Tag Archives: Spyware

Carrier IQ’s Opt-Out Data Collection Patent

ZDNet writes here about an Carrier IQ patent that outlines keylogging and ability to target individual devices . Which is interesting. But Carrier IQ owns a dozen patents, including this one, which to me is much more interesting. This patent indicates what Carrier IQ software could do—not what it does—but it is revealing nonetheless:

A communication device and a data server record and collect events and event-related data to create an activity record. A user of the communication device may request that events and related data be recorded and collected using a configuration option on the communication device or through an interaction with the data server. Data are grouped into data sets and uploaded to the data server either automatically or upon user approval. The data server uses the uploaded data to create an activity record which the user may access through a website. The user uploads additional data which are associated with the activity record. In some instances, the data server embeds a link pointing to the additional data in an entry in the activity record corresponding to an event associated with the additional data.

Basically this patent offers a way for a “user”—which could be either the user of the device or the service—to have a record of everything they do:

image

While most of the patent is clearly about a product that would create a ‘lifestream’ for the user—where they can access all the things they’ve done with the device, including photos etc, in one tidy presentation, there’s clearly more to it than that. Buried in the patent are indications that it could do all this without the user asking it to. It’s paragraph 0023 which I think is most interesting:

A user of a mobile device requests that events and event-related data be collected by a data server and data collection begins. Alternately, data collection may be a default setting which is turned off only when the device user requests that data collection not occur. In yet another embodiment, a request from a server can initiate, pause, or stop data collection. The mobile device is configured to record events performed by the mobile device as well as event-related data. Typical events that the mobile device records include making or receiving a phone call; sending or receiving a message, including text, audio, photograph, video, email and multimedia messages; recorded voice data, voice messages, taking a photograph; recording the device’s location; receiving and playing an FM or satellite radio broadcast; connecting to an 802.11 or Bluetooth access point; and using other device applications. The data most often related to an event include at least one of: the time, date and location of an event. However, other event-related data include a filename, a mobile device number (MDN) and a contact name. Commonly, the mobile device records events and provides a time, date and location stamp for each event. The events and event-related data can be recorded in sequence and can be stored on the mobile device.

This seems to suggest that

  • basically all activity on the phone can be logged
  • the software can be turned on by default
  • the software can be turned on and off from the server

All this information would be grouped together and uploaded either with the user’s permission or without it:

[0025] The mobile devices may be configured to store one or more data sets and upload the data sets to the data server. In one embodiment, the data sets are uploaded automatically without user intervention, while in other embodiments the mobile device presents a query to the user beforehand. When the mobile device is ready to upload one or more sessions to the data server, a pop-up screen or dialog may appear and present the user with various options. Three such options include (1) delete session, (2) defer and ask again and (3) upload now. The user interface may present the query every time a session is ready to upload, or the user may be permitted to select multiple sessions for deletion, a later reminder or upload all at once. In another embodiments, the uploading of sessions may occur automatically without user intervention. Uploads may also be configured to occur when the user is less likely to be using the device.

This point—about the option to collect such data without the user’s say-so—is confirmed in [0030]:

Although typically the device and the server do not record, upload and collect data unless the user requests it, in other embodiments the communication device and the server automatically record, upload and collect data until the user affirmatively requests otherwise.

And in [0046]:

In embodiments where participation in the data collection services is the default configuration for a mobile device (e.g., an “opt-out” model), it is not necessary to receive a request from a user prior to recording data.

An ‘opt-out’ model is hard to visualize if this is a product that is a user-centric lifestream.

While patents only tell part of the story, there’s no evidence of any such consumer-facing product on Carrier IQ’s website, so one has to assume these capabilities have been, or could be, wrapped into their carrier-centric services. In that sense, I think there’s plenty of interest in here.

Singapore Details ‘Waves’ of Cyberattacks

Officials and delegates from APEC economies were targeted ahead of last year’s Singapore meeting with malware-laden emails faked so they appeared to have been sent by Singapore government officials on the Organising Committee.

