Phishing worsens, but defenses exist
Visit a rogue website and lots of nasty things can happen to your computer. You won't even see it happen because you'll be looking at free porn or you'll be gambling with the "free money" the website "gave" you. While you're otherwise occupied, the website will run through a series of tests to see what vulnerabilities your computer has. When it finds one, it will install something you don't want. This is how the bad guys are able to take control of millions of computers worldwide.
I spoke with Jess Kalish of IS3, the company that makes the free ZillaBar and other applications that are designed to protect computer users from the scum that settles on the Internet pond. The full interview (about 11 minutes long) will be part of the Technology Corner podcast for today's program. I encourage you to listen to it.
Here's how to obtain the free Technology Corner podcast from Apple's iTunes service.
The ZillaBar in action
The ZillaBar is supposed to be effective against phishing, but that's all. IS3's goal, of course, is for you to try (and then buy) some of their other applications, such as StopZilla, which includes real-time protection against spyware, malicious browser helper objects, keyloggers, Trojans that install "back door" access to your computer, browser home page hijackers, and such.
In practice, I found that it's not very effective against phishing. After installing the ZillaBar in IE7, I waited for a phishing e-mail to arrive. It took about 5 minutes. The message was clearly fraudulent.
ZillaBar update (21 Oct 2006)
After several weeks of trying to get in touch with Jess Kalish at IS3, we finally made contact this week. I had rated the ZillaBar as broken and wondered at the time if I misunderstood what it was supposed to do or if perhaps it didn't support Internet Explorer 7, which I've been running in beta form for the past few months.
ZillaBar doesn't work with IE7, but will by the end of November. At that time, I'll re-visit the program and let you know how well it works.
Here's the fraudulent e-mail. It's full of clues.
Before enabling the ZillaBar, I decided to see how good Microsoft's built-in anti-phishing technology is. This is a new feature in IE7.
The address bar turned red, there is a warning adjacent to the address bar, Microsoft intercepts the request, and I'm warned not to proceed. Only a fool would continue.
I turned off the ZoneAlarm anti-phishing filter and disabled Microsoft's anti-phishing filter.
Unfortunately, the ZillaBar provided no warning at all and took me right to the site, which displays a fake Verisign emblem and asks for enough information to gain access to my account.
I have been unable to follow up with IS3 to determine what the problem is. This may be a problem with Internet Explorer 7 or I may have misunderstood how it's supposed to work.
Whatever the cause, at this time I cannot recommend using the ZillaBar.
Overall: Pending full review and based on others' reviews. (3 cats)

I've modified the rating from 0 cats to 3 cats based on ratings by others. When I've had time to review a version that works with IE7, I'll modify this summary again.
I wish the ZillaBar really did intercept phishing sites because this would be helpful for people who are still using Internet Explorer (which is most of the world). IE7 has its own built-in anti-phishing that does work and other browsers have the capability built in or available as an extension. I hope to be able to post a follow-up report that says the ZillaBar is working. That seems somewhat unlikely because I've made several follow-up enquiries but have had no response. In the meantime, IS3's website is here.
Sometimes protective software gets in the way
When I tried to download and install the ZillaBar, I had trouble. It wasn't the fault of IS3, but a firewall can silently block access to a site that you really do want to visit. It took a few minutes for me to figure out what the problem was. Because I was grabbing screen shots along the way, it took a little longer than it might have otherwise.
Obtaining the download and getting the ZillaBar installed turned out to be more complex than expected, but not through any fault of IS3.
My preferred browser is Firefox, so I tried that first.
No go.
Internet Explorer 7 (beta 3) worked the same way. Both Firefox and IE7 include some security features, so I thought I had run afoul of one of those.
So I tried specifically allowing is3.com to display pop-ups, even though that clearly wasn't the problem. Other settings in IE7 weren't getting in the way, either.
This was turning into a first-class puzzle.
I could see the link for downloading applications, so I followed it to the download page.
Still no graphics, but I can see the ZillaBar link.
It appears that I'm moments from success. All I have to do is download the file ...
Clearly something is blocking access to the site. It could be something new in IE7, so I grabbed the URL and went back to Firefox.
Firefox allowed me to download the file, or so it seemed.
There's the file, right at the top of my download list.
But running it is unsuccessful.
This time I grabbed the download file name and pasted that into the location bar.
And that failed.
As it did in IE.
So clearly the problem isn't IE or Firefox. It's either a website problem or something on my end that's blocking the connection.
I didn't see anything obvious on the router that could cause the problem.
Because I wanted to take a look at the ZillaBar, I connected to the computer at my office and used IE to connect to the IS3 site.
I then downloaded the file to the office computer (15 miles away),
transferred the file to my local computer,
and installed it.
Success! (Even if I still can't see the IS3 site's images.)
I tried looking at a variety of "free porn" sites Google found (it's a sacrifice, but somebody has to do it). The ZillaBar never warned me.
Now it's time to solve the puzzle.
So here is the rest of the story.
My suspicion that a firewall was getting in the way was accurate, but I had looked at the wrong firewall. The hardware firewall wasn't blocking, but the new version of Zone Alarm blocks phishing and other rogue sites by default.
Zone Alarm seems to think ztopzilla.com is a site that should be blocked!
Once I had Zone Alarm's full attention and I explained to it that I wanted access to the site ...
... I got where I wanted to go.
Anti-spam measures can also protect against phishing
The company that provides website hosting for Technology Corner includes SpamAssassin. I have to admit that I've not always been a fan of SpamAssassin, but my opposition was based on seeing a system that hadn't been set up properly. SpamAssassin examines every piece of mail that arrives and rates it on a large number of criteria. The application can then tag messages it considers spam by coding the subject line or by adding an X-header. I have it code suspected spam with *S* at the beginning of the subject line and, because I set the trigger point liberally, I can be virtually certain that anything marked spam is spam. This procedure catches more than 98% of the spams I receive and misidentifies real messages as spam so infrequently that I can disregard that concern.
That creates an ideal solution. I can automatically examine and discard all messages that have *S* in the subject line. Occasionally I turn off the automatic deletion and examine the incoming messages to confirm that my assumptions are still viable. I did that on October 3 and here's what I saw.
Overnight I received well over 100 messages. The ones in purple have the *S* marker and would have been automatically deleted if I'd had automatic deletion enabled.
The messages shown in purple are all spam. Once they've been deleted, these messages remain. The ones I've highlighted are easily identified as spam – either from the subject line or the addressee. I have several addresses that rarely receive legitimate messages and all that's required is a quick glance to eliminate the crap.
After eliminating the spam, I was left with about 20 messages I wanted to see.
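As an added example (not the article's own code), here is the tagging-and-deletion procedure from this section in Python: SpamAssassin's leading *S* Subject tag decides, the X-Spam-Status header cross-checks it before anything is discarded, and a constructed message that merely mentions *S* mid-subject shows why only a leading tag counts. The sample messages and the X-Spam-Status layout are assumptions.

```python
# Added example, not the article's code: apply the author's SpamAssassin
# policy (suspected spam gets a "*S*" Subject prefix) to constructed mail.
# Assumes SpamAssassin also adds an X-Spam-Status header, as it does by default.
import email
import re
from email.policy import default

SPAM_TAG = "*S*"  # prefix the article's SpamAssassin setup writes into Subject

# Constructed sample messages (not real mail), one raw RFC 822 text each.
MAILBOX = [
    "From: bank-security@example.net\nTo: me@example.org\n"
    "Subject: *S* Verify your account now\n"
    "X-Spam-Status: Yes, score=12.4 required=8.0 tests=HTML_MESSAGE\n"
    "\nPlease click the link below.\n",
    "From: colleague@example.org\nTo: me@example.org\n"
    "Subject: Meeting moved to 3 pm\n"
    "X-Spam-Status: No, score=-1.2 required=8.0 tests=ALL_TRUSTED\n"
    "\nSee you then.\n",
    "From: friend@example.org\nTo: me@example.org\n"
    "Subject: Re: did you see *S* on that spam?\n"
    "X-Spam-Status: No, score=0.3 required=8.0 tests=NONE\n"
    "\nThe tag only counts at the start of the subject.\n",
]

_STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)", re.I)


def spam_status(msg):
    """(flagged, score, required) from X-Spam-Status, or None if the header is absent."""
    m = _STATUS_RE.match(msg.get("X-Spam-Status", ""))
    return None if not m else (m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3)))


def is_tagged_spam(msg):
    """The article's rule: only a Subject that begins with the tag counts as spam."""
    return msg.get("Subject", "").lstrip().startswith(SPAM_TAG)


def triage(raw_messages):
    """Split a mailbox into (kept, discarded) subject lists, like the author's
    automatic deletion; a tag that disagrees with X-Spam-Status is kept for review."""
    kept, discarded = [], []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=default)
        tagged, status = is_tagged_spam(msg), spam_status(msg)
        consistent = status is None or status[0] == tagged
        (discarded if tagged and consistent else kept).append(msg["Subject"])
    return kept, discarded
```

Turning the cross-check off (ignoring `spam_status`) reproduces the author's plain subject-line rule; leaving it on means a Subject tag that SpamAssassin did not actually set is reviewed rather than silently deleted.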
Nerdly News
Notice anything strange about last Friday?
Oh, sure, it was Friday the 13th. You probably noticed that. So did I. But I missed -- and unless you're someone who intensely observes every date looking for a pattern, so probably did you -- that the digits that make up the date did something that hasn't happened since January 13, 1520.
What happened in 1520 was repeated in 2006 according to Heinrich Hemme, a physicist at Germany's University of Aachen. The individual digits of 1/13/1520 add up to 13: 1+1+3+1+5+2+0=13.
So do the individual digits of 10/13/2006: 1+0+1+3+2+0+0+6=13.
If you suffer from paraskevidekatriaphobia (pair.uh.skee.vee.dek.uh.tree.uh.FOH.bee.uh, according to WordSpy) and also triskaidekaphobia or, according to WordSpy, tridecaphobia (try.dek.uh.FOH.bee.uh), Friday would have been doubly uncomfortable for you. Paraskevidekatriaphobia is a fear of Friday the 13th and tridecaphobia is fear of the number 13.
So if you were a little on edge Friday, now you know why.
Bugety, bugety, bug
This month's Microsoft patch day offered a record number of patches that covered both the operating systems and Office products. Users who run Windows, use the Office suite, and also have .Net framework products saw a total of 26 individual patches. And almost immediately another problem surfaced.
PowerPoint 2000, PowerPoint 2002, and PowerPoint 2003 are all vulnerable to an attack that security vendor Secunia considers to be "highly critical". The company has one higher-level threat, but explains that the "highly critical" designation is usually used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure.
Microsoft program manager Alexandra Huft posted a warning: "The reported proof of concept may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted PowerPoint file. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time." It is, of course, only a matter of time.
The temporary solution: Do not open untrusted Office documents. That doesn't mean just making sure a PowerPoint presentation is from someone you know, but also ensuring that the sender actually sent you the file and that it was created by someone who is trustworthy.