, and Beta 8) have a critical bug. They story by Gregg Keizer is here. Arlington Virginia's emergency warning network sent out this cyber alert this morning!

The Microsoft Security advisory 961051 is here. Microsoft characterizes the vulnerability as “an invalid pointer reference in the data binding function of Internet Explorer”. The concept of “bind” is similar to that on the mainframe familiar to DB2 users.

Some security experts recommend disabling “oledb32.dll” if one continues using IE, until there is another security fix this month.

A DLL (dynamic link library) is an executable file that permits programs to share code to execute common functions. There is a writeup on removing dll’s on the Spyware Remove database here. Wikipedia’s discussion is here.

A few applications require Internet Explorer and don’t run on other browsers. One example is Netflix’s movie viewer. Some companies offering work-from-home customer support jobs require the use of Internet Explorer specifically. These are all issues, as other browsers like Mozilla ought to be acceptable in these circumstances.

Yahoo! Tech has a more alarming story on Dec. 17 (by "Christopher Null"), with computer experts warning that a new wave of fraud is inevitable in Microsoft doesn't patch this problem quickly. Use any other browser, they say. It's probably not wise to use IE right now with any application requiring logon with password (like a banking site). Hopefully, Microsoft will have a patch in a few days, but this sounds like a difficult fix.

They don't use the word "Microslop" for no reason!

Update: Dec. 18, 2008

Microsoft pushed a fix to IE this morning. It took about one minute to install. It looks like it replaced a few DLL's. A restart was required. (Microsoft also pushed a fix to Real Player.)

Saturday, December 13, 2008

Geek Squad: some ad hoc impressions about home PC security


Yesterday’s meeting with a Geek Squad “double agent” resulted in some new perceptions about Internet safety for me.

One of the most interesting is that the best anti-virus companies seem to vary from year to year. According to the conversation, McAfee is no longer at the top of the heap. Maybe it was best five years ago. (It also launches too many unnecessary processes.) The recommendation now is for Spysweeper. (I could not get the home page to come up this morning.) But he also said no one should subscribe to automatic renewal, because the best package relative to the threat matrix changes from year to year.

He also said that MacIntosh (note the spelling, with Mc it is a different trademark and business!) is orders of magnitude more secure and more stable than any windows system. Whatever the controversy about anti-virus on the Mac, it is simply much less of a target. But I know there is disagreement about this in the literature, as with a recent posting here.

The Best Buy Geek Squad page for virus removal is here.

He also said that the AOL dialup program is dangerous in the modern Windows environment, because it opens unprotected ports that hackers can use. AOL has lost its position in the business compared to how it was in the early and mid 1990s, when it was the leading ISP and content provider. Those almost sound like the good old days now.

Friday, December 12, 2008

Facebook taunts help trigger bullying lawsuit against a Connecticut prep school


Taunts on Facebook and in text messages figure in to a lawsuit against a Connecticut girls’ high school, Miss Porter’s School. A girl, Tatum Bass, who was expelled in November claims she was bullied online and in person by other students for an unpopular plan for a prom. A typical story is by Vanessa de la Torre on the Hartford Courant, “Miss Porter’s School Sued over Expulsion,” link here. The story was also reported Dec. 12 on ABC “Good Morning America.”

Again, social networking site content is showing up in litigation.

Thursday, December 11, 2008

Homeland Security Secretary Chertoff speaks about cybersecurity strategy


Today Michael Chertoff, Secretary of Homeland Security, gave a brief lecture “Cyberspace and National Security” and the Armed Forces Communications and Electronics Association, link here. He was introduced by AFCEA president Kent Schnieder. Most of the audience consisted of uniformed military officers.

Chertoff opened with a mention of how Estonia’s Internet was brought down, and how the Russian invasion of Georgia was manipulated in cyberspace. He mentioned a possible breach that could have exposed 40 million financial account holders. The problem seemed to have to do with a problem involving domain name integrity deep within the Internet, but it could have caused further loss of confidence in financial institutions, already an issue with the financial crisis.

He said that national cybersecurity policy should stress three areas: (1) front lines of defense and firewalls; (2) anticipating the full range of possible threats (3) understanding the social environment, such as disgruntled employees and (by inference) asymmetry. He stressed the nature of a public-private partnership.

He posed, in answer to an audience question, the legal question as to whether an international cyberattack is an act of war, and said that is a good question for lawyers.

An audience member asked about a possible Russian attack on DOD, which apparently has not been made public.

Also, the Second Annual Online Safety Conference “Safe at Any Speed: Rules, Tools and Public Policies to Keep Kids Safe Online” was held at the Newseum recently and shown on C-span, link here. I’ll look more into this shortly.

Wednesday, December 10, 2008

More warnings today about embarassing or incriminating self-portrayal (or material by others) on the Net: it lasts forever


Here we go again. On both the Today Show and on ABCs “The View” today media commentators warned about the risks of posting racy photos on the web, or even of allowing others to take them (and then post them). College admissions officers (up to 38% now) and employers (and once in a while, prosecutors) are looking, whether it’s completely ethical or not. Besides photos, students should be wary of playing “Gossip Girl” and writing disparagingly about colleges or employers that they visit, according to reports.

“The View” took the position that teens simply don’t understand that what’s out there is “for life” because it’s digital, and their parents grew up in a generation that had never known “this problem.” The broadcasters warned that Myspace and Facebook privacy settings really don't prevent public distribution of unflattering materials.

About.com (in the “Young Adults” column) has an interesting story by Jackie Burrell, “Facebook, MySpace and Internet Perils: 5 Online Dangers That Have Nothing to Do With Internet Predators” link here. The prosecution scenario in Ohio is chilling, especially that the recipient of the photos could be prosecuted when the receipt could have been involuntary. Maybe that's just Ohio. But the article mentioned other legal scenarios, as well as colleges, grad schools and employers.

Reputation, I say, is in the eye of the beholder.

Saturday, December 06, 2008

Facebook email video attachments could be infected


There are numerous media reports about a virus spread by emails from Facebook users. Apparently the attachment prompts you to ugrade your Flash player first (which seems to be common with many legitimate videos), whereupon you get infected with the “Koobface” virus that makes your machine into a botnet zombie.

A typical story is by Brennon Slattery in PC World, “Facebook Virus Turns Your Computer into a Zombie,” Dec. 5, 2008, link here.

A typical report is McAfee’s from October 2008, here, but there are multiple versions of this worm.

Facebook says it has removed this problem.

Thursday, December 04, 2008

VA may tighten school bullying laws, including cyber issues


The DC Examiner, in a story by William C. Flook printed on p 20 today December 4 2008, reports in its “Virginia General Assembly” column that state representative David Englin (Democrat, Alexandria) wants to expand Virginia’s anti-bullying law to prohibit “intimidation” and “harassment” and particularly to protect students with disabilities.

Presumably the law would prohibit cyberbullying, even from home computers, and would prohibit bullying based on actual or perceived sexual orientation.

The Examiner story did not yet appear online.

The legislation may have been motivated in part by the Missouri Lori Drew case, in which state officials could not find that a law was broken, Ms Drew was convicted of federal misdemeanor charges, as reported earlier on this blog. Several other serious cases have occurred around the country, including one on Long Island, New York.

A website called “Bully Police” has an analysis of the current Virginia law here (original Virginia reference, based on the concept of "character education", is here), and also a column from Minnesota here. Here is another resource on cyberbullying that it gives.