Singapore officials have said the attacks were not the first on the country. Although Singapore regularly highlights threats to national security—including Islamic terrorism—the admission that it has been the victim of cyber attacks is, according to the Straits Times, its most detailed account.

Although it’s hard to read too much into the statements made to judge who may have been behind the attacks, it’s interesting that Singapore is drawing attention to this—not least because there’s bound to be speculation about just this point. The current flood of WikiLeaks cables about this very issue is a coincidence. But the description of the attacks fits a pattern familiar to security experts:

Between September and November 2009 APEC officials, and delegates of several APEC economies were targeted with Trojan-laden emails “with the aim of infiltrating their computers and extracting privileged information.” There were at least seven waves of such attacks, focusing on members of the APEC organising committe and APEC delegates whose email addresses were published on websites or in APEC mailing lists. (APEC, Asia-Pacific Economic Cooperation, is a forum for 21 regional economies set up in 1989. Singapore hosted meetings throughout 2009 culminating in a leaders’ meeting in Singapore from November 14-15.) 

The attacks were first mentioned in a speech by Ho Peng Kee, Senior Minister Of State For Law & Home Affairs, who told a seminar on Sept 28 that “Singapore has its fair share of cyber attacks.” More details were  added in an internal but publicly accessible Ministry of Home Affairs magazine, the Home Team Journal, by Loh Phin Juay, head of the Singapore Infocomm Technology Security Authority and reported in the Straits Times on Saturday, December 4.  (The Straits Times called the perpetrators “cyberterrorists”.)

Loh wrote in the magazine article that “between 2004 and 2005, the Singapore government saw waves of Trojan email attacks which were commonly referred to as the Trojan Riler attacks.” The attacks came in four waves over a span of two years, he said, in the form of more than 900 emails targeting officials in several ministries.  

Loh Phin Juay said that the first two waves in the 2009 attacks used PowerPoint and PDF attachments to emails puportedly warning about possible terrorist attacks on the meeting. A subsequent wave included “legitimate information relevant to the APEC 2009 meetings”—in this case an invitation to an actual APEC symposium.

Some of the malicious emails “contained details of actual APEC events (date, time, venue) not known to the general public.” This suggests to me that either the first wave was successful in gaining access to some sensitive information, or, less likely, that those perpetrating the attack were already privy to it (raising the question why they didn’t use that information in the first wave.) Both officials said no significant disruption was caused by the APEC attack.

Singapore last year set up a special body, the Singapore Infocomm Technology Security Authority (SITSA), “to safeguard Singapore against infocomm technology (IT) security threats. SITSA will be the national specialist authority overseeing operational IT security. SITSA’s mission is to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage.”

Neither official speculates about the origin of the attacks. In his speech Ho Peng Kee referred separately to Operation Aurora, a cyber attack from mid 2009 to December 2009 on dozens of Western companies including Google, which alleged the attacks began in China. Loh Phin Juay referred in his article to GhostNet, a cyber espionage network which had its command and control network based in China and which penetrated government and embassy computers in a number of countries, including some in Southeast Asia. (Singapore was not mentioned in reports of the compromised computers.)

But he writes that “to date, the perpetrators of GhostNet remain unknown,” and neither man links the Singapore attacks to either event. The Trojan Riler was, according to Symantec, first discovered on September 8, 2004; It has been associated with corporate espionage but also the GhostNet attacks.

Nightmare on Spyware Street

A case in Connecticut has exposed the legal dangers of not protecting your computer against spyware, as well as our vulnerability at the hands of incompetent law-enforcement officers.

Teacher Julie Amero found herself in a nightmare after spyware on her school computer popped up pornographic images in front of students. Instead of realising this was spyware at work, the state accused her of putting them there and forcing her pupils to watch.

In June of 2007, Judge Hillary B. Strackbein tossed out Amero’s conviction on charges that she intentionally caused a stream of “pop-up” pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on “erroneous” and “false information.”

