Slashdot Mirror
New IE Malware Captures Passwords Ahead Of SSL
Ken Treis writes "SANS Internet Storm Center is reporting on a new strain of IE Malware. This one targets bank customers, which in itself is nothing new. But the catch is in the way it does it: it installs a Browser Help Object (BHO) that can capture login information before it is encrypted, and 'watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.'."
Cue the "Gee I'm glad I use FireFox on Linux" posts.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Intrigued, I went to those scumware vendors and saw that they are, in fact, dishing out scumware. So, in the interests of justice:
whois refestltd.com
Domain name: reflestltd.com
Registrant: Jay Seaton (6PPPG) jay@tremjade.com
United States
(913)6814254
Not that I condone using that information for any nefarious purposes...
All's true that is mistrusted
that this hasn't happened earlier. Why would you fsck with SSL when you can bypass it completely?
Disconnect and self-destruct, one bullet at a time.
Is why I transmit all of my passwords in plain text... not very secure, but a lot less obvious then all of these complicated 'security' or 'encryption' methods.
Help Brendan pay off his student loans
SF has an article regarding this.
Gates Defends Microsoft Patch Efforts
Free XBox, PS2
I imagine spybot's BHO inoculation should block this. Anyone know? I use firefox on windows myself, but not for any other reason than that it's just a better browser. ff on linux is actually kind of painful to look at and sluggish to use still.
I've finally had it: until slashdot gets article moderation, I am not coming back.
I wonder why the author of the code chose to only look for a certain number of SSL-enabled URLs. Why not just write the code to look for any URL or redirection that's prefaced by "https://"?
Just another good reason to switch to Firefox.
Well, personally, i agree with you. Internet Explorer is far inferior to a lot of the other browsers out there.. The thing is that it's bundled with windows, and most people out there quite frankly aren't very computer literate, and more than 1/2 I would bet don't even know other web browsers exist. True, no? Any comments to that?
For crying out loud, people! How hard is it to download Firefox and switch? Especially with the new settings import wizard?
This is about your internet banking passwords, people! Your hard earned money is at stake here!
"Oooh, does that mean we get to kick some puffy white mad zionist butt?"
"laziness"
To uncheck the "enable third party browser extensions" box in your Internet Explorer properties, if you must use Internet Explorer. This fixes most of the Internet Explorer problems that people ever experience and blame on Microsoft.
There is the slight problem that malware can silently reenable it when they run, but I doubt many do.
This is why I do all my online banking using Gopher.
That query is for "refestldt.com" and I stupidly typed "reflestldt.com" after "domain name". The whois info is accurate, just not what I typed there.
All's true that is mistrusted
This isn't Malware, this is advertising for Apple. THIS is why I buy Macintoshes.
What's a browser? Is that like Internet Explorer? But why do I need another one when I already have Internet Explorer? Don't I have to use Internet Explorer to connect to the internet?
By reading this you acknowledge that you have read it.
Primarily cos they just use the first thing that is in front of their face.
One small step towards fixing this is to be involved as much as possible with all new computer installations.
Your mum is getting a new computer? Go in there and set it up for her. Put mozilla and firefox on the desktop, show her how to use them, and remove all the IE icons. She won't know any better and you can rest easy knowing there's less chance your inheritance is going to disappear from her bank account.
-- Even if a god did exist, why the fsck should I worship it?
For the non-power user IE *IS* preferable. I came to this conclusion after trying several times to get friends and family to migrate to Firefox from Explorer. Even when I did all the grunt work, installing and setting up the browser and explained the benefits to them, they all went back to IE.
IE has enough features for them to deal with. They don't need the fancy "bells and whistles" of Mozilla, in fact they didn't even use the extra features. IE has the Microsoft look and feel they are used to. It's free, it's preinstalled, so they get used to the feel of it from the outset and don't have to download and install, a task many find daunting. And as most of the extra functionality Firefox has over IE comes from extensions, which they can't even work out anyway, then it seems pointless for me to try to force them to use it.
I don't blame most users for using IE. For them it is "good enough". I see a lot of snobbishness on this site, and maybe some of it is fair enough. I also see a lot of silly arguments with extrapolation from a small sample set "My sister uses Mozilla all the time now!" to big conclusions. As a scientist, I know enough not to make those errors. Anyway I just wanted to say most users don't need Firefox despite what you might read. I guess this is pretty obvious, it accounts for a fraction of 1% of browser usage after all.
For the average user, using Mozilla is like using a 4x4 to go shopping. It is needed one time in a million, and the rest of the time it is woefully underused.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Stuff like the google search bar? Does that count?
Sehr geehrter Toilettenbenutzer!
You know you really have something going for you when a single application in your product line helps defines it own genre of exploits:
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...
The Army reading list
From the article:
It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX.
Cue the FUD saying "look I told you Open Source was inherently less secure!"
Download my free songs!
I read this article in the Houston Chronicle this morning: Flaws may mean it's time to drop Microsoft browser. It's beginning to look like there's a ton of exploitable stuff in IE.
BTM
That was the turning point of my life--I went from negative zero to positive zero.
