Monday, June 18, 2007

BBC story on FBI "recall" of infected home computers


BBC News (from the British Broadcasting Company) reports that the FBI is planning to contact up to one million home or small business personal computer owners whose computers have been hijacked and turned into “zombies” for sending spam, or possibly for participating in denial of service attacks against visible controversial targets, or as conduits for steganography. The exercise is called “Operation Bot Roast.”

One high profile spammer, Robert Alan Soloway, has been arrested during this investigation and could face 65 years in prison.

Among the labs that can scan the Internet to look for infected “botnet” machines are F Secure, Trend Micro, and Kaspersky Labs.

McAfee has recently offered its subscribers a Site Advisor service, where it scans sites for known problems that could compromise a home computer’s security or lead to unwanted emails.

Some problems that sites have, however, come from legitimate software bugs and not malware. For example, for a while Microsoft Word (the 2002 version) would sometimes insert or propagate extraneous and erroneous links into webpages that it converted to HTML, because of a bug in the way its XSL translator applied the span keyword. The resulting page would appear to misdirect users when clicking on links (that could appear hidden under text not intended to be linked), which is normally a sign of a malware website. Microsoft now only supports later versions of Word.

An infected machine, when traced, will show that an inappropriate message really was sent from the IP address associated with the machine, which is not the case when the sender-id in an email is spoofed.

As far as I know, so far owners of infected machines have not been prosecuted for violations of law that occur when their infections result from hackers, malware, visiting infected sites, or viruses. But it would seem logical that the possibility would exist, or that in the future prosecutors might want to treat certain things as strict liability offenses.

Parents have been prosecuted for illegal activity of their kids, and when a family computer can be used by unknown visitors to a house, there is a risk of additional security problems and conceivably erroneous arrests and prosecutions, since IP addresses can be traced. Similar concerns occur in the workplace. See the previous story on the apparently wrongful conviction of a substitute teacher.

The BBC story is here.
AOL featured the story today on its home page as a warning to home users that a knock on the door could come from the fibbies.

Thursday, June 07, 2007

Malware leads to conviction of substitute teacher

USA Today on June 7, 2007 reported that middle school teacher Julie Amero will get a new trial in Norwich, CT in a case where she had been convicted in January 2007 of endangering the welfare of students when, in October 2004, the computer in her classroom served up pornographic popups after several kids surfed to a site about hair styles. Journalists have discovered that the school system did not have effective firewalls or popup controls on its computers and was not blocking inappropriate sites. Apparently the site in question was associated with spam and (from a school system point of view) socially objectionable products. "Security Fix: Brian Krebs on Computer Security" has a major blog analysis in The Washington Post, “Substitute Teacher Faces Jail Time over Spyware,” Jan. 25, 2007, here.

It is amazing to me that a teacher (regular or substitute) would be held responsible for web content delivered by malware because of a lack of proper system security, which is relatively easy to install now (such as McAfee Site Advisor, discussed here). Furthermore, she was a substitute. I’m not sure of the situation in Connecticut, but in many states substitutes do not have to be licensed, and often take one-day short-term assignments where they do not know the classroom well. This case points out a flaw in the way substitutes are hired and managed. The classroom management skills expected of substitutes have been a matter of controversy in many states. According to the story, other teachers did not come to the aid of the substitute. Short-term substitutes may not be perceived by kids as morally legitimate authority figures, and kids may not obey (for example, by discontinuing inappropriate surfing) when told. In practice, it is often very difficult to prevent kids from surfing to inappropriate sites, and school districts are well advised to block sites with strict filters (Fairfax County, VA, for instance, blocks MySpace, and many other sites considered to have content objectionable for a public school environment).

Even if acquitted on retrial (which sounds likely given more modern awareness of spyware and popups), the substitute may have enormous personal financial losses from this work experience. This is not good for substitute programs.