<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories filed under &quot;malware&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories filed under &quot;malware&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Thu, 17 Jan 2013 20:17:22 PST</pubDate>
<title>Australia's Spies Want To Put Members Of The Public At Risk By Using Them To Pass On Malware to Suspected Terrorists</title>
<dc:creator>Glyn Moody</dc:creator>
<link>http://www.techdirt.com/articles/20130116/09390921703/australias-spies-want-to-put-members-public-risk-using-them-to-pass-malware-to-suspected-terrorists.shtml</link>
<guid>http://www.techdirt.com/articles/20130116/09390921703/australias-spies-want-to-put-members-public-risk-using-them-to-pass-malware-to-suspected-terrorists.shtml</guid>
<description><![CDATA[ <p>Last year we wrote about the German police using malware to <a href="https://www.techdirt.com/articles/20121009/08281520662/german-govt-inadvertently-reveals-police-monitor-gmail-skype-facebook-use-snooping-malware.shtml">spy</a> on members of the public.  Now <a href="http://www.news.com.au/technology/spy-agency-asio-wants-powers-to-hack-into-personal-computers/story-e6frfro0-1226552661701">ASIO, Australia's national secret service, has come up with a new variant on the idea</a>:

<i><blockquote>A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to ''use a third party computer for the specific purpose of gaining access to a target computer''.</blockquote></i>

The problem seems to be that even suspected terrorists are getting the hang of this security stuff:

<i><blockquote>The department said technological advances had made it ''increasingly difficult'' for ASIO to execute search warrants directly on target computers, ''particularly where a person of interest is security conscious.''</blockquote></i>

So the idea seems to be to infect the computer of someone that the alleged terrorists know, and then use that trusted link to pass on malware:

<i><blockquote>Australians' personal computers might be used to send a malicious email with a virus attached, or to load ''malware'' onto a website frequently visited by the target.</blockquote></i>

That probably seemed like a really clever ruse to the people who thought it up, but it overlooks some basic flaws.
</p><p>
First, once ASIO has taken control of an intermediary's computer, it can do anything -- including poking around to see what's there.  After all, if intermediaries are known to suspected terrorists, it's possible that they too might be terrorists.  
</p><p>
The authorities are insisting that the warrant to break into somebody's computer would not authorize ASIO to obtain "intelligence material" from it.  But you don't have to be clairvoyant to predict that at some point in the future, "exceptional" circumstances will be invoked to justify doing precisely that: once security services start down a slippery slope, they never seem to be able to stop.
</p><p>
Secondly, as <a href="http://www.ccc.de/en/updates/2011/staatstrojaner">the German experience shows</a>, if a computer has been compromised by malware in this way, it's not just the government agencies that can take control: anyone who has obtained the malware and analyzed it will be able to look for ways to send their own instructions.  That could leave innocent members of the public vulnerable to privacy breaches and economic losses that would be directly attributable to the spy agency's digital break-in.
</p><p>
Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware.  If they notice and really are ruthless terrorists, they might decide to take revenge on that person and his or her immediate circle of family and friends.  Either the Australian spy agency hasn't really thought this through, or it is being extremely cavalier with the lives of the members of the public it is supposed to protect.
</p><p>
Follow me @glynmoody on <a href="http://twitter.com/glynmoody">Twitter</a> or <a href="http://identi.ca/glynmoody">identi.ca</a>, and on <a href="https://plus.google.com/100647702320088380533">Google+</a></p>
 ]]></description>
<slash:department>not-thinking-it-through</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130116/09390921703</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 10 Oct 2012 03:02:05 PDT</pubDate>
<title>German Gov't Inadvertently Reveals Police Monitor Gmail, Skype, Facebook &#038; Use Snooping Malware</title>
<dc:creator>Glyn Moody</dc:creator>
<link>http://www.techdirt.com/articles/20121009/08281520662/german-govt-inadvertently-reveals-police-monitor-gmail-skype-facebook-use-snooping-malware.shtml</link>
<guid>http://www.techdirt.com/articles/20121009/08281520662/german-govt-inadvertently-reveals-police-monitor-gmail-skype-facebook-use-snooping-malware.shtml</guid>
<description><![CDATA[ <p>Transparency is worth having for itself, since governments often tend to behave a little better when they know that someone is watching.  But occasionally, requests for data turn up something big and totally unexpected because someone failed to notice quite what the information provided implies.
</p><p>
Here's a great example spotted by the annalist blog, which reports on <a href="http://annalist.noblogs.org/post/2012/10/03/german-police-monitors-skype-googlemail-and-facebook-chat/">a parliamentary enquiry about expenditures by the German Federal Ministry of the Interior</a>, responsible for internal security.  What was probably thought to be no more than a few dozen pages of boring and thus safe figures turned out to reveal something quite shocking:

<i><blockquote>The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers [used for "man-in-the-middle" attacks on mobile phones] used by German police.</blockquote></i>

It's been known for a year that the <a href="http://www.ccc.de/en/updates/2011/staatstrojaner">German police forces have been using malware to spy on citizens via their computers</a>, but the latest revelations about surveillance activity go far beyond that.  It confirms that even in countries where people are very <a href="http://www.techdirt.com/articles/20120816/01462020069/germany-tells-facebook-to-destroy-face-recognition-database.shtml">sensitive</a> about privacy, Internet snooping by the police is routine.  It also emphasizes, once more, the importance of encrypting your communication channels where possible, and avoiding those where it isn't.
