Legitimate or Fraud?
Take the Phishing IQ Test. I got 8 out of 10 questions right.
Netcraft now has a phishing site feed available. For all the updates on stupid phishing sites - necessary, yet annoying information for ISPs, hosting services and company IT departments.
Actually, I thought I might read it just for fun, but that's not possible - that feed is only available for $$$ and targeted not just for reading, but rather for integration with mail servers (filters! blacklists!) and web proxies (filters! blacklists!) and intrusion detection systems (firewalls in routers to target other applications than eMail and http, such as Usenet, FTP and IRC).
Ah, it's an easy business model: offer a free tool (the toolbar), offering to block phishing sites, collect data, resell that data to businesses. Same approach works for spam - remember Cloudmark?
A recent report (PDF) by the US National Institute of Standards and Technology (NIST) warns that VoIP systems' architecture results in significant security issues.
Implementing common security measures into VOIP, such as firewalls and encryption, can cause poor voice quality and blocked calls if not done carefully and with the proper equipment.
Recommendations given include:
From the "If-I-only-had-known-this-earlier"-series:
SixApart just published a comprehensive guide to Combatting Comment Spam targeted mostly at MT users, but certainly interesting also for other bloggers and internet users.
JavaScript based password capture at eBay. Do not enter your real ebay account data and password. (via heise.de (in German))
There are strange job offers. Interesting, though. Like this: Consultant for Homeland-Security projects for Siemens Business Services. (in German, link from derstandard.at/karriere, may expire after a while)
Just finished reading SpamKings, the new book from Brian McWilliams published by O'Reilly. It's an entertaining story listing the work of well-known spammers such as Davis Hawke, Brad Bournival and Sanford Wallace aka Spamford plus the never-tired spammer fighters including Susan "Shiksaa" Gunn and Steve Linford of Spamhaus.
Well, it's a wicked good book. It's so good actually, that I read it in 3 days (and could have done faster if there weren't other things in life as well). Besides, I also learned more on the connection between spam senders and virus authors in an article from Brian McWilliams on the SoBig worm and an anonymous technical analysis (PDF) of that software. You can read Chapter 1 online (PDF) and get hooked into the book (Amazon Germany, Amazon.com), just as I did.
Excerpted from the glossary in the book:
Chickenboner - a label given to small-time spammers. Anti-spammers stereotype chickenboners as living in mobile homes with a personal computer on the kitchen table, surrounded by empty beer cans and empty buckets of fried chicken.
Lumber Cartel - a fictitious group formed by anti-spammers in 1997 in response to assertions by some bulk emailers that wood-products companies were funding anti-spammers in an effort to preserve paper-based direct-mail promotions.
There are even more articles by the author available over at Wired News, including an article on emails sent to Saddam Hussein.
Just read an interesting presentation (PDF) that AOL's postmaster Charles Stiles delivered at the North American Network Operators Group conference.
He argues that spammers - or zombie PCs - are increasingly using ISP mail servers (trusted internal networks) to send out spam as most ISPs have closed down port 25. To counteract this trend, ISPs should introduce SMTP AUTH as the standard way of eMail communication. Also, ISPs should enforce caps on outbound email (rate control) and introduce other outbound spam controls (as some larger ISPs already do). Eventually ISPs that do not take those measures risk being blocked by other ISPs.
Without SMTP Authentication, we are only validating the DOMAIN and not the USER portion of the address (user @ domain.com)
Note: validating the domain refers to domain authentication techniques such as SenderID, SPF and DomainKeys. These checks still come out OK if spammers send through the local MTA and use the local ISP domain as the from sender - only the user portion is forged (or not even that).
Charles Stiles proposes shifting attention from inbound control to outbound control, although I think this is a prisoner's dilemma situation.
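To make the domain-versus-user point concrete, here is an added example (not code from the presentation or from any ISP): a domain-level SPF-style check passes for a forged local part sent through the ISP's own relay, while a submission policy that ties the sender to the SMTP AUTH identity and caps outbound volume catches it. The domain `isp.example`, the `OWNED` mailbox table, the simplified SPF evaluation and the limit of 3 messages per 60 seconds are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample data: the ISP's SPF policy and its mailbox owners.
SPF = {"isp.example": "v=spf1 ip4:192.0.2.0/24 -all"}
OWNED = {"alice": {"alice@isp.example"}, "bob": {"bob@isp.example"}}

def spf_pass(client_ip, mail_from):
    """Domain-level check: only ip4 mechanisms and -all are handled here."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    ip = ipaddress.ip_address(client_ip)
    for term in SPF.get(domain, "").split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return True
    return False

class Submission:
    """Outbound policy for an authenticated submission service (port 587)."""
    def __init__(self, limit=3, window=60.0):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)  # auth user -> timestamps of accepted mail

    def check(self, auth_user, mail_from, now):
        if auth_user not in OWNED:
            return "reject: authentication required"
        if mail_from.lower() not in OWNED[auth_user]:
            return "reject: sender not owned by authenticated user"
        q = self.sent[auth_user]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return "defer: outbound rate limit exceeded"
        q.append(now)
        return "accept"

def demo():
    # A zombie PC inside the ISP relays via the ISP's MTA with a forged user part.
    relay_ip, forged = "192.0.2.25", "carol-made-up@isp.example"
    results = [spf_pass(relay_ip, forged)]             # receiver sees a valid domain
    svc = Submission()
    results.append(svc.check("bob", forged, now=0.0))  # user part is caught here
    results += [svc.check("bob", "bob@isp.example", now=t) for t in (1.0, 2.0, 3.0, 4.0)]
    results.append(svc.check("bob", "bob@isp.example", now=61.5))
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```
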
heise Security has an article (in German) on penetration tests for web applications (using proxy tools) and an introduction (in English) to W32 exploits (in Windows applications).
Spyware Warrior is a weblog about - Spyware.
David Tyree has a paper on Security Patterns (PDF, large) for secure web applications (via Kristian Köhntopp).
Microsoft just released a critical update for Microsoft Internet Explorer, Windows-KB870669-x86-ENU.exe. This update is applicable to Windows NT, 2000, XP, and 2003. There's a separate page warning customers of the vulnerability.
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.
This vulnerability has been used in dozens of attacks to install malware silently, including the latest attack through compromised IIS servers.
Update: US-CERT notes though:
It is important to note that there may be other ways for an attacker to write arbitrary data or to execute commands without relying on the ADODB.Stream control.
On the other end of the spectrum, HP urges users to erase Netscape to avoid security problems and proposes that users of its HP-UX version of Unix switch to Mozilla (which is related to Netscape though, since Netscape is based on the open source Gecko engine of Netscape).
Meng Wong, the lead developer of SPF, is being interviewed:
In the coming months I expect industry to start moving. We'll be publishing SPF records and upgrading to SPF-enabled MTAs that can implement SenderID and SPF Classic. Forwarders will need to firm up their plans for SRS. ISPs will need to support SMTP AUTH on 587 and start rate-limiting outbound mail servers
See also my recent post on ASTA and the combined model of SPF and Microsoft's CallerID anti-spam authentication.
Glenn Fleishman summarizes the model policy document (PDF) put together by several large US ISPs - the Anti-Spam Technical Alliance (ASTA) in the recent Tidbits issue.
The recommendations to reduce spam and spoofing are:
Shut down open relays. Monitor well-known unintentional scripts that forward email to arbitrary recipients. Make sure proxies work in internal networks only. Discover if local machines are compromised and sending spam, and figure out how to remove them from the network through notification or by shutting down the connection. Use authenticated SMTP. Change passwords on customer routers, like DSL modems. Install reasonable limits on inbound and outbound email for standard accounts. Don't allow instant account access for new registrations. Turn off open Web redirectors. Improve complaint reporting and handling.
After an overview on the burden of spam on the internet, the following best practice recommendations are given:
An important rule is:
The Good Neighbor policy requires that ISPs and network providers be responsible for all traffic emanating from their systems on port 25. This is especially important in the case of traffic from a compromised computer since it may include viruses and/or worms that threaten other ISP networks.
Actually, you may think that there's something else to do for a sunny rainy Tuesday afternoon, but I enjoy reading IETF internet drafts such as the one on email port access.
What's worse than reading all that offensive spam? Listening to it!
This is interesting, but not surprising: 80% of Spam Originating from Home PCs due to spam trojans.
So in other words, if people would get their act together and patch their systems accordingly, we would lose 80% of the total spam amount circulating. OK, you can argue that it is Microsoft's fault. Also ISPs will have to react - essentially to protect their own users in a way; this is already done in some ways.
I have to check tomorrow if spam received on our company's mailboxes adheres to the new FTC rules on sexually explicit spam. If anyone cares at all!
The current Windows update mechanism seems to be way too difficult for many users. As reported by the SANS Internet Storm Center citing Microsoft statistics, about 1.5 million users downloaded the cleanup tool from Windows update since May 1st. This also means that these 1.5 million users didn't download the regular Windows updates that would prevent the LSASS exploit from the start. And that number is only the tip of an iceberg :-(
As the BBC reports, people are eager to reveal passwords and personal information in exchange for a bar of chocolate !! Really!! Crazy, isn't it! People give personal details to strangers - who can use the data for identity theft - without hesitating:
It found that many people volunteered important personal information, such as their mother's maiden name or their own date of birth, when questioned during a street survey.