iPad Spam has entered the building

It was only a matter of time before the merest of “iPad” mentions on sites such as Twitter would result in autospammed messages like this:

[Image: iPad spam]

These bots will fire a message claiming “we need someone to test and keep one iPad” (or simply “Free iPad here”) to anyone discussing the latest gadget to hit the streets, sending you to various promotional sites like the one below:

[Image: offers site]

You’ll have to fill in a big chunk of personal information and “receive the incentive gift package by completing two reward offers from each of the Top, Prime and Premium reward offer page options…completion of reward offers most often requires a purchase or filing a credit application and being accepted for a financial product such as a credit card or consumer loan.”

Me? I’ll wait for the sales, thanks.

Christopher Boyd

UK firms face info security D-Day

Tomorrow the UK’s Information Commissioner’s Office (ICO) gets the power to fine businesses up to £500,000 for significant breaches of the country’s Data Protection Act.

News site V3.CO.UK quoted Information Commissioner Christopher Graham in January: “As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people.”

They also wrote that “The new powers have been welcomed by many in the industry, who have hitherto seen the ICO as a largely toothless watchdog.

“Jonathan Nugent, a solicitor with PricewaterhouseCoopers Legal, argued that they should help to tackle the threat of continued data breaches.”

Commentators said the new powers should prompt IT departments to seriously review their procedures to be sure they are in compliance with good data safety practices. Enterprises also should begin or expand employee training to be sure customers’ personal data is safeguarded.

The Commissioner’s Office was granted the fining power by action taken by the Secretary of State for Justice in January. Initial provisions for the power to impose fines were in a 2008 Criminal Justice and Immigration Act.

Story here.

— Tom Kelchner

Nokia.de(faced)

I’m almost certain this shouldn’t be on the Nokia.de webspace, lurking under the “online.nokia.de” subdomain:

[Image: Nokia defacement]

Don’t worry though, Admin – they “just changed your index”.

This isn’t the first time Nokia domains have come under attack. The above defacement – by an Albanian hacker called “Spammer” – seems eager to let the webmaster know they can help with the bugs, but I’m pretty sure an email would have been just as useful. Nokia.de have been notified of the defacement, but I’ve had no word back as of yet.

Christopher Boyd

Firefox claims 30 percent market share

Mozilla.org has made public a report that says its Firefox browser has 30 percent market share worldwide. Assuming it’s true, that is a six percent increase since a news story last November.

The Mozilla Metrics report 1Q2010 says the browser has 39.2 percent penetration in Europe (152.7 million users) and 29 percent in the U.S. (100 million users). Mozilla claims 350 million users worldwide. Adoption is quickest in Russia (20 percent increase in the first quarter), the report said.

Mozilla Metrics Report here.

In November, ZDNet reported the following browser adoption statistics:

“Internet Explorer 6 is the most commonly used web browser, according to web analytics firm Net Applications. At the time of writing, IE 6 had 23 percent of the market, while IE 7 and 8 each held 18 percent. Rival browser Firefox 3.5 had 14 percent, while Firefox 3 had 9 percent. Overall, Internet Explorer had 65 percent market share, while Firefox had 24 percent.”

Tom Kelchner

Eliminate two thirds of comp security risk!

Don’t run your PC with admin privileges

Sometimes in life you know something is a risk, but you don’t know how BIG a risk it is until somebody actually checks it out. There was a German scientist in Russia who repeated Ben Franklin’s kite-in-the-thunderstorm experiment but didn’t live to write up his results.

Los Angeles security firm BeyondTrust has released an analysis of Microsoft’s 75 security bulletins last year. They came to the startling conclusion that if users had operated their computers without administrative rights they would have eliminated 64 percent of their risk from Microsoft vulnerabilities!

That’s a NO COST way to eliminate 64 percent of risk!

The key section in their report:

“By examining all of the published Microsoft vulnerabilities in 2009 and all of the published Windows 7 vulnerabilities to date, this report quantifies the continued effectiveness of removing administrator rights at mitigating vulnerabilities in Microsoft software.

“Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

• 90% of Critical Windows 7 vulnerabilities reported to date
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009”

BeyondTrust apparently has made risk management through eliminating unnecessary privilege a successful business model. Their site is here: http://www.beyondtrust.com/

Setting up a non-admin account for normal use has been good advice for years. Maybe this report will help emphasize it to a lot of users who wouldn’t have thought it important enough to bother with.

Tom Kelchner

Dead Zango installers haunt Download.com

This is an interesting historical quirk, more than anything else – but I thought it merited a blog post. If you’ve seen me rattling around the Internet pre-Sunbelt, you might be aware I have a bit of a sparring history with a company called 180 Solutions / Zango.

Or, as The Register once put it:

“…its chief tormentors – Ben Edelman, an assistant professor at the Harvard Business School, and Chris Boyd, former security researcher at Facetime Security – continued to document evidence of malpractice by Zango years after the FTC settlement.”

Anyway. While looking for random things to play with on Download.com, I noticed this:

[Image: Zango downloads]

A nice collection of Zango files. Quite a few installs too, from the looks of it, with one program alone totalling 2,326 downloads. All of the files were added on 10/01/2004, which could either be the 10th of January or the 1st of October, depending on whether or not you’re a confused Englishman like myself.

Here’s an obligatory close up shot of one of the pages:

[Image: Zango install page]

“In exchange for free access to games, users are shown 2–3 websites while browsing online”. All of the Zango files offered up are pretty tame, but I find it a little surreal to think that all of these files have remained on Download.com through the years while this, this, this, this and, well, all of this took place.

You can still download the files and run them (assuming your security software doesn’t block it, of course) but no program will spring to life – instead, you’ll see the following message appear in a browser window:

[Image: dead installer message]

Yes, all of the programs appear to be dead which is a shame as I was really looking forward to playing David Vs Goliath. Or not, as the case may be…

Christopher Boyd

Spam web sites moving from .cn to .ru

Scum on the run

Security blogger Brian Krebs is reporting some good numbers that show spammers are no longer registering their domains in China (.cn) since that country started requiring actual on-paper registrations and business licenses, which precludes anonymous registration.

AND their new top-level domain of choice, Russia (.ru), is going to make life difficult for scammers and spammers there too. “Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers,” Krebs wrote.

Krebs had statistics from researchers at the University of Alabama at Birmingham which he cross checked with data from computer forensics investigator Andy Fried of the Internet Systems Consortium, in Redwood City, Calif. Fried found the same radical shift from .cn to .ru registrations.

So, where next?

The big question hovering over all of this is: “where are they going to go next? What rogue state is going to smell money and let them in for a price?”

That might not be entirely a bad thing. Spam exists because it’s an incredibly cheap way to advertise. Raising the cost of doing business just might reverse its explosive growth. Funny how markets operate.

Krebs blog here: “Spam Site Registrations Flee China for Russia”

Tom Kelchner

Will fuzzing save civilization as we know it?

Tom Gallagher, senior security test lead with Microsoft’s Trustworthy Computing group, was extensively quoted in news stories today as he described how his group found 1,800 software flaws in Office 2010 by running millions of “fuzzing” tests.

According to ComputerWorld, “Microsoft was able to find such a large number of bugs in Office 2010 by using not only machines in the company’s labs, but also under-utilized or idle PCs throughout the company. The concept isn’t new: The Search for Extraterrestrial Intelligence (SETI@home) project may have been the first to popularize the practice, and remains the largest, but it’s also been used to crunch numbers in medical research and to find the world’s largest prime number.

“‘We call it a botnet for fuzzing,’ said Gallagher, referring to what Microsoft has formally dubbed Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team.”

“Fuzzing” was in the computer security news headlines last week after Baltimore, Md., researcher Charlie Miller won the CanSecWest security conference Pwn2Own hacking contest for the third time. Miller said he’d used fuzzing to find 20 security vulnerabilities in Adobe Reader, the Apple Safari browser, Mac OS X and PowerPoint. He declined to tell the companies about the flaws, but demonstrated his fuzzing technique and told them to use it themselves.

If fuzzing, which obviously can find 1,800 software bugs at a crack, becomes extensively used, Charlie Miller might be in line to become the first cyber saint! A computer security landscape without vulnerabilities would be a different country indeed.
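What “running millions of fuzzing tests” actually means, reduced to a runnable sketch added here (this is not Microsoft’s DFF or Miller’s tooling): a toy record parser that trusts its length field, the same parser with the check added, and a mutation fuzzer that finds the bug in the first and nothing in the second. The record format, the seed input and the mutation set are all constructed for this example.

```python
import random

# Constructed toy format: [type:1][length:1][payload:length bytes][checksum:1],
# where checksum is the XOR of the payload bytes.
SEED = bytes([0x01, 0x03, 0x61, 0x62, 0x63, 0x60])   # valid record, payload b"abc"


def parse_record(data: bytes) -> dict:
    """Buggy parser: it trusts the length field in the header."""
    if len(data) < 3:
        raise ValueError("malformed: too short")      # deliberate rejection, not a bug
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]                        # slicing silently shortens
    # BUG: the checksum offset comes from the untrusted length, so a length
    # larger than the bytes actually present indexes past the end (IndexError).
    checksum = data[2 + length]
    xor = 0
    for b in payload:
        xor ^= b
    if xor != checksum:
        raise ValueError("malformed: bad checksum")
    return {"type": rtype, "payload": payload}


def parse_record_fixed(data: bytes) -> dict:
    """Hardened parser: validate the length against the real record size first."""
    if len(data) < 3 or len(data) < 3 + data[1]:
        raise ValueError("malformed: truncated record")
    return parse_record(data)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: flip a bit, overwrite a byte, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Mutation fuzzer. ValueError is the parser's own rejection of bad input and is
    expected; any other exception is a crash and is recorded with its input."""
    rng = random.Random(rng_seed)                       # fixed seed: reproducible run
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes
```

Each crashing input is kept, so a failing case can be replayed against the parser directly, which is how a fuzzing harness turns a crash into a reproducible bug report.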

Note to the darkside: don’t worry, there’s still social engineering.

ComputerWorld story: “Microsoft runs fuzzing botnet, finds 1,800 Office bugs”

Sunbelt Blog: “Firefox, IE8 and Safari hacked at CanSecWest”

Tom Kelchner