Adobe mea culpa

Well, it’s a start. PDF and SWF exploits are a major infection vector right now. Getting security updates out rapidly and proactively is essential.

Vulnerabilities are no longer an opportunity to bash Microsoft. All software vendors (and even more so the ubiquitous ones, like Adobe, WinZip, etc.) have to be extremely proactive on this front.

Blasted three months ago for being slow to fix a zero-day vulnerability in its popular PDF viewer, Adobe today promised it will root out bugs in older code, speed up the patching process and release regular security updates for Adobe Reader and Acrobat.

Link here.

Alex Eckelberry

New blogger in the house

Tom Kelchner

You may have noticed a bit of a different voice here in the blog.  Tom Kelchner, our recently-hired research manager, is now guest blogging. 

Tom has worked for many years in the anti-virus industry, as an Information Security Analyst with ICSA Labs, and then as Senior Threat Engineer with the EarthLink Threat Research Group in Orlando, Fla. He is a former newspaper reporter in Harrisburg, Pa., and government public relations specialist, having served as Deputy Press Secretary to former Pennsylvania Governor Robert P. Casey. He also served as an electronics technician on various submarines during a six-year enlistment in the U.S. Navy.

He does not, however, blog about surfing, commodities pricing or blown CPUs.

Alex Eckelberry

Microsoft announces it will retire memcpy() command

Microsoft has rather quietly announced on the Microsoft Software Developer’s Network blog (link here) that the memcpy(), CopyMemory() and RtlCopyMemory() functions will be retired soon in an effort to eliminate the threat of memory overwrites.

The blog piece said, “I am ‘proud’ to announce that we intend to add memcpy() to the SDL C and C++ banned API list later this year as we make further revisions to the SDL.”

The function, available in Microsoft’s C runtime and in many other C-related languages, has been responsible for the memory overwrite problems that led to a number of Microsoft security updates, including:

• MS03-030 (DirectX)
• MS03-043 (Messenger Service)
• MS03-044 (Help and Support)
• MS05-039 (PnP)
• MS04-011 (PCT)
• MS05-030 (Outlook Express)
• CVE-2007-3999 (MIT Kerberos v5)
• CVE-2007-4000 (MIT Kerberos v5)

Developers can easily update code by replacing calls to memcpy() with a safer call to memcpy_s(), which requires an extra parameter: the size of the destination buffer.
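To make the extra parameter concrete, here is an added example (not code from the post, the MSDN blog or Microsoft’s CRT): a portable bounds-checked copy with the same parameter order as memcpy_s(), followed by a fixed-size path buffer that uses it and always null-terminates. The names checked_memcpy, store_path and PATH_BUF_LEN, and the 16-byte buffer size, are this example’s own assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Portable stand-in for memcpy_s(dest, destsz, src, count), written for this
 * example; it is not Microsoft's CRT implementation. The extra destsz
 * parameter is the point: the copy is refused when count exceeds the
 * destination size. Returns 0 on success, EINVAL for a null pointer and
 * ERANGE for an oversized count; on failure the destination is zero-filled
 * (when it can be) so no partially written data is left behind. */
int checked_memcpy(void *dest, size_t destsz, const void *src, size_t count)
{
    if (dest == NULL)
        return EINVAL;
    if (src == NULL || count > destsz) {
        memset(dest, 0, destsz);
        return src == NULL ? EINVAL : ERANGE;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Assumed fixed buffer size, standing in for the "defined size such as the
 * fixed path length" that Windows path buffers have. */
#define PATH_BUF_LEN 16

/* Copy a length-delimited, possibly unterminated string into a fixed buffer.
 * Unchecked: memcpy(out, untrusted, len) overruns out whenever len > outsz.
 * Checked: reserve one byte for the terminator, refuse anything longer, and
 * always terminate, so a later strlen()/strcpy() cannot run off the end.
 * Returns 1 if stored, 0 if rejected (out is then an empty string). */
int store_path(char *out, size_t outsz, const char *untrusted, size_t len)
{
    if (outsz == 0)
        return 0;
    if (len > outsz - 1 || checked_memcpy(out, outsz, untrusted, len) != 0) {
        out[0] = '\0';
        return 0;
    }
    out[len] = '\0';
    return 1;
}

int main(void)
{
    char path[PATH_BUF_LEN];
    /* Constructed inputs: one that fits, one 20 bytes long that must be refused. */
    int ok = store_path(path, sizeof path, "C:\\temp\\x", 9);
    int refused = store_path(path, sizeof path, "AAAAAAAAAAAAAAAAAAAA", 20);
    return (ok == 1 && refused == 0) ? 0 : 1;
}
```

The design choice worth noting is that the destination size is passed by the caller who owns the buffer, so the check cannot be skipped by a caller who only knows the source length; the terminator byte is reserved separately because memcpy_s() itself knows nothing about strings.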

Sunbelt Software Vice President Michael St. Neitzel said: “That’s what I’ve been doing for years. When you’re dealing with buffers, you really have to make sure you don’t overwrite them. A string that is not null terminated can easily override string buffers, since in Windows they typically have a defined size such as the fixed path length.

“A bad programmer will manage to do this insecurely. It’s like giving a powerful sports car to an amateur. The anti-lock brakes, electronic stabilization program and automatic speed reducing aren’t going to protect him from having an accident. But an experienced driver can disable all of those things and not scratch the car. Driver, developer – both may make mistakes.”

Tom Kelchner

Wolfram launch tonight

It’s tonight. Readwriteweb has a pretty good overview of the event, including this:

  • Wolfram Alpha is not a general purpose search engine – it does not directly compete with Google and if you treat it like Google, you will inevitably be disappointed
  • check out the copious amount of examples from the homepage – they will give you a good idea for the type of queries that Alpha can handle best
  • here is one thing we can almost guarantee: you will be disappointed at first (especially if you were expecting a Google killer)
  • Alpha is a great tool, but it takes some time to learn about its limits and strengths. Unlike Google, some searches simply won’t return any result at all

Article Link.

Alex Eckelberry

One Controversial Way to get P0nEd

This might be one of the first indications of a not-so-good trend.

In the “Gadgetwise” column of the N.Y. Times, under the title “Five Controversial Ways to Speed your PC” (link here) writer Paul Boutin suggests uninstalling anti-virus applications as a way to speed up a PC. He also said the threat from viruses and malware was overhyped.

Well, we don’t think it’s ever been overhyped and we REALLY don’t suggest turning off malware protection.

Yes, in recent years, many malware scanners have slowed down, largely because of the vast, exponentially rising surge of new threats. Some of the big name scanners seriously need to be rewritten.

Boutin specifically mentioned in his column that Symantec’s Norton 360 “dragged my Toshiba’s performance to a crawl.”

There is nothing more frustrating than a really slow machine when you’re trying to get something done, and, yes, I remember turning off an anti-virus application many years ago. It was in the days before the World Wide Web. Boot-sector viruses were a problem. My machine had no contact with the outside world except for an internal email system and occasional disks. I did turn the scanner back on before I shut down the machine for the day, and I didn’t leave disks in the drive. So, I don’t think that was a badly reasoned choice. But that isn’t true today.

One not infrequently sees estimates that a huge percentage of all the traffic on the Internet is devoted to, well… ahem… viewing photos and videos of people with no clothes on. That means a lot of people are visiting sites that are notorious for the distribution of malware. Even sites where the people in the pictures keep their clothes on have been loaded — intentionally or by hackers — with malware that you can download accidentally. Wanna buy a completely useless AV scanner for $49.95? Can I interest you in a nice browser plug-in that will give you just loads of advertising and show you what a slow machine REALLY looks like?

And, God, don’t even get me started on the crap that people (or botnets) forward in e-mail. A good estimate is that more than 90 percent of e-mail is spam, and a frightening amount of that is intended to phish your bank account or PayPal account login or anything else with a monetary value that might be on your PC or in your head.

It’s here, it’s weird and it’s coming to a PC near you in a couple of new ways every day.

So, if you’re thinking of joining a trend and turning off your malware scanner to squeeze some more speed out of the old Toshiba, just consider a faster scanner, like Vipre.

Sunbelt Software’s Vipre was written from the ground up last year and achieves its lightning speed from some rad new technology. (Check it out here).

Tom Kelchner

Spaghetti code

Dear Lord. One wonders how many lives may have been or will be potentially ruined by this:

“As a matter of public safety, the Alcotest should be suspended from use until the software has been reviewed against an acceptable set of software development standards, and recoded and tested if necessary. An incorrect breath test could lead to accidents and possible loss of life, because the device might not detect a person who is under the influence, and that person would be allowed to drive. The possibility also exists that a person not under the influence could be wrongly accused and/or convicted.”

Link here (via /.). Further commentary by Schneier here.

Alex Eckelberry

The changing threat landscape, yada yada

Actually, a very good article in this issue of Processor. Nothing radically new here, but the writer understands the problem and states it clearly.

“The day of the [AV] scanner being the main line of defense is dead . . . it’s just that most people don’t know it yet,” says AVG’s Thompson. Last year alone, AVG added more than 650,000 signatures to its antivirus engine. “There are 20,000 to 30,000 unique binary samples every day. The bad guys know how to beat a scanner.”

It’s also worth noting that tests that focus on virus detections are completely useless in evaluating an anti-malware solution. Today’s malware is a totally different, vicious animal — and detection is also only part of the picture. Remediation is as important as detection to enterprise customers.

More here.

Alex Eckelberry

PPC waste — sloppy or just a cost of doing business?

The so-called “Google tax”, where an AdWords vendor pays for traffic that would have gotten to them anyway, is a long-running problem that most marketers simply pay as a cost of doing business.

To understand the problem, you can simply search for a popular corporate name like “delta airlines” — the “first” result is a paid adword (“sponsored link”) from Delta.  Many people click on the paid link, not realizing they just cost Delta some money.  Delta very likely knows this but takes it as a cost of doing business — they do want to make sure you go to their site.


These types of problems are a part of any marketer’s cost of doing business. Years ago, we had the problem of adware pushing affiliate links to sites which a user would have gotten to anyway (like someone searching for “Dell” and getting a popup for a Dell affiliate — Dell ends up paying a commission to someone it didn’t even need to).

Ben Edelman came out with an interesting piece yesterday which expanded on the problem.  If you’re involved in PPC marketing, it’s worth reading his article.

Alex Eckelberry


I want a real virus…

Yes, it’s humor.

I want a REAL VIRUS. One that causes mass chaos across the entire planet, and does so in the real world, not just in stories created by bored news reporters trying to make a buck. Hell, why not create a computer virus that actually spreads the swine flu to every linux user on earth. After all, most windows users hate linux users, so let’s wipe them off the face of the earth. If you recall, linux users like to boast that their so-called “superior” operating system is virus free. Let’s prove them wrong and put them in their rightful place once and for all. I don’t know about you, but I’m damn tired of them thinking they are superior human beings to everyone else just because they are too damn cheap to actually pay for a copy of Windows, and would rather spend their entire lives in some cheap rented basement filled with damp mildew because they are too busy trying to get their computers to work, than to actually get a job.

Alex Eckelberry

You might be surprised (and infected) if you search for nude Rihanna pics

The internets are buzzing — pictures of an allegedly naked Rihanna were posted on Friday.

Inevitably, the curious or libidinous will search for these pictures. And they just might find a few surprises.

Right now, if you search for “rihanna nude” on Google, you might get some odd results.

The third search result is a page on Microsoft’s TechNet, pushing malware. And just further down is another link which leads to malware.

Here’s how the technet.com page looks (this has already been reported and should be gone soon):

[Screenshot: the technet.com page]

Which, when clicked, leads to celebsxx net, a malware site pushing a malicious fake codec.

Further down, a separate search result leads to a page at uvouch.com with a similar fake video image, which, when clicked, leads to another malicious fake codec site, fonblog net.

The malware campaign itself is nothing special. Just a fake user profile, with a simple animated gif linking to a malware site.


Same type of thing happening with Malin Ackerman (female star of the Watchmen).


…and plenty of other celebrities. A search of the Uvouch site itself is telling. The top results here all point to similar malware links (Megan Fox, Zoe Saldana, Tila Tequila, and so on):

[Screenshot: Uvouch search results]

So, no big surprises here. A spicy subject. Sex. Not-so-perfectly secured social networking environments. The result? Boatloads of people getting infected.

Alex Eckelberry

Security hysteria and snakeoil


Apparently advertised on newstarget.com, this product just about takes the cake for serving a large load of horse manure.

The advertisement:

NON-U.S. INTERNET SECURITY SOLUTION CD AVAILABLE: FAR BETTER THAN NORTON ETC

It has now been established that the National Security Agency (NSA) works with/controls Microsoft, Norton, McAfee, and others, in pursuit of the Pentagon’s vast BIG BROTHER objective, directed from the ‘highest’ levels (not the levels usually referred to) which seek to have every computer in the world talk direct to the Pentagon or to NSA’s master computers.

This should come as no real surprise since the cynical spooks even assert this ‘in-your-face’ by advertising ‘INTEL INSIDE’, which says exactly what it means. More specifically, NSA has made great strides in this direction by having a back door built into Microsoft VISTA. Certain computers, especially those labeled with the logo of the ‘fully collaborating’ firm Hewlett Packard, have hard-core setups which facilitate the remote monitoring and controlling of personal computers by NSA, Fort Meade. We now understand that if you are using VISTA* you MUST NOT enable ‘file and printer sharing’ under any circumstances. If you say ‘YES’, so to speak, to ‘file and printer sharing’, your computer becomes a slave at once to NSA’s master computers. DO NOT ENABLE SHARING.

Unfortunately, this abomination is so far advanced that this may not be the only precaution that needs to be taken. As long as Microsoft continues its extensive cooperation with NSA and the NSC (National Security Council), the spying system which assists the criminalized structures, and thus hitherto the Bush-Clinton ‘Box Gang’ and its connections, with their fraudulent finance operations, NSA may be able to steal data from your computer. The colossal scourge of data theft is associated with this state of affairs: data stolen usually include Credit Card data, which the kleptocracy regards as almost as good as real estate for hypothecation purposes. Even so, you can make life very much more problematical for these utterly odious people by NOT USING U.S.-sourced so-called Internet Security and anti-virus software. Having been attacked and abused so often, we offer a solution.

We use a proprietary FOREIGN Internet Security program which devours every PC Trojan, worm, scam, porn attack and virus that the National Security Agency (NSA) throws at us. We are offering this program (CD) to our clients and friends, at a premium. The program comes with our very strong recommendation, but at the same time, if you buy from us, you will be helping us finance ongoing exposures of the DVD’s World Revolution and the financial corruption that has been financing it.

The familiar US proprietary Internet Security programs are by-products of US counterintelligence, and are intended NOT to solve your Internet security problems, but to spy on you and to report what you write about, to centralized US electronic facilities set up for the purpose. You can now BREAK FREE from this syndrome while at the same time helping us to MAINTAIN THE VERY HEAVY PRESSURE UPON THE CRIMINALISTS WE HAVE BEEN EXPOSING, by ordering this highest quality FOREIGN (i.e., non-US) INTERNET SECURITY SOLUTION that we have started advertising on this website. This offer has been developed in response to attacks we have suffered from the NSA nerds who appear to have a collective mental age of about five years, judging by their output.

• To access details about the INTERNET SECURITY SOLUTION, just press THE LIVE LINK YOU HAVE JUST READ, or else press SERIALS in the red panel below. This opens up our mini-catalogue of printed intelligence publications. Scroll right down to the foot of that section, where you will see details of this service. When you buy this special product, you will also, as we clearly state above, be paying a special premium by way of a donation to help us finance these exposures.

The premium contains a donation for our exposure work and also covers our recommendation based on the Editor’s own experience that this INTERNET SECURITY SOLUTION will make your Internet life much easier. Some versions have a ‘Preview before downloading’ feature.

*VISTA: Virtual Instant Surveillance Tactical Application.

The cost? $300!

If you want to read more for humor purposes, you can find an article at the “World Reports” website at worldreports.org/worldreports/internet_security_solution (I’m not linking to them, so they don’t get any SEO benefit, but the site itself looks safe enough).

Now, if these guys ever got into the snakeoil registry cleaning business, they could really cash in.

Alex Eckelberry

Goodbye Borland

My first professional job in the software business was with Borland in 1987.

This is admittedly painful for many Borland alumni. But I suppose all things must come to an end.

It was a heck of a company.  I learned the software business there, acquired many of the guiding moral principles that are still with me today — and I had a lot of fun.

Alex Eckelberry

MIME sniffing

Over the past several months, researchers have seen a small number of phishing attempts taking advantage of a feature in older versions of IE called MIME Sniffing. It’s a weak attempt to bypass spam and phishing filters, by having a non-HTML link in an email.

It’s a pretty dumb hack, frankly. But it’s mildly interesting to observe.

Basically, a phisher takes advantage of a vulnerability in IE versions 4 through 7, where you can have the web server tell the browser that the content type is a particular type of file (jpg, png or gif), but actually render an HTML page (or whatever else).

What’s happening is that IE is “correcting” what it assumes is a mistake. The technique is explained in detail in this Heise article (thanks DJ).

Today, I saw an interesting phish, with the following URL:

acceghsh.nxt.ru/img/6.jpg?nin.ey.it/ws/e$ISAPI.dll?Sign&ru=http%3A%2F%2Fwww¬.it%2F

Or more simply,

acceghsh.nxt.ru/img/6.jpg

(the text string after the ? being simply garbage made to look like a querystring).

So, let’s use a simple tool like web-sniffer to see what’s going on here:

[Screenshot: web-sniffer output]

As you can see on the top of the screen, the server is telling the browser that it’s a JPEG file. But when we look at the content, it’s HTML.

And IE 7 will render it as HTML, because it’s assuming the web server made a mistake, and is correcting the “error”:

[Screenshot: IE 7 rendering the page as HTML]

Nifty, eh?

Let’s take a look at the same page in Firefox:

[Screenshot: Firefox rendering the page]

This whole MIME sniffing thing has been handled in IE 8. It’s the older versions of IE that display the page incorrectly.
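The header-versus-body mismatch that web-sniffer showed above is easy to check for mechanically, which is useful for mail or proxy filtering. The following is an added example written for this post (not the author’s tool, not web-sniffer, and not IE’s actual sniffing algorithm): it classifies a response body from its leading bytes and flags responses that declare an image Content-Type but carry HTML. The signatures, the function names sniff_body and declared_image_but_html, and the sample response are this example’s own constructions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Classify a response body from its leading bytes. Constructed signatures for
 * this example: JPEG FF D8 FF, PNG 89 "PNG", GIF "GIF87a"/"GIF89a"; a body
 * whose first non-blank bytes open a tag ("<" followed by a letter or "!") is
 * called HTML-like. Anything else is "unknown". */
const char *sniff_body(const unsigned char *body, size_t len)
{
    if (len >= 3 && body[0] == 0xFF && body[1] == 0xD8 && body[2] == 0xFF)
        return "image/jpeg";
    if (len >= 4 && body[0] == 0x89 && memcmp(body + 1, "PNG", 3) == 0)
        return "image/png";
    if (len >= 6 && (memcmp(body, "GIF87a", 6) == 0 || memcmp(body, "GIF89a", 6) == 0))
        return "image/gif";
    size_t i = 0;
    while (i < len && isspace(body[i]))
        i++;
    if (i + 1 < len && body[i] == '<' && (isalpha(body[i + 1]) || body[i + 1] == '!'))
        return "text/html";
    return "unknown";
}

/* Flag the pattern from the phish above: the Content-Type header claims an
 * image (any parameters after ';' are ignored) but the bytes look like HTML,
 * which is exactly what IE 4 through 7 would "correct" into a rendered page.
 * Returns 1 on a mismatch worth alerting on, 0 otherwise. */
int declared_image_but_html(const char *content_type, const unsigned char *body, size_t len)
{
    if (strncmp(content_type, "image/", 6) != 0)
        return 0;
    return strcmp(sniff_body(body, len), "text/html") == 0;
}

/* Constructed sample modelled on the post (not captured from the real site):
 * the header says JPEG, the body is an HTML sign-in form. */
static const char sample_content_type[] = "image/jpeg";
static const unsigned char sample_body[] =
    "<html><body><form action=\"login\">Sign in</form></body></html>";

/* Runs the check over the constructed sample; returns 1 because it mismatches. */
int sample_is_mismatch(void)
{
    return declared_image_but_html(sample_content_type, sample_body, sizeof sample_body - 1);
}
```

Two caveats when using a check like this in a filter: only the first few bytes are examined, so leading whitespace is skipped but comments before the first tag are not, and a body that starts with bytes that are neither a known image signature nor a tag is reported as unknown rather than as safe. On the server side, IE 8 honours the X-Content-Type-Options: nosniff response header, which tells the browser to trust the declared type and is the usual way for a site to opt out of sniffing.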

Alex Eckelberry
(Hat tip to N)