
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Thu, 12 Jun 2008 00:00:00 00, 694
Global Phishing statistics: multiple looks

The APWG has published its Global Phishing Survey: Domain Name Use and Trends in 2007. This report examines many phishing trends. The most interesting may well be the distribution of domains used by phishers according to generic and country code top level domain and the most worrisome may be the increased use of subdomain providers for phishing.

One reason why the APWG phishing survey is interesting is that it arrives at very different conclusions from McAfee's second annual "Map the Malweb" study. McAfee's study lists (in order) Hong Kong, the People's Republic of China, the Philippines, Romania and Russia as the "most dangerous domains to surf and search on the web" and (in order) Finland, Japan, Norway, Slovenia, and Colombia as the safest.

Sidebar: I have a hard time wrapping my head around any phrase that includes "Colombia" and "safest" in the context of criminal activities, don't you? My immediate reaction was to Google "Colombia safest". Not surprisingly, I learned that Colombia's murder rate in 2003-2004 was nine times that of the U.S. and that Colombia is the ransom kidnapping capital of the world. Factor in drug trafficking and it's pretty clear few miscreants in that country have the time or patience to do e-crimes.

APWG's study uses an interesting metric - Phishing Domains per 10,000 - to assess whether one TLD has a higher or lower incidence of phishing relative to other TLDs. Applying this metric, APWG's top five are Hong Kong, Thailand, Liechtenstein, Romania and Chile. Among the safest TLDs you'll find European Union, United Kingdom, Germany, Argentina and Sweden.

The most curious result? McAfee ranks .INFO as the riskiest generic TLD, whereas APWG's metric ranks it as the safest.

Different metrics, data and measurement periods appear to contribute to the disparities in results. However, APWG casts a narrower net, including only domains that were proven to be associated with a phishing incident. McAfee's study counts web sites that contained adware, spyware, viruses, spam, excessive pop-ups, browser exploits or links to other risky sites among its "dangerous domains". Neither offers a glowing report, but no one I know would believe one if it were published :-O

Archived at http://www.securityskeptic.com/arc20080601.htm#BlogID694 by Dave Piscitello  


Fri, 21 Mar 2008 00:00:00 00, 679
The Privacy Toolbox

The Privacy Toolbox offers a list of 100 resources and guides to help users protect consumer and business identities and sensitive information. Toolbox is something of a misnomer. This is really a resources page - a good one, mind you - with links to guides that discuss all matters related to privacy, including how to protect your US Social Security number, how to freeze your credit rating should you suspect your identity has been stolen, how to remain anonymous when surfing, and how to complete obligatory web forms without disclosing your personal information (see 5 Disposable Web Accounts to Keep Your Identity Safe, brilliant!). Toolbox lists privacy related blogs, applications that cater to anonymity, confidentiality, and the protection of sensitive, personal information and sites where you can opt out of unsolicited credit card offers (visit OptOutPrescreen.com). Find the Privacy Toolbox here.

Archived at http://www.securityskeptic.com/arc20080301.htm#BlogID679 by Dave Piscitello  


Fri, 11 Jan 2008 00:00:00 00, 666
A simple test to detect a phishing or scam site

Suppose you attempt to purchase a product with a credit card on a site you've never visited before. You find the product you want, add it to your cart, and proceed to checkout.

You connect with HTTPS:// for that warm and comfy feeling everyone gets when they begin a *secure transaction* ;-) But - oh my! - your browser warns you that some aspect of the certificate is suspicious; for example, the name of the server does not match the name in the server's certificate. This sometimes occurs when a company issues certificates from its own certificate authority, and that authority is not included in your browser's built-in trusted authority store. A similar warning may pop up if an e-merchant's certificate lifetime has expired. At this point, you can conclude that the merchant's web administration is possibly lax, but the merchant may still be reputable.

You are now faced with several choices. Abandon the purchase or restore your shaken confidence in this merchant by inspecting the certificate. If you choose the latter, and before you click on the popup that says, "yes, accept this certificate, get out of my face", you might want to try this.

Complete the checkout form, but fill in some of the personal and credit card fields with incorrect data; in particular, provide an incorrect credit card number. If the merchant accepts the purchase, you probably shouldn't trust the site, and you ought to report the site to an antiphishing group. If the site tells you that the credit card (and personal) information is incorrect and asks you to try again, you can feel better about proceeding with the transaction.

This check is no guarantee against a very sophisticated deception. If you are uncertain, and especially if the buying opportunity is too good to resist, be suspicious and abandon the transaction.
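A legitimate checkout form rejects a malformed card number before anything is charged, which is what the test above relies on. As an added example (not code from the original post), here is the kind of format-and-checksum validation a real payment form performs, run over constructed sample inputs; the sample numbers are well-known test values and deliberately broken variants, not real accounts. Passing this check only means the number is well formed, not that a processor will honour it.

```python
"""Card-number sanity check of the kind a legitimate checkout form performs.

Added example, not from the original post. The sample numbers below are
well-known test values or constructed junk, never real card numbers.
"""
import re


def normalize(card_number: str) -> str:
    """Strip the spaces and dashes people type; anything else is left in place
    so that junk input fails the digit check instead of being silently dropped."""
    return re.sub(r"[ -]", "", card_number)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: starting from the right, double every second digit,
    subtract 9 from doubled values above 9, sum everything; valid iff sum % 10 == 0."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card_number(card_number: str) -> tuple[bool, str]:
    """Return (accepted, reason). A site that accepts an obviously bad number
    here is not talking to any payment processor at all."""
    digits = normalize(card_number)
    if not re.fullmatch(r"[0-9]+", digits):
        return False, "non-digit characters"
    if not 13 <= len(digits) <= 19:
        return False, "length outside 13-19 digits"
    if not luhn_ok(digits):
        return False, "fails Luhn checksum"
    return True, "passes format and checksum"


# Constructed sample inputs: a well-known Visa test number, the same number with
# its last digit altered, a Luhn-valid but too-short string, and malformed entries.
SAMPLES = {
    "4111 1111 1111 1111": True,
    "4111-1111-1111-1112": False,
    "79927398713": False,
    "4111 1111 1111 111x": False,
    "1234": False,
}

if __name__ == "__main__":
    for number, expected in SAMPLES.items():
        accepted, reason = validate_card_number(number)
        print(f"{number!r:24} accepted={accepted} ({reason})")
        assert accepted == expected
```

The check is ordered so that the cheapest rejection comes first; only numbers of plausible length reach the checksum, which is how a real form avoids leaking anything about which prefixes it knows.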

Archived at http://www.securityskeptic.com/arc20080101.htm#BlogID666 by Dave Piscitello  


Tue, 16 Oct 2007 00:00:00 00, 655
Yet another phishing target: Domain Name Registrars

A recent post to an anti-phishing mailing list identified this clever and evil attack against domain name registrants. The attack exploits domain name renewal notice emails that registrars send to registrants. The attack uses similar social engineering and deception techniques as those used in identity theft and other phishing attacks. From the post...

"Phishing attacks against registrars allow for take-over of legitimate domain management accounts for use in future ROCK attacks - either through control of existing legitimate domains or via registration of new ROCK domains on an account that the registrar "trusts" since it's been used for valid purposes over a long period of time. With a domain take-over, you can reconfigure DNS to still work for the "real" site, while wild-carding all other host names - much the same way the ROCK group already operates, so take-down will be slowed considerably since the domain itself can't be deleted."

If I interpret this post correctly, the attacker (in this case, the notorious ROCK phishing group) proceeds as follows:

  1. Use the WHOIS service to obtain the registrant's email contact information *and* the registrar for a domain name(s).

  2. Set up a bogus registrar phishing site

  3. Compose a renewal email that appears to be from the registrar and send this to the email contacts for the domain name(s).

  4. Wait for registrants to fall prey to the deception.

  5. When the registrant visits the bogus registrar web site, collect the registrant's account credentials via a bogus login page.

  6. Use the collected account credentials to alter the registration record, i.e., to hijack the domain name or name service.

  7. Use the domain name for illegal activities.

Once the attacker has control of the domain, he can attempt all sorts of illegal activities. The attacker can launch an attack against the domain itself (he controls the name service!); as colleague Danny McPherson of Arbor Networks points out, he can proxy or create a deception site at that domain name, insert an iframe, incorporate a BHO or other malware download to infect a visitor's PC. Or he can use the hijacked domains to facilitate fast flux attacks.

To conceal the illegal activities, the attacker adds records to the domain's legitimate zone file rather than replacing the zone entirely, improving the odds that the hijacking will not be discovered quickly. This form of domain hijacking lets fast flux attackers conceal the location of their illegal web sites even longer than before, and it complicates the takedown procedures that first responders and law enforcement might initiate: the domain name is not only used to abet phishing but also supports the real business needs of the registrant who fell victim to the phishing attack, so it is not easily deleted from the TLD zone file.

It turns out that several of my domains are up for renewal. You can be certain that I paid close attention to each renewal email from my registrar and followed the widely recommended "safe practices" when opening and reading email. Read my Anti-Phishing page and visit the Anti-Phishing Working Group for more information.

Archived at http://www.securityskeptic.com/arc20071001.htm#BlogID655 by Dave Piscitello  


Wed, 05 Sep 2007 00:00:00 00, 647
Is FRED a good security system?

I read James Gaskin's column, The Fred Security System: Improve security for zero dollars, with some interest and of course skepticism :-) Jim proposes that every company have a "Fred", a reasonably smart and suitably trained individual to whom email attachments can be forwarded for inspection. Fred uses his antivirus, anti-phishing and anti-spyware savvy and his amply fortified workstation to ferret out malicious email payloads and attachments, which possibly adds a level of malware protection without increasing your budget.

My experience with Freds is that they don't always pan out the way Jim suggests. I've met lots of Freds. I call them Bob. But for now, let's stick with Fred.

I'm OK with educating users on the dangers of malware. I'm OK with giving users who show some savvy a reasonable set of malware detection tools. And I think that in very small businesses, having a Fred is a reasonable idea as long as the small business can escalate the problem beyond Fred to a competent, affordable, and trustworthy 3rd party. I have several reservations, based on experiences with Freds in businesses small, medium, and large.

Fred is not available 24x7. Fred's inspection capabilities and breadth of knowledge regarding malware are more limited than those of any automated system such as an email security proxy or Unified Threat Management appliance. Most importantly, Fred can't keep current with the insane pace and variation of malware attacks. Unless Fred is seriously over-qualified for his role, I speculate that Fred is entirely ill-prepared to deal with never-before-seen or 0-day attacks (I hate this term, BTW).

My experience is that Fred is not zero-cost. Fred is being paid, ostensibly to satisfy a role other than malware ferret. Hours Fred devotes to ferreting out malware don't appear in the security budget but affect productivity elsewhere. This is security through budget obscurity. It's also my experience that Fred doesn't scale. One Fred can perhaps deal with malware in an office of 10-25, but how many Freds will you need for an office of 50, 100, 1000?

I suspect that if you study costs carefully, you'll find that even a single Fred costs more than the gateway antispam inspection software that ships with SMB/SOHO firewalls and unified threat management (UTM) appliances today. I'll venture that you could buy a Watchguard, SonicWall or Netscreen UTM with an annual subscription for virus/spam/IPS definitions for less than the cost of buying Fred lunch for 6-8 months (possibly depends on how much Fred eats).

Will a malware gateway/UTM improve security without increasing your budget? Of course not, nor will it break your budget.

One last life-lesson regarding Freds. All my SMB consulting is pro bono or deeply discounted as favors to friends, schools, and parishes. In all these networks, I find Freds. The difficulty I've experienced when dealing with nearly all Freds (or cleaning up after them) is that they cannot resist opportunities to play sys admin. They read about a registry setting and can't wait to change it on everyone's system. They read about secure browser settings, run to every novice's desktop and rejoice in having made the network a safer place. They wreak havoc on innocents who find that they can't use their browser as they've been taught, who encounter errors they don't understand, who learn to lock their offices to keep Fred at bay, and who roll their eyes when the consultant comes in to remedy wounds Fred has inflicted.

Use Freds as you would a topical cream for a rash or insect bite: apply in small doses, monitor carefully, and never conclude it is an effective substitute for a physician's knowledge and expertise. If you want a Fred rather than a UTM appliance, however, you may as well train Fred to be a sys admin because that's what he'll very likely try to be.

Archived at http://www.securityskeptic.com/arc20070901.htm#BlogID647 by Dave Piscitello  


Mon, 09 Jul 2007 00:00:00 00, 629
Blocking executables on Windows XP

Colleague and friend Marcus Ranum wrote a really interesting article and review of executable control software for Windows XP. The article, Execution Control: Death to Antivirus, documents Marcus' long struggle to deal with malware on Windows XP. In typical Ranum fashion, Marcus delivers one scathing criticism and condemnation of vested self interest after another as he explains why he punted Norton AV from his security software inventory, how he began hunting for a "default deny" approach to managing executables on his personal computers, how the honeymoons with two commercial products ended in divorce, and how he finally found a freeware soul mate in the form of ExeLockdown from Horizon DataSys, Inc.

Unfortunately, while Marcus has found a security soul mate, the rest of us won't be so fortunate. I visited Horizon DataSys to download a copy of the freeware and it's no longer available. I used the real time chat to ask a company rep why it was no longer available and he explained that "we are creating a better version that will work in enterprise environments as well as Vista. The old version was offered as freeware and was more of a support issue without any revenue."

While I can't blame a company for wanting to earn a profit and focus support on for fee products, it's hard to understand why they can't leave the freeware available for users sophisticated enough to use it without support. I also can't fathom how any company that has the good fortune to get as respected an authority as Marcus Ranum to write something positive about its product would "leave the money on the table" by taking the product out of circulation. Isn't it possible that the cachet a company earns from word of mouth like, "oh, yeah, that's the company that has that neat execution control program Marcus wrote about" is worth a token support effort for a freeware program? Some day, someone will explain marketing to me.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID629 by Dave Piscitello  


Thu, 05 Jul 2007 00:00:00 00, 626
Lost and Found: Antispyware articles from SecurityPipeline

While updating my antispyware resources pages, I discovered that the hyperlinks to articles I'd written for SecurityPipeline were redirected to DarkReading.com. I contacted the editors, who explained that Security Pipeline's content was not carried over to the new publishing platform when Dark Reading was created. Dark Reading's editor, Tim Wilson, did grant me permission to publish these articles at Core Competence's site, and you can now find the following articles here at the Security Skeptic:

I also took the opportunity to update the Spyware resources pages and have added several recent articles, reviews and recommendations for antispyware freeware.

Archived at http://www.securityskeptic.com/arc20070701.htm#BlogID626 by Dave Piscitello  


Mon, 04 Jun 2007 00:00:00 00, 621
Add CAPTCHA to your web site

One of the most common email harvesting methods used by spammers is spambotting, where automated software is used to search web sites and harvest email addresses. For a while, many folks tried to thwart harvesting by what I'll call @ avoidance, i.e., including an email address in a format such as user [at] domain. Spambots are now sophisticated enough to search for this and other permutations of email addresses.

If you must post your email address on web pages, a better method is to add CAPTCHA-based email protection. A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) program creates a test or challenge that a human being can correctly answer but a spambot cannot. The most commonly used CAPTCHA technique is one where a user must type words that have been displayed, often in a distorted form. Another form, ESP-PIX, presents the user with a set of images, and the user must identify an object that is common to the displayed set.

Some wonderful folks at Carnegie Mellon University provide a simple means to add CAPTCHA to your web site. Visit The reCAPTCHA Project to generate HTML to CAPTCHA-protect your email address. Enter your email address in the reCAPTCHA Mailhide form, cut-paste-customize the HTML, and include it wherever you publish your email address.

For example, my blog pages no longer include mailto: HTML statements. Instead, I've included a hyperlink in my left navigation bar. Click on that link and you'll be challenged in this manner:

Answer correctly and you'll see

My email address is pretty much out in the wild, but I'm adding it on my site to illustrate a point and hopefully help others mitigate spam.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID621 by Dave Piscitello  


Thu, 10 May 2007 00:00:00 00, 612
As promised, some new recommendations for antispyware

In BlogID608 I mentioned IT Security's 103 Free Security Applications, and promised to test and review some of these. As promised...

Spyware Terminator is a very nice and complete antimalware package. At first, I was hesitant to even install this package because I recalled a similarly named scamware product, Spyware X-Terminator. After poking around other antispyware and malware info-sites, I sorted through the conflicting opinions and misinformation before concluding these were indeed different packages.

Spyware Terminator provides real-time protection, spyware removal and quarantine. Spyware Terminator provides two levels of scanning: full and quick, and the latter lived up to its name by completing a scan in under 1 minute on three different Windows machines. Spyware Terminator provides a rudimentary host intrusion prevention system by building a list of installed, spyware-free programs and only allowing these and other applications identified by you or the developers as known-to-be-safe applications to execute.

The installer provides an integrated version of the popular open source-based WinClamAV antivirus software. WinClamAV is based on the same antivirus engine as the version I'm using on my MacBook and I'm just as comfortable installing and using it on a Windows machine. On my test systems, I ran Spyware Terminator without interference or conflict with AVG 7.5 Professional antivirus (I used this instead of WinClamAV on one PC) and other antispyware software (SpywareGuard, Spybot Search and Destroy). Automatic updates, beginner/advanced/expert configurations and a file analysis utility (to test if a file is suspect-ware) make this a useful antispyware package. A commercial version is available for organizations who want to centrally administer antispyware measures on all machines connected to a network.

Archived at http://www.securityskeptic.com/arc20070501.htm#BlogID612 by Dave Piscitello  


Mon, 12 Jun 2006 00:00:00 00, 534
SPAM, SPIM, SPIT, SPASMS and now... SPOG!

Everyone knows about and receives spam. Many folks also receive spam on instant messaging (SPIM), IP Telephony (SPIT), and even short messaging services (SPASMS). Now, even the chat channels of popular online games like World of Warcraft are attracting spammers.

So from the original coiner of the acronym SPASMS, I give you SPOG - spam on online games.

I play WoW with my colleagues and my son. It's a nice break from the real world; in WoW, I encounter a much higher percentage of pleasant and generous characters than the real world. I get to whack the heck out of something with impunity. I learn crafts and trades. And until recently, I had a high signal-to-noise ratio on the chat channels. Unsolicited advertising is now invading my leisure world! This is NGAT (not good at all) and I am definitely not ROFL (rolling on the floor laughing).

One way to measure whether something is acknowledged as A Problem is to search to see if someone's invented A Solution. Sure enough, if you Google "World Warcraft spam" you'll find antispam plugins like Spam-Guard Plus, which "monitors say, yell, tell and numbered chat channels for spam and automatically ignores spammers for the rest of the session". (Source squelch - I love it)

Archived at http://www.securityskeptic.com/arc20060601.htm#BlogID534 by Dave Piscitello  


Sun, 26 Feb 2006 00:00:00 00, 507
Anton Chuvakin on Spyware

Colleague Anton Chuvakin posted a solid and up to date article on spyware on O'Reilly's WindowsDevCenter website. In the article, Anton offers a good taxonomy of spyware and an equally good explanation of countermeasures and recovery procedures. Anton reiterates one piece of advice I routinely see in antispyware articles:

"As far as responding to a spyware infection, the only guaranteed 100 percent effective measure a user can take is to rebuild a system. Only this will guarantee removal of all traces of malicious software from a system."

Home users are most accustomed to rebuilding a system from scratch from the OEM recovery disks. This method has the unfortunate consequence of providing you with a clean, default installation. Users must then reinstall applications and reconfigure security settings. In some cases, users may lose configuration data they haven't stored elsewhere, including Internet access settings and (woefully) all those passwords they may have stored using password management software or (yikes!) Notepad.

I recommend that users, home and professional, invest in disk imaging software. When you purchase a new computer, and before you connect it to the Internet and browse the web, install all the software you most commonly use - Office, security software, etc. Configure the security settings you will rely upon as your security baseline. Now make a complete image of your C:\ drive using the imaging software. If you ever have to recover your Windows OS following a spyware or virus infection, reinstall the "recovery image" you created.

In BlogID #298, "Beyond my documents", I recommend disk partitioning. Follow the recommendations in this item, make certain that you back up configuration data and your recovery image on a partition other than C:\, and you'll be able to recover your PC to a more complete and secure state after a spyware infestation. You may have to reinstall some applications you installed after you created your recovery image, but in my experience, you will reduce your effort from several hours to 30-40 minutes. Remember: if you want a clean recovery image, you can't surf the web, read email, transfer files, IM, or use any application that may store or upload cookies, files, scripts or executables on your computer.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID507 by Dave Piscitello  


Sat, 04 Feb 2006 00:00:00 00, 501
Care and Handling of Credit and Personal Information

Despite the real and present dangers that Internet identity theft, phishing and email scam attacks pose, we cannot afford to overlook measures we can take to protect our identities and credit from attacks in the real (physical) world.

Financial institutions, law enforcement agencies and attorneys recommend a number of ways you can protect against credit card theft and misuse, check fraud, and unintentional disclosure of personal information that can be used by impersonators, extortionists and other malicious or malevolent persons. A short list of some of these follows...

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID501 by Dave Piscitello  


Thu, 05 Jan 2006 00:00:00 00, 488
How do I block ad sites? Let me count the ways...

I received several comments shortly after boasting that I had successfully blocked DoubleClick. There are many ways to block advertisers. I have used cookie blocking, manipulating domain name resolution, and configuring a "blocked site" policy in a firewall.

Blocking ad cookies is simple and can be done by configuring a browser to block 3rd party cookies, which are often written to your computer by ad tracking companies. Read how to do this in IE 6.0 here. The same feature is available in Firefox via the Cookies tab of the Privacy Option under Tools. Many antispyware packages also provide cookie blocking. (An interesting Firefox feature lets you remove a cookie and block a site from ever setting it again.)

Your browser must open a connection to the advertiser's ad server before the advertiser can collect the information stored in the cookie it has placed on your computer. These connection attempts are programmed into web pages you visit (the site hosting pages with such hidden connections pays the advertiser for its tracking and targeted marketing services, and is called an affiliate). Fortunately, the browser must use the DNS to resolve the domain name of the ad server to an IP address. By modifying your PC's hosts file so that ad server names resolve to localhost (127.0.0.1), you redirect the connection requests to your own PC, where they fail quickly. The rest of the page you visit loads normally. You may see an error similar to the one I captured in BlogID #487, but this depends on how the page is programmed. Either way, DoubleClick can't collect information from you. You can point the domain names of all the ad servers you wish to block to localhost, including DoubleClick, AdTech, Honesty, Profero, ValueClick, and hundreds of others. Find lists of ad servers here. If you run Active Directory on your network and want to block ad servers uniformly across all client PCs, create a group policy that replaces the user's hosts file at logon. This trick may also thwart hijacking spyware that alters the hosts file.
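Maintaining a hosts-file block list by hand gets error-prone once it runs to hundreds of names, and a hosts file that silently overrides a real host is exactly the kind of damage the hijacking spyware mentioned above does. As an added example (not code from the original post), the script below merges a block list into an existing hosts file without touching existing entries, tags the lines it owns so they can be removed again, and answers whether a given name would be sinkholed. The existing hosts content and the ad-server names are constructed for the demonstration.

```python
"""Maintain a tagged ad-server block list inside a hosts file.

Added example, not from the original post. EXISTING_HOSTS and AD_SERVERS are
constructed samples; the real lists the post refers to are far longer. Windows
keeps the hosts file at %SystemRoot%\\System32\\drivers\\etc\\hosts, Unix-like
systems at /etc/hosts; this script works on the file's text, not the file itself.
"""
BLOCK_ADDRESS = "127.0.0.1"   # the sinkhole address the post recommends
MARKER = "# ad-block"          # tags the lines this tool owns, so they can be undone

# Constructed sample: a typical hosts file before any ad blocking.
EXISTING_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.example.lan
"""

# Constructed sample block list (placeholder names under the reserved .test TLD).
AD_SERVERS = [
    "ads.example-adserver.test",
    "Tracker.Example-Affiliate.TEST",   # hostnames are case-insensitive
    "ads.example-adserver.test",        # duplicate, must not be written twice
]


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its address, ignoring comments and blank lines.
    The first entry for a name wins, which is how resolvers read the file."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def blocked_names(text: str) -> set[str]:
    """Names on lines this tool wrote: tagged with MARKER and pointing at BLOCK_ADDRESS."""
    names: set[str] = set()
    for raw in text.splitlines():
        if MARKER not in raw:
            continue
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == BLOCK_ADDRESS:
            names.update(n.lower() for n in fields[1:])
    return names


def merge_block_list(hosts_text: str, ad_servers: list[str]) -> str:
    """Append one tagged line per ad server the file does not already mention.
    Existing lines are never rewritten, so a legitimate entry is never clobbered."""
    known = parse_hosts(hosts_text)
    lines = hosts_text.rstrip("\n").split("\n")
    for name in sorted({s.lower() for s in ad_servers}):
        if name in known:
            continue
        lines.append(f"{BLOCK_ADDRESS}\t{name}\t{MARKER}")
        known[name] = BLOCK_ADDRESS
    return "\n".join(lines) + "\n"


def remove_block_list(hosts_text: str) -> str:
    """Undo: drop only the tagged lines and leave everything else as it was."""
    kept = [line for line in hosts_text.splitlines() if MARKER not in line]
    return "\n".join(kept) + "\n"


def is_sinkholed(hosts_text: str, hostname: str) -> bool:
    """True if a lookup of hostname is answered from our block list instead of the DNS."""
    return hostname.lower() in blocked_names(hosts_text)


if __name__ == "__main__":
    merged = merge_block_list(EXISTING_HOSTS, AD_SERVERS)
    print(merged)
    for name in ("ads.example-adserver.test", "www.example.com"):
        state = "sinkholed" if is_sinkholed(merged, name) else "resolved via DNS"
        print(f"{name}: {state}")
```

Two design points worth noting. Merging is idempotent, so the same group policy can re-run at every logon without growing the file. And the redirect to 127.0.0.1 only "fails quickly" when nothing on the PC listens on the web port; if you run a local web server, published block lists commonly use 0.0.0.0 instead (change BLOCK_ADDRESS), a practice that is not part of the original post.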

You can also block ad sites by including the domain names or IP addresses of the ad servers in a blocked site list at your firewall. Your firewall may drop attempts to connect to the blocked site, or it may return an "unreachable" error. Both will cause an HTTP 404 error (page not found). Firewalls and proxies that block sites can also be configured with custom 404 errors, so an admin can advise users that ad blocking is in effect.

But admins shouldn't expect users to go out of their way to thank them.

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID488 by Dave Piscitello  


Wed, 21 Dec 2005 00:00:00 00, 484
Online Predators Revealed

Chris Powell has written an eBook that provides a wealth of information and good advice to protect against phishing attacks. The book is written with non-technical Internet users in mind. Written in "plain speak", Online Predators Revealed makes powerful use of interesting analogies and provides plenty of simple-to-follow advice to help even school age children avoid phishing and web spoofing attacks.

Archived at http://www.securityskeptic.com/arc20051201.htm#BlogID484 by Dave Piscitello  


Thu, 13 Oct 2005 00:00:00 00, 467
Ask Dave... Multiple antispyware solutions on the desktop

Spyware was a hot topic at the NWW Security Tour 2005 Q & A sessions. One attendee asked for opinions on running multiple spyware solutions on the desktop. It's pretty common for anti-spyware specialists to recommend that you run more than one antispyware solution in posts to antispyware forums like SpywareInfo.com. The most common recommendation is to run both a reputable commercial solution (Aluria, WebRoot, SunBelt CA eTrust...) alongside a freeware product (typically Spybot Search & Destroy), and complement this with a reputable antivirus solution.

One oft-cited upside of running multiple solutions is increased breadth of detection: one solution may detect spyware that the other overlooks (or does not yet have a definition to distribute). Another upside is that one solution may perform a more complete removal of a spyware package (i.e., running a 2nd removal tool immediately following the first may result in the detection of a Registry setting that should have been removed for completeness by the 1st tool but had not). The downside is the possibility that the products interfere with each other, or even with the antivirus solution.

The humorous side, as I mentioned in this SecurityPipeline article, is that "some products point accusing fingers at each other".

Given the number and combinations of antimalware software you could install, I can't absolutely guarantee you'll have no adverse effects by installing more than one antispyware solution. I can only tell you that I've installed combinations of commercial antispyware software alongside Spybot S & D, SpywareBlaster and SpywareGuard on every PC and laptop in my office and have not experienced any ill effects.

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID467 by Dave Piscitello  


Tue, 11 Oct 2005 00:00:00 00, 466
A credible antispyware software review

Christopher T. Beers has performed a fairly comprehensive review of seven antispyware products for SecurityPipeline.com. In Review: Spyware Detectors, Beers reviews products from CA eTrust, F-Secure, McAfee, Trend Micro, Lavasoft, Sunbelt, and Webroot. The analysis is very thorough. A really clever and useful feature of this review is that it lets the reader adjust the product feature weighting factors. You fire up a Java applet, adjust the weight of the factors you are most interested in, and the Report Card recalculates the product scores. I've always complained that the weighting factors selected in comparative tests weren't useful, and now the tuner's in my hands - cool!

Archived at http://www.securityskeptic.com/arc20051001.htm#BlogID466 by Dave Piscitello  


Sun, 25 Sep 2005 00:00:00 00, 459
Protesting phishing? Before you retaliate...

Once some folks learn to recognize phishing email, they ruminate over the fundamental evil inherent in a phishing attack, and become tempted to protest or retaliate in some way. Resist temptation! Here's why...

Always bear in mind that phishers are criminals. Most sensible people would resist the temptation to stroll into a hideout and ask all the burglars present to stop surveilling your home, because they would justly fear (physical) retaliation. Visiting a phishing web site is essentially the same act. You are putting yourself at the mercy of whatever measures the phisher chooses to employ at his web site to protect himself, or to do more evil. Phishing web sites are not safe neighborhoods. Consider:

  • While you are satisfying your indignation by completing a web form with "leave me alone you evil SOB" in all the form fields, the web site may be uploading a keylogger to your PC.
  • Should you find an "unsubscribe" mailto or link at the phishing web site and add your email address, you are simply confirming to the phisher that your email is actively in use and inviting more spam and phishing email.

Leave protests to automated services like BlueSecurity (bluesecurity.com); report spam abuse to antispam services like SpamCop (spamcop.net), to antispam vendors (Barracuda, Postini, et al.), or to the FTC (forward spam to UCE at FTC.GOV).

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID459 by Dave Piscitello  


Wed, 21 Sep 2005 00:00:00 00, 458
Ask Dave - Spyware websites

Time for another question from the Network World Security Tour. I promise this series won't devolve into a text version of StrongBad eMail from HomeStarRunner.com...

How can spyware websites continue to operate once they are discovered?

Once spyware infests a computer, its mission is to spy upon the PC user, or to redirect or force the user to visit an affiliate web site. A second and equally important goal for spyware is to evade detection, so that it can continue its primary mission. Several observations can be made from this behavior.

  • Spyware is stealthware. It's hard for an average user to know which web site installed spyware on his PC; in fact, most spyware-affiliated websites are discovered by antispyware software research teams and antispyware activists who trawl the net in search of offenders.
  • Legal action is not "rapid response." Once spyware-affiliated web sites are discovered, the first response by antispyware software vendors and activists is commonly one of technology and countermeasure (e.g., add the site to a blacklist, analyze the spyware installer sample to obtain a signature and identify removal procedures, etc.). This is in my opinion the right response because it can have a material and immediate effect. Moreover, reporting and "hunting down" spyware-affiliated sites is a time-consuming process: tracking down the operators, determining which if any laws have been broken, and obtaining the cooperation of judicial and law enforcement systems to terminate operations or take the operators into custody is formidable for professionals, and more than the average user can tackle with any hope of success.
  • The numbers work against us. Even if (enforceable) international laws existed, the number of spyware-affiliated web sites is estimated in the hundreds of thousands, making the task of enforcing the laws practically impossible.

As you see, it's not a simple matter of "weak international laws" as was suggested by the tour attendee who submitted this question. Spyware is yet another example of a virtual arms race, and for the moment, we're losing the battle.

Archived at http://www.securityskeptic.com/arc20050901.htm#BlogID458 by Dave Piscitello  


Wed, 24 Aug 2005 00:00:00 00, 446
Blue Security: Your Right to Complain

Blue Security's approach to combatting spam has attracted its fair share of criticism. Blue combines a proactive Do Not Mail Registry with an automated protest campaign against spammers. Most of the criticism is off target. In several articles, it's clear the critics didn't understand the approach; in other editorials, the critic is exercising his Internet-given privilege to flame.

Blue's protest, performed on behalf of its Do Not Mail subscribers, is a tightly controlled email and forms submission response. It's not a DOS-like retaliatory strike at merchant email accounts, web submissions pages, and access circuits as described by several critics. If any of the critics had taken the time to open-mindedly discuss Blue's methodology with their CEO Eran Reshef, they'd have learned that the response is proportionately bounded: one spam, one complaint. Disclosure: I know Eran well. If you spend any meaningful time talking with him, you'd have to wonder how anyone could conclude that this guy would design a service to "go postal" on spammers.

Blue does what individuals can do themselves: find a party responsible for the spam and complain. Blue does this more scientifically, with more coordination, and to a greater scale than individuals can. Blue wants to change the spam value proposition and ROI, which is ultimately the only way we will ever effectively defeat spam. It's reasonable, proportionate, and ethical.

Marcus Ranum recently wrote an excellent editorial debunking the claims that Blue's approach is unethical. You can read it at http://www.ranum.com/security/computer_security/editorials/bluesecurity/. In the editorial, Marcus gives a thoughtful and thorough analysis of Blue's process. Frankly, it should be required reading for folks who have been publicly critical of Blue Security. Marcus also considers criticisms and concerns that have been brought to the public's attention and explains why they are inaccurate, difficult to corroborate, or just plain silly.

The editorial (thankfully) has a good measure of Marcus' wit and keen edge. You really ought to find time to visit the page and read it.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID446 by Dave Piscitello  


Tue, 09 Aug 2005 00:00:00 00, 440
When It Comes To Anti-Spyware Tools, Accuracy Is Key

My article on assessing antispyware software is available at SecurityPipeline.com. This article debunks the myth that users and administrators can draw useful conclusions regarding the quality of antispyware products based on numbers of spyware detected, and offers a better basis for comparison. The full article can be found here.

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID440 by Dave Piscitello  


Fri, 05 Aug 2005 00:00:00 00, 439
The Top 5 Enterprise Antispyware Requirements

Good enterprise IT organizations appreciate the importance of orderly processes and centralized control. These characteristics are evident in the software, technology, and workflows they employ to manage complex networks. As they deploy currently available technology to combat spyware, enterprise IT departments have not lost sight of the requirements that will help integrate antispyware measures into standard desktop administration. More...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID439 by Dave Piscitello  


Tue, 02 Aug 2005 00:00:00 00, 436
Phishing presentation

Roger Seeholzer (Adjunct Professor, University of Maryland University College Europe) contacted me some time ago, asking permission to use graphics from Phishing columns I'd written for Loop as resources for a presentation at CSI 2005. I agreed, and he's graciously returned the favor by sending me a copy of his presentation. You can find it here [pdf], and you can find my columns at http://www.securityskeptic.com/phishing.htm

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID436 by Dave Piscitello  


Fri, 01 Jul 2005 00:00:00 00, 424
Answering the Call for Business-Grade Antispyware

I've written a white paper for Aluria Software that explains the threats and issues spyware poses to businesses small and large. The white paper also identifies ten requirements that businesses should consider when evaluating business-suitable antispyware solutions. The paper concludes with an assessment of how Aluria Software's Paladin product meets the requirements I identify.

You can download the white paper in pdf format from Aluria Software.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID424 by Dave Piscitello  


Thu, 30 Jun 2005 00:00:00 00, 423
Webcast on business grade anti-spyware

An on-demand version of my presentation on business-grade anti-spyware is available from TechWeb. During this webcast, I offer my list of top ten requirements for businesses seeking to deploy antispyware measures at the desktop. Find the registration page at TechWeb Today.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID423 by Dave Piscitello  


Thu, 16 Jun 2005 00:00:00 00, 418
IE and Spyware

Channel Viewpoint has posted a re-hash of an article I wrote earlier this year for Watchguard Technologies. Profiting from IE's 'problems' is written to help organizations where business practices impede a switch from Microsoft's built-in browser to an alternative. The article explains how organizations can reduce the spyware threat through central IE policy definition and distribution via Active Directory, and more.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID418 by Dave Piscitello  


Wed, 04 May 2005 00:00:00 00, 397
SPASMS

Preparing for a security session I moderated at Interop in Las Vegas, I began thinking about the subject of unsolicited messaging. The session, entitled "Is the end in sight, or will SPAM, SPIT and SPIM spin entirely out of control?", seemed to overlook one category of unsolicited messaging that has recently become a burden to cell phone users - spamming short messaging systems.

Colleague Caleb Sima at SPI Dynamics has done several presentations explaining how it's possible to DoS certain cell phones using SMS. In some cases, the subscriber is billed for thousands of unsolicited messages. In others, the phones freeze. And of course there are messages that you simply don't want to receive (the Do Not Call List notwithstanding...).

I realized that I had not seen a unique acronym applied to SMS spam, and one quickly came to mind: SPASMS - Spam Against Short Messaging Systems!

You saw it first here.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID397 by Dave Piscitello  


Thu, 28 Apr 2005 00:00:00 00, 393
Blocking Spyware at the Network Gateway

Layered defenses have become standard procedure for blocking the current generation of security threats. To block viruses, spam and intruders, organizations deploy countermeasures at the network gateway and again on individual client systems.

Until now, layered defense against spyware was difficult or impossible. There are plenty of desktop anti-spyware products, but almost none that are server-based. But vendors are moving to fill that gap.

Read the rest of this article at SecurityPipeline.com

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID393 by Dave Piscitello  


Thu, 21 Apr 2005 00:00:00 00, 389
Spyware laws should focus on bad acts

Antispyware legislation is doomed to repeat history.

Advertising (adware) lobbyists are succeeding in distracting lawmakers into a debate over whether different kinds of software are - or are not - spyware. Congress has already exempted cookies and web bugs as "not spyware". The banana peel is now accurately positioned to help both Houses slide down the slippery slope every consumer and legitimate business hoped they'd avoid.

Nothing good can come from examining each advertising-enabling technology to determine whether it is or is not spyware. Every piece of software, like every knife in the cutlery drawer and every gun in the pickup rack (remember where I live), can be used for good or evil.

The web bug and adware exclusions really irritate me. Would these same congressmen allow anyone to access telephone usage records? Even in the post-Patriot Act era and from a Republican congress, this seems unlikely. How different is telephone wiretapping from granting anyone an implicit license to add an "IM-bug" to track every instant message, and why does a law enforcement agent require a court order for the former, but (presumably) not the latter?

Let's pause a minute and re-think whether tracking technology is the problem, or whether the problem is really deception.

With this Congress, perhaps we should use the "guns don't commit murders, people do" approach. Software doesn't commit espionage, ...

Antispyware legislation should be easy to write.

  • If it is installed without notice, consent, or the ability to opt-out, it's spyware.

  • If the intent is to copy and transmit information or monitor behavior without your knowledge or consent, it's spyware.

  • If the notice is not crystal clear in describing intent and copious in identifying what information is to be copied, transmitted, and monitored, it's spyware.

We have precious little control over personal information left.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID389 by Dave Piscitello  


Thu, 14 Apr 2005 00:00:00 00, 386
Spyware Data's SSI

I received an email from Ken Lloyd of Spywaredata.com asking if I would provide a reciprocal link at my spyware page for his site. I visited the site and found an impressive and well-organized spyware database. Spywaredata has searchable categories for Processes, Linked Service Providers, BHOs, Toolbars, ActiveX, StartUp files and Search Engines. For each spyware, the site identifies the directory path, classID, spyware company, variants, and the number of infestations reported. I asked Ken about these statistics, and he replied as follows:

SSI was created over a year ago to track and subsequently identify the latest Spyware threats actually affecting the Internet. If you are familiar with Microsoft's new "SpyNet" project that was released a few months ago, SSI performs analogously and has been actively identifying spyware since January 2004. Here is how it works:

Users download our free SSI software and simply double click the program icon. SSI immediately scans your computer for any active spyware, then that information is presented to you. At that time you can choose to have this information analyzed against our real-time database. The results are promptly presented to our users with removal instructions. In addition, if we find unknown spyware we can then ask the user if they would like to upload these files for our technicians to take a closer look.

SSI is designed to be extremely easy for our users to understand and use. And with that we have processed over 210,000 scans.

I ran Ken's SSI on three PCs here, all protected by different antispyware software. SSI ran, uploaded the results, launched Internet Explorer (Firefox support is in beta), and presented a results page. SSI detected several unknown file types (e.g., Shavlik's patch management software, HFnetchkPro4, some XP SP2 dlls), and found copies of ICONSPY and ViewPointMedia. From this page, I visited the "remediation" page, where I found instructions on how to remove the pest. SSI appears to be yet another useful tool to add to the never quite complete antispyware toolkit.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID386 by Dave Piscitello  


Mon, 11 Apr 2005 00:00:00 00, 383
Anti-phishing measure: User Behavior Modification

Recently, a fellow security professional asked if he could use some of my anti-phishing material in a presentation he was preparing for an upcoming CSI conference. Revisiting the presentation I gave at IPComm 2004, I recalled (and related) a dialog I had with an attendee about an interesting behavior modification program.

The attendee was an IT admin. With the approval of management, IT created a phishing email and hosted its own bogus web site based on a real attack, then emailed every employee in the company. Employees who responded to the link and completed the form received a subsequent email from IT advising them that they had fallen victim to a phishing attack, and that they were now obligated to complete "remedial therapy", in the form of a 30 minute anti-phishing seminar after close of business (mandatory attendance).

Two weeks later, IT modified and re-attempted the phishing attack. The number of respondents was smaller. Again, employees who fell victim were required to attend a seminar.

IT now repeats the process routinely, and the number of phishing victims is now dramatically reduced.

I wish I could acknowledge the attendee since this is a simple but creative phishing countermeasure, and someone deserves kudos for dreaming it up. I'm just paying it forward...

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID383 by Dave Piscitello  


Fri, 25 Mar 2005 00:00:00 00, 382
A new, nefarious phishing deception technique

Poor PayPal seems to be the most popular lure among phishers these days.

I receive phishing emails almost daily warning me that my PayPal account is under review for security reasons. The most recent spate of these uses HTML in a particularly insidious manner to deceive even those recipients who are savvy enough to be wary of embedded hyperlinks.

Many antiphishing resources, including my own, warn people to make use of the browser status bar to assure that they are visiting the same URL they "see" in an email, by hovering the mouse over the hyperlink in the message, which will show the "real" URL they will visit should they click on the link.

The new phishing method uses an HTML form to prevent recipients from availing themselves of this antiphishing method. The raw HTML for this deception is reproduced below:

<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</form>

I've substituted my own domain name, hhi.corecom.com, where the phisher typically puts his deception web site. What recipients see when this is used follows.

Try hovering over the hyperlink. Nothing happens. Now click it, and you'll reach my 404 Error page - of course, in a phishing email page, you'd end up at a deception web page.
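A defender-side check for this trick, added here as an example that is not part of the original post: it parses a message's HTML with Python's html.parser and flags any form whose submit button is labelled with a URL for a host the form never actually reaches, as well as forms whose action or hidden fields carry a nested URL (a redirector chain) or a percent-encoded path. The sample input is the form reproduced above; the benign form and all function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Zero-width split in front of every "http://" or "https://", so a value such as
# "http://a.example/*http://b.example/x" yields both URLs of the chain.
_URL_START = re.compile(r"(?=https?://)", re.IGNORECASE)


def embedded_urls(value):
    """Every http(s) URL embedded in an attribute value, after percent-decoding."""
    return [p for p in _URL_START.split(unquote(value)) if p.lower().startswith("http")]


def hosts_in(value):
    """Lower-cased host names of all URLs embedded in the value."""
    return {(urlparse(u).hostname or "").lower() for u in embedded_urls(value)}


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the <input> tags inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {name: (val or "") for name, val in attrs}  # names arrive lower-cased
        if tag == "form":
            self._open = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_forms(html):
    """One finding per form: hosts shown on the submit button, hosts the form
    can actually reach (action plus hidden fields), and why it is suspicious."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for form in collector.forms:
        displayed, reachable, reasons = set(), set(), []
        values = [form["action"]]
        for inp in form["inputs"]:
            kind = inp.get("type", "").lower()
            if kind == "submit":
                displayed |= hosts_in(inp.get("value", ""))  # what the reader sees
            elif kind == "hidden":
                values.append(inp.get("value", ""))  # where the redirector will send them
        for v in values:
            reachable |= hosts_in(v)
            if len(embedded_urls(v)) > 1:
                reasons.append("nested URL (redirector chain): " + v)
            if v != unquote(v):
                reasons.append("percent-encoded path hides destination: " + v)
        if displayed and not displayed <= reachable:
            reasons.append("submit button shows %s but the form never reaches it"
                           % ", ".join(sorted(displayed)))
        findings.append({"action": form["action"], "displayed_hosts": displayed,
                         "reachable_hosts": reachable, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


# The form reproduced in the post above (the blog author's own domain stands in
# for the phisher's), used here as sample input.
PHISH_FORM = """
<FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://www.securityskeptic.com/%6D%61%6E%75%61%6C/webscr/>
<input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
</form>
"""

# Constructed benign form for contrast: the button carries no URL and the
# action is a single, plain destination.
BENIGN_FORM = ('<form action="https://www.example.com/login" method="post">'
               '<input type="submit" value="Log in"></form>')

if __name__ == "__main__":
    for finding in audit_forms(PHISH_FORM) + audit_forms(BENIGN_FORM):
        print(finding["action"], "suspicious" if finding["suspicious"] else "ok")
        for reason in finding["reasons"]:
            print("   -", reason)
```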

Increasingly, too, PayPal phishers are including many legitimate links to real hyperlinks at PayPal, e.g.,

To receive email notifications in plain text instead of HTML,

update your preferences <a href="https://www.paypal.com/us/PREFS-NOTI" target="_blank" > here</a>

This is all part of selling the deception.

HTML is a really wonderful and powerful language, but it is so easily manipulated for malicious purposes that you should really consider whether you need your email to be "pretty".

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID382 by Dave Piscitello  


Thu, 17 Mar 2005 00:00:00 00, 380
Legislation won't stall the spyware juggernaut

Spyware has reached such epidemic proportions that legislators in the US Congress as well as state legislatures are responding to public outrage by drafting bills to prohibit its distribution, stem abusive practices and protect Internet user privacy. Unfortunately, pending and recently enacted anti-spyware laws are considerably flawed and could actually cause more harm than good. In fact, many experts believe we'd be better off if we'd simply put more effort into enforcing existing laws that prohibit fraud and deceptive business practices. And nearly all knowledgeable parties acknowledge that spyware is a technology problem that requires a technology solution. More...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID380 by Dave Piscitello  


Wed, 16 Mar 2005 00:00:00 00, 379
PC Pitstop Top 25 Spyware list

Most people who read my blog are familiar with the SANS Top 20 Vulnerability list. Trend Micro, Vexira, and in fact, most antivirus companies host lists of the current most prevalent malware. PC Pitstop hosts a similar list of the Top 25 Spyware.

The rankings are derived from results of approximately 50,000 PCs that visit the site to run a signed ActiveX control spyware scanner (signed, how refreshingly unique!).

PC Pitstop acknowledges that their Top 25 rankings are biased. PC users who visit frequently to test for and remove pests based on the scan results will have less spyware than a randomly sampled population (the site apparently doesn't weed out repeat visitors). Still, it's an interesting list.

I ranted earlier this week about informed consent and disclosure. Legislators ought to study PC Pitstop's privacy policy and the excruciating detail they provide regarding cookie use, information collection and use, and "what they do to your PC". They tell you what they do; how they do it and why; how you can review what they do; and give you the opportunity to decline. Legislation doesn't have to be any more complicated than insisting that advertisers be as diligent as PC Pitstop. Well done...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID379 by Dave Piscitello  


Sat, 12 Mar 2005 00:00:00 00, 377
Adware, spyware or malware - no matter the name...

Mitch Wagner, my editor at SecurityPipeline.com, wrote an editorial recently about the fuss adware vendors are making over the fact that their ware is really not spyware. Whether their ware spies or not is quite honestly irrelevant to the vast number of users (and SecurityPipeline readers). Choose any name you wish, adware is unsolicited, unwanted, and intrusive. But, for the sake of a blog entry, let's find an appropriate name.

So far, "scumware" is the most generic, appealing, and accurate label. SearchSMB.com defines scumware as "any programming that gets on your computer from Internet sites without your consent and often without your knowledge. Scumware is a general term that encompasses spyware, adware, annoyware, malware, parasiteware, unwelcome cookies, and various forms of viruses".

This definition works for me and everyone I asked today :-)

Why do the FTC, state and federal legislators insist on trying to narrow the definition of spyware, when most of the affected population would prefer to leave it as broad as possible? Users want to know what is being installed on their computers, and for what purpose, and want the right of informed refusal and consent. And make the default selection "refusal". This is exactly the opposite of what occurs today with all scumware.

You want effective legislation? Focus on informed consent. Force software vendors to a pure "opt-in" model, something that never materialized in postal delivery. Identify what constitutes deceptive and unauthorized use and installation of software. Make it illegal to install software without expressed user approval, and make vendors write intelligible terms of use and scope of application. With legislation of this kind, most folks will make intelligent opt-in decisions when asked whether they want Windows update or WhenU. Which, of course, is exactly what adware vendors are most fearful of.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID377 by Dave Piscitello  


Wed, 16 Feb 2005 00:00:00 00, 363
Remote BHO Scanner

David Glosser has written an antispyware open source Perl script that runs on a Windows host under ActivePerl and TieRegistry. The Perl script scans the registries of all the computers of a Windows domain for the existence of Browser Helper Objects (BHOs), a common form of spyware. The host computer must be a member of the domain and have remote access privileges to the registries of the computers in the domain.

Remote BHO Scanner doesn't remove spyware. It does provide a report of BHOs discovered in the domain. This is an interesting tool for administrators who might want to routinely scan for BHO infestations. The reports will probably help admins convince more senior management that spyware is indeed a corporate as well as consumer problem.

David indicates that Bleeding Snort has volunteered to host Remote BHO Scanner. David also indicates that more information can be found at http://www.mgmg-interactive.com/mgmg/malware.html.

I've only toyed with this script thus far, but it's a very interesting and different way to tackle a growing spyware problem.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID363 by Dave Piscitello  


Thu, 27 Jan 2005 00:00:00 00, 357
The spyware money trail

Colleague Scott Pinzon referred me to an excellent post describing one frustrated dad's attempt to trace a spyware infestation back to the folks who make money in this nasty business. Read Follow the Money; or, why does my computer keep getting infested with spyware?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID357 by Dave Piscitello  


Wed, 19 Jan 2005 00:00:00 00, 354
Microsoft's Antispyware Beta

Microsoft began offering free downloads of the beta version of the antispyware software they recently acquired (Giant). I'm a bit late to the review gate, but here's my anecdotal assessment.

The beta only runs on licensed systems. You must run the Microsoft validation agent, which ironically means you must allow ActiveX controls in your IE settings. Frankly, since this is a beta, I question whether Microsoft would have earned more mileage offering the product without qualification. Spyware's a huge problem, and I think they not only missed a major marketing and distribution opportunity but an opportunity to serve the Internet community as well.

Giant had a reputable product before Microsoft acquired it, and while Microsoft may have standardized the look and feel, they seem to have adopted an "ain't broke, don't fix it" approach. The product has the features you should expect from quality antispyware software, and some interesting features I hadn't seen before. Realtime protection monitors dialup, messenger and WiFi activities; changes to Internet safe site lists, Winsock LSPs, Windows services, critical .ini files, as well as shell, scheduler, and TCP/IP changes. Protection from directory trojans, startup, BHO, registry, IE settings, and installed component spyware is also present. You can create restore points and schedule full or custom scans.

Microsoft's default security settings are all over the map. Auto-protection against spyware is enabled following installation and reboot. You must run a Setup assistant to enable auto-updates, and you must choose Real-time Security Protection. I would like to see these enabled by default.

Memory footprint is modest: two processes, gcasserv.exe and gcasDtserv.exe, are only 12 Megabytes. The UI is clean and intuitive. I like the results reports, which complement the customary threat enumeration, recommended action, and threat level with a sidebar containing the initial paragraphs of a detailed description of any threat detected; an assessment of the risk, and a link for more information.

I configured an infected PC to run a daily autoscan. The initial, full scan of three partitions totalling 20 MB took 20 minutes, about par for other products I've tried (some were faster, others slower). I ran the antispyware beta on a PC with XP SP2 that had been "protected" by the freeware tandem, SpywareGuard and SpywareBlocker, for about 2 months. The beta detected two threats (whenusavenow, and the brodcast/DSSagent). This result neither convinces me that Microsoft's product is excellent nor that SG and SB are lame, but only reaffirms my conviction that no single antispyware product is up to the task. New spyware seems to be appearing at a pace rivaling spam, not worms, and even Microsoft will have a hard time employing enough software engineers to level the playing field.

Like many antispyware products, Microsoft's beta provides a means for users to upload suspected spyware for analysis. Microsoft offers an opt-out for its Spynet Community. I'm a committed opt-in kinda guy so this annoys me. Probing further, the link to Microsoft's privacy policy regarding Spynet Community explains that Microsoft will explicitly ask for and not disclose personal identifying information to 3rd parties except those who will perform services on Microsoft's behalf (good), but it also indicates that Microsoft will use such information to contact individuals with surveys, product notifications, etc. The policy doesn't identify exactly what information it collects: if only privacy policies from Microsoft were as detailed as its EULA.

Overall, this is a good start for Microsoft. Microsoft claims it intends to provide its customers "with new tools to help protect them from the threat of spyware and other deceptive software" but I am not clear how Microsoft plans to make the tools available. Will this be a separately priced product, integrated with antivirus (what's the deal there, anyway?) and the Service Pack 2 Security Center?

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID354 by Dave Piscitello  


Tue, 11 Jan 2005 00:00:00 00, 350
How To Keep Spyware Off Your Enterprise Network

Spyware is challenging spam and viruses for the top spot on IT worry lists. Spyware poses considerable threats and risks to enterprise networks and remediation and countermeasures are now being regarded as critical to network security. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID350 by Dave Piscitello  


Mon, 10 Jan 2005 00:00:00 00, 349
DSO Exploit

Data Source Object (DSO) exploit is one of the removal-resistant spyware pests that I've mentioned in several articles. Despite running Spybot Search and Destroy version 1.3, my son's computer was infected by this because he (OK, I) did not have the correct advanced settings. SupportCave has a page that explains how to remove DSO Exploit with a small executable, DSOstop2, and how to set Spybot Search and Destroy to correctly deal with this spyware.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID349 by Dave Piscitello  


Wed, 05 Jan 2005 00:00:00 00, 346
What's the difference between Spyware and Viruses?

The average Internet user has difficulty distinguishing viruses from spyware. SecurityPipeline launched a series on spyware with my article by this title. More...

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID346 by Dave Piscitello  


Thu, 16 Dec 2004 00:00:00 00, 338
BHOList

Merijn, author of the highly useful helpware, HijackThis, has written another little pearl called BHOList.

BHOList scans your PC for installed Browser Helper Objects and Toolbars, and distinguishes legitimate BHOs from evil ones. For each BHO it discovers, BHOList identifies the ClassID, filename, owner, and a hyperlink to the software producer.

BHOList also provides a simple frontend utility to a list of Browser Helper Objects and Toolbars maintained by Tony Klein, and will download all the known and categorized BHOs maintained at several antispyware activist sites.

Find BHOList at http://www.spywareinfo.com/~merijn/downloads.html, along with HijackThis and a handful of equally helpful software developed by this remarkable young man from the Netherlands.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID338 by Dave Piscitello  


Fri, 10 Dec 2004 00:00:00 00, 336
XoftSpy: one company's deceptive marketing practices

Kephyr Bazooka is one of the respected free spyware scanners. Using Google sponsored links and carefully contrived META Description and Keyword tags, the vendors of the suspicious XoftSpy spyware remover infringe on and play off Bazooka's good name and reputation.

I searched "Bazooka spyware" at Google, and the first response to this query is an advertisement page at one of the XoftSpy online shop domains. The page says, "Bazooka spyware scanner just detects spyware and does not remove it. An excellent alternative is ..."

Like most deceptive advertising, there is a half-truth here. Bazooka is indeed only a scanner. But this doesn't mean that Xoftspy is a better scanner. Of course this page doesn't claim that Xoftspy is a better scanner.

Manipulating search query replies is something I expect from porn sites, not security companies. All the genuinely useful work Kephyr Labs invested in Bazooka scanner is undermined by misleading META tagging on a commercial product's page. For the record, the META tags on the offending page are:

<META NAME="description" CONTENT="Bazooka is a spyware and adware scanner that detects spyware and adware on your system. It does not remove it. XoftSpy both detects and removes spyware and adware.">

<META NAME="keywords" CONTENT="bazooka spyware, killer,destroyer,remover,eliminator,eraser">

I'm singling out XoftSpy here, but at least a half-dozen other companies pull this same nonsense with Bazooka, AdAware, and SpyBot Search and Destroy.

PLEASE don't support these folks. The degree to which they undermine the trust we place in search engines is a source of embarrassment for the entire security community.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID336 by Dave Piscitello  


Tue, 07 Dec 2004 00:00:00 00, 335
Spyware: Your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse. More...

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID335 by Dave Piscitello  


Fri, 12 Nov 2004 00:00:00 00, 328
No Click Phishing Attack

One sure way to avoid identity theft is to resist clicking on hyperlinks embedded in potential phishing email messages you receive. Now, even that "best practice" appears to be in question. Liberty Identity Theft Services and others report a no-click (zero-click) phishing attack, where simply opening an email message is enough to cause a malicious script to be executed.

The attack makes use of "preview windows" in email clients - yes, that convenient little window pane that shows you part of an email just became a window *pain*.

The script combines spyware and phishing techniques. From the spyware toolkit, the script employs browser hijacking: it modifies bookmarks (favorites) and redirects users to a spoofed web site. The site where the user is redirected is your basic phishing web site, i.e., one that presents what appears to be a legitimate request for personal, account and credit card information. (If you're unfamiliar with phishing in general, and with what a phishing web site looks like, read Anatomy of a Phishing Expedition.)

This attack might seem a bit more subtle than typical browser hijacks - users might not visit the modified bookmark and so may be unaware of the change - but phishing web sites don't remain online very long, so there's still a small window of opportunity. If you are running anti-spyware software such as SpywareGuard, you should be protected against browser hijacking. If you don't have browser hijack protection, you might try disabling the email preview feature on your email client. I suggest you consider one of the anti-spyware solutions I recommend here.

What a pane... er... pain.
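As an added illustration (not code from the original post), here is a Python audit that compares a saved snapshot of a user's Windows Favorites (.url files) against the current set and flags entries whose URL was rewritten to a different domain, the kind of change the browser hijack described above makes. The favourites, the bank name and the .invalid hosts are constructed samples.

```python
from urllib.parse import urlparse

# Constructed favourites in the Windows Internet Shortcut (.url) format:
# a snapshot taken on a known-clean machine, and the same folder after infection.
BASELINE = {
    "eBay.url": "[InternetShortcut]\r\nURL=http://www.ebay.com/\r\n",
    "My Bank.url": "[InternetShortcut]\r\nURL=https://www.example-bank.com/login\r\n",
    "Security Skeptic.url": "[InternetShortcut]\r\nURL=http://www.securityskeptic.com/\r\n",
}
CURRENT = {
    "eBay.url": "[InternetShortcut]\r\nURL=http://www.ebay.com/\r\n",
    # Hijacked: same display name, URL now points at a look-alike host (constructed .invalid domain).
    "My Bank.url": "[InternetShortcut]\r\nURL=http://example-bank.com.account-verify.invalid/login\r\n",
    "Security Skeptic.url": "[InternetShortcut]\r\nURL=http://www.securityskeptic.com/\r\n",
    # Planted: a favourite the user never created (constructed .invalid domain).
    "Free Spyware Scan.url": "[InternetShortcut]\r\nURL=http://spyware-stormer.invalid/scan\r\n",
}


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def audit(baseline, current):
    """Diff two favourites folders; each finding is (file name, kind of change, current URL)."""
    findings = []
    for name, text in current.items():
        url = parse_url_file(text)
        old = parse_url_file(baseline[name]) if name in baseline else None
        if old is None:
            findings.append((name, "added", url))
        elif url != old:
            old_host = urlparse(old).hostname or ""
            new_host = urlparse(url).hostname or ""
            # A favourite silently repointed at another domain is the hijack signature.
            kind = "rewritten to another domain" if registrable(old_host) != registrable(new_host) else "changed"
            findings.append((name, kind, url))
    for name in baseline:
        if name not in current:
            findings.append((name, "removed", None))
    return findings


if __name__ == "__main__":
    for name, kind, url in audit(BASELINE, CURRENT):
        print(f"{kind:28s} {name}: {url}")
```

On a real machine the two dicts would be built by reading every .url file under the user's Favorites folder; the snapshot should be taken before the machine is exposed, not after.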

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID328 by Dave Piscitello  


Wed, 03 Nov 2004 00:00:00 00, 325
Why do spammers spam?

During an NGN 2004 Boston session, Antispam: analyzing the alternatives, Paul Judge of CipherTrust offered an intriguingly simple root cause analysis of why spammers are motivated to spam:

"That’s where the money is..." More...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID325 by Dave Piscitello  


Mon, 04 Oct 2004 00:00:00 00, 313
You call it spyware, I call it lieware

I was asked by Watchguard Wire to comment on the deceptive marketing practices certain "anti spyware" products employ to increase sales. As part of accumulating resources for my Spyware Resources page, I've installed and tested more than a dozen purported anti-spyware packages to find which are most effective. The deceptive practices of more than a few "anti" spyware vendors are pretty ugly. Read my full commentary at Watchguard Wire.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID313 by Dave Piscitello  


Mon, 27 Sep 2004 00:00:00 00, 309
Antivirus and antispyware must be the same ware

Every network client must have antivirus software. We've been told so for years, and the message is finally sinking in. Network admission and integrity control are poised to enforce it today in enterprise networks and hopefully soon for public Internet access as well. Concern over spyware is increasing so rapidly that I fully expect that antispyware, too, will be a prerequisite for network logon. The problem I foresee is that, if we instrument poorly, network admission will end up like the queues at customs and immigration services: long, slow, tedious, and frustrating. More...

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID309 by Dave Piscitello  


Sun, 26 Sep 2004 00:00:00 00, 310
CoolWebSearch Chronicles

CoolWebSearch is one of the most insidious and treacherous pieces of browser hijacking nuisance-ware you will ever have the misfortune to experience. The miscreants behind this crudware have created a truly nasty beast. PestPatrol's Spyware Encyclopedia identifies over 70 CWS variants. They are resistant to detection and removal, and while present, they turn your "web experience" into a visit to hell.

The CoolWebSearch Chronicles offers a fascinating chronology of CWS through April 2004 (39 variants). It's an entertaining and valuable read for anyone who is trying to understand spyware.

Archived at http://www.securityskeptic.com/arc20040901.htm#BlogID310 by Dave Piscitello  


Sun, 29 Aug 2004 00:00:00 00, 300
Phishing and Fraud Prevention Resources

My Loop columns on phishing and spoof email are frequently visited. I've replied individually to enough emails about phishing to conclude I really ought to pull my resources together and make them available online. Visit phishing resources.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID300 by Dave Piscitello  


Fri, 27 Aug 2004 00:00:00 00, 299
Spyware: your worst nightmare

You think viruses, worms, blended threats and spam are bad? Spyware is worse...

Spyware is software - a program file, a browser helper object, or a dynamic link library, for example - installed on your computer without your knowledge or permission. Sometimes called adware, nastyware, crapware, scumware, and worse, it's all aggravating and intrusive. It's enough to turn pacifists into violent activists. In some respects, spyware evokes the same kinds of emotional reactions as a Republican National Convention.

I've been investigating spyware for a series of articles I wrote for Watchguard and Loop. Much of the spyware out there is unsolicited advertising: marketing invertebrates monitor your web browsing and direct advertising to you based on the sites you've visited. The former is annoying and maybe embarrassing: you can't begin to imagine what that one innocent visit to hotgirlsofcleveland.com does to your Internet experience.

I mention in all my articles that adware "data mining" also poses a privacy issue to individuals and a vector for sensitive information disclosure for businesses.

Then there's the "And you thought it was YOUR PC" problem. Beyond relentless advertising, spyware and adware often hijack a computer browser, driving users to alternative search sites, or even to competitors of e-merchant sites users are trying to visit. My son's PC was infected with a particularly nasty, blended threat of a spyware/adware package. It seized his browser and hosed his Google toolbar. It took any search he attempted and redirected him to some deceptive practices search site. It also warned him that he had spyware (how kind), and invited him to use Spyware Stormer (which is a rogue antispyware, BTW).

I also explain how spyware can be as malicious as trojans incorporated into a blended threat attack. Keyloggers may be installed as part of the package. Spyware may turn ugly on you. Try to remove it, and spyware may self-destruct and leave your Registry, browser configuration, and DLLs damaged beyond recovery. My son learned a "life lesson" last week, when we reinstalled Win2K Pro on his PC. That life lesson happens to include "Play with P2P, die with P2P"...

Antispyware appears to be abundant, but I'm sorry to say that deceptive practices and crapware taint the antispyware product market. Rogue antispyware may offer free scans, but many produce long lists of false positives to frighten you into purchasing the product. Others, as I mentioned above, blast you with popups and other forms of unsolicited and misleading advertising: isn't this what you're trying to eliminate?

I've created a spyware resources page here. Please use it! You'll find dozens of articles explaining spyware and recommending removal and protection strategies. You'll find my personal recommendations for combating spyware here as well.

This page is an active work in progress. I welcome you to comment here or at Loop and contribute to the list of resources I've begun.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID299 by Dave Piscitello  


Sat, 31 Jul 2004 00:00:00 00, 287
Catching Phish

Mich Kabay posted a helpful column for people interested in understanding how to recognize phishing. Catching Phish describes a recent phishing scam, and is a nice complement to my columns at LOOP, Recognizing and responding to spoof email messages and Anatomy of a phishing expedition.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID287 by Dave Piscitello  


Thu, 01 Jul 2004 00:00:00 00, 278
SPAM decline, worm increase

I've seen a definite drop in the spam delivered to my email accounts. Over the past two weeks, my Postini service has blocked 98.3% of spam, approximately 30 per day. I last spot-checked my spam filter efficacy by sampling April 3 through 16. At the time, Postini correctly detected and blocked 4858 spam email, which is well over 300 per day! What accounts for the order of magnitude decrease?

At the same time, I'm getting many more email messages with viruses attached: approximately 10 per day are blocked by my ISP's antivirus gateway, but I've also received and blocked about 2-3 per day at my desktop.

How do these compare with your spam and worm figures?

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID278 by Dave Piscitello  


Fri, 25 Jun 2004 00:00:00 00, 273
Spam and identity theft prove a costly tandem

Everyone who hates spam has to be delighted over the conviction and sentencing of Howard Carmack, the Buffalo Spammer. An Erie County, NY judge sentenced this low-life to 3.5-7 years for identity theft. How do I know he's a low-life? Well, the judge whacked him with a maximum sentence because he had prior felony convictions (fraud, money order forgery). Howard will keep busy in prison working to pay part of the $16 million judgment awarded to Earthlink in an earlier civil suit.

So how's your spam count this month? Mine's down. While I'm not optimistic that these rulings will slow spam over the long term, it's nice to simply see less for a change. It's also nice to see justice served.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID273 by Dave Piscitello  


Wed, 26 May 2004 00:00:00 00, 256
Legislation and spyware

Before legislators (e.g., the FTC) can issue a regulation prohibiting a behavior or act, they must define that behavior and act. Many security professionals and attorneys worry that defining the behaviors and acts that constitute spam and spyware will provide "operating space" for spammers, trackers, pests, and spies. Specifically, if we define what constitutes inappropriate (sneaky) commercial applications of software delivery; secret information collection (tracking); and what Steve DelBianco aptly calls resisting removal behavior in software, we also define a sandbox in which developers can create intrusive applications that look and feel like spyware, and cookies that track user behavior, but operate within the definition of the law.

As DelBianco correctly asserts in his column, spyware is the quintessential 21st century bad business practice. He speculates, and I concur, that additional legislation may do more harm, where enforcement of existing laws prohibiting unfair and deceptive business practices may do more good. Bad business behavior is bad whether in the virtual or real world.

In the real world, we invite and consent to the installation of satellite dishes, cable TV and telephone connections and wiring in our homes and offices. We consent to security monitoring by a certified alarm company. Most of us would be outraged to find that surveillance cameras, recording devices, and microphones to collect information regarding our lifestyles would accompany the installation of any of these services. We expect to maintain control over who comes and goes in our homes and offices, and what they do while they are present on our property. It's not unreasonable for us to seek the same control over our computers, handhelds, and mobile phones. Spyware strips us of such controls.

The issue runs deeper than whether a cookie or music player application records the web pages I've visited and music I choose. It's a matter of trust versus violation of trust. Distinguishing spyware from adware from acceptable cookie and tracking ware isn't nearly so much a matter of technology as it is of trust.

I believe that legitimate adware, supportware, cookie, and tracking technology should provide:

  • notice of installation;

  • a description of all the activities it will perform and anticipated resource utilization;

  • a description of the kinds of advertisements it will display, and manner of display;

  • full disclosure of any information it will collect, the purpose of collection, and the parties to whom the information will be disclosed;

  • a local log function that provides the user with the means to corroborate these claims; and

  • a clean, non-resistant removal procedure.

Most importantly, all software should have opt-in installation and features selection facilities.

For example, a good business offers a free version of a media player with the following conditions stated during installation: (1) the user accepts entertainment-oriented ads; (2) the user agrees to the company gathering information limited to music titles and artists, movie titles, directors, producers, and actors, and play frequency; and (3) the company is permitted to sell this information, along with the user's name and address, to entertainment companies for the purpose of direct advertising. If the user declines (opts out), the media player will not install unless the user pays for and registers the product. The company gets something from you, and you get a media player from the company.

Notice that the music player is not "free"; it's using your CPU, memory, and bandwidth to profit by information it collects and ads it presents to you. Consider this real world analogy, illustrating a bad business practice. You purchase aspirin at Jocko's drug store, and have it delivered. Jocko's delivery van arrives, and three workers mount a neon "End Erectile Dysfunction now: buy vi@gr@ at Jocko's Drugstore" sign on your bedroom window, then use your electricity to power the darn thing. Meanwhile, Jocko's delivery boy rifles through your medicine cabinet, recording all your prescriptions. This is an unacceptable business practice. Many spywarez operate in exactly this manner. In the real world, we'd contact the Better Business Bureau or perhaps the police, and haul Jocko to court. We'd take advantage of existing laws and similar codes of practice enforced in countries throughout the world to hold Jocko accountable for unfair and deceptive business practices.

Before we begin writing new laws for spyware, let's see how much of the spyware cesspool we can clean up applying the laws we already have.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID256 by Dave Piscitello  


Fri, 07 May 2004 00:00:00 00, 247
Anatomy of a Phishing Expedition

Phishing must be a hot topic. Gartner says it is, so it must be so: you know how much stock I put in what Gartner says.

No matter. Phishing is a pretty serious problem, but it really is an ailment we can manage with education rather than technology. I've written a complementary article to the Recognizing and responding to spoof email messages I wrote for LOOP earlier this week. Read Anatomy of a Phishing Expedition.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID247 by Dave Piscitello  


Tue, 04 May 2004 00:00:00 00, 244
Recognizing and responding to spoof email messages

I recently received a suspicious email, purportedly from eBay, requesting that I log into a web page to verify my account information. If you're curious how I and my partner, Lisa Phifer, examine email messages to determine if they are valid or bogus, read my Loop column, Recognizing and responding to spoof email messages.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID244 by Dave Piscitello  


Fri, 23 Apr 2004 00:00:00 00, 236
Antispam: Show me the gateway!

I've written an editorial for LOOP describing my further conclusions regarding the value of antispam gateways versus antispam desktop products.

The article is posted at loop.interop.com.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID236 by Dave Piscitello  


Tue, 20 Apr 2004 00:00:00 00, 232
Antispam: How complementary are Gateway and Desktop Measures?

I tracked spam arrival and disposition over a two-week period (April 3 - 16). I was curious whether I could increase the efficacy of my antispam measures by complementing the Postini service my ISP offers with a desktop antispam product.

My Postini configuration is basically the default settings. The service works well enough for me that I've only had to add 5 whitelist addresses, and I don't bother at all with the blacklist. I randomly chose a desktop antispam plug-in for Eudora and left it, too, at default settings.

From April 3 through 16, Postini correctly detected and blocked 4858 out of a total of 4906 spam messages, an admirable 99% efficiency. Postini incorrectly blocked 10 messages as spam. Of these, four were from the same, legitimate maillist source, and two were from friends with a propensity for profanity. Two whitelist entries would make Postini outstanding for my spam handling.

Of the 48 spam that were delivered to my desktop, only 26 were blocked by the antispam product I selected. Granted, I did not tune the product at all, but the results are still disappointing. Even more disappointing is how dependent on whitelisting the desktop antispam product was. Until I added three maillist addresses, ~50 legitimate messages per day were tagged as spam. Even with the whitelist entries, Antispam/MAX tagged an additional 35 messages as spam.

There's no commercial market for this kind of user involvement, especially if users can rely on an antispam gateway for highly dependable spam processing. I'll stick with Postini and uninstall the plug-in.

My wife has a Yahoo! pop3 account, and so cannot make use of my Postini service. To help her manage spam, I've since looked into two other products: SpamAssassin for Windows, and Mailwasher. SpamAssassin is a very popular and highly regarded open source tool, and my *NIX friends recommend it. But anything that requires the average consumer to install PERL and compile is just too much trouble no matter how simple the configuration might be.

Mailwasher is more intuitive, according to my non-technical wife. Mailwasher checks email while it's still at the server. It fetches mail headers, and you select any or all of three dispositions (Delete, Bounce, Blacklist). If you are uncertain, you can preview the message. Click "Process Mail" and it acts according to the dispositions you selected. Click "Mail Program" and it launches the default mail client. You right-mouse click to add email addresses to your white list. If you are a gearhead, you can go fiddle with options, but the KISS principle seems to work just fine here. We'll use Mailwasher for a few weeks and report again.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID232 by Dave Piscitello  


Wed, 07 Apr 2004 00:00:00 00, 229
Unsolicited commercial mail - from antispam vendors

This is a disturbing trend. I've received three email messages recently from companies offering an antispam solution. What's amusing is that all three messages made it through my ISP's Antispam gateway and the desktop Antispam plug-in I'm testing in Eudora. So the question is, "If the folks who write Antispam products are clever enough to mask their messages, what faith should we have that any product will ever be 'five nines' effective?"

Perhaps I'm overreacting: Death2SPAM may have purchased my email address from a site that shills email addresses for a living.

I'm ambivalent about Antispam legislation, since I don't think such laws are enforceable. I'd be satisfied with a default "opt out" policy at every web presence that collects an email address.

Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID229 by Dave Piscitello  


Wed, 03 Dec 2003 00:00:00 00, 174
SPAM and Anti-SPAM: MOTS

More of the same. Yet another game of cat-and-mouse.

Just prior to Comdex, I was dismayed that the efficiency of my antispam measures had seemingly collapsed. Spammers were obfuscating words by using special characters, as in p0rn.graphy and fr33 s3x.

Pornography and other undesirable email was slipping through my ISP's spam gateway at an alarming rate.

What's alarming?

I receive 300-400 spam messages per day, a consequence of having my email associated with so many web pages where I've published articles online. Until late October, my spam gateway was catching over 97% of the spam (I know this because every 2 weeks, I visit my quarantine area, and I keep a rough count of spam that arrives, and calculate "efficacy"). Suddenly, I'm receiving 30 or so spam per day, which is a drop in efficiency of nearly 10%.

Two weeks and a gateway update from Postini later, my spam gateway efficiency is at 97%.

Cat and mouse, or chess if you choose.

Spammers analyze how antispam software is detecting their activity, and adjust their techniques accordingly. Antispam software vendors study the new "attack" and adjust accordingly.
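The obfuscation described above (p0rn.graphy, fr33 s3x) defeats literal keyword matching. As an added example, not from the original post and not Postini's code, this Python snippet normalises look-alike characters and intra-word separators and then tolerates a single edit when matching, so a dropped letter no longer hides the word; the sample messages and the watch list are constructed.

```python
import re

# Constructed samples modelled on the obfuscation the post describes ("p0rn.graphy", "fr33 s3x").
SAMPLE_MESSAGES = {
    "obfuscated": "Hot p0rn.graphy and fr33 s3x, cheap vi@gr@ inside!!",
    "plain": "Pornography and free sex offers, viagra too",
    "clean": "Agenda for Thursday's 3pm meeting attached",
}

# Watch terms in normalised form (a constructed list; a real filter scores a whole corpus).
WATCH_TERMS = ("pornography", "free sex", "viagra")

# Digit/symbol substitutions spammers used to slip past literal keyword matching.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "|": "l"})


def naive_match(text):
    """Literal substring match: what a simple keyword filter of the era did."""
    low = text.lower()
    return [t for t in WATCH_TERMS if t in low]


def normalise(text):
    """Undo look-alike characters and separators inserted inside words."""
    t = text.lower().translate(LEET_MAP)
    t = re.sub(r"(?<=[a-z])[.\-_*']+(?=[a-z])", "", t)  # p0rn.graphy -> porngraphy
    t = re.sub(r"[^a-z ]+", " ", t)                     # everything else is a word break
    return re.sub(r" +", " ", t).strip()


def levenshtein(a, b):
    """Edit distance via the standard dynamic-programming recurrence (one row kept)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_terms(text, max_edits=1):
    """Match watch terms against the normalised text, tolerating a dropped or swapped letter."""
    words = normalise(text).split()
    hits = []
    for term in WATCH_TERMS:
        n = len(term.split())  # multi-word terms are matched over a sliding window of n words
        for k in range(len(words) - n + 1):
            if levenshtein(" ".join(words[k:k + n]), term) <= max_edits:
                hits.append(term)
                break
    return hits


if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(f"{label:10s} naive={naive_match(msg)} normalised={find_terms(msg)}")
```

The edit tolerance is the part that needs tuning: one edit on a six-letter term is already generous, and false positives on short legitimate words are the cost the post's "cat and mouse" trade-off imposes on the defender.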

So... are both sides making enough money for this to go on ad infinitum?

Archived at http://www.securityskeptic.com/arc20031201.htm#BlogID174 by Dave Piscitello  


Tue, 18 Nov 2003 00:00:00 00, 166
Anti-SPAM, DDOS Prevention, ... - Can't we do better than react?

Dr. Paul Judge posted a very interesting view about SPAM at ComDex Loop, The Ins and Outs of SPAM Defense.

Does anyone find it frustrating that we can only react to SPAM and not block it at the source? Like DOS attacks and network level probes, we are completely hamstrung by our inability to enforce and validate traffic sources: at the IP address level as well as the application level, we are too willing to deal with "garbage in" rather than isolating sources and pruning/blocking them.

Yes, source (address) validation is a very difficult problem. But if we choose to ignore it or concede it's hopeless, then we will forever be locked in a game of network cat and mouse.

Archived at http://www.securityskeptic.com/arc20031101.htm#BlogID166