Spyware Sucks : Technology

Caught installing a skimming device….

sandi — Thu, 03 Dec 2009 06:37:21 GMT

If you have ever wondered how long it takes to install an ATM skimmer, check this movie out (yes the crook was caught red handed)

http://www.liveleak.com/view?i=074_1252777692

The number one rule of technical support, which Symantec seems to have forgotten, is PAY ATTENTION

sandi — Tue, 16 Jun 2009 10:31:44 GMT

I sent a request for technical support to Symantec today – I thought, foolishly it seemed, that it was clear, succinct, and to the point. My message was:

Unable to download hotfix ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe

Error when attempting download:

220 spftp/1.0.0000 Server [68.177.231.161]
501 Syntax incorrect
421 Service not available, closing control connection

I have been trying to download the hotfix for 48 hours.

Norton error requiring hotfix: - "The virus definitions required by Norton Internet Security are not valid. You cannot run a scan until this problem is resolved."

The Norton systray icon is RED.

Symantec technical support sent me the following response:

“I understand from your message that you have installed Norton Internet Security (NIS) 2009 and you are encountering an error message Error: "(3038,100)" when you run a Full System Scan with your Norton 2009 product.

This issue may occur if the virus definitions are not up to date, In order to resolve this issue we need to update the virus definitions using Intelligent Updater and run Full System Scan. For step by step instructions, please click on the link provided below:

Title: 'Error: "(3038,100)" when you run a Full System Scan with your Norton 2009 product'
Document ID: 20081007220233EN
Web URL:
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=8eafb964-d4eb-407c-a3ff-d8b5b42a18c0&seg=hho&ct=us&lg=en&docurl=20081007220233EN”

The KB article I was referred to advises me to, and I quote…

“Download the fix tool.

Save the file to the Windows desktop.

ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe”

For pity’s sake, which of the very first 4 words in my technical support request, being “Unable to download hotfix”, is so difficult to understand???

BTW, you will see that I did not actually tell Symantec that the error on the system in question was 3038,100 – that little gem of information was taken from a slew of system data that was added to the bottom of my request by support by the NIS support interface itself, unbeknownst to me (damned if I can understand why they need to know if I have an optical drive installed, or what the local time is where I am). The error being reported the affected system was actually 3035,2 (but it seems that that error requires the same fix as 3038,100, so we’ll let them off for that one).

To save myself the grief that comes from beating my head against the brick wall that is Symantec technical support I sourced the hotfix via alternate means, ran the hotfix, rebooted TWICE and ran a Live Update. Guess what… it actually WORKED.

UPDATE

I had replied to Symantec, before I was able to source the hotfix by other means, and asked that they send the hotfix direct to me via email. I was less than polite, I am afraid. This is what I wrote:

The VERY FIRST SENTENCE IN MY TECHNICAL SUPPORT REQUEST IS: " Unable to download hotfix ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe. Let me repeat the error message in hopes that somebody will actually READ it this time.

Error when attempting download:
220 spftp/1.0.0000 Server [68.177.231.161]
501 Syntax incorrect
421 Service not available, closing control connection

With that in mind, WHY ON EARTH WOULD YOU SEND ME TO A TECHNICAL SUPPORT DOCUMENT that tells me to download a hotfix when I have already told you that it won't download??? Please send the fixes to me by email.
Also, PLEASE NOTE that the Norton Support Window refers me to the 3038,100 fix tool, BUT the NORTON PROGRAM ITSELF reports that the problem is 3035,2. <--- PLEASE READ THAT VERY CAREFULLY - NORTON 360 IS ALSO REPORTING THE ERROR 3035,2.

I have another email here. This time Symantec Technical support wrote:

“I understand that you are getting an error message with error code "(3038,100)" when you run a Full System Scan with your Norton 2009 product and you tried to download the fix tool and it failed with error code “220 spftp/1.0.0000 Server [68.177.231.161]”, “501 Syntax incorrect” and “421 Service not available, closing control connection” (My emphasis)

I would like to inform you that this issue might occur might due to lack of latest virus definition updates or if the virus definitions are corrupted.

In order to resolve it, we need to update the virus definitions of Norton by running the fix tool and then restart the PC. After restarting the computer, a Help & Support window may open and you may still see the error. Please exit the Help & Support window, and then restart the computer again. It must resolve the issue.