</p><p>
</p>
 ]]></description>
<slash:department>did-we-really-tell-them-that?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20121009/08281520662</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 5 Oct 2012 19:39:00 PDT</pubDate>
<title>Creepy Smartphone Malware Re-creates Your Home For Stalkers</title>
<dc:creator>Glyn Moody</dc:creator>
<link>http://www.techdirt.com/blog/wireless/articles/20121002/07565720570/creepy-smartphone-malware-re-creates-your-home-stalkers.shtml</link>
<guid>http://www.techdirt.com/blog/wireless/articles/20121002/07565720570/creepy-smartphone-malware-re-creates-your-home-stalkers.shtml</guid>
<description><![CDATA[ <p>It's become something of a clich&eacute; that anyone with a mobile phone is carrying a tracking device that provides detailed information about their location.  But things are moving on, as researchers (and probably others as well) explore new ways to subvert increasingly-common smartphones to gain other revealing data about their users. Here's a rather clever use of <a href="http://arxiv.org/abs/1209.5982">malware to turn your smartphone into a system for taking clandestine photos</a> -- something we've seen before, of course, in <a href="http://www.techdirt.com/articles/20100218/1056378228.shtml">other</a> <a href="http://www.techdirt.com/articles/20120926/08122920517/pc-rental-companies-agree-to-not-watch-you-have-sex.shtml">contexts</a> -- but which then goes even further by stitching them together to form a pretty accurate 3D model of your world:

<i><blockquote>This paper introduces a novel visual malware called PlaceRaider, which allows remote attackers to engage in remote reconnaissance and what we call virtual theft. Through completely opportunistic use of the camera on the phone and other sensors, PlaceRaider constructs rich, three dimensional models of indoor environments.</blockquote></i>

The use of 3D reconstructions overcomes a potential problem with ordinary spyware: there's often too much data whose significance is unclear.  That makes finding anything interesting hard.  The solution here is to combine all the data into a unified, virtual reconstruction that can then be navigated by snoopers looking for significant items just as they might if they were rooting through your physical space.
</p><p>
The full academic paper "<a href="http://arxiv.org/pdf/1209.5982v1">PlaceRaider: Virtual Theft in Physical Spaces with Smartphones</a>" (pdf) makes for fascinating reading, even if it doesn't seem to understand the difference between "theft" and "surveillance".  It includes the following rather fanciful description of how this 3D-spying capability might be used.  It's rather over the top, but it gives an idea of what's theoretically possible:

<i><blockquote>Alice does not know that her Android phone is running a service, PlaceRaider, that records photos surreptitiously, along with orientation and acceleration sensor data. After on-board analysis, her phone parses the collected images and extracts those that seem to contain valuable information about her environment. At opportune moments, her phone discretely transmits a package of images
 to a remote PlaceRaider command and control server.
<br /><br />
Upon receiving Alice's images, the PlaceRaider command and control server runs a computer vision algorithm to generate a rich 3D model. This model allows Mallory, the remote attacker, to immerse herself easily in Alice's environment. The fidelity of the model allows Mallory to see Alice's calendar, items on her desk surface and the layout of the room. Knowing that the desktop surface might yield valuable information, Mallory zooms into the images that generated the desktop and quickly finds a check that yields Alice's account and routing numbers along with her identity and home address. This provides immediate value. She also sees the wall calendar, noticing the dates that the family will be out of town, and ponders asking an associate who lives nearby to 'visit' the house while the family is away and 'borrow' the iMac that Mallory sees in Alice's office.</blockquote></i>

Well, maybe not.  But what's more interesting is the way that smartphone malware is able to gather enough information to allow the detailed reconstruction of complex spaces. The paper includes some impressive 3D reconstructions from apparently random images that have been stitched together.  These and the research project that produced them are a salutary reminder that useful as they are, smartphones also bring with them new dangers that need to be considered and, ultimately, addressed.
<center>
<a href="http://imgur.com/fY4OY"><img src="http://i.imgur.com/fY4OY.png" width=560 /></a>
</center>
</p>
 ]]></description>
<slash:department>whose-side-are-you-on?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20121002/07565720570</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 11 Jul 2012 09:25:00 PDT</pubDate>
<title>NSA Chief Says NSA Doesn't Need Access To Your Info... As Whistleblowers Say They're Already Getting It</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</link>
<guid>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</guid>
<description><![CDATA[ The American Enterprise Institute (AEI) recently held <a href="http://www.aei.org/events/2012/07/09/cybersecurity-and-american-power/" target="_blank">an event about cybersecurity and cybersecurity legislation</a>.  The keynote speech was from NSA boss General Keith Alexander.  He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA to access private content from service providers -- much of which, reports claim, they're <a href="http://www.techdirt.com/articles/20120317/00381118147/terrifying-look-into-nsas-ability-to-capture-analyze-pretty-much-every-communication.shtml">already capturing</a> and storing.  Alexander has claimed that the NSA <a href="http://www.techdirt.com/articles/20120321/10182618184/nsa-insists-it-doesnt-have-ability-to-spy-american-emails-texts-etc.shtml">doesn't</a> have "the ability" to spy on American emails and such, and reiterates that claim during the Q&#038;A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read).  That's nice for him to say, but so many people with knowledge of the situation claim the opposite.
<br /><br />
In fact, in a story that has received almost no attention, the EFF was able to get <a href="https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program" target="_blank">three whistleblowers to speak out on the NSA's massive spying infrastructure</a>:
<blockquote><i>
In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&#038;T facility in San Francisco first disclosed by retired AT&#038;T technician Mark Klein in early 2006.
</i></blockquote>
So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation.  You can watch the full video below, if you'd like:
<center>
<object id="flashObj" width="480" height="270" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0"><param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><embed src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" bgcolor="#FFFFFF" flashVars="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" base="http://admin.brightcove.com" name="flashObj" width="480" height="270" seamlesstabbing="false" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" swLiveConnect="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed></object>
</center>
Much of what he talks about online involves basic malware and hack attacks.  These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on?  His "quote" line is that these attacks represent the "greatest transfer of wealth in history."  That is a pretty broad statement, and there's almost no evidence to support it.  He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs."   Also, seriously?  The "greatest transfer of wealth in history"?  Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade?  Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess?  That doesn't pass the laugh test.
<br /><br />
He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info).  In fact, according to a much more believable study, the real risks are <b>not</b> outside threats and hackers, but <a href="http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/" target="_blank">internal security screwups</a> and disgruntled inside employees.  None of that requires NSA help.  At all.
<br /><br />
But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.
<br /><br />
Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA <b>neither needs nor wants</b> most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):
<blockquote><i>
One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed.  <b>It doesn't require the government to read their mail</b> -- or your mail -- to do that.  It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time.  And it has to be at network speed if you're going to stop it. 