Tuesday, December 02, 2008

Apple recommends multiple anti-virus packages


Today, Dec. 2, Apple posted a recommendation that its customers (using various versions of Mac OS) use more than one anti-virus protection package. Apple recommends Intego VirusBarrier X5, Symantec Norton Anti-Virus, and McAfee. The link (which has a survey interrupt) is here.

Information Week has a longer story by Thomas Claburn today, link here.

Claburn notes that Microsoft’s market share, at least with Linux thrown in, is not what it was, so it is not quite as attractive a “target”, relatively speaking, as it used to be. Furthermore most major Apple products (like iTunes) are available on Windows machines and more and more windows users find that they need them. Claburn seems to feel that the underlying BSD Unix foundation architecture for the Mac is less easily compromised. However, I know of cases (back to around 2001) where entrepreneurs running small ISP servers from Unix servers have been compromised and have had to rebuild their machines (to use their vernacular).

I'm not aware that "multiple packages" are recommended even for Windows, where they could interfere. Many people have both the Microsoft firewall and a regular (like Norton or McAfee) personal firewall.

I bought an iMac in February 2002, when it was new, and have not found it to be more stable than Windows as a whole. I've had trouble with Internet Explorer locking up and becoming unusable. I use it to watch DVD's right now. I may decide that I need a (much!) newer Mac if I get FinalCut.

Update: Dec. 3

Apple has reversed itself, with a Cnet download.com blog entry "Apple deletes Mac antivirus suggestion," by Elinor Mills, link here.

Thursday, November 27, 2008

Report says major spamming botnet has returned; home users should monitor with caution


A disturbing story in Computer World, Nov. 26, by Greg Keizer, says that the Srizbi botnet has resurrected itself after being knocked off line by the closing of McColo. A company called FireEye reportedly tried to monitor the efforts of the spamming “service” but was unable to stop it from connecting to new domains in a daisy-chain fashion, apparently largely in Estonia. The title of the story is “Massive botnet returns from the dead, starts spamming: Criminals regain control after security firm stops preemptively registering routing domains” and the link is here.

I had not really noticed that much drop off in the spam in my AOL mail box after the story Nov. 13 about the disabling of the spam “service” by other ISPs. Once in a while, I still notice some sender-id spoofing. But others say that worldwide spam was cut by two-thirds.

Tuesday, November 25, 2008

"Wired" tells story of Kaminsky's discovery about DNS vulnerability


The December 2008 issue of Wired has a chilling story by Joshua Davis, “Secret Geek A-Team Hacks Back, Defends World Wide Web,” link here. The print version has on its cover the byline caption “Fatal Error: The Hole in the Internet”, and the story starts with a page with an abstract art illustration on p 200, with the word “Collapse”.

Programmer Dan Kaminsky (his company is “IOActive”) discovered, on his own, a serious flaw in the “I trust you” concept of the original DNS (domain name service) mechanism as implemented in 1983. In some ways, the flaw may resembled similar flaws in email servers that allow forging of email headers and sender-ids common with spam. The flaw, if discovered by hackers, could have led to catastrophic corruption of financial institution websites and misdirection of money.

Kaminsky performed some potentially dangerous experiments at home, and soliloquized, “I just broke the Internet.” Pretty soon, he had contacted security experts, and an emergency meeting was arranged at Microsoft headquarters in Redmond, WA. Security experts from Finland and the Netherlands and emergency twelve hour plane rides, and told Kaminsky and others not to discuss the issue even by cell phone. It’s curious how the community reacted: that one programmer’s (or researcher’s) discovery could imperil the communications of the entire planet if the individual, who legally “owns” the intellectual property associated with the discovery, released it to the world on his own. (That’s the theme of the play [Howard Davies] and film “Copenhagen”. ) Microsoft (as well as Nominum, Red Hat, Ubuntu, and Sun) designed an emergency patch which many companies implemented quietly on Tuesday, July 8, 2008. However a permanent solution would require new levels of DNS authentication throughout the Internet, including, especially, cell phones and wireless.

Russian physicist Evgeniy Polyakov demonstrated the problem at a hacker convention in August 2008, as discussed on my consumer ID security blog here.

Kaminsy, according to the article, is a bit of a polarizing figure, saying that darker problems lie ahead. Could he be referring to EMP?

Friday, November 21, 2008

Web of Trust extends service to popular email services


PRWeb Release Newswire announced that “Web of Trust” service is now offered for three popular email services: Google Gmail, Windows Live Hotmail and Yahoo! Mail. WOT checks embedded email links for various security issues including scams.

The link for the story is here.

WOT has been downloaded by 1.9 million users and has information on 20.8 million websites.

Today I saw an email (not caught by AOL security) with a Yahoo meetings logo that, when linked (it was a Yahoo link from India) led to a Nigerian scam offer. This one was bizarre, offering to deposit millions of dollars into a bank account almost immediately. It was one of the most elaborate Nigerian scam attempts I’ve seen, abusing the Yahoo! trademark to look legitimate.

Thursday, November 20, 2008

"Myspace case" goes to trial: would it be ex post facto law?


The trial of Lori Drew started in Los Angeles on Nov. 18, technically on a charge of conspiracy and three charges of unauthorized access another party’s computer network, in conjunction the tragedy in 2006 when Megan Meier took her own life after believing she had been rejected by a boy who, in fact, did not exist but was a hoax.

This case is said to be the nation’s first cyberbullying trial. But it is disturbing in that it seems to be a “creative” or ex post facto prosecution. The Computer Fraud and Abuse Act, USC 1030, was amended in 1996 and in 2001 by the USA Patriot Act but had been intended to prevent hacking, not social impersonation. The link is here.

The AP story Greg Risling is here.

Update: November 26, 2008

Lori Drew was convicted of three misdemeanor counts of "accessing protected computers without authorization to obtain information to inflict emotional distress on" a minor (CNN). She could get one year in prison and a fine of $100000 for each count. She was acquitted of the felony conspiracy charge. There are multiple media reports today on this story.

Saturday, November 15, 2008

Home computer and Internet users need protection of legal reforms


There does seem a need to pursue some legal reforms to protect home and perhaps small business computer and especially Internet users (perhaps even cell phone users, too) from “chilling” legal exposures. While recently I’ve written about media perils for bloggers, there seems to be a need to rethink possible risks for ordinary users even when just surfing or accessing material.

One thing, there has been discussion of a need to clarify downstream liability concerns if a person’s machine is hijacked, along with security education, standards for anti-virus packages, and even an “Internet driver’s license”.

Consumers, as we know, face sudden civil liability exposure if they illegally download copyrighted materials, especially songs and movies. Most of the exposure in practice seems to come from P2P networks, particularly for users who set themselves up as “nodes.” However, parents have been sued (starting with phone calls, often) for activities of their kids or even visitors who used their computers. Another exposure would come from making illegal copies of software or movies. The theory is, of course, is that the vendor is entitled to and needs the income from original sales. But I can remember back in the 1960s taping phonograph friends’ phonograph records, even though I bought hundreds of them. In the 1980s, before buying compact discs as they came out (and they were expensive then), I made cassette copies of some of my own records just to preserve them from wear. Was this illegal? In the early 1990s, there were controversies when companies sometimes made diskette copies of dialup software for on-call employees to take home, before the Software Publishers Association started auditing companies for violations. Moviegoers have, in a few occasions, been arrested and prosecuted for trying to camcord trailers of films in theaters.