For further assistance with the steps that need to be followed, please go through the following link.

Web URL:

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=8eafb964-d4eb-407c-a3ff-d8b5b42a18c0&seg=hho&ct=us&lg=en&docurl=20081007220233EN”

The technician then continued on, telling me that if the hotfix did not work I would need to download the Norton Removal Tool.

Yeah, I didn’t believe it either. I was referred back to exactly the same URL even after they acknowledged that I was not able to download hotfixes. My response began with:

“Forget it. Please close this Technical Support Incident as "customer gave up".”

News: lovesick hacker cripples Northern Territory Health Department, hospital, prison and Supreme Court servers?

sandi — Fri, 13 Mar 2009 02:07:57 GMT

For heavens sake … according to the news report at the URL below it took “130 experts” to “find the problem and fix it” – the “problem” was, apparently, the fact that the “hacker” (and I use that term very loosely) “deleted 10,475 user accounts”.

The incident is explained as:

“In submissions from his lawyer Tom Berkley and prosecutor Paul Usher yesterday, the court heard that McIntosh hacked into the system on his workmate's computer, using her password.

He was living with her in May, 2008, when he logged into government servers and deleted 10,475 user accounts from the Health Department, hospital, prison and Supreme Court servers.”

Who was this “workmate”? And how the heck did he know her password? Especially a password for a user account that I can only assume had high level administrative credentials? And how can such an unsubtle slash-and-burn attack need “130 experts” and a bill of $1,253,750 to fix?

Cite: http://www.ntnews.com.au/article/2009/03/13/38995_ntnews.html

Heated toilet seats!

sandi — Fri, 27 Feb 2009 15:32:00 GMT

Yep, that is an enduring impression that I will take away from my visit to Google’s offices – heated toilet seats; that and the slide from one floor to another that went down the stairwell :o)

I was very excited to have been offered the opportunity to visit Google while I was in town. It was immediately obvious that Google’s offices have a completely different ambiance to Microsoft – there was lots of open plan floor space, lots of spots of primary color, and fun names for meeting rooms – it was much lighter and brighter than many of the buildings that I have visited at Redmond and the view was amazing (there was even one of those coin operated pedestal binoculars, but it didn’t require coins). Sadly I didn’t dare to ask if I could take any pictures of the offices to share with my readers.

To my hosts – thank you! It was time well spent and enjoyed, and I hope we get the opportunity to meet again some time in the not to distant future.

Edit: Yes, yes, I know... this posting is pure fluff but what can I say - I signed an NDA :-D

Unhelpful error message….

sandi — Mon, 26 Jan 2009 08:23:06 GMT

Uh, thanks for that (software name obscured to protect me from the not-so-innocent) ;o)

Oh dear, oh dear, oh dear…

sandi — Mon, 26 Jan 2009 06:08:16 GMT

Its amazing what we find sometimes…

WARNING: I am assuming that my readers are smart enough to *NOT* visit the victim site, or the malicious URLs, without hefty protection in place, yes? In fact, don’t go there at all unless you are willing to reformat your computer, potentially without being able to back up your data (yes, some nasties out there are killing the ability to copy data to USB and whatnot). You have been warned!

I was taking a look at one of the recent SQL injection incidents the other day when I came across an interesting web site that had been affected (millerscitax.com). Here is a screenshot of an obvious problem:-

If we click on a “Read More” link, we see the following:-

So, anyway, being a good netizen ‘n’ all that, I decided to use the “Contact Us” page to warn the site owners that they had a problem (it should be noted that the News page is not hyperlinked as far as I can see – you need to know that it is there, and guess the URL, to find it). When I clicked on the “Submit” button on the “Contact Us” page, this is what I saw:-

<sigh> You would think that that is bad enough, yes? But, it gets even better (err, worse)… when we view the page source on the “Contact Us” page for the taxi site we find the following:

So, the next question is – why does the Millers City Taxis “Contact Us” page have code that references the gillibrand.co.uk web site? A potential explanation may be found in the fact that the Registrant for millerscitax.com is “eBusiness UK Ltd” (Capricorn House, Capricorn Park, Blakewater Road, Blackburn, Lancashire - 44.1254.279.998), and the fact that the “Web design” for gillibrand.co.uk is listed as having been completed by, you guessed it, eBusiness UK Ltd which lists its Lancashire address as Capricorn House, Capricorn Park, Blackburn, Lancashire - 01254.279.998.

