Over the last few days, one of the viruses going around (probably a Mytob variant) has been trying to send its “Your account is being suspended! Open this file now!” come-ons. It forges the return address as support@example.net, admin@example.net, etc. We block any incoming mail using these addresses before it even gets to our virus scanner.

Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!

I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.
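As an added illustration (not code from the post), here is a naive gTLD-grabbing domain guess beside a suffix-aware one, showing how another-example.com.br can be misread as another-example.com, together with the role-address block described above; the heuristic and the suffix list are assumptions.

```python
import re

# Added example, not code from the post. Models the post's hypothesis: a worm
# that derives a target domain from its host's name by grabbing the first
# "label.gtld" it sees reads someserver.another-example.com.br as
# another-example.com, then forges support@/admin@ at that domain.

# Constructed, abbreviated suffix data; a real filter would load the full
# Public Suffix List rather than this handful of entries.
MULTI_LABEL_SUFFIXES = {"com.br", "net.br", "co.uk", "com.au"}

def naive_domain_guess(hostname: str) -> str:
    """Flawed heuristic (hypothetical): first 'label.com/net/org' in the name."""
    m = re.search(r"([a-z0-9-]+)\.(com|net|org)\b", hostname.lower())
    return m.group(0) if m else ""

def registrable_domain(hostname: str) -> str:
    """Suffix-aware version: keep one label more than the public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)  # bare suffix, nothing registrable
    return ".".join(labels[-(suffix_len + 1):])

# Role addresses the post says are blocked before mail reaches the scanner.
FORGED_LOCAL_PARTS = {"support", "admin"}

def forged_sender(address: str, our_domains: set) -> bool:
    """True when the sender uses one of the forged role addresses at a
    domain we manage; we never send mail from these, so it can be dropped."""
    local, _, domain = address.lower().rpartition("@")
    return domain in our_domains and local in FORGED_LOCAL_PARTS
```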

We finally replaced our 4-year-old Windows Me computer with a new Dell (I’d had enough of building computers a few weeks ago) and it arrived yesterday. Katie had already asked me to upgrade her Mac while she made pizza for an office party. I had planned to finish installing Tiger first, but once you get past a couple of options and the EULA it’s all a matter of waiting for it to finish.

There’s something oddly exhilarating about simultaneously setting up both a Mac and a PC.

Of course I spent the next few hours registering the pre-installed software and updating everything. Run Windows Update. Reboot. Run LiveUpdate for Norton Internet Security. Reboot. Run Office Update (twice). It’s nice that Dell will pre-install stuff for you, but given that the computer is built to order, you’d think they could apply the updates before shipping.

With today’s hostile internet, it would greatly benefit not just new computer owners but the world at large if Microsoft (and Apple and Red Hat, while we’re at it) would take a cue from SuSE and Mandrake and tie their update systems into the setup process.

To Microsoft’s credit, Windows XP setup gives you a chance to turn on automatic updates, and recommends it to the point of “Well, if you really want to turn it off, you can, but you’ll be sorry!” And I’m reasonably certain Windows Firewall was turned on by default (i.e. it’s on now, and I don’t remember turning it on), though Norton supersedes a lot of its functionality. Depending on the default firewall rules, that should mitigate the impact of any worms that happen to pick your IP address before you run Windows Update.

Correction: It seems Windows Firewall wasn’t on as I thought. Norton Personal Firewall kept asking me whether I wanted to disable redundant rules (makes sense) or disable Windows Firewall entirely (I told it no—twice), so I assumed it was running. I hope it was only off because Norton was pre-installed.

Some potentially nasty browser security vulnerabilities were found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of updates.mozilla.org and addons.mozilla.org—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.)

Maybe it’s the housing costs, but people in San Francisco need a little extra incentive to give out their computer password than people in Liverpool. Last year a survey found that 71% would reveal their password for a chocolate bar. A similar survey this month in San Francisco found that 66% would give it up for a coffee.

At least Verisign made good on the offer—with a $3 Starbucks gift card.

At the end of a post on SSL/TLS and just how much security a “secure” site really gives you, Eric Lawrence of IEBlog posted an interesting thought:

The so-called “browser wars” have fundamentally changed. It’s no longer Microsoft vs. Mozilla vs. Opera et al. Now it’s the “good guys” vs. the “bad guys.” The “bad guys” are the phishers, malware distributors, and other miscellaneous crooks looking for a quick score at the expense of the browsing public.

We’re all in this together.

I’m not sure I agree entirely. It’s more like a second war has started, one in which former enemies are (or at least should be) allies. I do still think competition is necessary, as evidenced by Microsoft’s sudden reversal on updating IE once Firefox became popular—but more cooperation on security may be something MS/Moz/Opera/Apple should consider.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is don’t let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

Time to emphasize the fact that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)

AKA stuff I wanted to write about earlier this week but need to just slam out while they’re still topical.

  • Judge slams SCO’s lack of evidence against IBM. After all the wild claims they’ve made without providing evidence, it’s nice to see even the judge is getting sick of it.
  • Beware the unexpected attack vector – Your enemy may not come at you from the direction you expect. Set up sentries around the beach, they’ll get you through the ocean. Set up a firewall, they’ll get you through web browsers. It’s mainly about computer/network security, but it has an interesting story explaining why there’s only one major newspaper in Los Angeles.