
Viruses

April 17, 2008

Whaling in Singapore?

Singapore is being named as the source of a trojan cleverly designed to hoodwink U.S. executives: it arrives as what looks like an emailed subpoena that mentions the recipient by name and by title.

The SANS Storm Center said three days ago that

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it's totally bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

The report says that the server the trojan reports back to is "hard-coded to an ISP in Singapore at this time." According to Ars Technica, the trojan also "steals copies of any security certificates installed on the system."

(This, by the way, is called whaling: it is like phishing but more targeted, going after bigger fish, or phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, "the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore."

There's no evidence the "cyber ruffians" are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, "led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong."

That said, just because an ISP may have been compromised doesn't mean that those involved are physically located in Singapore. Indeed, it seems very unlikely they are; if they're smart enough to launch an attack like this, you'd have to bet against them being anywhere near the command-and-control server itself.

Still, it's unsettling that an ISP may have been compromised. So far we don't know much more, though I've put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don't expect something anytime soon.)

March 13, 2008

Anti-virus Vendor, Er, Hacked. Serves Up, Er, Viruses

The Japanese arm of antivirus vendor Trend Micro has announced that its website was hacked and its pages modified to serve up malware. In other words, anyone who visited the site during that period stood a good chance of being infected.

Not the sort of thing you expect from an antivirus manufacturer, and they're not being very forthcoming about it, either. The company has announced that some of its web pages were modified between March 9 and 12, but so far only in Japanese, according to Asiajin. And that was yesterday. Nothing on their U.S. website yet.

Gen Kanai suggests it was because the company was running Windows 2000, and rips into Trend Micro both for the length of the breach and the lack of transparency: "If a security services/software firm can't keep their own web servers secured, and left their own hacked website up for 3 days, there's no logical reason to expect that their own security services are any better."

Not very reassuring. I've often recommended HouseCall but until this is sorted out and Trend Micro comes clean about this, I'm steering clear.
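The three-day gap is the part a practitioner should take away: modified pages only stay up that long when nobody is comparing what the server serves with what was published. As an added example (not part of the original post, and not Trend Micro's own tooling), here is the kind of check that catches it: hash each page against a known-good baseline, and scan it for the hidden iframe or off-site script that a compromised web server typically injects. The sample HTML, the trusted host list and the IP address in it are all constructed for the example.

```python
"""Added check for a published web page: compare its hash with a known-good
baseline and scan it for the injected hidden iframe or off-site script that a
compromised web server typically serves. Sample HTML is constructed."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline page and a copy of it after an attacker has edited it.
BASELINE_HTML = (
    '<html><head><title>Products</title>'
    '<script src="http://www.example.com/js/menu.js"></script></head>'
    '<body><h1>Products</h1><p>Download HouseCall here.</p></body></html>'
)
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0" '
    'style="display:none"></iframe></body>',
)

TRUSTED_HOSTS = {"www.example.com"}  # assumption: hosts the site legitimately loads from

TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I
)

def page_digest(html: str) -> str:
    """SHA-256 of the page as served; store this when the page is published."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def find_injections(html: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """Findings for iframes/scripts that point off-site or are sized/styled
    to be invisible to the visitor."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        host = urlparse(src.group(1)).hostname if src else None
        if host and host not in trusted_hosts:
            findings.append(f"{tag} loads from untrusted host {host}")
        if tag == "iframe" and HIDDEN_RE.search(attrs):
            findings.append("hidden iframe")
    return findings

def check_page(html: str, baseline_digest: str) -> dict:
    """Two signals: any change is worth a look; an injection finding is
    worth waking someone up."""
    return {
        "changed": page_digest(html) != baseline_digest,
        "findings": find_injections(html),
    }

if __name__ == "__main__":
    base = page_digest(BASELINE_HTML)
    print(check_page(BASELINE_HTML, base))   # unchanged, no findings
    print(check_page(TAMPERED_HTML, base))   # changed: untrusted host + hidden iframe
```

Run it from a host other than the web server (and fetch the page the way a visitor would), since a compromised server can lie about its own files. A hash mismatch on a page nobody has edited is the alarm; the injection scan just tells you how bad it is.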

October 30, 2007

Strip CAPTCHA Spam

[Screenshot: TROJ_CAPTCHAR.A]

Whatever useful stuff the good guys come up with, the bad guys ain't far behind. A few months back I wrote about researchers at Carnegie Mellon coming up with a way to use CAPTCHAs to help decipher words in scanned texts for the Internet Archive. The basic idea is that the human effort spent on stopping spammers and others automating their intrusion into websites (signing up for stuff, comment spam etc) should not be wasted.

Now a sleazeball has found a way to do the same thing: get folk to decipher CAPTCHA texts through a small program, delivered by a Trojan, that offers a striptease in exchange for guessing the texts correctly (Trend Micro, via Seth Godin):

A nifty little program which Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily-clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go” and “Melissa” reveals more of herself.

However, the “answers” are then sent to a remote server, where a malicious user eagerly awaits them. The “strip-tease” game is actually a ploy by ingenious malware authors to identify and match ambiguous CAPTCHA images from legitimate sites, using the unsuspecting user as the decoder of the said image.

As Trend Micro points out, the CAPTCHAs in this case are from the Yahoo! website, suggesting that a spammer is building up a stock of Yahoo! accounts.

CAPTCHA Wish Your Girlfriend Was Hot Like Me? - TrendLabs | Malware Blog - by Trend Micro
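The uncomfortable point for anyone running a sign-up form is that a relayed CAPTCHA comes back with the right answer; nothing about the puzzle itself distinguishes "Melissa"'s audience from a real customer. What the site can still control is how long a challenge stays valid, whether it can be used twice, and how many accounts one source gets to create. As an added example (not Trend Micro's or Yahoo!'s code, and not part of the original post), here is that server side: each challenge is HMAC-signed, bound to one session, short-lived and single-use, and successful solves per source address are rate-limited. The signing key, the TTL, the limits, and the session and address names are all assumptions for the example.

```python
"""Added example of server-side CAPTCHA handling that limits what a human-relay
scheme like TROJ_CAPTCHAR.A can achieve. Each challenge is HMAC-signed, bound
to one session, short-lived and single-use, and successful solves per source
are rate-limited. A relayed challenge still comes back with the right answer,
so the last two controls do most of the work. Key, TTL and limits are
assumptions for the example."""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

SECRET = os.urandom(32)          # server-side signing key (assumption: per deployment)
TTL_SECONDS = 60                 # relaying to a human costs seconds; keep the window short
MAX_SOLVES_PER_SOURCE = 3        # successful sign-ups per source address per window
WINDOW_SECONDS = 600

_used_ids = set()                # single-use bookkeeping
_solves = defaultdict(list)      # source -> timestamps of successful solves

def _sign(challenge_id, answer, session_id, expires):
    msg = f"{challenge_id}|{answer.lower()}|{session_id}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(answer, session_id, now=None):
    """Create a challenge. `answer` is the text rendered into the image; the
    server keeps no per-challenge state because the MAC commits to it."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_hex(8)
    expires = int(now) + TTL_SECONDS
    return challenge_id, expires, _sign(challenge_id, answer, session_id, expires)

def verify(challenge_id, expires, mac, guess, session_id, source, now=None):
    """Return 'ok' or the reason the solve was rejected."""
    now = time.time() if now is None else now
    if now > expires:
        return "expired"
    if challenge_id in _used_ids:
        return "replayed"
    # Recomputing the MAC with the guess checks answer and session together.
    if not hmac.compare_digest(mac, _sign(challenge_id, guess, session_id, expires)):
        return "wrong"
    recent = [t for t in _solves[source] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_SOLVES_PER_SOURCE:
        return "rate-limited"
    _used_ids.add(challenge_id)
    _solves[source] = recent + [now]
    return "ok"

def demo():
    """Walk through the cases; timestamps are fixed so the run is repeatable."""
    t0 = 1_700_000_000
    out = []
    cid, exp, mac = issue("x7kq", "sess-A", now=t0)
    # ok: a correct answer inside the TTL passes, relayed to a human or not
    out.append(verify(cid, exp, mac, "X7KQ", "sess-A", "203.0.113.5", now=t0 + 20))
    out.append(verify(cid, exp, mac, "x7kq", "sess-A", "203.0.113.5", now=t0 + 21))  # replayed
    cid, exp, mac = issue("m3pd", "sess-B", now=t0)
    out.append(verify(cid, exp, mac, "m3pd", "sess-C", "203.0.113.5", now=t0 + 5))   # wrong session
    out.append(verify(cid, exp, mac, "m3pd", "sess-B", "203.0.113.5", now=t0 + 61))  # expired
    for i in range(MAX_SOLVES_PER_SOURCE + 1):                                      # ok x3, then rate-limited
        cid, exp, mac = issue(f"ans{i}", f"sess-R{i}", now=t0)
        out.append(verify(cid, exp, mac, f"ans{i}", f"sess-R{i}", "198.51.100.9", now=t0 + 1 + i))
    return out

if __name__ == "__main__":
    print(demo())
```

The first case in demo() is the caveat in code: a correct answer that took twenty seconds to arrive is accepted whether a customer typed it or a "Melissa" player did. Expiry only makes the relay awkward; the per-source limit is what stops one spammer turning many solved puzzles into many accounts.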


August 11, 2007

Cellphone Virus Hype Podcast

Cellphone viruses: hype or hellish new threat -- a podcast I recorded for the BBC World Service Business Daily.

If you want to subscribe to an RSS feed of this podcast you can do so here, or it can be found on iTunes. My Loose Wire column for The Wall Street Journal Asia and WSJ.com, can be found here (subscription only; sorry.)

Thanks for listening, and comments, as ever, welcome.

To listen to Business Daily on the radio, tune into BBC World Service at the following times, or click here.
Australasia: Mon-Fri 0141*, 0741
East Asia: Mon-Fri 0041, 1441
South Asia: Tue-Fri 0141*, Mon-Fri 0741
East Africa: Mon-Fri 1941
West Africa: Mon-Fri 1541*
Middle East: Mon-Fri 0141*, 1141*
Europe: Mon-Fri 0741, 2132
Americas: Tue-Fri 0141*, Mon-Fri 0741, 1041, 2132

Thanks to the BBC for allowing me to reproduce it as a podcast.

July 26, 2007

Getting Ecards from Worshippers

You got to give scammers credit where credit is due. This latest wave of e-card spam at least exhibits some imagination on the part of the sender:

[Image: e-card notification spam]

At first it was from a friend, then a colleague, then a classmate; now it's neighbors and worshippers sending you ecards. Good on them. I must confess I don't worship that often, and I haven't spoken to my neighbor since the Korean-funded mistress moved out from next door, so they're not likely to dupe me. But they might dupe someone. (If I got one from a Fellow Technology Columnist, I might bite.)

Which would be bad, because the links lead to a variant of the Storm Trojan, according to Urban Legends, which will turn your computer into a zombie and do some scammer's bidding.

All this must be really hurting what is left of the e-card greetings industry (when was the last time you received an e-card? A real one, I mean?) Indeed, a press release from the Greeting Card Association warning users about these scams offers advice to recipients that is so tortured it's hard to imagine anyone would bother following it:

For consumers who are unsure if an e-card notice is legitimate, the Greeting Card Association recommends that they go directly to the publisher's website to retrieve an e-card, rather than clicking on a link within the e-mail.
-- Manually type the name of the card publisher's website URL into your browser window.
-- Locate the "e-card pick up" area on the publisher's website.
-- Take the card number or retrieval code information contained in the e-mail and enter it into the appropriate box or boxes on the publisher's e-card pick-up area.
-- If you are unable to retrieve the e-card, you will know the notification was a scam, and that it should be deleted.

Seriously. Who is going to do all that? My advice: if you care enough about the person, send them a real card. Or leave something on their Facebook wall.
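Tortured or not, the Greeting Card Association's advice has a sound idea buried in it: the link in the mail is never the way to the card, so every URL in the message is a claim to be checked against the publisher the mail says it comes from. As an added example (not part of the original post, and not any publisher's or mail filter's code), here is that check done for you rather than by you: pull the links out of a message, compare each host with the From: domain, and flag the usual tells. The two sample messages are constructed, not real Storm e-card mails; the raw-IP heuristic and the header parsing are assumptions for the example.

```python
"""Added triage of an e-card notification along the lines of the Greeting Card
Association's advice: treat every URL in the mail as a claim to be checked
against the publisher the mail names. Sample messages are constructed; the
raw-IP heuristic and header parsing are assumptions for the example."""
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_MAIL = """From: Ecard Service <admin@example-cards.com>
Subject: You've received a greeting ecard from a Worshipper!

Hi. A Worshipper has sent you a greeting ecard.
To see it, click here: http://203.0.113.44/?a6bd3f
Or copy and paste: http://example-cards.com.evil.example/ecard/
Your card will be kept at example-cards.com for 30 days.
"""

LEGIT_MAIL = """From: Ecard Service <admin@example-cards.com>
Subject: You've received a greeting ecard

Pick it up at http://www.example-cards.com/pickup and enter code 8F3K2.
"""

URL_RE = re.compile(r"https?://[^\s<>]+", re.I)
FROM_DOMAIN_RE = re.compile(r"^From:.*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I | re.M)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def claimed_publisher(mail):
    """Domain of the From: header, i.e. who the mail says it is from."""
    m = FROM_DOMAIN_RE.search(mail)
    return m.group(1).lower() if m else None

def triage_links(mail):
    """Return (url, verdict, reasons) for every link in the message."""
    publisher = claimed_publisher(mail)
    verdicts = []
    for url in URL_RE.findall(mail):
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("link is a raw IP address, not the publisher's domain")
        elif publisher and host != publisher and not host.endswith("." + publisher):
            # catches look-alikes such as example-cards.com.evil.example
            reasons.append(f"host {host} is not under {publisher}")
        verdicts.append((url, "suspicious" if reasons else "matches publisher", reasons))
    return verdicts

if __name__ == "__main__":
    for mail in (SAMPLE_MAIL, LEGIT_MAIL):
        for url, verdict, reasons in triage_links(mail):
            print(verdict, url, reasons)
```

The From: domain is itself unauthenticated, so "matches publisher" means only that the sender was consistent, not honest; the association's advice of typing the publisher's address yourself still applies to anything that passes.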

July 13, 2007

Yoggie, Yoggie, Yoggie

This week's column in the Journal (subscription only, I'm afraid) is about something called the Yoggie:  

This small computer is called the Yoggie Pico, launched May 29 by an Israeli company called Yoggie Security Systems. The idea is that you should protect your computer not by installing firewall, antispyware, antivirus and antispam software on it, but by installing all that stuff outside it. In other words, network traffic gets diverted and screened first by the Yoggie Pico, where it kills off all the bad stuff before passing the clean traffic onto your computer. The thinking, says Yoggie's marketing director Avi Dardik, is that instead of your computer being the battlefield, "the war is being waged outside the laptop."

The review is largely positive, although I did find what I believe were false alarms of weird activity -- not too important since they don't pop up and tell you. But since the review was finished I have noticed some weird behavior that Yoggie is now investigating, and which you may want to consider if you're thinking of buying.

One is that my laptop started failing to reboot -- it would stick on the startup screen and stay there until I removed the battery and let the memory drain. I am not certain the Yoggie was to blame, but it seems the likely culprit. The other thing I noticed is that the password-system is not perfect: I suspect that if you change a password (there are two -- one for the console, one for the enabling) the software may not always remember it. Certainly if you upgrade the drivers the password will reset to the default one. Yoggie say they haven't come across these quirks but have promised to investigate.

Other quibbles I didn't have time to mention: The Yoggie can get warm. And at least on one occasion dangerously hot. I would not want to use it with kids around -- ironically one group of people the product is targeting, with its parental filters. Yoggie said they are aware of this, as they are of the fact that Yoggie does not communicate with Windows' own security controls; so expect Windows to keep telling you you don't have protection even when Yoggie is running.

All that aside, I still think Yoggie is a great product. I think the idea of outsourcing security to a device sitting outside the computer is a natural one, and will, as Yoggie claim, create a new category of security device for ordinary users. Yes, it's absurd that this kind of thing has to be farmed out, but it makes a lot of sense.

July 05, 2007

China Still the Big Bad Wolf

It's not new but this chart from Sophos shows just how much of the bad stuff is coming from China. The chart shows the top ten countries hosting malware (viruses etc) in June. China is usually top, and is likely to remain so, with nearly 60% of the world's malware-hosting web pages sitting on its servers:

[Image: Sophos chart of the top ten malware-hosting countries, June 2007]

Most of these websites are legitimate sites -- they've just been hacked by the bad guys. Someone one day is going to make a lot of money cleaning up those computers.


June 29, 2007

Is That a Virus on Your Phone or a New Business Model?

This week's WSJ.com column (subscription only) is about mobile viruses -- or the lack of them. First off I talked about CommWarrior, the virus that any of you with a Symbian phone and Bluetooth switched on will have been pinged with anywhere in the world.

CommWarrior isn't new: It has been around since March 2005. But this isn't much comfort if you find yourself -- as a lunch companion and I did -- bombarded by a dozen attempts to infect our phones before the first course had arrived. So is CommWarrior just the thin end of a long wedge? Yes, if you listen to the Internet-security industry. "I can personally assure you that mobile threats are reality, and we have to start taking our mobile security seriously," says Eric Everson, who admittedly has a stake in talking up the threat, given that he is founder of Atlanta-based MyMobiSafe, which offers cellphone antivirus protection at $4 a month.

But the security industry has been saying this for years about viruses -- usually lumped together under the catchall "malware" -- and, despite lots of scare stories, I couldn't find any compelling evidence that they are actually causing us problems beyond those I experienced in the Italian restaurant.

For reasons of space quite a bit of material had to be dropped, so I'm adding it here for anyone who's interested. Apologies to those sources who didn't get their voices heard.

Symantec, F-Secure Security Labs and other antivirus companies call FlexiSPY a virus (though, strictly speaking, it isn't one: it doesn't spread by itself but has to be installed deliberately on the handset by someone with access to it). "In terms of damaging the user, the most serious issue at the moment is commercial spyware applications such as FlexiSPY," says Peter Harrison, of a new U.K.-based mobile-security company, UMU Ltd.

Not surprisingly, however, Mr. Raihan, whose company sells FlexiSPY, isn't happy to have his product identified and removed by cellphone antivirus software, though he says his protests have fallen on deaf ears. "We are a godsend to them," he says of the mobile antivirus companies. "They are fear-mongering as there is not a significant problem with viruses in the mobile space."


May 18, 2007

Cyberwar, Or Just a Taste?

Some interesting detail on the Estonian cyberwar. This ain't just any old attack. According to Jose Nazario of Arbor Networks' ASERT, the attacks peaked a week ago but aren't over:

As for how long the attacks have lasted, quite a number of them last under an hour. However, when you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack. The longest attacks themselves were over 10 and a half hours long sustained, dealing a truly crushing blow to the endpoints.

There’s some older stuff here, from F-Secure, which shows that it’s not (just) a government initiative. And Dr Mils Hills, who works at the Civil Contingencies Secretariat of the UK’s Cabinet Office (a department of government responsible for supporting the prime minister and cabinet), feels that cyberwar may be too strong a term for something that he prefers to label 'cyber anti-social behaviour'.

Indeed, what surprises him is that such a technologically advanced state — which uses electronic voting, ID cards and laptop-centric cabinet meetings — could so easily be hobbled by such a primitive form of attack, and what implications that holds:

What IS amazing is that a country so advanced in e-government and on-line commercial services has been so easily disrupted. What more sophisticated and painful things might also have already been done? What else does this indicate about e-security across (i) the accession countries to the EU; (ii) NATO and, of course, the EU itself?

This is probably just a small blip on the screen of what is possible, and of what governments are capable of doing.

(Definition of Cyberwar from Wikipedia here.)
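Nazario's point about duration is easy to miss in the raw numbers: most individual floods lasted under an hour, yet a target hit by dozens of them was effectively under attack all day, while a few floods ran for more than ten hours on their own. As an added example (not Arbor's data or code, and not part of the original post), here is the aggregation that makes both patterns visible: per-minute traffic samples are turned into attack episodes per target, and each target gets its episode count, longest episode and total minutes. The samples, the threshold and the gap that ends an episode are constructed assumptions.

```python
"""Added example of the aggregation behind Nazario's point: many short floods
against one target add up to a long-lived attack. Per-minute traffic samples
(constructed here; not Arbor's data) are turned into attack episodes per
target, so both the bursty pattern and a single sustained 10.5-hour flood
become visible. Threshold and gap are assumptions."""
from collections import defaultdict

THRESHOLD_PPS = 50_000   # packets/second far above the target's normal load (assumption)
GAP_MINUTES = 5          # quiet minutes that separate one episode from the next (assumption)

def _burst(target, start, length, pps=120_000):
    return [(start + i, target, pps) for i in range(length)]

# (minute, target, packets per second), constructed sample
SAMPLES = (
    _burst("www.example.ee", 0, 30)                        # three sub-hour bursts ...
    + [(m, "www.example.ee", 900) for m in range(30, 40)]  # ... with normal load in between
    + _burst("www.example.ee", 40, 30)
    + _burst("www.example.ee", 100, 20)
    + _burst("mail.example.ee", 0, 630)                    # one sustained flood, 10.5 hours
)

def episodes(samples, threshold=THRESHOLD_PPS, gap=GAP_MINUTES):
    """Map target -> list of (start_minute, end_minute) over-threshold episodes."""
    hot = defaultdict(list)
    for minute, target, pps in samples:
        if pps >= threshold:
            hot[target].append(minute)
    result = {}
    for target, minutes in hot.items():
        minutes.sort()
        eps = []
        start = prev = minutes[0]
        for m in minutes[1:]:
            if m - prev > gap:          # a gap longer than GAP_MINUTES closes the episode
                eps.append((start, prev))
                start = m
            prev = m
        eps.append((start, prev))
        result[target] = eps
    return result

def summary(samples):
    """Per target: number of episodes, longest single episode and total attack minutes."""
    out = {}
    for target, eps in episodes(samples).items():
        durations = [end - start + 1 for start, end in eps]
        out[target] = {
            "episodes": len(eps),
            "longest_min": max(durations),
            "total_min": sum(durations),
        }
    return out

if __name__ == "__main__":
    for target, stats in summary(SAMPLES).items():
        print(target, stats)
```

Reporting only "longest episode" would describe www.example.ee as three short nuisances; "total minutes" shows it lost most of two hours. Both numbers belong in an incident summary.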

 

December 14, 2006

What Probably Won't Happen in 2007

The BBC has asked me to make some predictions about the coming year, something I'm always loath to do because I seem to get it wrong. Anyway, here are my notes. They're based in part on my own bath-time musings, and partly inspired by the thoughts of others (tried to credit them where relevant.)

1999 just took longer than we thought, that's all

Web 2.0 is not just about AJAX, mashups, blogs and all that. It's about building a platform. That's now been done. All we need to do now is let people use it. That is already happening, but it will REALLY happen in 2007:

Delivery will get better

RSS will stop being something we have to keep explaining to people, because they'll be using it. It will be seamless -- a way for anyone to join something, whether it's a newsletter, a service, a MySpace group. It will stop being known as Rich Site Summary or Really Simple Syndication and be Really Simple, Stupid.

Content will get better

The real improvement in computers will be the rise of dual- and quad-core processors, i.e. a single chip that contains more than one processing core. Think of it as the computer having more than one brain. This will speed up, and make easier, the editing of video and other multimedia content. Our computer, in a word, will no longer be an expensive typewriter. With faster connection speeds, too, video will be the thing that really makes the Internet compelling to people who were previously uninterested. What we watch on YouTube will get better. Individuals will have their 15 megabytes of fame. But this will couple with a rise of content generated specifically for the Internet, further blurring the lines between TV and computer viewing. Silicon Valley is no longer a tech center, but a media one.

The demise of big software

The rise of online applications will in turn blur the distinction between what is going on in your computer and what is going on at the other end of the line -- the server. Vista will seem more like a farewell than a big hello, as big software from big companies locking in users to specific ways of doing things will give way to open source alternatives like Ubuntu. Microsoft will fight this tooth and nail, but I'm sure they already know it.

The mainstreaming of social media

 Web 2.0 is really all about breaking down barriers by making it easier to do stuff, and to mix it up with other people doing stuff. In a way what the Internet has always been about. Expect the influence of blogs to further pervade those last few citadels that have been resisting it, breaking down walls within organizations -- internal blogs that flatten hierarchies and build up feedback mechanisms for employees to talk back to their bosses. Think government departments. Think universities, schools and anywhere else where hierarchies exist. This won't be a one way street: anonymous bloggers in places like Microsoft and China may find themselves outed and lynched.

The rise of the maven

As the Web gets bigger, Google will need to reinvent itself to keep up. Web 2.0 offers some great ways to find stuff through other means, leveraging the knowledge of others who have gone before. We will acknowledge the contribution, and marketers will acknowledge the power, of the maven: the person who seems to somehow know stuff, and is ready to share it. Tagging, blogging, and other social tools will be recognized as extremely powerful ways to do this.

The demise of the big computer

The cellphone will get better at what it does, and we'll grow to trust it more. We'll stop calling it a cellphone and just call it a wearable device, or something snazzier I can't think of right now. One day we'll think it quaint that we had to sit in one place to do stuff, or near an outlet, or within range of a WiFi signal. Cellphones don't have those limitations and this will start to hit home in 2007:

Teenagers will show us the way. Again

They're already sharing everything via Bluetooth, creating networks on the fly (that, incidentally, fly under the radars of commercial networks and marketers). They share videos, ringtones, songs, games, either by exchanging content or playing against each other.

Space-shifting

The cellphone has already redefined what space is, and that will continue. Sexual liaisons involving public figures will be recorded by one party as insurance against future hard times. Cellphone television will become more popular, not just because it's mobile but because it's personal, a time to be alone under the sheets, on a bus, waiting for a friend, stuck in traffic. Maybe not this year, but soon they'll be pluggable into the hotel TV. This is tied into the idea of personal space being something you control, either through presence, or through intermediary services where you only ever hand out personal details of your virtual self.

The End of the iPod

The iPod will decline in importance as the music-phone takes center stage. I didn't think this would happen because cellphone manufacturers mess up the software on the phone, but they're getting better at it. Even Nokia. So expect most people, starting with teenagers who don't want more than one gadget and probably can't afford them, to switch to one device. This will again throw open the mobile music/MP3/DRM debate, and iTunes will start to look a bit wobbly until Apple gets something sorted out so non-iPod users can download from the site easily and cheaply.

The downsides

It's not all fun and games. Bad things are going to continue to happen, and there's not much we can do about them. It's partly just the normal process of utopians being pushed aside by realists, but it's also about an ongoing debate about how to, or whether to, police a space that seems largely unpoliceable.

A dual identity crisis

Mainstream media's identity crisis will be compounded by an identity crisis among bloggers. The rise of pay-me blogging, where bloggers get paid for writing about specific companies or products, will lead to some scandals and make people explore more deeply the ethics of blogging, and how they're not that much different to the ethics developed by journalists over several hundred years. This won't however, lead to the demise of blogging, but the rise of a sort of online press corps, with its own associations and rules, both written and unwritten. Many bloggers will end up being journalists, and the best journalists will move effortlessly and happily through the blogosphere. Many already do.

Keep up, grandma

Things are moving so fast the slow will look like they're running backwards. If 2004-6 were anything to go by, 2007 will move quite quickly. Some folk I spoke to said that not much has popped up this year that's exciting, and that's true, in a boiling frog type way. It's the earth shifting that is changing, and we need to change with it. Young people just get it, but us digital immigrants need to not just learn the lingo but keep up with the fast-changing slang. Oh, and MySpace won't be the place to hang out in 2007; it'll begin to look like a sad school hall dance arranged by the teachers.

The Rise of the Snoop

We tend to make a distinction between these things, but they're actually all part of the same thing. Spam is getting worse, and it's not just an invasion of privacy but an invasion of our productivity (91% of email is spam.) Music and video files will also rise as vectors of trojans, malware and other PUPs. GPS devices married to phones will enable people to track their employees, spouses or offspring, and further empower stalkers. Cellphone monitoring devices like FlexiSpy will get better at distributing themselves, and will be powerful not just in the hands of eavesdropping acquaintances but identity thieves. The rise of virtual worlds will also lead to the rise of virtual identities and virtual identity theft, along the lines of CopyBot. Expect to see cellphone eavesdropping and data theft from cellphones to surge. And we'll start to realize that Google isn't as cuddly as it looks; it's a snoop, too.

November 29, 2006

Loose Bits, Nov 28 2006

From my PR intray, some surprisingly interesting little odds and ends:

LocalCooling is a 100% free power management tool from Uniblue Labs that allows users to optimize their energy savings in minutes and as a result reduce greenhouse gas emissions. The software "automatically optimizes your PC's power consumption by using a more effective power save mode. You will be able to see your savings in real-time translated to more environmental terms such as how many trees and gallons of oil you have saved."

Electronic Arts Inc. today announced SimCity for mobile, which "lets mobile phone users create and manage the growth of a living city in the palm of their hands. Originally created by Will Wright, SimCity is now available on major U.S. carriers." Not sure how this works, as there's nothing yet on EA's site. It does sound a bit like milking a cash cow or is it flogging a dead horse?

CyberDefenderFREE is "a full internet security suite that can operate standalone, or complement existing security software to add an existing layer of early-alert security to the desktop." As far as I can work out, this is a competitor to Windows Defender although it seems to include a collaborative element, where users report either manually or automatically dodgy software and sites they've come across. I think.

 

August 29, 2006

Drive Safely

This is probably the way to go with USB drives — security features that the user has to follow, or else the device won’t work.  Verbatim’s new Store 'n' Go Corporate Secure USB Drives’

mandatory security features safeguard all device contents with a complex password. Hack resistant feature locks down device after 10 failed logon attempts, protecting your data from dictionary or brute force hack attempts.

Of course, Verbatim are aiming this at corporate and government types, but I’d be interested to see this kind of thing used by ordinary folk too, perhaps as part of a handshake between host computer and USB drive. Internet cafes, public terminals at airports etc could encourage users to plug in their drives (as opposed to either blocking the ports or hiding them) so long as they have certain security features in place to prevent transmission of viruses, sending of spam or botnet controlling, or whatever bad people do at public computers.
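The lockout is the interesting claim in that blurb, and it only works if the failed-attempt counter lives on the device, survives a power cycle, and can't be reset from the host. As an added example (not Verbatim's firmware, and not part of the original post), here is a model of that design: the data key is wrapped under a password-derived key, the counter sits on the device beside the wrapped key, and the tenth failure zeroizes the wrapped key so the contents are gone for good. The XOR key wrap and the PBKDF2 parameters are simplifications and assumptions for the example.

```python
"""Added model of a password-locked drive with the lockout the Verbatim blurb
describes. The data key is wrapped under a password-derived key, the failed-
attempt counter is stored on the device beside the wrapped key so it survives
power cycles, and the tenth failure zeroizes the wrapped key. This is not
Verbatim's firmware; the key-wrap method and PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os

MAX_FAILURES = 10
PBKDF2_ITERATIONS = 100_000   # assumption; this cost is what slows an offline guess

class SecureDrive:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.data_key = os.urandom(32)          # encrypts the contents (not modelled);
                                                # kept here only so the demo can compare
        kek = self._derive(password)
        # Wrap by XOR: acceptable here only because kek is full-length and used once;
        # firmware would use AES key wrap.
        self.wrapped_key = bytes(a ^ b for a, b in zip(self.data_key, kek))
        self.check = hmac.new(kek, b"unlock-check", hashlib.sha256).digest()
        self.failures = 0                        # lives on the device, not in the host driver
        self.zeroized = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    def unlock(self, password):
        """Return the data key on success, None on failure or after zeroization."""
        if self.zeroized:
            return None
        kek = self._derive(password)
        expected = hmac.new(kek, b"unlock-check", hashlib.sha256).digest()
        if not hmac.compare_digest(self.check, expected):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.wrapped_key = bytes(32)     # zeroize: contents now unrecoverable
                self.zeroized = True
            return None
        self.failures = 0                        # a success resets the counter
        return bytes(a ^ b for a, b in zip(self.wrapped_key, kek))

def demo():
    """One good unlock, ten bad guesses, then the right password again."""
    drive = SecureDrive("correct horse battery")
    first_ok = drive.unlock("correct horse battery") == drive.data_key
    for _ in range(MAX_FAILURES):
        drive.unlock("password123")
    return first_ok, drive.zeroized, drive.unlock("correct horse battery")

if __name__ == "__main__":
    print(demo())
```

The caveat: the counter defeats guessing through the device's own interface and nothing else. Someone who desolders the flash gets salt, wrapped key and check value and can guess offline as fast as the KDF allows, so the password still has to be a good one, and a counter kept in the host driver rather than on the device would be worth nothing at all.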

July 24, 2006

The Email Hole

Email is not something to get too upset about, until you lose one to downtime by your provider of choice. And then you realise that it is too important to be left to free services, or even a domain hoster.

I use a hoster called Hostway, and they went spectacularly down last week. (This despite the fact, or perhaps because of it, that Hostway launched a new service recently offering 150 GB of space for $10 a month.) It was only about a day, but several domains I based there lost email access when their storage failed. Now I have no idea who might have been trying to reach me and couldn't because of bounced emails, what newsletters I've been removed from because of bounced emails, or what email newsletters I may have missed.

Now this kind of thing happens, but it made me realise that losing one email is the same as losing all of them if you don’t know which email it is, since it may be the important one you’ve been waiting for offering you money/marriage/a new nose. Email is different to hosting a website: a website can go down, and you’ll lose some traffic, but it will come back up again. Email is a stream of discrete bits of information, and there’s no way of telling whether there are any missing.

In short, a good hoster needs to guarantee that, should something go wrong, no email is left behind. Hostway have so far not been able to assure me of that. They say that emails lost during the outage have been recovered, but as far as I can work out that does not refer to those lost because of the outage — in other words, those emails that were stored on their servers and not recovered by users before the outage hit. (Emails to their technical staff about this were responded to with pasted notifications from their support team, which didn't address this issue.)

This surprises me, but shouldn’t. They are listed by Netcraft as the second most reliable hoster last month and I’ve not had many problems with them. But they are a domain hoster, which means that bullet-proof email is not top of their priorities. As Syd Low of AlienCamel puts it (declaration of interest: I’ve been using Syd’s email service the past few years, and it’s rock solid), there are three types of email service: bundling services (like Hostway), free services (like Gmail) and paid services (like AlienCamel) which provide Web access, lots of redundant backups to make sure no email goes missing, plus anti-spam, anti-virus and anti-phishing features.

My lesson from all this: email is too important to entrust to people who don’t take it seriously, or who aren’t getting money for your business. Of course, no one wants to pay for something they’re getting for free, or more cheaply, but sometimes free and cheap is not enough.

June 27, 2006

Suspected Fraudsters Behind the Sony DRM Virus Arrested

Three men have been arrested in the UK and Finland following an investigation into internet fraud. The three are a motley bunch, according to The Sunday Times: a 63-year-old from England, a 28-year-old from Scotland and a 19-year-old from Finland. Together they are alleged to have formed a gang called M00P. They are accused of being behind a virus known as Ryknos, Breplibot or Stinx-Q, which apparently allowed the gang access to commercial information through a back door. Thousands of computers, most of them in the UK, were infected. Infection here means total control over the computer in question. The virus was first spotted in November 2005.

What's particularly interesting about this, and doesn't seem to be mentioned in the mainstream press, is that the virus used a vulnerability created by Sony's much despised DRM copy-protection software — a program installed as part of the player software on Sony's CDs, which would secretly install a rootkit designed to stop the CD being copied more than a limited number of times. The virus piggybacked on that rootkit's ability to hide files from the user and from security software, so unless users who had installed Sony's software had removed it, they were at the virus' mercy.

The virus was well targeted and used clever social engineering tricks. It was tailored to businesses, disguised as a requested update for a photo attached to an email that read, in part, “Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.” Who’s not going to click on that? I know I nearly did.

If those detained were involved, it’ll be interesting to hear what they’ve got to say about the Sony rootkit (which has long been abandoned). Great piece on the saga by Wade Roush in this month’s Technology Review.

May 29, 2006

A Patch in Time?

Further to my earlier post about what I felt was Symantec’s somewhat tardy and insubstantial public response to the discovery of a serious vulnerability in its own Antivirus software, I don’t feel much more at ease after an email exchange with their PR folk. First off, Symantec has, by midday in the Asian day, come up with a fix which can be downloaded here. “Symantec product and security teams,” the media statement says, “have worked around the clock since being notified of this issue to ensure its customers have the best protection available.”

That’s good. And quick. But not, I fear, good enough in PR terms. Why has Symantec worked around the clock to find a solution but not made the same effort to let interested people know of the problem in the first place? There’s been no press release on the web site, for example, only a media statement emailed to those journalists who enquire. When I asked Symantec’s PR about this, and requested a comment on my original post, all I got was a copy of the media statement and a link to the original security advisory. So I asked where I could find the “media statement” online, somewhere customers, readers, users and the media could find it. Their response: “Symantec posts security advisories [here]. Please contact Symantec Public Relations for any information you need.”

Sorry, but I don’t think this is sufficient. Security advisories are for specialists. This is not a specialist problem. It’s a vulnerability that affects everyone who uses the software, and people need to know about it. (A Google search throws up more than 130 stories on the topic.) Symantec, I feel, needs to be upfront about the problem and blanket everyone with information, not bury it. Symantec occupies a hallowed position in the Internet world, since journalists, users and others turn to it for supposedly objective views on the state of Internet security. Symantec makes the most of this position, straddling telling us about the problem and selling us the solution for it.

Perhaps I’m overstating things here, but I feel Symantec has let us down. I need to know that if I’m entrusting Symantec with defending my valuable data and office network, it’s going to tell me if there’s a problem with that defence. It’s no good hiding behind a line like the one Symantec PR gave in its response to my email: “There are no exploits of this vulnerability. Symantec strongly recommends customers to follow best practices and apply the patches as soon as they become available from Symantec.” First off, what that means is that there are no known exploits. I don’t see how Symantec can be 100% sure of this. One has to assume that if there’s a hole in your defensive wall, someone is going to see it. Especially if it’s been publicised. Now the world has known there is a problem with Symantec’s software since Thursday. It’s now Monday. I’m assuming the bad guys too read these websites and news agencies.

So while the argument that you should throw all your effort into plugging the hole and then telling your customers you’ve built a plug might work if the vulnerability wasn’t publicised, this wasn’t the case. It was splashed all over the shop. Symantec’s position on this process is “that we are responsible for disclosing product vulnerabilities to our customers, but in general, no vulnerability should be announced until we have developed and thoroughly tested a patch and made it available to licensed customers.” (For a list of all Symantec product vulnerabilities, look here.) This clearly wasn’t going to happen here, because the vulnerability was already made public, for better or worse. And the process of “disclosing product vulnerabilities to our customers” seems to be somewhat weak here; if the vulnerability is an obscure one, perhaps an advisory might work. But more people than just a sysadmin needed to know what was happening and yet no one, unless they really looked on Symantec’s site, was any the wiser. Still aren’t, actually, since no press release is available.

Some lessons in here. Sometimes just keeping readers, journalists, bloggers, customers in the loop helps, even when it’s bad news.

May 27, 2006

Symantec's Hole

I am starting to be a bit concerned about the future of blogs, but there’s no question a blog is the best way to get information out to people quickly, especially if it’s about the Internet, technology or tech-related stuff. It needn’t be a blog, but it needs to share the blog’s most powerful features – speed, easy to use and easy to find, and deliverable by the best mechanism we’ve come across so far: RSS.

Case in point: Symantec, one of the world’s biggest makers of antivirus software, are red-faced after EEye Digital Security revealed on Thursday that it had found a software vulnerability inside Symantec's Anti-Virus Corporate Edition 10.0. As darkreading says, the vulnerability requires no user intervention and could be used to create a worm. This is an important event, and Symantec need to let their customers, and people in general, know about this as soon as possible. So why is the company’s website making no reference to the exploit, except for a “Symantec Client Security and Symantec AntiVirus Elevation of Privilege”, which cannot mean anything to anybody except the smallest circles (an Elevation of Privilege is, according to Microsoft, “the process by which a user obtains a higher level of privilege than that for which he has been authorized. A malicious user may use elevation of privilege as a means to compromise or destroy a system, or to access unauthorized information.”)

No mention in the heading of a vulnerability, or a problem with the very software that is used by a lot of people. Unless you really know what you’re looking for, the advisory doesn’t really shed much light on the issue. Nor does Symantec’s main website: While the main page includes a link to the advisory under its Recent News tab on the left of the page, with the less than informative “AntiVirus Notice: Norton Customers Not Affected; Advisory for Corporate Customers”, I could find no press release two days after the vulnerability had been found and been acknowledged by Symantec. The latest Symantec news release is from Wednesday, the day before the vulnerability was found, and there’s nothing there I can find that relates in any way to the issue at hand. This despite there definitely being a statement out there, because eWeek quote a statement from a Symantec spokesman sent to the magazine.

I’m requesting a comment from Symantec to see what they say about this. Apologies if I’ve missed something here, but my feeling is that Symantec need to be very upfront about this kind of thing — a vulnerability in a piece of software its customers rely on to keep out the bad stuff — and to inform readers, journalists, users and investors in a faster, more open and more informative way than they did so far. A blog would be the perfect place to start.

May 26, 2006

From the Ashes of Blue Frog

The Blue Frog may be no more, but the vigilantes are. Seems that despite the death of Blue Security in the face of a spammer’s wrath, the service has built an appetite for fighting back. Eric B. Parizo of SearchSecurity.com reports on a new independent group called Okopipi who intend “to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends "unsubscribe" messages to spammers and/or reports them to the proper authorities.”

Okopipi has already merged with a similar effort known as Black Frog and has recruited about 160 independent programmers, who are dissecting the open source code from Blue Security's Blue Frog product. The idea seems to be the same: by automatically sending opt-out requests to Web sites referenced in received spam messages, it aims to over-burden the spammer’s servers (or those of the product he’s advertising) as a deterrent and an incentive to register with Okopipi. By registering, the spammer can cleanse his spam list of Okopipi members.

Some tweaks seem to be under consideration: Processing will take place on users’ machines and then on a set of servers which will be hidden to try to prevent the kind of denial-of-service attack that brought down Blue Frog.

Possible problems: I noticed that some of the half million (quite a feat, when you think about it) Blue Frog users were quite, shall we say, passionate about the endeavour. These are the kind of folk now switching to Okopipi. This, then, could become an all-out war in which a lot of innocent bystanders get burned. The Internet is a holistic thing; if Denial of Service attacks proliferate, it may affect the speed and accessibility of a lot of other parts of it, as the Blue Frog experience revealed. (TypePad was inaccessible for several hours.)

Another worry: Richi Jennings, an analyst with San Francisco-based Ferris Research, points out on Eric’s piece that project organizers must ensure that spammers don't infiltrate the effort and plant backdoor programs within the software. “If I'm going to download the Black Frog application,” Jennings said, “I want to be sure that the spammers aren't inserting code into it to use my machine as a zombie.” I guess this would happen if spammers signed up for the service and then fiddled with the P2P distributed Black Frog program.

Another problem, pointed out by Martin McKeay, a security professional based in Santa Rosa, Calif., is that spammers will quickly figure out that the weak link in all this is that it rests on there being a legitimate link in the email for unsubscribing, and that spammers will just include a false link in there. Actually I thought the link Blue Frog used wasn’t the unsubscribe link (which is usually fake, since if it weren’t it would pull the spammer back within the law) but the purchase link. How, otherwise, would folks be able to buy their Viagra?

One element I’d like to understand better is the other weakness in the Blue Frog system: That however the process is encrypted, spammers can easily see who are members of the antispam group by comparing their email lists before and after running it through the Blue Frog/Black Frog list. Any member who is on the spammer’s list will now be vulnerable to the kind of mass email attack that Blue Frog’s destroyer launched. How is Okopipi going to solve that one?

May 17, 2006

The Blue Frog Burps His Last?

Bobbie Johnson, technology correspondent at The Guardian, is reporting that Blue Security is killing off the Blue Frog, saying it “could no longer continue to operate in the face of an escalating threat to the internet from a malicious Russian spammer known only as PharmaMaster.” The Blue Frog had been under serious attack from PharmaMaster, knocking it and much of Canada off the air via Denial of Service attacks on its servers.

Eran Reshef, the founder of Blue, said his company, which recently drew $4.8m (£2.5m) in funding and counts several senior industry figures as directors, was simply unable to become trapped in a war against a criminal group. "This is something that's really got to be left to governments to decide. To fight the spammers you really need to spend $100m."

Reshef is quoted as saying "it's a dirty little secret that there is no real way to totally prevent denial-of-service attacks - if the attacker is prepared to put enough money in, then they can beat you every time."

A surprising conclusion, if true (Bobbie has checked around and says it is so.) Certainly I think Reshef is right that it’s up to governments to deal with this kind of thing; Blue Frog was good in principle, but its supporters began to sound more like vigilantes than a serious and kosher effort to combat spam.

May 13, 2006

Mapping Trends With Google

Google’s new Trends search is a lot of fun, and useful too. See how some things have taken off over the past couple of years, like Web 2.0:

[Google Trends graph: Web 2.0]

and Wikipedia (the lower graph is for volume of related pieces on Google News, the upper for ordinary Search):

[Google Trends graph: Wikipedia]

while others, such as WiMax, are more gradual:

[Google Trends graph: WiMax]

Interest in others, meanwhile, seems to have peaked. 2005, for example, seems to have been RSS’ year:

[Google Trends graph: RSS]

whereas folk started to get less obsessed about spam in 2004:

[Google Trends graph: spam]

Some terms just seem to have leapt out of nowhere, such as “botnet”:

[Google Trends graph: botnet]

while almost the whole history of interest in others, like phishing, is captured in the three and a half years covered by Google Trends:

[Google Trends graph: phishing]

May 12, 2006

Spammers Get Authenticated

Until now, most spammers sent their stuff through open relays — Internet-connected computers that were either unprotected, or else had been compromised by viruses or trojans into sending the spam without the owner being aware. But that is changing, says AppRiver, and it has big implications for how spammers work and may render useless today’s big thing: email authentication.

Up until now, AppRiver says, ISPs could presume that if they forced a system to authenticate their message before sending it, they could be trusted because spammers couldn't have access to the authentication mechanism. Authenticating a message basically means you must use a password to send an email as well as to receive it. Before, so long as you knew the correct server for your ISP, you didn’t need a password.

What the bad guys are doing now, AppRiver says, is hacking into the ISPs, figuring out those passwords, and then sending their email through those compromised accounts. This is not only a security risk, it increases the chance for the spammer that those emails will now get through, since they come from what are called “trusted systems” — email servers that require authentication. A survey in April by the Email Sender and Provider Coalition found that 16 of the 18 top U.S. ISPs were applying authentication to outgoing e-mails, and eight of those ISPs were also checking for inbound authenticated e-mail and applying some sort of filter to the mail as a result, according to ClickZ News.

AppRiver's Chief Science Officer, Peter McNeil, predicts that as this tactic becomes widespread, sender reputation services touted by the big boys — Microsoft’s Sender ID, for example — would effectively wither on the vine. In the meantime, it’s going to mean that for those spammers who have perfected this new art, their junk is more likely to get through than other junk because it appears to be authenticated. (More on all this at SearchSecurity.com, which wrote a piece on it while I was still trying to figure it out.)
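As an added example (not from the original post, AppRiver or any ISP), here is the kind of check a mail provider could run over its own submission logs to catch the pattern described above: a password that has been guessed and is then used to push bulk mail through the provider’s authenticated, “trusted” server. The log format, field names, accounts and addresses are all constructed for the example.

```python
"""Flag mail-submission accounts that look compromised.

The log lines below are constructed for this example and only loosely
resemble a submission server's authentication log; the field names are
assumptions, not any real product's output.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) submit: client=(?P<ip>[\d.]+) user=(?P<user>\S+) "
    r"rcpts=(?P<rcpts>\d+) result=(?P<result>\w+)$"
)

# Constructed sample: alice behaves normally; carol's account is being
# password-guessed from several addresses; bob's credentials have already
# been taken and are used to send large bursts from many client IPs.
SAMPLE_LOG = """\
2006-05-12T08:01:10 submit: client=203.0.113.5 user=alice rcpts=1 result=accepted
2006-05-12T08:03:42 submit: client=203.0.113.5 user=alice rcpts=2 result=accepted
2006-05-12T08:04:50 submit: client=198.51.100.7 user=carol rcpts=0 result=auth_failed
2006-05-12T08:04:51 submit: client=198.51.100.8 user=carol rcpts=0 result=auth_failed
2006-05-12T08:04:52 submit: client=198.51.100.9 user=carol rcpts=0 result=auth_failed
2006-05-12T08:04:53 submit: client=198.51.100.9 user=carol rcpts=0 result=auth_failed
2006-05-12T08:05:00 submit: client=198.51.100.7 user=bob rcpts=250 result=accepted
2006-05-12T08:05:03 submit: client=198.51.100.9 user=bob rcpts=250 result=accepted
2006-05-12T08:05:06 submit: client=192.0.2.44 user=bob rcpts=250 result=accepted
2006-05-12T08:05:09 submit: client=192.0.2.45 user=bob rcpts=250 result=accepted
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["rcpts"] = int(event["rcpts"])
            events.append(event)
    return events


def summarize(events):
    """Per-account totals: recipients sent, distinct client IPs, failed logins."""
    stats = defaultdict(lambda: {"rcpts": 0, "ips": set(), "failures": 0})
    for e in events:
        s = stats[e["user"]]
        if e["result"] == "accepted":
            s["rcpts"] += e["rcpts"]
            s["ips"].add(e["ip"])
        else:
            s["failures"] += 1
    return stats


def flag_suspicious(stats, max_rcpts=500, max_ips=2, max_failures=3):
    """Return {account: [reasons]} for accounts that exceed any threshold.

    Thresholds are illustrative; a real deployment would derive them from
    each account's own history rather than fixed numbers.
    """
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["rcpts"] > max_rcpts:
            reasons.append("sent to %d recipients (limit %d)" % (s["rcpts"], max_rcpts))
        if len(s["ips"]) > max_ips:
            reasons.append("authenticated from %d client IPs (limit %d)" % (len(s["ips"]), max_ips))
        if s["failures"] > max_failures:
            reasons.append("%d failed logins (limit %d)" % (s["failures"], max_failures))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_suspicious(summarize(parse_log(SAMPLE_LOG))).items():
        print(user, "->", "; ".join(reasons))
```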

May 08, 2006

The Red-faced Blue Frog

What’s intriguing about this Blue Security/Blue Frog episode, where angry spammers attack the anti-spam company with a Distributed Denial of Service (DDoS) attack, which in turn directs traffic (unwittingly or wittingly, it’s not clear yet) and temporarily brings down blog hoster TypePad, is this: The guy behind Blue Security, Eran Reshef, is founder of Skybox, a company “focused on enabling the continuous enterprise-wide assessment of vulnerabilities and threats affecting corporate networks.”

This is at best somewhat embarrassing for Reshef, and for Blue Security, at worst it exposes him and the company to ridicule and lawsuits. Getting involved in battling spammers is not a task taken on lightly, and the one thing that Blue Security had going for it was that it seemed to know what it was doing. Users download software and register their email addresses in a central database. Spammers are encouraged to remove those email addresses; if they don’t, the software will respond to subsequent spam by visiting the website advertised and automatically filling the order form. If enough people have the software running this, in theory, creates an overwhelming amount of traffic for the spammer and brings their business to a halt. Blue Security now says it has tens of thousands of members.

But then came last week’s attack. Reshef initially said that no such DDoS took place on the www.bluesecurity.com server, something contested by some analysts. He has since said that a DDoS did take place, but against operational, back-end servers and not connected to his company’s front door. This, he said, he only spotted later. He says that when he redirected traffic to his blog at TypePad there was no DDoS on the bluesecurity.com website; that, he says, came later. This appears to be borne out by web logs provided to TechWeb journalist Gregg Keizer.

Blue Security’s handling of this raises more questions than it answers. Many are highly technical and not ones I understand. But there are some basic ones. Was the company not prepared for spammers to retaliate? Did it not have any procedures in place? Why did it redirect traffic to TypePad without informing them first? Why did it not coordinate closely with its ISP? And why, given Reshef’s expertise on DDoS attacks with Skybox, was he not able to spot the DDoS attack on his backend servers?

May 06, 2006

The Blue Frog vs PharmaMaster

I’ve been trying to make some sense of this recent drama involving Blue Security, an anti-spam registry that effectively tries to deter uncooperative spammers by overwhelming their servers, and recent outages at TypePad and LiveJournal apparently caused by a revenge attack by spammers on Blue Security. (Here’s some more information on Blue Security and the Blue Frog.) The outages were caused when Blue Security redirected the spammers’ attacks on its website to the company’s blogs which were hosted on TypePad and LiveJournal.

So what really happened?

  • Blue Security’s web site has been under attack for most of this past week, via a distributed denial-of-service (DDoS) attack which basically tries to overwhelm a site with traffic sent from as many computers as possible (the site is now back up);
  • To try to deflect the attack, which effectively suspended its service, Blue Security changed its Internet address to its TypePad blog;
  • This overwhelmed SixApart’s servers, temporarily affecting all its blogging services, including TypePad and LiveJournal;
  • Meanwhile, spammers presumably linked to the DDoS attack sent threatening emails to, apparently, anyone on the list of the Blue Security do-not-intrude registry. Blue Security works by building a network of users who report spam. The source of the spam is then contacted and then asked to remove all email addresses of its members from their spam lists. If they fail to do so, software installed on users’ computers fills out forms on websites linked to in any subsequent spam, creating a wave of traffic to the spammer’s web site, that, in theory, brings the spammer’s activities to a stop.
  • The spammer, or another spammer, then contacted Blue Security via ICQ instant message, to taunt and threaten the company, apparently in a bid to stop its activities.
  • The spammer, or another spammer, has also been sending emails containing Blue Security contact and registration information. This might have been done in the hope of getting recipients to complain to those email addresses and phone numbers to further overwhelm the company’s resources.

This account is not uncontested. According to a Blue Security press release:

  • Blue Security claims that it was not the victim of a DDoS attack, but that the spammer — identified as PharmaMaster — persuaded a staff member of a top-tier Internet Service Provider to block Blue Security’s IP address at the backbone. This would have blocked all traffic from outside Israel, where the Blue Security web site is located.
  • Blue Security then closed its web site and posted a note on its blog (hosted elsewhere.)
  • Shortly afterwards, Blue Security says, PharmaMaster launched a DDoS attack on any site associated with Blue Security, causing outages at five top hosting providers, a major DNS provider and a popular blog site.
  • Blue Security has denied reports, including one by the Associated Press, saying that its do-not-intrude lists have been compromised. Blue Security works by allowing compliant spammers to run its email list through a program which compares it with a special encrypted list of Blue Security members. While the spammer is not able to see or access the Blue Security list, Blue Security members’ email addresses will be removed from the spammer’s list. This is done, in part, so individual Blue Security members are not then known to a spammer, and so the spammer cannot gain access to the Blue Security registry for spamming purposes. The AP report suggests the spammer has figured out a way to work out which email addresses belong to Blue Security members by merely comparing its own list before and after running it through the Blue Security removal process. Those email addresses no longer on the spammer’s list must be Blue Security members, the report says.
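The weakness the AP report describes here, and the one I asked about in the Okopipi post above, can be shown in a few lines: hashing the registry keeps the members’ addresses hidden, but the removal step’s output still tells the spammer exactly which of his own addresses are members. This is an added example, not Blue Security’s or Okopipi’s code; the salt, the scrubbing routine and every address in it are constructed.

```python
"""Why a 'scrub your list' service leaks membership, even with a hashed registry."""
import hashlib

# Constructed salt. A real registry would keep this secret next to the hashes,
# but, as shown below, that secrecy does not protect the members.
SALT = b"frog-example-salt"


def hash_address(addr):
    """Opaque token for an address: the spammer is handed these, never the addresses."""
    return hashlib.sha256(SALT + addr.strip().lower().encode()).hexdigest()


def build_registry(members):
    """The 'special encrypted list' of members: a set of salted hashes."""
    return {hash_address(a) for a in members}


def scrub(spam_list, registry):
    """The removal service: the spammer's list with every registered address dropped."""
    return [a for a in spam_list if hash_address(a) not in registry]


def infer_members(before, after):
    """The spammer's side of the weakness: whatever vanished must be a member."""
    return set(before) - set(after)


# Constructed data. Note that "cat" is a member but was never on this
# spammer's list, so this run does not expose her: each spammer learns only
# the intersection of the registry with his own list.
MEMBERS = ["ann@example.org", "ben@example.net", "cat@example.com"]
SPAM_LIST = ["ann@example.org", "dan@example.org", "Ben@example.net", "eve@example.com"]


def demo():
    """Run one scrub and return (cleaned list, addresses the spammer now knows are members)."""
    registry = build_registry(MEMBERS)
    cleaned = scrub(SPAM_LIST, registry)
    leaked = infer_members(SPAM_LIST, cleaned)
    return cleaned, leaked


if __name__ == "__main__":
    cleaned, leaked = demo()
    print("list after scrubbing:", cleaned)
    print("spammer can now tell these are members:", sorted(leaked))
```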

This account is contested by some security analysts, who point out what they say are some inconsistencies in Blue Security’s account:

  • Elsewhere Blue Security’s Eran Reshef acknowledges that Blue Security didn’t just post a note on its blog, but redirected traffic from its bluesecurity.com URL to the TypePad blog. He is quoted as saying he didn’t anticipate that the spammer would launch a DDoS attack on such a large player. “I didn't think he was so crazy as to attack them,” said Reshef. This raises the question: Was this done before or after the DDoS began? Reshef says it was.
  • If Blue Security’s routing was changed internally, as Blue Security suggests, there should be a record. One analyst says he can find no record of anything “fishy.”

Blue Security clearly has its supporters. An article on one website has received, at the time of writing, more than 200 comments. The Blue Security blog’s single post received more than 100 before comments were closed.

Perhaps one of the most interesting aspects to all this is how clearly at least one spammer perceives Blue Security as a threat to its business. Not only is it trying to scare the company and members of its registry into abandoning their approach, but it is also adopting more open tactics: contacting the target directly via ICQ, perhaps in an effort to intimidate or negotiate, and to email and post comments to the above websites to try to scare members into removing their names from the registry and uninstalling the software that returns spam to the sender’s servers.

You don’t need to agree with Blue Security’s tactics to acknowledge they must be making some kind of impact for this to happen. What is perhaps a little bit scary is that Blue Security don’t seem to have been ready for this attack, and reveal some naivety and lack of understanding about how the Internet works by merely redirecting the assault to other servers. Not only would this not solve their problem, it also exposes them to legal action by the companies behind the redirected servers if it emerges that they were not informed beforehand. Still a lot of questions to be answered on this one.

April 04, 2006

Getting Into the Rhythm of Online Passwords

I started writing about phishing a long time ago, it seems now. It must be at least two years, I think, maybe more. Then it seemed a very obscure activity, and I can recall one editor being less than impressed with the whole issue. Now it’s bigger than even I thought it might be. [Insert some statistic here to illustrate size of problem, usually cobbled together by someone hoping to make money out of scaring people.] But it remains scary, because phishers are getting better. Don’t be taken in by the rather pathetic attempts that sometimes land in your inbox. Phishing — the art of relieving you of the contents of your bank account/online auction account etc — is going to remain with us, and get more sophisticated.

So “solutions” are always interesting. And here’s another one, which reveals imagination on the part of the folk developing it, and, I suspect, how convoluted and advanced the war is going to become. BioPassword, a Seattle-based company, yesterday introduced what it’s calling “the industry’s first multifactor authentication software solution that authenticates users and reduces fraud over the Internet.” In English, this program allows companies to figure out, based on two different methods, whether it’s you signing into your account with them, or someone else. What’s interesting about it is the second method uses the way you type: Are you a pecker, a touch-typist, or what?
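To make the typing-rhythm idea concrete, here is an added example of the kind of check such a second factor relies on. It is not BioPassword’s method, which this post does not describe in detail: it compares how long each key is held and the gaps between keys against a template built from a few enrolment samples, and the passphrase and timings are all constructed.

```python
"""Keystroke-rhythm check: does this typing of a passphrase match the enrolled user?

Each typing sample is a list of (key, key_down_ms, key_up_ms) events.
The timings here are constructed for the example.
"""
from statistics import mean, pstdev


def make_sample(keys, dwells, flights):
    """Build timestamped events from dwell (hold) and flight (gap) durations in ms."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(sample):
    """Dwell time per key, then flight time between each release and the next press."""
    dwell = [up - down for _, down, up in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Template: per-feature mean and spread over several typings of the same passphrase.

    The spread is floored at 1 ms so a perfectly consistent feature cannot
    turn a 1 ms deviation into an infinite score.
    """
    columns = list(zip(*(features(s) for s in samples)))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]


def score(template, sample):
    """Mean absolute z-score against the template: 0 means typed exactly like enrolment."""
    return mean(abs(f - m) / sd for f, (m, sd) in zip(features(sample), template))


def verify(template, sample, threshold=2.0):
    """Accept when the rhythm is within `threshold` spreads of the template on average."""
    return score(template, sample) < threshold


# Constructed data: three enrolment typings of the same five-key passphrase,
# one genuine later attempt, and one attempt by someone who knows the
# passphrase but hunts and pecks it out far more slowly.
KEYS = list("pass1")
ENROLL = [
    make_sample(KEYS, [90, 85, 95, 80, 100], [70, 120, 60, 150]),
    make_sample(KEYS, [95, 80, 90, 85, 105], [75, 110, 65, 140]),
    make_sample(KEYS, [85, 90, 100, 80, 95], [65, 125, 55, 160]),
]
GENUINE = make_sample(KEYS, [92, 84, 93, 83, 98], [72, 118, 62, 148])
IMPOSTOR = make_sample(KEYS, [140, 150, 130, 160, 145], [300, 350, 280, 400])

if __name__ == "__main__":
    template = enroll(ENROLL)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(template, attempt), 2), "accepted" if verify(template, attempt) else "rejected")
```

The password itself is still the first factor; the rhythm only decides whether someone who already has the password is the person who enrolled it.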

BioPassword are calling themselves the “first” because other methods use as their second authentication factor something that’s not actually software driven — something you know (your mother’s maiden name), something you are (a biometric) or something you have (i.e. a smart card). None of these are cheap, and once the bad guy knows it (your mom’s maiden name), or has it (a copy of your thumbprint, a smart card) he’s in for keeps. They’re also claiming their solution is cheaper than all these, because it’s built into the software. Another advantage, they