If it walks like a duck, quacks like a duck, looks like a duck, it must be a duck…
If software on computer communicated to third parties like malware, altered settings like malware, behaved like malware, it must be malware. You would think so but there is a threat to computer security that does not get classified as malware.
It gets around being classified as malware by making the user accept the software as part of an installation of other software. For example if you look at the Top 10 downloads from Download.com at the moment you will see at number three there is a program called YouTube Downloader, with nearly 800,000 downloads in the previous month.
When you install the software you get a typical install process for Windows, but with an additional option page for a Toolbar:
While there is an option to decline (which we strongly recommend you use!), most users do not. There is no informed consent for the user that they are about to install a potentially unwanted program, which will make changes to your computer. But if you click ‘Accept’ the toolbar takes over you browsers and your PC. In nature, this would be called a parasite, as it feeds on the others in a symbiotic relationship.
As the user has clicked ‘Accept’ to the legalese terms they have agreed to allow it control of their computer. Following the trail, brings you to a company called Spigot whose slogan is ‘Turn on the revenue’. In case you don’t realise it, they mean revenue for application developers by using your internet data, mined by the toolbar! You are the cash cow, as they make money on selling marketing information based on your surfing habits.
These terms include:
The information we collect is for basic reporting purposes only, and includes the following:
a) Date and time of installation
b) Date and time of un-installation
c) Originating IP address and the user’s country at time of installation/un-installation
d) Toolbar status in Internet Explorer or Firefox (i.e. if a toolbar is hidden or displayed in the browser)
e) Partner ID at time of installation
f) Toolbar version at time of installation
Information we collect during Toolbar Usage
We do not monitor the web pages you visit. When you perform a search, your search may be sent through our servers in order to ‘optimize the search result’. This will record the following anonymous usage information:
a) Date and time of search
b) Originating IP address
c) Partner / Channel ID of your Toolbar
d) Toolbar version
e) Search term
In addition, your web browser will communicate to us the same information it gives to every web server on the Internet. This could include information such as your computer hardware and software attributes, cookies for our site, and the URL of web page you are requesting.
How we use the Information we collect
Information we collect from you is used on an aggregate basis and for reporting purposes only. For example, we measure the total number of Toolbar installations per month in order to pay our partners, the total number of Toolbar searches conducted per month to measure growth patterns, the number of Toolbars used in Microsoft Internet Explorer or Mozilla Firefox per month to study browser trends, and so on. All information is collected in aggregate and never measured on an individual basis.
Information collected by Third Parties
Search results pages you visit when performing a search using the toolbar are provided by our search engine partners (i.e. Yahoo, Baidu, Yandex, eBay, Amazon). These search engines can track the following:
a) Search term that was entered into the search box
b) Originating IP address and the user’s country or OS language setting
c) Sponsored listings or other advertisements that were clicked on
d) That the search request came from the Spigot Toolbar and its associated revenue tag
The toolbar does not collect personally identifiable information or monitor your surfing behavior.
When you conduct a search using the toolbar, our content providers who supply search results (i.e. Yahoo, Baidu, Yandex, eBay, Amazon) may set or access cookies on your computer. The cookies are used for the purpose of measuring referrals from our toolbar on an aggregate basis and are not tied to your personal information. Many browsers offer users the option of declining cookies. If you do not wish to accept cookies, please modify the settings in your browser.
The toolbar communicates with our servers from time to time to check for available software updates such as bug fixes, patches, enhanced functions and new versions. By installing the toolbar, you agree to automatically request and receive updates. If you wish to turn off automatic updates, you can do so from the “Options” menu in the toolbar.
You can easily uninstall the toolbar in the traditional Add/Remove programs section in Windows, or from the toolbar by selecting
Options > Help > Uninstall.
You can easily hide or deactivate the Toolbar in Internet Explorer or FireFox by selecting View > Toolbars, and then unselecting the checkbox for the toolbar.
