Sunbelt Weekly TechTips #37

Test your memory
Recently Tom (my husband) started experiencing some weird problems with his primary computer. Windows would reboot by itself for no reason, programs wouldn’t install, etc. After a lot of weeping and wailing and gnashing of teeth, he was able to track down the problem: some of his memory had gone bad for some reason. He switched it out with the RAM from another computer and the problems magically disappeared. Memory problems can emulate many other problems, though. If you suspect you might have bad memory, you can use Microsoft’s Windows Memory Diagnostic to test your RAM for errors. Check it out here.

Computer Shutdown Day: Was it a big bust?
Saturday, March 24 was declared Computer Shutdown Day by, well, the folks at shutdownday.org (warning: you may find some of the words/content on that site offensive). The idea was for everyone to go 24 hours without using their computers. I admit it: I didn’t do it, and based on the amount of spam that came in, I wasn’t the only one. Did you shut down for the day? If so, was it a good experience or a bad one? Or were you one of the many folks I talked to who said that, despite a fair amount of publicity, they had never heard about the effort? Great idea, or just silly? 

Should you buy software on eBay?
eBay can be a good place to find a bargain, but sometimes those “great deals” are just a little too good to be true. The risk is especially high when it comes to buying software, since it can be impossible to know whether the programs you’re buying are legal or not, and some may even have embedded viruses or spyware. A “gray” area is the selling of OEM versions of software, which are supposed to be bundled with hardware. Read more about the problems here.

Why is the Apple pot calling the Vista kettle black?
Sure, the Apple commercial is cute. You know, the one where the dashing, “hip” guy representing the Mac shakes his head in amazement as the nerdy PC guy’s “bodyguard” – who presents Vista’s User Account Control (UAC) protection – throws up “Cancel or Allow?” dialogs whenever PC tries to do/say something. If you haven’t seen it, you can view it here.

Cute, but is it really a fair representation of the difference in intrusiveness between Vista’s and OS X’s security? My good friend George Ou says maybe not. Read his take on it here.

Installing the wrong program no longer kills my computer
You may hear some folks complain that their favorite third party programs don’t work on Vista. And it’s true that a lot of the “little” applications and utilities, especially freeware, haven’t yet been updated to work with the new OS. I’ve tried a fair number of such programs to find that they either wouldn’t install or wouldn’t work after installation. But something I noticed and really appreciated is that not one of these failed installations hosed my computer. Instead, I just got an error message or the program refused to run. The rest of the operating system was unaffected. That’s a welcome change from earlier versions of Windows. The infamous “blue screen of death” is a thing of the past – and I’m not sorry to see it go.

How to install the upgrade version of Vista on a wiped disk
You qualify to buy the upgrade version of Windows Vista because you have a copy of XP, but you don’t want to run the upgrade and have all that old code floating around in your Vista installation. Upgrades are notorious for having more problems than clean installs so you’re perfectly willing to bite the bullet and go through all the configurations to get your preferred settings back. But will you also have to pay more for a full copy of Vista? According to Adrian Kingsley-Hughes at CNET, here’s how to do a clean install of Vista with the upgrade copy.

How to change the system/boot drive letter in XP
If you break a mirror volume or for some other reason the drive letter of your system and/or boot drive gets changed so that the drive now has the wrong letter (not the one assigned to it when you installed the OS), you’ll find that the Disk Manager won’t let you change the letter of those drives. This is to protect you from making changes that render the OS unbootable, and you should make those changes only if the drive letter got changed as described above. To do so, you have to edit the registry. Be sure to back it up first.

  1. Log on with an administrative account.
  2. Click Start | Run and type regedt32.exe to open the registry editor.
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM
  4. In the right pane, click MountedDevices.
  5. On the Security menu, click Permissions and ensure that Administrators have full control.
  6. Close regedt32.exe and run regedit.exe. Navigate back to the same registry key.
  7. Locate the drive letter you want to change (such as \DosDevices\C:), right click it and select Rename.
  8. Rename it to the letter you want it to have (such as \DosDevices\D:).
  9. Close regedit.exe and run regedt32.exe again to change the permissions on the key back to Read Only.

You’ll need to restart the computer for the change to take effect. Be very careful about renaming drive letters of system/boot drives.
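The same rename can be scripted so that the backup, the sanity checks and the rename happen in one step. The script below is an added example and is not from the newsletter or from Microsoft; it assumes Windows PowerShell 2.0 or later is installed, that you are running it from an administrative session, and that you have already given Administrators Full Control on the MountedDevices key (step 5 above). The parameter names and the backup file location are this example’s own choices.

```powershell
# Added example: rename a \DosDevices\ entry under HKLM\SYSTEM\MountedDevices
# (steps 7-8 above) after exporting the key as a backup. Assumes an elevated
# Windows PowerShell 2.0+ session and that Administrators already have Full
# Control on the key (step 5 above). Reboot afterwards for the change to apply.
param(
    [Parameter(Mandatory=$true)][ValidatePattern('^[A-Z]$')][string]$From,   # current letter, e.g. C
    [Parameter(Mandatory=$true)][ValidatePattern('^[A-Z]$')][string]$To,     # wanted letter,  e.g. D
    [string]$BackupDir = $env:TEMP                                            # where the .reg backup goes
)

$keyPath = 'HKLM:\SYSTEM\MountedDevices'
$oldName = "\DosDevices\${From}:"
$newName = "\DosDevices\${To}:"

# 1. Export the whole key first so the change can be undone with 'reg import'.
$backupFile = Join-Path $BackupDir ("MountedDevices-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\MountedDevices' $backupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of MountedDevices failed; nothing was changed." }

# 2. Show the current letter-to-volume mapping. Each value is a binary volume
#    identifier; the value NAME is what carries the drive letter.
$key = Get-Item -Path $keyPath
$names = $key.GetValueNames()
$names | Where-Object { $_ -like '\DosDevices\*' } | ForEach-Object {
    '{0,-16} {1,3} bytes' -f $_, $key.GetValue($_).Length
}

# 3. Refuse to clobber an existing letter. Swapping two letters (C <-> D)
#    needs a free temporary letter first: C->Z, D->C, Z->D.
if ($names -notcontains $oldName) { throw "$oldName is not present in MountedDevices." }
if ($names -contains $newName)    { throw "$newName already exists; move it to a free letter first." }

# 4. Rename the value. This is the registry equivalent of steps 7-8 above.
Rename-ItemProperty -Path $keyPath -Name $oldName -NewName $newName
Write-Host "Renamed $oldName to $newName. Backup: $backupFile. Restart the computer to apply."
```

Save it as, say, Rename-DosDevice.ps1 and run `.\Rename-DosDevice.ps1 -From C -To D`. The check in step 3 matters because Rename-ItemProperty will fail, or worse, leave two letters pointing at different volumes, if the target name is already taken; as the newsletter says, a wrong letter on the system or boot drive can leave the machine unbootable, which is why the export in step 1 is not optional.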

Possible security vulnerability in Windows Mail
Vista includes a brand new built in email program, Windows Mail, which takes the place of Outlook Express. It has some impressive features, but it’s possible that it can be exploited by attackers who send malicious links in email, to allow them to run applications on the user’s computer without permission. Read more about it here.

How to aggregate the bandwidth of two modems.
If you’re in one of those unfortunate areas where broadband Internet connections aren’t available, it’s possible, if you have two phone lines, to use two modems and get double the bandwidth from a dialup connection.  If your ISP supports a feature called Multi-link, you can indeed install two modems in your computer and combine the bandwidth of two physical links into one Internet connection. Here are the instructions for using it with Windows XP Home or Professional edition.

Erase files from a CD-RW disc in XP
If you have a CD recorder installed on your computer and it supports CD-RW (rewritable) discs, you can erase the data on a CD and use it again for something else. You don’t even need third party CD burning software to do it. Just follow the instructions in KB article 306641.

Gain access to the System Volume Information folder in XP
XP deliberately makes it difficult for you to access the System Volume Information folder, which contains data used by the System Restore feature. It’s a hidden system folder and there’s one on each partition on your computer. How to access it depends on whether your XP computer is using FAT32 or NTFS. For instructions in both cases, see KB article 309531.

Deb Shinder

Flame Away: Does the ‘Net Make People Nastier?

Last week, I ran across this article from the Associated Press about how the anonymity (or perception of same) that we have on the Internet leads some people to say and do things they would never say or do in their “real life” relationships.

It’s a phenomenon I’ve discussed here before, but some of the responses to last week’s blog post (which I’ll quote – at least those that are fit for a family forum) brought that fact home again. Some people get downright mean when they’re communicating electronically, and it’s hard to believe that all of them act that way in their offline lives.

Now, this is by no means a universal thing. It seems as if being online often has an effect similar to imbibing alcohol. You know how some folks, when they drink, still act pretty much the way they do when they’re sober but a little more relaxed, while others get all happy and funny and still others turn vicious? Likewise, people are affected differently by the act of slipping into an online persona.

For instance, there’s a person I had known in the “real world” for many years and had never been at all close to. I found her loud and abrupt and often rude, avoided her socially whenever possible but stayed connected to her because of other mutual relationships. Then we found ourselves exchanging email – and the person she became in her written messages was like someone entirely different. The negativity I had come to expect from her in response to everything I said was gone. Her messages were polite and friendly and thoughtful, and for the first time, we became friends of a sort.

But I’ve seen the opposite happen too many times, watching in amazement as someone I had always liked turned into an online monster, flaming people left and right, using language I’d never heard them speak, taking offense at the slightest disagreement.

When I write on a controversial subject, I expect to get lots of replies from those who disagree with my opinions. And after many years at this, I expect that a certain number of those won’t be very nice about it. In fact, I know a lot of writers – and their publishers – who feel the more heated the responses, the better; it always means a higher hit count and for every reader who says “I’m unsubscribing because I think you’re an idiot,” three more start reading because after all, it’s human nature to crave a little spice now and then, both in our food and in our discussions.

In fact, quite a few media personalities of all political persuasions have built multi-million dollar careers by ranting and raving on every topic. Those who have become household names get lots of hate mail, but their books keep selling, their radio and TV shows keep getting top ratings, and the money keeps pouring in.

When they’re espousing ideas we don’t like, we think of them as hotheads. When their philosophies and ideologies match our own, we tend to see them as brave souls who “tell it like it is.” Abe Lincoln said you can’t please all the people all the time, but pleasing half the people and making the other half mad as heck seems to be a formula that works very well for those with thick skins and a penchant for fame and fortune.

Maybe one reason for the popularity of extremists is the very fact that most people don’t dare express themselves that strongly in their own everyday lives. Expressing every negative thought that crosses your mind tends to have a less than positive impact on career growth, marital happiness, budding friendships and other real life circumstances that are important to most of us. So traditionally, we’ve let the professional ranters speak for us.

The Internet has made it easier for ordinary folks to let their hair down and pull out all the stops and express all those secret, nasty feelings themselves. The phenomenon of “flaming” – launching personal attacks on others out of proportion to whatever the flamer is responding to – first gained a foothold in newsgroups and mailing lists. It’s carried over to blogs, where you don’t even have to give your opponents the opportunity to respond if you don’t want to. And on the ‘Net, you can say mean things without risking your reputation by using a “screen name” that gives no clue to your real identity.

But has the Internet really made people meaner and less civilized? There have always been times and places where people say cruel things (listen in to any group of teenagers discussing those outside their clique). Some people just aren’t very nice, in general. And some people who generally are nice get carried away with their emotions when they feel very passionately about a subject. I’m not so sure that, deep down, people are any meaner today than they were a few decades or centuries ago (after all, they often gunned one another down in the streets in the Old West, and look at all the beheadings and such in Medieval times). But the ‘Net has made it easier to do your dirty work more anonymously and to spread it to a wider audience.

What do you think? Are you surprised at the nastiness that sometimes comes out in online discussions? Do you say things in email that you wouldn’t say in person, or do you know others who seem to turn into a different person when communicating online? Do you think the Internet is causing us to become less civilized?

Deb Shinder

So how many people click on bad search results

Recently, I wrote about the massive amount of crap comment spam pages in Live Italy, directing users to potential malware sites.

Fellow blogger Didier Stevens pointed out something really interesting to me: He did an analysis last fall on how many people actually click on these sites. How? He used the infamous AOL data, a veritable fount of fascinating information for researchers.

And he found that about 1% of AOL users were landing on these sites. Link here, with another related story here.

So…multiply 1% against the universe of computer users… that’s a lot of people hitting illegitimate sites (these sites may be pushing snake oil, cell phones — whatever — or malware).

Alex Eckelberry

Guerilla PR redux

Last week, I blogged about the practice of buying up negative names as a defensive PR measure.

As a follow-up, I’m posting part of an email I got from a blog reader (who asked to remain anon).

In the year 2000 (no this isn’t a Conan O’Brien skit) 2600 Magazine ran an article in their print version about how Verizon (which was a brand new company at the time) was registering about 700 domain names along the same lines. The article included every single domain name the 2600 writers could find. I’ve been searching 2600 online and can’t find that exact article (I’m not sure if they put the print articles on-line or not) but I can find several references to it, and to the ‘cyber-squatting’ suit Verizon filed against 2600 and Emmanuel Goldstein for registering ‘verizonreallysucks.com’. Link.

While searching through 2600 for the right article I came across a PDF of a deposition Eric Corley (aka Emmanuel Goldstein) gave when sued by Ford for registering ‘fuckgeneralmotors.com’ and pointing it to Ford’s website. Link here and here.

In item 24 Eric/Emmanuel describes Karl Rove registering 30 some odd domain names like ‘bushsucks.com’ and Verizon registering 700+ domain names.

In that point he also references a ‘”Lucentsucks” case’. A quick search of ‘lucentsucks’ reveals that some jokester registered that domain and put up a porn site. Lucent sued but the case was dismissed due to Lucent’s failure to comply with the Anti-cybersquatting provisions. Which is a bit off topic… but perhaps is part of the rationale behind mass domain registration.

So as my loyal reader points out, there are other people doing this and it’s been going on for some time [apparently at least since 1998 (Earthweb) but possibly earlier].

Any other examples out there you know of? Feel free to comment.

Alex Eckelberry

Da CookieMonstor will get you


This came to me recently: A site threatening to sue us because we scan for their cookies in CounterSpy:

Company: Searchalot, Inc.
Company website: http://www.searchalot.com/
Contact name: Gerald ODea
Product name affected: http://www.searchalot.com/
Product versions affected: All
Product is detected as: Cookie?
Software can be downloaded here: None
————————————————————
Brief description of software:
No software, and our site has absolutely no cookies. Please remove it
from your list or we will need to pursue this further with our law
firm, and you’ll be responsible for all of our legal fees.
————————————————————
Reason for submission:
to remove the searchalot.com site from your list as having some type
of bad cookie. we set no cookies on the site, so your description is
absolutely incorrect and it is causing us to lose users. We will use the
emails from users having a concern about using our site, because of
your software, as evidence of lost revenue, and we will definitely
prevail in court.
————————————————————
Code: DEV_SPYWARE

Needless to say, they’re right: cookies are no longer being pushed from that site, so we have taken them off.

But the idea of suing us because we scan for their cookies is just… out there. They need to listen to CookieMonstor disco and relax…

Alex Eckelberry

Gozi Trojan

Well worth reading. Really.

Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.

Link here.

Alex Eckelberry
(Hat tip to Richard Smith)

Omerta spyware scam

The good folks who run Omerta (a massive multiplayer text-based game) are beyond frustrated as they are being plagued by some slimeballs who are foisting off very dangerous spyware as Omerta’s.


What these pages install is a nasty piece of spyware, ProAgent (for one sample, Sunbelt Sandbox report here, VirusTotal results here).

Omerta players — be careful of any software for the game that’s not from the Omerta folks themselves.

Alex Eckelberry

QED

Something I’ve been pounding the table on for some time…

But it took a car seat scandal to make them realize that they need to talk to experts in industry to understand how to test.

Jim Guest, president of Consumers Union, the nonprofit publisher of Consumer Reports, said in an interview yesterday that in the future, the magazine would consult with a broad range of experts, including those from the industry, for establishing protocols for complex tests, but it would still make its final assessments on its own.

Good! Security software testing is complex, and very few people have it right. But the people in the industry can really help magazines like Consumer Reports report accurately — and help consumers make the right choice.

Alex Eckelberry

Sunbelt Weekly TechTips #36

OEM OS frustrations, revisited
Many of you wrote in regard to last week’s link to an article about the many folks who are having problems getting their promised OEM upgrades to Vista. It seems Dell (the subject of the original article) isn’t the only culprit; I also heard from people who had bought computers from Acer, Toshiba and other manufacturers with the upgrade option and have not been able to get their upgrades.

On a different but related note, many of you tell me that now that Vista has been released, many hardware vendors aren’t giving you any choice about it. Attempts to buy new computers with XP installed have resulted in many of you being told by Dell, HP, Acer and others that the model you’re buying can’t be ordered with XP installed.

Vista update released
Although no security patches were released on this month’s Patch Tuesday, Microsoft did release an update for Vista that will address compatibility issues with several applications. Several of these are games, but it also improves compatibility with some third party security-related software such as Trend Micro’s PC-cillin and AOL’s Safety and Security Center. If your Vista machine has automatic updates turned on, you’ll get the update automatically. If not, you can download it here.

Windows CardSpace makes identity management easier
If you peruse the Vista Control Panel, you’ll run across a brand new applet called Windows CardSpace. If you’re like most new Vista users, you won’t have any idea what it is. CardSpace is the client piece of Microsoft’s information card technology, an “identity selector” that allows users to select from a set of cards holding their personal information to authenticate to certain web sites or services, without having to remember all those user names and passwords. You can read all about it here.

How to add or change a user’s picture in XP
You can display a photo next to your name in the list of user accounts on the XP Welcome screen and on the Start menu. Here’s how to change the picture:

  1. Click Start | Control Panel.
  2. Double click the User Accounts applet.
  3. Select the user account for which you want to change the picture.
  4. Click Change the Picture.
  5. Click Browse For More Pictures, navigate to the graphics file you want to use and click it.
  6. When the picture you want is highlighted, click Change Picture.

How to resize Vista desktop icons
One of the complaints I hear about the Vista GUI is that “the icons are too big.” Well, fixing that is a simple matter. Here’s how:

  1. Right click an empty space on the desktop.
  2. Select View.
  3. Click Classic Icons.

Another way is to use the scroll wheel on your mouse or trackball. With the cursor on the desktop, press and hold the CTRL key and scroll the wheel to make icons larger or smaller.

IE 7 vulnerability lets phishers attack
A new vulnerability has been discovered in Internet Explorer 7 that could allow phishers to display fake content for trusted sites, without creating a false URL. The exploit takes advantage of the “Navigation Cancelled” page, and it’s recommended that you not click any links on that page until there’s a fix for the flaw. IE 7 is affected on both XP and Vista. Read more about it here.

Using XP on a computer with a quad core processor.
Is a quad core considered a single processor or as four? Well, good news for quad core fans: Microsoft has specifically defined a “processor” as a single chip that houses a collection of one or more cores. This was first announced in the document titled Multicore Processor Licensing that was published on the Microsoft web site in 2004 in expectation of the release of the first dual core processors. This document explicitly states that “Windows XP Professional can support up to two processors, regardless of the number of cores on the processor.”

Troubleshooting startup problems in Windows XP
Can’t get XP to start up properly? Unfortunately, there are a number of different possible causes, from corrupted files to hardware problems. You can find a quick guide to help you diagnose and fix the most common startup problems in KB article 308041.

How to set special permissions for files and folders in Windows XP
Special permissions are customizable sets of permissions that you can apply to files and folders stored on an NTFS-formatted partition. If your computer doesn’t belong to a domain, you’ll need to disable simple file sharing in order to set these permissions. KB article 308419 explains what all the available special permissions are and how to view, set and remove them.

How to use the Bootrec.exe tool to troubleshoot and repair Vista startup issues
If you have problems with the master boot record (MBR), boot sector or boot configuration data store (BCD store) that cause startup problems in Windows Vista, you can use the Bootrec.exe tool in the Windows Recovery Environment to figure out what the problem is and repair it. Find out how in KB article 927392.

Deb Shinder

In Defense of Perimeters and Security through Obscurity

This week’s editorial is sure to cause a firestorm with some in the security community. I’m sure my credibility will be attacked from all sides and I’ll be shunned by at least half the “experts” forevermore – because I’m about to question two sacred cows:

1) that there is no longer such a thing as a perimeter in network security, and

2) that “security through obscurity” is practiced only by idiots.

After spending the last week surrounded by other security professionals and hearing those two mantras repeated over and over, I decided it’s time for someone to offer a challenge. Unfortunately, security people seem to have latched onto these two ideas with absolute certainty.

First, let’s take a look at the new idea that somehow security perimeters have ceased to exist. This grew out of the very entertaining “Death of the DMZ” presentation introduced by Steve Riley of Microsoft a couple of years back. The point seemed to be that network boundaries are becoming less defined because of remote access, VPN, wireless access points, etc. And that was a good point – but it’s also a complex issue that has been reduced by many of Steve’s disciples to the simplistic chant that “there are no perimeters.”

That’s like saying that because more people now live in apartments and condos than on 100 acre walled estates, there are no physical perimeters anymore. Of course there are perimeters – in fact, there are now multiple perimeters. In some cases the boundaries have moved inward; just as you may now have control only over the space within your walls instead of all that acreage surrounding you, you now need to put more focus on protecting the host (individual computer) than you might have back when the internal network was more clearly separated from the Internet outside.

But the new model doesn’t mean that outer boundaries are gone completely. As the threat level has increased (both for networks and neighborhoods), we should be looking at more perimeter protection, not less. The fact that apartment and condo buildings must let many people into the common areas doesn’t mean they have to let everybody in. Gated communities use access controlled fences to keep out the casual wanderer. Are those controls perfect? Of course not – a determined intruder can sneak in on the coattails of an authorized resident or find out the key code through social engineering or even blow up the gate. But that doesn’t mean the perimeter controls are useless.

And neither are firewalls, DMZ networks and other protective mechanisms at the network edge useless just because they don’t, by themselves, completely protect the host computers inside. The “no perimeters” proponents seem to believe that any security mechanism that doesn’t provide 100% protection is worthless. The fact is that no security is ever 100% effective. If it were, legitimate users wouldn’t be able to get access to the resources they need.

This doesn’t mean we should just throw up our hands and give up on perimeter protection altogether. Instead, we need to recognize the importance of multi-layered, multi-level security strategies. We can’t expect the firewall at the network edge to create a LAN that’s totally safe any more than we should expect that living in a gated community means we don’t need to lock the doors of our individual homes. The edge firewall (and the gate) will keep out certain types of threats. Others, not so much. You still need to use mechanisms such as IP security, file level permissions, disk encryption, file encryption, Group Policy, wireless encryption and so forth to address all the perimeters present on today’s network.

Should you rely on perimeter protection for all your security? Of course not, just as you don’t rely on a locked fence to protect your valuables, but also put them inside a locked safe that’s inside a locked house that has a big, mean dog in the yard. But it’s silly to throw away one of the layers of your security plan just because it won’t do it all.

That brings us to our second topic: security through obscurity. This much maligned practice is mentioned in tones of contempt. It’s popularly considered to be not just worthless, but downright evil.

Of course, most of those who proclaim that only an idiot would practice security through obscurity are the same folks who’ll argue that it makes sense to use Linux or Mac, or to use “any browser but Microsoft’s” since it makes you a smaller target for the hackers. Isn’t that a form of STO? And if you truly believe obscurity plays no part at all in security, why don’t you flash your roll of cash when you’re out on the town? Why do you hide your expensive jewelry away in the bedroom instead of leaving it on the coffee table when you have a party? Why do you put valuables under the car seat or in the glove compartment if you have to leave them in the car, instead of leaving them out in plain sight to passersby?

In fact, such a fundamental security practice as keeping your password secret is a form of obscurity. The only thing that keeps an intruder from using it to log onto the network with your account is the fact that you’ve obscured it by making it long and hard to guess and not telling it to everybody.

If you say obscurity is a relatively weak form of security, I won’t argue with you. But to say it shouldn’t be used in conjunction with other, stronger technological security mechanisms to increase the overall level of security makes no sense at all. As any police crime prevention officer will tell you, the real purpose of security measures is to make it more difficult for an intruder to get in. Everything that slows him down makes it more likely that he will give up and move on to a house (or network, or computer) that’s less protected, that he can get into more quickly and easily. By putting obstacle after obstacle in his way, you build security for the items you want to protect most – whether that’s your diamond necklaces or your sensitive files – one piece at a time.

What do you think?

Is protecting the perimeter hopeless so you might as well not even try?

Is obscurity useless so you might as well advertise your sensitive information in flashing lights?

Or do security specialists who advocate such theories do a disservice to those they’re supposed to be helping protect?

Let me know your thoughts.

Deb Shinder

More on the Windows Live pwnage in Italy

As we reported earlier this month, Microsoft Live in Italy is serving massive amounts of infected pages through rogue search engine optimization by the Gromozon crew.

The Register has picked up the story and run with it.

To see for yourself, type “veicolo commerciale noleggio” into Live.com and watch what gets returned. The first result (at the time of writing, anyway) is for a site at b9n3q3.info/yb6u46p76.html, which uses a Javascript to redirect users to another site. This second site actively tries to install several varieties of malware, in some cases the nasty Trojan known as Rustock. This return is just one of many malicious referrals Live.com makes when entering the above search term, which is Italian for “commercial vehicle rental.”

Link here.

Some researchers might get confused by this exercise — because the results aren’t showing malware.

However, they will if you’re using an Italian IP address. Also, according to Francesco Benedini, a Sunbelt researcher and one of the foremost experts on Gromozon, “the Gromozon group pulls off every trick to make sure that when you’re surfing one of those sites you’re doing it with a real browser instead of an http crawler like wget; that includes headers that wget doesn’t normally put in place, like “Accept-language”, “Accept”, a proper user-agent, and apparently even that actual referrer is one of their sites.

So if you don’t live-test it with a real browser you’re not being redirected to their malicious pages. Also, there’s a server-side detection of the user-agent as well; an XP machine with SP1 and IE6 gets infected right away, an XP machine with SP2 and Firefox doesn’t.”

Alex Eckelberry

BMW dealership requiring thumbprints?

Wow, this reeks to high heaven. There are lots of BMW dealerships out there in Southern California. Go to one which does not have an absurd policy of demanding a thumbprint in order to buy a car (like this South Bay BMW and Mini outfit). The dealership is apparently owned by Hitchcock Automotive Resources — ironically, the subject of a Cisco White Paper.

Imagine you’ve gone through a multiple week process to purchase an automobile.

You know the drill. Research every feature, pick your color, then, it’s negotiations for purchase price and for trade-in. Everything is done and agreed-upon, and excited, you are ready to hand over the check and collect your new car.

But wait!

You are handed a slip of paper and told to mark your right thumbprint in a box. The paper says clearly that it’s a request, for your protection, and to prevent your identity theft.

When you politely decline, the dealership refuses to sell you the car.

This is precisely what happened to me today when I tried to purchase a new X3 at the South Bay BMW dealer in Torrance, California.

Link here.

Truly, what extraordinary audacity on the part of this dealer.

Here’s my advice: Don’t give anyone your thumbprint unless it’s statutorily required.

Alex Eckelberry
(Hat tip)

Seen in the wild: Trojan spawned on MySpace

My colleague John LaCour over at MarkMonitor shared this one with me. It just goes to show how social networks can be used to spawn malware (as Dan Hubbard at WebSense describes it, “Web 2 dot uh oh”). When you give anyone in the world the ability to rapidly and anonymously create web pages, and then invite “friends”, you’re asking for trouble.

John got an invite saying “Jocelyn wants to be my friend”. The invite showed a picture of a young lady in a bikini.

[Screenshot: the “Jocelyn” friend invite]

(Perhaps a more accurate portrayal might be here).

Once you check Jocelyn’s profile, you get a link to download the Zlob trojan, from http://privatemsprofiles(dot)net/download(dot)php.

[Screenshot: the MySpace profile with the download link]

(Obviously, don’t download this trojan, and don’t go to Jocelyn’s profile unless you’re in a virtual machine.)

Incidentally, do you want to guess what the number one piece of spyware out there is? Zlob. You can see this right on the front page of our research center, which pulls live threat stats from our ThreatNet network. (Zlob is a trojan that downloads as a fake “codec”, purporting to be required in order for you to view a video clip.)

[Screenshot: ThreatNet live threat stats]

What’s really sad is all those people that you can see on Jocelyn’s profile who have been pwned.

Alex Eckelberry

Higher education and infected wikis and tikis. It’s icky.

We’re finding buckets of infected forums, blogs, wikis and tikis. Many are “compromised” educational (.edu) sites, most likely broken into through unpatched vulnerabilities.

Take a look at some of these examples (offensive screens are thumbnailed for the easily offended):

[Screenshot: search hits on the usc.edu system]

As you can see, a vast number of hits for sites on the University of Southern California system (usc.edu) that have been taken over by porn.

But it’s not only USC.

We have Virginia Tech:

[Screenshot: Virginia Tech search hits]

On this one Virginia Tech page, we get some really nasty porn (which we’ve covered up), with an offer to view more porn after installation of a fake codec:

[Screenshot: Virginia Tech page with the fake codec offer]

Here’s the University of Maryland:

[Screenshot: University of Maryland search hits]

Searching Google for this one term brings up some rather disturbing stuff:

[Screenshot: Google results for the search term]

Similarly, searching for “amatuer porn movies free” on Google brings up more nasty stuff, including this:

[Screenshot: Google result on the Callutheran site]

Now, in the case of the Callutheran site, it’s a wiki: there is a PHP script that loads HTML from a porn site (http://www(dot)bigvideosonline.com/lesbians/index(dot)php?id=1403&style=orange). How did the script get there? We don’t really know, but suspect it could be a MediaWiki vulnerability.

A search for “Cheating Wives movies frees inurl:edu” brings us this:

[Screenshot: results for the inurl:edu search]

And here’s more, Indian River Community College and USC:

[Screenshot: Indian River Community College and USC hits]

Sniffing around one place, we find wide open access:

[Screenshot: open directory listing]

So there’s an open directory listing with a keyword list and two PHP scripts that load the security-scam hijacker’s porn pages or redirect to rogue applications like Privacy Protector:

[Screenshot: Privacy Protector redirect]

It literally goes on and on and on and on and on.

Alex Eckelberry
(With copious credit to Sunbelt researcher Adam Thomas)

Security theater: Massive prank at the Superbowl

Some of you may already know of this one, but it’s not widely known. zug.com did a massive prank at the SuperBowl. Whether it actually happened or not (I think it probably did), it’s worth checking out.

And this note by the author, John Margrave, is dear to my heart and something I’ve written about before:

We live in a zero-risk society, convinced that more security, more police, more searches, and more technology will make us more safe. This is false. As we’ve proven, even four comics and a cameraman can outwit the most tightly-controlled event in history. Everyone did their job. No one did anything wrong. But no system is completely safe.

Life involves risk.

I want to leave you with this final thought. Life is some risky business. When we cling to the illusion of security, we give up our freedom and our privacy. When we willingly remove more clothing at airport security, when we allow our government to pass wiretapping legislation, when we give them power to spy on us, we are giving away our precious civil liberties that our founding fathers earned with blood.

Link here (via BoingBoing)

Alex Eckelberry

Another explosion in Connecticut

As you may know, I’ve been deeply involved in the case of Julie Amero, the hapless substitute teacher convicted of four felony counts for impairing the morals of a child, while the defense contends that Julie was a victim of popups and spyware. The rest is history, as the tech community exploded into her defense.

Yet the local Norwich, CT paper has continually taken the side of the prosecution, with virtually every story laced with implications that Julie deserved her sentence. However, the stories were always veiled as “unbiased journalism”, looking at “both sides of the story”.

Well, their true colors were finally shown today. They dropped a bombshell editorial, going on the record that Julie deserves these four felony counts:

Amero could receive up to 40 years, if she gets the maximum sentence allowable for each of her four convictions of risk of injury to a minor, and the judge orders them to be served consecutively. It’s an unlikely sentence, even though children were exposed to six hours of Internet pornography under Amero’s watch. We think Amero is likely to receive some sort of community service, and it would be a fair sentence.

Amero has many supporters, which should not sway the court, as most of them have formed opinions based on limited knowledge of the facts of the case, or simple hearsay. At the heart of this international debate is whether Amero was responsible for causing the pornography to be on the computer screen for an entire school day, when seventh-grade students were able to view it. Many in the technology field have suggested she was the victim of a “porn storm,” which were frequent problems in 2004, when the incident occurred. Some suggested the computer was overtaken by malware or spyware, technical parasites that will plant unwanted images, pop-ups, etc., onto a computer. Some have suggested Amero was the victim of a conspiracy by students.

The answer I posted:

You say that Amero’s supporters have limited knowledge of the case — yet many supporters are basing their arguments on the very same trial testimony that you are using. I’m not sure I understand this logic.

In this country, one understands that there is the concept of proportional justice, where “the punishment will fit the crime”. In this case, the crime was ignorance, and for this you demand a felony conviction, which will ruin Amero’s life. Do you have any idea what an effect a felony conviction has on someone’s ability to work and live?

You had a pregnant substitute teacher nearing 40 who had popups on the computer. The trial testimony shows that she went for help and attempted to keep the children from seeing the images — even going so far as to push a child away. And despite what anyone says, it’s not clear that these popups were occurring “all day” – in fact, it’s apparent they occurred for less than 2 hours.

Comparing these popups to “a fire in a trashcan” or a “racy magazine on the desk” is misleading. A fire, a magazine, a fight in the classroom — these are all things that people in general have experience in. With computers, you’re entering a different realm — how many relatives or friends do you have that are computer illiterate and really do think that turning off the monitor will end up turning off the computer itself?

Allow me to point out that intent to harm a minor played a role in this case. And yet, we see no proof from the testimony that there was any intent to harm by Amero.

Let’s leave “armchair” jurisprudence to the legal experts. They know the law, let them decide if ignorance is the basis for a devastating felony conviction.

Prominent USA Today journalist Andrew Kantor also comes to her defense, here.

And you can read the transcripts for yourself here and come to your own conclusions.

Alex Eckelberry

Guerrilla PR: Buying up negative names

Earlier this month, an environmentally-oriented blog posted some interesting research. Johnson & Johnson, the maker of Splenda, has gone out and bought buckets of potentially negative domain names.

Some examples:

splendasucks.net, .org, .biz, .info
splendakills.net, .org, .biz, .info
splendatruth.com, .net, .org, .biz, .info
splendapoison.com, .net, .org, .biz, .info
thedangersofsplenda.com, .net, .org, .biz, .info
thefactsaboutsplenda.com, .net, .org, .biz, .info
thesplendadangers.com, .net, .org, .biz, .info
thesplendafacts.com, .net, .org, .biz, .info
victimsofsplenda.com, .net, .org, .biz, .info
thetruthaboutsplenda.net, .org, .biz, .info
thesplendatruth.com, .net, .org, .biz, .info
splendatoxicity.com, .net, .org, .biz, .info
splendatoxicitycenter.com, .net, .org, .biz, .info
splendavictims.com, .net, .org, .biz, .info
splendahealth.com

Many, many more here (via Domain Name Wire).

Interestingly, they didn’t manage to get splendasucks.com, which is a blog by a fellow who really doesn’t like Splenda (he says it gives him rashes and is made with chlorine).

Now, buying up negative names to control your PR image isn’t new. EarthWeb owns the domain earthwebsucks.com, and I’m sure there are many other examples.

If you know of any other similar activity by corporations, post a comment with more info or contact me directly.

Alex Eckelberry