Everyone here is likely to blame Microsoft. I'm turning my wrath against the intelligence organizations of various countries. For far too long this BS - malware, viruses, fraud sent via spam - has been mostly ignored. It seems nobody is going to jail for the Paypal scams because Paypal isn't a "real bank". Now they're targeting real banks.
I, for one, am sick of it. Where is our FBI and what are they doing about this? If these were criminals setting up videocameras to record pin numbers at ATMs, you can bet there would be a huge effort to track them down. Well, this is worse than that.
-Ryan, with the unoriginal sig
Where I work, I have to cater to the clients' demands, timelines, and budgets. That means that I strongly recommend as much security as they need, and if they don't want everything I recommend then I don't build it in. Then I provide a nice document detailing all the steps I took to secure the site and request that they review and sign off on it. It's on their heads.
There's an outcry when Microsoft pushes their product launch back another year, and followed up with complaints that they didn't spend enough time testing and securing everything.
I don't disagree with you, but I can also see some factors that cause these problems.
And finally - the story is not about Microsoft, it's about malware that someone else created. You could create and install malware for Firefox too, you know.
less chance your inheritance is going to disappear from her bank account.
Or if there is currently little or no inheritance... have her use IE in the hopes that some how her bank account will get extra funds due to the exploit thus creating or increasing your possible inheritance.
Help Brendan pay off his student loans
netscape.
When there's no competition, M$ can get away with this crap. Let's face it, even with this 99% of people won't switch from IE, solely because they don't even realize they have a choice anymore. If there was actual competition in the industry (aside from nerds who run firefox), then this crap would NOT be allowed by M$, because it would mean certain death for any share of the browser market they held.
(Score: -1, Redundant)
sulli
RTFJ.
Not to discuss about IE, what about banks using different password entry schemes?
In Brazil there seems to be a new regulation saying that users of ATM and online banking shouldn't type the password in a numeric pad anymore.
Instead, you get 5 buttons on the touch screen (or a small Java applet, or Javascript thing in the case of the bank where I have an account there) with combinations of two numbers. It looks like "press this if the next number is 3 or 8".
The thing is, the combination changes every time you enter your password. The first button that was "3 or 8" before will be something like "4 or 7" next time. And the combinations change too, not only the position of the buttons.
So it becomes more difficult for spyware to monitor keypresses / mouse clicks, or things like this to work for the scammer. (Ironic or not, the ATM in the pictures at the UT website is from a Brazilian bank).
I haven't seen anything like that in any US bank; it's always a number pad where you type your password, or a text field to type the password online.
Marcelo Vanzin
Come on Bill, lets see you put your money (its not like you don't have enough of that) where your mouth is.
Your 48 hours starts now.
I gots ta ding a ding dang my dang a long ling long
When will us Linux users finally get to experience all of these exploits and viruses? It looks like Windows users have all the fun. :-)
I've actually had online banking sites force me to use MSIE when they decided Mozilla 1.5 wasn't a modern browser. Seems better with recent Mozilla and Firefox versions, or perhaps the frigging bank fixed their frigging software.
Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
Thats when you point her IE shortcut at Firefox...
I mean come on,,, Just tell her it is the new IE.
DJMD - The fourth man - Planetary
...I don't know about banks in the US, but at least my (Finnish) bank gives me a username, password and (most important of all) a list of one-time passwords. When I log in, the only things I can see before it requests a one-time password is the balance on account, EURIBOR interest rates and the few stocks I've chosen to observe (ie, a master summary page). If I try to access anything, such as transaction records (not to mention transfers), I have to type in the one-time password. They mail me a new sheet when I'm starting to run out of one-timers.
If I don't want to use one-time passwords, I can choose to use smartcard reader and a PIN number (which remains constant). I'm not sure if that would be vulnerable. Anyway, this follows the "something you have, something you know"-security model, I know the username/password and have either the smartcard or the one-time list.
Do the US banks only use username/password pair?
In other words, it's almost certainly a bogus phone number attached to bogus domain-registration info.
Easy, automatic testing for Perl.
I'm not a religious person... but I will now attempt to pray...
God, it's me, Anonymous Coward, I beg you, have the l33t hax0rs of the world unite to develop exploits and hacks against Linux and Firefox so that open source zealots can no longer scream about how secure their software is. Any competent person or deity (ie you) knows that there are potential exploits in both, but most have not been found because most do not look as hard as is done with Windows.
If you do this for me... I promise to sell my soul to your minions in Redmond and banish any Linux or Open Source related product from my home from now until eternity.
Amen
Are they even paying attention? At first it was .exe worms in email, then it was network-layer exploits, and then it was spyware, and now in the past week it seems that IE is totally unsafe for any purpose whatsoever.
What's amazing me is why Microsoft isn't *running* to provide patches, for at least XP and 2K, to mitigate this. They're offering non-solutions like disabling Active X and Javascript. Sure, fixing the problem may mean some serious breakage for some in-house software someplace, but does anyone care that Spyware+Malware+IE is rendering their operating systems junk?
Are they even paying attention? Is XP SP2 a magic fix? Is it just too badly broken to even BE fixed?
