Category: Computer Security

Posted on
by

If you’ve been paying attention to computer security, you already know that spam, viruses, and organized crime have been in bed together for at least a year. The recently-discovered theft of 40 million credit card numbers [edit: originally linked to Yahoo News] illustrates this point clearly:

CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, [MasterCard spokeswoman] Gamsin said. She said she did not know how the script got into the system. The FBI was investigating. (emphasis added)

Given the current porous state of many networks and operating systems, and the general public’s attitude that catching a computer virus is as inevitable as catching a cold, I’d guess it got into the system the same way most spyware does. An email attachment squeaked by the filters. Someone installed a tool that claimed it would make their web access faster. Someone got a well-designed phish, followed the link, and got infected by a backdoor because their browser was behind on security patches. Someone brought a laptop home, plugged it into their insecure home network, and brought back a virus.

Sadly, I expect we’ll be seeing a lot more of this.

Update June 20: Netcraft is reporting that it was indeed lax computer security that did them in:

MasterCard International said it “worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.” Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems’ security. (emphasis added)

Netcraft seems to think it was likely their website, which runs on Windows 2000 and IIS 5, and they go on to promote their own security consulting services. So it’s not entirely an unbiased look at the incident.

Posted on
by

Over the last few days, one of the viruses going around (probably a Mytob variant) has been trying to send its “Your account is being suspended! Open this file now!” come-ons. It forges the return address as support@example.net, admin@example.net, etc. We block any incoming mail using these addresses before it even gets to our virus scanner.

Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!

I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.
Continue reading

Posted on
by

We finally replaced our 4-year-old Windows Me computer with a new Dell (I’d had enough of building computers a few weeks ago) and it arrived yesterday. Katie had already asked me to upgrade her Mac while she made pizza for an office party. I had planned to finish installing Tiger first, but once you get past a couple of options and the EULA it’s all a matter of waiting for it to finish.

There’s something oddly exhilarating about simultaneously setting up both a Mac and a PC.

Of course I spent the next few hours registering the pre-installed software and updating everything. Run Windows Update. Reboot. Run LiveUpdate for Norton Internet Security. Reboot. Run Office Update (twice). It’s nice that Dell will pre-install stuff for you, but given that the computer is built to order, you’d think they could apply the updates before shipping.

With today’s hostile internet, it would greatly benefit not just new computer owners but the world at large if Microsoft (and Apple and Red Hat, while we’re at it) would take a cue from SuSE and Mandrake and tie their update systems into the setup process.

To Microsoft’s credit, Windows XP setup gives you a chance to turn on automatic updates, and recommends it to the point of “Well, if you really want to turn it off, you can, but you’ll be sorry!” And I’m reasonably certain Windows Firewall was turned on by default (i.e. it’s on now, and I don’t remember turning it on), though Norton supersedes a lot of its functionality. Depending on the default firewall rules, that should mitigate the impact of any worms that happen to pick your IP address before you run Windows Update.

Correction: It seems Windows Firewall wasn’t on as I thought. Norton Personal Firewall kept asking me whether I wanted to disable redundant rules (makes sense) or disable Windows Firewall entirely (I told it no—twice), so I assumed it was running. I hope it was only off because Norton was pre-installed.

Posted on
by

Some potentially nasty browser security vulnerabilities found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of updates.mozilla.org and addons.mozilla.org—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.) Continue reading

Posted on
by

Maybe it’s the housing costs, but people in San Francisco need a little extra incentive to give out their computer password than people in Liverpool. Last year a survey found that 71% would reveal their password for a chocolate bar. A similar survey this month in San Francisco found that 66% would give it up for a coffee.

At least Verisign made good on the offer—with a $3 Starbucks gift card.