<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" version="2.0">
  <channel>
    <title>StopBadware Blog</title>
    <link>http://blog.stopbadware.org/articles.rss</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>Regaining Control of Our Computers</description>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/StopbadwareBlog" type="application/rss+xml" /><item>
      <title>Goldsmith: Govt. should set PC security standards</title>
      <description>&lt;p&gt;In a &lt;a href="http://www.nytimes.com/2009/07/02/opinion/02goldsmith.html?_r=1&amp;amp;ref=opinion"&gt;&lt;em&gt;New York Times&lt;/em&gt; op-ed piece&lt;/a&gt; today, Harvard Law School Professor and Berkman Center Faculty Co-Director Jack Goldsmith called on the federal government to regulate consumer-level PC security:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.&lt;/p&gt;
&lt;p&gt;Obviously we at StopBadware agree strongly with the first paragraph. Rather than taking a position on the second, I pose these questions that would have to be answered about Prof. Goldsmith&amp;#8217;s policy recommendations:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Would computer security standards be based on technology (e.g., computers must have real-time anti-virus scanning), principles open to interpretation (e.g., computers must be kept updated with security fixes), or something else? In any case, who decides on these standards and how do we ensure that they are kept current and do not benefit the software industry more than they benefit national security?&lt;/li&gt;
    &lt;li&gt;If ISPs are expected to play gatekeeper, how do we build transparency and a fair, responsive appeals process into the system? What happens when an &lt;span class="caps"&gt;ISP&lt;/span&gt; blocks my connection because they think I&amp;#8217;m sending spam, when in fact I&amp;#8217;m operating a high-volume, opt-in mailing list?&lt;/li&gt;
    &lt;li&gt;If the government &amp;quot;jump-starts this education,&amp;quot; who will actually provide the education? After all, blocking a user from the Internet because his computer is infected does not educate the user, it just creates a motivation for the user to become educated. Is the responsibility of helping the user to clean up and protect his PC the &lt;span class="caps"&gt;ISP&lt;/span&gt;&amp;#8217;s? The government&amp;#8217;s? StopBadware&amp;#8217;s? Or is the user just expected to be on his/her own?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These are not trivial questions, but there is precedent for answering all three successfully. Our Badware Guidelines have been a helpful tool in identifying applications that dip below a certain level of community expectations. Our independent review process keeps a check on our data partners&amp;#8217; autonomous detection of badware websites. And our BadwareBusters.org community and StopBadware security tips have proven a useful educational resource for website owners with compromised sites.&lt;/p&gt;
&lt;p&gt;Despite these successes, there are many differences between Prof. Goldsmith&amp;#8217;s proposal and StopBadware&amp;#8217;s independent, voluntary system. And setting minimum security standards for computers is a different animal than setting behavioral standards for applications. It remains to be seen whether the questions above can be adequately answered within a system like the one described by Prof. Goldsmith.&lt;/p&gt;
</description>
      <pubDate>Thu, 02 Jul 2009 12:25:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:206860a7-ce8b-403b-afbc-92ecc2a7ef46</guid>
      <comments>http://blog.stopbadware.org/2009/07/02/goldsmith-govt-should-set-pc-security-standards#comments</comments>
      <category>stopbadware</category>
      <category>policy</category>
      <category>cybersecurity</category>
      <link>http://blog.stopbadware.org/2009/07/02/goldsmith-govt-should-set-pc-security-standards</link>
    </item>
    <item>
      <title>New partner, new site reports</title>