If an Internet visitor views an illegally uploaded video from YouTube, is she guilty of infringement herself? The Internet visitor in this case is not always in a position to know if the video infringes or was posted without permission. It would sound as though that could be comparable to music downloads, but I’ve never heard of people being sued for surfing and saving copies for their own use. (They could be sued if they posted the copyright materials somewhere else). Nevertheless, it sounds like, by analogy to the P2P suits, there could be a theoretical exposure for consumers that the law should address. The issue could come up in the Viacom litigation.

The other exposure could come with “accidental” possession of child pornography (from machine infection, as discussed Nov. 11, even in the workplace) by mere searching and surfing. Someone may not know from the title of a domain that illegal content is present. One might encounter the problem while moderating comments for a blog or doing legitimate research. It appears that police sometimes track home users visiting materials being tracked by the National Center for Missing and Exploited Children. This makes sense for some overseas material that the US cannot shut down readily. But if illegal material is hosted domestically, it seems prudent that it be taken down immediately rather than left up to expose visitors possibly to accidental viewing and accidental “strict liability.” Police stings, such as those described by Wired Magazine in early 2003, have been set up (with Yahoo! groups and with some Usenet groups) but if the enticing material was illegal, why wasn’t it just shut down immediately? It is legal for police to impersonate minors in order to attract and prosecute criminal behavior, and this happens in every state and in most western countries including Britain and Canada. But that doesn’t mean posting illegal content and therefore having law enforcement or a cooperating company “possess” it first under technically illegal circumstances. There need to be definite legal limits on what kinds of “entrapment” are acceptable.

Home users rightfully expect to be able to depend on common sense, and in general will not have the legal expertise to know reliably if they could get into trouble. Home users also believe that if they visit sites or services hosted by reputable companies they will be all right. Of course, these companies cannot be required to prescreen what is published (that’s the Section 230 and DMCA safe harbor issue) and depend on user feedback to notify them of infringing or illegal materials. (They are required to act on copyright claims and on child pornography, in varying circumstances.) Users (not legally sophisticated) might believe that they are protecting themselves by flagging or reporting content that is remotely questionable, burdening ISPs or publishing services and employees who themselves lack legal training.

All in all, this sounds like an area that needs major legal reforms.

Thursday, November 13, 2008

Company involved in spam distribution is taken off Internet


Today, Nov. 13, the Washington Post reports on p D1 (Business) that a company allegedly involved in much of the spam sent in the United States everyday has been connected from the Internet.

Technology and security topics writer Brian Krebs has a story in the print and online versions, “Web Host of Groups that Traffic Spam Kicked Offline”. But more interesting is Krebs’s own blog entry “Spam Volumes Drop by Two-Thirds After Firm Goes Offline,” with all kinds of colorful charts and graphs (enough to please Jake Gyllenhaal’s “pie chart” character in “Rendition”), link here. Kreb’s blog entry gives a link to another detailed story explaining how a spam provider can get cut off. The company is McColo, in San Jose, CA, and the two ISP’s that took action are Global Crossing and Hurricane Electric. An Atlanta security consultant, SecureWorks, commented that McColo could have been involved in as much as 75% of all spam in the U.S. It’s important that the cutoff occurred as a result of actions within the private sector, not the government or FBI.

The story notes that companies are held responsible for acting on legal infractions of customers in limited circumstances, such as with the DMCA takedown provision, or specifically if they learn credible evidence of child pornography on their servers.

I checked my own AOL spam folder and haven’t noticed a significant drop since Tuesday yet.

Tuesday, November 11, 2008

In the workplace, Internet security problems can lead to false criminal charges


Previously I’ve mentioned the possible legal risks of home computers that are not properly protected (in conjunction with such proposals as an “Internet driver’s license”) but even work computers can be compromised and present a risk to employees. In fact, it is the workplace cases that get media attention now, and they may be becoming more common.

In Connecticut, a substitute teacher (Julie Amero) was arrested and convicted after a school computer went haywire and showed pornography in front of middle school students. The fact pattern in the case is quite disturbing. Apparently she was told not to touch the computer. Then, when the defense wanted to present evidence that the school’s network was poorly secured and that the computer could have been infected, the evidence was not allowed in court. It seems that the trial court at first simply did not understand how this kind of risk can come about. There are plenty of blogs about this case. One of them is by Andy Carvin on PBS, July 11, 2008, “No Resolution Yet for Julie Amero,” link here. The Carvin blog entries refers to some detailed op-eds in the local Hartford paper, the Courant. There is also a suggestion that the prosecution has dragged its feet on dropping the charges out of embarrassment.

There is no question about this: to be fair, law enforcement agencies and courts need to be brought up to speed just on how internet security issues play out and can endanger people, even in the workplace, and at home. They simply haven’t gotten the message in many jurisdictions around the country.

Another good blog entry is by Lindsay Beyerstein on the Huffington Post, Jan. 23, 2007, link here.

The Council for Secular Humanism has a thoughtful discussion of her case (as well as the excessive “enemy jurisprudence” sentence in Arizona for teacher Morton Berger in a c.p. case) here, by Wendy Kaminer.

Julie Amero has a Defense Fund entry on Blogger, here.

PC World has a good article, on June 16, 2008, about a Massachusetts worker who was accused of c.p. possession when it was later found that his state-issued laptop was poorly secured, link here, by Robert McMillan from IDG news, here.

The site Techdirt has a brief comparison of the Massachusetts case with the substitute teacher case in Connecticut, dated June 18 2008, here.

In the home computing environment, besides the case reported here Feb. 3, 2007 in Arizona, there was a case in Torquay, England in 2001, written up in the The New York Times by John Schwartz on Aug. 11, 2003, “Acquitted Man says virus put porn on his computer”, here. The concerns are that defense attorneys could abuse this theory as well as the fact that innocent people will be wrongfully prosecuted and have to spend huge sums defending themselves. Again, law enforcement (around the world, not just in the U.S.) needs to rein in on this problem. In the U.S., the "strict liability offense" concept (that theoretically holds the computer owner absolutely responsible for what others do to it, even if this theory is rarely followed) is also a problem, and probably could not survive a constitutional test.

Saturday, November 01, 2008

Switched and AOL update "sneaky" virus list; warning on 2 Facebook-related items


AOL and Switched.com have upgraded their recommendations with a new list of the “14 sneakiest viruses”, by Dan Reilly, link here. I last covered his column on Oct. 10, but many of the viruses in this list are important news. One is a fake email involving Barack Obama, but the most interesting may be W32.Koobface worm which can hijack your Facebook account and conceivably cause Facebook to discontinue your account. There is another Facebook Trojan Troj/Dloadr-BPL. There is also a MacIntosh OSX virus called OSX/Hovdy-A. Zlob can corrupt your Wi-Fi router, possibly endangering neighbors who don’t use secure Wi-Fi connections properly. Mebroot hides in a master book record and involved bogus financial sites. The clipboard attack involves Firefox or Mozilla.

But perhaps one of the most important is the recently discovered Microsoft security flaw which was discussed here Oct. 23. McAfee's Threat Center discusses this Microsoft problem (with a "Breaking Advisory") and lists a number of threats and unwanted programs here. The McAfee virus search page (to check the threats listed on Reilly's list to see which DAT files cover them) is here.

I have noticed that Mozilla has the irritating habit of caching the last website you closed, and then hanging and not completely closing until you click again. In rare cases, Mozilla seems to run away with computer CPU usage and require that the system be restarted. This seems to need another fix.

