Posted by: David Harley | January 25, 2016

Support Scams – the Industry doesn’t like them either

For Graham Cluley’s blog, David Bisson summarizes the story of how Symantec ended its agreement with one of its partners after Jérôme Segura reported for Malwarebytes on how the partner was using tech support scam techniques to trick customers into buying Norton Antivirus and a year’s support at prices well in excess of the price point set by Symantec.

I commented (again) at some length on the AVIEN blog: Support Scams and the Security Industry.

David Harley

Posted by: David Harley | January 4, 2016

Barbies and Crystal Balls

[Parts of this article were originally published on the ITSecurity UK blog here and here, and on WeLiveSecurity here.]

It’s traditional at this time of year for security researchers to risk their credibility by offering their predictions as to what will happen in information security in the next 12 months. Usually in multiples of ten. Or at least the unhidden one-tenth of the researcher iceberg spending enough time in the public eye to attract the attention of journalists and their own PR departments.

Apparently there’s a perception that the public loves a list, even if it’s a list of the sort of glamour-free topic that preoccupies the security industry.

Happily, my own accelerating slide into old age, grumpiness, and the obscurity that tends to accompany (semi-)retirement has allowed me to avoid the worst excesses of this tradition in recent years. Though I don’t say that it’s totally without interest. As I said elsewhere some years ago:

Security prognostication isn’t science: it’s more like science fiction, and classic science fiction isn’t about the future, but the present. A view of the future refracted through today’s trends may be through a glass darkly, but it’s not valueless.

And while I don’t intend to make any predictions about developments in malware/anti-malware technology, perhaps I will mention some issues that I think will be discussed over the coming months.

  • The Internet of Things. Of course. After all, it represents an ever-widening attack surface. And since we tend to be quite sensitive to any threat to children and/or health, anything involving toys like the Pink Fink or healthcare devices (as discussed here) is bound to get attention. And indeed, recent crises involving Hello Kitty and VTech indicate the risks are not trivial. (And to think I used to tell people that my small daughter’s VTech computer had the safest operating system I knew…) It’s not just criminals who are interested in this stuff either: though if your opinion of politicians is as high as mine, you may already have considered that. However, there are plenty of less dramatic possibilities.
  • Tech support scams. Even though the security industry, with a few exceptions, takes very little notice of them, they continue to make a lot of money from their victims. Small-ish sums for individuals, but more than enough to keep some unpleasant individuals richer than they should be, and now increasingly found going far beyond mere deception, keeping company with ransomware and other malware.
  • Ah yes. Ransomware. (For some reason I keep typing that as ‘ransomeware’: strange, since I’ve never actually read ‘Swallows and Amazons‘…) I’ve been worried enough by the way its technology has become more sophisticated and the mounting numbers of people it is affecting to have started a vendor-neutral ransomware resource page. It’s a little piecemeal at the moment, but it does at least provide a starting point for people looking for more information.
  • The death of anti-virus. Again. Especially around RSA and Infosecurity, when companies in other areas of security are desperately seeking column inches at the expense of the ‘traditional’ anti-malware industry. (When I was more PR-friendly, I used to make this prediction every year, and I was never disappointed…) Well, old-school anti-virus, in the sense of catching self-replicating malware with static signatures, is long dead, and rightly so. But there’s more to security software than that, and replacing one solution du jour with another is not enough.

OK, it’s not a top ten. But it’s providing me with more than enough issues to worry about at the moment. Nevertheless, while I was working on the above list, I was persuaded to contribute to a ‘brief, occasionally tongue-in-cheek view from a number of ESET researchers on what they expect 2016 will bring.’

So these were my additional thoughts:

  • More convergence between tech support scams and real malware, especially ransomware.
  • Increased targeting of platforms other than Windows for pop-up fake alerts and for ransomware.
  • In the UK at least, NHS sites will continue to be slammed by security bloggers for squandering their pitiful resources on direct healthcare instead of upgrading computer systems.
  • More toys will follow the Pink Fink (a.k.a. Hello Barbie) into the Internet of Things (IoT), despite concerns about privacy and the continued attention of researchers probing for scareworthy vulnerabilities.
  • Understandable panic about terrorist attacks and other manifestations of physical violence will be translated into calls for the weakening of encryption and the abolishing of privacy.

If you’d like to see what my colleagues at ESET North America thought (and their suggestions are certainly worth reading), you can read them here: ESET predictions and trends for cybercrime in 2016.

