Tuesday, July 23, 2013

Ransomware trojan exploits child pornography risk to users; can ordinary retail repairs be legally risky to users?

On Nov. 11, 2009 I had discussed here the grim possibility that hackers could plant child pornography on an unsuspecting user’s computer.  The Associated Press was conducting a study on the issue in 2009, but not a lot of news came from it.

On July 20, I posted on the “protecting minors” blog (see the left side of my “doaskdotell.com” site) a story about some states requiring computer repair technicians to report c.p. that they encounter to authorities.  This would possibly put technicians in a position of making legal judgments on content that they are not prepared to make.  As with general concerns about surveillance, a police investigation could involve searching all of a user’s or business’s computers, or might migrate into other areas of possibly illegal content (like copyright), so there could be a broad issue here.

This problem should not be confused with a new “ransomware” Trojan that tells the user that his or her computer has c.p. on it and will not be unlocked until the user pays a “ransom”.  The only way to get the computer back up is to remove the virus (typical source, from Anvisoft, here).  If the user does not know how, she must take the computer to a technician.  But understand the difference.  The computer does not have illegal content on it; it is only the ransomware that is illegal.  A technician will not have to report the user to police for this problem.
Some time in the last couple of years, Geek Squad (as part of Best Buy) has been including a provision that the consumer signs when turning in any hardware to be repaired, words to the effect that the consumer is “on notice that a product containing child pornography will be turned over to the authorities”.   Hopefully authorities could clear a problem that is not illegal very quickly, but otherwise the hardware owner could probably expect a knock on the door at home or work from the police.  (That’s probably more likely than the theatrical scenario of an arrest when picking up the item.) 
But what is objectionable seems to be the obvious “Catch 22”; a computer user with an infected computer but not having seen any illegal content pop up cannot know for sure that it is not there.  In most states (as with federal law)  to break the law the user must “knowingly” acquire and view the illegal content, but in practice the defense could be very difficult and expensive, and the user’s arrest might be reported widely in the media, destroying his reputation even if he is later cleared by a virus infection. (In the more distant past, some states, like Arizona, seemed to act as if owner responsibility was one of absolute liability.) 
How commonly does this issue occur?  There has not been a lot written about it since 2009.  But, regarding technician reporting, there is a story from Houston (link) and another from Hartford (link), both in 2012.  It's not clear what would have led technicians to even see the illegal images; normal scanning with tools wouldn't show them, and they are not supposed to go looking for them deiberately. 
Apparently, a user who has P2P file-sharing may be at greater “risk” than one who does not (such as the issue with a case in Wyoming in 2007, discussed on the Nov. 2009 posting).  But even without it, a deliberate infection by a hacker could be possible the same way making a machine a zombie for a DNS attack is possible.  But usually there is very little motive to do so – ironically, that point can make defense more difficult.
One possible route to illegal possession would be visiting supposed "adult sites", where the user believes that all images are of individuals 18 or older (the federal standard, regardless of age of consent), but some in fact are not, and become cached.  Users normally depend on federal laws which require "adult video" film producers to verify the age of actors to protect them legally. It might not always work. 
It’s also possible for people to be ensnared if their machines are distributing illegal material without their knowledge (often through P2P), as the National Center in Alexandria works with the FBI to monitor such traffic.  It's possible that more automated tools, to detect illegal images by watermarks during distribution or even in "the cloud" (as from automated disk backups like Carbonite) will become possible and even common in the future. 
Society (the law enforcement and prosecutorial community, and the media as whole) is very intolerant of this problem because minors can be the ultimate victims.  Unfortunately, innocent people can be ruined by the crossfire, although this seems to be rather rare.  It seems as though there needs to be more attention to consumer responsibilities, as to what they should be expected to do to keep their computers and noses clean.  Formal training and adult education come into play, as would the idea of certification or “Internet driver’s license”. A few states, like Florida, have become more diligent in spelling out user responsibilities. Fr example, users who inadvertently find c.p. on the web are expected to call police immediately to clear themselves (link). 