Friday, October 31, 2008

Network Solutions warns that domain name registrant companies are being targeted by phishing


Network Solutions has advised domain registrants that recently a party has been circulating “phishing” emails that appear to come from Network Solutions or from other registration companies to domain name owners.

Network Solutions recommends that anyone who responded to such an email immediately change their account passwords, as instructed.

Many times, a phishing email will appear to offer legitimate links which, when the cursor is passed over them, don’t match.

ISP’s have sometimes been imitated by phishing attacks, with AOL often being used. Paypal and Ebay are often imitated, and many of these seem to get past spam filters.

The Network Solutions blog ("Solutions Are Power") entry warning about this problem, by Shashi Bellamkonda, is here.

Thursday, October 23, 2008

Microsoft releases major patch for XP, Server 2003


Microsoft has announced the release of a security patch to its Windows server systems today (Oct. 24), a couple weeks before the normal November updates. It is considered critical in Windows 2000, XP, and Server 2003, and could allow a targeted worm attack. It is thought to be less serious in Windows Vista. Home users and companies with automatic update turned on may get small updates soon (perhaps one file) and should install and restart immediately, as soon as the updates arrive.

The news story, by Robert McMillan, is in Network World, here. Arlington County VA emergency emails system sent out an announcement of the story to subscribers, as it normally warns of cyber threats.

Another company involved in commenting on the fix is the DigiTrust Group, here.

Tuesday, October 21, 2008

Botnets are still a serious issue for home and small business users; major International Botnet Task Force conference held


The Business Day Section (p B1) of the Oct. 21 New York Times features an alarming report about Internet botnets by John Markoff. The title of the story is “Beware the Digital Zombies: A robot network is seeking to enlist your computer,” link here.

The story relates the reality that botnets are becoming an increasing peril to everyday Internet commerce and perhaps even self-expression. The story gives some general discussion of Microsoft’s plan to fight them, including cooperation with many overseas governments and inserting moles or sensors into “bot-herders” and pretend to do malicious things without actually doing them. It is common for crime rings to expect newcomers to carry out assignments to prove they are not informants.

The story says that now an unprotected early XP computer will get infected within five minutes, sometimes in only thirty seconds, when connected to the Internet by broadband. Presumably service packs 2 and now 3 are supposed to make this much less likely. And Vista is supposed to be safer (that is a controversial topic). Even so, a purchaser of a new Windows computer should probably complete as much anti-virus installation as possible before connecting to the Internet, and then download all the applicable security updates from Microsoft and from the anti-virus company (like McAfee), and run a batch full scan, before using heavily. Since these downloads and installs take time, it’s possible that with such a process a new computer purchaser will detect some problems. The story indicated that the best security software does not discuss all vulnerabilities.

The news story refers to a group called the Shadowserver Foundation. Worldwide, it appears that at least 300000 computers are silently infected by botnets.

An organization called the International Botnet Task Force is supposed to convene today in Arlington VA. I could not find a web url for them, but Microsoft mentions the group in its white paper “Bots, Botnets and Zombies” here. Microsoft says it has deployed Sender-ID as part of the solution for spam since 2003. Would a microcharge for each sent email also be an effective way to fight spam?

The NY Times doesn’t discuss the speculative topic of possible home user liability. There have been a few cases where home users have been disconnected by broadband ISPs for too much activity. ABC News reports at least one case (discussed here Feb 2007) where a teenager faced child pornography charges for material that he claimed could have been placed by a hacker (those charges, in Arizona, would be dropped). There has been loose talk of an “Internet driver’s license” to include demonstration of knowledge of how to use security products, and there is talk that it should be presented in public schools (you have to find the teachers first, however). The concept of conceivable home or small business user liability is a potentially very sensitive one for public policy makers, who would have to remain very wary of unintended consequences and chilling effects.

Friday, October 17, 2008

Be careful even when moderating comments on your blog


Bloggers who allow comments (most do) should not only turn on comment moderation but should also probably be careful about embedded links in comments that are offered. In a few occasions, links that appear to be legitimate may actually link to hostile sites offering harmful downloads, fake anti-virus software, pornography, or content that is patently illegal to even possess.

There are two ways this happens. If you run your cursor over the link, you may see a different URL appear. That is one warning sign. In many cases the blogger will reject the comment and mark it as spam, if the publishing service or ISP offers spam reporting. One precautionary technique, available with some blog publishing services, is to require the comment-offered to sign on with a captcha, to avoid automatically generated comments.

But sometimes even the actual URL looks legitimate. Yesterday, on one blog on another domain (billboushka.com/wordpress) I got a comment (which of course I rejected in monitoring) that gave the URL of what appeared to be a legitimate networking profile on members.work.com. It appeared to come from the Muscogee County School District (in Georgia). I checked the link (of the specific profile) as I was moderating, and saw it was an “adult” site. McCafee Site Advisor remained gray for this link, but was green for the site as a whole. I suspect there are trademark law issues here, which I will take up soon on my trademark law blog.

This "school district" reference with adult content apparently also occurs at feel.crossfacer.com (blogs) and at kyokuyou.com (boards), both references marked green by McCafee site advisor on searches.

The computer showed 100% CPU use, although that might have happened before, when I was in Microsoft Word. (Once in a while, Word seems to stall, and so does Firefox; I’m not sure why.) I restarted the machine and the CPU problem went away. I ran fill virus scan and it found no problems.

Friday, October 10, 2008

"Switched" and AOL offer "12 sneakiest" cyberthreats; GPcode "author" apprehended


Switched-dot-com (from AOL) offers a list of the “twelve sneakiest computer viruses” here. Some of them include (1) fake anti-virus software (item 12 on their list) (2) Gpcode, which can encrypt most files on your hard drive and demand “ransom” for a decryption key (item 10), and (3) a clipboard attack (which can also sell fake anti-virus programs) and (4) Mebroot, which apparently can install from unsafe websites, and then installs keylogger programs to track your logon to any number of financial sites.

The most noteworthy might be Gpcode, which surfaced in 2005 and has been hard to track down, and anti-virus program has had trouble isolating it. Zdnet had a major article by Dancho Danchev about this ransomware in June 2004 On Sept 30, 2008 Infoworld ran an article by John E. Dunn, “Police ‘find’ author of notorious Gpcode virus: Gpcode ransomware virus was the work of a single person believed to be a Russian national” here. McAfee apparently has a DAT file that would detect the latest version as of June 9 2008, link here.

Thursday, October 09, 2008

McAfee Security Center offers much "stricter" virus scan


On Oct. 9 McAfee replaced its Security Center on Home XP machines, at least. The new virus scan runs slower and contains a progress bar graph. It also is stricter, and, when going through the registry keys (HKLM’s and HKU’s at the end of the search) may pick up unwanted programs with a link to instructions for removal.

For example, it will flag the keys for the Viewpoint toolbar, which seems to be installed by a number of services. It is considered unwanted because it can transmit non-personal information to servers. Networktechs has an article on how to remove them, here.

It also will flag Nielsen rating services as potential “spyware”. I was recently contacted by Nielsen to participate in their survey of Internet surfing. I installed from their website, and found after a week that it was not transmitting data from my IP. I uninstalled it, but found McCafee found the registry key anyway (NetRatings). Nielsen is the company well known for television ratings. Advertisers are interested in sampling web users. I worked for NBC back in the 1970s and worked tangentially on a Nielsen Ratings project from the mainframe perspective, so I know that this is a legitimate activity. Of course, many users will not want to allow any outside marketing service to sample their activity.

