08/27/2010

90% of all email is spam so we are building the underground economy

Yes, 90% of all the infrastructure and operations of the underground economy on the internet is subsidized and paid for by you and me.

If they want to rob a bank they have to get a car and petrol and guns and a place to hide and ......

If they want to do it online they only need an email account and access to a computer (a euro an hour)

So when firms say that 90% of all email is spam, this means that every investment in the email infrastructure is made to help the 90% of email that is spam get transferred from the installations of the sender - or of the firms that are doing that for him. The question is whether that spam needs to arrive there at all.

That spam should never have left the building.

I am not sure to what extent ISPs and service providers do spam blocking on outgoing traffic. But it would already help, and it could establish more trusted relations between operators.

Because it is just crazy that all those servers, routers, DNS infrastructure and all the rest for email traffic are used for 90% by spam that we will mostly throw away anyway. Imagine that we could already block most real spam at the starting blocks, at the edge of networks or on the links between networks. Not something heuristic, but the things that we agree upon as being spam for about 90%.

Imagine if that would stop only 10 or 20% of all spam: how much would all those internet companies win in space, installations and much more, and how much of that infrastructure, money and human resources could they use for other things.


some first thoughts about scams.skynetblogs.be and some blocking to do

After a week or so I am starting to receive the first scams sent in by others.

If you want to send in yours, just contact me: just the header and the mail itself as a forward (delete your own mail address).

I never thought that 400 people would visit it, but if they do it is probably because the telephone number or mail address was on Google and they had it too,

which was the purpose of the blog anyway.

What I think already clearly should be blocked if you don't desperately need it (but I am talking about Belgium here) is

@w.cn

@sify.com

I am sure that as the volume increases more will come, but with those two you may be sure that by blocking or spamlisting them you are filtering out a lot of scam anyway.


some new interesting developments in the dll story

Under the flood of echo-writing and linking the same links all the time, the FUD coming from sellers of all kinds of software and hardware solutions and the stupid discussion about Apple or Linux security (the first bug was found in Apple software, by the way), there are some interesting developments

- it looks like the flood of discoveries that began yesterday is over - but this doesn't mean they aren't there; maybe they are in the underground

- PuTTY, which is used by many administrators, is vulnerable

- You can infect a station with a DLL on a USB stick

- the NSA warned against this problem with the introduction of Windows XP, 12 - TWELVE - years ago (so you should read their technical documentation on computer security a bit more .....)

- there is an interesting discussion started on the mailing list Full Disclosure about the same dynamic search functions in Linux (Debian, ....), which seem to have been inserted only recently (to make it easier for programmers). If this is the case, then this problem will really become transversal

- there is a whole lot of FUD and commercial pseudo-articles running around that try to cash in, and at the same time sellers of different solutions (or their undercover 'researchers') are debating the stupidity of the others' solutions

- would you still download cracks or software from other sources (P2P?) BSA and other software licence firms will have a field day. After all the viruses in cracks we can now have integrated malicious DLLs.

Just to remind you what we need as security people:

* we need to update and patch tens of different programs from authentic sources (and that for sometimes thousands of installations) as fast and as easily as possible (not only the main freeware programs)

* we need to be sure that the programs running on the different critical installations have only official updates and that no other changes have been introduced (a program like Tripwire, or source code and event monitoring)

* we need to separate the work PC from the surf PC, which can be done by virtualisation with different logins or with different hardware (attached to the same screen). If that is not possible we need to intercept everything coming from the internet in a separate environment before the PC (a proxy with storage, for example) or on the PC itself (sandbox technology). Those policies can be coupled with software restriction policies and lockdowns (critical installations).

* we need to be able to test our own code and applications all the time against new and possible attacks

* we need integrated reporting from all those sources

So this goes well beyond 'install an antivirus or firewall, or patching advice'. This is insecurity 2010 and it is targeted, internal and human-based. There is no way an antivirus or firewall will protect you against an active malicious DLL in a program. Imagine that your firewall or antivirus would need to scan all the code of all the programs before letting it through. You would surf the internet as fast as in 1980 (older guys remember the buzz tones of the modems?)

Question

Will this problem be solved by making many of these free software programs 'installation-free' or portable? Those programs can be used without all those installations, and all of their DLLs are included in the same folder (just like documents). It could make version control easier and it could make locking down the kernel and registry in the enterprise easier. It would make installation packages bigger, but maybe we would have to install less - and work more. Anybody any ideas about that?


seniorenweb.be and netties.be hacked by Serbian ? hacker

The webpage of netties.be is clear (archive at diigo.com/mailforlen)

seniorenweb.be has the following in Google - but you don't find it on Google yet

  1. owned 09:41

     ur databases under controle. we can controle the world using our mind. rememmber this name cause u will see it again soon. contact :bofaisa2@hotmail.com.
     www.seniorenweb.be/


08/26/2010

Overview page for DLL attack crisis started

The page gives you links to the information you will need to follow:

To instant news from Twitter

To search engines

To feeds with exploits and news

To a collection of links with articles and more

It could all blow over - or just be the start of something.

If you know which, you should work on the stock market.

I just prepare for 'in case of'.

You can find the resources here:

http://www.netvibes.com/mailforlen#DLL_injection


workaround for DLL injection attacks breaks so many applications that it is not usable in a network

Well, some applications that seem to be vulnerable (looking at the exploits that are coming (or should I say flowing) in) will be broken when you install the workaround.

According to the posts at the Internet Storm Center (how long are they still keeping the green up, if yellow is the attention-getter saying 'wake up world, this is serious, do something about it now before this gets out of hand'), the following applications just break:

* Chrome

* Outlook 2002

and probably any that is not secure and not patched yet.

I don't see how you can implement the fix.

This will mean that in highly targeted networks computers will be shut off from the network and isolated altogether until some response is found that one can work with - this means

* either a set of patched Microsoft, Adobe and some other popular applications in one service pack

* or a fix that lets you manually or by script define where the unidentified DLLs are to be found for the critical applications

* or both

Another question I ask myself: how in the hell am I going to update and patch all those different applications on the network, with all the users on all their computers (home computers included if they use them for work)?

Remember this can be a sleeping trojan that only adds a function to an application or that is only activated when needed, and as it is in the application it can even control the update process - giving you the impression that you have secured your application.

Now we are going to see if the bad boys are really as smart as they claim to be.

Producing viruses and workarounds for security rules and so on in a tit-for-tat is maybe smart, but now they will have to be really intelligent and stopping them will be really hard (look at the .lnk virus against SCADA that wanted only to change some part of the code in an application without breaking it).


Storm of working DLL hijacking exploits is there - now the botnets ......

Source: http://www.exploit-db.com/local/

and there are more and more and more already, and flowing in......

Now, these are proofs of concept; they don't prove that you can actually do this all the time and that it is easy to integrate with the other things you have to do to infect a computer.

I will integrate an RSS feed with the newest ones coming in on this blog.

By the way, next week I am on a real holiday and I am not sure I am going to be your watchful eyes all the time like I have to be around here to understand what is happening outside.


securitypeople will have to deal with a daily load of new bugs for popular software from 1 September on

This is the announcement

and I thought

don't we already have enough on our plate?

can't they wait until we see more clearly in this 'traversal programming bug' (traversal because you can find it in so many different programs that it will take some intensive work for all these programmers to fix it, to distribute the patch, to get it installed, to fix the problems caused by the patch or upgrade, and so on)

"The Abysssec Security Team is about to unleash its Month Of Abysssec Undisclosed Bugs on us. Starting on the 1st of September, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novell, etc. The 0day collection includes PoCs and Exploits for Microsoft Excel, Internet Explorer, Microsoft codecs, Cpanel and others. The MOAUB will be hosted on the Exploit Database, and will be updated on a daily basis. Get your hard-hats on, your VM's and debugging tools organized - it's gonna be an intensive ride. Follow both the exploit-db and Abysssec twitter feed to keep updated!
http://www.exploit-db.com/moaub-0days-binary-analysis-exp..."


08/25/2010

DLL Injection exploitation research finds exploits by the ......

There is a tool out that makes the scanning easy

http://blog.metasploit.com/2010/08/better-faster-stronger.html

A whole bunch of Microsoft programs, Apple programs and other programs are proven to be vulnerable

in theory.

Now for each one an exploit will have to be written to be usable

and even then it has to work, which is not so evident but not impossible.

Don't think malware writers are on holiday - they are probably all coming back in a hurry to find the first big exploit

* that they could sell to the security market or to the underground

* or exploit themselves

Time to organize your defenses.

Some antivirus scanners already block the tool as a hacker tool

but there are other administrator tools that do exactly the same thing (dependency explorer, process explorer and a bunch of others).


the weakest link of wikileaks is in Belgium and the Dutroux case files

I do not know who told him this, but this belief that Belgium is a safe haven is total bullshit.

"Belgium comes a close second to Sweden's laws on the protection of sources because its law has also been extended to digital media, adds Philippe Leruth from the European Federation of Journalists' steering committee."
http://www.euractiv.com

The Belgian journalists who have been put under investigation and who had their material confiscated can only smile. It is not the letter of the law that is important here but the way in which it is interpreted in the context of other criminal investigations and laws.

"Wikileaks makes the most of this opportunity and exploits Sweden's constitutional laws. The webpage states: "Online submissions are routed via Sweden and Belgium which have first rate journalist-source shield laws.""
http://www.sydsvenskan.se/

The same article states that this is also NOT true for Sweden.

So who are you kidding?

If you want to leak to Wikileaks you should be sure that you are difficult to track down, and it won't only be the badly managed certificates of Wikileaks that will protect you, or the fact that it is in Sweden or Belgium.

It will be how you have done it.

And that is why there are 500 volunteers running around.

Collecting papers in a digital world.

Curious to see if the Belgian justice system will now try to find that Belgian server of Wikileaks, because if there is a complaint by, for example, one of the parents they will be obliged to try to confiscate the server. Even if they don't really want to, legally they are more or less obliged to do so.

There are rumours running around that the files that are downloadable from Wikileaks are also hosted in Luxembourg (but the file size is different) or that they are also present on the famous DVDs.

Instead of leaking invented rape claims in Sweden, the anti-Wikileaks operators should have looked better at the network map of the Wikileaks infrastructure.

There is a small country, Belgium, that has some very interesting laws about publishing court material.....


dll injection is perfect for targeted attacks

So even if you see no big viruses and even if your application is not mentioned in listings,

this doesn't mean that this method isn't being developed or in use by people who are specialised in targeted attacks instead of running virus campaigns between expensive holidays with cheap chicks :)

So if you have installations or people who could be the target of such an attack, you will have to take all the necessary measures

and maybe think of some of the things people are talking about more and more:

* total separation of a network of cheap internet PCs and the work PCs (the first can sometimes even go wireless). The bridge between the two are the analyzer bridge computers with all kinds of securityware on them, but in a perfect world they should be closed down

* another virtual image of your machine that has to be loaded before you can connect to the internet

* a no-install policy when surfing the internet

* a software restriction policy

* a NAC before surfing the internet


Microsoft publishes updated guidelines for programmers for DLL search - must read

PROGRAMMERS SHOULD READ THIS UPDATED DOCUMENT BY MICROSOFT IMMEDIATELY

"We've also recently drafted additional guidance to help developers understand this issue. You can find that developer guidance attached to the blog post."

Don't say you didn't know.

More resources at netvibes.com/mailforlen and diigo.com/user/mailforlen


Microsoft publishes workarounds against DLL hijacking attacks (which are underway)

The first articles and warnings from Microsoft that not abiding by their best practices could lead to problems date from 2008 and 2009. It just needed someone to discover a cheap and easy way to implement it.

When you are in a network that has to protect important data you will have to implement this, as this malpractice by the programmers of a whole series of programs (and the list can be enormous) has given attackers a quite easy way to inject their malicious code into the program itself, under the name of a normal part of the program.

Each program is made of different parts of code. One part is the DLLs. These can be written by the programmer, or he can use the DLLs that are already present on the system and are used by other programs as well. If the programmer has not specified in his program where the DLLs are, and they aren't DLLs for which Microsoft has hard-coded the place where the program can fetch them, the operating system will search for them dynamically and will load the FIRST file it finds with the same name and function. The only thing an attacker has to do is place a DLL file in a folder that is searched before the folder where the application would find its normal, authentic DLL.

Imagine that an email client would get a malicious DLL that makes the program work - so the user sees nothing - but that sends a copy of each email to another address or folder. Or a financial program that does the same. Or a music program that loads advertising for which not the programmer but the malware writer is paid. And you have downloaded the right program from the official site and there is no virus in the program. The only thing that happens is that another function is added to the program. Imagine a security program that stops all viruses except one. I hope that you understand the seriousness of this bug.

On a larger scale this means that

* programmers will have to check all their programs for this bug (for the moment it is only Windows, but who knows...). This includes drivers.

* new programs will have to follow stricter rules

* you will have to think about a strict software policy and, for example, only accept software in your environment that can be patched automatically

* every program will need a dynamic automatic update mechanism that you will have to install if they are security patches

* programs have a certificate (MD5) but what about the different parts of programs? Have to look into that some day, but this may be something interesting.

* refuse access to unpatched machines, throw away Windows 2000 and upgrade XP SP2 to XP SP3 or throw it away.

* disable the WebDAV client service on workstations to prevent outbound WebDAV connections

* do not let shared SMB traffic from inside your network pass the firewall to the outside

* implement the following tool to change the registry settings: http://support.microsoft.com/kb/2264107

"This update introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path."

http://www.microsoft.com/technet/security/advisory/226963...

http://blogs.technet.com/b/srd/archive/2010/08/23/more-in...


Dutroux files on wikileaks are illegal - what about the unsecured DVD's ?

When the DVDs with the files from the Dutroux case were found in the offices of the Archbishop of Belgium, it made quite a storm.

Afterwards it became clear that there are tens of copies of those DVDs going around.

It seems that the judge of the trial had decided to put all the files that were being used on a DVD for the journalists.

It also seems that not everyone in the judiciary agrees with this, and some find it an enormous risk.

The documents on the DVD are not protected with passwords or encryption or double authentication for access (that would help a little, but not against a dedicated hacker).

The result is that those DVDs are being copied and distributed among interested parties, but not all the documents on those DVDs (or all the information in some of those files) are for public view, and for persons who don't know the whole story and the importance (or not) of some judicial files it may lead them to conclusions that were not intended or are not right.

There is another problem with the DVDs, according to sources on the internet. There are tens of thousands of documents on those DVDs, which makes the indexing of those files and the search function very important. It is not a full-text search: only a certain number of search terms were chosen. You can imagine that some who are looking under every stone to find information about the 'networks' (whether you believe in that or not) have discovered that they have to re-index the files and add other search terms to find some bits of information they were looking for.

The fact that the Dutroux case is still so important and that so many people are still researching the case is because the investigation and the trial itself were never conducted in such a way that anybody could blindly believe that everything that was done was done completely and scientifically. And that is the case for both sides of the debate. It is the same for some other big judicial investigations.

Now a set of files - I don't know if they come from the DVDs and I don't want to know (it is up to someone from the judiciary or the press to do that; they have legal protections I don't have, and I don't have the DVDs myself) - was published on Wikileaks more than a year ago.

It was recently discovered by the press - we mentioned this already a year ago - and they contacted the judiciary, who say that the files are illegal.

This has a lot of consequences for the people who are involved in this if the judiciary decides to investigate and prosecute them - and they will have to if someone who is mentioned in those partial files of the investigation files a complaint because his privacy and good name may be endangered by this.

The files are on Wikileaks if you click country index, then Belgium and then the page belgium:dutroux.

The same kind of files seem to be on sale for 30 euros on the net by a site in Luxembourg, so in fact anyone could have bought them and placed them online.

The parents of the girls seem shocked and some lawyers say that the files on Wikileaks are totally illegal.

Getting them off Wikileaks will be difficult, but maybe they can block it again with their firewall (but this will be difficult with the network of proxies that they have set up).


08/24/2010

First DLL preloading attacks being developed - how many will follow

Some persons have to understand that in 2010 it makes no sense to keep things quiet and only publish bits of information. There is a whole set of researchers dissecting every word that is written and putting all those bits together so they can start testing and working on it. Either you say absolutely nothing (in the hope that no other researcher will find it too and publish it without thinking (or understanding the gravity of it all)) or you say everything and oblige the whole industry to call everybody back from holidays and back to the coding machines to fix that bug.

Now we have a situation in which the original discoverers are trying to keep as much technical detail out of the limelight, while on hacker fora the first attack scripts against popular software are being developed. The possibilities of this attack are too beautiful to ignore. As I have said before, you can place DLLs for, say, the 100 most downloaded applications all over the machine and just wait for one of those to be downloaded. The more I think about it, the more it seems like the perfect attack for a crimebot that wants to stay in the grey zone. You could even launch your own DLLs with publicity like 'make Outlook work faster'. What the person won't know is that somewhere deep inside the user agreement you receive every email address they have sent email to - for research possibilities....

On the Twitter list mailforlen, diigo.com/mailforlen and the security dashboard at netvibes.com/mailforlen you will find links and more information. I am not going to post every link here.

But it is important to know that attack tools are being developed against popular software. One I have seen today is against PowerPoint 2010. (huh, Secure Development Lifecycle Management by Microsoft?)

Tomorrow we will post some free tools to check and prepare yourself for the onslaught if this gathers storm (and who can tell? this script seems so easy....)

There are also a lot of other tools that may be vulnerable, like electronic identity card readers and home banking tools and stuff like that.... because if the link to the DLL isn't hard-coded and in full, then there may be a problem or an opportunity. Remember this is just the first discovery. It makes me think of XSS attacks. The first ones, I think two years ago, were so simple and stupid you fell off your chair when it was shown. Now we are talking about things like double reflective XSS and CSRF and a new one, DRSF (in the same domain), and you really have to read it slowly and very attentively to still understand what it is and how to prevent it.

I can imagine that in a later stage the attacks will try to replace the DLLs or take their name, or make the application load the new DLL instead of the normal one the next time. There was a lot of theory floating around that attacks would move from the web to the applications (and back to the web), but there was no way to do this on a massive scale with a massive impact (except for a few popular Apple and Adobe products). This may be the black breakthrough.

I am going to invest in LANDesk and Secunia and consorts.


new kind of important attack: DLL preloading attack (and growing consequences)

We have written about it before and now it has gotten its official name: DLL preloading attack.

It means that a malicious DLL can be loaded by any program that didn't place the full path of its DLLs in its code and so uses the alternative search process of the Windows operating system, where the DLL isn't placed in the first logical place this alternative search process is going to look, and where an infection can place files that can be loaded.

This really means any Windows program that doesn't follow the Secure Development Lifecycle.
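To make the search process above concrete, and the CWDIllegalInDllSearch workaround from the 08/25 post "Microsoft publishes workarounds", here is an added Python model (not code from this blog or from Microsoft) of how LoadLibrary resolves a DLL asked for by bare name versus by full path. The directory layout, DLL names (helper.dll, sysutil.dll, optional.dll) and user paths are constructed; the search order follows Microsoft's documented default with SafeDllSearchMode on, and the value 0xFFFFFFFF is the documented KB2264107 setting that removes the current directory from the search.

```python
"""Model of the Windows LoadLibrary search order for a DLL requested by bare name.

Constructed example: the directory layout, DLL names and user paths are made up.
KnownDLLs (which the loader resolves without searching) are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Default SafeDllSearchMode order after the application directory (XP SP2 and later):
# system directory, 16-bit system directory, Windows directory, then CWD, then PATH.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

REMOVE_CWD = 0xFFFFFFFF  # CWDIllegalInDllSearch value documented in KB2264107


@dataclass
class Machine:
    files: Dict[str, Set[str]] = field(default_factory=dict)  # directory -> file names
    app_dir: str = r"C:\Program Files\MailAgent"
    cwd: str = r"C:\Users\alice\Downloads"  # e.g. the folder of a document the user opened
    path: List[str] = field(default_factory=lambda: [r"C:\Tools"])
    safe_dll_search_mode: bool = True
    cwd_illegal_in_dll_search: int = 0  # 0 = key absent, default behaviour

    def has(self, directory: str, name: str) -> bool:
        present = {n.lower() for n in self.files.get(directory, set())}
        return name.lower() in present


def search_order(m: Machine) -> List[str]:
    """Directories in the order the loader consults them for a bare DLL name."""
    if m.safe_dll_search_mode:
        order = [m.app_dir] + SYSTEM_DIRS + [m.cwd] + m.path
    else:  # legacy order: CWD is searched right after the application directory
        order = [m.app_dir, m.cwd] + SYSTEM_DIRS + m.path
    if m.cwd_illegal_in_dll_search == REMOVE_CWD:
        order = [d for d in order if d != m.cwd]
    return order


def load_library(m: Machine, name: str) -> Optional[str]:
    """Resolve a DLL the way LoadLibrary does.

    A fully qualified path is loaded from exactly that location; a bare name is
    the FIRST match along search_order(), which is the behaviour the attack abuses.
    """
    if "\\" in name:
        directory, _, base = name.rpartition("\\")
        return name if m.has(directory, base) else None
    for directory in search_order(m):
        if m.has(directory, name):
            return directory + "\\" + name
    return None


def audit(m: Machine, name: str, expected_dir: str) -> Tuple[bool, Optional[str]]:
    """Defender check: does a bare-name load resolve outside the directory the
    program expects? Returns (hijacked, resolved_path)."""
    resolved = load_library(m, name)
    if resolved is None:
        return False, None
    hijacked = not resolved.lower().startswith(expected_dir.lower() + "\\")
    return hijacked, resolved


def sample_machine() -> Machine:
    """Constructed layout: the app ships helper.dll, the system has sysutil.dll,
    and the Downloads folder (the CWD) holds look-alike DLLs planted there.
    optional.dll exists nowhere except the CWD, like a DLL an app asks for but
    that is missing on this Windows version."""
    return Machine(files={
        r"C:\Program Files\MailAgent": {"mailagent.exe", "helper.dll"},
        r"C:\Windows\System32": {"sysutil.dll"},
        r"C:\Users\alice\Downloads": {"helper.dll", "sysutil.dll", "optional.dll"},
    })


if __name__ == "__main__":
    m = sample_machine()
    for dll in ("helper.dll", "sysutil.dll", "optional.dll"):
        print(f"{dll:14} -> {load_library(m, dll)}")
    m.cwd_illegal_in_dll_search = REMOVE_CWD
    print("with CWDIllegalInDllSearch=0xFFFFFFFF, optional.dll ->", load_library(m, "optional.dll"))
```

With the default order only a DLL that is absent from the application and system directories can be picked up from the current directory; with the legacy order (SafeDllSearchMode off) even a system DLL name is shadowed by the copy in the CWD, and with the registry key set the CWD is never consulted.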

It also means that one can infect a computer with a high number of sleeping DLLs for popular vulnerable programs, waiting to be activated. It also means that one can infect a computer with such a DLL and afterwards promote the legitimate vulnerable program to be downloaded. Yes, you wouldn't be making rogue security software or adware or something like that. Just a freeware that is vulnerable and that you are promoting; you can even download it from their site - as long as it is vulnerable. Then you have all these users installing the vulnerable program and afterwards you control them through the malicious DLL and do the rest (make them zombies). I am not sure if it is possible in practice, but in theory it is. You have to think like a criminal to be faster than them.

Secondly, it means that a software restriction policy is necessary in secure environments. We are now entering a new era. Forget everything as it was before. Just as PDF attacks were something marginal and new a year ago, they have become so widespread that Adobe - like Microsoft some years ago - has to invest enormous resources in security and rethink a lot of things if it wants to survive as a trusted business (and PDF as a trusted format).

This means that only programs that have an update process and that patch security problems fast can survive once this kind of attack becomes mainstream (or should I say meanstream?).

It means that all the old stuff that is used by consumers and in targeted secure networks (don't forget the Advanced Persistent Attacks - very small and rare (so they stay under the radar) but very effective and specific).

It also means that your upgrading and patching solutions will have to extend their reach to an enormous number of programs; in the near future they will even have to include drivers, because those could also become vulnerable if they aren't programmed properly.

No quality without security. If people didn't follow the guidelines by Microsoft for secure programming, how can they expect to deliver quality? One day or another your negligence becomes a security problem, and even if it isn't used by viruses, it can become a security problem for targeted attacks. Either way, it will cost a lot of money to resolve. It was much cheaper to follow these guidelines. Get your programmers to follow them strictly. They were written for a reason, and even if the work goes more slowly, it will survive much longer in the end.

Now we have a problem of which the impact can be enormous - and everybody is keeping quiet for the moment, but you feel the nervousness.

And if it doesn't explode, it will still remain a time bomb awaiting another vulnerability or malicious technique to be combined with, to be used much more economically and efficiently.

Reading stuff

http://www.microsoft.com/technet/security/advisory/226963...

And a very good posting on the Internet Storm Center


08/23/2010

Brucon, the Belgian IT security cool-hackers event, second edition

I won't be present this year because I have family coming over from Chile and we only see them alive in person every 15 years or so. But it is a very interesting agenda. And if you work for a firm: your company spends thousands listening to total crap, and if you wanted to meet all those speakers you would have to go to the UK or the USA, which would cost them thousands more, so don't complain.


If you go, see the Wombat project, because Olivier is one of those military infosec people who is really interesting.

There are also some very interesting training sessions, trainings for which you would otherwise also have to go to the UK or the States and which are given by the top notch in their fields. One that stands out is VoIP security, because this is mostly overlooked, and for critical installations something they had to consider from the beginning (in depth, I mean). The same for the training about pentesting in highly secure environments. The other two are only interesting if you already use those tools, or if you don't have such a tool yet and are looking for an open-source alternative. They will surely bring you up to date so that you can use them more effectively.

From the website Brucon.org (follow them there for all their news):

"Our sales model this year is based on a "pay what you can" system to make the conference accessible to everyone. All tickets include food coupons for both days (breakfast, lunch and dinner)."

Basic ticket (no invoice):

  • Starting 1st of July or after 100 tickets: 150 Euro
  • After 17 September, door-price only: 195 Euro

Business ticket:

  • Starting 1st of July - 17 September: 350 Euro
  • After 17 September, door-price only: 395 Euro

Program

So if you are in Belgium or work as an IT security official in Belgium, and you don't have family over that you won't see for years, nobody is in hospital and your network is not going down every hour, you should start planning your presence here. The first edition was known as one of the best security conferences around. You will also meet a lot of people working in the IT security business in Belgium who aren't trying to sell you something (which makes infosecurity.be conferences such a bore/hassle/headache).

Oh, and hurry if you plan to go, not because of the price increase but because there is only room for 350 people and registrations are flowing in.

And the crew and volunteers may be very proud of themselves :)


not a 0-day vulnerability for Windows but programmer's malpractice

There are some indications and rumours going around about a new explosive 0-day for Windows. Let's clear that up before you start looking in the wrong places, and warn you that for security people there is an enormous task brewing behind it (this is why everybody is keeping quite silent about the facts for the moment, a good indication that something is very wrong; remember the DNS and the SSL bugs, for starters).

This post is based upon the available information from different sources that are trying to put the pieces together.

This is the information as we know it today.

This is NOT a Windows bug. The Windows kernel and OS have NOTHING to do with it. Keep that in mind while reading further.

It began with a mistake in the Apple iTunes software for Windows (for those who think that installing Apple software will make their PC safer :) ). That bug is fixed with the latest update (go to http://update.microsoft.com).

To function, each program has to load different DLLs, which should be located in a specific folder but are sometimes placed all over the system (more difficult to manage). If you don't like this kind of installation, look for portable or installation-free software (and bypass the limitations placed on your work computer by installing them among your documents :) ).

Now read the following very carefully, because if this is true, I think we have an enormous problem:

"When an application tries to load a specific module into the address space of the calling process, it usually uses the Windows APIs LoadLibrary / LoadLibraryEx - at least if you want to follow the documented way.

One of the parameters accepted by these APIs is the path to the library that is wanted to be loaded. If the developer just specifies module name without a path, the operating system starts searching this module by looking in a number of known paths."

Source: http://www.prevx.com/blog/153/An-oldnew-day-Windows-flaw-on-the-horizon.html

The attack is very simple and can be industrialized by a botnet. You only have to place a DLL with the same name as the one the program will be searching for in one of the places Windows looks first. This means that if the programmer installed the DLL in the third place Windows searches, and didn't specify the full location of the DLL the program has to load, then all a malware coder has to do is place a bit of code with the same name in the first or second place Windows searches, and the program will load it.

If he is smart, he will start a fake update process and can download other stuff during the so-called installation process. You can imagine that many users will simply click to upgrade or extend, because the alert seems to come from the program itself. Or he could install other functions later.

There will be at least 40 popular and important Windows applications that could be vulnerable.

But if you take every piece of software into account, it can be many more.

Now, if you have a software restriction policy you may be saved, because you only have so many programs to watch for updates. It also means that you will need a full update policy for all the programs you use: now that some popular programs are trying to get a security policy together, other user tools can also become the target if their programming and architecture contain several such mistakes.
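As an added example for the administrator side of the story (not code from the original post or from Prevx), a PowerShell triage script that lists DLLs which running processes have loaded from a network share, or from outside the Windows system directories while carrying the name of a System32 DLL; both patterns fit the search-order problem described above. It assumes an elevated 64-bit PowerShell session so that other processes' module lists are readable.

```powershell
# Added example, not code from the original post: list the DLLs that running processes
# have loaded from outside the Windows system directories while carrying the name of a
# System32 DLL, or from a network share; both fit the search-order problem described above.
# Assumption: run in an elevated 64-bit PowerShell so other processes' module lists are readable.
$system32 = Join-Path $env:SystemRoot 'System32'
$trustedRoots = @($system32, (Join-Path $env:SystemRoot 'SysWOW64'), (Join-Path $env:SystemRoot 'WinSxS'))

# Names of the DLLs that ship in System32; a same-named copy elsewhere is worth a look.
$systemDllNames = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDllNames[$_.Name.ToLowerInvariant()] = $true }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # protected or cross-bitness process
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
        $reason = $null
        if ($path.StartsWith('\\')) {
            $reason = 'loaded from a network share'
        } elseif ($systemDllNames.ContainsKey($name) -and -not (Test-TrustedPath $path)) {
            $reason = 'same name as a System32 DLL, loaded from elsewhere'
        }
        if ($reason) {
            [PSCustomObject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $name; Path = $path; Reason = $reason }
        }
    }
}

# Expect false positives from applications that legitimately ship their own copies of a
# system DLL; the point is a short list to review, not an automatic verdict.
$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

The script only sees what is loaded at the moment it runs, so it complements, rather than replaces, the developer-side fix of loading DLLs by their full path.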

IT-Security is an ever moving field

This one could become important for software. Curious whether this would also work on Linux or Apple.

This shows the importance of the SDL (Secure Development Lifecycle) and the test phases that have to be set up during it.

Did your programmers follow any course on that? Are your outsourced development firms certified?

Oh, that would cost more.... How much would it cost to adapt your software if this attack becomes generic (meaning that it becomes an attack independent of the software or the code, like a brute-force attack, for example)?

How much of your software has been tested for bugs? And how many of those bugs have been corrected?

You understand now why this can be such an important story, equal to the DNS and the SSL bugs.... Wait and see.


08/22/2010

last new functionality on this blog today for international readers

I have inserted at the right of this blog direct links to translation services, chosen more or less according to the countries that visit this blog, to make some information more interesting for international readers

but please understand that those services are far from perfect and that maybe the translator misunderstood me, before attacking me for something translated or so on ...... I am not responsible for the translation and have no time to correct it

for the moment this blog platform doesn't include Google Translate functions with each blog posting; who knows, but for the moment it gives you the homepage

that's all folks, keep safe

oh, I only speak Dutch, English and French, so please don't mail me in other languages because those translation services can sometimes really misunderstand what you are trying to say


Google indexes my scam blog in real time: it works

So it works: Google indexes the new postings in the scam blog in real time with all the information.

If you search afterwards for the IP address or the email address of the scammer, it comes back with the post on the blog

I will integrate it with Twitter to get even more real-time results

and then it is up to you

let's build here a real-time scam alert, from the blog to Google and Twitter, and from there to all the antiscam and antispam services of the world, not only the one you have sent your mail to

we are not looking for spam for Viagra and stuff like that but dating scams, work scams, diploma scams, money scams, phishing

and to repeat I won't edit a thing

you get an email address you can send your scams to in real time

so it gets into the Google process in real time

and now hoping that someone will be smart enough to Google before he or she responds to the same scam I have received, sees that it is a scam, and has some doubts or just throws it away

those scams may not seem very important or believable to you, but every year there are hundreds who fall victim to these guys because they believe everything on the internet is official and for real

while this is totally not the case, on the contrary