What fancy-ass security feature in Firefox would prevent somebody from writing a plugin like this? Anything besides 'not a big enough user base to attempt it'?
"Derp de derp."
The problem is that websites are test for IE only and are often broke with other browsers. Not because they are using some nifty (non-standard) feature of IE but just because the web developers only test IE.
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customer complain. I always take the time to send a nice e-mail to websites that are broke with Mozilla.
Companies need know that they are limiting their customer base and are losing sales.
Just yesterday I was signing up for a dedicated server at a vendor and their webpage was not working correctly, I brought up IE and worked fine. Ticked - I left and signed up with the competition (servermatrix).
... you are preaching to the choir here? I mean, there are atleast a few Mozilla/Firefox/Thunderbird stories on here a week! We all know what it is! Rather than preach your comments about switching here, instead, preach to your parents and friends that still might use IE. Send them news stories for them to read. Unfortuntely, it takes a real experience for them to have a change of heart. Don't let that happen!
Hmmm.
Funny, CIAC Issued a warning about BHO's in early 2002 Link to warning
The reason why people still use IE - EVEN when an alternative is shown - is because it's familiar, and because: - "my favourite websites don't work!" - "It's slow!" - "What is this crap." Coming from people like my sister. I even tried the IE icon trick but she insisted that I put IE back on. However, articles like this - where your bank password will be stolen if you use IE - well here we go, this is something that I could convince my mom with, as well as my sister.
"The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis."
.gif name to .exe or attempt to unzip the .gif file? If not, why does IE allow .gif's to be installed?!
Does another exploit change the
"Oooh switch to firefox" is the most ignorant and misguided response to this.
This activity needs to be ILLEGAL...and that's the only way to stop it.
Oh yes, I'm so glad that there are no murders, rapes or robberies around here, because those things are all illegal. I shouldn't lock up my house or car, that's ignorant!
Unfortunatly this describes 90% of people out there. The only way I can think of to overcome that kind of pervasive ignorace is a public service campaign like the anti-drug campaigns.
[joke]
"This is your computer.. this is your computer on Internet Explorer"
-or-
"Friends don't let Friends use Internet Explorer"
-or-
"Just say No to Internet Explorer"
[/joke]
Seriously, there needs to be a TV campaign or even public service banners on high traffic sites like google or CNN.
After last week's CERT advisory, there should only be a handful of them left.
This activity needs to be ILLEGAL...and that's the only way to stop it. They're wiretapping without consent.
(Nit-pick) It is illegal; it needs to be prosecuted.
...and, Soccer Mom might care about Firefox et al, if we tell her at every opportunity. She's not daft (hopefully) - she'll appreciate knowing how to reduce the risk to her (and her family's) finances.
This is where the serious fun begins.
I tried the same and it worked over here - you might also add a good fancy theme to mozilla/firefox to make it more attractive.
No Sig for you.!
And if you're dumb enough to use a bank that works only with the big neon "Hack Me" sign that is IE, you get what you deserve. Find a bank that works with Mozilla or Konqueror and use those for banking instead.
Oh yes, and be sure to tell your old bank WHY you're closing your account with them. "You're only supporting Internet Explorer as a browser, so I'm not supporting you as a bank."
Not like they'll notice on personal accounts, but maybe if a business or three moves their accounts, they'll sit up and take notice.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
No, I just meant the whois query was for the correct domain but when I was typing the response here I accidentally added an "l". That info is the whois query for refestltd.com.
All's true that is mistrusted
a) Threaten to never support her computer again
b) Hide the IE shortcuts
c) Change the IE homepage to say, in big letters, "YOU'RE NOT SUPPOSED TO BE USING THIS NOW GET OUT AND START FIREFOX"
d) If you have Zonealarm on her computer, set it so IE has no Internet access
e) Use IE's Content Advisor to block all Web sites
f) I could go on and on
Yes, it's sad that people don't realize that Internet Explorer is not "the internet" and that there are alternatives, but tricking them is not the answer.
Apparently her ISP software linked directly to Iexplorer.exe and when it asked her to make it default she clicked yes.
Not her fault but still makes you want to slam yur head against the monitor screen.
My days of not taking you seriously are certainly coming to a middle...
I think this will change when non-IE browsers start ruling a larger percentage in the server logs and too many customer complain.
... and decide there's no need to support anything else.
1. Web sites check the user-agent header, refuse access to anybody not claiming to be MSIE.
2. Users of advanced browsers change their user-agent strings to claim to be MSIE.
3. Webmasters check logs, see most all hits come from MSIE...
4.
To get around the "teaching others to use a new browser", I just loaded Firefox, added a luna skin to make it look like IE, and then used firesomething to change the name to "internet explorer". They barely know the difference!
But for those that are unfortunately enough to have to help those that insist on IE, for whatever reason, a program called BHODemon might help you. It lets windows users see what BHO's are loaded at any particular time, so I would assume that this malware would show up here as well. Its a quick way that someone can find out just what is running in the background.
http://www.definitivesolutions.com/bhodemon.htm
BHODemon 1.0
Thats funny considering I can't use my bank's Internet system it says it requires IE for security purposes.