<br /><br />
 It's like a missile, coming in to the United States.... there are two things you can do.  We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?"  Now, cyber is at the speed of light.  I'm just saying that perhaps we ought to go a little faster.  We probably don't want to use snail mail.  Maybe we could do this in real time.  And come up with a construct that you and the American people know that <b>we're not looking at civil liberties and privacy</b>, but we're actually trying to figure out when the nation is under attack and what we need to do about it.
<br /><br />
Nice thing about cyber is that everything you do in cyber, you can audit.  With 100% reliability.  Seems to be there's a great approach there. 
</i></blockquote>
Now all that's interesting, because if that's true, then why is he supporting legislation that would <b>override any privacy rules</b> that protect such info?  If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information?  He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:
<blockquote><i>
The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.
</i></blockquote>
So make that <i>explicit</i>.  Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight <i><b>what kind of information sharing is blocked right now</b></i> and why it's blocked?  Is it because of ECPA regulations?  Something else?  <i>What's the specific problem</i>?  Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info.  And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.
<br /><br />
So, this speech is difficult to square up with that reality.  If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed?  It seems like a pretty straightforward question... though one I doubt we'll get an answer to.  Ever.  At least not before cybersecurity legislation gets passed.
 ]]></description>
<slash:department>cyber-security?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120711/01291419657</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 27 Jun 2012 00:31:00 PDT</pubDate>
<title>Trojan Author Includes Integrated Chat, Challenges Security Researchers Digging Through His Code</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120622/01175719425/trojan-author-includes-integrated-chat-challenges-security-researchers-digging-through-his-code.shtml</link>
<guid>http://www.techdirt.com/articles/20120622/01175719425/trojan-author-includes-integrated-chat-challenges-security-researchers-digging-through-his-code.shtml</guid>
<description><![CDATA[ Here's a fascinating story, found via <a href="http://boingboing.net/2012/06/21/malware-author-taunts-security.html?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29" target="_blank">Boing Boing</a>, of some malware (a password stealing trojan targeting <i>Diablo III</i> players) that included some sort of integrated chat function, which the researchers at AVG only noticed <a href="http://blogs.avg.com/news-threats/chatted-hacker-virus/" target="_blank">when the hacker reached out to them while they were searching through his code</a>.  Imagine their surprise when up popped a dialog box asking them what they were doing:
<center><i>
Hacker: What are you doing? Why are you researching my Trojan?
<br /><br />
Hacker: What do you want from it?
</i>
<br /><br />
<a href="http://imgur.com/KEkZY"><img src="http://i.imgur.com/KEkZY.jpg" width=400 /></a>
</center>
<br />
The AVG folks continued to chat with the guy for a little while, which is how they realized just how powerful the trojan was and how much it could do.  The guy controlling it demonstrated this to them by remotely shutting down their machine after talking to them for a little while.
 ]]></description>
<slash:department>paying-attention</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120622/01175719425</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 5 Jun 2012 05:05:00 PDT</pubDate>
<title>This Is Reporting? Fox News Ties Flame Malware To Angry Birds Because Both Use Lua</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120604/04382119189/this-is-reporting-fox-news-ties-flame-malware-to-angry-birds-because-both-use-lua.shtml</link>
<guid>http://www.techdirt.com/articles/20120604/04382119189/this-is-reporting-fox-news-ties-flame-malware-to-angry-birds-because-both-use-lua.shtml</guid>
<description><![CDATA[ We're often told that the big media companies need to be saved because of all the important expensive reporting work they do.  And then we see something absolutely ridiculous, such as Fox News <a href="http://www.foxnews.com/scitech/2012/05/30/powerful-flame-cyberweapon-tied-to-powerfully-angry-birds/" target="_blank">linking the infamous Flame malware to Angry Birds</a>... because both use the Lua computing language (found via <a href="http://idle.slashdot.org/story/12/06/01/2124204/fox-news-ties-flame-malware-to-angry-birds?utm_source=slashdot&utm_medium=twitter" target="_blank">Slashdot</a>):
<center>
<a href="http://imgur.com/xWbvu"><img src="http://i.imgur.com/xWbvu.png" width=560 /></a>
</center>
<br />
This is, of course, a completely pointless linkage, which seems to serve no purpose whatsoever, other than (perhaps) to attract the attention of those who are obsessed with Angry Birds (an admittedly large group of people).  But just because two programs are written in the same language, it doesn't mean... well, it doesn't mean <i>anything</i> of importance whatsoever.  Instead, it just seems like Fox News and its "Chief Intelligence Correspondent" Catherine Herridge needed to fill some space and came up with something entirely pointless.  But, you know, we need those big professional news companies because of deep, hard-hitting stories like this one.
 ]]></description>
<slash:department>wow</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120604/04382119189</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 4 Jun 2012 19:37:00 PDT</pubDate>
<title>Flame Malware Signed By 'Rogue' Microsoft Cert, Once Again Highlights Problems With Relying On Certs</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120604/04301819188/flame-malware-signed-rogue-microsoft-cert-once-again-highlights-problems-with-relying-certs.shtml</link>
<guid>http://www.techdirt.com/articles/20120604/04301819188/flame-malware-signed-rogue-microsoft-cert-once-again-highlights-problems-with-relying-certs.shtml</guid>
<description><![CDATA[ We've discussed in the past just how <a href="http://www.techdirt.com/articles/20110830/13243615741/evidence-suggests-diginotar-who-issued-fraudulent-google-certificate-was-hacked-years-ago.shtml">dangerous</a> our reliance on Certificate Authorities "signing" security certificates has become.  This is a key part of the way we handle security online, and yet it's clearly subject to abuse.  The latest such example: the now infamous Flame malware that targeted computer systems in the Middle East <a href="http://arstechnica.com/security/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/" target="_blank">was signed by a "rogue" Microsoft certificate</a> -- one which was supposed to be used for allowing employees to log into a remote system.  Microsoft <a href="http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx?Redirected=true" target="_blank">rushed out a security update</a> over the weekend, but that doesn't change the core problem: the whole setup of relying so heavily on secure certificates seems to be increasingly dangerous.
