
There is a bogus email

I got it twice. The first one was with an attachment that ClamWin auto-stripped in my hMailServer (I love ClamWin). The second one was with a bogus link only.

People should know, Microsoft NEVER sends either update attachments or links to updates. They ALWAYS make you go through the normal update process.

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description

Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions
  • To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:

ht://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=69856679253865343173165925879729351302763190300486843409431 [1]

Quick Details
  • File Name: officexp-KB910721-FullFile-ENU.exe [2]
  • Version: 1.4
  • Date Published: Tue, 23 Jun 2009 10:21:29 -0300
  • Language: English
  • File Size: 81 KB
System Requirements
  • Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

This update applies to the following product: Microsoft Outlook / Outlook Express

 

Regardless of what the link text says, the actual link goes to illlihff.com. This is strange because WHOIS gives me this [3].

Domain Name: ILLLHI1.COM

Registrant [1938512]:
        mary ramsden Jamiesonrl@yahoo.co.uk
        410 charlton ave
        south orange
        NJ
        07079
        US

Administrative Contact [1938512]:
        mary ramsden Jamiesonrl@yahoo.co.uk
        410 charlton ave
        south orange
        NJ
        07079
        US
        Phone: +1.973451855

Billing Contact [1938512]:
        mary ramsden Jamiesonrl@yahoo.co.uk
        410 charlton ave
        south orange
        NJ
        07079
        US
        Phone: +1.973451855

Technical Contact [1938512]:
        mary ramsden Jamiesonrl@yahoo.co.uk
        410 charlton ave
        south orange
        NJ
        07079
        US
        Phone: +1.973451855

Domain servers in listed order:

        NS1.2-PROFESSIONAL.COM
        NS1.COMPARE-TRANSLATED.COM

        Record created on:        2009-06-22 12:14:59.0
        Database last updated on: 2009-06-23 09:24:59.823
        Domain Expires on:        2010-06-22 12:15:00.0


Pinging the DNS name gets me this

C:\Users\Slamlander.CASELLE-NET>ping update.microsoft.com.ILLLHI1.COM

Pinging update.microsoft.com.ILLLHI1.COM [95.76.65.228] with 32 bytes of data:

Now I take the IP number that DNS gave me and look it up

C:\Users\Slamlander.CASELLE-NET>whois 95.76.65.228

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   95.0.0.0 – 95.255.255.255
CIDR:       95.0.0.0/8
NetName:    95-RIPE
NetHandle:  NET-95-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2007-07-30
Updated:    2009-05-18

# ARIN WHOIS database, last updated 2009-06-22 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

Found a referral to whois.ripe.net:43.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '95.76.64.0 - 95.76.67.255'

inetnum:        95.76.64.0 – 95.76.67.255
netname:        ASTRAL
descr:          ASTRAL TIMISOARA
country:        RO
admin-c:        UPC1-RIPE
tech-c:         UPC1-RIPE
remarks:        ***********************************
remarks:        *  report abuse to abuse@upc.ro   *
remarks:        ***********************************
status:         ASSIGNED PA
mnt-by:         ASTRALTELECOM-MNT
mnt-lower:      ASTRALTELECOM-MNT
mnt-routes:     ASTRALTELECOM-MNT
source:         RIPE # Filtered

role:           UPC Romania LIR
address:        62D, Nordului St.
address:        District 1, 014104
address:        Bucharest
phone:          +40-31-1018100
fax-no:         +40-31-1018101
org:            ORG-ATS4-RIPE
admin-c:        AH1598-RIPE
admin-c:        HMCB1-RIPE
admin-c:        SB666-RIPE
admin-c:        LPT7-RIPE
tech-c:         LPT7-RIPE
nic-hdl:        UPC1-RIPE
remarks:        ***************************************
remarks:        *  for abuse please use abuse@upc.ro  *
remarks:        ***************************************
abuse-mailbox:  abuse@upc.ro
mnt-by:         ASTRALTELECOM-MNT
source:         RIPE # Filtered

% Information related to '95.76.0.0/15AS6746'

route:          95.76.0.0/15
descr:          UPC Romania
origin:         AS6746
mnt-by:         ASTRALTELECOM-MNT
source:         RIPE # Filtered

People should know and it bears repeating, Microsoft NEVER sends either update attachments or links to updates. They ALWAYS make you go through the normal update process.

 

UPDATE: I looked at the headers again, using SquirrelMail, which has a much better source view than Outlook. This time I got the correct DNS name. Since this is a live server and a definite attempt to obfuscate the DNS name, this may indeed be the actual culprit.

UPDATE1:  I ran it again, using the full DNS link address and got an IP address in Romania. I am reasonably confident in this one.
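The check the post does by hand (read the visible link text, then look at where the href really points, and notice that "update.microsoft.com" is only a subdomain of somebody else's registrable domain) can be automated over an HTML message body. The following is an added example, not code from the original post: the sample message is constructed to mirror the lure quoted above, and the `registrable_domain()` helper is a deliberate approximation (last two labels) that stands in for a proper Public Suffix List lookup.

```python
"""Flag anchors whose visible text and real target disagree, and targets that
bury a trusted brand name inside somebody else's registrable domain.
Added example; the sample message below is constructed, not the original mail."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed fragment modelled on the lure quoted in the post: the visible
# text names update.microsoft.com, the href goes to a look-alike hostname.
SAMPLE_HTML = """
<p>To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit:</p>
<a href="http://update.microsoft.com.illlhi1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us">
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us</a>
<a href="https://www.microsoft.com/">https://www.microsoft.com/</a>
<a href="http://95.76.65.228/update.exe">Download now</a>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .com; a real tool would
    consult the Public Suffix List (an assumption of this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def brand_as_subdomain(host, brand):
    """True when brand's labels appear inside host but host's registrable
    domain is something else, e.g. update.microsoft.com.illlhi1.com."""
    return ("." + brand + ".") in ("." + host.lower() + ".") and registrable_domain(host) != brand


def analyse_links(html, brand="microsoft.com"):
    """Return a list of (href, reasons); an empty reasons list means the anchor looked honest."""
    parser = _Anchors()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        reasons = []
        target = urlsplit(href).hostname or ""
        # Visible text that is itself a URL: does its host match the real target?
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append("link text host %s != target %s" % (shown, target))
        if brand_as_subdomain(target, brand):
            reasons.append("%s appears as a subdomain of %s" % (brand, registrable_domain(target)))
        if is_ip_literal(target):
            reasons.append("bare IP address as host")
        results.append((href, reasons))
    return results


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons) or "ok")
```

Only the registrable domain is compared, so a legitimate `www.microsoft.com` link whose text also says `microsoft.com` passes, while the `update.microsoft.com.illlhi1.com` trick from the post is caught twice: once because the visible URL disagrees with the href, once because the brand is merely a subdomain of another domain.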



  1. Dangerous malware link removed. The text that you see is the link text. The actual link goes somewhere quite dangerous.
  2. This is the stripped attachment.
  3. It was definitely an obfuscated DNS name.

Originally published at The Slamlander. You can comment here or there.

I haven’t been writing in this category for a while because there is very little news these days. The reason is that the media does not think it very newsworthy and the world’s LEOs [1] are hampered in their efforts by the lack of sufficiently strong sentencing laws.

A New Zealand teenager accused of being the ringleader of an international cyber-crime network has been convicted.

This is all well and good, on its face, but then you read that;

Walker faces up to five years in prison for several of the charges, but Judge Arthur Tompkins indicated he was not considering a custodial sentence [2].

Police allege the group infiltrated more than one million computers and used them to skim at least $20.4m (£10.3m) from private bank accounts.

Excuse me, folks, that’s not petty theft. It is serious crime and should have serious consequences.

I have long maintained that cyber-crime and cyber-terrorism take sufficient knowledge and intellectual persistence that even a minor must realize that what they are doing is wrong or at least unethical. If they are able to conceptualize and develop the software that they are making, they are also able to understand the ethical consequences of what they are doing. Software development is hard work and requires a certain amount of talent, intelligence, and persistence.

But then, society has to send out non-confusing messages as well, non? This kid looks set up to only get a slap on the wrist. What is that telling the rest of the world? What is that telling the LEOs?

The teenager, who is 18, cannot be named for legal reasons but was known by an alias as "Akill".

He was detained as part of an FBI crackdown on hi-tech criminals who run botnets - networks of hijacked PCs.

While not having the details, it is not difficult to infer that the FBI spent millions of USD catching this crook, only to watch him walk away scot-free, even after he was convicted and found guilty! These cyber-criminals are not stupid and not easy to catch. Many of them factor in the risk and some even plan on getting caught, knowing that they will get little to no sentence and even get to keep most of the loot! I also doubt that they have the entire gang or have even identified all of the loot. This criminal will still get out of this a millionaire. How is that going to deter anyone?

Update on the McKinnon [3] case

You may recall the British hacker Gary McKinnon, whom the US insists on extraditing from the UK for trial in the US. Well, he has lost his appeals and will indeed be extradited. What I had failed to note at the time was that this is the second time that the US DOD has gone through this. The first was the case of Mathew Bevan [4].

US computer security investigators caught up with Mr Bevan, or Kuji as he was known, and he was arrested on 21 June 1996. He was held in a police station for 36 hours, charged under the Computer Misuse Act, and then freed to wait 18 months until the case came to trial. Like McKinnon, Bevan also admitted to his crime and the only remaining issue was his sentencing.

Although there were efforts made to extradite Mr Bevan, his case came to trial in the UK in 1998 but he was acquitted as it was judged not in the public interest to pursue the case. He now runs his own computer consultancy business.

I submit that, had the Brits properly prosecuted Mr Bevan, then the US DOD would not be so anxious to extradite McKinnon. In both cases, the scum had already confessed to their crime and there are no mitigating circumstances, and Mr Bevan, like McKinnon, was definitely over 18 years of age.

Should Mr McKinnon face trial in the US and be sentenced to decades in jail, Mr Bevan feels such a sentence would be too harsh for what he has confessed to doing.

Of course Bevan would feel that way. They are of the same stripe. At least McKinnon will get to see decades in a US jail, which are not as nice and safe as a British jail. Mr Bevan should be thankful that there are statutes of limitation and protections against double jeopardy. Otherwise, he might be on the same flight as McKinnon [5].

There is something wrong with a system that incarcerates people for getting a little high and yet lets thieves of millions of dollars get away with their crime and keep their loot.



Footnotes:
  1. LEO = Law Enforcement Officer
  2. This means that they are not considering jail time.
  3. Gary McKinnon on Wikipedia
  4. Mathew Bevan on Wikipedia
  5. Which I truly think he should be.


This article explains how far some will go in order to send you their ads. You can go there for the full explanation; Michael Kassner does a pretty good job of that [1]. From a security perspective, it’s a man-in-the-middle attack. I should note that British Telecom tried this in the UK and were held accountable for it. They were also told to stop doing it.

I’m not sure I want a business entity tracking my every move on the Internet. My government, sure, that’s a different story [2]. They aren’t doing it for monetary gain; they are protecting me.

That’s where I have a problem, a huge problem. It’s right up there with wire-tapping, only it’s the Internet version. I don’t want ANYONE intercepting and redirecting my traffic.

Also, I suspect that this business model will place the advertising world in some sort of turmoil. For instance, who gets to decide what ads are displayed when I go to Techrepublic.com? TechRepublic or someone paying my ISP?

I also run Websites and I have friends and clients that run Websites. They depend on ad revenue for their existence. This basically amounts to theft. They are stealing ad revenue from those sites and ad companies like ProjectWonderful and AdSense [3]. There is no question about who has the right to place ads on a particular site. It is the owner of the site! Phorm and NebuAd are hijacking a site’s traffic and ad revenue and that should be as illegal as theft and burglary.

There are options that you can use to avoid behavioral targeting cookies and DPI scrutiny. Encrypted tunnels through your ISP disallow the installation of behavioral targeting cookies. Also using VPNs, whether they are IPsec, L2TP, or SSL, will negate any effort by DPI to decipher the encrypted traffic. … There are not a whole lot of options, but that’s because behavioral targeting applications are being placed only one hop away from your network perimeter.

As a Website operator there is one other solution: start using SSL and make it mandatory! In order to do that and still run ads, the Website must also run its own ad server [4].

I should note that I have long been an advocate of the All Packets Must BE ENCRYPTED! school.

Notes:
  1. It’s a follow-up of his DPI article I wrote about last time.
  2. My emphasis.
  3. Used by those sites.
  4. There is an Open Source ad server that will work under IIS-PHP5.
31st-Jul-2008 12:31 am - This guy deserves the full 70 years!

If for no other reason than to showcase to others that this activity is NOT innocent or legal.

The US government alleges that between February 2001 and March 2002, the 40-year-old computer enthusiast from north London hacked into dozens of US Army, Navy, Air Force, and Department of Defense computers, as well as 16 Nasa computers.

This guy is real scum!

For his part Gary McKinnon, or Solo as he was known online, paints a very different picture of himself, and his motivation. In a BBC interview in 2005, Mr McKinnon said that he was not a malicious hacker bent on bringing down US military systems, but rather more of a “bumbling computer nerd”.

He said he’s no web vandal, or virus writer, and that he never acted with malicious intent.

Yes, he claims this but at the same time, he does not deny what he is accused of doing.

It says his hacking caused some $700,000 dollars damage to government systems.

What’s more, they allege that Mr McKinnon altered and deleted files at a US Naval Air Station not long after the terrorist attacks on September 11, 2001 and that the attack rendered critical systems inoperable.

The US government also says Mr McKinnon once took down an entire network of 2,000 US Army computers. His goal, they claim, was to access classified information.

Considering what he did, the US Gov’s damage estimate is faulty. Once a machine has been hacked it has to be scrubbed and re-certified. This involves saving only the data, wiping the drives clean, and reinstalling the operating system and applications. Only then can you scrub and clean the data. Ergo, the damage estimate is extremely low. The US Gov is being nice to him.

There is no way that anyone can convince me that cracking into systems and networks that do NOT belong to you is anything other than the purest of evil. His fellow crackers need to be made painfully aware of this, as painful as possible. His counter-arguments have been heard before; every one of these scum claims them. He doesn’t deny what he did. They should lock him up and melt down the keys.

More info can be had here. His friends can provide even more evidence against him.

13th-Nov-2007 10:35 am - 86 before he gets out of jail? Cool!
We need to catch and do this to more of these guys! Maybe, just maybe, it might start slowing some of them down.
They said Schiefer worked by day as an information security consultant but was a well-known "Botmaster" among the underground network of hackers skilled in so-called "botnet attacks."
I've been saying it for years, if not decades: "There is no such thing as a White-Hat Hacker." They are ALL bad guys! The fact that they can crack a system, without any remorse, proves that they are ethically broken. The basic rule is this: what isn't yours should be left strictly alone, unless you have explicit permission. This isn't just on the Internet; it applies to all of life! It is like a Prime Directive of social ethics, something that is notably absent from these guys. What leads up to that is: if you didn't pay for it, it isn't yours! What makes this so difficult for folks to understand?

Carried forward to the Internet: there is no system out there that someone isn't paying for. Therefore, if you're not the one paying the bill, then it isn't yours; you have to have explicit permission to use those systems, and even then it is strictly on their terms, even if you see a security flaw. They are their systems and it is their business.

That said, this guy, and his cronies are nothing more than grifters and thieves. They belong in jail and they should rot there!
12th-Sep-2007 08:27 am - 65! Why is that significant?
Because that is number of spam emails I got through my LiveJournal account, in one day! Of those, four of them were from Citizen's Bank with live virii/wyrms attached. I love ClamWin. Of those, 85% were not even addressed to the Slamlander. How the fuck did I get those? I seem to get every spam sent to ANY livejournal account!

The main reason that I have a paid account is for the livejournal mail forwarder. It was supposed to put an extra layer of spam misdirection between me and my normal email account. It now turns out that it actually magnifies my vulnerability and I can't turn it off!

Yes, I complained about this last January. But if they won't kill the spam or let me turn off the forwarding then I will simply stop paying for the account. That'll stop the forwarding for sure. I'll still be able to post as a free account. In fact, we did so for years. However, the mail forwarding spam has just exceeded the benefit of having a paid account.

I am already chasing down all the places that I use the livejournal address and substituting an internal address specially assigned to handle subscriptions. It will be on my own mail server so I can eliminate any email not sent directly to me. I hope that'll stop most of the spam.
23rd-Aug-2007 08:08 am - Well, that pretty well sux!
My smallest server is a K6-3/200. It is also my A/D Primary Domain Controller. Normally, it works pretty well since this isn't a large network. What I'm doing now is bringing up a second server for application services. While doing this, I logged into the Primary to do some maintenance. The CPU usage was well over 90% and it wasn't anywhere near the swapper. Using Process Explorer, in Terminal Server, I figured out that SSHD was using the majority of the time. Eh? I didn't have an SSH session up, what gives?

It turns out that I'd opened a port 22 pinhole route a few months ago and forgot to close it again. Some wyrm found it and was hammering the box with a dictionary attack. I closed the port and CPU usage went back down to expected values.

I guess that we are no longer allowed to run SSHD on port 22, if at all. I'm having the same problem with my secure web server. My problem there is that I have to keep it on the port it's using because other folks need to find it.

I am rapidly getting to the point at where crackers/hackers, crack authors, wyrm and virus writers, and crack tool authors, had better stay out of my reach. We need to pass laws that place all of the aforementioned in the depths of the deepest dungeon that we can find. I would surely love to bash their skulls in for all the down-time and frustration that they've caused me over the years.

This was triggered by Hamster and WiFi cracks and more ...

First off, remember this name and company: Robert Graham (CEO, Errata Security). He's not a nice guy (self-centered and greedy) and ethically challenged as well. He actually sells a solution for this problem he creates. No, the solution isn't comprehensive (I'll get into why later on) but he wants to profit from escalating this problem (profiting from our misery). He well deserves our scorn. Yes, that's a value judgment and, in my opinion, this guy is the worst of Net.Scum!


I'll let y'all read the links for what this is all about in detail. Suffice it to say here that this man is indirectly responsible for security breaches at many webmail sites. Oh, and everything that applies to webmail also applies to LiveJournal. Yes, this affects all of us.

  1. There is NO justification for cracking someone else's systems without the permission of EVERYONE involved.
  2. There is NO justification for showing someone else how to do it.
  3. Releasing such tools (Ferret and Hamster), to the general public, borders on the criminally irresponsible.
  4. Doing so to create business for your own firm, should be a crime but, sadly, it isn't.

Details (Danger:Geek talk ahead):

WiFi Hot Spot operators are facing a challenge, a real Hot Spot (HS) lets people access the Internet from the Hot Spot. In essence, the Hot Spot operator is an ISP but they rent access by the hour or day. The simplest means to do this is by MAC address control lists, on a RADIUS server.

While there are about three ways to perform security, the HS operator has only one: shared-key security (WEP, WPA-PSK, WPA2-PSK). This involves encryption using shared keys. While this is acceptable for a company that has a fixed and seldom-changing herd of network users, an HS that has customers coming and going all day long has a problem with key issuance and management. Likewise, the HS customers would have to have a set of keys for each HS they go to, and maintain them as they change. WEP can't be managed via RADIUS either. The same goes for WPA2-PSK and WPA-PSK, which all use shared keys. Note that if the intruder also has the shared key (they are also an HS customer) then the HS's encryption isn't secure anyway. It's no wonder that most HSs consciously turn encryption off.

The only real answer is to use SSL security on the Webmail server and the Hot Spot has absolutely zero control over that. What dear friend Robert does, is to break everyone's mail security needlessly, for his own private gain. He even delivers the tools for it. This guy's worse than most hackers.

Yes, I run my own mail servers with my own Webmail server and it has SSL capability. I also use direct access via my own VPN, which completely defeats these tools, regardless of which Hot Spot I use. I'm not at risk but, these poor innocent Hot Spot operators are now going to catch a load of useless grief from clueless clients everywhere.
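What Ferret and Hamster exploit is a session cookie that the browser sends in the clear over the hot spot's open WiFi; the fix this post names (SSL on the webmail server) and the one the DPI post above names (make SSL mandatory on your own site) come down to the same verifiable properties of the server's responses. The following is an added example, not code from the original posts or from Errata Security: it audits raw HTTP responses for those properties. The two servers' responses are constructed; the cookie name `SQMSESSID` is borrowed from SquirrelMail purely as an illustration, and the HSTS header is a later mechanism than the posts, included here as what a current "mandatory SSL" deployment would send.

```python
"""Audit a webmail server's HTTP responses for the properties that defeat
cookie sidejacking on an open hot spot: no session cookie ever travels in clear.
Added example, not from the original posts; all responses below are constructed."""

# Constructed: a webmail inbox served over plain HTTP. Anyone on the same
# hot spot can read the Set-Cookie line and replay the session.
WEAK_HTTP = """\
HTTP/1.1 200 OK
Set-Cookie: SQMSESSID=3f9a...; path=/
Content-Type: text/html

<html>inbox</html>
"""

# Constructed: the "SSL mandatory" deployment. Plain HTTP only redirects; the
# real response over HTTPS marks its cookie Secure/HttpOnly and pins HTTPS with HSTS.
HARDENED_HTTP = """\
HTTP/1.1 301 Moved Permanently
Location: https://mail.example.net/
Content-Length: 0
"""
HARDENED_HTTPS = """\
HTTP/1.1 200 OK
Set-Cookie: SQMSESSID=3f9a...; path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
Content-Type: text/html

<html>inbox</html>
"""


def parse_response(raw):
    """Split a raw response into (status code, [(header, value)], body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []  # list, not dict: Set-Cookie may legitimately repeat
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(scheme, raw):
    """Return findings for a response served over `scheme` ('http' or 'https')."""
    status, headers, _ = parse_response(raw)
    findings = []
    cookies = [v for n, v in headers if n == "set-cookie"]
    location = next((v for n, v in headers if n == "location"), "")
    if scheme == "http":
        # The only acceptable plain-HTTP answer is a redirect to HTTPS.
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("plain HTTP served content instead of redirecting to https")
        if cookies:
            findings.append("cookie set over plain HTTP: readable by anyone on the hot spot")
    else:
        for cookie in cookies:
            name = cookie.split("=", 1)[0]
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if "secure" not in attrs:
                findings.append("%s lacks Secure: the browser will also send it over http" % name)
            if "httponly" not in attrs:
                findings.append("%s lacks HttpOnly: script on the page can read it" % name)
        if not any(n == "strict-transport-security" for n, _ in headers):
            findings.append("no HSTS: the first request after typing the hostname is still plain http")
    return findings


if __name__ == "__main__":
    print("weak   http :", audit_response("http", WEAK_HTTP))
    print("hard   http :", audit_response("http", HARDENED_HTTP))
    print("hard   https:", audit_response("https", HARDENED_HTTPS))
```

The Secure attribute is the part that actually stops Hamster-style replay: without it, a browser that has the cookie from an HTTPS login will still send it in clear the moment anything on the page (or a captive portal) fetches a plain `http://` URL from the same host.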

Starting next year, the city of Nyon, CH, is planning to have free WiFi throughout the entire town.

27th-Jul-2007 06:04 am - I have made a recent discovery
Virus and Wyrm writers risk personal physical damage in my presence.

No, our systems have not been cracked. However, I have found out why my CPU cycles have been extremely high. It's ClamWin doing its virus scan thing on inbound attachments. I do it twice, once at the mail server and again on my Outlook inbox. It's finding a minimum of 4-5 virus attachments per day. I also have an SSHD running on port 22. It's been facing a dictionary attack for months now. I moved the port and my CPU usage on that host dropped to a more normal 60%.
18th-May-2006 01:21 pm - What happened to six-apart last week.
Blue Security gives up. more.

From other sources, the spammer is based in RU and uses a large zombie botnet to implement the DDoS. This is in and of itself highly illegal. This was a marvelous opportunity to both uncover a major botnet and put the RU crook behind bars for a very long time. But no, Fathi chickened out.
17th-May-2006 12:12 am - This seriously torques me!
Last night I asked celticess to help me test SSH access to one of my servers. She kindly helped me do that and all was good. Less than an hour after we finished, that same server got hit by a dictionary attack from a system in France, on OVH.COM's IP address pool. Just a few moments ago, I got a second attack from HotRocket.COM's address pool, reportedly an unassigned IP address. In both cases, I stopped the attacks by closing the port-forward at the NAT box. Both cases were using the 'root' uuid and applying a dictionary against the password field. Both were using SSH2.

My root accounts use a fairly secure password but any password can be busted by a dictionary attack if the attacker lets it run long enough. Since my systems are online 24x7 they have plenty of time if I leave the port forward open. I sent a nastygram to John@hotrocket.com and then closed the port. They obviously have a problem securing their net.
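Both this post and the August 2007 one above found the dictionary attack by noticing CPU load; the same attack is plain to see in the SSH daemon's log, where one source produces a burst of "Failed password for root" lines. The following is an added example, not the author's code: it picks those sources out of OpenSSH-style auth log lines with a sliding time window, so that a user who mistypes a password once is not confused with a guessing bot. The log lines are constructed (addresses from the TEST-NET documentation ranges), and the log format is OpenSSH's syslog format, which is an assumption, since the Windows sshd the author ran may log differently.

```python
"""Spot SSH password-guessing from OpenSSH auth log lines.
Added example, not from the original post; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH syslog lines (no year, as syslog omits it).
# 203.0.113.5 guesses six passwords in four seconds; 198.51.100.9 tries twice;
# the user on the LAN fails once and then logs in with a key.
SAMPLE_LOG = """\
May 17 00:02:11 mail sshd[4123]: Failed password for root from 203.0.113.5 port 51202 ssh2
May 17 00:02:12 mail sshd[4125]: Failed password for root from 203.0.113.5 port 51204 ssh2
May 17 00:02:12 mail sshd[4127]: Failed password for invalid user admin from 203.0.113.5 port 51206 ssh2
May 17 00:02:13 mail sshd[4129]: Failed password for root from 203.0.113.5 port 51208 ssh2
May 17 00:02:14 mail sshd[4131]: Failed password for root from 203.0.113.5 port 51210 ssh2
May 17 00:02:15 mail sshd[4133]: Failed password for root from 203.0.113.5 port 51212 ssh2
May 17 00:09:40 mail sshd[4201]: Failed password for slamlander from 192.168.1.23 port 40112 ssh2
May 17 00:09:55 mail sshd[4203]: Accepted publickey for slamlander from 192.168.1.23 port 40113 ssh2
May 17 00:41:02 mail sshd[4310]: Failed password for root from 198.51.100.9 port 2200 ssh2
May 17 00:41:02 mail sshd[4312]: Failed password for root from 198.51.100.9 port 2201 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$")

LOG_YEAR = 2006  # assumption: syslog has no year, so pin one to make timestamps comparable


def _parse_ts(ts):
    return datetime.strptime("%d %s" % (LOG_YEAR, ts), "%Y %b %d %H:%M:%S")


def failed_logins(log):
    """Yield (timestamp, source ip, user name) for every failed password attempt."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            yield _parse_ts(m.group("ts")), m.group("ip"), m.group("user")


def brute_force_sources(log, threshold=5, window_s=60):
    """Return {ip: set(users tried)} for every source with >= threshold failures
    inside any window_s-second window. One typo from the LAN never qualifies."""
    attempts = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in failed_logins(log):
        attempts[ip].append(ts)
        users[ip].add(user)
    hits = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = users[ip]
                break
    return hits


if __name__ == "__main__":
    for ip, tried in brute_force_sources(SAMPLE_LOG).items():
        print("block %s (tried: %s)" % (ip, ", ".join(sorted(tried))))
```

The output of `brute_force_sources()` is exactly the list you would feed to a firewall block rule; moving sshd off port 22 (as the 2007 post did) reduces the noise but does not change the detection.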

Here I am, peacefully trying to get my WebMail program running, and I have to waste time fending off crack attempts, which are using up valuable CPU cycles on an already overloaded server (that's how I noticed the attacks).

We need to find them and jail them, even if they are only eight years old!
6th-May-2006 08:56 am - One hell of a nasty wyrm
http://www.computerworld.com/securitytopics/security/story/0,10801,110923,00.html?source=x1545

Things are really starting to get bad when these show up. People need to start pestering their law makers to put scum like this in jail for extended periods of time.
But spyware, wyrm, and virus authors are Flaming ASSHOLES! If someone were to admit to being one, in my physical presence, they will get an immediate nose job with accompanying full body massage using a DID850 motorcycle drive chain!

Thank you.

salegamine was creating avatars last night and her computer started behaving strangely. For one thing, pop-up ads started appearing in spite of the pop-up blockers that we have. This morning one rude ad decided that we weren't allowed access to the task bar. I immediately shut down the machine and booted to root. Running Spybot S&D now, followed by MS AntiSpyware beta (it's running as I write).

The infestation that I found is unbelievable and we practice careful computing. I think that she got the infestation from one of the avatar build sites but I don't know which one.

I also find it slightly annoying that MS AntiSpyware thinks that UltraVNC is spyware.

Edit: I finished the scans and everything now checks out as clean ... 2 hours later. I seriously would like to bill back for my time [grrr]
3rd-Nov-2005 04:07 pm - This sickens me
Denial of Service (DoS) attacks have been around since before the Internet. I remember FidoNet bundles, with ARC bombs, in 1983. One would think that such attacks would be included in any comprehensive computer crimes bill. Apparently, the Brits don't think them worthy of being a crime.

How are we going to stop this sort of thing when our governments refuse to criminalize bad behavior? Even a DOS is vandalism and vandalism is bad.
1st-Nov-2005 11:25 pm - Yet another wyrm is on the loose
If you do AIM under Windows, you may have a problem.
1st-Nov-2005 04:24 pm - DRM: Is Sony going too far?
According to this, it is. This is another one that Gary (ElectricStorm) sent me.

I also downloaded the RootKitRevealer. Nice tool that only verified that my system is clean ;)
14th-Oct-2005 02:53 pm - Music to my ears!
Gary (ElectricStorm) sent me this link in email.

It seems that spyware dudes are trespassing after all, and so are crackers with their virii and wyrms. Trespass with property damage is a specific crime with a specific punishment. Moreover, you can get civil redress for this!

It sure took long enough for the legal dudes to get to this point though. :(
8th-Oct-2005 05:07 pm - Not enough!
These guys were plenty old enough to know what they were doing and that it was serious. They should be spending years and not months in Hotel Grey Bar.
18th-Sep-2005 11:04 am - Another one bytes the dust!
and is going to spend some serious Hotel Grey Bar time. Regardless of their age, if they can pull off such a crack then they are intelligent enough to understand the consequences. This isn't a poor-misunderstood-Johnny; this is a brat that deliberately cracked a series of systems through a series of tough obstacles. If he can figure that out then he can also figure out why he's in jail. Personally, I wouldn't mind if the keys were lost.

Now, if the German authorities ever WAKE UP, they'll put that wyrm author back in jail like he belongs.
12th-Sep-2005 10:23 am - What makes me angry
is the ignorance of the LEOs. This has been an on-going problem for over ten years and phishing has been a well-known problem for the last five. Note that this guy used cracked computers as a part of his scheme. Yet, there seems to be an enforcement hole here. At the same time the LEOs do not want to allow "cybercrime vigilantes" any credence. Well DUH! If you LEOs had been doing your JOBS then vigilantes would be out of business!

We are finally getting laws on the books against these assholes and we are even, occasionally, seeing some decent sentencing, although Germany still needs to learn some lessons here. It is high time that the LEOs started to get with the program and get to chasing these scumbags.
29th-Aug-2005 04:59 pm - Now this is more like it
crackers getting up to 175 years in stir.
9th-Jul-2005 09:36 am - I just got this CERT advisory

It's both old and new info about trojans. It's getting worse folks.

When they actually catch a cracker, they should be making examples of them, instead of slapping their wrists!

8th-Jul-2005 09:19 pm - He got off waaayyyy too light!

I'm speaking about the Sasser worm author. Until they start enforcing jail terms for these schmucks new ones will continue to think that it's cool to crack systems. This brat should have, at least, done 12 months in the can and been banned from computer use for life! That's the only thing that'll get the message through to these bloody stupid punk-tard script-kiddies!

Those that really know me shouldn't be surprised at my reactions here.

31st-Jan-2005 01:07 pm - Not enough!
The rat bastard should have gotten at least 5 years AND a 100KUSD fine! They only slapped his wrist. He's an adult and he knew what he was doing. I'll bet that the scum that wrote the MySQL worm gets an equally light sentence.

We need to let our law makers know that these sorts of activities are done for profit. The scum the control massive armies of zombies actually rent them out, for large fees, to spammer scum and other low-lifes.

Cracker behavior is unacceptable and that point needs to be driven home in a very real way.

MySQL is announcing a new worm (and here). This worm is the fault of neither MySQL nor Windows. It's the fault of architects and SysAdmins that don't know what the fsck they are doing!

There is absolutely NO EXCUSE for a DB server being compromised, from the Internet, ever, period, paragraph, end of story! None whatsoever ... nada! The architects, designers, and systems admins, on all those infected machines, are incompetent, stupid, and are begging to be fired. They should be accommodated immediately.

RDBMS server deployment policies and guidelines:

  1. RDBMSs should be installed on dedicated hosts, on a dedicated LAN, with no other major application and no other connection.
  2. Such a host should NOT have a public Internet address.
  3. Such a host will be behind a NAT wall.
  4. Only the application servers, or the management workstations, should have network access to the RDBMS host, via the dedicated LAN.

It's not as if these rules are particularly difficult, or expensive, to follow and if one follows them then user security is almost trivial because only hosts and applications that need their RDBMS services can even see the RDBMS host.
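For MySQL specifically, rules 2 through 4 leave two places where a machine quietly fails them: the address the daemon listens on (`bind-address` in `my.cnf`, or `skip-networking` to disable TCP altogether) and the host column of the accounts in `mysql.user`, where a `%` wildcard on `root` is exactly what a password-guessing worm needs. The following is an added example, not code from the original post or from MySQL: it audits a constructed `my.cnf` and a constructed list of (user, host) account rows against those rules. The dedicated DB LAN is assumed to be 10.20.30.0/24, and the assumption that a missing `bind-address` means "listen everywhere" follows the historical MySQL default.

```python
"""Check a MySQL server's listening address and account host masks against the
RDBMS deployment rules above. Added example, not from the original post;
my.cnf text and user rows below are constructed."""
import configparser
import ipaddress

DB_LAN = ipaddress.ip_network("10.20.30.0/24")  # assumption: the dedicated DB LAN

# Constructed my.cnf of a host the worm could have reached: listening on every
# interface, with root and the application account allowed from anywhere.
EXPOSED_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""
EXPOSED_USERS = [("root", "%"), ("app", "%"), ("root", "localhost")]

# Constructed: the same server locked to the DB LAN, accounts pinned to the app servers.
LOCKED_CNF = """
[mysqld]
port = 3306
bind-address = 10.20.30.5
"""
LOCKED_USERS = [("root", "localhost"), ("app", "10.20.30.11"), ("app", "10.20.30.12")]

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def audit_mysql(cnf_text, users, db_lan=DB_LAN):
    """Return a list of findings; an empty list means the rules above are met."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []

    # Rule 2/3: where does the daemon listen? skip-networking means unix socket only.
    if "skip-networking" not in mysqld:
        bind = mysqld.get("bind-address", "0.0.0.0")  # assumption: historical default
        addr = ipaddress.ip_address(bind)
        if addr.is_unspecified:
            findings.append("bind-address %s: listens on every interface, public ones included" % bind)
        elif not addr.is_loopback and addr not in db_lan:
            findings.append("bind-address %s is not on the dedicated DB LAN %s" % (bind, db_lan))

    # Rule 4: who may connect? Only local clients or application servers on the DB LAN.
    for user, host in users:
        if host in LOCAL_HOSTS:
            continue
        if host in ("%", ""):
            findings.append("%s@'%s': connections accepted from any host" % (user, host))
        elif user == "root":
            findings.append("root@'%s': root should only connect locally" % host)
        elif "%" in host or "_" in host:
            findings.append("%s@'%s': wildcard host pattern, confirm it covers only the DB LAN" % (user, host))
        else:
            try:
                if ipaddress.ip_address(host) not in db_lan:
                    findings.append("%s@'%s': host outside the DB LAN" % (user, host))
            except ValueError:
                findings.append("%s@'%s': hostname rather than a DB LAN address" % (user, host))
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("exposed", EXPOSED_CNF, EXPOSED_USERS), ("locked", LOCKED_CNF, LOCKED_USERS)):
        print(label, audit_mysql(cnf, users) or "ok")
```

The listening address and the account host masks are two independent layers; the post's rules want both, because a `bind-address` on the DB LAN still lets a compromised application server try `root@'%'` with a dictionary.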