- go to http://www.mozilla.org/products/firefox
- download the windows installer
- run aforementioned installer
- Realise that installer automatically imports IE favourites
- Select the Internet Explorer icon, press "Del" key
- When asked if you are sure,say yes (with extreme prejudice)
it's really that simple, for added effect you could try replacing the firefox icon with the explorer one (right click|properties|change icon|browse to iexplore.exe|select the icon from the ones that come up), that's what I did as I was used to clicking on a blue e. After a while I weaned myself off.I am NaN
you forgot konqueror
There's a good explanation of BHO and how malware authors tend to exploit it here.
Maybe this is the kick of the pants that M$ will get now that financial institutions are targetted with a n exploit from a badly-design browser model.
Which is nice.
Wearing pants should always be optional.
Don't you know the proper way for citizens to solve their problems today?
1. Incorporate yourself
2. Make a $1000 contribution to the Corporate Party (DNC or RNC, doesn't matter which)
3. Sue them for $10000, and get your pol friends to bring in the FBI
4. PROFIT!!!
"The Justice Department's spending on cybercrime would leap from the $157 million allocated by Congress for the 2003 fiscal year to $265 million. The agency's Internet Crimes Against Children program, which investigates child pornography and "enticement" cases, would receive a $2 million increase, to reach $14.5 million."
Even if the Justice Department "only" had $157M in 2003, you'd think there would be a bit more to show for it. But this is the US government we're talking about. There are doubtless a good number of motivated and competent people in the US government who are dilligently working to combat cybercrime.
The problem is that US government agencies are notoriously slow to adapt to change. Having worked in one before, I can attest to how frustrating it can be to try and get even simple, obvious tasks completed when groupthink prevails. It must be incredibly frustrating for the folks working in those departments who are trying to go after cybercriminals.
Read the EFF's Fair Use FAQ
"Oooh switch to firefox" is the most ignorant and misguided response to this. Does soccer mom really care about a firefox? Nope.
The good news is, she doesn't care about a Internet Explorer either.
I spent some extra time while replacing my mother's aging and cruft-hobbled Win98SE install (with XP, for the record) to install and configure both Firefox and Thunderbird alongside IE and OE. The fox and the bird are default, but I wanted to make sure that if she found them unacceptable for any reason, her known devices were still there and up for the task.
She was nervous about having to suddenly rely on unfamiliar programs to do her thing but as long as they did the same things as IE+OE she was up for it. I made sure to import her "favorites" and contacts and picked out a theme for Firething with her and introduced her to tabbed browsing briefly. I showed her how to check her mail and where to change things for either program. After that all I could do was walk away and hope for the best.
A few days later I got an email from her thanking me again for my help and commenting on how much speedier everything was. I checked the user agent: Mozilla Thunderbird 0.7. =^)
Is there a skin that acts exactly like IE? I'm looking to swap my family computers over and would like an IE interface. I've tried education to the family and it just hasn't worked really well. Tabs? What do they care? Adblocking? Who's got the time? They're just ads. Every feature I introduce doesn't really sell them. So basically, they would like to stick with Internet Explorer. However, clearly, I can't let them with all this crap flying around these days. That being said, I just want a way to make Firefox look like IE so I can do a swap. Anyone?
Disagreeing with me does not mean you get to mod me troll.
Okay folks, now is the time to DEMAND your online banking providers to switch to a one-time pad system for passwords.
Many banks in the EU have already done this. Why are banks like BANK OF AMERICA and others still using simple passwords?
My passwords are just little black dots when I type them.
------ How can making people laugh lead to bad karma?
It is an compressed Exe-File with a .gif ending. The user didn't run as admin and the Windows XP policy was in place so the file couldn't install. Through this it came to the admins attention. I guess Firefox wouldn't have be a more difficult target.
As soon as a trojan gets executed on your machine you can just hope you didn't do it with root-powers and that the trojan won't find a way to raise it's priviledges.
Unfortunately, people have their (usually unjustified) reasons.
Take, for example, my Mom. A month or so before coming home from school, I mentioned that I planned on building a new computer for myself over the summer. She told me that she was just about fed up with our home PC because it was so slow and working so poorly and crashing. I told her definitely not to go do anything silly like buy a new one, just yet.
So when I get home, she has since cleaned up a lot of stuff (she's fairly tech-savvy as far as Aunt Tillie-types go) and the computer is running OK. I immediately installed Firefox on the computer, and told her, my brother and sister to all start using it instead of IE.
I left a week later for my summer job (6 hr drive, first time I go back is this weekend). As soon as the IIS compromise issue came out, I e-mailed my Mom and made sure she was using Firefox because she had told me over the phone that she had a lot of spyware/malware problems. Of course she wasn't using Firefox. I asked her why the hell not and she says, "I'm old and don't want to have to take the time to learn something new" (she is co-owner of a financial consulting firm). So I explain to her how it's not anything new. A browser is a browser, you've got the back button, the forward button, hell, you can even import favorites. So whatever. That was a few days ago.