The bold type highlights the problem. It claims it only monitors your search terms without identifying you but your IP address is like a fingerprint. It always leaves a trail on every computer you communicate with and all those in between. The legal issue is that on its own an IP address is not classed as personal data, for example compare the UK stance with the US approach. In reality, every email you send, website you visit or post on a public forum can log your IP address. Combined with your email address or forum username and you can have personally identifiable data.
In addition some toolbars ‘optimise’ the search results to preferred companies whose activities may not be strictly legal or could be classified by some people as scam merchants.
Until these legal issues are resolved, Anti Virus and Computer Security companies cannot classify Toolbars as malware without risk of litigation from the companies involved, says a lot about the money involved here.
So there is a stalemate situation where you know its bad software but your security defences let it through as if it was ok. For now, all we can advise is when you install new software, read the install pages and look out for Toolbars and changes to your search engine and browser settings. If you see one, untick all options and decline it! Weasel words to look for include ‘Community‘, ‘Conduit‘, ‘Spigot‘ and ‘Mybrowserbar‘ amongst many… Clues to look for are those companies who don’t tell you where they are and have no publicly checkable address showing.
Say No to Toolbars and rid the Internet of another parasite by cutting off their revenue stream, namely your information.
One of the most common questions asked, is how did I get a virus on my Windows computer? Simple answer – human error.
To get a virus to infect your computer you had to do / not to do one or more of the following scenarios:
- Use Windows with no firewall and never update Windows (Windows XP Service Pack 2 or older, ME, 98, 95 users – that means you). The virus is sent by bad people to every computer on the Internet. Your lack of a firewall allows the bad code to enter your computer and without any other security the code will run. The computer is then in the control of the bad guys.
- Use Windows with a firewall, update Windows occasionally, but have no Anti Virus software. The firewall stops the bad guys code but you receive an email or instant message with an attached file, from person known or unknown (doesn’t matter!). You open email and double click on the attachment. Bad guys code runs, no Anti Virus which may stop the code, bad guys have control of your computer.
- Use Windows with a firewall, update Windows occasionally, use up to date Anti Virus software, but also use Internet Explorer to browse the Internet. You visit a web site. The trusted web site receives adverts from a third party but bad guys manage to get their bad code sent as an advert to all web site visitors of the trusted web site, including yours. Firewall does not help as you want your computer to communicate with the Internet. The bad guys code is new so not stopped by your Anti Virus software. Your Windows is not fully up to date and the bad guys use a known problem with Windows to get their code to run. The bad guys have control of your computer.
- Use Windows with firewall, up to date Anti Virus, Windows is fully updated, and you use Firefox. The bad guys publish a new message on FaceTubeHive which links to their bad website, under excuse of a funny / rude / surprising / adult / flash video (delete as appropriate). You click on link to see the mentioned funny / rude / surprising / adult / flash video (delete as appropriate). As you have never updated your Adobe Flash Player, the bad guys’ code uses a known problem with the software and the bad guys have control of your computer.
- Use Windows with firewall, up to date Anti Virus, updated Windows, updated Office, updated all installed applications, use Firefox instead of Internet Explorer with Adblock Plus and NoScript plugins. However you wanted to speed up your old computer / remove viruses from your computer / remove spyware from your computer (delete as appropriate) and clicked on a link to software that claimed to do just that. Guess what, the software is a fake and the bad guys wrote it. It is new code so not detected by Anti Virus software, and now the bad guys have control of your computer.
- You use Windows with firewall, up to date Anti Virus, updated Windows, updated Office, updated all installed applications, use Firefox instead of Internet Explorer with Adblock Plus and NoScript plugins, hardened to equivalent of Secure IT Foundation Standard Level 4 (highest!). Your kids use the computer and want to play a new game, they click randomly on links in Google / use eMule / use Bittorrent / use Limewire (delete as appropriate) and download bad guys’ code. They double click on the file and it goes to run. The kids are prompted to enter the administrators password which they do not know. They moan and whine, so you give in and enter your password for them. The bad guys’ code runs and they now have control of your computer.
