Tuesday, October 24, 2006


News Item 7471 Apple Says Some iPods Shipped With Virus.

Apple Computer this week warned customers that some Video iPods sold over the past five weeks were shipped with a computer virus capable of infecting computers running Microsoft Windows and exposing them to attacks by hackers.

Apple said the virus was embedded in less than 1 percent of the Video iPods available for purchase after September 12, 2006. Greg Joswiak, vice president of iPod product marketing at Apple, said the company traced the virus back to a Windows machine used to test iPod software in the manufacturing process.

Joswiak declined to say how many devices were affected, citing the potential impact on investors closely watching the company's earnings reports today. But he said Apple has corrected the problem and that all video iPods the company is currently shipping are virus-free.

The virus (more accurately, a computer worm), variously dubbed "RavMonE.exe" and "W32/Rjump.worm" by different anti-virus vendors, first surfaced in June and attempts to spread to all memory storage devices attached to an infected computer. It also opens a "back door" on infected PCs that criminals can use to gain access to the machines.

Joswiak said affected Windows users should be able to clean up the problem with up-to-date anti-virus software. Because the virus spreads to all removable media attached to an infected machine, any media inserted into the PC after the acquisition of the Video iPod should also be scanned for infection.

From Apple's advisory: "After installing an anti-virus application, you should attach your Video iPod to your Windows computer and run the anti-virus program. If your Windows system is infected with this virus, an alert will be triggered and inform you that the virus has been detected and either quarantined or removed. You should then use iTunes 7 to easily restore the software on your newly purchased Video iPod."

Apple said it has received fewer than 25 reports about the problem. But Ed Felten, director of the Center for Information Technology Policy at Princeton University, said many Windows users who have this virus on their machines may not have noticed, as it silently installs itself when the user merely plugs the device into their computer.

"This type of thing is a risk that follows from the fact that these are storage devices, but also that Windows is designed to accept programs from storage devices very easily," Felten said. "Twenty-five complaints translates into who knows how many people infected."

Eric Gaertner, 19, of East Brunswick, N.J., said he noticed his Video iPod was infected on Oct. 6 when his anti-virus program threw up a warning after he plugged the week-old device into his Windows XP computer.

Gaertner said he was able to delete the virus and the three infected files it installed, but that he remains bitter about the whole ordeal.

"I paid $250 for this thing, and it's pretty ridiculous that Apple's quality control is not better than that, because a lot of people who might get an iPod probably don't have up to date anti-virus [software] installed," he said.

The iPod news comes just days after McDonald's Japan recalled MP3 players it gave away as prizes to customers after learning that the devices shipped with spyware designed to steal sensitive data that users entered at financial and e-commerce Web sites. Last year, multimedia giant Creative acknowledged that roughly 4,000 of the company's Zen Neeon MP3 players shipped with a Windows computer worm embedded inside.

One final note: I took a look this morning at the Internet servers (located in China) that the virus is designed to connect back to, but at the moment they do not appear to be online or accepting any connections.

Update, 4:11 p.m. ET: The above post was edited to include comments from an individual whose PC was infected after plugging in a brand new Video iPod.

[Security Fix]
10:50:21 PM

News Item 7470 Attacks, Flaw Reports Mar IE 7 Release.

Microsoft released a major update of its Internet Explorer Web browser this week, but the red-letter occasion was stained by reports of anti-virus miscues, phishing attacks and what turned out to be untrue reports that the new product contains previously documented security flaws.

First came a run of junk e-mail claiming to be from Microsoft that tried to get recipients to click on a link and download the latest version of IE (the link, as you may have already guessed, installs a Trojan horse program that opens a back door for hackers on infected PCs).

Then came reports of a vulnerability in IE 7 that was somehow carried over from the older IE 5.5 version. Vulnerability watcher Secunia said it developed a proof-of-concept attack using the bug that could allow a maliciously crafted Web site to steal any data a user may enter at a separate Web site.

Not exactly, Microsoft responded. In a post to its Security Response Blog Thursday evening, Microsoft said the problem is related to a component of Outlook Express, the default e-mail client installed on Windows PCs.

"These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in Outlook Express. While these reports use Internet Explorer as a vector the vulnerability itself is in Outlook Express," the company said.

Microsoft urged users to temporarily disable anti-virus and anti-spyware software before installing the program, noting that IE 7 makes a large number of changes to the Windows registry, which is the table of contents on Windows that determines which programs should be loaded when Windows or certain user accounts are started up. Some security software will block those changes.

