Monday, the FTC released a report publishing principles and recommendations for consumer privacy. The report, “Protecting Consumer Privacy in an Era of Rapid Change” (summary and full report[PDF]) provides what the FTC considers best business practices around privacy. These best practices are not regulations, but they are intended to serve as guidelines for legislators in drafting privacy regulations. And they can also serve as a framework for the federal government’s own privacy policies and personal data practices.
At the core of the report, and in broader privacy circles, we see discussions center around three foundational elements of privacy: knowledge, consent, and control.
- Knowledge. The collection and use of information should be transparent. Consumers should know what is being collected, how it is being collected, how it is being used, and how it is being shared.
- Consent. Consumers should be presented with a mechanism for agreeing to these practices. The recommendations did not mandate an “opt-in” versus “opt-out” approach: whether the default policy if the consumers don’t take any specific action would be not to collect (“opt-in”) or to collect (“opt-out”). But the report does advance the notion that it is insufficient for organizations to provide an all or nothing approach, where conditions on use of a service or product requires you to submit to full data collection.
- Control. Consumers should have choices as to whether and to what degree, to participate in data collection, and how that data could be used; and companies should make those choices simple for consumers to understand and to execute.
Consumer attitudes about privacy and data collection is undergoing a fundamental change, driven by online data collection practices. Historically in the US, businesses have traditionally been given broad latitude in their actions as long as they are not fraudulent or deceptive. However, we’re witnessing a full 180-degree turn in consumer attitudes, which is what’s behind the FTC’s actions. Consumer concern over personal data collection and use by businesses is reaching critical mass, and it’s driven by concern over Internet powerhouses such as Google and Facebook, mobile carriers and ISPs, and the shadow worlds of online advertising networks and data brokers. Restraints on businesses over their privacy practices are inevitable.
Unfortunately, not all the consumer privacy news these days is good. More about that in my next post.
Inaccurate spelling means more than poor marks at school, it is a billion dollar business opportunity for typosquatters. At a single IP address, the AVAST Virus Lab has identified 8,600 typosquatting sites, registered variations of well-known sites or brands. Two identifiable targets were the Craig’s List online classified ad service and YouTube, other site addresses were parodies of Hotmail, Google, and YouTube – basically everyone.
After going to one of the identified typosquatting sites, visitors are redirected to one of several hundred “quiz” sites where they receive an offer of a “free” prize such as an iPhone. The sites typically make money through premium phone calls, selling advertisements, and reselling the emails collected from visitors.
Spelling errors are a huge moneymaker on the internet. A Harvard research paper estimated that a major search engine alone could be making nearly a half billion dollars annually just on pay-per-click ads from typosquatting sites. Add in the other search engines and the revenue from the sites identified by AVAST, and typosquatting could easily be a billion dollar market.
“It is not technically malware, but it is online fraud and features like AutoCorrect in Microsoft Word have really let people get lazy with their spelling,” pointed out Jindrich Kubec, head of the AVAST Virus Lab. “The popularity of Craigslist with this one gang gives us a great sample set to demonstrate the types of spelling errors the bad guys are looking for.” Read more…
The RSA Conference – the largest gathering of security vendors and the companies who buy their products – was held in San Francisco last month. Avast was in attendance, and I had the pleasure of moderating a panel on mobile security. Mobile security was also one of the top topics permeating the entire event. What I heard on the panel and throughout the conference, and what has been reinforced from my discussions with analysts and consultants to businesses, should have you all pretty worried.
The good news is that businesses want to embrace employees use of mobile phones and tablets. And it’s not just the biggest companies doing so: even small businesses are eager adopters of mobile technologies. After all, employees are more accessible and more productive when they can use their mobile devices for work. However, these are your devices; they are not the company’s and shouldn’t be treated as such. And that’s the challenge.
Businesses have legitimate concerns that these devices are inherently insecure, and that consumers don’t always secure their devices to the same level businesses do their PCs. They are also concerned about all the corporate data that these devices contain or can access, and that their loss or theft can compromise a company. And they are concerned that people will misuse their access to this data now that it’s on their person device.
The problem is that businesses want more security and control over your phone then they should have or even need: even more control than they have over the PCs they provide you.
- Because there are malicious apps, they want to keep a catalog of every app you install and be able to remove those applications without prior notice to you.
- Because mobile devices can hold private corporate data, they want the ability to wipe all data on your phone, also without prior notice to you.
- Because you could potentially misuse the phone by transferring corporate data between a business app (like email) and a personal app (like Facebook), they want to be able to monitor everything you do on that phone: your call logs, your text messages, all your social networking activity, all your browsing activity.
