The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/aug7,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. It should not be mistaken for unbiased, objective journalism.
Get a good grip on your chair because this story might knock you right out of it. I've just finished picking myself up off the floor after reading about this.
While investigating a new mutation of the CoolWebSearch trojan, a Sunbelt researcher was astounded to discover that it was being used for identity theft. All manner of personal information is being uploaded to a publicly-viewable web server, including eBay passwords, PayPal passwords and passwords for bank accounts worth hundreds of thousands of dollars. Anyone who knows this web server's IP address can view all of this information!
[Update: New information reveals that the hijacker itself is not responsible for gathering and collecting the information. The keylogger is installed by the hijacker. See here for a more updated story.]
After initially rebuffing Sunbelt when they first made contact, the FBI now is said to be investigating the matter. Sunbelt also has tried contacting some of the victims of this identity theft.
CoolWebSearch is a particularly nasty browser hijacker with countless variations. They have hundreds, possibly thousands, of affiliated web sites who all feed traffic into coolwebsearch.com. Many of those affiliates use exploits for various flaws in Windows and Internet Explorer to install browser hijackers.
The motivation behind all of this, of course, is money. Coolwebsearch.com is nothing more than a collection of paid listings. If someone clicks the links on their web site, they are paid a small commission from the owner of the site being linked. In turn, CoolWebSearch pays their affiliates to drive traffic to their site.
They almost always have used unethical and possibly illegal methods to install this hijacking software. This is the first time, to my recollection, that they or one of their affiliates have done something so blatantly illegal. I have been practically begging the FTC to investigate CWS for well over a year. Although I am saddened that so many people have been victimized by this crime, I am glad that CoolWebSearch finally will be investigated for their activities.
We are going to keep an eye on this story. As we find more information about it, we will be posting it in SpywareInfo's news section. Keep an eye on this page or on this RSS feed for more information as soon as we see it.
Everything you do on your computer leaves a trail. When you surf to a web site, you leave behind internet cache, address bar history, web site visit history and cookies. When you open a document, Windows saves the filename into the registry. When you run certain programs, Windows saves a file into a temporary folder and sometimes does not delete it afterward.
You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history and even those nearly impossible to delete index.dat files. You don't have to waste all that time and energy. Privacy Guardian makes doing these tasks quick and easy.
Privacy Guardian cleans all of these items with the click of a couple of buttons. You can choose which cookies to save so that you don't lose the ones you want to keep. Windows usually protects the index.dat file from being altered, so usually that forces you to reboot the computer in order to delete it. When Privacy Guardian deletes the index.dat files, it simply unloads the Windows graphical shell. That means you don't need to reboot.
In addition to erasing common Windows tracks, Privacy Guardian also includes plug-ins for common non-Microsoft programs which leave usage tracks, such as Netscape, Adobe Acrobat, popular download accelerator products and many more. If a plug-in is written for a program not included in the third party list, it can be downloaded with Privacy Guardian's update feature.
Privacy Guardian includes a file shredder function. If you drag files into the shredder window, they will be overwritten a number of times before finally being deleted. Privacy Guardian uses the US Department of Defense standard (DoD 5220.22-M), rendering them unrecoverable by standard file recovery methods.
Privacy Guardian is published by PC Tools, who also publishes Spyware Doctor. We have worked out a discount for this week which gives you $10.00 off of each program. You can buy either of them for $10.00 off, or buy both of them together and receive a $20.00 discount off the price. You can read my review of Spyware Doctor for information about that program.
If you are buying just one program or the other, the coupon code is SPYWAREINFO. If you have any problems with the ordering page or with the coupon code (SPYWAREINFO), please email Catherine at http://www.spywareinfo.com/email2.php.
Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
This is straight off the EFF web site.
FCC Issues Rule Allowing FBI to Dictate Wiretap-Friendly Design for Internet Services
Tech Mandates Force Companies to Build Backdoors into Broadband, VoIP
Washington, DC - Today the Federal Communications Commission (FCC) issued a release announcing its new rule expanding the reach of the Communications Assistance to Law Enforcement Act (CALEA). The ruling is a reinterpretation of the scope of CALEA and will force Internet broadband providers and certain voice-over-IP (VoIP) providers to build backdoors into their networks that make it easier for law enforcement to wiretap them. The Electronic Frontier Foundation (EFF) has argued against this expansion of CALEA in several rounds of comments to the FCC on its proposed rule.
