Archive for May, 2007

“The King” Goes to Jail

Thursday, May 31st, 2007

Today news reports noted that a major player in the world of spam has been indicted in Seattle for his activities, which included “mail fraud, identity theft, fraud, and money laundering.” Robert Alan Soloway’s Newport Internet Marketing Corporation “advertised a mass e-mail service that sent messages to an opt-in list of addresses, but didn’t actually use such a permission-based list” according to an article on Yahoo’s tech site.

One down, thousands to go.

One of the worst aspects of Soloway’s activities is that they often involved the use of legitimate, but hijacked, e-mail addresses. To get past spam filters smart enough to reject mail from invalid domains, or from domains already known for spam, Newport Internet Marketing harvested in-use addresses from the Web and put them in the “From” field of its messages. As a result, many innocent users were accused of sending spam and were often blacklisted by ISPs that rely on automatic detection rules when deciding whether to reject a message. This is tantamount to putting someone else’s return address on envelopes when sending death threats or extortion letters via the USPS. In the paper world that is a serious crime; the e-mail equivalent has been a federal offense only since the CAN-SPAM Act of 2003 (18 U.S.C. § 1037), which outlaws materially falsified header information in bulk commercial e-mail, and cases brought under it have so far been few.

I also suspect the current rarity of prosecutions for address forgery will not last, as more spam operations are tracked down and their owners indicted. Cyber law is becoming a major issue as Web use becomes ubiquitous, especially as government officials in the US and elsewhere become conversant with problems the online community has been aware of for years.

In this case, Soloway is also alleged to have violated laws that are already on the books, which is probably one of the reasons he was chosen for prosecution. The Yahoo article notes that “[Soloway's company] also sold software products that customers could use themselves to send out mass e-mails. However, the product often didn’t work and if it did, it sent e-mails using forged headers. He also failed to offer promised support services, according to the court documents.” Here we have fraud, breach of contract, and other common white-collar offenses that should be relatively easy to prove, regardless of the fact that the software itself was sold to provide an illegal service (the creation and sending of spam).

Interestingly, the accused also stands to lose more than $750,000, apparently the amount he made through his illegal activities. Not only could he forfeit everything he’s made since 2003, but he’ll probably also rack up a hefty legal bill while defending himself.

My advice to the man: plead guilty, pay back the money, and do the time. Maybe he can teach PC skills to his fellow inmates while incarcerated.

Hidden Storage

Wednesday, May 30th, 2007

Sometimes the newest trends aren’t all that new, but involve a new twist on an old game. Such is the case with a recent “innovation” in hacker activity, which has come to be known as “parasitic storage.”

In the 1990s, it was common for open FTP sites, user accounts, and other networked storage areas to be hijacked as “warez” (hacker-speak for pirated software) sites. Hackers would steal software and hide it in subtle ways: directories named with a leading dot, trailing spaces, or unprintable characters, buried several levels deep, so that a casual directory listing on a UNIX box would never show them. Now, according to a study by Symantec, this idea has been expanded and refined to include stolen, often sensitive data such as credit card and personal information, hidden on compromised machines within botnets. Rather than using such “zombie” PCs only for sending spam and phishing messages, the botnet owners transfer files to them, hide the files using a number of methods, and so turn their botnet empires into a massive, distributed storage network for stolen data.

Additionally, new ways of stashing data on remote sites are in use. Steganography, hiding data inside an innocuous carrier such as an image file, has apparently become popular among identity thieves and others. The usual method overwrites the least significant bit of each colour value in the image, so an 8-bit text character costs roughly three pixels of a 24-bit RGB image and no colour value moves by more than one unit. This means nearly any image on your PC, or on the Web, could be altered invisibly and used as a repository for someone else’s data. You’d never know, unless you had the original to compare against or an expert examined the statistics of the file’s low-order bits.
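To make the least-significant-bit scheme concrete, here is an added example (mine, not code from the original post or from the Symantec study) that embeds a payload in a constructed RGB pixel buffer, recovers it, and shows why the change is invisible to the eye yet trivial to find if you have the original. The pixel list, the 32-bit length prefix, and the payload text are assumptions made for the example; a real carrier would be read with an imaging library instead of make_carrier().

```python
"""LSB steganography on a raw 24-bit RGB pixel buffer.

Added example; not code from the original post.  The carrier is a
constructed list of (r, g, b) tuples, so nothing here needs an image
library, and the detector only shows what a comparison against the
original reveals.
"""
import random


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Hide `payload` in the least significant bit of every colour channel.

    A 32-bit big-endian length prefix (an assumption of this example) goes
    first so extract() knows where the payload stops.  Each pixel carries
    3 bits, so one 8-bit character costs 8/3 pixels, roughly the "one
    character per three pixels" figure.  Returns a new pixel list.
    """
    capacity_bits = len(pixels) * 3
    needed_bits = (4 + len(payload)) * 8
    if needed_bits > capacity_bits:
        raise ValueError(f"carrier holds {capacity_bits // 8} bytes, need {needed_bits // 8}")
    bits = _bits(len(payload).to_bytes(4, "big") + payload)
    out = []
    for pixel in pixels:
        channels = list(pixel)
        for i, value in enumerate(channels):
            bit = next(bits, None)
            if bit is None:
                break
            channels[i] = (value & 0xFE) | bit
        out.append(tuple(channels))
    return out


def extract(pixels):
    """Recover a payload written by embed(); ValueError if none fits."""
    lsbs = (channel & 1 for pixel in pixels for channel in pixel)

    def read_bytes(count):
        out = bytearray()
        for _ in range(count):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | next(lsbs)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read_bytes(4), "big")
    if (4 + length) * 8 > len(pixels) * 3:
        raise ValueError("length prefix exceeds carrier size: no valid payload")
    return read_bytes(length)


def channel_changes(original, altered):
    """Return (number of colour values that differ, largest difference).

    LSB embedding never moves a value by more than 1, which is why the
    edit is invisible to the eye yet obvious next to the original file.
    """
    changed, max_delta = 0, 0
    for a, b in zip(original, altered):
        for x, y in zip(a, b):
            if x != y:
                changed += 1
                max_delta = max(max_delta, abs(x - y))
    return changed, max_delta


def make_carrier(width=64, height=64, seed=7):
    """Constructed stand-in for a photo: deterministic pseudo-random pixels."""
    rng = random.Random(seed)
    return [tuple(rng.randrange(256) for _ in range(3)) for _ in range(width * height)]


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"constructed sample: stolen records would go here"
    stego = embed(carrier, secret)
    print(extract(stego))                   # the payload comes back intact
    print(channel_changes(carrier, stego))  # a few dozen values, each moved by 1
```

Without the original, detection has to fall back on the statistics of the low-order bits, and a noisy carrier like this pseudo-random one already has a random LSB plane, which is exactly the property a hider relies on; with the original in hand, channel_changes() finds every altered value at a maximum difference of 1.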

Even more elegant schemes are in use, including a method known as “juggling,” which stores segments of a file on multiple machines. Distributing the pieces across many anonymous hosts means that nobody who lacks even one segment can reassemble the file. SMTP, the Internet’s mail transport protocol, is being used as well: messages can be parked almost invisibly in a mail server’s queues and buffers, accessible only to someone who knows where to look. From the criminal’s point of view the ephemeral nature of this storage is a bonus: if the mail server is shut down or crashes, the data vanishes, which makes the job of law enforcement all the harder.

I wouldn’t be surprised to learn hackers are still hiding files on open FTP sites, since many system administrators aren’t aware of this weakness and many others lack the experience to lock such sites down. This vulnerability, like the SMTP trick noted above, isn’t confined to UNIX: IIS on Windows Server ships with both an SMTP service and an FTP service. Any administrator who accepts the out-of-the-box configuration for such services, and fails to monitor activity on the server, may find the system compromised. For that matter, the Web site could be serving altered images containing someone else’s sensitive data, and nobody would ever know. Clever people, these hackers.
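An added example (not the post’s own code) of the check a sysadmin could run over an FTP root to catch the classic hiding tricks: names with a leading dot, surrounding whitespace, or control characters, and directories anyone can write into. The sample tree it builds under a temporary directory is constructed for the example, and the naming rules are my assumptions about what counts as suspicious.

```python
"""Audit a directory tree for the hiding tricks the post describes.

Added example, not the post's own code.  It flags entries whose names
begin with a dot, carry leading or trailing whitespace, or contain
control characters, and directories that anyone can write to (the
'incoming' dirs warez groups loved).  build_sample_tree() creates a
constructed tree so the audit can be run offline.
"""
import os
import stat
import tempfile


def odd_name(name):
    """Return why `name` looks like an attempt to hide, or None."""
    if name.startswith("."):
        return "dot-prefixed (hidden from a plain ls)"
    if name != name.strip():
        return "leading/trailing whitespace"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character in name"
    return None


def audit_tree(root):
    """Walk `root` and return a list of (path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reason = odd_name(name)
            if reason:
                findings.append((path, reason))
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                findings.append((path, "world-writable directory"))
    return findings


def build_sample_tree():
    """Constructed FTP root: one normal file, one 'incoming' dir anyone can
    write to, and a stash two levels down under names a casual ls hides."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    pub = os.path.join(root, "pub")
    stash = os.path.join(pub, ".  ", "\x01stash")
    os.makedirs(stash)
    for d in (pub, os.path.join(pub, ".  "), stash):
        os.chmod(d, 0o755)  # ordinary permissions; only 'incoming' is open
    incoming = os.path.join(pub, "incoming")
    os.makedirs(incoming)
    os.chmod(incoming, 0o777)
    with open(os.path.join(pub, "README.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    with open(os.path.join(stash, "warez.zip"), "wb") as fh:
        fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for path, reason in audit_tree(build_sample_tree()):
        print(f"{reason:40s} {path!r}")
```

The same sweep as a one-liner on a real server is roughly `find /var/ftp \( -name '.*' -o -name '* *' -o -perm -o+w \) -ls`; the Python version is easier to extend with site-specific rules and to run on a schedule.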

Spam: A Ho-Hum Topic?

Thursday, May 24th, 2007

The bad news: the volume of spam continues to increase.

The good news: no one seems to mind anymore.

That, in a nutshell, is the finding of a survey by the Pew Internet & American Life Project, which found that while more people are seeing an increased volume of spam in their business and personal mailboxes, “fewer people say spam is ‘a big problem’ for them.” The survey suggests several factors are contributing to this change in attitude, and I’ll offer another the report may not have considered.

First, the users surveyed said the pornographic content of the spam they receive had “moderated” of late, meaning either that the content is less graphic than it used to be or that less of the spam is pornographic at all. Since pornography is certainly one of the primary concerns of parents whose young children use the Internet, tamer spam might well ease their worries. Such “moderation” might be thought of as the electronic equivalent of the plain brown wrapper used by traditional mail: out of sight, out of mind.

The next factor, which I find personally unsurprising (and somewhat gratifying, since I’ve made this assertion myself), is that users are becoming increasingly sophisticated in their online affairs and are making use of spam prevention and other security technologies in order to minimize the impact of unsolicited mail on their daily activities. Again making an analogy to regular paper mail, it could be said more users are filing “no junk mail” notices with their local post office. Some items may still leak through, but the vast bulk of solicitations simply aren’t delivered to the user’s mailbox. I’ve long made use of this technique as my method of choice for dealing with spam: my ISP marks suspected spam with a special identifier, and I use a Eudora mail filter to move it all to a “junk” folder. Once a day I review this folder’s contents briefly to make sure a legitimate message wasn’t caught by mistake, then the folder is emptied to make room for the next day’s load.

Another factor, which I’ll suggest even though the Pew report didn’t mention it, is that a great deal of spam is more of an annoyance than an actual hazard. The real threats to online security today are phishing schemes and identity theft, which often go hand in hand. The increasing sophistication of “cloned” Web sites and phishing methods represents a much larger hazard to online consumers, who may be duped into handing over personal data or installing spyware that steals it from their hard drives. While garden-variety spam hawking pornographic services or discounted prescription drugs is annoying and wastes our time, it pales in comparison with the risk presented by phishing and identity theft. We can throw away junk mail with ease, but recovering stolen personal data or rebuilding a vandalized credit record is much more difficult.

It’s About Time

Wednesday, May 23rd, 2007

While it certainly won’t reduce the amount of spyware being pushed by phishers and scam artists, the US House recently passed legislation making such software explicitly illegal and punishable by a prison term of up to 10 years. Some would call this a useless, feel-good piece of legislation with little chance of accomplishing anything other than wasting the paper on which it’s printed. While I can be just as cynical as the next guy about our (or any other) government’s ability to respond to legal challenges, I really don’t feel this particular law is a waste of time.

First, it gives law enforcement a legal leg to stand on in cases involving phishing and the planting of illicit software by thieves and scam artists. Until now, prosecutors have had to rely on a patchwork of fraud statutes and the general unauthorized-access provisions of the Computer Fraud and Abuse Act; nothing on the books said explicitly that planting software on someone else’s machine and using it to collect data about that person without permission is illegal, and that makes convictions harder to obtain.

Second, and probably more importantly, the mere presence of such legislation and the fact that it came before the House in the first place shows that this issue is on the radar. Given a statistic mentioned in the article (which is probably wrong or misleading, but important nonetheless) that “up to 90 percent of computers in this country are infected with some form of spyware,” cyber crime is gaining prominence as a serious social issue. Episodes of identity theft are on the rise, and we’re all aware of numerous episodes involving compromised government and commercial databases containing the personal data of millions of citizens.

In other words, government has started to catch up with the idea of the electronic society and the ramifications of our transition to a massively online culture. No longer are users of the Web confined to geeks, nerds, and other socially marginalized groups; now, Mom and Pop are online. They’re banking, investing, buying things in online stores that account for increasing percentages of large retailers’ annual sales, submitting tax forms, and balancing their checkbooks. That means they store everything from birth dates to SSNs and license numbers on their PCs, where any hacker can make off with them with relative ease.

Government is now coming face to face with the blinding reality of large numbers of voters who use the Internet on a regular basis. In fact, these voters often read about data loss and hackers in their online newspapers, or receive e-mail from a relative whose accounts were hijacked after they fell for an online scam.

These same voters have found the Web sites maintained by their elected representatives, and I suspect said representatives have been asked what they’re doing about the problem. Maybe even a few representatives have been scammed.

The new law may not have a lot of initial impact, but it’s an additional tool in the arsenal and it’ll be followed by others. With luck, and some diligence, the phishers and scammers might be persuaded over time to find other prey.

Yet Another Phishing Method

Sunday, May 20th, 2007

Today I received a really interesting piece of news: I’ve become an eBay PowerSeller, at the Silver level! I was impressed and somewhat stunned, since I barely use my account and certainly haven’t produced enough volume to earn such an esteemed title. The mail looked legitimate enough, with all the right images and fonts. Being the suspicious sort, I immediately checked the embedded URL, certain I’d find it pointed at a fraud hosted in Russia or on some hapless home user’s hijacked Windows box.

Surprisingly, the link began with a legitimate eBay host name (us.ebayobjects.com), so I decided to check further. Sure enough, someone has realized that people now scrutinize embedded links far more closely before visiting them, and has got clever about it. Here’s the full URL in all its glory:

http://us.ebayobjects.com/6k;h=http://62.48.234.67/eBayISAPIsignin.ebay.com/reg.php

What we have here is a redirection attack that uses a legitimate site as its anchor. The first part (the us.ebayobjects.com component) is genuine, but it is being used as an open redirector: everything after “h=” is the address it forwards the browser to, so the second URL, “http://62.48.234.67”, is where you actually land if you click the link. The rest of the path (the eBayISAPIsignin.ebay.com part) is just a directory name on the phisher’s server, chosen to mimic eBay’s legitimate login script, which is actually “eBayISAPI.dll”. This is similar to other scams, in which the host name in the URL looks something like “www.ebay.com.ip.alcatel.fr” (I just made that one up, incidentally). Here the ebay.com component is merely a subdomain of the phishing host’s real domain, which in this example would reside somewhere in France.

In both cases, the links begin with legitimate-looking host names. The phisher’s hope is that the recipient won’t look further than the initial location, which contains valid-looking information. This attack has become common enough that eBay now offers a set of “how to spot phishing scams” pages that attempt to educate users in the methods used by these criminals.
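The two link shapes described above, worked as an added example (my code, not eBay’s and not the post’s): it unpacks the URLs nested inside a redirector, reports the real destination, and flags the tells. TRUSTED_DOMAINS and the assumed-legitimate login link are assumptions for the example; the two suspicious URLs are the ones quoted in the post.

```python
"""Pick apart a phishing link that hides behind a legitimate host name.

Added example, not the post's code.  TRUSTED_DOMAINS is an assumption
about which brands the mail claims to represent; the sample links are the
two URLs discussed in the post plus one assumed-legitimate eBay login link.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"ebay.com", "ebayobjects.com"}  # assumed for the example


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used as a host."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Last two labels of a host name, a rough stand-in for the registrable
    domain (it gets ccSLDs such as co.uk wrong, which is fine here)."""
    if is_ip_literal(host):
        return host
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def chained_urls(url):
    """Every URL nested inside `url`, outermost first.  A redirector such as
    .../6k;h=http://... carries the real destination as the last entry."""
    return [url[m.start():] for m in re.finditer(r"https?://", url)]


def analyze_link(url):
    """Return the true destination host and a list of reasons to distrust it."""
    chain = chained_urls(url)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final_host = hosts[-1]
    path = urlsplit(chain[-1]).path.lower()
    domain = registrable_domain(final_host)
    flags = []
    if len(chain) > 1:
        flags.append(f"redirect: {hosts[0]} forwards to {final_host}")
    if is_ip_literal(final_host):
        flags.append("destination is a bare IP address")
    elif domain not in TRUSTED_DOMAINS:
        for brand in sorted(TRUSTED_DOMAINS):
            if brand in final_host:
                flags.append(f"'{brand}' is only a subdomain of {domain}")
    for brand in sorted(TRUSTED_DOMAINS):
        if brand in path:
            flags.append(f"'{brand}' appears in the path, not the host")
    return {"destination": final_host, "domain": domain, "flags": flags}


if __name__ == "__main__":
    samples = [
        "http://us.ebayobjects.com/6k;h=http://62.48.234.67/eBayISAPIsignin.ebay.com/reg.php",
        "http://www.ebay.com.ip.alcatel.fr/signin",
        "https://signin.ebay.com/ws/eBayISAPI.dll",  # assumed-legitimate shape
    ]
    for link in samples:
        result = analyze_link(link)
        print(link, "->", result["destination"], result["flags"] or "looks fine")
```

The important step is looking at the last URL in the chain rather than the first: a redirector on a trusted host lends its name to the link, but the browser ends up wherever the final hop points.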

Now that I’d spotted the mail as an obvious fake, I decided to check the headers to see where it actually originated. Dissecting the headers on a mail message is relatively simple, but first you need to tell your mailer to show the full headers; in Eudora, this is done by clicking the “blah, blah, blah” button at the top of the message. The salient line is: “Received: from User [203.125.97.238].” The word after “from” is the name the sending machine announced in its SMTP HELO, here the bare string “User” (not even a fully qualified host name, let alone anything under ebay.com), and the bracketed address is the IP my ISP’s server actually saw the connection come from. Note that only the Received line added by your own mail server can be trusted; any Received lines below it were supplied by the sender and may be forged. A lookup on 203.125.97.238 placed it somewhere in Singapore, most likely a hijacked PC being used as a zombie by the scam artist.
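An added example (not the post’s code) that does the header reading above programmatically: it parses every Received line, treats only the ones written by our own server as trustworthy, and reports the HELO name and connecting IP at the point the message entered our infrastructure. SAMPLE is a constructed message built around the Received line quoted in the post; the second Received hop, the From address, the host names, and the 192.0.2.10 address are made up, and MY_SERVERS is an assumption.

```python
"""Find where a message really came from by reading its Received headers.

Added example, not the post's code.  SAMPLE is a constructed message: the
top Received line mirrors the one quoted in the post, the second is the
kind of forged hop a phisher appends, and everything other than
203.125.97.238 is made up (192.0.2.10 is a documentation address).
MY_SERVERS is an assumption about which MTAs are ours.
"""
import email
import re

MY_SERVERS = {"mail.example.net"}  # assumed: the receiving ISP's own MTA

SAMPLE = b"""Received: from User [203.125.97.238] by mail.example.net with SMTP id k3a8;
\tSun, 20 May 2007 09:14:02 -0500
Received: from mail.ebay.com (mail.ebay.com [192.0.2.10]) by mx.ebay.com
\twith ESMTP id 12345; Sun, 20 May 2007 22:01:55 +0800
From: "eBay PowerSeller Program" <powerseller@ebay.com>
To: victim@example.net
Subject: Congratulations, you are now a Silver PowerSeller

Confirm here: http://us.ebayobjects.com/6k;h=http://62.48.234.67/eBayISAPIsignin.ebay.com/reg.php
"""

HELO_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the HELO name, connecting IP and receiving host out of one header."""
    text = " ".join(value.split())  # unfold continuation lines
    helo = HELO_RE.search(text)
    by = BY_RE.search(text)
    ip = IP_RE.search(text)
    return {
        "helo": helo.group(1) if helo else None,
        "by": by.group(1) if by else None,
        "ip": ip.group(1) if ip else None,
    }


def received_chain(raw):
    """Received headers top to bottom, i.e. newest (ours) first."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def origin(raw, my_servers=MY_SERVERS):
    """Return the hop at which the message entered our infrastructure.

    Each MTA prepends its own Received line, so only lines written by a
    server we control can be believed; everything below the last of those
    was supplied by the sender and may be forged.
    """
    trusted = None
    for hop in received_chain(raw):
        if hop["by"] in my_servers:
            trusted = hop
        else:
            break
    return trusted


def suspicious_signs(raw):
    """Reasons to doubt the message, based on the trustworthy hop alone."""
    hop = origin(raw)
    if hop is None:
        return ["no Received line written by our own server"]
    msg = email.message_from_bytes(raw)
    from_domain = msg["From"].rsplit("@", 1)[-1].rstrip("> ").lower()
    helo = hop["helo"] or ""
    signs = []
    if "." not in helo:
        signs.append(f"HELO name {helo!r} is not a fully qualified host name")
    if not helo.lower().endswith(from_domain):
        signs.append(f"HELO name {helo!r} is unrelated to From: domain {from_domain}")
    return signs


if __name__ == "__main__":
    hop = origin(SAMPLE)
    print(f"entered our network from {hop['ip']} announcing itself as {hop['helo']!r}")
    for sign in suspicious_signs(SAMPLE):
        print(" -", sign)
```

The forged second hop, which claims the mail passed through an eBay server, never enters into the verdict: origin() stops at the first Received line not written by one of MY_SERVERS, which is exactly the discipline the manual reading above relies on.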

Phishers are developing new attack methods all the time, in response to increased user awareness and mail clients that are becoming more capable of detecting bogus embedded links. My current copy of Eudora, for instance, warns me whenever a displayed URL doesn’t match the alleged site. Other mail clients are following suit, so thieves are now resorting to more sophisticated and (dare I say it) elegant means. It’s a cat and mouse game, and there’s little chance it’ll end anytime soon.

A Lack of Control

Friday, May 18th, 2007

A new Vista weakness was revealed today. This one lies in the UAC, or User Account Control, subsystem and relies on the use of a piece of malware known as a “proxy infection tool,” which basically performs legitimate work while installing hacks or disabling security features in the background. A more detailed description of the weakness can be found in an article on Yahoo’s site, as well as other locations around the net.

A proxy hack is a reasonably nefarious, yet fairly common, way to infect a system. All that’s required is for someone to download and run a small application, usually passed from user to user via e-mail with a note containing verbiage like “this is really cool, you should try it out.” Sometimes the message really is from a trusted friend, but on other occasions it’s been sent by a bot or a hacker. Once the user runs the application, it tries to install its payload, which can be anything from a virus to a proxy hack such as the one described here. This is a classic Trojan Horse attack, in which legitimate-looking software is used to deliver another piece of code. However, under UAC the attack succeeds only if the user is a member of the local Administrators group and clicks through the elevation prompt, or supplies an administrator’s credentials when asked; a standard user who has neither cannot grant it the rights it needs. A Microsoft spokesperson said that “the successive social engineering attempt will only be successful if the user inadvertently clicks on the malicious shortcut. In fact, at this point, the user must be part of the local administrator’s group or provide administrator credentials at the UAC prompt.”

But what is UAC in the first place? It’s a new subsystem, introduced in Vista, that changes the way administrative privileges are handled. In the past, most Windows user accounts on a machine were automatically granted “local Administrator” privileges, which permitted installing software, starting and stopping services, and so forth. The new model runs everyone, administrators included, with standard-user rights, and elevates privileges only for specific tasks and only after asking. To quote Microsoft’s description of the service, “[t]he main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer.

With User Account Control, IT administrators can run most applications, components and processes with a limited privilege, but have “elevation potential” for specific administrative tasks and application functions.”

This is a great idea, since most operating systems grant administrative privileges only to certain accounts unless the system administrator specifies otherwise. Handing administrative rights to generic users automatically is a recipe for disaster, and Microsoft is doing the right thing by moving away from the old model. So with Vista you log in as Joe User and have only user-level rights until an administrative task is necessary, at which point UAC asks you to confirm the elevation (or, if your account isn’t an administrator, to supply an administrator’s ID and password). If you can’t, the request fails. This prevents malware installation attempts from succeeding behind the scenes when you run that cute little application someone e-mailed you, the one containing the virus or Trojan.

The UAC adds a level of indirection that, in effect, makes you responsible for whatever happens to your machine. So the moral is: think before you grant an application an Administrative level of access, since you’re now responsible for the consequences.

Keys to Happiness

Thursday, May 17th, 2007

I spend a lot of time behind a keyboard, writing everything from C to Word documents and e-mail. Over the years I’ve found the hardware involved is just as crucial, if not more so, than any other component of a running PC. The keyboard is your primary interface to the machine, along with the mouse (AKA “rodent”) and monitor. A cheap unit with poor tactile sense, poor spacing, or other bad design elements can be just as distracting as a crashing CPU or dim monitor; a good one can make typing a joy. I’ve used everything from the infamous “Chiclet” keyboard on a Commodore PET to the tiny devices included with some recent PDAs.

This is an area where Microsoft, in my opinion, got it right. Back in 2000 I invested an ungodly sum of money (a whopping $60) in an original Microsoft Natural Keyboard, with the split key regions that make it look a bit like Mr. Sulu’s console from Star Trek. At the time I was skeptical, and I bought it because I was in a pinch and other stores in London were closed for the evening. After a week or two of settling into the new style, I decided they could have it back when they pried it out of my hands. I was happy to see a recent Wall Street Journal article that mentions these little jewels. The author had the same experience – after a bit of an adjustment period, she really liked the Natural interface.

Now, I don’t personally care about the “special feature” keys that the designers included in order to make Windows functions easier to activate. My unit included the then-new “Windows Command” key and it’s the least used of all included keys, in fact. What I really like about this model is that it reduces stress on your hands, and allows you to place them more comfortably when typing. Rather than artificially straightening your wrists, you leave them in a slightly angled position (aligned with your forearms) on the desktop, which makes typing a whole lot more comfortable. Mind you, I still use my laptop’s built in unit and find it very comfortable, but I’d much rather type long documents on the Microsoft unit.

The other handy thing about this unit, and hopefully its younger cousins, is that it’s solidly built. Too many generic units included with current PCs are flimsy, tiny, and have terrible key feedback that seems designed to make the experience as nasty as possible for the user. When I managed services for a large university, I kept our older IBM PC keyboards around for years after we upgraded to newer machines. Students loved the weight, the feel, and the reliability of these things, which were built like tanks and designed to take just about as much punishment. A good keyboard is worth the investment, and may prevent a case of RSI or carpal tunnel. If you spend significant time pounding keys, you’ll be much happier.

Going Green

Monday, May 14th, 2007

There’s been a lot of talk in recent months about “Green” initiatives designed to lower energy usage and save fossil fuels. Everything from high-efficiency fluorescent lamps to energy saving autos are being developed in response to global warming and energy consumption concerns.

High technology is another area that should be focused on in some detail, since the spread of PCs and other devices to households and businesses has, in some respects, increased overall energy consumption. It’s also decreased usage in other areas, but we’ll talk about that shortly.

There’s no arguing that home PCs use energy. A generic PC usually includes a 200 Watt power supply, but this figure shouldn’t be taken as a consumption figure, since it’s almost never reached. The 200 Watts represents the maximum the supply can deliver, which is approached in maybe two cases: 1) for a few milliseconds when the power is switched on, and 2) if every connector in the machine is loaded with a power-hungry device. My own generic machine sits behind a UPS (Uninterruptible Power Supply) to ride out power-related failures; it reports that my PC draws an average of about 130 Watts. My system is unusual, with 4 cards on the bus as well as 2 DVD drives (one a burner), 3 hard disks, and a floppy drive all consuming power. Most users would probably find their machines use 110-120 Watts, about the amount consumed by 2 standard incandescent light bulbs.

Of course, the monitor also uses power, and how much depends on its size and type; while some people think LCD units use much less energy than old cathode-ray tube units, this isn’t always the case. My 19″ LCD is rated at 2 Amps, while an older tube-type monitor in the closet says 1.8 Amps on its rating plate (note: Watts = Volts x Amps, so 2 Amps at 110 V is about 220 Watts). Bear in mind, though, that a rating-plate figure is the maximum the device may draw, just as the 200 Watt supply above is a maximum, so it doesn’t follow that the LCD actually consumes more than the CRT; only a meter reading, like the one from my UPS, tells you what a device really uses. Other equipment, such as laser printers, can draw tremendous amounts of power while running (mine is rated at 11 Amps, or about 1200 Watts), which is an excellent reason to keep such devices in “standby” mode or powered off completely when not in use.

In addition, we also need to think about the heat load a running piece of equipment imparts on your home’s ventilation systems. In the winter, a PC or two can take some of the load off your furnace since each running unit generates heat, but this advantage is largely negated in the summer, since your air conditioner will work much harder to offset the extra heat emitted by your machines. For that matter, light bulbs and other electrical devices also emit heat and should be shut off whenever possible in order to take some stress off your AC unit.

All this said, it’s also true that the increasingly ubiquitous nature of home PCs, especially those with fast network connections, help save energy in some respects. People who would have climbed into a car to go shopping or visit a bank can now perform these tasks online, thus saving gasoline and moving the energy impact to a more efficient delivery service. It would be difficult to calculate the overall net energy budget of the modern, networked household against pre-networked equivalents, but I suspect we’ll eventually see at least a minor net savings as more tasks are performed at home. Time will tell.

The Mega-modem

Wednesday, May 9th, 2007

Today, Comcast announced a new modem that’s been tested to a blazingly fast 150 megabit/sec, which is significantly faster than anything else on the market today. This is great news for video-hungry home users and others who have a need for speed; current products can only support up to 50 megabits/sec. The new product conforms to the DOCSIS (Data Over Cable Service Interface Specification) 3.0 standard, which can be viewed in more detail at Cable Labs’ web site. To give some perspective to this accomplishment, the demonstrators “downloaded the 32-volume Encyclopaedia Britannica 2007 and Merriam-Webster’s visual dictionary in under four minutes, when it would have taken a standard modem three hours and 12 minutes.” They also said the same operation over a dial-up modem would have taken weeks (at the old 56k standard).

Speed is key; I recall the days of text-only 300 baud (bits per second) telephone modems and having the ability to read the text faster than it could be scrolled to the screen. The faster the modem, the more information you can send and receive in a given period of time without bogging down your system. But before everyone gets too excited and queues up to buy one of the new devices, which won’t be commercially available for some time, we all need to remember that the local cable speed is only one component in the overall cable experience, just as the telephone system’s local loop is only one part of a DSL connection. In order, the string of devices and transport media involved in a network request includes the PC’s internal subsystems, its built in network card (often rated at 100 megabit/sec), the cable or DSL device, the cabling system to the local office or distribution point, the trunk line to the provider’s main Internet Core connection, the Core connections themselves, and the network/system at the receiving end.

In order for the new systems to achieve their full potential, every link in the chain would need to be rated at, and configured for, 150 megabit/sec. Fiber’s capacity is vast, but the routers, switches, and other active components along the way are often limited to much lower bandwidth, depending on the service provider and other factors. Just as a chain is only as strong as its weakest link, the speed of a connection is constrained by its slowest component. If you’re streaming video from Company X’s server and that company’s network connection is only 10 Mbps, then 10 Mbps is all you’ll get. Even if every link is 150 Mbps, system load and traffic levels will affect the final rate: if the server is busily serving hundreds of simultaneous streams, its own internal limitations (disk or bus speed, CPU capacity, memory size) can make your stream run far slower than the network allows.

Obviously, this advance should stimulate another round of upgrades by ISPs and companies that serve content on a large scale. It’ll be interesting to see where we are in terms of network capacity and speed by 2017!

Hacktivation?

Monday, May 7th, 2007

A few days ago, Symantec released a report discussing a new type of Trojan attack that takes advantage of the Windows Activation process in an attempt to steal user data and credit card information. It’s an interesting and scary twist on Trojan attacks, since it combines several techniques (phishing, social engineering, redirection of legitimate service requests, etc.) into a single, apparently very clever model. Symantec has dubbed it “Trojan.Kardphisher” for purposes of tracking and containment.

The scariest thing about this case is that it’s extremely well handled and designed, while most Trojan and other attacks suffer from basic problems such as incorrect English syntax, badly formatted screens that are obviously the product of amateurs, and an overall poor design that detracts from the overall effort. While we security-conscious types love poorly designed attacks (they’re that much easier to detect and guard against) we also have to admire one that’s been created with such care. Not only does this Trojan shut down your PC if you answer “no” to its “do you wish to activate Windows now?” query, but it also disables the Task Manager so that it’s extremely difficult to locate and kill the offending process.

A truly nefarious aspect of this attack is that the only visible difference between it and the official Windows Activation screens is an extra form requesting a credit card number, ATM PIN, CVV2 (card security) code, and expiration date, accompanied by the assurance that “your card will not be charged.” Hopefully most people will not be deceived by that assurance; indeed, the very presence of an ATM PIN request should set off major “danger, Will Robinson!” warnings for anyone tempted to fill out the form, and is probably the attack’s biggest weakness, since no legitimate activation request would ask for a PIN. There’s also no indication on the forms that SSL (encrypted) transmission is in use; when financial data is at stake, the absence of any such notice is another sign of a bogus request.

I suspect we’ll see many similar attacks in the future, since they’re more likely to succeed than “click here to get a free gift!” advertisements and alleged warnings from banks. Certain banks are, in fact, already taking steps to ensure customers are not fooled by bogus phishing sites. Last year, Bank of America launched a “site verification” system that lets customers choose a personalized “SiteKey” consisting of a small image of their choice, associated with a customer-generated text string. When a user visits the bank’s site, the first thing they should see is their personalized image/text combination; if they see something else, they can be pretty sure they’ve landed on a bogus site. It isn’t a complete answer, since a phishing site that relays the victim’s user name to the real bank can fetch the genuine image and display it, and the scheme only works if users refuse to continue when the image is missing; still, it raises the bar. As more online merchants adopt measures to prevent customers from being deceived by cloned sites, hackers and thieves will be forced to adopt new, even more subtle methods. The Trojan.Kardphisher attack is probably a good example of the next generation of attack methods, and should be kept in mind whenever unexpected requests for personal or financial data appear on our screens.