But what was that about Hello Barbie? Well, I described here how Barbie is in trouble again, though at least she isn’t spreading viruses this time. It could certainly be said that she’s still failing as a role model, though. At any rate, the Campaign for a Commercial-Free Childhood is worried enough by Hello Barbie, a Wi-Fi enabled version of the doll with an embedded microphone intended to transmit what the child who owns it says to cloud-hosted voice recognition software.

The CCFC article articulates concerns that analysis of the child’s conversations will be used to elicit information about the child’s interests and family, and that play will be driven by Mattel rather than the child. Mattel’s policy on the data it collects, including audio data, is stated here and much is made of its limited nature. According to an article in The Register dating back to the announcement of the Pink Fink, Big Blue are moving in a similar direction with a Green Dinosaur. (This is starting to look like a Rainbow Coalition with overtones of Zippy and Bungle.)

It may not have escaped your notice that this is the (probably inevitable) next step from furry devices like Teddy Ruxpin and Furby, which only played back pre-recorded material and had no recording capability. It’s a big step, though. I have no grounds (apart from nearly seven decades of scepticism and downright cynicism) for disbelieving Mattel’s assurances that children will not be bombarded with advertising, but the acceptance of this level of ‘eavesdropping’ with the potential for conversational data to be transmitted far beyond the walls of home and reviewed by outsiders has ‘interesting’ and disconcerting implications, despite Mattel’s own safeguards. Other parties may be less scrupulous.

There’s no word yet on whether NSA staff will be banned from bringing their Barbies to the office.

A happy and prosperous new year to you. Don’t let the bugs byte. :)

David Harley
Small Blue-Green World
ESET Senior Research Fellow


Posted by: David Harley | December 21, 2015

Washington Sues iYogi

Commentary for AVIEN on the State of Washington’s legal action against iYogi, accusing the company of a range of activities suggesting tech support scamming: iYogi tech support – sued by State of Washington.

Also added to the AVIEN Tech Support Scam Resources page.

iYogi bear in trouble again with Ranger Smith and State of Washington?

David Harley

Posted by: David Harley | December 17, 2015

Facebook Memes: Check Before Spreading!

It’s not unusual to see dubious memes spreading on Facebook (and elsewhere) but I’ve seen so many today I feel obliged to comment on some of them.

  1. A post claiming that photographs of military emblems are considered ‘inappropriate’ by Facebook, including a representation of the badge of the Royal Engineers. The meme I saw today referred to the Royal Air Force, but the same false claim has often been made in the past with reference to services in the US. For Snopes, a site that has for years done a great job of evaluating possible hoaxes, Kim LaCapria points out that ‘the Marines, Air Force, Army, Coast Guard, and Navy, all … maintain verified Facebook pages on which their emblems are frequently and proudly displayed.’ The Royal Engineers Facebook page here is generated by Facebook itself and does include the RE badge. Ms LaCapria suggests that rumours of this sort may derive from instances where emblems are posted along with other material that violates Facebook’s community standards, and that it is the other material that has caused the post to be removed.
  2. A post claiming that photographs of the St George’s Cross (the national flag of England) are being blocked resembles claims that people posting photos of the US Confederate flag would risk being blocked from social media sites including Facebook. Thatsnonsense.com asserts that claims that such photos are removed because they may offend people are often exploited by far-right groups. In fact, Facebook itself encouraged its users to modify their profile pictures by overlaying them with the French tricolore as a gesture of solidarity with those killed recently in Paris. Mixed signals from Facebook? Probably not, given the number of times the cross of St George gets posted there.
  3. Another meme compares the number of people in the US killed by Jihadist attacks – 45, according to the meme – to the number of people killed by ‘gun violence’ from 9/11 to 2013 – 406,496, according to the same meme. Apparently the latter figure is based on CDC figures. I’m no friend to the US gun lobby, but feel compelled to point out that the figure seems to be based on a rather lax definition of ‘gun violence’. According to Iain Overton, author of Gun Baby Gun, that figure breaks down as follows: 237,052 suicides; 153,144 homicides; 8,383 unintentional; 3,200 undetermined; and 4,778 as a result of ‘legal intervention’. I don’t say those aren’t disturbing figures, but defining them all simply as ‘gun violence’ is potentially misleading and isn’t very helpful.

Unfortunately, Facebook has taken over the role of disseminating uncritically accepted hoaxes and half-truths that used to make managing corporate email such a pain. It’s really worth checking the validity of these claims, even if the person who shares them with you is your best friend. You know what Abraham Lincoln said…

David Harley

Posted by: David Harley | December 8, 2015

Copyright and Social Media: article for ESET

Recently I saw an enquiry from someone who wanted to repost an interesting article in a Facebook page but was worried about the legal implications. I expanded my response at the time into a lengthier summary of the main issues as I understand them, for an article for ESET.

