Low-Tech Scareware

October 6, 2012

Once the first computer viruses, worms, and other malware had appeared on the scene, it was not long before software vendors, like McAfee and Norton, began to provide users with anti-virus software as a defense.  And then it wasn’t too long before the first scareware appeared to take advantage of that environment.  In one classic incarnation, scareware (which is essentially a “social engineering” attack) presented a message to the user, frequently in a pop-up window from a dodgy web site, saying that the user’s computer was infected with some dire virus.   The message would go on to say that terrible things were bound to happen; however, the user could return to serenity if (s)he purchased a special anti-virus program, which by lucky coincidence could be accomplished by simply clicking a link in the message.  The claimed infection was, of course, generally non-existent, and the anti-virus software worthless.  (It might erase some anodyne system file as “proof” that the infection had been removed.)

Usually, this was just a means of extracting money from gullible users, although it was always possible that the “anti-virus” software was the real malware.   If the user can be induced to install some arbitrary bit of software, the game is essentially over as far as defending the system goes.

This past week, Ars Technica reported that the US Federal Trade Commission [FTC] had filed six lawsuits in US District Court against 14 companies and 17 individuals the FTC says have been engaged in a similar scareware scam, with a twist: the initial approach was decidedly low-tech, via a telephone call.

By cold-calling victims and claiming to be from companies like Microsoft, Dell, and McAfee, the scammers directed users to a harmless error log on their computers and told them it was a sign of a serious infection, the FTC said. The alleged scammers went on to charge anywhere between $49 and $450 to “fix” the consumers’ computers.

The callers claimed that routine warning or error messages in  system log files indicated a grave malware infection, which they, by lucky chance, could fix.  (The means are different, but the basic idea of the scam is preserved.)   The FTC says that one company went so far as to purchase Google search ads, which showed up in searches for terms like “McAfee” or “anti-virus support”.

As with most of the original scareware scams, these callers apparently only wanted the money paid for their non-existent “services”, but the potential for something considerably worse is still there.

The basic lesson here is very simple, and applies to areas other than technology, too: don’t trust unsolicited phone calls, or E-mails, or …

Update Sunday, October 7, 16:30 EDT

Steve Bellovin, the FTC’s new Chief Technologist, has an excellent article on this case posted at the Tech@FTC blog.

The FTC’s New Chief Technologist

September 18, 2012

In my post yesterday, I talked about Prof. Ed Felten’s stint as the first Chief Technologist of the US Federal Trade Commission [FTC], and his comments on that experience.   Prof. Felten was successful at the FTC in at least one other important way: there will be a second Chief Technologist.

I am very glad to see that the FTC has made another excellent choice in appointing Prof. Steven M. Bellovin to the post.   Dr. Bellovin is a professor of computer science at Columbia University; previously, he worked for many years at AT&T Research. He has made many contributions to the development of the Internet, having served as a member of the Internet Engineering Task Force and the Internet Architecture Board.  He describes his research interests as “Networks, security, and especially why the two don’t get along”, and is co-author of the classic book, Firewalls and Internet Security: Repelling the Wily Hacker, first published in 1994, a copy of which has been on my shelves for many years.  Prof. Bellovin, in his new role,  has an introductory post on the Tech@FTC blog.

It seems to me that getting experts of the caliber of Ed Felten and Steve Bellovin involved in the FTC’s policy making process is a good thing from any reasonable point of view, and I think the FTC should be commended for making it happen.

Prof. Felten’s Take on Washington

September 17, 2012

Back in November, 2010, I wrote about the appointment of Prof. Ed Felten, of Princeton University, as the Federal Trade Commission’s Chief Technologist.   This was a term appointment, and Dr. Felten is now back at Princeton as a professor of computer science and public affairs.  He is also resuming his role as Director of the university’s Center for Information Technology Policy, and frequent contributor to the Freedom to Tinker blog.

Ars Technica has an interview with Prof. Felten, focused on his experience in Washington.

So what’s it like to be a geek in the land of lawyers? Ars Technica interviewed Felten by phone on Tuesday to find out.

The interview is short, but well worth reading for anyone interested in technology policy.  As the article points out, many people in policy-making positions in Washington have little to no technical background; many are lawyers.  And many of these people, regardless of their background, have some odd ideas about technology in general.

Computer scientists are a rare breed in lawyer-dominated Washington, DC, and Felten said it was sometimes a challenge helping policymakers understand the nature and limits of technology.

For example, he said a lot of people in Washington have a misconception that any problem “can obviously be solved if you try hard enough.”

In the absence of technical knowledge and understanding, many policy makers rely on getting advice from people they trust, on the basis of personal relationships.  This, of course, is at the root of the enormous lobbying business, but it is not all bad.  If the trusted people are actually competent, and not just pre-scripted automatons, it provides a means for technically qualified people to communicate their views.

… Felten said there are ways ordinary geeks can influence the policy process. The most important thing they can do, he said, is to develop relationships with people who do have direct connections to the policy process.

Although technology and science evolve quite rapidly, human nature has really not changed all that much.  Technical people ignore or discount personal relationship building at their peril.

Prof. Felten’s New Blog

April 30, 2012

In discussing technology policy and security issues here, I’ve frequently mentioned Professor Ed Felten of Princeton, director of the University’s Center for Information Technology Policy [CITP], who is serving a term as the Chief Technologist of the US Federal Trade Commission [FTC].  I’ve just discovered that, in his new capacity, he has recently started a blog, Tech@FTC; he describes the goal this way:

Our goal is to talk about technology in a way that is sophisticated enough to be interesting to hard-core techies, but straightforward enough to be accessible to the broad public that knows something about technology but doesn’t qualify as expert.  Every post will have an identified author–usually me–who will speak to you in the first person.  We’ll aim for a conversational, common-sense tone–and if we fall short, I’m sure you’ll let us know in the comments.

I have not yet had a chance to read all the posts that are there, even though there are not that many yet, but I am sure that they will be worth reading.  I’ll mention two recent posts that I have read.  The first explains why “hashing” data, such as Social Security numbers, does not make the data anonymous.  The second discusses why pseudonyms aren’t anonymous, either.  (I’ve previously written a couple of times about the difficulty of “anonymizing” data.)

I’m looking forward to reading the rest of what’s there, and to Prof. Felten’s future posts.  At the time his appointment to the FTC post was announced, I was pleased that someone so well-qualified had been chosen.  Reading the new blog reinforces that feeling.