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made — even after computer experts from around the country demonstrated that Amero’s computer had been infected by “spyware.”

It seems the nightmare may be coming to an end, but not without a price. She’s had to admit to one misdemeanour charge and surrender her teaching licence. She’s also been hospitalized for stress and heart problems.

The lesson? This was a school computer, and it seems the school failed to install the necessary updates and protection to prevent the spyware from loading itself. That’s probably something Amero should be exploring with her lawyers.

But there’s a bigger issue. We need, as individuals, to take more reponsibility for the computers we use—to learn the basics of protecting them from attacks, and to be able to at least identify what the problem is when something like this happens. It may have taken a techie guy to clean the computer in this case (I admit spyware is really hard to get rid of) but knowing, roughly, what the problem is should be the bare minimum of our working knowledge of the computers we use.

Connecticut drops felony charges against Julie Amero, four years after her arrest – Rick Green | CT Confidential

links for 2008-09-15

Is That a Virus on Your Phone or a New Business Model?

This week’s WSJ.com column (subscription only) is about mobile viruses — or the lack of them. First off I talked about CommWarrior, the virus any of you with a Symbian phone and Bluetooth switched no will have been pinged with anywhere in the world.

CommWarrior isn’t new: It has been around since March 2005. But this isn’t much comfort if you find yourself — as a lunch companion and I did — bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. “I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously,” says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses — usually lumped together under the catchall “malware” — and, despite lots of scare stories, I couldn’t find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I’m adding it here for anyone who’s interested. Apologies to those sources who didn’t get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it’s a Trojan, meaning it must be installed by the user, who thinks the program does something harmless). “In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY,” says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, Mr. Raihan isn’t happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. “We are a godsend to them,” he says of the mobile antivirus companies. “They are fear-mongering as there is not a significant problem with viruses in the mobile space.”

Technorati Tags: , , , ,

When Chatbots Go Bad

Richard Wallace of the A.L.I.C.E. AI Foundation, Inc. and creator of the Alice chatbot says his creation (sorry, can’t find a permalink) may have been lured to the dark side:

I have received a multitude of emails recently from subscribers to MSN Instant Messenger services, from people who have chatted with a clone of ALICE on their system who have suspected that this clone is downloading spyware onto their machines. The threat of malicious bots releasing viral software has appeared before, but this is the most serious incident so far. Like many clones of ALICE, this one appears to contain the basic AIML content containing my email address and references to the A. I. Foundation, which of course has nothing to with malicious software. But it directs people to complain to me.

New Scientist quotes Richard as saying that “this is insidious because compared to other bots, she does the best job of convincing people that she is a real person.” I’m not quite clear as to how this happens, but it would appear that anyone chatting with these Rogue Alices would be infected with spyware via MSN chat.

If so, is this the start of something? As chatbots get better, can we expect them to spread through every online social tool, infecting us with their sleaze and reducing our trust levels to zero.

Microsoft’s Spyware Gate

Microsoft have launched a new version of their Antispyware application, now rebuilt and renamed Windows Defender. Initial reports are favorable, including Paul Thurrott, who is good on these kind of things:

Windows Defender Beta 2 combines the best-of-breed spyware detection and removal functionality from the old Giant Antispyware product and turns it into a stellar application that all Windows users should immediately download and install. Lightweight, effective, and unobtrusive, Windows Defender is anti-spyware done right, and I still consider this to be the best anti-spyware solution on the market. Highly recommended.

Expect this program to become part of the next Windows operating system, meaning that spyware is going to be kept out of most computers by default. This is a good thing. What is less good is that it lets Microsoft decide what is and what isn’t spyware, giving them one more gate to control. Also, spare a thought for all the companies that have been selling antispyware software for the past few years; I can’t see many of them surviving past Windows Vista.

