Category: Computer Security

Posted on
by

By way of Justin Mason and the SpamAssassin mailing list comes this post about writing add-ons for Outlook.

Seth Goodman writes of Outlook’s contact list:

This feature was apparently added for the convenience of virus writers, who it appears were one of the key groups that set the design requirements for this product

Ronald F. Guilmette replies:

So if I want source code for a software tool that can extract addresses from a personal Outlook address book, I guess that I should just go out and hire a virus writer! Hummm. I would have no problem with that. At least this would give them some honest work for a change… keeping them off the streets and out of trouble for a short while.

So now, where does one post a ‘HELP WANTED’ ad for a virus writer?

Posted on
by

More “You sent a virus!” garbage going around. It’s gotten to the point where I don’t even look at most delivery failure notices, which means I could easily miss errors about mail I really did send.

I got ticked off enough this time that I wrote back to the return address on the warning, matching the tone and structure of their message as closely as possible:

An invalid virus notice was found in an Email message you sent. Your Email scanner recognized a virus as W32/MyDoom-O but did not take into account the fact that this virus always uses a fake sender address.

Please update your virus scanner or contact your IT support personnel as soon as possible as you are sending bogus virus warnings to third parties whose systems are not infected with the virus. This runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistant virus they fear they have). I would recommend reading up on the phrase “crying wolf” as well.

Posted on
by

I regularly get bogus bounces from clueless virus scanners that don’t realize the sending address is fake 99% of the time, but this takes the cake:

Sometime last night I received three copies of the same notice from some system in Brazil. They had written their virus warning in Microsoft Word, saved it as HTML without cleaning up all the extra junk, and made it the only part of the message… in Base64 encoding!

If you’re going to send any kind of diagnostic notice by email, you want it to be as simple and widely readable as possible. That means plain text (not HTML or Base64, and certainly not both!) It also means if you do want to use HTML, at least clean it up and include a plain-text alternative. For all you know it’s going to be read by some admin logging into a GUIless server through SSH over a modem connection on a hotel phone line!

Posted on
by

This morning I recieved both a bogus “Out of Office” reply from someone at Halliburton (presumably from a virus that spoofed my address as the sender) and a new 419 scam variant, this one claiming to be someone in Iraq. (I still think of them as Nigerian scams, but they’ve gone seriously international over the past year or so.) Subject line: “EVERY IMPORTANT” (really!)

Something to consider on those vacation messages: I was just sent some random Halliburton employee’s cell phone number. Not that I have any use for it, but would you hand out your cell number to any random person on the Internet? I know I wouldn’t!

Posted on
by

I just came across an article on non-password authentication that refers back to an April 2004 survey of office workers which found that “71% were willing to part with their password for a chocolate bar.”

Wow. I know they say everyone has their price, but this is ridiculous.

It reminds me of the comic book Underworld Unleashed, in which a demon approached various DC villains offering to give them enhanced powers in exchange for their souls. The Joker sold his soul in exchange for… a box of cigars. “They’re cubans!” he explained.

Another good one: “I work in a financial call centre, our password changes daily, but I do not have a problem remembering it as it is written on the board so that every one can see it.”

Un. be. lievable.

Posted on
by

CNET posted an article today, Concern grows over browser security, about the rise in browser-based attacks (mostly spoofed sites for phishing, but also attempts to install viruses and other malware through web browser security holes).

What’s interesting about the article is that nowhere does it mention Mozilla, Opera or Safari.

Could it be that attacks through these browsers are less common than attacks through Internet Explorer, even adjusted for market share? (Sure, IE has more than 90%, but there are a lot of people using the others.)

Or could it be that the author has succumbed to the “Web Browser = MSIE” belief?

If nothing else, you’d think that their statistics would have a bit more information, but it’s a single number for “browser” attacks. Nothing more detailed than that.

To be fair, the press release doesn’t provide any better numbers. In fact, it mentions no browser by name at all. (One can hope their data is a bit more detailed, but the purpose of the study appears to have been to identify trends in types of attacks, not in the software targeted.) And yet IE is the only browser CNET mentions, despite the alternatives’ better security records.

Posted on
by

Last month I finally got around to installing antivirus software on the one Windows computer we have at home. While I’ve found Norton Anti-Virus has worked well on my system at work, I ended up choosing McAfee Internet Security Suite for two reasons: (1) unlike Symantec, they don’t use a product activation scheme, and (2) since McAfee bought Deersoft, purchasing a McAfee-related anti-spam product should help fund SpamAssassin development.

Big mistake.

Since installing McAfee, this computer has crashed at least once each time I’ve turned it on (usually with a McAfee dialog box visible). The privacy service adds another login prompt, whether you want it or not. It tends to pop up dialogs when you’re in the middle of, say, running ScanDisk to make sure the system survived the crash McAfee caused five minutes earlier. And, ridiculously, the software and virus definition update runs through Internet Explorer.

By this I don’t mean that it expects you to go to the website and download an installer. That would be inconvenient, but acceptable (since you could choose what web browser to use). No, it pops up a “Check for updates” dialog box which then opens Internet Explorer, goes through a set of redirects until it opens a pop-up that looks like a download manager (but is clearly done using HTML), and then downloads and installs the update.

Now forget any isues you might have with buggy rendering, feature parity, monopoly abuse, antitrust, etc. Just look at IE’s track record on security.

Why would you want a security system to rely on something so notoriously insecure?

Symantec has its own update program that calls out, checks for updates, downloads them and installs. You can run it manuallky, or you can set it to grab and install virus updates automatically. Nowhere in this whole process does Internet Explorer come into the picture – or if it does, it’s hidden away where the power user won’t see it and say “What the hell do they think they’re doing?”