January 31, 2006, 11:18 am
“Trend Micro, Symantec and McAfee are joining forces with ICSA Labs and Thompson Cyber Security Labs in a bid to standardize methods for sharing spyware samples and testing anti-spyware products and services.” reports The Register.
January 31, 2006, 11:18 am
Scoble thinks everyone should just post all their contact information on their website. Hmm, anyone see a problem with this?
In the original version of this post, I thought I’d help Scoble out by posting the same info he had on his site: email, cellphone, work street address, birthday, wife’s name, marriage date, friend’s name, son’s name and birthdate.
Sounds like a good start for some social engineering. His reasoning for posting this information is that the more people who know who the real Scoble is, the less likely it is that his identity can be successfully stolen. I think that reasoning is crap. How many times has someone pretended to be a professional athlete and successfully written bad checks? I bet you that I could show up at TechEd and get people to believe that I’m Scoble.
January 30, 2006, 3:51 pm
We’ve been seeing a number of w32/brepibot.gen in our inbound email since noon today.
McAfee has a writeup on this virus here. McAfee updated their definitions on January 30th noting:
There were several mass-spammings of new Brepibot variants recently. The 4685 DAT files contain updated detection to cover the new variants. One example of a spammed message is as follows:
The emails I’ve seen have the following characteristics:
Subjects:
Photo
Photo Approval Needed
Campus Life
Photo Approval Required
Campus Life Article
FWD:Photo
Photo Approval Deadline
photo approval needed
Photo Approval
Requesting Photo Approval
Attachment:
Photo and Article.exe
Source IPs:
62.49.4.123
86.135.27.88
83.38.83.48
213.132.238.109
68.186.147.67
157.253.66.7
82.38.170.158
86.128.48.255
84.92.83.135
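A small triage filter built from the indicators listed above (subjects, attachment name and source IPs), as an added example that is not part of the original post. The message layout and the sample messages are constructed for the example; only the indicator values come from the post. A hit on the known attachment or a known source IP is treated as strong, while a subject-only or generic executable-attachment match is queued for review, since subjects and filenames change between variants.

```python
"""Flag inbound mail matching the Brepibot indicators listed in the post.

Added example, not part of the original post. The subjects, attachment
name and source IPs are the ones listed above; the message dict layout
and the sample messages are constructed for this example.
"""
import ipaddress
import re

SUBJECTS = {
    "photo", "photo approval needed", "campus life",
    "photo approval required", "campus life article", "fwd:photo",
    "photo approval deadline", "photo approval", "requesting photo approval",
}
ATTACHMENT = "photo and article.exe"
SOURCE_IPS = {ipaddress.ip_address(ip) for ip in (
    "62.49.4.123", "86.135.27.88", "83.38.83.48", "213.132.238.109",
    "68.186.147.67", "157.253.66.7", "82.38.170.158", "86.128.48.255",
    "84.92.83.135",
)}

# Executable attachments are worth a second look even when the exact
# filename differs from the one seen in this campaign.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


def normalize_subject(subject):
    # Collapse whitespace and case so "Photo Approval  Needed" still matches.
    return " ".join(subject.split()).lower()


def classify(msg):
    """Return (verdict, reasons) for one message dict.

    msg keys: 'src_ip', 'subject', 'attachments' (list of filenames).
    verdict is 'block' when the known attachment or a known source IP is
    seen, 'review' when only the subject or a generic executable matches,
    and 'pass' otherwise.
    """
    reasons = []
    try:
        src = ipaddress.ip_address(msg.get("src_ip", ""))
    except ValueError:
        src = None  # malformed or missing source address: no IP match
    if src in SOURCE_IPS:
        reasons.append("known source ip")
    if normalize_subject(msg.get("subject", "")) in SUBJECTS:
        reasons.append("known subject")
    for name in msg.get("attachments", []):
        if name.strip().lower() == ATTACHMENT:
            reasons.append("known attachment")
        elif EXECUTABLE_EXT.search(name.strip()):
            reasons.append("executable attachment")
    strong = {"known source ip", "known attachment"}
    if strong & set(reasons):
        return "block", reasons
    if reasons:
        return "review", reasons
    return "pass", reasons


# Constructed sample messages (not real captured mail); 192.0.2.x is the
# documentation range, used here for non-matching senders.
SAMPLE_MESSAGES = [
    {"src_ip": "62.49.4.123", "subject": "Photo Approval Needed",
     "attachments": ["Photo and Article.exe"]},
    {"src_ip": "192.0.2.10", "subject": "FWD:Photo",
     "attachments": ["photo.jpg"]},
    {"src_ip": "192.0.2.11", "subject": "Q1 budget",
     "attachments": ["budget.xls"]},
    {"src_ip": "192.0.2.12", "subject": "Campus Life",
     "attachments": ["Article.scr"]},
]


def triage(messages=SAMPLE_MESSAGES):
    # Verdict per message, in input order.
    return [classify(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", classify(m))
```

Run as a script it prints one verdict per sample message; in practice `classify` would be fed from the mail gateway log with the same three fields.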
January 29, 2006, 7:31 pm
Last May, you might recall I had a problem with my website over at PoWWeb. It seems that somehow an iframe had been appended to the bottom of my site so that if you went to my page, it also called http://www.tgp.la/or.html and attempted to install spyware. I wrote about that here. This came up again last week.
The staff at PowWeb posted that they have cleaned up the infection by removing the malicious code. I know they really didn’t want to have to touch people’s webpages, but I think this was the best solution. I hope they’ve taken some steps to prevent this from happening again.
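One way a site owner can catch the pattern described above (an iframe appended to a page that pulls content from another host) is to scan the hosted HTML for off-site iframes. The scanner below is an added example, not code from the original post or from PowWeb; the sample pages, the site hostname `www.example.com` and the placeholder host `attacker.invalid` are constructed for it.

```python
"""Scan HTML files for iframes that load content from another host.

Added example, not from the original post or from PowWeb. It assumes the
attack pattern described in the post: an iframe appended to a page that
loads content from a host other than the site's own. Sample HTML and the
hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Record every <iframe src=...> together with its line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []  # list of (src, line_number)

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src") or ""
            self.iframes.append((src, self.getpos()[0]))


def foreign_iframes(html_text, own_host):
    """Return iframes whose src host differs from own_host.

    Relative srcs (no host) count as same-site. Frame size is ignored on
    purpose: a 0x0 frame and a visible one load the remote URL the same way.
    """
    parser = IframeCollector()
    parser.feed(html_text)
    parser.close()
    hits = []
    for src, line in parser.iframes:
        host = urlparse(src).hostname
        if host and host.lower() != own_host.lower():
            hits.append({"src": src, "line": line})
    return hits


# Constructed pages: legitimate content, and the same page with a hidden
# iframe appended after </html> pointing at a placeholder host.
CLEAN_PAGE = "<html><body><h1>My site</h1><p>hello</p>\n</body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://attacker.invalid/or.html" width="0" height="0"></iframe>\n'
)
OWN_HOST = "www.example.com"


def scan_pages(pages, own_host=OWN_HOST):
    # pages: mapping of path -> HTML text; returns only pages with findings
    return {path: hits for path, text in pages.items()
            if (hits := foreign_iframes(text, own_host))}


if __name__ == "__main__":
    print(scan_pages({"index.html": CLEAN_PAGE, "about.html": INFECTED_PAGE}))
```

Running it over a directory of real pages means reading each file into the `pages` mapping; pages that legitimately embed a third-party frame (a video host, say) will show up too, so the findings are a review list rather than an automatic clean-up.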
January 29, 2006, 2:22 pm
An article on the front page of today’s Washington Post reports on Target’s role in assisting law enforcement.
“One of the nation’s top forensics labs is located at Target’s headquarters building in downtown Minneapolis,” said FBI Special Agent Paul McCabe, who has worked with Target. “They have abilities and technology that far surpasses many law enforcement agencies in the country.”
I was kind of surprised to hear in this story that they succeeded in recovering a damaged video tape where NASA had not. It’s not clear if NASA just declined the police request or was unsuccessful. I recall a few years ago NASA was the place to go for restoring damaged surveillance video. The C-stores often don’t rotate the tapes in their surveillance machines. The tape degrades to the point of not being usable. Hopefully more will use digital video recorders.
[bloggers note]: sorry for any spelling errors, I don’t have IEspell installed on this computer.
January 26, 2006, 10:33 am
http://interviews.slashdot.org/article.pl?sid=06/01/26/131246&from=rss
Good interview, but of course don’t waste your time with the comments. When the Slashdot crowd hears the word Microsoft it’s like Pavlov’s dog and the dinner bell.
Here are some notes:
In Vista the Giant antispyware acquisition will be built in. It is named Windows Defender.
The firewall will be bidirectional in Vista.
“After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized.” Hence the need for the Security Development Lifecycle and all the re-training.
January 23, 2006, 10:15 pm
So I’ve got my shiny new Treo 700w. It doesn’t come with a holster like my BlackBerry. But hey, it’s Windows Mobile 5. It’s supposed to be better. It doesn’t come with a cradle. But hey, it’s Windows Mobile 5, it’s supposed to be better.
Next, let’s sync it up to the computer. Oh wait, some numbnuts thought it would be a good idea to use TCP/IP over the USB connection for the syncing. That means I have to whitelist 3 programs and 6 ports in order for this to work. Not only that, but I can’t just whitelist them in my intranet personal firewall program. The mobile phone is self-assigning an IP address in the 169.254.x.x autoconfiguration range. This causes my personal firewall to drop into internet mode.
What does this mean? In order to sync I need to poke holes in my personal firewall allowing access to ActiveSync, a program which in prior versions has had denial of service vulnerabilities as well as information disclosure vulnerabilities. I am really not pleased about this. Not one bit.
Well, that’s it for today. I’ll go whitelist
January 22, 2006, 11:12 pm
Infoworld has reported that ZoneAlarm 6 Internet Security Suite is phoning home. Rather ironic since one of the reasons you would want a personal firewall that controls outbound access is to stop products from phoning home.
January 22, 2006, 3:30 pm
I’ve been working at building a spreadsheet of patches, which are exploited, as well as the ratio of patched to unpatched systems at my company.
It’s kind of a pain to search through old DeepSight notices to see which patches have associated exploits. The Elsenot Project posts which Microsoft patches have associated exploits. I’m not really a fan of their stated goal, “an exploit for every Microsoft vulnerability”, but it is a good quick reference. One thing they could do better is, in addition to linking to exploit code, they should also use the common name where possible, such as Slammer or Code Red.
January 21, 2006, 11:36 pm
Microsoft put out a press release yesterday indicating that Bulgarian police have arrested 8. They had performed phishing on MSN accounts.