Keeping the Keyloggers out of the Basement

Here’s a product about to be announced that claims to really protect users against keylogging — when bad guys capture the keystrokes you make and then transmit it back to base: StrikeForce’s WebSecure (PDF file):

The basic idea, StrikeForce’s PR guy Adam Parken tells me, is that “keystrokes are encrypted at the hardware driver and delivered directly to the browser.” This, he says, “gets around the OS, messaging service, etc. where keyloggers normally hide.” It looks a bit like this (from a WebSecure presentation):

Websec

If that makes any sense. The grey boxes are the bits in between the keyboard and the network, and they’re all places that keyloggers hide. Anti-keylogging programs, as I understand them, are usually merely programs that try to guess what’s going on, and, if they see something sleazy, warn the user. Usually this is based on a prior knowledge, or library, of known keyloggers or known keylogging tricks.

WebSecure, instead, according to the press release, “automatically encrypts every keystroke at the keyboard level, then reroutes those encrypted keystrokes directly to the Web browser, bypassing the multiple communication areas that are vulnerable to keylogging attacks.”

WebSecure is going to be demoed at DEMO here sometime in the next 24 hours or so. If they do the job seamlessly and as promised, WebSecure could be quite a useful tool for companies and end users. But it’s an area long tackled and never conquered by security software developers, so I’m not holding my breath.

The Smell of Sterile Burning

There’s a growing noise about Sony’s apparent attempt to install digital rights management software usually associated with bad guys trying to maintain control of a compromised computer: Mark’s Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far:

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

The comments below Mark Russinovich’s post reveal not only growing frustration with such clumsy attempts to control what users do with CDs they buy from legitimate sources, but it may also prompt a class-action suit against the company in the U.S. since early versions of the End User Licence Agreement on the software may not have covered such software installation. A representative of SF-based Green Welling LLP has posted a comment asking to hear from “any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme”. (The End User License Agreement originally, according to Russinovich, made “no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall”.) Bruce Schneier asks whether Sony may have “violated the the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.”

Sony deny that their software is malware or spyware: Their FAQ says “the protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.”

According to eWeek, the technology has a name: ‘sterile burning’. And it’s built by a British company called First 4 Internet, whose CEO, Mathew Gilliat-Smith, is quoted as saying it’s not a rootkit but part of a copy protection system designed to balance security and ease of use for the CD buyer. First 4 Internet call it XCP for Extended Copy Protection which “aims to provide effective levels of protection against the unauthorised copying of digital audio and data files without compromising sound quality and playability. XCP helps to protect the rights of Artists and Record Labels while accommodating consumer needs for ‘fair use’ copying.” More specifically, it

protects the content of an audio disc without compromising playability or quality. By using a range of methodologies, including the construction of multiple protection layers, limiting the ROM player accessibility to the provided player software and encapsulating the Red Book audio content, XCP can be used by content owners to help protect digital content from unauthorised copying.

It was first shipped by Sony BMG in March. A new version has been developed with features which, eWeek says, “respond to many of the questions Russinovich raised in his analysis” and will be available in new Sony BMG CDs. But will it be too late by then? Who in their right mind would risk buying a Sony BMG CD?

ZoneAlarm’s Impressive About-turn, Or How To Do Blog PR Right

A day ago I vented my disappointment at a sneaky marketing gambit inside ZoneAlarm’s otherwise excellent free firewall software, which scared the user into running an external spyware scanner in the hope of getting them to upgrade. This morning I received word from their PR department that this promotion “has been turned off. The wording was not optimal, and we sincerely regret any inconvenience or frustrations it caused our users. Also, your story has prompted us to create a new approval process for any outbound promotions including multiple departments, to ensure that we maintain the highest integrity in our marketing efforts.”

I’m very impressed. I’m not suggesting my post prompted this — it sounds like it was in the works anyway — but this kind of close and timely monitoring of blogs is just the kind of iniatitive PR departments should be involved in, and just what I was going on about in a recent diatribe about Nokia, who seem little interested in customers who have less than perfect experience in the company’s ‘Care Centres’.

Good work, ZoneAlarm.