Shorten your own URLs

“YOURLS is a small set of PHP scripts that will allow you to run your own URL shortening service (a la TinyURL). You can make it private or public, you can pick custom keyword URL. It comes with its own API.” http://yourls.org/

It’s installed on your own web server (it needs PHP 4.3 or later and MySQL 4.1, with mod_rewrite enabled).

“Benefits:

1. Not reliant on third party service
2. Sends link juice to your domain, not a service provider
3. Customize your short links
4. Build your brand (showing your URL)”

Story here.

Cool.

Thanks Andrew. Thanks Alex.

Tom Kelchner

P2P research: clue needed


At the ShmooCon hacker conference in Washington, D.C., last week two security researchers showed the very sensitive information that people inadvertently make available over peer-to-peer networks.

In their presentation, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals,” pen testers Larry Pesce and Mick Douglas said they found a lot of music, porn, malcode collections and the following:

— driver’s licenses, passport and tax return forms with Social Security numbers;
— someone’s will;
— a retirement analysis form with savings account totals and income estimates;
— an IRS form with a taxpayer identification number;
— a completed TurboTax form with personal information filled in.

The two have started The Cactus Project to help security specialists do similar research to help organizations tighten up the information they share over P2P. They list best-of-breed tools for conducting the research, including Mutella and the Gnutella Protocol on their site http://pauldotcom.com/cactusproject.html.

The Network World story quotes Douglas: “We have to keep trying to educate people, but through this kind of research [security practitioners] can take steps to better protect their own organizations going forward.”

Network World story here.

These guys are clearly having too much fun. Below is a quote from the pauldotcom.com site:

“I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is in that we get to work in one of the coolest fields.” (http://pauldotcom.com/cactusproject.html)

Tom Kelchner

Black Hawk Safety Net down

China Daily has reported that Chinese law enforcement officials raided a hacker training and resource operation in Hubei province with 12,000 members, shut it down and arrested three principals in November.

The paper said: “The three, who ran Black Hawk Safety Net, are suspected of offering others online attacking programs and software, a crime recently added to the Criminal Law. A total of 1.7 million yuan ($249,000) in assets were also frozen.

“Hubei province named Black Hawk Safety Net as the largest hacker training site in China, which openly recruited members and disseminated hacker techniques through lessons, Trojan software and online forum communications.

“Since it was established in 2005, the site had recruited more than 12,000 VIP members and collected more than 7 million yuan ($1.03 million) in membership fees. More than 170,000 people registered for free membership.”

The story also said: “According to a report released by the National Computer Network Emergency Response Coordination Center of China, the hacker industry in China caused losses of 7.6 billion yuan ($1.1 billion) in 2009.”

The New York Times reported that the shutdown actually occurred in November and quoted a noted China watcher as saying that the action was just “window dressing” since Chinese authorities have not shut down the well-known servers that were used to attack Google and other western companies recently.

Observers in the west have been trying to fathom the meaning of events in China ever since Marco Polo wandered there in the 13th century and lived to write a book about it. China is big, in some ways very disorganized and has a history of being strange to the rest of the world. It will be interesting to see if there are more take downs coming.

China Daily story here.

New York Times story here.

Update 02/09:

Dr. Johannes Ullrich of SANS said today on his Internet Stormcast that the Chinese press had reported that Black Hawk Safety Net was involved in using a botnet for denial-of-service extortion against Internet cafes. Authorities located them by tracing telephone calls. Ullrich described them as a “semi-organized group of script kiddies.”

Tom Kelchner

Sunbelt supports Safer Internet Day: Think B4 U post!

Sunbelt Software is supporting tomorrow’s Safer Internet Day, an awareness-raising initiative co-funded by the European Commission. Organizations in more than 60 countries are behind the campaign, this year focusing on the theme “Think B4 U post!”


New technologies have turned all of us, and young people especially, into publishers of information, pictures and videos. While they bring new opportunities for personal expression and creativity, the same technologies can also create embarrassing or even traumatic situations. Photos, for example, stay online once they have been posted and can be seen by anybody, even years later. Children and teenagers therefore need guidance to manage their online identity responsibly and to stay in control of it.

“We are proud to be supporting Safer Internet Day. Whilst it is generally assumed that the latest generation will be the most technologically savvy, we see that children are taking increasing liberties with their online identity and opening themselves up to a wealth of very real dangers,” explained Sunbelt Software CEO Alex Eckelberry. “By following this simple five point checklist they can enjoy the many social and academic benefits of the Internet safely.”

Sunbelt Software offers the following five-point checklist to both children and parents to enable a safer online experience:

1. Do not open any emails that come from senders you don’t know. Many of those emails have luring titles like “You have won a lottery” or “Happy birthday, I have a present for you” and so on. Never open any attachments that come with such emails, as it is likely that you will install a virus or a worm on your PC.

2. Try to avoid suspicious websites, and if you accidentally enter one that seems strange, leave it immediately.

3. If pop-up windows alert you or ask you to agree to anything, immediately close them and never click on any button inside them.

4. Install antivirus software such as Sunbelt Software’s award winning VIPRE on your PC. This will protect your computer against viruses and other malware threats. Antivirus software needs to be regularly updated, and can provide added security such as content or website filtering.

5. Install a firewall, which will keep watch on all files that go in and out of your computer.

About Insafe

Insafe is the European Safer Internet awareness-raising network co-funded by the European Commission. It’s made up of national contact centers across the European Union and in Iceland and Norway, with partner organizations in Argentina, Australia and the US. Insafe aims at empowering users to benefit from the positive aspects of the internet whilst avoiding the potential risks.

Further information is available at www.saferinternet.org, or contact info-insafe@eun.org.

Tom Kelchner

You’d think a company pursuing an IPO in this economy would clean up its act

You’d think that a company trying to raise several hundred million with an initial public offering of stock would tell their affiliates to be on their best behavior for a while.

For example, maybe they’d discourage them from hacking government web sites to attract search engine hits on the word “bestiality,” then redirect browsers to the company’s site.

The sites: [screenshot of the search results]

The code: [screenshots of the code on the hacked pages]

Remember Adult Friend Finder? Penthouse Media Group (which also owns Penthouse magazine) purchased the online adult… ah… dating service in 2007 for $500 million. Well, now they’re called FriendFinder Networks, Inc. In December 2008 they filed with the U.S. Securities and Exchange Commission for permission to make an initial public offering of $460 million of stock.

That timing wasn’t too good given the near collapse of the global economy back then, so last month they amended their IPO filing in hopes of raising $220 million. Lead underwriters are Renaissance Capital and Ledgemont Capital Markets LLC. Co-managers are Merriman Curhan Ford and Lighthouse Financial.

See story “FriendFinder Still Sees IPO, But Less Capital Raised (FFN)”

In 2007 AdultFriendFinder.com settled an enforcement action by the Federal Trade Commission, which charged that their explicit online pop-up ads violated federal law. The settlement barred them from “displaying sexually explicit online ads to consumers who are not seeking out sexually explicit content.” (Story here.)

Thanks Eric Howes.

Tom Kelchner

Major U.S. crackdown on work-at-home fraud coming?

The U.S. Federal Trade Commission today announced that next Tuesday they will hold a news conference to make public details of “a law enforcement sweep cracking down on job and work-at-home fraud fueled by the economic downturn.”

The media advisory said that the news conference would feature David C. Vladeck, director of the FTC’s Bureau of Consumer Protection, an assistant attorney general and the Ohio Attorney General. The advisory listed as “also attending” representatives of the U.S. Postal Inspection Service, Monster.com and Microsoft.

People recruited through Internet ads as work-at-home employees (also called “money mules”) are often used as conduits for funds stolen from the bank accounts of individuals or companies that have been victimized by phishing or spear-phishing. The money mules set up bank accounts into which the stolen funds are transferred. They are instructed to keep a portion of the funds and wire the remainder to the scammers, who are generally outside the U.S.

In November, the FBI reported that it had been notified of about $100 million in attempted losses from such scams.

Prominent computer security blogger Brian Krebs ( http://www.krebsonsecurity.com/ ), formerly of the Washington Post, has reported extensively about losses from similar scams from small and medium size businesses in the last few months.

A blog piece he did in January “Top 10 Ways to Get Fired as a Money Mule” is not only a good description of the work-at-home scam, but is very funny as well.

FTC media advisory here.

Tom Kelchner

Trojan code sneaks into two Mozilla add-ons

Mozilla yesterday posted a notice on its AMO blog (that’s an acronym for their add-on site addons.mozilla.org) that two add-ons have been found infected with Trojan code: Sothink Web Video Downloader v. 4.0 and all versions of Master Filer.

Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen and Master Filer contained Win32.Bifrose. According to the blog, Master Filer was downloaded 600 times before it was removed from the site Jan. 25, and Sothink was downloaded more than 4,000 times before it was removed Feb. 2.

Mozilla said “AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.”

Blog post here.

Update 02/10:

It turns out that the Sothink Video Downloader 4.0 was NOT infected. It was tagged as malicious because of a false positive in the scanner that Mozilla used at the time.

Mozilla posted the following yesterday:

“Since that disclosure, we’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware. The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan. Our estimate of 6,000 affected downloads has been revised to under 700. The Sothink Video Downloader has been re-enabled on AMO.”

Mozilla’s update here.

Tom Kelchner

Tech support hell

Funny and too close to the truth:

When you finally do get through to an agent, you’ll hear something like: “Welcome to DSL technical support, my name is Larry how can I help you today?” You give Larry your account number and begin to explain your situation, knowing all the while that this is a formality. As soon as you stop talking he’ll begin the same dance you’ve danced every time you call tech support. You conclude your exhaustive rundown of your case history. There’s a beat, and then Larry responds, “I understand sir. Can you tell me. Is your computer plugged in?”

Link (Warning: off-color language).

Everything we aim not to be in our support.

Alex Eckelberry
(Thanks Jamie)

Haiti relief scams: more than 170 reported to feds

USA Today is reporting that federal law enforcement agencies have taken more than 170 complaints about Haiti earthquake relief scams. They expect more on social networking sites such as Facebook and Twitter. The scams include spam email, fraudulent web sites and in-person scams.

The story advises those wishing to check on the legitimacy of a relief organization to check the web site of the American Institute of Philanthropy ( http://charitywatch.org/ ), which rates charities.

The Institute says that charitable organizations should spend 75 percent of the cash they raise on their charitable work and no more than 25 percent on fund-raising expenses. Its web page lists several dozen legitimate charities providing relief for the victims of the Haiti earthquake here.

Story here.

Tom Kelchner

Phishing scam steals carbon credits

Wired magazine has run a story on a phishing scam in Europe, New Zealand and Japan that resulted in the loss of 250,000 carbon credit permits worth $4 million from six companies.

The phishing emails spoofed the German Emissions Trading Authority and said that the victim companies needed to re-register their accounts with the authority. When victims entered their information on the fraudulent web page linked from the phishing emails, the scammers accessed their accounts, transferred emissions credits to accounts they controlled and then sold them. The amount the scammers made hasn’t been disclosed.

Wired cited information from the BBC and the German newspaper Der Spiegel.

Story here.

User education. User education. User education. User education.

Tom Kelchner

Human factors: compulsive Internet life can replace the real thing

Psychologists doing research at Leeds University in the UK found that people who spend an excessive amount of time on the Internet show signs of depression, although they did not determine whether the online behavior caused the depression or whether depressed people simply spent more time online.

Catriona Morrison, the lead author, wrote in the journal Psychopathology: “This study reinforces the public speculation that over-engaging in websites that serve to replace normal social function might be linked to psychological disorders like depression and addiction.”

The research is the first such study of people in the west. The researchers analyzed the Internet use and depression levels of 1,319 people in Britain between the ages of 16 and 51. They concluded that 1.2 percent were “Internet addicted” and “spent proportionately more time browsing sexually gratifying websites, online gaming sites and online communities. They also had a higher incidence of moderate to severe depression than normal users.”

“What is clear is that for a small subset of people, excessive use of the Internet could be a warning signal for depressive tendencies,” Morrison said.

Story here.

The “Internet addiction” headlines mostly have been from Asia recently, where marketeers have been trying to convince the public that 10 percent of them are Internet addicted and in need of rehab camps (complete with military-style discipline, beating deaths and electro-shock therapy) that cost thousands.

See our blog piece “China bans use of electroshock therapy” from August.

In the U.S., what is believed to be the first Internet addiction treatment center, called “reStart Internet Addiction Recovery Program,” opened last summer near Fall City, Wash.

See our blog piece “First Internet addiction treatment center opens in Washington state”

Tom Kelchner

VIPRE is a finalist in UK’s Network Computing Awards

VIPRE is among nine finalists in the Security Product of the Year category of the 2010 Network Computing Awards competition. Voting on the Network Computing web site will continue until Feb. 22.


“The Network Computing Awards were launched to recognise the companies, the products and the services that have most impressed the readers of the UK’s longest established computer networking publication.”

“Categories have been refined to recognise the hardware, software and managed services that can assist an organisation in operating securely, efficiently and responsibly in today’s world.”

Awards will be presented on 4th March at Guoman Tower Hotel, London.

More information here. 

Tom Kelchner


Phony Firefox update comes with Hotbar adware

Our good friends at Broomfield, Colo., security firm eSoft have found an interesting scam to trick Internet users into installing the Hotbar adware: a fake Firefox download site.

The eSoft researchers are theorizing that an affiliate of Pinball Publisher Network (PPN) is responsible. Pinball bought the Zango assets after that pestilent operation failed last spring.

However, Sunbelt Software Spyware Research Manager Eric Howes did some more digging and found that PPN offers the download file on a site they own, so affiliates can send victims there for downloads.

The PPN home page notes that PPN is itself distributing the custom Firefox installer that PPN put together and digitally signed from this web site:

http://freesoftwaredl.com/

The PPN setup wizard says that the distribution of Firefox is “sponsored” by Hotbar. We’re wondering what that means. In reality, they’re taking a distribution of Firefox and infecting it with adware.


We blogged about the Pinball Publisher Facebook fan site last week.

eSoft blog piece here.

The real site to download a legitimate copy of the Firefox browser is here:
http://www.mozilla.com/en-US/firefox/personal.html?from=getfirefox

Tom Kelchner

Update 02/04:

PPN made and signed the installer that both PPN directly and their affiliates indirectly are distributing. That’s why PPN is responsible for what’s going on at the affiliate site that eSoft found — the affiliates are only promoting a download created and hosted by PPN itself. PPN itself is running a web page that promotes the same bundleware install that the affiliate site is offering.

Thanks Eric

It’s lame ransomware, but it could fool somebody

Our researcher Adam Thomas found this little gem today. It’s distributed with other malware, cracks and drive-by downloads. It purports to be a security warning from your Windows operating system.

[Screenshot: the fake Windows security warning]

Notice the “Visa, MasterCard, etc” – it doesn’t even bother to list all the cards it accepts.

[Screenshot: the payment form]

The really cool thing about it is that it takes FAKE credit card numbers as well as real ones!

[Screenshot: a fake card number being accepted]

Thanks to Sunbelt Software researcher Francesco Benedini for help with the analysis.

Tom Kelchner

Pushdo/Cutwail/Pandex botnet attacking major sites

No one is sure why the Pushdo botnet is running a distributed denial-of-service-like attack against over 300 major web sites including the CIA, Mozilla labs, SANS and Twitter, according to the Shadowserver Foundation. Pushdo is also called Cutwail and Pandex.

The botnet has been spewing initial SSL connection requests, causing servers to return an SSL negotiation error. The attacks don’t appear to be of sufficient intensity to knock any of the target sites offline and possibly could be a mechanism to mask the botnet’s other traffic.

SecureWorks said Pushdo is sending the SSL packets to port 443. The botnet also uses that port for command-and-control traffic.

Last June, MessageLabs estimated that the Pushdo botnet, believed to be the world’s largest, consisted of 1.5 to 2 million bots that pumped out 74 billion spam messages per day (51 million per minute). They said 14 percent of the bots were in Brazil, 14 percent in South Korea and 10 percent in the U.S.

Story here.
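The aborted-handshake noise described above shows up in ordinary web server logs. As an added example (not from the post, Shadowserver or SecureWorks), the Python below counts failed TLS handshakes per client in an nginx-style error log and flags sources that burst past a threshold inside a sliding time window; the log lines, addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of an nginx error log (not real traffic).
# 198.51.100.7 hammers port 443 with aborted handshakes; 203.0.113.9 is a
# single legacy client; 192.0.2.44 fails five times but spread over ten minutes.
SAMPLE_LOG = """\
2010/02/01 12:00:00 [info] 1234#0: *100 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
2010/02/01 12:00:01 [info] 1234#0: *101 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2010/02/01 12:00:02 [info] 1234#0: *102 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2010/02/01 12:00:03 [info] 1234#0: *103 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2010/02/01 12:00:04 [info] 1234#0: *104 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2010/02/01 12:00:05 [info] 1234#0: *105 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2010/02/01 12:00:07 [error] 1234#0: *106 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.9, server: example.test, request: "GET /favicon.ico HTTP/1.1"
2010/02/01 12:00:09 [info] 1234#0: *107 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2010/02/01 12:02:00 [info] 1234#0: *108 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
2010/02/01 12:04:00 [info] 1234#0: *109 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
2010/02/01 12:06:00 [info] 1234#0: *110 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
2010/02/01 12:08:00 [info] 1234#0: *111 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
"""

# Matches only failed-handshake lines; other error-log noise is skipped.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] .*?"
    r"SSL_do_handshake\(\) failed .*?client: (?P<client>[\d.]+)"
)


def parse_handshake_failures(log_text):
    """Return (timestamp, client_ip) pairs for failed TLS handshake lines."""
    events = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group("client")))
    return events


def flag_handshake_flooders(log_text, threshold=5, window_seconds=60):
    """Map client IP -> peak count of failed handshakes inside any sliding
    window of window_seconds, for clients that reach the threshold. A burst
    of aborted handshakes is the pattern described; one odd legacy client is not."""
    by_client = defaultdict(list)
    for ts, client in parse_handshake_failures(log_text):
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, peak in sorted(flag_handshake_flooders(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} failed handshakes within 60s")
```

Widening the window (for example to 600 seconds) also catches the slow, spread-out client, which is the trade-off to tune against the low-intensity traffic described above.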