Umm, oops.

DIRECTI finally agree to act

sandi — Thu, 22 Jan 2009 14:05:39 GMT

I sent an email to DIRECTI on the same day that I wrote this blog post:
http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx

The email said, essentially, the same thing that I said in that blog post.

As you can see, they have initiated a “whois inaccuracy complaint” against the domains quigley-simpson.net, hyundai-inc.com, mediavest-corp.com, posnerpromotion.com & singlesnet-inc.com.

Frankly, they should have taken such steps immediately upon receiving the impersonation complaint but at least they say they have taken action now.

It will be interesting to see what happens next, and how long it takes for something to happen.

By the way, there is something screwy about the date and time of the email. See the screenshot which shows that the displayed sent date and time of the email above is in the future!

Spotting the bad guys…

sandi — Mon, 19 Jan 2009 13:59:48 GMT

It is very important to be familiar with the traits and suspicious behaviour/signs common to domains associated with malware, fraudware and malvertizing, affiliate misbehaviour and whatnot. By studying what the bad guys are doing, and how they do it, and the domains that they are using, we can build a dossier of features common to dangerous domains which can be built into our reputational assessments and other due diligence checks.

By way of example, let's take the example of a series of fraudware domains as highlighted by the PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/Rash-of-Rogue-Security-Malware.aspx

As we take a closer look at the domains it becomes clear that there a high likelihood of danger, not just because of the domains themselves (my personal opinion is that any new domain names that can be used to infer antivirus, or antispyware, or scanning, or security or similar themes should immediately be flagged for closer examination by Registrars as a matter of course) but because the Registrant details are suspicious. What we see below is 24 domains that can be gathered into 7 distinct "groups". Nearly all of the domains are registered via the same Registrar, and are shared between six different Registrants. There is also a lot of what I can best describe as "cross pollination" between the various "groups" and Registrants.

I have sorted the 24 domains, using various criteria, to make it easier to see the “ties that bind” between the various Registrants and groups. I see no reason why Registrars cannot implement similar checks and balances – checks that could be triggered by particular symptoms, such as a series of similar domains being registered, or when certain key words make up part of a domain name, or when “cross pollination” is detected via automated cross-checks.

Sorted by domain:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

The two “Robert Flork” registrations above seems innocuous from the perspective of WHOIS information and domain “group”, until we realise that the name and email address is used in association with other suspicious domains (below), which then leads us to wonder if the various names we see are nothing more than pseudonyms.

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by Registrant:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plus6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha

newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by IP:

best6scan.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel        (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel       (66.101.58.54)
scan6live.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel         (66.101.58.54)

easy4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fastscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fast4scan.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                      (194.165.4.41)
livescan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                       (194.165.4.41)
plus4scan.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
plusscan4.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
scan4easy.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                    (194.165.4.41)
scan4fast.com - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)

livescan5.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5best.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5plus.com - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)

newscan4.com - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI (78.159.99.66)

bestscan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
easy6scan.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
livescan6.com - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan5.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
plus6scan.com - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
scan7live.com - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

*****

These last few domains highlighted by PandaLabs exhibit identical Registrants and (for the most part) different IP addresses (by the way, I would look askance at WHOIS which records a USA street address but a Russian email address):

best2008-scan-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.1.203)
av-pcscan-comp.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
forpc-av-scanner.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (216.240.149.159)
best-scanner-pc.net - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)
quickly-scan-no-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)

sg10scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (78.26.179.253)
sg11scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (94.247.2.39)
sg12scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI

*****

Who are REGTIME, and UK2 GROUP?

UK2 Group Ltd, Suite 2C, Eurolife Building 1, Corral Road, Gibraltar

Regtime Ltd, 1 Krasnoarmeyskaya Street, Samara, Russian Rederation

"Regtime Ltd was the first Russian ICANN-accredited registrar to offer a full service of cyrillic domains to Russian companies and individuals. Russian is the native or second language for more than 230 million people, so the decision to launch cyrillic language domains in 2001 was an important stage in the ability of Russian-speakers to access the Internet and the World Wide Web. Regtime continues to play a key role in the development of the Internet in Russia, including its work with the Cyrillic Languages Internet Names Consortium (CLINC)."

