Thursday, June 28, 2007

Hong Kong E-Card Trojan

Last week, it was a fake Father's Day email. Today I received an e-card invitation from a Hong Kong email address - Subject: You've received a postcard from a family member.

Now, several friends of mine live in Hong Kong, including Phil Braden, Authentium's co-founder, who recently went back to live in Hong Kong after ten years. But I'm not aware of any "family member" that would make use of a Japanese email address cloaked in a Hong Kong email address.

Maybe it's payback for the post last week on HK-based phishing toolkits.

According to Patrick Knight of our malware research labs, the link in the email does not lead to a greeting card (no surprise there) but instead leads to a payload, which, when downloaded, does a UDP scan of random IP addresses. Hmmm - sounds like the same guys.

Patrick will post further analysis on this Trojan when it comes to hand, but in the meantime, if you get an invite to download a greeting card or e-card, be careful.

Why The Internet is Not a Terrorist Target

I could write an entire post about the ironies involved in casting Justin Long, the guy who plays the Apple Mac guy on TV, as a computer hacker in the new Bruce Willis movie "Live Free or Die Hard." But I'm more interested in the plot line and its focus on cyberterror.

Cyberterror is a scary word.

Just saying the word "cyberterror" evokes images of uncontrolled warfare, destructive new technologies, and images of frightened, disenfranchised humans streaming from darkened cities, torchlights held high, children and teddy bears in tow.

The reality is, apart from the *possible* exception of the recent mass-shutdown of computer networks in Estonia, cyberterror hasn't yet arrived at any of our doorsteps. I think there is one very good reason why: terrorists, like us, *like* the Internet.

Back in 2003, IDC predicted that "a major cyberterrorism event will disrupt the economy and bring the Internet to its knees for a day or two" and went on to predict that the war with Iraq would "galvanize hackers" who would most likely use a combination of "denial-of-service attack, a network intrusion or even a physical attack on key network assets."

Q. Why didn't the terrorists attack?

A. Because the Internet is their infrastructure too.

The Internet not only enables free and anonymous communication, but also enables the global transfer of assets and funds, encrypted instant messaging (and instructions), instant creation of false identities, hard-to-police crimes, and the marketing of fundamentalist recruitment videos and propaganda to Internet users far removed from the source of such messaging.

Shutting down the infrastructure of the Internet, even if such a thing were possible, would harm terrorist agendas far more than it would help them. The two largest prolonged attacks on the Internet's root servers - in October 2002 and February 2007 - were both unsuccessful, and during the second attack, the attackers, who used "hundreds" of zombie computers pushing as much as 1Gbs worth of requests at the servers, were thwarted by an implementation of Anycast load-balancing technology.

Just "hundreds" of zombies? Five years between major attacks? Two servers affected out of thirteen after 12 hours? The Internet would not appear to be under serious threat, at least from the statistical point of view.

Various government organizations, including the DoD, appear to be of similar mind - or if not, at least understaffed relative to any perceived threat. The US Joint Task Force-Global Network Operations (JTF-GNO) has just 255 personnel directly employed and monitoring potential threats to GNO assets (which includes GIG or Global Information Grid assets only, not private or non-GIG public assets).

As for other public assets, private companies, and families and their service providers, the IT staff and police charged with protecting these entities are increasingly focusing their efforts on preventing the growing number of targeted attacks by criminals, rather than the "firesale" attack that formed the backbone of this movie.

That's really the reality of cyberterrorism today - cyberterror isn't about scaring the hell out of whole nations or towns, it's about scaring the money out of rich people.

My guess is once "Live Free or Die Hard" has run its course, a next generation of action films will start to reflect the kind of threats we're *really* seeing: highly-targeted, small-batch pieces of malware designed by well-funded criminals to make life really bad for a very small group of infrastructure users.

Note: Justin Long was very good in the film. The guy is the king of sotto voce. He has a long career ahead of him - and not just as a computer geek.

Wednesday, June 27, 2007

CA, IN Consumers: Your Email Address is not PI

Two states - California and Indiana - recently enacted laws designed to better protect electronically-stored personal information gathered from consumers in these states.

There's only one problem: Neither state views an email address as PI (Personal Information.)

The ramifications of this were recently on display when a phishing scam targeted 30,000 students of the Indiana University Credit Union.

The penny dropped for Christopher Soghoian, a graduate PhD student at IU (and Facebook security issue blogger), when he received a phishing email claiming to be from the credit union at an email address that he had just created and that was not available publicly via any search engines.

He immediately assumed, rightfully as it turned out, that IU Credit Union's email address list had been compromised, and contacted the credit union to find out why they hadn't notified him of the problem. The details of the lengths he had to go to for IU to admit their list of accounts had been compromised are reproduced here.

His initial suspicion - that the server had been hacked - turned out to be incorrect. But the discovery that anyone logged into the machine could have potentially downloaded and sold the information wasn't exactly comforting either.

So why didn't IU let the students know of the problem?

As it turns out, like California's SB 1386, Indiana Code 4-1-11, which details the rules on security breaches, doesn't view an "email address" as "personal information". Here's the relevant section:

Indiana Code 4-1-11-3
"Personal information"
Sec. 3. (a) As used in this chapter, "personal information" means:
  (1) an individual's:
    (A) first name and last name; or
    (B) first initial and last name; and
  (2) at least one (1) of the following data elements:
    (A) Social Security number.
    (B) Driver's license number or identification card number.
    (C) Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account.
(b) The term does not include the following:
  (1) The last four (4) digits of an individual's Social Security number.
  (2) Publicly available information that is lawfully made available to the public from records of a federal agency or local agency.

California's definition of "personal information", included in code SB 1386, defines PI as "an individual's first name or first initial and last name in combination with any one or more of the following, when either the name or data elements are not encrypted: (a) Social Security number; (b) driver's license number or California ID card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

Governments need to enact provisions requiring companies to also notify their customers in the event of an email breach. Email is the primary vector associated with online frauds, such as phishing and hoax emails. Virtually all identity fraud scams start with an email.

There are significant technical and commercial challenges involved - not the least of which involves the potential use of a compromised vector to notify the consumer of the breach - but that doesn't mean the technology isn't available to meet these challenges.

Technology usually rises to meet the expectations of lawmakers. Knowing your email address has been compromised would be possibly among the most useful of consumer notifications.

Monday, June 25, 2007

Moby Malware Arrest

AFP reports that the alleged creator of the Moby virus was arrested in Valencia on Saturday by Spanish detectives, following a seven-month investigation.

The man is accused of creating and spreading over 20 different variants of the Cabir and Commwarrior worms to 115,000 phones running the Symbian operating system.

It isn't as destructive as some other mobile malware efforts, but the social networking aspects of the virus appear to have been well architected. According to AFP:

"The virus... was disguised as messages claiming to contain erotic images, sports information or virus protection software."

Bluetooth users needed to select "yes" when the virus-initiated dialog boxes appeared in order to be affected by the virus. It appears 115,000 users were convinced enough by the promise of antivirus updates, erotic messages and sports scores to do just that.

Social networking trumps common sense yet again. The 28-year-old creator of this virus will no doubt have plenty of time to reflect on his sociology skills - in jail.

Authentium's v5.0 mobile malware scanning engine protects against Moby and similar mobile threats.

False Positive Testing Automation

In the security software world, a "false positive" occurs when antivirus software mistakenly identifies a legitimate file as "malware" and quarantines it.

As every IT professional is aware, *every* antivirus company in the industry suffers from the occasional false positive. But we're collectively getting better: Avoidance of false positives has become a key service level metric, and because of this, process innovation and automation have received significant levels of new investment.

That doesn't mean the occasional screw-ups won't happen. Recently, one member of the antivirus industry released two definition files (two out of 320,000) that mistakenly identified two system files as malware. As normally happens with the release of a false positive, there was a fair amount of press.

One of the articles I read caught my interest. It seemed to be calling out the company in question for using "automated systems" to check for false positives. I thought this was unfair - and a little surprising, given their effectiveness.

Ten years ago, Symantec, McAfee, Command, and other antivirus companies were probably adding a handful of virus definition files a day to a database containing maybe 20,000 examples of malware, and updating our customers maybe once a week on average.

It was still possible back then to check these new entries manually.

Things have changed dramatically. Today, the Authentium (Command) 5.0 antivirus engine detects almost three quarters of a million viruses and variants, and it is by no means uncommon for us to add several thousand definitions a week, and push out new updates within an hour of the old.

Add to this number the rapid proliferation of new operating system files (Vista, for one), new application files, and web-based threats like spyware, and you start to get an idea a) why we love our malware researchers, and b) why automated systems designed to check for false positives are now permanently bolted into the racks at every antivirus company.

Sunday, June 24, 2007

Does Microsoft Own iPhone?

The US Patent and Trademark Office just granted Microsoft US Patent #7,225,409 for a "Graphical user interface for a screen telephone". The grant was made on May 27th, 2007.

The abstract of the patent, located here, describes "a graphical user interface for a web telephone and other telephony devices provides a unique combination of display elements that provide information and enable the user to access functionality of the device."

The illustration submitted with the patent application on August 25th, 1999, doesn't look much like an iPhone - and isn't exactly going to steal iPhone users away from Apple on the basis of looks:

That said, the claims granted by this patent are so broad - and the targeted devices so close to the iPhone market (PDAs, webphones, other computing devices) - that you have to wonder if this little-talked-about patent grant has the potential to enable Microsoft to make a claim to certain iPhone-related IP.

Take this extract, from the Summary of the Invention:

"the application program selection area provides a display of user interface controls that enable a user to select an application program, such as a web browser, address book, or answering machine/e-mail message retrieval application. In one implementation, the selection area is a button bar with control buttons that the user may select to initiate application programs or device features visually identified by the buttons..."

Or this, from Claim #1:

"A tangible computer-readable medium having stored thereon computer-executable instructions for implementing a customizable visual user interface on a screen display of a telephony device comprising: an application program for providing services to a user on the telephony device;"

Also from Claim #1:

"...execution of the one or more methods of the application programming interface is responsive to the input from the application for customizing the customizable visual user interface, wherein the telephony module includes an operator agent for determining a media mode of an incoming call"

More, from Claim #32:

"the customizable visual user interface comprising a branding area for displaying a brand graphic, wherein the branding area is operable to allow a user to connect to an internet location via the telephony device, and wherein the internet location is associated with the brand graphic"

Does that sound like a "branded home page short cut" to anyone else? I think I already have one of those on my Cingular BlackBerry...

These examples are really just the tip of the iceberg. The Microsoft patent - reproduced here - is quite dense, and filled with the kind of broad descriptions typically associated with software patents that could enable multiple engineering methods and variations.

I was particularly drawn to the idea that many seemingly commonly-used telephony user interface components might be represented as a novelty, and thus potentially granted a patent - such as the representation of a call slip within a telephony GUI (co-pending patent application Serial No. 09/383,039 entitled "A COMMON VISUAL AND FUNCTIONAL ARCHITECTURE FOR PRESENTING AND CONTROLLING ARBITRARY TELEPHONE LINE FEATURES").

As with most patents, it is hard - nigh impossible, in fact - to read these patent claims without referencing *today's* innovations in your imagination. This will no doubt be a challenge also for judge and jury if Microsoft and Apple ever do end up in court over #7,225,409.

Note: I'd be very interested to get your commentary - if you're an IP lawyer, post your reading of this patent.

Saturday, June 23, 2007

Friday Soap Box: How Australia Funds Health Care

Michael Moore's new film, SiCKO, is bringing health care into the spotlight.

I don't need Moore's film to help me visualize a solution to the current situation here in the US: the solution is clear to me every time I travel from the US (no explicitly-funded universal health care) back to Australia (explicitly-funded health care for everyone) and visit my father, who has Parkinson's disease, and needs a lot of care.

Back in the sixties, the health care system in Australia was a mess. Then, during one highly-chaotic political period in the seventies, something very sensible happened: a system was voted into place (MediBank - now MediCare) that had two very easily understandable attributes:

1. Health care will be provided to everyone, free
2. Health care will be funded by a 2.5% income tax "additional levy" (this has been adjusted up and down over the years, but you get the idea)

So let's run some numbers ($A):

2006 Medicare Budget: $18,000,000,000 (Wikipedia)
2006 Individual Tax Payers: 11,259,600 (Australian Tax Office)
2006 Avg Annual Taxable Income: $52,000 (Bureau of Statistics)

If a blanket levy of 2.5% is assumed, this creates a pool of $14.5b, pretty close to the required budget of $18b. Add in a 10% sales tax on the sale of pharmaceuticals and sports equipment (!) and you're pretty close to break-even.

Is this calculation too simplistic? Of course it is. But I am old enough to remember how easy it was for the government to *message* this simple solution, and I'm still grateful that our various conservative, socialist, and sovereign leaders during that time of political revolution saw eye to eye on the need for a revolution in health care.

BTW, I'm sure my parents did an even simpler calculation when the scheme was announced: $52,000 x 2 people x 2.5% additional tax levy = $2,600 = $433 per family member per year.

That's a pretty small amount to pay - in total, per person - for a working, largely self-funding health system.

Friday, June 22, 2007

Phishing Kits: Made In Hong Kong?

According to IBM's X-Force Blog, 92% of the phishing web sites studied during the final week of May 2007 were associated with "phishing kits" - software toolkits designed by hackers to enable fast creation of multiple domains, and quick deployment of phishing scams.

The problem with the use of phishing kits is that criminals can automatically create multiple Internet domains faster than they can be taken down. For an indication of what this means, check out this graph from one of Authentium's antiphishing partners, the Anti-Phishing Working Group (APWG):

The trending line is pretty easy to imagine. The number of sites listed in April of 2007 is roughly 5x, or 400% larger, than the same month in 2006.

Which leads me to the subject of Hong Kong.

According to IBM, Hong Kong, with a total population of just one tenth of one percent of the world's population (6,900,000), was the listed jurisdiction for 44% of the domains associated with the 3,256 phishing toolkits their researchers analyzed over a one-week period at the end of May.

To put it another way, 1,433 of 3,256 phishing web sites were found to be associated with "ccTLD’s (country code Top Level Domains) of .HK (Hong Kong)".

The problems with this go beyond the scope of one blog post, but IT professionals will recognize one of the most salient issues: dealing with foreign jurisdiction-based hosting companies, such as those located in Hong Kong, places a lot of demands on policing organizations such as the APWG, when it comes to trying to "take down" one of these sites.

Here's an excerpt from the APWG May report:

"More problematic has been the recent widespread adoption and marketing of domain “privacy” services, which has created a method for scammers to hide illicit registrations. It’s nearly impossible to track criminal registrations through such services, as they are created explicitly to make it difficult to contact a domain name’s true owner."

And it's not just criminal sites - even legit/zombie sites present logistical issues when a "take down" is attempted. Here's what happened when APWG staffers tried to "take down" a legit site identified as an originating point for a phishing scam:

"The site was located on a server that had apparently been hacked through a vulnerability in a commonly used blogging software package. Unfortunately, the hosting company did not have staff in-place to handle the incident at the time of the report, and did not respond to requests for action. This is an all too common issue, as many hosts – especially on weekends – can take 12-24 hours to read their abuse queues and may not answer their phones."

A hosting company that doesn't answer the phone on the weekends? Sounds to me like that "24 to 48 hour lag" in taking down a phishing site is going to persist for a little while yet - unless we start mandating either that a) employees should not check email over the weekend, or b) that hosting companies should know their customers.

Note: Gunter Ollmann suggests using caution when interpreting this data and so do I: the Hong Kong domains listed in any analyzed kit may not correspond to any of the domains utilized in a scam by a criminal. In these days of increasingly-sophisticated spear-phishing attacks, it's best to plan your defense based strictly on your analysis of each individual attack.

Hit Man Spam

I thought most people had heard of the Contract Killer or Hit Man phishing scam. However, after watching CNN's coverage of the story today, and witnessing the reaction of the folks in the room with me, it would appear I was wrong.

Here's what this email scam looks like:

This scam, which first appeared in December 2006, is kind of a reversal of the traditional Nigerian 419 scam - instead of someone promising to hand you money because you happen to have the same last name as a lottery winner, the sender of this scam email offers *not* to kill you if you send them cash.

Variations on this theme include various warnings listed from Hollywood movies ("DO NOT CALL THE POLICE/FBI!") and $US dollar amounts four to five times greater than the $20,000 fee listed here.

Bottom line: if you get an email from someone who says they've been contracted to kill you, unless you're Tony Soprano, or are chronically late on making good your local bookie, it's a scam.

Note: As reported by Consumer Affairs back in January, some of the scammers have added a neat twist: they follow up the original email with an email claiming to be from the FBI's London office.

In the follow-up email, the "FBI's London Office" claims that they have information on an individual wanted for murder, including the fact that your name has been found on a "hit list" they now have in their possession, and then asks you to contact them to "assist" with the investigation.

Monday, June 18, 2007

Smarter Policeman, Smarter Catch

I took some lumps over the weekend based on my previous comments about George Ledin's virus class at Sonoma State.

To clarify, my previous post about George Ledin's class was not in support of hiring virus writers, it was in support of hiring smarter virus *researchers*: i.e. the folks that police the Internet and keep us safe.

While I accept the premise that someone could potentially come out of one of George's classes and do something bad, my view is the very same possibility exists when someone exits gun-training at a police academy.

People predisposed to doing bad things will. Hackers don't need Ledin's course - they can already access everything they need to know about writing a computer virus from the Internet, or their local library, courtesy of the First Amendment.

From the standpoint of policing criminal activities, however, it is important to me that every virus researcher at Authentium is able to navigate and understand the broadest possible range of criminal strategies and techniques associated with online crime.

Virus writers tend to favor a particular approach when coding their threats. Virus research is a different game - as several experts have previously stated, virus researchers need to be able to analyze and react to a multitude of different techniques.

I think the approach George Ledin is taking has the potential to enable a broader understanding among his students of the various techniques in use, which in turn could enable a higher quality of analysis.

I fully accept this may not be the popular view, and that some of my colleagues may disagree with me, but I personally believe "the smarter the policeman, the smarter the catch", and I believe Ledin's hands-on approach to research could help create some "smarter policemen".

When Good Coders Turn Bad

It can be argued that ethical hacking creates more good, by ensuring vulnerabilities are spotted by friends, rather than foes. But what happens when a "good" computer programmer suddenly turns "bad"? Shouldn't permanent consequences apply to that person?

In other industries, the consequences of disobeying authority, rules, laws, and ethical standards are clear.

Disbarment, excommunication, impeachment, license revocation and restraining orders are used every minute of the day by courts, prosecutors and lawyers to ensure that standards and authority are respected, and keep criminals out of our legal system, health system and law enforcement system - and DUI criminals off the roads, and violent offenders out of people's homes.

Lawyers, doctors, dentists, politicians, policemen, soldiers, bus drivers - when people from these professions are convicted for a criminal offense related to their expertise or position, they can be disbarred, impeached, dishonorably discharged, or otherwise dealt with, according to a strict code.

In most cases, though they may retain their expertise for the rest of their lives, they lose the right to make money from their credentials ever again. Which is how it should be.

But what of wayward computer science graduates? Does a s'kiddie or coder/criminal currently place anything permanently at risk when he/she decides to move over to the Dark Side and do wrong?

Would he/she think about their actions differently if committing a criminal act meant that their credentials - their college degree, technology licenses and certifications, developer association ties, network access credentials - could be permanently revoked or nullified, upon conviction?

Currently, there is nothing like these forms of punishment in our still-emerging industry. Criminals are able to leave jail and set up businesses, based on their new-found notoriety, and some achieve levels of adulation quite out of proportion to the amount of good they do in the world.

This is the equivalent of a lawyer, having been disbarred for dishonesty, being invited to join a prestigious law firm to become their in-house expert on fraud.

It also places a lot of pressure on the legal system. Because no industry standard such as disbarment exists, judges have to "make it up" in cases involving electronic criminals. They understand they cannot remove expertise from the criminal - so they make up punishments that approximate the removal of credentials: no Internet access, no computer access, etc, for a period of time usually equivalent to a third of the jail time.

This is ad hoc, and not the same as disbarment. It does not send a clear, up-front message to people prior to the commitment of a felony that they need to respect laws - or at the least, certain ethical standards - or they will lose the right to practice their craft, if the crime is serious, forever.

As an industry, maybe it's time to get together and start putting some teeth behind a code of ethics in the form of revocable credentials - so judges and other figures of authority can start excluding convicted felons from using technologies in ways that could hurt legitimate users.

Note: There are some commentators out there who still believe that committing crimes using software is cute, excusable, and totally cool.

It isn't. See you in jail.

Sunday, June 17, 2007

Bono: Turn (RED) Into Red Hat

Yesterday, I bought the latest Vanity Fair - the "Africa edition", guest-edited by Bono, with Queen Rania on the cover.

As I flipped through the magazine, noting the same old (RED) marketing campaign partners, it made me mad: There is *so much more money* out there that could be going to this campaign, and to Africa.

The reason it isn't is because the structure of the (RED) licensing campaign is antiquated and non-scalable.

To be crazy-successful, (RED) needs to be able to scale upwards from the handful of manufacturers and embrace every potential contributor in the world. Which means (RED) needs to become the world's first GPL (General Public License) charity.

Here's an example of money being left on the table, and how GPL would transform (RED).

Back when the (RED) campaign to raise money for AIDS in Africa launched, I decided I wanted to help. So I called up the (RED) campaign and made them a pitch.

The gist of the offer was - Authentium's security technologies are available to more than 40 million homes, via some of the world's largest ISPs. Let's create a great-looking red consumer security suite, call it SECU(RED), include some links to other (RED) partners, and offer it to 40 million people. A nominal *2% take-up* could generate $8mm for the campaign.

They basically said "Thank you but we've got more on our plates than we can handle right now."

So I called a friend who knows Bono and asked if he would pass the message along. He basically said "Look, he's probably getting two thousand eight-million-dollar ideas thrown at him every day."

Therein lies the problem.

If you think I'm alone in feeling frustrated at not being able to help, here's what it says on the idea submission section of the Product (Red) web site:

"We regret that we are not able to accept any new ideas for (RED) products or partnerships. We have been so overwhelmed by the response to our launch that we can't keep up."

Bono and team, one small change could enable much more fund-raising to occur. Making the change to GPL would enable *every* potential money-raising opportunity to be explored with minimum impact to the (RED) organization, and maximum impact on Africa.

It would enable any manufacturer that qualifies to create a product under the (RED) brand name, providing they adhered to the license terms, and submit earnings back to the campaign at a rate fixed by the license: Earnings that would then be available to fulfill more promises in Africa.

It would be transforming.

Worried about quality? Then create a simple qualification process, and back it up with an equally-simple product certification process - in other words, turn (RED) into "Red Hat". That way, manufacturers can know the rules up front, be certified, and participate in the program.

Product (RED) has the potential to be mind-blowing, and a transforming business idea. But it is stuck in second gear right now. Like many great ideas before it, it isn't scaling.

(RED) could achieve massive scale - and become the Linux of charity organizations - by adopting GPL.

Saturday, June 16, 2007

Los Alamos Emailed Nuclear Secrets

Back in January, several officials at the Los Alamos National Security plant, which designs and builds nuclear weapons, used an "open e-mail network" to share classified information on "the characteristics of nuclear material in nuclear weapons".

That's according to information released yesterday to the press by House Representatives John Dingell and Bart Stupak.

In a letter to U.S. Energy Secretary Samuel Bodman, obtained by UPI, Reps. Dingell and Stupak said the e-mails had resulted in "the loss of control of top-secret restricted data."

According to Wired's Danger Room blog:

"The breach occurred when a consultant to the LANS [Los Alamos National Security LLC] board, Harold Smith, sent an e-mail containing highly classified, non-encrypted nuclear weapons information to several board members, who forwarded it to other members, according to a Washington aide familiar with the investigation who asked not to be named because the information is sensitive."

The Albuquerque Journal reported Friday that a security team from Lawrence Livermore National Laboratory was sent to recover the laptop computers used to send the e-mail and arrived and took possession of the laptops within six hours of the breach.

No definitive word yet, however, on whether these laptops were the same laptops used to receive the data - and whether or not the email server (or servers) were checked into quarantine alongside the client machines.

(In fact, of the five or so reports I've read on this emerging story, not one has even mentioned "e-mail server" as a possible point at which the data may still reside.)

Los Alamos officials have thus far declined to comment on this story, citing "national security" concerns. Expect to hear more about this next week. According to the Wall Street Journal, National Nuclear Security Administration spokesman Bryan Wilkes said: "As a matter of federal law, we don't confirm, deny or acknowledge allegations of security violations."

Don't Believe Your Eyes

As evidenced by the reaction to my spot on Fox News this week and the subsequent entries and comments in this blog, this week is, apparently, "Spoof Week".

Let's leave the world of Paris Hilton and caller ID spoofing and take a brief look at some other fast-growing ways spoofing is changing the world we live in.

1. Forgers and Pirates.

A good friend of mine travels the world selling "bank note papers and inks". He maintains a photo album filled with forgeries that I suspect may be one of the larger private collections of fake currency.

One time, we used it as the basis for a Saturday afternoon parlor-game: guess the real bank note. It was impossible. The forgeries were just too good - I would never have guessed that criminals had the capability to create such perfect replicas.

According to Carratu International, counterfeiting is responsible for around 10% of all world trade, and a primary source of funding for terrorists. In a recent report on the $210 million trade in fake cosmetics, the World Customs Organization estimated that 70% to 80% of Asia Pacific counterfeiting profits were used to finance organized crime and terror groups.

Money raised from selling counterfeit CDs was the primary source of funding of the Madrid train bombings in 2004 which killed 191 people. Allegedly, the recent bombings in Mumbai were funded through the sale of fake currency printed in Pakistan.

2. Drug Spoofing.

Illegal drug-taking is a risky pastime - and not just because you may get caught by the law. Many times, the drug sold as "heroin" is not heroin at all, and this can lead to death, or acute medical problems as in the story of the two "frozen" addicts.

The World Health Organization (WHO) estimates that 8-10% of the global medicine supply chain is counterfeit – rising to 25% or higher in some countries. In one recent study in South East Asia, 53% of antimalarial drugs were found to be fake. In Pakistan, a survey by the Daily Times in 2006 showed 40% of drugs were fake.

Drug counterfeiters aren't just targeting illegal drugs - according to the New York Times, counterfeiters are targeting online buyers of Viagra, Levitra, Oxycontin and sleeping pills. US FDA investigators have also found fake statins (used in preventing heart attacks) and fake Tamiflu.

Still think your online drugs aren't being spoofed? In Hamilton, Ontario, Canada, a registered pharmacist, Abadir Nasr, was charged by Canadian federal authorities with selling counterfeit Norvasc heart medication after five customers who bought it died of heart attacks and strokes.

According to the Washington Times, Canada is an emerging hub for fake drugs. In 2003, the FDA and Customs confiscated thousands of drug shipments headed for the United States. When opened, nearly half claimed to be of Canadian origin, but, according to FDA and Customs officials, 85 percent of them were from 27 other countries, such as China, Iran and Ecuador. 30 percent of the drugs were counterfeit.

Here's a list from the FDA of the top ten Canadian sites known to supply fakes:


Experts estimate that future growth in the illegal trade in drugs will out-pace the sale of legitimate pharmaceuticals and generate $75 billion in revenues for its owners by the year 2010, a 92% increase from 2005.

It can happen here department: As recently as yesterday (June 14, 2007), counterfeit tubes of Colgate toothpaste turned up in dollar stores in the United States.

Warning: the counterfeit toothpaste contains diethylene glycol. Counterfeit cough syrup from China containing diethylene glycol killed dozens in Panama last year.

3. Faking Authority.

As any veteran of Central American conflicts or resident of Baghdad could tell you, the spoofing of a police or military uniform can have potentially lethal consequences.

Is that really a police officer at my front door? At that checkpoint? Should I stop?

Impersonation of law enforcement officers happens here in the US too - but most US criminals don't bother to go this far. Need to get inside a home in an upscale neighborhood? Just wear a clean shirt, drive a utility vehicle, and explain you're from the gas company.

Think those utility guys won't look real? Here's a uniform from Amazon marketplace - one of hundreds of sites selling both fake and real uniforms and ID's - including police badges.

As for that utility van, if Borat (Sasha Cohen) can buy a used Post Office van for 600 bucks in less than an hour, criminals can too.

4. Phishing and Phidgeting.

Electronic spoofing is undergoing an unprecedented rise in sophistication. Gone are the days of the "explosive virus" - you won't be seeing many more of these on the evening news.

Today's online criminals are building small-scale distribution viruses that are designed to act like highly-targeted "mail merge" marketing campaigns, with a view to infecting sub-sets of highly profitable target demographics, such as the members of a business networking site, or association - check out the Better Business Bureau attack.

Today's criminals are also building widgets with other people's brands on them with a view to phidgeting, or "phishing using widgets". Either that, or they're hard at work modifying the code of other people's applications in order to redirect traffic to hacker sites.

Other hackers simply present consumers with fake security products like WinAntiSpyware 2007 that are designed not to actually scan your machine, but to induce you to enter your credit card details.

Unfortunately, even security professionals are still catching up with all this. I recently went to the site of a large consumer bank. Right in the middle of their "Security Alert" page, no doubt maintained by an expert, they stated (I'm paraphrasing, in order to protect the bank's identity):

"To protect yourself against phishing, you should check to see if your name is at the top of the email. The bank will use your name, but criminals are not likely to address you by name."

Folks, this is 100% *incorrect*. If an email shows up from your bank with your name in it, the chances are increasingly good that it was generated by a criminal, not by the bank.

Fortunately, Authentium has an answer to the problems presented by phishing and phidgeting. Those of you who have read my posts before know what it is. The rest of you might want to watch this video.

Friday, June 15, 2007

The Strange Case of USC vs. McCarty

University of Southern California has an enviable reputation as an education facility, and an endowment of $3.2 billion. It generates half a billion dollars a year in research funding.

The very same USC recently sued a would-be-student for $140,000 after he reported some security vulnerabilities on their web site to a security firm.

Eric McCarty is a young guy in his twenties who went to USC's web site with the intention of becoming a student. He says, upon looking at the site, he wasn't sure if USC's online application process was secure enough to protect his personal information.

So he ran a couple of tests and found that the site had a serious vulnerability - a SQL injection could be performed on the home-grown authentication software, allowing an attacker to circumvent the security and access *any* of the forms in the database - a database which at the time contained data on 275,000 individuals.

McCarty then contacted a reporter at SecurityFocus, which then contacted USC, and informed them of the vulnerability.

Now, California has some excellent laws that detail what organizations must do if personal data is compromised. USC had to follow them - which meant contacting anyone potentially facing data loss or otherwise affected by the vulnerability.

Contacting all these people about the vulnerability cost USC $140,000 - a cost they decided to recover by suing McCarty - the person who originally discovered the breach.

Which is where things get really weird.

According to the FBI, as quoted in SecurityFocus, an email found on McCarty's computer shows that he targeted the school because he was denied admission.

Yet McCarty, from the standpoint of SecurityFocus' reporting, appears to have acted without malice and done very little - if any - damage, based on his unauthorized testing of the web site.

Upon finding the hole, he did the right thing - he reported it to responsible, third-party authorities who reported it to USC, ahead of their publication of the problem.

The reaction he would have received had he reported it directly to USC cannot be known. But as the CEO of Authentium, a security software company, I have called in more than a few security alerts and I find companies can be surprisingly blasé about security vulnerabilities - unless threatened with publication. McCarty did the right thing.

And now for the (un)happy ending.

According to the Computer Science Institute, at the time of the suit, Eric McCarty simply did not have the resources to fight USC, so he negotiated a settlement with the university and the State Prosecutor and agreed to pay almost $36,800 in monthly installments of $500 for the next 72 months (6 years), and spend six months under house arrest.

And I thought universities were supposed to improve the human condition.

USC's motto is palmam qui meruit ferat - "Let whoever earns the palm bear it". USC, it's pretty apparent that you "earned this palm" with your sloppy coding. You should have borne the cost of telling people affected by this vulnerability yourself, not foisted it off onto McCarty.

Virus Composition 101

There's been a lot of negative press around Dr. George Ledin's computer science course at Sonoma State College ever since Ledin announced he would be encouraging students to write computer viruses and other forms of malware.

According to an article by Erik Larkin at PC Magazine, three unnamed security firms have even sent Ledin letters saying they will not hire any students that take this course.

This kind of thinking is as dumb as two bricks.

All malware (computer virus and spyware) researchers need to understand how viruses are distributed - just like soldiers need to understand how bullets are distributed.

Could people potentially get hurt by stray bullets/viruses? Of course - which is why training of this sort *always* takes place in a controlled environment - like a rifle range, a research facility, or an off-network computer science lab.

Are Ledin's trained researchers going to be better-placed to understand the threats we're seeing, based on this course? Of course they will be; "doing" results in "knowing".

Could some students potentially create some malware with a view to perpetrating evil at the end of this course? Maybe - but the same information is available from Barnes and Noble. And I very much doubt anyone would attempt this from inside a security software company - that would result in an extremely quick trip to jail.

Authentium to George Ledin's students: if you're interested in a job, we'll look at your resume. Based on your training, our assumption is that you're going to do a better job helping us detect and defeat malware than someone without this knowledge.

Update: I should have said "Sharp", not "Authentium" in the last para. For one thing, Robert Sandilands (who disagrees with this stance) does the hiring in the lab, not me.

Friday Soap Box: Black Gold and Fair Trade

Coming back from London on Virgin last week, I watched "Black Gold" - a film that documents the plight of coffee farmers in Ethiopia.

Now, I am a dedicated capitalist and profiteer. But like most capitalists, I know better than to starve my suppliers: nothing good comes from this.

The coffee industry has chosen to ignore this principle, and instead is putting such a squeeze on these farmers that many are leaving coffee cultivation and migrating to narcotics, such as chat.

The reason for growing narcotics is simple: their children are starving and need to eat, be medicated, and educated. The narcotics can be easily grown and sold at market price.

When I got off the plane in Miami, I resolved to start buying at least some free trade produce. I put in an order for some fair trade coffee.

I very much doubt that Starbucks, Nestle and Kraft will notice I'm buying $20 less of their non-fair trade products every week, but they might if you start doing this too.

Last night, my first pack of "fair trade" Ethiopian Harrar coffee arrived in the mail box. I researched the firm I bought it from, and they are buying this coffee directly from the Ethiopia Farmer's Union featured in the film. Next baby step: reduce use of Nestle at the office.

If you're interested in learning more about this, and helping rebalance things, here's a link.

Thursday, June 14, 2007

Vista Loses Its Virginity

This week, Microsoft issued the first-ever security patch for Vista.

The patch, issued this past Patch Tuesday, MS-07-032, is classified as "moderate", and plugs a hole in Vista's Access Control Lists.

According to Microsoft, the vulnerability this patch addresses "allows non-privileged users to access local user information data stores including administrative passwords contained within the registry and local file system".

Authentium says: labeling this vulnerability "moderate" is like labeling a runaway truck on a freeway "litter". If you use your PC to do anything important at all, allowing non-privileged users to peer at administrator passwords inside the registry could result in what us technology experts refer to as a "FUBAR" situation.

Vista users, you should download this patch and install it immediately. Vista 64 bit users, please click here.

Wednesday, June 13, 2007

3 Ways To Protect Against Caller ID Spoofing

I just got off air from an interview with Bill Hemmer of America's Newsroom on Fox News.

The subject of the interview was "Caller ID Spoofing" and the ease with which hacker sites like SpoofCard enable businesses to be impersonated. Here's a screen shot of what the incoming call looks like - in reality, any name or number can be used:

Bill of course did a great job summarizing the issue in the couple of minutes we had - in fact, when the make-up person came back into the room after watching the spot from outside the studio, she said "wow, that's really scary."

And of course, she's right. Caller ID is something we've come to trust, and now the sad fact is we can't trust caller ID anymore. Like an email address, caller ID is so easily spoofed that it has no value as an authentication technology: in fact, your caller ID is more of a liability these days - if a hacker has this, they can use it to pretend to be you at financial institutions like Western Union that still believe in this technology.

Anyway, in case you missed the spot, the experts here at Authentium suggest you take the following steps to avoid having your identity, or your voice mail, compromised as the result of someone using a spoofed caller ID.

Recommendation 1: PIN or Password-Protect Your Voice Mail

Many cell phone operators, including T-Mobile and ATT, use caller ID as the authenticating mechanism for voice mail. Users of sites like SpoofTel and SpoofCard know this (including, apparently, Paris Hilton, who was blacklisted by SpoofCard for unauthorized activity related to this kind of thing), and will use your number to call and listen to your voice mail.

The cost to them? Around $0.07 a minute. That's what FoneGanster, another site, was charging for a hundred minute card this morning when I took a look.

Recommendation 2: If You *Must* Provide Information Over the Phone, Only Provide This Information to Someone You Know

The easiest way to remove the possibility of caller ID-related crime is to *know* someone at every place you do business, and know them well enough so you can recognize their voice on the phone.

That way, if you absolutely *need* to share personal information over the phone, you will be able to do so - or at least be able to call and check if the request that has been made is legitimate.

Recommendation 3: Do Not Call Phone Numbers in Emails Claiming to be from Banks or Other Corporations, Even If The Email is Addressed to You Personally

One of the emerging phishing strategies is the combining of phishing and marketing technologies, such as mail merge, with automated voice response technologies. In these scams, a number is included in the email for you to call.

Don't call these numbers. Ever. Hackers are increasingly making use of AVR approaches ("please enter your credit card number you're calling about, followed by the phone number associated with this account") that sound real, but are designed to steal the four things they covet most - your name, your social security number, your credit card, and your phone number.

Tuesday, June 12, 2007

Engel Antispoofing Bill Heads to the Senate

Good news. U.S. Congressman Eliot Engel’s bill to stop the use of spoofed Caller IDs to con people out of their personal information (ostensibly to drain their bank accounts), was approved today by the House by a unanimous voice vote.

It now heads for the Senate.

The bill, H.R. 251, the "Truth in Caller ID Act", makes it illegal for anyone to alter a caller ID with “intent to defraud or cause harm” (EPIC's Mark Rottenberg supplied this language to ensure the few legitimate uses of this technology remain lawful).

The penalties are not nearly harsh enough - a year in jail/$10,000 in fines - and it's not going to stop international criminal gangs from signing up and using in-market sites like, but for consumers sick and tired of seeing evil and stupidity go rewarded, it's a start.

Congressman Engel deserves a lot of credit for tackling this issue.

Happy Father's Day Trojan

Be careful opening emails offering an online Father's Day card.

According to Mary Landsman of, the email may be a variant of the Zapchast Trojan. Zapchast is a particularly nasty piece of work that initiates an IRC session that allows a criminal to take remote control of your machine.

I haven't seen a copy of this email myself, but Mary says the threat can be identified by "poor spelling, lack of an identified sender, and a link that may or may not be visible". In the visible link version, the link ends in ".exe".

You should avoid clicking on *any* link ending in ".exe", unless you're fully aware of the consequences.

Authentium antivirus technologies detect all known variants of Zapchast, so if you're using one of our products, or behind an email gateway that has our technology installed, you're fine.
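The ".exe" link check described above can be automated at a mail gateway or in triage. The following is an added example, not code from the original post or from any Authentium product: it parses an HTML message body and reports links whose target path ends in an executable extension, covering both the "visible" and the "not visible" link variants. The sample message, the `cards.example` host and every extension other than `.exe` are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# ".exe" is the extension the post names; the others are an assumption
# added for this example (common directly-executable Windows file types).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def target_is_executable(url):
    """True when the URL path (not the query or fragment) ends in an executable extension."""
    try:
        path = urlsplit(url.strip()).path
    except ValueError:          # malformed URL, nothing to classify
        return False
    # Decode %2E-style escapes, ignore case, and drop the trailing dots and
    # spaces that Windows strips from file names.
    path = unquote(path).lower().rstrip(". ")
    return path.endswith(EXECUTABLE_EXTENSIONS)


def review_links(html_body):
    """Return one finding (href, text, reason) per link that points at an executable."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        if not target_is_executable(href):
            continue
        if target_is_executable(text):
            reason = "visible link ends in an executable extension"
        else:
            reason = "link text hides an executable target"
        findings.append({"href": href, "text": text, "reason": reason})
    return findings


# Constructed sample message body (not a real e-card email).
SAMPLE_EMAIL = """\
<html><body>
<p>Someone sent you a Father's Day card.</p>
<p><a href="http://cards.example/fathersday/card.exe">http://cards.example/fathersday/card.exe</a></p>
<p><a href="http://cards.example/get/Card%2EEXE?id=77">Click here to view your card</a></p>
<p><a href="http://cards.example/about.html">About this service</a></p>
<p><a href="http://cards.example/view?name=card.exe">Preview</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in review_links(SAMPLE_EMAIL):
        print(f"{finding['reason']}: {finding['href']} (shown as {finding['text']!r})")
```

The check is a heuristic on the URL path only: a server can return an executable from any address, as the last sample link illustrates, so it complements rather than replaces scanning the downloaded content.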

The Siege of Estonia

As most regular viewers of CNN are probably aware, the city of Tallinn in Estonia recently removed the statue of a Soviet soldier from a central park and moved it to a military graveyard in the suburbs.

Many Russians took this news badly - both in Estonia and at home. While Estonians had their own reasons for hating the statue, Russians viewed the statue as a symbol of their role in the liberation of Tallinn, and inevitably, protests and a political firefight followed.

Then, as the controversy grew, a new phenomenon occurred: in the weeks that followed the outbreak of anger, Estonia became the first state to experience a new twist on one of the oldest battle strategies there is: the siege.

In this instance, the siege involved stopping the normal flow of data in and out of the country. This was accomplished by packet flooding - i.e. by flooding Estonia's computer networks and connected devices with massive amounts of meaningless data.

The result was dramatic - the packet flood siege shut down whole networks, preventing communication, transactions and normal commerce.

Speculation continues as to the source, but Estonia insists that Russia - or Russian patriots - initiated the flood.

Assuming Russia did carry out this siege, they are not alone in having this capability, according to the Department of Defense. We should assume the US, the originator of the Internet, has this capability. And, according to a DoD report published last month, China has been building up its capabilities in this area, with a view to possibly taking out Taiwan's computer networks. Here's an excerpt:

"The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks... a limited military campaign could include computer network attacks against Taiwan’s political, military, and economic infrastructure to undermine the Taiwan population’s confidence in its leadership."

Most IT organizations have experienced some form of flood attack, and seen the effects: late nights, lost productivity, underutilized assets and, in the worst instances, data corruption or loss, but this is the first time I'm aware of that a whole country has been targeted.

As indicated by this event, an attack on a country's data infrastructure could potentially have long-term effects, in addition to the short-term disruptions to commerce, food production, utilities and the ability of law enforcement to ensure security.

Estonia may be small, but there is no reason a similar attack could not be mounted on IP blocks in the US, in Israel or Palestine (where one of the world's fiercest cyberbattles continues), or anywhere else where political interests collide.

Though telecommunications are regulated by federal bodies in virtually all countries, data security and network security practices do not come under the command of a unified group in any of the countries I have visited - except China. We may need to rethink this.

Monday, June 11, 2007

Cloaking Technology is Bad News

We analyzed a cloaking service today that could potentially enable some disastrous security breaches. The name of the service is "SpoofCard".

The service, available online to anyone, is a spoofing service. It allows anyone with a credit card to sign up and call a number using any phone number you enter (including the phone number of a legitimate business), and a fake voice of your choosing.

Yes, you parsed that "Voice Changer" feature correctly: SpoofCard allows you to disguise your voice while calling on your fake (or spoofed) phone number, and even swap gender.

There are an unlimited number of scenarios I can think of in which this technology would enable a crime to occur, or at least enable the pre-conditions to a crime:

1. Unauthorized voice mail access
2. Business Call Center spoofing
3. Medical Center spoofing
4. Law Enforcement spoofing
5. Bank Call Center spoofing
6. Stalking and abuse

We signed up for SpoofCard and tested several of these scenarios today, using an Authentium corporate mobile BlackBerry connected to the Cingular Network.

The results were unequivocal. The faked phone number went through to my voice mail on the first try (I have since enabled the PIN again - what a pain).

The business spoof was chilling - we used the number of the business and there was no way of telling this was not a legitimate call - and no way of back-channeling the information to find out the caller's identity.

There was no way of knowing that my "bank" was not my actual bank, or my local police station was not my local police station in our testing. The caller ID came up right on-screen, the voice sounded authentic.

Even the female voice disguise (a free option) sounded effective. And at the end of the call, SpoofCard provided an interface to the call history, so I could check out who I'd spammed/scammed:

I looked up via Whois and of course, like many of the companies in this area, they are using WhoisGuard, and probably a US-based hosting company. No other information was available.

What public good SpoofCard provides, I have no idea. I cannot think of one legitimate reason why this technology should exist.

I also cannot, for the life of me, understand why, during this time of rampant ID fraud and the war on terror, at a time when people are literally dying to protect our assets and way of life, we are not paying closer attention to regulating cloaking technologies that could enable crimes.

Sunday, June 10, 2007

Extraordinary People

In Oslo recently, on a gloriously sunny Sunday, I got to visit the Kon-Tiki museum with my Norway-resident brother, and see first-hand the original balsa-wood raft I first read about as a kid growing up in Australia in The Kon-Tiki Expedition.

The raft was built in Peru by Thor Heyerdahl, a Norwegian anthropologist and adventurer, who used it to cross the Pacific Ocean and prove humans had once traveled between South America and Polynesia.

I bought Heyerdahl's life story "In the Footsteps of Adam" at the gift store on the way out, and immediately plunged into it. It was an inspiring read. During his years working as an anthropologist and biologist, he encountered a hell of a lot of resistance, but ultimately succeeded in building bridges between leaders, scientists, and cultures, using nothing but water.

It reminded me of someone else.

Five years ago, I found myself at the back of a crowded plane headed for the West Coast. As I slumped down into my seat, the mousy-haired woman in the window seat next to me smiled and said hello. She asked me if I was headed to the West Coast for business, or pleasure.

"Business," I told her.

"What do you do?" she asked.

"Software," I replied. "What business are you in?"

She smiled and said "I swim. I'm a swimmer."

Now, I've sat next to countless executives, mysterious government operatives, aid workers, soldiers, artists, crazy people - and sportsmen and women - on planes over the years. The lady looked to be about forty years old, and her physique did not strike me as that of an athlete.

But the story she went on to tell was astounding.

She'd started swimming as a hobby, at 9. At 14 she and some friends decided to swim 26 miles from LA to Catalina. They succeeded. At 15, she broke both the men's and women's records for swimming the English channel. At 18, she became the first woman ever to swim between the north and south islands of New Zealand, and a year later swam from Denmark to Sweden.

In 1987, she swam the Bering Strait, smacking with her arms through the thin sheets of ice that formed on top of the water after the ice-breaker passed. Upon reaching the Russian side of the strait, she reunited families from her US escort party with USSR cousins that had not seen each other for thirty years - and was toasted by Reagan and Gorbachev at their Reykjavik summit.

She had followed this up with a swim from Argentina to Chile, a swim from Bolivia to Peru (becoming the first person to cross Lake Titicaca), and a swim from Egypt to Israel. She was now planning, she said, to swim around a peninsula in Antarctica.

She asked me if I knew anyone that would sponsor her. It would cost $40,000. She would be swimming for a mile and a half in temperatures that no one had ever swum in before - around 35 degrees Fahrenheit. There would no doubt be news crews covering the event - a chance that corporate logos would be visible during her swim.

I told her I would try. But secretly, I thought she was crazy for even thinking about swimming in Antarctic waters. *Not* helping her raise money would probably save her life, I reasoned. We got off the plane and we said goodbye.

Five years passed. Then one day, I was walking past a Barnes and Noble and spotted a book called "Swimming to Antarctica".

The book was, of course, the story my fellow passenger, Lynn Cox, had told me on the plane. Not only had she raised the money, and completed the swim to great public acclaim, but she had moved on to build a successful career in writing and public speaking.

I bought the book. It was every bit as good as our plane ride. Lynn, I don't know where you are planning to swim next, but if you need help finding a sponsor, I owe you one.

Note: Lynn's latest book is Grayson - a true story about her encounter with a whale while swimming off California. There are glowing reviews on book sites from Anne Rice, Jane Goodall, Oliver Sacks, Carl Hiaasen, and Temple Grandin.

I'm sure it's as inspiring as the first.

"Ogle Maps" Privacy Concerns are Real

Google Street View, a feature recently introduced into Google Maps, captures images of buildings, cars - and people - at street level using a fleet of vehicles, including black Volkswagen Beetles outfitted with 11-lens rooftop cameras that capture images using patent-pending technology supplied by Immersive Media. Here's a picture of one of the cars:

The results are astounding for the cities that Google Maps has already rendered images for. Here are the results of a search for a steak house near where I used to live on 9th Ave in Manhattan (note full-sized bull above the entrance):

Contrary to some reports, the resolution of many of the images rendered by this system can be quite high. Street signs, signs displaying parking rules, and license plates were clearly readable using the Google Street View zoom-in feature at many locations I visited - especially those on the West Coast.

Here's a zoom-in from an image taken at 75 E. Santa Clara St in San Jose. You can not only see what is printed on the sign ("12 MINUTE PARKING") - you can see the rivets and the dents.

This has raised issues on some blogs that marketers may use this unprecedented power to populate their databases with demographic data and further differentiate the "haves" from the "have nots" - by peering into their front and back yards.

Others have complained about privacy - about the possibilities of being spotted hiding keys in flower pots, showering, strolling in the park, or having pictures of their kids snapped while on the way to school - perhaps in front of a clearly visible address or sign.

After viewing some of the images, I agree that some modification is needed.

Example 1: Here's a Street View image of a guy picking his nose in downtown San Jose. (I put the black box over his face because I don't want to make his life any worse than it probably already is, but on Google Maps he is clearly recognizable.)

Example 2: Here's a Street View image of a woman that is currently traveling through the blogosphere (black box again added by me).

Example 3: The image below is interesting because there are so many analogs: being spotted going into an AA meeting or a shelter, entering a cancer treatment center, going to a meeting of activists, entering an outlawed church... Google removed women's shelters prior to launch of Street View because of concerns raised by women's groups.

Example 4: Here's a Street View image captured of a policeman apparently giving a driver a citation on the corner of Fulton and Laguna Streets in San Francisco (the license plate is *almost* readable but not quite).

Example 5: In possibly the most thought-provoking example in this posting (for those of us that have kids), here's a shot of some kids lying on the lawn outside their house. You can't see their faces, but on Google Maps, their address is, of course, displayed.

This image worries me more than the other examples. I cropped the photo so the address of this residential house would not be visible, but on Google Maps, the address of this house is clearly displayed - that being the point.

Obviously, Google didn't set out to create a privacy problem. In my experience, "good intentions" usually drive most engineering initiatives, and I've no doubt Google wanted to create something useful with Street View.

That said, Google has to provide a solution for this - it is only a matter of time before someone gets captured on camera making love to their legal spouse, the physical proximity of two people becomes misinterpreted resulting in the end of a marriage, or, worse, kids get targeted by criminals based on information provided by a Street View image.

The Orwellian dilemma posed by the need to simultaneously protect political and religious freedoms while protecting the community using surveillance is beyond the scope of this post.

The Electronic Frontier Foundation has placed the responsibility for fixing the issue of privacy violation at Google's doorstep. This is appropriate. Google, as publisher, is the only company that can enable a fix.

A fix would be relatively easy for Google to implement. Face-recognition technology is a fairly evolved science these days. It should not be a challenge for Google to integrate face recognition capabilities and reverse the normal logic to enable distortion or "blurring" of facial features.

License plates may be a bit trickier, but I'm sure Google, with almost $12b in cash in the bank at the end of the most recent quarter, could easily find a way of solving this issue too.

Some believe the system might already have face-blocking technology built in (this is a joke, folks, but there is a real image at the end of this link).

Note: If you haven't yet tried Google Maps Street View, it is, aside from these addressable concerns, an amazing technology. Check out the Bright Food Shop using this link - this is my favorite breakfast place in Manhattan. The ease of sharing this information with you demonstrates the kind of good intentions and usefulness that Google's engineers had in mind when they invented Street View.

Friday, June 8, 2007

Thanks Fox News

By the way, I forgot to thank America's Newsroom co-anchor Megyn Kelly and the folks over at Fox News yesterday for bringing the Julie Amero story to the attention of the public.

From the time the Authentium team first briefed Fox News back in February, it took them less than a day and a half to bring this to air, and they did so in their traditional "fair and balanced" debating approach. Luckily for Julie, Megyn was on the "defense" side of the courthouse.

Finally, Alex Eckelberry at Sunbelt Software deserves a ton of credit for keeping this case in the public eye - probably the most credit of anyone in our industry. I first heard about Julie Amero's plight from Alex and I'm sure a lot of other people did too. Alex, well done.

Localizing Internet Services

Like a lot of executives, I travel a lot. As I travel, I notice that web pages are becoming more and more localized in the geographies I visit.

Choice of color, the amount of white space, and choice of animation styles (and the amount of animation displayed) are some obvious examples, but increasingly what I am seeing is the fast-emerging influence of culture - or, better expressed, the influence of people wanting to preserve their culture - on the Internet.

How does this need express itself?

Web service localization tools are no longer a "nice to have", but essential. Instant recoloring, translation, re-skinning, and multi-feature UI design - "reinterfacing" as it is called around Authentium - is becoming a must-have component of the deals we're in.

In our area of security and secure applications, geography- and language-specific malware filtering and URL "go list" databases are also making their way up the agenda - to the very top in some meetings. Language-specific malware detection and geographically-focused "go lists" (i.e. "walled gardens") - such as those enabled by our platform - are the future.

Google's multi-language UI was ahead of the game on this topic in many ways - possibly because one of the founders is from Europe, a place profoundly aware of differing languages and needs. However, presenting the Google home page in fifty-two languages is a trivial task. Many other companies are going to fail to meet this challenge, because the task is just too great.

Prediction: Integrating the additional analysis and infrastructure required to identify and effectively deal with the kinds of geography-specific malware we're seeing is going to prove to be an impossible task for any single security company or government organization. The big guys will try to buy in these capabilities and will succeed - but pay billions of dollars in the process, and ultimately fail.

I don't intend us to take the same approach. Authentium will continue its strategy of licensing technology from multiple in-market vendors.

The insurance/choice that multiple vendors provide in this kind of process is invaluable, and in the end, it better promotes market-driven quality and service-levels, client choice, and in-market entrepreneurial activity: a concept that the anti-globalization folks can certainly get behind.

Wednesday, June 6, 2007

Judge Tosses Out Amero Verdict

It would appear that reason (and blogging) has prevailed.

Judge Hillary Strackbein today ordered a new trial be granted to Julie Amero, the substitute teacher previously found guilty of exposing children to pornography on a school computer, on the basis that flawed evidence was presented by the Norwich police detective "expert" witness.

In her ruling, Judge Strackbein criticized the blogging community for attempting to "improperly influence" the court. Judge to computer experts: don't call us, we'll call you. If we ever call a new trial, that is.

Which is highly, highly unlikely.

By the way, David Smith, the Norwich prosecutor, deserves credit for reversing his position publicly. As much as I hate the fact that he prosecuted this case in the first place, it takes guts to admit you were wrong.

Tuesday, June 5, 2007

Critical Alerts in the Blogosphere

Last week, US CERT reported a bug in an out-of-market product - a bug we fixed a number of releases ago.

As I have previously stated, *zero* Authentium customers are affected.

This is an old engine. Product has not shipped with this engine in over a year, and all of the old engines have been swapped out per our normal updating process.

Unfortunately, headlines like "we fixed the bug a year ago" do not sell newspapers - or bring visitors to blogs or security sites. Which is why in virtually every report, you'll inevitably find a "critical alert" headline, then eventually, down the page, the objective truth behind the story.

The guys who write the headlines know what they're doing. With a billion computers humming away every day on the planet and two billion more cell phones plugged into networks, headlines like "critical security alert" are meaningful to everybody. So they get picked up.

The next thing that happens is that more news reports appear propagating the urgent aspect of the story and the story gets picked up and repeated - call it the "Digg factor."

Responding to this is painful. Correcting this bias can take weeks of painstaking presentation. Emotions don't count in this phase of things - this is the grunt work of corporate blogging, and it follows three basic rules: continue to push out the facts (and only the facts), repeat as often as necessary via as many channels as possible, and don't get emotional.

Yes, it's a lot of work. But that said, I wouldn't have it any other way. Third party blogging and free expert commentary are what make the Internet such a valuable place. That some of us have to do an extra blog posting every now and then is a pretty small price to pay.

Friday, June 1, 2007

ActiveX Issue is Old News

Will Dormann over at CERT has discovered a buffer overflow vulnerability in an old version of our Command Antivirus engine.

It does not affect anyone using a current version of our product.

As CERT notes, the issue was resolved with the release of our 4.93.8 engine a year ago.

Note: Secunia has posted some wrong information on their site. This vulnerability *does not* affect all 4x versions of our software, as quoted by Secunia in their posting - this is wrong. We're working on getting them to rectify their post on this.

CERT's information advisory, which they published after extensive consultation with our team, is correct. Our thanks to Will Dormann and his team there for ensuring the right information was posted.

Bottom line: if you've updated your Command Antivirus software at least once in the past year, or are using a product delivered in the past year, you're fine. Robert Sandilands, our head Virus Researcher, has also posted on this subject on his blog here.