Internet Threats, IM, Malware, P2P, Spyware - Software in a World of Grey.
- The Free Myspace Viewer - Beware!
It's been an interesting few weeks for Myspace: there have been a number of scams and dubious programs making their way across countless user profiles. The "fun" clearly isn't over yet, because check out the latest piece of scammery doing the rounds on everybody's favourite social networking site...
A while ago, there was a particularly nasty scam going around the Myspace network, called the Myspace Adult Content Viewer. If you visited a fake profile, you'd see a gigantic popup appear telling you to download "something" to be able to view the page. Of course, anyone doing so would find their PC hit with various adware and spyware bundles.
Well, the creators have decided to mix things up a little, because here we have their latest piece of social engineering (at least, we're assuming it's made by the same people, because it follows the methods and techniques used with the Adult Content Viewer, plus the name is almost identical, which is a bit of a giveaway): the "Free Myspace Viewer". Visit a fake profile carrying this thing, and you'll see a popup appear on your screen. Note how they tell you the content is "securely protected", because there's nothing like making people think your rogue install is actually some sort of security feature! At this point, depending on the fake profile, you may or may not see an image verification screen when you click the popup: another nice piece of trickery designed to lure inexperienced users in. Before you ask: yes, the code generated really is random every time; it's a fully functional (if slightly pointless) CAPTCHA. Someone's put a little effort into this one.
Eventually, you'll download the application, run it and... a fake codec is your reward, of the Zlob variety! Needless to say, you really don't want one of those things installed on your PC, because of the variety of not-so-wonderful programs they've been known to install, namely any one of a number of completely fake "security programs", many of which are listed here.
The domain details for the site the installer downloads from are listed as Ukrainian, and the hosts? EstDomains, who (amazingly enough) provide the hosting for many of the programs that can be installed as a result of this hijack.
We know from past experience with these kinds of Myspace hijacks that the payload will often change daily, so you can never quite be sure what you're going to end up with. Do yourself a favour and steer well clear of these things!
Thanks to Burnt Pickle for the tip.
- IM Security Term of the Week: "Foley'ed" - E-Discovery Day
In Internet News Week, our V.P. of Marketing Frank Cabri makes a notable quote along the lines of our usual rapier-wit-wielding MVP, Chris Boyd (who, for example, described IM safety as a "Ben Stiller and Circle of Trust kind of thing").
"Some organizations' ears are ringing from this consumerization of an IT trend and the fact that employees are bringing in unsanctioned applications through the back door," Cabri said. "Organizations are hearing about it from us, from some of the industry analysts, and in many cases, seeing it first hand on their networks."
And yet there are still many that aren't aware of the issue, and usage continues to grow. The recent Mark Foley case in the U.S. Congress, in which instant messaging was used to send inappropriate messages to a teenage congressional page, is a case in point.
"Sometimes it takes a Mark Foley-like situation to happen in your own organization to raise awareness of the risk and the impact," Cabri noted. "Obviously, our goal is to help customers before this happens."
"Let's face it, no business wants to get 'Foley'ed' on a national level -- the business consequences of this could be extremely negative."
Ouch. "Foley'ed": apt coinage indeed. Frank is, of course, referring to the Mark Foley scandal that recently emerged over IM.
Learn more: see a brief video of Kailash Ambwani, our CEO at FaceTime Communications, as he covers why words like "guarantee" or "rumor", incidents like the Mark Foley scandal, and failing to monitor IM (or other greynets) can lead to big problems, especially if you are a big company.
This cascade of events is one of the drivers that is forcing big companies to take a hard look at their corporate policies, especially with regulatory challenges like:
- Gramm-Leach-Bliley Financial Modernization Act (GLBA)
- Sarbanes-Oxley Act of 2002 (SOX)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Will the Foley Force raise awareness of the issues? Good question, and more pertinent than ever now that December 1st approaches. What is the big deal about December 1st? It is "E-discovery Day", when things could get more tedious and potentially more costly for enterprises that are not prepared.
E-discovery refers to finding and producing documents stored in electronic form in response to litigation or regulatory requirements. Civil litigants, regulators and criminal prosecutors now ask, as a matter of course, for copies of selected e-mail communications, or make broad requests for all electronic records. After Dec. 1, amendments to the Federal Rules of Civil Procedure take effect that make e-discovery a standard part of federal proceedings.
So where can you start if you are a large enterprise? First, figure out how much instant messaging traffic is going on in your network; you might be surprised not only by the traffic, but by the other insidious malware that rides along with it. FaceTime has a free tool called RTMonitor that can help with this, or you can contact them for a demo.
Best Practices for Emerging Compliance Challenges: Electronic Messaging and Communications (ReymannGroup): download the IM Compliance and Regulations document [PDF]. This paper is a great primer on what you need to know.
Some might be wondering... just what is Instant Messaging (IM)? We use it every day, it has been around for a decade, but because of its ephemeral nature we tend to treat it differently. I consulted Archive.org for some background...
Instant Messaging (IM) is an electronic messaging service that allows users to determine whether a certain party is connected to the messaging system at the same time. IM allows them to exchange text messages with connected parties in real time.
To use the service, users must have IM client software installed on their workstations. While there are many types of IM clients, they all tend to function in a similar manner. Client software may either be part of an agency's IT network and available to only registered users, or be public and available to anyone on the Internet. The client software logs into a central server to create connections with other clients logged in at that same time. Users create and exchange messages through their local client application.
Other important points:
* In addition to sending messages, users may have the ability to attach and exchange electronic files such as images, audio, video, and textual documents. This capability depends on the configuration of the individual client software as well as on protocols established at the client server.
* Depending on the software, users who are online may have the ability to respond to messages.
* Users may also block other users with whom they do not want to exchange messages.
* Users may only communicate with others using the same or a compatible client software.
How does IM differ from email?
Fundamentally, the difference between IM and email is the notion of presence. This means that users of the IM system are aware that other users have logged in and are willing to accept messages. Unlike email, IM content can only be sent to users who are logged in to the system and accepting messages. If users are not logged in, others do not have the ability to send them messages.
Because IM is not predicated upon an open standard, there is no uniformity regarding message transmission and structure.
Remember that instant messaging will be treated like e-mail: despite its ephemeral or fleeting nature, an IM is a document, and a document that should be factored into your archive equation if you want to cover the bases soundly and not get "Foley'ed"... let's go back to Archive.org...
Does IM content qualify as a Federal Record?
The statutory definition of records (44 U.S.C. 3301) [Google Government Research Query on 44 U.S.C. 3301] includes all machine readable materials made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a Federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.
I think in light of the recent scandal (and how many don't we know about...) we will probably see agencies taking a new look at their IM practices; it is potentially too costly to ignore. This isn't the only scandal either. There are others, but they tend to focus on e-mail, so again, don't discount the ephemeral nature of IM. Take the "Boy's Club Case" as reported by Baselinemag.com:
Peratis wanted WestLB to search for e-mail and Bloomberg messages from mailboxes of 19 current and former equities executives, human-resources representatives, bank managers and others, using more than 170 terms. These ranged from Quinby's name and initials, to employment-related words like "fire" and "bonus," to derogatory sexual slang...
In this case I don't know if IM was enabled or factored into discovery. However, according to our recent studies, it often is enabled, whether or not IT is really aware of it. Odds are that after the Foley case, e-mail will not be the only prime target for discovery, and discovery can be quite expensive if an enterprise is not prepared.
- Facetime Communications Greynet Study Highlights
FaceTime just released a study on the state of greynets. Here are some highlights; in future entries we will talk about the implications of this study as it relates to the enterprise.
FaceTime Communications
2006 Greynets Survey Key Findings
The survey confirms that greynets continue to be dangerous if left unmanaged, introducing significant risks to the business. End users continue, at an increasing rate, to take business communications into their own hands, downloading and using whatever resource they choose to get their jobs done, wherever and whenever.
How are instant messaging and other greynets used at work?
IM usage, and by extension other similar greynet apps, is driven foremost by its convenience: three in four employees use IM because they need "immediate answers ... from co-workers" (76%).
End users also see IM as a productivity tool: two-thirds use it "to multi-task" (62%) while another third use it because "email is too slow" (33%). (The take-away: users, often the most advanced ones, are the ones introducing greynets into the enterprise because they want to be more productive!)
- IM usage is increasingly complex: 60 percent of IM users have accessed advanced features (55%), such as file transfer (29%), web conferencing (24%), VoIP (15%) or video (12%).
- Not surprisingly, two in three end users have sent IMs while multi-tasking (88%). Around half have IM'ed colleagues on the same conference call (57%). Even colleagues in the next cube are not safe: 44% of IM users have sent a message to a physically adjacent co-worker, or while having a face-to-face conversation with someone else (40%).
- Six in ten IM users have sent attachments, application files or links to external websites as part of an IM (57%). About one in five end users (17%) have sent company plans (15%), information about company finances (5%) and even passwords or login information (4%).
What are end user attitudes toward greynets?
- Four in ten end users (41%) have downloaded or installed applications that are not approved by their company's IT department.
- Among the most popular applications deployed by end users are streaming audio or video services (77%), web-based email (70%), web conferencing (57%) and public instant messaging (48%). Almost half of all end users have deployed browser plug-ins (46%). [NOTE: these apps are particularly well suited to evasive techniques that bypass network security requirements.]
- Seven in ten IM users have sent personal or non-work-related IMs while at work, over company networks (70%).
- Unfortunately for IT managers responsible for network security, one-fourth of IM users deploy IM in order to have "private, unmonitored communications" (26%).
- Not surprisingly, if end users knew their IM communications were monitored, they would change their usage patterns: almost half would "pay more attention to company guidelines" (45%), while one-third would simply "use IM less often" (31%), be more cautious about clicking on links (31%) or simply pick their words more carefully (21%).
So what’s the problem?
- In a broad market research survey of US-based IT managers, 81 percent report that a security incident has resulted in the last six months from employee use of "greynet" applications.
- Spyware and adware are the most commonly reported incidents (75%), followed by viruses (57%), malware such as keyloggers (28%) and rootkits (22%).
- Seven in ten IT managers indicated that spyware and adware attacks are occurring at the same rate (36%) or more frequently (33%) compared to the prior six-month period.
- Greynet app usage may also result in business-related incidents. In the past six months, half of all IT managers report business incidents resulting from greynet application usage (52%). Among these managers, the most commonly reported issues are: downloading of adult materials (50%), copyright violations (39%) and violations of corporate communications policies (33%).
- Seventy percent of IT managers report a wide range of network and computer issues that result from greynet application usage. Three-fourths of these managers report end-user system slowdowns or crashes (76%), followed by slowdowns in network traffic (68%), corrupted files (39%) and corrupted applications (30%).
Existing security infrastructure is not effective in combating greynet threats
-Survey respondents were asked to assess their own company networks in terms of their capacity to intercept the kinds of IMs allegedly sent by former Congressman Mark Foley. Only 11 percent of IT managers indicated that their networks would have been "very effective" at intercepting such communications. In fact, 31 percent of IT managers rate their networks as "not at all effective" at preventing these kinds of messages from being delivered.
What is the cost to businesses?
- Not surprisingly, these incidents may require remediation or repair of affected PCs or servers. Three-fourths of IT managers report having to make repairs or changes to computers as a result of greynet-related security incidents (72%).
- On average, IT managers report 14 incidents per month. Each incident requires 11 hours of work, on average. Based on an estimated average salary of $70 per hour, salary-related costs average almost $150,000 per year, just for greynet-related repairs to end-user computers.
- IT managers who are involved in other security-related tasks may spend as much as 71 hours per month, on average, engaged in activities such as maintenance of network or end-user hardware, archiving and logging, researching new technologies and so on...
more to come...
There have been a lot of articles and posts about Zango. Most of them focus on the installation practices, the lack of user notification and even how the company was recently fined by the FTC. This piece is not one of those. Instead of talking about the Zango software, I would like to take a brief look together at the theoretical business model that drives Zango. Some relevant snippets from the Zango site:

    "Web publishers, content creators and providers aren't able to earn a living from their products. <Snip> Online consumers have proven reluctant to pay a monthly subscription fee for access to online content and entertainment. <Snip> Zango has developed a unique solution to this economic dilemma. <Snip> With the Content Economy model, consumers are able to access and enjoy web content and entertainment for free, because when they search or browse online for products and services, they see ads from Zango advertisers. <Snip> Web publishers and content providers get paid by Zango for distributing their creative assets. Zango earns revenue from online advertisers, and thus, keeps this new Content Economy alive and thriving."

I see! Visitors will never pay to see online content, so the content creators will never get to see a dime from their work. So Zango's self-proclaimed raison d'être is to provide these starving "long tail" creators/artists with some income so they can keep producing the content that everybody likes, instead of needing to beg for spare change at a mall entrance. Surely that's a noble cause, no? Let's see...

Required background reading

For those of you who have not heard about "Revver", a small primer. It's fairly similar to things like "YouTube", but with a twist. Here's a hypothetical scenario (all names were made up by me):
- Michelle, "content producer", uploads a movie of her cat doing funny moves onto Revver.
- Tony, who owns a website neatopetsandstuff.com, signs up for Revver as a "publisher" and embeds the "Revver player code" onto some of his web pages.
- Alex, is surfing neatopetsandstuff.com and moves to the video page.
- Revver embeds some ads into Michelle's cat video and streams it to Alex.
- Alex, watches the movie, has a few giggles, and clicks the ad that was embedded in it.
- CrazyCatfoods Inc., whose ad was shown and clicked on, pays Revver a fee for the click.
- Revver pays out 20% of the fee to Tony, 40% to Michelle and pockets the rest
- Everybody is happy and goes on their merry way.
Whether this business model is sustainable or not, only time will tell. While I am no particular fan of ever-present advertising, this seems to be a fairly acceptable way of rewarding content providers. Besides, it smells like Google, who recently purchased YouTube, a similar model, and we all know that they "aren't evil". The only beef I have with Revver is that their license/member agreement seems to be genetically engineered to be hard to read. My nose and ears started to bleed before I got halfway through it, so I gave up. Let's keep that story for another time. On with the story... Let's examine some of the inner workings of this "Content Economy" in detail.

Looking for giggles

Let's assume an average user is browsing the Zango site, looking for something funny. Scanning through the listings on the homepage, he skips over the screensavers and celebrity nude stuff, and finds "Karate cat casts a spell", which seems to be good amusement for a few minutes. He clicks the big "Watch" button and moves to a comfortable position in his chair.

Geek mode on

On a technical level, here is what happens in the browser:
- Clicking the link will launch a Javascript function that redirects the browser to http://www.zango.com/Destination/Catalog/Play/?pid=5639
Yes, that means that having Javascript enabled is required to move from one page to another. At this point I already hear many old-school developers yell "WTF? Those folks can't type A HREF anymore or what?". Guys, sit back for a second. This is not a newbie mistake, this is intentional. Stay with me here.
- The destination page is loaded by the browser. Scrolling past some external includes, we find this at the top of the page:

    <script language="javascript" type="text/javascript" id="Script1" >
    if(!DetectClient.detectClient()) location.href="/destination/catalog/contentGateway.aspx?pid=5639";
    </script>

The only purpose of this code is to verify that the user has the Zango client installed, and if not, immediately redirect them to the "You must install" page at http://www.zango.com/destination/catalog/contentGateway.aspx?pid=5639. In short, this "protects" the content page from being seen by anybody who hasn't been "Zango-ed".
- The old-schoolers are yelling again: "What? A protection in Javascript? That's about as effective as a glass hammer! If I disable Javascript in my browser and go directly to that page, I can see the content!". Yes, true. But that requires a level of technical sophistication that is clearly outside the Zango target audience. Now go defragment a filesystem or something while I finish the story.
- Scrolling further down the source, we come to the actual delivery of the movie:
    <embed src="http://media.revver.com/broadcast/12625/video.mov/2690" pluginspage="http://www.apple.com/quicktime/download/"

This code will use the Apple QuickTime player control (or install it straight from the Apple site if it is not installed) to open and play the movie at http://media.revver.com/broadcast/12625/video.mov/2690. Wait a minute... let's have a closer look at that URL again: http://media.revver.com/broadcast/12625/video.mov/2690
- media.revver.com: this indicates that the movie is being served from Revver, not from any Zango-related server.
- 12625: this number indicates which movie we are talking about.
- 2690: this is the Revver affiliate/publisher ID (this is how Revver identifies "Tony" in our previous story).
So Zango is an affiliate of Revver, and gets paid for ads clicked in movies played. You can see the video directly at Revver. No Zango required. (Cute kitten warning)

Summary points
- Zango was not involved in the creation of this "content". They did not create the movie, they did not pay for its creation. They just used an API to retrieve the information off the Revver site. The tagging and indexing was done by Revver as well.
- Zango did not pay for the bandwidth costs of streaming this content. The content (and even the accompanying thumbnails) are served directly from Revver's servers.
- Zango did not pay a license fee to show this content to visitors. Revver does not charge anything to become a "publisher".
- Zango gets paid whenever a visitor clicks an ad in a Revver video on their site. This occurs regardless of whether the user has the Zango software installed or not.
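As an added example (not code from the original post, from Zango or from Revver), the walk-through above can be turned into a small Node.js script that takes a saved copy of a content page and reports whether it carries the client-side install gate and where the embedded media is actually served from, decoding the Revver URL into host, movie ID and affiliate ID. The layout of the Revver URL (/broadcast/<movie id>/video.mov/<affiliate id>) is an assumption inferred from the single URL quoted above, and the sample page is constructed from the two fragments shown, not captured from the live site:

```javascript
// Added example: not code from the original post, Zango or Revver.
// Pull the client-side "install gate" and the embedded media out of a saved
// content page, and decode the Revver URL into its parts.
//
// ASSUMPTION: Revver broadcast URLs look like
//   http://media.revver.com/broadcast/<movieId>/video.mov/<affiliateId>
// inferred from the single URL quoted in the post.
const REVVER_BROADCAST =
  /^https?:\/\/(media\.revver\.com)\/broadcast\/(\d+)\/video\.mov\/(\d+)\/?$/i;

function parseRevverBroadcastUrl(url) {
  const m = REVVER_BROADCAST.exec(url.trim());
  if (!m) return null;
  return { host: m[1], movieId: m[2], affiliateId: m[3] };
}

// The gate script seen on the page: redirect to the install page when the
// Zango client is not detected. Returns the redirect target and catalog pid.
function findInstallGate(html) {
  const re =
    /if\s*\(\s*!\s*DetectClient\.detectClient\(\)\s*\)\s*location\.href\s*=\s*["']([^"']+)["']/i;
  const m = re.exec(html);
  if (!m) return null;
  const target = m[1];
  const pid = /[?&]pid=(\d+)/i.exec(target);
  return { target, pid: pid ? pid[1] : null };
}

// src attribute of every <embed> in the page, in document order.
function extractEmbedSources(html) {
  const out = [];
  const re = /<embed\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Combine the two: the gate is enforced by page script only, so the embed
// URL is present in the HTML whether or not the gate would have fired.
function analyseContentPage(html) {
  const gate = findInstallGate(html);
  const embeds = extractEmbedSources(html).map((src) => ({
    src,
    revver: parseRevverBroadcastUrl(src),
  }));
  const fromRevver = embeds.filter((e) => e.revver !== null);
  return {
    gated: gate !== null,
    gateTarget: gate ? gate.target : null,
    gatePid: gate ? gate.pid : null,
    embeds,
    servedByRevver: fromRevver.length > 0,
    revverAffiliateIds: [...new Set(fromRevver.map((e) => e.revver.affiliateId))],
  };
}

// Constructed sample page built from the two fragments quoted in the post
// (not a capture of the live site).
const SAMPLE_PAGE = `<html><head>
<script language="javascript" type="text/javascript" id="Script1" >
if(!DetectClient.detectClient()) location.href="/destination/catalog/contentGateway.aspx?pid=5639";
</script>
</head><body>
<embed src="http://media.revver.com/broadcast/12625/video.mov/2690"
  pluginspage="http://www.apple.com/quicktime/download/"></embed>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyseContentPage(SAMPLE_PAGE), null, 2));
}
```

Because the gate lives in page script rather than on the server, the same parse finds the Revver embed URL with the gate present or stripped out; that is the glass-hammer point above in working form, and the affiliate ID it recovers is what ties the page to Revver's payout.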
Questions for Zango
- Since (I assume) the Zango software only gets installed once on an end-user's computer, and that end-user may visit and consume thousands of other pieces of "free" content, how do all those content creators benefit?
In other words, if I'm a content creator and use the Zango Cash Gateway system to monetize my content, and the visitor already has the software installed, will I get paid at all? Given that "Zango has more than 20 million "opt-in" users and an average of 200,000 new consumers opt-in every day" (Ref: Zango) and that the number of US Internet users is about 200 million (Ref: Nielsen), that does not seem like an unlikely scenario, right?
- Does Revver know the exact details of this setup? Is this in accordance with their "member agreement" ?
- All the "install Zango pages", (e.g. http://www.zango.com/destination/catalog/contentGateway.aspx?pid=5639) link directly to http://static.zangocash.com/Setup/Zango/Setup.exe, without any parameters being passed to indicate which movie enticed the user to download your software.
If you don't track which movie initiated the install, how can you ever pay the creator of a movie for an installation generated on your site? (And yes, I did check the cookies too)
- Given this example, how exactly does the creator of this content benefit from Zango software being installed to view their video? Are they getting paid at all? (Don't talk about any Revver payouts, because that is not your doing.)
- In this very particular case, I would like to hear how you are going to send a cheque to somebody who sent in their "cat movie" to a Chinese TV station's "funniest home videos" show, in 1993.