 ]]></description>
<slash:department>time-to-move-forward</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120604/04301819188</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 4 Jun 2012 16:29:00 PDT</pubDate>
<title>F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml</link>
<guid>http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml</guid>
<description><![CDATA[ With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining <a href="http://www.wired.com/threatlevel/2012/06/internet-security-fail/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A wired27b %28Blog - 27B Stroke 6 %28Threat Level%29%29" target="_blank">why various security firms totally missed Flame</a> (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010.  What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
<blockquote><i>
What this means is that all of us had missed detecting this malware for two years, or more. That&#8217;s a spectacular failure for our company, and for the antivirus industry in general.
</i></blockquote>
It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East).  Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
<blockquote><i>
The truth is, consumer-grade antivirus products can&#8217;t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn&#8217;t be detected. They have unlimited time to perfect their attacks. It&#8217;s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
<br /><br />
Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization&#8217;s network.
</i></blockquote>
He later concludes: "We were out of our league, in our own game."
<br /><br />
Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains.  In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware.  But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.<br /><br /><a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>cat-and-mouse</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120604/04493919190</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 17 Jun 2011 12:57:41 PDT</pubDate>
<title>New Malware Targets Bitcoins To Steal</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110617/04170414728/new-malware-targets-bitcoins-to-steal.shtml</link>
<guid>http://www.techdirt.com/articles/20110617/04170414728/new-malware-targets-bitcoins-to-steal.shtml</guid>
<description><![CDATA[ It's been fascinating to watch the back and forth <a href="http://www.techdirt.com/articles/20110420/02412713972/can-bitcoin-really-succeed-long-term.shtml">discussions</a> about Bitcoin.  The big story recently was the supposed <a href="http://arstechnica.com/tech-policy/news/2011/06/bitcoin-the-decentralized-virtual-currencyrisky-currency-500000-bitcoin-heist-raises-questions.ars" target="_blank">"theft" of $500,000 worth of Bitcoins</a>.  But, perhaps a lot more interesting is the report of <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2011-061615-3651-99&#038;tabid=2" target="_blank">new malware specifically targeting Bitcoins</a>.  The malware specifically looks for a Bitcoin wallet, which it then looks to email to a specific server.  Among the many concerns people have raised about Bitcoins, this one hadn't received that much attention earlier, but could potentially scare a lot of people.  The lack of traceability is one of the selling points, but it also has a downside in these types of situations.<br /><br /><a href="http://www.techdirt.com/articles/20110617/04170414728/new-malware-targets-bitcoins-to-steal.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110617/04170414728/new-malware-targets-bitcoins-to-steal.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110617/04170414728/new-malware-targets-bitcoins-to-steal.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>if-your-money-needs-malware-protection</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110617/04170414728</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 7 Mar 2011 21:56:00 PST</pubDate>
<title>Copyright Pre-Settlement Virus A Lucrative Scam</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110307/04375913384/copyright-pre-settlement-virus-lucrative-scam.shtml</link>
<guid>http://www.techdirt.com/articles/20110307/04375913384/copyright-pre-settlement-virus-lucrative-scam.shtml</guid>
<description><![CDATA[ With all of the highly questionable pre-settlement lawsuits out there demanding cash from people to avoid a lawsuit for copyright infringement, we've heard of a few different scams designed to use the same tactics: accuse someone of copyright infringement and demand cash to avoid a lawsuit... even if the operation demanding cash has nothing to do with the copyright holder.  One recent example of this was a bit of malware that, once installed on a computer, would generate fake infringement warnings from the RIAA/MPAA, demanding cash settlements.  <a href="http://torrentfreak.com/leaked-docs-show-results-of-fake-riaampaa-bittorrent-scam-110305/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29" target="_blank">TorrentFreak</a> points us to a report from Brian Krebs who got his hands on some documents from ChronoPay, the operation that was used to handle the payments in this scam, showing <a href="http://krebsonsecurity.com/2011/03/chronopays-scareware-diaries/" target="_blank">just how lucrative the scam has been</a>.  The documents only cover the past two months, but in that time, 580 people paid up, handing over $283,000 to scammers.  Of course, this is only marginally less legit than the standard shakedown from various lawyers who are working with the copyright holders.  But, the success of these scammers' operations is almost certainly driven in part by the success and press coverage of those lawyers who are sending out those mass pre-settlement letters.  People are hearing about this and thinking any such threat is legitimate, even when it's a pure scam.  Of course, this means you should only expect to start receiving plenty more such scam requests, demanding you pay up to avoid a lawsuit.  
