Spyware Sucks : Security, safety and privacy on the Internet, Technology

Oh dear, oh dear, oh dear…

sandi — Mon, 26 Jan 2009 06:08:16 GMT

Its amazing what we find sometimes…

WARNING: I am assuming that my readers are smart enough to *NOT* visit the victim site, or the malicious URLs, without hefty protection in place, yes? In fact, don’t go there at all unless you are willing to reformat your computer, potentially without being able to back up your data (yes, some nasties out there are killing the ability to copy data to USB and whatnot). You have been warned!

I was taking a look at one of the recent SQL injection incidents the other day when I came across an interesting web site that had been affected (millerscitax.com). Here is a screenshot of an obvious problem:-

If we click on a “Read More” link, we see the following:-

So, anyway, being a good netizen ‘n’ all that, I decided to use the “Contact Us” page to warn the site owners that they had a problem (it should be noted that the News page is not hyperlinked as far as I can see – you need to know that it is there, and guess the URL, to find it). When I clicked on the “Submit” button on the “Contact Us” page, this is what I saw:-

<sigh> You would think that that is bad enough, yes? But, it gets even better (err, worse)… when we view the page source on the “Contact Us” page for the taxi site we find the following:

So, the next question is – why does the Millers City Taxis “Contact Us” page have code that references the gillibrand.co.uk web site? A potential explanation may be found in the fact that the Registrant for millerscitax.com is “eBusiness UK Ltd” (Capricorn House, Capricorn Park, Blakewater Road, Blackburn, Lancashire - 44.1254.279.998), and the fact that the “Web design” for gillibrand.co.uk is listed as having been completed by, you guessed it, eBusiness UK Ltd which lists its Lancashire address as Capricorn House, Capricorn Park, Blackburn, Lancashire - 01254.279.998.

Umm, oops.

DIRECTI finally agree to act

sandi — Thu, 22 Jan 2009 14:05:39 GMT

I sent an email to DIRECTI on the same day that I wrote this blog post:
http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx

The email said, essentially, the same thing that I said in that blog post.

As you can see, they have initiated a “whois inaccuracy complaint” against the domains quigley-simpson.net, hyundai-inc.com, mediavest-corp.com, posnerpromotion.com & singlesnet-inc.com.

Frankly, they should have taken such steps immediately upon receiving the impersonation complaint but at least they say they have taken action now.

It will be interesting to see what happens next, and how long it takes for something to happen.

By the way, there is something screwy about the date and time of the email. See the screenshot which shows that the displayed sent date and time of the email above is in the future!

Spotting the bad guys…

sandi — Mon, 19 Jan 2009 13:59:48 GMT

It is very important to be familiar with the traits and suspicious behaviour/signs common to domains associated with malware, fraudware and malvertizing, affiliate misbehaviour and whatnot. By studying what the bad guys are doing, and how they do it, and the domains that they are using, we can build a dossier of features common to dangerous domains which can be built into our reputational assessments and other due diligence checks.

By way of example, let's take the example of a series of fraudware domains as highlighted by the PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/Rash-of-Rogue-Security-Malware.aspx

As we take a closer look at the domains it becomes clear that there a high likelihood of danger, not just because of the domains themselves (my personal opinion is that any new domain names that can be used to infer antivirus, or antispyware, or scanning, or security or similar themes should immediately be flagged for closer examination by Registrars as a matter of course) but because the Registrant details are suspicious. What we see below is 24 domains that can be gathered into 7 distinct "groups". Nearly all of the domains are registered via the same Registrar, and are shared between six different Registrants. There is also a lot of what I can best describe as "cross pollination" between the various "groups" and Registrants.

I have sorted the 24 domains, using various criteria, to make it easier to see the “ties that bind” between the various Registrants and groups. I see no reason why Registrars cannot implement similar checks and balances – checks that could be triggered by particular symptoms, such as a series of similar domains being registered, or when certain key words make up part of a domain name, or when “cross pollination” is detected via automated cross-checks.

Sorted by domain:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

The two “Robert Flork” registrations above seems innocuous from the perspective of WHOIS information and domain “group”, until we realise that the name and email address is used in association with other suspicious domains (below), which then leads us to wonder if the various names we see are nothing more than pseudonyms.

