Archive for September 2004

Rosenberger Article on Raw Sockets

Back on August 12th, I wrote an article on the disappearance of raw sockets from Win XP in Service Pack 2.
Rob Rosenberger has written his take on this, available here. He writes that this is the removal of an internet standard. The real problem is the failure of ISPs to perform proper egress filtering on their routers.

Feeding Media Egos

Tim Mullen has a totally awesome article over at SecurityFocus on the tech writers' reaction to XP Service Pack 2.

http://www.securityfocus.com/columnists/265

It is a great article on the frenzy of reporting/bashing surrounding SP2, as every minor blemish, or anything that was wrong in XP and is still not fixed, becomes a major blemish. It causes typical users to flee in terror from a service pack that will do them a lot of good.
“In the Feeding of Media Egos, everyone leaves vulnerable.”

CERT Recommends SP2

The U.S. Computer Security Response Team has recommended that all users install Service Pack 2 for Windows XP.
http://www.us-cert.gov/cas/alerts/SA04-243A.html
Reasons:
Windows Firewall: Windows Firewall is enabled in almost all configurations, blocking network traffic coming into your computer. Blocking this traffic helps to protect you from worms and other malicious code that spread via the Internet.
Internet Explorer Local Machine Zone Lockdown: New settings for Internet Explorer disable the execution of ActiveX controls and Active scripting in the Local Machine Zone. This protects you from attacks and vulnerabilities such as Download.Ject.
Additional Internet Explorer Security Changes: Internet Explorer now includes a pop-up blocker, additional window restrictions, and changes in MIME type handling that better defend against social engineering and “phishing” attacks. A browser add-on management interface provides a way to identify and disable programs that run as part of Internet Explorer. Enhanced protection against security zone elevation and object caching vulnerabilities helps defend against malicious web scripts.
Email Handling Technologies: Outlook Express now supports the ability to read and compose messages in plain text and to block external HTML content such as “web bugs.” Security checks are now performed in a more consistent way to help prevent the execution of malicious attachments.
Security Center: The Security Center “…provides a central location for changing security settings, learning more about security, and ensuring that [your] computer is up to date, with the essential security settings that are recommended by Microsoft.”
Automatic Updates: The update services and automatic update feature of Windows XP have been improved. US-CERT highly recommends that you enable Automatic Updates.
Data Execution Prevention: Memory protection helps prevent attackers from executing code on your computer.

Drive by Spammer Cops a Plea

Nicholas Tombros is reportedly ready to accept a plea deal in the face of CAN-SPAM charges of breaking into another person's computer to send spam.
Tombros drove through beachfront Venice, California, looking for unsecured wireless networks and used them to send porno spam. Also interesting is how he got the email addresses: he stole them from a credit card aggregation company where he worked.
So we've got a lesson there about companies needing to secure your data. And fill out that privacy election form we get once a year from the credit card company. Otherwise our contact info will be shared with a company that doesn't secure our info.
I wish I could find an article on how this guy was caught. Also kind of curious about why the company who paid for the spam wasn’t charged also.

Infoworld’s antiSPF article

There is an article over at InfoWorld about a CipherTrust study of SPF.
CipherTrust reports that only 5% of mail is using SPF, and of those using it with correct syntax, spammers and legitimate sites are represented in equal numbers.
InfoWorld breathlessly reports this in a manner that would indicate that even before the standard is ratified it has been circumvented by the spammers. Those who continue reading down the page find this really isn't true.
SPF is not intended to end the problem of spam. It is intended to end the problem of mail spoofing. (Sidenote: Microsoft's implementation, SenderID, apparently only checks the visible header, not the envelope header, so this apparently wouldn't solve the problem of a forged envelope-from resulting in employees getting virus notices from other companies for messages they didn't even send.) Spammers registering their own domain names with SPF doesn't allow them to continue to spoof valid addresses at other domains.
The real problem with SPF is the lack of implementation by major players. Even commonly phished credit card companies and banks haven't jumped on board. The article points out that only 31 of the Fortune 1000 have SPF records.
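To make the envelope-versus-visible-header distinction concrete, here is an added example (not from the post, and not any real SPF or SenderID implementation) of a simplified SPF check run over constructed DNS records: a spammer who publishes SPF for their own domain passes on the envelope sender, but a spoofed bank address in the visible From: header still fails.

```python
import ipaddress

# Constructed TXT data standing in for live DNS lookups; these are not real records.
FAKE_TXT = {
    "bank.example":    "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    txt = FAKE_TXT.get(domain.lower())
    return txt if txt and txt.startswith("v=spf1 ") else None

def check_spf(domain, client_ip):
    """Evaluate a simplified SPF record (ip4/ip6 mechanisms plus 'all') against
    the connecting IP. Returns pass, fail, softfail, neutral or none."""
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # mechanisms default to '+' (pass)
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qualifier]
    return "neutral"                        # nothing matched and no explicit 'all'

def evaluate_message(client_ip, envelope_from, header_from):
    """SPF proper checks the envelope (MAIL FROM) domain; the post's sidenote says
    SenderID looks at the visible From: header instead. Report both results."""
    env_domain = envelope_from.rsplit("@", 1)[1]
    hdr_domain = header_from.rsplit("@", 1)[1]
    return {"envelope": check_spf(env_domain, client_ip),
            "header": check_spf(hdr_domain, client_ip)}
```

Run against a message from 203.0.113.5 with envelope sender bounce@spammer.example and visible From: alerts@bank.example, the envelope result is pass and the header result is fail, which is exactly the case the sidenote is worried about.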

IE still vulnerable to Phishing

One of my users got an email supposedly from SunTrust which advised the user to go to https://internetbanking.suntrust.com/verify/default.asp, otherwise their credit card or account would be suspended. The URL actually went to http://219.117.228.247/verify. This is a computer in Japan running Red Hat Linux.
Of course this is garden-variety phishing. What I found interesting is that even on a fully patched version of Internet Explorer the real location is hidden from the user.
At this website, right-clicking is prevented in IE. The address bar displays an https:// SunTrust URL. The lock is missing down in the status bar.
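As an added defensive example, not from the post, here is a small parser that flags HTML mail links of the kind described: anchors whose visible text is an https:// bank URL while the real href goes over plain http to a bare IP address. The sample message and its IP (a documentation address, not the one in the post) are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_deceptive_links(html):
    """Return (href, shown_text, reasons) for anchors that look like the phish."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and shown.hostname and shown.hostname != target.hostname:
            reasons.append("visible URL host differs from real href host")
        if target.hostname and _is_ip(target.hostname):
            reasons.append("href points at a bare IP address")
        if shown and shown.scheme == "https" and target.scheme == "http":
            reasons.append("shows https but actually links over plain http")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample modelled on the message in the post (documentation IP, not the real one).
SAMPLE = ('<p>Go to <a href="http://192.0.2.7/verify">https://internetbanking.suntrust.com/verify/default.asp</a>'
          ' or your account will be suspended.</p><p><a href="https://example.com/">Help</a></p>')
```

Running find_deceptive_links(SAMPLE) reports the first link with all three reasons and ignores the plain "Help" link.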

MessageLabs announces partnership with Brightmail

MessageLabs announced today that they will be offering the Symantec Brightmail anti-spam service in addition to the Skeptic heuristic anti-spam service they currently provide.