Monthly Archives: May, 2012

In Ad Network Nightmare, Microsoft Making ‘Do Not Track’ Default for IE 10

Microsoft announced Thursday that the next version of its browser, IE 10, will ship with the controversial “Do Not Track” feature turned on by default, a first among major browsers, creating a potential threat to online advertising giants.

That includes one of Microsoft’s chief rivals — Google.

The change could also threaten the still-nascent privacy standard, and prompt an ad industry revolt against it.

Do Not Track doesn’t attempt to block cookies — instead it sends a message to every website you visit saying you prefer not to be tracked. That flag is currently optional for sites and web advertising firms to obey, but it’s gaining momentum with Twitter embracing it last week.
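The header the article describes is a single request header, `DNT: 1`, that a site may or may not honour. The following WSGI middleware is an added example (not code from the article or from any browser vendor) showing how a site can read it and apply either of the two readings the W3C debate raises: "do not target" (serve only contextual ads) or "do not collect" (also withhold the profiling cookie). The cookie name `adprofile` and the inner `ad_app` are assumptions made for the example.

```python
"""WSGI middleware that honours the Do Not Track request header."""

PROFILE_COOKIE = "adprofile"   # assumed name of the site's behavioural-profiling cookie


def dnt_preference(environ):
    """DNT: 1 -> 'opt-out', DNT: 0 -> 'consent', absent or malformed -> 'unset'."""
    value = environ.get("HTTP_DNT", "").strip()
    return {"1": "opt-out", "0": "consent"}.get(value, "unset")


class HonourDNT:
    """Wrap a WSGI app. policy='no-target' only tells the app to serve contextual
    ads; policy='no-collect' additionally strips the profiling Set-Cookie."""

    def __init__(self, app, policy="no-target"):
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        pref = dnt_preference(environ)
        environ["dnt.preference"] = pref
        environ["dnt.behavioural_ads"] = pref != "opt-out"
        drop_cookie = pref == "opt-out" and self.policy == "no-collect"

        def filtered_start(status, headers, exc_info=None):
            if drop_cookie:  # remove only the profiling cookie, keep session cookies etc.
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "set-cookie" and v.startswith(PROFILE_COOKIE + "="))]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start)


def ad_app(environ, start_response):
    """Constructed inner app: picks the ad kind and always tries to set the profile cookie."""
    kind = "behavioural" if environ.get("dnt.behavioural_ads", True) else "contextual"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", PROFILE_COOKIE + "=abc123; Path=/")])
    return [("ad: " + kind).encode()]


def run(app, environ):
    """Drive a WSGI app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run(HonourDNT(ad_app, "no-collect"), {"HTTP_DNT": "1"}))
```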

The proposal also has the backing of the FTC, which has grown deeply skeptical of the online ad industry’s willingness to play fairly with users and has threatened to call for online privacy legislation. After initially opposing the idea, the online ad industry is now seeking to soothe the feds by hammering out rules that aren’t too tough on data collection. The hope then is that not many users avail themselves of the tool, and then not much has to change in how ad companies build profiles of users in order to sell premium-priced targeted ads.

But Microsoft’s announcement throws a wrench in those plans, since it’s likely that eventually something like 25 percent or more of the net’s users will upgrade to IE 10 over time and have DNT on by default. Microsoft said it’s making the change to better protect user privacy, and given the IE team’s recent history of including privacy technologies in the browser, that’s easy to believe.

We believe that consumers should have more control over how information about their online behavior is tracked, shared and used. Online advertising is an important part of the economy supporting publishers and content owners and helping businesses of all shapes and sizes to go to market. There is also value for consumers in personalized experiences and receiving advertising that is relevant to them.

Of course, we hope that many consumers will see this value and make a conscious choice to share information in order to receive more personalized ad content. For us, that is the key distinction.

But its chief online rival, Google has a thriving ad display business that uses the kind of tracking cookies that Do Not Track would block, though Google denies that’s why it opposed DNT early on. Microsoft’s third-party ad network is tiny in comparison — making the choice not too hard for the company to make.

But the change could backfire by undermining the loose coalition working to create a standard, in the web’s usual, messy, multi-stakeholder way.

Consider this scenario: If indeed the net’s major advertisers obeyed Do Not Track and IE 10 keeps the default, more than a quarter of the net’s users would be opted out of behavioral ad tracking by default.

That’d be a far cry from a purely opt-in system that might be used by a single-digit percentage of opt-in users — those who likely don’t click on ads in the first place. So that could make the online advertising industry back out of the process and decide not to implement DNT — or to write its own rules for how it interprets DNT.

The move comes in the midst of a large and messy standards-setting wrangle at the W3C over what “tracking” and “Do Not Track” actually mean. So for instance, how does it affect popular analytics programs and third-party plug-ins? Would a news site be able to track what users do on its own site? Does the flag mean “don’t collect information” or “don’t use the information to show targeted ads”? What happens if I’m logged into a site and have DNT turned on? And when users choose to turn it on or off in their browsers, what guidance, if any, should be given by the browser?

Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology, applauded the move as pro-privacy, though he’s concerned about the timing.

“I hope this doesn’t throw a wrench into works on getting agreement on Do Not Track,” Brookman said. “But I like it when browsers compete on privacy.”

Brookman points out that years ago Apple set the default on the Safari browser to block third-party cookies, a far stronger protection against behavioral ad tracking cookies than Do Not Track, and that there’s a huge number of advertisements that aren’t based on tracking — they instead are based off the content of the page or the site the ads are displayed on.

But that’s not going to be an argument welcomed by the online advertising business.

Wired contacted the Interactive Advertising Bureau, which is on the W3C working group for comment, but the group did not send out its official response by press time.

Given federal and European regulators’ stance on online tracking and the online ad industry’s lackluster job of policing itself, something is going to change online. Even a widely used Do Not Track might still be a less burdensome change for online advertisers than an edict or badly-thought-out cookie mandate from governments.

“This is going to be painful either way,” Brookman said.

Photo: Jonney/Flickr


Flamer: A Recipe for Bluetoothache

W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth. It is yet another indicator that W32.Flamer is not only exceptional, but that it is a comprehensive information gathering and espionage tool. The CrySyS laboratory has previously documented the technical details of Bluetooth in W32.Flamer. But, what does this actually mean for potential victims targeted by Flamer? What can an attacker accomplish using Bluetooth?

The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice". This module is triggered according to configuration values set by the attacker. When triggered it performs two primary actions:

  1. The first is to scan for all Bluetooth devices in range. When a device is found, its status is queried and the details of the device recorded—including its ID—presumably to be uploaded to the attacker at some point.
  2. The second action is to configure itself as a Bluetooth beacon. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. And there is more. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed:

These are the facts of how Flamer uses Bluetooth. And what can the attacker do with this functionality? There are several potential avenues available:

Scenario #1 – Identification of victim social networks

By continuously monitoring the Bluetooth devices within range of a W32.Flamer compromised computer, the attacker can build a profile of various devices encountered throughout the day. This will be particularly effective if the compromised computer is a laptop because the victim is more likely to carry it around. Over time, as the victim meets associates and friends, the attackers will catalog the various devices encountered, most likely mobile phones. This way the attackers can build a map of interactions with various people—and identify the victim's social and professional circles.

Scenario #2 – Identification of victim physical locations

When compromising a victim's computer, the attacker has determined that this particular victim and their location is a high-priority target. While the building that the victim resides in can be known, the actual office is not identified. The attacker, however, could identify the location of compromised devices using Bluetooth.

Bluetooth operates over radio waves. By measuring the strength of a radio signal, an attacker can tell whether they are getting closer to or further from a particular device. With the Bluetooth beacon turned on, and with the details of a particular compromised device available in the description field, it is straightforward for the attacker to identify the physical location of a W32.Flamer compromised computer or device.

An alternative to this is that rather than identifying the actual compromised computer, the attacker identifies a mobile phone which belongs to the victim. The Beetlejuice module has already retrieved a list of all the device IDs which are near the infected computer, and so the attacker knows which devices belong to the victim. It is likely that one of the devices is a mobile phone which the victim carries most of the time. Now the attacker has the ability to passively monitor for the victim, without installing or modifying anything on the victim's devices. Bluetooth monitoring devices could be placed in airports, train stations, or any transport hub, and listen for the ID values of any known victim device. Some attacks have even identified Bluetooth devices more than one mile away. The more sinister aspect of this passive sniffing is that it allows the attacker to pinpoint a victim and, therefore, more easily track them in the future.

Scenario #3 – Enhanced information gathering

As described in our previous blog, a substantial part of Flamer’s functionality is implemented in Lua scripts, or 'apps', which are downloaded from the FLAME 'app repository'. It would be trivial for an attacker to upload a new malicious Bluetooth Lua app into the FLAME store for download onto a compromised device. With increased functionality, an attacker, having identified various Bluetooth devices in range, could perform numerous attacks:

  • Steal contacts from an address book, steal SMS messages, steal images, and more.
  • Use a device to eavesdrop. Connect a compromised computer to a nearby device and enable handsfree communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in.
  • Exfiltrate already-stolen data through any nearby device's data connection. This would bypass any firewalls or network controls. An attacker within one mile of the target could use their own Bluetooth-enabled device for this.

It is possible that there is undiscovered code within W32.Flamer which already achieves some of these goals. For example, although we have not found network code near the 'beacon' code, one compromised computer may connect to another computer using Bluetooth. If the second computer is using a secured network and was infected through a USB connection, potentially the only network available would be a Bluetooth connection back to the first compromised computer. The code to achieve this may already exist in Flame.

The various theories described here are all practical attacks, easy to implement by a skilled attacker. The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled and such attacks are well within their capabilities.

Deceitful Charity Lottery

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to log in was provided on the phishing site, urging customers to enter their credentials. The link led the customers to a phishing page that prompted the customer for their name, ticket number, and email address:

Figure 1. Phishing site asking for full name, ticket number and email address

After the required information was entered, the phishing site displayed the customer’s lottery ticket details, namely, the ticket number and the winning reference number. The lottery account balance was highlighted as EIGHT HUNDRED THOUSAND POUNDS. A button, labeled transfer, was provided at the bottom of the page to transfer the lottery prize to the customer’s bank account:

Figure 2. Phishing site prompting for lottery ticket details

After the transfer button was clicked, the phishing site asked for details of the customer’s bank account to which the prize money was to be transferred. The details included the customer’s account name, account number, bank name, and country. Finally, customers were asked to choose the charity organization they wished to donate to. If customers fell victim to the phishing site, phishers would have successfully stolen their confidential information for financial gain.

Figure 3. Phishing site asking for bank account details

Figure 4. Phishing site asking the customer to choose a charity organization

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Bitdefender Internet Security 2012 Review

Introduction I do examine Security Software now and then to see what’s going on, if there are any new developments and what the state of affairs is when it comes to consumer grade Antivirus and Firewall software. Countermeasures are useful, especially when it comes to less tech savvy users (which we may happen to live [...]

Read the full post at

Congress Looking Happy to Reauthorize Broad, Secret Spying Powers

Rep. Jim Sensenbrenner (R-Wisconsin) said the spy package was necessary. "Foreign terrorists remain committed to the destruction of our country." Photo: Wikimedia Commons

House lawmakers of both stripes in a Thursday hearing seemed amenable to the Obama administration’s request to continue giving the government broad, warrantless electronic surveillance powers over American citizens — though some suggested Americans or at least members of Congress deserved to know how many people have been caught up in the dragnet.

At issue is the FISA Amendments Act, expiring legislation authorizing the government to electronically eavesdrop on Americans’ phone calls and e-mails without a probable-cause warrant so long as one of the parties to the communication is outside the United States. The communications may be intercepted “to acquire foreign intelligence information.”

That bill was signed into law in July 2008 as a way to legalize the Bush administration’s warrantless wiretapping program, and it expires at year’s end. Then-senator and presidential candidate Barack Obama voted for the measure, though he said the bill was flawed and that he would push to amend it if elected. Instead, Obama, as president, simply continued the Bush administration’s legal tactics aimed at crushing any judicial scrutiny of the wiretapping program, and his administration is now demanding that federal lawmakers extend the legislation for at least another four years.

“Reauthorizing this authority is the top legislative priority of the intelligence community,” James Clapper, the director of national intelligence, and Eric Holder, the attorney general, wrote (.pdf) to the top leaders in both the House and Senate.

During an 80-minute hearing before the House Subcommittee on Crime, Terrorism, and Homeland Security, lawmakers seemed willing to go along.

“Foreign terrorists remain committed to the destruction of our country,” said Rep. Jim Sensenbrenner (R-Wisconsin), the committee’s chairman. “We have a duty to ensure the intelligence community can gather the intelligence it needs to protect our country and our citizens.”

The FISA Amendments Act generally requires the Foreign Intelligence Surveillance Act Court to rubber-stamp terror-related electronic surveillance requests that target Americans’ communications. The government does not have to identify the target or facility to be monitored. It can begin surveillance a week before making the request, and the surveillance can continue during the appeals process if, in a rare case, the secret FISA court rejects the surveillance application. The court’s rulings are not public. The bill also gives the government broad powers to force companies like Google and Facebook to help the NSA keep tabs on foreigners.

While no lawmakers outright objected to reauthorizing the measure, some suggested there needed to be more accountability from intelligence agencies on how the legislation is being used in practice.

Not much is publicly known of the program. Citing anonymous sources, The New York Times wrote in 2009 that the interception of communications “went beyond the broad limits established by Congress.”

The Electronic Privacy Information Center and the American Civil Liberties Union urged lawmakers Thursday that, if they were to re-adopt the legislation, the government should be more transparent and perhaps report the number of Americans and foreigners whose communications were captured. It’s a position opposed by the Obama administration but one seemingly supported to some extent by Rep. Bobby Scott (D-Virginia).

“We should not be surveilling Americans with this low standard without significant oversight,” Scott said during the 80-minute hearing.

Jameel Jaffer, director of the ACLU’s Center for Democracy, said the measure was unconstitutional. But oversight was nevertheless needed if lawmakers reauthorize the package.

“The act’s effect is to give the government nearly unfettered access to Americans’ international communications,” he testified.

The committee took no action. Sensenbrenner announced at the hearing’s conclusion that the committee would have an opportunity to meet privately for a classified briefing with Clapper and others next week to discuss the legislation.

Sensenbrenner suggested that providing the data about the secret spy program might “give the other side an indication of the extent of the operational strength of our national security agencies.”

Marc Rotenberg, the executive director of the Electronic Privacy Information Center, who had testified moments earlier, replied: “I don’t see how it would.”

The government has long provided statistics on the number of traditional FISA warrants it applies for and receives each year, including the number of U.S. persons targeted. Similar statistics are required of National Security Letters.

“There should be greater public accountability,” Rotenberg said during his testimony.

Rep. John Conyers (D-Michigan) suggested at least Congress should not be kept in the dark about how the law is being used. “I come to this hearing disturbed by how little we know and how much more we need to know,” he said. Intelligence officials refuse to even tell lawmakers (.pdf) how many people are being subjected to surveillance under the FISA law.

Meanwhile, the Supreme Court two weeks ago agreed to decide whether to halt a legal challenge to the act.

After a surprise appellate court decision last year that reinstated the ACLU’s challenge, the Obama administration asked the Supreme Court to overturn the decision. The government said the ACLU and a host of other groups don’t have the legal standing to bring the case because they have no evidence they or their overseas clients are being targeted.

Without comment, the justices agreed to review the lower court’s decision at a yet-to-be-determined date. It marks the first time the Supreme Court has agreed to review any case touching on the eavesdropping program that was secretly employed in the wake of 9/11 by the Bush administration, and eventually largely codified into law four years ago under the FISA Amendments Act.

A lower court ruled the ACLU, Amnesty International, Global Fund for Women, Global Rights, Human Rights Watch, International Criminal Defence Attorneys Association, The Nation magazine, PEN American Center, Service Employees International Union and other plaintiffs did not have standing to bring the case, because they could not demonstrate that they were subject to the eavesdropping.

The groups appealed to the 2nd U.S. Circuit Court of Appeals, arguing that they often work with overseas dissidents who might be targets of the National Security Agency program. Instead of speaking with those people on the phone or through e-mails, the groups asserted that they have had to make expensive overseas trips in a bid to maintain attorney-client confidentiality.

The plaintiffs, some of them journalists, also claim the 2008 legislation chills their speech, and violates their Fourth Amendment privacy rights.

Without ruling on the merits of the case, the appeals court agreed with the plaintiffs last year that they have ample reason to fear the surveillance program, and thus have legal standing to pursue their claim.

What the Skywiper Files Tell Us

On May 28, my colleagues Peter Szor and Guilherme Venere posted a blog on Skywiper and listed various key filenames. Since then, I have searched these files, as well as some others that appear to be linked to this threat, in our collections. The following table summarizes these investigations.

After I finished creating this table, I noted that:

  • The PE header timestamps are not correct. They fall between January 1992 and October 1994. They were changed before the files were spread.
  • When available, the Time Date Stamps for the debug info entries seem valid: from January 2011 to October 2011. They are coherent with those visible in the export sections. This information suggests when these files were developed. Among these, one file (advnetcfg.ocx) was sent to VirusTotal in May 2011. The others were sent this year, between May 28 and May 30.
  • Older files were probably created between June 2008 and September 2010. They appeared at VirusTotal between May 2009 and October 2010. Perhaps some are old versions of this threat.
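The comparison behind these observations, back-dated COFF header timestamps against apparently genuine debug-directory timestamps, can be reproduced on any PE file. The following is an added example, not the author's tooling: it parses both stamps with the standard library only, classifies the result, and builds a constructed minimal PE32 (not a Skywiper sample) whose stamps mirror the 1993-versus-2011 pattern in the table. The plausibility window (2000 to 2012) and the one-year slack are assumptions chosen for the example.

```python
"""Extract the COFF header TimeDateStamp and IMAGE_DEBUG_DIRECTORY TimeDateStamps
from a PE file and flag the kind of inconsistency seen in the Skywiper files."""
import struct
from datetime import datetime, timezone

DEBUG_DIR_INDEX = 6  # IMAGE_DIRECTORY_ENTRY_DEBUG


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def pe_timestamps(data):
    """Return (coff_timestamp, [debug_entry_timestamps]) for PE file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = _u32(data, 0x3C)                                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsect, coff_ts, opt_size = _u16(data, coff + 2), _u32(data, coff + 4), _u16(data, coff + 16)
    opt = coff + 20
    # data directories start at +96 for PE32 (magic 0x10B), +112 for PE32+ (0x20B)
    dd = opt + (96 if _u16(data, opt) == 0x10B else 112)
    ndirs = _u32(data, dd - 4)                               # NumberOfRvaAndSizes
    sect_tab = opt + opt_size
    sections = [(_u32(data, s + 12), _u32(data, s + 16), _u32(data, s + 20))  # VA, raw size, raw ptr
                for s in range(sect_tab, sect_tab + 40 * nsect, 40)]

    def rva_to_offset(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA %#x maps to no section" % rva)

    debug_ts = []
    if ndirs > DEBUG_DIR_INDEX:
        rva, size = _u32(data, dd + 8 * DEBUG_DIR_INDEX), _u32(data, dd + 8 * DEBUG_DIR_INDEX + 4)
        if rva and size:
            off = rva_to_offset(rva)
            for entry in range(off, off + size, 28):         # IMAGE_DEBUG_DIRECTORY is 28 bytes
                debug_ts.append(_u32(data, entry + 4))       # its TimeDateStamp field
    return coff_ts, debug_ts


def timestamp_finding(coff_ts, debug_ts, window=(2000, 2012), slack=365 * 86400):
    """Classify the COFF stamp: outside the plausible year window, disagreeing with
    the debug-directory stamps by more than `slack` seconds, or consistent."""
    year = datetime.fromtimestamp(coff_ts, timezone.utc).year
    if not window[0] <= year <= window[1]:
        return "coff-timestamp-outside-window"
    if any(abs(d - coff_ts) > slack for d in debug_ts):
        return "coff-and-debug-timestamps-disagree"
    return "consistent"


def build_sample_pe(coff_ts, debug_ts):
    """Constructed minimal PE32 with one .rdata section holding one debug entry (test input only)."""
    entry = struct.pack("<IIHHIIII", 0, debug_ts, 0, 0, 2, 0, 0, 0)     # Type 2 = CODEVIEW
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, coff_ts, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)  # 16 data directories
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * DEBUG_DIR_INDEX, 0x1000, len(entry))
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(entry), 0x1000, 0x200, 0x200) + bytes(16)
    header = dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect
    return header.ljust(0x200, b"\0") + entry.ljust(0x200, b"\0")


# Constructed stamps mirroring the table's pattern: 1993 in the header, 2011 in the debug info.
SAMPLE_COFF_TS = int(datetime(1993, 5, 1, tzinfo=timezone.utc).timestamp())
SAMPLE_DEBUG_TS = int(datetime(2011, 6, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    c, d = pe_timestamps(build_sample_pe(SAMPLE_COFF_TS, SAMPLE_DEBUG_TS))
    print(datetime.fromtimestamp(c, timezone.utc), [datetime.fromtimestamp(x, timezone.utc) for x in d],
          timestamp_finding(c, d))
```

To run it on real files, replace `build_sample_pe(...)` with the bytes of the file under analysis; the export-directory stamp the table also mentions lives behind data directory index 0 and can be read the same way.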

Stay tuned, we shall continue our investigations.