Finally, some of the top tech blogs have been less than impressed with IE 7, according to a round-up at USA Today. Computerworld also has a decent compilation of IE 7 coverage. I have traditionally been hard on Microsoft with respect to security in IE, and I don't think undeservedly so, either. I'm afraid it's going to take some time for Microsoft to win back some credibility on browser security (and plain old functionality) in the tech community.

For my part, I was asked several times in today's Security Fix Live Web chat what I thought about IE 7. In retrospect, my response the final time I answered was probably below-the-belt, but it gets to the point I was just trying to make about trust.

A reader asked: "Why should I bother upgrading to IE 7 since Firefox is a superior browser? IE6 works fine for the limited amount of usage I need."

My response: "Would you leave a loaded gun sitting on the table in a house with toddlers? Hopefully not. Okay, that's a little harsh, but think of it this way: lots of things on Windows use IE's built in rendering engine, and if you have a more secure version of the browser available, why not switch to it? This advice is especially aimed at households where more than one person uses the PC."

Final note: If you want to install IE 7, keep in mind that it requires you to validate your copy of Windows.

[Security Fix]
10:47:16 PM

News Item 7469 New Bug Installs Legit Anti-Virus Program.

Are you using a Microsoft Windows machine to cruise the Web but don't have up-to-date anti-virus software installed? No worries: A sophisticated new breed of malware identified this week will silently download and install a legitimate anti-virus program on your computer if it manages to sneak its way onto your machine.

But this isn't a good thing, as the malware is really intended to make it easier for spammers to do their business. For several years now, the top method for sending spam has been to infect Microsoft Windows machines with malware that turns the PCs into "zombies" (or "bots") that bad guys can use to anonymously relay junk e-mail. Tons of malware in circulation today will actively search for and remove other hacking programs that may have already set up shop on infected computers. The goal for the spammers is efficiency -- they want to ensure their bot networks are not cluttered with competing malware that might otherwise slow the machines to a crawl and alert the victims to a problem.

A new class of bot programs seeks to accomplish that task by downloading and installing a pirated version of Kaspersky Anti-virus, according to research published by Joe Stewart, a researcher for Atlanta-based SecureWorks.

"Although we've seen automated spam networks set up by malware before ... this is one of the more sophisticated efforts," Stewart wrote. "The complexity and scope of the project rivals some commercial software. Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income."

Stewart says the invader (which he dubbed "Spamthru" because the few anti-virus tools that did detect it as malicious assigned it a nondescriptive, generic name) also updates itself using a custom-made peer-to-peer (P2P) method similar to those employed by popular file-trading networks. Most bots are configured to connect to a central online chat or Web server that attackers can use to control the activities of infected PCs, but those control servers can be a single point of failure for the bad guys if the good guys succeed in convincing an Internet service provider to shut them down.

By having P2P as a back-up, spammers can redirect zombie machines to a new control server if the master server is shuttered. All it takes is simply sending a command out to one of the infected PCs and having it relayed to the rest of the drone army.

This is hardly the first time a bot program has tried to implement P2P. Others, such as the Phatbot family of malware, include built-in file-sharing capabilities, but the networks almost always choke after more than a few dozen infected machines try to exchange information. According to Stewart, the new bot can accommodate communications between several thousand PCs at once.

People who spend a lot of time tracking down and combating botnets have long feared that P2P would become the normal mode of communications between infected PCs, and that spammers also would encrypt the traffic to make it difficult for the good guys to gather intelligence on botnet operations. While "Spamthru" does include encryption, the data-scrambling technique is used to prevent investigators from downloading the HTML code that each infected host is directed to send out in their spam runs.

Should the spammers decide to encrypt all of the traffic traveling over a botnet's P2P channels, it could soon become a lot tougher for botnet hunters like ChangeIP.com President Sam Norris, a botnet hunter I interviewed earlier this year for a Washington Post Magazine article.

In that piece, I wrote: "Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one another, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day.

"'When P2P becomes the norm with these bots,' Norris says, 'that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands.'"

[Security Fix]
10:43:56 PM

News Item 7468 Canadian Privacy Law Blog: Ontario Commissioner unveils plan for privacy-embedded Internet identity

Additional Resources:

7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age

Kim Cameron's Identity Weblog

The LAWS OF IDENTITY The key to this site: an introduction to Digital Identity - the missing layer of the Internet.

