The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/aug1,2006.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are all commentary.
A McAfee spokeswoman has confirmed that consumer versions of several McAfee security products contain a very serious security flaw. The flaw allows an attacker to connect remotely to certain McAfee software programs and to run any sort of code the attacker chooses.
McAfee is testing a patch right now that should fix the problem. They expect to release the patch this Wednesday. The flaw does not affect 2007 versions of McAfee products.
The people who discovered the flaw have decided not to release exploit details just now, to avoid giving criminals the technical details before the flaw is fixed. This is a rare departure these days for those who discover such flaws.
Normally, this sort of thing would have been posted immediately to various "Full Disclosure" mailing lists, complete with full details of the flaw and, of course, numerous links to the discoverer's web site. It is nice to see that someone out there has heard of "Responsible Disclosure".
I don't know which is the lesser of two evils here. Do you remove the software while waiting for the patch, and sit exposed and unprotected against whatever dangers there might be? Or do you leave the software running and hope nobody knows how to exploit it? Whatever you do, make sure you run that updater on Wednesday if you have any McAfee products installed.
X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. X-Cleaner also features a unique mobile active-x spy scanning utility so you can login through your member's center and use it from public terminals.
One feature of the program even allows you to bypass hardware keyloggers which use no software that can be detected.
No installation required - simply download and use or you may install if you choose. X-Cleaner provides courteous support via e-mail for registered users. Software is delivered instantly via digital download and you can download new versions as often as you like for the first year.
You can even put this on a floppy disk and carry it to work in an envelope or in your shirt pocket. Insert floppy, scan and zap the keylogger or delete your surfing traces.
X-Cleaner was recommended by Kim Komando in her article for MSN, Danger, danger: 5 tips for using a public PC.
Features
1) New expanded detection and removal database.
2) General Interface Improvement - Users can now resize the program window to fit their screen any way they like, especially useful for the encyclopedia, where they previously had to scroll right.
3) Bypass *hardware* keyloggers using an onscreen keyboard for input - This is under the Expert tab for Deluxe users only and makes use of the built-in on-screen keyboard in Windows so that users can key in information without using physical keystrokes. This is very useful for sending sensitive material, since hardware keyloggers (a growing threat X-Block is working on) evade anti-spyware, which normally targets software loggers only. Given X-Cleaner's mobility in terms of file size, this is a useful little addition to have: you can go to an Internet cafe, sweep for keyloggers (or use the full active-x scanner in the members area) and then use the software-based keypad to evade hardware logging.
4) Direct link to online assistance integrated into the software - as always, X-Cleaner technicians are dedicated to providing prompt and professional e-mail support, even for hard-to-remove cases of the spyware plague.
If you have any problems with the ordering page, please email Catherine: http://www.spywareinfo.com/email2.php. Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
In the July 25 newsletter, I mentioned that I had spotted a pop-up ad for The March of Dimes.
I'll be honest. When I saw the ad the first time, I was outraged by it. "People donate money to this organization and this is how they spend it?" is the first thing that went through my head. I was two paragraphs into writing a nasty hatchet job about it before I calmed down.
It is a good thing I did calm down because, otherwise, I would have had quite a lot of egg on my face this week. And my cholesterol is high enough as it is, so that would just be bad all around.
A couple of days after that newsletter was published, an email came in from Jeff Bair, the head of online operations for The March of Dimes. I called his office and we discussed the pop-up ad.
The March of Dimes is not responsible for that pop-up ad. The adware company that uses it is not enrolled in the March of Dimes web site affiliate program. The March of Dimes has been scratching their heads since February, trying to puzzle out the origin of that pop-up ad.
The adware company does not have permission to use that ad. In fact, the ad promotes an event that took place over four years ago.
It is believed, by a number of people, that the adware company uses the ad to disclose itself. If you look very closely, you can read that this is the only ad that will show the adware's logo. Future ads will just pop up out of nowhere, with no explanation.
That is what passes for disclosure at this adware company - very small text in a pop-up window, displayed just once and only AFTER the thing already has installed itself. Obviously they have missed the entire point of having a disclosure in the first place.
I am starting to regret ever creating this list of file sharing programs. If history is any indicator, the information on half the listings will be inaccurate a week from now.
