Thursday, September 07, 2006

Commentary: As a computer nation, we are insecure

Consumer Reports recently published a study indicating that 20 percent of households in the United States are currently defenseless against online attacks in the form of viruses, phishing scams and spam e-mail because they do not have anti-virus software installed on their computers. The study also found that 35 percent don't use software to block or remove spyware.

It is estimated that virus- and spyware-related damages to personal computers cost Americans billions of dollars annually. Fortunately, there are several options for avoiding cyber attacks.

The two top manufacturers of anti-virus software are McAfee and Symantec. Their products range from approximately $40 to $70, depending on the package selected, and can be purchased at most computer retail stores as well as online.

Alternately, Grisoft's AVG program is highly effective in terms of virus detection and can be downloaded for free at the manufacturer's Web site, www.grisoft.com.

Lavasoft's Ad-Aware, also free, detects spyware from pop-up ads very well and can be downloaded at the manufacturer's Web site, www.lavasoft.com.

The difference between the programs in terms of attack detection is minimal; however, preferences such as the user interface may affect your buying decision. For the typical Internet user, having these two free programs installed should be ample defense in the war against cyber attackers.

While improvements are being made every day in terms of punishment for offenders as well as technological advances to thwart attacks, cyber predators are not slowing down their efforts. According to the same survey, the odds of becoming a cyber victim are still about one in three, which has not decreased since last year.

Ultimately, it's up to each person to protect their computer and personal information from online attacks. Given the free programs that are available as well as relatively low-cost packages, there's no good excuse to leave a computer exposed to cyber threats.

Larry Fiorino, the founder and chief executive of G.1440, a Baltimore-based e-solutions firm, writes Web Sightings every week for The Daily Record. The opinions expressed are Mr. Fiorino's and not necessarily those of The Daily Record. He can be reached at 410-843-3800.

Copyright 2006 Dolan Media Newswires
Provided by ProQuest Information and Learning Company. All rights Reserved.

Tuesday, September 05, 2006

Adware Firm Accuses 7 Distributors of Using 'Botnets'; Lawsuit Claims Defendants Spread Pop-Ups Via Hacked PCs

Byline: Brian Krebs

A major online advertising company that has been accused by security experts of fueling the spyware problem says it is taking legal action against seven people in six countries who, it claims, used viruses to spread ad software to thousands of computers without their owners' consent.

In a lawsuit filed yesterday in a federal court in Washington state, Bellevue-based 180Solutions names seven of its affiliates -- individuals whom it paid to distribute the company's software, which causes advertisements to "pop up" depending on which Web sites the users visit -- and accuses them of installing it on thousands of Microsoft Windows PCs that they had infected with computer viruses. The company seeks unspecified damages and a halt to their distribution of its software.

The legal action is the latest effort by 180Solutions to clean up its image following years of criticism for failing to more closely monitor its distributors and crack down on those who profit from installing its software illegally. Since January, the company says, it has severed ties with more than 500 distributors who were found to have installed its "adware" without the recipient's knowledge or consent.

180Solutions claims the affiliates used "botnets" -- large groupings of hacked, remote-controlled computers or "bots" -- to distribute and install their software. A single botnet can consist of thousands of computers, most sitting on desktops of innocent users who have no idea that a virus infection is allowing a hacker to use their PCs for illegal purposes.

Online criminals have long used such networks to steal sensitive information from their victims, distribute junk e-mail and to wage debilitating "denial of service" attacks that inundate Web sites with so much bogus traffic that they can no longer accommodate legitimate visitors.

Increasingly, however, botnets are being used to install spyware and adware. McAfee Inc., a computer security company based in Santa Clara, Calif., said it witnessed a 12 percent increase in the number of adware programs installed on computers in the second quarter of 2005, an increase it said was driven heavily by the proliferation of bot programs configured to install the adware.

The legitimate distribution method for 180Solutions contractors is to embed computer code into their Web sites that asks each visitor for consent to install, in exchange for access to content on the site. Each time a visitor agrees, the Web site owner earns a small commission, usually between 5 and 20 cents. 180Solutions requires its partner Web sites to prompt visitors for approval, but security experts have documented hundreds of sites that use security holes in the visitor's browser to quietly install the adware without permission.

Armed with a botnet of several thousand computers, distributors can make big money, and fast. LoudCash.com, a Quebec-based distribution firm bought by 180Solutions earlier this year, promises affiliates "big league payouts" and claims to offer the best per-installation rates in the industry, currently 25 cents.

LoudCash's site features a "revenue calculator" which prospective affiliates can use to estimate their monthly earnings. An enterprising hacker controlling a network of just 5,000 PCs -- provided at least half of the target computers are located in the United States -- could make as much as $744 a day, or $22,346.25 a month, according to the company's calculator.