It should be:
You use Windows with firewall, up to date Anti Virus, updated Windows, updated Office, updated all installed applications, use Firefox instead of Internet Explorer with Adblock Plus and NoScript plugins, hardened to equivalent of Secure IT Foundation Standard Level 4 (highest!). Your kids use the computer and want to play a new game, they click randomly on links in Google and download bad guys’ code. They double click on the file and it goes to run. The kids are prompted to enter the administrators password which they do not know.
- They moan and whine so you contact your IT Security professional and ask is this file safe to run. They check and say yes or no. You listen and kids may or may not have a new game to play. If not, you explained it was a computer virus and not a real game. You even told them the example of a Xmas present with a loaded mouse trap inside to explain that all that looks shiny may not be what it looks like. If you must demonstrate use your own fingers!
- You have some IT knowledge, upload the suspicious file to http://www.virustotal.com, and it comes back clean. You test it in a virtual computer using VMware or similar and find no problems or suspicious firewall traffic. Nothing happens, kids get new game the next day.
Anything less than full security all the time, is all it takes to give your computer to the bad guys.
Even with the highest level of security there are no guarantees and occasionally the bad guys get lucky and write code that goes through all defences. Only up to date backups will save you then, assuming you do make backups.
Prepare for the worst and you should be ok. Hope for the best and it won’t be ok. Security can be so simple.
It has been difficult to avoid the news stories regarding a Dutch company called Diginotar and the prediction of the end of Internet security as we know it. Some stories have been based on facts, while others have clearly been written just to sell news or by those who have little comprehension of how the Internet and computers work.
To help explain the saga we have written a FAQ based on queries we have received.
Who is Diginotar?
Diginotar is a private company set up in 1998 to supply electronic identity management products including the issuing of ‘digital certificates’ for secure Internet transactions. In 2004 the Dutch government trusted Diginotar with the responsibility for providing digital certificates for all government / citizen interactions under a scheme called ‘PKIoverheid‘.
What are digital certificates?
Digital certificates are part of the technology which allows a home computer user to communicate securely over the Internet for important transactions like banking, paying bills, interacting with government services online etc.
Each time you see padlock in your browser, or the address bar turns green or you see https:// in the address you browser has established a secure channel over the Internet using complex mathematics to provide encryption.
If you think that most of your Internet activity does not involve using a secure channel, you can liken it to using a postcard to send a message to a friend in the real world. Anyone can read the message between you and your friend. This may be fine for arranging a meet in a bar but you would not the world to be able to view your banking transactions in the same way. This is where digital certificates come in, to provide secure electronic communications.
Each major company who wants you to communicate with them purchase digital certificates from companies like Diginotar, called Certificate Authorities officially. These Certificate Authorities verify the identity of the company wishing to buy a certificate, and issues the company with a unique code. When you want to establish a secure channel with your bank, your browser receives part of the unique code and checks that is really does belong to the company it claims to be. This proves that you are talking to the right company and allows a secure channel to start.
How does my browser know the identity of my bank?
Your browser e.g. Google Chrome, Apple Safari, Mozilla Firefox, Microsoft’s Internet Explorer etc all contain a list of trusted Certificate Authorities including Diginotar, each represented by a unique code. These companies around the world are trusted to provide digital certificates, some government owned but mostly private companies.
When your browser wants to verify the identity of the company or organisation e.g. a bank, it obtains the unique code from the digital certificate for the bank and mathematically checks it that it is valid with the unique code stored by the browser for the issuing certificate authority. If all checks pass then a secure channel is started. The proper name for this secure channel is an ‘SSL‘ connection.
The digital certificate gives you trust that you are communicating with the right organisation or company. Extra checks are made for a scheme called Extended Verification SSL certificates. When used, these ‘EVSSL‘ certificates are the type that make your browser address bar change colour to green, which highlights the verified nature of the company you are communicating with.
So what actually happened?
Based on the information published by Fox-IT BV, a major Dutch computer forensics company sited close to the Secure IT Foundation base in Rotterdam. It seems that hackers gained access to Diginotar’s internal computer systems as early as 6th June 2011. The hackers then attempted to make their own digital certificates. On the 10th July they succeeded in making a certificate which allow them to impersonate Google. The hackers continued for 10 more days making hundreds of digital certificates for major companies and computer systems.