Friday, October 03, 2008

Domain name registration companies checked for shoddy practices (by ICANN)


Shaun Waterman of United Press International is reporting that ICANN (the Internet Corporation for Assigned Names and Numbers) is investigating two domain registrars with almost one million domains between the two of them, for not adequately identifying registrant information so that their contact information becomes available through WHOIS or through a legitimate private registration setup.

Registrants would be transferred to other registration companies if these registrants are shut down.

The action is important because domain registrants without valid contact information or mechanisms are thought to be a major source of spam and of phishing attacks or various scams.

An original UPI story, originally published May 29, 2008 is here and it requires registration to see.

A newer related story appeared Oct. 2 (same author), here and requires registration.

The Washington Times reprinted the story Friday Oct 3 on p A14, “Economy,” under the name “Domain Registrars Warned on Oversight.”

ICANN has its version of the story dated Oct. 1 “Breach notices sent to joker.com and DNS.com.cn: Registrars given 15 days to fix their Whois investigation efforts” here.


My own favorite WHOIS site is Domain Tools (which used to have the odd address whois.sc).

Thursday, October 02, 2008

List of 12 "don'ts" published on AOL; Ziggs lets users track searches against their name


AOL today provided a switched.com story with “12 things you should never do online”. The link is here (look to the bottom of the page for the orange banner link). Most of the items – in fact all of them – should be familiar by now. They do include not conducting personal transactions at public Wi-Fi hotspots, not using the same password on more than one account (at least more than one important account). They also include not posting personal or sensitive information even on supposedly “private” social networking sites.

It’s important to distinguish between being known publicly for having authored or published something (on the web, in print, in video, or any or all of these), and actually sharing personal information (like social security numbers, home address, etc). One can be a celebrity without sharing personal information. Generally, celebrities, for example, don’t make any personal contact information available at all to the public on the Internet. You have to contact them through agents.

There are some measures that webmasters can take to protect personal privacy, including private registration of domain names (which means that the domain name company secures a way for legitimate parties to contact you). Many people, including webmasters with fewer financial resources to have agents like celebrities have, publish their cell phone numbers online, along with PO Box or UPS land mail addresses only. One potential problem is “reverse phone number look ups” available from companies like Intellius and others that sell personal information reports, which could theoretically be used for stalking or other illegal reasons. Generally, this has not been a big problem in the United States. It might be bigger overseas. Congressman Moran told me that such companies operate “barely within the realm of what is legally permissible” and admitted that maybe they should be more regulated. Further complicating the discussion is the observation that a lot of identity theft results from carelessness and lack of due diligence from lenders -- which could be fixed.

Of course, many people post personal contact information like cell phone or home phone or even address for what they view as innocuous purposes, such as on job sites to be contacted for potential employment. Again, there is a lot of work to be done to make all of this a lot safer.

Ziggs offers its members a service to let members know anytime anyone has searched for their profile online. AOL today broadcast a headline that called this “creepy” while providing a link to the same Switched.com story; but I don’t see the harm in that. Ziggs is a site for “professional social networking” and has been somewhat active in the "online reputation" debate.

Thursday, September 25, 2008

ISP's should allow users to specify their own security question (Sarah Palin incident on Yahoo!)


Computer security experts recommend that users with email and any online accounts use more caution with typical security questions. The recent incident where Republican Vice Presidential nominee Sarah Palin’s Yahoo! email account was compromised generates a flaw in the security question system. If the user has posted the answer to the question before somewhere or if it is generally known by others, someone could guess the information and get into the account. Security experts say that ISP’s like Yahoo! and many others should begin allowing users to specify their own security questions.

In the mean time, users should code answers that they do not believe others know (particularly, don’t use an answer that you’ve posted on the web previously). Don’t use the real name of your “Iams” cat; make up one, or, better yet, user letters and numbers in a nonsense combination. That is, make the answers to the security questions like strong passwords. They also say you can link your account to another one where you could have your account information emailed. Many people keep their access information on hard drives on files not made public, but it is conceivable that in some cases this information could be compromised, particularly on a laptop that could be lost physically.

Matthew Sheffield as a detailed Analysis/Opinion pages on the Palin incident (“…how easy it is”) on p A4 in the Nation Section of the Washington Times, Sept. 25, link here.

In the past, it was common for companies, especially in sensitive jobs, to warn employees about keeping their mainframe passwords secret, and in some cases, not to leave themselves signed on when away from their desks.

Wednesday, September 24, 2008

Technical publisher issues warning on rootkits


Michael Kassner has an article in the Tech Republic blogs, “10 Things” series that affects Internet safety mainly in the workplace or especially for small businesses with home networks, especially Unix or (more likely) Linux machines.

The article is “10+ Things You Should Know About Rootkits,” link here.

The term refers to programs that allow one to get to the root or admin (or kernel) layer on a Unix or Linux server and execute malware without knowledge of system administrators. Generally they get loaded by users clicking on email links or sometimes through IM. One particularly disturbing feature is polymorphism, which might change internal operating system machine code and make normal security or anti-virus software inoperable. There are also firmware rootkits.

I had an earlier domain on a friend’s webhosting from 1997 to late 2001. Over the fourth of July in 2001 (before 9/11), while the friend was away, the kernel of his Unix machine was infected by a rootkit. Fortunately, a rackspace cohost was able to get his sites back up in about four hours while he was gone, but he had to do a complete rebuild of his Unix system. It would appear that a direct Internet connection could cause an incident like this if a machine is not adequately protected. Another problem that small business webhosting ISP servers had in the late 90s and early 2000’s was a tendency to be vulnerable to prankish DOS attacks, which were met by slowing down and bouncing the incoming packets. Since about 2000, there has been a tendency for small hosts to be absorbed by larger companies, as they have trouble competing with them, particularly in terms of maintaining stability.

Thursday, September 18, 2008

WOT offers a new video on fake anti-virus software


“Web of Trust” has issued a newer version of its video regarding fake anti-virus software. The video is called “An Epidemic: Fake Anti-Malware Products” and the link for direct viewing (5 minutes) is here.

This video starts with a fictitious search, and clicking on a link that, instead of bringing up an html or asp type web page, starts a windows-like application to scan your system, and then goads you into giving your credit card number to purchase the product. The name of the product is likely to change every few days to make it impossible for credit card companies to help you with refunds.

The links wind up in search engines very quickly, before they can be evaluated by WOT or McCafee. Many of them may have overseas domain names, but not necessarily. Many may give legitimate sounding excerpts of text that are unrelated to the virus search. (Unauthorized celebrity sites may be prone to such abuse, which would give celebrities legal resource on the grounds of trademark infringement or “right of publicity” actions if they chose.)

Web of Trust also has a Press Release dated Sept. 17 on this problem, here. Web of Trust, like McAfee, offers a pop-up report on search engines, which may something like “Site Has Been Infected” for fake anti-virus sites. The main practical problem is finding the abusing site in time.

Because search engines now very quickly index new sites, it is difficult for them to address this problem. Search engine companies will remove such links when requested, following their own procedures.

It is important to note that the phrase “web of trust” has also been used in the media to described a “darknet”, a limited P2P (peer-to-peer) network of anonymous users seeking to escape attention from authorities. John Markoff has a story in the New York Times back on Aug. 1, 2005, “New File Sharing Techniques Are Likely to Test Court Decision,” here. The Court case here was MGM v Grokster, concerning business models based on copyright infringement. The article discusses the efforts of a Scottish programmer named Ian Clarke.

This blog had discussed an earlier video by WOT on Aug. 19 2008.