CALEA, a law passed in the early 1990s, mandated that all telephone providers build tappability into their networks, but expressly ruled out information services like broadband. Under the new ruling from the FCC, this tappability now extends to Internet broadband providers as well.
Practically, what this means is that the government will be asking broadband providers - as well as companies that manufacture devices used for broadband communications - to build insecure backdoors into their networks, imperiling the privacy and security of citizens on the Internet. It also hobbles technical innovation by forcing companies involved in broadband to redesign their products to meet government requirements.
"Expanding CALEA to the Internet is contrary to the statute and is a fundamentally flawed public policy," said Kurt Opsahl, EFF staff attorney. "This misguided tech mandate endangers the privacy of innocent people, stifles innovation and risks the functionality of the Internet as a forum for free and open expression."
At the same time, the Department of Justice (DOJ) is asking airlines to build similar backdoors into the phone and data networks on airplanes. EFF and the Center for Democracy and Technology (CDT) submitted joint comments to the FCC arguing against the DOJ's unprecedented and sweeping new technology design mandates and anticipatory wiretapping system.
The FCC's new proposal to expand CALEA to airline broadband illustrates the fallacy of law enforcement's rationale for its CALEA request. The DOJ takes the position that broadband has "substantially replaced" the local telephone exchange, but this claim is reduced to the point of absurdity aboard an airplane and opens the door for CALEA to cover just about anything.
Ok. Wow. George Orwell just turned over in his grave, Ben Franklin just slapped his forehead in the Astral Plane and Tim Berners-Lee probably is pounding his head on his desk.
What I want to know is, just how are they planning to do this? Backdoor access built into the internet's infrastructure sounds like a ridiculous idea.
If it is going to be a simple matter of logging into a piece of hardware over a certain port and using a certain password, then you might as well write off the American portion of the internet. People discover backdoors in routers and other products all the time. A backdoor will be found and it will be distributed to all of the black hats out there. When that day comes, America will find itself without internet access. Even worse, we could wake up one day to the news that black hats have been logging every PayPal log-in, bank log-in and credit card purchase made on the internet.
A backdoor is unnecessary. Every Internet Service Provider can log every single packet that transfers through a customer's connection. All law enforcement needs to do is to produce a valid court order and the ISP can dump a person's activity log to a file and hand it over. Verisign even offers a service where an ISP can route their data through their network and they will filter out anything requested in a court order. Why does the government want backdoor access when it doesn't need it?
I sure would hate to sound suspicious of my government. They are such angels, aren't they? However, it sounds an awful lot like they want to be able to access this information any time they wish, without needing the cooperation of the ISP. The only logical reason they would want to do that would be if they plan to skip a certain step in the process, such as obtaining a valid court order. Naahhh... My government never would do that, right?
The reason claimed for wanting to expand CALEA to include the internet is because Voice Over IP (VOIP) is replacing standard telephones. They can do that already just by tapping the customer's account at the ISP but disregard that for the moment. Pretty soon they won't hear anything but gibberish anyway when they do tap VOIP conversations.
Phil Zimmermann is very close to producing a VOIP system that uses end-to-end PGP encryption to secure phone calls. We know already that the FBI can't crack PGP encryption. While investigating a mobster a few years ago, they were forced to install a keylogger to capture his PGP password because they had no other way to open his encrypted computer files.
So what are we going to end up with now? An internet with backdoor access, a paranoid government tapping into whatever it pleases - with or possibly without a court order - and criminals who likely won't be obstructed in any way by all of this. And quite possibly, other countries might disconnect their portion of the internet from the American network out of self-defense. I know I wouldn't want to connect to a network with a known backdoor.
This newsletter is a day late. I'm sorry about that. I meant to work on it Thursday night but I was sidetracked. I spent most of Thursday night listening to The Chris Pirillo Show. It was a very funny show and I couldn't stop listening.
Pirillo spent nearly half the show terrorizing telemarketers. Three of them, in the same three hour period, called the phone number used for calling into the show. He actually put a pre-recorded interview on pause just so he could torture a telemarketer live on the air. Several of us were in his chat room egging him on. One woman lasted nearly five full minutes as she struggled to deal with his insane questions. That was five minutes of peace for someone else who wouldn't have been so amused about her call.
My last newsletter generated some colorful emails. If you don't remember, I stated that I would be more embarrassed to admit to being a telemarketer than a drug dealer. A few emails were from actual telemarketers. One in particular called me out for talking about something I don't understand. Telemarketing is work and if I had ever done it myself, I wouldn't be so quick to demonize them.
