Domain: websense.com
Stories and comments across the archive that link to websense.com.
Comments · 56
-
Re:Alas poor squid
A lot of proxies will support SSL/TLS termination. A lot of web proxies support this. You use a GPO to push a trusted root to your users, then you terminate their SSL sessions and create a new tunnel using your trusted cert, then inspect the traffic contents. It's usually called "TLS Inspection" or "SSL Decryption" or something like that. By the way, I'm not making any moral judgement on if this is right or wrong.
-
Re:Wrong priorities
I mean, they weren't totally opt-in in 2013, and that was before Windows 10.
-
Re:Actually looking for a way to do this...
Websense makes devices to do this. I have a couple of customers that use it. It does tend to fuck up some websites though.
-
Method of infection
"The Websense ThreatSeeker Network has detected a new wave of mass-injections of a well-known rogue antivirus campaign"
How exactly are these sites infected in the first place?
"The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it"
Ahh so - nothing to read here ... moving on ...
-
Re:Degrees are meaningless
-
Re:meanwhile just a handful of hours away
-
Re:more information
Which sites are vulnerable? Is there any more precise information than "outdated CMS and blog systems"??
As others have noted, the original article is much more informative.
First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server, but because the injection seems only to work on a web app that's designed to run this DBMS in the back end. The article authors note that they don't know which application this is, however. This seems a little surprising, given that they should be able to spot the commonality between all the infected sites.
Second, to determine whether your server is affected, just check to see whether your site now has a URL like http://domainname/ur.php. If it does, you're infected. If you run on Linux and Apache, it looks like you're safe from this particular attack.
-
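The check described in the comment above (look for an injected reference to ur.php on your own pages) can be run over saved copies of a site's pages rather than by eye. The following is an added example; it is not code from the original post, from Websense or from Slashdot. Only the /ur.php indicator comes from the comment; the sample pages and hostnames are constructed for the demonstration, and the script also decodes percent-escaped `document.write(unescape(...))` bodies, the usual way such injections hide the tag.

```python
"""Scan saved pages for an injected reference to ur.php.

Added example, not code from the original post, from Websense or from
Slashdot. Only the /ur.php indicator comes from the comment above; the
sample pages and hostnames are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample pages (hostnames are not real sites).
SAMPLE_PAGES = {
    "index.html": (
        "<html><head><title>Shop</title>"
        '<script src="http://bad-host.example/ur.php"></script>'
        "</head><body><p>Welcome</p></body></html>"
    ),
    "about.html": (
        "<html><body><p>About us</p>"
        '<script src="/js/app.js"></script></body></html>'
    ),
    "news.html": (
        "<html><body><p>News</p>"
        "<script>document.write(unescape(\"%3Cscript src='http://other-bad.example/ur.php'%3E%3C/script%3E\"))</script>"
        "</body></html>"
    ),
}


class RefCollector(HTMLParser):
    """Collect script/iframe src attributes and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []      # (tag, src) pairs
        self.inline = []    # one string per inline <script> body
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.srcs.append((tag, src))
        if tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_page(html, indicator="/ur.php"):
    """Return every reference to the indicator found in one page."""
    col = RefCollector()
    col.feed(html)
    col.close()
    hits = [src for _, src in col.srcs if indicator in src.lower()]
    # Mass injections often hide the tag inside unescape()/document.write;
    # percent-decode each script body so the URL is visible before matching.
    url_re = re.compile(r"https?://[^\s\"'<>]+" + re.escape(indicator), re.IGNORECASE)
    for body in col.inline:
        hits.extend(m.group(0) for m in url_re.finditer(unquote(body)))
    return hits


def scan_site(pages, indicator="/ur.php"):
    """Map page name -> hits, for pages that have at least one hit."""
    report = {}
    for name, html in pages.items():
        hits = scan_page(html, indicator)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_site(SAMPLE_PAGES).items():
        print(f"{name}: {hits}")
```

Run it against a directory of pages fetched from your own server (or a mirror taken with wget); a hit in the attribute list is the plain form, a hit from the inline pass is the obfuscated one, and either means the page content has been altered.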
Original post...
-
Update from Websense: 500k URLs, injection code
Websense published an update to their previous article with more information about the attack. It includes the SQL injection code.
-
Here's a suggestion
How about posting a screenshot of the anti-malware warning so we can be aware of it. I recently had to remove a piece of cruft from a user's laptop which, as far as I can tell, came from a Flash ad.
Since I know this user doesn't go to random bobssoftware.com sites, it had to come from an ad or a compromised site.
Also, would it have killed the editors to go to the source rather than some blog which scraped the source site?
-
Some charts supporting this
(alphabetically)
SANS Internet Storm Center (I can't get the graph working, ymmv)
SenderBase
SpamCop (a feed to SenderBase)
Symantec
ThreatPost (TFA)
Websense Monthly reports (December not yet available, Websense is TFA's source)
An observation: spammers celebrate holidays too; it's hard to recover from a series of shutdowns while dealing with family affairs. I hope their holidays were joyful and full of lasting distractions...
-
Ummmm, yes... apk
"How about if - rather than an FBI warning or whatever - the site is replaced by a clone that sniffs your info or installs trojans?" - by phorm (591458) on Friday November 26, @01:29PM (#34351528) Homepage
HOSTS can also be used to block KNOWN bad websites that serve up malware:
http://ddanchev.blogspot.com/
http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp=
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
http://news.netcraft.com/
http://www.shadowserver.org/
https://zeustracker.abuse.ch/monitor.php?filter=online
Many of those sites have "removal lists" IF a site cleans itself up, or if it just "drops out of sight"!
(The latter I don't trust though, because malware makers "recycle" domainname/hostnames they own, & the RBN (russian business network) though thought 'dead'? Has had its domain/host names reused by ANOTHER botnet recently!)...
Thus, I add those sites that are known as serving up malware exploits as BLOCKED in my HOSTS file, and I can't get to them, until they're proven clean (I don't remove ones that just "drop" because they've been shown to get "recycled/reused").
APK
P.S.=>
"And when the server gets bushwhacked instead of the domain, and they move to a new host - but you're still getting the old IP from your hosts file - then what?" - by phorm (591458) on Friday November 26, @01:29PM (#34351528) Homepage
I again confronted you today on this, as to HOW you were "modded up" here -> http://slashdot.org/comments.pl?sid=1887878&cid=34387450 because I already covered the other part in my initial reply with this statement (as to sites changing IP addresses) requoted, again, below next:
"& if they change it again? Re-Ping (with a double verifying WHOIS) said site & the TLD that does NOTHING but resolve hosts/domains to their correct IP will give you a correct IP address (provided you're NOT being "man-in-the-middle" attacked) to reinsert into your hosts file to update it..." - by Anonymous Coward on Friday November 26, @12:36PM (#34351132)
As to verifying IP addresses changing on sites.
So, if a site also is proven to harbor malware exploits?? A custom HOSTS file is also used to block those out until they are proven CLEAN... get it??
I don't see HOW/WHY you were modded up, because I cover the 1st point & anyone that knows how to use a HOSTS file knows it can be used to BLOCK OUT BAD SITES/SERVERS THAT SERVE UP EXPLOITS TOO, per the above... apk
-
Agreed on DNSSEC, but until then?
I use a "hard-coded" HOSTS file entry for my "fav" websites (like this one for example) that allows me to reach what ping'd off as "legit" @ the start of the year here, and remains so today (which is how I validate it, against the TLD that does nothing but resolve IP addresses to their correct domainname/hostname).
Additionally: This allows me to also reach them faster by not making DNS requests for them, which involves turn around response times from DNS servers, which this technique avoids said "lag"...
(Especially since 200 of my favs. are done thus in my HOSTS file, and I block out KNOWN bad sites/servers in it as well to avoid "sucking in" malscripted or other types of exploits via malevolent people)
This practice also allows me to be less "trackable" (sure, I'm still trackable by ISP/BSP, but not as easily) since I am NOT showing up on DNS request logs for my favs (where I spend a GOOD 95% of my time online each day anyhow).
Lastly, this practice also allows me to reach said sites IF my DNS servers I do use "go down" or are "misdirected" via the Kaminsky 'hack' (since they're hardcoded)... I do so, because I can't do the entire net in my HOSTS file as "hard-codes"!
Now, IF a site I like & hardcode "turns up bad" or "infected"? I get notification via the sources listed below
... and it gets blocked, even if temporarily only (& if they clean themselves up, it shows in the removal lists those sources provide too, & those sources also have "validation" screens where you can check if a site is currently "a plague ship" too - can't beat that!).
As far as DNS servers though?
Well, I use either ScrubIT DNS or OpenDNS (both are good & fast + per many DNS flaws, OpenDNS is KNOWN to "patch right away" if possible + they DO pay attention to blocking out various forms of "questionable" or "threatening" material). I also "alternate them", periodically, between those 2 (for avoiding tracking a BIT better, yes, & even from they, via DNS requests logs).
APK
P.S.=> What I do know though, is that it makes me FASTER online & SAFER TOO, by far!
My friends + family & even customers, plus others in forums I have "turned on" to this very old technique (that nowadays seems forgotten) also note it!
E.G.-> My best pal says "my online speed has DOUBLED using HOSTS files" & he used to get 200++ infestations a month (no joke) & he's down to MAYBE 2 a yr. now using HOSTS alone! We even setup his system for 8++ months without a firewall, on older Windows 2000 unpatched, & no firewall... he still had a much lower infection rate!
I also block out adbanners (sorry webmasters - I pay for my online time out of my own pocket)
I want ALL the speed I pay for, & I get a "no commercials/HBO internet" this way, much faster & safer too (since adbanners have been found w/ malicious script content in them many times the past 4-5 yrs. now no less),
This also protects myself vs. the "Kaminsky security crack" in DNS, noted above!
I also protect users & myself via HOSTS files, vs. KNOWN bad sites, via these reputable sources (others too, but here are the "bulk" of them I use to populate my HOSTS file for these purposes):
http://ddanchev.blogspot.com/
http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp=
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
-
I add between 50-2000 new bad sites a day... apk
To a custom hosts file: That tell you anything? It used to only be that many a month years ago prior to I'd say, 2004 or thereabouts...
Additionally, to so do, I'm still using the same decent sources as well as my own I built up from the same sources since 1997:
Spybot Search & Destroy's "IMMUNIZE" feature
http://ddanchev.blogspot.com/
http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp=
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
http://news.netcraft.com/
http://www.shadowserver.org/
https://zeustracker.abuse.ch/monitor.php?filter=online
Today/Nowadays? It's worse than it was as far as PC's being @ risk online just on sheer numbers of bogus sites or even banner ads that are maliciously scripted in intent. Just on sheer numbers alone.
APK
P.S.=> In summation, all I can tell you, from my "POV" of making a hosts file full of known malware or maliciously scripted sites for a LONG time now is, it's gotten worse, & is happening FAR faster than it used to be (more folks understand coding now is why most likely & the tools are simpler/better too), & I've been building up a closing in on 1 million bogus sites based HOSTS file for over 14 or so years now as my basis in fact here is all...
-
Link to Actual Report and My Many Gripes
You can find the actual Websense Threat Report in ASP-driven HTML here. I mention ASP because the video doesn't seem to be functioning correctly in my non-IE browser.
I thought I would find this in the NetworkWorld article. Boy was I mistaken. As I switch between the two pages of the article, I am presented with "Whitepaper" links to reports that then navigate me to a 'page1234' at accelacomm.com where it asks for all my personal information. In the middle of the article (with no indication this has nothing to do with the article) is a link to another NetworkWorld article titled 'Royal pain: British Royal Navy site hacked.' Shouldn't that go in the 'Related Content' section that is also in the article with links to how I can 'bail out my budget'? Oh look, they've hyperlinked phrases in the article that just direct me to another NetworkWorld article and at the end I get directed to their security section. Might they take a chance and link to the source of the information that they are considering an authority on SEO poisoning? So you know, I can judge for myself and further inspect the report? I mean, I'm not asking them to drive across town to get a quote from the mayor ... this is the smallest gesture of investigative reporting one could possibly do.
Sorry to rant for so long but it amuses me how a news article about SEO poisoning is obviously taking some questionable routes to up their own stats -- maybe even manipulate Google page ranks? Oh but that's just good old wholesome Search Engine Optimization -- it's those pesky cybercrooks that phish for my home address, not the "esteemed" online news sources we should criticize that ask me to enter it into accelacomm.com when I'm trying to read the news (and I'm not accusing accelacomm of being a scam, just annoyed at the principle).
-
I don't know about 1 million in Q2 2010, but...
"Web anti malware firm Dasient has published data claiming that more than 1 million Web sites were compromised in the second quarter, 2010 - a sharp increase. *In Sean Connery's James Bond voice* Of course they have." - by AnonymousClown (1788472) on Thursday September 16, @12:25PM (#33600940)
I don't know about THAT, however? Well - I DO know that my personal custom HOSTS file is nearly @ 1 million absolutely unique entries of known bad sites/servers, and it took me nearly 10++ yrs. now to get it to that # no less!
I populate it from very reputable & reliable sources listed below:
----
http://ddanchev.blogspot.com/
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://www.stopbadware.org/
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
http://news.netcraft.com/
http://www.shadowserver.org/
https://zeustracker.abuse.ch/monitor.php?filter=online
http://en.wikipedia.org/wiki/Hosts_file
http://www.mvps.org/
http://someonewhocares.org/
http://hostsfile.mine.nu/hosts0
http://hosts-file.net/?s=Download
http://www.stopbadware.org/home
+ Spybot "Search & Destroy" IMMUNIZE feature add ons also...
----
In fact, as far as growth this summer alone? It's been more than usual, and last summer last year was the same it seems/iirc too...
However: Ahem - 1 million++ new known bad sites &/or servers, & in just 1 quarter?
(Hey, anything's possible, but that's a bit "excessive/steep" imo @ least... still, one never knows! Still, I somehow DOUBT it's that bad out there. Yes, it's bad, but not THAT bad... I don't think so @ least, and I tend to keep pretty steady-eddy tracking of this up (for over 10++ yrs. now @ sites & sources such as those listed above via populating my custom HOSTS file for both added security AND added speed))
I.E./E.G.-> The # of entries of known bad sites &/or servers in my HOSTS file, which a great deal of came from my sources listed above no less, had grown this year from July 15th 2010 to Sept. 15th 2010 by almost 18,000 entries alone at the tail-end of this summer alone (up to 881,543++ total entries, & gaining typically between 50-250 more each day).
It's crazy out there now, but it doesn't affect "me or mine", because I cannot be hurt by that which I cannot enter to get hurt by it, such as a bad website that's malscripted or bears a malware, because that's what HOSTS files do, at least part in the way of security (and more for speed such as adbanner blocking (which also helps security too, because many a banner ad has been found with malicious code in it too the past few years now as well), and site IP-to-URL hardcoding): HOSTS files, if done right, can keep you from getting burned in a bogus kitchen, so-to-speak!
Still - 1 million++ new known bad sites in just 1 quarter this year 2010? I have trouble with that estimation, in believing it to be blunt about it, & yes, I have been looking at this type of data for quite a long time now (over 10++ yrs. in fact, in making a custom HOSTS file to protect vs. this type of lunacy).
APK
P.S.=> Since I
-
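The four HOSTS-file comments above ("Ummmm, yes... apk", "Agreed on DNSSEC, but until then?", "I add between 50-2000 new bad sites a day... apk" and "I don't know about 1 million in Q2 2010, but...") all describe the same workflow: pull hostnames from several blocklist sources, keep only the ones that are well-formed, merge them into one deduplicated file, keep hard-coded entries for favourite sites, and drop an entry only when a source's removal list says the site was cleaned, not when it merely disappears from a feed. The script below is an added example of that workflow; it is not code from any of the commenters or from any of the listed sources. The feed contents, hostnames and addresses in it are constructed (the IPs are from RFC 5737 documentation ranges), and the three feed formats it parses (hosts-style lines, bare domains, full URLs) are an assumption about what such lists look like rather than a description of any specific source. Two caveats the comments skip: a hosts file cannot block by IP address or wildcard, so raw IPs are rejected and every subdomain must be listed explicitly, and a host that is both pinned and blocked is blocked, which is what the commenter says happens when a favourite "turns up bad".

```python
"""Build a blocking hosts file from several blocklist feeds.

Added example, not code from the original comments or from any of the
sources they list. Feed contents, domain names and IP addresses below are
constructed for the demonstration (RFC 5737 documentation ranges); the
feed formats (hosts-style lines, bare domains, full URLs) are assumed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed feeds in the three formats such lists commonly use.
FEEDS = {
    "feed-hosts-style": """
# sample hosts-format feed
127.0.0.1 malware-one.example   # drive-by kit
0.0.0.0   tracker.example
0.0.0.0   MALWARE-ONE.EXAMPLE     # duplicate, different case
127.0.0.1 localhost
""",
    "feed-bare-domains": """
phish.example
bad_underscore.example
-leading-hyphen.example
""",
    "feed-urls": """
http://exploit-host.example/loader/index.php
https://phish.example/login
http://203.0.113.9/ur.php
""",
}

# Favourite sites the commenter would "hard-code" (constructed).
PINNED = {"favourite-news.example": "192.0.2.10", "phish.example": "192.0.2.20"}

# Hosts reported as cleaned by the feeds' removal lists (constructed).
CLEANED = {"tracker.example"}


def valid_hostname(name):
    """Accept only syntactically valid DNS names; reject raw IPs and localhost."""
    if not name or len(name) > 253 or name == "localhost":
        return False
    try:
        ipaddress.ip_address(name)
        return False  # a bare IP cannot be blocked through the hosts file
    except ValueError:
        pass
    return all(LABEL_RE.match(label) for label in name.split("."))


def extract_hostname(line):
    """Pull a lowercased hostname out of one feed line, or None to skip it."""
    line = line.split("#", 1)[0].strip().lower()
    if not line:
        return None
    if "://" in line:
        return urlsplit(line).hostname
    parts = line.split()
    if len(parts) >= 2:
        try:
            ipaddress.ip_address(parts[0])
            return parts[1]  # hosts-style "<ip> <host>"
        except ValueError:
            return None  # two tokens but not hosts format: skip
    return parts[0]


def build_blocklist(feeds, cleaned=frozenset()):
    """Merge feeds into one deduplicated, validated set of hostnames.

    Only hosts on the cleaned list are dropped; a host that merely
    vanished from a feed stays blocked, as the comments above prefer.
    """
    blocked, rejected = set(), []
    for feed_name, text in feeds.items():
        for line in text.splitlines():
            host = extract_hostname(line)
            if host is None:
                continue
            if valid_hostname(host):
                blocked.add(host)
            else:
                rejected.append((feed_name, host))
    return blocked - set(cleaned), rejected


def render_hosts(pinned, blocked, sink="0.0.0.0"):
    """Render the file; a pinned host that is also blocked comes out blocked."""
    lines = ["127.0.0.1 localhost", "# pinned"]
    for host, ip in sorted(pinned.items()):
        if host not in blocked:
            lines.append(f"{ip} {host}")
    lines.append("# blocked")
    lines.extend(f"{sink} {host}" for host in sorted(blocked))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked_hosts, rejected_entries = build_blocklist(FEEDS, CLEANED)
    print(render_hosts(PINNED, blocked_hosts))
    print("rejected:", rejected_entries)
```

The rejected list is worth reading, not discarding: a feed that suddenly emits malformed names or raw IPs is the usual sign that its format changed, and silently dropping those lines would leave a gap in the blocklist without anyone noticing.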
If this is about stopping botnets, malware, etc.?
Per my subject-line above, & this quote from the article here on /.:
"The Cybersecurity Act of 2009 passed a Senate panel, giving the president unprecedented power to issue a nation-wide blackout or restriction on websites without congressional approval" - by Akido37 (1473009) on Tuesday March 30, @10:49AM (#31670706)
?
Well, then from the SOUND of it @ least, I am ALL FOR IT personally!
Why??
Well, because online attacks DO go on, & they DO exist, & they DO INTERFERE WITH PEOPLE'S LIVES IN SERIOUS WAYS IS WHY!
(AND, in many ways, because a LOT goes over "the public internet" people, a lot more than say, slashdot webpages, whether you know it or not)...
E.G.-> Such as databases' drivers & libs using ports on the net, like:
----
A.) SQLServer = default ports usually used -> 1433/1434/4022/2382/2382/443 (SSL)/135 (RPC) & on both UDP & TCP/IP
B.) Oracle = default ports usually used -> 66/1521/1525/1526/1527/1529/1571/1575/1630/1748/1754/1808/1809/1830/2481/2482/2483/2484/3872/3891/3938
C.) IBM DB/2 = default ports usually used -> 523/532/6789/50000/60000 (probably more here, this is the one I am LEAST familiar with, sorry I could not be more "complete" here)
D.) MySQL = default ports usually used -> 3306 (probably more here too, I am JUST "getting into" this one lately (hey, it's FREE man!!!)
----
(Those tools, as I am sure MOST of you know, are for businesses where YOU yourself do business, which means YOUR MONIES or other life-crucial information, for instance - which again, is a LOT more than & of most likely far greater import than merely the web's HTML data alone you use, while you browse websites, in other words...)
And, then there are things like POWER PLANTS (which, like it or not, DO conduct things over the public internet), & even life-monitoring devices + security systems.
SHOULD THE GOV'T. TAKE ACTIVE MEASURES vs. ATTACKS ON THESE THINGS NOTED ABOVE? Hey guys...?? ABSOLUTELY!
(Especially IF they're being "cyber-attacked", OR, just to prepare for such an event, JUST IN CASE!)
APK
P.S.=> See- The past 12 yrs. now or so, I've taken a more than "somewhat" active interest in things 'security-related' online... &, know what sort of "spooks me" (& yes, even shocks me, because of the cultures/nations I see it coming from mainly)?
CHINA...
Yes - It really "blows my mind" that a culture w/ more than 5,000++ yrs. of recorded history behind it is showing up, & MORE THAN ANY OTHER NATION BY FAR, in the lists I use to populate my HOSTS file here, & here are the sources (all known & reputable) I typically utilize, so you can check this yourselves (or, perhaps, even USE THEM yourselves for hosts file population to block out known bogus sites &/or servers):
-----
http://ddanchev.blogspot.com/
http://www.malwareurl.com/listing-urls.php?page=1&urls=off&rp=
http://www.malware.com.br/lists.shtml
http://securitylabs.websense.com/content/alerts.aspx
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe.com/threat_center/threat_alerts
http://news.netcraft.com/
http://www.shadowserver.org/
https://zeustracker.abuse.ch/monitor.php?filter=online
http://en.wikipedia.org/wiki/Hosts_file
-
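The port list in the comment above only becomes actionable when you check which of those database listeners on your own machines are bound beyond loopback. The script below is an added example, not from the original comment; it reads the output of `ss -ltn` (a constructed sample is embedded) and flags any database port that is listening on all interfaces or on a specific non-loopback address. The port-to-product table is a subset of the ports the comment lists; the sample addresses use documentation ranges.

```python
"""Flag database listeners bound beyond loopback, from `ss -ltn` output.

Added example, not from the original comment. The port table is a subset
of the default ports listed in the comment above; the ss output below is
constructed and its addresses use RFC 5737 documentation ranges.
"""
import ipaddress

# Default ports named in the comment, mapped to the product they belong to.
DB_PORTS = {
    1433: "SQL Server", 1434: "SQL Server", 4022: "SQL Server", 2382: "SQL Server",
    1521: "Oracle", 1526: "Oracle", 2483: "Oracle", 2484: "Oracle",
    523: "IBM DB2", 50000: "IBM DB2", 60000: "IBM DB2",
    3306: "MySQL",
}

# Constructed `ss -ltn` output for a host running several databases.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:1433        0.0.0.0:*
LISTEN 0      128    [::]:1521           [::]:*
LISTEN 0      128    [::1]:50000         [::]:*
LISTEN 0      128    192.0.2.5:3306      0.0.0.0:*
"""


def split_addr_port(token):
    """Split ss's 'addr:port' token; IPv6 is bracketed, '*' means any address."""
    host, _, port = token.rpartition(":")
    host = host.strip("[]")
    if host == "*":
        host = "0.0.0.0"
    return host, int(port)


def parse_ss(text):
    """Return (address, port) for every LISTEN line in `ss -ltn` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            sockets.append(split_addr_port(fields[3]))
    return sockets


def exposure(addr):
    """Classify where a bound address can be reached from."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific-interface"


def audit(text, db_ports=DB_PORTS):
    """List database listeners reachable from the network."""
    findings = []
    for addr, port in parse_ss(text):
        scope = exposure(addr)
        if port in db_ports and scope != "loopback":
            findings.append(
                {"port": port, "addr": addr, "product": db_ports[port], "scope": scope}
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f['product']} on {f['addr']}:{f['port']} ({f['scope']})")
```

A finding here does not by itself mean the service is on the public internet; a host firewall or an upstream filter may still stand in front of it. What it does tell you is which listeners depend on that outer layer, which is exactly the list to reconcile against your firewall rules.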
Re:I'll give you a clue...
It didn't go completely undetected.
FWIW - I'm not a Websense employee. We just use their products as part of a multi-layered defensive strategy. They had mitigation mechanisms in place a week before Google, Adobe, et al acknowledged that they had been compromised.
Obviously Websense isn't a magic bullet. They wouldn't have prevented the initial infection. All they did was notice the infection after the fact and then worked to contain the spread.
-
Re:This just in
Sorry to hijack this, but http://securitylabs.websense.com/content/Assets/WSL_ReportQ3Q4FNL.PDF seems to be the direct link to the paper.
-
The actual new vulnerabilities
First, here's the actual report, without any form to fill out. (Backup copy at WebCitation.) Amusingly, the report is clearly written for a target audience who prints out PDF files on paper. It contains charts in tiny type.
The report covers the usual email issues, which will be familiar to Slashdot readers. New issues for 2009 are the following:
- Anti-virus companies are slowing down. Average time to "patch" (really, release a new identifying signature) has increased from 22 hours to 46 hours. By the time the anti-virus companies catch up, the attack has changed. This indicates the uselessness of signature-based attack detection.
- More attacks are successfully targeting search engines. Google is more vulnerable to hacked SEO than previously thought. Google Trends, which drives Google Suggest (the command completion in Google search boxes) is extremely vulnerable. (I've commented on that before.) "The average number of malicious sites in any Google search using hot/trending topics (as ranked by Google) by the end of the year stood at 13.7% for the top 100 results."
- The "long tail" of the Web is becoming less important as more user generated content moves to the top 100 sites. More attacks now involve injection of hostile code into user generated content on major sites.
The report identifies Google's weak security in their search engine as a problem. Microsoft's Internet Explorer remains a problem, of course, but now Google is the attack target of choice to drive traffic to a site that can attack the browser. Google still, apparently, hasn't figured out a good way to prevent link farms from driving up search position.
-
Re:Clarification of facts
docs.google.com shows up currently in the category "Personal Network Storage and Backup." Seems quite accurate to me.
Requires a valid subscription to see, but https://www.websense.com/sitelookup does allow administrators to test categories and report categorised URLs to the human review team. It is also available in the installed product, so admins don't even have to go out of their way.
-
What does the original author really know?
From TFA. Specifically the responses at the bottom: "Brian, wouldn't an add-on like Giorgio Maone's NoScript stop the processes necessary for this kind of fraud to succeed on Firefox ?". Which gets this as an answer: "@mhenriday - I suppose it's possible, but I doubt it."
Next he refers to the Security labs article for more information. Notice the "payload" section and the marked sections. See how this is all javascript code? Now check the NoScript website, see how its primary use is a "Javascript/Java/Flash" blocker?
So why would the author have any doubts if this NoScript plugin can actually stop the execution of this javascript code block? Does he somehow think this block of code is very different from other javascript snippets or could it be that he doesn't like (or understand) this free, easy and most of all safe kind of protection ?
Maybe I'm too cynical here but I wonder.. Double agenda perhaps?
-
Re:Does this affect all browsers?
The virus itself is a complicated one. As per the article, it was installed on the system during a mass exploit dubbed Nine-Ball, which was loaded onto 40,000 legitimate websites. Visiting those sites caused the Nine-Ball script to execute, which redirected an iframe to a page containing malicious code which mounts a series of attacks. Those mentioned by the site are:
- Exploit MS06-014, which targets the MDAC ActiveX control
- Exploit CVE-2006-5820, which targets the AOL SuperBuddy ActiveX control
- [Some] targeting Acrobat Reader
- [Some targeting] QuickTime
So basically, an application (browser) visits this malicious page. If that application runs the ActiveX controls mentioned (and presumably Acrobat Reader and/or QuickTime), it was vulnerable to the initial Nine-Ball exploit. IE qualifies for all 4 of those; Firefox can use ActiveX (I believe, with a plugin), but not out of the box... however, it does have plugins for Acrobat Reader and QuickTime.
If any of those vulnerabilities were present when the application visited the iframe, it runs malicious code that installs a crapton of viruses on the host computer, among them the FFSearcher virus.
Once FFSearcher is on your computer, it causes itself to get run all of the time, probably as Administrator. It then proceeds to:
- Execute a Windows root-kit to hide its presence
- Inject code into browser application processes; for IE, it will inject an IE-specific payload, and for Firefox, it will inject a Firefox-specific payload. Each payload causes the infected browser to do all the malicious redirecting that is described in lower-level detail in the article.
So a nice, clean, and secure IE / Firefox get started up, but Windows, itself infected, loads the virus into them! No vulnerabilities are exploited, here. Since FFSearcher runs as Administrator, everything it does is straightforward and allowed by the system; it can do basically anything. What it chooses to do is target IE and Firefox. Since it's running as Administrator, it doesn't have to exploit any vulnerabilities in either; it just barges in and rewrites parts of them to do its bidding. Administrator can do things like that.
In conclusion, there isn't any vulnerability in IE or Firefox that's involved in FFSearcher, and the only reason FFSearcher doesn't pwn other browsers is because the author didn't bother to write a payload for them, too. FFSearcher, itself, was installed due to some browser vulnerability that happened sometime, and now, permanently present on the system, takes advantage of its Administrator privileges to do some pretty wicked stuff.
-
Microsoft's revised CAPTCHA publication
Microsoft's revised CAPTCHA busted. This is the latest publication on Websense's blogs. The spammers certainly seem to improve their attacks with every move. Authorities have to be more strict and more rigid in terms of punishing such spammers. Also, the domain registrars of spammers should be treated in the same way...hunt them and burst them!!!
-
Problem solved, and has been for a decade
May I point you to surfcontrol?
http://www.websense.com/global/en/scwelcome/
I used this for a LONG time. You can have it set up to where it just blocks packets, blocks packets based upon a BUNCH of different rulesets, block packets based upon authentication (I had a private company that the owner HAD to be able to look at porn. I created a custom container for him, and no logging, reports, etc. came through).
It will block based upon port, protocol or keywords it finds in the packets.
Best product I ever found, at least for WinTel environments (It will integrate seamlessly with domains, etc). I prefer it over MS Proxy for web based content filtering at work.
Nothing better, in my opinion.
--Toll_Free
-
Re:The Politics
Since those days my outfit has started filtering our Web access using http://www.websense.com/ [websense.com]. I recently found a way around the filter, but don't want to report this hole in case the management decide to stop me using this way around the filter.
There! Fixed that for ya.
-
Re:The Politics
There was a similar situation awhile ago where I work (in my outfit's Computer Center.)
I found a password ripper on the net, and tried it on our password file. Seemingly, the password rules that used to be applied had been lost during a recent system change; and now passwords like 'password' and 'letmein' were not rejected when the user tried to set their password. I was able to crack >1,000 passwords within 30 minutes.
I reported the problem to my supervisor, and he got me to discuss it with the Technical Director. They decided that the new Identity Management system that they were looking for funding for, would fix the problem. The budget bid failed, and the IDM system still hasn't been built. The hole remained for 2 to 3 more years.
I read a case online where a NASA sysadmin would email users to warn them to strengthen their passwords, so I started doing that myself. "Hullo [user], your password is your favourite football team. That's a dictionary word, and easy to crack. Please choose a stronger password, using one of these methods." This did reduce the scale of the problem somewhat, but new accounts would appear with weak passwords, so the hole was still open.
Around 2 to 3 years after I originally reported the problem, a user reported exactly the same thing to his boss, who told the Computer Centre. He was hauled over the coals, reprimanded and nearly got disciplined for his trouble. Password creation rules were instituted, and the hole was closed in short order.
Since those days my outfit has started filtering our Web access using http://www.websense.com/. I recently found a way around the filter, but don't want to report this hole in case the management decide to punish me for it.
-
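The missing control in the story above is a rule applied when the password is set, so that 'password', 'letmein' and a favourite football team are refused before they ever reach the password file. The following is an added example of such a set-time check, not code from the original comment or from any system it mentions. The wordlist is a small constructed stand-in for a real cracking dictionary, and the leet-speak substitution map, the trailing-digit stripping and the character-class rule are assumptions about what a reasonable policy would enforce; they exist because crackers try exactly those variations first, so a check that only matches the literal word gives little protection.

```python
"""Reject weak passwords at set-time, the rule the comment says had been lost.

Added example, not from the original comment or any product it mentions.
The wordlist is a small constructed sample standing in for a real
cracking dictionary; the substitution map and the rules are assumptions
about what a reasonable policy would enforce.
"""

# Constructed sample wordlist (a real check uses a full cracking dictionary).
WORDLIST = {"password", "letmein", "arsenal", "liverpool", "qwerty", "welcome"}

# Common "leet" substitutions that a cracker's rules already undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

TRAILING_JUNK = "0123456789!@#$%^&*.-_"


def normalize(pw):
    """Reduce a password to the dictionary word a cracker would recover from it.

    Trailing digits/symbols are stripped first ("Arsenal2010!" -> "arsenal"),
    then leet substitutions are undone ("P@ssw0rd" -> "password").
    """
    core = pw.lower().rstrip(TRAILING_JUNK)
    return core.translate(LEET)


def check_password(pw, username="", wordlist=WORDLIST, min_len=12):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalize(pw) in wordlist:
        problems.append("dictionary word (even with substitutions or trailing digits)")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    classes = sum(
        any(test(c) for c in pw)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate, user in (("password", ""), ("Arsenal2010!", "jsmith"),
                            ("P@ssw0rd2010!", ""), ("Tr0ub4dor&3xtra-long", "jsmith")):
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Plugging a check like this into the password-change path fixes the gap the comment describes without touching existing accounts; the e-mail campaign in the story is what handles the accounts that were created while the rule was absent.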
Proprietary protocols and standards
Custom protocols and standards wreck the web, which originally got large in part because of its inherent interoperability.
It's why we bothered to put things in HTML in the first place, instead of linking Gopher trees to LaTeX and .doc files.
I have never liked Flash for this reason. It's a hog on Opera, and unstable as well on Firefox. It encourages the worst kind of contentless web site creation. Finally, it's a giant sieve of security holes and vulnerabilities.
-
Google Checkout needed for spamming
Google Checkout is the payment scheme of choice for Craigslist spammers. Some other payment processors have kicked off spam tool vendors, but spammers have found a friendly welcome with Google. Google also supplies spammers with free e-mail accounts in bulk. Google's YouTube runs ads and videos from spammers. Google's Blogger provides free hosting for spam and redirection sites. It's full-service evil.
Google has clearly gone over to the dark side. They're not just an innocent victim. Google Checkout is laundering spammer money and taking a cut. Google AdWords is accepting ads from spammers. The dark side generates revenue for Google.
-
Security is no selling point
Unfortunately. XP is horribly insecure in the default configuration, and few companies have administrators that know enough to make it secure AND useable. Hence the widespread threat of trojans that companies are not even aware of.
A recent survey by websense (unfortunately in German, so rather useless for most people reading here) came up with 98% of companies considering their security "adequate" or better, 53% thinking their security is "very good". 66% of middle management thought that nothing could penetrate their security, their IT guys are rather suspicious, only 25% share the view of their management. Still a lot, if you ask me...
Unfortunately, admins rarely make the decisions when it comes to purchases. They only have to suffer from them.
And the rest of Vista, the eye candy and the fluff, aren't a selling point either for companies. A company doesn't care whether their workers get to "enjoy" their "computing experience" more. Their question is: Does it increase productivity? And the answer is probably no.
-
Re:Three months? For proxies?If you want more precision, start with yourself. In relation to this article Article? What article? I only saw a link to the school's website and a rant with some unsubstantiated claim on the part of the administrators. students access proxies because of information censorship which they disapprove of. I'm so glad that the students disapproval is important here. Then again, it's probably less 'disapproving' and more 'I want to go to myspace, and I'll do anything I need to on the school's property in order to do so.' Therefore an attempt to block access to proxies is NOT a security issue and is ONLY a censorship issue. There are NO specifics in this article, so who knows whether or not the students were bypassing security in order to access the proxies? We do know that one student (the poster, himself) admits to bypassing security by using a boot CD. students should not be punished as if they committed a security violation, because they did not. Where did you get information that they didn't commit a security violation? The clearly bypassed a censorship policy, however nowhere in the "article" did they mention anything about how they got around these things, other than the vague "use of a proxy".
Though I just checked Websense's website, and one of the ways they promote their product is to help secure systems against spyware. Guess that probably counts for something.
http://www.websense.com/global/en/ResourceCenter/ProductSolutions/websecurity.php -
Re:Your PD uses a lot more than just MS products.
I doubt that will have much impact on where most of the phishing originates, though, which is overseas.
If we believe this map and if we are African, Australian or Eurasian, overseas is indeed worst.
CC. -
Locking Down Windows
There are a few ways to "lock" down Windows.
If you have a Windows domain, the best is to use the group policies and create individual accounts to track each of the students.
Group policy http://www.microsoft.com/technet/technetmag/issues/2005/05/LockDown/ will also give you a great deal of control over how much of the Windows interface they have access to. For instance you can lock out the CLI, and where they can save files. Here is a link from Micro$oft on how to get started.
If you don't have an Active Directory domain set up, you can still lock down the desktop by creating local policies http://www.windowsnetworking.com/articles_tutorials/wxppspol.html; unfortunately you will need to apply these to each PC. If all the hardware in the lab is the same, it wouldn't be too difficult to create a locked-down image using Ghost, and then image all the machines to be identical.
Also, if the school can afford it, buy a copy of Websense http://www.websense.com/global/en/. It will keep the little buggers out of the internet, prevent them from downloading games, and even from using chat programs.
-
Re:Yihaa, finally
I've been there not so long ago. All the PCs are iMacs (there are about 15 in total). The base units are locked away in a 'pod' display type thing so there is no access to USB ports or floppy discs or anything like that. Whatever you download you can't take with you. Also it's fairly heavily censored using a Websense based proxy, so don't think for a second you'll be downloading hundreds of megs of mp3s or anything like that.
-
I'd check it out, but WebSense won't let me.
My company's web filter, http://www.websense.com/global/en/ WebSense ("Securing Productivity"), blocks the site as a proxy filter.
-
Firewall this...
Funny, funny. I'm blocked by Websense from downloading this extension - or any Firefox extension from addons.mozilla.org here in the bowels of Iraq.
But obviously I can still post to /. Someone has some incredibly skewed priorities. -
Websense is pretty evil.
They sold their filtering software to the Chinese government for use in censorship of pro-democracy sites. They actually had the news release on their website a few years ago.
When asked "Gosh, do you think that this is a moral thing for an American company to do?" they replied "Hey, we just sell the software, we can't be responsible for how people use it."
Anyone who has worked with sales before knows that is a load of shit. Before you start talking to a customer, you learn about their needs so you can better sell your product. There's no way they just passively got a contact with the Chinese government. I promise you, they were over there for weeks, showing PowerPoint presentations claiming that their product could filter and report on dissidents MUCH better than the competition.
They've been putting up this bullshit about web usage for years. A few years ago, it was porn at work, and how companies are at risk for lawsuits if they don't immediately buy a filter. Of course, this fails the "What if it wasn't on a computer?" test, since if I brought an old-fashioned porn mag to work and was caught reading it, I'd be fired, and the company wouldn't be negligent. They don't need a $100,000 porn scanner at each door... but since it is on a COMPUTER, well, it is magic.
I mean, check out the management. Their CEO looks like he is about to rip off his false face to reveal the reptilian features underneath. -
Re:You have no real alternative
The University where I work has introduced
1) Censorship of the Web, using Websense http://ww2.websense.com/global/en/.
2) Throttling bandwidth on network ports using Storm Control http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080160a9f.html
3) Filtering out spam using Ironmail http://www.ciphertrust.com/products/index.php
Each of these measures has had a negative impact on genuine study and research.
Our Computer Centre Director, who is in the invidious position of having to balance academic freedom against meeting JANET http://www.ja.net/ regulations, released this message which I reproduce here to show what Universities are dealing with.
-START OF QUOTE-
The introduction of restrictions is not something that we have come to lightly. We certainly have no desire to apply censorship to our users; however, unlike Internet Service Providers, we have somewhat more legal responsibility for the material that is carried over or stored within our network. In particular, the University can be held 'vicariously liable' for a number of offences relating to, for example, the display or storage of pornography. Similarly, material relating to religion or race that is capable of offending is a potential threat, in a legal sense, to the University. There are others.
On the matter of websites that just plainly offer no business value to the University, we need to strike the right balance between the various interests. We have real concerns about the capacity of our network and to compromise academic and business activity on the network because we are hosting a flood of dubious traffic does not make good sense. However, under this specific concern, clearly there may be scope for relaxing restrictions outside the 'working day'.
-END OF QUOTE- -
Two approaches..
to mitigating spyware that I've had success with:
1) Websense has a category set for spyware to stop it at the firewall.
2) Spyware Blaster is an excellent free spyware prevention program. I've never had a problem with users who run it.
The best would of course be to convert your enterprise to Linux with Firefox. But, if everybody did that, the organized crime that is spyware would target Linux systems. Security through obscurity only works as long as you don't have the market share. However, open source tends to converge on security fixes more quickly anyway. So, even if there were major browser vulnerabilities more often, the fixes would be here faster... -
Damn Websense
I always liked JibJab. Their flicks are a great way to waste some time here working graveyard. Unfortunately the company I work for recently invested in a highly annoying filtering proxy called Websense. The damn thing filters everything.
-
Re:IE User
"Yeah, everybody's ignorant because they don't know of an obscure browser they weren't looking for because IE's doing its job satisfactorily for them"
If that included infecting 90% of all IE users with spyware, then yes it is doing a great job! Heck, here is an article that states, 92 Percent of Organizations with at Least 100 Employees Have Been Contaminated With Spyware. You can be pretty sure that these organizations with 100+ employees have some tech guy around. So if they cannot keep crappy IE from putting spyware on a computer, how in the world is average Joe User going to prevent it? Spyware is only one of the problems with IE. Every non-tech user's computer that I have looked at that uses IE has had their home page stolen and their default search engine changed. Not to mention the tons of pr0n dialers and other crap that attack the average IE user. Stop being an MS apologist. -
Re:Yea But
If you ask Jeeves, this is his answer. I would have checked it out first, but my company uses WebSense to keep us from visiting cool sites at work. (So I settle for /. ;) -
Websense should be illegal.
NOT because of corporate/government censorship, but they provide software to China so they can find out who goes to western news sites and suspicious political sites.
"Why, Gannoc", you might be claiming, "Wherever did you hear such vicious slander against Websense?"
Why, right on their goddamn website. They're proud of it, of course, because the type of people who invest in a company like Websense are the type of people who don't mind the idea of a few people going to jail for going to a politically progressive web site, as long as the stock price goes up.
Bah.
-
Re:Stories like this are why I set
Or, alternately...
http://www.websense.com/management -
Websense
My company uses Websense, and I have found them to be extremely reasonable. The url checking feature needs registration now (I think somebody was using a bot to try and get a copy of their database), but the request for change form is still open. I have gotten many sites saved or recategorized. The key is that they have reasonable people looking at the recommendations, and they don't block phrases (so skateboardsextreme.com won't be blocked). So it can be done . . .
-
Re:Squidded ???
Some web filters (Websense, for one) have an explicit blocking category for political advocacy.
Political advocacy may cause excessive thinking on the job, dissension from commonplace views, dissatisfaction with society, and is known to foster a spirit of rebelliousness. Obviously as dangerous as porn.
Just do your work and don't worry about it.
-
Re:It hardly makes SSL a "joke"
Unbelievably remote?
If it happens every day, all day long in many corporations, would you say that it's unbelievably remote?
There are security packages that do just that - hijack domain names, redirect them, and spoof the domain or site, such that if you call up www.pr0n.com, you get the corporation's policy manual.
I would hardly call this a far-fetched scenario! ONE bad IS employee in ONE major company (with access to the DNS server) could gather credit card information from thousands or tens of thousands of users. Imagine if an AOL employee were inclined to spoof sites. Or what if someone hacks an AOL DNS server (which are inherently accessible on the net).
I agree with you that this doesn't make SSL junk. But I also think that if 80% of the SSL implementations IN USE (i.e. IE) are insecure, and the primary function of SSL is security (authentication and encryption), then I'd say that the technology is not meeting its "prime objective". It's salvageable, but calling it "junk" isn't far from the truth. -
Re:Other avenues of attack . . .
Block webmail sites at your firewall. This can be tedious to do manually, as there are many (and more each day), so try a product like Websense which allows you to block them and get updated "signatures" from the vendor to keep them blocked.
No, I don't work for them. Yes, we are a customer.