That sort of easy money is a strong draw for hackers who already control botnets and are willing to use them as platforms for spyware and adware, said Sam Norris, president of San Marcos, Calif.-based Changeip.com, a company that helps Web sites remain reachable at the same domain name no matter how frequently their numerical Internet address changes. These "dynamic DNS services" allow botnet operators to periodically change the location of the Web servers used to control their networks, thus making them much harder to detect or shut down.

Norris said that each week he terminates several new Changeip.com accounts that appear to be connected with botnet and spyware activity. In the spring, Norris began tracking one customer who was using Changeip.com's services to control a botnet of 40,000 computers. Norris obtained a copy of the virus the customer used to infect machines and install the 180Solutions software; the programming code also contained an affiliate ID number issued by LoudCash.

Norris alerted 180Solutions to the activity, and the advertising company said it later traced that affiliate ID to one of the defendants. The bot program directed computers to download and install 14 different adware products, more than half of which were produced by 180Solutions, Norris said. The virus also included at least 30 other features, including the ability to capture all of the victim's Web traffic and keyboard keystrokes -- with a particular interest in Paypal user names and passwords. Other programs installed by the bot allow the attackers to peek through the user's Webcam, or steal PC game registration keys.

The lawsuit alleges that the defendants -- Eric de Vogt of Breda, the Netherlands; Jesse Donohue of South Melbourne, Australia; Khalil Halel of Beirut; Imran Patel of Leicester, England; Zarox Souchi of Toronto; Youri van den Berg of Deventer, the Netherlands; and Anton Zagar of Trbovlje, Slovenia -- used botnets to install 180Solutions' software. The company has notified the FBI about its findings, but an FBI spokesman declined to say whether the agency was investigating the claims.

Five of the defendants were contacted by washingtonpost.com but have not responded to requests for comment.

180Solutions attorney Kevin Osborn said the company does not know exactly how many illegal installations the seven former affiliates were responsible for, but estimates that in all they were paid at least $60,000 during the weeks and months that they worked for the company.

David DeLanoy, manager of partner development at 180Solutions, said the company's software is installed on about 20 million computers worldwide, but that so-called "rogue installs" account for just five percent of that user base. 180Solutions made more than $50 million in revenue last year through its software, which serves online advertisements for some of the nation's largest companies, including Cingular, Expedia.com, JP Morgan Chase, Monster.com and T-Mobile International.

But 180Solutions' estimates don't sit well with Ben Edelman, a PhD candidate at Harvard University who has documented the most egregious practices in the adware industry. (Edelman was hired in 2003 as an expert witness by The Washington Post Co. and other news outlets in their lawsuit against the Gator Corp. -- now Claria Corp. -- one of 180Solutions' biggest competitors. The media companies accused Gator of serving pop-up ads over the Web publishers' pages without their permission. Gator later settled the suit.)

"I'd estimate that more than half of [180Solutions'] 'users' have no idea they even have the software, let alone ever consented to installing it in the first place," Edelman said. "The company says in one breath that rogue installs account for just 5 percent of their user base, but they also say they have no real way of knowing which installs are legit, so I'm not sure how they could really draw that estimate."

Edelman said that if the company does know which installations were fraudulent, it should already have devised a way to remove them.

"There is no reason for them to have waited this long, except to receive the revenue that those installs bring in," Edelman said.

Eric Howes, a spyware researcher at the University of Illinois at Urbana-Champaign, said 180Solutions is not only a major cause of the spyware and adware problem, but that it also is in a position to significantly clean up the problem.

Howes pointed to the turnaround in the past year of WhenU, once reviled for its aggressive adware installation tactics. Last year, for example, the company announced it would no longer allow partners to install its software through Microsoft ActiveX, a component of the Internet Explorer Web browser that adware company affiliates have long used to conduct illegal "drive-by" installations.

"WhenU pretty much put an end to the problem of sleazy installs of its software, so we know it can be done," Howes said. "180's enforcement division has really got to get up to speed, because I've seen no evidence they have a robust enforcement division, other than when they occasionally track down leads that people in the anti-spyware community hand to them."

DeLanoy said the company is putting new technologies in place that will allow it to better track how its software is installed and by whom, and ensure that users agree first. In the meantime, 180Solutions is using its ad-serving network to display pop-up notices warning customers that its software may have been installed on their computers without their consent and providing instructions on how to uninstall it.

Later this year, the company also will begin uninstalling its software from computers on which it has reason to believe that the software was installed in violation of the company's terms, DeLanoy said.

Changeip.com's Norris commended 180Solutions for its actions, but said the company and other adware vendors need to be far more aggressive in policing their affiliates.

"Right now there are a lot of people distributing their software like this and getting away scot-free, and every day we're seeing more and more people getting into this," Norris said.

Viruses and spyware have created a huge market for security software and services. At-home computer users invested more than $2.6 billion in software to protect their computers during the past two years, according to a study released this month by Consumer Reports. Even with those protections in place, however, consumers spent more than $9 billion on computer repairs and parts due to damage inflicted by viruses and spyware.

