Mozilla is pissed. The company sent a cease-and-desist letter to the makers of government spying software FinFisher, saying it is using Firefox’s branding to “lie and mislead as one of its methods for avoiding detection.”

Mozilla wrote a blog post about the issue yesterday, saying Gamma International, the creators behind FinFisher, are “tricking people into thinking” the spyware is FireFox by using “Firefox.exe” as FinFisher’s filename, as well as providing Firefox source code to anyone who looks at the underlying code. The company worked with Citizen Lab to determine the fraud, which found multiple accounts of this happening in the wild. This includes a spyware attacks in Bahrain and Malaysia as well as in a promotional demo of the spyware.

FinFisher is known in the security community as a surveillance product that governments buy to spy on specific targets. As Ars Technica notes, it’s rumored that governments also use it to spy on its own citizens. The United States, Australia, Britain, Canada, Germany, India, and many more are said to use FinFisher.

“As an open source project trusted by hundreds of millions of people around the world, defending Mozilla’s trademarks from this type of abuse is vital to our brand, our users, and the continued success of our mission,” Mozilla privacy and public policy lead Alex Fowler said in the blog post. “We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy.”

Mozilla assures people that the browser software itself has not been compromised and is in no other way associated with FinFisher. The company says that this isn’t the first time people have abused its brand, using it for malware schemes.

Firefox photo via pelican/Flickr

Rocra is the latest in spyware attacking government entities around the world. The virus is a new piece of malware that Russian security firm Kaspersky Lab has discovered. It’s flown under the radar for five years — and it is still in use to this day.

Rocra, short for Red October, spies on governments with a number of “info-stealing modules,” or facets of the malware that nab and send back documents and other data from that computer. Created in 2007, it steals the usual data suspects, such as documents, PDFs, and a number of other file types, but it also specifically looks for the extension “acid.” This is created by an encryption program called Acid Cryptofiler used by NATO and some European Union organizations.

Cyber-espionage has become a big concern, as more reports of state-sponsored attacks surface. While there’s thus far no evidence to suggest that this is a state-sponsored attack, governments such as the United States are getting more serious about cyber-attacks and talking about beefing up preparation for them. Recently, outgoing Defense Secretary Leon Panetta said that we could be facing a “cyber-Pearl Harbor.”

Kaspersky belives that the malware writers are likely Russian-speaking, given a number of Russian phrases that show up in the malware’s code.

Kaspersky does not outright name the organizations that were infected by Rocra, but it did specify that the malware targets government organizations, scientific research organizations, embassies, and consulates. The majority of these infections were in Eastern Asia, though Kaspersky did find some in Western Europe and North America. The research firm discovered this by monitoring its cloud security tools and setting up a “sinkhole server,” or a server that monitors all traffic going in and out of the malware’s command and control server. From the sinkhole, Kaspersky learned that IP addresses out of Switzerland, Kazakhstan, and Greece contacted the command and control server most frequently.

The malware can also “resurrect” itself once a previously infected computer is wiped. When it is first installed, Rocra adds itself as a plug-in to Microsoft Word and Adobe Reader, according to Kaspersky. After the machine is “clean,” the attacks can send a document to the computer that revitalizes the virus when opened.

Furthermore it attacks more than just regular computers; it can also steal information from mobile phones (including the iPhone and Windows phones) as well as record data from network switches and routers.

A computer is infected with the malware through a simple social engineering attack. That is, the criminals will send a phishing email to their target in the hopes that they open an attachment.

hat tip The New York Times; Spying image via Shutterstock

Ubuntu is one of the most popular versions of Linux. Stallman is talking about its new network search feature, which he believes spies on the users:

Ubuntu, a widely used and influential GNU/Linux distribution, has installed surveillance code. When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical’s servers. (Canonical is the company that develops Ubuntu.)