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by Registrant:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plus6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha

newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by IP:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel        (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel       (66.101.58.54)
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel         (66.101.58.54)

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                      (194.165.4.41)
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                       (194.165.4.41)
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                    (194.165.4.41)
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)

newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI (78.159.99.66)

bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

*****

These last few domains highlighted by PandaLabs exhibit identical Registrants and (for the most part) different IP addresses (by the way, I would look askance at WHOIS which records a USA street address but a Russian email address):

best2008-scan-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.1.203)
av-pcscan-comp.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
forpc-av-scanner.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
best-scanner-pc.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)
quickly-scan-no-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)

sg10scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (78.26.179.253)
sg11scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (94.247.2.39)
sg12scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI

*****

Who are REGTIME, and UK2 GROUP?

UK2 Group Ltd, Suite 2C, Eurolife Building 1, Corral Road, Gibraltar

Regtime Ltd, 1 Krasnoarmeyskaya Street, Samara, Russian Rederation

"Regtime Ltd was the first Russian ICANN-accredited registrar to offer a full service of cyrillic domains to Russian companies and individuals. Russian is the native or second language for more than 230 million people, so the decision to launch cyrillic language domains in 2001 was an important stage in the ability of Russian-speakers to access the Internet and the World Wide Web. Regtime continues to play a key role in the development of the Internet in Russia, including its work with the Cyrillic Languages Internet Names Consortium (CLINC)."

CITE: http://www.nic.aero/news/2008-06-30-03

The Julie Amero saga is finally over

sandi — Sat, 22 Nov 2008 01:30:51 GMT

But, she had to agree to plead guilty to a misdemeanor charge of "disorderly conduct", to finally see an end to her nightmare. She had to pay a fine of $100 and give up her license to teach in Connecticut.

Cite: http://sunbeltblog.blogspot.com/2008/11/breaking-julie-amero-horror-is-over.html

The Prosecutor, David Smith, added insult to injury by saying to the Court that he felt that they still had a case and that they were only allowing an end to proceedings because of Julie's declining health. It seems to me that Mr Smith is doing one of two things - he is trying to save face (good luck with that) or he still really doesn't get it. The way that this sage ended makes me fear that what happened to Julie may happen again.

Update QuickTime please...

sandi — Wed, 10 Sep 2008 08:41:10 GMT

A new version has been released that addresses several security issues.

Quoting from the Apple security announcement:

"QuickTime
CVE-ID: CVE-2008-3615
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to Paul Byrne of NGSSoftware for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3635
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the third-party Indeo
v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3624
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files.
Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3625
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files.
Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3614
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3626
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of STSZ atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3627
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption exist in QuickTime's handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of H.264 encoded movie files. Credit to an anonymous researcher and Subreption LLC working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3628
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An invalid pointer issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue by correctly saving and restoring a global variable. This issue does not affect systems running Mac OS X.
Credit to David Wharton for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3629
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination
Description: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.
QuickTime 7.5.5 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5 or later
The download file is named: "QuickTime755_Leopard.dmg"
Its SHA-1 digest is: 934f784a553c2d4484d298071ad6d95ea34b8b2f
For Mac OS X v10.4.9 through Mac OS X v10.4.11 The download file is named: "QuickTime755_Tiger.dmg"
Its SHA-1 digest is: dcdf58e27aad2a1e958788c0f58584605c4b8e78
For Windows Vista / XP SP2 and SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 5900ff0b8044972cb06b52dfc913c6364bf27ccc
QuickTime with iTunes for Windows XP or Vista The download file is named: iTunes8Setup.exe Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222"

The Sun Java installer still sucks....

sandi — Wed, 09 Jul 2008 12:34:10 GMT

I was prompted to install the latest update to Sun Java a short while ago, and the installer still sucks.

The installer still triggers a UAC prompt.
The installer still does NOT remove old versions of Java - old versions that take 136 megabytes per version.
The option to install Open Office is still enabled by default, and the English language skills of whoever it was that coded the text on the installer screen need attention.

I swear, if I see a press releases trumpeting an increase in "users" of OpenOffice...
There is still no cancel button, and the openoffice.org graphic sucks ... look how pixelated the text and graphics are.

Negligent technical support advice from TomTom

sandi — Mon, 19 Nov 2007 12:21:03 GMT

Never never never never NEVER tell users to turn off their computers firewalls.