The IDENTITY METASYSTEM A proposal for building an identity layer for the Internet


10:40:48 PM

News Item 7467 7 Laws for Privacy-Embedded Internet Identity.

Ann Cavoukian, the Information and Privacy Commissioner of Ontario, has released a whitepaper augmenting Kim Cameron's seven laws of identity with privacy protections: 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age (PDF). I'm busy travelling, so I can't print and read the entire document right now, but here are excerpts from the commission's press release:

The next generation of intelligent and interactive web services ("Web 2.0") will require more, not fewer, verifiable identity credentials, and much greater mutual trust to succeed.

Identity systems that are consistent with the Privacy-Embedded Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction.

These Privacy-Embedded Laws offer individuals:

  • easier and more direct user control over their personal information when online;
  • enhanced user ability to minimize the amount of identifying data revealed online;
  • enhanced user ability to minimize the linkage between different identities and actions;
  • enhanced user ability to detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.

Corresponding Privacy-Embedded Principles

Take, for example, Law #1, Personal Control and Consent, which emphasizes that individuals should be in full local control of their own identity information, and exercise informed consent over how their identity information is collected and used by others. One privacy benefit of applying this principle is that identity credentials could be stored locally and securely on a user's own computer rather than in a centralized online database.

Another example: Law #2, Minimal Disclosure for Limited Use: Data Minimization, speaks to building technical identity systems that minimize the amount of identity information used and disclosed in a given online transaction. In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one's age? Put another way, why isn't there a credential that allows people to prove they're over 65 without revealing all of their other identity information? If someone can prove she is a bona fide university student to gain preferential access to online resources at other educational institutions, then why is her name needed? These privacy-enhanced solutions are all possible under the Privacy-Embedded Laws of Identity.

"We call upon software developers, the privacy community and public policymakers to consider the Privacy-Embedded Laws of Identity closely, to discuss them publicly, and take them to heart," Dr. Cavoukian declared. "In joining with us to promote privacy-enhanced identity solutions at a critical time in the development of the Internet and e-commerce, both privacy and identity/security will more likely be strongly protected."

[via Canadian Privacy Law Blog]

[Posted in Privacy, michaelzimmer.org]
10:38:47 PM


News Item 7466 Microsoft Releases Guidelines for Customer Privacy.

Microsoft publicly released a 49-page internal document, called Microsoft's Privacy Guidelines for Developing Software Products and Services, outlining recommendations for both Microsoft and other software developers to help them protect customer privacy when building applications that deal with sensitive information, such as Web sites or Web-based features that send personal information over the Internet. Here is an excerpt from the introduction:

Protecting customer privacy is critically important. In many areas of the world, privacy is considered a fundamental human right. Additionally, protecting customer privacy can increase loyalty and be a market differentiator.

Customers are getting increasingly frustrated with software and Web sites that do not clearly communicate the behaviors that impact customer privacy and the controls available to them. Currently, there are no industry-wide practices to help standardize the user experience and the software development process. For some, ignoring this growing frustration has led to an erosion of trust, negative press, and even litigation.

The software industry as a whole would benefit from establishing a higher bar for respecting customer privacy. Giving customers more information about how their privacy may be impacted (i.e. transparency) coupled with improved controls can empower customers and raise their level of trust. At the same time, it is important not to annoy customers with a barrage of notices that ultimately may be ignored.

The purpose of this document is to propose a baseline for establishing this higher bar. It offers guidance for creating notice and consent experiences, providing sufficient data security, maintaining data integrity, offering customer access, and supplying controls when developing software products and Web sites. These guidelines are based on the core concepts of the Organisation for Economic Co-operation and Development (OECD) Fair Information Practices and privacy laws such as the EU Data Protection Directive, the U.S. Children's Online Privacy Protection Act of 1998 (COPPA), and the U.S. Computer Fraud and Abuse Act (as amended 1994 and 1996). In the interest of developing a common set of industry best practices for privacy, we invite the community and other interested parties to participate in an open dialogue.

This document is only a starting point; there are other important topics that are not yet addressed such as adware and location based services. With the help of industry and subject matter experts, improvements and additional topics can be incorporated over time.

We've been calling on Google to take a leadership role within the web industry on user privacy. Seems Microsoft beat them to it. I'll have time for a closer reading of this later, and will post my thoughts then.