Canonical CEO Mark Shuttleworth talked about the feature on his personal blog, prophetically subtitled “here be dragons.” Essentially, searching your files on your computer is also, by default, an online search. That online search includes potentially relevant results from Amazon, and if you buy something, Canonical gets a cut. This is not advertising, according to Shuttleworth:

“We’re not putting ads in Ubuntu. We’re integrating online scope results into the home lens of the dash.”

That extremely fine, perhaps microscopic distinction has escaped some of Canonical’s customers, who are wondering why, in the first place, a desktop search should be integrated with an online search, and why, in the second place, that online search wouldn’t be a Google search instead of a online retailer.

As JunCTionS says in a comment on Shuttleworth’s blog post:

Sorry if this is clear to everyone else, but you don’t seem to mention any typical websearch engine. I imagine there are even more Ubuntu users that use Google than those that use Amazon. Will it also search Google?

… it sounds to me that this would be more useful than an Amazon search engine.

For Stallman, however, the core issue is not advertising, although that’s certainly unwelcome. The core issue is the exchange of personal user information … even though Canonical does not send any personal information to Amazon, running the Amazon search query on its own servers based on information that it retains.

That has failed to mollify RMS, who wrote that “it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it.”

Shuttleworth’s answer seems to be: just trust us. After all, we control your machine anyways — we have administrator privileges on your computer:

We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf.

Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err.

That is not very compelling or simpatico.

In a post on the Canonical blog today, the company addressed the issue again, at least to a degree. After running through the new capabilities — searches for the Beatles will bring up their music on Amazon, where it can be instantly purchased without opening a browser — Canonical says that privacy has been a primary concern while developing this service:

Privacy is extremely important to Canonical. The data we collect is not user-identifiable (we automatically anonymize user logs and that information is never available to the teams delivering services to end users), we make users aware of what data will be collected and which third party services will be queried through a notice right in the Dash, and we only collect data that allows us to deliver a great search experience to Ubuntu users.  We also recognize that there is always a minority of users who prefer complete data protection, often choosing to avoid services like Google, Facebook or Twitter for those reasons – and for those users, we have made it dead easy to switch the online search tools off with a simple toggle in settings.

Aside from the issue of how unusual it would be for someone to be searching their own computer for commercially-useful queries like “the beatles,” or “Lord of the Rings movie,” this is unlikely to satisfy privacy advocates.

And it most certainly will not satisfy RMS.

photo credit: Maurizio Scorianz via photopin cc, Hat tip: Ars Technica

The Federal Trade Commission will prevent seven computer rental companies from spying on customers in a new settlement reached today. The businesses were caught stealing pictures, screenshots, and sensitive information from customers.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said FTC Chairman Jon Leibowitz in a statement. “The FTC orders today will put an end to their cyberspying.”

A company by the name of DesignerWare licensed the spyware out to the seven rental companies. The software was intended to track the location of rented computers in the case a unit was stolen, lost or abandoned. It also let the rental company shut down the computer if the renter stops paying. The FTC came down on the the businesses for not informing their customers that the software was installed and tracking the units’ locations.

But the software goes further than that. It has a separate function called “Detective Mode” that makes up the majority of the spyware. In this mode, administrators at the rental company logged keystrokes, took screenshots, and turned on the computer’s camera to take pictures of the surrounding area. The FTC says bank account information, private emails sent to doctors, and pictures of children, as well as “partially undressed individuals” were all stolen by the rental companies.

The FTC names Aaron’s, ColorTime, and Premier Rental Purchase as three of the rental companies involved.

In the settlement, the FTC banned both DesignerWare and the seven rental companies from using “Detective Mode.” The FTC specifies that customers must be made aware of any activity on their computers, including GPS tracking, and also banned the use of a “fake software registration screens” that the rental companies used to phish private information from customers.

hat tip The Hill; Spying image via Shutterstock

Spotflux is a desktop application for Mac and PC, so any service, from Skype to web to browsing, that encrypts your connection through a virtual private network (VPN). It also keeps your personal activity from being tracked and your browsing history away from prying eyes. Finally, it checks for inbound threats like malware and spyware.

