Top 11 Things Google Plans to Do with Their IPO Money

March 8, 2008 – 3:14 PM
11. From this day forward, always get extra cheese on the pizza.
10. Hire staff to create Google in more silly languages like Klingon and French.
9. Hire hitmen to take care of all the bloggers involved in Google bombing.
8. Spend every last dime on keeping “Friends” on the air for one more season.
7. Buy t-shirts for everybody saying, “My company had an IPO and all I got were these lousy stock options worth $30,000,000.”
6. Quit while they’re ahead.
5. Use the really nice china, they save for when company comes over, every day.
4. You can’t put a price on the profound good to mankind that is achieved by pissing off Bill Gates.
3. Pay marketing company 1.2 billion for 10 new words that rhyme with Google.
2. Stop using Froogle to buy their toner cartridges.
1. Prove once and for all that money really can buy happiness.

http://bbspot.com/News/2004/05/top_11_google_ipo.html

New and Improved HFT Online!

March 8, 2008 – 3:12 PM

Need help with any of your computing needs? Stop over at the new and improved HFT Online Forums and post your questions for the Experts!

HFT Online

Prevent Browser Hijacking

March 8, 2008 – 3:10 PM

Mike Healan
March 23, 2004

If you’ve ever been infected with a browser hijacker, you know what an infuriating situation it is. For all intents and purposes, your $3,000 computer is converted into a source of revenue for some fly-by-night web site unable to generate legitimate web traffic. Once installed, it usually takes an expert to remove a browser hijacker effectively.

If you’ve gone through this before, you never, ever want it to happen again. So, how do you prevent being hijacked? This is surprisingly easy.

Dump MSIE

First and most simply, stop using Internet Explorer. If you use either Mozilla, Firefox or Opera, you are immune to all known and future browser hijackers.

You are immune not because current hijackers are written to exploit Internet Explorer. It is because these other browsers do not allow access to Windows the way Internet Explorer does. MSIE has all sorts of security flaws that allow malicious web sites to slip past security and run arbitrary code. This is what happened to you if you’ve ever been infected with a hijacker.

The other browsers have their flaws but even if someone did manage to compromise them, what could they do then? The answer is: “not much”. The Mozilla and Opera browsers are user-level applications; they have very limited access to Windows. At most, they might delete some of their own files and force you to reinstall them.

Ask the same question about Internet Explorer and the answer is that an attacker can do just about anything. Microsoft has integrated Internet Explorer as part of Windows. Because of this, Internet Explorer is a system-level application and can do just about anything.

If you have to use MSIE

Switching browsers is the easy answer. For some people, that is not an option for various reasons. Internet Explorer can be made reasonably safe without locking down every useful function, but it requires some third-party software.

The most important thing is to update your browser and operating system. Go to Windows Update and install the latest version of Internet Explorer (currently MSIE 6 Service Pack 1), then go back and install any security patches that are available. Also install any service packs and patches for Windows itself. This one action will save you from the overwhelming majority of browser hijackers.

After you’ve done that, replace Microsoft Java VM with Sun Java. You can download that from http://www.java.com/. There are several hijackers that exploit flaws in Microsoft Java VM. Sun’s Java is more secure and more up to date. Make certain, in Java’s options, that Sun Java JRE is set to work with Internet Explorer.

Open Internet Options from the Windows control panel and click the “Security” tab. Highlight the “Internet” icon and then click “Custom Level”. Choose “Medium” from the drop-down box at the bottom, then click the “Reset” button. Click ok, then click “Custom Level” again.

Set your options just as I have listed below:

.NET Framework-reliant components

  • Run components not signed with Authenticode (Disable)
  • Run components signed with Authenticode (Prompt)

ActiveX controls and plug-ins

  • Download signed ActiveX controls (Prompt)
  • Download unsigned ActiveX controls (Disable)
  • Initialize and script ActiveX controls not marked as safe (Disable)
  • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
  • Script ActiveX controls marked safe for scripting (Prompt)

Miscellaneous

  • Access data sources across domains (Disable)
  • Drag and drop or copy and paste files (Prompt)
  • Installation of desktop items (Prompt)
  • Launching programs and files in an IFRAME (Prompt)
  • Navigate sub-frames across different domains (Prompt)
  • Software channel permissions (High safety)
  • Userdata persistence (Disable)

Scripting

  • Allow paste operations via script (Prompt)
  • Scripting of Java applets (Prompt)

Next, you need to run a registry script called IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer’s “Restricted Zone”. Any site in that list will be unable to run JavaScript or Java applets, set or read cookies, or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.

Be aware that MSIE has many security flaws that will allow a clever site designer to bypass security settings, even if their site is in the restricted zone. More must still be done.

Now you need to install SpywareBlaster. ActiveX programs need to use a CLSID (identifier number) before Windows will execute them. SpywareBlaster stops certain ActiveX CLSIDs from working by setting a “kill bit” in the Windows registry. This will stop ActiveX drive-by installations from programs that use those numbers, and will also prevent software that is already installed from running if it uses one of those CLSIDs.
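To make the kill bit concrete, here is an added example (not SpywareBlaster's code and not part of the original article) that reads an exported .reg file and lists the CLSIDs whose kill bit is set. The registry path and the 0x400 mask are the documented Internet Explorer kill-bit location rather than values from this page, and the CLSIDs and the export are constructed placeholders.

```python
import re

# Where Internet Explorer looks up per-control flags, and the kill-bit mask.
AX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400

SECTION = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def compatibility_flags(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to its flags dword."""
    flags, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        section = SECTION.match(line)
        if section:
            parent, clsid = section.groups()
            # Registry paths are case-insensitive; CLSIDs under other keys are ignored.
            current = clsid.upper() if parent.lower() == AX_KEY.lower() else None
            if current:
                flags.setdefault(current, 0)  # key exists, no flags value seen yet
        elif line.startswith("["):
            current = None
        elif current and FLAGS.match(line):
            flags[current] = int(FLAGS.match(line).group(1), 16)
    return flags

def killed_clsids(reg_text):
    """CLSIDs whose kill bit is set, whatever other flag bits accompany it."""
    return sorted(c for c, f in compatibility_flags(reg_text).items() if f & KILL_BIT)

def placeholder_clsid(n):
    return "{00000000-0000-0000-0000-%012d}" % n  # constructed, not a real control

# Constructed export: 1 = kill bit only, 2 = a different flag, 3 = kill bit plus
# other bits (lower-case path), 4 = key without a flags value, 5 = unrelated key.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[%s\\%s]" % (AX_KEY, placeholder_clsid(1)), '"Compatibility Flags"=dword:00000400', "",
    "[%s\\%s]" % (AX_KEY, placeholder_clsid(2)), '"Compatibility Flags"=dword:00000020', "",
    "[%s\\%s]" % (AX_KEY.lower(), placeholder_clsid(3)), '"Compatibility Flags"=dword:00800400', "",
    "[%s\\%s]" % (AX_KEY, placeholder_clsid(4)), '"Note"="constructed value"', "",
    "[HKEY_CURRENT_USER\\Software\\Example\\%s]" % placeholder_clsid(5),
    '"Compatibility Flags"=dword:00000400',
])

if __name__ == "__main__":
    print("kill bit set:", killed_clsids(SAMPLE_REG))
```

The same function can be pointed at a real export of the ActiveX Compatibility key to confirm which controls a blocklist tool has actually disabled.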

As a final safeguard, install a program called Browser Hijack Blaster. This program will watch for alterations to the home page, default page and search page as well as watching for Browser Helper Objects being installed. If it detects a change, it immediately will pop up a warning and ask if you wish to allow the change.

Be very careful about installing programs. By far the most common source of malware infection comes from third party bundles. Grokster, for instance, will install a dozen or more unwanted programs.

Finally, you also should disable the preview pane if you use Outlook or Outlook Express. Simply by highlighting an email while the preview pane is active, even to delete it, you could activate any scripting in that email. Visit TomCoyote’s site for instructions on doing that.

Follow the steps above and it will be very unlikely that you ever will be hijacked again. Periodically scan your system with antispyware and antivirus software. I recommend Spybot S&D for antispyware and Nod32 for antivirus.

Witty Worm

March 8, 2008 – 3:09 PM

A new worm has been discovered exploiting the ISS/PAM ICQ module vulnerability. The worm payload is contained in a single 1025-byte UDP packet with a fixed source port of 4000 and a random destination port. Only the first 470 bytes of the payload are the working code of the worm; the remainder appears to be the contents of the memory immediately past where the worm code overflows the stack. The ISS PAM module will inspect the packet regardless of whether there is a service listening on the destination port. If the packet is inspected by a vulnerable version of BlackICE or RealSecure, the packet payload will be executed. This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist – unfortunately it will take all the affected systems with it. Rather than simply executing a “format C:” or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread.

BlackICE versions 3.5 and below are not affected by the worm or the vulnerability. Version 3.6ccf may be the only BlackICE version on which the worm functions but this is not guaranteed since we are unable to verify that each prior version does not use the affected dll. The worm will not affect version 3.6ccg, the latest version as of this writing.

The affected versions of RealSecure are unclear at this time. It is safe to say that the worm code is fully dependent on version 3.6.16 of the iss-pam1.dll, so any ISS product using that version of the DLL will probably be affected.

The dependence on the DLL version lies in the way the worm obtains the addresses for the Windows API calls. It relies on the imported functions from the iss-pam1.dll file being at a specific address. When the DLL is recompiled between shipped revisions, these offsets are subject to change. A change in the offsets will cause the worm to call the wrong function or execute invalid code. Systems vulnerable to the exploit but not running the specific version of the DLL the worm relies on may experience crashes of the BlackICE or RealSecure software.

The worm’s functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
    7) Closes the disk
    8) Starts the process over from step 1

The act of writing directly to the drive will cause certain filesystem corruption. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine.

Snort Signature

The following signature will detect the worm traffic:

alert udp any 4000 -> any any (msg:"ISS PAM/Witty Worm Shellcode"; content:"|65 74 51 68 73 6f 63 6b 54 53|"; depth:246; classtype:misc-attack; reference:url,www.lurhq.com/witty.html; sid:1000078; rev:1;)
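The signature's matching logic, written out as an added example that is not part of the original advisory: it applies the rule's source port, content bytes and depth to raw UDP datagrams. The port, bytes and depth come from the rule above; the sample datagrams are constructed from zero padding plus the ten marker bytes and contain no worm code.

```python
import struct

# Values copied from the Snort rule on this page.
SRC_PORT = 4000
CONTENT = bytes.fromhex("65 74 51 68 73 6f 63 6b 54 53")
DEPTH = 246

def parse_udp(datagram):
    """Return (src_port, dst_port, payload) from a raw UDP datagram."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("UDP length field does not fit the datagram")
    return sport, dport, datagram[8:length]

def rule_matches(datagram):
    """udp any 4000 -> any any, content within the first DEPTH payload bytes."""
    try:
        sport, _dport, payload = parse_udp(datagram)
    except ValueError:
        return False  # malformed datagrams never match
    # depth bounds the search window, so the whole pattern must end at or
    # before payload byte DEPTH. The destination port is deliberately ignored
    # because the worm picks it at random.
    return sport == SRC_PORT and CONTENT in payload[:DEPTH]

def make_udp(sport, dport, payload):
    """Build a constructed datagram for the samples below (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

PAD = b"\x00"
# Constructed samples covering the rule's boundaries.
SAMPLES = {
    "marker inside depth, dst 53": make_udp(4000, 53, PAD * 100 + CONTENT + PAD * 50),
    "marker ends exactly at depth": make_udp(4000, 40321, PAD * 236 + CONTENT),
    "marker straddles depth": make_udp(4000, 53, PAD * 240 + CONTENT),
    "wrong source port": make_udp(4001, 53, PAD * 100 + CONTENT),
    "source port 4000 without marker": make_udp(4000, 53, PAD * 300),
    "truncated header": b"\x0f\xa0\x00",
}

def alerts(samples):
    """Names of the samples the rule would alert on."""
    return sorted(name for name, dgram in samples.items() if rule_matches(dgram))

if __name__ == "__main__":
    print(alerts(SAMPLES))
```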

http://www.lurhq.com/witty.html

Problems updating AVG?

March 8, 2008 – 3:08 PM

Navigate to your AVG install directory and rename your existing url.ini file to url.iniold. Copy the following and paste into notepad and save it as url.ini. Put this new file into your AVG install directory. You’ll now have 3 options to select from with www.grisoft.com being the default.

[SERVER_NAME]
1=free.grisoft.cz
2=ftp.grisoft.com
3=www.grisoft.com

[SERVER_URL]
1=http://free.grisoft.cz/softw/60/fe
2=ftp.grisoft.com/pub/softw/60/fe/
3=http://www.grisoft.com/softw/60/fe/
Actual URL=3