Friday, July 19, 2013

Again, Asquared finds spyware, apparently causing W7 to freeze, missed by all other antivirus vendors

While away on a road trip recently (yup, relinquishing the right to walk-off wins), I left my Dell XPS computer (originally Windows Vista, converted to Windows 7 at the beginning of 2011) with the Geek Squad to look at a freeze-up problem that could occur once per boot cycle.  On certain sites, mostly those with heavy advertising, the PC would freeze, and unlock itself when the track pad was tapped repeatedly, where it would finally beep repeatedly and unlock, usually executing one app (often Windows Media Player) repeatedly and opening many windows that needed to be closed.

The Geek Squad tested the computer with almost all major vendors (Webroot, Kaspersky, McAfee, Norton, and Trend Micro) and found no viruses.  But, as repeated in June 15 of 2012, Asquared (Emisoft) found traces of spyware that could hang a processor.  The infection was difficult to remove and took several cycles of work.  The Geek Squad report did not identify the viruses other than as adware. 
Geek Squad removed the desk top gadgets (apparently -- they didn't come up).

I had established alternate user id's, which I now see are there after all (I first thought they had been removed.)  I had found that sometimes at startup the system could hang on bringing up “owner” if there was not a least one other user.  This seems related to spyware, according to Geek Squad. 
Before the beginning of 2012, I had an older form of Webroot Spysweeper whose scans would quarantine “spy cookies” (it always had considered “Doubleclick” a spy cookie), and perhaps about ten viruses, every one of which was related to adware when looked up on the Sophos virus dictionary. 

Update: 11:30 Friday evening, the same "freeze" happened once going to a CNN story (with lots of ads on the page).  It unlocked pretty quickly this time. See my "Information Technology Job Market" post today for details.

Thursday, July 18, 2013

Microsoft tools: Malicious software removal and Windows Defender: Even in Windows 8, are they redundant if you have third party security packages?

While I wait for a Dell XPS machine to come back from Geek Squad (and the repair is taking longer than lexpected -- a sign of a virus infection after all, I suspect), I thought I would note the Windows Malicious Software Removal Tool, which updates in Windows Update once a month, and can only remove "already present" infections, apparently.

CNET has a writeup for Microsoft here. Michael Horowitz has a blog entry for Computer World on "What you don't know about ..." the product here. It seems a bit redundant if you have a fully working third party program.

And then, there is something else, Windows Defender, an antispyware tool whose update seems to happen automatically almost daily and seems to take a while to install when noticeably packaged with other updates so that its install is watched.  In Windows 8, it is upgraded to an antivirus program.

Apparently the enhanced Windows Defender for Windows 8 caused some "conflict of interest" with third party vendors however, making its use (or decision not to use), trickier, as explained in PC World y Brad Chacos here.

Indiana University has an explanation here.

In Windows 7 environments, I usually get pestered to run Windows Defender, which seems redundant. 

Tuesday, July 09, 2013

"The best security software brand" seems to change every year

The folks at Best Buy and Geek Squad say that the antivirus and Internet security vendor of choice changes every year.  Right now, cloud-based security is becoming easier to use (you don’t have to wait for huge data signature replacement downloads, which with some versions of Kaspersky has been annoying).  So I have Webroot Secure Anywhere on two machines. 

It still appears you can only have one main vendor on one machine at a time.
McAfee has gotten bad-mouthed under the table in recent years, but here’s an account by Pat Calhoun of Stonesoft, on the McAfee firewall, (Website url) link  

McAfee himself has become an eccentric figure in recent years, but in the mid 1990's personal goal was to eliminate all computer viruses.  
How much do third party firewalls add that Windows Firewall (in Windows 7 and 8, at least) doesn’t?  That’s never been clear. 

The Webroot Secure Anywhere Firewall always reports a large number of connections (over 100), just for a home user!  

Picture: The Nikon digital camera (Ashton's Cool Pix) can create a "David Lynch" effect.  Warm milk, anyone? 

Wednesday, July 03, 2013

Texas teen jailed after Facebook "threat" is taken literally and out of context

The possibility of facing arrest and prosecution because a sarcastic comment made online, in social media or maybe even a conventional blog or website, needs to be taken seriously.

Justin Carter, 19 was arrested in February in 2013 Comal County near San Antonio, Texas. He has been held in jail, pending $500000 bond, awaiting trial.