“There is a large gap between what consumers are willing to share online, and what’s actually being shared without their consent,” said co-founder Dean Mekkawy. “We created Spotflux to give consumers the opportunity to take back control of their privacy online. We don’t break the basic functionality of the web, our goal is to stop tracking cookies from harvesting your information when you are on third party.”

An example of Spotflux in action? When the government of Iran tried to block Internet access for its citizens last month, the more than one thousand Spotflux users in Iran were able to continue accessing the web, while remaining safe from the sort of deep packet inspection that might tip off the repressive regime. “We’re not trying to liberate any particular part of the world, but another big part of our mission is making sure the web is open to everyone.”

How big of a market is this? “Everyone online today has lost control of their privacy.  Big companies like Facebook, advertisers, employers and governments look at everything you do online,” said John Backus, founding managing partner, New Atlantic Ventures. “We invested in Spotflux because of these emerging privacy concerns and its universal appeal to the 1.2 billion people using the Web. Consumers, policy makers and activists are fighting the privacy issue hard but they often face a daunting and cumbersome process. Spotflux has removed the burden for more than 100,000 customers across 121 countries – before its formal launch – demonstrating that consumers are actively seeking a more secure, more private, more open Internet.” With the initial round of funding, Mr. Backus joined the board of directors.

Right now the service is drop dead simple, one click to download, one click to install, and toggle to turn it on or off. Mobile is the next big step the company would like to take. Eventually they will craft a sort of freemium model, allowing for some granularity in terms of privacy settings or a version that works with governments and enterprise.

There will also be a process of educating users. “When you go to a site and see, oh 10 of my friends have liked this, it’s because there is a tracking cookie that identifies you,” says Backus. “So when that stops working, users will have to think hard about the trade off of allowing themselves to be followed around the web.”

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Mobile security company Lookout Mobile released a new app today to show just how many mobile threats exist.

The app, called Mobile Threat Tracker, opens up to a view of the earth, shadowed like nighttime. A glow across the globe suggests Lookout Mobile users. It shows attacks in real time as Lookout Mobile’s security application detects and deflects them. This is then translated into what seems like a shooting star. You can travel around the globe by swiping your finger side to side to see attacks in progress. You can also look at analysis for the week on the top three threats and see what kind of threats those were. For instance, this week mobile users saw 60 percent more malware attacks than spyware attacks, including the attacks RuPaidMarket, Legacy, and DepositMobi.

Lookout Mobile creates antivirus software for both iPhones and Android smartphones, the latter of which bear the brunt of mobile malware attacks. Recently, the company created its Lookout Labs division to create more mobile products, separate from its antivirus arm. These mobile products serve the company by showing just how prevalent threats are. Its Carrier IQ app, for example, helps people detect whether spying software is on their phones.

One of the developers in the division, who just goes by Yuri, came up with the idea for Mobile Threat Tracker as a way to answer questions Lookout frequently hears from users like, “Are there really mobile threats?” or “What are the most common mobile threats?”

“I thought it would be interesting to build an application showing the many threats that Lookout detects across the world, telling the story of these individual users at a macro level,” he said.

Lookout recently reveled its top mobile threat predictions for 2012. Smartphone users should be looking out for more SMS fraud, which comes through an infected application and charges you money based on sent text messages. Also in the mix are malicious advertising links in applications and mobile botnets. Indeed, Lookout predicts that a smartphone user has a 30 percent chance of clicking a malicious link over a year.

Currently, Mobile Threat Tracker is only available on Android. You can download the free app here.

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Carrier IQ is an insanely invasive bit of software, and it’s on at least 100 million phones, entirely without the owners’ knowledge.

If you use an Android device, there’s now a simple way to find out if Carrier IQ is already installed on your phone.