Wednesday, September 17, 2008

Be careful when visiting "unauthorized" celebrity websites


The NBC Today show this morning noted that a lot of web surfers are getting infected by “unauthorized” celebrity fan sites, that apparent offer a lot of dangerous free stuff for download. Last year the biggest problem was Paris Hilton; now it seems to be Brad Pitt. Reuters has a blog entry this morning “Don’t Mess With Brad Pitt in Cyberspace” by Belinda Goldsmith, link here.

The safest place to learn about celebrities (including photos, videos, and message boards) is probably imdb.com. Wikipedia has interesting articles about many celebrities, who automatically meet the site's "notability" requirements.

But, of course, many visitors want to see a lot more and use search engines to look up celebrities (as they would their own friends). One good idea is to look at the search engine results with McAfee Site Advisor or Web of Trust turned on. Most of the sites are probably merely silly and harmless. There are questions about the legality of unauthorized sites created by others and the celebrity’s “right of publicity”. Celebrities generally don’t create their own sites to promote themselves, but they often create sites for charities they support or political causes they work on (Leonardo Di Carpio and global warming is a good example, link here), or for specific television shows that they run or movies they are in (which are generally set up by networks, studios and distribution companies, not the celebrities themselves). If the site is flagged, read the report first before visiting it. Rarely, it’s possible to get infected by visiting such a site at all (this has been a problem with fake anti-virus downloads that had false domain names and then start a Windows box application to either a download or invite the visitor to download. I’m not sure why a browser gets fooled by a file marked .html and still runs an exe file; it would seem that browser security updates should prevent that. In a few cases, such sites have been created before McAfee gets around to rating them, or before their viruses are logged in DAT files. Generally search engine companies remove them when they learn about them.

A few people have been infected by fake anti-virus software which even without prompting a download. Sometimes an infection might be discovered by a running of a virus scan with an updated DAT file.

It's important to remember that McAfee will downgrade some sites for being linked to too many yellow or red sites. Bloggers should keep this in mind. There have been some problems with McAfee incorrectly flagging links ("false positives") in emails on AOL when read by Mozilla browsers.

Always stay alert online. If you bank or do brokerage online, always watch your numbers frequently and make sure nothing unusual has happened.

Tuesday, September 09, 2008

Employers and small businesses need to beware of legal pitfalls with their computing and Internet practices


Bill Detwiler offers a video on the Tech Republic blogs, “Three Ways You Might Be Breaking the Law with Your Computer, the video belonging to the “IT Dojo” series. The primary link, which plays the 7-minute video, is here.

He also gives a secondary link, on the same blog, of a list of “ten things” written by Debra Littlejohn Shinder.

Detwiler takes the caution to note that he is not a lawyer and is not giving legal advice.

Detwiler’s main concern is for employees of a business, which could be a small business, making violations of the law for which an employer could be held legally responsible.

One concern is well known, the Digital Millennium Copyright Act, or DMCA. He warns that the ownership of circumvention tools is itself a violation, and the presence of such tools on an employee's computer or on the employer's premises could cause liability for the boss. The US Copyright Office Summary is here.

A second act is the No Electronic Theft (or NET) act, which makes electronic theft a crime regardless of whether done for monetary gain. This refers to 17 and 18 USC. The Department of Justice has a link here. This law makes making and keeping illegal copies of copyrighted material a violation even if not posted on the Internet or offered commercially. The typical example is making illegal copies of DVD’s in violation of the FBI warning on most DVD’s. Theoretically it’s illegal to make a copy on your computer of a copyrighted story even if you don’t post it. A better known example is making illegal copies of software, which in the early 1990s was often done just with floppies. (“Microsoft often writes on its software CD’s: do not make copies of this CD”.) For example, it’s at least technically illegal to make a copy of connectivity software to give to an employee to take home to be on call. (This would happen even in my own office in the early 1990s until it caused controversy and the practice was stopped by management.) You have to purchase a properly licensed copy. I know from some personal circumstances there could be a legal issue in some cases over who owns the computer from which the oncall support is done (and now that becomes a relevant question in protecting the privacy of the employer’s consumers – does the employee have a working firewall at home, etc.).

In general these are concerns for employers and businesses. They could be concerns for very small businesses or perhaps even solo individuals (especially self-employed contractors who work from home). So far we haven’t heard of the Software Publisher’s Association auditing the computers of for-pay bloggers, but I suppose it could happen. More likely, a software vendor can detect the use of a pirated copy of software with various centralized detection tools.

Another warning in the video concerns the legal right of Homeland Security of customs to search and even seize laptops, cell phones and similar devices at border crossings.

Finally, the video warns about a bill in Congress, HR 4279 “Enforcement of Intellectual Property Rights Act of 2008,” also called “Prioritizing Resources and Organization for Intellectual Property Act of 2008” link here on govtrack.

I note that as far back as 1985, when I worked for Chilton (a credit reporting company in Dallas) we were warned about the Texas computer crimes law whenever we signed on to the mainframe.

Also: Advisory about New Scam by email:

In an unrelated story, the NBC Today show today reported a scam whereby phishers offer rental keys to people, desperate affordable housing, for who send them money, for houses not even on the rental market.

Friday, September 05, 2008

Some Dell laptops have wireless vulnerability; fix offered by Dell


Dell has advised users of a potential vulnerability in its wireless network adapter cards. It may affect some but not all laptops.

Select Dell™ Wireless cards offered on Latitude™, Dell Precision™ Mobile, Inspiron™ and XPS™ laptops could have a security vulnerability that would let a hacker manipulate the data packets received by the laptop and trigger an error condition. This could allow a hacker to obtain privileges access any files on an affected laptop in some cases. Apparently the vulnerability could exist even when the user is not connected to a wireless network.

Earlier this week I got prompted to install Microsoft Service Pack 3 on an XP Pro Inspiron Laptop. In my first regular book, I got an “8021x” error from Dell. Wikipedia indicated that the error has to do with IEEE wireless connections. However, I reported the error through Microsoft and I immediately got a supplementary update from Microsoft. I installed, and the next book the error went away. I did not use a wireless connection and worked using a broadband cable connection instead. But theoretically, I could have been exposed. McAfee scans have not found any problems. I will look into this further soon, and report. The laptop machine is left turned off most of the time.

The Dell link is here. Dell will assign a Journal ID for each visit by a registered Dell customer. The advisory gives details as to how to download a security fix to the wireless handlers in the operating system from Dell.

This advisory was emailed today by Arlington County (VA)’s cyber-alert system, which also gets some advisories from CERT.

It would be interesting to see if Microsoft (XP and Vista) can somehow address this vulnerability separately with further security updates (without needing to go to Dell), with a generic fix that could prevent similar problems with any vendor. I would think this would be a very high priority.

Thursday, September 04, 2008

McAfee publishes family Internet security guide


McAfee has published a spiffy “10-Step Internet Safety Flan for Your Family”, a PDF document at this link.

McAfee says that the chance of any one person becoming a victim of a cybercrime is about 25%.

It recommends placement of a family compute in high-traffic areas. There is some emphasis on family teamwork, and on careful education as soon as a child (a tween) is old enough to begin to use the Internet.

The computer is seen as a family asset, not as property of an individual member. Obviously, older teens who are responsible enough will have goon reason to have more independence in their use, especially for school work.

One could think of learning to use a computer and especially the Internet as a bit like learning to drive a car.

The paper warns about strangers on the Internet, with all the well known dangers.

It also recommends strong passwords and systematic checks that security software and firewalls work.

