Posts Tagged ‘malware’

Warner and the RIAA – we’ll all pay!

December 22, 2008

This weekend the recording industry appears to have thrown its toys out of the cot, and I predict it could have negative consequences for computer security. I have absolutely no evidence to back this theory up, but after you read this post you can decide if I have a point or if I’m talking through the proverbial.

What makes me think this is two unrelated news reports which, while dealing with separate subjects, both relate to the dilemma the music industry has faced for the last few years.

Firstly, news that Warner Music is pulling videos from YouTube sounds very much like a tantrum of primadonna proportions. Warner and YouTube had an agreement which saw Warner paid for each of its music videos watched plus a small contribution for advertising alongside the video.  Something has gone wrong with this agreement which will no doubt become known over the coming days. So Warner appears to have walked away taking its videos with it.

Then in this other story, the RIAA has said it will stop suing individuals caught filesharing music and will instead work with ISPs to have repeat offenders’ internet service cut off. Apparently in the last five years 35,000 people have been sued for an average of around US$3,500, which has actually left the RIAA out of pocket. RIAA Chairman and Chief Executive Mitch Bainwol is quoted in the article as saying “We’re at a point where there’s a sense of comfort that we can replace one form of deterrent with another form of deterrent.” Nothing about the fact that they were fighting a losing battle and haemorrhaging money there. Mitch Bainwol should be in politics, but of course then he wouldn’t be paid as much as he does now protecting rightsholders’ interests – or not.

How does all this relate to security?  If I can’t watch my vids on YouTube I’m going to go elsewhere.  There are other legitimate video sites out there but Warners will have to have an agreement with them for me to legally watch the content.  Otherwise I could go underground, where the bad guys are who might be trying to infect my computer and incorporate me into their botnet to use me for all kinds of nasty crimes much more serious than watching a couple of music videos without paying.

Likewise with the filesharing issue. OK, so I won’t get sued but I might lose my internet connection. But maybe there is a way to secretly download content in an anonymous fashion that even the ISPs can’t monitor because it’s encrypted. If there isn’t (and there is) then there soon will be. It will of course be created and promoted by human rights activists, and good on them. But where technology goes so do the bad guys, and it won’t be long before the system intended for swapping stirring anthems about freedom of speech becomes used for spreading malware, spam, scams and other nasties.

The truth is, there are just too many people posting too many files on to too many websites.  I don’t intend this to be a place to argue the copyright issue.  I think we are still a long way off from resolving that one. But keep an eye on what new modes of distribution emerge and what new threats come with them.

How to be worth more than 89p on Facebook

December 18, 2008

According to Trend Micro, an email address along with a date of birth and full name from a Facebook account is worth 89p (NZ$2.33) to a cybercrook.

To avoid having your identity stolen, Trend say you should look for the padlock, use social networking privacy settings, protection software and vary your passwords.  The advice is good and just what you would expect from a commercial operation that makes its money by convincing people that they will be secure if they just rely on the right technology (theirs of course) and set it up properly. Even the password comment suggests the technology will save you here.  There’s no suggestion that your new password need be a good one and hard to guess, just different from last week, month, year or other website.

Perhaps what they’re suggesting is that if it’s going to cost more than $2.33 worth of time and effort for a cybercriminal to get your details, then maybe they will move on. This tactic resembles one I used when, as a student, I used to go door to door selling invisible markers that came with bright stickers. The line went something like this: “If you’ve got a sticker and the neighbour hasn’t, guess where the burglar is going to go?”

Of course there were multiple reasons why this might not be the case, but it made me a lot of commission. For example, if you have a sticker but leave your front door open and your stickerless neighbour keeps theirs closed, who’s going to get home and find their brand new double cassette ghetto blaster missing (yes, it’s a while since I was a student)? Likewise, even if you both lock your doors and windows, but your ghetto blaster is proudly displayed in the front window, you’ll probably have to go next door to listen to your Def Leppard tracks for a while.

So where does the analogy fit in, or is this just pointless reminiscing about the 80s?

Well, think of the open window. Even with a password, good privacy settings and anti-malware on your machine, if you join networks or groups on social sites anyone else in those groups can usually see your pages. And usually anyone can join those groups. For example, if you join the New Zealand network on Facebook, then potentially anyone in the New Zealand network can see everything you post. This includes your date of birth, full name and email address if you were foolish enough to post these.

So Trend should also say ‘Don’t join any networks’ (which kind of makes social networking a whole lot less fun).

They should also warn you to restrict the amount of personal identification you post (don’t display your wares in the front window) and to think very carefully before responding to messages or opening unexpected attachments, lest you fall victim to social engineering or malware such as Koobface.

Just because you have a sticker on your letter box doesn’t mean you shouldn’t lock your door.

Contextual Malware in Context

December 8, 2008

A recent report from MessageLabs (‘Now part of Symantec’ – in case you missed it) outlines that organisation’s predictions for the threat landscape in 2009.

Once you stumble through the Malware Makes It’s “Mash-up” paragraph (which I had to read three times before it made sense) it makes for thought-provoking reading. MessageLabs predicts that next year the bad guys are going to use personalised web-based accounts such as webmail or social networking profiles to send concise and more believable messages to targeted users. The messages will draw users into the scams slowly over a number of contacts rather than reveal themselves at the outset.