We first showed you how Carrier IQ works earlier this week. Basically, it’s low-level mobile ware that tracks everything you do — your apps, your phone calls, your locations and even your text messages, perhaps keystroke by keystroke — and then stores the data and sends it to your mobile carrier.

One mobile developer, Trevor Eckhart, took it upon himself to find out how Carrier IQ actually works, and the Internet has been in an uproar over the blatant invasion of privacy ever since.

We wouldn’t be sounding the alarm about this software if it wasn’t incredibly widespread. In early 2009, when Carrier IQ was raising a $20 million finding round, the company said its software was already installed on 35 million cell phones through seven mobile vendors.

However, by the middle of last year, when the company raised another $12 million round, it told VentureBeat its software had been deployed on more than 90 million mobile devices by 12 leading vendors worldwide.

So if you’re concerned about your privacy or if you just want to know whether or not Carrier IQ is on your Android phone, here’s the app to check out: Carrier IQ Detector [Android Market link].

This new app comes from Lookout Labs, a mobile security firm. Lookout’s Tim Wyatt writes, “While there are a number of blogs that have posted instructions on how to detect and/or remove Carrier IQ software, these are largely technical in nature and difficult for the average user to follow.”

Wyatt notes that it is still unclear just how invasive or unwarranted Carrier IQ’s tracking of data might be, but he does say, “We’re encouraged that the mobile community is paying increasing attention to privacy risks associated with their mobile data.”

While knowing whether or not you’re currently running Carrier IQ is half the battle, actually getting the software off your phone is, especially for the less technical, an almost impossible task involving rooting the phone and installing a new mobile OS. Several guides for Carrier IQ removal are available online, but perhaps the best course of action is for consumers to raise a stink about the software, get carriers’ attention, and force these companies to take our collective privacy a bit more seriously in the future.

That growth rate — fueled all by word of mouth — has been possible because of the combination of the explosion in malware and the popularity of the freemium model, where users can get a measure of protection for free and pay extra for premium service. Over time, the San Jose, Calif.-based company says it has detected more than 5 billion pieces of malware during its history.

“The big antivirus companies started 15 years ago, but our solution is less than three years old and it is built to deal with the problems we have today,” said Marcin Kleczynski (pronounced Kleh-chin-ski), founder and chief executive of Malwarebytes. (He is pictured below).

Malwarebytes works alongside antivirus software from vendors such as Symantec and McAfee. Like using a seatbelt and an airbag together, antivirus and anti-malware go together because they attack the problem from different directions. Malwarebytes cleans off machines that are already infected, while the pro version stops your machine from getting infected in the first place. Generally, the company can push out a fix for a particular piece of malware within an hour of discovery. That’s important because malware can spread to thousands of people within five minutes. And that’s one reason why the big antivirus vendors recommend it.

The company traces its roots back to 2004, when Kleczynski was working as a computer technician and found that machine after machine had been disabled by malware. His own home PC got infected and he took to the internet forums to get advice about fixing it. That took more than three days.

Kleczynski started building a Rogue Remover anti-malware program and released it in 2006. By 2008, the company formally incorporated and spruced up its user interface. In late 2008, Kleczynski brought aboard security and e-commerce expert Marcus Chung as chief operating officer and moved to San Jose.

The company has been profitable from the outset and hasn’t raised money. Today, Malwarebytes says it is opening a European office (headed by Fernando Francisco) and is announcing it has acquired hpHosts, which tracks blacklisted websites, ad servers, and tracking servers. That deal ensures that Malwarebytes protects against the newest malevolent internet protocol addresses and blocks the web servers that are used to distribute malware. hpHosts also uses the blacklist to persuade internet service providers to shut down malware-producing servers.

“The point is we can protect the internet community as a whole by stopping malware from being distributed to millions of people,” Kleczynski said.