I called her last night to make sure she started using Firefox, and of course, she wasn't again. I asked her why and this is exactly what she said, "I may be superstitious or something, but ever since Mozilla was installed, that's when we started getting all the nasty stuff on the computer." Well I didn't want to be rude and point out what problems she was having before I got home from school, so I let it go when she promised I could show her how great Firefox is when I go home this weekend.
I only hope she's not using IE to check her bank statements, etc.
Some people are so set in their ways, like my uncle, for example, who refuses to wear a seatbelt. I feel like switching browsers is the same situation. If anyone has any recommendations on how to convince people that are utterly unconvinceable to switch to Firefox, please let me know.
According to the linked article, this BHO phones the mothership located at:
http://www.refestltd.com/cgi-bin/yes.pl
www.refestltd.com is 66.226.64.11; the ARIN pull is below.
I'm on the phone right now with Matt of Abacus America to get the website taken down.
I am saddened to think that I'm the first one that's bothered to go to the trouble...
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5276 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27
TechHandle: AD384-ORG-ARIN
TechName: A Net DNS Administrator
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net
OrgTechHandle: ANETS-ARIN
OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: support@aplus.net
# ARIN WHOIS database, last updated 2004-06-28 22:17
# Enter ? for additional hints on searching ARIN's WHOIS database.
So there's a list of 50-or-so banking sites that the malware picks up. Where's the list? How can I know if I need to call home and tell the wife to NOT use online banking until I get home or not? Also, what's the quick way to tell if I have the malware or not? Does it drop a dll, exe or something somewhere? I *hate* things like this where it's reported that "you might be infected" -- tell me what clues I can look for to know. Tell me which (if any?) IE fixes subvert this. Tell me which A/V vendors have patches to prevent it (if any). Aargh.
For example, I used to work for Cablevision's Optimumonline service. I would sit in meetings and go on and on about how we should support, even lightly suggest our customers use Mozilla. One of the biggest avoidable call drivers in our Call Centers was people complaining of pop-ups. Another large driver was Spam. Mozilla is a great tool for handling both of those problems.
The Higher Ups weren't interested in my ramblings. They would point out that we support IE, Netscape, Outlook Express and Outlook. They eventually came around and offered support of Safari but on a very limited basis (not that it needs anything more).
The biggest problem that most ISPs face is uneducated consumers. Their machines get hijacked and in turn Spam the World, which causes other users to complain and blame the company. These machines also eat up Network resources, again causing other users to complain and blame the service. Don't forget the users that click on EVRERY pop-up that comes their way, thereby infesting their machine with spy-ware to the point that even opening IE is near impossible. Again, this is blamed on the service.
Granted the Mozilla fam aren't really out of the "beta" fase, but I see less Firefox, and Mozilla fixes then there are for IE. Being that Netscape and Mozilla are half-siblings (in a sense) why not support it? It's not like the support staff needs to be re-trained.
People don't care what browser they use, they want one that is intuitive, free, and functional to their needs. I think the Mozilla branch does that. With firefox 9.1 out today, why are people still using IE? Better yet, why aren't ISPs telling people NOT to use IE? It would save them a fortune and a company not looking to save a fortune..... should be investigated!
I boycott signatures
So apparently I'm the frist one to RTFA, because I would think someone would have commented on this by now. This bug sends your passwords to a script at , and refestltd.com appears to be in the business of (or at least it points to someone who is in the buisness of) selling anti-spyware software. Coincidence? Conspiracy? Joe-job? Bueller? Bueller?
Media that can be recorded and distributed can be recorded and distributed.
-kfg
While this naively may seem like a good idea, it has enormous potential to blow up in your face.
By installing software on a computer-illiterate person's computer, you are implicitly taking *personal* responsibility for that computer, whether you want to or not. From that moment forward, that person will insist that you provide free technical support for them whenever you need it. Refuse this, and you will cast a bad light on open source. (ie: That Mozilla thing broke my Internet and no one will help me!) From experience, Murphy's law will go into effect, and any and every thing will go wrong.
Be wary whenever you offer to help someone with their computer. I have been so burnt out from helping so many people over the years that I refuse to help anyone, even family members, or even talk to them about computers.
Like it or not, open source cannot forever rely on legions of selfless geeks helping everyone. It's just not infinitely scalable. "Mainstream" open source projects like Mozilla, OpenOffice, etc need to 1) proactively focus on usability by recruiting (by paying if necessary) human-computer interface experts and focusing all development on usability and 2) forming political relationships with as many computer manufacturers, banks, and any other organizations we can to get our stuff in front of mainstream users. There is already some movement on these fronts, but it needs to be at least an order of magnitude greater.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
We'll just add the following Javascript into websites:
//
var userAgent = navigator.userAgent;
var MSIEIndex = userAgent.indexOf("MSIE");
if (userAgent.indexOf("Win") != -1 &&
userAgent.indexOf("MSIE") != -1 &&
userAgent.substring((MSIEIndex + 5),(MSIEIndex + 8)) >= 5.5)
window.location.replace("IE_BAD.htm");
and let those still using IE suffer.
---
IMHO, of course.
May the SOURCE be with you.