      <description>&lt;p&gt;We&amp;#8217;re very pleased to announce that, as of today, &lt;a href="http://sunbeltsoftware.com"&gt;Sunbelt Software&lt;/a&gt; has joined Google as a data partner, providing updated data about badware websites to our &lt;a href="http://stopbadware.org/home/clearinghouse"&gt;Clearinghouse&lt;/a&gt;. (See the &lt;a href="http://www.stopbadware.org/home/pr_06302009"&gt;press release&lt;/a&gt;.) Sunbelt&amp;#8217;s research director, Eric Howes, has helped us out for a long time as part of our working group, and it&amp;#8217;s great to have the company on board in a more formal way. The new data allow us to extend and deepen our analysis of, and insight into, the badware website landscape.&lt;/p&gt;
&lt;p&gt;Adding a new data partner required us to rethink our database design and our Clearinghouse report page layout, so we&amp;#8217;ve been hard at work redesigning everything. The new report (&lt;a href="http://www.stopbadware.org/reports/ea91f656fdadcd0cf08831770039c715"&gt;example&lt;/a&gt;) incorporates more information&amp;mdash;both current and historical&amp;mdash;than our old report page, and it displays Sunbelt&amp;#8217;s and Google&amp;#8217;s data side by side with our independent review history.&lt;/p&gt;
&lt;p&gt;Do you have suggestions for future improvements to our report page or feedback on the changes? Let us know over at &lt;a href="http://badwarebusters.org/main/itemview/5247"&gt;BadwareBusters.org&lt;/a&gt;!&lt;/p&gt;</description>
      <pubDate>Tue, 30 Jun 2009 12:02:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:1f50f7c1-7178-435e-8ce2-b0fcf83516bb</guid>
      <comments>http://blog.stopbadware.org/2009/06/30/new-partner-new-site-reports#comments</comments>
      <category>sunbelt</category>
      <category>stopbadware</category>
      <link>http://blog.stopbadware.org/2009/06/30/new-partner-new-site-reports</link>
    </item>
    <item>
      <title>China's Green Dam is badware and so much more</title>
      <description>&lt;p&gt;StopBadware assisted the &lt;a href="http://opennet.net"&gt;Open Net Initiative&lt;/a&gt; in evaluating China&amp;#8217;s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.&lt;/p&gt;
&lt;p&gt;The software violates our &lt;a href="http://stopbadware.org/home/guidelines"&gt;guidelines&lt;/a&gt; due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user&amp;#8217;s work.&lt;/p&gt;
&lt;p&gt;Based on our and &lt;span class="caps"&gt;ONI&lt;/span&gt;&amp;#8217;s research, and also other research posted online, the software has additional flaws, as well, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China&amp;#8217;s policy of mandating such a product. As &lt;a href="http://opennet.net/chinas-green-dam-the-implications-government-control-encroaching-home-pc"&gt;&lt;span class="caps"&gt;ONI&lt;/span&gt;&amp;#8217;s report&lt;/a&gt;, released yesterday, concludes:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.&lt;/p&gt;
&lt;p&gt;Those interested should read the &lt;a href="http://opennet.net/chinas-green-dam-the-implications-government-control-encroaching-home-pc"&gt;full report&lt;/a&gt;, which explains both the software&amp;#8217;s behavior and the national reaction to the software, in detail.&lt;/p&gt;</description>
      <pubDate>Sat, 13 Jun 2009 07:38:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:8287cd9c-434f-489c-8a57-540c91b79bdf</guid>
      <comments>http://blog.stopbadware.org/2009/06/13/chinas-green-dam-is-badware-and-so-much-more#comments</comments>
      <category>all</category>
      <category>stopbadware</category>
      <category>oni</category>
      <category>china</category>
      <category>greendam</category>
      <category>badware</category>
      <link>http://blog.stopbadware.org/2009/06/13/chinas-green-dam-is-badware-and-so-much-more</link>
    </item>
    <item>
      <title>Microsoft Morro to proxy Internet traffic? Not likely.</title>
      <description>&lt;p&gt;A &lt;a href="http://www.pcworld.com/article/166513/will_microsofts_free_antivirus_app_be_worth_the_price.html"&gt;blog post at &lt;em&gt;PC World&lt;/em&gt;&lt;/a&gt; by Frank Ohlhorst implies that Microsoft&amp;#8217;s forthcoming free anti-malware product, Morro, will proxy users&amp;#8217; Internet traffic:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Morro will work by routing all of a user&amp;#8217;s Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real time, by examining all of the rerouted traffic.&lt;/p&gt;