You can read my brief dialogue with TomTom's technical support here - yes, I suppose I should have tried switching from wireless to wired before contacting TomTom, but all other downloads from their service were working just fine - it was only maps that were affected, so I was expecting to receive a response indicating high demand on their servers or something like that.

Let's consider TomTom's response logically.

I told them only one download is failing and that I was able to download everything else - therefore we can rule out a problem with antivirus or firewall or router or proxy - if *they* were the problem *all* downloads would fail, not just one.

Obviously their response was no more than a scripted answer sent by somebody who saw 'downloads failing' and didn't pay attention to anything else I said.

So let me repeat...

NEVER NEVER NEVER NEVER NEVER tell users to turn off their firewalls as a troubleshooting step - EVER.

Haute Secure is blocking smh.com.au!

sandi — Sat, 10 Nov 2007 00:35:01 GMT

Oh, this is not good...

I go to www.news.com.au and I see this:

I go to www.smh.com.au and I see this:

Access to smh.com.au is completely blocked.

Clicking on the More Info link reveals:

I'm going to get in touch with the guys at Haute Secure and see if I can find out *why* this has happened. I assume it's because of the advertisements on the smh.com.au site. The fact that the site has not been scanned for threats since 15 October and is noted as last malicious on 18 June is a grave concern. My personal opinion is that too much time is being allowed to elapse before a site is rechecked, especially in a case like this where access to the site is being blocked.

Michael of hardwaregeeks.com tells me that he was advised by Haute Secure that they display warnings about a site for 6 months after an incident (Michael was hit by a malicious advertisement - hence the warning by Haute Secure).

We have just experienced an outbreak of malicious advertisements that affected some pretty big advertising networks - advertising networks that are used by sites all over the world. My concerns continue that HS is a great idea, but an idea that needs a lot of tweaking - if users are warned too often, if the warnings remain in place for too long after a situation is fixed, and if a site blocking remains in place for too long without checking, and for too longer after a problem has been cleaned up then 1) site owners are going to be seriously pissed off, and 2) people are going to stop using Haute Secure.

We need to find a better balance.

Quechup - how to kill your business and online reputation in one fell swoop

sandi — Sun, 09 Sep 2007 09:22:53 GMT

Wow! It's been a while since I've seen a Web 2.0 startup become the target of such widespread negative press.... Note: I did my best to ensure that Quechup did not have access to any address books stored on my local PC, but there is one page,...(read more)

oh dear, michael will not be happy

sandi — Sun, 15 Jul 2007 04:30:19 GMT

hardwaregeeks.com blocked by Haute Secure

haute secure - how it works

sandi — Tue, 26 Jun 2007 13:09:19 GMT

Ok, so I've had the chance to chat to the developers behind Haute Secure, and I have a little more information about the how's and why's of the product. I'll leave it to them to introduce themselves, and provide their Curriculum Vitae, in future days/weeks.

My regular readers will know that I had a few questions about Haute Secure:

"There is a lot still to be learned about Haute Secure - for example, exactly how does it work and how often is the database updated - is information transmitted encrypted - is it a fully dynamic service or is information stored locally - what classes as malware - does the site have to actually attempt to install software to be blocked, or is a known download site for fraudware (such as sites used by the Winfixer family of fraudware) also blocked - how will it handle malicious banner advertisements or pop-ups - will it go down the "all adverts are bad" route taken by the popular protective HOSTS files, or will it try to differentiate between good ads and bad ads (which is going to be a real technical challenge)."

I won't go in to too much depth now - the product is still in alpha, and the developers are very open to feedback, therefore the entire situation is still very malleable - it is more appropriate to consider the following as current thinking rather than set-in-stone "this is how it is going to work" type information. Please, be gentle on the guys.. they're talking to the best people in the business (including me, forgive the arrogance) so things could, and likely will, change, as they go forward.

Data and synching

There is a locally cached copy of the master database. The data store itself is locked very early in the boot process and the application has the only interface to it. The client regularly syncs a copy of the database with Haute's web service. The data that comes down to the client is hashed and signed. The resynch interval is still being tweaked, but it's very regular, certainly comparable with IE7's phishing filter.

