CAN-SPAM one year later: more spam than ever. Spam has more than doubled from 15 billion messages in 2003 to an estimated 35 billion in 2004. Is anyone really surprised? From the article: “The FTC says the goal of the act was never to cut down on spam but to give recipients control via the opt-out component.” Hmm, that might be part of why groups like Spamhaus were calling it the “You Can Spam” act. (via The War on Spam)

Webroot identifies the Top 10 “Most Unwanted” Spyware programs, using the “P-I Index…. P is for prevalence, I is for insidiousness.” The “winners” include pop-up generators, keystroke loggers, autodialers and the like. (via Aunty Spam’s Net Patrol)

Finally, there are several fixes and work-arounds for the pop-up window spoofing vulnerability I wrote about last week. There’s the all-inclusive method: close all other browser windows. Netcraft reports that Opera has issued a fix (7.54u1) and Safari is safe if pop-up blocking is enabled. I just got an email indicating that KDE has released a fix for Konqueror (expect that to start hitting distributions this week). No word yet on Firefox or IE, and while Microsoft has its monthly patch day tomorrow, I wouldn’t expect this to show up quite that soon.

Here’s an online security story to freak you out: Security firm Secunia has found a loophole [Edit: originally linked to Yahoo! News] in basic browser window handling that can let any site plug its code into a pop-up window generated by any other site. That’s not just ads, that includes pop-up help files, password dialogs, you name it.

They even have a demonstration: Start the code going on their site, open up Citibank, then click on a button on the Citibank site and it’ll open a page from Secunia.

And it works in every major browser, for the simple reason that it uses standard functionality that no one has questioned until now: The ability to open a page in a particular frame or window. All you need to know is the name of that window, and you’re set. As long as it hides the toolbars (SOP for pop-up windows of all stripes), the user will never notice. There is a workaround, at least for Firefox and Mozilla users, but it’s ugly: prevent sites from hiding the location bar.

Actually, the functionality has been questioned before: last July, when Secunia found a similar problem in frames. The solution for that was to prevent a page in one window (or tab) from accessing frames in another. But it’s a little more challenging to decide which pages should be allowed to update a top-level window.

In the short term, sites wanting to protect themselves from being hijacked can probably help by randomizing the names of their pop-up windows. In the long term, browsers are going to have to figure out how to separate windows that should have the ability to load new pages from windows that shouldn’t, knowing that they’ll undoubtedly end up breaking some websites in the process.

(via The War on Spam)

Mozilla developer Ben Goodger writes about losing his inbox to the latest virus… despite not using any vulnerable software. Apparently he’s been getting over 10,000 virus-laced messages every day, and with the four-day weekend they built up to the point that Thunderbird wasn’t able to handle the influx. (Imagine having to filter out 770 megabytes of junk every day, and having that build up over several days.)

Sure, the pre-release Thunderbird still has problems dealing with very large folders, but 770 MB/day? Even Gmail only gives you 1 GB of total storage. I can’t think of any reasonable expectation that any mail client should have to deal with that at today’s level of data richness. Maybe in the future when we’re sending full-motion video on a regular basis, but not when most email is text with maybe some formatting and a couple of small images.

It’s just staggering that, even though the main email worms depend on Microsoft Outlook, Outlook Express, and Internet Explorer to spread themselves and infect new hosts, they can still damage systems that don’t use those programs!

Netcraft reports on a series of malicious banner ads using a vulnerability in Internet Explorer 6 to spread the Bofra virus. Clicking on the banners sends you to a website that uses the recently-discovered IFRAME vulnerability to infect your computer. Of note are the facts that there is no patch for this yet, and XP SP2 is affected (whoops, I misread that part).

The Register found the ads on their own website and identified the source as ad server Falk AG. They have pulled Falk AG’s ads from their rotation and apologized to their readers. Netcraft adds that Falk AG’s clients include high-profile sites such as A&E, NBC, and Sony. The ad company has issued a statement, but the page currently consists of the line “Server Engine: Application error.”

Update 3pm: The statement from Falk [archive.org] is readable now. Apparently someone broke into one of their network load balancers and reconfigured it to redirect ads to the malicious site. Once they discovered it, they shut down the affected system and started checking the rest. The malicious ads ran for a total of about 6 hours on Saturday.

Update Tuesday: the Internet Storm Center has posted a write-up of the attack response.

Of course, there are several ways to protect yourself from this type of attack.

Browse Happy. Online. Worry-free. Switch today.

This has got to be a typo:

About 91 percent of PCs today are infected with spyware programs that send information from your PC to an unauthorized third party.

NCSA (National Cyber Security Alliance, not the National Center for Supercomputing Applications of Mosaic fame) Chairman Ken Watson quoted by CNET in Study: Consumers take cyberattacks lightly.

That’s a staggering number, and I hope it’s supposed to be 19. Even so, considering how many computers there are in the world, it’s still a staggering number.

Spyware, viruses and worse are out there, and they’re all over both business and home computers. It’s worth checking out the NCSA’s website, staysafeonline.info, as well as others like CERT’s page on Home Network Security, the US-CERT website, or the FTC’s guide to Consumer Information Security (though I can’t quite get past the turtle logo on that one).