Rivals include Lavasoft, Spybot, SUPERAntiSpyware, and Prevx (owned by Webroot). Malwarebytes says its detection engine is newer and more innovative because it doesn’t require a huge manual effort from security researchers to identify and counteract new malware. It is a hybrid of heuristics, behavior and a signature engine that is designed to detect and block malware that other vendors can’t detect.

“This is a significant step in the growth of Malwarebytes,” said Marcin Kleczynski (pronounced Kleh-chin-ski,) Malwarebytes founder and CEO, in an interview.  “We acquired a key technology to expand our product features, expanded operations into the EMEA region, and our momentum is clearly growing with more than one million new users every month.”

Malwarebytes comes in two versions: a free download that cleans consumer computers of malware as well as a professional version which offers real-time protection against malware, automated scanning, and automatic updating. The pro service has a 14-day free trial. Roughly 2 million or so pro versions have been sold.

The company has earned itself some die-hard fans, such as Sylvain Chamberlain-Nyudo, an artist, sculptor and painter who previously worked as a software developer. Chamberlain-Nyudo, who lives near Tupelo, Miss., searches the internet all day long for imagery and research for ideas that can become the foundations of paintings. And that means he gets hit with Trojans and other malware that are planted in those pieces of art. Quite often the antivirus software doesn’t do any good. With Malwarebytes, Chamberlain-Nyudo can disable those attacks and fix the problems. And the anti-malware software also allows him to block the offending sources of the attacks.

“I have used malwarebytes in its various forms for some years now,” said John Casaretto, an enterprise technology consultant.  “I definitely heard about it through word of mouth and later used it in advanced malware cleaning and found it to be the best tool of its kind there is – bar none.”

The challenge now is keeping up with the pace of malware, with new 2,000 to 3,000 new pieces coming out every hour. Malware now is harder to perceive, working quietly in the background as a user does other tasks. And much of it comes from China and Russia and has roots in organized crime.

Malwarebytes is available in 36 languages and is available in a wide array of retail stores. The company has less than 40 employees. At some point, the company will move into both the enterprise and mobile markets. Kleczynski said the company’s goal is to hit 223 million downloads and more than 5 million units sold by 2013. At the current rate of growth, that’s possible.

Charles Kolodgy, an analyst at IDC, said that the endpoint security technology market — which includes anti-malware software — is expected to grow 8 percent this year to $7 billion.

“We don’t have hundreds of researchers,” Kleczynski said. “We reduced the problem by creating a smart engine, where we only have to add maybe 50 digital fingerprints a day. We reduce the problem to a more manageable size and move quickly.”

The Federal Bureau of Investigation (FBI) made two arrests in one of the most widespread cyber scams in history. One of the scams had more than one million victims and incurred over $74 million in losses. The identities of the suspects have not  been released. Today law enforcement agencies around the world are continuing to investigate the scams.

More than 40 computers, servers, and bank accounts were seized yesterday in Operation Trident Tribunal (I’m personally feeling slightly let down by that operation title). Twelve  countries participated in a crackdown targeting two international cyber crime rings peddling “scareware,” false warnings that targeted victims via pop-ups and fake online ads. In some instances, the scareware rendered computers completely inaccessible.

In the first of the two international rings, the FBI’s Seattle office began looking into a scam that ultimately claimed an estimated 960,000 victims who lost a total of $72 million. Investigators say victims were directed to webpages featuring fake computer scans. Once their computers were infected, victims were notified by pop-ups that their machines had all sorts of viruses and they should buy the antivirus software being advertised— all at a bargain price $129. No arrests have been made in this scam.

The two arrests were made in the second crime ring, first investigated by the FBI’s Minneapolis office. The individuals are suspected of using online advertising to spread “malvertising,” using a phony advertising agency that claimed to represent a hotel chain that wanted online advertising space on a Minneapolis newspaper’s website. After the ad was verified by the paper and posted, the defendants changed the ad’s computer code so that visitors to the site became infected with a malicious software program that launched scareware on their computers. That scheme cost an unreleased number of victims $2 million. The only detail of the arrests made public is that they were made “abroad.”