The paper doesn’t say this, but other security experts have said that normally there is no legitimate reason for a minor to own a webcam.

Thursday, August 28, 2008

Firefox 3.0.1 gets a bit jumpy


Earlier this week Firefox prompted me to download and install browser 3.0.1

I thought I would note a few behaviors. If I happen to be in a site requiring login and I simply click out, the next time I start Firefox 3.0.1 it comes back on at that page instead of a default page. Maybe I have to play with it to change that (I didn’t see an obvious solution in the toolbar). But that could pose a problem for some users if they don’t fully log out of a site when finished (especially if multiple people can use the computer, as in a family room).

Some cookies are lost, others are not. Some passwords on some sites do not save, and in one case a cookie remembered an out-of-date password. I don't know why the new Mozilla behaves this way.

McAfee SiteAdvisor also prompted me to download an update for its communication with the new Firefox. By the way, McAfee SiteAdvisor is very strict, giving some professional news sites (like a Jacksonville, FL newspaper now and previously TV station WJLA in Washington DC) yellow ratings for sending too many emails; news organizations should work with McAfee and WOT for ratings policies on this issue promptly!

There is some discussion of the extra warnings that Firefox 3.0 gives when a site’s secure connection (https) has expired or not been properly issued by a third party. However Mozilla offers an add-on from Carnegie-Mellon to bypass this. The news story is on Networkworld, “Mozilla garners praise over Firefox security feature, Carnegie Mellon Firefox add-on aimed at avoiding user confusion, hacker attacks”, Aug. 26, 2008. by John Fontana, link here.

Sept. 3


I also downloaded and installed Google Chrome. It is very fast with Google products. When browsing, it does not connect with McAfee SiteAdvisor.

Friday, August 22, 2008

Consumer Reports has major article on home computer security


The September 2008 issue of Consumer Reports has some valuable perspectives and tips on home consumer security. The basic TOC link is this.

On p 23 there is a report on a survey in the article called “Protect Yourself Online: The Biggest Threats & The Best Solutions.”

The overall picture of home computer security is improving. CR seems to believe that Windows Vista represents an improvement and is likely, over time, to result in fewer serious problems for home users than has XP (or previous operating systems). It may be worth considering an upgrade even for current XP users. MacIntosh users tend to report few infections, although the general view is not to be complacent.

One particularly disturbing problem is “news spam” where spammers design fake stories intended to get quick search engine rankings, and actually may be infected with malware or fake antivirus downloaders. Some of these sites are overseas (particularly Romania) and may not get filtered out quickly enough by search engines and by safety products like McAfee Site Advisor or Web of Trust. It’s a good idea to click on news stories from sites from known companies (and glance at the mouse preview first to make sure they match). The article also mentions a disturbing router vulnerability that could allow whole domain names to be spoofed, a problem mentioned at the Black Hat convention (by a Russian physicist) and difficult for ISP’s to fix completely without a lot of investment. (See my “consumer identity security” blog on Aug. 9.) The hope is that security companies and Vista can develop sophisticated screening for this specific problem.

On p 26 CR presents an article “7 Online Blunders.” The first is not to keep tabs on whether your anti-virus and firewall program subscriptions are up to date and whether the packages are working and loading updates. The article feels that major virus programs do work if properly installed and maintained. On p 34 CR compares a number of anti-virus packages, including Bitdefender (one of the best), McAfee, Norton, F-Secure, Microsoft’s own, and a free package including Avira. CR feels free packages (or bundled) may be good enough; I might wonder about liability concerns (previous post) if a regular subscription were not used. Child filters are mentioned.

CR also warns about clicking on email links (especially in phishing situations), about strong and varied passwords, and particularly about the recent epidemic of fake anti-virus software offers (3% of the time, they have created detectable infections, even if accidentally launched and then canceled).

CR recommends using a separate credit card for Internet shopping (unless you really watch your cards online – I do) and don’t use debit cards. https links are safer, but in rare cases even these had had problems. The more often you check bank information or any accounts you are responsible for (like publishing sites) the safer you are. Unused accounts that are not often checked can represent a risk..

Thursday, August 21, 2008

Do we need an "Internet driver's license"?


Recently I found a white paper by Robert B. Standler dating back to 2004, “Possible vicarious liability for computer users in the U.S.A.?”, link here.

The “obvious” question is whether home or small business users could or should be held liable if their computers are hacked and used as “zombies” in botnet “denial of service” (DOS) attacks. A more remote possibility is whether they could be held (in civil or criminal circumstances) responsible for crimes committed with their computers without their knowledge, or for illegal content on it. Sometimes the law regards certain matters as “strict liability offenses” although most of the time, in actual practice, it seems the law takes into consideration whether the computer owner knew or could or should have known about the illegal activity.

Standler makes some interesting analogies. The first comparison is to state laws holding automobile owners responsible if they leave keys in the car, and the cars are stolen and someone is injured. Not all states do this, but some states regard an improperly secured vehicle as an “attractive nuisance.” Car rental companies are especially vigorous in warning customers about this possibility. Similar liability may exist with cars not in safe condition. He goes on to discuss the public health concept of “herd immunity” with respect to vaccinations (a real controversy now, possibly complicated by the autism debate) and even makes some comparison to agricultural and ranching issues known in the 19th Century (and inspiring the plots of some western movies).

In April 2008, Wired published an article “Zombie Computers Decried as Imminent National Threat” here.
And in June 2007 Wired has also published “Desperate Botnet Battlers Call for an Internet Driver’s License” here.

Okay, I could carry the rhetoric further. I’ve heard a couple people say that no one should be allowed on broadband, at least, until they can cleanse a harddrive and rebuild their machine themselves from installation discs. It can happen to anybody, they say. Usually this kind of talk comes from super-techies, the kind who got in to the business of open systems in the early and mid 1990s.

Personally, I think that the comparison between cars (and motor vehicle licenses) and computers with broadband connections (and “Internet licenses?”) is a bit incomplete. Standards for the safe operation of automobiles have long been known and in legal practice, even if the media often reports new safety issues in that area. With open-system computers (mainly Microsoft and Apple, and perhaps Linux) the actual “rules” of best practice, to be expected of “average” home users, are still a bit murkier.

It is true, if you buy a modern computer from a reputable source, receive all the recommended operating system security updates, and purchase a subscription anti-virus program from a reputable vendor (most likely McAfee or Norton or one of a few others), and practice common sense in computing (don’t fall for phishing, don’t open unknown attachments, and don’t visit the porn sites) you’ll probably be all right. By and large, security updates and anti-virus software and firewalls do work pretty well (actually amazingly well) with little effort by computer users, and at only modest cost. One problem, however, is that if there is a problem, getting customer support for mail-order vendors or from anti-virus companies can be challenging, more so than in the automobile world.

Companies that hire people to work from home as customer service agents have to become concerned with home computer safety. Some of them require that the employees purchase windows machines used for work only, and monitor the computers themselves from central servers, perhaps adding an element of safety.

Still, there are a lot of “controversies” about which there are legitimate differences in opinion. Is McIntosh really “safer” than the Microsoft PC? Is Mozilla safer than Internet Explorer? Is it safer to turn off your computer or Internet connection when you’re not home, or let the security updates load all the time (it’s probably easier on your hard drive to leave it on, and only slightly more expensive as to power use)? Or can you count on properly installed security software.