Kinda makes you wonder if it will make the "actual" letters sent by copyright holders less effective as people just assume they're scam letters.<br /><br /><a href="http://www.techdirt.com/articles/20110307/04375913384/copyright-pre-settlement-virus-lucrative-scam.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110307/04375913384/copyright-pre-settlement-virus-lucrative-scam.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110307/04375913384/copyright-pre-settlement-virus-lucrative-scam.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>scammers-love-a-new-scam</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110307/04375913384</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 23 Aug 2010 08:22:34 PDT</pubDate>
<title>Is Malware To Blame For Plane Crash That Killed 154?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100823/00510610722.shtml</link>
<guid>http://www.techdirt.com/articles/20100823/00510610722.shtml</guid>
<description><![CDATA[ As someone who flies all too frequently, I'd be lying if I said I wasn't a bit spooked by a report that the Spanair flight 5022 crash from two years ago <a href="http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001" target="_blank">may have been caused -- at least in part -- by malware</a> on a computer that failed to detect three technical problems.  Apparently, the computer which monitored those things got some sort of trojan horse, and may have failed to set off the necessary alarms because of this.  As for how the computer got infected... it sounds like investigators still are not sure, but someone sticking in an infected USB stick or some other remote network connection seems like the most likely culprit.  Of course, the reports seem woefully lacking in details.  It's unclear how a trojan would block some software from alerting the crew that there was a problem with the aircraft.  Honestly, the report seems to raise a lot more questions than it answers, and if it's actually true, it makes me wonder why we're relying on software that can be disabled via some random malware to watch for life-and-death safety issues on airplanes...<br /><br /><a href="http://www.techdirt.com/articles/20100823/00510610722.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20100823/00510610722.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20100823/00510610722.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>were-they-flying-WindowsAir?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100823/00510610722</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 4 Aug 2010 00:19:52 PDT</pubDate>
<title>Ad Scammers Getting Harder To Spot</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100803/02411810468.shtml</link>
<guid>http://www.techdirt.com/articles/20100803/02411810468.shtml</guid>
<description><![CDATA[ When we've <a href="http://www.techdirt.com/articles/20100306/1649198451.shtml">discussed adblockers</a> in the past, one important point that many people have raised is the growing likelihood of scammers "buying" ads as a method of distributing malware through popular sites.  Apparently, that business of "malvertising" is getting more and more popular... and more and more sophisticated.  <a href="http://twitter.com/joshin4colours/status/20189883250" target="_blank">Joshin4colours</a> points us to a story about a <a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&#038;art_aid=133004" target="_blank">super sophisticated "malvertiser"</a> who went to great lengths to appear legit.  In another discussion about that case, it's suggested that <a href="http://www.brandchannel.com/home/post/2010/08/02/Malvertising-Goes-Legit-Sophisticated-Scamming.aspx" target="_blank">somewhere around 50% of "self-service" advertising setups</a> may be part of some kind of scam.  I'm not sure I quite believe that number, but if the number is even half of that, it does raise questions about how online ad buying and ad placement works, and how it will work in the future.  Perhaps this will finally drive companies who insist on banner ads, rather than more effective forms of advertising/marketing, to rethink their position.<br /><br /><a href="http://www.techdirt.com/articles/20100803/02411810468.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20100803/02411810468.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20100803/02411810468.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>reasons-to-use-adblock</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100803/02411810468</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 15 Jun 2010 06:16:03 PDT</pubDate>
<title>ISP Tries To Charge Users To Block File Sharing... Ends Up Installing Malware That Exposes Private Info</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100614/1405479807.shtml</link>
<guid>http://www.techdirt.com/articles/20100614/1405479807.shtml</guid>
<description><![CDATA[ <a href="http://twitter.com/jaimenovoa" target="_blank">Jaime Novoa</a> was the first of a few of you to point us to a series of links about how French ISP Orange has started offering a service to let subscribers pay 2 euros to <a href="http://torrentfreak.com/isp-attempts-to-block-file-sharing-ends-results-in-epic-failure-100614/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29" target="_blank">"block" file sharing services</a> on their connection.  The theory, of course, is that this service "protects" you from getting any strikes.  Of course, you could also do that for free -- by limiting yourself and encrypting your connection, but that's a separate story.  Beyond the fact that this system involves a secret blacklist that could very well block legitimate uses as well, lots of folks started digging into the service and discovered that the software in question is <a href="http://binholic.blogspot.com/2010/06/fast-analysis-of-orande-hadopi.html" target="_blank">basically malware</a> and <a href="http://translate.google.com/translate?js=y&prev=_t&hl=es&ie=UTF-8&layout=1&eotf=1&u=http://bluetouff.com/2010/06/14/hadopi-et-failware-de-securisation-orange/&sl=auto&tl=en" target="_blank">ridiculously insecure</a>, and that it more or less <a href="http://translate.google.com/translate?hl=es&sl=auto&tl=en&u=http://bandaancha.eu/articulo/7305/orange-lanza-francia-programa-anti-descargas-ilegales-graves-problemas-privacidad" target="_blank">broadcasts the private info</a> of anyone who uses it for anyone else to see.  So, not only is the program costly, limiting and useless, but it's a massive security and privacy problem as well.  
All because of three strikes/Hadopi.<br /><br /><a href="http://www.techdirt.com/articles/20100614/1405479807.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20100614/1405479807.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20100614/1405479807.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>nicely-done,-Orange,-nicely-done</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100614/1405479807</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 31 Mar 2010 04:05:00 PDT</pubDate>
<title>Scammers Using Mock Copyright Lawsuit Threats To Get People To Download Malware</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100328/2218448753.shtml</link>
<guid>http://www.techdirt.com/articles/20100328/2218448753.shtml</guid>
<description><![CDATA[ With companies like Digiprotect, Davenport Lyons and ACS:Law busy sending out <a href="http://www.techdirt.com/articles/20091125/1047377088.shtml">tens of thousands</a> of so-called pre-settlement letters that threaten people (often on very little evidence, if any) of copyright infringement, but allow them to pay up to avoid a lawsuit, is it any surprise that out-and-out scammers are jumping into the game as well?  <a href="http://www.techdirt.com/profile.php?u=b3n">Ben</a> alerts us to a warning from US-CERT of a new email scam, which involves the scammers sending out <a href="http://isc.sans.org/diary.html?storyid=8497" target="_blank">legitimate looking emails pretending to be from a law firm</a>, telling the recipients they're being sued for copyright infringement.  The details are supposedly in a file at a URL provided in the email.  When a visitor goes to that URL and downloads the file, they get malware instead.  Yes, it appears that the malware scammers are now learning from the best in the business...<br /><br /><a href="http://www.techdirt.com/articles/20100328/2218448753.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20100328/2218448753.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20100328/2218448753.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>copying-the-best-in-the-business</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100328/2218448753</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 17 Feb 2010 15:41:08 PST</pubDate>
<title>An Olympian Spammer Discovers That Reputation Is A Scarce Good You Don't Want To Destroy</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100217/1229408200.shtml</link>
<guid>http://www.techdirt.com/articles/20100217/1229408200.shtml</guid>
<description><![CDATA[ Given what the Olympics have <a href="http://www.techdirt.com/search.php?q=olympics&tid=&aid=&searchin=stories">become</a> lately, I have to admit to not paying attention to any of it so far.  I heard the news of the <a href="http://www.techdirt.com/articles/20100212/1527178155.shtml">luger's death</a>, and that's been about it.  So perhaps more people already knew about this, but apparently one of the mogul skiers has <a href="http://news.cnet.com/8301-13578_3-10454774-38.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20" target="_blank">a bit of a reputation as a spam/spyware purveyor</a>.  It sounds like the guy is now out of that business, but what's fascinating is how his reputation has been tarnished over all of this, despite winning Olympic medals.  The Canadians wouldn't let him on the team <strike>this time around</strike> years back, due to their dislike of his activities, so he switched his citizenship to Australia, and basically, it sounds like everyone hates him:
<blockquote><i>
After Begg-Smith's second place finish in Vancouver this week, one Australian news organization published <a href="http://www.theage.com.au/sport/winter-olympics/sourpuss-beggsmith-cops-flak-over-silver-20100215-o1iv.html">an article</a> calling him--in the headline, no less--a "sourpuss." Another, the Sydney Morning Herald, <a href="http://www.smh.com.au/sport/winter-olympics/why-mr-miserable-leaves-us-icy-cold-20100215-o2zy.html?autostart=1">labeled</a> the Olympic athlete as "Mr. Miserable" and speculated that he was "simply flying a flag of convenience" with no real ties to Oz.