In December, in an argument over a video game (“League of Legends”) with an online acquaintance, he had written, on Facebook,  a statement that taken very literally, might sound like a threat to carry out a school shooting.  From the context, however, most people would probably understand it as sarcastic, if perhaps offensive now. It’s common to refer to this sort of exchange as “trash talk”. The family was reported as living near an elementary school -- but in a metropolitan or suburban area, who doesn't?
A woman in Canada noticed the posting, took it literally, and called police. Apparently the posting had been allowed to be public (not restricted to friends or whitelisted). 
CNN has a detailed and disturbing story and video by Doug Gross about the case here. CNN also offers several blog postings including comments by the father. CNN covered the story July 3 on the CNN “New Day” show.

NPR has a similar story, which reports a grand jury indictment, here, in its "Tech Matters" column. NPR reports that the teen's dad says the teen has been beaten up in jail.  It is noteworthy that this seems to be a state prosecution, and federal prosecutors did not seem to be involved. 

NPR reports a petition for Carter’s release.
The offense, under Texas law, could carry eight years in prison.
Prosecutors and law enforcement reportedly feel caught in a bind, with possible “political consequences” for letting him go, so soon after the notoriety of the Newtown, CT incident December 14.

Would the lack of an arsenal of weapons (which hopefully is the case) make law enforcement more comfortable?

The Facebook conversation might well have occurred before the Sandy Hook incident.

The whole case could be viewed in the context of the NSA leaks.  Metadata would allow the NSA to know of someone (like a Holmes in Colorado) had suddenly started accumulating an arsenal.  Maybe this can be shared with law enforcement, but that sounds murky.   

It is very easy for Internet content, posted in a free-entry and “it’s free” environment, to be interpreted out of context, especially by law enforcement or school officials who believe they are under political pressure from the public over scares about public safety or child welfare.  I had talked about that on the main “BillBoushka” blog, July 27. 2007, about an incident that happened when I was substitute teaching in 2005. Things calmed down when officials bothered to look at related postings establishing a context.  Police seem to be treating this Facebook case the way the TSA would treat “jokes” in the security line at the airport. It's interesting, though, that local or state authorities seem more sensitive than federal on this one.    

Update: July 7

The legal guys (Fisher and Herrmann) covered this problem on Saturday on CNN.  Both thought this was overzealous prosecution based on public emotion.  There reports that the Facebook posting contained lines like "JK" and "LOL".

What if someone makes a threat in a comment on a blog (or forum)?  Would Section 230 protect the host?  Would it matter if comments were monitored?.  Sounds like an important line of questions.

Update: Dec. 5

Here is a case in Maryland where discussing an attack against judges on Facebook contributed to a conviction and prison sentence, WJLA story here.  

Tuesday, July 02, 2013

Webroot reports on odd TOR-based rootkit offering hackers "licenses"

Danco Danchev has a Webroot Threat Blog entry on “TOR-based” and “commodolized” malicious software which (in rootkit form) can be licensed!  It seems to focus on “form grabbing” from SPDY.   The link for the story is here.  Webroot tweeted the story today.  

It’s interesting that TOR is involved with this one, since TOR is often used in countries with authoritarian governments by activists, and some people in the IS recommend using it to avoid NSA monitoring. I don’t worry about that, but I can understand that some people do.

The report mentions the idea that hackers who lose the code can lose their “licenses”, an odd concept.  It also doesn’t work (yet) in Windows 8.
I’m not sure what malware based on it would do, other than, it seems, grab information from common “e-forms” common on websites that invite people to set up new accounts.  It’s pretty obvious it could grab credit card information and try to generate bogus charges before the owner notices.

That brings up another question.  Is it a good idea to use the same credit card form most online activity?  (And that’s credit card, not debit, which is definitely asking for it).  Probably, and it’s a good idea if it comes from the bank where you do most of your checking, so you can conveniently monitor it for invalid charges every day or two.

Once a credit card is compromised and closed out by the bank when reported, many companies or public utility or transportation systems can automatically invalidate items purchased on it, such as rail or transportation passes. 

Here’s something odd I’ve notice about Webroot Secure Anywhere: the daily scan runs much faster than it does in Windows 7.  Why?