The Ad-Aware 2007 beta testing phase is winding down with the final beta scheduled for May 7th. That means we are gearing up for the product's worldwide commercial release in June – yes, June!
This launch is laying the groundwork for Lavasoft's future efforts against the next generation of malware and other cyber threats, an industry showing no signs of slowing down.
This issue of Lavasoft News focuses on crime and punishment. Read about the organizations trying to catch the bad guys behind online fraud. And just who are the “bad guys”? We fill you in on how cyber crime works. We also have a follow-up on the much talked about privacy and anti-spyware legislations.
Read a few of last month's Letters to the Editor on anti-spyware legislation. Write to firstname.lastname@example.org with comments on what you see in this issue and what you would like to see in future issues of LN.
Ad-Aware 2007 Launch in June
Investigating Cyber Crime - Those Doing the Chasing
Creating Cyber Crime - Those Doing the Running
Legislating Online Fraud - An Update
Top 10 Most Famous Hackers of All Time IT Security
New Targets in Detection (April 2007)
To get all news on one, printable page, click here
Ad-Aware 2007 To Hit the Shelves in June
With the help of feedback from our Ad-Aware 2007 beta testers, the final betas are being tested, tweaked, and refined. At the time of our Beta Six release on April 20, over 200,000 people were actively working with the beta, providing key feedback to our development team. The final beta release, followed by a two week testing process, is scheduled for May 7.
Our loyal community has been spreading the word on our upcoming new product, which is already garnering a positive response within the security industry.
"The Ad-Aware 2007 Beta features improved detection of adware and hidden malware, a scanning engine that goes easy on your PC's system resources, and a snazzy new interface," according to one journalist at PC World.
Our beta testers and Ad-Aware SE users alike have been eagerly anticipating the final product. As many of you who have test-driven the Ad-Aware 2007 Beta have seen, Ad-Aware 2007 is a fully redesigned product, giving you the tools necessary to combat today's constantly changing threat landscape.
"They can be assured that Ad-Aware 2007 is not just an improved version of Ad-Aware SE. Ad-Aware 2007 is a completely rebuilt product that will allow us to form a base for future detection of replicating and polymorphic threats. In addition to that, incremental Definitions File updates allow us to be more aggressive in detecting threats, moving towards our goal of zero-day updates," Lavasoft's Security Center Director, Christopher Allansson, says.
Among the host of new features of Ad-Aware 2007 are a fully redesigned engine, advanced Code Sequence Identification Technology, enhanced Detection Database with incremental and automatic Definitions File updates, new graphical user interface, automatic scans and Web updates with the all-new scheduler, Ad-Watch TrackSweep, Hosts File Editor, a system restore point, and multiple browser support.
We have had many questions coming in from our Ad-Aware SE users about Ad-Aware 2007's compatibility with Microsoft Vista. While we have had every intention of launching Ad-Aware 2007 as Vista compatible software, product development has recently discovered a technical glitch required for Ad-Aware 2007 to fully operate with Vista, and in order to meet the launch date that we committed for our worldwide customers and to completely comply with Microsoft's requirements for the Vista program, the product will not be Vista compatible immediately when launched in June.
Lavasoft developers are determined to resolve the issue, and to promptly deliver a Vista compatible version. The new Ad-Aware 2007 product has been built with the capability to immediately distribute version updates and patches (something that was not possible with the SE versions) and all Ad-Aware users with a valid license will immediately receive the Vista compatible update as soon as the issues are resolved.
"We know that Vista compatibility is an important issue for our Ad-Aware users, and it is a priority for the Lavasoft development team. We are doing everything we can to address the issue as quickly as possible, so that we can release a Vista compatible version of Ad-Aware 2007 this fall," says Lavasoft's Chief Technical Officer, Adelmo Pozzi.
Investigating Cyber Crime – Those Doing the Chasing
Cyber crime is no flash in the pan. Unfortunately, it's here to stay. As it spirals out of control, the investigators assigned to catch the bad guys are overwhelmed and understaffed.
It must feel like one step forward, two steps back.
Thankfully, there are organizations out there helping regular law enforcement with the onslaught of cyber crime: organizations like the Computer Crime & Intellectual Property Section (CCIPS) of the U.S. Department of Justice, and the Department of Defense's Cyber Crime Center, both of which work with other government agencies, the private sector, academic institutions, and foreign governments to prevent, investigate and prosecute cyber crimes.
