Thunderbird, meet Norton

I just downloaded a trial copy of Norton Antivirus 2007 to install on a test machine. On the same box, I have Mozilla’s new Thunderbird 2.0 e-mail client installed. As part of the trial install, I had to create a Norton Account (not sure, but that might be a (TM)) with Symantec.

Symantec sent me an acknowledgment message via e-mail within minutes after I created the account. Thunderbird’s anti-phishing module wasn’t pleased: 

[Screenshot: Sym_scam]

I’ve been reasonably impressed with the performance and design of Thunderbird so far, but this sort of false positive is always troubling, no matter where it comes from.

Update: I’m surprised that this post drew so many comments so quickly. Here’s why I’m pointing this out: Mozilla and Google are tight, very tight. They collaborated extensively on the anti-phishing technology in Firefox. Google Mail (Gmail) even gets its own entry in the New Account Setup dialog box for Thunderbird.

[Screenshot: Gmail_tbird]

So I would assume that mail coming into Thunderbird from my Gmail.com account should be the best possible candidate for the Mozilla/Google team to get right.

And in fact Google Mail does get it right. When I look at the message source, I see two headers added by Google: One shows the results from a Brightmail scan, which says the message is from a whitelisted domain. The other is an SPF header from Google, which is tagged PASS and says the IP address from which the message originated is a “permitted sender.”

Google has gone to a lot of trouble to screen all mail coming into a Gmail account as junk or suspicious. So why isn’t Mozilla able to piggyback on this analysis?
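As an added illustration (not code from this post or from Mozilla), here is how a mail client could piggyback on the SPF verdict the receiving provider stamps on a delivered message: it reads only the topmost Received-SPF header, and trusts it only when that header names the mailbox provider as the evaluator, since any lower Received-SPF header arrived with the message and could have been written by the sender. The message below is constructed; the "permitted sender" wording follows the header quoted above.

```python
import email
import re
from email import policy

# Constructed sample (not from the post): a message as a Gmail-hosted mailbox
# might hand it to a client. The receiving MTA's own Received-SPF header is on
# top; the one further down arrived with the message and could have been forged.
SAMPLE = """\
Received-SPF: pass (google.com: domain of noreply@example-vendor.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Received: from mail.example-vendor.com (mail.example-vendor.com. [192.0.2.10])
        by mx.google.com with ESMTP id constructed
Received-SPF: pass (sender.example: result asserted by the sender) client-ip=203.0.113.5;
From: "Vendor Support" <noreply@example-vendor.com>
To: user@gmail.com
Subject: Your account has been created

Thanks for creating your account.
"""

SPF_RE = re.compile(
    r"^\s*(pass|fail|softfail|neutral|none|temperror|permerror)"
    r"\s*\((?P<authority>[^\s:)]+):", re.I)

def spf_verdict(raw: str, trusted_authority: str = "google.com") -> dict:
    """Return the SPF result a client could reuse, plus whether to trust it.

    Only the topmost Received-SPF header counts (it was added last, by the
    mailbox provider), and it is trusted only when it names that provider as
    the evaluator. Lower Received-SPF headers are ignored entirely.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    spf_headers = msg.get_all("Received-SPF") or []
    if not spf_headers:
        return {"result": "none", "trusted": False, "reason": "no Received-SPF header"}
    m = SPF_RE.match(str(spf_headers[0]))
    if not m:
        return {"result": "unknown", "trusted": False, "reason": "unparseable header"}
    authority = m.group("authority").lower()
    return {
        "result": m.group(1).lower(),
        "trusted": authority == trusted_authority.lower(),
        "reason": f"evaluated by {authority}",
    }
```

A client that whitelists on this verdict still has to know which provider hosts the mailbox; a "pass" evaluated by anyone else is just a claim.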

Update 2: For those who think I’m picking on Mozilla, note that I called Microsoft for an even sillier false positive about 18 months ago. And in both cases this behavior is the correct default. When in doubt, let me make the decision, exactly as Thunderbird has done here. But the algorithm really should be better than this.

WordPress users, take notice

Good lord, this is a nightmare scenario. If you run a website powered by WordPress, be sure to read this announcement:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

If you know someone whose site is powered by WordPress, spread the word. And man, do I feel bad for the people who run WordPress.org. This is indeed “the kind of thing you pray never happens.”

High-security web certificates arrive

I’ve been meaning to mention this for a while, and today I got another reminder when I went to eBay to see how much I could get for a Dell PowerEdge 600SC server:

[Screenshot: Ebay_green_cert]

In IE7, the Address bar turns green to indicate that the secure connection is backed up by an “extended validation” certificate from a trusted certification authority (in this case, Verisign). So far, I’ve seen these certificates at PayPal and eBay, both of which are prime targets for phishing attacks.

When these certificates were announced, there was a bit of a brouhaha about how they would turn mom and pop retail outlets into second-class citizens. But organized criminals aren’t aggressively attacking those little sites; they’re going after the big names. So this approach makes sense. (Not only that, but many small businesses use PayPal or eBay stores for payment and order processing, which means they get the enhanced security without having to pay for an expensive certificate.)

Have you seen these certificates anywhere else?

Update: If you’re running IE7 on Windows XP, you’ll need to go to Windows Update and get the Root Certificates update (in the Optional section) before this feature will work.

The mystery of the gobbledygook folder

My buddy Michael sends a worried e-mail:

I’ve got a question/concern:

I found the attached .txt file in a weird folder on my C: drive.

It has me a bit concerned, b/c it’s such a detailed log of some serious changes on my machine.

The folder was named “6d3f48932a458452fc06ece98b60” and is dated 11/19/2006.

One possible clue: I installed the new IE somewhere around this date, but my concern is that I’ve found several of these similar folders & txt files on Renee’s computer, and I haven’t upgraded her IE.

WTF is it? Does it mean anything to you? Is it nothing, or something bad?

I have those on several machines here. They’re perfectly normal, if a bit baffling. The best clue was the name of the attached file:

msxml4-KB927978-enu.log

It’s easy enough to break that down:

  • The .log extension means this is a log file, in text format, documenting changes that were made to the system.
  • The -enu bit at the end means it was in the English (U.S.) language.
  • KB927978 refers to a Microsoft Knowledge Base article number.
  • And if you look for that article, you find out that it’s entitled “MS06-071: Security update for Microsoft XML Core Services 4.0”, which pretty neatly takes care of the msxml4 part at the beginning of the name.

The long, gobbledygook number is a security precaution. If you write a patch to a known location on every one of a few hundred million PCs, then the bad guys know to target that location. By creating a system-generated name for the folder, it’s impossible for an attacker to target the files in that location.

If you’ve got one or more of these folders hanging around, you can safely delete it.
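Here is the breakdown above turned into a small checker (an added example, not part of the post): it splits an update log name into component, KB number and language, and only calls a hex-named folder "update residue" when every file inside is a recognized log, so a folder with something unexpected in it gets looked at rather than deleted blindly. The accepted folder-name length is an assumption; the post's example is 28 hex characters.

```python
import re
from typing import Optional

# Update log names as broken down above: <component>-KB<article>-<language>.log
LOG_NAME_RE = re.compile(
    r"^(?P<component>[a-z0-9_.]+)-kb(?P<kb>\d{6,7})-(?P<lang>[a-z]{3})\.log$", re.I)
# Assumption: the system-generated folder name is a run of lowercase hex digits;
# the post's example is 28 characters long, so a generous range is accepted.
HEX_FOLDER_RE = re.compile(r"^[0-9a-f]{20,40}$")
# Language suffixes explained on the page; any other code is reported as-is.
LANG_NAMES = {"enu": "English (U.S.)"}

def parse_update_log_name(name: str) -> Optional[dict]:
    """Split an update log file name into its parts, or None if it does not fit."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    lang = m.group("lang").lower()
    return {
        "component": m.group("component"),
        "kb": "KB" + m.group("kb"),
        "language": LANG_NAMES.get(lang, lang),
    }

def classify_folder(folder_name: str, entries: list) -> dict:
    """Decide whether a hex-named folder looks like leftover update residue.

    The folder counts as residue only when its name is system-generated hex
    AND every file inside parses as an update log; anything else is listed
    under "unrecognized" so it can be checked before the folder is removed.
    """
    parsed = [parse_update_log_name(e) for e in entries]
    hex_named = bool(HEX_FOLDER_RE.match(folder_name))
    all_logs = bool(entries) and all(p is not None for p in parsed)
    return {
        "hex_named": hex_named,
        "update_residue": hex_named and all_logs,
        "patches": sorted({p["kb"] for p in parsed if p}),
        "unrecognized": [e for e, p in zip(entries, parsed) if p is None],
    }
```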


An up-close look at Russian spambot herders

Ryan Naraine at eWeek has a must-read article on how the recent surge of “pump and dump” spam is being delivered. Working with Joe Stewart, a senior security researcher at SecureWorks in Atlanta, Ryan was able to deliver a detailed picture of how these sleazy operations work and why they’re so hard to shut down.

Sobering numbers: 70,000 infected machines capable of pumping out a billion messages a day, virtually all of them for penis enlargement and stock scams.

Excellent graphics, too. This one shows that Windows XP Service Pack 2 is hosting nearly half the attacked machines.

It would sure be interesting to find out which exploits are responsible for all these infections. 

… as Mike Dimmick points out in the comments, many of these bots are installed because users download and install dangerous software and hand the keys to their system over to the bad guys: “That’s why the ISPs have to take charge and block spam from leaving zombie computers – ordinary users frankly can’t be trusted not to infect themselves.”

Sad but true.


Yo ho, yo ho, a pirate’s life for me

Long Zheng looks at the latest Microsoft research on counterfeit software and piracy and turns the numbers on their head:

Does that mean 75% of websites accessed offer[ing] counterfeit product keys, pirated software, key generators or crack tools did not attempt to install malicious software? And are in theory, safe?

[…]

Does that mean an astounding 89% of key generators and crack tools downloaded from web sites were also safe?

[…]

Does that mean 41% of key generators and crack tools downloaded from P2P networks were also safe?

And apparently 76% of counterfeit copies passed activation, too.

This is purely satirical commentary, Long hastens to add. And they’re just hypothetical questions, too.

No class in Cupertino

So, Apple ships a bunch of iPods with a virus. And who do they blame?

We recently discovered that a small number – less than 1% – of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up to date anti-virus software which is included with most Windows computers should detect and remove it. So far we have seen less than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it. [emphasis added]

Hey, Apple, you shipped it. Show some class.

Clowns

A few days ago, a presentation at the previously obscure Toorcon security conference featured a pair of self-styled hackers who claimed they had discovered a zero-day exploit in Firefox. On a scale of 1 to 10, this is about a 13, especially with the added detail that devising a patch might be difficult or even impossible.

I chose not to write about it here or at ZDNet, because something just didn’t feel right about this story.

Now, it turns out, one of the two presenters admits they were just clowning around:

[Mischa] Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant “to be humorous” and insists the code presented at the conference cannot result in code execution.

If these two really were just clowns, it wouldn’t be a big deal. But one of the two works for Six Apart, which runs the TypePad and LiveJournal blogging services and sells the Movable Type blogging platform. Having a heavyweight name on his business card probably has at least something to do with why these guys were selected to speak, and why the security community took them seriously. Pulling a fire alarm isn’t funny, and it no doubt sent a lot of security professionals scrambling to perform work that wasn’t necessary. They have every right to be pissed off.

eWeek’s Ryan Naraine and Brian Krebs of the Washington Post are both excellent reporters. I hope the folks at Six Apart turn over every rock to find the real story. If Naraine and Krebs are reporting accurately, someone needs to be fired – or sent to work night shifts on the Clueless Newbies support desk.

Can you trust Automatic Updates?

Do you have Automatic Updates for Windows turned on? If you knew that it might take a week or longer for all Critical updates to arrive on your PC, would you still use Automatic Updates?

I’m still trying to get answers on some important questions here, but I’m not reassured when the Microsoft Security Response Center says it’s “perfectly normal” for updates to be delayed by a week and possibly more.