Well sorry sweetheart, but I have done telemarketing in a previous life. And I was so disgusted by it that I nearly was fired from my job.
Let me explain. About eight years ago, I worked for a certain newspaper in Savannah, GA, in the circulation department. The employees at my level (district manager) were required, once a month, to sit in the circulation office after hours to make cold calls. We were given a phone book and told to call people and try to sign them up for a newspaper subscription. We couldn't leave until either we met a certain quota or until the Metro manager became bored of watching us on the phone and told us to go home, whichever came first.
All of us district managers hated it. It was not our job to do telemarketing and we were not paid for working after hours (no labor union at that paper). Most of us were disgusted by the idea of bothering people at home.
After my third month in that job, I decided that I'd had enough of it. I and most of the other district managers held a secret meeting earlier that day. We decided that we were going to march into the circulation director's office and flatly refuse to do any more calls. And we did. And although I think I had a letter of reprimand put into my personnel file (they wouldn't let me see my file), that was the end of cold call night. I believe they started doing it again after I finally quit that job the following year.
Sometimes, you just have to stand up for your principles, consequences be damned. If you know it's wrong and you don't want to do it, don't.
Incidentally, we district managers absolutely hated it when a new subscription was generated by the in-house telemarketing people. Nine times out of every ten, those people didn't want the paper and they almost never paid their bills. When our paper carriers would try to collect the subscription fee, many of these people told them that they had signed up just to get the telemarketer off the phone. Every now and then, we would find a "subscriber" who never signed up at all. You see, the telemarketers were paid a commission for each subscription, so many of the sign-ups were bogus anyway. I remember one "subscriber" who turned out to be a seven year old boy who had answered the phone that day.
If you'll remember, last week's column was inspired by the fact that telemarketers are trying to override the "Do Not Call" (DNC) laws in certain individual states. What I experienced at the newspaper explains part of the reason why telemarketers hate these DNC laws and why they want to overturn them. Many people are baffled as to why telemarketers even would want to call someone who registers their number on one of these lists. Surely, if they took the trouble to opt out of sales calls, they are unlikely to buy anything.
That is a sound, logical assumption. It just happens to be wrong. Actually, a DNC list protects people like the ones we had to deal with at the paper, the people who sign up just to make the telemarketer go away. You know the person I am talking about. You probably have a friend or family member like this. They tend to be shy and they take great pains not to offend anyone. Rather than telling a telemarketer to go away, they will sit on the line and listen to the entire pitch and be too embarrassed to interrupt. Likely as not, they will buy something so as not to appear to be rude.
I had a girlfriend like this once. Any time I wanted to call her, I had to send her an instant message or page her first. Otherwise, she would not answer the phone. She could not tell a telemarketer to go away. She simply did not answer her phone unless she knew about the call ahead of time. What she did about door-to-door salesmen I can't say. Maybe she never answered her doorbell either.
These people are a telemarketer's best friend because it is very hard for them to say "no". These people are very likely to sign up for the DNC list. Their best customer is now off-limits and that's why telemarketers hate the DNC law. For people like that, the DNC law does more than eliminate a minor annoyance. It is protection from a problem they could not deal with before the law went into effect.
That the "Do Not Call" list is effective is undeniable. MCI recently closed a call center in Maryland and gave 300 telemarketers their walking papers. MCI cited the DNC list as a reason for closing the call center.
Do I feel sorry for them? Absolutely not. That's 300 fewer people who otherwise might bother us at dinner to pitch MCI's long-distance service. I place telemarketers in the same category as spammers. Big surprise here, I'm sure, but I have no sympathy when spammers are put out of business either.
Besides, it is hard to feel sorry for people in an industry that will continue to call a person even after they die, unless the surviving family members pay them to stop. I could have sworn it was illegal to ask for payment in exchange for being put on a DNC list. Apparently, it is not. Maybe I'll start my own DNC list and keep calling people until they pay me to stop.
One of the reasons the telemarketing people want to override the DNC laws of certain states is because of an unfortunate loophole in the Federal DNC law. If you have done some sort of business with a company in the last eighteen months, the DNC law permits them to call you, even if you are on the DNC list. According to Indiana's Attorney-General, all you have to do is buy a cup of coffee and the coffee shop now has permission to bother you at home for the next year and a half.
