Thursday, November 23, 2006

what is phishing?

phishing is a form of identity theft where the victim is enticed (typically by means of a message of some sort) to use what appears to be a legitimate logon page for some service (like online banking or paypal or ebay) but is actually a fake page designed to capture identifying information (like credit card numbers or login credentials) that enables the perpetrators to fraudulently pose as the owners of that information...

like email scams, phishing is usually about getting your money; however, unlike email scams where you are convinced to hand over your money, phishing just tricks you into revealing the information necessary for the phisher to take your money him/herself...

also like email scams, phishing is a form of social engineering - usually you're given some compelling reason to visit their fake logon page such as giving you the chance to undo a transaction that you never actually made or making mandatory updates to your account information...
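one concrete way to spot the lure described above is to look at the links in the message itself: a phishing email typically shows you text that names the real service while the link underneath goes somewhere else entirely (or to a bare ip address)... the script below is an added example, not code from the original post; the sample message is constructed, and the two-label "registered domain" shortcut is a simplifying assumption (a real filter would consult the public suffix list)...

```python
"""Flag links in an HTML e-mail whose visible text names one site while the
href points at another, the basic shape of a phishing lure.
Added example, not from the original post; the sample message is constructed."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# constructed sample: two lures (domain mismatch, raw IP) and one legitimate link
SAMPLE_EMAIL_HTML = """
<p>Your account needs a mandatory update.</p>
<a href="http://secure-login.example.net/paypal">https://www.paypal.com/</a>
<a href="http://192.0.2.10/login">Click here to undo the transaction</a>
<a href="https://www.paypal.com/signin">paypal.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.example.com'.
    Assumption: two-label registrable domains; real filters use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def text_looks_like_url(text):
    """True if the visible link text itself names a site (full URL or bare domain)."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return True
    # bare domain: single token containing a dot, made of alphanumerics, dots, dashes, slashes
    return " " not in t and "." in t and all(c.isalnum() or c in ".-/" for c in t)


def is_ip_host(host):
    """True if the link host is a literal IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return [(href, text, reason), ...] for links showing the classic phishing
    mismatch between what the reader sees and where the link actually goes."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if is_ip_host(host):
            findings.append((href, text, "link goes to a raw IP address"))
            continue
        if text_looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registered_domain(shown_host) != registered_domain(host):
                findings.append((href, text,
                                 f"text says {shown_host} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

run it as-is and the first two links in the constructed message are flagged while the third (text and href both on paypal.com) passes; the check is deliberately narrow, since a link reading "click here" that points at a lookalike domain is not caught by text comparison alone and needs reputation or allow-list data the script does not have...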


what are email scams?

email scams are scams (confidence games) perpetrated over email... it's where someone sends you an email that tries to convince you to give them your money (or something else of value), whether for a pyramid scheme or a 419 scam or some other kind of hustle...

because they fool you into doing something you wouldn't otherwise do, email scams (and scams in general) qualify as a form of social engineering...


what is spam?

spam is a form of network abuse whereby one tries to force feed a (usually commercial) message to as many people as possible...

by force feed i mean that the spammer puts the message where people don't want it and can't easily ignore it - often they have to do something about it to get rid of it...

reaching as many people as possible is achieved either by sending the message many times to many people (such as with email spam) or broadcasting it in such a way that a single instance of the message will be seen by many people (such as with usenet spam) or both...

it may seem like this description isn't doing spam justice, that spam's impact is larger than what is implied here, and that it makes spam sound like a minor annoyance (like commercials on tv)... well, multiply that minor annoyance by 100 (or more)... a single spammed message really doesn't have a lot of impact and if we only got a single spam every now and then we wouldn't really be all that concerned about it... the problem with spam doesn't come from the nature of spam but rather from the sheer unrelenting volume of spammed messages... one popular statistic (at the time of writing) states that spam accounts for 85% of all email traffic - that's a lot of garbage to wade through to get useful content out of your email...

spamming can be done over any network that humans communicate (in some fashion) over such as email (conventional spam), usenet (usenet spam), instant messaging (spim), blogs (splogs), blog comments (comment spam), or even p2p networks...

[see this article on spam etymology for details on the origin of the term]


what is junk mail?

junk mail is an umbrella term for any unwanted email...

this includes email spam but it can also include those unfunny jokes your friends forward to you and those service updates from whatever online services you may have signed up for... and of course there's also the chain letters, scams, phishing, email worms, etc...

junk messages can also come in through other communication media, but junk mail is best known in part because email is such a mature and widely used medium compared to many of the others (like instant messaging or p2p)...


Monday, November 20, 2006

grey goo strikes again

looks like one of the more interesting things in security blog land today was a service outage over the weekend in second life caused by the infamous grey goo (virtual virus hits second life, grey goo hits second life, worms in second life, security, a human problem)... i'm not sure why they all chose this particular time to take notice of the grey goo in a malware context but at least now i know i'm not the only one who thought it was an interesting instance of game-related malware...

this particular case was pretty unremarkable, though, unless you take the golden rings (from sonic the hedgehog) into account... otherwise it really wasn't a big deal - it's not the first time and it's not the worst time... presumably the first time was the worst time because linden labs hadn't yet developed tools to cope with the problem of self-replicating code in the game, but now they have and this latest case saw new logins blocked (if you were already in the game you could generally stay in) for less than half an hour while they cleaned up the mess (as opposed to the head scratching and long-delayed resolution they went through when the problem first came up in october of last year)...

of course there's more to the story of grey goo than most seem to be reporting... last month i wrote about it, about its classification, and about the countermeasures linden labs developed - essentially behaviour blocking technology... the fact that grey goo continues to pop up from time to time illustrates the broader principle that behaviour blocking can't completely solve the virus problem... i suspect that the quick cleanup this time points to what essentially boils down to a signature based removal technique as well (which, for the time being at least, is a perfectly reasonable way to recover from the special cases that get around the primary defense), so linden labs continues to be an interesting example of anti-malware techniques and technology developing in the apparent absence of but parallel to the anti-virus industry...

Thursday, November 09, 2006

how to avoid codec roulette

does this sound familiar? you've gotten this video off the internet and when you try to play it you get informed that playing the video requires a codec you don't have...

this is actually a pretty old problem and the obvious solution most people hit on is to find the codec and install it - and of course then you have to hope that it actually works and that it doesn't cause conflicts with other codecs or general system instability...

more recently a more insidious trend has emerged - the codec, rather than simply not getting along with other codecs or being poorly coded, is not a codec at all but is actually malware... this is a pretty clever form of social engineering because a person judges the safety of the whole thing at the point when they decide whether to try to watch the video in the first place, and the judgment most will make is that the video file is probably safe because video files generally are... from then on they are committed to watching the video, even though the demand for a codec changes the entire safety equation - they pay no heed to whether or not the codec is safe, they just want to be able to look at this video they have in their hot little hands... you could almost think of it like a bait-and-switch scam...

these sorts of fake codecs have been getting a fair bit of attention from the security related press and a lot of people have been trying to address the problem by coming up with lists of bad codecs and the sites distributing them... many of these same people criticize the classic anti-virus model of enumerating bad things as being a broken model so i'm not sure why they think their own ad-hoc enumerations of badness are any better... at any rate, lists such as this fail to address a significant part of the socially engineered problem - once a person decides to watch the video they are much less likely to think about the safety of the codec they're subsequently asked to install in order to get at that content they are trying to watch...

another, much more to-the-point way of addressing the problem is to just tell people not to install codecs... this advice would certainly work, but people who have videos they can't watch have an incentive to not listen to that kind of advice... it's not like you can tell people that the video is probably a fake, because there are so many legitimate codecs out there that aren't installed on computers by default that a legitimate video asking for a legitimate codec is actually still a very probable scenario...

as an aside i'd like to admit something to you - i am a consumer of video content, i have been for quite a long time and i played codec roulette back in the day before codecs became a major malware attack vector... codec roulette pissed me off because it was so much work sometimes to find just the right codec... there was even a point where i tried re-encoding the videos so that i'd wind up with files that were all the same format, but even that required the codecs...

it turns out that a solution to the hassle of the old-school codec roulette works pretty well for the new malware enhanced version of codec roulette as well... the reason is that the solution to the hassle of codec roulette is to find a player that will play just about anything without ever having to find and install codecs... armed with such a player, a supposed video that needs a codec you don't have becomes a much more suspicious scenario and so one that people are less likely to fall for...

for me, that media player was the vlc media player (which i supplemented with real alternative for realmedia files)... there may be others (in fact there probably are) that handle even more formats but i don't recall the last time i encountered a video i couldn't play right out of the box or even if i've encountered any such files since moving to this solution (even video downloaded from youtube, or mkv files which i'd never even heard of until i had one and found that yes vlc handles them too)... i have no idea how well vlc handles DRM contaminated video files but i don't need or want digital rights malware on my computer anyways...

so consider this a bit of safe-hex for video consumption... get a player that can play just about everything and then when a video you can't play comes along consider it suspicious by default and don't bother with it because it's probably not going to be good for your computer...

Friday, November 03, 2006

malware creation in academia

i wrote about one instance of academic malware writing not too long ago... in that case a virus was made to prove that viruses could be a threat on what was essentially a tricked out windows box (paging captain obvious)...

another pair of incidents has grabbed people's attention recently even though they aren't exactly new... one involves mobile malware created and released for download by the university of santa barbara which symantec actually linked to and then quickly removed the link (thanks guys, it's nice to see i'm not the only one trying to follow an anti-malware linking policy) and which predictably (and rightly) drew criticism...

and of course there's also our old friends from university of calgary (who gained infamy for running a course where the curriculum involved writing viruses, which many people spoke out against) deciding to branch out into spam and spyware... this too drew criticism, and rightly so... if you're anti-drugs then you don't create/use/sell drugs, if you're anti-violence then you don't create violent situations (at least not intentionally), so how can you pretend to be anti-malware if you create malware? have we forgotten what the prefix anti- means?

well, not everyone has forgotten what it means - the anti-malware industry, for example, remembers quite well and for the most part will not hire those who create malware (although not all sectors of the anti-malware industry are as principled as others)... ed moyle thinks the av industry is being unfair to punish students for taking such courses, but he misses the point - it's not a punishment, it's a consequence... there are plenty of fields where previous breaches of the field's mores disqualify you from being employed in that field... police, firefighters, even school bus drivers have to be people you can trust not to do something that is a taboo in the context of their respective jobs... any job you can think of has a similar requirement because all jobs involve trust at some level... i hardly think it's unreasonable to expect that people who create malware shouldn't be able to get jobs in the anti-malware industry...

on the other hand, when a professor or academic adviser teaches or endorses this type of pursuit knowing full well what the consequences will be for the students (and the professor in question most certainly did), certainly better than the students themselves, then shouldn't the finger of blame spend some time pointing in his general direction? and if the professor later compounds that affront by branching out into additional malware fields so as to disqualify his students from even more segments of the anti-malware industry, can there be any question about whether he's serving his students' interests or whether he's teaching them material they'll actually be able to use in the fields they would otherwise expect to be able to use it in (i know if i learned about viruses i'd expect to be able to put it to use in the anti-virus field)...

of course proponents of this kind of training will talk a good game about needing to understand how malware works, but what most fail to recognize (or perhaps they're just hoping your own thinking is sloppy enough to miss this) is that learning how a thing works and learning how to make that thing are actually quite different... learning how to make a thing is not required in order to learn how it works - i don't need to know how to make a shiv in order to know how a knife works, i don't have to learn how to build a car in order to make it go... moreover, just because you wrote malware X doesn't mean you know how it actually works, all you really know is how you intended it to work - making malware doesn't really teach what you'd expect it to... were these malware creation activities to be replaced with reverse engineering of existing malware, the students would learn not only how the malware worked but they would also learn a skill that would be directly applicable to a career in the anti-malware industry and they might even wind up being sought after by multiple competing anti-malware vendors... wouldn't that serve the students' interests better? wouldn't that better prepare them to use the knowledge they gain in the field it applies to best?