StopBadware.org RSS
Regaining Control of Our Computers
 

Blogging the ASC: Spyware and Domestic Abuse

Posted by Erica George Thu, 28 Jun 2007 00:00:00 GMT

Jason Callina, a StopBadware senior developer, shares his notes on the ASC lunchtime discussion about the use of spyware in domestic abuse:

Cindy Southworth of the National Network to End Domestic Violence introduces a victim of domestic violence including abuse via spying and monitoring through software installed on her computer without her knowledge.

Cindy has been doing work to end domestic violence for 14-15 years. She grew up in a family of geeks, which gave her a strong technical background that informs her current line of work. Cindy chose to go down the path of social change and found a perfect combination of her skills in this topic.

She states that less than 10% of shelters have firewalls and similar security measures. This represents a serious security risk for victims of domestic abuse and others staying at shelters, a very vulnerable segment of society.

The presenter (who is anonymous for obvious reasons) is an educated, young individual currently volunteering with domestic violence issues doing service work. She is a consultant on several boards. She noted that she has young children whom she is also concerned for. The conversation is structured as questions from Cindy with answers from the presenter.

Q: How did you end up getting into a relationship with the abuser?

A: After college, she was facing several options and was unsure what road to take in her life and career. She met a charming, handsome individual, who appeared to have an excellent personality and background profile. The start of the relationship was calm and without incident. Control issues started to pop up later in an incremental fashion. The abuser slowly integrated controlling behaviors into their relationship using tactics like defining the relationship parameters with family members and friends and insisting on the structure of her communication.

He attempted to define who she was through influential suggestions on changing her appearance and gradual control of other aspects of her life. Six months into the relationship he slowly integrated verbal attacks. Physical abuse started after a year. At first they seemed accidental and out of character for the person, but they continued and became a constant aspect of the relationship.

The abuser had them move frequently, to keep her isolated from friends and family. Due to the nature of the physical abuse she was concerned about her life and the life of her unborn child. She felt that he was directly trying to kill her unborn child through physical attacks on herself.

There were threats that if she were to seek help she would be killed. Her parents became concerned due to lack of contact and sent police to check on her. The abuser silently threatened to kill the child while the police officer was present, but not in the officer’s view, so she lied to protect her child and herself. Threats were also made to her family and others.

Surveillance and Monitoring

He would have friends check on her and befriend them to make sure she was in line with what he expected of her behavior. He gained the trust of her co-workers and their impression was that he was very likable.

He began monitoring her cell phone to find out who she called and who had called her. He monitored her email and set up passwords so he would have access to all of her online accounts. The abuser also sent emails out in her name to her friends.

The abuser used keyloggers and other tracking mechanisms to monitor and control her behavior. Once, he misinterpreted the results of the key logs, accused her of behavior she was not guilty of and almost beat her to the point of death. Computers were her last contact with the outside world and she had to stop using them to protect herself and her family. Court hearings eventually revealed that he was using spyware to track her movements.

Cindy states that most homicides occur at the point the victim tries to escape.

She used her computer at work to plan her escape. Thankfully he was not able to track the data on this machine. His technical level was low, yet it was easy for him to learn and use these technologies to his advantage.

Remaining anonymous

She only does research online, and commits no personal financial information to her computer. She rotates passwords and names every six months. Her children are allowed no web access to protect her family’s identity. She keeps multiple identities and uses them based on whatever task she is undertaking. No personal information about location is ever posted online, and she has changed her social security number and other trackable information.

Q & A from the audience:

Q: Are there resources available for abusers on how to implement these techniques and technologies?

A: Unfortunately, there are groups that target and share information on how to spy on your spouse and control their behavior. It has been suggested that some of these connections are made when individuals meet at mandatory classes for the prevention of domestic violence.

Q: Do restraining orders cover spyware?

A: Possibly, sometimes the restraining order will dictate that the abuser cannot contact the victim via a third party. Some law enforcement officials consider spyware to be a third party contact.

Q: What do people do when they suspect they are being tracked via spyware?

A: Use a safer computer, such as one at work or at a library or other public resource. It is to be noted that not using the home computer can be an indicator of knowledge of surveillance, so you need to be careful about drastic changes in behavior. If you think the computer is compromised, treat it like it is.

There are very few technical forensics resources available to law enforcement agencies, but if you are going to the police you need to keep the computer intact to preserve evidence. This entails not running anti-spyware or anti-malware applications, which could potentially destroy evidence.

If you are not going to the police and need to quickly remove all possible tracking capability, wiping the computer is the best solution to keep you safe.

Leaving your computer unsupervised or having an open wireless connection could also leave you open to monitoring.

Keyloggers can come in the form of hardware and software. If you have a hardware logging mechanism in place the only way to protect yourself against it is to physically remove it.

Q: Does facial recognition on photos or tagging pose security risks?

A: Allowing friends to post information about you or tag your photos on social networks or other boards opens up a huge tracking potential. As facial recognition technology becomes more technically feasible it will also introduce a great degree of risk.

Q: What does she tell her children?

A: She limits the public exposure they have. They also use multiple identities and addresses on public record.

Q: Why isn’t he in jail?

A: Because the laws don’t adequately cover or punish domestic violence.

Q: Can you volunteer?

A: Yes – See the NNEDV website for information.

Q: When does abuse end?

A: Grimly, via the death of the abuser or when an abuser focuses on a new relationship.


Blogging the ASC: Internationalization of Spyware

Posted by Erica George Wed, 27 Jun 2007 23:47:00 GMT

Continuing our blogging of the ASC conference, StopBadware senior developer Liana Leahy’s notes on the panel on Internationalization of Spyware:

Vincent Weafer of Symantec – Spyware varies between nations.

Chris Boyd of Facetime – Shows where hijacked people are. The majority of the companies are based on the west/east coasts.

Spy Act, I Spy Act, Counter Spy Act are brought up. Legislation has been too slow, 4 or 5 years too late. Some have gotten pressure from the FTC.

Q8 Army: Radical, political websites, they hijacked you from these sites and put popups with political propaganda. Over the border, wasn’t much law enforcement could do.

YapBrowser, Zango, Safety Browser: Rogue web browsers, rogue anti-spyware applications. These applications include spyware and adware.

Vincent – Are we seeing more spyware coming from international sites and why?

Chris – Always been around, but under the radar. Cyberwar between US and Chinese hackers. All about money, getting as much adware on the computer until it dies. The problem is you can’t touch the guys overseas. Anti Malware Alliance in China, trying to sue the Chinese government because they are installing malware on people’s PCs.

Australia: spyware control bill has gone nowhere. There are 22 countries and 21 more that have signed an agreement among nations to create laws to combat these issues. Spyware-esque.

Governments will say they don’t need spyware legislation, that existing laws will handle it.

One guy installed spyware onto his wife’s machine to check her bank balances. He got 4 months. There has been some hesitation, because the language is difficult. Describing malware and spyware is hard.

Is there a difference between US and Europe? European politicians haven’t a clue what spyware is and what it does and the threat. Germany under E.E. U.U. law, limits the sale of security software used for unlawful purposes. European banks are suffering from the same issues as US banks, thanks to online banking.

Any experience in Asia? Any examples? Japan has different issues. Their viewpoint is that their spyware is more about social engineering. One big fraud was a fake billing system. Less emphasis on downloading software in Japan. Rather having the software downloaded for you. People aren’t used to downloading software as much.

Is there a difference in how users complain about these charges? The Japanese are less likely to complain about it. So stuff is underreported because they are embarrassed to admit that they were ripped off.

Is it easier to hide overseas? John Levine of CAUCE – It’s not hard to hide in the US. Domain registration is lax. They don’t check your personal data. It’s easy to register lots of domains and move them around. Each country makes its own rules to register a domain. Italy for example has rigorous rules. A lot of people target outside the US, because broadband in the US is slower. Japan and Europe are much faster. Europe has stronger privacy laws… and they are slow to act on complaints. Domain names are hard to trace, just the tip of the iceberg.

Lindsey Wegrzyn of Earthlink – The problem we see in internationalization is that everything is compartmentalized. Lots of people have a hand all over the world. They jump on forums to find partners; there are 14 or 15 people involved. Cases take forever. You need to understand foreign agencies’ laws to contact them. Understanding where the benefits are is helpful.

John – How do you attack this? Depends on who you know. Given the number of countries, following their trail is hard.

Vincent – Are you seeing technical differences in Europe, S.A., Middle East?

Chris – A lot of stuff is quite generic (the code itself, old stuff that’s been around). Chinese hijacks aren’t just whack-a-mole games with password stealers. A lot of the code is old, but what they do with it is new. Middle East, quite sophisticated rootkits.

Clerik: malicious spyware from China. They are not as educated and aren’t used to computers as we are. But they will learn soon.

Criminalization, Adware commercialization: A single global marketplace, or niche markets?

Chris – It’s still scary. Chinese vs. America black-hatters. They are working together and sharing code. There is a cross-network but it’s not structured. It’s still territorial.

John – Transmitting money around the world. The cat is out of the bag, it’s easy to shift money around the world.

Vincent – What can we do that will help the situation? Education? Awareness? Corporations? Building relationships?

Chris – UK High Tech division crime squad. Impossible to get a hold of people. Tracking down law enforcement is useless. Accessibility of law enforcement would help.

John – Same answer. Educating law enforcement and giving them the expertise to ask the right questions is key.

Lindsey – Cooperation is key. Getting legislation into action for countries that agree to pursue this. Resources is also an issue for folks.

Clerik – Talk to your legal system to push through legislation. Try to convince users to make backups.

Questions from the audience:

US Safe Web Act. FTC power to go internationally to get information. Is this a viable option?

Lindsey – hasn’t used it because it’s not helpful. She’s not as familiar with them. Hasn’t heard good things about it. Instead they use personal contacts. Personal contacts across the board are key.

Josh – Please talk about Government sponsored malware in China

Chris – Ministry of Media Affairs has created software (malware) that installs from various Chinese websites. You can support your government by hijacking PCs. Folks are trying to sue the government with spectacularly bad results. A lot of this stuff comes from Chinese domains where the URL is random letters and numbers, but some of them are legitimate in China. There’s no way to contact these domain owners. Is it malicious or has the site been hijacked?

Audience – Has anyone used CertCn to determine who owns these domains?

Chris – Yes, folks are helpful. There are people out there who are fighting this. Personal experience, these organizations have been more positive. The Certs are quite good. What is deemed acceptable..

Chris – Software that installs all comes with EULAs. When you are presented with a EULA that’s in a different language, it’s useless. A lot of Chinese hijacks are being pushed via IM channels, the Skype network. once


Blogging the ASC: Technical Discussion of Spyware

Posted by Erica George Wed, 27 Jun 2007 15:20:00 GMT

Continuing our live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Josh Friedman’s notes on the Technical Discussion of Spyware panel:

This talk is half short presentation and half Q&A. It opened with the presentations.

Ryan Hicks covered stealth issues of malware. He thinks that rootkits are some of the most popular stealth technology. Ultimately, once a system has been compromised it cannot be trusted. Rootkits began as an academic exercise but have developed into threats that are in the wild en masse. Botnets are integrating rootkit technology. Kernel-mode threats are becoming more prevalent in all malware.

Richard Smith spoke about the new features in Internet Explorer 7 that attempt to address some of the issues of spyware. He broke attacks into two vectors: exploits (i.e., drive-by downloads) and social engineering.

New features in Internet Explorer 7:
  • Protected Mode: Runs the browser in a sandbox with a limited file system and limited registry.
  • Buffer overflow protection: “Address Space Layout Randomization” makes it difficult for exploit code to execute system calls.
  • ActiveX Opt-in: If a control is installed on a computer, it cannot be used until the user authorizes the use of it. Hundreds of ActiveX controls are available to the browser.

As an aside, he mentioned that he thinks that MS should just use the processor’s hardware ability to mark data pages as non-executable.

Possible new vectors of attack in Vista: Silverlight – Allows executable code within the browser. Many different languages can be used to write Silverlight code. Buffer overflow(s) already found. Instant Search – Processing code for file types is often susceptible to multiple vulnerabilities.

Gibson, “Microsoft has been so slow in making simple changes that could have prevented many of the problems that we have had [as users].”

Some notable information shook out of the Q&A session:

Ryan, on detection of rootkits – The most popular way to find rootkits is via ‘cross views’ where you compare multiple different methods of looking at various parts of the system and see if there is a discrepancy.
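The cross-view technique Ryan describes, worked through as an added example (this code is written for this page, not taken from the panel or from StopBadware): independent enumerations of the same system objects are diffed, a discrepancy has to persist across repeated rounds so that a process that merely exited between two snapshots is not flagged, and on Linux two real views of live task ids are built, a `/proc` walk and a brute-force `kill(tid, 0)` probe. The view names, function names and the constructed demo data are this example's own assumptions.

```python
import os
import sys
from typing import Callable, Dict, List, Set

# A "view" maps a view name to the set of object ids (here: task ids) it reports.
View = Dict[str, Set[int]]


def cross_view(views: View) -> Dict[int, List[str]]:
    """Compare several independent enumerations of the same kind of system object.

    Returns {object_id: [names of the views that do NOT show it]} for every object
    that at least one view reports but another omits. An object a rootkit filters
    out of the high-level view while a lower-level view still sees it shows up here.
    """
    everything = set().union(*views.values())
    discrepancies: Dict[int, List[str]] = {}
    for obj in sorted(everything):
        missing = [name for name, seen in views.items() if obj not in seen]
        if missing:
            discrepancies[obj] = missing
    return discrepancies


def persistent_discrepancies(snapshot: Callable[[], View],
                             rounds: int = 3) -> Dict[int, List[str]]:
    """Run cross_view over repeated snapshots and keep only discrepancies seen every time.

    A task that exits (or starts) between two enumerations produces a one-off
    mismatch; a hidden object is missing from the same view(s) in every round.
    """
    results = [cross_view(snapshot()) for _ in range(rounds)]
    first, rest = results[0], results[1:]
    return {obj: missing for obj, missing in first.items()
            if all(r.get(obj) == missing for r in rest)}


def linux_task_views() -> View:
    """Two independent views of live task ids; only meaningful on Linux.

    'procfs':     every thread id listed under /proc/<pid>/task, the source that
                  user-space tools such as ps and top read and that rootkits
                  commonly filter.
    'kill_probe': kill(tid, 0) for every possible id. The kernel answers ESRCH
                  for a missing task and EPERM for one we may not signal, so both
                  success and EPERM mean "exists", whatever /proc claims.
                  Probing up to pid_max (often 4194304) takes a few seconds.
    """
    procfs: Set[int] = set()
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                procfs.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
            except (FileNotFoundError, ProcessLookupError):
                pass  # the process exited between the two listdir calls
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    probed: Set[int] = set()
    for tid in range(1, pid_max + 1):
        try:
            os.kill(tid, 0)
            probed.add(tid)
        except PermissionError:      # EPERM: exists, but owned by someone else
            probed.add(tid)
        except ProcessLookupError:   # ESRCH: no such task
            pass
    return {"procfs": procfs, "kill_probe": probed}


if __name__ == "__main__":
    # Constructed demonstration data: the high-level view lacks one object
    # that the raw view still reports.
    demo = {"api_view": {1, 2, 3}, "raw_view": {1, 2, 3, 4}}
    print("constructed:", cross_view(demo))
    if sys.platform.startswith("linux"):
        print("live:", persistent_discrepancies(linux_task_views, rounds=2))
```

A live run on a clean Linux box should print an empty dict; anything that survives two rounds is worth examining with a third, unrelated view before drawing conclusions.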

Gibson, on the nature of the problem – Ultimately, it is the trust of a transparent system like the PC that is being subverted. Most spyware issues now occur from hacked sites and not adware-laden, seemingly legitimate downloads. Web 2.0 means that there are now servers that are functioning as a clearing house for anonymous visitors’ content.

Ryan, on security – Security is hard, some bugs are not even bugs and they are not bad design decisions or incorrect code; it is just the confluence of many factors.

Ryan, on analysis in virtualized environments – When it comes to virtualized environments, there is really just a trade-off between time and making sure you catch all the tricks of the malware. There is a trend for some malware to just waste a researcher’s time. For example, when running in a non-virtualized testing environment in SoftICE, some malware detects SoftICE multiple times and will change its behavior.

Ryan, on the next generation of protection – Future anti-virus programs will likely hook into the system in a way in which all transactions on the system can be logged.


Blogging the Anti-Spyware Coalition conference: Steve Gibson keynote

Posted by Erica George Wed, 27 Jun 2007 14:28:00 GMT

We’re live-blogging the Anti-Spyware Coalition conference taking place today at Harvard Law School. Check for updates on the sessions throughout the day from StopBadware’s staff and interns.

The first session is a keynote by Steve Gibson, a veteran security expert, credited with coining and popularizing the term “spyware” and writing one of the first adware removal programs, OptOut. Here are my (rough and paraphrased) live notes on his talk:

The problem of bad software isn’t new. There were viruses even on “SneakerNet” – the early days of gated internet services like CompuServe. The internet has created a more connected playground for the bad guys.

“Spyware begets adware and demonware and preinstalledware and… you-can’t-remove-it-ware.”

Hardware vendors now look for money by contracting to pre-install software on brand-new machines. “It takes forever to boot” and the performance isn’t as expected, in part because it’s loaded down with pre-installed software. Typical users don’t know how to even try to uninstall this stuff, and many programs don’t even have an uninstall option.

The nature of the platform being open, “anything that can happen, will happen.” There’s a constantly increasing list of real threats. These are real problems, and they affect people’s lives all the time.

Some of this could have been avoided. We’re putting the huge potential of the computer industry at risk. Browser scripting is now relied on for “Web 2.0” applications, but it’s also causing real problems for ordinary users when exploited. Why should anyone’s browser allow third-party cookies enabled by default? There’s a “tyranny of the default” because most users don’t understand how to change their computers’ settings. Some of these problems should be easy for the software industry to solve.

Viruses and spyware aren’t just a game for hackers anymore. As exploiting computers has become profitable, it’s drawn in organized crime. Hackers finding new vulnerabilities now can sell them to the highest bidder. Systematic exploitation of the computer user has become a business model.

There is no easy solution. The PC is no longer changing in revolutionary leaps, but evolving slowly. There is no “next killer app.” Users have most of what they need already, and are becoming more and more frustrated. Those of us on the side of the user simply must do the best jobs we can. Educate users, but try not to over-frighten. Keep pushing back, on every front – technical, legislative, education.

The ultimate sadness is when users give up on computers and the internet. Our goal is to keep that from happening.

Q – How do you differentiate spyware from adware, etc.?

A – User knowledge. If the user is fully informed about what’s going onto their computer and what it is going to do, in a way that actually makes sense and is easy to see instead of buried in a license agreement, then it’s fine.

Q – Public policy protects people from doing things like selling their children. Can’t it protect them from selling their personal information, no matter how many disclaimers there are? Users aren’t fully aware of the consequences of giving away their information.

A – Yes, we need to find ways to protect users from their own limited understanding of what they’re agreeing to.

Q – Could there be a long-term benefit to ISPs taking a more interventionist approach?

A – I dislike the idea of imposing those requirements on them from the government level. ISPs don’t want to take any responsibility for content filtering of any sort, but now they do tend to block ports. The technology certainly exists to identify and sequester a bot-infested machine. But we’re a long way from making that happen, policywise. It would be expensive for the ISPs, and they would also need protection from liability. Really, the way we see this problem needs to change. We need to take proactive actions against bot networks. We need research to set up honeypots, get infected, and trace back to the botnet masters. Right now, we’re being too reactive, and we need to become more proactive.


Welcome, Anti-Spyware Coalition!

Posted by Erica George Tue, 26 Jun 2007 20:51:00 GMT

StopBadware is proud to play host to the annual Public Workshop of the Anti-Spyware Coalition tomorrow, on the campus of Harvard Law School. The Anti-Spyware Coalition is a group composed of anti-spyware software companies, academics, and consumer groups – including StopBadware.org – dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies.

Keynoting speakers will include Steve Gibson of Gibson Research Corporation, a pioneer in spyware research; Edward Flynn, the Springfield, MA Commissioner of Police; and a domestic violence survivor who was a victim of stalking using spyware. Some day-of registrations may be available.


Announcing Review Request History

Posted by Liana Leahy Wed, 20 Jun 2007 17:15:00 GMT

StopBadware is proud to announce the availability of Review Request History on our Stopbadware.org website. In an effort to be as transparent as possible with our data and status of the review request process, details of a specific review request can be found on our Stopbadware.org website.


On the Report Search page, all sites reported to our clearing house will display a new column called History. When a site owner clicks the black review request data icon, a page displays a blue box at the top with the date the site was initially submitted into the clearinghouse.

Sites with a red review request history icon contain additional appeals information. When a Review Request is initiated, another blue box appears displaying the date the appeal was created, the last time the appeal was updated, and the current status of the appeal.

The grey boxes represent correspondence from a site owner to us. The text of this correspondence is displayed only if the user specifically requests that this data be made public by checking a checkbox on our Review Request form. Correspondence from us to a site owner will either be encapsulated in an orange box or a green box depending upon the status of badware found on the site.

We’re very excited about this new functionality as it will allow site owners to see the status of their request as well as all correspondence back and forth. We have additional enhancements planned for this functionality as well, so stay tuned!


Where Have all the Cowboys Gone?

Posted by Liana Leahy Tue, 19 Jun 2007 19:02:00 GMT

Where is our fearless leader?
Where is our partner wrangler?
Where is our badware fighter?
Where have all the cowboys gone?

We love badware cowfolk with their badass swaggers and ability to thrive under pressure. A rugged individual, ready to battle badware who is brave and loyal is enough to make any badware researcher weak in the knees. But where have all the cowboys and gals gone?

I suppose the reality of the cowhand’s work is gritty, dusty, and difficult. Wrestling badware is commonly depicted as a hard and lonely existence.

Are you our hero? Can you ride, rope, brand, as well as cook and entertain? Our white knight will oversee communications and community integration efforts and work closely with our working group and an advisory board regarding the direction of our project. She or he will conduct strategic outreach and communications with civil society, private sector, technologists, academia and policymakers.

StopBadware is the “neighborhood watch” for the internet oriented toward finding collaborative, community-minded solutions to combat destructive applications and programs. Our goal is to focus on organizing technical expertise and the public’s user-knowledge to identify and research ‘badware’ and to raise public awareness.

What does all that really mean? Can you wrangle a bunch of partner relationships from driftin’ like tumbleweed in a twister? Will you enjoy wrestlin’ badware in a non-profit, academic, mission-driven setting?

Will you accept our challenge or ride off into the sunset alone? No need to interview with a white hat and tight jeans. We just need a leader with true grit, heroic tendencies and a sense of humor.

For more information and to apply, check out the job posting on the Harvard University Job Site.


Google launches new anti-badware API

Posted by Erica George Tue, 19 Jun 2007 14:53:00 GMT

Google’s anti-malware team has announced a new Safe Browsing API to give developers access to its badware and phishing block lists. The API will allow developers to download an encrypted list, and to perform client-side lookups to check suspicious URLs.

Google’s team says in its announcement, “The API is still experimental, but we hope it will be useful to ISPs, web-hosting companies, and anyone building a site or an application that publishes or transmits user-generated links.” The team is actively seeking feedback.

(Disclosure: Google is one of StopBadware’s corporate partners.)


Bundled Products: Where the heck did this new toolbar come from?

Posted by Liana Leahy Mon, 18 Jun 2007 20:46:00 GMT

Having a need to consolidate all of my instant message friends, I recently downloaded Trillian v3.2.5.1 from www.download.com.

Of course, I quickly clicked past the license agreement. Who has time to read ALL that? I clicked Agree and moved on.

The next screen asked me WHERE I would like to install Trillian. Well, the default path is fine with me. Again, I don’t have time for this! I need to install the software and get on with my day. I don’t have time to check out the “More Options” button at the bottom left part of the screen that reveals the hidden check boxes that would have allowed me to prevent the application from installing to my Start Menu and Desktop. Wish I had been paying attention. I could have saved myself the trouble of hunting down the preferences screen after the fact to turn off these features once the product is installed.

Click click click… where’s the installer? I have things to do!!

In my zeal to get on with my day, I blew past the Weather Channel Desktop installation. This application has been reported to sometimes camouflage malware, particularly if it is installed into c:\windows or c:\windows\system32. As a badware researcher, I should have known better and been on the lookout for bundled applications that I don’t want. But who has time? I’m busy saving the internet from badware!

And what’s this? The Ask Toolbar? The Ask Toolbar claims it does not collect any personal information and is completely “spyware”-free and “adware”-free. But it has a bad rap because users are often tricked into installing it under false pretenses. Like…. trying to download Trillian and then clicking the Next button too fast without unchecking the ‘Enable address bar search feature’ checkbox. Or how about the extra checkbox you need to uncheck called ‘I accept the license agreement and want to install the Ask Toolbar’. The screen kind of looks like the EULA that I clicked past a few screens ago. But then again, I’m in a hurry. Perhaps I was daydreaming that I already accepted the EULA. And I need to accept the EULA before the application I want will install, right?

Ah… a sigh of relief, I’ve arrived at the screen with the installer status bar that means that I’ve survived the deluge of advertisement and have been blessed to receive the program.

Oh but wait, I have the option to choose Trillian basic or Trillian pro. Well heck! I’m a pro… I want pro… oh, but dang I have to jump through more hoops to install this product because it’s not freeware and costs $25 bucks.

Well…ahem, I’ll just back button to basic and stick with the free stuff. I work at a non-profit after all.

Because Trillian does follow the StopBadware Guidelines for “Disclosure and Consent”, it’s not really badware. But aren’t you sick of bundled products? I wanted to install Trillian, but now I’ve got these two extra things doing stuff that has nothing to do with Trillian software. Is this a “deceptive door opener”? Hmmmm, there’s an article on the subject on ZDnet: Edelman on ‘Deceptive Door Openers’ and Ask toolbars.

The point is that even a badware researcher can too easily click through the installation process and end up with more than she bargained for… and next time, I may end up with some nasty virus or spyware or root kit, oh my!

Perhaps I should have gone straight to the ceruleanstudios.com website to download the product instead. That’s gotta be more safe and free of these annoying and possibly infected bundled products right?

Bummer, the link just brings me back to www.download.com.


Step by step guide to scouring away spyware

Posted by Erica George Mon, 18 Jun 2007 20:02:00 GMT

Christopher Null at Yahoo’s The Working Guy blog has posted a short and simple guide for dealing with a spyware infestation on your computer. Christopher walks through steps to take if your machine has been infected, in clear terms that you don’t need to be technical to understand. Whether or not you’ve ever dealt with a badware infection, this is a great resource to bookmark and share.



 



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license