&lt;p&gt;This seems very unlikely. First, the technical challenge of handling, and analyzing in real time, the Internet traffic of hundreds of millions of Internet users would be outrageous. Second, this would have tremendous privacy implications, and Microsoft has recently been pretty good at staying out in front of such issues.&lt;/p&gt;
&lt;p&gt;An intern here at the Berkman Center e-mailed the article&amp;#8217;s author to question his characterization of Microsoft&amp;#8217;s new service. Ohlhorst answered that the Windows-based client would route traffic to Microsoft&amp;#8217;s servers for analysis and back to the client, similar to &amp;quot;how Panda&amp;#8217;s hosted security works.&amp;quot;&lt;/p&gt;
&lt;p&gt;I suspect Ohlhorst is referring to Panda&amp;#8217;s Cloud Antivirus. If so, the comparison is probably closer to the truth than his explanation of it. Panda&amp;#8217;s service has a client that monitors the PC for new processes and, when one is found, sends a cryptographic hash of the executable up to &amp;quot;the cloud&amp;quot; to learn whether the process is malware. This is, at least in theory, more efficient and effective than each client downloading definitions each day. Several AV products from other vendors use some variation on this theme, sending hashes, URLs, or sometimes even entire suspicious executables to a central server for analysis and/or checking against an updated block list. My educated guess, from what I&amp;#8217;ve heard about Morro and seen elsewhere, is that Morro will do something similar, but will not route all of a user&amp;#8217;s Internet traffic to Microsoft.&lt;/p&gt;</description>
      <pubDate>Fri, 12 Jun 2009 11:41:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:000cf0fc-8dae-4eca-a3ad-46ccdf0a0e3f</guid>
      <comments>http://blog.stopbadware.org/2009/06/12/microsoft-morro-to-proxy-internet-traffic-not-likely#comments</comments>
      <category>stopbadware</category>
      <category>microsoft</category>
      <category>morro</category>
      <link>http://blog.stopbadware.org/2009/06/12/microsoft-morro-to-proxy-internet-traffic-not-likely</link>
    </item>
    <item>
      <title>President Obama addresses nation on cyber security</title>
      <description>&lt;p&gt;Within the past hour, President Obama addressed the nation from the White House to emphasize the importance of cyber security, to announce the release of the administration&amp;#8217;s report of its 60-day cyberspace policy review, and to announce the creation of a new White House position, the Coordinator of National Cyber Security.&lt;/p&gt;
&lt;p&gt;This represents an enormous step forward in national awareness of the role cyber security in general and malware in particular play in our economy and our physical security. Having the &amp;quot;leader of the free world&amp;quot; describe the threat of botnets and spyware on national television will expand press and citizen interest in this issue.&lt;/p&gt;
&lt;p&gt;As important as the threats, though, are the freedoms that the President discussed. He emphasized the importance of preserving both personal privacy and net neutrality while securing our infrastructure. He also pointed out that this will require a collaborative effort amongst individuals, schools, corporations, and governments from the local level through the national level, not just in the U.S., but internationally, as well.&lt;/p&gt;
&lt;p&gt;The attention is an important start, but of course execution is the key. Melissa Hathaway, Cybersecurity Chief at the National Security Council, posted some &lt;a href="http://www.whitehouse.gov/CyberReview/"&gt;information about the policy review&lt;/a&gt; she led, as well as links to &lt;a href="http://www.whitehouse.gov/asset.aspx?AssetId=1732"&gt;the report&lt;/a&gt; (PDF) and to &lt;a href="http://www.whitehouse.gov/cyberreview/documents/"&gt;the papers&lt;/a&gt; that informed the report. Based on a preview of the report that Melissa Hathaway delivered at the Kennedy School last night, I expect the administration is moving in the right direction. I look forward to reading the report, and I encourage others to do so, as well. Meanwhile, it&amp;#8217;s up to all of us to work together to build a safer Internet. StopBadware looks forward to playing a role in bringing together the people, the organizations, and the data that make this possible.&lt;/p&gt;</description>