I am tired of trying to propose solutions to the problems brought about with the large numbers of ignorant users using MS software. I'm also tired of trying to fix problems that these users repeatedly cause. Government and law enforcement doesn't seem to care, so I'll propose this solution:
In nature, when a population gets too large there's a die-off. Usually this die-off is caused by disease or starvation. The better adapted creatures survive and live on.
We can use the fox and rabbit scenario here.
The malware writers are the foxes and the ignorant users are the rabbits. In our case the foxes don't eat the rabbits, but instead hijack the rabbits' computers for fraud, spam, pop-ups, etc. Foxes die by giving up and moving on to more lucrative off-line crimes.
The rabbits don't eat anything but are increasing in numbers by simply hooking up machines to the Internet. Rabbits die by cancelling their AOL accounts and stop using the Internet.
Right now there are a ton of rabbits (and more every day) and the fox population is exploding.
If we just sit back and let natural selection take its course, the ignorant rabbits will become sufficiently frustrated with their Internet experience and give up. The foxes will concentrate even harder on the remaining rabbits (who will be better adapted to counter the foxes' attacks) or start writing malware for the rest of the rabbits or face a massive die-off as well.
Those that are able to adapt do so by either keeping their machines properly patched or learn to use alternative browsers (or operating systems). These rabbits will then have a better Internet in the end because we will have a better class of users and software.
There's plenty of educational material out there for ignorant users to read. Practically every day there's something in the newspaper about how to protect oneself from these attacks.
The Zombies and SpamBots will make life a hell for the rest of us, but that's a short-term problem in this model. That should fix itself after the die-off itself.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Someone could just as easily program a plug-in for Mozilla/Firefox/whatever that does the same thing as BHO? Do you also think that all operating systems are equally secure inherently? Is it just as easy to program in Python as it is to program in Pascal? Microsoft has a long history of creating application environments that offer extensibility through plug-ins that are inherently prone to security exploits. This makes it easier to create exploits for their products.
IE is the target because a high per cent of people uses it. If it was 50% IE and 50% Mozilla I'm sure we would see a lot more activity on trying to create ad/spy/trojan-ware for all browsers.
Like back in the day, when Netscape ruled the browser market? Yep, there were a lot of adware/spyware/trojan-ware apps back then.
Maybe you should be happy that IE is used by so many.
Actually, no. I think most people would be a lot happier not to have to deal with such a crappy browser that is always introducing security problems, isn't standards-compliant, and doesn't have any of the most recent "must have" features that so many other browsers share. It would be easier for web developers, users, and security managers if IE weren't such a piece of crap.
Read the EFF's Fair Use FAQ
Isn't Firefox with its plugins system also susceptible to malware? How secure is the area in which plugins can play? It would be interesting if someone would take up the challenge of writing a similar piece of software as a plugin for Firefox and see if they can insinuate it in the Plugins repository.
It's not that I wish such a thing on people, but I'd like to know how secure the repositories are and what kind of damage we're looking at if it isn't.
Here in Switzerland, the online banking system is the same with "scratch-list" or a list of one-time passwords that are used one by one for each access to the online banking service. Recently, UBS and some other banks have even a better solution. Instead of a paper list that somebody may secretly take a copy of, they give the customers some type of smartcard and a special small calculator-like device to read it. Each time you access the bank's website to do some banking transactions, you enter your user and password, then a number is displayed on the screen. You enter this number in the card-reader holding the smartcard you have, and it returns back a hash value that you enter in the webpage. Now, each user have a unique smartcard and the number that the webpage generates is random so there is practically no way to predict the needed hash value to access the banking record unless you can physically access the smartcard. And needless to say the smartcard has itself a user selectable password that can be changed using the card-reader to protect it against theft. This way, even bank employee can't steal your password and/or scratch-list!
I sent a mail to all the company when last friday's attack hit the media. I told people to be careful with IE and if they wanted a browser that didn't have that problem download firefor (provided a link).
The company's CTO mailed me back and told me:
"Despite we give users admin right in the [w2k and XP based workstation] machines, you cannot install software without first checking out with the IT department. This is more important when we are talking about basic OS components, specially to those doing web development because it could lead to diferent rendering results."
My answer was: "I never told them to install anything in the office PC, I assume some might have a PC at home."
What I like is the part where he think a browser is a basic OS component.
I really must stop watching Comedy Central.
I don't want knowledge. I want certainty. - Law, David Bowie
Tear everything down and start again. If you can get someone to properly document your kernel, so that your own employees will have a chance of understanding it, go that deep.
Go as far as you need to to actually secure your OS and supporting suite. People aren't going to put up with this crap forever.
Windows had the potential to be a good system when you originally bought DOS, until you started piling "functionality" onto it.
Do you see what I did there?
Okay, this idiot must want to get caught. To you aspiring virus/trojan writers out there: DO NOT have your virus/trojan send information to a web site. Send it to a newsgroup. Geez. Encrypt it if you must, but don't send it somewhere where you can be tracked. Send it somewhere where you can get it anonymously. Man, moron hackers out there. It's like that idiot Slashdot reported on yesterday who got caught on the extortion deal when he told them who to make the check out to.
