[Az-Geocaching] [OT] Security Implications with Web Based Greeting Cards

Farquhar, Larry listserv@azgeocaching.com
Tue, 19 Nov 2002 06:45:15 -0700



Yep! We had a few users at work already receive these greeting cards and
install the software - without reading the EULA. It's a sneaky way to
propagate a virus, legally :(

Larry Farquhar
Team "Wyle E"
http:\\www.happy-wanderers.com <http://www.happy-wanderers.com/>

-----Original Message-----
From: Team Tierra Buena [mailto:teamtierrabuena@earthlink.net]
Sent: Monday, November 18, 2002 10:16 PM
To: listserv@azgeocaching.com
Subject: [Az-Geocaching] [OT] Security Implications with Web Based Greeting Cards


Off-topic, yes, but I think it's important to get the word out on this.

Have you ever clicked on an End-User License Agreement without bothering
to read it? Me, too, but after reading this article I'll never let one
slip by again.

Steve
Team Tierra Buena

10/30/2002 03:32 PM
Subject: Security Implications with Web Based Greeting Cards


Have you been receiving and sending a lot of Web based Greeting Cards?
If you do, as a co-worker told me today that he sends them to a lot of
people, you may want to read this article.

* SNEAK ATTACK THROUGH A LICENSE AGREEMENT

Have you ever received a Web-based greeting card from a friend or
relative? They're common these days, and they seem to be taken for
granted, in that people trust the intent of someone who might send
them a greeting card. People like to be greeted with kindness, so
they're inclined to look at and read the greeting card. It's one of
the feel-good things that many people simply can't resist.

Have you ever wondered why a company would spend its Internet
resources delivering free greeting cards on behalf of people with whom
it conducts no business otherwise? How does such an entity profit from
those endeavors? What might its motives be?

Last week, a user posted an interesting message to our HowTo for
Security mailing list regarding one company that delivers Web-based
greeting cards. That company, Permissioned Media, runs a Web site
called FriendGreetings.com, which lets one person send another person
an electronic greeting card. The friendly facilitation seems simple
and harmless, but it has a rather insidious side.

When you receive a greeting from FriendGreetings.com, the message says
that someone sent you the greeting and that to read it, you must click
a URL that takes you to the Web site hosting the greeting. When you
click the URL, you're prompted to install an ActiveX control before
you view the greeting. As the greeting-card recipient, you would
probably assume that you must install the ActiveX control to view the
greeting; however, that's not the case. Instead, FriendGreetings.com
has designed the ActiveX control, complete with an End User License
Agreement (EULA), to interact with your mail client software and
harvest information about your email contacts. After the ActiveX
control obtains your private contact list information, it sends a
similar greeting card to everyone in your contact list, probably
unbeknownst to you!

If you took time to read the EULA from FriendGreetings.com, you'd
discover that the EULA clearly states Permissioned Media's intention
to do just that. A section of the EULA reads, "As part of the
installation process, Permissioned Media will access your Microsoft
Outlook contacts list and send an e-mail to persons on your contacts
list inviting them to download FriendGreetings or related products."
By accepting the EULA and installing the ActiveX control, you give the
company permission to perform that activity.

In essence, the greeting cards that FriendGreetings.com delivers
resemble many worms that travel the Internet: They're parasitic,
intrusive, devious, elusive, and most of all, probably unwanted. Even
some antivirus vendors issued warnings about the greeting card last
week. However, we can't completely blame FriendGreetings.com for its
use because, although the company counts on most users' acceptance of
the unread EULA, the EULA does spell out some of its intention. By
agreeing to the EULA, users agree to the ActiveX control activity.
Nevertheless, the lesson here should be obvious: When you encounter a
EULA, don't take anything for granted. Read it word for word to
understand exactly what you're accepting and think through what the
consequences of acceptance might be.

Permissioned Media bills itself as a "behavioral marketing network"
with more than 100 clients that advertise online. The company also
operates Cool-Downloads.com. You can read Permissioned Media's EULA at
the URL below. Take note that it grants the company "the right to add
additional features or functions to the version of PerMedia you
install, or to add new applications to PerMedia, at any time." Yikes!
http://permissionedmedia.com/license.htm

If you've received a greeting card from FriendGreetings.com and
installed the associated ActiveX control, you might want to remove its
software from your system. To find out how, be sure to read the
related news article, "Protect Your Contact List: Read the EULA!" in
this newsletter.
http://www.secadministrator.com/articles/index.cfm?articleid=27122


Source: Windows & .NET Magazine Security UPDATE--brought to you by
Security Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems. (Contributed by Mark Joseph Edwards, News Editor)




