CERT recommends anything but IE

March 8, 2008 – 3:21 PM

US CERT (the US Computer Emergency Readiness Team) is advising people to ditch Internet Explorer and use a different browser after the latest security vulnerability in the software was exposed.

A statement on the CERT site said: “There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites.” CERT otherwise recommends that users set their security settings to high and disable JavaScript.

Malicious code, dubbed variously “Scob” or “Download.Ject” and originally posted last week on a Russian website, could be downloaded secretly onto websites running Microsoft’s Internet Information Server 5.0. The code could then be used to log keystrokes made by visitors to the site – so long as they used Internet Explorer as their browser. Information, including passwords, was then to be emailed to the criminals behind the attack.

Microsoft said that it was unaware of widespread consumer impact and noted that the Russian site had been taken offline. It said some enterprise users of Windows 2000 Server, specifically users running IIS 5.0, were being targeted by “Download.Ject”. According to MS, this is not a trojan or worm but “a targeted manual attack by individuals or entities towards a specific server”. It said users should use a firewall, ensure they have the latest software updates and use anti-virus software.

Bill Gates, Microsoft chairman, called on users to switch on auto-update so that patches would spread faster. Speaking to Reuters in Australia at the weekend, he vowed to “guarantee that the average time to fix will come down. The thing we have to do is not only get these patches done very quickly…we also have to convince people to turn on auto-update.”

http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/

Beastie Boys CD installs virus

March 8, 2008 – 3:20 PM

According to unconfirmed reports, including a recent thread on the BugTraq mailing list, versions of a new Beastie Boys CD from Capitol Records (‘To the Five Boroughs’), which is being distributed worldwide except in the USA and UK, contain what could be labeled as a computer virus. Based on these reports, when the CD is loaded, an executable file is “automatically and silently” installed on the user’s machine. The file in question is said to prevent copying of the CD, but it can be viewed as affecting a “computer’s functionality, without first obtaining informed consent: a likely violation of pretty much every jurisdiction’s anti-hacking laws.”

http://www.theregister.co.uk/2004/06/23/beastie_boy_cd_virus/

Who really reads your e-mail?

March 8, 2008 – 3:19 PM

The people in my personal focus group (my wife, my mother, and some coworkers at CNET) agree that this is one of the creepiest things they’ve ever heard of: a new service that will tell your correspondents exactly when you opened the e-mail they sent you. It will also tell them how long you took to read their message and which computer you used to do so. The kicker: You’ll never know all this information is being collected. It’s a supercharged return receipt that’s completely invisible. The service is called DidTheyReadIt. What it does is insert a small tracking device, often called a Web bug, into the e-mail that you want to track. When your recipient opens your message, the bug (a one-pixel, transparent GIF file) is pulled from the DidTheyReadIt server, generating a logged event that shows when the message was opened and for how long.

Whose mail is it, anyway?
The existence of this service raises interesting privacy issues. Do we have the right to read e-mail without sending a beacon back to the sender that we’re doing so? Certainly it’s customary that no beacon is sent. However, while personal messages don’t usually send such beacons back to their senders, many commercial messages and most commercial Web sites have been closely metered for some time. You can’t twitch a mouse on a big site like Amazon (or CNET, for that matter) without creating a log file entry that likely has your IP address attached to it.

The difference is the one-to-one nature of e-mail from friends or associates. Big sites aggregate log file entries and use the information to design more effective overall sales strategies or more compelling content. Individuals could use the data for other purposes that you might not like.

Furthermore, such tracking eliminates one of personal e-mail’s big charms: plausible deniability. “Sorry, I haven’t read your e-mail yet,” will vanish as an excuse for a tardy reply. And worse, if a sender knows you read his or her e-mail and you don’t reply in a timely fashion, you could be in line for social or business awkwardness of a very high order.

DidTheyReadIt adds presence to e-mail; with this live tracking, e-mail becomes similar to instant messaging. With IM, you can tell if your recipient is online and awake; with e-mail, to date, you haven’t been able to. DidTheyReadIt changes that. In fact, it goes beyond IM, by hiding the fact that people are watching your activity. Most IM systems at least require that you approve the addition of people to your buddy list before they can see your presence.

DidTheyReadIt has some legitimate uses. What with antispam products occasionally blocking even good e-mail these days, you might want to use this product to make sure that your personal e-mail messages are punching through your recipient’s filters. And it could turn e-mail into a medium with higher legal status than it has now. But overall, the product changes the customary usage models of e-mail, and more importantly, it just creeps people out. People should be able to turn off the capability of DidTheyReadIt to spy on them or at least be able to see if people are doing it.

Get out of my in-box!
Fortunately, there are countermeasures. While almost any e-mail reader that displays HTML will send DidTheyReadIt beacons, text-based e-mail programs (such as Pine, which I admit, hardly anybody uses anymore) won’t. Also, capitalism has come to the rescue: shortly after DidTheyReadIt was released, a competing company bought the DidTheyReadIt Google AdWord and started selling its Email Tracking Blocker, which it’s claimed will hide your e-mail presence from DidTheyReadIt and other products like it.

There are other antitracking methods. Some people have proposed turning off the automatic download of images in e-mail, but few e-mail products have this option–Outlook does, but only in the 2003 version, and even then, e-mail from people in your address book is exempt from this setting by default.

But there is a way to flag DidTheyReadIt-tracked e-mail in Outlook, at least for now: set a filter to catch any messages containing a reference to didtheyreadit.com, which is the server the tracking bug is downloaded from. You can’t see this code when you read the message, but it has to exist in the HTML body of the message for the service to work. At least this way you can see who’s bugging you, which is half the battle, and it turns the tables on the system, allowing you to reply to your senders with indignant messages asking why they find it necessary to track your e-mail reading behavior. However, while this simple filter works today, it won’t take much for DidTheyReadIt’s manufacturer to bypass it.

Ultimately, I expect that antispam programs will offer options to scan for tracking bugs and quarantine messages that have them. So, if you feel your privacy is being invaded when e-mail messages report back to their senders when you read them, you won’t have to wait long for more solutions to appear.

And if you feel it necessary to use DidTheyReadIt or products like it, I’d caution you that it may not be worth it. While the tracking bugs are currently almost undetectable, they won’t stay that way forever. So don’t plan on being able to hide your use of this service for long. Also, keep in mind that the people I talked to called the tracking capability creepy, pushy, slimy, and other choice epithets. I’d guess that’s not the kind of impression you’re trying to make when you e-mail friends and associates.

http://reviews.cnet.com/4520-3000_7-5138076-1.html
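The Outlook filter described in the column above matches on the string didtheyreadit.com in the message body. As an added example (not from the column or from any product it names), the Python below flags an HTML e-mail’s tracking images the same way and also catches the generic form, a remotely loaded 1×1 image, then replaces them so the fetch that logs the open never happens. The sample message and the host list are constructed; only didtheyreadit.com comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts known to serve read-receipt beacons. didtheyreadit.com is the one
# named in the column; add others as you learn of them.
BEACON_HOSTS = {"didtheyreadit.com"}


class BugFinder(HTMLParser):
    """Collect <img> tags that look like Web bugs: a remote src on a known
    tracking host, or any remote image declared 1x1 (the transparent GIF)."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        tiny = (a.get("width") or "").strip() == "1" and (a.get("height") or "").strip() == "1"
        known = any(host == h or host.endswith("." + h) for h in BEACON_HOSTS)
        if src.startswith(("http://", "https://")) and (known or tiny):
            self.hits.append(src)


def find_tracking_bugs(html):
    """Return the src URLs of every image that looks like a tracking beacon."""
    p = BugFinder()
    p.feed(html)
    return p.hits


IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE | re.DOTALL)


def neutralise(html):
    """Replace flagged <img> tags with a visible marker; other images stay."""
    hits = set(find_tracking_bugs(html))

    def sub(m):
        tag = m.group(0)
        src = re.search(r'src\s*=\s*["\']([^"\']+)', tag, re.IGNORECASE)
        return "[tracking image removed]" if src and src.group(1) in hits else tag
    return IMG_RE.sub(sub, html)


# Constructed sample: one beacon from the tracking host, one ordinary logo.
SAMPLE = ('<p>Hi, see attached.</p>'
          '<img src="http://www.didtheyreadit.com/beacon.gif" width="1" height="1">'
          '<img src="http://example.org/logo.png" width="120" height="40">')
```

Inline images referenced by `cid:` are never flagged, since they are part of the message and trigger no remote fetch.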

Zombie PCs spew out 80% of spam

March 8, 2008 – 3:19 PM

Four-fifths of spam now emanates from computers contaminated with Trojan horse infections, according to a study by network management firm Sandvine out this week. Trojans and worms with backdoor components such as Migmaf and SoBig have turned infected Windows PCs into drones in vast networks of compromised zombie PCs.

Sandvine reckons junk mails created and routed by “spam Trojans” are clogging ISP mail servers, forcing unplanned network upgrades and stoking antagonism between large and small ISPs.

Using its own technology, Sandvine was able to identify subscribers bypassing their home mail servers and contacting many mail servers within a short period of time – a sure sign of spam Trojan activity – over sustained periods. It also looked at SMTP error messages returned, which helps to clarify the total volume of spam within the service provider network. “After comparing those data points with the total volume of legitimate messages passing through the service provider’s mail system, we are able to arrive at our percentage of 80 per cent,” explained Sandvine spokesman Mark De Wolf.

Sandvine’s analysis, cross-referenced with data from SORBS to determine what IP space is assigned to residential subscriber pools of global service providers, shows most spam now originating from residential broadband networks.
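The heuristic Sandvine describes, a subscriber that bypasses the ISP’s own mail server and contacts many distinct mail servers within a short period, can be run over per-flow records. The Python below is an added example, not Sandvine’s technology; the relay address, window, threshold and flow records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ISP_RELAYS = {"10.0.0.25"}       # the ISP's outbound mail server (constructed)
WINDOW = timedelta(minutes=10)   # observation window (assumed)
THRESHOLD = 8                    # distinct remote SMTP hosts per window (assumed)

# Constructed flow records: timestamp, subscriber IP, destination IP, dest port.
# 192.0.2.10 behaves normally; 192.0.2.77 talks to ten different mail servers.
FLOWS = """\
2004-06-01T09:00:00 192.0.2.10 10.0.0.25 25
2004-06-01T09:00:05 192.0.2.10 198.51.100.4 80
""" + "\n".join(f"2004-06-01T09:0{i}:00 192.0.2.77 203.0.113.{i} 25" for i in range(10))


def parse_flows(text):
    """Turn the whitespace-separated records into (time, src, dst, port) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return out


def spam_drones(flows, window=WINDOW, threshold=THRESHOLD):
    """Map each subscriber that reached >= threshold distinct SMTP servers
    (other than the ISP relay) inside any sliding window to its peak count."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25 and dst not in ISP_RELAYS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # all distinct destinations within `window` of this event
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            peak = max(peak, len(hosts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

A subscriber that only ever submits through the ISP relay never appears in the result, however much mail it sends.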

Viral marketing

Instead of using open mail relays or unscrupulous hosts (so-called ‘bullet-proof’ hosting – in reality, ISPs in developing countries who pull the plug on spammers when enough complaints are received by their upstream provider), spammers are using compromised machines to get their junk mail out. Many security firms reckon that many of the most well-publicized worm attacks in recent months (such as MyDoom and Bagle) were launched expressly to install spam Trojans on unsuspecting end users’ machines – waiting to be utilized later as a spam delivery relay. This expanding network of infected, zombie PCs can also be used as platforms for DDoS attacks, such as those that many online bookies have suffered in recent months.

Sandvine’s preliminary analysis has shown that the most active Trojans for spamming purposes are the Migmaf and SoBig variants. Its work on this area of the problem is still at an early stage.

The behaviour of spam Trojans on the network taxes ISP infrastructure and, in the case of smaller ISPs, creates the perception that some networks are generating more than their fair share of spam and other types of malicious traffic. The mounting scope of the problem means ISPs need to begin filtering traffic – rather than leaving the problem up to end users – if spam is to be contained, Sandvine argues.

“While spam filters can provide an effective treatment, the scale & scope of the spam problem means additional remedies are needed”, said Marc Morin, co-founder and chief technology officer of Sandvine. “As a complement to existing mail server and client based tools, service providers need to arm themselves with network-based anti-spam defences and combat this growing form of malicious traffic.”

http://www.theregister.co.uk/2004/06/04/trojan_spam_study/

Security Bug in Linksys Wireless-G Router

March 8, 2008 – 3:18 PM

Cisco’s Linksys WRT54G Wireless-G Broadband Router has a flaw that could allow an attacker to gain administrative privileges on vulnerable devices. Even when the remote administration feature is turned off, the router still serves its administration web page on ports 80 and 443, protected only by a weak default password. Secunia rates the flaw as ‘moderately critical’ and advises users to set a stronger password for administrative access, or to restrict access to the interface altogether. Alternatively, the device can be configured to forward traffic on those ports to a non-existent server; port forwarding overrides the default behaviour, so forwarding to an existing server also stops the administration page from being served.

http://www.internetnews.com/infra/article.php/3362321