Perhaps the most well-known law enforcement agency in a full-fledged battle to take down cyber cooks is the FBI (the Federal Bureau of Investigation).
According to the Bureau's website, its cyber mission is first and foremost, "to stop those behind the most serious computer intrusions and the spread of malicious code."
The FBI has several cyber operations, including a Cyber Division at FBI headquarters, specially trained Cyber Squads at 56 field offices across the United States, Cyber Action Teams that travel the world to assist in computer intrusion cases, and 93 Computer Crimes Task Forces around the country. Six years ago, the FBI also established the Internet Crime Complaint Center (IC3), a joint effort with the National White Collar Crime Center.
Unfortunately, prosecutions in a lot of cyber crime cases remain relatively few, as the nature and scale of the problem continues to grow.
One of the top problems for investigators today: Botnet controllers. In addition to being tech savvy, they move quickly and are well-practiced in evading the law.
"It's not impossible to track these guys down, but it's technical," Joe Stewart, a senior researcher with the SecureWorks security agency told CBC News Online. "It takes people that really understand the guts of these things, and unfortunately there are not enough of these people in law enforcement."
The Department of Justice is doing its best to assist local and state law enforcement in the fight against e-crime as these agencies often do not have computer experts on the payroll. The department recently released a manual providing details on how to investigate everything from cyber-stalking to spam and illegal hacking.
With no end in sight for cyber crime, several post-secondary institutions across the States have made it their mission to educate a new generation of e-crime fighters.
The University of Texas at San Antonio recently announced it will open a cyber security research center in June that will train students to become "cyber warriors."
The Cyber Defender Program at the University of North Carolina is one of only 22 universities in the U.S. with a program specifically designed to combat online hackers.
"We're very unique in combining the technical know how and also the criminology aspect," said program chief Dr. Bill Chu.
Students major in Criminal Justice with a minor in Software and Information Systems, or vice versa. According to Chu, many students who graduated with the combination major/minor have gone on to work for such agencies like the FBI.
If you think you or someone you know has been victimized by a cyber thief, the Internet Crime Complaint Center (IC3) is one of the places to turn. There is a complaint form available online here.
Creating Cyber Crime – Those Doing the Running
We know that cyber crime is flourishing and we know that investigators are struggling to keep up. But just who are the perpetrators of these attacks?
In the early days of online fraud, it was young, computer savvy whiz-kids hacking into government systems for fun and for the prestige. Today's attacks are carried out by a wide variety of cyber criminals from all walks of life.
According to ThinkQuest online library's Cyber Crime section, there are certain characteristics that define each and every cyber criminal: a substantial amount of technical knowledge; contempt for the law or feeling above the law; a manipulative and risk-taking nature; and an active imagination.
Criminals the world over have jumped on the cyber crime bandwagon, seeing the Internet as an opportunity to score: it is not a system owned by one individual, company or government; and there is almost unlimited access to a wealth of information of all kinds. These days it is our personal information cyber crooks seem to be most interested in because that is where the money is. To get the goods, it requires an entire network of people.
"This is... a community of criminals that is changing and adapting over time. It's a guy in his twenties in a rundown apartment in Ukraine or somewhere else in Eastern Europe who has a network of computers on which they're communicating with thousands of other people who he has never met in person, and who could be in any country around the globe. And these people are involved in a web of criminal activity," said Craig Morford, a leading authority on IT-related prosecution.
It is a tangled web they weave.
Just as in traditional organized crime the anatomy of a cyber scam, like phishing, includes several levels of organization – a hacker, a spammer, a data broker, documents and merchandise, a cashier and a money launderer.
According to Guillaume Lovet, the author of "Dirty Money on the Wires: The Business Models of Cyber Criminals", there are four groups involved in cyber crime:
Coders – these are the veterans of the hacking community. They have contacts, experience and produce ready-to-use tools like Trojans and bots for the so-called labor force – the 'kids'. According to Lovet, coders can earn a few hundred dollars for each illegal activity.
Kids – these are the newbies, generally teenagers - hence the name. They buy, trade and resell things like spam lists, php mailers, proxies, and credit card numbers. The money reportedly isn't as good for 'kids'. They generally take in less than $100 a month.
Drops – these are the people who convert the virtual money stolen in cyber crime into real cash. They are usually situated in nations lacking decent e-crime laws. Lovet claims Bolivia, Indonesia and Malaysia are currently popular. The 'drops' provide so-called safe addresses and legitimate bank accounts for goods and money to be sent to.
