[Az-Geocaching] [OT] Security Implications with Web Based Greeting Cards
listserv@azgeocaching.com
Tue, 19 Nov 2002 12:06:41 -0800 (PST)
AND...not only all this, but according to www.truthorfiction.com (one
of my favorite websites, for checking out email urban legends and
such) the problem with FriendlyGreetings.com is not only true, but the
email addresses are collected for a spammer sending out porn.
Trisha "Lightning"
Prescott
On Tue, 19 Nov 2002, "Farquhar, Larry" wrote:
Yep!
We had a few users at work already receive these greeting cards and
install the software - without reading the EULA. It's a sneaky way to
propagate a virus, legally :(
Larry Farquhar
Team "Wyle E"
http:\\www.happy-wanderers.com
-----Original Message-----
From: Team Tierra Buena [mailto:teamtierrabuena@earthlink.net]
Sent: Monday, November 18, 2002 10:16 PM
To: listserv@azgeocaching.com
Subject: [Az-Geocaching] [OT] Security Implications with Web Based Greeting Cards

Off-topic, yes, but I think it's important to get the word out on this.

Have you ever clicked on an End-User License Agreement without
bothering to read it? Me, too, but after reading this article I'll
never let one slip by again.
Steve
Team Tierra Buena
10/30/2002 03:32 PM
Subject: Security Implications with Web Based Greeting Cards

Have you been receiving and sending a lot of Web based Greeting Cards? If you do, as a co-worker told me today that he sends them to a lot of people, you may want to read this article.

* SNEAK ATTACK THROUGH A LICENSE AGREEMENT

Have you ever received a Web-based greeting card from a friend or relative? They're common these days, and they seem to be taken for granted, in that people trust the intent of someone who might send them a greeting card. People like to be greeted with kindness, so they're inclined to look at and read the greeting card. It's one of the feel-good things that many people simply can't resist.

Have you ever wondered why a company would spend its Internet resources delivering free greeting cards on behalf of people with whom it conducts no business otherwise? How does such an entity profit from those endeavors? What might its motives be?

Last week, a user posted an interesting message to our HowTo for Security mailing list regarding one company that delivers Web-based greeting cards. That company, Permissioned Media, runs a Web site called FriendGreetings.com, which lets one person send another person an electronic greeting card. The friendly facilitation seems simple and harmless, but it has a rather insidious side.

When you receive a greeting from FriendGreetings.com, the message says that someone sent you the greeting and that to read it, you must click a URL that takes you to the Web site hosting the greeting. When you click the URL, you're prompted to install an ActiveX control before you view the greeting. As the greeting-card recipient, you would probably assume that you must install the ActiveX control to view the greeting; however, that's not the case. Instead, FriendGreetings.com has designed the ActiveX control, complete with an End User License Agreement (EULA), to interact with your mail client software and harvest information about your email contacts. After the ActiveX control obtains your private contact list information, it sends a similar greeting card to everyone in your contact list, probably unbeknownst to you!

If you took time to read the EULA from FriendGreetings.com, you'd discover that the EULA clearly states Permissioned Media's intention to do just that. A section of the EULA reads, "As part of the installation process, Permissioned Media will access your Microsoft Outlook contacts list and send an e-mail to persons on your contacts list inviting them to download FriendGreetings or related products." By accepting the EULA and installing the ActiveX control, you give the company permission to perform that activity.

In essence, the greeting cards that FriendGreetings.com delivers resemble many worms that travel the Internet: They're parasitic, intrusive, devious, elusive, and most of all, probably unwanted. Even some antivirus vendors issued warnings about the greeting card last week. However, we can't completely blame FriendGreetings.com for its use because, although the company counts on most users' acceptance of the unread EULA, the EULA does spell out some of its intention. By agreeing to the EULA, users agree to the ActiveX control activity.

Nevertheless, the lesson here should be obvious: When you encounter a EULA, don't take anything for granted. Read it word for word to understand exactly what you're accepting and think through what the consequences of acceptance might be.

Permissioned Media bills itself as a "behavioral marketing network" with more than 100 clients that advertise online. The company also operates Cool-Downloads.com. You can read Permissioned Media's EULA at the URL below. Take note that it grants the company "the right to add additional features or functions to the version of PerMedia you install, or to add new applications to PerMedia, at any time." Yikes!

http://permissionedmedia.com/license.htm

If you've received a greeting card from FriendGreetings.com and installed the associated ActiveX control, you might want to remove its software from your system. To find out how, be sure to read the related news article, "Protect Your Contact List: Read the EULA!" in this newsletter.

http://www.secadministrator.com/articles/index.cfm?articleid=27122

Source: Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems. (Contributed by Mark Joseph Edwards, News Editor)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Although no one can go back and
make a brand new start,
Anyone can start from now and
make a brand new ending."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~