I should probably make it clear that I’m not a lawyer, and not able to offer legal advice in that article (or anywhere else). The legislation relating to IP (intellectual property), copyright, patents, trademarks and so on, is a complicated subject (and widely ignored and difficult to enforce on the web). So while I hope to have cast a little light on a difficult subject, I can’t offer authoritative legal advice.

The article is here: Copyright and social media.

David Harley

Posted by: David Harley | December 4, 2015

Terrorists, hoaxes and malware

And here’s another example of how social engineering and real malware sometimes seem to merge. A story by Craig Charles that my colleagues at ESET Ireland brought to my attention: “Brutal Terrorist Attack” hoaxes go viral. And my comments for the ITSecurity UK blog: Terrorist Attacks, Hoaxes and Malware.

David Harley

Posted by: David Harley | December 4, 2015

Support scams and malware

It’s a bit of a stretch from tech support scams to ransomware, but I’ve added a ransomware information page to the AVIEN site to accompany the tech support resource page already there. (Announcement here.)

And, almost immediately, a story came up about a site that was serving a support scam, a data-stealing Trojan, and ransomware – Cryptowall, no less. So maybe it wasn’t such a bad call after all.

David Harley

Posted by: David Harley | November 26, 2015

Tech Support Scams Beginner’s Guide

Tech Support Scams: a Beginner’s Guide – a blog for IT Security UK. I thought maybe it was time we reconsidered what we tell end users about support scams and what they need to know, as the scammers shift their approach from cold-calling to pop-up fake alerts.

Also added to the AVIEN page PC ‘Tech Support’ Cold-Call Scam Resources.

David Harley

Posted by: David Harley | November 16, 2015

Hotel Key Cards: not usually a Security Issue

I first heard alarming stories about hotel keycards over a decade ago, though I don’t think I’ve written about the issue recently, or outside the healthcare organization I then worked for: I only started to blog publicly some time after I started writing for ESET. (My earliest blog piece for ESET seems to have been published in February 2008, though I’d been writing other articles for them for a while.)

The story that circulated when I first heard it concerned chain messages claiming that you shouldn’t let hotels have your key card back because they store potentially sensitive personal information such as the customer’s name, partial home address and credit card information, as well as more obviously relevant information (room number, check-in date, check-out date). The suggestion is that your data might be leaked or stolen when you return the keycard before it is re-encoded for the next visitor.

The story seems to derive from a case investigated by Pasadena police in 2003. The information it was based on was not intended to be shared with the general public until its accuracy had been verified, and it actually referred to a somewhat different issue: stolen keycards being re-used by criminals as cloned credit cards. In a subsequent retraction, the Pasadena police stated:

As of today, detectives have contacted several large hotels and computer companies using plastic card key technology and they assure us that personal information, especially credit card information, is not included on their key cards. The one incident referred to appears to be several years old, and with today’s newer technology, it would appear that no hotels engage in the practice of storing personal information on key cards. Please share this information with anyone who has a concern over the initial information sent out to others as a precautionary measure.

The rumour was debunked by the ever-reliable Snopes site long ago, but the fact that the topic has just been revisited for Kaspersky suggests that the story is still circulating, though I can’t say I’ve seen it recently myself.

David Harley

Posted by: David Harley | November 16, 2015

Tech Support Scams and the FTC

Commentary from me for the AVIEN blog, and added to the tech support scam resource page there, regarding an interesting article from The Register – FTC fells four tech-support operations in scammer crackdown – by Shaun Nichols, about the FTC’s latest move in the war against support scams.

The FTC (the US Federal Trade Commission) has turned its attention to ‘four companies and four individuals in its legal complaint (PDF) alleging violations of both the FTC Act and the US Telemarketing Act’.

The violations cited here take the form of fake system alerts, fake browser alerts, or fake security software alerts that advise the victim of a ‘problem’ with their device and direct them to a ‘helpline’ purporting to represent the vendor of one of the major operating systems, not only for old-school computers (Windows, OS X, Linux) but for mobile devices such as smartphones.

A preliminary injunction ordered by the United States District Court for the Eastern District of Pennsylvania prohibits the named parties from fraudulent marketing and billing (though you’d think that would be illegal anyway), and effectively freezes their assets while the FTC’s complaint proceeds.

David Harley