I had intended to have the entire list of programs retested by now. Unfortunately, I was late starting on it, due to the distraction of another project that popped up unexpectedly. I also wasted two days attempting to set up a dedicated test computer. I have only barely begun updating the list, but I should be finished with it this week.
I also changed the format of the list. Rather than simply declaring something to be "clean" or "infected", I decided to turn each listing into a checklist. I simply report what I see when I test a program and leave it at that.
Since each listing has far more information now, I will not be publishing it in the newsletter. I will announce it when I finish and you can visit the list itself, if you are interested in the information.
"Laptop containing personal information for 24 million consumers stolen!" How many times have you seen some variation of that headline in the last year? It's a wonder we all haven't had our identities stolen four times over in the past twelve months.
My question is, why are these morons carrying around these huge databases on their laptops? Are they crazy? This is why people invented SERVERS. You put the database on a server and the employees who need it can log into it remotely. If the laptop is stolen, someone changes a password on the server and we don't have millions of people nervously checking their credit reports every day for the next three years.
You want to know what is really scary? The theft of laptops containing all the information needed to open a line of credit in the names of millions of people is NOTHING NEW. This sort of thing has been happening for years, probably for as long as there have been laptops. We are hearing about them now only because the companies who lost them have been required by new state laws to report it.
There is an effort underway to correct this problem. That is, there is an effort to correct the problem of having to report the theft, not the problem of the databases being stolen.
House Resolution 3997, the so-called Financial Data Protection Act of 2006, is one of two bills floating around the US House of Representatives to address the situation. It really should be called the Financial Industry Protection Act of 2006.
What this misnamed piece of... "legislation"... proposes is that, when someone loses a laptop with the personal information of hundreds of thousands of people, the company that lost it can decide for themselves whether or not they should tell the people whose information was compromised. It also conveniently nullifies those troublesome state laws that otherwise would require them to contact those persons immediately.
HR 3997 requires a company to perform an internal investigation, if they believe someone may have lifted part of their database. Before it is required to tell *anyone* about the theft of data, the company ITSELF must decide if any of the following three conditions are met:
Here is the kicker. Even if the company knows for a fact that someone stole all or part of their database, they still can come to the conclusion that no theft of data occurred.
SAFE HARBOR FOR PROTECTED DATA- As set forth in the standards and guidelines issued pursuant to subparagraph (A), a consumer reporter may reasonably conclude that a data security breach is not likely to have occurred where the sensitive personal financial information involved has been encrypted, redacted, requires technology to use that is not generally commercially available, or is otherwise unlikely to be usable
If, despite all the ways they might weasel out of it, they are required to inform anyone that the theft has occurred, this is how they must go about it (with my comments in brackets):
ORDER OF NOTICE- The notices required under this section shall be made promptly to the entities described in paragraphs (1) [The US Secret Service] and (2) of subsection (c) [The government agency that regulates the company], then promptly to any appropriate third parties [No idea who that would be], and then without unreasonable delay to any consumers described in subsection (e)(1)(C) or (e)(2)(A)(iii) [The people whose identities are at risk], in accordance with such subsections.
Take note of the fact that the actual victim sits on the bottom of that particular totem pole. That, more than anything else, should tell you whom this bill was written to protect.
HR 3997 is designed to provide maximum protection for the information brokering and financial industries. Protection for consumers, what little there is of it, is almost an afterthought.
Now, let's look at House Resolution 4127, The Data Accountability and Trust Act. Whoever drafted this particular bill must be one of those rare persons in Washington who remembers that the government is supposed to work for the people, not against them.
HR 4127 does not require an investigation into whether or not the theft of data has led to misuse. It spells out, in remarkably clear language, that the first act of a company that loses a database must be to warn the people whose information was in it. And they must do this immediately.
HR 4127 requires information brokers to allow the people described in their database to inspect the information. If the consumer disputes what is in the information, the company is required to post a statement or a summary detailing what is under dispute.
The two bills agree with each other in a few areas.
Both bills require that companies which deal with information about consumers must take measures to protect the security of the data. Both bills, unfortunately, preempt any state law relating to this issue. Both bills rule out any possibility of a victimized consumer suing the company that caused their identity to be stolen. Both would expire after ten years.
While 4127 does preempt some tougher state laws, it also preempts several weaker state laws. In a few states, you have to prove that your identity has been stolen and is being used fraudulently, before they will allow you to order a freeze on your credit.
