Tuesday, June 16, 2009

Online Armor: Best Practices - 1

How to get the most out of Online Armor (without losing your hair)

In order to get the most out of Online Armor, you really need to understand what it's for and how it's intended to be used. If you understand these basic concepts, you'll understand what we're trying to do, how we're trying to do it - and hopefully how to make Online Armor slip into the background.

What's Online Armor for?
When we first started developing Online Armor, it was called "BankSafe" and was designed to stop thieves emptying your bank account. It had a very, very simple purpose, though none of the banks in Australia seemed to be too concerned about this at the time.

As we developed it, we had other ideas. The scope of protection was extended to cover anticipated (and then-current) threats.

However, the basic principles remain the same:

  • If a dangerous program is not allowed to run, it will not be able to do bad things.
  • If you do allow a program to run, and it starts to do things that are suspicious - tell the user about it.
  • If a trusted program runs, and does something that looks suspicious, don't alert - because it's trusted.
It would be fair to say that Online Armor is for helping you keep bad things from happening to your computer, and for stopping those bad things sending your data to the "bad guys". It is designed to help you protect yourself against internet malice.


Any program that you trust, mark as trusted.
On my laptop everything I run is marked as trusted. If I did not trust it, it would not be on my laptop.

If you trust it, allow it to run as trusted. You'll get NO popups if you trust all your safe programs, and have less chance of any problems.

If you don't trust the program, uninstall it.

I know some users try to control what programs can do, to try and limit them, to try and give them "what they need". That's not what it was designed for. Stopping programs from doing things they need to do may cause unforeseen issues. If you understand this and want to fiddle with it - great. If not - please don't.


Autoconfigure Trusted Programs for Internet
One feature of OA I was very proud of was the idea that we could auto-configure trusted programs to access the internet. I came up with this idea after hearing the CEO of one of our clients swearing that his personal firewall asked him "all sorts of ******* stupid questions and broke his computer".

Here's the logic:
  • You install Yahoo Instant Messenger
  • This is a safe, Trusted program.
  • You want this to access the internet so that it can do what it does
  • You do not know (or care) about listening, ports, UDP, TCP, "act as server" and all that nonsense - you just want it to work!
Dodgy analogy time: Imagine a mechanic repairing your car. You ask him to do an oil change. He asks you whether you want him to use this wrench or that wrench to undo the bolt. He asks you about the type of oil. He asks you how much oil to put in the car. He asks you which oil filter to fit.

How many times do you go back to that mechanic? Autoconfigure trusted programs is the equivalent of saying to the mechanic "Look buddy, do what needs to be done, I trust you, so get on with it already!"

Make use of the "Run Safer" feature

I've written about Run Safer before. In simple terms, it limits the rights a program runs with, so as to limit the damage it might cause.

Once you have trusted all of your programs - and uninstalled the ones you don't trust :) - then it's time to apply some Run Safer settings to selected programs:
  • Internet Explorer, Firefox, Opera, and any other web browser
  • Yahoo, Skype, MSN, and any other chat program you use
  • Outlook Express, Outlook, Incredimail, The Bat! and any email program that you use.
Now, you may think "But I trust these programs, and now you're telling me to limit what they can do?" - and the answer is YES!

Chances are, right now, you're logged in as a user with administrative rights. If you don't know what that means - then you definitely are - AND what that means is that programs that run get these rights too. They can do anything to your computer.

The problem arises when Great-Aunt Mabel gets infected - the virus sends you an email, you open it in Outlook Express and click the attachment. Boom. That program can now do anything on your computer it wants. Or, you're surfing a site and some strange file downloads and you accidentally run it. BOOM! That program too can do whatever it wants. The same applies to files you download through Skype (or your messenger of preference).

If you had used run-safer, then the running, malicious attachment or the downloaded file, or the file you got from Skype would be heavily restricted in what it could do.
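The two facts this section rests on - that a program inherits the rights of the account that launched it, and that a browser or mail client started with a reduced-rights token drags anything it spawns down with it - can be checked on Windows without Online Armor. The PowerShell below is an added example, not Online Armor code or any of its features; it uses the built-in `runas /trustlevel` mechanism (the Basic User level, 0x20000, as listed by `runas /showtrustlevels`) rather than Run Safer itself, and the browser path at the bottom is an assumption you should change to suit your machine.

```powershell
# Added example, not part of Online Armor or this post.
# Checks whether the current session carries administrative rights and
# starts a program with Windows' built-in "Basic User" restricted token.

function Test-IsElevated {
    # True when the process token holds an *active* Administrators membership.
    # On XP that means any admin account; on Vista and later with UAC it is
    # only true inside an elevated process (the filtered token marks the
    # Administrators SID deny-only, so IsInRole returns False).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IntegrityLabel {
    # Vista and later: the token's "Mandatory Label" group shows the
    # integrity level (Low, Medium, High, System). Returns the matching line,
    # or nothing on XP where integrity levels do not exist.
    whoami.exe /groups | Select-String -Pattern 'Mandatory Label'
}

function Start-Restricted {
    # Launch a program with the Basic User trust level. runas strips the
    # administrative SIDs and privileges from the new token, so the program
    # and every child it spawns run with ordinary user rights.
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Program not found: $Path"
    }
    # PowerShell quotes $Path for us if it contains spaces.
    & runas.exe /trustlevel:0x20000 $Path
}

# Usage. The browser path is an assumption; substitute your own browser or
# mail client.
if (Test-IsElevated) {
    Write-Warning 'This session has administrative rights; every program you start inherits them.'
}
Get-IntegrityLabel
Start-Restricted -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

After launching, opening a second PowerShell window from inside the restricted browser (or running `whoami /groups` from a process it spawns) shows the Administrators group absent from the token, which is the property the post is after: a malicious attachment or drive-by download started from that browser cannot do "anything it wants" to the machine.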

Ok, you keep talking about Safe, trusted programs - what are they?
A safe trusted program is not dangerous. I know it sounds a little silly, but:
  • Programs you download from Microsoft are safe, even if you think Microsoft is the Devil.
  • Programs you buy on a CD in a store are safe.
  • Programs you get from trusted sources are usually safe.
If in doubt, you can use Google (or Bing) to do a bit of research before you install.

Generally speaking - big companies like Amazon, Yahoo, Electronic Arts, Quicken and so on - let's call em the brand names - are not going to release malicious software.

I know Sony did something stupid a few years back, but this was stupid, not malicious. Online Armor is not designed to protect you from stupid.

Some programs that are not going to be safe:
  • Something that tries to download automatically when you go to a web page is never going to be good.
  • Something you receive in email is unlikely to be good.
  • A web page that keeps popping up until you accept a program to install - this is almost always going to be bad, and it would be better to "end task" or power-off your computer.

If you followed my advice...
... then you should have trusted programs running on your computer. Your browsers and email clients should be set to Run Safer, which will help to protect you against dodgy drive-by downloads and email/messaging malware. You will have your trusted programs automatically configured for internet.

Using Online Armor like this should result in very few (if any) popups asking you hard questions that make you want to tear your hair out. Your programs will work. Run Safer will prevent (or at least limit) damage if you accidentally run something from a website you shouldn't have.

Thursday, May 28, 2009

Watch out for the muppets :)

Muppets. They're everywhere.

I don't mean Jim Henson's friendly bunch, but the English term for someone lacking a bit of skill or intelligence. Though it's an insulting term, it's rather mild and quite cute - and the topic for today's blog post.

Why are muppets relevant to security?

The internet has democratised communications. Anyone with a keyboard and a thought can combine the two and reach people all over the world. Sometimes this is a good thing. Other times - not so good.

Anyone on Twitter can shout out a thought - and have it reproduced. Businesses or individuals can communicate - and say things that are true, not true, right or wrong - and people will read it and disseminate it. How many internet hoaxes have you read about recently?

The problem arises when people say things with an air of authority that they know nothing about. For example, a muppet tweeted out a security alert yesterday saying that Online Armor contained advertising software. Obviously, it doesn't.

Rather than get upset, I did the right thing - tracked him down and told him about his mistake.

His reply was basically "McAfee alerted". I advised this was a false positive.

His response was "Hmmm, can't find that term in any McAfee help or support groups. Good luck with that!".

Be careful who you listen to

Typing the words "false positive" into Google (without the quotes) finds multiple definitions, and quickly. So, we have some Jason Remington issuing public security alerts about our product - yet he has never heard of a false positive and couldn't find it on the internet. I think we have our first "Muppet of the Day".

When you read something, give consideration to the source.

The text of the tweet was "QZVX WARNS OF ONLINE THREAT:(Online Armor) Firewall FREE download contains ADWARE and other nuisance software that may harm your PC ."

I looked up the site in question - it's here. Hardly credible.

Get advice from the right place

There are a multitude of sources of good advice on the internet - techsupport alert, matousec security, spyware hammer, wilders security forums, calendar of updates, smokey security forums, vendor forums - and many more.

Where do you go for security advice? Have you any entries for the "Muppet of the day"? Let me know.


Mike

Monday, May 18, 2009

Ask Toolbar in Online Armor Free? Nearly...

There's been a lot of discussion about the Ask toolbar recently over at Wilders Security and the Calendar of Updates forums. We have a variety of vendors that are now bundling this bar with their products - something that I thought we'd never, ever do.

Then I read a thread over at Wilders where someone pointed out that for every time Ask bar was installed, the vendor got a dollar. I mulled over our OA Free download numbers and thought that this figure was highly likely to be inflated - but at a dollar per download - wow, that's some serious money.

Bundle Ask Toolbar and have an early retirement?

I then read a comment from BillP of Winpatrol fame saying that Ask had approached him - and - had he proceeded with them, he could have made enough money to retire in a few months. Bill basically told the guys to get stuffed - but there are a lot of other vendors that bundle the bar who didn't.

Having had two independent sources confirm just how much money could be made, I did what any self-respecting business owner would do - I contacted Ask to find out what the deal was. After all - if I could add tens of thousands of dollars to our bottom line every month, I'd be mad not to consider it, right ?

The Scoop

At the same time as I contacted Ask, Ask contacted me asking about business relationship opportunities. The chap on the phone I spoke with explained to me that the numbers quoted at Wilders were not quite reality - but for the purposes of basic math, we'll stick with the $1 per install.

In other words, for a company like us - a small business out of Sydney - the Ask toolbar sounds like a dream come true. Call it free money. Call it monetizing our free product - we did both. Based on our download numbers we'd stand to make tens of thousands of dollars per month - all for including a harmless toolbar in our program.

Sometimes, I hate the internet...

Here's the problem. Imagine that you could get paid a dollar for each unique user. Imagine that you were moderately skilled at writing malicious code and had no morals. You could make a lot of money real fast by surreptitiously installing something like this. And that's what people did. Ask were tarred with this brush.

As we proceeded along the path with Ask, we took note of the questions that they asked us and the hoops we had to jump through to sign up as a partner. They were really, really concerned to prevent malicious folks from bundling their bar.

It was unfortunate that they had been abused by malware writers and scammers - I'd hate for that to happen to us if we paid bounties for installation of Online Armor - but they shouldn't be nailed for this forever. Not only do they try to run a clean ship, but they were also a victim, right?

This thinking gave us a bit of confidence going forward - as did the fact that a lot of our competitors, from the rats and mice upwards had done this.

...but most of the time it rocks

We decided that we'd proceed with the Ask toolbar. The money looked great. The company was clean. Our competitors were doing it. There were shouts at some of the guys that did it - from a highly vocal crowd - but we figured that provided we did it the right way (no default opt-in, no tricky wording or saying that the bar was required for security purposes) we'd be ok.

I took this to our private test team. They hated it. I took it to our forum admins. They hated it too. I took it to our Beta team after someone came out and said "You would never bundle a toolbar would you ?" - and I said, "um, actually yes, we would". They hated it too.


A rock and a hard place

On one hand, we have a way to boost our business to the tune of tens of thousands of dollars per month. In this economy, that sort of money is not to be sneezed at - hell, in any economy the chance to quickly add a quarter-million USD per year to the bottom line with minimal effort is not to be sneezed at.

Unfortunately, adding that bar would mean that our users would hate us. Vocally. Is it rational hatred? Who cares. Hate is hate, and Vocal is Vocal. We'd already noted one of the smaller players get slammed for their search bar antics.

In all of our discussions and observations, some key points kept getting repeated:

  • Users do not expect a security tool to install unneeded items, even if that security tool is free.
  • Default opt-in is the only way people will install it - through inattention, accident or trickery of wording.
  • Default opt-in is wrong.
  • Users place a lot of trust in security vendors. They are trusted to do the right thing. Do not abuse that trust.
  • Is it ethical to ask your users to install a product you would not install and use yourself?
Out of all of them, the last one got to me the most. I installed the bar and had a look. If this was on my computer, I would remove it.

In fact - the ICQ bar is even worse - the uninstaller didn't work correctly and now I find myself trying to do a Google search and sometimes getting ICQ. It's really, really annoying. Do I want to really, really annoy our users?


The upshot.

When we started our Online Armor project, we somehow stumbled onto a simple formula. Listen to our users, and give them what they want. Provided they don't want free ponies and chocolate, it's a model that works rather well. Everyone wins.

Our users - the ones privy to the pre-launch information - told us pretty clearly "We don't want this, and we don't think it's right". When your friends are telling you it's not a good idea - imagine what people who don't have that relationship will say or do.

So - we've decided not to proceed with Ask, though they'd probably pay us nearly enough to buy a nice car.

When the numbers look good from a financial perspective, and "everyone else is doing it" - it's easy to fall into complacently thinking that all will be fine. It's not fine for security companies to bundle someone else's toolbar. We lost sight of that for a moment and nearly did everyone a disservice.

Why did we decide not to proceed? Well, the money sure would be nice but at what cost? Bundling this bar would lead to a loss of trust... and that's something you generally only get to lose once.

I'll get the car another day.

Monday, March 23, 2009

Phishing Scammer tries it on with CEO of an Anti-phishing software product “Online Armor”

So, I'm sitting there today working on something for a client when I received an unsolicited Skype message with an "Important Business Proposal".

I normally mess with these guys a little, just to waste their time, but as I was on the phone to a client I just decided to get rid of him quickly.

As you can see - he was surprisingly honest about his ultimate intentions.

This is how the scam works

Mr Dutu, or Mrs Dutu is usually writing to you from a yahoo or other free email address. It usually doesn't address you by name. It always offers some opportunity - usually, the chance to get a share of millions of dollars in exchange for some assistance.

A common theme is the widow of a Nigerian official (or just a corrupt Nigerian official) wants to move $250M (usually spelled as TWO HUNDRED AND FIFTY MILLION DOLLARS) out of the country. He or she just needs a partner overseas.

They offer a split of the money. Often there is the chance of further profits (we'd like to invest in real-estate in your country, and we will give you 10% of the profits). Quite often, they thank God for His mercy in finding someone as kind as yourself to help them.

So, you're probably asking yourself - how does this scam work? They want to send you $250M - it's going to your bank account - what's the catch? This scam has been going on for years, and it's called Advance Fee Fraud.

Had I accepted this guy's offer, here's what likely would have happened:

  • He'd ask me for some ID - passport and bank account details for the money
  • He'd send me some official-looking documentation - fake of course - which would allow me to claim the money from some third party. The third party would probably also have a free email address (like Yahoo or Hotmail).
  • The third party (Notary, Bank Manager) would contact me about claiming my money - and here's the catch - there's a $20 fee for stamping the document. Or a $200 fee.
  • Mr Dutu would claim not to have this money, but of course, since I will soon get 10% of $250M, $200 is not much to pay.
  • I'd send the money - and the documents would be "stamped".
  • Once they'd got me for $200 - there would be some other issue... and the costs would keep rising and rising until they couldn't get any more money out of me.
It's a sad fact that in tough economic times, people get desperate and take risks or chances that they wouldn't normally take in the hope of the "one big win" that would solve all their problems. You can imagine being in dire straits, and having invested $2,000 or so, thinking another $500 can't hurt.

Don't get caught out.

I've told the guy to go and find an idiot. Don't let it be you - seriously - if it looks too good to be true, it probably is. The chance that some corrupt official is going to send you $250M and let you keep 10% of it is pretty remote to say the least.


Don't be the Idiot: Mr Dutu Returns

It was a Friday afternoon, and about an hour since my chat with "Mr Dutu" - too early to go for a beer, too late to do much work. I could see he was still online.

So I thought I'd ask him a few questions...

[3:56:08 PM] Mike Nash says: Any luck yet ?
[3:56:48 PM] Mr. Robert Dutu says: just 1
[3:56:54 PM] Mr. Robert Dutu says: for over three hours
[3:57:07 PM] Mike Nash says: :( Business getting slow for you?
[3:57:13 PM] Mike Nash says: May I ask, how much you make doing this ?
[3:57:47 PM] Mr. Robert Dutu says: be my victim and you will get to know how much i can make from you
[3:58:05 PM] Mike Nash says: (rofl) Very good :)
[3:58:10 PM] Mike Nash says: You're a funny guy
[3:58:20 PM] Mr. Robert Dutu says: thanks (handshake)

I ended up chatting with him for about an hour - and I have to say, he was a funny guy. A criminal, sure - but he claimed he was from Ghana, and had been doing this for only three months. He even tried to get some money out of me - but despite how amusing the guy was, he's still a criminal, and relies on trickery and social engineering to get what he wants - which is cash.

[3:58:51 PM] Mike Nash says: Seriously, do you really find many people that fall for this scam still? Though, I read in the newspaper that something like $100M leave the country each year
[3:59:23 PM] Mr. Robert Dutu says: what scam?
[3:59:31 PM] Mr. Robert Dutu says: this is real
[3:59:34 PM] Mike Nash says: The advance fee fraud

[3:59:42 PM] Mr. Robert Dutu says: i will send you details on it
[4:00:11 PM] Mike Nash says: Over Skype?

[4:00:23 PM] Mr. Robert Dutu says: This message has been removed

***Note - he pasted here the generic phishing email - which described how we'd share $16M. It was really, really well written in comparison to those that I'd normally get. ***

[4:01:11 PM] Mike Nash says: Nice. That's actually quite well written. And instead of $250M , you're saying $16M...

[4:01:29 PM] Mike Nash says: So, what's the next step?
[4:02:20 PM] Mike Nash says: Actually, I work for a security company - this is why I am so interested

[4:02:22 PM] Mr. Robert Dutu says: wait, i have a client
[4:02:25 PM] Mr. Robert Dutu says: he is discussing positive
[4:02:26 PM] Mike Nash says: ok

It was interesting the way he referred to his victims as clients. He offered me the chance to see the chat history with his "client" - but then it went a little bad...

[4:04:29 PM] Mr. Robert Dutu says: and put it on the internet right?
[4:04:36 PM] Mr. Robert Dutu says: no
[4:04:44 PM] Mr. Robert Dutu says: you will spoil my job
[4:04:54 PM] Mike Nash says: Not a chance!
[4:05:01 PM] Mike Nash says: There's already lots of articles about it
[4:05:14 PM] Mike Nash says: and I bet, you do not use this account for more than some days at a time, right ?
[4:05:22 PM] Mike Nash says: Next time it will be some other name
[4:06:08 PM] Mr. Robert Dutu says: why all this question
[4:06:16 PM] Mr. Robert Dutu says: do you want to join?
[4:06:25 PM] Mike Nash says: No, I don't :)

[4:06:34 PM] Mr. Robert Dutu says: good
[4:06:48 PM] Mr. Robert Dutu says: what is your job?
[4:06:51 PM] Mike Nash says: I think I could improve the text of your letter a bit - but it is better than 99% of the ones I receive normally
[4:07:05 PM] Mike Nash says: I work in security industry, we write a personal firewall product
[4:07:20 PM] Mike Nash says: it also detects things like keyloggers
[4:07:37 PM] Mr. Robert Dutu says: very good
[4:07:45 PM] Mr. Robert Dutu says: what is your pay?

I made up a number, and told him, and then added:

[4:09:12 PM] Mike Nash says: what's yours?

He was very, very evasive about how much he earned, until he told me that he'd only ever made EUR50 from a woman in the Philippines. Of course, he could be sitting there in a $5000 chair in his private compound saying that for all I know.

[4:09:56 PM] Mr. Robert Dutu says: sorry for my late reply
[4:10:00 PM] Mr. Robert Dutu says: was busy with a client
[4:10:07 PM] Mr. Robert Dutu says: you earn alot of money

[4:10:09 PM] Mike Nash says: I like the way you call them clients
[4:10:21 PM] Mike Nash says: It implies a certain professionalism
[4:10:26 PM] Mr. Robert Dutu says: thanks

[4:10:35 PM] Mike Nash says: Cost of living here is higher.
[4:10:47 PM] Mr. Robert Dutu says: if i ask you to send me some money will you?

[4:11:20 PM] Mike Nash says: What would I receive in exchange for a payment?
[4:13:17 PM] Mr. Robert Dutu says: am back
[4:13:24 PM] Mr. Robert Dutu says: that is the point
[4:13:34 PM] Mr. Robert Dutu says: nobody wants to give anything out for free
[4:14:21 PM] Mr. Robert Dutu says: but if i promise you $16million usd i will end up getting more than your pay from you
[4:14:40 PM] Mr. Robert Dutu says: you might even go to the extent of taking loan for me
[4:14:54 PM] Mr. Robert Dutu says: which is very improper

This is actually quite sad. I've read stories in the paper of this - but never seen the scammer's side of it before. He drifted off into trying to get a bit of sympathy from me, and then started to ask me for money...

[4:34:37 PM] Mr. Robert Dutu says: can you be of any assistance?
[4:34:39 PM] Mike Nash says: It's a Friday - everyone thinks of the weekend, and the pub
[4:34:41 PM] Mike Nash says: wrong time of day

[4:34:46 PM] Mike Nash says: No, I can't really help you
[4:34:52 PM] Mike Nash says: you're committing a crime
[4:35:03 PM] Mr. Robert Dutu says: i know
[4:35:11 PM] Mr. Robert Dutu says: and i accept the fact that i am GUILTY
[4:35:32 PM] Mike Nash says: But you still won't tell me how much you make :) I'll bet your computer is more powerful than mine
[4:35:41 PM] Mr. Robert Dutu says: and will not hesitate to be prosecuted when the law catch up with me
[4:36:17 PM] Mr. Robert Dutu says: there is no specific amount
[4:36:33 PM] Mr. Robert Dutu says: i take whatever you can give me
[4:36:58 PM] Mr. Robert Dutu says: even if is 100 or 50 $
[4:37:04 PM] Mr. Robert Dutu says: i will seriously appreciate it
[4:38:06 PM] Mr. Robert Dutu says: and i know my God will forgive because i pray to him to replenish the pockets of my clients with double of whatever they loss

At this point, he went all religion on me and talked about washing his sins and so on. Then back to business:

[4:44:16 PM] Mr. Robert Dutu says: i take whatever you can give me
[4:44:23 PM] Mr. Robert Dutu says: even if is 100 or 50 $
[4:44:33 PM] Mr. Robert Dutu says: or more
[4:44:35 PM] Mr. Robert Dutu says: i will seriously appreciate it
[4:45:27 PM] Mike Nash says: I'll bet you will
[4:45:38 PM] Mike Nash says: I have this image in my head, of you in the bar after with all your friends
[4:45:52 PM] Mike Nash says: "This guy thought he was clever, but I still got him to send me $100. Who wants a cigar?"

[4:46:52 PM] Mr. Robert Dutu says: (rofl)
[4:46:56 PM] Mr. Robert Dutu says: very funny
[4:47:01 PM] Mr. Robert Dutu says: i don't smoke
[4:47:10 PM] Mr. Robert Dutu says: i only drink ocassionally

More talking about money, and then:

[4:49:31 PM] Mr. Robert Dutu says: i know at the end of this conversation you will publish our chat
[4:49:40 PM] Mr. Robert Dutu says: but that is not a problem
[4:49:46 PM] Mr. Robert Dutu says: i am still very sincere
[4:49:55 PM] Mike Nash says: Actually, I published already just the funny part

[4:51:53 PM] Mr. Robert Dutu says: why?
[4:52:15 PM] Mike Nash says: because usually, if I say something like that, they do not reply and move to next victim. It was different
[4:52:33 PM] Mike Nash says: It is like a policeman warning a car thief to drive carefully
[4:52:46 PM] Mr. Robert Dutu says: ahahahhahaha

It was getting late, and I was ready to go home... this is where he came up with his classic:

[4:54:17 PM] Mr. Robert Dutu says: how do i get you to send me some money?
[4:54:40 PM] Mike Nash says: Unfortunately, you will not get me to send you money.

[4:54:58 PM] Mr. Robert Dutu says: don't be stinge my friend
[4:55:20 PM] Mr. Robert Dutu says: it will not cost you anything to send some money to a stranger who is in need

[4:55:41 PM] Mike Nash says: You probably make more money than me. Will you send me some?
[4:56:18 PM] Mr. Robert Dutu says: yes $16million usd but we will have to finance the transfer together
[4:56:27 PM] Mike Nash says: HAHAHAHAHAHAHAHAHA!
[4:56:39 PM] Mr. Robert Dutu says: yes
[4:56:44 PM] Mike Nash says: Touche!
[4:56:51 PM] Mr. Robert Dutu says: and we share it at the end 50% each
[4:57:12 PM] Mr. Robert Dutu says: $8million usd for you
[4:57:31 PM] Mr. Robert Dutu says: this is a life time opportunity

[4:57:33 PM] Mike Nash says: You know, if you ever give up the scam business, you'd have a great career in comedy
[4:57:53 PM] Mr. Robert Dutu says: if i were you i will grab opportunities like this with both hands
[4:58:02 PM] Mr. Robert Dutu says: and become rich overnight
[4:58:28 PM] Mike Nash says: but we already know it is a scam, and you hate to do it
[4:58:30 PM] Mr. Robert Dutu says: look my friend am not a scammer
[4:58:32 PM] Mike Nash says: I haven't been drinking
[4:58:42 PM] Mike Nash says: so I am not likely to change my mind
[4:58:55 PM] Mr. Robert Dutu says: ;(

Unfortunately, after this gem he pretty much went back to trying to phish me with the $16 million. A shame. I really enjoyed the chat with him (some parts have been edited out for length) - and at some point when he was telling me about life over there (wherever there actually was) I felt sorry for him - he was very, very good at his job and had a good sense of humour about him.


Mike
