Tuesday, 25 May 2010

Openness, Copyright, Apache and BS

This in from F-Secure.
It is basically a trojan that pretends to be some sort of evil right-holder representative detecting infringing material on your computer, and demands payment in return for a bogus immunity from prosecution. Does not matter if you have infringing material or not. Only works on Windows, any version.

Quite a lot of people are vulnerable to this sort of extortion, considering that almost nobody checks their downloads for legality. In general, copyright online is ignored, even though we all know there are people prepared to cane us hard for it.

Interestingly, a basic BS test is failed at the opening title: "Copyright Violation: Privacy Content Detected". Privacy content? Surely a legitimate rights-holders organisation (or rather: their lawyers) would write "private content" for better English - or use more accurate legal terms like "infringing", "illegal" or "unlawful"? Copyright violations involve material that is publicly available, and so cannot be considered private at all.

What's more, lawyers are much more likely to act on behalf of their clients by mail, not through an anonymous application. Once alerted by that, you can see that the later message, that the information will not be forwarded to the rights holder if you pay up, reveals the lie.
...all data collected will be passes to copyright organisations and to the court...
Puh-lease: a real legal document is not going to mess up the English like that to start with, and "copyright organisations" is what the writers are claiming to be one of.

F-Secure make malware scanning tools, and have an online service which they tout on the same page reporting this scam. Now, the problem with that is the number of malware-scanner scams that do exactly this. So statements like:
You can use our free Online Scanner at ols.f-secure.com to check your system.
... themselves fail a BS test.

So how do you demonstrate that your claim is legit when so many identical claims are fraudulent?

In this case the company also provides the data on the malware that will allow you to independently verify it.
The malware is typically located in c:\documents and settings\USERNAME\application data\IQManager\iqmanager.exe. We've seen two versions so far. MD5 hashes of them are cedc2c35bf967027d609df13e937946c and bca3226cc1cfea416c0bcf488082e5fd.
You don't have to use their service so no need to visit the site or use the online scanner (never use an online scanner). Thus you can, at least, verify the information on the web-page even if you don't trust the page itself. This sort of thing is called "transparency" and is a powerful protection against scamming when it is used right.
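As an added example (not from the post and not F-Secure's code), here is a script that does exactly that independent check: it walks the user profiles, hashes anything sitting at the published location and compares it with the two published MD5 values. The profile root is the Windows XP layout the post quotes; the later-Windows path mentioned in the comment is my addition.

```python
import hashlib
from pathlib import Path

# Location and hashes published by F-Secure for the two samples seen so far
# (values copied from the post). The root is the Windows XP profile layout;
# on later Windows the equivalent is C:\Users\USERNAME\AppData\Roaming (my note).
PROFILES_ROOT = Path(r"C:\Documents and Settings")
RELATIVE_PATH = Path("Application Data") / "IQManager" / "iqmanager.exe"
KNOWN_MD5 = {
    "cedc2c35bf967027d609df13e937946c",
    "bca3226cc1cfea416c0bcf488082e5fd",
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, lowercase hex as F-Secure publishes it."""
    return hashlib.md5(data).hexdigest()


def classify_bytes(data: bytes, known=KNOWN_MD5) -> str:
    """'known_sample' if the bytes hash to a published value, else 'unknown_binary'."""
    return "known_sample" if md5_hex(data) in known else "unknown_binary"


def classify_file(path, known=KNOWN_MD5) -> str:
    """Hash a file on disk. 'absent' is the expected result on a clean machine;
    'unknown_binary' means something is at the published location but is not
    one of the two published samples, so it needs a closer look rather than an
    automatic verdict either way."""
    p = Path(path)
    if not p.is_file():
        return "absent"
    h = hashlib.md5()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return "known_sample" if h.hexdigest() in known else "unknown_binary"


def check_all_profiles(root=PROFILES_ROOT, relative=RELATIVE_PATH, known=KNOWN_MD5):
    """Check every user profile under root; returns {username: verdict}."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {d.name: classify_file(d / relative, known)
            for d in root.iterdir() if d.is_dir()}


if __name__ == "__main__":
    for user, verdict in check_all_profiles().items():
        print(f"{user}: {verdict}")
```

Nothing here talks to any website, so the verdict depends only on what is on your own disk and on the hashes printed in the post.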

While the software itself only runs on Windows, the basic vulnerability is the failure to do a basic BS test. You'll see this all the time on TV demonstrations like The Real Hustle (someone accepting your assistance walking does not normally support themselves by grabbing your wrist - they'd use your shoulder, for example - so if someone does this, you move their hand). The show itself fails the same BS test: if the mark is a target of opportunity, then how did they set up those multiple camera angles?

In the free software world we have seen a similar gotcha in the Apache crowd. The admin receives a message from a user to the effect:
I am having some problems browsing projects at [your hosting service] URL: http://tinyurl.com/evil-xss-attack
Some admins visited the site and fell victim to the attack, which captured their passwords and then everybody's passwords for the entire site. From there, other projects were compromised.

Yet the message fails the basic BS test as follows:
  • a legitimate complaint is specific, not vague. You get told what the problem was and which projects the problem is associated with.
  • you don't report a url to the admin using tinyurl. For those who don't know, tinyurl is a legitimate redirecting site used where the actual url is too long to be convenient - maybe it breaks the flow of the narrative (a 10-line url will do that) or it gets broken by new-lines in an e-mail making it unclickable. Neither situation applies here.
These are not just hindsight - they are well established and long-standing conventions in reporting problems. The accepted practice for an admin who does get a vague report is to ask for details before investigating. I'm not saying that there are no genuine problem reports which are also vague; I'm saying that these are not legitimate reports for investigation. It follows that if you have a genuine report, be specific and verifiable.
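The two rules above can be applied mechanically before anyone clicks. As an added example (not from the post and not anything the Apache admins ran), the script below flags a report that names no hosted project or hides its link behind a shortener, and shows how to learn where a shortened link points with a single HEAD request to the shortener itself, never loading the destination. The shortener host list and project names are assumptions.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Redirect-only hosts: the real destination is hidden until the link is followed.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def shortened_links(text: str) -> list:
    """All http(s) URLs in the message whose host is a known shortener."""
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() in SHORTENER_HOSTS]


def triage(report: str, project_names) -> list:
    """Apply the post's two rules: a real report names something specific and
    does not hide its URL. Returns the reasons to ask for details before
    anyone clicks anything; an empty list means the report passes."""
    reasons = []
    lowered = report.lower()
    if not any(name.lower() in lowered for name in project_names):
        reasons.append("vague: names none of the hosted projects")
    short = shortened_links(report)
    if short:
        reasons.append("shortened link(s): " + ", ".join(short))
    return reasons


class _StopAtRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; we only want to read the Location header


def expand_without_visiting(url: str, timeout: float = 10):
    """One HEAD request to the shortener itself, returning the Location it
    points at without ever loading the destination page. Needs network."""
    opener = urllib.request.build_opener(_StopAtRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # the 3xx surfaces here once not followed
        return err.headers.get("Location")
```

Run triage on the incoming message from a plain, logged-out context; if it returns anything, reply asking for the specifics rather than investigating.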

However, if you read the link, you'll see how openness and transparency limited the admittedly disastrous effects of this. All places where transparent processes were used were protected. Yet one person still comments:
Don't tell everyone the details of your security measures, let the hackers find out.
That is exactly the thinking that got them into this mess in the first place! If the security measures are any good, then it does not matter who you tell. If they are not so good, then the good guys you tell will say so and why, and you can fix them. Further, the analysis is useful for anyone else running Apache servers (which is most web servers). It's a heads-up of an important collection of vulnerabilities, an in-field test of common security measures, and a best-practice guide. Makes everybody safer.
