I regularly get bogus bounces from clueless virus scanners that don’t realize the sending address is fake 99% of the time, but this takes the cake:

Sometime last night I received three copies of the same notice from some system in Brazil. They had written their virus warning in Microsoft Word, saved it as HTML without cleaning up all the extra junk, and made it the only part of the message… in Base64 encoding!

If you’re going to send any kind of diagnostic notice by email, you want it to be as simple and widely readable as possible. That means plain text (not HTML or Base64, and certainly not both!). It also means that if you do want to use HTML, you should at least clean it up and include a plain-text alternative. For all you know it’s going to be read by some admin logging into a GUIless server through SSH over a modem connection on a hotel phone line!
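As an added illustration (not code from the original post), here is what the advice above looks like when a notifier is written in Python: the notice carries a text/plain part first and the HTML only as a multipart/alternative sibling, and a small check refuses any notice a bare-bones mail reader could not display. The `BAD_NOTICE` message is a constructed stand-in for the Base64-encoded, HTML-only bounce described above; all addresses are placeholders.

```python
import base64
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for the notice described above: an HTML-only body,
# Base64-encoded, with no text/plain alternative. Addresses are placeholders.
HTML_BODY = "<html><body><p>Your message contained a virus.</p></body></html>"
BAD_NOTICE = (
    "From: antivirus@mail.example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: Virus detected\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(HTML_BODY.encode("ascii")).decode("ascii")
    + "\n"
)


def build_notice(subject, text, html=None,
                 sender="postmaster@example.invalid", to="user@example.invalid"):
    """Build a notice the way the post asks for: a text/plain body first,
    with HTML (if any) only as a multipart/alternative sibling."""
    msg = EmailMessage(policy=default)
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = to
    msg.set_content(text)  # ASCII text goes out as 7bit, not Base64
    if html is not None:
        msg.add_alternative(html, subtype="html")
    return msg


def readable_text(msg):
    """Return the text/plain body a minimal mail reader could show, or None
    if the message has no plain part or ships it Base64-encoded."""
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None
    cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
    if cte == "base64":
        return None
    return part.get_content()


def check_raw(raw):
    """Parse a raw RFC 822 message and apply readable_text to it."""
    return readable_text(message_from_string(raw, policy=default))


if __name__ == "__main__":
    print("bad notice readable:", check_raw(BAD_NOTICE) is not None)
    good = build_notice("Virus detected", "Your message contained a virus.",
                        html=HTML_BODY)
    print("good notice readable:", check_raw(good.as_string()) is not None)
```

The check deliberately treats a Base64-encoded plain part as unreadable too, since the complaint in the post is as much about the encoding as about the HTML.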

This morning I received both a bogus “Out of Office” reply from someone at Halliburton (presumably from a virus that spoofed my address as the sender) and a new 419 scam variant, this one claiming to be someone in Iraq. (I still think of them as Nigerian scams, but they’ve gone seriously international over the past year or so.) Subject line: “EVERY IMPORTANT” (really!)

Something to consider on those vacation messages: I was just sent some random Halliburton employee’s cell phone number. Not that I have any use for it, but would you hand out your cell number to any random person on the Internet? I know I wouldn’t!

I just came across an article on non-password authentication that refers back to an April 2004 survey of office workers which found that “71% were willing to part with their password for a chocolate bar.”

Wow. I know they say everyone has their price, but this is ridiculous.

It reminds me of the comic book Underworld Unleashed, in which a demon approached various DC villains offering to give them enhanced powers in exchange for their souls. The Joker sold his soul in exchange for… a box of cigars. “They’re cubans!” he explained.

Another good one: “I work in a financial call centre, our password changes daily, but I do not have a problem remembering it as it is written on the board so that every one can see it.”

Un. be. lievable.

CNET posted an article today, Concern grows over browser security, about the rise in browser-based attacks (mostly spoofed sites for phishing, but also attempts to install viruses and other malware through web browser security holes).

What’s interesting about the article is that nowhere does it mention Mozilla, Opera or Safari.

Could it be that attacks through these browsers are less common than attacks through Internet Explorer, even adjusted for market share? (Sure, IE has more than 90%, but there are a lot of people using the others.)

Or could it be that the author has succumbed to the “Web Browser = MSIE” belief?

If nothing else, you’d think that their statistics would have a bit more information, but it’s a single number for “browser” attacks. Nothing more detailed than that.

To be fair, the press release doesn’t provide any better numbers. In fact, it mentions no browser by name at all. (One can hope their data is a bit more detailed, but the purpose of the study appears to have been to identify trends in types of attacks, not in the software targeted.) And yet IE is the only browser CNET mentions, despite the alternatives’ better security records.

Last month I finally got around to installing antivirus software on the one Windows computer we have at home. While I’ve found Norton Anti-Virus has worked well on my system at work, I ended up choosing McAfee Internet Security Suite for two reasons: (1) unlike Symantec, they don’t use a product activation scheme, and (2) since McAfee bought Deersoft, purchasing a McAfee-related anti-spam product should help fund SpamAssassin development.

Big mistake.

Since installing McAfee, this computer has crashed at least once each time I’ve turned it on (usually with a McAfee dialog box visible). The privacy service adds another login prompt, whether you want it or not. It tends to pop up dialogs when you’re in the middle of, say, running ScanDisk to make sure the system survived the crash McAfee caused five minutes earlier. And, ridiculously, the software and virus definition update runs through Internet Explorer.

By this I don’t mean that it expects you to go to the website and download an installer. That would be inconvenient, but acceptable (since you could choose what web browser to use). No, it pops up a “Check for updates” dialog box which then opens Internet Explorer, goes through a set of redirects until it opens a pop-up that looks like a download manager (but is clearly done using HTML), and then downloads and installs the update.

Now forget any issues you might have with buggy rendering, feature parity, monopoly abuse, antitrust, etc. Just look at IE’s track record on security.

Why would you want a security system to rely on something so notoriously insecure?

Symantec has its own update program that calls out, checks for updates, downloads them and installs. You can run it manually, or you can set it to grab and install virus updates automatically. Nowhere in this whole process does Internet Explorer come into the picture – or if it does, it’s hidden away where the power user won’t see it and say “What the hell do they think they’re doing?”

Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like www.paypal.com.scr, it was pretty obviously a virus.
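The filename alone gives that attachment away, and the same reasoning can be written down as a filter rule. The following Python is an added example, not from the original post: it flags an attachment whose final extension Windows would execute, and additionally notes when the rest of the name is dressed up as a web address (as with www.paypal.com.scr) or as a harmless document type. The extension lists are my own choice of common cases, not a complete set.

```python
import re

# Extensions Windows runs directly when the attachment is opened (a
# representative set chosen for this example, not an exhaustive list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "cpl"}

# Extensions a recipient expects to be a harmless document or page.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "xls", "txt", "htm", "html", "jpg", "gif", "zip"}

# A dotted sequence of hostname labels ending in an alphabetic top-level label.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def attachment_warnings(filename):
    """Return the reasons an attachment name looks like a disguised program.

    An empty list means the name raised no flags. Only names whose final
    extension is executable are examined further, since that is what would
    actually run if the user double-clicked the file.
    """
    name = filename.strip().lower()
    if "." not in name:
        return []
    stem, ext = name.rsplit(".", 1)
    warnings = []
    if ext not in EXECUTABLE_EXTENSIONS:
        return warnings
    warnings.append(f"executable extension .{ext}")

    # What comes before the real extension: a fake document type, or a
    # string that reads like a trusted site's hostname?
    inner = stem.rsplit(".", 1)[-1] if "." in stem else ""
    if inner in DOCUMENT_EXTENSIONS:
        warnings.append(f"document extension .{inner} hidden before .{ext}")
    elif HOSTNAME_RE.match(stem):
        warnings.append("name mimics a web address")
    return warnings


if __name__ == "__main__":
    for sample in ("www.paypal.com.scr", "invoice.pdf.exe", "report.pdf", "setup.exe"):
        print(f"{sample}: {attachment_warnings(sample) or 'no flags'}")
```

A mail filter would typically quarantine on the first warning alone; the extra reasons are there so the log entry explains why the name was judged deceptive rather than merely executable.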

With the new crop of email viruses – the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list – you get a few interesting effects.

The first is that there is a good chance you’ll receive many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it looks like hundreds of people are sending you the same virus, but in reality it’s just one infected machine.
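Grouping those log entries by connecting IP rather than by return address is what turns “hundreds of senders” back into one infected host. The script below is an added example, not the author’s mail server code: it reads log lines in a made-up format (the real server’s format is not given in the post), tallies rejected virus deliveries per IP, and reports the hosts that claimed several different senders. The IP addresses and mailboxes are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up format (not any real MTA's). Each VIRUS
# line records one rejected delivery: connecting IP, claimed sender, recipient.
SAMPLE_LOG = """\
2004-02-12T03:14:01 VIRUS ip=198.51.100.23 from=alice@example.invalid to=me@example.invalid
2004-02-12T03:14:03 VIRUS ip=198.51.100.23 from=bob@example.invalid to=me@example.invalid
2004-02-12T03:14:04 VIRUS ip=198.51.100.23 from=carol@example.invalid to=me@example.invalid
2004-02-12T03:14:06 VIRUS ip=198.51.100.23 from=dave@example.invalid to=me@example.invalid
2004-02-12T03:14:09 VIRUS ip=198.51.100.23 from=erin@example.invalid to=me@example.invalid
2004-02-12T03:20:44 VIRUS ip=203.0.113.8 from=frank@example.invalid to=me@example.invalid
2004-02-12T03:21:00 CLEAN ip=203.0.113.9 from=grace@example.invalid to=me@example.invalid
"""

LINE_RE = re.compile(
    r"^\S+ VIRUS ip=(?P<ip>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$"
)


def summarize_by_source(log_text):
    """Group rejected virus deliveries by the IP that connected to us.

    Returns {ip: {"copies": int, "senders": set, "recipients": set}}.
    """
    summary = defaultdict(
        lambda: {"copies": 0, "senders": set(), "recipients": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # clean deliveries and unrelated lines are ignored
        entry = summary[m["ip"]]
        entry["copies"] += 1
        entry["senders"].add(m["sender"])
        entry["recipients"].add(m["rcpt"])
    return dict(summary)


def likely_spoofing_hosts(summary, min_copies=3):
    """IPs that sent several copies under more than one claimed sender.

    Many distinct From addresses from a single IP means the From header says
    nothing about who is infected; the connecting IP is the real lead.
    """
    return sorted(
        ip for ip, entry in summary.items()
        if entry["copies"] >= min_copies and len(entry["senders"]) > 1
    )


if __name__ == "__main__":
    totals = summarize_by_source(SAMPLE_LOG)
    for ip in likely_spoofing_hosts(totals):
        e = totals[ip]
        print(f"{ip}: {e['copies']} copies claiming {len(e['senders'])} senders")
```

The same aggregation is what you would hand to the remote site’s postmaster: the IP and a count, since the return addresses in those copies belong to bystanders.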

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.
