Sunday, January 25, 2009

Privacy for me but not for thee

Via BoingBoing, I found this article, which shows that the UK government has no (or at most very little) respect for the privacy of individual citizens. According to the article, there is a clause in a pending piece of UK legislation which would "allow ministers to make 'Information Sharing Orders', that can alter any Act of Parliament and cancel all rules of confidentiality in order to use information obtained for one purpose to be used for another."

Now, admittedly, I am not an expert on UK law, but allowing such information sharing orders would seem to basically nullify any types of privacy protections which currently exist. It's almost as if the British government doesn't care about privacy at all.

...of course, we know that can't be true, since just a week earlier, British MPs (members of parliament) had attempted to pass a law which would have exempted records of their expenses from freedom of information act requests (see this article, also via BoingBoing). I guess this is just one more example of how government officials care deeply about privacy - but only if it's their own information that they're trying to keep secret.

Wednesday, January 21, 2009

And They're Off

We're a little less than a month into the new year, and there's already a strong contender for biggest data security breach of '09. Actually, the breach, which involved a compromise of Heartland Payment Systems, took place in 2008, but it wasn't publicly disclosed until yesterday, so I'm classifying it as a 2009 breach. However, whatever year the breach is placed in, it's potentially a monster, with over 100,000,000 accounts at risk. We don't know the full extent of the breach yet, but this is one to keep an eye on as potentially not only being a candidate for the biggest breach of 2009, but also as having the potential to dethrone TJX as the biggest breach ever.

Wednesday, January 14, 2009

Malwarebytes Link

As a (most likely final) follow-up to my posts (here and here) on removing Antivirus 2009, I contacted Malwarebytes and asked if they had an alternate site where you could download their tools without being blocked. In response, they sent me this link to their free product. I can't guarantee that it will work, and I'm not planning on purposefully getting infected just to test it. However, if anyone happens to stumble across this blog looking for a way to remove the virus, the above link might do the trick.

Tuesday, January 13, 2009

Government spurs security improvements

Well, we still don't know if (as I predicted here) Obama will be the first email-friendly president. However, we do know that there is now a PDA which has been certified by the NSA for top secret voice communication. Sadly, the price tag is a hefty $3,350, which will keep it out of the hands of most private citizens (including me). Still, that's no object for Obama, and I wouldn't be at all surprised if he uses this device (or something like it) to avoid having to give up email.


Friday, January 9, 2009

Hallmark E-Card Virus

Today I received an email (actually, several emails) with yet another virus. Unlike Antivirus 2009, which has the potential to trick unsuspecting users by masquerading as a legitimate program, this one, which appears to spread via email attachment, would only catch the absolutely most unsophisticated. Indeed, unlike some email viruses, this one doesn't even bother trying to personalize the emails it sends out. Instead, it uses the following generic message:


You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.

I'm not sure what to say about it, except that anyone who trusts a card from an anonymous "friend" who wants them to open an email attachment probably has so many viruses on their system already that one more won't do much damage (either that or an antivirus program strong enough to protect them from themselves - something I recommend all users get regardless of their sophistication).

Thursday, January 8, 2009

Removing Antivirus 2009

I've received a number of hits on my previous post about some legal issues regarding Antivirus 2009 which I suspect are from people looking for how to get rid of the malware but can't get to the big antivirus sites because Antivirus 2009 has blocked them. For anyone looking for how to get rid of the program, here's my advice:

1) Don't expect to download a tool to fix the problem. The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites. In particular, Malwarebytes, which is recommended in a number of places to deal with Antivirus 2009, is blocked.

2) Get to a clean system. Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all. Go to another computer and download the tools you need. Malwarebytes Anti-Malware, mentioned above, can be downloaded here.

3) Send the tools from the clean system to the compromised system. The most obvious way to do this is via a flash drive. However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.

4) Once the tool (whatever it is) is downloaded, rename it to .bat. With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.

Please note that, for step 4 above to work, you might have to restart Windows in safe mode. A description of how to do that can be found here.

Please also note that the above 4 steps (including restarting in safe mode) might not actually work. The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself. My next step after step 4 would have been to create a rescue CD and use that to boot from. However, my brother, who also happened to be visiting that weekend, had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted? In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately. It's an extreme measure, but I can testify that it certainly worked for my grandmother.

Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.

Wednesday, January 7, 2009

Will Anyone be Ready for the Next Level of Identity Theft Protection?

The Massachusetts and Nevada Models

Brace yourself for the countless retrospectives to appear in the coming months, touting 2008 as an eventful year for so many reasons: an historic presidential election, a meltdown in the financial and real estate industry and resulting economic maelstrom, Michael Phelps winning a record-breaking eight gold medals in the Beijing Olympics – the list goes on.