[michaelzimmer.org]
10:35:39 PM


News Item 7465 YouTube shared user data with studio lawyers.

In what really shouldn't be that big a surprise, it has been reported that YouTube provided personal information about a user to a Hollywood film studio:

On May 24, lawyers for Viacom Inc.'s Paramount Pictures convinced a federal judge in San Francisco to issue a subpoena requiring YouTube to turn over details about a user who uploaded dialog from the movie studio's "Twin Towers," according to a copy of the document.

YouTube promptly handed over the data to Paramount, which on June 16 sued the creator of the 12-minute clip, New York City-based filmmaker Chris Moukarbel, for copyright infringement, in federal court in Washington.

... Its prompt legal capitulation suggests that YouTube users who post copyrighted material should not expect the company to protect them from media-business lawsuits, said [an IP lawyer].

Yes, YouTube has a vast amount of information about its users' identities & habits (which will soon be the property of Google). And, like most websites, their privacy policy states they will "release personally identifiable information ... if required to do so by law, or in the good-faith belief that such action is necessary to ... respond to a court order, subpoena, or search warrant."

The issue here is to what extent web site owners will fight legal requests for user information. Did YouTube consider fighting the subpoena? Will Google?

(FYI, my privacy policy states that "Any subpoena or attempts by government agencies or private sector organizations to gain access to any information that you give us will be vigorously challenged to the best of our abilities." The limiting factor being my bank account.)

[michaelzimmer.org]
10:31:11 PM

News Item 7464 # Privacy: Search Engine Privacy Standard Proposed.

Virante, a SEO & Internet marketing company, has proposed a new privacy standard to prevent search engines from tracking certain search queries. The standard is called #Privacy, and is pretty simple:

"Pound Privacy" is a campaign to create the first standard for search engine query privacy. The implementation is fairly straightforward: If you append the phrase "#privacy" at the end of a query on any search engine or site search, your query should not be tracked by IP or cookie, and should not be made public in keyword tools. It is that simple.

This is an interesting proposal, and a way to give search engine users much more control over the information search providers can collect.

But it isn't a complete solution to the problem of search engine privacy. In the #Privacy paradigm, the collection of user information is still the default - users must take action to prevent certain searches from being collected. Further, there are no real ways to ensure that search engines actually abide by the addition of the #Privacy instruction. In fact, Virante's proposal allows search engines to ignore the flag "when the query indicates that a crime is being committed." Not sure what that is supposed to mean, or who gets to decide what searches fit that category.

#Privacy is an interesting idea - a good first step. But I think a better solution would be one where search engines are prevented from collecting information on their users altogether. Short of that, there should be limits on the kind of information collection, how long it can be kept, etc. Users should have the ability to see the information on file, correct errors, and delete information as they see fit.

Forcing users to append their searches with a tag in order to protect their privacy accepts the premise that search engines should be allowed to collect personal information by default. And that is what must change.

[found via Canadian Privacy Law Blog]

UPDATE: More light criticism of the # Privacy endeavor:

Seth Finkelstein notes an obvious flaw in the comments: appending such a tag to your searches merely notifies anyone watching that "This is a really interesting search! Hot stuff here!"

And Michael at Better Software... reminds us that any search engine results clicked would still, by default, send the search query to the host's site through the HTTP "referer" header. (He also sees this entire proposal as perhaps just a means to get "a bit of nice publicity" for Virante, which is probably why I (subconsciously?) didn't provide a link to the SEO firm in the first place).

UPDATE 2: And Emergent Chaos rightfully calls it a "silly idea."

[michaelzimmer.org]
10:28:25 PM

News Item 7463 Researchers See Privacy Pitfalls in No-Swipe Credit Cards - New York Times

AMHERST, Mass. -- They call it the "Johnny Carson attack," for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards -- cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald's restaurants and many movie theaters.
10:25:48 PM

News Item 7462 Privacy Pitfalls in No-Swipe Credit Cards.

A NYTimes article notes the various privacy concerns with contactless credit cards whose data is relayed by RFID without need of a signature or physical swiping through a machine. Incredibly, cards are being deployed without any encryption (contrary to what the banks are saying):

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate "128-bit encryption," and J. P. Morgan Chase has said that its cards, which it calls Blink, use "the highest level of encryption allowed by the U.S. government."

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text. They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. "Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?" Mr. Heydt-Benjamin, a graduate student, asked.

Unbelievable.

[michaelzimmer.org]
10:22:07 PM