<br /><br />
Canadians were more direct. Facebook groups such as "<a href="http://www.facebook.com/group.php?gid=345936289621&amp;ref=nf">Dale Begg-Smith is a sourpuss</a>" and <a href="http://www.facebook.com/group.php?gid=311982239094">another</a> calling him a "traitor" have popped up. Twitter <a href="http://twitter.com/#search?q=begg-smith">messages</a> after the mogul race have included "traitor," "fake Canadian and all-around jerk," plus other phrases entirely unsuitable for a family publication.
</i></blockquote>
Obviously, some of that hatred is due to him switching citizenship, but the article explains why his spamming/spyware activities are a large part of it as well (and may have resulted in the citizenship switch).  I find this interesting not just because of the Olympic angle, but because of the reputation angle.
<br /><br />
Reputation is a rather valuable "scarce good," and destroying your reputation through shady activities can come back to bite you for a long, long time, even if you do plenty of other amazing things.  Just ask <a href="http://www.techdirt.com/articles/20080529/1914021263.shtml">Metallica</a>.<br /><br /><a href="http://www.techdirt.com/articles/20100217/1229408200.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20100217/1229408200.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20100217/1229408200.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>it's-your-reputation</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100217/1229408200</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 3 Dec 2009 07:12:00 PST</pubDate>
<title>Microsoft Exec: Piracy No Longer A Threat To Us, Because Pirates Will Get Destroyed By Malware</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20091202/1521377170.shtml</link>
<guid>http://www.techdirt.com/articles/20091202/1521377170.shtml</guid>
<description><![CDATA[ Ok, perhaps the title is a bit of an exaggeration, but it certainly appears to be <a href="http://freakbits.com/microsoft-piracy-no-longer-poses-a-threat-to-us-1202?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A Freakbits %28freakbits.com%29" target="_blank">what a Microsoft exec in the Philippines implied</a> in a recent interview concerning Windows 7.  Basically, he said that using unauthorized copies of the OS was really unsafe, so doing things like online banking or other sensitive stuff on such software could put users in serious danger.  Of course, that makes you wonder what Microsoft has done to make unauthorized copies of the software so dangerous to use...<br /><br /><a href="http://www.techdirt.com/articles/20091202/1521377170.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20091202/1521377170.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20091202/1521377170.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>interesting-theory</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20091202/1521377170</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 30 Oct 2009 04:57:26 PDT</pubDate>
<title>It Doesn't Matter How Many Twitter URLs Are Malware... Only If People Are Clicking</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20091029/1723106722.shtml</link>
<guid>http://www.techdirt.com/articles/20091029/1723106722.shtml</guid>
<description><![CDATA[ Security companies love using stats to make something appear to be a bigger problem than it really is.  Take for example this claim that <a href="http://www.wired.com/threatlevel/2009/10/twitter_malware/" target="_blank">links to malware are "abundant" on Twitter</a>.  The problem is that this is totally meaningless.  Because you only see the tweets of people you follow, if spammers are putting up malware links, it only matters if anyone's following them and then clicking on the links.  The number of links that point to malware alone is meaningless, because one "spammer" could just post a ton of malware links, but that won't mean a thing if no one is following them.  The real question should be how often are people getting malware because of clicks on Twitter.  Unfortunately, that data isn't provided.<br /><br /><a href="http://www.techdirt.com/articles/20091029/1723106722.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20091029/1723106722.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20091029/1723106722.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>misleading-with-stats</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20091029/1723106722</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 31 Aug 2009 01:25:38 PDT</pubDate>
<title>Proof Of Concept Skype Wiretapping Malware Released</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20090828/1710246046.shtml</link>
<guid>http://www.techdirt.com/articles/20090828/1710246046.shtml</guid>
<description><![CDATA[ One of the <i>benefits</i> of Skype was that, due to the way it works (P2P, encrypted communications), it made it much more difficult to do any sort of wiretap.  This has <a href="http://www.techdirt.com/articles/20080127/10382079.shtml">upset</a> various <a href="http://www.techdirt.com/articles/20090217/1333293803.shtml">governments</a> who are used to having the ability to wiretap any voice communications.  However, it's never impossible.  The most obvious way is to simply create some sort of trojan that gets installed on one user's computer that has audio recording abilities -- and Symantec is going around <a href="http://www.scmagazineus.com/Skype-snooping-trojan-detected/article/147537/" target="_new">hyping up the fact that source code for just such a trojan has been released</a>.  Of course, even Symantec admits that there's no evidence of the code actually being used in the wild -- it seems more like a proof-of-concept.  On top of that, it's hardly a new idea.  Nearly a year ago, we talked about how German authorities were <a href="http://www.techdirt.com/articles/20080918/0208152302.shtml">accused</a> of using something that sounded quite similar.  Still, it is a good reminder that even if you're using an encrypted Skype call, at either end of that call, the audio is decrypted, and a well-placed recording system can capture it.<br /><br /><a href="http://www.techdirt.com/articles/20090828/1710246046.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20090828/1710246046.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20090828/1710246046.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>not-so-secret-any-more</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20090828/1710246046</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 18 Mar 2009 21:33:00 PDT</pubDate>
<title>Turns Out Diebold's ATMs Insecure As Well; Scammers Install Malware</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20090318/0127204160.shtml</link>
<guid>http://www.techdirt.com/articles/20090318/0127204160.shtml</guid>
<description><![CDATA[ Diebold is pretty well known for being in two separate, though similar, businesses: ATMs and e-voting machines.  Its e-voting machines have always had a terrible reputation, with security flaws and bugs galore (the company recently has tried to hide from all the negative publicity by renaming the e-voting division as Premier Election Solutions).  However, many people kept asking how the company could get so many things so wrong when it came to e-voting, but still get its ATMs working properly.  Of course, as has been noted in the past, the way ATMs work is <a href="http://www.techdirt.com/articles/20080524/0650161218.shtml">quite different</a>, and mistakes are likely to be spotted quickly.
