January 31st, 2006 by dm (Law & Policy, Vulnerabilities)

Because ISPs are directly affected by their customers' infected computers "running crazy" around the Internet, some providers are starting to take a more active role in their customer relations.

Easynet, a UK Internet Service Provider (ISP), is contacting customers it believes may be infected with the Nyxem virus. When a computer is infected by Nyxem, it visits an online Web counter that counts how many PCs have been infected. Easynet is monitoring traffic to this Web counter and sending a warning to every user that visits it, explaining that their machine could be infected.

Although it seems like a nice idea, the number of new viruses and the number of infections every day suggest that an ISP can do only so much to notify and help its customers. No ISP can afford to keep a force on its payroll to react to every malware attack against its customers. While individual attacks, such as the Nyxem virus, may deserve particular attention, this method of fighting malware does not scale.
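As an added example (not Easynet's code and not part of the original post), here is the monitoring step in working form: parse proxy access logs, match each request's host against the counter's hostname, and build a per-subscriber hit record from which the warning is generated. The counter hostname, the log format and the log lines are all constructed for this example; the real counter address is not reproduced here.

```python
"""Flag subscriber hosts that contacted a known malware "infection counter".

Added example, not code from the original post or from Easynet. The counter
hostname, the log format and the sample log lines are all constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical indicator; the real Nyxem counter address is not reproduced here.
COUNTER_HOSTS = {"webstats.example.invalid"}

# Squid-style access log: epoch elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: two hosts hit the counter (one twice, one with odd casing and an
# explicit port); the last real record only mentions the indicator inside a path.
SAMPLE_LOG = """\
1138694401.123 45 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html
1138694405.456 30 10.0.0.9 TCP_MISS/200 128 GET http://webstats.example.invalid/cgi-bin/counter.cgi?id=1234 - DIRECT/192.0.2.2 image/gif
1138694470.001 12 10.0.0.9 TCP_MISS/200 128 GET http://webstats.example.invalid/cgi-bin/counter.cgi?id=1234 - DIRECT/192.0.2.2 image/gif
1138694480.777 40 10.0.0.12 TCP_MISS/200 128 GET HTTP://WEBSTATS.EXAMPLE.INVALID:80/counter.cgi - DIRECT/192.0.2.2 image/gif
1138694490.000 20 10.0.0.5 TCP_MISS/200 128 GET http://www.example.com/webstats.example.invalid.html - DIRECT/192.0.2.1 text/html
this line is not a log record and must be skipped
"""


def host_of(url):
    """Lower-cased host of an absolute URL (port and userinfo stripped), or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def parse_line(line):
    """Return a dict for a well-formed access-log record, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"],
            "host": host_of(m["url"]), "url": m["url"]}


def find_suspect_clients(log_text, indicators=COUNTER_HOSTS):
    """Map each client IP that fetched an indicator host to first/last hit time and count.

    Matching is on the parsed host, not on a substring of the URL, so a page that
    merely mentions the counter's name in its path is not a hit.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in indicators:
            hits[rec["client"]].append(rec["ts"])
    return {c: {"first_seen": min(t), "last_seen": max(t), "hits": len(t)}
            for c, t in hits.items()}


def notification_text(client, info):
    """The warning an ISP would send for one flagged host."""
    return (f"Host {client} requested a known worm check-in address {info['hits']} time(s) "
            f"between {info['first_seen']:.0f} and {info['last_seen']:.0f} (epoch). "
            "This is consistent with a Nyxem infection; scan the machine before reconnecting.")


if __name__ == "__main__":
    for client, info in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(notification_text(client, info))
```

A hit only proves that the address made the request: behind NAT it may be one of many machines, and a researcher fetching the counter looks the same as a victim, so the warning should say "may be infected", as Easynet's does.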

January 31st, 2006 by dm (Spam)

People who were trying to predict the success of a movie at the Sundance festival could have just run a spam filter over the program. Unspam Technologies, based in Park City, Utah, tweaked a spam filter and used its output to predict, with some success, how well a movie would do.

Two of the films they selected, a documentary called "God Grew Tired of Us" and a drama called "Quinceañera" won the festival’s coveted jury prize awards Saturday night.

Here's how Unspam did it: instead of filtering spam, they modified the filter to look for the signs of a successful film, training it on data from 10 years of Sundance film guides (which include a description of each movie) together with information from the Internet Movie Database and box office figures.

Despite missing some movies that went on to be successful, the spam-filtering technology (a Bayesian classification system) may prove useful in other areas. Oscars, anyone?
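As an added example, not Unspam's code and not from the original post: a multinomial naive Bayes classifier of the kind used in Bayesian spam filters, trained once on mail and once on film descriptions. All training text and labels are constructed for this example. The point it makes is that nothing in the classifier knows about spam, so swapping the corpus and the labels is the whole "tweak".

```python
"""Multinomial naive Bayes text classifier, trained once as a spam filter and
once as a "hit or miss" film predictor.

Added example, not Unspam's code. Training sets are constructed and tiny; the
classifier itself is label-agnostic, only the corpus and labels change.
"""
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing, computed in log space."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_count = Counter()              # label -> number of training documents
        self.word_count = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def train(self, labeled_docs):
        for text, label in labeled_docs:
            toks = tokenize(text)
            self.doc_count[label] += 1
            self.word_count[label].update(toks)
            self.vocab.update(toks)
        return self

    def log_posterior(self, text, label):
        """log P(label) + sum of log P(token | label); tokens never seen in training are skipped."""
        lp = math.log(self.doc_count[label] / sum(self.doc_count.values()))
        denom = sum(self.word_count[label].values()) + self.alpha * len(self.vocab)
        for tok in tokenize(text):
            if tok in self.vocab:
                lp += math.log((self.word_count[label][tok] + self.alpha) / denom)
        return lp

    def classify(self, text):
        return max(self.doc_count, key=lambda label: self.log_posterior(text, label))


# Constructed training sets: not real mail, not real Sundance guide text.
SPAM_TRAIN = [
    ("buy cheap viagra now", "spam"),
    ("cheap meds online free shipping", "spam"),
    ("free money click now", "spam"),
    ("win free prize now", "spam"),
    ("meeting tomorrow at ten about the project", "ham"),
    ("please review the attached report", "ham"),
    ("lunch with the team tomorrow", "ham"),
    ("the project report is attached", "ham"),
]
FILM_TRAIN = [
    ("a moving documentary about refugees rebuilding their lives", "hit"),
    ("a tender drama about a family in a changing neighborhood", "hit"),
    ("an intimate documentary following a family across borders", "hit"),
    ("a silly comedy about college roommates and a wild party", "miss"),
    ("a low budget horror film about a haunted cabin", "miss"),
    ("a wild comedy about a bachelor party gone wrong", "miss"),
]

SPAM_MODEL = NaiveBayes().train(SPAM_TRAIN)
FILM_MODEL = NaiveBayes().train(FILM_TRAIN)


def classify_mail(text):
    return SPAM_MODEL.classify(text)


def classify_film(description):
    return FILM_MODEL.classify(description)


if __name__ == "__main__":
    print(classify_mail("free viagra click now"), classify_mail("review the project report"))
    print(classify_film("a quiet drama about a family and the refugees next door"),
          classify_film("a wild comedy about a party"))
```

With six training blurbs the film model is a toy; what made Unspam's version work, and what would make a spam filter work, is the size of the labelled corpus and an honest held-out evaluation, which is also why "missing some movies" is expected rather than surprising.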

[Via InternetNews.com]

January 31st, 2006 by dm (Spyware, Vulnerabilities)

In a high-profile Windows Metafile attack, users visiting AMD's website forums started receiving all kinds of anti-virus and anti-trojan notices from their security software. The reason: the forum web pages had been modified to include a link to a malicious Windows Metafile image hosted on a .biz site (a TLD known for its predominantly non-legitimate use).

While not necessarily a hacking attempt, the incident shows how recent Windows vulnerabilities can be combined with relaxed forum posting guidelines to create a wide-scale attack. Reports indicate that AMD's forum pages loaded external PHP scripts through iframe tags in the page. One of those scripts, in turn, called up a 16-kilobyte image named xpladv586.wmf hosted at *********[edited out].biz, a well-known adware site. [CNET has a screenshot]
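The vector described above, as an added example that is not AMD's forum code and not the CNET analysis: a scanner that lists everything a page loads from other hosts (iframes, frames, scripts, images, embeds, objects), flags WMF file names, and, because the exploit did not depend on the extension, checks fetched bytes for a WMF header. The sample page, the hostnames and the byte strings are constructed for this example.

```python
"""Find resources a page pulls from other hosts, and WMF content regardless of
file extension.

Added example; not AMD's forum code and not the CNET analysis. The sample page,
hostnames and byte strings are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src/data attribute makes the browser fetch and render another resource.
LOADING_ATTRS = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
                 "embed": "src", "object": "data"}


class LoadCollector(HTMLParser):
    """Collect (tag, absolute URL) for every resource-loading tag in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if not attr:
            return
        for name, value in attrs:
            if name == attr and value:
                self.loads.append((tag, urljoin(self.page_url, value.strip())))


def external_loads(html, page_url):
    """Loads whose host differs from the page's own host, with a WMF-name flag."""
    page_host = urlsplit(page_url).hostname
    collector = LoadCollector(page_url)
    collector.feed(html)
    result = []
    for tag, url in collector.loads:
        parts = urlsplit(url)
        if parts.hostname and parts.hostname != page_host:
            result.append({"tag": tag, "url": url, "host": parts.hostname,
                           "wmf_name": parts.path.lower().endswith(".wmf")})
    return result


def looks_like_wmf(data):
    """True if the bytes start like a placeable or standard Windows Metafile.

    The file name is not trustworthy: GDI rendered metafile data whatever the
    file was called. Placeable WMF starts with key 0x9AC6CDD7 (little-endian);
    a standard WMF header has type 1 (memory) or 2 (disk) and a header size of 9 words.
    """
    if len(data) < 6:
        return False
    if data[:4] == b"\xd7\xcd\xc6\x9a":
        return True
    file_type = int.from_bytes(data[0:2], "little")
    header_size = int.from_bytes(data[2:4], "little")
    return file_type in (1, 2) and header_size == 9


# Constructed forum page: one local image, one zero-size iframe to an external
# PHP script, an external image, an external .wmf, and a protocol-relative script.
SAMPLE_PAGE_URL = "http://forums.example.com/showthread.php?t=1"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif">
<iframe src="http://ads.example.invalid/show.php?z=1" width="0" height="0"></iframe>
<img src="http://cdn.example.invalid/pic/holiday.jpg">
<img src="http://adware.example.invalid/xpladv586.wmf">
<script src="//static.example.com/forum.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for load in external_loads(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(load)
    print(looks_like_wmf(b"\xd7\xcd\xc6\x9a" + b"\x00" * 20))
```

Rather than trusting the name, fetch each flagged URL and run looks_like_wmf over the first bytes; a file served as .jpg that passes that check is the more interesting finding. A zero-width iframe to an off-site script, as in the sample, is the shape of the AMD incident and is worth a rule on its own.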

It will be interesting to follow the story and see whether AMD seeks any damages against the operators of the site that was purportedly trying to install adware.

January 31st, 2006 by dm (Spyware)

First, it was the consortium. Then the guidelines came.

The Anti-Spyware Coalition, whose members include software and media companies such as Sun, Google and McAfee, has announced standard guidelines for defining spyware and for testing anti-spyware products.

"Few product testers currently document their test samples or methodology," the companies said in a statement. "Many use very small sample sets in their testing environments. As a result, there is no distinguishable benchmark for comparison."

While firm standards and benchmarks for comparison are welcome, hopefully fighting spyware does not become a lower priority than creating guidelines and definitions or otherwise wrapping the process in red tape.

[Via CNET News.com, CA]

January 9th, 2006 by dm (Forensics, Law & Policy, Phishing)

A Massachusetts man has been charged (with a court date of Jan. 18 at Suffolk Superior Court) with hacking into dozens of eBay customer accounts and running up as much as $32,000 in fraudulent charges. Sean Galvez of Boston faces one count of larceny and 10 counts of unauthorized access to a computer and identity fraud, for acts committed during 2003.

According to the prosecution, Galvez is believed to have illegally accessed and taken over more than 40 eBay accounts, then used them to buy gift certificates for eBay's half.com merchant site. While it is not clear how Galvez obtained control over these accounts, it is believed to have been either through phishing or by purchasing them from someone else. According to sources close to the Massachusetts AG's office, the prosecution strongly believes that the accounts came from a phishing scam. eBay reported the incident to the United States Postal Service after the affected users reported being locked out of their accounts.

It is nice to see eBay and law enforcement working together to prosecute the kinds of crimes that have lately been stealing the headlines. What is somewhat bothersome is that the incident occurred in 2003 and Galvez is only being indicted in 2006. Also, considering that only about 40 eBay accounts were affected (a relatively minor case, compared with thousands of records), it raises the question of how long a major, multi-thousand-account scam would take to investigate and prosecute.

January 5th, 2006 by dm (Spam)

A small Iowa-based Internet Service Provider has been awarded slightly more than $11 billion in a judgment against a Florida-based spammer, James McCalla. United States District Judge Charles Wolle issued the ruling in December 2005, imposing the fine for sending over 280 million unsolicited email messages. The order also prohibits McCalla from using the Internet for three years.

Although this judgment sounds nice to the plaintiff (and to everyone who hates spam), it is uncollectible. No spammer, no matter how successful, can pay anything close to this amount. Spammers also have a reputation for protecting their assets, usually offshore, in anticipation of exactly this kind of judgment. The judgment, and especially its amount, has been highlighted in the press as being of great importance; after all, $11 billion is quite a figure and catches the reader's attention. However, the real significance of the judgment is the ban on McCalla's use of the Internet for three years. Since the monetary portion is likely to go uncollected, the ban, although not bullet-proof, provides a mechanism enforceable in US courts to keep the spammer from engaging in similar activity for the next three years.

January 3rd, 2006 by dm (Hacking, Law & Policy)

An Oregon man has pleaded guilty to launching a distributed denial-of-service attack against the e-commerce giant eBay. According to the Department of Justice press release, the man admitted to launching the attack in July and August 2003 with an army of infected computers he had amassed using a worm program.

The guilty plea under 18 U.S.C. §1030(a)(5)(A)(i), (a)(5)(B)(i), (c)(4)(A) and 2 carries a maximum statutory penalty of ten years imprisonment and a $250,000 fine. According to the guilty plea,

Mr. Clark and his accomplices accumulated approximately 20,000 "bots" by using a worm program that took advantage of a computer vulnerability in the Windows Operating System – the "Remote Procedure Call for Distributed Component Object Model," or RPC-DCOM vulnerability. The "bots" were then directed to a password-protected Internet Relay Chat (IRC) server, where they connected, logged in, and waited for instructions. When instructed to do so by Mr. Clark and his accomplices, the "bots" launched DDOS attacks at computers or computer networks connected to the Internet. Mr. Clark personally commanded the "bots" to launch DDOS attacks on the nameserver for eBay.com. As a result of these commands, Mr. Clark intentionally impaired the infected computers and eBay.com.
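The bot behaviour described in the plea, seen from the network side, as an added example not drawn from the DOJ release or any court document: a detector run over constructed IRC client traffic that flags an external server to which several internal hosts authenticate with the same PASS and then join the same channel, the fingerprint of a password-protected C2 server with idle bots waiting for instructions. The log format, addresses, nicks, password and channel name are assumptions made for this example.

```python
"""Spot an IRC-controlled botnet from the network side: many internal hosts
authenticate to one external IRC server with a shared password, use templated
nicks, and sit in the same channel awaiting commands.

Added example; not from the DOJ release or court documents. Log format,
addresses, nicks, password and channel are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed records: "client -> server:port  <raw IRC line sent by the client>"
SAMPLE_IRC = """\
10.1.4.20 -> 198.51.100.7:6667 PASS s3cret
10.1.4.20 -> 198.51.100.7:6667 NICK [USA|XP]-4412
10.1.4.20 -> 198.51.100.7:6667 USER x 0 * :x
10.1.4.20 -> 198.51.100.7:6667 JOIN #cmd
10.1.7.88 -> 198.51.100.7:6667 PASS s3cret
10.1.7.88 -> 198.51.100.7:6667 NICK [DEU|2K]-0931
10.1.7.88 -> 198.51.100.7:6667 USER x 0 * :x
10.1.7.88 -> 198.51.100.7:6667 JOIN #cmd
10.1.9.3 -> 198.51.100.7:6667 PASS s3cret
10.1.9.3 -> 198.51.100.7:6667 NICK [USA|XP]-7730
10.1.9.3 -> 198.51.100.7:6667 USER x 0 * :x
10.1.9.3 -> 198.51.100.7:6667 JOIN #cmd
10.1.2.2 -> 192.0.2.50:6667 NICK alice
10.1.2.2 -> 192.0.2.50:6667 USER alice 0 * :Alice
10.1.2.2 -> 192.0.2.50:6667 JOIN #linux
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)\s+(?P<cmd>[A-Z]+)(?:\s+(?P<args>.*))?$")
# Hypothetical templated nick shape "[CC|OS]-digits"; bots often encode country and OS this way.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[^\]]+\]-\d+$")


def parse(log_text):
    """Yield (src, dst, port, command, args) for each well-formed record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["port"]), m["cmd"], (m["args"] or "")


def find_c2_servers(log_text, min_clients=3, internal=ipaddress.ip_network("10.0.0.0/8")):
    """Report servers where at least min_clients internal hosts sent the same PASS,
    together with the channels all of those hosts joined and how many used templated nicks."""
    per_server = defaultdict(lambda: {"passwords": defaultdict(set),
                                      "channels": defaultdict(set), "nicks": {}})
    for src, dst, port, cmd, args in parse(log_text):
        if ipaddress.ip_address(src) not in internal:
            continue
        s = per_server[(dst, port)]
        if cmd == "PASS":
            s["passwords"][args.strip()].add(src)
        elif cmd == "NICK":
            s["nicks"][src] = args.strip()
        elif cmd == "JOIN" and args:
            s["channels"][args.split()[0]].add(src)

    alerts = []
    for (dst, port), s in per_server.items():
        for password, hosts in s["passwords"].items():
            if len(hosts) < min_clients:
                continue
            alerts.append({
                "server": f"{dst}:{port}",
                "password": password,
                "clients": sorted(hosts, key=ipaddress.ip_address),
                "channels": [ch for ch, members in s["channels"].items() if hosts <= members],
                "templated_nicks": sum(1 for h in hosts if BOT_NICK_RE.match(s["nicks"].get(h, ""))),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_c2_servers(SAMPLE_IRC):
        print(alert)
```

A legitimate IRC server rarely sees a shared server password from many hosts on one network, so the PASS fan-in alone is a strong signal; the shared channel and the templated nicks are corroboration. Blocking the server address, as was common in 2003, only orphans the bots, which stay infected and rejoin when the herder moves.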


Damages

Court documents estimate the total damages of the DDoS attack at "at least $5,000" over a one-year period, which does not make this a major damages case; the prosecution sets the amount at $5,000 or more deliberately, because 18 U.S.C. 1030 requires at least $5,000 in damages. Real damages in computer crime cases are hard to estimate, and the amount can make or break a prosecutor's case. In a hacking case, for example, the only litigable issue is often whether the cost of recovering from the intrusion and putting protective measures in place exceeds $5,000. Lost time and productivity are often counted, although it is unclear whether IT employees' time should be counted toward these damages.

In short, one of the critical factors in a computer crime prosecution is the determination of damages. Although $5,000 is not a high bar, in many hacking cases it may not be reached because of poor incident response, an inability to quantify intangible damages, and so on.

January 2nd, 2006 by dm (Identity Theft)

In a somewhat unclear statement issued a week ago, Visa acknowledged that a U.S. merchant "may have experienced a data security breach" that compromised credit card account information.

An inquiry by CNET elicited an even less clear response from Visa:

..[N]o other information was available at this time, including the name of the merchant, the number of accounts involved or when the event occurred.

Is this a major security breach or just a small vendor-related incident? Usually, in similar circumstances, the name of the affected vendor surfaces quickly, but in this case both the vendor's name and the number of affected customers remain unknown. Under California law, a vendor has to notify its California customers of breaches in the security of their data. The absence of a major announcement, in California at least, may indicate that the incident is still under investigation and disclosure is not yet feasible.

[Via News.com]

January 2nd, 2006 by dm (Law & Policy, Spam)

Not a landmark case by any means, but the BBC reports on the settlement of an EU spam case brought by an Internet businessman against Media Logistics, a UK-based firm, for sending unsolicited bulk e-mail. The case was brought under EU anti-spam law, the directive on privacy and telecommunications, which gave individuals the right to fight the growing tide of unwanted e-mail by allowing them to claim damages.

Mr. Roberts, the plaintiff, received unwanted email ads from Media Logistics and filed an action against the company. The company did not defend the case and the judge entered a default judgment for Roberts. In a subsequent settlement, Media Logistics agreed to pay Roberts £300 (£270 plus a £30 filing fee) to settle the dispute out of court.

Although a tiny victory with no precedent value in UK courts, this shows that EU spam laws have some teeth. "Some" teeth, because it is not clear how the court would have decided the case had Media Logistics appeared in court and defended on the merits.

January 2nd, 2006 by dm (Spyware, Vulnerabilities)

What a great way to start the new year: a zero-day vulnerability in the Windows Metafile (WMF) format. And while many of us are enjoying time away from our desks, adware, spyware and phishing operators are wasting no time building on it.

Websense’s Security Labs alert has a great writeup on how adware vendors are using this vulnerability to install spyware on Windows computers.

Currently the Exfol and Freecat.biz websites are distributing exploit files that are utilizing the WMF vulnerability, which allows the un-authorized running of applications. The files are Trojan Downloaders which download and run files from the freecat.biz website and are named: pawn001.exe through pawn009.exe. Upon viewing any of the WMF files the end-user's machine downloads and runs one of the aforementioned files. The files themselves are designed to install several pieces of Potentially Unwanted Software. In several cases these report that your machine has been infected with Spyware and that you may have security problems on your machine. You are then prompted to purchase software from one of the affiliates in order to clean your machine. At this time the current price we saw was $29 per quarter year.

It is interesting that the company peddling this software is registered in Vanuatu (in the South Pacific) and that the sites are (as of the time of this posting) hosted in South America. Of course, a legitimate business can be registered in Vanuatu and host out of South America, but somehow this arrangement has a bad odor.

[Via ZDNet]