One notable characteristic of 2008 that may go unnoticed by the mainstream commentators, but is no less remarkable, is the continuing wave of consumer protection legislation enacted by state legislatures in the wake of spiraling incidents of identity theft. In addition, an otherwise lethargic Congress has managed to enact a cybercrime law, signed by President Bush in early October, called The Identity Theft Enforcement and Restitution Act of 2008. This law makes it easier for prosecutors to bring hacking and other cybercrime charges against an individual, eliminating the minimum $5,000 in damages requirement. It also makes it a felony, during any one-year period, to damage ten or more government or financial institution computers, and directs the U.S. Sentencing Commission to consider increasing its penalty guidelines for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems. Combined with the issuance early in 2008 of the FTC’s Identity Theft Red Flag Guidelines, these new legislative and regulatory initiatives are designed to combat what has become a crime wave of increasing dimensions.

The proactive trend of the state legislatures began several years ago with California’s data security breach notification and security freeze laws, resulting in 44 states and the District of Columbia enacting the same or similar laws. The momentum has continued with many states strengthening identity theft laws concerning the protection from the public of social security numbers and personal information from credit cards. Massachusetts has moved in another new direction with a law that will become effective on May 1, 2009. The law was an addition to Massachusetts Laws Chapter on Security Breaches, and was expanded upon by administrative regulations. It applies to anyone who owns, stores or maintains the personal data about a resident of Massachusetts. The data that is stored electronically must be encrypted before it is transmitted over a public network or transmitted wirelessly, especially on portable devices such as laptop computers and Blackberries, as well as other portable devices such as flash drives, cellphones and CDs. For this reason, according to some commentators, the law is a little ahead of its time, since the technology for encryption of portable devices is just starting to be developed.

In addition to the computer system security requirements, the law imposes a duty to protect and standards for protecting personal information. Its requirements are similar to the federal Identity Theft Red Flag Guidelines requirements, effectively extending the federal regulations’ applicability well beyond the original class of “creditors,” as defined in the Guidelines, to all types of businesses. It requires the development and maintenance of a comprehensive, written information security program, that includes the designation of an employee responsible for the program, identifying foreseeable risks, ongoing employee training, employee compliance with policies and procedures, and processes for detecting and preventing security system failures. It requires disciplinary measures be imposed for violations of the program rules, the prevention of terminated employees from accessing records, and the taking of reasonable steps to verify that third-party service providers have the capacity to protect the personal data. It imposes data collection and retention standards and requires access be limited to those persons reasonably required to know, as well as restrictions on physical access.

Nevada has also enacted a similar law that went into effect October 1, 2008. NRS 597.970 takes a different approach than Massachusetts to applicability, so that it only applies to businesses operating or “doing business in” the state of Nevada, without regard to where their customers reside. It imposes an encryption requirement as well, by simply stating that businesses in the state of Nevada “shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Of course, as with the Massachusetts law, the devil is in the details. The Nevada law defines “encryption” broadly to mean the use of any protective or disruptive measure (including cryptography, enciphering, encoding or a computer contaminant) to prevent or disrupt access to, or the normal operation of, any device, system or network, or to cause such data to be unintelligible or unusable. The definition raises more questions than it answers. While the definition of “personal information” is similar to that found in many data security laws, the questions of who is a customer and what constitutes “doing business” in Nevada have no clear answers. It could arguably apply to businesses with no physical presence in the state of Nevada, but which do business through an internet website.

The Massachusetts law is enforceable only by the Massachusetts Attorney General. However, the Nevada law does not limit enforcement to its attorney general, nor does it contain any specific penalty provisions, so that the potential for a private lawsuit (including a class action suit) exists with no limit on damages. Companies operating nationally should consider whether their existing policies and procedures regarding the transmission of personal data meet the encryption and other requirements of these laws.

Whether the Massachusetts and Nevada laws forecast a trend or whether they are isolated anomalies remains to be seen. But if recent experience with state enactment of security breach notification and security freeze statutes is any gauge, these two laws may very well signal the beginning of the next wave of state law initiatives designed to combat the growing phenomenon of identity theft.

Tuesday, January 6, 2009

Reviews and Comparisons

Recently, I discovered (or, more accurately, was informed of) the site NextAdvisor, a web page which provides comparisons and reviews for a variety of services, including (of particular interest to readers of this blog) Identity Theft, Security Software, and Online Backup Services. They also have a blog which has quick summaries of recent identity theft news items. The blog appears to be updated relatively regularly, and the articles are fun in an offbeat sort of way (for example, this article about a mother who pretended to be her daughter for cheerleading tryouts). Definitely a site to consider for some quick info or tidbits on identity theft.

Sunday, January 4, 2009

Antivirus 2009

Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009. According to this article from Bleeping Computer:

Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.

What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups. The other point about Antivirus 2009 that that article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system. For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., AVG) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer). Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer. I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (slammer).

Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all. Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump and dump schemes or to spew fake Viagra spam. Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web). Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications). My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware. Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.

PostScript: One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see here). My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them. However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.

Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.