Random Thought
Spyware, OSX and Themes
Apples have been more secure than PCs for about as long as I can remember. It’s generally acknowledged, though, that a main reason for that is the lack of value in attacking one.
Seriously, writing a virus, some spyware or other piece of trojan software for the Mac would be pretty pointless with the market penetration they currently have. That’s not a dig – I’m a big Mac fan. I drool over the 17″ Powerbook whenever I pass one and if virtual pc for the mac were just that bit faster then I would seriously consider it. But if you want market penetration for a piece of malignant code it’s not the platform to exploit.
With corporate and even home machines getting slowly more secure, the use of social engineering attacks, such as the email phishing scams for bank details, becomes more and more prevalent. One such misrepresentation attack that’s been around for ages, but appears to be on the increase, is the use of flash, DHTML and other dynamic web content designed specifically to look like system dialogs. FUIs – Fake User Interface dialogs.
If you’ve spent any time at all on less reputable sites, for whatever reason, you’ll have seen them. Big exclamation icons with phrases like “your computer is infected with spyware, click here to disinfect”. Which should really read “this is an advert from a malicious spyware writer, click here to have your machine hijacked and/or infected”. If you want to see what I mean, look at examples of what was probably the first major campaign of this type, by Bonzi. Oh, and the subsequent settlement to a class action lawsuit filed in Washington.
So, apart from the obvious benefit that a Mac isn’t vulnerable to the same exploits as a PC (a benefit you can get most of by browsing with Firefox instead of IE) there is another benefit. Everything on the Mac looks different. The window frames, the maximize, minimize and close buttons, the grey bevel buttons all look very different to a PC. This makes it obvious to anyone using a Mac that the little dialog is an imposter and not part of the system.
As a poster on MetaFilter says so eloquently:
Of course, we Mac users are nothing but amused by those bogus “error” messages because, well… they don’t look like error messages to us, they look like cheap attempts to trick bumbling PC users into clicking through someplace they wouldn’t otherwise want to go…
You can achieve this effect on your PC, making it easier to recognise threats visually, by installing a skinning tool such as WindowBlinds. Making your windows look different to Windows could make the difference between clicking a dialog and not for many users.
Other, more traditional, tips & tricks can be found on Bruce Schneier’s blog.
not so luuuuurvely
Thinking about this here screensaver a bit more, I’ve decided this is a seriously flawed piece of kit.
Firstly, the idea is flawed. Spammer economics is based on very small, sometimes infinitesimally small, margins. This applies to their mailings and is likely to apply to their hosting also. Even at its peak this screensaver is not likely to really impact them.
Secondly, the implementation is flawed. It clearly sends junk. Not only does this make it more likely to infringe regulation of some kind or another by being a deliberate attack, it also means that its content will be easy to filter – trivial in fact.
Thirdly, the implementation doesn’t send any kind of legitimate HTTP request. As most ISPs host many web sites on each machine, they rely on an HTTP Host header in each request to identify whose site you’re asking for. As Make Love Not Spam doesn’t identify which site it’s asking for, and clearly identifies itself as a non-legitimate requestor, it is unlikely that costs will ever be attributed to the spammer. Not to mention the fact that the degradation in service will be affecting all the poor sites who, through no fault of their own, happen to be hosted alongside one of the targeted sites.
Finally – aren’t the spammers pissing away enough of the internet’s bandwidth without us pissing it away too? This isn’t the way.
luuuurvely
BBC via Clarke Ching via alan francis:
Internet portal Lycos has made a screensaver that endlessly requests data from sites that sell the goods and services mentioned in spam e-mail.
Lycos hopes it will make the monthly bandwidth bills of spammers soar by keeping their servers running flat out.
Update: I did start to wonder if this was for real. I mean, there are probably laws that this screensaver violates – or should. But I took a look at what it’s doing. I turned on the logging on my firewall and it really does visit the sites, it makes several requests…
so, being suspicious I wondered if the domains might be bogus…
Domain Name ANYSOFT.BIZ
Domain ID D8128287-BIZ
Sponsoring Registrar GANDI SARL
Sponsoring Registrar IANA ID 81
Domain Status ok
Registrant ID O-876962-GANDI
Registrant Name Sergey Gachichiladze
Registrant Organization Sergey Gachichiladze
Registrant Address1 11, Ulan-Bator St.
Registrant City Moscow
Registrant Postal Code 117142
Registrant Country Russian Federation
Registrant Country Code RU
Registrant Phone Number +7.0957899432
Registrant Email whois@hqlists.com
Administrative Contact ID SG1094-GANDI
Administrative Contact Name Sergey Gachichiladze
Administrative Contact Address1 11, Ulan-Bator St.
Administrative Contact City Moscow
The screensaver appears to send junk messages such as:
<makeLOVEnotSPAM>6Ad;&o2RbS\{)Q&{q/<TN;z%?E|9uXv%%;m~C,dA}7.jGqD;|ym14Bck#N&aT[B+T</makeLOVEnotSPAM>
So, surprisingly, judging by Starring, the company who came up with it:
Our business concept is to
help companies do things that give them something to say.
it appears to be for real.
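The two complaints in the “not so luuuuurvely” post above (no Host header, so a shared-hosting box cannot bill the request to the spammer’s site, and a fixed junk marker that makes the traffic trivial to filter) can be shown with a few lines of Python. This is an added example, not code from the screensaver, Lycos or Starring: the site names, the request samples and the filter rule are constructed, and the only value taken from the page is the &lt;makeLOVEnotSPAM&gt; marker seen in the logged traffic.

```python
"""Virtual-host attribution and junk filtering for raw HTTP requests.

Added example; the hosted site names, the sample requests and the
accounting logic are constructed for illustration.
"""
from __future__ import annotations

# Constructed: three sites sharing one IP address, as on a shared-hosting box.
VHOSTS = {"spammer.example", "innocent-bakery.example", "innocent-charity.example"}
# Constructed: the site a server answers for when Host is missing or unknown.
DEFAULT_VHOST = "innocent-bakery.example"

# Marker observed in the screensaver's traffic (taken from the post above).
JUNK_MARKER = "<makeLOVEnotSPAM>"


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1", "replace")}


def resolve_vhost(req: dict) -> tuple[str, bool]:
    """Return (site the request is attributed to, whether that was explicit).

    Without a Host header the server can only fall back to its default site,
    so the cost lands on whoever happens to be the default, not the target.
    """
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host in VHOSTS:
        return host, True
    return DEFAULT_VHOST, False


def is_screensaver_junk(req: dict) -> bool:
    """Detection rule: a fixed marker in body or path identifies the traffic."""
    return JUNK_MARKER in req["body"] or JUNK_MARKER in req["target"]


def bill(requests: list[bytes]) -> dict[str, int]:
    """Tally which site each request is attributed to, dropping flagged junk."""
    tally: dict[str, int] = {"dropped_as_junk": 0}
    for raw in requests:
        req = parse_request(raw)
        if is_screensaver_junk(req):
            tally["dropped_as_junk"] += 1
            continue
        site, _ = resolve_vhost(req)
        tally[site] = tally.get(site, 0) + 1
    return tally


# Constructed sample traffic: two ordinary browser requests, one stand-in for
# the screensaver (no Host header, junk body), one plain HTTP/1.0 request.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: spammer.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: innocent-bakery.example\r\n\r\n",
    b"POST / HTTP/1.0\r\nContent-Length: 45\r\n\r\n"
    b"<makeLOVEnotSPAM>6Ad;&o2RbS</makeLOVEnotSPAM>",
    b"GET /index.html HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(resolve_vhost(req), "junk" if is_screensaver_junk(req) else "ok")
    print(bill(SAMPLE_REQUESTS))
```

Run it and the request with no Host header is attributed to the default site, exactly the innocent neighbour the post worries about, and the marker rule drops the junk before it is ever counted.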
in cahoots
This morning’s news includes an item about Internet bank Cahoot, run by the Abbey. Internet banking is something I know a little about, and listening to Tim Sawyer, head of Cahoot, had alarm bells ringing.
A wonderful quote posted on the BBC has Tim saying “We did not fail as an organisation because there was no risk of financial loss…”. I wonder if Cahoot customers agree? Or the Data Protection Act?
If you walked into a bank and asked for a balance on accounts, you’d be asked for ID, and if you weren’t it would be considered serious. So why does Tim not think that this was a failure? The bank’s legal responsibility is not only to protect your money, but also your information.
He also went on to talk about how, in order to see someone else’s account details, you’d have to know their “confidential” customer identification. One of the commonly misunderstood fundamentals of username password systems such as Cahoot’s is that the username is not part of the secret. You have to assume it is known. I hope this was just bluff and blunder by a non-detail management professional rather than Cahoot’s real security model.
But more worrying is that bugs like this (which was a very simple breach) show that the developers working on this “browser based secure internet banking application” are actually building it in the same way they’d write a guestbook for their geocities homepage.
One of the problems of the web is that the barrier to entry for simple sites is so low, yet the complexity of writing genuine browser delivered applications is very high. It is akin to writing complex win32 apps and certainly more complex than writing windows apps in VB.
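The security model the post objects to, treating a customer identifier as if it were a secret, is easiest to see next to the model it should be. Below is an added example in Python, not Cahoot’s code or anything known about their application: the account data, session tokens and handler names are all constructed. One handler checks only that somebody is logged in and then trusts the identifier in the request; the other authorises the lookup against the identity of the session, so the identifier can be public without harm.

```python
"""Account lookup with and without an ownership check.

Added illustrative example; accounts, sessions and handler names are
constructed and do not describe any real bank's implementation.
"""

# Constructed account store: customer id -> owner login and balance.
ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 1250.00},
    "10002": {"owner": "bob", "balance": 80.50},
}

# Constructed session store: session token -> authenticated username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def balance_vulnerable(session_token: str, customer_id: str) -> float:
    """Authentication without authorisation.

    Verifies that *some* user is logged in, then trusts the customer id from
    the request. Any logged-in user who knows another customer's id reads that
    account: the id is being used as a secret, which it cannot be.
    """
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[customer_id]["balance"]


def balance_hardened(session_token: str, customer_id: str) -> float:
    """Authorises the lookup against the session's identity.

    The customer id is treated as public; access is granted only when the
    authenticated user owns the requested account.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(customer_id)
    if account is None or account["owner"] != user:
        # One answer for "not yours" and "does not exist", so the endpoint
        # does not reveal which ids are valid.
        raise Forbidden("no such account for this user")
    return account["balance"]


def probe(handler, session_token: str, customer_id: str) -> str:
    """Return 'allowed' or 'denied' so the two handlers can be compared."""
    try:
        handler(session_token, customer_id)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    # Bob, logged in, asks for Alice's account by id.
    print("vulnerable:", probe(balance_vulnerable, "sess-bob", "10001"))
    print("hardened:  ", probe(balance_hardened, "sess-bob", "10001"))
```

The difference is one comparison: the hardened handler ties the object being read to the subject doing the reading. Everything the user can type into a request, including their own identifier, has to be assumed known.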
Pollution Attacks, the proper name for what I said
After my previous post I got a number of comments back, one pointing me at a company (allegedly) involved in this, and the term “Pollution Attack” which describes one of the two attacks I described in the previous post.
I also discovered this article about the structure of KaZaA which I found interesting. It also mentions pollution attacks and the use of published lists of known genuine files and their content hashes. This uses the Sig2Dat tool to generate a KaZaA hash for any file.
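The defence the article mentions, checking downloads against a published list of genuine files and their content hashes, only works if the hash actually covers the content an attacker would change. The following is an added example in Python; it is not the Sig2Dat tool and does not implement KaZaA’s real hash. The `prefix_hash` function is an assumed, simplified stand-in for a hash that covers only part of a file, the files and manifest are constructed, and the point it makes is general: a partial-coverage hash lets a polluted copy match the genuine entry, a full-content hash does not.

```python
"""Checking a download against a published manifest of genuine-file hashes.

Added example. `prefix_hash` is an assumed stand-in for any hash that covers
only part of a file; it is not KaZaA's algorithm. Files are constructed.
"""
import hashlib
import hmac

PREFIX_BYTES = 4096  # assumed size of the region a partial hash covers


def full_hash(data: bytes) -> str:
    """Hash over the whole content: what a manifest entry should record."""
    return hashlib.sha256(data).hexdigest()


def prefix_hash(data: bytes) -> str:
    """Assumed partial-coverage hash: only the first PREFIX_BYTES count."""
    return hashlib.md5(data[:PREFIX_BYTES]).hexdigest()


def build_manifest(genuine: dict[str, bytes]) -> dict[str, str]:
    """Published list: file name -> full-content hash of the genuine file."""
    return {name: full_hash(data) for name, data in genuine.items()}


def verify(manifest: dict[str, str], name: str, data: bytes) -> bool:
    """True only if the download's full-content hash matches the manifest."""
    expected = manifest.get(name)
    if expected is None:
        return False  # not on the list of known genuine files
    return hmac.compare_digest(expected, full_hash(data))


def partial_hash_would_accept(genuine: bytes, download: bytes) -> bool:
    """Whether a prefix-only hash would mistake the download for the genuine file."""
    return prefix_hash(genuine) == prefix_hash(download)


# Constructed files: a "genuine" track and a polluted copy that shares the
# first PREFIX_BYTES but has different content after that.
GENUINE_TRACK = b"ID3" + bytes(range(256)) * 64 + b" genuine audio frames " * 200
POLLUTED_TRACK = GENUINE_TRACK[:PREFIX_BYTES] + b"\x00" * 2048 + b" noise " * 300

MANIFEST = build_manifest({"track.mp3": GENUINE_TRACK})

if __name__ == "__main__":
    print("genuine verifies:", verify(MANIFEST, "track.mp3", GENUINE_TRACK))
    print("polluted verifies:", verify(MANIFEST, "track.mp3", POLLUTED_TRACK))
    print("prefix hash fooled:", partial_hash_would_accept(GENUINE_TRACK, POLLUTED_TRACK))
```

Whoever publishes such a list should therefore publish a hash of the entire file, and clients should recompute it over the entire downloaded file before trusting the copy.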
Protecting Digital Assets
The success of unrestricted file-swapping services such as the original Napster and, more recently, ED2K, Source Exchange, Kad and the odd other relies on two key points. If the music industry _really_ want to stop piracy it should be surprisingly easy…