Although I can't imagine how the coffee shop would end up with my phone number by selling me a cup of coffee, that is really not the point. The state laws that the telemarketers want to override have closed that loophole. In those states, telemarketers cannot make calls to people on their DNC lists, even if they have bought a metric ton of coffee beans from them.
For the rest of us, even if we are registered on the Federal DNC list, we might have to deal with telemarketers working for companies with which we have done business. This is the best way to deal with that situation once you realize you have a telemarketer on the line. Tell them to place your phone number on their company's "Do Not Call" list. They are required, by law, to honor your request. If they call you again anyway, not only can you sue them for $500, they can be fined $11,000 by the Federal Trade Commission. You also should find out which company is responsible for the phone call and then stop shopping there.
Even if telemarketing were outlawed entirely, we still would have to deal with mountains of junk mail. While researching this story, I came across a page that explains how to opt-out of receiving "pre-approved" credit card offers, coupons and other generic junk mail. It won't stop all junk mail but it should reduce it. Your mailbox might receive a small stand of trees as opposed to an entire tropical jungle each year.
CNet news published an interesting article about Google a few weeks ago. Google has, in databases which currently are separate from each other, some extremely detailed information about their users. Between Gmail, personalized home pages, desktop search, Google's toolbar, their web accelerator program and the cookies left from searching Google's search engine, Google could have quite a lot of information about you, if they chose to tie all of that together.
CNet wonders how long Google's policy of "do no evil" can last. To make their point, CNet published personal details about Google's CEO, Eric Schmidt. The information they published was all found through an in-depth session with Google's search engine. It was a good point and they made it well, but I believe that it was distasteful and unnecessary to publish that. Google apparently agrees and was pretty offended by it. They have forbidden their PR people to return calls from CNet for a one year period.
It seems difficult to believe that Google would ever abuse the trust they have built with their users. Google usually is the example used when explaining how companies should operate. Their toolbar, for instance, makes it perfectly clear that it might gather information about browsing habits, turns that feature off by default and leaves it up to the user to decide if they want to turn it on. Most software companies can't be bothered to make their software so polite.
People trust that Google has no evil intentions with their toolbar, so most people turn on Page Rank and let the toolbar track which sites they visit. People trust that Google has no evil intentions with their personal information, so they sign up for Gmail or the personalized home page feature.
Still, they do have an awful lot of information about some of us. They could build a profile of individuals that would be so accurate that you'd think an author had spent years writing a biography. Google now is a publicly traded company. They have shareholders who expect a return on their investment. How long will Google withstand the temptation to start tying all of those various databases together? How long before they are tempted to bend the "do no evil" rule?
One thing that already mars Google's good guy image, and I have written about this before, is the fact that they refuse to make the updater in their toolbar optional. I have written about automatic software updaters several times and made my opinion very clear on the subject. Software should not be installed on a person's machine without their knowledge or consent, ever.
I originally learned of this non-optional updater after it caused a problem for one of the regulars at the message board. Something in the newest version conflicted with another toolbar and ended up damaging both of them. The person was unable to keep Google from updating her toolbar, so she was forced to remove it.
There is just something wrong with a software developer who believes he should have the final decision about installing or not installing software on the user's computer. Sorry, pal. This is my box, paid for with my money. I decide when software is installed on it, not you.
This same issue caused a problem with a friend of mine just the other day. She had the toolbar buttons arranged to her preference and was used to them being where she left them. Well, every time the toolbar updates itself, without her permission, it rearranges those buttons, also without permission. So rather than deal with this rude behavior, she simply has deleted the toolbar.
Ahem. Hey, Google. *tap* *tap*
You guys really need to do something about that updater. That thing is rude and it is costing you users. The good guys don't install code on other people's computers without asking. If it is going to bruise some poor code monkey's ego to make his precious updater code optional, send him to a shrink and tell him to get over it. You are supposed to be the good guys, remember?
This coming Tuesday, August 9, is Patch Day at Microsoft. Patch Day is the one day per month when Microsoft releases new software fixes on their Windows Updates web site. One of those patches will be to fix a "critical" problem with Windows, so make sure you visit the site and install those updates.
Those people using a pirated copy of Windows who are unable to install regular updates still can install security updates. Non-security updates are blocked if Microsoft determines that your copy of Windows is pirated. Security updates are not blocked, even if you do fail the new piracy check. Please, update your machine so that you don't end up taking part in the spread of some new virus or worm.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.