(c) 2005 Washingtonpost Newsweek Interactive
(c) 2005 Gale Group

Taking Internet security off the backburner: it's the whole company's job, not just IT

Identity theft, spyware, adware, spam, phishing, pharming, online fraud--these modern-day threats require CEOs to constantly reassess the emerging dangers of the Internet and reconsider what they're doing to protect the company, employees and customers.

Not focusing on Internet security is like opening the cash register to hackers and thieves. I know from experience. When I joined Network Solutions in 2001, our fraud rate was an astounding 19.88 percent. One out of five dollars was a fraudulent transaction. Nothing was being done about it; today, our fraud rate is 0.18 percent, lower than the most popular offline merchants.

Yet today, the problem of security is worse for business than it was in 2001. The types of security violations have multiplied. The creativity and savvy of hackers and scamsters have grown. Why should businesses care? If your systems are infected, the cost and disruption of a cleanup are large. If you sell online, a sense that the Internet cannot be trusted means customers spend less. Even if you sell nothing on the Internet, it can be a powerful tool to reduce costs for your business, such as Internet-based customer support. If customers feel their information is not secure, they will not use the medium. Even more, if your business is the one publicized for a security breach, who is going to trust you with important information necessary to transact business with you? If someone puts up a Web site that looks like yours and collects customer information, when the word gets out will customers still come to you?

Internet security must be a top-level priority. The first step: Don't fall into the trap of thinking that Internet security is solely the job of your information technology team. Frankly, most IT people do not think like crooks. Even when the IT department has the capability to design protective systems, that alone will not stop the bad guys. As long as employees can communicate with the outside world from their desk, you have a hole. So the responsibility of Internet security rests with every single employee who has any connection to the outside world (including those who manage online logistics, inventory management, and e-billing), and with anyone who sends an e-mail.

At Network Solutions, we filter out millions of spam messages daily, and in addition, we post security alerts and tips on our internal Web site and ask all employees to notify the IT department of any suspicious e-mail activities or network performance issues. We scan desktop systems daily for adware, spyware, viruses and worms. At times, we even disable communications systems such as Instant Messenger if we learn other companies are experiencing security violations through them. This helps keep our own systems clean and cuts down on the chance of a violation of customer information through the back door. Regardless of how strong your security policies and programs are, people are still both the biggest risk factor and the best defense.

And don't think that the world's biggest companies are the biggest targets. The vast majority of these security breaches happen in small businesses. No matter what size business you run, the bottom line is that your bottom line is only as good as your Internet security. Some basic measures we should all make a priority:

  • Realize that security is not the real cost. Not having proper security measures and focus in place is the real cost--the cost of fraud, the cost of cleanup, the cost of lost customers--which could put you out of business.
  • Internet security is not just an in-house concern. With many more services being outsourced, it's vital that confidentiality and protection of sensitive materials be maintained both contractually and by checking the provider's security history.
  • Quick communication should be automatic when security breaches occur, internally and with external partners. This is not the time to hide bad news (in fact, it is illegal to hide a security breach under the laws of several states).
  • Limit the collection of sensitive personal information. We're seeing a move away from using such sensitive data as social security numbers as identifiers.
  • If it's sensitive, encrypt it. A firewall is no guarantee. Consider encrypting customer data you store and getting an SSL digital certificate to secure data in transmission. It gives customers a much greater sense of security.
  • If you have a Web site, get a site seal. This allows customers to know the site is yours, not a phishing or pharming operation to steal their information, which more than half of them fear.

While these precautions do require the focus of the business community, we need to make systems as user-friendly as possible. Dedication and attention to detail is one thing; an overloading and complex burden on users is another. Internet security is only as strong as people's compliance.

The Internet has changed the way in which we all conduct business, almost all for the better. Yet we also need to get serious about making business on the Internet safe. It's the only way we can continue to make people feel confident about the Internet. And that confidence is the only way we'll see this medium reach its full potential.

(c) 2005 Chief Executive Publishing
(c) 2005 Gale Group

Yahoo and Symantec unveil joint consumer Internet security service

A joint consumer Internet security service has been unveiled by Internet company Yahoo Inc and security solutions company Symantec Corp.

The two companies will offer the Norton Internet Security product from Symantec to Yahoo's customers, while Symantec will gain access to the customers using Yahoo services. The agreement is expected to help the companies compete against rivals such as software company Microsoft Corp and Internet search engine Google Inc.

The co-branded Norton Internet Security product will be marketed by Yahoo and Symantec through the Yahoo network, which incorporates online services such as Yahoo Search, Yahoo Mail and Yahoo Toolbar. Symantec will offer its anti-virus and online firewall protection on Yahoo's Online Protection for broadband users and provide Norton Spyware scan for the Yahoo Toolbar.

Yahoo customers can sign up for a free 30-day trial of Norton Internet Security, which blocks viruses, spam and adware, and then purchase a USD49.99 12-month subscription, which includes a USD20 discount for Yahoo users.

(c) 2006 M2 Communications Ltd.
(c) 2006 Gale Group