Overall, HR 4127 is the legislation that will do us the most good. These companies snoop into our lives and build dossiers that would have made the old KGB proud. When their foolishness leads to that data being stolen, they should be required to let people know their identities are at risk. People's lives can be ruined, emotionally and financially, when their identities are used to commit fraud.
Please, call or write to your Congressional representative and ask them to support HR 4127 and to withdraw any support from HR 3997. 3997 protects information brokers, at your expense. 4127 protects you.
"The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money." -Alexis de Tocqueville
I wish de Tocqueville's prediction had been correct. Someone is being bribed all right, but it sure isn't the public.
I want to draw everyone's attention to something I discovered, while researching the two bills in the previous article.
When a bill is considered in the House of Representatives, it has a main sponsor and a number of co-sponsors who want to have their name attached to it. I found a very stark pattern while looking at the co-sponsors of these two bills.
HR 3997 is the bill that protects information brokers and the financial industry, by giving them numerous ways to weasel out of having to disclose the theft of personal information. In 2005 and 2006, the sponsor and co-sponsors of HR 3997 have received $3,895,620 in campaign contributions from the financial, insurance and real estate industries.
HR 4127 is the bill that very bluntly protects consumers by requiring the industry to disclose such thefts immediately. In 2005 and 2006, the sponsor and co-sponsors of HR 4127 have received $1,094,654 in campaign contributions from the financial, insurance and real estate industries.
One person, Deborah Pryce of Ohio, is a cosponsor of both bills and received over half a million all by herself. Take her out of the equation and the numbers are even worse. With Congresswoman Pryce's numbers removed, the backers of HR 3997 received $3,384,122 from the financial industries, while the backers of HR 4127 received only $583,156.
Do you see that pattern I was talking about?
Now, you could dismiss this easily by saying that HR 3997 has 24 co-sponsors compared to 15 for HR 4127. Before you do that, you should look at the amount of campaign contributions each cosponsor took in individually. I am sure you will notice a pattern there as well.
Here is a list of the sponsor and co-sponsors of HR 4127, the bill that is friendly to consumers and bad for the financial industry. Next to their names are their state and Congressional district. Next to that is the amount of campaign contributions each one received from the financial, insurance and real estate industries, and in which two-year period.
H.R. 4127
Sponsor:
Rep Stearns, Cliff $57,500 (2005 - 2006) $79,500 (2003 - 2004)
co-sponsors:
Rep Baldwin, Tammy [WI-2] - $13,500 (2005 - 2006) $20,750 (2003 - 2004)
Rep Bass, Charles F. [NH-2] - $23,000 (2005 - 2006) $36,700 (2003 - 2004)
Rep Blackburn, Marsha [TN-7] - $33,000 (2005 - 2006) $63,750 (2003 - 2004)
Rep Bono, Mary [CA-45] - $12,000 (2005 - 2006) $24,431 (2003 - 2004)
Rep Dingell, John D. [MI-15] - $41,000 (2005 - 2006) $101,150 (2003 - 2004)
Rep Eshoo, Anna G. [CA-14] - $42,000 (2005 - 2006) $63,000 (2003 - 2004)
Rep Ferguson, Mike [NJ-7] - $67,106 (2005 - 2006) $113,000 (2003 - 2004)
Rep Gillmor, Paul E. [OH-5] - $112,500 (2005 - 2006) $107,000 (2003 - 2004)
Rep Inslee, Jay [WA-1] - $9,000 (2005 - 2006) $34,000 (2003 - 2004)
Rep Pryce, Deborah [OH-15] - $511,498 (2005 - 2006) $157,700 (2003 - 2004)
Rep Radanovich, George [CA-19] - $18,100 (2005 - 2006) $29,700 (2003 - 2004)
Rep Ross, Mike [AR-4] - $35,000 (2005 - 2006) $166,028 (2003 - 2004)
Rep Schakowsky, Janice D. [IL-9] - $24,800 (2005 - 2006) $35,850 (2003 - 2004)
Rep Shadegg, John B. [AZ-3] - $53,000 (2005 - 2006) $114,250 (2003 - 2004)
Rep Upton, Fred [MI-6] - $41,650 (2005 - 2006) $78,200 (2003 - 2004)
Now, take a look at the campaign contributions collected by those who support the industry-friendly HR 3997.