Here is a sample of an email I sent recently:
With the almost daily anouncements from Microsoft about security vulnerabilities in Internet Explorer web browser, I now use the Mozilla.org web browser. Unfortunately, the BANK-NAME web site requires Internet Explorer. I very much enjoy BANK-NAME's online services, but do not feel secure using software that has a negligible sercurity record. I will be doing all my banking and account access directly at my branch office until I am able to access my online account with a more secure browser. Thank you much for your time.
Sincerely,
my-name
itadakimasu
Maybe you didn't install it right? I'm using Firefox right now to type this...
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
penalize them for failure to reveal risk.
Maybe the problem is with another part of your system? I only wonder this because I've been using Firefox as my primary browser since the day 0.1 was anounced on slashdot. I've never seen it lock up once, and I have slashdot set as my homepage.
I regulary use it on different platforms, and have deployed it to a network of over 500 windows computers, and never had a single problem reported.
I've probably seen firefox crash less than five times in this time. Not bad for a 0.x release really.
This is actually a known hole. Even SP2 doesn't fix this. Basically the file is downloaded as a .gif file (xxx.gif). Javascript commands to ActiveX then rename the file to xxx.gif.exe. Then execute it. This exploit will actually work even if you have ActiveX disasbled.
Quit playing Monopoly with Bill.
Linux - of the people, by the people, and for the people.
So rename Iexplorer.exe to Iexplorer.exe.bak and make a shortcut to firefox.exe. Any app that tries IE will really get Firefox. You can also "uninstall" IE under MS Windows. You don't really get to uninstall the core IE stuff, but you can remove Iexplorer.exe which is just a crappy front-end to a crappy engine. At least this way no app could use Iexplorer.exe directly.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
something as simple as the OS prompting for an account password (ala just about any flavor of *nix comes to mind), would do wonders for windows pathetic security...i looked around all the new features that are said to be included with win xp sp2...this wasn't among them....
why is it that the second that i have logged in, anyone could sit down and my system and if i happen to not have a password on the screen saver or have the system set to automatically log me out after x minutes of activity, ANYONE could install ANYTHING on my system...and just extend that a brief moment to any perpetrator online installing malware and any other executable trojan to turn a windows box into a spam zombie....
i just don't buy that MS is serious about security...this is a pretty easy solution that shouldn't take months of ripping apart the OS for implementation....
i don't get it...?
PS - i'm not trolling, i'm serious...this seems like a pretty simplistic fix that wouldn't take a rocket scientist to figure out...
- bliSS
the only difference between a rut and a grave, are the dimensions
Such pinpads are used in high security (mainly military) installations, and have been around for decades. The problem is as soon as you start using them in situations where the userbase does not have maximum security drummed into their heads, anything that makes it more difficult for them to enter their PIN just increases the chance that the PIN gets written down and kept in their wallet. Usually when I type numbers on PIN pads, my memory recalls them positionally rather than numerically, and many other people are the same.
As of 7:11 PM Eastern Time (1.5 hours after my phone call), the site is now offline.
For those of you who don't take the time to read the analysis of the trojan, here's what is said:
.chm file. At the same time, it appears to have executed a script on .chm exploit, shown above is likely used to rename and execute this
The HTML here attempts to exploit a known flaw in Internet Explorer to load and
execute a
www.mymaydayinc.com called photos.php. At this point, the packet captures provided
by the victim end, but it is possible to make some intelligent guesses as to what happened
next.
The victim of the attack found a file called "img1big.gif" had been loaded onto their
machine. Because of the account restrictions on the person running the machine, it had
failed to install properly, which was why it had come to their attention. It is this file that
they forwarded to the SANS Internet Storm Center for analysis.
The file "img1big.gif" is not a graphic file at all. It is actually a 27648 byte Win32
executable that has been compressed using the Open Source executable compressor UPX.
(Hypothesis: the
file.)
So basically, it allows a CHM file (Compiled Help, used in your standard help files) to auto-install a DLL, which in turn regisers itself as a Browser Helper Object (BHO). BHO's are typically used for things like Browser Toolbars (like the one Google provides).
Microsoft should not allow auto-execution of any file type. It should be an easy fix to IE though.
Really, most of those people who won't switch are just plain afraid to do it. They get their machines broken and stuffed with malware while doing nothing wrong! No matter what they did last week to make it better, this week there's something else that will break their machines. They barely can run what they have now, so they get scared to start from scratch with a brand new learning (and potential expense in their minds) experience. These things -das komputarz- are sold all over as "easy to use", All you are supposed to have to know is click here, fill in the blank, click again, get online, open browser, go surfing. Really, see the ads for computers all over. NEVER do they claim it's hard and you will need to jump through hoops daily. People know that kindergarteners 'can use computers' now, so in their minds any normal adult can just get one, turn it on and use it.
