New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."
Cue the "Gee I'm glad I use FireFox on Linux" posts.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Why is anyone still running Internet Explorer when there are so many better alternatives?
Intrigued, I went to those scumware vendors and saw that they are, in fact, dishing out scumware. So, in the interests of justice:
whois refestltd.com
Domain name: reflestltd.com
Registrant: Jay Seaton (6PPPG) jay@tremjade.com
United States
(913)6814254
Not that I condone using that information for any nefarious purposes...
All's true that is mistrusted
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
And why won't Microsoft admit there is a problem???
I'm simply stunned...where I work security is #1 and availability is #2. Judging by their output...it must be very different working at MS.
Blar.
Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious than all of these complicated 'security' or 'encryption' methods.
Help Brendan pay off his student loans
SF has an article regarding this.
Gates Defends Microsoft Patch Efforts
Free XBox, PS2
I imagine spybot's BHO inoculation should block this. Anyone know? I use firefox on windows myself, but not for any other reason than that it's just a better browser. ff on linux is actually kind of painful to look at and sluggish to use still.
I've finally had it: until slashdot gets article moderation, I am not coming back.
I wonder why the author of the code chose to only look for a certain number of SSL-enabled URLs. Why not just write the code to look for any URL or redirection that's prefaced by "https://"?
Just another good reason to switch to Firefox.
For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?
This is about your internet banking passwords, people! Your hard earned money is at stake here!
"Oooh, does that mean we get to kick some puffy white mad zionist butt?"
"laziness"
To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
This is why I do all my online banking using Gopher.
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
All's true that is mistrusted
This isn't Malware, this is advertising for Apple. THIS is why I buy Macintoshes.
What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?
By reading this you acknowledge that you have read it.
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
My sister is very, very attractive - Nietzsche
Stuff like the google search bar? Does that count?
Dear toilet user!
Online banking and voting are insane ... we have been lucky up to this time.
... you never know what transaction you are verifying, and if your computer is rooted it can be anything at all.
If the next guy to find a buffer overflow on Windows decides to just abuse it to target a couple of banks to hijack all transactions, we will have chaos on a scale not seen before. One-time verification helps a little, but only a very little.
Both online banking and online voting will only be acceptable if they use external devices on which users can verify transactions. Mainstream OSs are too complex to trust.
This seems like it's a pretty big deal. Good thinking by the author, he should be complimented, then put away.
How long will it take for everyone to switch to Firefox? I sure hope it's happening.
You know you really have something going for you when a single application in your product line helps define its own genre of exploits:
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...
The Army reading list
If my answers frighten you, stop asking scary questions.
From the article:
It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Download my free songs!
I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
netscape.
When there's no competition, M$ can get away with this crap. Let's face it, even with this 99% of people won't switch from IE, solely because they don't even realize they have a choice anymore. If there was actual competition in the industry (aside from nerds who run firefox), then this crap would NOT be allowed by M$, because it would mean certain death for any share of the browser market they held.
How many times does it have to be said? DON'T USE IE. Period. End of story. Fin.
(Score: -1, Redundant)
sulli
RTFJ.
As a programmer, I feel the continual march of progress in computing has been hampered as of late because of a major misconception in some segments of the software industry. Some would argue that the process of refinement by iterative design, which is the subject of many texts in the field -- extreme programming being the most recent -- demonstrates that applying the theory of evolution to coding is the most effective model of program 'design'.
But this is erroneous. The problem is that while extremely negative traits are usually stripped away in this model, negative traits that do not (metaphorically) explicitly interfere with life up until reproduction often remain. Additionally, traits that would be extremely beneficial that are not explicitly necessary for survival fail to come to light. Our ability to think and reason was not the product of evolution, argues a new and credible scientific theory called intelligent design, but was deliberately chosen for us. Perhaps this is a thought that should again be applied to the creation of software.
It makes no sense to choose the option of continually hacking at a program until it works as opposed to properly designing it from the start. One only has to compare the security woes of Microsoft or Linux with the rock-solid experience of OpenBSD for an example. It makes little sense from a business perspective as well; it costs up to ten times as much to fix an error by the time it hits the market as it would to catch it during the design. Unfortunately, as much of this cost is borne by consumers and not the companies designing buggy products, it's harder to make the case for proper software engineering.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Not to discuss about IE, what about banks using different password entry schemes?
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
Marcelo Vanzin
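A worked model of the two-digits-per-button scheme described in the comment above, added here as an illustration; it is not code from any bank or from the commenter. The six-digit PIN, the five-button keypad and the salted-hash verification on the server are my assumptions about how such a system could be built. The last function also shows the scheme's limit from a defender's viewpoint: each press reveals only which pair held the digit, so one observed login leaves 2^6 candidate PINs, and further observed logins of the same PIN with fresh keypads shrink that set, which is why it raises the bar against keyloggers without replacing a one-time code.

```python
import hashlib
import hmac
import secrets
from itertools import product

PIN_LENGTH = 6            # assumed; the comment does not give the PIN length
BUTTONS = 5               # "5 buttons ... with combinations of two numbers"
KDF_ITERATIONS = 20_000   # kept low for the demo; use a higher cost in production
_RNG = secrets.SystemRandom()


def make_keypad():
    """Return this login's keypad: five buttons, each labelled with two digits
    ("press this if the next number is 3 or 8"). The digits are shuffled on
    every call, so both the pairing and the button order differ per login."""
    digits = list("0123456789")
    _RNG.shuffle(digits)
    return [tuple(sorted(digits[i:i + 2])) for i in range(0, 10, 2)]


def press_buttons(keypad, pin):
    """Client side: for every PIN digit send the index of the button whose
    label contains it. The digit itself never leaves the client."""
    return [next(i for i, pair in enumerate(keypad) if digit in pair)
            for digit in pin]


def pin_hash(pin, salt):
    """Salted PBKDF2 of a PIN, so the server need not store PINs in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def candidates(keypad, presses):
    """Every PIN consistent with one keypad and one sequence of presses:
    two digits per position, so 2**len(presses) distinct strings."""
    return {"".join(digits) for digits in product(*(keypad[b] for b in presses))}


def verify(keypad, presses, salt, stored_hash):
    """Server side: the presses match if any consistent PIN hashes to the
    stored value. With six positions that is at most 64 KDF calls per attempt."""
    if len(presses) != PIN_LENGTH or any(not 0 <= b < BUTTONS for b in presses):
        return False
    return any(hmac.compare_digest(pin_hash(pin, salt), stored_hash)
               for pin in candidates(keypad, presses))


def remaining_after(sessions):
    """PINs still consistent after several observed (keypad, presses) pairs.
    One login leaves 2**PIN_LENGTH candidates; each further login with a fresh
    keypad intersects the candidate sets, which is the scheme's limit."""
    remaining = None
    for keypad, presses in sessions:
        consistent = candidates(keypad, presses)
        remaining = consistent if remaining is None else remaining & consistent
    return remaining


if __name__ == "__main__":
    pin = "284610"                      # constructed sample PIN
    salt = secrets.token_bytes(16)
    stored = pin_hash(pin, salt)
    keypad = make_keypad()
    presses = press_buttons(keypad, pin)
    print("keypad:", keypad)
    print("presses:", presses, "accepted:", verify(keypad, presses, salt, stored))
    print("candidates after one login:", len(candidates(keypad, presses)))
```

The server never receives a digit, only button indices, and it can still verify against a salted hash by trying the 64 consistent PINs; the cost of that loop is the price of not storing the PIN in clear.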
What is the point of pushing Firefox and other alternatives on /.? Is there anyone reading this that still uses IE?
Come on Bill, lets see you put your money (its not like you don't have enough of that) where your mouth is.
Your 48 hours starts now.
I gots ta ding a ding dang my dang a long ling long
When will us Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)
"Gee I'm glad I use Firefox on Windows"
FWIW the 0.9.1 upgrade may help convert a few more Invariably Exploited (IE) users.
The phrase "Invariably Exploited (IE)" is patent pending, though infractions won't be dealt with until SCO's lawyers have a bit more time on their hands
mailto:EatSpamAndDie@princeweb.com
What would it take to do this in other browsers, say on Linux and Windows?
Would java enabled make it easy?
What about just javascript?
Is switching browsers enough? After that business last week about the IIS + IE sucker punch, I very much distrust anything running on Windows, for fear that the entire system is so easily compromised. If every key stroke is logged, every file is scanned, any DLL can be replaced, you really need to adopt an "X Files" kind of mentality, or you aren't paranoid enough. (they ARE out to get you, where they = black hats; you = people with anything valuable on a computer)
:-)
I *do* use Windows -- as a home entertainment center. At this point, there is no way I would consider putting anything like bank account numbers or SSNs on a Windows box. I have no illusions about the perfection of Linux, but there is something to be said about a diversity of platforms. I've never loaded BSD myself, but maybe it's time to start diversifying my software portfolio (OTOH - I can hardly wait to try to find *those* drivers).
My opinion of businesses considering using (requiring?!?) Windows for any kind of accounting or personal information just sunk another notch lower today.
-- END RANT --
Yow! I'm supposed to have a plan?
"Oooh switch to firefox" is the most ignorant and misguided response to this. Does soccer mom really care about a firefox? Nope.
This activity needs to be ILLEGAL...and that's the only way to stop it. They're wiretapping without consent.
Oh, and before the pro-firefox people jump all over me...allow me to show you my browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.8.
...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password is the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (ie, a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Easy, automatic testing for Perl.
Just download the zip file, and extract it - you should be able to run it in place from a directory!
Also complain to your company security team about having to use an insecure browser.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
basically it's a keylogger?
But Does it Run on Linux?
I'm not a religious person... but I will now attempt to pray...
God, it's me, Anonymous Coward, I beg you, have the l33t hax0rs of the world unite to develop exploits and hacks against Linux and Firefox so that open source zealots can no longer scream about how secure their software is. Any competent person or deity (ie you) knows that there are potential exploits in both, but most have not been found because most do not look as hard as is done with Windows.
If you do this for me... I promise to sell my soul to your minions in Redmond and banish any Linux or Open Source related product from my home from now until eternity.
Amen
I am glad I use FireFox on Linux and not such shitty software that gets a new exploit every week that has the potential to fuck up my life! All I want is to browse the Internet, not risk losing all my money.
Are they even paying attention? At first it was .exe worms in email, then it was network-layer exploits, and then it was spyware, and now in the past week it seems that IE is totally unsafe for any purpose whatsoever.
What's amazing me is why Microsoft isn't *running* to provide patches, for at least XP and 2K, to mitigate this. They're offering non-solutions like disabling Active X and Javascript. Sure, fixing the problem may mean some serious breakage for some in-house software someplace, but does anyone care that Spyware+Malware+IE is rendering their operating systems junk?
Are they even paying attention? Is XP SP2 a magic fix? Is it just too badly broken to even BE fixed?
If they don't already, credit card companies and banks should have several unsecured computers hooked up to the internet and create bogus accounts so they can track where the information is going to. As soon as someone attempts a transaction with the information out come the cops.
/ Hmm, better read the article in case something similar was mentioned. Good thing I'm an A.C.
According to the "complete findings" linked from the article, the phone number belongs to a school in Kansas.
I have no problem with online banking et al, but I was talking to my accountant yesterday and he said he will never put a credit card number or transfer money using the internet. He is an older gentleman and I wasn't about to go on about how SSL and other tech keeps this stuff safe, but it makes you think. Why would I put my information so easily available out there? I will continue to use the internet for online banking and such because I feel I take the necessary precautions to keep myself safe. Makes you wonder, will there ever be a time when you will be safe on the internet? I would say no. What are your thoughts?
My well being does not depend on my slashdot score.
What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?
"Derp de derp."
How ironic... this gets posted just as finished reading Steven J. Vaughan-Nichols article on dumping IE after seeing a link to it on NewsForge.
And the phone number's bogosity is both noted at the end of the complete write-up linked to at the end of the article, and something which Google would tell you, if you thought to look.
//Information does not want to be free; it wants to breed.
Microsoft's software doesn't have any problems, it's always at the fault of the user.
*rolls eyes*
... you are preaching to the choir here? I mean, there are at least a few Mozilla/Firefox/Thunderbird stories on here a week! We all know what it is! Rather than preach your comments about switching here, instead, preach to your parents and friends that still might use IE. Send them news stories for them to read. Unfortunately, it takes a real experience for them to have a change of heart. Don't let that happen!
Hmmm.
Funny, CIAC Issued a warning about BHO's in early 2002 Link to warning
The reason why people still use IE - EVEN when an alternative is shown - is because it's familiar, and because: - "my favourite websites don't work!" - "It's slow!" - "What is this crap." Coming from people like my sister. I even tried the IE icon trick but she insisted that I put IE back on. However, articles like this - where your bank password will be stolen if you use IE - well here we go, this is something that I could convince my mom with, as well as my sister.
It seems that some people have been studying...
It looks like hunting season has been opened...
IE users, do yourself a favor and start listening to all the bright people on here telling you to use Firefox or Opera...
I use Phoenix/Firebird/Firefox since 0.4 and am happy since.
This is a huge opportunity for Mozilla if they really mobilize and take advantage of it before I.E.'s team and Dave Massy get going on their "renewed effort on Internet Explorer."
I posted this in another thread, but for those of you who don't know, you can get rid of BHO's with BHO Demon .
I run ad-aware and Spybot search and destroy but BHO Demon found some crapware that neither adaware or spybot found.
I'm not a windows user, but tons of my friends and family are. I worry more and more that they will fall victim to IE-based exploits. This recent issue is finally causing me to act.
Can someone point me to an easy-to-read article that explains the problems with IE, what alternatives like Firefox exist, and how to switch? I want to send it to everyone I know, urging them to switch away from IE.
_______
2B1ASK1
... on http://www.refestltd.com/. Also, Infoworld, "the Globe and Mail" (?).
Now, given that the website only claims "as mentioned in" those publications, there may not be much the publishers can do. "Mentioned" covers a wide range of possibilities, from "recommended" to "stay away from this at all costs".
Anyone care to tip off PCWORLD, etc?
The real "Libtards" are the Libertarians!
"The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis."
Does another exploit change the .gif name to .exe or attempt to unzip the .gif file? If not, why does IE allow .gif's to be installed?!
I'll consider it as soon as they come out with a formal release (ie: v1.0+). It's still in beta, from what I can tell (v0.9). I don't run beta software on any of my business machines.
I'm surprised that there are still banks that don't use one-time passwords.
Microsoft has reviewed the problem and their recommendation is that you continue to buy more Microsoft products.
A feeling of having made the same mistake before: Deja Foobar
This guy is a creationist, mod down.
Gates says MS is getting faster fixing security holes.
I finally got my money back (only after a threatening, certified letter stipulating hard deadlines and escalations), but some crook (my guess is from the dealership) got off scot-free. Thanks to the FBI and so-called anti-terrorism. I feel safe.
So apparently these password thingies are working out too well... how about a new option... just say the password we want out loud, then every time we want to log in, our dead relatives will relay the message to John Edward, who is conveniently stationed at our bank! He will then call us with any information that we require! (of course a service charge of $9.99 will apply)
Unfortunately this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorance is a public service campaign like the anti-drug campaigns.
[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]
Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like google or CNN.
What surprises me the most is that the AVERAGE user does not really rely on any IE-specific functionality. Sure, corporate users may have specialized apps that require IE because of plug-ins and ActiveX and what-not, but not most users, and not even most business users. So why do they not switch to something like one of the Mozilla flavors? Do they not know they are there? Do they think they don't work with Windows (only that Linux thingy), that it lacks functionality they need?
I switched my wife to Firefox, it even sort of LOOKS like IE...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Unlike the domain name, this will not be fraudulent:
host www.refestltd.com
66.226.64.11
whois 66.226.64.0
Abacus America Inc.
ABAC
5276 Eastgate Mall
San Diego
CA
support@aplus.net
All's true that is mistrusted
These are some of the things molecules do...... given 4 billion years -Carl Sagan
After last week's CERT advisory, there should only be a handful of them left.
Not saying that something similar couldn't be done for Firefox or Opera of course ... it stands to reason that if something can be "plugged into" an application, like these BHOs, and that they can do stuff with the page content, or intercept form data before any transport stage, that this was bound to happen at one stage or another.
... it happens on IE, and thus IE's entire design is flawed. Quite how any corporate institution can continue to use IE instead of wiping it from all hard drives for security reasons is beyond me.
But
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
"I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser."
The debug build of Safari would let you spoof the user agent. A site requires MSIE? (click) Oh look! I'm MSIE now.
Looks like there's an extension for Mozilla that does the same.
Might help. Of course I then set it back to the regular Safari/Firefox/non-MSIE user agent ID so that any webmasters gathering stats will see that there are folks who (gasp) actually don't use IE.
New and credible eh? Well crafted but a troll nonetheless.
There is no interface to just blatantly let software attach itself to firefox, you can install plugins, but a page has to call a certain type of plugin for it to be used.
Neither Javascript nor Java would cause any type of vulnerability, since the bank pages would not be running either. Applets have very little power to begin with, so you'd have to download and run a Java program for it to even think about keylogging and sending.
So no, not all browsers are weak and just not targeted, IE is just an incredibly insecure POS. I worked for 9 months at a university tech-help center where the VAST majority of our time (we're talking 90% of a multimillion tech help budget) was spent on cleaning spyware from IE. I answered a hundred or so calls on a shift, every few weeks I'd get a call from a mac user....almost always because exchange wasn't configured right on their mac. And yes, I run FireFox on FreeBSD....
No, I just meant the whois query was for the correct domain but when I was typing the response here I accidentally added an "l". That info is the whois query for refestltd.com.
All's true that is mistrusted
Oh, it's the big 'e' on my computer.
It said it was out of memories so I deleted all my games but it still won't run right. I thought the Internet didn't need memory.
It's time to send a message. Larry Sanders, Larry David, and Deadwood be damned! The bad just outweighs the good in this case. Join dyslexics against BHO now!
To get around the "teaching others to use a new browser", I just loaded Firefox, added a luna skin to make it look like IE, and then used firesomething to change the name to "internet explorer". They barely know the difference!
But for those that are unfortunate enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets Windows users see what BHO's are loaded at any particular time, so I would assume that this malware would show up here as well. It's a quick way that someone can find out just what is running in the background.
http://www.definitivesolutions.com/bhodemon.htm
BHODemon 1.0
That's funny considering I can't use my bank's Internet system; it says it requires IE for security purposes.
- go to http://www.mozilla.org/products/firefox
- download the windows installer
- run aforementioned installer
- Realise that installer automatically imports IE favourites
- Select the Internet Explorer icon, press "Del" key
- When asked if you are sure, say yes (with extreme prejudice)
it's really that simple, for added effect you could try replacing the firefox icon with the explorer one (right click|properties|change icon|browse to iexplore.exe|select the icon from the ones that come up), that's what I did as I was used to clicking on a blue e. After a while I weaned myself off.
I am NaN
I worked for the Canadian govt for a while and they use a product called SecurID. It basically generates a new number every 40 seconds; this number forms the last half of your password. If banks forced customers to use one of these then your passwords would be a lot more secure and almost all of these security problems would be a lot less of a problem.
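The token described in the comment above, and the one-time password list the Finnish-bank commenter described earlier in the thread, can be illustrated with an HMAC-based time code. This is an added example, not RSA's SecurID algorithm (which is proprietary) and not code from either commenter: it uses the RFC 4226 HOTP construction with a 40-second time step as the comment describes, a constructed token seed, and an assumed six-digit code appended to a static password. The server side tolerates one step of clock drift either way and records which steps it has already accepted, so a code captured by a keylogger or a hooked form is useless once it has been used.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 40      # the comment describes a number that changes every 40 seconds
CODE_DIGITS = 6        # assumed code length


def code_for_counter(seed, counter, digits=CODE_DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def time_code(seed, at=None, step=STEP_SECONDS):
    """Token side (RFC 6238 style): the counter is the number of whole
    steps elapsed since the Unix epoch, so the code changes every `step` seconds."""
    now = time.time() if at is None else at
    return code_for_counter(seed, int(now // step))


class TokenVerifier:
    """Server side: knows the token seed, tolerates `window` steps of clock
    drift either way, and accepts each step's code at most once."""

    def __init__(self, seed, window=1, step=STEP_SECONDS):
        self.seed = seed
        self.window = window
        self.step = step
        self.used_counters = set()

    def verify_code(self, code, at=None):
        now = time.time() if at is None else at
        base = int(now // self.step)
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used_counters:
                continue            # a replay of an already-accepted code is refused
            if hmac.compare_digest(code, code_for_counter(self.seed, counter)):
                self.used_counters.add(counter)
                return True
        return False

    def verify_password(self, submitted, expected_static, at=None):
        """The comment's scheme: the static part of the password followed by
        the current token code. Both halves must check out."""
        if len(submitted) <= CODE_DIGITS:
            return False
        static, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]
        if not hmac.compare_digest(static.encode(), expected_static.encode()):
            return False
        return self.verify_code(code, at)


if __name__ == "__main__":
    seed = b"12345678901234567890"      # the RFC 4226 test seed, used here as a constructed token seed
    verifier = TokenVerifier(seed)
    now = time.time()
    code = time_code(seed, now)
    print("current code:", code)
    print("first use accepted:", verifier.verify_password("static-part" + code, "static-part", now))
    print("replay accepted:", verifier.verify_password("static-part" + code, "static-part", now + 5))
```

With the RFC 4226 test seed, counters 0, 1 and 2 produce 755224, 287082 and 359152, which is a convenient known-answer check for the truncation step. The `used_counters` set is what turns a time code into a true one-time code; without it a captured code remains valid for the rest of the step plus the drift window.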
No, he runs on Windows. Can't you tell?
Bust out all your mad coding skills and throw up a rogue Windows patch site to install your own 'patches' onto the Windows OS/IE to fix these problems.
You sit here and spout about how much MS ruins the world, and make fun of your end-users (without whom you would have no JOB) to the point of weary. Yet, you do nothing to FIX these problems. According to you they don't know any better... so instead of worrying their feeble little minds with learning a new browser, put your dual 4.5 GHz biological thinking machines to work and fix the BHO/SSL problem along with world hunger.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Sure, it's interesting. But any tool can be used for practically any purpose, good or bad. Whether it be FOSS or proprietary software, in this case.
The fact remains, we won't ever be able to control what purposes tools will be used for, unless of course we're willing to give up more basic freedoms. Think RIAA for example.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
There's a good explanation of BHO and how malware authors tend to exploit it here.
Maybe this is the kick in the pants that M$ will get now that financial institutions are targeted with an exploit from a badly-designed browser model.
Which is nice.
Wearing pants should always be optional.
Somewhat ironic, considering most banks -- at least here in the UK -- will send an error, or physically stop you from using their system in the interests of security :)
Is there, somewhere, a good, complete list of recent (say for all of 2004) IE exploits to show the PHB?
Thanks
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Right now they are off fighting the War on Drugs, the War on Terrorism, and the War Against Civil Liberties. They are sitting in theaters putting people in jail for 3+ years for recording a video, or helping track down and arrest people who break 'encryption schemes' like ROT13 for Adobe, or people reprogramming their set top boxes. Major corporations aren't affected by this, so the FBI doesn't care much.
I think their priorities are grievously misplaced.
Don't you know the proper way for citizens to solve their problems today?
1. Incorporate yourself
2. Make a $1000 contribution to the Corporate Party (DNC or RNC, doesn't matter which)
3. Sue them for $10000, and get your pol friends to bring in the FBI
4. PROFIT!!!
"The Justice Department's spending on cybercrime would leap from the $157 million allocated by Congress for the 2003 fiscal year to $265 million. The agency's Internet Crimes Against Children program, which investigates child pornography and "enticement" cases, would receive a $2 million increase, to reach $14.5 million."
Even if the Justice Department "only" had $157M in 2003, you'd think there would be a bit more to show for it. But this is the US government we're talking about. There are doubtless a good number of motivated and competent people in the US government who are diligently working to combat cybercrime.
The problem is that US government agencies are notoriously slow to adapt to change. Having worked in one before, I can attest to how frustrating it can be to try and get even simple, obvious tasks completed when groupthink prevails. It must be incredibly frustrating for the folks working in those departments who are trying to go after cybercriminals.
Read the EFF's Fair Use FAQ
Is there a skin that acts exactly like IE? I'm looking to swap my family computers over and would like an IE interface. I've tried education to the family and it just hasn't worked really well. Tabs? What do they care? Adblocking? Who's got the time? They're just ads. Every feature I introduce doesn't really sell them. So basically, they would like to stick with Internet Explorer. However, clearly, I can't let them with all this crap flying around these days. That being said, I just want a way to make Firefox look like IE so I can do a swap. Anyone?
Disagreeing with me does not mean you get to mod me troll.
obviously, the bhodemon is a very useful little tool, but why does the icon for the little executable look like someone took the napster cat, doused him with kerosene, and flicked a match in his direction?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Unless, of course, I've lost all my marbles...
Dream as if you'll live forever.
Live as if you'll die tomorrow.
~Anonymous~
Okay folks, now is the time to DEMAND your online banking providers to switch to a one-time pad system for passwords.
Many banks in the EU have already done this. Why are banks like BANK OF AMERICA and others still using simple passwords?
Just Use Knoppix, At Least Then You Will Know Nothing Has Been Installed To Spy On You! http://www.knoppix.org/
My passwords are just little black dots when I type them.
------ How can making people laugh lead to bad karma?
That's assuming the file was named xxx.gif.exe, but the article doesn't say that. Obviously there was a payload inside of it, obviously Microsoft blocks executables (generally) from being run. I'm just trying to figure out how the gif file (assuming that it doesn't have the .exe extension) could get executed if you're using reasonable security.
It is a compressed Exe-File with a .gif ending. The user didn't run as admin and the Windows XP policy was in place so the file couldn't install. Through this it came to the admin's attention. I guess Firefox wouldn't have been a more difficult target.
As soon as a trojan gets executed on your machine you can just hope you didn't do it with root-powers and that the trojan won't find a way to raise its privileges.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
Many people work at big (or small) companies that use Windows on desktops and have opted to not install any other browser than IE. Corporate users don't have a choice. The laziness is not only of home users, but also of PHBs.
... cost. The silly device and the licensing and support (those things go out of sync) cost a bundle. They figure that the cost outweighs the benefit, I guess.
A two-factor authentication would be the way to go, for sure. Someone else in this posting thread mentioned that his Finnish bank gives him a one-time use list of passwords (known as a strikelist).
Which is nice.
Wearing pants should always be optional.
Oh for fuck's sake, puhlease, spare us your whinging. The FBI were absolutely right that $1000 is too small an issue for them to get involved. This would have been as true before Sept. 11 2001 as it is now; "anti-terrorism" has nothing to do with it.
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" phase, but I see fewer Firefox and Mozilla fixes than there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
I DO use FF. But how do I really know it's any more secure than IE? Or Some Other Browser(TM)? I don't. Seems to me we have come to the point where the computer just can not be trusted. (If you say some other OS is safer, you may be right today, but wrong tomorrow.)
Is it possible to have a truly secure box that is used for
and doing online transactions? How many banks allow their employees or customers to use their ATM network for all of these purposes? What's needed is a more robust model: Specialized hardware and software, maybe something similar to VPN. I don't think a generic PC will ever be secure enough, regardless of OS. It's time to think of new solutions for security problems.
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
So apparently I'm the first one to RTFA, because I would think someone would have commented on this by now. This bug sends your passwords to a script at , and refestltd.com appears to be in the business of (or at least it points to someone who is in the business of) selling anti-spyware software. Coincidence? Conspiracy? Joe-job? Bueller? Bueller?
Media that can be recorded and distributed can be recorded and distributed.
-kfg
First (Gee, I SURE AM GLAD to be using Firefox on Windows!) and foremost, what if the creators of this are students of the high school who are obviously smarter than the paraprofessional at the front desk who takes calls? They could have set up a webhosting account using the school's name and phone number to look legit, or call it a "project" or something. Of course, I could just be a complete moron, too.
I'm going for Option Number Two.
=]
The whole Microsoft direction seems to be as friendly as possible to hostile code. That's a case for a negligence class action.
If there was an exploit in Firefox, how long would it take to be detected? I mean - who finds this stuff? Surely the new popularity of Firefox will lure some malicious intent.
Personally, I'd like to see more data on how long the virus or whatever has been floating around before anyone noticed. Otherwise, they might as well tell me that my passwords have been exposed for years, but no-one realized.
Who is going to do that with IE? It's getting to that point now isn't it?!
How are we going to migrate a whole bundle of non-technical users off IE anyway? Firefox payload super-virus perhaps?
Ah, okay. The CHM exploit is what this whole shebang has been all about...
Mozilla based browsers can't access windows update. It's an issue with lack of standards support in OpenSSL, so just changing the browser string won't fix it.
So if you're using only Firefox and you haven't enabled automatic updates, you can be sure your computer is vulnerable to all the latest Windows holes.
Bank One works fine with Firefox and it is a modern nationwide bank. Not that I am saying their service or anything else is better, but they are not bad.
Just switch. The ones that adapt will survive; the rest, thankfully, will disappear.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
They've been getting away with inferior (and dangerous) products since long before they gained a monopoly over the browser domain. Using their existing OS monopoly to force vendors to not package Netscape or Opera they effectively nulled out the competition. Customers knew they had a choice then exactly as much as they do now: hardly at all.
Microsoft doesn't have to listen to customers any less now than they ever have. The only thing they listen to is the ka-ching of the cash drawers whenever another customer buys a machine bundled with Windows.
><));>
I once saw a door with a keypad where the numbers were LEDs under funny plastic. Every time you entered the numbers would be rearranged but your pin was the same. The numbers were pretty much only readable from directly in front of it. An on-looker could not get your pin (as easy). An interesting additional security measure.
What the hell!?!? Microsoft promised me that Windows was more secure than Linux!?!?
-=-=-=-
And yes, a bug in Explorer counts as a bug in Windows, after all they're the ones that were so insistent on building the web browser directly into the OS.
Freudian slip?
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Obligatory 'install the patch' link here...
I wouldn't have realized, because like you say, I don't use them. I don't use firefox because it's got a lot of features. I use it because it works, it renders pages correctly, and it doesn't hose my system.
What have extra features got to do with it? Unless "working right" is an "extra feature" in your world...
If it helps, Kerry is running an insecure LAMP install:
http://uptime.netcraft.com/up/graph?site=johnkerry.com
While this naively may seem like a good idea, it has enormous potential to blow up in your face.
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever they need it. Refuse this, and you will cast a bad light on open source. (i.e.: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) form political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
Try out links on the framebuffer command line. All the graphics without the bloat! You'll never need a window manager again!
We'll just add the following JavaScript into websites:
// Redirect Internet Explorer 5.5+ on Windows to a warning page
var userAgent = navigator.userAgent;
var MSIEIndex = userAgent.indexOf("MSIE");
// the version digits follow "MSIE " (e.g. "MSIE 6.0"); compare them as a number
var MSIEVersion = parseFloat(userAgent.substring(MSIEIndex + 5, MSIEIndex + 8));
if (userAgent.indexOf("Win") != -1 &&
    MSIEIndex != -1 &&
    MSIEVersion >= 5.5)
    window.location.replace("IE_BAD.htm");
and let those still using IE suffer.
---
IMHO, of course.
May the SOURCE be with you.
Also, the FBI did specifically confirm that due to the multiple states involved, it would normally be their case, but that due to their new focus they could not handle it. So it's their word against yours that "'anti-terrorism' has nothing to do with it."
I have such little respect for the FBI now, that I will never lease or finance again, to ensure that the transaction stays within the same state and I retain access to redress.
I'm sure a huge percentage of people out there won't/can't/too-lazy-to download any of the alternatives. It's nice so long as they don't affect other people when malware like this hits. But there've been cases where software have been used to effect a DoS.
Nothing to do but keep informing people as we meet them.
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
What's wrong with taking a 4x4 shopping? I have successfully migrated my various family members in far-flung states to Firefox, people who call IE "the Internet." Either install it during a visit, or, if need be, talk them through it over the phone. If they don't want extra features, they don't have to use them. Once they're comfortable, though, casually suggest they try, say, tabs. Then eventually they're installing their own extensions! If they're not part of the solution, you know, they're part of our problem. So you have to do a little free tech support. Big deal. Consider the opportunity here to create a user base for open source software in the general public. This is a beautiful opportunity to wow them with better software. Don't squander it.
grammar-lesson free since 1999. (rescinded - 2005)
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high percentage of people use it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Read the EFF's Fair Use FAQ
There's a risk associated with accepting credit cards, but most merchants choose to accept that risk to increase their customer base.
Similarly banks put themselves at risk by providing online banking, but that risk must be sufficiently small compared to the number of customers they'd lose if they didn't provide that service.
I know there's a risk in using my credit card online, but the financial and time cost of credit card fraud (in my personal case) is far lower than the financial and time savings I've made through buying online.
Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
Here in Switzerland, the online banking system is the same with "scratch-list" or a list of one-time passwords that are used one by one for each access to the online banking service. Recently, UBS and some other banks have an even better solution. Instead of a paper list that somebody may secretly take a copy of, they give the customers some type of smartcard and a special small calculator-like device to read it. Each time you access the bank's website to do some banking transactions, you enter your user and password, then a number is displayed on the screen. You enter this number in the card-reader holding the smartcard you have, and it returns back a hash value that you enter in the webpage. Now, each user has a unique smartcard and the number that the webpage generates is random so there is practically no way to predict the needed hash value to access the banking record unless you can physically access the smartcard. And needless to say the smartcard has itself a user selectable password that can be changed using the card-reader to protect it against theft. This way, even a bank employee can't steal your password and/or scratch-list!
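The two schemes posters in this thread keep returning to (the printed one-time "scratch-list"/strikelist, and the PIN-protected smartcard challenge-response described just above) are modelled here as an added example. This is not code from the article, from any bank, or from anyone in the thread; the card computation is assumed to be HMAC-SHA256 purely for illustration, and all codes, secrets and user names are constructed.

```python
import hashlib
import hmac
import os


class ScratchList:
    """Bank-side record of a printed list of numbered one-time codes.
    Each code is accepted once, so a code captured by a keylogger or a
    malicious BHO is worthless the moment the customer has used it."""

    def __init__(self, codes):
        self._codes = dict(enumerate(codes, start=1))  # position -> code
        self._used = set()

    def verify(self, position, code):
        expected = self._codes.get(position)
        if expected is None or position in self._used:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self._used.add(position)  # strike it off the list
        return True


def _response(secret, challenge):
    # Assumed card computation: HMAC-SHA256 over the challenge; the
    # 8 hex digits are what the customer would type into the web page.
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Card:
    """The customer's smartcard plus reader. The secret never leaves the
    device; the PIN unlocks it and is checked locally, not by the bank."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin

    def respond(self, pin, challenge):
        if pin != self._pin:
            return None  # wrong PIN: the reader shows nothing
        return _response(self._secret, challenge)


class BankServer:
    def __init__(self):
        self._secrets = {}   # user -> card secret shared at enrolment
        self._pending = {}   # user -> outstanding challenge

    def enroll(self, user, secret):
        self._secrets[user] = secret

    def issue_challenge(self, user):
        challenge = os.urandom(4).hex()  # fresh and random for every login
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        challenge = self._pending.pop(user, None)  # each challenge is single-use
        if challenge is None or user not in self._secrets or not isinstance(response, str):
            return False
        return hmac.compare_digest(_response(self._secrets[user], challenge), response)


def demo():
    """Walk one login through each scheme; True if both behave as described."""
    scratch = ScratchList(["4821", "9030", "1177"])  # constructed codes
    results = [scratch.verify(2, "9030"), not scratch.verify(2, "9030")]  # reuse fails

    secret = b"constructed-card-secret"
    bank, card = BankServer(), Card(secret, "1234")
    bank.enroll("alice", secret)
    challenge = bank.issue_challenge("alice")
    results.append(card.respond("0000", challenge) is None)  # wrong PIN
    response = card.respond("1234", challenge)
    results.append(bank.verify("alice", response))           # genuine login
    results.append(not bank.verify("alice", response))       # captured response replayed: rejected
    return all(results)


if __name__ == "__main__":
    print("all checks passed" if demo() else "something is wrong")
```

The point the example makes against the BHO in the article: a keylogger that captures a scratch-list code or a card response gets a credential that the bank has already consumed, and the next login needs a different one. It does not address the poster further down who notes that malware controlling the PC can simply act inside the already-authenticated session.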
I sent a mail to the whole company when last Friday's attack hit the media. I told people to be careful with IE and if they wanted a browser that didn't have that problem to download Firefox (provided a link).
The company's CTO mailed me back and told me:
"Although we give users admin rights on the [w2k and XP based workstation] machines, you cannot install software without first checking with the IT department. This is more important when we are talking about basic OS components, especially for those doing web development because it could lead to different rendering results."
My answer was: "I never told them to install anything in the office PC, I assume some might have a PC at home."
What I like is the part where he thinks a browser is a basic OS component.
Only to a geek would not installing another browser be "laziness." Calling it that illustrates the fundamental anti-socialist nature toward non-computer-literate people who don't even know what a "browser" is. We're not high and mighty and above other people just because we use something called "FireFox."
I really must stop watching Comedy Central.
I don't want knowledge. I want certainty. - Law, David Bowie
Tear everything down and start again. If you can get someone to properly document your kernel, so that your own employees will have a chance of understanding it, go that deep.
Go as far as you need to to actually secure your OS and supporting suite. People aren't going to put up with this crap forever.
Windows had the potential to be a good system when you originally bought DOS, until you started piling "functionality" onto it.
Do you see what I did there?
So does this mean BHO really stands for "Butt-Hole Objects"? (Apologies to Mac 7100 owners and the late Carl Sagan)
Our ability to think and reason was not the product of evolution, argues a new [sic] and credible [sic] scientific [sic] theory [sic] called intelligent design, but was deliberately chosen for us.
This "intelligent design" thing is badge-engineered creationism, an attempt to sneak religion into school curricula by changing the packaging. It's not "new": Every culture on Earth has creation myths. It's not a "theory": It's an attempt to bend the evidence out of shape to fit a received opinion. It's not "scientific": It's religion. It's not "credible": Pat Robertson is not a credible figure in the field of biology. Bottom line: Re-expressing religious beliefs in fake "scientific terminology" doesn't make them scientific. That's not what science is. When you listen to creationists, it becomes very clear that they don't know what science is: They believe as firmly as the New Age dingbats do that "it's all a matter of opinion". (The "irreducible complexity" thing is just plain silly: What they're saying is "I can't think of any way for this to have evolved, so therefore it didn't." That's a perfect non sequitur. Ignorance is not evidence.)
Now that we've gotten that out of the way, you're no more than half-right about software design, either. Consider Multics. Consider, by contrast, any successful software design (e.g.: C, C++, Unix, Windows, Apache, Excel, or anything else that anybody actually uses voluntarily). Designers can't anticipate everything. Software sticks around. Successive versions do what the customers want them to do, or they get clobbered in the marketplace (remember Lotus 1-2-3?) They change over time. They change when QA discovers late in the game that the interface is unusable. They change for dozens of reasons, because any top-down design will be flawed and incomplete. This has been learned again and again for decades now. The lesson may not have had much impact on academic computer scientists yet, but they're in an entirely different business anyway (academia's not a business at all). Academia's the last bastion of belief in command economies, too, and for the same reason: It looks nice on paper. It sounds good to an undergraduate or to somebody with tenure who's never had to deal with real problems on a large scale. No nasty reality-driven complexities to confuse the issue. To somebody lacking a clue, command economies seem more "efficient" than free ones. In practice, command economies are a mess because government bureaucrats, even honest ones, can't anticipate everything any more than software designers can. In practice, a system like that is fantastically clumsy and wasteful.
It's seriously naïve to imagine that you can sit down and invent a complete Grand Design for a nontrivial piece of software and end up with anything usable or saleable. Too much must be learned by experience along the way. If you junk the whole thing after 1.0 and redesign 2.0 from the ground up, your competitors will happily eat your lunch and screw you to the wall while you're wasting a year or two (or three, or more; remember Mozilla?) re-implementing stuff which could simply have been fixed instead. In the real world, what you're talking about simply doesn't work. Designers do the best they can, and then things change anyway, and that's reality. That's how software happens.
Of course, the hippy-dippy "just let it grow" mentality is idiotically idealistic, too. Your error lies not in wanting to plan, but in believing that the Holy Plan will save you. It won't save you. Ever. If you get all plan-obsessed, you'll be lucky if the product is even functional at all, much less successful.
IHBT, I'm sure. Dragging perfectly irrelevant creationist cant into it in such a bland, disingenuous way is precisely the kind of thing I'd do if I were trolling.
Will finally consider officially supporting browsers other than IE ;-)
You complain about "lack of competition," but neglect to mention that Netscape fucking sucked by version 4. What's the point of bitching about competition if there wasn't actually any good competition? IE won out because it was the better browser.
Umm...
Dude I use Moz 1.6 to go to Fleet's site all the time, works great.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.
The report says that the malware contacts http://www.refestltd.com/cgi-bin/yes.pl and if you go to http://www.refestltd.com/, it points you to download a spyware scanner.
Here is a sample of an email I sent recently:
With the almost daily announcements from Microsoft about security vulnerabilities in the Internet Explorer web browser, I now use the Mozilla.org web browser. Unfortunately, the BANK-NAME web site requires Internet Explorer. I very much enjoy BANK-NAME's online services, but do not feel secure using software that has a negligible security record. I will be doing all my banking and account access directly at my branch office until I am able to access my online account with a more secure browser. Thank you much for your time.
Sincerely,
my-name
itadakimasu
Geez, great way to help these assholes improve their trojans, dumbass. Way to go for stupidity.
With IE security holes and exploits being announced almost daily, it might make you wonder why people would continue to use a piece of crap like IE. I wondered the same thing until recently when I had the following conversation with a friend, who is not exactly "computer savvy".
Friend: [asks me a bunch of questions about IE and Outlook Express]
Me: "I really don't know. I never use those programs"
Friend: "Oh. [looking very surprised] I thought you *HAD* to use them."
Similar issue here the other day with my wife's Mac (safari and mozilla both).
Not sure I can use the brackets, but you'll get the idea here anyway.
input type="text" " name="foobar"
(Note the extra ")
Safari/Mozilla (rightly?) barfed on that portion of the form, and wouldn't submit a value for foobar. I *suspect* IE works just fine with it, as the company hasn't yet replied to us about it not working for them. We're demanding a refund because they can't/won't fix the problem after 5 business days.
creation science book
If you can't get that program when sp2 comes out for xp it adds management for plugins to ie. You can disable them but not turn them off. M$ got it half right I guess.
The average user does not want to go to that serious trouble just to log into their banking.
Any serious virus writer can go one step further by taking control of the user's PC once logged in, so this is really a pointless defense.
I can't really do much with my online banking anyway. What are they going to do, transfer money between my accounts and order boxes of checks? Whoopdie doo.
Get yourself a Tailored boot from cd Linux distribution :
Knoppix
MandrakeMove
PcLinuxOS
This was my first thought too. However it's the wrong people you have doing the mobilising. *We* need to mobilise. I'm mailing out to all my friends and family to make sure they know about this threat to their assets. All they need to know is "Your IE bookmarks appear under Imported Bookmarks". Mozilla market share through the roof, standards win, open source wins...
Sig pending!
i just love it when a plan comes together
penalize them for failure to reveal risk.
Actually, there have been scams like that, for some time. There was even a great online documentation of one such device that someone found attached to an ATM.
Amazingly these crimes aren't being tracked down by the FBI either.
Right now if you're not threatening national security by using DeCSS or Kazaa then you're off the FBI's radar, they have bigger payoffs... er lobbyists... er... I mean problems to take care of.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I won't link to the Mozillazine Forum thread on this issue (since they are having bandwidth problems), but you could just search for my username there (Jimmy_C) for the original thread. Rest assured that this is backed up. The latest Mozilla Firefox builds have a feature where only extensions from white-listed urls can be installed. The UI for this feature works almost exactly the same as for popup-blocking.
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
Eighty million bugs have been created by intelligent designers of software in the last decade alone. The irreducible complexity of pointer arithmetic proves that the only workable data-security model is prayer.
Damn it, I was just browsing something before going home and thought it was HBO stealing my bank account number.
There is a spark in every single flame bait point.
I won't link to the Mozillazine Forum thread on this issue (since they are having bandwidth problems), but you could just search for my username there (Jimmy_C) for the original thread. Rest assured that this is backed up.
The latest Mozilla Firefox builds have a feature where only extensions from white-listed urls can be installed. The UI for this feature works nearly the same as for popup-blocking. The only default white-listed site will be hosted by Mozilla.org. In addition to the no-silent-install policy and the built-in delay before the accept button is activated, this new feature should help prevent these types of attacks against Firefox from being practical.
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
Sorry; I pressed the "enter" key by accident. Since I'm online with a slow connection (dialup), there is often a large delay before a submitted form page is displayed. One did not display for me and I didn't realize that I already submitted this. Why, oh why, doesn't /. have a mandatory preview before comment submission like any sane forum? :-&
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
I'm sick of this argument. There are plenty of ways to add stuff to your Honda; and if you don't know how to work on cars you pay someone lots and lots of money to add them. You're right, BHOs are an awful idea, but the poor design of one piece of software does not mean computers aren't meant for regular people. All a "regular" person has to do is use Mozilla. It's not like knowing how to build a differential, it's like knowing what grade of oil to put in your car. If you don't know, ask somebody who does.
Not that it isn't also the company's fault. They go out of their way to tell people that they can turn their brains off when they plop down in front of a monitor (just like TV), and you can't do that. But there is a happy medium between deep internal knowledge and dangerous ignorance, and most end users are way on the dangerous ignorance end.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Did you RTFA?
This is a .gif file. Even those who are smart enough to disable Microsoft's filetype hiding (because, obviously, users are too stupid to deal with file extensions) would think that this is a quite safe, viewable file. But Microsoft, in their infinite wisdom, ignores the extension and determines what type of file it is by examining the file structure directly (exe) and goes ahead and executes it. Designed this way, e-mail filters that deliberately exclude executables (to prevent this very kind of attack) are fooled into passing this right along.
Don't you see a number of design problems with this approach? Don't you have to wonder whether Microsoft actually wants trojans and spyware when you see this? And if they do want trojans and spyware, what kinds of holes do you think they will design into .NET Longhorn?
is why the heck the site that COLLECTS the stolen usernames and passwords is still online!?
It's in the advisory: http://www.refestltd.com/cgi-bin/yes.pl
That's the Perl script that the browser object reports to. It's still nice and responsive. Isn't there some fraud dept of the FBI that should have shut this down already? Or are we all just chatting about this and doing nothing, and no one has even notified the ISP?
And interestingly enough, the home page purports to sell a spyware scanner. Nice.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
because you should have started your dear old ...
Mom out on Linux to begin with. What's wrong with you, you lazy bum?
She doesn't need root access, anyway.
You clearly have no idea what you're talking about. That's not even how the trojan gets installed. Windows doesn't "examine the file structure" to determine what type of file something is. Otherwise, changing filename extensions wouldn't even matter. This isn't some MacOS metadata system or something.
Next time you want to make shit up, try a better job.
noooteeexxtttteeekmoooo
According to the article the exploit posts its found data to http://www.refestltd.com/cgi-bin/yes.pl. Guess what they advertise on their site http://www.refestltd.com/ ? That's right, a free spyware scanner.
I'd like to download the BHO checker, but I'm a little paranoid. This story isn't listed on any other security sites that I've been to, and I'm afraid that this is some elaborate hoax in order to get me to download and install the BHO checker, which could contain all sorts of malware. Does anyone know about the legitimacy of this story? What about the BHO checker? How reputable is definitivesolutions.com ? Has anyone ever heard of them?
1) This is a trojan. While IE could be improved to help prevent this, this type of trojan can be used with any browser (albeit a bit more social engineering effort would be required with most other browsers).
2) Yes, XP SP2 is a magic fix. I've seen the dialog screens for BHOs and the like. They're ridiculously obvious. Furthermore, I believe that MS is _finally_ sandboxing this stuff (I remember reading it somewhere, but I can't verify). Finally, SP2's super aggressive firewall would detect that an unauthorized application was trying to send data via port 80 (or any port, for that matter) and warn the user. SP2 isn't bulletproof, but MS has put a LOT of resources into it to help minimize its embarrassing history. From what I've seen it looks promising, and hopefully my firewall will stop reporting so much NIMDA etc. traffic.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Yeah, but the only site still forcing me to use IE is my local bank...
In the USA, Bank of America has branches just about everywhere. Mozilla Firefox on Linux works perfectly fine with BoA's online banking site.
I've been using Mozilla on Linux for a couple years to do my online banking with BoA.
One forewarning about BoA that might get your goat though, is that BoA outsourced much of their IT development and operations to India a while back
:-( A good friend of mine worked for them nearly 5 years and was laid off due to the outsourcing.
There are already numerous pron/w4r3z sites that somehow, while browsing with the most recent Mozilla/Firefox, and despite having "Allow website to download programs" set to false, trigger a "Download netscape_install.xpi? yes/no" window to be displayed.
Tear everything down and start again.
Look at Windows 2003. They don't have the same usability requirements as XP, so it's easier to secure. And it IS secure. It's not bulletproof, it's not OpenBSD, but how many serious exploits have made it into the wild, especially when compared to competing OSes? Windows XP SP2 looks to be a huge improvement - we'll just have to see. Either way, it seems they have a handle on it, without having to tear everything down and start again.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Here's the real and true account of my attempt to put Firefox on a friend's machine when I did a clean reinstall (at her request):
I: Okay, now, this is Firefox---
She: WHAT HAPPENED TO MY INTERNET EXPLORER?!
I: This is better. Here, let me show you---
She: PUT IT BACK PUT IT BACK!!
I: Really, it does everything IE does; if you'll just look at it---
She: YOU KILLED IT! AAAAHHH!!
I ended up leaving IE as her default browser. True frickin' story. People fear change.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
Something as simple as the OS prompting for an account password (à la just about any flavor of *nix that comes to mind) would do wonders for Windows' pathetic security... I looked around all the new features that are said to be included with Win XP SP2... this wasn't among them....
Why is it that the second I have logged in, anyone could sit down at my system and, if I happen to not have a password on the screen saver or have the system set to automatically log me out after x minutes of activity, ANYONE could install ANYTHING on my system... and just extend that a brief moment to any perpetrator online installing malware and any other executable trojan to turn a Windows box into a spam zombie....
I just don't buy that MS is serious about security... this is a pretty easy solution that shouldn't take months of ripping apart the OS for implementation....
I don't get it...?
PS - I'm not trolling, I'm serious... this seems like a pretty simplistic fix that wouldn't take a rocket scientist to figure out...
- bliSS
the only difference between a rut and a grave, are the dimensions
But Microsoft, in their infinite wisdom, ignores the extension and determines what type of file it is by examining the file structure directly (exe) and goes ahead and executes it.
Generally speaking, MS uses the file extension rather than the "magic number" of the file. In the case of this attack, I got the impression that the .gif (wrongly attributed file) gets downloaded and can't be displayed and another process renames it and executes it and ultimately you're infected. If MS had actually checked the file based on the "magic number", it probably would have been scanned and accurately detected. In some ways, you have to blame the anti-virus companies as well if they didn't correctly scan the file. In the end though, it's still a user's responsibility to not download/install untrusted software. Even if IE is helping things along, the user chooses to use the browser and likely is running with elevated privileges to allow the trojan to install in the first place.
As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.
If this is another case of sloppy programming by M$, everyone that loses money can sue. A class action suit for negligence, starting price 10 Billion. We will of course demand actual reimbursement of damages besides that fine, and we are always willing to negotiate.......UP.
Break the bank, problem solved.
Professional Politicians are not the solution, they ARE the problem.
not on the list and let me tell you our managers are shitting pink twinkies these days and for the first time in a LOOONG time actually listening to techs vs. sales people. We'll see how far it actually goes $$$ wise but if your corp's browser allows for 3rd party or IE installs without prompt and enables any script to run...*shudder*
errr....umm...*whooosh* *whoosh* Is this thing on ?
This is one of the reasons why my bank uses one-time passwords generated by a small calculator-looking device. I enter a 4-digit password into the device and get back a six-digit number that I give to my bank to log in. The key is generated based on time and a key built into the device.
This way no password information is transferred over the wire. In theory the information could be transferred over standard HTTP (though you probably don't want to do that since other people could see how much money you have on your account). The same system is used when I call my bank.
It constantly amazes me how bad security is at American banks. My mother's maiden name is certainly not impossible to figure out (it's my grandmother's last name), neither is my home number, zip code or which year I opened my account. The first two are more or less public knowledge, and the last can be brute-forced or guessed.
So the only thing standing between the bad guys and my money is my 6-digit account number. That is in my mind not a whole lot.
- Jonas
Failing to learn from history dooms you to repeat it.
For those of you who don't take the time to read the analysis of the trojan, here's what is said:
The HTML here attempts to exploit a known flaw in Internet Explorer to load and execute a .chm file. At the same time, it appears to have executed a script on www.mymaydayinc.com called photos.php. At this point, the packet captures provided by the victim end, but it is possible to make some intelligent guesses as to what happened next.
The victim of the attack found a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.
The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. (Hypothesis: the .chm exploit, shown above, is likely used to rename and execute this file.)
So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn registers itself as a Browser Helper Object (BHO). BHOs are typically used for things like Browser Toolbars (like the one Google provides).
Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
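The analysis quoted above turns on one observation: "img1big.gif" carried a GIF name but MZ/PE content packed with UPX. Here is an added example (my own code, not from the SANS write-up or from any tool named in the thread) of the check a defender's mail gateway or download scanner would apply: classify a file by its leading bytes, compare that with the declared extension, and flag UPX markers. The GIF and MZ/PE signatures and the "UPX0"/"UPX1"/"UPX!" strings are real; the sample blobs are constructed in the script and are not the trojan's bytes.

```python
import struct

# Leading-byte signatures for the two formats the analysis contrasts:
# a genuine GIF image and a Win32 (PE) executable.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
MZ_MAGIC = b"MZ"
# Strings UPX leaves in packed binaries (section names and version marker).
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

# Which sniffed types are legitimate for a declared extension.
EXPECTED_BY_EXT = {
    "gif": {"gif"},
    "exe": {"pe", "mz"},
    "dll": {"pe", "mz"},
    "scr": {"pe", "mz"},
}


def sniff_type(data: bytes) -> str:
    """Classify by content only; the file name is deliberately ignored."""
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:2] == MZ_MAGIC:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature in a real PE.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "mz"  # DOS header only: truncated file or plain DOS stub
    return "unknown"


def is_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: any UPX marker string anywhere in the file."""
    return any(marker in data for marker in UPX_MARKERS)


def check(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        # Unknown extension: executable content under any such name is suspicious.
        mismatch = sniffed in ("pe", "mz")
    else:
        mismatch = sniffed not in expected
    return {"name": filename, "ext": ext, "sniffed": sniffed,
            "mismatch": mismatch, "upx": is_upx_packed(data)}


# --- Constructed samples (not real malware bytes) ---------------------------
def build_fake_pe(upx: bool = True) -> bytes:
    """Minimal MZ header whose e_lfanew points at a PE signature (constructed)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # 0x40 bytes total
    pe = b"PE\0\0" + b"\0" * 20                            # empty COFF header
    sections = b"UPX0\0\0\0\0UPX1\0\0\0\0" if upx else b".text\0\0\0"
    return dos + pe + sections


SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\0" * 10   # constructed
SAMPLE_DISGUISED = build_fake_pe(upx=True)   # what "img1big.gif" looked like

if __name__ == "__main__":
    for name, blob in (("photo.gif", SAMPLE_GIF), ("img1big.gif", SAMPLE_DISGUISED)):
        print(check(name, blob))
```

The point of the check is the disagreement, not either signal alone: a `.gif` that sniffs as `pe` is exactly the case a filter keyed on extension alone lets through.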
News about Microsoft products based exploits will pretty soon cause the users of these products to become "immune" to this information. It can be compared to watching bad news on your local news channel. Everyday someone is killed, robbed, raped; and they feed you this information to the point where you can become somewhat "immune" to this terrible news. Eventually the next time you watch the news you're like "well, what's new? next!".
Car bomb killed 20, American beheaded, IE BHO exploit, blah, blah, blah...."what's new? NEXT!" The more you hear about it, sad to say, the less important it can become.
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
on these turkeys:
http://www.refestltd.com/cgi-bin/yes.pl
where the data gets shipped after it's hijacked, according to the analysis summary
nada, then I tried google just on the domain. No entries, no pages containing the term, no nuthin.
anyone else get any better results
well, I will admit I didn't look at the PDF, maybe it's answered there.............
Really, most of those people who won't switch are just plain afraid to do it. They get their machines broken and stuffed with malware while doing nothing wrong! No matter what they did last week to make it better, this week there's something else that will break their machines. They barely can run what they have now, so they get scared to start from scratch with a brand new learning (and potential expense in their minds) experience. These things -das komputarz- are sold all over as "easy to use", All you are supposed to have to know is click here, fill in the blank, click again, get online, open browser, go surfing. Really, see the ads for computers all over. NEVER do they claim it's hard and you will need to jump through hoops daily. People know that kindergarteners 'can use computers' now, so in their minds any normal adult can just get one, turn it on and use it.
So, they do that, they buy one, get online, 15 minutes later they get borked. They surf for a week, they got 293 weirdo scripts, cookies, warez, whatevers crawling all over their machines and the thing barely moves. They haul it to the local shop where the helpful windows computer expert trusted computar guy charges them 50$ to run a few cheap programs against it, it gets cleaned up. They drop another 50$ on an antivirus program at his recommendations. Next week it's broken again, back to the shop. 50$ to fix it, another 50$ to get a "firewall". Back home. Next week they get borked again, then they say "FxxK IT! Enough!" they won't care after that point, and no way do they want to start fresh all over with something new that is pushed the same exact way they got borked in the first place, with the recommendation of "go ahead, drive it, it's easy, a kid can do it, it's the same as you had before, just different".
Uh huh, that's gonna make them want to switch. Yep. Sure it is.
That's my theory anyway
There's little to no long term money in making windows or explorer secure or functional. What would they sell from then on if they actually released a product like that? They'd sell it ONCE, that's it. You wouldn't have a need to upgrade. You wouldn't need mr. fixit and even more expensive mr. consultant. And now MICROSOFT is going to sell antivir because their crap is so lame and PEOPLE WILL BUY IT!
There's a cubic metric boatload of megatons of money in making MSOS and browser (and server and email client and etc) *almost* secure and *almost* functional, for microsoft themselves down to the thousands of helpful windows/computer experts at the local whitebox stores and in the consulting yellow pages.
Browser Helper Objects: The Browser the Way You Want It
I am about over Microsoft not doing anything about this security hole. The whole "We are going to let the Anti-virus" stance just doesn't sit well with me. I still like Windows XP and will have to continue to use it so long as I have to for work, but I am not forced in any way to use IE and have switched to Firefox. I will continue using it until Microsoft gets off their butts and deals with this problem.
Very well put. I have to (sadly) agree. Most non-geeks are simply overwhelmed by what is supposed to be easy but is truly annoying and difficult.
But I'm starting to notice that normal folks are starting to realize that Microsoft can't be trusted. The avalanche of security problems, etc., is starting to slowly blunt the notion that "Microsoft makes it, so it must be good."
Much of the problem is that the computer industry is rife with overpromising and underdelivering products. In the US at least, they can make all kinds of vague marketing claims, so people think that they're stupid if their Windows computer isn't running glitch-free.
But now people are starting to talk amongst themselves. I've noticed a lot more of my relatives and friends no longer look at me like I'm a freak when I tell them that I don't have malware or constant security problems with my Macs. They usually still don't have enough wherewithal to break away from Windows, but their perception of Windows as the gold standard seems to be eroding.
Perhaps as Linux continues to advance, OS X continues to advance, and Longhorn continues to languish while Windows users suffer, a few more cracks in the wall will appear and the Windows desktop hegemony. I think malware and virus-riddled email may actually be the straw that breaks the camel's back.
Read the EFF's Fair Use FAQ
Two quick stories... About six months ago I declared to my dear wife that I was switching the PC to Linux full time... I set up a profile for her in KDE complete with a win2k theme.. widgets icons everything and pointed her to Mozilla... She logged in ONCE on her own.
Usually when she takes over my PC, the first thing she does is logout of Linux and reboot into Windows bitching the whole time about how complicated Linux is.
I have both Opera and Mozilla installed in both partitions and I suggested she use Mozilla, explaining that it's "the newest version of Netscape"... no good..She spends most of her time on the Win98 box (HER PC) and only uses IE.
My Brother-in-law has managed to infect his computer with so much malware that at this point whenever he clicks on a download link in IE, it takes him instead to one of those generated on the fly search pages..
When I was over there last month, I installed and ran spybot search and destroy and ran a system scan in Norton and installed Mozilla... and suggested he use it.
Two days ago he called me to tell me he couldn't look at any pictures in his Hotmail inbox. He said he was getting the fake searchengine site again instead.
"Oh, I didn't think that would happen in Mozilla," I said.
"I'm not using Mozilla."
"Okay.. try this... open Mozilla"
"Okay"
"Now type in wwwdothotmaildotcom in the address bar."
"Okay. Now what?"
"Log in." I said."Can you look at the attachments now?"
"Ya."
Now that said...I bet that right after I got off the phone he closed Mozilla and opened up another session of IE. Hey, what can you do?
-- Cheers!
Try "BHO Cop", kinda old but Source Code is included.
http://www.pcmag.com/article2/0,4149,270,00.asp
HTH
L053R
Which virtual machine are you trying to install? I just browsed to this simple Java applet example and it worked out-of-the-box. Note that I installed Java2 SDK 1.4.something a long time ago, before installing Firefox 0.9 (from scratch) using the Windows installer. In fact, I installed all my plug-ins before using Firefox 0.9. What are you referring to? Is it possible that your unfortunate situation is just a special case or an anomaly?
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
5. Profit!!!
emt 377 emt 4
Gee, they used a GPL product in their spyware and didn't release source code? Time to get midevil on their hineys!
Seriously, though, UPX has its own license. One choice of it is completely GPL (you can use GPL UPX code with GPL software) and another option is to use a fixed, non-modifiable component with closed-source stuff.
Guess which licence choice the malware authors made?
Is there anyone here that is still using IE?
I'd been using Firefox for ages without dramas. I switched to Linux in the end because I wanted something that:
Not to sound like I'm preaching to the converted here but a very large portion of the issues I experienced were directly related to IE bugs. Bugs experienced despite: latest patches, up to date anti virus software, decent firewall, solid security practices (and I work in ITsec too btw).
Funnily enough, the above is all Microsoft tells you that you need to do when using their products to remain "safe"...*chuckle*
Sysadmins should be forcing all their users to switch to Firefox and see just how long before Microsoft finally pull their heads out of their asses and get the job done properly.
at least IE can run multiple instances,
so if one process crashes, it doesn't take my 20 other windows with it
Wrong. IE does use 'magic bits' to sniff HTTP content under certain conditions. Try opening a .TXT file that happens to start with and see what happens.
Oops -- that's a TXT file that starts with "", over HTTP. IE will ignore the MIME type, ignore the file extension, and only use the magic bits.
I'm typing away in a form,
the website had a meta refresh to install software,
the prompt pops up just as i'm hitting enter and BAM, i got fucked
"people who really honestly like IE and dislike FireFox... I don't see why, I'd think that from the lamans view they'd be identical"..... /heresy:
/heresy
I use ffox, Opera & IE, and keep returning to IE.
Why?
1. On Win (which I must still use sometimes), ffox is the slowest of the 3 (especially re-draw), even though I'm always on the latest release.
2. I can't get the other browsers to do the simplest, stupidest things I can do in IE, e.g.: drag/drop shortcuts between address-bar & folders, or File=>Send=>Shortcut To Desktop, or drag a link from a page to the address-bar (a sure-fire "use the same window, dammit").
I dunno, maybe I just didn't RTFM.
3. I make genuinely productive use of toolbars (e.g. Google) unavailable on other browsers.
4. I don't grok the excitement of tabbed windows. I much prefer being able to position pages independently in separate windows. And if one of those windows crashes or hangs, I don't lose the others (or their back-traces).
As for security, I do quite well with the combo of common sense, frequent AV updates, SpyBot, AdAware, WebWasher, and very aggressive/paranoid firewall settings. (I love Agnitum Outpost, which lets me control cookies, ActiveX, JavaScript, etc. -- each *separately* -- on a per-domain basis.)
Your choice of browser helps, but it's not enough. You might not be caught by this, but Windoze itself listens on other ports and can be exploited. It happens without any effort on your part. Also, you might be tempted to use LookOut or similar, are probably running as root and lack a host of other safety mechanisms that protect the average Linux user.
The average user is much better off running a kernel that has real users that respects permissions embedded in the file system. As someone else mentioned, all of the above makes it difficult for a malicious web site to load any kind of system software without the user knowing. Windoze was designed to make that possible and it is no surprise that security is so poor on Windoze.
Some might complain that you use Mozilla based browsers, email clients and other stuff to avoid Windoze security problems and that's good enough for you. Fine for them, whatever. I consider it all a royal pain in the ass to keep up with all of that. Going to get a handful of free software programs to make Windoze work right is an exhausting and pointless exercise. Microsoft does its best to break them and dependency resolution on Windoze has always been impossible. It's much easier, and more secure, to simply install a reasonable distro in the first place.
Friends don't help friends install M$ junk.
The easier solution is to make a browser that does not allow plugins to be installed without root user consent. For my clients, that means a phone call to me because they forgot their root password. Problem solved.
Friends don't help friends install M$ junk.
The only bank account that could actually be hacked with a PIN was my citibank.com account in the US.
I have two bank accounts now:
- One of them uses HBCI with a smart card: essentially my EC-card with an added encryption device. The encryption is done *externally* and authorized using a PIN on the external card reader.
- the other one is a little backwards: a PIN/TAN combination. All these people could eventually find out with the static PIN is the negative amount of money in my bank account. I hope they will pity me and transfer some money into my account.
Maybe I am overlooking something here. But maybe your average bank just doesn't care about your account security.
I hate to gloat but there is nothing like getting hurt for a wake up call!
Hallowed are the Ori
All was well for about five minutes, when I realized I had lost my Google Toolbar(!!!)
So, yes, I can confirm Google Toolbar is a BHO.
I went right back and rechecked the box - life isn't worth living without Google. :-)
Ok ok Firefox is great. Opera is too. I just wanted to say that.
IEButton
Includes Unicode DLL build + source
I switched to Firefox on Friday. Finally I was sick of the security holes in IE.
By Saturday I had come across three bugs:
1. Opening a pdf file froze Firefox temporarily. I quit it normally and it wouldn't open because it thought the user profile was still in use. Even worse, it had somehow killed Acrobat Reader so I couldn't read pdf files on my own computer. When I clicked on the same pdf link in IE, IE froze and soon computer (Win XP) hard crashed. Restarted and it soon hard crashed again. Restarted again.
2. The photography forums at www.fredmiranda.com don't work properly. When I control click to open a thread in a new tab, it opens it both in a new tab and in the current tab.
3. Sun's iPlanet Messaging Server for accessing IMAP email doesn't work properly. Even with popup blocking turned off, Firefox still for some reason blocks the Compose and Reply popup email composition dialog boxes. Perhaps there is another popup blocking setting that I don't know about. For now, I still have to use IE.
The first problem is a serious fault with Firefox/Mozilla. The second and third problems have to do with Firefox but may also be due to poor webpage design. Regardless, the switch to Firefox has not been transparent, even for someone not afraid of computers. And I still need to keep IE around. In my book, Firefox has a ways to go. (Still, love the tabs and the google search dialog. Reminds me of Apple's Safari.)
The average ... Windoze ... Windoze ...
Some might ... Windoze ... Windoze ... Windoze ... Windoze
I'm sorry. You were saying something? I lost you at the fifth "Windoze".
Please re-type, using the normal term "Windows", which is not at all painful to employ and restores what little credibility you had before posting this.
Thanks.
That's because HTML files are stored in standard ASCII text format--like a .TXT file. So when you give it an ASCII text format file that has an HTML tag in the beginning, then yeah, it'll read it as HTML.
Jeesh. I can't believe I had to explain that.
You honestly believe the Windows operating system scans an entire file to determine its type? Think of the performance hit as it went through scanning the entire file and comparing it against all possible registered file types...
I wonder if MS even COULD make any of their Windows flavors - new or old - secure. To begin with, it seems that in order to do that they would have to set up a permissions system on the registry which is accessed by most programs and also disallow installing of any file containing executable code in any location, unless the user is an administrator. However, if they did this, much, if not most already installed software may no longer run. That would be a quick way for MS to ensure the loss of many users and thus big $$$ loss.
I got a program once on a CD for my Mac, which was obviously a quick and dirty PC port. This program would not even start up if it was run under an ordinary user account on my OSX Mac. It always wanted to have admin priv. which I did not give. I have no idea to what forbidden part of my system it wanted access. I have NEVER been able to install *any* software on my Mac without supplying an admin password unless I installed it into my own private applications folder. If the software STILL asks for an admin password even though I tried to install it into my OWN home folder, then I did not install it at all.
Sometimes I do wish to surf to unknown places and I set up a special restricted account for just that. Then, if something nasty DID get through the normal protections, it could not access any other parts of my computer and transmit personal info. since that account contains nothing I care about. The worst that could happen is for the malware to hose that account.
Most of my browsing is now done with Safari, but I still use the old MSIE occasionally and I did get to some site once where a request for an admin password came up unexpectedly -- which I did not give it.
The bottom line is that the OS should disallow any installation or running of code from an unauthorized location unless the user is asked for permission and has the ability to give such permissions.
All theory is gray
"When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE."
:(
So if I write protect this section of the registry so no user can write to it then IE will never load the BHOs? I'm starting to think that read-only for the entire "\Software\Microsoft\Internet Explorer" might be a good idea.
FYI: I work at an internet gaming cafe, I don't think I've ever seen so much spyware
I've experiments to run, there is research to be done on the people who are still alive.
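Before locking down the key, it helps to know what is already registered in it. The following is an added example (my own code, not from the article or any tool named here) that audits a `.reg` export of the key IE reads at start-up for BHOs: it lists each BHO's CLSID with its default-value name and reports anything not on an allowlist. The registry path `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` is the real one; the export text, the two CLSIDs and the allowlist are constructed for the demo.

```python
import re

# Key IE reads at start-up to find BHOs; each subkey is a BHO's CLSID.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Constructed sample export (reg export "<key>" out.reg); CLSIDs are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-0000-0000-000000000001}]
@=""
"NoExplorer"=dword:00000001
"""

# Constructed allowlist: the one BHO this (hypothetical) site has approved.
ALLOWLIST = {"{11111111-2222-3333-4444-555555555555}"}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')


def parse_bhos(reg_text: str) -> dict:
    """Return {CLSID: default value} for every subkey under the BHO key."""
    bhos = {}
    current = None
    prefix = BHO_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if key.lower().startswith(prefix):
                current = key[len(prefix):].upper()   # the CLSID subkey
                bhos[current] = ""                    # unnamed until @= seen
            else:
                current = None                        # some other key
            continue
        if current:
            d = DEFAULT_RE.match(line)
            if d:
                bhos[current] = d.group(1)
    return bhos


def unknown_bhos(reg_text: str, allowlist=ALLOWLIST) -> dict:
    """BHOs present in the export that are not on the allowlist."""
    allow = {c.upper() for c in allowlist}
    return {c: name for c, name in parse_bhos(reg_text).items() if c not in allow}


if __name__ == "__main__":
    for clsid, name in unknown_bhos(SAMPLE_REG_EXPORT).items():
        print("unapproved BHO:", clsid, repr(name))
```

An unnamed BHO (empty default value) registered from somewhere outside Program Files is the pattern worth a second look; the toolbar-style ones, as the Google Toolbar post further up shows, are what you expect to find.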
Shouldn't it be easy to find the dirtbag responsible? The piece of malware has to send the data somewhere. It should lead right to the source.
Radio screen listening stuff: it does not matter what OS you are using, I can see the screen with it. The tool is downright expensive but downright useful to point out that hardware and buildings are important to protect critical records.
The best part of radio screen listening is that there is no hardware attached to the computer. Just a little system listening in. This points out that knowing what your computer should look like would stop a lot of these add-ons.
That's a great system. Defeats any keylogger, plus the bank can deploy it to selected users if they are worried about scaring clients away with the RSA acronym. A bank in Greece uses one-time transaction validation codes (you get a list of one-time "PINs" from the bank and go for a refill when you use them up) but this is better still.
Furthermore, IE makes it very easy for a user to be duped into allowing a plugin to be installed.
:)
Yeah all you need to do is tell people that Internet Explorer will popup a security window and that they should ignore it and click the "Yes I want to install untrusted software" button!! sort of like this
. . . someone said about IE vs. Linux.
Let's pause a moment to regain our bearings.
The article was about an IE vulnerability.
Someone responded by questioning the virtues of IE and recommending other browsers (for his/her parents), but still WITHIN the context of Win.
I prefer *n*x variants (over Win) as much as the next person; but, in the context of this article, Linux is irrelevant, because there *is* no IE on Linux.
As I said before, there are times when I have no choice but to use Win; and, at those times, IE best fits my needs. When another Win-based browser can do the things I mentioned, I'll switch gleefully.
In Germany and Austria, online banking requires a TAN (Transaction Authorization Number) for any operation that changes the account.
The TANs come on a one-time-pad kind of sheet, and you can use each number once before it becomes invalid. Therefore, if somebody is scanning my TANs (along with other things), they can do exactly nothing with them.
The sheet of TANs is generated on some bank server and sent to me via postal mail.
Admittedly, I wouldn't want anyone browsing my bank account. But the damage they can do with that is limited (changing passwords and so on requires a TAN too).
Yet another sheep without a clue.
On previous installations of various Linux distros, the first step I've taken is to download the various patches and updates. Same procedure with Windows.
Linux isn't a magic silver bullet that will solve all of your security problems.
"permissions embedded in the file system" is always overcome by people using the magic chmod 777 fix. "Real users" is useless if all the important personal data is stored by the user using the web browser.
I'm typing this using Firefox 0.9 under XP. I don't particularly like Windows, but there are other people who need to use this machine. For the many millions of people using Windows, using software other than IE/OE is a great choice.
What a great idea, let's ignore posts from now on however interesting they may be and moderate people based entirely on the contents of their signatures. Could produce some 'interesting' results...
With most banks in Sweden you get a little calculator look-alike with which you RSA-encrypt two four-digit strings received from the site and use the ciphertext as the password.
Nowhere can the user access the encryption key.
The thingie itself is protected by a user-set PIN and locks itself up if an invalid pass is entered three times. After this you have to exchange it with the bank for a new one, with a different key.
The good thing with this is that no keys are reusable, so it's in practice impossible to misuse a sniffed password, since a new one is generated for each signing of a transaction.
It's also impossible to sniff the PIN for the thingie unless you have some sneaky CCTV in the building or someone watching over your shoulder.
The only drawback is that it uses RSA - I know it should be better to promote the use of DSA.
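The two posts above (the German/Austrian TAN sheet and the Swedish challenge-response token) both describe why a keylogger or a BHO that reads the form before SSL gains nothing: what it captures is single-use. The following is an added example, not code from the thread or from any bank, that simulates the bank-side checks for both schemes. The cipher (HMAC-SHA256), the eight-digit response format, the lock-out count and every key, PIN and TAN value are assumptions for illustration; the page does not describe the real tokens in enough detail to reproduce them.

```python
"""Added illustration: bank-side verification of one-time TANs and of a
PIN-protected challenge-response token.  HMAC-SHA256, the response format
and all keys/PINs/TANs are assumptions, not the real banks' algorithms."""
import hashlib
import hmac
import secrets


class TanSheet:
    """One-time transaction numbers from a mailed sheet: each accepted once."""

    def __init__(self, tans):
        self._unused = set(tans)

    def authorize(self, tan):
        # A TAN sniffed by a keylogger has already been consumed by the time
        # the attacker tries it, so the replay is rejected.
        if tan in self._unused:
            self._unused.remove(tan)
            return True
        return False


def _response(device_key, challenge):
    # Eight decimal digits derived from HMAC-SHA256(key, challenge).  The PRF
    # is an assumption; the page does not name the token's actual cipher.
    digest = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ChallengeResponseToken:
    """Simulates the 'calculator': a key that never leaves the device, a user
    PIN, and a lock-out after three wrong PIN entries."""

    MAX_PIN_FAILURES = 3

    def __init__(self, device_key, pin):
        self._key = device_key
        self._pin = pin
        self._failures = 0
        self.locked = False

    def respond(self, pin, challenge):
        if self.locked:
            raise RuntimeError("token locked; exchange it at the bank")
        if not hmac.compare_digest(pin, self._pin):
            self._failures += 1
            if self._failures >= self.MAX_PIN_FAILURES:
                self.locked = True
            raise ValueError("wrong PIN")
        self._failures = 0
        return _response(self._key, challenge)


class BankServer:
    """Holds the customer's device key; issues one fresh challenge per login."""

    def __init__(self, device_key):
        self._key = device_key
        self._pending = None

    def challenge(self):
        # Two four-digit strings, as in the Swedish scheme described above.
        self._pending = f"{secrets.randbelow(10**4):04d} {secrets.randbelow(10**4):04d}"
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        expected = _response(self._key, self._pending)
        self._pending = None  # each challenge is single-use
        return hmac.compare_digest(expected, response)


def demo():
    """Runs both schemes; returns what a replaying keylogger achieves."""
    results = {}
    sheet = TanSheet(["482913", "117204", "990017"])  # constructed sample sheet
    results["tan_first_use"] = sheet.authorize("482913")
    results["tan_replay"] = sheet.authorize("482913")

    key = secrets.token_bytes(32)  # shared by the token and the bank only
    token = ChallengeResponseToken(key, pin="1234")
    bank = BankServer(key)
    # Legitimate login: the keylogger sees both challenge and response.
    sniffed_challenge = bank.challenge()
    sniffed_response = token.respond("1234", sniffed_challenge)
    results["token_login"] = bank.verify(sniffed_response)
    # The attacker's own login gets a different challenge, so replay fails.
    while bank.challenge() == sniffed_challenge:  # rule out a 1-in-10^8 collision
        pass
    results["token_replay"] = bank.verify(sniffed_response)
    # Guessing the PIN on a stolen token: three misses and it is bricked.
    for guess in ("0000", "1111", "2222"):
        try:
            token.respond(guess, bank.challenge())
        except ValueError:
            pass
    results["token_locked"] = token.locked
    return results


if __name__ == "__main__":
    print(demo())
```

The point the thread makes is visible in `demo()`: the captured TAN and the captured token response are both valid exactly once, and the device key that would let an attacker answer a fresh challenge never passes through the browser where a BHO could read it.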
There was a recent /. story about how the new SP2 will break some XP programs. Apparently it's NOT possible for Microsoft to introduce security without breaking stuff! And I'm sure SP2 will STILL be far less secure than Linux.
I contacted my bank yesterday about the inability to access my account with Firefox. Their reply astounds me:
"[My bank] will make enhancements to [the Online Service], in 2004, which will allow for compatibility with the Mozilla (Netscape) web browser as well as other web browsers.
The Hardware/Software Requirements Section of our web site at [Bank's FAQ Online] lists the browsers currently supported at [my bank]. Using a browser listed on the web site will ensure that you have the highest level of stability and security in accessing your account information in [their online service]."
"a browser listed on the web site will ensure that you have the highest level of stability and security"
. . . not so much when the only browser suggested is IE 5.5 or later. What a load of crap.
This is the only way bugs get fixed and people wean themselves off of IE and IIS.
Too bad you don't just use a net install to begin with. It's very different from Windoze, which always comes from an old CD.
I'm typing this using Firefox 0.9 under XP. I don't particularly like Windows, but there are other people who need to use this machine.
Too bad for you and them. You could be running something nice like KDE 3.2.
Friends don't help friends install M$ junk.
Wow. I'm browsing at +5, and after reading about 40 posts, you are the *first* (and I won't be surprised if you're the only) _ON_TOPIC_ post! Since moderation's a sham, I would just like to say - Congratulations. (and thank you)
I used to write off all these Microsoft problems as "well, they have 95% of the market, so that's why they get targeted for these things."
But this latest problem made me reconsider! I switched to Firefox (and Thunderbird!) yesterday, and don't miss IE and Outlook one bit.
Thanks, /., for encouraging me!
I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.
If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.
To get an idea of what I'm talking about, check this post out. I mean, this is an article about email disclaimers, right? The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx. WTF?
Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.
More? Just read through this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one.
Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.
More? Bad spelling in astounding conspiracy theories, more offtopic FUD and uninformed "I'm right, look at me" rants, promptly proven wrong. Worse even, twitter wants to be RMS, apparently (that first one is a winner). I mean,
1. Opening a pdf file froze Firefox temporarily. I quit it normally and it wouldn't open because it thought the user profile was still in use. Even worse, it had somehow killed Acrobat Reader so I couldn't read pdf files on my own computer. When I clicked on the same pdf link in IE, IE froze and soon computer (Win XP) hard crashed.
When Acrobat forced Firefox to crash, it left an out-of-control Acrobat process. You should've just opened your task manager & killed the acroread32 (or whatever it's called) process. It should've been easy to spot, because it was probably chewing up 100% of your CPU time. Then everything would've worked.
twit, better run for the hills. Apparently evil M$ astroturfing fanboys living in Bangalore in the employ of Bill Gates have taken over the Slashdot moderation system and are unfairly prosecuting you! And by doing that they attack free software!
We're doing our own internal time-tracking applications (as mainly an exercise to keep us busy as more work comes down the pipe.)
I decided to fire up the RC2 version of the web app under Firefox.
Worked without a hitch.
Granted we're not using anything really complex... (we're using some 3rd party data grids built off the MS grids, that's it)
But still.
Worked fine in Firefox.
If people actually bothered to TEST their applications, they may find that they work in alternate browsers. Or at least, they could hack around any incompatibilities.
I followed your suggestion and am recruiting the family. All I had to do is explain the new BHO trojan and they were eager to have an alternative.
No shit?
No problem. The news speaks for itself and all your blither is empty waste. It's just sucking M$ $$$$. Keep it up, losers.
I use Opera and I see pop-ups every morning. Then I take the toast out of the toaster and butter it. That's what they mean by pop-ups, isn't it?
Is really expensive...
Windows Update
Office Update
hang on...
give me a sec...
I'll come up with somethin....
nope.
That's it.
hahahahaha owned, that rules dude!