Saturday, November 24, 2007

MSN Messenger Trojan - Spreading like Wildfire

A trojan is spreading through MSN Messenger and infecting machines very fast.
http://www.eweek.com/article2/0,1895,2218894,00.asp?kc=EWKNLBOE112407STR1

If you get a link in MSN messenger don't click it unless you are positive the person on the other end meant to send it to you. Ask them.

I have written about the insecurity of IM in the past as a potential vehicle for maliciousness...and now it is coming to pass.

We need more security on the Internet - fast. And more government and crime fighting organizations looking into the depths of Internet traffic and trends...that is where the next battlefield lies.

If the other guys have access to your bank accounts and know your every move - how can you possibly win a battle? And if they can send a virus that spreads so fast it takes down the entire infrastructure we rely on - for just about everything...

Think about it.

Friday, November 23, 2007

SQL Server - Authentication Override

Here is a somewhat in-depth discussion of injecting code into a running SQL Server 2000 process to bypass pretty much any authentication check or logging. In other words, just because it isn't in your logs doesn't mean you haven't been hacked.

http://www.ngssoftware.com/papers/violating_database_security.pdf

Tuesday, November 20, 2007

Email. There must be a better way.

If someone could fix the email problems of the world I think they'd pretty much be a millionaire for sure (as long as they hire a decent sales person).

Here's the deal. This week I could not GET emails from Vericenter, which is a tier 1 hosting provider, nor could I send emails to Network Solutions, and they are obviously a big Internet company. I also had a friend who was not getting my messages. So hmmm. Is this all just random? I mean really, c'mon - something has to be going on.

Let's say someone could intercept my messages and choose which ones they wanted me to get - or not - and which ones they wanted to go out - or not. Everyone says, oh, no, this is not possible. Right. Just like the hack on my server, which had a built-in virus checker and was spewing out spam, was not possible.

OK, moving right along, let's say this hacker is really good - and they usually are. My mail company traces a message and it goes all the way to Network Solutions' machine. Let's say the hacker DID send a message all the way to NetSol. But it wasn't my message. It was a piece of spam half way through the route. It LOOKS like the message went through. On NetSol's side, they say they have no message from me - it's not in their spam filter, yada yada.

Think out of the box...it IS possible. Don't tell me it's not.

But anyway, back to the problem at hand. So I try to tell Network Solutions, and they are a big company, and one of the best customer support people I've ever worked with...says there is nothing he can do. I asked him to contact his help desk and let them know - but what are the chances they fix it? They will say, "Everyone else is able to send and receive - it must be a problem with [your mammoth, top of the line] mail company [that supports major corporations]."

So where does that leave me? SCREWED.

I am trying to work with and get help from all the people that are saying they cannot send to me or receive mail from me, however unless I can get two vendors on two sides of the equation to cooperate - this problem CANNOT BE FIXED.

If someone would run a mail company that would proactively call and work with other companies when this thing happens, on behalf of the person with the email account, they would make millions.

And by the way if it is a hacker, you could get reimbursed for this time via a lawsuit because of a new law that just passed....see my previous posts.

Stealing someone's email is a form of identity theft. This past year spam criminals in Seattle were charged this way - and sent to jail.

Installing Network Solutions SSL cert on Java web server?

If you're following the instructions on Network Solutions' site to install their certs on a Java web server...don't. They are wrong and have been for over a year now. Call them to get the correct instructions.

Monday, November 19, 2007

Take Cyber Criminals to Court for Damages. New Law...

This is cool:

The U.S. Senate has passed a bill that would allow victims of online identity theft schemes to seek restitution from criminals and expands the definition of cyberextortion.

http://www.networkworld.com/news/2007/111607-senate-cybercrime.html?nlhtsec=rn_111907

It's about time criminals pay the price. Unfortunately some of them are outside this jurisdiction.

And by the way, does anybody believe me yet?

"Identity theft and data breaches have become organized crime's number one business," CSIA President Tim Bennett said in a statement.

Monster Spam - Money Scam

Received: from gwsin06.mbox.net [.19] by via mtad (C8.MAIN.3.40I) with ESMTP id 546LkTB1x0269M02; Tue, 20 Nov 2007 01:52:49 -0000
Return-Path:
Received: from gwsin06.mbox.net [127.0.0.1] by gwsin06.mbox.net via mtad (C8.MAIN.3.40I) with ESMTP; Tue, 20 Nov 2007 01:52:48 -0000
Received: from [.30] by gwsin06.mbox.net via mtad (C8.MAIN.3.40I) with ESMTP id; Tue, 20 Nov 2007 01:52:45 -0000
X-USANET-Routed: 1 gwsin-bmrelay Q:bmrelay
X-USANET-Routed: 2 gwsin-vs R:localhost:1825
X-USANET-Routed: 100 IN-RELAY R:cmsbackend.postoffice.net:525
Received: from smtp100.biz.mail.re2.yahoo.com [206.190.52.46] by via smtad (C8.MAIN.3.34P) with ESMTP id; Tue, 20 Nov 2007 01:52:45 -0000
X-USANET-Source: 206.190.52.46 IN Heather@Monster.com smtp100.biz.mail.re2.yahoo.com
X-USANET-MsgId: XID447LkTB1t0437Xma
Received: (qmail 73404 invoked from network); 20 Nov 2007 01:52:44 -0000
Received: from unknown (HELO localhost) (info24@qwbgtrbt543cvj.com@71.237.236.159 with login) by smtp100.biz.mail.re2.yahoo.com with SMTP; 20 Nov 2007 01:52:44 -0000
X-YMail-OSG: jYWPRfwVM1kU6Ince4b3cRwMQwOyx4BnAewRFJuHSQkx5tOVzBl7wHDcK9tJm2gmLUHNGHhDIzkk4X6ZGRd2sQ--
From: Heather Barnes
To: <>
Subject: , Monster.com have the new job for you
Reply-To:
Date: Mon, 19 Nov 2007 20:50:06 -0000
X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID:
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary="9246daffa5a6153600e6ef7b36aef7ee2b78215"
: Job offer

We have reviewed your resume at Monster.com and are eager to inform you that we are ready to offer you a vacant position of the "Money Agent".Mz AwZ


We looked through your skills and became sure that you correspond to our requirements.MTc 5YjF


The position of the money agent will require from you a half-day activity.
Your work will consist in transferring money among our clients.

Job scheme will comprise the following:NmQx ZD


1. You get a check by mail. ZT Jl

2. Than you cash itMjdj Zjh

3. You transfer the money to our clientsOTg 4MDU


Your earning will be 8 % of the amount of each check. NzE yO

Additionally we are going to effect you $ 1500 as your salary at the end of each month. OT UzN


Required skills to start this job:OWRi YzNi


- Honesty, responsibility and promptness in operations; YmM zN

- Prior customer service experience is a good benefit;MTY 0Mz

- Internet and e-mail skills; Experience in online work; NTM3 Zj

- Good communications skills ZDI0 Mm

Njli NjM4

This job will allow you to:
Njli NjM4

- Develop high selfrespect and esteem. MGFk ZT

- Efficiently work at home; MGFk ZTU0

- Get financial independence working only 3-5 hours per day; MGFk ZT

General requirements:
Nj li

- Internet and e-mail skills; Experience in online work; YjRj ZTBh

- Ability to create good administrative reporting; YjRj ZTB

- Prior customer service experience is a good benefit; Ym Yz

- Willingness to take the responsibility to set up and achieve goals; YzZl NDk4


In addition we will be able to offer you $ 2500 as a monthly payment after completion of the trial period. ZmV iOW


In case you are interested in the position, please answer this message. We will get in touch with you within 2 working days. NDJ iNj
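Reading the headers above from the bottom up tells the story: the message was submitted to Yahoo's business SMTP service with a login (info24@qwbgtrbt543cvj.com) from 71.237.236.159, Yahoo handed it to the USA.NET relay, and only the sender identity says Monster.com. The Date: header is also about five hours older than the first relay timestamp, and the short random tokens at the end of each body line ("Mz AwZ", "NmQx ZD") are hash-busting noise meant to defeat signature-based filters. The script below automates that reading. It is an added example, not part of the original post: its input is constructed from the headers quoted above (hops the page left blank stay blank), its function names are its own, and it assumes the X-USANET-Source: line records the sender identity the relay accepted.

```python
"""Trace an e-mail's Received: chain back to its origin (added example).

Walks the Received: headers oldest-first, finds the first hop with a public
IP, pulls the SMTP-AUTH identity Yahoo-style relays record, and compares it
with the sender identity the receiving relay logged.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received:, X-USANET-Source: and Date: headers of the
# Monster spam quoted above.  The "by via" hop keeps the blank the page had.
SAMPLE_HEADERS = (
    "Received: from gwsin06.mbox.net [127.0.0.1] by gwsin06.mbox.net via mtad"
    " (C8.MAIN.3.40I) with ESMTP; Tue, 20 Nov 2007 01:52:48 -0000\n"
    "Received: from smtp100.biz.mail.re2.yahoo.com [206.190.52.46] by via smtad"
    " (C8.MAIN.3.34P) with ESMTP id; Tue, 20 Nov 2007 01:52:45 -0000\n"
    "X-USANET-Source: 206.190.52.46 IN Heather@Monster.com"
    " smtp100.biz.mail.re2.yahoo.com\n"
    "Received: (qmail 73404 invoked from network); 20 Nov 2007 01:52:44 -0000\n"
    "Received: from unknown (HELO localhost)"
    " (info24@qwbgtrbt543cvj.com@71.237.236.159 with login)"
    " by smtp100.biz.mail.re2.yahoo.com with SMTP; 20 Nov 2007 01:52:44 -0000\n"
    "From: Heather Barnes\n"
    "Date: Mon, 19 Nov 2007 20:50:06 -0000\n"
    "\n"
)

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Yahoo records an authenticated submission as "(user@ip with login)".
AUTH = re.compile(r"\((\S+)@(\d{1,3}(?:\.\d{1,3}){3}) with login\)")


def parse_hops(raw):
    """Return Received: hops oldest-first as dicts (from, ip, auth_user, time)."""
    msg = message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):  # bottom = first hop
        clause, _, stamp = received.rpartition(";")
        when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        before_by = clause.split(" by ", 1)[0]          # the sending side only
        m = re.match(r"from\s+(\S+)", clause.strip())
        auth = AUTH.search(clause)
        public_ip = None
        for ip in IPV4.findall(before_by):
            if ipaddress.ip_address(ip).is_global:     # skip 127.0.0.1, RFC1918
                public_ip = ip
                break
        hops.append({"from": m.group(1) if m else None, "ip": public_ip,
                     "auth_user": auth.group(1) if auth else None, "time": when})
    return hops


def analyze(raw):
    """Summarize origin, claimed sender, date skew and mismatches for one message."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    origin = next((h for h in hops if h["ip"]), None)
    # Assumption: the USA.NET relay's "IN <address>" is the sender it accepted.
    m = re.search(r"\bIN\s+(\S+@\S+)", msg.get("X-USANET-Source", ""))
    claimed = m.group(1).lower() if m else None
    claimed_domain = claimed.split("@")[1] if claimed else None
    auth_user = origin["auth_user"] if origin else None
    auth_domain = auth_user.split("@")[-1].lower() if auth_user else None
    date_hdr = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    first = hops[0]["time"] if hops else None
    skew = (first - date_hdr).total_seconds() if date_hdr and first else None
    findings = []
    if claimed_domain and auth_domain and claimed_domain != auth_domain:
        findings.append(f"sender claims {claimed_domain} but was submitted as {auth_user}")
    if origin and origin["from"] in (None, "unknown"):
        findings.append(f"origin host unresolved; submitted from {origin['ip']}")
    if skew is not None and abs(skew) > 3600:
        findings.append(f"Date header is {skew / 3600:.1f} h before first relay")
    return {"origin_ip": origin["ip"] if origin else None, "auth_user": auth_user,
            "claimed_sender": claimed, "date_skew_s": skew, "findings": findings}


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        print(hop)
    print(analyze(SAMPLE_HEADERS))
```

The origin IP this reports is the value worth feeding into an SPF or blocklist check; the From: display name and address are whatever the sender typed and prove nothing on their own.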

Sunday, November 18, 2007

Hidden IP addresses

Well, here's another product that supports criminal activity...

http://www.hide-my-ip.com/faq.shtml

Basically they route the user's traffic through a proxy so the destination web host sees the proxy's IP rather than the user's.

I have to sort of revise what I said about this service earlier, as I just thought of something.

First of all, if you don't want these unknown IPs hitting your sites - block them out. They cannot change the IPs that fast and get so many that you can never block them all - because that would not be cost effective - to continually switch networks like that. The only way they could change IPs that fast is if they were doing some sort of criminal activity to get those IPs by hacking in and using IPs owned by other people. This would be a form of identity theft and very unwise, so I doubt this is going on here.

My initial reaction was that, for security reasons, this should be outlawed. If you have to hide your IP address (which can be dynamically assigned from a huge company and always changing anyway) then you are probably doing something you shouldn't be doing.

However there are some instances where this can be used for good. For instance when you are trying to protect your identity because you are reporting criminals and they don't like it, such as I do here.

But I still think this is a hotspot for surveillance of illegal activity.

Saturday, November 17, 2007

91.190.88.177 in Russia bombing our sites

This IP, 91.190.88.177, was apparently performing some sort of DoS attack at about 11/16/2007 7:28:46 AM.

inetnum: 91.190.88.0 - 91.190.88.255
netname: StartTelecom-NW
descr: P-t-P networks
descr: JSC Start Telecom, North-Western branch
descr: St.Petersburg, Russia
descr: 191119, St.Petersburg, Ligovsky pr., 108B
country: RU
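To act on a whois record like this one, the inetnum range has to become something a firewall understands. The script below is an added example, not part of the original post: it parses the record quoted above (used here as constructed input), converts the range to CIDR blocks (RIPE ranges do not always align to a single block, so the conversion can yield several), confirms the offending address falls inside, and emits block rules. The iptables syntax is an assumption about the reader's firewall, and the function names are the example's own.

```python
"""Turn a whois inetnum range into CIDR blocks and firewall rules (added example)."""
import ipaddress
import re

# Constructed sample: the RIPE record quoted above for the attacking IP.
WHOIS_TEXT = """\
inetnum: 91.190.88.0 - 91.190.88.255
netname: StartTelecom-NW
descr: P-t-P networks
descr: JSC Start Telecom, North-Western branch
descr: St.Petersburg, Russia
country: RU
"""


def cidrs_for_range(first, last):
    """Minimal list of CIDR networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def parse_whois(text):
    """Extract the inetnum range (as CIDRs) and netname from RIPE-style output."""
    m = re.search(r"^inetnum:\s*([\d.]+)\s*-\s*([\d.]+)", text, re.M)
    if not m:
        raise ValueError("no inetnum line in whois output")
    n = re.search(r"^netname:\s*(\S+)", text, re.M)
    return {"networks": cidrs_for_range(m.group(1), m.group(2)),
            "netname": n.group(1) if n else None}


def covers(networks, ip):
    """True if ip lies inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def iptables_rules(record, chain="INPUT"):
    """One DROP rule per CIDR, tagged with the netname (assumed iptables syntax)."""
    tag = f' -m comment --comment "{record["netname"]}"' if record["netname"] else ""
    return [f"iptables -A {chain} -s {net.with_prefixlen}{tag} -j DROP"
            for net in record["networks"]]


if __name__ == "__main__":
    record = parse_whois(WHOIS_TEXT)
    print("attacker inside range:", covers(record["networks"], "91.190.88.177"))
    for rule in iptables_rules(record):
        print(rule)
```

Blocking a whole allocation takes out every customer of that provider, which for a point-to-point access network is usually acceptable for a web site that has no business there; for an allocation shared with legitimate traffic, block the single address and widen only if the attack moves.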

Thursday, November 15, 2007

Princeton Premier

Spam or not? Phishing or not? Underlying crummy business model or unscrupulous ulterior motives? You make the call...

http://answers.yahoo.com/question/index?qid=20070810121143AApf9Tq

Sunday, November 11, 2007

Network Solutions - no way to add SPF records?

I am using a Network Solutions system for domain management and find it pretty much insane that they do not offer their domain owners a way to enter SPF records.

Saturday, November 10, 2007

Managed Hosting

A rant on my last managed hosting company (a big company that many people use). First, regarding my last post on SPF records (the managed company we used before that was the same way): it's almost like they don't want you to set up an SPF record. Heck, if a spammer gets on your machine and sends enough spam you'll be paying for the bandwidth, so what do they care? Not sure why they don't help customers set up SPF records, as it would enhance security for all their customers.

How to create SPF records

I found this cool tool from Microsoft that helps create SPF records and seems a lot easier to use than the ones Rackspace and Datapipe sent me (instead of telling me anything about whether my SPF records were right or wrong).

But anyway, here's the tool from Microsoft: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
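Whatever tool writes the record, it helps to know how a receiving server evaluates it: the mechanisms are tested left to right against the IP that connected to the receiver's MX, the first match decides the result, and the qualifier on "all" decides what happens to everything else. The evaluator below is an added example, not Microsoft's wizard and not part of the original post, with a constructed record for example.com (not anyone's real record). It handles ip4, ip6 and all, and reports a, mx, include, exists and ptr as skipped because they need DNS lookups. Checking 71.237.236.159, the address that submitted the Monster spam quoted above, against such a record gives the fail a -all record is meant to produce.

```python
"""Offline SPF evaluator for ip4/ip6/all mechanisms (added example)."""
import ipaddress

# Constructed record: one mail host, one provider outbound range, an IPv6
# block, the domain's MX hosts, and hard fail for everything else.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 ip6:2001:db8::/32 mx -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record):
    """Split a v=spf1 record into (result_if_matched, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:            # modifiers (redirect=, exp=) are not evaluated here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:  # "+ip4:" "-all" "~all" "?include:"
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mech = name.split("/", 1)[0].lower()   # "a/24" and "mx/24" carry a CIDR suffix
        parsed.append((QUALIFIERS[qual], mech, arg))
    return parsed


def check_spf(record, sender_ip):
    """Return (result, skipped_dns_mechanisms) for the connecting IP.

    Result follows the first matching mechanism; a record with no "all" term
    and no match yields "neutral", as the receiving side would treat it.
    """
    addr = ipaddress.ip_address(sender_ip)
    skipped = []
    for result, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", skipped
            if net.version == addr.version and addr in net:
                return result, skipped
        elif mech == "all":
            return result, skipped
        elif mech in NEEDS_DNS:
            skipped.append(mech + (":" + arg if arg else ""))
        else:
            return "permerror", skipped
    return "neutral", skipped


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.77", "2001:db8:1::5", "71.237.236.159"):
        print(ip, check_spf(EXAMPLE_RECORD, ip))
```

A "~all" (softfail) record lets receivers tag rather than reject, which is the safe way to start; publish "-all" only once every legitimate outbound host, including any managed-hosting relay that sends on your behalf, is listed, or your own mail becomes the collateral.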

Microsoft Update Bug

I've seen this bug a number of times. I go to Microsoft update and the error message says that background intelligent transfer, event log and automatic updates are not turned on. I turn the services on and still continue to get this error message. This happens going to https://www.update.microsoft.com

The reason for going to that particular url is to ensure you are really at a Microsoft site and cannot be spoofed to download some garbage from a hacker.

Finally I went to some other link like http://update.microsoft.com and this site told me to install some ActiveX control, and then I could go through the whole update process.

Seems like Microsoft needs to ensure whatever this ActiveX control is can be downloaded from their https site as well (or, if by some chance this is the work of a hacker, find and fix it from https://www.update.microsoft.com).

I don't think this is the work of a hacker, as it was on a new machine, but without using SSL I cannot necessarily be 100% confident.

PCI Compliance

Good point here:

PCI compliance mandate's power raises conflict-of-interest questions, 11/08/07: Businesses accepting credit cards have to assure their networks are secured according to the Payment Card Industry Data Security Standard, and to achieve that, they often make security investments based on the advice of the organization setting the standard and its 60 or so qualified security assessors empowered to judge whether a business is PCI compliant or not.

http://www.networkworld.com/news/2007/110807-pci-compliance.html?nlhtsec=1105securityalert5&&nladname=110907securityal

Russian Crime Ring Down

Here's good news for the good guys:

http://www.networkworld.com/news/2007/110807-major-russian-crime-hub-suddenly.html?nlhtsec=1105securityalert5&&nladname=110907securityal

Keep bloggin' and reporting the Internet mischief on your network.

Friday, November 09, 2007

Someone in Russia trying to spam reputations

Apparently this group in Russia:

a@softsearch.ru

and probably related ones are trying to spam people's reputations. Feel free to email them from a throwaway email account and tell them to stop their nonsense.

I also saw a ton of spam about an investor acquaintance of mine - a nasty insulting page repeated over and over and over again on the net.

I think Google needs to look into this repetitive harmful content. It is obviously spam by someone who wants someone else to take a fall.