There’s another area, too. Our culture allows, even encourages, people to promote themselves in public on the Web, when people have little or no legal training as to the risks with copyright, libel, etc. This cultural change would have been unimaginable in the publication world before the Internet, where due diligence was part of publication. True, the actual incidence of litigation is extremely low compared to the volume of users and “self-publishers.” But insurance companies scratch their heads, as they have no idea how to assess this new kind of “risk.” And, true, the “reputation defense” business has more recently encouraged “ordinary people” to pull back a bit from self-promotion outside of an income-paying job.

It's well to remember that there are some downstream liability protections in the law, such as the 1996 Telecommunications Act "Section 230" (when "hosting" material "published") by others. From a federal and constitutional perspective, the Supreme Court (with MGM v Grokster) seems to be heading toward a doctrine where downstream liability exists when a party's "business model" or purpose seems predicated on attracting legal infringement; but at a conceptual level, such a legal standard could become ambiguous.

We’ve come a long way from the mid or late 90s, when most security hazards were spread with floppy diskettes or by email attachments. Continuous broadband is almost a necessary utility now, just to receive the massively large security updates (often while you sleep). But broadband itself was rocky for the first couple or years it was in frequent use, and the security issues really didn’t start to get a lot of press until, say, 2003. So the issues simply haven’t been around long enough for society, through democratic political institutions, to develop reliable standards. Libertarians want a free marketplace, and let the tort law fall where it may. Okay, then you risk frivolous litigation over “downstream liability” issues and maybe even wrongful seizures or prosecutions. Furthermore, you may risk arbitrary behavior by "private" ISP's if you depend on them to pull the plug on individual users who allow their machines to become infected (and you might run into other issues brought up in the network neutrality debate, as with recent concerns over ISP monitoring for excessive P2P use). We do, as a culture, need to sit down and sort this out. We need to present it to kids in public schools, too. But only the big players in the industry (the big telecommunications companies, the software vendors like Microsoft and Apple, the open source people like Linux, and search engine and news companies like Google, Yahoo!. etc,, as long as the standards people like ICANN and W3C) can provide the guidance that political institutions – and schools – need. We do need a culture of “communications citizenship.” Most of us just don’t know enough, yet, to define it. Even other social issues and presence (or absence) of family ties and environments come into play.

Tuesday, August 19, 2008

Web of Trust produces videos on PC "cleansing" products


Web of Trust is producing a series of videos about how some “computer cleansing” products, advertised with search engines, seem to be fraudulent.

One such product is PC Doc Pro. WOT loaded a machine with Windows Vista Ultimate with no other programs except the regular Microsoft updates and Internet connection. PC Doc Pro found over 500 “problems”, some of which it would fix “free,” the rest for a “trial” for $29.95. The video (about 5 minutes) shows how WOT works with search engines, in a manner comparable to McAfee SiteAdvisor. The filmmaking technique itself is interesting, making computer application sequences visually interesting enough to be suitable for a short documentary film festival entry. The link for this first WOT video is here. When I viewed it, it loaded a little slower than YouTube usually does.

WOT president Deborah Salmi gives these networking contacts:
Twitter.
LinkedIn.

I've written before on this blog about "fake anti-virus" programs, such as XPAntivirus. Some of them may appear as links to legitimate searches, often on overseas sites of sites not yet reviewed by SiteAdvisor, WOT, or any similar service. Some security advisors recommend doing a ctl-atl-del (not even "canceling" the application) to look at all running processes and not using the computer until it is thoroughly checked. This has happened twice to me, and I have never found that anything was downloaded or any registry key added or changed, and have found no problems with subsequent McAfee scans, since I did not allow the operation to continue. Fake sites (those that appear to have legitimate URL's ending in "html" but intending to load malware) may become a more serious problem, as demonstrated with the domain name controversy at the recent Las Vegas Black Hat convention.

Monday, August 18, 2008

"News", as well as phishing, could appear in computer worms and trojans


We’ve gotten used (and desensitized) to warnings about emails seeking personal information, such as phishing attacks from banks or brokerages, and also from companies like paypal, Ebay, and ISP’s. And we’ve been warned responding to emails proposing getting something for nothing (“Nigerian scams”) and offering frivolous entertainment like greeting cards. Another variation is phony communication about tax liabilities or refunds, purporting to come from the IRS, which does not contact people by email for legal purposes.

In the 1990s the most common risk from email came from downloading an opening an attachment. Now, merely clicking on an attachment could start a malware application (such as a fake anti-virus script). In rarer cases, merely previewing or opening the email itself could start a malware application. (One of the first of these was “Bubble Boy” back around 1999, as I recall.) Modern email programs offered by larger ISP’s (which screen for viruses), in combination with anti-virus packages (like McAfee or Norton) running on a system properly maintained with operating system updates (as from Microsoft) generally offers reasonably effective protection from these possibilities. One problem in practice is that downloading these updates requires a stable broadband connection or a secure subscription wireless connection (don’t use a restaurant “hot spot’), that not everyone has access to. Making sure that this capability is routinely available to everyone like other basic utilities (electricity) is becoming a major national infrastructure issue, requiring investment and public policy decisions, connected to the “network neutrality” debate.

It’s important to realize that the range of subject matter in virus or worm attacks may expand. Recently there was a malware item purporting to come from CNN. “News spam” could become a threat in the future, and has occurred before. In 2007, there was a trojan that tried to solicit personal information by pretending to offer detailed information about a Brazilian plane crash (and its victims). The link in NetworkWorld is here.

Another possibility is that a spammer could claim to have a “tip” about an impending incident, or about the location of a terrorist like Osama bin Laden (seeking to exploit potential public interest in the government’s announcement of a reward for capture). This possibility is complicated by an additional hypothetical scenario of the Tom Clancy or Jeffrey Deaver spy-fiction world. Someone has a real tip, and uses spam to communicate it. It's not clear whether this has ever really happened, but I can imagine (as someone with a new novel on his own hard drive) why it might. What did the CIA admit after 9/11: “we had a failure of imagination”. And, we all know the truism for the gullible, “I read it on the Internet.”

I have received a few possible “tips” in my eleven years of being visible online, and four or five times I have contacted the FBI. I don’t claim “reporter shield” with something like this, particularly as an amateur. I’ve had a least one extended telephone conversation in 2005 about one of the emails that I got. The government, when receiving something like this, is supposed to match it to other tips from unrelated sources to determine credibility, since most of these items are probably hoaxes or just spam items. An issue after 9/11 was the inadequate communication among government agencies about the random information it receives. At the same time, the Administration promoted measures (like the Patriot Act) that compromise privacy and civil liberties while being slow at improving its own inter-department communication and on upgrading the skill level of its own information technology people.

Recently I got a bizarre email from France that appeared to suggest the ability to compromise oil production in Nigeria. There was a link in the email. I typed in the URL rather than clicking and found that the site was legitimate (and checked out as green with McAfee). Further, I found that an earlier National Geographic issue (that is, a clearly credible and neutral mainstream journalistic source) had backed up the “complaints” on the site. I wrote the email up on my international issues blog Aug. 15 (link). but I also sent it to NBC news with some explanation, figuring that a major news organization (that once employed me) could investigate and corroborate to determine credibility and notability for being on the air. So, some emails like this may actually be legitimate, may communicate real perils, and need serious attention from authorities (especially overseas) and major news organizations. On the other hand, disgruntled overseas parties may want to use "amateurs" as well as regular news organizations to broadcast their causes and grievances.

McAfee has a list of (news-related) “hoaxes” that may be useful, here. I didn’t see last week’s incident there, at least yet.