Haute Secure's client application and web service relationship

The client provides both 'passive' and 'active' protection. Passive protection is the block list which will pop up the block/warn dialog on the client if the user navigates to a site that has previously been identified as having bad content. Active protection is a behavioral analysis that watches for and then protects against sites exhibiting malicious behavior. This way if a user hits a malicious site that Haute Secure has never encountered before it can protect them even though the site isn't on the block list. The client protects the user by blocking the malicious behavior AND reporting the malicious site to Haute's web service. This report is then validated and propagated out to all other clients via the web service.

The service

The backend is proactively going out and scanning for malicious sites, and is the primary way that the block list is populated. The service also validates sites that the client behavioral analysis believes is malicious and then passes them through to the web service.

The current thinking is that Haute Secure will not block all ads BUT they are already picking up malicious ads in their backend scanning. Since they have behavioral analysis and protection on all the clients they hope to pick up and block malicious ads that get served that have not previously been encountered (and, of course, once one client picks an ad up, it goes back to the web service and then gets propagated out to all the other clients).

They don't tackle fraudware - yet.

As Haute explains it, fraudware is a very hard problem to solve in an automated way (and heavens knows I, and every advertising network out there, will agree with them). Watch this space for possible developments on that point.

I admit to being very excited about the potential for good in this product. Malware served via banner advertisements, hacked web sites and malicious blog comments is a growth industry. I've had discussions with antivirus companies that I have connections with about the need to actively honeypot the various advertising networks because of the reality of hostile creatives, but reality is that they can't help out in a way that can make a real difference.

I hope, I hope, I hope, I hope, I hope that going forward services such as Haute Secure can make a real difference in the fight against malware and betrayware, and the attempts by the bad guys to get on to our system via Web 2.0 ... fingers crossed...

More to come later as the product develops.

haute secure - a new add on dedicated to fighting malware sites

sandi — Mon, 25 Jun 2007 13:55:21 GMT

How can I best describe Haute Secure, a yet to be released toolbar for Internet Explorer (x86 and x64). Well, we all know how successful the Phishing Filter has been at protecting web surfers from phishing sites - a big part of the success of the Phishing Filter has been the data sharing that happens - whether it be data sharing between Microsoft and various corporate data providers, or IE7 users sharing their phishing site discoveries with Microsoft.

The developers of Haute Secure are very aware of the new risks associated with Web 2.0, whether it be social networking, blogs, search engines, widgets or banner ads. Regular readers of my blog will know that such risks are a primary focus and interest for me as well - I've been right in the thick of the fight to get malware out of the various advertising networks and trying to shut down compromised web sites, and heaven knows I'm sick of having to carefully check blog comments just in case the URL of the poster is a malware or compromised Web site.

Haute Secure is a step towards using the same sort of communal mind-share that is the foundation stone of the Phishing Filter's success, but this time the target is malware. Users are protected as follows:

Bad sites are blocked before they can load.
Even if the site has not been encountered before, Haute Secure can stop sites from downloading malware via the use of behaviour based algorithms.
Every time the software blocks a malware download, the incident is reported to Haute Secure's malicious link database. What was once an unknown bad site becomes a known bad site, protecting future visitors to the site who are using Haute Secure.

As you'll see from the screenshot below, Haute Secure installs a toolbar in IE7. It looks small, but it is kind of eye catching - the toolbar changes color, moving from a gray tone to red, and back again. BTW, the Find toolbar you can see in the screenshot is "Find As You Type", available at www.enhanceie.com.

CAVEAT: Please bear in mind that I am running a pre-release build of Haute Secure - the look and behavior of the product could, and likely will, change a lot between now and later builds

Haute Secure is not yet available to the general public. The home page is live, but there is not much to see.

Known bad sites are blocked:

False positives can be reported:

Clicking on "Let us know" brings you to this page:

Clicking on the toolbar when an alert is triggered gives us various options - you can continue to the site if you wish, and even add the site to an ignore list.

The more info screen:

There is a lot still to be learned about Haute Secure - for example, exactly how does it work and how often is the database updated - is information transmitted encrypted - is it a fullly dynamic service or is information stored locally - what classes as malware - does the site have to actually attempt to install software to be blocked, or is a known download site for fraudware (such as sites used by the Winfixer family of fraudware) also blocked - how will it handle malicious banner advertisements or pop-ups - will it go down the "all adverts are bad" route taken by the popular protective HOSTS files, or will it try to differentiate between good ads and bad ads (which is going to be a real technical challenge).

I'll post again once a build is available to the public and as I learn more.