      <pubDate>Fri, 29 May 2009 11:28:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:6847c2f2-c17c-4d0c-8451-83cb8ae15628</guid>
      <comments>http://blog.stopbadware.org/2009/05/29/president-obama-address-nation-on-cyber-security#comments</comments>
      <category>stopbadware</category>
      <category>policy</category>
      <category>government</category>
      <link>http://blog.stopbadware.org/2009/05/29/president-obama-address-nation-on-cyber-security</link>
    </item>
    <item>
      <title>SBW, ASC, NCSA launch Chain of Trust initiative</title>
      <description>&lt;p&gt;Today at the Anti-Spyware Coalition (ASC) public workshop in DC, StopBadware, the &lt;span class="caps"&gt;ASC&lt;/span&gt;, and the National Cyber Security Alliance (NCSA) launched the &amp;quot;Chain of Trust&amp;quot; initiative. From the &lt;a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;amp;STORY=/www/story/05-19-2009/0005029194&amp;amp;EDATE="&gt;press release&lt;/a&gt;:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Developed by the Anti-Spyware Coalition (ASC), National Cyber Security Alliance (&lt;span class="caps"&gt;NCSA&lt;/span&gt;) and StopBadware.org, the Chain of Trust Initiative will link together security vendors, researchers, government agencies, Internet companies, network providers, advocacy and education groups in a systemic effort to stem the rising tide of malware.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;[snip]&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;The first order of business in the Chain of Trust Initiative is to map the complex, interdependent network of organizations and individuals that make up the chain. Only by identifying all the vulnerable links and understanding how they connect to one another can malware fighters get a handle on the problem and begin to develop consensus solutions.&lt;/p&gt;
&lt;p&gt;For those interested in ideas coming out of the workshop, feel free to follow the tag #asc09 on Twitter, flickr, and other tag-enabled sites.&lt;/p&gt;</description>
      <pubDate>Tue, 19 May 2009 15:07:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:847df163-faf6-469e-bf29-109b543d80d9</guid>
      <comments>http://blog.stopbadware.org/2009/05/19/sbw-asc-ncsa-launch-chain-of-trust-initiative#comments</comments>
      <category>stopbadware</category>
      <category>ASC</category>
      <category>ncsa</category>
      <category>chainoftrust</category>
      <link>http://blog.stopbadware.org/2009/05/19/sbw-asc-ncsa-launch-chain-of-trust-initiative</link>
    </item>
    <item>
      <title>Silent patching works, but at what cost?</title>
      <description>&lt;p&gt;Last week, the ZDNet Zero Day blog &lt;a href="http://blogs.zdnet.com/security/?p=3316"&gt;summarized a report&lt;/a&gt; by researchers from Google Switzerland and &lt;span class="caps"&gt;ETH&lt;/span&gt; Zurich as follows:&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;Google&amp;rsquo;s decision to silently update the Chrome browser &amp;mdash; without the user&amp;rsquo;s knowledge or consent &amp;ndash; has put the company at the head of the pack when it comes to securing modern Web browsers.&lt;/p&gt;
&lt;p&gt;Indeed, &lt;a href="http://www.techzoom.net/publications/silent-updates/index.en"&gt;the report&lt;/a&gt; noted that, unsurprisingly, the less user intervention and aggravation required to update the browser, the more likely the browser is to be up to date on a given user&amp;#8217;s machine. It concludes by trumpeting Google&amp;#8217;s own Chrome browser as a success for using silent updates that successfully keep users&amp;#8217; browsers patched. It goes on to encourage other browsers to adopt a similar strategy.&lt;/p&gt;