Finally a security breach was detected by Diginotar on the 22nd July and an unnamed security company was called in to report, which they did on 27th July 2011. The same day, other security experts began to report unusual use of Google’s digital certificate and the next day traced it and it was being used in Iran. Diginotar went public on the security breach on the 30th August 2011, with the consequence that Diginotar’s validity as a certificate authority has been revoked by most browsers in recent updates.
While information is still being gathered and full facts may never be known publicly, it appears that the Iranian authorities have been able to intercept ‘secure communications’ with any of the companies impersonated by these rogue digital certificates by anyone using an Iranian computer network for about a month. In addition there was a potential for people outside of Iran to have been redirected to websites under the Iran authorities control, allowing for interception to occur to non Iranian citizens.
A similar attack on another certificate authority was made earlier in March 2011 on a US company called Comodo, which Comodo blamed fully at the Iranian authorities. However in this case only 9 rogue digital certificates were produced and the incident was stopped in a much shorter time frame than Diginotar.
How does this affect my home computer?
You may have noticed Mozilla and Google updated their browsers recently and Microsoft issued a patch via Windows Update. These changes remove the use of Diginotar as a valid certificate authority. If you visit a website using on of the rogue digital certificates then you should get a message not to trust the website you are communicating with. If you see a browser warning about the website’s authenticity then it is best not to continue the session and seek expert advice.
Outside of The Netherlands and Iran, most people will not see any impact from this security breach. Secure communications in Iran have become significantly harder but the most affect country so far is The Netherlands. Diginotar also managed part of the PKIoverheid system for secure Government communications so there has been some disruption to the service while new digital certificates have been issued to replace Diginotar supplied certificates. Thankfully the Dutch government had the sense to use multiple suppliers so the digital certificates issued by Diginotar have been replaced by one of the other three accepted certificate providers, without collapsing the whole Dutch system.
Is the problem now solved?
The dust has yet to settle and there are claims that other certificate authorities like Diginotar have also been compromised, however until new information is confirmed it does appear that the matter has been finalised. Diginotar’s continuing ability to trade is certainly going to be questioned as the initial findings from Fox-IT show Diginotar to be well below best practice for a security business.
Although it can seem like we are only the bringers of bad news, once in while though we do have our good news. Our Secure IT Foundation site now has had over 750,000 visitors so hopefully a percentage of these have learned something about home computer security from our advice…
If you only ever update your computer’s operating system and applications once every few months, if at all, then it is time you checked your updates as June proved to be a busy month for security exploits used to take over your computer.
Java has been updated to Version 6 Update 26
Sumatra PDF has been updated to version 1.6, but do choose not to install the plugins for browsers.
Microsoft issued 16 new security updates for multiple versions of Windows. Link only works for Internet Explorer users sadly. If you have already installed the June updates, there has been an update released on the 28th June to fix an additional problem with TLS/SSL.
Apple released new versions for Itunes, Quicktime and MobileMe. From Windows run Apple Software Update but mind their trick of showing you items not installed in the hope you leave then selected!
While you are running updates, Skype also should be updated from the built in check for updates option.
If that hasn’t got you rushing to patch your PC, then either you do not consider your computer’s security important yet or you have already installed Secunia’s PSI application to check your patch level on a regular basis for you…
Once upon a time Apple Mac users were happy people, laughing at Windows users suffering with virus problems… As Macs became more popular, the malware and virus writers have turn more attention to the Apple operating system OSX. Now a fake Anti Virus program can run on a Mac without needing a password. This brings Mac security on a level par with Windows.
Perhaps as the Windows users have years of experience dealing with viruses and malware, the naivety and now abundance of Apple’s user base makes them ripe for the picking.
You can read the recent timeline of Apple’s security model failing here and then install the AV for Mac from Sophos for free before you get caught out. Don’t be a smug mac user, get protected and resign yourself to being no more secure than the Windows user next to you. Read the history of Mac viruses and find they pre-date Windows viruses by a few years!
The quicker Mac users accept the change then the quicker they can move on and begin to deal with the problem… Denial of a problem has always works so well with computers.