A new twist on an old scam: someone reported to me a SPAM e-mail that appeared to come from Microsoft. A quick bit of research online showed this has been around for a few years, but now with a different twist.

[Image: Sample Spam]

As you can see, this was the entire body of the e-mail. Nothing to sell. No e-cards to click on. No official document from some bogus US court. Just three innocent-looking links from everyone’s friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and that they are being kind enough to add an Unsubscribe link. Since you never subscribed in the first place, they are hoping people will click the Unsubscribe link so they won’t receive this anymore. All because they respect your privacy. Taking a closer look at the three links, they all lead to the same URL. The IP for the URL was registered in the USA. A quick Google search of the domain turned up a lot of Russian-language pages referring to it. On closer inspection, all this URL did was redirect you to a site registered in Korea. This gives you a little more insight into how SPAM e-mail can be a threat. Had this trail been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have been run against the PC, and if it were not patched, remote code execution could be possible, meaning the PC would have been added to someone’s criminal botnet and used in nefarious ways.

Remember what we say: never click on unsolicited links or attachments in e-mail. Stay safe.

Shadowserver.org does great work and informs the security community about the darker side of the Internet. In their most recent posting, they have listed the sites that are serving up the malicious content. Here is the list of those malicious domains and the number of sites injected with each of them. Please be advised: DO NOT VISIT ANY OF THESE SITES.

www.nihaorr1.com 468,000
free.hostpinoy.info 444,000
xprmn4u.info 369,000
www.nmidahena.com 140,000
winzipices.cn 75,000
sb.5252.ws 69,000
www.aspder.com 62,000
www.11910.net 47,000
bbs.jueduizuan.com 44,000
www.bluell.cn 44,000
www.2117966.net 39,000
s.see9.us 39,000
xvgaoke.cn 33,000
1.hao929.cn 20,000
www.414151.com 17,000
cc.18dd.net 15,000
yl18.net 15,000
www.kisswow.com.cn 13,000
urkb.net 13,000
c.uc8010.com 9500
rnmb.net 7000
www.ririwow.cn 6000
www.killwow1.cn 4000
www.qiqigm.com 3600
www.wowgm1.cn 3500
www.wowyeye.cn 2800
9i5t.cn 2500
c11.8866.org 2500
computershello.cn 2300
www.z008.net 1600
b15.3322.org 1200
www.direct84.com 1100
www.caocaowow.cn 900
www.qiuxuegm.com 800
firestnamestea.cn 700
%61%2E%6B%61%34%37%2E%75%73 (a.ka47.us) 600
%61%31%38%38%2E%77%73 (a188.ws) 500
n.uc8010.com 250
www.qiqi111.cn 230
heartgames.cn 220
www.adw95.com 170
www.banner82.com 90
smeisp.cn 85
okey123.cn 55
b.kaobt.cn 50
www.nihao112.com 45
al.99.vc 45
www.aidushu.net 45
a.13175.com 40
www.chliyi.com 40
free.edivid.info 40
52-o.cn 40
www.fucksb.net 40
www60.actualization.cn 40
d39.6600.org 40
h28.8800.org 34
001yl.com 30
ucmal.com 30
t.uc8010.com 30
www.dota11.cn 25
m11.3322.org 20
bc0.cn 20
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (3.trojan8.com) 20
www.adword71.com 17
killpp.cn 16
w11.6600.org 13
usuc.us 13
www.msshamof.com 10
newasp.com.cn 7
www.wowgm2.cn 8
mm.jsjwh.com.cn 8
17ge.cn 4
www.adword72.com 2
www.117275.cn 1
vb008.cn ?
www.wow112.cn ?
www.nihaoel3.com ?
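A list like the one above is only useful to a defender once it is turned into something a DNS sinkhole or proxy can consume, and three of its entries are percent-encoded (the form the injected script tags used). The following is an added example, not code from the post or from Shadowserver: it parses lines in the "host count" form shown above (the sample embedded in it is a handful of entries copied from the list, with the "?" counts kept as unknown), percent-decodes and validates each hostname, checks that the decoded form matches the bracketed annotation where one is given, and renders a hosts-file sinkhole block. The record layout and the 0.0.0.0 sinkhole address are my choices.

```python
import re
from urllib.parse import unquote

# Constructed sample in the same "host count" form as the Shadowserver list
# above (a few entries copied from it, including the percent-encoded ones).
SAMPLE_LIST = """\
www.nihaorr1.com 468,000
free.hostpinoy.info 444,000
%61%2E%6B%61%34%37%2E%75%73 (a.ka47.us) 600
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (3.trojan8.com) 20
vb008.cn ?
"""

# "<host> [(<annotation>)] <count>" where count is digits with commas or "?"
LINE_RE = re.compile(r"^(\S+)(?:\s+\(([^)]+)\))?\s+(\S+)$")
# Plain hostname: labels of letters, digits and inner hyphens, at least one dot
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def normalize_host(raw):
    """Percent-decode, lowercase and strip a trailing dot so that an obfuscated
    entry and its plain form compare equal."""
    return unquote(raw).strip().lower().rstrip(".")


def parse_blocklist(text):
    """Turn the list into records; refuse lines that would not make a safe
    deny-list entry (bad format, not a hostname, annotation disagrees)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        raw, annotation, count = m.groups()
        host = normalize_host(raw)
        if not HOST_RE.match(host):
            raise ValueError(f"line {lineno}: not a hostname after decoding: {host!r}")
        if annotation and normalize_host(annotation) != host:
            raise ValueError(f"line {lineno}: decoded {host!r} != annotation {annotation!r}")
        entries.append({
            "line": lineno,
            "host": host,
            "count": None if count == "?" else int(count.replace(",", "")),
            "obfuscated": host != raw.lower(),  # percent-encoding was used
        })
    return entries


def render_hosts_file(entries):
    """Sinkhole block for a hosts file: every listed domain resolves to 0.0.0.0."""
    hosts = sorted({e["host"] for e in entries})
    return "\n".join(f"0.0.0.0 {h}" for h in hosts) + "\n"


if __name__ == "__main__":
    parsed = parse_blocklist(SAMPLE_LIST)
    for e in parsed:
        flag = " (was percent-encoded)" if e["obfuscated"] else ""
        print(f"{e['host']:<24} {e['count']}{flag}")
    print(render_hosts_file(parsed))
```

Refusing a line whose decoded host disagrees with its annotation matters more than it looks: a silently mis-decoded entry would leave the real domain unblocked while the list appears complete.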

I work in computer security. We see a lot of attacks from some bad people. What trends are we seeing, and what will attacks look like in the near future? Here are my thoughts. I read a lot of tech sites, I listen to tech podcasts, and I hear a lot of opinions. The biggest trend this year will be legitimate sites being hacked and malicious code injected into them so that they serve up attacks on unknowing visitors.

We started seeing this trend in early 2007 with the Super Bowl attack on the Dolphin Stadium site. Then it got quiet until the end of the year, and since then things have picked up. Things are going to get worse. Malicious tool kits can be bought on the Internet, and the attacks can be changed as new vulnerabilities are found and old ones are patched. This attack vector is very efficient: some attacks can affect hundreds of thousands of pages in a short period of time.

What is coming in the not-so-far future in computer security? I believe those who say that hardware other than the PC itself will be targeted soon: routers controlled by attackers who can use a form of DNS poisoning to direct you to their fake paypal.com, and you won’t be able to tell you aren’t really on the real paypal.com site. These hardware devices need to be secured and kept up to date with security updates too. Let me ask you a question about the router you use in your home. When was the last time you logged into that wireless router you own and updated the firmware? Never? I’m sure there have been updates. Learn how to maintain all the devices that you have.

I feel pretty secure surfing the web, but I take steps to avoid going to risky places, and I use as many tools as I can to help defend against those evil criminal attackers out on the Internet. Patch. It’s simple and a huge step in the right direction. I read a lot, and I try to share it with you. The common man or woman does not keep up with all the threats out there. The one resource I would start reading is the Internet Storm Center. They are sort of a warehouse of information about threats on the net and what you can do to protect yourself.

That is it for now.  The weekend is getting so close I can taste it.  Stay safe and have a happy Thursday.

Most of the time, attacks from the Internet are silent. You may not have realized that clicking on your favorite web site silently redirected you to a server in China, and then exploits for Microsoft’s Internet Explorer, Firefox, QuickTime, RealPlayer, and other applications were run on your PC. If you haven’t patched all your software, some bad-guy attacker might just be able to take control of your machine and execute code remotely. Those are words you really don’t want to hear.

Eventually, your anti-virus vendor gets the signatures of the bad software loaded on your machine and can clean it off. But how did it get there? Ask yourself: what do I use my PC for? Do I bank online? Do I access my investment accounts online? Do I store personal information about myself or my family in a document saved on the PC’s hard drive? If so, you need to take steps to figure out just what happened.

First of all, is your software patched? If not, download the patches from Microsoft, Apple, RealPlayer, or whoever makes the other applications you use, and apply those security patches. Set up a process to make sure your PC is scanned regularly and that you check for patches regularly.

Can you find out if sites you visit have been hacked? Sometimes you won’t know unless you really follow stories posted online. If it is a big-name site like CNN.com or USAToday.com, then you might hear about it. Hundreds of thousands of sites get hacked and you never really know. You can possibly defend against these attacks by using a tool called NoScript with your Firefox browser.

Do you store passwords for sites so they are filled in when you browse to them? Do any of those sites hold a credit card of yours? If you’ve read my blog much, you know I advise you not to use the function that remembers passwords to sites.

One thing you will have to remember: the Internet was not set up to handle secure transactions. It was set up to share information. Bad guys are taking advantage of all the vulnerabilities out there. I cannot guarantee you will be completely safe even after following all these steps, but you can follow best practices and be safer than the average person. If you have teenagers, your battle will be an uphill fight. Teenagers trust everyone and click things that need not be clicked. Think about having one computer that you adults use and another that the teenagers use. You’ll still have to fight off attacks on the teenagers’ PC.

Good luck and stay safe.  I’m ready for SUMMER!!!

Adobe Reader has been patched (it won’t be the last time) and you need to make sure you update it. This patch fixes 8 security vulnerabilities. We preach patching here. If there is a security patch for any software you use, you need to apply it. Bad guys out there will take advantage of you not patching your software. The bad guys will always have an advantage when they exploit 0day vulnerabilities (no patch available), so when you have an opportunity to fix problems, do it. Patch, patch, patch!

Stay safe and have a great Tuesday!

Yep, you are reading that headline right. Yet another new code injection attack. Just prior to writing this post, a search showed 855,000 pages infected with some malicious (BAD!!) code that was injected into legitimate sites. NoScript is one defense, since this code is hosted on another domain.

The attack that I wrote about, which started last week, just hasn’t really taken off. A Google search shows 25,500 pages affected by that one. It is early in the game for both of these attacks, so more details will come out later. I’ll do more checking on the current attacks to see where those bad sites are being hosted.

The two sites in this new attack are listed below. I’ve altered the URLs. My advice is NOT to go to either of these sites.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
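The reason NoScript helps, as the post says, is that the injected code is loaded from a domain other than the site you are visiting, and that same property lets a site owner scan their own pages for it. The following is an added example, not code from the post: it parses a page's HTML with the standard-library parser, works out which host would serve each script, and flags any script loaded from a known-bad host or from a host that is neither the site itself nor on an approved list. The sample HTML is constructed; it stands in for a page on a hypothetical www.example.org with two injected tags pointing at the two domains named above, written with a real http scheme since that is how the tag would appear in a live page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a page served by www.example.org whose own scripts live on
# the site and on an approved static host, plus two injected tags of the kind
# the post describes (remote f.js on the attacker's domains). The injected
# domains are the ones named above; "hxxp" has been restored to "http" because
# that is how the tag would appear in a live page.
SAMPLE_HTML = """\
<html><head><title>Widgets</title>
<script src="/js/app.js"></script>
<script src="https://static.example.org/lib.js"></script>
</head><body>
<p>A plain widget.</p><script src="http://free.hostpinoy.info/f.js"></script>
<p>A plain gadget.</p><script src="//xprmn4u.info/f.js"></script>
</body></html>
"""

BAD_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands tag and attribute names over already lowercased
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_host(src, page_host):
    """Host that would serve the script: relative references resolve to the
    page's own host, protocol-relative ones to the named host."""
    if src.startswith("//"):
        src = "http:" + src
    parts = urlsplit(src)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None  # data:, javascript: and friends are out of scope here
    return (parts.hostname or page_host).lower()


def find_injected_scripts(html, page_host, bad_hosts, allowed_hosts=()):
    """Flag scripts loaded from a known-bad host, or from any host that is not
    the site itself or an explicitly approved one."""
    page_host = page_host.lower()
    allowed = {h.lower() for h in allowed_hosts} | {page_host}
    bad = {h.lower() for h in bad_hosts}
    collector = _ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = script_host(src, page_host)
        if host is None:
            continue
        if host in bad:
            findings.append({"src": src, "host": host, "verdict": "known-bad"})
        elif host not in allowed:
            findings.append({"src": src, "host": host, "verdict": "unexpected-external"})
    return findings


if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_HTML, "www.example.org", BAD_HOSTS,
                                   allowed_hosts=["static.example.org"]):
        print(f"{f['verdict']:<20} {f['host']:<24} {f['src']}")
```

The "unexpected-external" verdict is the one that catches the next campaign: a bad-host list is always behind, but a site owner does know which third-party hosts their pages are supposed to load scripts from, so anything outside that list deserves a look.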

Stay safe and HAPPY MOTHER’S DAY!!!

Well, it doesn’t appear that this attack is spreading. I just did a Google search on one of the redirect domains and it showed only 14,000 pages. Not as efficient as the last one, which blasted several hundred thousand pages. I still see some of the same names on this list; it seems to be the smaller organizations, which probably don’t have full-time staff to work on their sites and may not even know their sites have been compromised. Here is a short list of a few of the domains that are still making an appearance in Google. Remember that they may have been cleaned and Google’s spiders haven’t caught up yet.

hxxp://www.wiredseniors.com

hxxp://www.moviesunlimited.com

hxxp://www.seniorstravelguide.com

hxxp://www.cancerissues.com

hxxp://www.reducecholesterol.org

hxxp://www.coloradowheelchairsports.org

hxxp://www.peta.org (All you PETA freaks can still go there though. Happy surfing. All my friends stay clear.)

hxxp://www.seniorshomeexchange.com

hxxp://www.adhdissues.com

hxxp://www.goodtime-tickets.com

hxxp://www.matcmadison.edu

hxxp://www.coolbuddy.com

I’ll give an update on this if things pick up. If you want to see the number of sites infected, Google winzipices.cn and you’ll get a pretty long list. Stay away unless you want your PC compromised. Stay safe and take care.

I don’t have a lot of information at this time, other than that it appears there is another SQL injection attack similar to the attacks we’ve seen, where legitimate sites redirect to sites in China that then launch different attacks that can compromise a machine. It may take a few days, but there will be more information coming out about the details of this attack; at this time there isn’t a lot out there. If you want to read more, you can go to the Internet Storm Center page and read what they know.
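The mass injections the post refers to get in through web applications that paste user input straight into SQL text, and they leave their mark as script tags stored in the site's database. The following is an added example, not code from the post: using an in-memory SQLite database (constructed here to stand in for a site's back end), it puts the vulnerable string-concatenation query beside its parameterised form so the difference is visible on the same input, and adds the check a site owner would run after such an incident, a query for rows whose text columns now carry a script tag. The example.invalid host in the simulated injected row is a placeholder, not a domain from the post.

```python
import sqlite3

INJECTED_TAG_MARKER = "<script"


def make_db():
    """In-memory product table standing in for a site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "A plain widget."), ("gadget", "A plain gadget.")],
    )
    return conn


def search_vulnerable(conn, term):
    """The search term is pasted into the SQL text, so a quote character in it
    changes the query instead of being compared as data."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the driver sends the term as a bound value and the
    SQL text never changes, whatever the term contains."""
    return [row[0] for row in conn.execute("SELECT name FROM products WHERE name = ?", (term,))]


def find_injected_markup(conn):
    """Post-incident check: rows whose text columns now contain a <script> tag
    are the ones a mass injection rewrote, and the pages built from them will
    serve the redirect to every visitor."""
    rows = conn.execute(
        "SELECT id FROM products WHERE description LIKE ? OR name LIKE ? ORDER BY id",
        (f"%{INJECTED_TAG_MARKER}%", f"%{INJECTED_TAG_MARKER}%"),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable:", search_vulnerable(db, tautology))  # every row comes back
    print("safe:      ", search_safe(db, tautology))        # no product has that name
    # Simulate a row a mass SQL injection has already rewritten (constructed).
    db.execute("UPDATE products SET description = description || ? WHERE id = 1",
               ('<script src="http://example.invalid/f.js"></script>',))
    print("rows carrying injected markup:", find_injected_markup(db))
```

The parameterised form is the fix; the LIKE scan is only triage, since it tells you which rows to clean and which pages were serving the redirect, not how the attacker got in.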

As more information becomes available, I’ll post another story. Take care and have a safe week!

Stories came out last week that the folks in Redwood had a closed-door meeting with law enforcement. Here is an excerpt about this story.

Botnet fighters have another tool in their arsenal, thanks to the folks at Microsoft. The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows. Microsoft is reluctant to give out details on its botnet buster; the company said that even revealing its name could give cyber criminals a clue on how to thwart it.

Microsoft company executives discussed it at a closed door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft’s users, said Tim Cranton, associate general counsel with Microsoft’s World Wide Internet Safety Programs. “I think of it … as botnet intelligence,” he said.

Kind of cool, I thought. But it makes one wonder how much information Microsoft is keeping on its customers, who are the majority of the folks online.

Stay safe and have a great week!!

Last week, the security researchers at GNUCitizen reported another vulnerability in Apple’s QuickTime. It has been reported to Apple, and soon we’ll see another security patch from the folks at Apple. This is just a lesson learned. Think of all the software you use online: QuickTime, RealPlayer, Windows Media Player, WinZip, Adobe Reader, instant messaging applications like AOL’s AIM, Yahoo Messenger, Google Talk, etc. How many of those applications have an automated update process for security patches? This is one area Microsoft has actually gotten good at. Apple too has an automated process. More and more applications are becoming automated.

It is a good practice to find out how to check each piece of software you use for updates. They all have a way. Some have it under Help at the top of the application window.

Have a safe weekend!
