From the Ashes of Blue Frog

The Blue Frog may be no more,  but the vigilantes are. Seems that despite the death of Blue Security in the face of a spammer’s wrath, the service has built an appetite for fighting back. Eric B. Parizo of SearchSecurity.com reports on a new independent group called Okopipi who intend “to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends “unsubscribe” messages to spammers and/or reports them to the proper authorities.”

Okopipi has already merged with a similar effort known as Black Frog and has recruited about 160 independent programmers, who are dissecting the open source code from Blue Security’s Blue Frog product. The idea seems to be the same: automatically sending opt-out requests to Web sites referenced in received spam messages, the idea is to over-burden the spammer’s servers (or those of the product he’s advertising) as a deterrence and incentive to register with Okopipi. By registering he can cleanse his spam list of Okopipi members.

Some tweaks seem to be under consideration: Processing will take place on users’ machines and then on a set of servers which will be hidden to try to prevent the kind of denial-of-service attack that brought down Blue Frog.

Possible problems: I noticed that some of the half million (quite a feat, when you think about it) Blue Frog users were quite, shall we say, passionate about the endeavour. These are the kind of folk now switching to Okopipi. This, then, could become an all-out war in which a lot of innocent bystanders get burned. The Internet is a holistic thing; if Denial of Service attacks proliferate, it may affect the speed and accessibility of a lot of other parts of it, as the Blue Frog experience revealed. (TypePad was inaccessible for several hours.)

Another worry: Richi Jennings, an analyst with San Francisco-based Ferris Research, points out on Eric’s piece that project organizers must ensure that spammers don’t infiltrate the effort and plant backdoor programs within the software. “If I’m going to download the Black Frog application,” Jennings said, “I want to be sure that the spammers aren’t inserting code into it to use my machine as a zombie.” I guess this would happen if spammers signed up for the service and then fiddled with the P2P distributed Black Frog program.

Another problem, pointed out by Martin McKeay, a security professional based in Santa Rosa, Calif., that spammers will quickly figure out that the weak link in all this is it rests on the idea of a legitimate link in the email for unsubscribing, and that spammers will just include a false link in there. Actually I thought the link Blue Frog used wasn’t unsubscribe (which is usually fake, since if it wasn’t would then pull the spammer back within the law) but the purchase link. How, otherwise, would folks be able to buy their Viagra?

One element I’d like to understand better is the other weakness in the Blue Frog system: That however the process is encrypted, spammers can easily see who are members of the antispam group by comparing their email lists before and after running it through the Blue Frog/Black Frog list. Any member who is on the spammer’s list will now be vulnerable to the kind of mass email attack that Blue Frog’s destroyer launched. How is Okopipi going to solve that one?

Windows’ Gaping, Seven Month Hole

Quite a big hooha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com points out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges: That means a ne’er do well could do anything they want in your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrot, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”