This blatant company disregard for employees’ privacy and property all in the name of security has gotten completely out of hand. One product that was given prominent attention at the conference basically rooted your device to put a monitoring and management layer underneath the operating system. Besides taking any semblance of control of your device away from you, this procedure would likely lead to voiding the warranty for many of your devices, especially Apple devices.
Using your mobile devices for work purposes should not require you giving up all your privacy rights or giving your company effective ownership of your device, without having to pay for it. If your company is letting you use your phone or tablet for work purposes, especially if it’s for more than email, then you should take a close look at your organization’s mobile policies – not just for what you should or should not be doing, but for what your company could be doing.
Does this situation seem familiar? I have just downloaded an awesome application which should contain thousands of new desktop pictures. The site name is www.bestsoftwareforever.com and wow, it must be pretty good. So, I run it and then this avast! AutoSandbox popup appears. Oh guys, why are you annoying me? I know what I am doing.
In few seconds, the AutoSandbox scan ends and another message appears: “This file appears to be malware”. Oh @$#%%, what is this application about? Probably it is a fake application which would harm my private data stored on the hard drive. Luckily, avast! and the AutoSandbox feature saved me this time.
The scope of behavior for AutoSandbox has been expanded for the new avast! 7.
The new AutoSandbox is now able to scan and analyze the behavior of selected files. In addition, this feature is connected to the FileRep cloud feature which identifies new files for additional analysis. So now we are able to warn you even before we have had the opportunity to examine this malware in our Virus Lab. This is a marked difference from the previous avast! 6 which was limited to only sandboxing suspicious files.
It also happens that the AutoSandbox toaster appears for programs which you are pretty sure are not infected. And in many cases, this can be intensely irritating: especially if you are a vendor of the application and you don’t want it to be marked as a potentially harmful program. In avast! 7, there is a new option to disable AutoSandbox. This might be useful for software developers when, for example, their internal application builds are being AutoSandboxed as low-reputation files.
Several reasons why we activate the AutoSandbox:
- Static analysis finds the file suspicious
Static analyses checks file content and looks for suspicious strings in file headers similar in virus definitions. Main static analysis reasons are:
- Application is not signed
It’s not mandatory to have a signed application, but signed software is statistically less likely to be harmful.
- Use of executable file encryption/compression
App writers and installers(self extracts) like executable compression/encryption because it makes reverse engineering more difficult. But, it is also used by malware to hide from antivirus scanners. A compressed/encrypted file without a digital signature is doubly suspect.
- The file prevalence/reputation is low
All new unknown files are potentially dangerous. Whenever they have become widespread, there will not be a reason to AutoSandbox them anymore.
- The file origin/source is suspicious
Freewebs and some file distribution servers have a reputation for paying less attention to the quality and origin of their software than official distribution servers. This is a long-run issue of reputation and income management.
- The file is executed from a remote/removable media
Running an application from the USB drive may cause the AutoSandbox dialogue box to appear –but the same app from your local hard drive may not. That is because many harmful apps are spread through removable media, increasing the odds of potential danger.
- Generic heuristics/suspicious context
- Invalid digital signatures
- Suspicious file names
- And there are more…
The guiding principle is that we secure your computer not only from known viruses/malware but also from viruses/malware which have not yet been uncovered.
So, the next time if you see an AutoSandbox popup appearing for your new application, read the message carefully. If you are not sure, run the app first in the AutoSandbox to prevent potential damage.
We like to think that the avast! voice telling us that our virus database has been updated is almost like a pleasant song, something to cheer us all up, reminding us that nobody needs to sing the PC blues.
So it’s great to know we’re not alone, and that our users also think this way. Here’s an example by “Ferrett Steinmetz,” an Ohio-based writer, who recently tweeted:
A quick read down Mr. Steinmetz’s twitter wall shows similar cleverisms about a large number of subjects. You can follow him on twitter @ferretthimself.
For nearly the past two years Avast has used iYogi to provide free phone support to our users, primarily our free users. With over 150 million users around the world, we naturally have some users that desire phone support. Delivering free phone support to the users of free products is obviously a challenge. As such, the freemium support model used by iYogi and others was very useful. With this support, Avast users received free phone support for any issue to do with Avast. Then, after helping the user, the user would be offered an opportunity to upgrade to an annual iYogi remote support package for any issue with their computer.
In general this model worked very well and provided free phone support to 20,000 – 30,000 Avast users a month. Customer satisfaction levels were also very high with just sporadic complaints. However, as Krebsonsecurity.com, a well-known blog on cybercrime and security issues, highlighted yesterday, at times this model did not work correctly. Instead, iYogi service representatives appear to have attempted to increase sales of iYogi’s premium support packages by representing that user computers had issues that they did not have.
Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage. We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable.
We had initial reports of this behavior a few weeks ago and met with iYogi’s senior executives to ensure the behavior was being corrected. Thus, we were shocked to find out about Mr. Krebs’ experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products. We believe that this type of service, when performed in a correct manner, provides immense value to users. As such, over the next weeks, we will work with iYogi to determine whether the service can be re-launched.
In the meantime, users can receive support via the other support options provided on our website. We will also work to ensure that any users that feel they have been misled into purchasing a premium support receive a full refund. We ask that users send any complaints or concerns to email@example.com or even to myself, the CEO, if desired, firstname.lastname@example.org.
When we attempted to open the URL, it was redirected to dumb.cn.mn which triggered the blocking action. The only content on dumb.cn.mm is one word – GOTCHA!
Senior Virus analyst, Jan Sirmer confirmed the attack when we couldn’t repeat the block. “The site, smcitizens.com, was hacked for sure, and redirects to a black hole site,” he said. “Malicious script on the site is checking visitor’s cookies, which is the reason why you don’t see the warning more than once.” Read more…
Running the customer service department here at the AVAST headquarters brings with it a huge variety of challenges – keeping over 150 million users satisfied is no easy task – and we see a whole range of emails from complimentary caricatures to concerning complaints.
During the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam. Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from “Avast customer service” reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.
I would like to set the record straight – here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either. We currently offer free and premium in-bound phone support for our English speaking customers (and also Spanish from next week) and we remain happy to assist as much as we can via email and our ever-popular user forum, but we do not make unsolicited calls – not for sales, not for support, and certainly not to try to scam our loyal customers.
We do always advise our customers to stay alert – online, and in this case, on the phone. Never disclose your credit card details to anyone unless you are specifically contacting them to make a purchase, never download software you are unfamiliar with, and never give access to your computer (remotely or in person) to someone you do not trust.
Stay Alert – Stay Safe
While taxpayers are the regular target of springtime malware schemes, this year the bad guys are aiming for the accountants.
A series of imposter emails are threatening recipients with the removal of their professional accreditation if they fail to respond promptly. The tax-phish appear to be from organizations such as the American Institute of Certified Public Accountants(AICPA), Better Business Bureau(BBB), and Intuit tax services.
After clicking on the email, users are redirected through a hacked legitimate site to the final malware distribution center where their computer can download fake antivirus or another malware package selected by the bad guys.
This spam campaign started in the last week of February. A tax-themed attack is a traditional feature of March and April as Americans prepare their income tax returns.
The tax-time malware is the latest example of the BlackHole Exploits Kit at work – and shows that the bad guys’ graphic and language skills are improving. Read more…
Last Friday, the German federal government decided on a law against internet scammers and subscription traps – the so called “button” solution. Sites like www.software-und-tools.de often cheated unsophisticated and often defenseless surfers, taking from them a three-digit sum while the surfers just thought they were downloading a freeware program. I’m happy with this new law – even if it is years too late and probably not comprehensive enough.
Using the example of www.winload.de, a well known page here in Germany, I want to introduce a relatively new scam today that is, unfortunately, also used by supposedly reputable sites.
Those currently downloading software through the www.winload.de portal must read the content of the page below the download button – where most users will not scroll – very carefully. (Update: After informing the website owner the Opt-Out infos are now visible above the download button) If you simply click the “Download” button, you will experience a surprise. After installation, the settings for the homepage and the search provider are changed – without any prior notice within the setup. In addition, an unsolicited toolbar is installed whose license conditions allow the operator to:
- Change of the default search engine in your Internet Browser’s built-in search box
- Change of the default Homepage of your Internet Browser
- Add an alternative “Page not Found” functionality
- Add other search related services
- Install updates on the PC
- Send notifications to the user
- Collect location-based information
- Collect information contained on your Social Network account and/or site
According to our tests, the provider of this toolbar does use these new rights! The browser’s built-in protective mechanisms, for example the query as to whether the user wants to use the new toolbar is circumvented. The toolbar and the changed browser-settings are retained, even if the downloaded software, which the computer owner considers (wrongly) to be the culprit, is uninstalled. Incidentally, the uninstallation of this toolbar using the provided uninstaller was unsuccessful in Windows 7 Ultimate 64 bit.
We at AVAST wish that the law against internet scammers and subscription traps would be extended. An end user neither wants his account to be hacked nor does he want his PC to be equipped with dubious toolbars using fictitious facts, and which henceforth provide him with unwanted ads and pass on his Facebook data. Until there is a reaction from the legislature, we will detect such downloads as malware – because that’s what it is in the view of our users.