&lt;p&gt;While the technical mechanism in question sounds like an effective and efficient way to update browsers, the lack of user control inherent in Chrome&amp;#8217;s system is concerning. There is no clear notice during installation or operation of the software that it will be updating itself automatically. (I didn&amp;#8217;t read the entire &lt;span class="caps"&gt;EULA&lt;/span&gt;, but then, neither will most users.) There is also no obvious place in the program&amp;#8217;s options screen for disabling this feature, in case you want to test using different builds or have some particular objection to auto updates or a particular change in a newer version.&lt;/p&gt;
&lt;p&gt;StopBadware has always been committed to the principle that users should be presented with the information and options necessary to make decisions about how software is installed, updated, and used on their computers. Google should be applauded for seeking new ways to increase browser security, but it should also be held to the highest standards for disclosure and user choice.&lt;/p&gt;
&lt;p&gt;What are your thoughts about Google Chrome&amp;#8217;s silent updating? Let us know over at &lt;a href="http://badwarebusters.org/main/itemview/3299"&gt;BadwareBusters.org&lt;/a&gt;.&lt;/p&gt;</description>
      <pubDate>Wed, 13 May 2009 15:43:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:ce2b0315-a6cb-4654-9c0f-919cb06f4bcc</guid>
      <comments>http://blog.stopbadware.org/2009/05/13/silent-patching-works-but-at-what-cost#comments</comments>
      <category>stopbadware</category>
      <category>badwarebusters</category>
      <category>Google</category>
      <category>chrome</category>
      <link>http://blog.stopbadware.org/2009/05/13/silent-patching-works-but-at-what-cost</link>
    </item>
    <item>
      <title>Don't forget the ASC public workshop</title>
      <description>&lt;p&gt;There&amp;#8217;s still time to register for the Anti-Spyware Coalition public workshop next week in Washington, DC. And, best of all, press, government, &lt;span class="caps"&gt;ASC&lt;/span&gt; members, educational and nonprofit attendees attend free! (Corporate attendees pay only $250 for a great all-day workshop.)&lt;/p&gt;
&lt;p&gt;Complete details and registration links can be found &lt;a href="http://antispywarecoalition.org/events/may2009.php"&gt;here&lt;/a&gt;.&lt;/p&gt;</description>
      <pubDate>Tue, 12 May 2009 11:15:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:7343742f-fd24-4f34-9997-3d16fd6f31fc</guid>
      <comments>http://blog.stopbadware.org/2009/05/12/dont-forget-the-asc-public-workshop#comments</comments>
      <category>stopbadware</category>
      <category>ASC</category>
      <category>events</category>
      <link>http://blog.stopbadware.org/2009/05/12/dont-forget-the-asc-public-workshop</link>
    </item>
    <item>
      <title>Canadian Parliament considers anti-malware law</title>
      <description>&lt;p&gt;The Canadian House of Commons is considering &lt;a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&amp;amp;Language=e&amp;amp;Mode=1"&gt;bill C-27&lt;/a&gt;, the Electronic Commerce Protection Act. In addition to providing civil penalties for unsolicited commercial e-mail (spam) and the unauthorized interception of e-mail (man in the middle attacks), it provides for similar penalties for the unauthorized installation of software.&lt;/p&gt;
&lt;p&gt;The specifics of the software installation section of the bill are interesting. (Disclaimer: I&amp;#8217;m not a lawyer, this isn&amp;#8217;t legal advice, etc.)&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The law would only apply to software installed &amp;quot;in the course of a commercial activity.&amp;quot; Commercial activity is defined broadly (and circularly, with reference to activity of a &amp;quot;commercial nature&amp;quot;), but I think I understand the meaning.&lt;/li&gt;
    &lt;li&gt;The law would require &amp;quot;express consent&amp;quot; of software installation, which is explicitly stated to include &amp;quot;clearly and simply&amp;quot; describing the &amp;quot;function, purpose, and impact of every computer program that is to be installed.&amp;quot; (Note that this is similar to section &lt;span class="caps"&gt;IIA&lt;/span&gt; of our &lt;a href="http://www.stopbadware.org/home/guidelines"&gt;badware guidelines&lt;/a&gt;, though it does not explicitly include the part about potentially unwanted behaviors.)&lt;/li&gt;