Countries that contributed to the crackdowns are Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Lithuania, Romania, Canada, Sweden, the United Kingdom, and the U.S.

“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple said in a release. “The update will also help protect users by providing an explicit warning if they download this malware.”

The software is commonly known as MacDefender, MacProtector, and MacSecurity, and scares users into thinking they have a virus. Users then provide their administrator credentials and the programs pretends to scan the hard drive. Upon completion of the scan, the program says viruses are found and asks for credit card information to pay for removal.

“Its ultimate goal is to get the user’s credit-card information, which may be used for fraudulent purposes,” Apple noted.

Last week, a ZDNet reporter said Apple was aware of the problem and had told its representatives to not confirm or deny the existence of the malware program.

Apple now has a support document online that tells users how to avoid or remove MacDefender if the situation arises.

Federated Networks is one of 70 companies chosen by VentureBeat to launch at the DEMO Fall 2010 event taking place this week in Silicon Valley. After our selection, the companies pay a fee to present. Our coverage of them remains objective.

Today at the DEMO conference, Federated Networks plans to step up and take on one of the largest players in Internet security, Symantec, by unveiling its own cybersecurity suite designed to be cheaper and faster for the typical consumer.

The cybersecurity company will begin offering a security suite for about one-tenth the price of products like Symantec’s Norton Antivirus and McAfee’s antivirus programs.

Along the way to unseating the giants, Federated aims to replace the SSL encryption protocol that most websites use today with its Application Secure Layer Protocol. In so doing, it hopes to prevent a particular form of intrusion on e-commerce transactions called man-in-the-middle attacks, as well as better-known phishing threats, where hackers try to trick consumers with fake banking or shopping websites. The software also targets keystroke-logging and other input-logging spyware programs, which can be used to capture users’ passwords.

Federated Networks was founded in 2005 but has since worked in stealth mode under David Lowenstein, the board chairman of The Princeton Review. Lowenstein also has experience with several other public companies, including SourceCorp and Capital Environmental Services.

The software developer currently employs 11, and has raised about $5 million over several rounds of funding.

http://c.brightcove.com/services/viewer/federated_f8/980795693

As if we needed another reason to fear malware, authorities investigating the 2008 crash of Spanair flight 5022 have discovered that the plane’s computer system — which is used to keep track of technical problems — was infected with malware, according to a report by the Spanish newspaper El Pais.

The crash took place during takeoff from Madrid-Barajas International Airport, and left 154 dead, with 18 survivors. An early investigation by the U.S. National Transportation Safety Board revealed that the plane had taken off with its slats and flaps retracted, and that there was no audible alarm thanks to a power failure with the takeoff warning system, TechNewsDaily reports. The system also failed to report two other events.

That leaves a total of three separate technical problems that, if properly detected, could have prevented the flight from taking off, according to an internal Spanair report (in Spanish, of course). The airline figures that the malware infection was to be blame.

The malware was apparently a type of Trojan horse — software that sneaks onto a computer and allows hackers to gain access to a computer system. It could have gotten onto the computer in a variety of ways — including via an infected USB stick, an infected file downloaded to the computer, or by merely visiting a malicious website with an insecure browser like Internet Explorer 6.

Not everyone is convinced that the El Pais report is accurate, however. On security guru Bruce Schneier’s blog post, many commenters are pointing out that the Pais report is full of errors.

While the accuracy of the report is still up in the air, it certainly brings to light the topic of computer security around integrated systems. Schneier himself has long believed that the Blaster worm may have been a major factor in the 2003 blackout that affected the Northeast U.S. and Canada. And as someone who was knee-deep in IT support at the time, and saw how Blaster could take down a major organization’s network in minutes, I’m inclined to agree with him.

Photo credit: soypocholapantera on Flickr