Mobs – professional criminal organizations that use coders, kids and drops. Organized crime makes good use of 'safe drops', and often recruits coders onto their payrolls.
Organized crime mobs from eastern Europe, most often Russia, Ukraine and Romania, have joined forces with hackers in recent years, a cooperation resulting in a slew of simple to sophisticated online attacks.
"Because organized crime is so well-entrenched there, and tolerated by authorities to some extent, they're the ones who are moving into it most aggressively," James Lewis, a senior fellow at the Center for Strategic and International Studies, told Wired.
In these countries, where corruption runs deep, economies are less than booming, and young techies lack opportunity, cyber crime has become too appealing to pass up.
For a more in-depth look at the inner workings of cyber crime, read Guillaume Lovet's full article "How cybercrime operations work – and why they make money" at Out-Law.com.
Crime and Punishment – A Legislation Follow-Up
Anti-spyware bills that would provide a national standard to regulate the spyware industry in the United States are still working their way through the legislative process, while pressure is mounting for uniform anti-spyware and consumer privacy regulations.
At the end of April, a House subcommittee made another step forward by approving the Spy Act (Securely Protect Yourself Against Cyber Trespass), which will next move to the full committee for consideration. The legislation would impose strict regulations on the types of actions software is allowed to perform, and allow the U.S. Federal Trade Commission to seek fines up to $3 million U.S from spyware creators.
The U.S. Congress has attempted for years to pass spyware and adware legislation that would override the web of existing state legislation. While some critics maintain that a sweeping bill could interfere with unintended consequences within the security industry, others are asking for greater authority to penalize spyware vendors.
FTC Commissioner William Kovacic called for increased punishment for spyware purveyors in the form of imprisonment, in answer to a question on whether or not the FTC is sufficiently equipped to combat the spyware threats PC users face, posed at a Senate Commerce Committee hearing.
"Many of most serious wrongdoers we observed in this area, I believe, are only going to be deterred if their freedom is withdrawn," Kovacic said at the hearing in mid April to discuss the Federal Trade Commission's 2008 budget request.
Part of the FTC's requested budget increase of $17 million U.S. would, according to testimony, provide new employees for the consumer protection mission's Privacy and Identity Protection Program, with $100,000 U.S. being used specifically to increase enforcement efforts to combat spyware.
Security breaches and data leaks have brought up another area of contention with members of the security industry, including major technology companies, vocalizing the need for uniform data security legislation to be passed in the U.S.
Microsoft Chairman Bill Gates called on Congress to pass an "all-inclusive" consumer privacy and security law by the end of the year in a recent speech to an audience of FTC officials, state attorney generals, and congressional representatives.
Gates addressed the need for federal laws to require transparency on data collection, grant users access to their own data and provide clear procedures for companies to follow when data breaches occur.
Senator Patrick Leahy followed up on Gates' speech with his own plan to move forward this year with his Personal Data Privacy Act, a broad bill that would impose fines and prison time on those who intentionally conceal information related to security breaches that cause economic damage.
"Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Leahy said in a statement.
Privacy advocates are also on the forefront of bringing about change for consumers' online privacy. American Betty Ostergren is taking matters into her own hands to enact change in personal data protection measures at the state and local level. Ostergrens's mission is to stop county and state government officials around the U.S. from posting personal public data on public records online, a practice which she says fuels identity theft and cyber crime.
Some states have responded to concerns by setting deadlines for removing certain private information from public records, while others have passed laws allowing citizens to send in written requests to remove their private data from online records. The state of California announced earlier this spring that, due to identity theft worries, it shut down online access to public records with sensitive data.
Identity theft concerns are also on the mind of a federally convened task force, which on April 23rd urged Congress to pass a new national strategy for punishing identity fraud.
Although identity fraud is already illegal in the U.S., the new plan calls for rewriting existing laws to punish the use of malicious spyware, increasing prison sentences for particular electronic data theft, and allowing victims of ID theft to receive monetary compensation for both direct financial losses and lost time when recovering from the crime. The panel also recommended creating a National Identity Theft Law Enforcement Center, enabling regulatory agencies, law enforcement, and the private sector to pool their information resources.
Government Agencies Score Poorly in Cybersecurity Survey
Public Exploit of Windows DNS Server Bug
Skype Worm on the Loose
Keyloggers Used to Hack WoW Accounts
iPod Virus Discovered