    &lt;li&gt;A party responsible for installing (or presumably distributing for installation) a piece of software would be required to provide contact info, valid for at least a year, through which someone could request the removal of the software. If the request is due to an inaccuracy in the disclosure, the installing/distributing party must assist in removing or disabling the software from the user&amp;#8217;s computer.&lt;/li&gt;
    &lt;li&gt;All penalties are in the form of fines, intended to be commensurate with the extent of the violation. Maximum fines are &lt;span class="caps"&gt;CDN&lt;/span&gt;$1,000,000 for an individual and &lt;span class="caps"&gt;CDN&lt;/span&gt;$10,000,000 for any other party.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This legislation seems pretty good, and I particularly like that it focuses on a simple, clear expectation of informed consent. Of course, much of the badware problem is global, so this won&amp;#8217;t be a panacea, but at least it will help the Canadian government go after certain types of badware that originate within their borders. Still, a few questions about the legislation:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Why is installing software without consent only an offense when it occurs &amp;quot;in the course of a commercial activity?&amp;quot; Stalking, espionage, mischief, and politics are all non-commercial motives to install spyware or malware without consent.&lt;/li&gt;
    &lt;li&gt;Who is/are the party/parties responsible for installing software via a drive-by download? Is it only an offense if the drive-by occurs on a commercial website?&lt;/li&gt;
    &lt;li&gt;Why no criminal penalties (e.g., prison sentences) for egregious cases where there is a clear intent to cause harm?&lt;/li&gt;
    &lt;li&gt;I found the section about providing contact information unclear. What, exactly, is a company supposed to do when someone calls to say, &amp;quot;I want this software removed from my computer?&amp;quot; The company is only expected to assist with removal if the disclosure was inaccurate, so what about when the user wants to remove the software for some other reason?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I think this legislation could be valuable even without answering these questions, but it would be really nice to know how these questions will be addressed. Do you have thoughts on this legislation? Let us know in the comments!&lt;/p&gt;</description>
      <pubDate>Thu, 30 Apr 2009 12:24:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:9f96dfeb-bb88-4e2a-98a9-bdaa7d7722ab</guid>
      <comments>http://blog.stopbadware.org/2009/04/30/canadian-parliament-considers-anti-malware-law#comments</comments>
      <link>http://blog.stopbadware.org/2009/04/30/canadian-parliament-considers-anti-malware-law</link>
    </item>
    <item>
      <title>Ascentive products removed from active alerts list</title>
      <description>&lt;p&gt;After a few months of ongoing communication with StopBadware, Ascentive (operator of the website FinallyFast.com) has released new versions of its PC SpeedScan Pro and Spyware Striker Pro products. Both appear to address all of the issues that led us to label them badware. We have therefore updated and archived &lt;a href="http://www.stopbadware.org/reports/reportdisplay?reportname=speedscan"&gt;both&lt;/a&gt; &lt;a href="http://www.stopbadware.org/reports/reportdisplay?reportname=spywarestriker"&gt;alerts&lt;/a&gt;. Thanks to the company for keeping us informed about new releases.&lt;/p&gt;</description>
      <pubDate>Mon, 27 Apr 2009 16:23:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:e04c18c9-bc06-4d70-bb11-f92004094203</guid>
      <comments>http://blog.stopbadware.org/2009/04/27/ascentive-products-removed-from-active-alerts-list#comments</comments>
      <category>stopbadware</category>
      <category>alerts</category>
      <category>finallyfast</category>
      <category>ascentive</category>
      <link>http://blog.stopbadware.org/2009/04/27/ascentive-products-removed-from-active-alerts-list</link>
    </item>
  </channel>
</rss>