<br /><br />
However, it's now coming out that Diebold's ATMs <i>also</i> have security problems.  <a href="http://it.slashdot.org/article.pl?sid=09/03/18/011229&#038;from=rss">Slashdot</a> alerts us to the news that Diebold has issued a patch after discovering that some scammers have been able to <a href="http://www.goodgearguide.com.au/article/295924/criminals_sneak_card-sniffing_software_diebold_atms" target="_new">install "card sniffing" software on a variety of Diebold ATMs</a> allowing the scammers to get all your card details.  Is that Premier Banking Solutions I hear knocking?<br /><br /><a href="http://www.techdirt.com/articles/20090318/0127204160.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20090318/0127204160.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20090318/0127204160.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>what-a-surprise</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20090318/0127204160</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 2 Feb 2009 01:32:32 PST</pubDate>
<title>One More Reason Not To Blindly Trust What A Computer Tells You</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20090201/2204123593.shtml</link>
<guid>http://www.techdirt.com/articles/20090201/2204123593.shtml</guid>
<description><![CDATA[ By now, you've probably heard the news that Google had a bit of a "glitch" this past weekend, whereby <a href="http://thelede.blogs.nytimes.com/2009/01/31/google-glitch-briefly-disrupts-worlds-search/?hp" target="_new">it warned people that <i>every single site in existence</i> (including Google) was rated as potentially dangerous</a> and could put malware on your computer. It lasted for about an hour Saturday morning, causing amused chatter around the web.  But, of course, it does highlight one key issue: whenever we end up with various "automated" warning systems, we tend to start believing what the systems tell us -- even when we know they're fallible.  It's something worth remembering -- not to say that computer models are bad, just that we almost always underestimate how much weight people put on them once they're in place, no matter how much we intuitively understand that it's just a model.<br /><br /><a href="http://www.techdirt.com/articles/20090201/2204123593.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20090201/2204123593.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20090201/2204123593.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>this-site-is-sooooooo-dangerous</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20090201/2204123593</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 24 Nov 2008 08:41:00 PST</pubDate>
<title>Connecticut Finally Drops Charges Against Julie Amero</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20081123/1804192931.shtml</link>
<guid>http://www.techdirt.com/articles/20081123/1804192931.shtml</guid>
<description><![CDATA[ In a case of what appears to unfortunately be "too little, too late," <a href="http://www.techmeme.com/081122/p28#a081122p28">Techmeme</a> points us to the news that Connecticut officials have <a href="http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html" target="_new">finally agreed to drop felony charges against Julie Amero</a>.  As you may recall, Julie Amero was a substitute teacher who was randomly surfing some webpages on a classroom computer while students were working on some projects.  On one webpage, the computer started opening a never-ending series of windows showing pornographic pictures -- symptomatic of a computer infected with some malicious spyware.  However, Connecticut police and prosecutors chose to try Amero on felony charges, threatening to put her in jail for 40 years, and getting a conviction.
<br /><br />
After numerous security experts brought attention to the case, a judge finally <a href="http://www.techdirt.com/articles/20070606/100109.shtml">granted a new trial</a>, and Connecticut police and officials <a href="http://www.techdirt.com/articles/20080710/1030551639.shtml">refused to admit a mistake</a> and still intended to try Amero.  However, as noted above, the state finally worked out an agreement with Amero, where the state dropped most of the charges, after Amero agreed to plead guilty to a single charge of disorderly conduct (a misdemeanor) and give up her teacher's license.  The article also notes that, due in part to stress from the case, Amero has been hospitalized and is in declining health.
<br /><br />
It's great that Connecticut finally decided to drop the charges, but the whole thing remains a travesty.  It's unclear what Amero did that was "disorderly conduct" or why she deserves to lose her teacher's license.  On top of that, the fact that the state still refuses to admit its mistakes in the case is a tremendous shame.  A bunch of technically illiterate folks basically destroyed this woman's life and still stand by what they did.<br /><br /><a href="http://www.techdirt.com/articles/20081123/1804192931.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20081123/1804192931.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20081123/1804192931.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>too-little-too-late</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20081123/1804192931</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 19 Aug 2008 07:49:57 PDT</pubDate>
<title>Zango May Have Worked Things Out With The FTC, But What About The MPAA?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080818/0228242005.shtml</link>
<guid>http://www.techdirt.com/articles/20080818/0228242005.shtml</guid>
<description><![CDATA[ We've pointed out for years the various questionable activities performed by adware firm Zango (or one of its earlier incarnations).  The company has gone through so many changes it's tough to follow, but every time it insists that it has somehow "cleaned up" its act, it doesn't take long for researchers to find <a href="http://www.techdirt.com/articles/20061120/105216.shtml">evidence</a> to the contrary.  For a while, the company was in hot water with the FTC for tricking people into downloading its adware.  It eventually <a href="http://www.techdirt.com/articles/20061103/112343.shtml">settled</a> with the FTC, paying a hefty fine.  These days, once again, the company insists that it's <a href="http://www.techdirt.com/articles/20080618/0038431442.shtml">reinvented</a> itself to focus on the "casual gaming market."
