Sunday, September 27, 2009

Fake Facebook profile draws defamation lawsuit

It seems that people can have Internet safety problems without even going online. In Chicago, a woman is suing four other minors for creating a fake Facebook profile of her son, with defamatory material, as well as invasion of privacy. The case bears some resemblance to the notorious Myspace case in 2006 in Missouri. The story is in “Chicago Breaking News”, here.

A photo copy of the actual complaint is here at "Chicago Bar-Tender".

This case will surely draw more attention from the major media outlets.

Monday, September 21, 2009

What happens if a computer virus is responsible for user's possession of illegal content?

I’ve written before about prosecutions of people accused of possessing digital (or camera-associated) images thought to be “child pornography”. On Feb. 3, 2007 I discussed here such a case in Arizona with a teenager (and later Internet stories did give some credence to law enforcement claims that the suspect knew what he was doing). There was a similar case in Britain in 2003, and there have been a couple high-profiles cases in the workplace, one in Massachusetts, and another with a substitute teacher (not very computer literate) in Connecticut in 2004. The media has reported a few other such incidents, such as in Canada, as I recall.

I checked the Federal statute, USC 2252, on the Cornell Law School database of US Code, and find the adverb “knowingly” used throughout. Furthermore the law offers an affirmative defense when fewer than three illegal images are possessed if the owner destroys them immediately. It sounds as if it is the computer user’s legal duty to destroy any such images if he or she finds them (as if a parent finds they were put there by a kid or guest in the home, or if any computer user, at home or at work, believes they could have been placed there by a virus or worm). The link for the text of the law is here.

Virginia’s state law is similar, if less specific, here. The "knowingly" adverb appears, and that seems reassuring.

The law doesn’t seem to be specific as to the home user’s need for due diligence in using firewalls and anti-virus products, or as to any liability when they don’t protect a user from an incident like this.

Yet, in the past, various articles have been written about possession (as in the Arizona case) as a "strict liability offense", maybe in some states. If that's true, a user would be responsible even if a virus was the cause and even if the user had installed anti-virus software, unless affirmative defenses were offered,

This problem has a “bricks and mortar” instantiation. In numerous cases, families have been accused of making and possessing c.p. when overzealous and untrained employees in photo processing labs call police about innocent “family pictures.” Another major example recenlty has been with cell phone "sexting" by minors, who are in a sense logistically "guilty" even if they don't understand the legal implications of what they are doing.

The ABC link for the story of a family whose children were taken away for a month after Wal-Mart employees called police on family photos is here, by Dan Przygoda, "Couple Sues Wal-Mart for Calling Cops Over Bath Time Photos: Children Were Taken Into Protective Custody Over Pictures Taken at Bath Time," here.

Sunday, September 20, 2009

Odds and Ends: Webroot and Vista backups: lightning strikes twice today

My new Dell XPS laptop with Vista ran into a couple more little security-related items today.

This morning, Webroot Spysweeper told me I had never run backup when I had a few days ago. I tried to log in to the backup center and got server errors. But it also warned me about a missed scheduled backup, since I turn the laptop off after bedtime. Once I ran the sweep manually (it takes 30 minutes and usually finds some spy cookies) it showed the backup account again.

(Note: later experience shows that Webroot shows "backup never un" until you sign on, after restarting a system.)

Later Microsoft tried to run the automatic backup, which failed on not enough disk space on the D drive. Why does Dell make this drive so small? The only item left for deletion from D is the Recycle bin. What sense does this make?

(Note: Best Buy/Geek Squad tells me that the problem is with Vista; the manufacturer fixes the Recovery Disk size, and Vista should accomodate it. They say ignore the warnings and use an external backup like Mozy or Webroot for your data.)

Tuesday, September 15, 2009

Internet Explorer is much stricter about data excecution prevention

A recent change in Internet Explorer often closes IE for “data exexecution prevention” on many websites. The IE message says that it encountered malicious code, but I’m sure that in most cases it wasn’t, and I suspect there will be a fix pretty soon. One problem occurs when trying to open another window in Blogger to load Picasa album pictures. Picasa always works when tried a second or third time (if the user manually saves the post first).

The Microsoft help page for DEP is here.

Perhaps the code in IE is trying to look for problems similar to that encountered by the New York Times recently.

Monday, September 14, 2009

New York Times ("Gray Lady") website hit by mal-advertising

Media outlets report that the New York Times was hit by “maladvertising” this past weekend by hackers who apparently got into the “banner feed”, resulting in the display of fake anti-virus software ads, which were common about a year or so ago in other places. Personal finance has a story by Aimee Picchi, here. The “Gray Lady” does not want this sort of thing associated with its brand.

Peter Kafka has a story “Home Delivery: The New York Times serves up some malware,” here. The Times has a curt “Note to Readers” dated Sept. 13 here.

I believe that I got one ad that did not want to go away until I closed the browser (but I think this happened once with the Washington Post, too). But I don’t think it was the “sex in the city” mentioned in the story (and it’s interesting that the ad also appeared on Mac OS machines). Webroot Spysweeper nearly always finds some sky cookies when it runs a full sweep. It sounds very unlikely that these ads have harmed anyone’s computer unless they actually tried to purchase something from the bogus ads.

Tuesday, September 08, 2009

Arlington and VA govt give out general home computer security tips

Arlington County VA, apparently in a partnership effort with Virginia state government, sent out a "Citizen's Information Security Advisory" to all home computer users on its homeland security email list today, advising consumers how to install automated security updates on all of these platforms:

(1) Microsoft XP and Vista (and other Windows) systems, the most common

(2) Apple MacIntosh, and homeland security views the Mac as vulnerable (as in the previous posting)

(3) Apple iPhone (apparently no updates for Blackberry?)