Users will also be targeted via their mobile phones, weaving an ever more elaborate and believable trap encompassing the victim’s online accounts, friends and mobile services. And the initial attack vector could be a sophisticated and almost undetectable piece of malware hidden within a virtual machine running on their own computer, or for that matter any other machine into which they enter any personally identifiable information.

The guts of the article is that the criminals are getting cleverer, perhaps realising that the general public is also becoming wiser to the old scamming techniques. After all, who really ever falls for the old Nigerian scam? One answer to that question is here, but increasingly the crims are going to rely on the trust we have within our existing online networks. Users of the big three, Facebook, MySpace and Bebo, are learning this the hard way. Take a look at the comments on just about any Bebo account and you’ll see posts from users of the Bebo mobile service (identified by the logo next to the comment). Some are obviously phishing attempts but others are not so obvious.

What red-blooded teen user of Bebo wouldn't respond to this?

These messages are targeting the ‘MyFaceBo’ demographic. The language is there, lack of correct grammar and all, the content is about right, and the message is coming in via a mobile, which surely a scammer wouldn’t bother with, would they?

As we operate more and more in interconnected spaces we are all going to have to be more careful about who and what we trust, and as usual the youth market is experiencing the cutting edge of technological change.

2009 is looking like it is going to be an interesting year. Perhaps it will be the year security awareness training comes of age?

Mac Attack

November 26, 2008

Antivirus vendor Intego is reporting on its website a new variant of the old Trojan Horse exploit, this time named OSX.RSPlug.D.

What is significant here? The first three letters of the name. OSX of course is the Macintosh operating system from Apple. The same system which many Mac aficionados purport to be superior to other operating systems because of its inherent ‘invulnerability’ to exploits, despite there being evidence to the contrary (Month of Apple Bugs). Mac users still brazenly operate online without the most basic of anti-malware systems in place, by choice. Misleading advertising by Apple doesn’t help, of course.

This latest threat does however seem to rely on the user visiting dodgy pornography sites (although it could work on any video site) and being tricked into downloading and installing a ‘codec’ to watch their chosen distraction.

As is their right, Intego claim that ‘The best way to protect against this exploit is to run Intego VirusBarrier X5’. Unfortunately they are probably right. Mac users have been trained to believe their systems are invulnerable, and of course it was only a matter of time before the bad guys cottoned on to this. Even though this is not the first trojan for Macs, we are now surely at a point where there needs to be some serious back-pedalling on the part of Apple and all the Mac evangelists out there.

Let’s not forget too that fame is not the motivator for the crims that are writing this stuff. You get more money for exploits which work because they are not yet patched. So just because there isn’t a huge list of Mac viruses out there, that doesn’t mean Macs are immune.

The Mac community needs to learn, as the Windows community is learning, that we are all responsible for the security of our own devices. To be secure we need to learn to smell a rat, and when a clever trickster does get the better of us a bit of anti-malware running in the background might just save our skins.

Your Computer Might Be At Risk!

November 19, 2008

A couple of weeks ago the geeky part of the mainstream media was reporting on a malware scam involving pop-up windows, botnets and rather dubious anti-virus software called Antivirus2009. The scam is not new, and in the instance I came across, the attack vector was a piece of paid advertising on a very reputable and well-frequented news website. As is the Redmond way, Microsoft carefully analysed the trend and released their own response two weeks later, after all the fuss had died down – an entry in their security blog yesterday. The piece referred to a study released on September 22nd (which of course pre-dates all the fuss) from North Carolina State University titled “New Study Highlights Risk of Fake Popup Warnings for Internet Users”.

The researchers found that most people are unable to distinguish fake warnings from real ones, but sshhh, don’t tell the criminals that. The professor of psychology and co-author of the study notes that:

companies and other credible entities may want to incorporate additional unique features into the real messages to allow people to differentiate between genuine warning messages and fake popups. However, he says, “I don’t know if you could develop a legitimate message that could not be duplicated and used illegitimately.”

This thinking is partly right but takes the wrong approach. A warning system that cannot be ‘faked’ does need to be developed. But rather than using ‘additional unique features’ the system should be simple, consistent, and probably open source.

Consider for a moment the warning systems in your car. Self contained, consistent (the low fuel light is always going to look the same) and reliable. It’s only when cars started getting complicated computer management systems that these warnings became oddly suspicious at times.

Computer alerts need to be extremely simple, reliable and trustworthy. Complexity is the enemy of security so additional features won’t work, not for long anyway before they are faked. As computer users we are trained to click OK or Close and the crims play on this.

So perhaps real warnings just need to say something like ‘I’ve detected a virus’. And that’s it. No options, no further warnings and no way to get rid of the message until the user takes some other action which is consistent and secure. Like perhaps a BIOS-linked keystroke built into the secure kernel which fires up a trusted anti-malware product. Then even if the warning is faked, only the trusted product is run.

I’m no programmer, so for all I know this may be impossible. But a system like this, which worked the same way on all platforms, would be easy enough to train users on.

Oh and by the way, I was a bit hard on the MSDN blog team earlier. There is actually some very good info on their Security at Home site.