So, they do that, they buy one, get online, 15 minutes later they get borked. They surf for a week, they got 293 weirdo scripts, cookies, warez, whatevers crawling all over their machines and the thing barely moves. They haul it to the local shop where the helpful windows computer expert trusted computar guy charges them 50$ to run a few cheap programs against it, it gets cleaned up. They drop another 50$ on an antivirus program at his recommendations. Next week it's broken again, back to the shop. 50$ to fix it, another 50$ to get a "firewall". Back home. Next week they get borked again, then they say "FxxK IT! Enough!" they won't care after that point, and no way do they want to start fresh all over with something new that is pushed the same exact way they got borked in the first place, with the recommendation of "go ahead, drive it, it's easy, a kid can do it, it's the same as you had before, just different".
Uh huh, that's gonna make them want to switch. Yep. Sure it is.
That's my theory anyway
There's little to no long term money in making windows or explorer secure or functional. What would they sell from then on if they actually released a product like that? They'd sell it ONCE, that's it. You wouldn't have a need to upgrade. You wouldn't need mr. fixit and even more expensive mr. consultant. And now MICROSOFT is going to sell antivir because their crap is so lame and PEOPLE WILL BUY IT!
There's a cubic metric boatload of megatons of money in making MSOS and browser (and server and email client and etc) *almost* secure and *almost* functional, for microsoft themselves down to the thousands of helpful windows/computer experts at the local whitebox stores and in the consulting yellow pages.
Try "BHO Cop", kinda old but Source Code is included.
http://www.pcmag.com/article2/0,4149,270,00.asp
HTH
L053R
Well, you must never have really RTFM with Opera then(probably Firefox either).
1. On Win (which I must still use sometimes), ffox is the slowest of the 3 (especially re-draw), even though I'm always on the latest release.
Well, not having used Firefox, I don't know. But I find it hard to believe anything could be slower than IE in my experiance. 40+ seconds(on dial up true) to load a page that takes 11 seconds in Opera. Pathetic.
2. I can't get the other browsers to do the simplest, stupidest things I can do in IE, e.g.: drag/drop shortcuts between address-bar & folders, or File=>Send=>Shortcut To Desktop, or drag a link from a page to the address-bar (a sure-fire "use the same window, dammit"). I dunno, maybe I just didn't RTFM.
I can't grok why anyone in their right mind would want to do this, but I believe you can just go add to bookmarks that is at the top of the list inside a submenu in the bookmark list. Can't send a shortcut to the desktop... you can copy the address... again, I can't see any real reason to do this. It's pretty easy in Opera to open a link wherever you want, either as a button/click or rightclick option, but you can also drag a link from a page to the address bar.
3. I make genuinely productive use of toolbars (e.g. Google) unavailable on other browsers.
Again, in opera it comes default with a search option box for google, amazon, alltheweb, etc... You can add your own. Opera comes with pop-up blocking. I can't comment on other bars as I don't use them, nor have any idea which others you use but did not mention.
I don't grok the excitement of tabbed windows. I much prefer being able to position pages independently in separate windows. And if one of those windows crashes or hangs, I don't lose the others (or their back-traces).
You are very lucky, every time IE crashed for me, it took all it's windows with it, and the task bar(system tray stuff) - even in XP pro.
Opera has MDI, which is more than tabbed windows, you can arrange as desired inside Opera - much less task bar clutter. Ever tried the Continue from last time? Right back where you were - even after a crash, and keeps history (what you mean by back traces I think).
As for security, I do quite well with the combo of common sense, frequennt AV updates, SpyBot, AdAware, WebWasher, and very aggressive/paranoid firewall settings. (I love Agnitum Outpost, which lets me control cookies, ActiveX, JavaScript, etc. -- each *separately* -- on a per-domain basis.)
Well, I use AV, spybot etc, but since I stopped using Kazaa, and have been using Opera, guess what? I haven't found any spyware with SpyBor or AdAware (I don't use webwasher as it costs $$, and as I'm not getting infected I don't see the point of wasting money). Good firewall settings are a good idea, and I commend you. However I don't have to use my firewall to keep my browser in line just by using Opera. Much easier. Although, I do also recommend Proxomitron. Great ad control.
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
"When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE."
:(
So if I write protect this section of the registry so no user can write to it then IE will never load the BHOs? I starting to think that read-only for the entire "\Software\Microsoft\Internet Explorer" might be a good idea.
FYI: I work at an internet gaming cafe, I don't think I've ever seen so much spyware
I've experiments to run, there is research to be done on the people who are still alive.
In Germany and Austria, online banking requires a TAN (Transaction Authorization Number) for any operation that changes the account.
the TANs come one a one-time-pad kind of sheet and you can use each number once before they become invalid. Therefore, if somebody is scanning my TANs (along with other things), they can do exactly nothing with it.
The sheet of TANs is generated on some bank server and sent to me via postal mail.
Admittedly, i wouldn't want anyone browsing my bank account. But the damage they can do with that is limited (changing passwords and so on requires a TAN too).
I used to write off all these Microsoft problems as "well, they have 95% of the market, so that's why they get targeted for these things."
But this latest problem made me reconsider! I switched to Firefox (and Thunderbird!) yesterday, and don't miss IE and Outlook one bit.
Thanks, /., for encouraging me!
Best Buy can have you arrested