<br /><br />
However, that doesn't appear to be the case.  I recently saw a presentation from the company where it didn't mention casual gaming at all, but instead called itself a "publisher" of content -- though it was quite vague and evasive about just what kind of content.  Perhaps that's because it doesn't want parties like the MPAA to know.  As Ben Edelman had <a href="http://www.benedelman.org/news/052808-1.html">noticed</a> a few months ago -- and as more and more security researchers are now finding -- Zango's software is being offered up by folks who are promising <a href="http://blog.spywareguide.com/2008/08/another-site-hiding-pirate-mov.html" target="_new">fully pirated movies</a>.
<br /><br />
It makes you wonder if Zango recognizes that dealing with the MPAA may be a lot less pleasant than fighting the FTC.  Of course, maybe the MPAA recognizes that when pirated movies come with intrusive adware like Zango, it only gives pirated movies a bad name.<br /><br /><a href="http://www.techdirt.com/articles/20080818/0228242005.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080818/0228242005.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080818/0228242005.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>out-of-the-frying-pan,-into-the-fire</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080818/0228242005</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 18 Aug 2008 17:09:00 PDT</pubDate>
<title>Latest Sneaky Web Attack: Hijacking Your Clipboard To Post Spammy Links</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080818/1153372012.shtml</link>
<guid>http://www.techdirt.com/articles/20080818/1153372012.shtml</guid>
<description><![CDATA[ Spammers and scammers keep upping the game against security researchers, sometimes in creative ways.  And, in fact, it would appear that the latest sneaky trick making the rounds is almost admirable in its sneakiness.  For example, take a look at this latest hack, which <a href="http://news.bbc.co.uk/2/hi/technology/7567889.stm" target="_new">hijacks your clipboard, and repeatedly places a link to a site for fake security software</a>.  The hijack takes place through Flash advertisements (even those found on legit sites), which is all the more reason to use AdBlock or FlashBlock or NoScript or something to protect you.  However, what it's banking on is the fact that plenty of people quickly cut and paste links they want to send around or post in other blogs and forums.  When done quickly, many people won't even notice that they're not pasting the link they thought they cut from elsewhere -- thus getting lots of folks to inadvertently spam links.  This must be incredibly annoying for those who get hit with it, but that doesn't take away from the creativeness of the attack itself.  Even security researchers, like Mikko Hypponen, are grudgingly tipping their hats on this hack: "It is a pretty clever technique. Our work would be so much easier if our enemy would be stupid."<br /><br /><a href="http://www.techdirt.com/articles/20080818/1153372012.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080818/1153372012.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080818/1153372012.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>now-that's-creative</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080818/1153372012</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 4 Aug 2008 01:28:03 PDT</pubDate>
<title>College Classes On Malware Writing Still Piss Off Anti-Virus Firms</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080803/1834441874.shtml</link>
<guid>http://www.techdirt.com/articles/20080803/1834441874.shtml</guid>
<description><![CDATA[ Over five years ago, we wrote about a college that was starting to offer a new computer science class in <a href="http://www.techdirt.com/articles/20030527/2012238.shtml">writing computer viruses</a>.  And, of course, various anti-virus companies went ballistic, claiming how dangerous it was.  Yet, as we pointed out at the time, anti-virus companies don't have the greatest track record in actually stopping viruses -- so it seemed only reasonable to teach people to better "think like the enemy."  Anyway, it appears not much has changed.  Theodp writes in to let us know about an article in Newsweek about a very similar course being taught at Sonoma State University by George Ledin, where <a href="http://www.newsweek.com/id/150465" target="_new">students are tasked with creating their own malware</a>.
<br /><br />
Once again, various security companies are condemning the technique, even sinking so low as to compare Ledin to A.Q. Khan, the Pakistani scientist who sold nuclear technology to North Korea.  They even insist they won't hire his students -- which seems particularly short-sighted.  As Ledin points out, it appears that this is really more about the security companies wanting to keep the world more scared than they need to be of malware, so as to pretend that they're the only ones who can solve the "problem" -- when the truth is they're not very effective at it.  He complains that anti-virus firms keep their code secret (thank you, DMCA).  He points out that if they were willing to open it up, and let lots of folks work on improving it, it would get much, much better.  All he's trying to do is help more people understand the enemy without first having to work at one of those companies that's been so ineffective in stopping malware -- in the hopes that maybe some of his students can actually come up with a better solution.<br /><br /><a href="http://www.techdirt.com/articles/20080803/1834441874.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080803/1834441874.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080803/1834441874.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>security-through-obscurity</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080803/1834441874</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 10 Jul 2008 13:24:30 PDT</pubDate>
<title>Connecticut Still Wants To Try Julie Amero</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080710/1030551639.shtml</link>
<guid>http://www.techdirt.com/articles/20080710/1030551639.shtml</guid>
<description><![CDATA[ You may recall the case of Julie Amero, a substitute teacher in Connecticut who was found guilty of charges that she had shown pornography to children in her classroom, and who faced 40 years in jail.  The problem was that the police and the prosecutors seemed unable to understand what had actually happened.  The computer in the classroom had been infected by malware, which tossed up porn pop-up ads.  It wasn't that she was surfing porn, but that the computer had malware.  As news of this wrongful conviction got out, more and more security experts tried to <a href="http://www.techdirt.com/articles/20070301/183426.shtml">explain</a> to everyone involved why Amero was not the guilty party.  Eventually, the judge agreed, and <a href="http://www.techdirt.com/articles/20070606/100109.shtml">struck down</a> the guilty verdict.
<br /><br />
However, the state still has not dropped the case.
<br /><br />
In fact, as reader Phil K lets us know, the state has <a href="http://www.courant.com/news/local/columnists/hc-rgreen0708.artjul08,0,2843628.column" target="_new">no intention of dropping the case, and appears to want a new trial</a>.  No one involved in the case will explain why they won't drop it.  In fact, they won't even apologize for what was clearly a wrongful prosecution in the first place.  The prosecutors, the police and the school Amero worked for haven't said a word.  The fact that they're planning to go through another trial over this matter suggests they still don't even realize what they did.<br /><br /><a href="http://www.techdirt.com/articles/20080710/1030551639.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080710/1030551639.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080710/1030551639.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>sickening</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080710/1030551639</wfw:commentRss>
</item>
</channel>
</rss>