Archive for October 2004
Microsoft Monitor takes aim at shoddy news.com reporting
News.com has been on the offensive against Internet Explorer as of late. They have run big articles with headlines asking if IE is heading toward extinction. I think that month IE usage slipped from 95% to 93%. Ooo, big scary!
So lately they run an article citing developer frustration with IE, then the next day they have an article on how AOL is building a new browser… wait for it… BUILT ON TOP OF IE. Now they may be contractually obligated not to use Netscape right now, but I still found it kind of funny. Which is it, news.com? Are developers fleeing IE or building more things on top of IE? I guess it depends on what day it is. I really think news.com has given up on mainstream tech reporting and is trying to get the open source crowd to stop by more. It's the TheRegister model: bash Microsoft to get visitors.
I particularly enjoyed the Microsoft Monitor's take on this and I'd encourage you to check it out.
aimBot
Saw this posted over on NTBugtraq. Sharp-ideas.net has an example program that uses AIM to run programs and send the result back to the requester. Basically a wrapper interacts with the person sending the message and it runs a basic set of commands. The example uses nmap, but a fleet of hacking/reconnaissance tools could potentially be used. AIM works very hard at traversing firewalls. So someone outside a firewall could send a command to a computer inside the firewall.
This solution doesn’t sound like it will scale very well. I suppose with AIM groups you could control a bunch of bots. A one-to-one connection could already be pulled off by sending someone a Trojan and then waiting for it to connect back on a specific port.
NCSA Survey says: Most have no clue how insecure they are
A survey by the National Cyber Security Alliance found that most people have no clue when they last patched or updated antivirus. 30% of people think they have a better chance at hitting the lottery than suffering a computer security problem.
According to the US National Weather Service, Americans have a 0.0000102% chance of being hit by lightning.
By contrast the chances of falling victim to a computer virus, phishing attack, malicious hack attempt or other cyber security dangers are currently running at 70%, according to statistics gathered for the E-Crime Watch Survey.
So what do we need to do? Public security announcements regarding computer security? Required autoupdates?
False Authority Syndrome
The ISC had a good example of false authority syndrome. It relayed a story of a family whose computer had been underwater due to hurricane-related flooding down in Florida. They called their insurance company and were told to place everything out on the lawn to make it easier for the insurance adjuster to come by. Of course their computer was stolen off the front lawn.
The insurance call taker is giving advice that will help them do their job faster, not what's best for you, and certainly not what is secure. Faced with the threat of not getting our insurance check, I suppose it's easy to be bullied into doing something stupid. But we're all responsible for our own actions, so it's important to stop and ask ourselves whether this is really good advice or not.
Defusing the FUD
Microsoft Monitor is a weblog by the Juniper research group. Today's article attacks the FUD surrounding the JPEG vulnerability.
Good article all in all. The author praises Microsoft for limiting exposure to the vulnerability by blocking the automatic display of images in Outlook 2003. This is good, but I do believe images embedded in the message itself (rather than just links to an image on a website) are still displayed. Of course those have a chance of being scanned by SMTP antivirus.
Another important point of the article is to double check your antivirus. You really should be scanning all files. If you're scanning program files only, you need to add .jpg and .jpeg to that file extension list. There have also been reports that TIFF uses the same interpreter. You're really better off scanning all files. I think most companies have caught on to that.
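To show why an extension-based scan list is weaker than scanning every file, here is an added example (not code from the original post or from any antivirus product). It models a "program files only" extension policy, the same list with .jpg/.jpeg/.tif/.tiff added as the post recommends, and a scan-all-files policy, and checks each against a constructed set of sample files whose contents are identified by their magic bytes. The extension lists, the sample file names and the file contents are all constructed for this example.

```python
import os
from typing import Callable, List, Optional, Set, Tuple

# Magic bytes that the JPEG and TIFF parsers would be handed. The values are
# the standard file signatures; the mapping itself is constructed for this example.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff",   # little-endian TIFF header
    b"MM\x00*": "tiff",   # big-endian TIFF header
}

# Hypothetical "program files only" scan list, as the post describes.
PROGRAM_ONLY: Set[str] = {".exe", ".dll", ".com", ".scr"}

# The same list after adding the image extensions the post says to add.
WITH_IMAGES: Set[str] = PROGRAM_ONLY | {".jpg", ".jpeg", ".tif", ".tiff"}

# Constructed sample files: (name, first bytes of content).
# "notes.txt" is a JPEG with a misleading extension; the image parser will
# still open it if an application chooses to render it.
SAMPLES: List[Tuple[str, bytes]] = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("scan.tif", b"II*\x00\x08\x00\x00\x00"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x00\x16Exif"),
    ("setup.exe", b"MZ\x90\x00"),
]

Policy = Callable[[str, bytes], bool]


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes, ignoring its extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extension_policy(scan_list: Set[str]) -> Policy:
    """Build a policy that scans a file only if its extension is listed."""
    def policy(name: str, data: bytes) -> bool:
        return os.path.splitext(name)[1].lower() in scan_list
    return policy


def scan_all_files(name: str, data: bytes) -> bool:
    """Policy that scans every file regardless of name or content."""
    return True


def missed_by_policy(samples: List[Tuple[str, bytes]], policy: Policy) -> List[str]:
    """Return the names of image-parser inputs that the given policy would skip."""
    missed = []
    for name, data in samples:
        if sniff_type(data) is not None and not policy(name, data):
            missed.append(name)
    return missed


if __name__ == "__main__":
    for label, policy in [
        ("program files only", extension_policy(PROGRAM_ONLY)),
        ("program files + image extensions", extension_policy(WITH_IMAGES)),
        ("all files", scan_all_files),
    ]:
        print(f"{label}: misses {missed_by_policy(SAMPLES, policy)}")
```

Adding the image extensions closes the gap for correctly named files, but a JPEG saved under any other extension still slips past an extension list, which is the practical reason to scan all files rather than maintain a list of what the image parser might be handed.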