Slashdot Mirror


No-Click Phishing On The Way

An anonymous reader writes "MessageLabs has discovered a pretty nasty - though fairly crude - phishing scam which doesn't even require recipients to click on a link in order to hand over personal data. Simply opening the email is enough to activate a script which 'lies in wait for its victim' according to one report. The script rewrites the host files of the machine and directs users to a fake web page the next time they legitimately attempt to access an online banking page. ... However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."

301 comments

  1. Pegasus Mail! by rearl · · Score: 2, Funny

    ...doesn't execute HTML or scripts. Use it, be safe!

    1. Re:Pegasus Mail! by menkhaura · · Score: 1

      Mutt (http://www.mutt.org) is your best friend. No HTML, no scripts, no images, only text, only message.

      --
      Stupidity is an equal opportunity striker.
      Fellow slashdotter Bill Dog
    2. Re:Pegasus Mail! by TobiasSodergren · · Score: 1

      mutt is actually vulnerable to the Taliban virus!

    3. Re:Pegasus Mail! by coolsva · · Score: 3, Informative

      I'm sick of people suggesting not to use outlook/any other rich client.
      It is up to an individual to select if they want a rich experience in their emails. I, personally, would prefer plain old text mails, but that is a choice I made. A rich client like outlook supports rich mail, but the MIME RFC clearly recommends that if the mail contains HTML, it should be a html/txt MIME attachment, with a plain text copy attached as the main message. Thus, a non rich mail client can still display this primary message (which is supposed to be the simple text representation of the formatted rich mail, but often not followed by spammers).
      If grandma wants to send johnny a birthday greeting, trust me, in big letters with all formatting, it has more inherent value. If it has a flash content, so much the better.

      Flamebait: If you want to live in the dark ages, be my guest, just don't thrust your opinion/prejudices on the rest of us. Many of us are aware of the risks and have a conscious choice

    4. Re:Pegasus Mail! by freeze128 · · Score: 1

      Neither does Eudora 1.5.4. That's why I use it.

    5. Re:Pegasus Mail! by jsmarshall85 · · Score: 1

      eudora 1.5.4?????? you do know they are up to version 6.1 now right?

      --
      Jerry Marshall
    6. Re:Pegasus Mail! by Yakko · · Score: 1

      No, the users are vulnerable to the Taliban virus and other cross-platform "let's identify the stupid people" things like that there.

      --
      Me spell chucker work grate. Need grandma chicken.
    7. Re:Pegasus Mail! by Anonymous Coward · · Score: 0

      Ummm Pegasus Mail is too slow just doing email, I think it would probably explode if it tried HTML.

      Everyone kept saying use Pegasus, so I did. I forced myself to use it for a couple of weeks (PIII 500). It felt like I was paying penance the whole time. Switched back to Outlook Express and set my settings properly and I was much happier.

      Haven't tried the other ones (Mozilla/Mutt). But after the Pegasus attempt I'm a little gun shy.

    8. Re:Pegasus Mail! by LO0G · · Score: 1

      That's being rather pedantic.

      By the same logic, OE isn't vulnerable to this bug, it's the users that are vulnerable.

      And I'm not sure that the distinction is relevant.

    9. Re:Pegasus Mail! by jazman_777 · · Score: 1
      It is up to an individual to select if they want a rich experience in their emails.

      "Rich experience" is marketing gas for "style over substance."

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    10. Re:Pegasus Mail! by coolsva · · Score: 1

      Email is interpersonal communication, ergo, style. If people want substance, they would go back to old bulletin boards/usenet

    11. Re:Pegasus Mail! by jxs2151 · · Score: 1

      Yeah but 1.5.4 was really good. I still use it also.

    12. Re:Pegasus Mail! by Forthan+Red · · Score: 1

      Amen. Not only will it not run scripts, it's immune to image links that will notify the sender that the email address is valid.

    13. Re:Pegasus Mail! by tigersha · · Score: 2, Insightful

      Actually that is bullshit. There is a good reason things like boldface and italics and different font sizes and proportional letters evolved in print media many, many years before email came along. It improves readability. Dramatically.

      I seriously wish you snotty i-love-unix-terminal types who tell everyone in the world that monospace ASCII is good enough for everyone would read a good book about type design. Try Robert Bringhurst's Elements of Typographic Style.

      No, ASCII is not good enough. People like you make other people whine about the fact that computers are difficult to use. Remember, these things do not exist for the amusement of techies. They exist so that normal people can increase their efficiency.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    14. Re:Pegasus Mail! by some+guy+I+know · · Score: 1
      these things do not exist for the amusement of techies.
      No, but they should.
      --
      Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
    15. Re:Pegasus Mail! by Sheep+Sophy · · Score: 1

      ...doesn't execute HTML or scripts. Use it, be safe!
      DOS rulez!
      :-)

      Sheep
      Need your help: http://www.make-my-son-happy.us.tp/

    16. Re:Pegasus Mail! by freeze128 · · Score: 1

      Why, yes, I do know. I even tried a recent version, and it was SO SLOW compared to mine. As the programs get bigger, they also get slower.

  2. What by Pingular · · Score: 5, Interesting

    are people that are, for example, at work, and can't turn off Windows Scripting Host and certain ActiveX controls? Not open emails? Surely there should be a solution to this.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:What by Z4rd0Z · · Score: 1, Informative

      Maybe they can install a different browser alongside IE for doing anything personal. If not, then they're just screwed I guess.

      I doubt many people would be affected anyhow. If I understand correctly, the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people.

      --
      You had me at "dicks fuck assholes".
    2. Re:What by RAMMS+EIN · · Score: 2, Insightful

      These people don't have to do anything at all. Their company chose to use Windows, thus the company has to accept any consequences of that decision. If the company disallows users from making their Windows installation more secure, that's also the company's choice, and they have themselves to blame if it goes wrong.

      --
      Please correct me if I got my facts wrong.
    3. Re:What by hoggoth · · Score: 4, Insightful

      > the attacker would have to know the URL you go to for online banking and replace it in your hosts file with a different site. It seems unlikely that it would work on too many people

      Yeah, because it would be too hard to fill a hosts file with the URLs for Citibank, Chase, BankAmerica, and the rest of the top 10 or top 100 banks. Nobody could do that.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    4. Re:What by Lord+Kano · · Score: 5, Insightful

      Yes. Don't do your personal banking at work.

      If the company's information gets phished because of inept IT staff, that's not your problem.

      Unless of course, you ARE the IT staff.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    5. Re:What by xNoLaNx · · Score: 1

      Doesn't seem too difficult, people have large host files already. Just replace some major banks to start with, bank of america, wamu, blah blah, covers a lot of people.

    6. Re:What by Rie+Beam · · Score: 1

      I guess you'll have to avoid doing critical home banking from work, then? Or perhaps use an alternate method of retrieving e-mails?

    7. Re:What by Anonymous Coward · · Score: 0

      They should complain to their idiot IT departments. Those IT departments should have turned off ActiveX in Outlook and Outlook Express long ago as part of a standard desktop setup. It shouldn't be the user's problem.

    8. Re:What by Anonymous Coward · · Score: 0

      Most Corporate security will not ever let the user bork the hosts file. Also they usually turn up the security on everyone but trusted sites..i.e. intranet.

      Only those that run as administrator equivalent, and are crazy enough to use outlook need worry here.

    9. Re:What by CatLord42 · · Score: 3, Insightful

      Right, and if you work at one of these companies and your information gets phished, they'll take care of it for you...

      --
      Meow. Now!
    10. Re:What by Z4rd0Z · · Score: 1

      Right. No one could. Because I'm on OS X! Hah! I actually just replaced my banking login URL in my hosts file and it still loaded as normal. OS X must not consult the hosts file.

      --
      You had me at "dicks fuck assholes".
    11. Re:What by magefile · · Score: 1

      Bzzt, wrong! You have to restart networking services (in Redhat, not sure what OS X calls it) or reboot, first. Thank you, goodbye, you[ and your hosts file] are the weakest link.

    12. Re:What by Yakko · · Score: 1

      MacOS X does consult /etc/hosts if you put FFAgent in the LookupOrder for Netinfo. I've done this. It's not the default for MacOS X, though.

      --
      Me spell chucker work grate. Need grandma chicken.
    13. Re:What by Z4rd0Z · · Score: 1

      Actually, you're wrong. We both were. You don't have to restart networking, because I just tried redirecting my banking URL and it worked. Hmm...now I'm not sure why it didn't happen the first time.

      --
      You had me at "dicks fuck assholes".
    14. Re:What by Deviate_X · · Score: 2, Insightful

      It should be noted that Windows Scripting Host and "Certain ActiveX controls" have to be downloaded and installed manually and configured by the administrator, and are not installed and configured by default.

      That's why this is classified as extremely low risk. It is simply a demonstration (concept) of a method of spoofing a website by modifying the host files.

    15. Re:What by crimethinker · · Score: 1
      are people that are, for example, at work, and can't turn off Windows Scripting Host and certain ActiveX controls? Not open emails? Surely there should be a solution to this.

      You might consider not doing your online banking from work? (Yeah, I'm a hypocrite, browsing /. from work, but it's lunch break right now.)

      Another possibility, if you have or can get enough control of the machine, is to install F/OSS alternatives. My corporate standard is Outhouse and Internet Exploiter, but I'm typing this on Firefox, and I'll check my e-mail in Sylpheed-Claws once I'm done. My IT guy knows about it, and doesn't raise a fuss, because I don't ask him to fix things when they (rarely) go wrong.

      -paul

      --
      Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
    16. Re:What by Heem · · Score: 2, Insightful

      Policy also probably says that you can't use your work computer for anything but work, and unless you happen to be the finance person checking the company account, you shouldn't be doing your banking at work, sure everyone does it, but in a contract/liability sense - you weren't supposed to.

      --
      Don't Tread on Me
    17. Re:What by Lord+Ender · · Score: 2, Insightful

      Informative? Read the writeup. It doesn't matter which browser you use. Opening email overwrites your hosts file (for you nooobz: your hosts file is like a local DNS server). Any browser that tries to go to your bank (by domain name) will go to their fake site instead.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    18. Re:What by shokk · · Score: 1

      Don't programs like Spybot S&D now watch out and intercept things like host file and start menu/registry manipulation to help you detect when spyware is attempting to load?

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    19. Re:What by pcardoso · · Score: 2, Informative

      it does, and you don't need to restart anything.

      the thing is, if you already accessed the url, the result for the dns query (or hosts file) is cached and it doesn't need to do the query again.. try it with a url you never accessed before.

    20. Re:What by DocSnyder · · Score: 1

      If you're using a proxy, the browser doesn't (shouldn't) care about DNS lookups or the host file, except for finding the proxy itself.

    21. Re:What by legirons · · Score: 1

      "Surely there should be a solution to this."

      Well yeah...

      "I'd like an email client that automatically runs programs which were sent to me by email"

      Is it just my imagination, or is that an utterly retarded way for an email client to behave?

    22. Re:What by Kyosuke77 · · Score: 1

      But shouldn't /etc/hosts only be editable as root or with a sudo? Mac OS X has lots of nice security checks like that.

      --
      GET THEM INSIDE THE VAULT!
    23. Re:What by chochos · · Score: 1

      Not by default. By default, it uses the NetInfo database. Type into a terminal:

      nidump hosts /

      or

      nidump hosts .

      and you get the real list of hosts that OSX is using (unless you fiddled with the configuration and set it to read the /etc/hosts file).

    24. Re:What by Anonymous Coward · · Score: 0

      Software restrictions. Unless set up badly, instantly kills all scripts and most baddies, especially for restricted users.

    25. Re:What by Anonymous Coward · · Score: 0

      Many people at work would be pointed at a proxy server, and the hosts file wouldn't come into play.

      Of course, the vulnerability allows the black hat to account for that as well.

    26. Re:What by Anonymous Coward · · Score: 0

      Yes. Don't do your personal banking at work.

      Kinda tough when you're expected to work 12-hour days (the alternative being you train your Indian replacement).

    27. Re:What by Technician · · Score: 1

      Yeah, because it would be too hard to fill a hosts file with the URLs for Citibank, Chase, BankAmerica, and the rest of the top 10 or top 100 banks. Nobody could do that.

      I like an old DOS program. It was simple and worked well. It ran from the Autoexec.bat file. It simply would run a checksum on designated files. If the checksum was changed, it would pause and display the name of the altered file and its checksum error.

      I've thought about loading it into Windows to protect some files. Too bad it's impossible to use on the registry. It gets too many automatic changes to protect it as a non-changing file. However protecting things such as the hosts file should be easy. If you do alter your hosts file, you will have to update the checksum in the batch file to reflect the change.

      In Linux, use a checksum checker as part of your logon script and you won't get burned with an altered ls or other file. Knowing something that shouldn't ever be changed, has been replaced, goes a long way in system awareness. Knowing your ls has been changed is a good warning something is seriously wrong.

      --
      The truth shall set you free!
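The checksum check described in the comment above, applied to a hosts file, as an added example that is not part of the thread or any commenter's code. It goes one step beyond a bare checksum by also reporting which name-to-address mappings were added or removed; the sample file contents, the `203.0.113.10` address and the `examplebank.test` names are constructed for illustration.

```python
import hashlib

# Constructed sample contents (not taken from any real machine).
KNOWN_GOOD = b"# constructed sample hosts file\n127.0.0.1 localhost\n"
TAMPERED = KNOWN_GOOD + b"203.0.113.10 www.examplebank.test examplebank.test\n"


def parse_hosts(text):
    """Return the set of (address, hostname) pairs defined in a hosts file."""
    entries = set()
    for raw in text.splitlines():
        # Everything after '#' is a comment; fields are whitespace separated.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            # Host names are case-insensitive, so normalise before comparing.
            entries.add((address, name.lower()))
    return entries


def make_baseline(data):
    """Record the checksum and the mappings of a hosts file known to be good."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": parse_hosts(data.decode("utf-8", "replace")),
    }


def compare(baseline, data):
    """Compare current hosts-file bytes with the baseline.

    'changed' is the plain checksum test from the comment; 'added' and
    'removed' show which mappings differ, so an edited comment can be told
    apart from a new redirect.
    """
    current = parse_hosts(data.decode("utf-8", "replace"))
    return {
        "changed": hashlib.sha256(data).hexdigest() != baseline["sha256"],
        "added": sorted(current - baseline["entries"]),
        "removed": sorted(baseline["entries"] - current),
    }


if __name__ == "__main__":
    baseline = make_baseline(KNOWN_GOOD)
    for label, data in (("unchanged", KNOWN_GOOD), ("tampered", TAMPERED)):
        result = compare(baseline, data)
        print(label, result)
```

As the comment notes, a legitimate edit to the hosts file means recording a new baseline afterwards.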
    28. Re:What by R.Caley · · Score: 1
      at work[...]

      Don't do personal stuff on computers you don't have control of.

      If work related information leaks this way, then your IT people have just learned a lesson. If they don't learn a lesson, start looking for a job at a less doomed company.

      --
      _O_
      .|<
      The named which can be named is not the true named
    29. Re:What by rew · · Score: 1

      Policy also probably says that you can't use your work computer for anything but work,

      OK. I am the guy making the policies here, and in my opinion, people are more effective if they are having fun as well. If you enjoy a moment of "time off" reading slashdot, that's fine with me. If you just have to do some quick banking things from work, fine.

      and unless you happen to be the finance person checking the company account, you shouldn't be doing your banking at work, sure everyone does it, but in a contract/liability sense - you weren't supposed to.

      It's a small company. I'm the finance person doing the company banking things. Now what?

      The thing is, these "controls" are there for a reason. Turning them off disallows these scripts from taking over your computer. But apparently there are some websites or somesuch that simply use the features provided by this type of script. As their computer won't allow some functionality they enjoy, people are always tempted to turn these things on.

    30. Re:What by Anonymous Coward · · Score: 0

      Stop saying Bzzt. It's fucking annoying.

    31. Re:What by Anonymous Coward · · Score: 0

      Why would you have (non-company related) personal information on your company's computer in the first place?
      You should be doing all of that stuff from your home machine.

    32. Re:What by Anonymous Coward · · Score: 0

      How much banking do you do that you have to spend more than a half-hour or so per week?
      You should be able to do it while you're cooking dinner or listening to MacNeil/Lehrer.

      Also, if you are doing banking and other personal stuff at work, rather than doing actual work, then you have nothing to complain about if your company wants to replace you.

    33. Re:What by hoggoth · · Score: 1

      > run a checksum on designated files

      It's called TripWire, and it's an excellent program.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    34. Re:What by Technician · · Score: 1

      It's called TripWire, and it's an excellent program.

      That's one version. The one I used in the old DOS days wasn't called Tripwire. I didn't mention any by name. There were several and for several OS'es.

      --
      The truth shall set you free!
    35. Re:What by CatLord42 · · Score: 1

      Sometimes the line blurs between the company related personal information and the non-company related personal information. For example, if your job requires any travel, even if the company sponsors a credit card for you, it's still your credit card. If you have to make travel arrangements or order stuff online, you have to use your personal information in spite of the fact that it is for company business.

      --
      Meow. Now!
  3. you've been served by bathmann · · Score: 5, Funny

    No-click phishing? That's infringing on Amazon's one-click patent!

    1. Re:you've been served by Anonymous Coward · · Score: 1, Insightful

      IANAL. no, it's quite different.
      now if amazon patented no-click shopping (we send you stuff because your profile says you like the over-stock stuff we have), then they might have a case.

    2. Re:you've been served by ManoMarks · · Score: 1

      No, they have a prior patent. The phishers are suing Amazon for infringement.

      --

      That's gotta fit into your schema somewhere

    3. Re:you've been served by Anonymous Coward · · Score: 0

      lol newbie lol, but...

      where does the phrase 'you've been served' come from? And why is it funny?

      Don't fall out of your chairs laughing, now

    4. Re:you've been served by Anonymous Coward · · Score: 0

      Quick! Someone send a message to Bill about MS prior art on the Amazon 1-Click patent. He's sure to open it!

    5. Re:you've been served by The+Ultimate+Fartkno · · Score: 1

      "You've been served" is a combination reference. "To be served" is to receive formal notice that you are being sued. "You got served!" is a rarely used phrase in the American hip-hop community that basically means "You got shown up in public!" or "I bet you feel stupid for bragging that you're the best, since that six-year-old girl just made you look like an idiot!" It's a rarely-used phrase because there was a seriously embarrassing movie released with the same name. It's even funnier because the movie was supposed to make a major star out of the lead actor Omarion, who quit his mediocre R&B band B2K on the assumption (and reassurances of his manager/father) that this movie would make him a breakout singer/actor/astrophysicist multimedia talent. The movie came out, tankality ensued, and now "You got served!" is pretty much a punchline.

    6. Re:you've been served by Anonymous+Custard · · Score: 1

      now if amazon patented no-click shopping (we send you stuff because your profile says you like the over-stock stuff we have), then they might have a case.

      Hasn't BMG music club already patented that?

  4. So that's the reason by Anonymous Coward · · Score: 5, Funny

    The virus apparently also redirects visitors of AOL Support Forums to Ask Slashdot, which explains the recent postings.

  5. definition by Coneasfast · · Score: 4, Informative

    for those who don't know what phishing is, see the definition

    [Phishing] is the luring of sensitive information, such as passwords and other personal information, from a victim by masquerading as someone trustworthy with a real need for such information.

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
    1. Re:definition by Anonymous Coward · · Score: 3, Funny

      for those who don't know what phishing is

      Slashdot - news for n00bs, stuff that confuses

    2. Re:definition by jandrese · · Score: 1

      Didn't this used to be called Social Engineering? One band does a stupid little prank and suddenly everybody uses their name.

      --

      I read the internet for the articles.
    3. Re:definition by Anonymous Coward · · Score: 0

      It has nothing to do with the band. Phishing is derived from phreaking and fishing.

      Everyone should already know this, so please don't mod me up.

    4. Re:definition by Carnildo · · Score: 1

      Social Engineering covers a much wider range of activities: any non-technological technique for getting protected information. Rubber-hose cryptography, for example, is social engineering. So is sending a fake OS update that really installs a rootkit.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    5. Re:definition by Frizzle+Fry · · Score: 1

      No, using an activex exploit to change someone's hosts file was never considered social engineering.

      --
      I'd rather be lucky than good.
    6. Re:definition by WillWare · · Score: 1
      Laugh about this if you want, but phishing emails have a much higher success rate than ordinary spam. There are people getting hurt by this. Maybe everyone you care about is Internet-literate, but I care about lots of people who aren't.

      I'm older than most Slashdot readers. I'm still young enough and mentally alert enough to recognize when something is screwy. The first time I got a 419 email, I could see there was something obviously wrong. Fast-forward a very small number of decades. I'm retired, I'm out of the loop, I've probably lost a few IQ points, and I'm on a fixed income. I might not be clever enough to recognize the next scam. I might get taken to the cleaners.

      Speaking as somebody a little closer to the end of his life than many here are, I find this kind of stuff very worrisome.

      --
      WWJD for a Klondike Bar?
  6. same thing works on linux by Anonymous Coward · · Score: 5, Funny

    but you have to manually make the suggested changes to your /etc/hosts file after getting root access and using your editor of choice.

    not quite "no-click", but linux does support this feature.

    [/humor]

    1. Re:same thing works on linux by soulctcher · · Score: 1

      Actually, this would be a "no-click" feature in linux. +1 for nobs!

    2. Re:same thing works on linux by Koohoolinn · · Score: 0, Redundant

      I can do all that without even touching the mouse so "no-click" is possible.

      --
      Deze sig is in 't Nederlands geschreven.
    3. Re:same thing works on linux by ross.w · · Score: 1

      All those stupid people who browse as root and have Java enabled in their browser would be vulnerable to this.

      --
      If my call is important, why am I talking to a recording?
  7. thats why by Anonymous Coward · · Score: 2, Funny

    that's why I never keep any personal info on a computer. in fact I have outlook filled with entirely made up crap. names like 'hootie McBoob' and such

    1. Re:thats why by Anonymous Coward · · Score: 0

      My name is Hootie McBoob, you insensitive clod! I was wondering why my bank account suddenly emptied.

    2. Re:thats why by Anonymous Coward · · Score: 0

      Chesty La-rue ?

  8. Law enforcement? by DogDude · · Score: 0, Flamebait

    I find it hard to believe that our gov't is willing to spend $200 Billion to bomb the living fuck out of a country for no good reason, but can't get their shit together enough to start arresting people for the avalanche of fraud online.

    --
    I don't respond to AC's.
    1. Re:Law enforcement? by Flabby+Boohoo · · Score: 0, Troll

      Oh, they can. And then you would cry that your personal freedoms are being infringed on.

    2. Re:Law enforcement? by Anonymous Coward · · Score: 0

      because phishing doesn't make them rich ?
      easier to steal money from investors (like Ken Lay) and be rich for eternity without any fear of long jail terms or people killing you for ripping them off

    3. Re:Law enforcement? by aurb · · Score: 2, Funny

      Are you saying they should start arresting Microsoft programmers?

    4. Re:Law enforcement? by throughthewire · · Score: 1
      I find it hard to believe that our gov't...can't get their shit together enough to start arresting people for the avalanche of fraud online.

      They've started: The Federal Trade Commission has filed suit against Sanford Wallace, and U.S. District Court Judge Joseph DiClerico Jr. granted a temporary restraining order - ruling that Wallace and his businesses must refrain from exploiting Internet security vulnerabilities.

    5. Re:Law enforcement? by stinkyfingers · · Score: 2, Insightful

      I find it hard to believe that our gov't is willing to spend $200 Billion to bomb the living fuck out of a country for no good reason, but can't get their shit together enough to start arresting people for the avalanche of fraud online.

      What's so hard to believe? When they spend $200 billion to bomb the living fuck out of a country, they have a reason. It's called cronyism. Halliburton, oil infrastructure companies, and military contractors get a big-ass portion of that $200 billion.

      When Halliburton can figure out a way to make an assload of money off of eradicating online fraud, this government will get serious about stamping it out.

    6. Re:Law enforcement? by Anonymous Coward · · Score: 0

      It's a bit easier bombing the hell out of another country than it is your own.

    7. Re:Law enforcement? by AndroidCat · · Score: 1

      Since some of the phishing sites are in China, that could get interesting.

      --
      One line blog. I hear that they're called Twitters now.
    8. Re:Law enforcement? by Slime-dogg · · Score: 2, Insightful

      Yeah, especially when those fraudulent jerks are outside of the US.

      Wait a second...

      --
      You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    9. Re:Law enforcement? by Anonymous Coward · · Score: 0

      Some people consider a human life more valuable than the results of fraud. Maybe we should put people you care about thru a wood-chipper, and start torturing the shit out of you and see if you want to free yourself, or worry about online fraud.

    10. Re:Law enforcement? by khrtt · · Score: 1

      ...$200 Billion to bomb the living fuck out of a country for no good reason

      I find it hard to believe that our gov't is willing to spend $200 Billion to bomb the living fuck out of a country for no good reason, but can't catch a single fucking terrorist Osama, who caused all the FUD that prompted our brave voters to vote for a guy with no common sense yesterday simply because he is crazy enough to bomb the living fuck out of small countries for no good reason. Duh. For the next 4 years we have a government that, instead of actually catching terrorists, uses their crimes to justify revenge against personal enemies of the president's father. Do you seriously hope that that government would care about any computer-type crime, or any economic matters whatsoever?

      This post is funny, you can start laughing now. Don't know about you, I'm seriously thinking about "outsourcing" myself to ... say India ... for a while ... until next U.S. election. And that time around, I might just be voting in Ohio:-)

    11. Re:Law enforcement? by khrtt · · Score: 1

      Yeah, especially when those fraudulent jerks are outside of the US.

      Are you sure the US is not preparing to invade their countries, say, in order to help fight spam there?

    12. Re:Law enforcement? by swb · · Score: 2, Insightful

      Terrorism or not, why doesn't the government track all kinds of online fraud generally?

    13. Re: Law enforcement? by Alwin+Henseler · · Score: 1
      Yeah, especially when those fraudulent jerks are outside of the US.

      No problem there for law enforcement, as the bulk of spam is coming from the US anyway...

    14. Re:Law enforcement? by Anonymous Coward · · Score: 0

      You need to spell online fraud as OIL fraud to get some reaction from the US Gov...

    15. Re:Law enforcement? by Anonymous Coward · · Score: 0

      They did. Look at the (very) recent operation firewall. This is exactly the sort of thing that helped prevent.

    16. Re:Law enforcement? by NegativeCreep · · Score: 0
      Some people consider a human life more valuable than the results of fraud. Maybe we should put people you care about thru a wood-chipper, and start torturing the shit out of you and see if you want to free yourself, or worry about online fraud.

      And some DO consider a human life more valuable than the results of fraud. Oh wait, what do bombs do again... or... wood-chippers... what do they do to slashdot posters?

    17. Re:Law enforcement? by Anonymous Coward · · Score: 0

      China could kick USA ass. Cos USA like to brag how powerful and hightech they are on TV, but they are getting their ass kicked by untrained and lowtech insurgents. While China has the actual army to kick people ass.

    18. Re:Law enforcement? by Anonymous Coward · · Score: 0

      The last figure I heard was that Iraq has cost us 1/2 trillion dollars now...

    19. Re:Law enforcement? by AndroidCat · · Score: 1

      Call me Mr. Silly, but wouldn't it be easier just to drop all TCP port 80 SYN packets going into China?

      --
      One line blog. I hear that they're called Twitters now.
    20. Re:Law enforcement? by Anonymous Coward · · Score: 0

      Bye!
      Enjoy your stay!

  9. Simple solution...don't use HTML mail by nebaz · · Score: 2, Insightful

    I've set my mail display to always be text based. It's a lot easier to detect spam that way too as most of the onscreen stuff is usually garbage, or funnily "get a real mail client".

    --
    Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
    1. Re:Simple solution...don't use HTML mail by Neil+Watson · · Score: 4, Interesting

      Very true. Just recently I discovered that a business partner (telecom industry) has begun rejecting HTML email. I wonder if that policy will survive?

    2. Re:Simple solution...don't use HTML mail by Anonymous Coward · · Score: 0

      I also use mail in text only mode. The mail server is configured with several options that dramatically reduce spam.

      smtpd_helo_required = yes
      disable_vrfy_command = yes
      smtpd_client_restrictions = permit_mynetworks,
          reject_non_fqdn_hostname,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          reject_rbl_client relays.ordb.org,
          reject_rbl_client bl.spamcop.net
      smtpd_helo_restrictions = permit_mynetworks,
          reject_invalid_hostname
      smtpd_sender_restrictions = permit_mynetworks
      smtpd_data_restrictions = reject_unauth_pipelining

      As well as header and body filters in place.

      Now, the occasional spam that makes it through, less than 3 a week, almost invariably has an empty pane where the content is supposed to be.

    3. Re: Simple solution...don't use HTML mail by Alwin+Henseler · · Score: 2, Informative
      Yes, and there's another very good reason to read e-mail as plain text, not HTML:

      If you open HTML mail, stuff like pictures embedded in the HTML gets loaded, and that is one way spammers know that a) they've stumbled upon a valid e-mail address, and b) the user read the mail. I can imagine that with a spam run, a sudden surge in image loads from a target site might be used to calculate payments for the spammer, identify valid e-mail addresses used, use the latest browser exploit to install spy/adware, etc. etc. So in a way, just opening that HTML mail helps the spammer with his business.

      Read plain text only, and if it's spam: delete, never reply (don't attempt to 'unsubscribe' either!). That way the spammer gets 0 info, or rewards for his effort. If everybody would do this, there wouldn't be any spam. The problem is only kept alive by those 0.1% STUPIDS that do click on links, and proceed to order the penis-enlargement crap.

    4. Re: Simple solution...don't use HTML mail by nebaz · · Score: 1

      Yeah, when an image is simply a 1 x 1 picture that notifies the server, it lets the spammers know the mail is valid. Not to mention all the stupid javascript exploits there could be. My question is: if you only read the text, is the rest of the stuff loaded behind the scenes? Should you even open these emails?

      --
      Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
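The two comments above describe what an HTML part can do on display alone: fetch a 1 x 1 remote image and run script. The following is an added example, not code from the thread or from any mail client; it lists what a renderer would fetch or execute for a message while reading only the plain-text alternative. The sample message, its addresses and the names `RenderAudit` and `audit_message` are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the thread): a multipart/alternative message whose
# HTML part carries a 1x1 remote image, an inline cid: image, a script and an object.
SAMPLE = """\
From: "Example Bank" <notice@bank.example>
To: user@mail.example
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review your account.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please review your account.</p>
<img src="http://tracker.example/o.gif?id=user%40mail.example" width="1" height="1">
<img src="cid:logo">
<script type="text/vbscript">' script body elided</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
--b1--
"""

# Attributes a renderer fetches on display, without any click.
AUTOLOAD_ATTRS = {"src", "background", "data"}
# Elements that can run code or host a control when the HTML is rendered.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


def is_remote(url):
    """True for URLs that leave the message (cid: and data: stay local)."""
    return url.startswith("//") or urlparse(url).scheme.lower() in ("http", "https")


class RenderAudit(HTMLParser):
    """Collects what an HTML renderer would load or execute for one message."""

    def __init__(self):
        super().__init__()
        self.remote, self.beacons, self.active = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        if any(name.startswith("on") for name in a):
            self.active.append(tag + "[event handler]")
        for name, url in a.items():
            autoload = name in AUTOLOAD_ATTRS or (tag == "link" and name == "href")
            if autoload and is_remote(url):
                self.remote.append((tag, url))
                # A remote image of at most 1x1 pixel is the classic read-receipt beacon.
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                if tag == "img" and tiny:
                    self.beacons.append(url)


def audit_message(raw):
    """Return the plain-text body plus everything the HTML parts would trigger."""
    msg = email.message_from_string(raw, policy=policy.default)
    audit = RenderAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())
    audit.close()
    plain = msg.get_body(preferencelist=("plain",))
    return {
        "plain_text": plain.get_content().strip() if plain else None,
        "remote": audit.remote,
        "beacons": audit.beacons,
        "active": audit.active,
    }


if __name__ == "__main__":
    for key, value in audit_message(SAMPLE).items():
        print(key, "->", value)
```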
    5. Re:Simple solution...don't use HTML mail by Tenareth · · Score: 1

      For quite a while probably... There is no real need for HTML e-mail.

      --
      This sig is the express property of someone.
    6. Re:Simple solution...don't use HTML mail by Doctor+O · · Score: 1

      I hope it will. Maybe without the fancy formatting people will learn to write again instead of scribbling.

      BTW, I have the same sig you have here at work. My boss thinks it's odd and funny and likes to point it out as funny to prospective clients. I wonder if he'll ever grip how dumb it makes him look for the brighter ones, but I digress.

      --
      Who is General Failure and why is he reading my hard disk?
    7. Re: Simple solution...don't use HTML mail by mrchaotica · · Score: 1

      If you read as text, the mail program never parses the message. Therefore, there's no way for it to know that there's a URL to load. So yes, you're safe. The worst thing text can do is be offensive (e.g. ASCII goatse).

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    8. Re: Simple solution...don't use HTML mail by Combuchan · · Score: 1

      Thunderbird has a nifty feature that if the email contains remote images, it won't load them unless you tell it to. That and its spam filters are quite intelligent. Blaming HTML mail readers completely isn't fair--believe it or not, there are some that don't do this default sucky behavior.

      --sean

      --
      "[T]he single essential element on which all discoveries will be dependent is human freedom." -- Barry Goldwater
  10. God bless Microsoft by Anonymous Coward · · Score: 5, Funny

    For making products so easy to use that even someone you don't know can use them for you.

    1. Re:God bless Microsoft by Sheep+Sophy · · Score: 1

      [quote] For making products so easy to use that even someone you don't know can use them for you.[/quote]

      Very funny :-)

      In a world without walls and fences -- who needs windows and gates?

      Sheep Sophy
      Need your help: http://www.make-my-son-happy.us.tp

  11. And here I was going to switch to Windows... by RealAlaskan · · Score: 5, Funny
    However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs."

    Well, I was going to switch over from Linux to Windows, because I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted. Maybe I'll stick with Linux just a little longer, until Windows gets those last few little bugs ironed out.

    1. Re:And here I was going to switch to Windows... by ConceptJunkie · · Score: 5, Funny

      I heard Bill Gates said that ``security is our top priority'', but now I think he must have been misquoted.

      No, the quote is correct, it's just taken out of context:

      "[Our financial] security is our top priority".

      --
      You are in a maze of twisty little passages, all alike.
    2. Re:And here I was going to switch to Windows... by pantycrickets · · Score: 1

      Maybe I'll stick with Linux just a little longer, until Windows gets those last few little bugs ironed out.

      That's the same reason I ride a bicycle. I've seen too many car accidents.

    3. Re:And here I was going to switch to Windows... by will_die · · Score: 1

      This one is actually true, and from a meeting a few months back.

      The Microsoft Engineer assigned by Microsoft to assist made this statement in a meeting in Fla.

      "Active Directory is not about security, it is about management. If you need security, you need to have a third party application to provide it. We use Quest at Microsoft."

  12. Makes me glad I use pine by Colonel+Panic · · Score: 4, Interesting

    I ssh into my ISP and use pine to read email. Been doing it this way for over 10 years. Some people find this a bit quaint, but I don't have to worry about any worm/virus/phishing issues.

    1. Re:Makes me glad I use pine by slash-tard · · Score: 4, Funny

      I just use pop3 and smtp commands inside a telnet window(ex: telnet mailserver 25 or 110). I consider this the safest. I don't know what pine is doing behind the scenes.

    2. Re:Makes me glad I use pine by Anonymous Coward · · Score: 0

      I ssh into my ISP and use pine to read email. Been doing it this way for over 10 years. Some people find this a bit quaint, but I don't have to worry about any worm/virus/phishing issues.

      I've dug an elaborate network of underground tunnels leading to my work and various stores but I don't have to worry about traffic and smog.

    3. Re:Makes me glad I use pine by Lord+Ender · · Score: 2, Informative

      That sure makes things easy when someone sends you some pictures. Or you want to reply to an email and attach a file on your local computer, having to initiate an sftp session is lots of fun, right?

      There's this cool new thing called IMAP. Look into it and get with the 90's.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:Makes me glad I use pine by cprincipe · · Score: 1

      I used to ride a horse to work, but it kept getting run over.

      --

      bun-fhuinneog agam!

    5. Re:Makes me glad I use pine by abb3w · · Score: 1
      I just use pop3 and smtp commands inside a telnet window.... I consider this the safest.

      Telnet is insecure against packet sniffing. Of course, so are most mail program POP/IMAP connections. Nothing I know of is quite as secure as ssh to a dual mail/shell server.

      --
      //Information does not want to be free; it wants to breed.
    6. Re:Makes me glad I use pine by misleb · · Score: 1

      Yeah, but what if your ISP just happens to give your account root access and some scripting exploit is found for pine and a phisher edits your ISP's /etc/host file and you try to use lynx to access your bank account? What are ya gonna do THEN tough guy?

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    7. Re:Makes me glad I use pine by ajs · · Score: 1

      Quite so, and with such excellent options as Evolution, Thunderbird and others for Linux you really have no excuse these days (I'm running Evolution's latest under FC3test3 and it's amazing as ever, but more so).

    8. Re:Makes me glad I use pine by Anonymous Coward · · Score: 0

      Real users use mutt. Locally. With IMAP support over TLS. Pine? Please.

  13. Re: Mozilla Thunderbird! by michael186 · · Score: 2, Informative

    Just don't use ActiveX - biggest security risk ever. I sincerely hope no one here is using Outlook/Outlook Express.

  14. Hosts file should be Read Only by Anonymous Coward · · Score: 0

    Reread Subject.

    1. Re:Hosts file should be Read Only by Anonymous Coward · · Score: 4, Informative

      attrib -r %WINDIR%\system32\drivers\etc\Hosts

    2. Re:Hosts file should be Read Only by pe1chl · · Score: 1

      Anything under %windows% should be read-only to the user.

      Setup an administrative and a user account, lock-down Windows (tools for that are included on the resource kit cd) and a script running for the user will not be able to clobber hosts files, install spyware, infect the system with viruses, etc.

      When will Windows people learn from Linux?

    3. Re:Hosts file should be Read Only by AdamTheBastard · · Score: 1

      system("attrib -r %WINDIR%\system32\drivers\etc\Hosts" ); // BAM script just screwed ya.

      Any script that can modify the hosts file probably has access to the shell.

      (+r adds readonly -r removes it)

    4. Re:Hosts file should be Read Only by Technician · · Score: 1

      No, the hosts file should be checksum checked at each login for alterations along with a bunch of other files that should not be altered by 3rd party programs.

      Knowing your machine has been tampered with is half the battle.

      --
      The truth shall set you free!
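The login-time check suggested in the comment above could look like the following. This is an added example, not code from the thread: it compares the hosts file's SHA-256 with a stored baseline and reports any entry that overrides a watched banking domain. The watched domain, the sample file contents and the function names are constructed for illustration.

```python
import hashlib
import ipaddress
import os
import tempfile

# Constructed watch list; a real one would hold the user's own banking domains.
WATCHED = ("bank.example",)

# Constructed hosts files. On Windows the real file is the one named in the
# thread, %WINDIR%\system32\drivers\etc\hosts.
CLEAN = "# constructed sample\n127.0.0.1 localhost\n::1 localhost\n"
TAMPERED = CLEAN + "203.0.113.7 www.bank.example bank.example  # constructed\n"


def file_digest(path):
    """SHA-256 of the file's raw bytes, used as the integrity baseline."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def parse_hosts(text):
    """Return (line number, address, [names]) for every valid mapping line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address: ignore the line
        names = [n.lower().rstrip(".") for n in fields[1:]]
        entries.append((lineno, address, names))
    return entries


def watched_overrides(entries, watched):
    """Any hosts entry for a watched domain or its subdomains is a red flag."""
    hits = []
    for lineno, address, names in entries:
        for name in names:
            if any(name == w or name.endswith("." + w) for w in watched):
                hits.append((lineno, name, str(address)))
    return hits


def check_hosts(path, baseline_digest, watched=WATCHED):
    """Compare against the baseline and list overrides of watched domains."""
    with open(path, "rb") as fh:
        raw = fh.read()
    entries = parse_hosts(raw.decode("utf-8", errors="replace"))
    return {
        "changed": hashlib.sha256(raw).hexdigest() != baseline_digest,
        "overrides": watched_overrides(entries, watched),
    }


def demo():
    """Record a baseline for a clean file, then re-check after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hosts")
        with open(path, "w") as fh:
            fh.write(CLEAN)
        baseline = file_digest(path)
        before = check_hosts(path, baseline)
        with open(path, "w") as fh:
            fh.write(TAMPERED)
        after = check_hosts(path, baseline)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The baseline digest has to live somewhere the logged-in user's scripts cannot rewrite; otherwise it fails for the same reason the read-only attribute does in the comments above.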
  15. Predictions by Indy+Media+Watch · · Score: 4, Insightful

    this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls

    Or in other words, this will probably not affect non-Windows or non-Internet Explorer users.

    Well we could see plenty of comments along those lines coming, but here's a further thought:

    Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.

    --

    Indy Media Watch-Proctologist of the Internet

    1. Re:Predictions by MindStalker · · Score: 1

      ???? two factor.. please explain?

    2. Re:Predictions by michael186 · · Score: 1

      Using more than one method of checking the person's identity e.g. bank card PLUS smart card/biometric etc.

    3. Re:Predictions by Anonymous Coward · · Score: 0

      And how will this help phishing attacks that are completely external to the bank? Two factor authentication just gives the phisher more to work with. Unfortunately, the only thing banks can really do is to inform their customers.

    4. Re:Predictions by MindStalker · · Score: 1

      Yea, but without expecting people to buy a special device its all subject to the same scams. And you know how people feel about that.

      Now maybe my bank will give me a smartcard/usb key. Probably not though :)

    5. Re:Predictions by bvdbos · · Score: 1

      Almost correct. As it's impossible to uninstall IE, you can be vulnerable even if you don't use IE but for instance firefox.

    6. Re:Predictions by ad0gg · · Score: 1

      Considering a user would have to go into his IE settings and set "Restricted" zone to allow for both scripting and activex which are off by default. Why is this even posted? It would be lot easier for phishers to attach a zip file with an executable and tell the user to run it.

      --

      Have you ever been to a turkish prison?

  16. *pats his Mac on the head* by RatBastard · · Score: 0, Troll

    I lub you, Mr. Macintosh.

    --
    Boobies never hurt anyone. - Sherry Glaser.
    1. Re:*pats his Mac on the head* by djdavetrouble · · Score: 1, Insightful

      I'm a mac user and administrator, but every time someone posts a new win vulnerability/exploit do you all really have to post the smarmy 'glad i am a mac user' post? It's just like some punk kid saying 'I told you so', rude and inciteful. I don't even know you, but I want to punch you in the face already.
      (sorry, i have the post election annoyed by everything syndrome)

      --
      music lover since 1969
    2. Re:*pats his Mac on the head* by mios · · Score: 1

      Well .. here's the thing ... whenever (that one time) a mac exploit is posted, most every /. windows user starts to drool and froth at the mouth to do the same thing talking something about Mac security and comparing it only to market share ... is it right? Who knows, do some people get off on it, it sure seems like it ...

      Mac folks have been the whipping boy for quite some time, so if we can jab every now and again, then more power to us.
      Other thing to think about, is it the problem of the poster or the replier who quotes from the bible and moves hell and highwater to say something intelligent like "Well, you only have one mouse." or something about overpriced hardware ... I actually thought his post funny and light-hearted.

      As for the election ... [looksovershoulder]well, I bet Bush uses a fucking windows box anyway[/looksovershoulder] ... :-)

    3. Re:*pats his Mac on the head* by djdavetrouble · · Score: 1

      I know, usually I am right there flippin the birdie at windows from behind my mac, but the post election annoyed by everything syndrome has really got me by the balls.....

      I'll go back to IRC and stop talking shit on /. now.....

      --
      music lover since 1969
    4. Re:*pats his Mac on the head* by mios · · Score: 1

      Yeah .. at first it was like "Oh yeah ... people are starting to smarten up and finally we got more people going to the polls! ... score one for democracy!" ... then it all starts coming in and you realize who they must have been voting for, then you start thinking .. wtf, they're not getting smarter, somehow they just got stupider.

      farkers.

    5. Re:*pats his Mac on the head* by Anonymous Coward · · Score: 0

      And if someone changes your hosts file and does this to you, which is possible on a MAC if you have root password, then you are screwed if you are then dumb enough to use on-line banking.

      I guess you're good.

  17. Took them long enough by marktaw.com · · Score: 4, Insightful

    Overwriting your Hosts file is an obvious way to trick people, and Outlook is a prime target for this kind of hack, because it gives incoming email rediculous amounts of control over the rest of the computer.

    Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

    1. Re:Took them long enough by mfifer · · Score: 2, Funny

      Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

      Sure. What was her email and IP address?

      ;-)

    2. Re:Took them long enough by Anonymous Coward · · Score: 0

      Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

      Tell your mother to start using Thunderbird and Firefox and install a firewall.

      AC

    3. Re:Took them long enough by marktaw.com · · Score: 1

      Thank you. ;-)

    4. Re:Took them long enough by Odin's+Raven · · Score: 2, Funny
      Remind me to tell my mother to start using Thunderbird and Firefox and install a firewall.

      Sure, no problem. But could you ask her to hold off on the upgrades until after I've finished sending out this last batch of bulk mail that I've got queued up on her box? Quid pro quo and all that. Thanks.

      --
      A marriage is always made up of two people who are prepared to swear that only the other one snores.
    5. Re:Took them long enough by flonker · · Score: 1

      Hrmmm, wouldn't the invalid SSL cert cause a big huge warning to pop up?

    6. Re:Took them long enough by Icekold · · Score: 1

      Remind me to check for the word rediculous in the dictionary. It's spelt with an 'i' i.e. ridiculous. Sorry to troll.

    7. Re:Took them long enough by mikefe · · Score: 1

      "Hrmmm, wouldn't the invalid SSL cert cause a big huge warning to pop up?"

      No, since the cert is only against the domain name. You can attack their dns server also to get a wider audience also.

      --
      There: Something at a specific location.
      Their: Owned by someone.
      Please make sure your english compiles.
  18. News Flash! by RAMMS+EIN · · Score: 3, Funny

    ActiveX is insecure!
    WSH is insecure!
    Windows is insecure!
    HTML mail can be used to exploit security flaws in user agents!

    Film at 11!

    --
    Please correct me if I got my facts wrong.
  19. MS will provide a solution... by Kjuib · · Score: 0

    with 1gig download Service Pack. It will be released in 1.5 years, and it is not backwards compatible. Aren't they nice?!

    --
    - Your stupidity got you into this mess, why can't it get you out? -Will Rogers
  20. Innovation by pete-classic · · Score: 5, Funny

    Will the innovation never end?

    -Peter

  21. would it be so difficult by Anonymous Coward · · Score: 2, Insightful

    to set the file attribute on the hosts file to read only. ugh.

    1. Re:would it be so difficult by sapped · · Score: 1

      You would be surprised. My wife runs XP and I recently tried changing one of the directories from read only to read-write. Windows happily applies the change but as soon as you click on the directory it just slaps the change back in again. I eventually had to copy the contents and kill the directory. I remember a couple of years back thinking I could solve my cookie problem by setting the cookies directory for IE to read-only. Imagine my surprise when I found out that IE reset my changes each time it started up. In fact I just tried this on the office PC running XP pro where I have administrator rights. Nothing I did could convince the cookies directory to go to read-only. Good thing I am telling the PC what to do and not the other way around.

  22. Well... by northcat · · Score: 3, Interesting

    This is what happens when applications try to do more than what they are supposed to do. An email client is just supposed to read and send messages. All "dynamicness" and interactivity must be left to the appropriate programs. And this is exactly where *NIXes excel. You can't do a scripting exploit in 'mail' - Why? Because you can't do scripting. Let the current do-everything software industry led by Microsoft be a lesson to all programmers. Let's keep our programs simple. Let's continue the UNIX philosophy of one program for one task.

    1. Re:Well... by merphle · · Score: 4, Funny
      Let's keep our programs simple. Let's continue the UNIX philosophy of one program for one task.
      *coughemacscough*
    2. Re:Well... by Yakko · · Score: 1

      Isn't emacs trying to evolve into GNU/HURD?

      --

      --
      Me spell chucker work grate. Need grandma chicken.
    3. Re:Well... by misleb · · Score: 1

      Emacs: The exception that proves the rule.

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  23. Good luck by MemoryDragon · · Score: 1

    on my Linux machine you have to root it first to get even write access onto the hosts file :-D. But given the circumstances that most windows machines root every user and most windows users don't even have a clue about the existence of a hosts file on their machines, this is evil, but interesting.

  24. Doesn't work on my XP box by Anonymous Coward · · Score: 3, Informative

    C:\WINDOWS\system32\drivers\etc>attrib hosts
    A R C:\WINDOWS\system32\drivers\etc\hosts

    I've got it set so only administrators can unset this flag.

    This means
    1) I'd have to run IE as administrator
    2) the script would have to change the permissions before doctoring the script

    First though it'd have to get past my spyware- and other-nasty- blockers

    1. Re:Doesn't work on my XP box by fupeg · · Score: 1
      This means 1) I'd have to run IE as administrator
      Unfortunately, the default XP setup makes the primary user an administrator, thus IE would have the necessary privileges.
    2. Re:Doesn't work on my XP box by Anonymous Coward · · Score: 0
      IIRC, there's a registry key that can be set to point the hosts file to a different location. My father's Windows box was subjected to a trojan that redirected searches by manipulating the hosts file, and the DNS settings; the description of that trojan mentioned that the hosts file could be in a different location from the norm.

      Anybody know the details? That's another candidate for marking read-only.

    3. Re:Doesn't work on my XP box by VoidWraith · · Score: 1

      Easy solution: delete IE. I've never regretted it.

  25. Use a browser for mail: Get what you deserve by billsf · · Score: 2, Insightful

    The only apparently safe way to use mail is in a Unix shell. I've got my doubts about webmail too. It's a bit too slow compared to on-line mailing, but it may contain other unwanted elements, depending on the mailer. I've never had a real problem with any worm using mutt, the Unix mailer.

    Very recently some joker in France sent me a worm that prevented me from reporting the abuse. The solution was simple: Delete the worm, restart mutt and mail it to abuse@wanadoo.fr. (Personal note: Wanadoo sounds like wanabee, they are little known among 'my crowd' and somewhat of a worry. This is not intended as put down to the French!) So the moral here is simply if you use Unix, call it *BSD or Linux, you may not be 100% safe, but certainly safer than using Outlook which should be called "Lookout".

    Zero click exploits seem hardly new to me. Aren't most exploits, at least in the past, done without the victim being immediately aware? This is from the computer-literate camp.

    1. Re:Use a browser for mail: Get what you deserve by Sein · · Score: 1

      Isn't Wanadoo a known spamhost? Far as I know, they recently hosted someone who joe-jobbed Ken Evoy of SBI as a lead-in to the rather ridiculous Juiceboosted scam, for example.

      Poor buggers who work there can't do jack shit about it either, since company policy is apparently very pink-contract friendly; even if Juiceboosted had to move to a spam-friendly host in China.

      Well, they got kicked off the spamhost too, and you know you gotta be doing something wrong if even spamhosts kick you off the network...

  26. Two factor is an illusion for these users by brunes69 · · Score: 2, Informative

    Hey banks: All of your users have plastic cards that you issued. Mandate two-factor authentication already and watch Phishing scams go bye bye.

    You obviously have no idea how these scams work. Mostly, they trick the unsuspecting user into giving out their PIN number, and name and home address. As soon as you give out your PIN, all your "two-factor" authentication is useless.

    Why?? Here is why. Your bank card is absolutely trivial to duplicate.

    All a thief needs is a card from the same bank (easy to obtain by simply creating an account), and a 50 dollar stripe reader/writer. They read the card, find out the format, and where the card number is stored (your account number is not on the stripe - it is associated with the card number in the bank's mainframe - this lets them easily replace your card if it is lost or stolen.),

    Since they know your name and where you live, they can then just stake you out, until you go to an atm or restaurant or store with an improperly configured machine, that prints your whole card number on the slip, and not just the last few digits. They then wait for you to throw a slip away in a public trash can, and pick it up later. This is why you should NEVER throw away a debit slip in public - and if possible, shred it. (Or, at least do what I do - throw them in the kitchen trash with all the rotting meat and apples - the moisture, worms and bacteria will eat the slips up in no time.)

    1. Re:Two factor is an illusion for these users by Anonymous Coward · · Score: 0

      You obviously have no idea how these scams work. Mostly, they trick the unsuspecting user into giving out their PIN number, and name and home address. As soon as you give out your PIN, all your "two-factor" authentication is useless.

      Why?? Here is why. Your bank card is absolutely trivial to duplicate.


      That's why European banks have been handing out little challenge/response fobs, cards, etc for years. Those are not so easy to duplicate. As usual, the USA is waaaaay behind in technology.

    2. Re:Two factor is an illusion for these users by Scutter · · Score: 3, Informative

      until you go to an atm or restaurant or store with an improperly configured machine, that prints your whole card number on the slip, and not just the last few digits.

      Hey, guess what? Some machines print out the first eight and some print out the last four. I was cleaning a bunch of ATM receipts out of my car a few weeks ago and discovered that by combining several receipts, my entire account number and name was completely recoverable. Shred those puppies!

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    3. Re:Two factor is an illusion for these users by JaxGator75 · · Score: 1
      I usually tear out the acct numbers that ARE revealed (last 4 or first 8... either way) and shred that portion into tiny bits, then deposit the remaining portion of the receipt anywhere. My main concern is the trash can at work and the cleaning crew that comes in nightly. . .

      --
      Come and see the violence inherent in the system!
    4. Re:Two factor is an illusion for these users by ddent · · Score: 1

      1) Read up on two-factor. The idea is that both sides authenticate each other.

      One way to make card transactions more secure would be to implement something such that bank would generate a random transaction code, you punch it into your card, and it shows you a code to enter. That way you have to actually have the card.

      2) CC #s use a checksum. IIRC (it's been a while since I played around with the checksum algorithm) it tended to reduce the search space by a factor of 100, i.e. only 1/100 numbers are valid.

    5. Re:Two factor is an illusion for these users by LiquidCoooled · · Score: 2, Interesting

      To get onto my internet banking, I have a custom (selected by myself) security code, this is separate and distinct from my PIN number (it's also longer).

      When I log into my bank, I give my Account number, some other personal info, and then a randomly chosen selection of numbers from my security code (something like tell us the first, third, and seventh digits).

      I can only setup this number by speaking directly to the bank, and since it's never asked for in full, I would need to be fooled multiple times before anybody could access my account.

      My bank (HSBC in England) are very security conscious, and responded extremely rapidly to a security concern I had when setting up my banking (I mentioned a possible security loophole to the assistant who passed it back to the head office who took me seriously and followed it through to resolution).

      --
      liqbase :: faster than paper
    6. Re:Two factor is an illusion for these users by Mojojojo+Monkey+Inc. · · Score: 1

      Holy crap, you actually think that someone who wants to steal debit/credit cards will go to the trouble of driving all the way to your city & neighborhood, staking out your house, following you around like the freakin' FBI, and waiting for days or weeks for the opportunity to dig an account number out of the trash? Of course they'd have to dig through multiple loads of trash since they probably wouldn't know ahead of time which stores print the entire account number and which print only some digits. Wow, it sounds so simple!

    7. Re:Two factor is an illusion for these users by Indy+Media+Watch · · Score: 1

      You obviously have no idea how these scams work.

      And you obviously have no idea about my specific knowledge of it. Allow me to explain...

      As soon as you give out your PIN, all your "two-factor" authentication is useless.

      Bzzzt.. Wrong.
      What if the PIN is single-use only, because one of the two-factors is a semi-random number generator (e.g. RSA SecurID or low-tech scratch-off number sheets as used by some banks already)?

      Why?? Here is why. Your bank card is absolutely trivial to duplicate.

      Bzzt... Wrong again.
      Firstly, how can a remote attacker copy your card without gaining access to it? A Russian phishing scammer can attack plenty more and physically obtain the cards. You are getting your various forms of card fraud confused.

      Secondly, have a look at the Cardholder Verification Code at the end of the digits on the rear of your card. That number is generated using an algorithm completely different from the usual CC number and thus can't be readily guessed.

      All a thief needs is a card from the same bank (easy to obtain by simply creating an account), and a 50 dollar stripe reader/writer.

      Bzzzt... Again.
      What if the banks issue smart cards instead?
      How does your thief copy the seed in a Java machine built into the card which handles all crypto and signing?

      In fact, this was the very point of the Amex Blue programme yet it appears the banks got distracted from the original idea of giving away card-readers to end-users.

      I stand by my original comments that banks could kill Phishing dead tomorrow if they wanted to. Every card in the marketplace expires within 2-3 years. They could replace every single one of them with a smart-card or enable some other form of two-factor (or multi-factor) authentication IF THEY WANTED TO.

      You need to be a lot more careful before throwing around phrases like "you obviously have no idea"...

      --

      Indy Media Watch-Proctologist of the Internet
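The single-use code idea raised in the comment above can be shown with a counter-based one-time password. This is an added example, not code from the thread or from any bank or token vendor: it uses HOTP (RFC 4226) as a stand-in for a hardware token or scratch-off sheet, not SecurID's own algorithm, and shows the server refusing a code that has already been used. The key is the RFC's published test key and the class name `TokenVerifier` is constructed for illustration.

```python
import hashlib
import hmac
import struct

# Test key from RFC 4226 Appendix D; a real token holds a per-customer secret.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """One-time code for a given counter value, as defined in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank side: remembers the next unused counter for one customer's token."""

    def __init__(self, secret, look_ahead=3):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead              # tolerate a few skipped codes

    def verify(self, submitted):
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Advance past the accepted code: it and all earlier ones are spent.
                self.counter = candidate + 1
                return True
        return False


def demo():
    """Customer logs in once; the same captured code is then replayed."""
    bank = TokenVerifier(RFC_TEST_KEY)
    code = hotp(RFC_TEST_KEY, 0)
    first_use = bank.verify(code)                 # legitimate login
    replay = bank.verify(code)                    # captured code used again
    return code, first_use, replay


if __name__ == "__main__":
    print(demo())
```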

    8. Re:Two factor is an illusion for these users by brunes69 · · Score: 1

      1. That is not the kind of "two factor" authentication the parent was talking about. He was talking about the card and the PIN. I was just showing him that the card is so easily compromised for most people, that once they have the PIN, all bets are off.

      2. We're not talking about CC #s, we are talking about bank cards. CC #s are even easier to steal since you don't need a PIN to use them, just a copy of the card, which you can produce using a slip.

    9. Re:Two factor is an illusion for these users by brunes69 · · Score: 1

      What if the PIN is single-use only, because one of the two-factors is a semi-random number generator (e.g. RSA SecurID or low-tech scratch-off number sheets as used by some banks already)?

      And.. how many major US banks have SecurID smart cards to access your account? Zero.

      Firstly, how can a remote attacker copy your card without gaining access to it?

      I already described that above. Bank cards are trivial to duplicate if you have the other person's card number and info as a reference. If you think otherwise you are deluding yourself.

      What if the banks issue smart cards instead? How does your thief copy the seed in a Java machine built into the card which handles all crypto and signing?

      It doesn't matter because they don't. You have to secure yourself NOW, not in the future. That means to shred your shit and don't give out your PIN.

      I stand by my original comments that banks could kill Phishing dead tomorrow if they wanted to. Every card in the marketplace expires within 2-3 years. They could replace every single one of them with a smart-card or enable some other form of two-factor (or multi-factor) authentication IF THEY WANTED TO.

      s/IF THEY WANTED TO/IF IT WAS PROFITABLE FOR THEM TO DO SO and you have the truth. Until the annual cost of identity theft (to the banks, not to you) exceeds the projected cost of replacing hundreds of millions of bank cards with smart cards, they will do nothing unless required to do so by law.

    10. Re:Two factor is an illusion for these users by Indy+Media+Watch · · Score: 1

      And.. how many major US banks have SecurID smart cards to access your account? Zero.

      Actually you are mistaken. Several banks are implementing just that, albeit for their high-value customers.

      In any case, I also mentioned a low-cost alternative (scratchy cards) which you neglected to mention.

      --

      Indy Media Watch-Proctologist of the Internet

  27. Re: Mozilla Thunderbird! by Frizzle+Fry · · Score: 4, Insightful
    I sincerely hope no one here is using Outlook/Outlook Express.

    Did you read the article? It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of ms software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected firefox rc1 and opera and pre-sp2 IE, but not sp2 IE, and was of course discussed as being a "hole in IE".
    --
    I'd rather be lucky than good.
  28. Re: Mozilla Thunderbird! by Kierthos · · Score: 1

    I can't seem to delete it (or f!cking Windows Messenger), but I don't use 'em. They have the stink of evil and stupidity on them.

    Kierthos

    --
    Mr. Hu is not a ninja.
  29. To Virus and Trojan writers by BigGar' · · Score: 2, Insightful

    If you want to gather a bunch of personal data and cover your butt at the same time start an ad company and release your virus, er demographics data gathering software and just claim it's business.

    --


    Shop smart, Shop S-Mart.
  30. for those who don't know what WSH is - like me by Prince+Vegeta+SSJ4 · · Score: 4, Informative
    HERE

    Windows Script Host (WSH) is a Windows administration tool.

    WSH creates an environment for hosting scripts. That is, when a script arrives at your computer, WSH plays the part of the host -- it makes objects and services available for the script and provides a set of guidelines within which the script is executed. Among other things, Windows Script Host manages security and invokes the appropriate script engine.

    WSH is language-independent for WSH-compliant scripting engines. It brings simple, powerful, and flexible scripting to the Windows platform, allowing you to run scripts from both the Windows desktop and the command prompt.

    Windows Script Host is ideal for noninteractive scripting needs, such as logon scripting, administrative scripting, and machine automation.

    WSH Objects and Services

    Windows Script Host provides several objects for direct manipulation of script execution, as well as helper functions for other actions. Using these objects and services, you can accomplish tasks such as the following:

      * Print messages to the screen
      * Run basic functions such as CreateObject and GetObject
      * Map network drives
      * Connect to printers
      * Retrieve and modify environment variables
      * Modify registry keys

    Where Is WSH?

    Windows Script Host is built into Microsoft Windows 98, 2000, and Millennium Editions. If you are running Windows 95, you can download Windows Script Host 5.6 from the Microsoft Windows Script Technologies Web site (http://msdn.microsoft.com/scripting).

    Note: You can also go to the web site listed above to upgrade your current engines. The version of WSH in Windows 98, 2000, and Millennium Editions is either version 1.0 or 2.0. You must upgrade to version 5.6 to get the new features.

  31. Re: Mozilla Thunderbird! by michael186 · · Score: 2, Insightful

    IMHO, it shouldn't even have the "feature". You don't need ActiveX in emails.

  32. How about not doing your banking on company time . by Anonymous Coward · · Score: 0

    ... posting on slashdot is IT related though nice MR admin!!

  33. Re: Mozilla Thunderbird! by SoTuA · · Score: 2, Insightful
    I sincerely hope no one here is using Outlook/Outlook Express.

    Some of us don't have the choice (at work).

    At least I can install firefox, but mail clients that aren't OE are a big no-no.

  34. Makes me glad I use FSK by Anonymous Coward · · Score: 0
    I dial my ISP with a 300-baud acoustic coupler and whistle my login, "cat /var/spool/mail/$LOGIN" and "^d" into the modem.

    In 8-N-1 ASCII, of course.

  35. WHost and XP are integrated like IE and XP. by Sheepdot · · Score: 5, Informative

    However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    That's like saying, "this will only affect users who have not yet switched to Linux or MacOS."

    I would say that a good 98% of installations have WSHost enabled. Those that are SP2 or up to date might have the latest MS patch that I believe sets a kill bit on the Internet Explorer side of WSHost scripting under all circumstances.

    This is also not really anything new. Spy and adware companies have been manipulating hosts files now for at least a year, no doubt phishers have done exactly the same thing, this is just the first reported time of it happening.

    One thing you have to keep in mind is that several so-called security experts are very bright individuals but succumb to what some call: media-whoring. This is a specific instance of a "media-whoring" by Message Labs. Let me explain my proof of this: they use ASP and IIS as opposed to something like PHP and Apache.

    They are obviously not very concerned about legitimate security. There's a website that keeps track of the media fanatics: http://www.vmyths.com/

    The site is run by a guy who has over a decade of solid security experience. He knows when there is something legit to worry about, and he knows when something is hype.

    I suppose the best way to know is years and years of experience. If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats.

    But the reality is, a huge amount of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.

    There are others, like Mikko Hypponen of F-Secure that don't sell media hype, they sensationalize the truth. Yes, there have been instances of zombie-net owners selling their networks to spammers, but I have yet to actually see the sales, and I've been running a honeypot for well over a year now and track nearly a dozen different botnet herders.

    For the most part, it looks like botnetting is still used for two things, Americans (north and south america) for File Sharing/FXPing, and Germans for DDoSing. The Russians who have been spamming have been using IE exploits and web controls, not so much IRC connections. Thus, they cannot be truly considered "botnets".

    1. Re:WHost and XP are integrated like IE and XP. by Deviate_X · · Score: 1


      Interestingly you appear to be running Apache 2.0.49 on your website at http://www.sheepdot.org/.

      Now Apache 2.0.49 is currently associated with 9 security vulnerabilities some which allow attackers to run arbitrary code on your server; you are also running PHP 4.3.6 on your website, which is associated with 6 vulnerabilities some of which allow attackers to run arbitrary code on your server.

      Let me explain why I mentioned this, you are criticizing MessageLabs for running ASP and IIS. I agree that MessageLabs are "media-whoring" but so are you, by pontificating about security when you are clearly not on the ball with your own.

    2. Re:WHost and XP are integrated like IE and XP. by Sheepdot · · Score: 1

      Actually, I no longer own the sheepdot.org domain, nor have I owned it for well over three years now. Going on four. It's switched hands twice since I originally registered it in something like 1999 and kept it for two years. You can refer to the "Wayback Machine" to verify this.

      Back when I ran it, it had actual CONTENT. The guy that got it after me put pictures of himself, his roommate/friend and his dog on it. It hasn't had anything for a long long time now.

    3. Re:WHost and XP are integrated like IE and XP. by Sheepdot · · Score: 1

      Ahh.. I see where you got the site from. I *still* have it in my profile as a website I maintain. I'll remedy that. Sorry for the confusion.

      I still had it in my signature up until about a year or so ago, just to continue to promote the guys that took it over after me. But the more I think about it, I should probably quit doing so. :)

      Thanks for bringing this up, otherwise I wouldn't have found it.

  36. Yes, it would. by Ungrounded+Lightning · · Score: 4, Insightful

    would it be so difficult ... to set the file attribute on the hosts file to read only.

    a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?

    b) If he can do it, he can UNdo it, and so can the bad guy's script.

    c) How many OTHER holes would he have to fix? Thousands? Tens of thousands? (Remember, he only has to miss ONE.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Yes, it would. by Grinler · · Score: 1

      Unfortunately this method is known not to work. There is a ton of crapware out there that simply changes the attribute on the hosts file and does what it wants to it.

    2. Re:Yes, it would. by gumpish · · Score: 1

      a) Why should Joe Newbie Windowsbuyer be expected to KNOW that he needs to change the permissions on the host file from the install defaults?

      I believe the grandparent meant "would it be so difficult for Microsoft to set the file attribute on the hosts file to read only".

      However your other points are valid.

  37. Just secure windows and this won't be a problem! by Grinler · · Score: 3, Informative

    With the amount of crapware out there and the amount of guides and articles written about this subject you would think people would still be a bit more secure. Unfortunately it does not seem to be the case.

    This guide explains how to keep your damn computer from being stupidly compromised:

    Simple and easy ways to keep your computer safe and secure on the Internet

    Also here's a tutorial for switching from IE to Firefox:

    Switching from Internet Explorer to Firefox

  38. What about the certificate? by retro128 · · Score: 0

    All major financial institutions use HTTPS to log in to their online banking systems. Wouldn't a redirected HOSTS file set off some alarm bells when a user tries to access a fake site?

    Or maybe it's just that nobody will think to look for the little lock on the bottom of their browser...

    --
    -R
    1. Re:What about the certificate? by ArsenneLupin · · Score: 1
      All major financial institutions use HTTPS to log in to their online banking systems. Wouldn't a redirected HOSTS file set off some alarm bells when a user tries to access a fake site?

      If the script has privileges enough to modify the hosts file, it is certainly also powerful enough to insert fake root CA keys into your Internet Exploder.

    2. Re:What about the certificate? by Student_Tech · · Score: 3, Insightful

      Except HTTPS uses the name and not the IP, so that if they got a cert that said they were www.somebank.com and the signer was a legitimate signer (or they convinced the user that they needed to accept that it was legit) it wouldn't set off the alarms.

      Plus I'll agree that I doubt many people check the lock (or key or whatever) says it is encrypted. Part of the reason I have my browser set to tell me every time I enter (or leave) an encrypted site.

    3. Re:What about the certificate? by ad0gg · · Score: 1
      Umm try to get an ssl cert from a trusted authority that uses a major bank's host name. You won't get one.

      If you put another cert up on there, you'll get a warning message both on IE, mozilla and other browsers saying the cert does not match host.

      Of course this is meaningless since most people don't know what ssl is, or even to look for a key so the phishing website won't even have ssl.

      --

      Have you ever been to a turkish prison?

  39. Re:Where Are the Microsoft Shills? by julesh · · Score: 1

    Is this exploit so blatant and so obvious that not even the Microsoft faithful will defend IE and Outlook, not to mention ActiveX or Windows Script Hosting.

    There's not a lot wrong with Windows Script Hosting, as long as no other shite on your system lets somebody else run scripts without your permission.

  40. Re: Mozilla Thunderbird! by rearl · · Score: 2, Insightful

    But you get it because IE is used as the rendering engine, thereby ensuring that any security problems in one application are shared amongst as many others as possible.

  41. A possible solution? by null+etc. · · Score: 1
    I know at work, it may be impossible to choose or configure one's web browser. I know that's the case in my situation.

    As an alternative, whenever you need to access sensitive data from work, you can inspect your hosts files manually, immediately prior to visiting the desired website, to ensure that no URL spoofing is going on.

    Of course, this is dangerous if somehow, an ActiveX control spoofs the URL that you're visiting during the middle of one of your sessions. But I'm guessing that's not too likely.

    Windows experts: is there a way to lock down the hosts file to prevent modification via an untrusted control or program?

    1. Re:A possible solution? by Grinler · · Score: 1

      Nope .... Most users of Windows run at an administrator level. This causes any crapware to be able to run at the same level when it installs and then it can easily override the hosts file. Unfortunately programs like spywareguard and teatimer do not monitor the editing of the host file.

    2. Re:A possible solution? by Anonymous Coward · · Score: 1, Interesting

      re: is there a way to lock down the hosts file
      No. Marking the file read-only is useless because it is trivial for a program to mark it writable given the prevalence of Admin users.

      Best you can do is be notified when it changes.

      There is a free program called WinPatrol that will notify you with a popup dialog if the hosts file has been changed. Drawback: it polls once every 3 minutes by default.

      I recently wrote a program that notifies me when the hosts file has been saved. The interrupt model is much better.

      The algorithm is roughly:
      . Startup
      . Read hosts file into VM
      . hook into Windows file system notification system
      . loop forever
      . when notified of change, compare the VM copy against the HD file.
      . endloop

      I think the computing world would be a better place if everyone wrote their own spyware utilities because then the crapware vendors would have no obvious targets (e.g. look for and disable SpyBot or AdAware, CWShredder, etc.)

      --Bruce
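
The compare step of the hosts-file watcher described in the comment above, as an added example that is not the commenter's program: it parses a baseline and a current copy of the hosts file and reports every hostname whose mapping was added, changed or removed. The function names, the watched-name list and the sample file contents are constructed for illustration; the file-system notification hook is left out, so `diff_hosts` is meant to be called from whatever change notification or timer is in use.

```python
"""Compare two snapshots of a hosts file and report changed mappings."""
import ipaddress

# Hypothetical list of names the user cares about most (constructed).
WATCHED = {"www.somebank.com"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: set of addresses} from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no names
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not a valid address line
        for name in fields[1:]:
            # Hostnames are case-insensitive; a trailing dot is equivalent.
            mapping.setdefault(name.lower().rstrip("."), set()).add(addr)
    return mapping


def diff_hosts(baseline_text, current_text, watched=WATCHED):
    """Return a list of (severity, hostname, old_addrs, new_addrs)."""
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, set()), new.get(name, set())
        if before == after:
            continue                            # comment/whitespace edits only
        # A watched name, or any name that now resolves to something other
        # than loopback, is a redirect candidate. Loopback-only entries are
        # the usual ad-blocking use of the file and are reported as "info".
        redirect = bool(after - LOOPBACK)
        severity = "ALERT" if (name in watched or redirect) else "info"
        findings.append((severity, name, sorted(before), sorted(after)))
    return findings


# Constructed sample snapshots (203.0.113.0/24 is a documentation range).
BASELINE = """\
# baseline copy kept in memory at startup
127.0.0.1   localhost
127.0.0.1   ads.example.net
"""

CURRENT = """\
# copy re-read from disk after a change notification
127.0.0.1   localhost
127.0.0.1   ads.example.net tracker.example.net
203.0.113.7 WWW.SomeBank.com   # added by something other than the user
"""

if __name__ == "__main__":
    for severity, name, before, after in diff_hosts(BASELINE, CURRENT):
        print(f"{severity:5} {name}: {before or '-'} -> {after or '-'}")
```

Comparing parsed mappings rather than raw bytes keeps comment and whitespace edits from raising alerts while still catching a case-changed or trailing-dot variant of a watched name.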

  42. Re: Mozilla Thunderbird! by Spoing · · Score: 2, Insightful
    1. Did you read the article? It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected." This has been the same with many recent exploits. They only affect old versions of ms software, but it immediately gets spun here to say that no one should be using the current, safe versions. It's similar to the recent status bar spoofing issue posted here which affected firefox rc1 and opera and pre-sp2 IE, but not sp2 IE, and was of course discussed as being a "hole in IE".

    Why are WSH and ActiveX even options for Outlook? Bad ideas, poorly implemented, and not secure.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  43. spybot helps.... by dogeatshouse · · Score: 0

    the tea timer and host file blocking has helped me keep problem users from installing crapware, etc. that would change the hosts file...

  44. How effective is changing the HOSTS file... by nz_mincemeat · · Score: 2, Insightful

    ...if you're required to go through an HTTP proxy anyway? (Like most corporate environments)

    Maybe the next generation of home ADSL routers would have one in their firmware and tout it as a "security feature"?

    1. Re:How effective is changing the HOSTS file... by Cornelius42 · · Score: 1
      Proxy servers tend to munge up way too much software so all but one company I have ever worked for just nat everything and do not use proxy servers.

      Well, I have used transparent proxy servers at every SMB installation without fail. All the web pages see it as they would if the computers were NATed together.

      If you use a proxy server, transparent or not, this vulnerability will not affect you.

  45. Re:Where Are the Microsoft Shills? by jxyama · · Score: 1
    >There's not a lot wrong with Windows Script Hosting, as long as no other shite on your system lets somebody else run scripts without your permission.

    and there's not a lot wrong with an unstable SUV that's easy to flip over and kill the passengers as long as those SUVs aren't driven in an "unsafe" manner...

    did you ever think that requiring "no other shite (sic) on your system (that) lets somebody else run scripts without permission" is what's "wrong" in "not a lot wrong"? it's like "it's in perfect condition, except for a scratch." well, that scratch is what makes it not perfect... duh.

  46. Read all messages text only. by ArrayIndexOutOfBound · · Score: 1

    This works with most reasonable email clients and notably Outlook Express (without implying OE is a reasonable email client choice).

    I have to use Outlook Express but my little workaround renders all email virus attacks benign to all but really stupid users.

  47. I'm going for the troll, but this needs to be said by Jucius+Maximus · · Score: 1
    One of the disturbing things about phishing is that, in general, you are always vulnerable, regardless of your platform. Phishing is not a virus and does not have to exploit security holes. First and foremost, phishing relies on the gullibility of the user. Even if you are reading your mail on pine via ssh, this in itself provides you no protection from being conned by some Nigerian scheme or receiving a message 'from' PayPal requesting that you 'verify' your profile through some web server in China hosting www.paypalsys.com. (Yes, www.paypalsys.com was actually used for fraud.)

    Just because you use pine or OS X or linux does not mean you can sit back and smirk at people who use Windows / Outbreak Express. The primary defence against phishing is critical thinking skills, not technology. Do not be conned into a false sense of security. Phishing is simply a technological incarnation of a kind of scam that has gone on well before the internet. Always keep your critical thinking skills in gear, as that is where real protection from phishing is gained.

    And before you flame, I do acknowledge that said non-majority systems like OS X, pine, etc do help protect you from some of the technological vectors used to facilitate phishing, like HTML tricks to obscure the real destination of a link or the URL bar in MSIE. But once again, phishing is not a technological phenomenon. It is a social phenomenon and has social solutions. Patching the security holes will do very little to stop phishing on the whole.

  48. Re: Mozilla Thunderbird! by Anonymous Coward · · Score: 0

    thank god we have a mod system that keeps such ungodly facts down, not messing up our jihad

  49. QuickBooks requires this by Anonymous Coward · · Score: 0
    WSH, Java, Javascript, cookies, the whole shebang must be running with IE to run QB, the most popular accounting program.


    Gotta have it for updates, to contact the mothership, to update tax tables. You can sign up for the CD updates, but they just don't work right.


    On top of this, QB isn't a standalone proggie, it's just a bunch of scripts that run in an IE window, no other browsers invited. Just totally sucks.

  50. Elaborate tunnels by shubert1966 · · Score: 1

    Tunnels - Luxury!

    Why I don't even have a spade. At Christmas time I didn't even get a lump of coal. I got a pickaxe so as to go get my own coal, which I had to ignite by rubbing together the dried-up bones of my own hacked-off legs. I use that small ember and a swatch of rag to send smoke signals.

    --
    Stuff that matters.
  51. phishing by kfuq · · Score: 1

    just another reason NOT to use M$ crap... go firefox & thunderbird

    --
    iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  52. Re: Mozilla Thunderbird! by Frizzle+Fry · · Score: 1
    You don't need ActiveX in emails.

    Don't tell me what I need or don't need in my software. It's off by default and if you don't want it, you don't have to do anything. But it's not for you to decide what I should or should not be able to do with my software. Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.
    --
    I'd rather be lucky than good.
  53. Re: Mozilla Thunderbird! by Yakko · · Score: 0

    How would they enforce such a restriction? Outlook Express doesn't have features that basically will you to use it, like Outlook has. Unless you're somehow using Exchange and their calendar system...

    Personally, I'd rather continue using mutt than have anything to do with HTML email. I wish some graphical mail client would have a feature where all HTML email is converted to text before being presented (of course this would be configurable, and there would be a "View as HTML" option).

    Email is a text medium, and always will be.

    --
    Me spell chucker work grate. Need grandma chicken.
  54. Don't be lulled into a false sense of security... by MenTaLguY · · Score: 2, Informative

    Just be sure your ISP keeps their installation of pine up-to-date. I've seen all too many installations of pine that haven't been updated since sometime in the 90s.

    Granted, I doubt pine is a big target for phishing scams, but nonetheless...

    --

    DNA just wants to be free...
  55. Microsoft: PLEASE back out of this design... by argent · · Score: 2, Insightful

    However, this will only affect users who have Windows Scripting Host enabled and certain ActiveX controls, according to MessageLabs.

    If only Microsoft would back out of this insistence on making the browser a completely general web applications framework with the ability to provide full access to local resources.

    Microsoft: split the HTML rendering engine out of the web client components, and get rid of the "security zones" hacks. You've been trying to come up with a design that lets you do this safely for over seven years now, and never succeeded in holding off attackers for more than a few weeks at the most... it's time to admit that even all the brilliant people at Microsoft (and you have some bloody amazing blokes over there) won't be able to make it work. Please consider that you may have been mistaken.

  56. You can be safe(er?) with PocoMail, too by EtherAlchemist · · Score: 2, Informative


    Last year I bought a new laptop. When I was setting up my apps, I decided to ditch Eudora and look for a better mail client.

    I tried out Pegasus Mail, Fox Mail, Mozilla mail, the Thunderbird standalone and PocoMail. PocoMail was the only one that wasn't free, and it was the one I chose in the end.

    A number of reasons led to my choice:
    1 - Built in spam engine (Bayesian filtering added in 3.1) and the best auto-junkmail filter of the apps I tested, includes learning filters
    2 - UI totally configurable
    3 - Ease of use. Everything was intuitive; layouts, menu items being where you would think they were, etc.
    4 - Internal HTML viewer: it doesn't use embedded IE and thus IE exploits go out the window
    5 - Doesn't execute JavaScript or VBScript: only supports PocoScript and only then if you tell it to. NOTE: also not affected by the latest JPG vulnerability.
    6 - Integrated automatically with both Panda Antivirus and later, Norton without me doing anything special.

    I've used it for a little more than a year now and love it. It was worth the $40 I paid for it, and Poco has updates frequently. If you're looking for a new mail client, I would recommend taking a look at it.

    More info.

    --
    R(k)
    1. Re:You can be safe(er?) with PocoMail, too by lordkuri · · Score: 1

      ok, here's one for ya...

      who do I have to blow to get someone to write a *very* basic IMAP-S client?

      I don't need spam filtering (spamassassin), I don't need html (never use it), and I don't need all the other garbage that's piled into 99% of the clients out there...

      I'd love to ditch Outlook, but damn! I don't need all that extra baggage!

      Someone hook me up with a link if such a beast exists!

  57. Why is this considered phishing? by jesser · · Score: 2, Insightful

    Why is this attack lumped together with phishing attacks? It sounds to me like this attack involves a hole that lets the attacker run arbitrary code with the user's permissions, which could just as easily be used to install a keylogger.

    --
    The shareholder is always right.
  58. Momma Says by Anonymous Coward · · Score: 0

    Momma says ActiveX is the devil!

  59. Microsoft doesn't get it by ajs318 · · Score: 1

    This is another example of Microsoft's flawed security model -- which, no doubt, has its origin in the supremely arrogant and short-sighted idea that ultimately it should be Microsoft, and not the user, who has the last say on what happens to a computer.

    No regular user should ever need write access to the hostsfile. That's the way Linux works by default. If you do need to modify it, you probably are root anyway.

    To allow ordinary users to edit the hostsfile is stupid, but to allow some random person on the far end of a long piece of wire to edit it is bloody suicidal. Yet this is exactly what is happening here -- the user is effectively executing dangerous, unknown programs at their own privilege level {which is likely administrator}.


    And what is the attraction of online banking anyway? There are precisely two reasons why I ever visit a bank. One is to deposit cash or cheques through the hole-in-the-wall, and the other is to withdraw cash through the hole-in-the-wall. Unless there has been an improvement in Windows software of late, that allows you to print pound notes out of your own printer, but I don't think so. I know how much I'm getting paid and how much my direct debits are for, so that tells me how much I can withdraw each month; multiply by 12, divide by 52 and round down to the nearest whole *10 and I get a weekly entitlement. As long as I don't withdraw more than that, I know I'm fine {and anyway I can always check my balance at the HITW next time I go there}.

    --
    Je fume. Tu fumes. Nous fûmes!
    1. Re:Microsoft doesn't get it by Anonymous Coward · · Score: 0

      One point a friend made to me was interesting. He told me he checks his online accounts daily. I've never tried online banking, but as I understand it, you have an instant up-to-date view of your transaction record so it's possible to detect fraudulent charges quickly. And 2nd, so that someone else doesn't set up your online banking account behind your back without you knowing (and presumably stealing your money).

      Of course being a computer guy, I've opted to take the impoverished route, they can't steal what I don't have. Try to be a less easy target, so the scammers go after someone else first... I just read a phishing article at the register and they note also that banks are increasingly trying to stick the unfortunate victim with bearing the charges because fraud is so widespread. IIRC they said it's up 4000% and on average the victim is incurring a $1200 loss to their bank account.

    2. Re:Microsoft doesn't get it by rec9140 · · Score: 1

      No regular user should ever need write access to the hostsfile. That's the way Linux works by default. If you do need to modify it, you probably are root anyway . . .To allow ordinary users to edit the hostsfile is stupid,

      I have to disagree strongly with that, I edit the hosts file on my Linux and wimpdoze boxes daily. Why?

      ADS! ADS! POPUPS! ADS etc...

      I don't want ads or anything else and the hosts file stops 99% of it. The rest my wimpdoze browser has a URL filter to kill and its popup kill gets what few popups still get thru.

      I hate using even simple web sites like newspapers etc. at work due to all the ads, annoying. I now do what I need and move on due to the ads etc..

      And what is the attraction of online banking anyway?

      Simple software allows me to keep an accurate record of my banking needs, pay bills, and I am not talking about using the banks websites. I am talking about using, Quicken as an example, to DL/UL transactions, and bill pay requests, directly in the software using OFX. Anything that can not be direct debit'd is setup as an auto repeating transaction online, till I kill it.

      I have not been inside a bank in 4 years except to start the account when I moved. The closest I get is to deposit the few checks that I still get now and then, but that's probably maybe 20 times tops in 4 years.

      Need cash .. ATM or money back at the local store of choice, and money back beats the ATM fee in most places if your bank charges them. The rest DEBIT CARD! ! ! This is the best thing ever created. I rarely carry cash, and any place that doesn't take my debit I probably don't need to go anyway.

      90% of all bills are direct debit to the account, as well as direct deposit of pay. Why can't the US and the rest of the world move to a cash free society?

      --
      1311393600 - Back to Black
  60. Re: Mozilla Thunderbird! by Carnildo · · Score: 1

    Me spell chucker work grate. Need grandma chicken.

    Shouldn't that be "Me spill chucker work grate. Knead grandma chicken."?

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  61. Reminds me of Autoexec.bat attacks by siastbill1 · · Score: 2, Interesting

    When I was younger, I used to write little batch files that would mess up my friends' autoexec.bat file. I would give them a game on a disk, and then tell them to play the game they had to type go (go.bat). The batch file would then backup their autoexec.bat file and replace it with my tampered version. Then when they rebooted their computer, blammo.

    I would have it execute gwbasic programs that would continuously loop "your computer is screwed", or that would just bleep out sounds from the PC speaker. I even wrote a program that would pretend to format your floppy drive (a continuous loop that constantly tried to load a file from A:>)

    People were so clueless they actually thought they had a virus. After people started using 2000 and XP I kinda figured that this sort of simple fake hack was over, but then I forgot about the hosts file. I think I'm gonna change my grandma's computer so that google.ca resolves to playboy.com :)

    Another simple fake hack is to erase the boot.ini file. It makes your uncle think his hard drive is mangled.

    Ah windows, it's the one constant I can always rely on.

    1. Re:Reminds me of Autoexec.bat attacks by Anonymous Coward · · Score: 0

      Are you saying you don't get ENOUGH calls from your family to come fix their computer???

    2. Re:Reminds me of Autoexec.bat attacks by cortana · · Score: 1

      He's just learning how to nurture the need for a business, from the masters!

    3. Re:Reminds me of Autoexec.bat attacks by YouHaveSnail · · Score: 1

      When I was younger, I used to write little batch files that would mess up my friends' autoexec.bat file.

      Ha ha ha, that's so incredibly funny! My, you were a precocious little one, weren't you?

      Did you ever wonder why nobody seemed to want to be your friend?

    4. Re:Reminds me of Autoexec.bat attacks by xarak · · Score: 1


      Actually, those are virii. Not harmful ones, but they need not be.

      --
      Atheism is a non-prophet organisation
  62. I don't get it by js3 · · Score: 1

    doesn't this flaw have more to do with what email client you are using than activex and windows scripting host?

    it would be helpful to say which email clients to avoid (probably outlook express I take it?)

    --
    did you forget to take your meds?
    1. Re:I don't get it by Anonymous Coward · · Score: 0

      > doesn't this flaw have more to do with what email client you are using than activex and windows scripting host?

      It's not really a flaw. Or rather it's no more a flaw than permitting root on some *nix to run rm -rf / or C giving you enough rope to hang yourself.

      So if there is a flaw at all here then it is located in front of the machine. In my case the attack described simply would not work, as I do my everyday work neither while logged in as root nor while logged in as Administrator.

      I don't smash my thumb to pulp and blame the hammer afterwards either, though.

  63. More information please by LesPaul75 · · Score: 4, Insightful

    The last line of defense for a lot of people was checking the actual URL of a link and seeing that it wasn't really "ebay.com" or "citibank.com," and it sounds like this flaw provides a way to defeat even that test. So this is pretty serious, it would seem, which is why it's surprising that the article is so sparse on details. Wouldn't it be good to know:

    1) What e-mail applications are vulnerable (can I get this through web-based mail)?
    2) What can be disabled to prevent this? Scripting? Active-X?
    3) Is a patch on the way?

    That article is pretty crummy.

  64. Re:would it be so difficult - not to _chmod by iamcf13 · · Score: 1

    would it be so difficult to set the file attribute on the hosts file to read only. ugh.

    The C library function _chmod can be used to un-read protect a file so protecting the hosts file that way is useless.

    So I primarily use my software to filter out such HTML-based exploits in addition to certain system configurations to make such attacks 'almost impossible'.

  65. Zzzzzzzzz by m.h.2 · · Score: 2, Funny

    *yawn*

  66. Re: Mozilla Thunderbird! by Fulcrum+of+Evil · · Score: 3, Insightful

    Other people may have different needs or use software in a different environment from you and this moralizing attitude that you can decide for everyone what their software should be able to do is frightening.

    Name one. If you're passing activeX around in email, it could probably be done better some actual way. In the meantime, we all have to deal with the results of malicious activeX email.

    Incidentally, my moralizing attitude is that you shouldn't be dumping benzene upstream of me. Is that also not for me to decide?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  67. Patented by punkkid · · Score: 3, Funny

    Didn't Amazon patent no-click phishing? Oh wait, that was 1-click phishing. Sorry!

    1. Re:Patented by slazar · · Score: 1

      hmmm I think it was no-click fisting. No wait, that's what our newly convicted spammer friends will be getting in prison...

  68. most corps don't use proxy servers by codepunk · · Score: 1

    Proxy servers tend to munge up way too much software so all but one company I have ever worked for just nat everything and do not use proxy servers.

    --
    Got Code?
  69. Security model is a big factor ... by gstoddart · · Score: 1
    And this is exactly where *NIXes excel. You can't do a scripting exploit in 'mail' - Why? Because you can't do scripting.


    Let's say I wanted to allow scripting on a UNIX machine. I can in Mozilla you know, at least for javascript in e-mail.

    The difference is on my UNIX machine, no matter *what* I have enabled in my mail client (and it sure isn't scripting) I'm running the code as a non-root account, and it doesn't get to change things like my hosts.

    The bigger problem is that the mail program has full administrative control over the machine instead of just being a user-land app.

    This is a long-standing problem with the Microsoft process model dating back to when they were a single user OS. The fact that all software expects to be able to manipulate the registry, change system dll's, and put its crap in the one-true place for such things seems to make the exploits worse.

    Cheers

    --
    Lost at C:>. Found at C.
  70. Good point by Anonymous Coward · · Score: 0

    Anyone smart enough to make the file read-only is probably smart enough to not run IE with administrative privileges except when absolutely necessary, e.g. Windows Update.

    Yes, Joe Home User probably won't do a thing, but business users can and should configure their systems to close such holes. There's no reason Joe File Clerk or Joe Bank Teller needs to run with administrative privileges.

  71. reading mail as plain text by Mr+44 · · Score: 2, Informative
    I wish some graphical mail client would have a feature where all HTML email is converted to text before being presented
    Not that I expect anyone on slashdot to actually know anything about microsoft products, but outlook express, outlook 2002 and 2003 all have this ability.

    Outlook 2002 added it with SP1. See Q307594 for details.

    In outlook 2003 it's even easier, just check the option for it.

    And in XPSP2, Outlook express now reads mail in plain text (Q883257).
  72. This should not be a problem by bigberk · · Score: 2, Insightful

    Because your Windows account has non admin privileges, of course. A low privilege user can't overwrite the hosts files, or screw around with the HKLM registry. And personally, my own mail client doesn't even try to support HTML or script-like thingies. Too difficult, too weird, unnecessary, dangerous.

  73. As tech support... by MMaestro · · Score: 1

    No offense, but you'd be surprised how many reports and calls are made to tech support people due to pranks like this. I hate to say this, but your 'fake hack' actually hurts thousands, even millions. If you wrote something like this as a kid and distributed it from floppy disk to computer, imagine what kind of variants of this are running around the internet right now.

    1. Re:As tech support... by Grishnakh · · Score: 1

      No offense, but you should work on your reading comprehension. The guy did simple hacks which may have looked like viruses, but weren't. I'd say, offhand, his 'fake hack' actually hurt only a handful of people: his friends that he pulled this prank on. A DOS batch file with GWbasic programs does not constitute a virus, and certainly isn't going to spawn variants and jump to the internet.

    2. Re:As tech support... by siastbill1 · · Score: 1

      Thanks for the backup on this one. I was just commenting how back in the 80's and 90's it was really easy to mess up a dos box with a simple batch file. The batch files I was writing were like 4 - 5 lines long, and literally incapable of spreading. They were just used to mess with my buddies a little bit.

      The point that I was hoping to make was that a simple 4 - 5 line batch file made by a little kid is still capable of messing up an MS box because of things like changing the hosts file or renaming boot.ini. In a sense, not a lot has changed over the years.

    3. Re:As tech support... by Grishnakh · · Score: 1

      To be fair, this is the case on any computer I think. hosts files work the same way in Unix/Linux, and changing things in the setup scripts can royally screw up one of those systems too.

      However, unlike the default or typical Windows installation, you have to have root access on a Unix box to get to these files. This makes it much harder for pranksters to mess around with one of these systems.

  74. Tastes like tuna by Anonymous Coward · · Score: 0

    Let me get this straight. We have an article on phishing by a guy named Will "Sturgeon"... hmmm something sounds fishy to me. :)

  75. Who would still use windows nowadays? by Anonymous Coward · · Score: 0

    Who in his right mind would still use windows nowadays? Can't get enough viruses, adware, spyware, pop-ups, or what? Man, even my 7 year old niece and my 68 year old grandmother are using Linux. They are anything but computer literate and both love it.

  76. One Task per Prog? See Firefox by SeinJunkie · · Score: 1


    You know, I don't have many problems with one program:one task thinking, except that using that thinking, new user expansion will be stunted. The more you isolate programs, the less likely you are to gain a user base. That may be the very thing that some Linux enthusiasts are going for: exclusivity. I wouldn't see the point in that, and it seems many people are ruining that by trying to spread the word about Firefox. One reason Firefox can pick up users so fast is because it combines many different useful features into one program. I'm not sure about you, but I've tried a lot of extensions, too. The point of each extension is exactly the opposite of what you're talking about. It adds functionality to an already functioning browser.

    You could break the whole thing down infinitely, and by your definition, Firefox does too much. Whether or not you use Firefox, the point is that one program and one task may have been good enough for your grandmother, but who wants to write software for your grandmother? Nobody. Simple programs abound, but they don't innovate.

  77. read-only bit on directories by Mr+44 · · Score: 1

    Actually, this is a common point of confusion with windows XP. There are two tricky aspects to it. 1st, the read-only bit on directories is "special" and doesn't actually make the directory read only. 2nd, and this is really confusing, in XP's folder property sheet, the read-only checkbox is a tri-state checkbox that refers to the files within the folder, but the XP theme makes the "indeterminate" state look like it's checked.

    See Q326549 for more info.

  78. Re: Mozilla Thunderbird! by innocent_white_lamb · · Score: 1

    I wish some graphical mail client would have a feature where all HTML email is converted to text before being presented

    You mean this one?

    --
    If you're a zombie and you know it, bite your friend!
  79. hype? sure, but there's not enough news either. by twitter · · Score: 0
    If you read a lot of the security mailing lists, you'd be under the impression that the world was about to revert back to the stone age with the security threats. But the reality is, a huge amount of idiots exist that love to overhype the security risks when it comes to viruses and worms like "I Love You" and "Sasser". Most of us know when there is going to be a big problem, but there are a huge number of others that like to spread false info.

    I'd say Microsoft has already harmed trust in the web and there are not enough reports about it. More than 80% of the world's spam is sent from broken Windows boxes. That in itself is awful but it's nothing to compare to the downfall of e-commerce that looms. New surveys are already showing that people are already getting skittish. When these automated scams start taking their victims, that skittishness is going to knock the bottom out of Microsoft or online retail, online banking and every other business that depends on taking money over the web. People are going to have their passwords stolen and their accounts abused and then they will tell their friends and that will be that for everyone. Between the misconception that PC==M$ and the barrage of BS from Redmond about everyone else's software sucking as much as theirs, the trust will be gone for a long time.

    By the way, that vmyths site itself looks like an email harvester for spammers or worse. I would never give them an email address or use the screen saver offered. I don't trust their flash. Their copy contains no useful or technical information and even looks like spam to me. Check out this deathless prose:

    Still waiting for JPEGs to kill the Internet, part 2 We stand at 41+ days since Microsoft released a patch to fix a JPEG vulnerability. Based on what the experts predicted in September, you should be sprinkling lime over your loved ones by now.

    It takes time for the Microsoft security disaster to have its effect but it's coming. People are not collecting these accounts and passwords for fun and bragging rights, they are doing it for money.

    --

    Friends don't help friends install M$ junk.

  80. Not a problem by RzUpAnmsCwrds · · Score: 2, Interesting

    Recent versions of Outlook (2000 SP1 and beyond) and Outlook Express (IE SP1 and beyond) display emails in the restricted sites zone. Neither ActiveX nor Javascript are allowed to execute in the restricted sites zone.

    This also doesn't affect anyone using SP2 either.

    Move along, another already patched Microsoft vulnerability.

    1. Re:Not a problem by zygote · · Score: 1

      Yes, of course, not a problem at all because every Windows user on the planet has a fully patched, up-to-date system. Whew.

      Trollfully yours,
      z

      --
      the future is here, it is just not evenly distributed - w. gibson
  81. A possible solution to this exact issue by PW2 · · Score: 1

    Make a new username such as ConfigEdit and assign ownership/read/write permissions to that user. Make sure that administrator and other users are not owners and have only read access to the hosts file. Email programs hopefully don't try to re-assign file ownership.

  82. Damn! Lotus Notes... by Anonymous Coward · · Score: 0

    ...is actually good for something useful after all!!!

  83. Re: Mozilla Thunderbird! by Citizen+Gold · · Score: 1
    Did you read the article? It says " the most recent versions of Outlook, where such features are switched off as standard, will be protected."
    What's your point? This is a minority group among Outlook/Outlook Express users. Most users of O/OE are using it because it's what came with the computer. They don't tend to know any better.
  84. Re: Mozilla Thunderbird! by m_pll · · Score: 1

    So what exactly is your problem with WSH (or Outlook, for that matter)? Yes, if the user goes out of his way to enable .vbs attachments in Outlook, and then is stupid enough to execute them, he's screwed. Same as with .exe or any other executable type. Which is exactly why these types are blocked by default.

  85. Re:I'm going for the troll, but this needs to be s by YouHaveSnail · · Score: 1

    The primary defence against phishing is critical thinking skills, not technology.

    Sure, but it'd be awfully nice if the technology we use didn't automatically give away my personal information before I even get a chance to employ said critical thinking skills.

    There are enough gullible people in this world that social engineering-type scams will likely always be with us. Still, you could vastly decrease the number of security problems on the net if you could wipe the twin scourges Internet Explorer and Outlook from the face of the Earth.

  86. Re: Mozilla Thunderbird! by sflanker · · Score: 1

    It should also be noted that this exploit is only possible if the user is running as a member of the Administrators group, since that portion of the file system is only writable by Administrators and System.

    Running as Administrator in Windows is just as stupid as running as root on linux.

  87. "Cool new thing called IMAP" by hackerb9 · · Score: 3, Insightful
    There's this cool new thing called IMAP. Look into it and get with the 90's.


    Uh, that's amusing, but wrong. Pine was the first mail program to use IMAP. Both Pine and IMAP were created at the University of Washington.
  88. Re: Mozilla Thunderbird! by cbreaker · · Score: 1

    "Don't tell me what I need or don't need in my software."

    Then what the hell are you doing using Microsoft software?

    --
    - It's not the Macs I hate. It's Digg users. -
  89. Outlook XP isn't THAT old... by cbreaker · · Score: 1

    Not sure why they use a plural "recent versions" in that. Only Outlook 2003 will block executables and scripts by default.

    Outlook XP won't block these scripts by default. It's only a couple years out, and I don't consider it to be OLD software. Expecting people to buy new versions of office every year (Office XP = 2002, and then Office 2003 a year later?) to protect themselves is silly.

    I don't excuse people for opening attachments, though, not completely. It's been years of "Don't open files you don't trust" bombardment across the board now that most people should frigging know better. But no, they don't, and people will keep opening these attachments over and over and over again.

    --
    - It's not the Macs I hate. It's Digg users. -
    1. Re:Outlook XP isn't THAT old... by Bill+Dog · · Score: 1

      Looks like this is supported in a security update back to Outlook 98. Don't know if this is applied by Windows Update, but visiting the Office update site would prompt to apply this, by default. (They really need to merge all their patch sources into one. The customer doesn't care how MS may have divided itself up into business units. Grandma just wants to go to one page on the MS site and be brought up-to-date.)

      --
      Attention zealots and haters: 00100 00100
  90. More security issues? by deemaunik · · Score: 0

    With all the tech issues, browser hijackings, and virus scares, I've been learning Linux as a replacement. Wine seems to be supporting most of what I need, and I can't take much more of these insecurities... It's becoming ridiculous. Simply going to a page can completely hijack a browser via scripts that download and run .cab or .exe files, and the vast majority of computer users have no idea how to remove or prevent this type of "Espionage." Remember when it was safe to browse the web with a windows based machine? Ah, Memories...

  91. I find this by FuzzyDaddy · · Score: 1

    slimy, but actually kind of clever.

    --
    It's not wasting time, I'm educating myself.
  92. Re: Mozilla Thunderbird! by Qaztal · · Score: 1

    Unfortunately some people are forced to use certain products such as Outlook as part of their company standard.

  93. Re: Mozilla Thunderbird! by Spoing · · Score: 1
    1. So what exactly is your problem with WSH (or Outlook, for that matter)?

    My problem? It's not my problem as I don't use WSH or Outlook anymore. Microsoft has a problem and instead of fixing it they reluctantly disable the defective part and allow it to be turned right back on again.

    1. Yes, if the user goes out of his way to enable .vbs attachments in Outlook, and then is stupid enough to execute them, he's screwed. Same as with .exe or any other executable type. Which is exactly why these types are blocked by default.

    Q. If WSH and other executables are turned off by default in Outlook or at the system level, why have them at all?

    If they can be made secure, then having them on is no problem. If not, they aren't reliably available and can be abused. Having WSH and other disabled dangerous services on the system at all makes turning them right back on again that much easier.

    Beyond that, another problem that Microsoft has is sticking to the data-as-executable concept. Yes, data and programs are just strings of bits, though treating them with equal privileges is a bad idea.

    Windows uses data-as-executable everywhere -- making trivially changed things like file extensions important. Windows in general and many Windows applications specifically wouldn't know what to do with one file or the other without file extensions...allowing not only users to be fooled but applications as well. Manually making exceptions for each defective implementation of this only works if the systems never change...yet they are being changed constantly and reintroduce this defect over and over again.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  94. My email client will be immune by q2k · · Score: 1

    Score another point for Pocomail. Knowing my wife isn't using Outlook or OE is well worth paying the license fee for Poco.

  95. Readable version of this by Anonymous Coward · · Score: 0
  96. google desktop search? by Anonymous Coward · · Score: 0

    can't this also be accomplished with
    something like google's desktop search?
    an app running in the background, intercepting
    requests for bank urls?

  97. Telekinetically controlling email? by Anonymous Coward · · Score: 0


    It says this is a "no-click" phishing scam, but I always have to click to get an email to display. Does it only affect you if you are using telekinetic powers to control your email program or am I missing something altogether?

  98. Of course they do by brunes69 · · Score: 1

    This is what these fucking scams do.

    What good is a person's PIN number without their card? It's useless. These guys use the scam to get your info and PIN, so that they can either go to your house and get the card info from your trash, or they can go to the bank and use your info to trick them into re-issuing your card, and pick it up.

    Get a clue - identity theft had over 10 million victims in the US alone last year. Everyone is at risk.

    SHRED YOUR SHIT.

  99. Re: Mozilla Thunderbird! by m_pll · · Score: 1
    Microsoft has a problem and instead of fixing it they reluctantly disable the defective part and allow it to be turned right back on again.

    It's not like there's a checkbox in Outlook saying "allow .vbs attachments". To do this you'd have to edit the registry. Seems pretty reasonable to me.

    If WSH and other executables are turned off by default in Outlook or at the system level, why have them at all?

    I'm not sure what you're asking here. How do you imagine using a computer if you can't execute any executables?

    Having WSH and other disabled dangerous services on the system at all makes turning them right back on again that much easier.

    So what you're saying is that since .vbs files can be abused, they should be permanently disabled? By this logic, you'd have to disable .exe and .bat files as well.

  100. Re: Mozilla Thunderbird! by FinalCut · · Score: 1

    I didn't see the parent say anything about RECENT - he/she just said I hope no one here is using Outlook/Outlook Express.

    Your rush to judgement led you to infer the author meant RECENT - when in fact they may have meant any version.

  101. Is it just me by nsingapu · · Score: 1

    ...or has windows security made the whole damn internet AOL circa de 1997.

    It used to be that if someone wanted a user name and password they IM'ed AOL members one by one. With the advent of activex, they can now do it en masse. Thanks Bill.

  102. Re: Mozilla Thunderbird! by Spoing · · Score: 1

    Of course that doesn't happen in every case. The problems Microsoft should fix are fairly broad, though -- and some of them were mentioned in the parts of my previous comments you left out this time.

    Is ActiveX a bad idea: Yes. Implemented poorly: YES. (They won't remove it since it's both a lockin tool and a marketing idea...it does nothing for the customer that couldn't be done more safely with other methods.)

    Is WSH a bad idea: No. Implemented poorly: Yes. (If not, it would not be abused. Since it has to be turned off to secure a system...it's not very valuable. Other scripting languages on other systems don't have these problems.)

    Are any executables a bad idea: No. If implemented poorly: Yes. If integrated poorly: Yes. If easily confused with different data or executables: Yes. If easily re-enabled and abused: Yes.

    Look at the various exploits that Windows and Windows applications have suffered with over the years -- specifically Outlook and IE -- and you'll find examples of each of these.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  103. That is the "Whose job is it?" question. by Ungrounded+Lightning · · Score: 1

    I believe the grandparent meant "would it be so difficult for MicroSoft to set the file attribute on the hosts file to read only".

    Yep. They're two sides to the same issue, really:

    With respect to each and every one of the huge number of configuration security bugs that Microsoft ships as its default configuration: Is it the job of millions of customers, many non-experts, to separately change their configuration to turn off the bugs (that they CAN turn off)? Or is it the job of the experts at Microsoft to do this once for everybody?

    If it's the latter, aren't they failing in their minimal responsibilities with respect to producing a consumer product? If they are failing, when will the bulk of the consumers realize it and switch to a product that is more robust?

    IMHO this is finally starting to happen. And once we're past the tipping point MicroSoft will be in the position of trying to sweep back the avalanche.

    But perhaps that is wishful thinking.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  104. Re: Mozilla Thunderbird! by m_pll · · Score: 1
    Is ActiveX a bad idea: Yes. Implemented poorly: YES

    Do you mean ActiveX in general? Or ActiveX support in IE?

    Saying that ActiveX in general is a bad idea is like saying DLLs are bad. An ActiveX object is nothing more than a component packaged in a DLL that can be used in a somewhat language-neutral way.

    ActiveX support in IE could have been better, I'll grant you that.

    Is WSH a bad idea: No. Implemented poorly: Yes. (If not, it would not be abused. Since it has to be turned off to secure a system...it's not very valuable. Other scripting languages on other systems don't have these problems.)

    I don't understand this. Can you safely run a Perl script from an untrusted source? Do you have to disable Perl in order to secure a system? Why do you think the answers to these questions are different when you replace Perl with WSH?

  105. 3 reasons by Anonymous Coward · · Score: 0

    "And what is the attraction of online banking anyway? There are precisely two reasons why I ever visit a bank. One is to deposit cash or cheques through the hole-in-the-wall, and the other is to withdraw cash through the hole-in-the-wall."

    And one can pay bills using online banking - no more rushing around at lunch time...

    1. Re:3 reasons by ajs318 · · Score: 1

      My mortgage, rates, TV licence, cable TV and insurance are paid by direct debit. My gas, water and landline bills -- which are variable -- are paid by payment card {out of my housekeeping money} at the post office about 400m. from my home. My electricity, which is the second most variable amount, is on a meter, and my mobile phone, which is the most variable bill of all, I can top up almost anywhere.

      I like pound notes, because it's next to impossible to tell where they've been without the co-operation of more people than is feasible {and anyway, nobody records the serial numbers of the notes you spend; they just stick them in a till with all the others}. I like coins even more, because they don't even have serial numbers.

      --
      Je fume. Tu fumes. Nous fûmes!
  106. Or.. by Adam9 · · Score: 1

    Look for the pretty little padlock icon on your browser.

  107. hosts is a standard TCP/IP file by Anonymous Coward · · Score: 0

    if anything is redirected to an IP address that you don't know, then you can be pretty sure that it is wrong to have this in the hosts file.

    I use my hosts file to redirect annoying advertising URL's to local host (which is always 127.0.0.1)

    If you have any other IP address in hosts there that is not a local network address (which is a 127.x.x.x or 10.x.x.x and maybe some others)

    I suggest that you google for hosts and see what it is. Or view your own on your local system.

    If you have a local network you also use the hosts file to direct your computer to other computers on the network. If you are using DHCP you don't do this.
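
The check described in comment 107 (any hosts entry that points outside loopback or local-network ranges deserves a look), written out as an added Python example that is not part of the original thread. The sample hosts content, the watched name `onlinebank.example`, the reason labels and the function names are all constructed for illustration.

```python
import ipaddress

# Ranges a hosts entry can reasonably point at: loopback, RFC 1918 private,
# link-local, unique-local IPv6, and the unspecified address used for blocking.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "::/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample input; public addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not taken from any real machine
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.adserver.example     # ad blocking via hosts
0.0.0.0         tracker.example
192.168.1.20    fileserver printer       # LAN machines
203.0.113.10    www.onlinebank.example OnlineBank.example
10.0.0.99       login.onlinebank.example
198.51.100.7    updates.vendor.example
not-an-ip       something.example
"""


def parse_hosts(text):
    """Yield (line_no, address_string, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, or address with no name
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def _matches(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def audit_hosts(text, watched=()):
    """Return findings as (line_no, reason, address, hostname) tuples.

    reason is one of:
      watched-name-override  a watched name mapped to anything other than
                             loopback or 0.0.0.0 (LAN addresses included)
      public-address         any name mapped to a non-local address
      unparseable-address    first field is not an IP address
    """
    watched = [w.lower().rstrip(".") for w in watched]
    findings = []
    for line_no, addr_s, names in parse_hosts(text):
        try:
            # Strip an IPv6 zone id such as "%lo0" before parsing.
            addr = ipaddress.ip_address(addr_s.split("%", 1)[0])
        except ValueError:
            findings.append((line_no, "unparseable-address", addr_s,
                             " ".join(names)))
            continue
        blocks_only = addr.is_loopback or addr.is_unspecified
        is_local = any(addr in net for net in LOCAL_NETS)
        for name in names:
            if _matches(name, watched) and not blocks_only:
                findings.append((line_no, "watched-name-override", addr_s, name))
            elif not is_local:
                findings.append((line_no, "public-address", addr_s, name))
    return findings


if __name__ == "__main__":
    for line_no, reason, addr, name in audit_hosts(
            SAMPLE_HOSTS, watched=["onlinebank.example"]):
        print(f"line {line_no}: {reason}: {name} -> {addr}")
```

To audit a real machine, pass the contents of the system hosts file and the names of the sites you care about as `watched`.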

  108. Re: Mozilla Thunderbird! by michael186 · · Score: 1

    Quite right FinalCut. I wasn't referring to this specific vulnerability - I was referring to O/OE in general.

  109. Re: Mozilla Thunderbird! by Venotar · · Score: 1

    > Don't tell me what I need or don't need in my
    > software.... it's not for you to decide what I
    > should or should not be able to do with my
    > software

    It's not your software. It's Microsoft's software, you're just allowed to use it (for a fee).

  110. Re:Where Are the Microsoft Shills? by julesh · · Score: 1

    So, you'd believe that having, say, bash or perl or python installed on a Linux system is inherently insecure, because if, say, your mail client were to allow a script to be executed through a design flaw in the mail client, it would be able to compromise the system? Have you perhaps considered that blaming the scripting language for this is just plain stupid?

  111. Re: Mozilla Thunderbird! by Chris+Hodges · · Score: 1
    Are any executables a bad idea: No.

    Exactly. I wrote a large set of macros for Excel 97 a few years ago as a summer job, and supported by email when I was back at uni. This often involved sending patches direct to the (2) users. A winzip self-extracting .exe was perfect - until the mail gateway was reconfigured to block all executables (and .zip files) and even the IT department on that site couldn't do anything about it (e.g. whitelisting). In the end the solution was to rename patch.exe as patch.bmp, which wasn't even scanned by the gateway virus checker, and instruct the user to rename and run. I didn't want to use a vulnerability to bypass overzealous security, but posting floppies was too slow. Of course that's the last thing you want to do for ordinary users.

  112. Is there a way to... by stkpogo · · Score: 0

    a way to change the default location of the host file, so any changes affect a fake host file?

    and use a mail washer / monitor and delete the spam on the mail server...
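On the question above about protecting the hosts file, one defensive option is to audit it against a known-good baseline. The following is an added example, not part of the original thread; the sample file, the `bank.example` names and the baseline are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Return a list of (hostname, ip) pairs found in hosts-format text."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank line or address without a name
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one address may carry several aliases
            pairs.append((name.lower().rstrip("."), ip))
    return pairs

def audit(text, baseline):
    """Return sorted (hostname, ip) pairs that are not in the approved baseline."""
    return sorted(set(parse_hosts(text)) - set(baseline))

# Constructed baseline: the only mappings this machine is expected to have.
BASELINE = {
    ("localhost", "127.0.0.1"),
    ("localhost", "::1"),
    ("fileserver", "192.168.1.10"),
}

# Constructed sample: a hosts file after an unwanted redirect entry was appended.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver   # LAN machine
203.0.113.7     WWW.Bank.Example login.bank.example
"""

if __name__ == "__main__":
    for name, ip in audit(SAMPLE, BASELINE):
        print(f"unexpected hosts entry: {name} -> {ip}")
```

Run on a schedule against the real file, a non-empty result is the signal to investigate; the baseline has to be stored somewhere the mail client's user context cannot write.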

  113. Re: Mozilla Thunderbird! by Anonymous Coward · · Score: 0

    There's no such thing as a safe Microsoft app. At least I'm not aware of one.

    The article only mentions Outlook, not Outlook Express - the last time I checked on WinXP SP2 OE still had lots of nasty things enabled that need to not be enabled. Outlook 2003 [which I use in my office] is secure by default to the point that it's annoying. But at the same time, it does provide somewhat of a safety net for myself and other employees throughout the company.

  114. Re: Mozilla Thunderbird! by SoTuA · · Score: 1
    Unless you're somehow using Exchange and their calendar system...

    Bingo.

    For personal use, I use pine for mail and tin for newsgroups. But @work, it's use Exchange or face the hassle of not having the company calendar/scheduling/address book available. Exchange :(

  115. Re: Mozilla Thunderbird! by BrokenHalo · · Score: 1
    I concur. I have not seen a single email in at least 18 months with any form of Windows executable content which has not been malign.

    I'm not a zealot about html mail, since as a markup language it is there to aid expression and communication, but html is just text, and sensible practices such as not allowing one's mail client to follow every link in sight should be sufficient to make it safe.

    ActiveX, however, opens up a can of worms every time it's invoked and has no honest or useful place in email.

  116. Re: Mozilla Thunderbird! by BrokenHalo · · Score: 1
    At least I can install firefox, but mail clients that aren't OE are a big no-no.

    If, perchance, you are referring to the need to interface with MS Exchange, Evolution now does that quite well. Though I should say, recent versions of Evo have unfortunately become quite heavy resource hogs...

    I have no comparisons to make with OE, however. Does anyone else?

  117. Re: Mozilla Thunderbird! by Anonymous Coward · · Score: 0

    I sincerely hope no one here is using Outlook/Outlook Express.

    Until recently, I was using Outlook Express with no problems.
    All that was required was that I turn everything off -- JavaScript, ActiveX, everything.
    (I don't need all of that crap enabled just to read email (or to surf the web, for that matter).)
    Unfortunately, I can't turn off either HTML or images.
    This means that with the new JPEG exploit, I can no longer use OE, as MS no longer supports my MS-Windows95 version of OE.
    I guess that it's finally time for me to switch over to some other mail reader.

  118. I Read the Article Also by LifesABeach · · Score: 1

    It states in the first sentence, first paragraph, "A phishing scam has been detected..."

    It was NOT "broken by trained personnel".

    The implications should be fairly linear at this point.

  119. Re: Mozilla Thunderbird! by Spoing · · Score: 1
    1. In the end the solution was to rename patch.exe as patch.bmp, which wasn't even scanned by the gateway virus checker, and instruct the user to rename and run. I didn't want to use a vulnerability to bypass overzealous security, but posting floppies was too slow. Of course that's the last thing you want to do for ordinary users.

    That your workaround was even possible shows how bad the extensions issue is for Windows; even a 'virus detector' took the extension as the truth -- not the contents of the file itself!

    Unfortunately, this extensions-centric way of doing things has been used on *nix desktops too. You'd think that the hard lessons of Windows would not have to be relearned elsewhere...bah!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
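The gap described in the two comments above (a gateway that trusts the file name rather than the file contents) can be closed by classifying attachments on their leading bytes. This is an added example, not part of the original thread; the policy, function names and sample attachments are constructed for illustration.

```python
import os

# Well-known leading-byte signatures. Two-byte prefixes such as MZ and BM are
# weak on their own; a real scanner validates more of the header.
MAGIC = [
    (b"MZ", "exe"),            # DOS/PE executable, including self-extracting archives
    (b"PK\x03\x04", "zip"),    # ZIP local file header
    (b"BM", "bmp"),            # Windows bitmap
    (b"\xff\xd8\xff", "jpg"),  # JPEG start-of-image
    (b"GIF8", "gif"),          # GIF87a / GIF89a
]
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".scr"},
    "zip": {".zip"},
    "bmp": {".bmp", ".dib"},
    "jpg": {".jpg", ".jpeg"},
    "gif": {".gif"},
}
BLOCKED_TYPES = {"exe", "zip"}  # the gateway policy described in the comment
KNOWN_EXTS = set().union(*EXPECTED_EXT.values())

def sniff(data):
    """Return the type implied by the content, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def verdict(filename, data):
    """Decide on content first; the extension is only a consistency check."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind in BLOCKED_TYPES:
        return "block"          # blocked type, whatever the name claims
    if kind == "unknown":
        return "quarantine" if ext in KNOWN_EXTS else "allow"
    return "allow" if ext in EXPECTED_EXT[kind] else "quarantine"

# Constructed attachments: (file name, first bytes of content).
SAMPLES = [
    ("patch.bmp", b"MZ\x90\x00" + b"\x00" * 60),   # renamed executable
    ("photo.bmp", b"BM" + b"\x00" * 52),
    ("photo.jpg", b"BM" + b"\x00" * 52),           # name and content disagree
    ("notes.txt", b"hello"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, sniff(data), verdict(name, data))
```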
  120. Re: Mozilla Thunderbird! by Spoing · · Score: 1

    ActiveX in general; it is treated often as a system process or library loaded from a 'trusted' external source; injected onto the local machine. IE is just the main vector for it appearing, not the only one. DLLs are not injected across networks (minus through other known exploits).

    WSH; is a bad implementation because it by default has hooks into too many areas of the system that haven't been vetted. That's why it keeps being used in viruses. Any scripting language that allows external scripts to be executed *should* be properly locked down to the user level or even sandboxed (Java, CLR) if sent from a remote source. It shouldn't be trusted automatically.

    If that makes the Windows version of Perl a bad implementation too, so be it, though I don't know of any cases where Perl was used as part of a system exploit.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  121. Re: Mozilla Thunderbird! by Sheep+Sophy · · Score: 1
    It says "the most recent versions of Outlook, where such features are switched off as standard, will be protected."


    It is like an error warning for cars: "Driving a car without brakes can cause damages."

    Question to all: Who is using Outlook earlier than 2000 and Outlook Express earlier than 6? Computer is security relevant. If the system is too old, you have to upgrade. If the upgrade is too expensive, have a look at cheaper operating systems like Mac OS or something like that.

    I know, a lot of users are insecure. But be sure: there is no patent on upgrading. Or...?

    Sheep
    Need your help: http://www.make-my-son-happy.us.tp/