(4) Adobe Reader and Flash software, which might apply to both platforms above

(5) Firefox, even though Firefox is typically thought to be safer than Internet Explorer; Microsoft bundles IE updates with its regular automated security updates.

As noted on my IT blog, Microsoft recently had to back out and reissue an update to Vista (KB 973879); the reissued update seems to work properly (and not cause blue screens when devices are disconnected).

The link supplied by Arlington County is here.

How vulnerable are Mac users compared to PC users? Some blunt words.

Do Mac users really need to be diligent and install and maintain antivirus software? Mary Landesman, of, says, bluntly, well, do you connect to the Internet? Her article and FAQ page is here.

Many of the vulnerabilities are more subtle than just compromise of your machine; they have to do with “social engineering” in one form or another, including phishing.

She provides some particular discussion of man-in-the-middle attacks, the “carrier” problem (as in the real world of infectious diseases) where a less-affected user can pass along infection to others. Her link for MITM and redirection attacks is here

One of the most dangerous potential threats here would be “domain name spoofing”, which created a huge alarm among security experts, including international meetings and sudden patches by Microsoft (and maybe Apple) in the middle of 2008. These could, just by their very logic, affect Mac users as much as PC users.

Monday, September 07, 2009

Media raises concerns about ordinary user password security

The Washington Post has an alarming, “un-gentle” story (front page, Labor Day, Monday Sept. 7) by Tom Jackman here, and Evan Haning has a similarly probing story on WTOP here about Internet password security. The visitor can search for the entities discussed in the stories and draw his or her own conclusions. I won’t make any accusations here.

Yes, people who have jealous ex “lovers” can become marks on the Web, and this sounds like a new dimension of danger, but it’s probably not new. Attorney John W. Dozier covered some of this material on his recent book on reputation that I reviewed on the books blog Aug. 27. I could say, leave some of this to a screenwriter’s imagination (especially for a Sony “Screen Gems” kind of movie), but it would be possible to set someone up and frame them on the Web just as in real life in 50s Hitchcock movies.

The basic rules of password security have remained the same. As far back as 2000, companies were checking employee’s passwords for “strength” (and were warning employees that they were responsible for misuse of their logons); and most sites today enforce strong pw’s and require more novel security questions with more unique answers. Change your pw’s frequently, especially if your computer is shared by others or if you have to travel a lot. If you are in a position to check your financial accounts frequently online, do so (accounts that are frequently visited are much less often compromised; if you cannot visit them frequently, pw security is even more critical). Most of all, be wary of the old phishing tricks. Reputable companies do not invite you to submit personal information by email (except when going to “reputable” third party sites for credit card payment). Be wary of “bad sites” (refer to a site advisory service like McAfee Site Advisor or Web of Trust). Use common sense. I guess one could say, don’t make enemies, or be aware if you think you have. Another tipoff for possible problems: if you repeatedly get calls (not just spammy emails, but actual calls) for “job offers” that sound inappropriate for your background, or that seem motivated by some kind of agenda. Also, practice wireless safety; it’s safer to pay and subscribe to a more secure national service (Verizon) than use free motel or restaurant wireless.

As for computer security, I don’t know if the jury is in that the Mac is necessarily “safer” than a properly protected modern Vista or Windows 7 (soon) PC. But it seems, in my experience, that Spysweeper provides more warnings than does McAfee about possible hazards. It’s a good idea to scan for spyware and sky cookies as well as conventional viruses.

MSN has some password tips (by Michael Scalisi from PC World) here.

Sunday, September 06, 2009

Senate makes Cybersecurity Act even more vague and more "dangerous", inviting eventual presidential shutdown

The "conservative" Washington DC Examiner has an important editorial Sept 1“Don’t let a president turn off the Internet”, link here. It refers to Jay Rockefeller’s Cybersecurity Act of 2009, S 773, Govtrack reference here. Electronic Frontier Foundation currently (Sept. 6) features the link on its strike page. However Rockefeller has reportedly revised the language to make it even more vague.

The editorial says that Obama wants to be the digital age’s “Harry Truman” and goes on to describe Truman’s seizure of steel mills in 1952, because of the Korean War. A national cybersecurity emergency, perhaps like the recent DOS attack on some government agencies (somewhat a matter of incompetence), could easily result in shutting down the “people’s” voices like social networking sites and blogging platforms. The concerns articulated by attorney John Dozier, in the book I reviewed Aug. 27, might eventually be perceived as serious enough to trigger presidential intervention.

Tuesday, September 01, 2009

Koobface goes after social networking site users

Andrew Brandt has written a major account of how he “tested” Koobface malware on Twitter, Myspace, and Facebook, and gives some details as to how each service tries to deal with malware. With Myspace he had some particular annoyance in having to repeatedly change passwords.

The account in the Webroot-sypsweeper blog is here. The blog entry points out that Koobface propogates itself by sending apparently malicious links.

Brian Krebs of the Washington Post has a (“Security Fix”) blog entry “Getting Friended by Koobface” here. The worm has allegedly created fake domains based on names of people, a potential “online reputation” problem touched on by John W. Dozier in the book that I just reviewed last week on my book reviews blog.

There had occurred a much more sinister domain name fraud potential problem documented on another of my blogs (the "id theft" blog) in Aug 2008, the great "Internet Scare", entry here.

I noticed that I could not log on to my Myspace account, which I use very little; but the blog is still there (one entry).

I note today that I to suspend temporarily automatic Vista updates because of the faulty KB973879 update, explained here on another blog.