H. R. 3997
Sponsor:
Rep LaTourette, Steve C $142,500 (2005 - 2006) $172,248 (2003 - 2004)
co-sponsors:
Rep Bean, Melissa L. [IL-8] - $216,732 (2005 - 2006)
Rep Biggert, Judy [IL-13] - $158,581 (2005 - 2006) $183,803 (2003 - 2004)
Rep Castle, Michael N. [DE] - $134,772 (2005 - 2006) $222,485 (2003 - 2004)
Rep Cleaver, Emanuel [MO-5] - $40,500 (2005 - 2006)
Rep Foley, Mark [FL-16] - $95,500 (2005 - 2006) $189,223 (2003 - 2004)
Rep Gillmor, Paul E. [OH-5] - $112,500 (2005 - 2006) $107,000 (2003 - 2004)
Rep Harris, Katherine [FL-13] - $78,500 (2005 - 2006) $238,060 (2003 - 2004)
Rep Hinojosa, Ruben [TX-15] - $87,000 (2005 - 2006) $112,086 (2003 - 2004)
Rep Holden, Tim [PA-17] - $40,500 (2005 - 2006) $79,200 (2003 - 2004)
Rep Hooley, Darlene [OR-5] - $170,044 (2005 - 2006) $261,766 (2003 - 2004)
Rep Jones, Walter B., Jr. [NC-3] - $54,588 (2005 - 2006) $97,209 (2003 - 2004)
Rep Kennedy, Mark R. [MN-6] - $325,966 (2005 - 2006) $301,677 (2003 - 2004)
Rep McCotter, Thaddeus G. [MI-11] - $37,500 (2005 - 2006) $58,028 (2003 - 2004)
Rep McHugh, John M. [NY-23] - $20,000 (2005 - 2006) $22,000 (2003 - 2004)
Rep Moore, Dennis [KS-3] - $292,183 (2005 - 2006) $334,794 (2003 - 2004)
Rep Ney, Robert W. [OH-18] - $390,921 (2005 - 2006) $398,733 (2003 - 2004)
Rep Pearce, Stevan [NM-2] - $129,335 (2005 - 2006) $74,250 (2003 - 2004)
Rep Price, Tom [GA-6] - $14,000 (2005 - 2006) $36,750 (2003 - 2004)
Rep Pryce, Deborah [OH-15] - $511,498 (2005 - 2006) $157,700 (2003 - 2004)
Rep Renzi, Rick [AZ-1] - $239,396 (2005 - 2006) $315,986 (2003 - 2004)
Rep Scott, David [GA-13] - $135,563 (2005 - 2006) $185,195 (2003 - 2004)
Rep Shays, Christopher [CT-4] - $208,666 (2005 - 2006) $155,250 (2003 - 2004)
Rep Tiberi, Patrick J. [OH-12] - $238,875 (2005 - 2006) $236,787 (2003 - 2004)
Rep Wolf, Frank R. [VA-10] - $20,000 (2005 - 2006) $33,000 (2003 - 2004)
I won't even say it. Draw your own conclusions.
All of this data was collected from The Library of Congress and from opensecrets.org. It is all public information that you can look up for yourselves. Keep the information in mind later this year, when these people come home and ask you to re-elect them to Congress.
Check out FlyingHamster.com for the latest news headlines relevant to spyware, privacy and safely using the computer.
There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
FlyingHamster is updated every day - and several times during the day and night. It is updated continually, even on the weekends. We hope it will keep you informed on a daily basis - and keep your internet time a bit safer. As soon as I can get around to it, I will add FlyingHamster's RSS feed to SpywareInfo.
FlyingHamster belongs to my partner, Catherine. It is a free service, supported in the same way as SpywareInfo, by offering high-quality software at a discount. This week, FlyingHamster has a discount on Firetrust Mailwasher. Go check it out.
Running SpywareInfo has become an expensive thing to do. We are using three separate servers to display the site and to protect it from denial of service attacks. This is not a cheap web site to host.
If you would like to help with the costs, there are two options. There is PayPal for those who have a Paypal account or don't mind signing up for one (it is free).
Thank you very much for your contributions.
You can also purchase t-shirts, hats, bumper stickers and other items from our CafePress storefront.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved. Use of this site and its services is subject to our terms of use.