Thursday, November 27, 2008

Report says major spamming botnet has returned; home users should monitor with caution

A disturbing story in Computer World, Nov. 26, by Greg Keizer, says that the Srizbi botnet has resurrected itself after being knocked off line by the closing of McColo. A company called FireEye reportedly tried to monitor the efforts of the spamming “service” but was unable to stop it from connecting to new domains in a daisy-chain fashion, apparently largely in Estonia. The title of the story is “Massive botnet returns from the dead, starts spamming: Criminals regain control after security firm stops preemptively registering routing domains” and the link is here.

I had not really noticed that much drop off in the spam in my AOL mail box after the story Nov. 13 about the disabling of the spam “service” by other ISPs. Once in a while, I still notice some sender-id spoofing. But others say that worldwide spam was cut by two-thirds.

Tuesday, November 25, 2008

"Wired" tells story of Kaminsky's discovery about DNS vulnerability

The December 2008 issue of Wired has a chilling story by Joshua Davis, “Secret Geek A-Team Hacks Back, Defends World Wide Web,” link here. The print version has on its cover the byline caption “Fatal Error: The Hole in the Internet”, and the story starts with a page with an abstract art illustration on p 200, with the word “Collapse”.

Programmer Dan Kaminsky (his company is “IOActive”) discovered, on his own, a serious flaw in the “I trust you” concept of the original DNS (domain name service) mechanism as implemented in 1983. In some ways, the flaw may resemble similar flaws in email servers that allow forging of email headers and sender-ids, common with spam. The flaw, if discovered by hackers, could have led to catastrophic corruption of financial institution websites and misdirection of money.

Kaminsky performed some potentially dangerous experiments at home, and soliloquized, “I just broke the Internet.” Pretty soon, he had contacted security experts, and an emergency meeting was arranged at Microsoft headquarters in Redmond, WA. Security experts from Finland and the Netherlands took emergency twelve-hour plane rides, and Kaminsky and others were told not to discuss the issue even by cell phone. It’s curious how the community reacted: one programmer’s (or researcher’s) discovery could imperil the communications of the entire planet if the individual, who legally “owns” the intellectual property associated with the discovery, released it to the world on his own. (That’s the theme of the play [Howard Davies] and film “Copenhagen”.) Microsoft (as well as Nominum, Red Hat, Ubuntu, and Sun) designed an emergency patch which many companies implemented quietly on Tuesday, July 8, 2008. However, a permanent solution would require new levels of DNS authentication throughout the Internet, including, especially, cell phones and wireless.
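To make the “I trust you” weakness concrete, here is an added example (not code from the Wired article, from Kaminsky, or from any of the vendors named above) modelling the reply-acceptance checks a hardened recursive resolver applies before it caches a response. An older resolver accepted any reply whose 16-bit transaction ID matched; the July 2008 patch added a randomized source port as a second thing a forger must guess, and resolvers also discard records that fall outside the “bailiwick” (the zone) of the server that was actually asked. The record shapes, field names and the `PendingQuery`/`Reply` classes are this example’s own simplification, not a real DNS library’s API, and the sample replies are constructed.

```python
from dataclasses import dataclass, field

# Simplified model of what a resolver remembers about an outstanding query.
# (Hypothetical structure for this example; real resolvers keep more state.)
@dataclass
class PendingQuery:
    txid: int        # 16-bit transaction ID sent in the query
    src_port: int    # UDP source port the query was sent from
    qname: str       # question name, e.g. "www.example.com."
    qtype: str       # question type, e.g. "A"
    bailiwick: str   # zone the queried server is authoritative for


# Simplified model of an incoming reply; records are (name, type, data) tuples.
@dataclass
class Reply:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(name, zone):
    """True if `name` is the zone apex or lies beneath `zone`."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def accept_reply(pending, reply, port_randomized=True):
    """Decide whether a reply may be cached.

    Returns (accepted, cacheable_records, reason).  With port_randomized=False
    the check degrades to the pre-patch behaviour: a matching 16-bit txid alone
    is enough, so a forger needs at most 65,536 guesses.  With it on, the
    destination port must also match the randomized source port of the query.
    """
    if reply.txid != pending.txid:
        return False, [], "txid mismatch"
    if port_randomized and reply.dst_port != pending.src_port:
        return False, [], "port mismatch"
    if (reply.qname.lower(), reply.qtype) != (pending.qname.lower(), pending.qtype):
        return False, [], "question mismatch"
    # Bailiwick rule: never cache records a server has no authority to assert,
    # e.g. an "additional" record for some unrelated bank domain.
    records = reply.answers + reply.additional
    kept = [r for r in records if in_bailiwick(r[0], pending.bailiwick)]
    dropped = len(records) - len(kept)
    return True, kept, f"accepted, {dropped} out-of-bailiwick record(s) dropped"


def demo():
    """Run the checks on constructed sample traffic and return the outcomes."""
    q = PendingQuery(txid=0x1234, src_port=53211, qname="www.example.com.",
                     qtype="A", bailiwick="example.com.")
    # Constructed: a genuine-looking reply that also smuggles an unrelated record.
    genuine = Reply(txid=0x1234, dst_port=53211, qname="www.example.com.", qtype="A",
                    answers=[("www.example.com.", "A", "192.0.2.10")],
                    additional=[("www.bank.example.", "A", "198.51.100.7")])
    # Constructed: a reply with the wrong transaction ID.
    bad_txid = Reply(txid=0x1235, dst_port=53211, qname="www.example.com.", qtype="A",
                     answers=[("www.example.com.", "A", "198.51.100.7")])
    # Constructed: right txid, but aimed at the old fixed port 53.
    bad_port = Reply(txid=0x1234, dst_port=53, qname="www.example.com.", qtype="A",
                     answers=[("www.example.com.", "A", "198.51.100.7")])
    return {
        "genuine": accept_reply(q, genuine),
        "bad_txid": accept_reply(q, bad_txid),
        "bad_port_patched": accept_reply(q, bad_port),
        "bad_port_unpatched": accept_reply(q, bad_port, port_randomized=False),
    }


if __name__ == "__main__":
    for label, (ok, kept, reason) in demo().items():
        print(f"{label:20s} accepted={ok!s:5s} cached={kept} ({reason})")
```

The `bad_port_unpatched` case is the one the emergency patch closed: with a fixed source port the only secret is the transaction ID, so the reply is accepted; with port randomization the same reply is rejected. The bailiwick filter is what stops a single accepted reply from poisoning cache entries for names the answering server was never authoritative for.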

Russian physicist Evgeniy Polyakov demonstrated the problem at a hacker convention in August 2008, as discussed on my consumer ID security blog here.

Kaminsky, according to the article, is a bit of a polarizing figure, saying that darker problems lie ahead. Could he be referring to EMP?

Friday, November 21, 2008

Web of Trust extends service to popular email services

PRWeb Release Newswire announced that “Web of Trust” service is now offered for three popular email services: Google Gmail, Windows Live Hotmail and Yahoo! Mail. WOT checks embedded email links for various security issues including scams.

The link for the story is here.

WOT has been downloaded by 1.9 million users and has information on 20.8 million websites.

Today I saw an email (not caught by AOL security) with a Yahoo meetings logo that, when linked (it was a Yahoo link from India) led to a Nigerian scam offer. This one was bizarre, offering to deposit millions of dollars into a bank account almost immediately. It was one of the most elaborate Nigerian scam attempts I’ve seen, abusing the Yahoo! trademark to look legitimate.

Thursday, November 20, 2008

"Myspace case" goes to trial: would it be ex post facto law?

The trial of Lori Drew started in Los Angeles on Nov. 18, technically on a charge of conspiracy and three charges of unauthorized access to another party’s computer network, in conjunction with the tragedy in 2006 when Megan Meier took her own life after believing she had been rejected by a boy who, in fact, did not exist but was a hoax.

This case is said to be the nation’s first cyberbullying trial. But it is disturbing in that it seems to be a “creative” or ex post facto prosecution. The Computer Fraud and Abuse Act, USC 1030, was amended in 1996 and in 2001 by the USA Patriot Act but had been intended to prevent hacking, not social impersonation. The link is here.

The AP story by Greg Risling is here.

Update: November 26, 2008

Lori Drew was convicted of three misdemeanor counts of "accessing protected computers without authorization to obtain information to inflict emotional distress on" a minor (CNN). She could get one year in prison and a fine of $100,000 for each count. She was acquitted of the felony conspiracy charge. There are multiple media reports today on this story.

Saturday, November 15, 2008

Home computer and Internet users need protection of legal reforms

There does seem to be a need to pursue some legal reforms to protect home and perhaps small business computer and especially Internet users (perhaps even cell phone users, too) from “chilling” legal exposures. While recently I’ve written about media perils for bloggers, there seems to be a need to rethink possible risks for ordinary users even when just surfing or accessing material.

For one thing, there has been discussion of a need to clarify downstream liability concerns if a person’s machine is hijacked, along with security education, standards for anti-virus packages, and even an “Internet driver’s license”.

Consumers, as we know, face sudden civil liability exposure if they illegally download copyrighted materials, especially songs and movies. Most of the exposure in practice seems to come from P2P networks, particularly for users who set themselves up as “nodes.” However, parents have been sued (starting with phone calls, often) for activities of their kids or even visitors who used their computers. Another exposure would come from making illegal copies of software or movies. The theory, of course, is that the vendor is entitled to and needs the income from original sales. But I can remember back in the 1960s taping friends’ phonograph records, even though I bought hundreds of them. In the 1980s, before buying compact discs as they came out (and they were expensive then), I made cassette copies of some of my own records just to preserve them from wear. Was this illegal? In the early 1990s, there were controversies when companies sometimes made diskette copies of dialup software for on-call employees to take home, before the Software Publishers Association started auditing companies for violations. Moviegoers have, on a few occasions, been arrested and prosecuted for trying to camcord trailers of films in theaters.

If an Internet visitor views an illegally uploaded video from YouTube, is she guilty of infringement herself? The Internet visitor in this case is not always in a position to know if the video infringes or was posted without permission. It would sound as though that could be comparable to music downloads, but I’ve never heard of people being sued for surfing and saving copies for their own use. (They could be sued if they posted the copyright materials somewhere else). Nevertheless, it sounds like, by analogy to the P2P suits, there could be a theoretical exposure for consumers that the law should address. The issue could come up in the Viacom litigation.

The other exposure could come with “accidental” possession of child pornography (from machine infection, as discussed Nov. 11, even in the workplace) by mere searching and surfing. Someone may not know from the title of a domain that illegal content is present. One might encounter the problem while moderating comments for a blog or doing legitimate research. It appears that police sometimes track home users visiting materials being tracked by the National Center for Missing and Exploited Children. This makes sense for some overseas material that the US cannot shut down readily. But if illegal material is hosted domestically, it seems prudent that it be taken down immediately rather than left up to expose visitors possibly to accidental viewing and accidental “strict liability.” Police stings, such as those described by Wired Magazine in early 2003, have been set up (with Yahoo! groups and with some Usenet groups) but if the enticing material was illegal, why wasn’t it just shut down immediately? It is legal for police to impersonate minors in order to attract and prosecute criminal behavior, and this happens in every state and in most western countries including Britain and Canada. But that doesn’t mean posting illegal content and therefore having law enforcement or a cooperating company “possess” it first under technically illegal circumstances. There need to be definite legal limits on what kinds of “entrapment” are acceptable.

Home users rightfully expect to be able to depend on common sense, and in general will not have the legal expertise to know reliably if they could get into trouble. Home users also believe that if they visit sites or services hosted by reputable companies they will be all right. Of course, these companies cannot be required to prescreen what is published (that’s the Section 230 and DMCA safe harbor issue) and depend on user feedback to notify them of infringing or illegal materials. (They are required to act on copyright claims and on child pornography, in varying circumstances.) Users (not legally sophisticated) might believe that they are protecting themselves by flagging or reporting content that is remotely questionable, burdening ISPs or publishing services and employees who themselves lack legal training.

All in all, this sounds like an area that needs major legal reforms.

Thursday, November 13, 2008

Company involved in spam distribution is taken off Internet

Today, Nov. 13, the Washington Post reports on p D1 (Business) that a company allegedly involved in much of the spam sent in the United States every day has been disconnected from the Internet.

Technology and security topics writer Brian Krebs has a story in the print and online versions, “Web Host of Groups that Traffic Spam Kicked Offline”. But more interesting is Krebs’s own blog entry “Spam Volumes Drop by Two-Thirds After Firm Goes Offline,” with all kinds of colorful charts and graphs (enough to please Jake Gyllenhaal’s “pie chart” character in “Rendition”), link here. Krebs’s blog entry gives a link to another detailed story explaining how a spam provider can get cut off. The company is McColo, in San Jose, CA, and the two ISPs that took action are Global Crossing and Hurricane Electric. An Atlanta security consultant, SecureWorks, commented that McColo could have been involved in as much as 75% of all spam in the U.S. It’s important that the cutoff occurred as a result of actions within the private sector, not the government or FBI.

The story notes that companies are held responsible for acting on legal infractions of customers in limited circumstances, such as with the DMCA takedown provision, or specifically if they learn credible evidence of child pornography on their servers.

I checked my own AOL spam folder and haven’t noticed a significant drop since Tuesday yet.

Tuesday, November 11, 2008

In the workplace, Internet security problems can lead to false criminal charges

Previously I’ve mentioned the possible legal risks of home computers that are not properly protected (in conjunction with such proposals as an “Internet driver’s license”) but even work computers can be compromised and present a risk to employees. In fact, it is the workplace cases that get media attention now, and they may be becoming more common.

In Connecticut, a substitute teacher (Julie Amero) was arrested and convicted after a school computer went haywire and showed pornography in front of middle school students. The fact pattern in the case is quite disturbing. Apparently she was told not to touch the computer. Then, when the defense wanted to present evidence that the school’s network was poorly secured and that the computer could have been infected, the evidence was not allowed in court. It seems that the trial court at first simply did not understand how this kind of risk can come about. There are plenty of blogs about this case. One of them is by Andy Carvin on PBS, July 11, 2008, “No Resolution Yet for Julie Amero,” link here. The Carvin blog entry refers to some detailed op-eds in the local Hartford paper, the Courant. There is also a suggestion that the prosecution has dragged its feet on dropping the charges out of embarrassment.

There is no question about this: to be fair, law enforcement agencies and courts need to be brought up to speed just on how internet security issues play out and can endanger people, even in the workplace, and at home. They simply haven’t gotten the message in many jurisdictions around the country.

Another good blog entry is by Lindsay Beyerstein on the Huffington Post, Jan. 23, 2007, link here.

The Council for Secular Humanism has a thoughtful discussion of her case (as well as the excessive “enemy jurisprudence” sentence in Arizona for teacher Morton Berger in a c.p. case) here, by Wendy Kaminer.

Julie Amero has a Defense Fund entry on Blogger, here.

PC World has a good article, on June 16, 2008, about a Massachusetts worker who was accused of c.p. possession when it was later found that his state-issued laptop was poorly secured, link here, by Robert McMillan from IDG news, here.

The site Techdirt has a brief comparison of the Massachusetts case with the substitute teacher case in Connecticut, dated June 18 2008, here.

In the home computing environment, besides the case reported here Feb. 3, 2007 in Arizona, there was a case in Torquay, England in 2001, written up in The New York Times by John Schwartz on Aug. 11, 2003, “Acquitted Man says virus put porn on his computer”, here. The concerns are that defense attorneys could abuse this theory, as well as the fact that innocent people will be wrongfully prosecuted and have to spend huge sums defending themselves. Again, law enforcement (around the world, not just in the U.S.) needs to rein in this problem. In the U.S., the "strict liability offense" concept (that theoretically holds the computer owner absolutely responsible for what others do to it, even if this theory is rarely followed) is also a problem, and probably could not survive a constitutional test.

Saturday, November 01, 2008

Switched and AOL update "sneaky" virus list; warning on 2 Facebook-related items

Switched and AOL have updated their recommendations with a new list of the “14 sneakiest viruses”, by Dan Reilly, link here. I last covered his column on Oct. 10, but many of the viruses in this list are important news. One is a fake email involving Barack Obama, but the most interesting may be the W32.Koobface worm, which can hijack your Facebook account and conceivably cause Facebook to discontinue your account. There is another Facebook Trojan, Troj/Dloadr-BPL. There is also a Macintosh OS X virus called OSX/Hovdy-A. Zlob can corrupt your Wi-Fi router, possibly endangering neighbors who don’t use secure Wi-Fi connections properly. Mebroot hides in the master boot record and is involved with bogus financial sites. The clipboard attack involves Firefox or Mozilla.

But perhaps one of the most important is the recently discovered Microsoft security flaw which was discussed here Oct. 23. McAfee's Threat Center discusses this Microsoft problem (with a "Breaking Advisory") and lists a number of threats and unwanted programs here. The McAfee virus search page (to check the threats listed on Reilly's list to see which DAT files cover them) is here.

I have noticed that Mozilla has the irritating habit of caching the last website you closed, and then hanging and not completely closing until you click again. In rare cases, Mozilla seems to run away with computer CPU usage and require that the system be restarted. This seems to need another fix.