CITE: http://www.nic.aero/news/2008-06-30-03

Advertising in RSS feeds

sandi — Wed, 14 Jan 2009 08:11:11 GMT

I really don’t like advertising in my RSS feeds – especially silly advertisements like this one:

The screenshot above is of Robert Scoble’s RSS feed. I have to say, in all honesty, that such advertising simply lowers the perceived tone and quality of a blog. And, its all downhill from there – clicking on the advert takes us to this (oh well, at least it wasn’t one of those irritating “fun” sites that won’t let you close the page without jumping through dialogue hoops):

Don’t feel too bad Rob – StillSecure were showing the same advert:

For those of you who really want/need to pollute your feeds with advertising (personally, I hope that you don’t succumb to the temptation), please remember that there are more discreet advertising styles around the place – take TidBITS for example – their advertisements are discreet, relevant to the theme of the blog, and they maintain an aura of professionalism:

This one is teetering on the edge of irritating, from the The Daily WTF blog.

A big benefit of RSS, for me, has been the fact that it was advertising free for a long time. It is sad that that benefit is being eroded away. Oh well, at least the darned things aren’t Flash adverts.

Lawyers given permission to serve debtors with default judgement through Facebook

sandi — Tue, 16 Dec 2008 03:13:00 GMT

"TWO friends who defaulted on a six-figure loan are about to find out through their Facebook page a mortgage lender's lawyers are on their trail. In an Australian and possibly world first, two lawyers have won a court order to allow them to serve a default judgment through Facebook. After failing to serve the court documents personally, lawyers Mark McCormack and Jason Oliver tracked down the debtors' Facebook page. They were granted permission in the ACT Supreme Court to serve the default judgment through a Facebook email to the debtors."

Cite: http://www.news.com.au/technology/story/0,28348,24806438-5014239,00.html

There is more detail about the events that led up to the decision at this URL:
http://www.canberratimes.com.au/news/local/news/general/youve-been-served-court-approves-facebook-notice/1387146.aspx

The Defendants are Carmel Rita Corbo and Gordon Kingsley Maxwell Poyser.
The couple failed to appear in court to defend the action by lending company MKM Capital.
Private investigators were hired, and an advertisement was placed in The Canberra Times.
11 attempts were made to serve the couple at their Wyselaskie Circuit home between November 8 and December 6.

Its not the first time unusual steps have been used to achieve service in a legal case. Take the case of Sonny Bill Williams.

"Earlier this year, lawyers acting for the Bulldogs NRL club served player Sonny Bill Williams with a subpoena via SMS text message. Williams was in Europe after defecting to French rugby club Toulon."
Cite: http://news.smh.com.au/national/facebook-used-to-track-down-debtors-20081216-6zgt.html

Back in the late 1980's/early 1990's I worked in the field of debt recovery and bankruptcy, including during the "recession we had to have" (according to Australia's then treasurer) and the time of amazingly high interest rates that sent so many people to the wall (I can remember standing in my bank, and looking at an poster offering an interest rate of 11% to those people lucky enough to be able to save money during those difficult times). I have seen how clever debtors (and especially what we call "professional debtors") can be when they are determined to evade service of documents. I for one am pleased at this new development.

I would be interested to hear if anybody knows of an occasion when Facebook or any other social networking site was used to achieve service of legal documentation.

More coverage about the Facebook decision:
http://news.google.com/news?hl=en&ie=UTF-8&tab=wn&as_drrb=q&as_qdr=d&as_mind=14&as_minm=12&as_maxd=15&as_maxm=12&ncl=1280569682

Me.dium is no more...

sandi — Tue, 02 Dec 2008 03:55:46 GMT

Me.dium was replaced by something called OneRiot on the 11th of November and the Me.dium social map that I liked so much is no more. So now I have to go through my web sites and remove all of the defunct Me.dium code and track down what will happen to Me.dium accounts.

According to Jennifer Lauren, Me.dium data "is no longer active and is contained in offline backup files that are not connected to OneRiot in anyway [sic]."

If you want your data and your Me.dium account to be deleted, you are going to have to send Jennifer an email.

Note the reviews at the FF add-on site since Me.dium disappeared - there have only been a few reviews posted since the change, and they are all negative:
https://addons.mozilla.org/en-US/firefox/addon/4365#reviews

I tend to agree with commentator who says that all of the positive reviews that are reviews of the Me.dium application should be deleted (or OneRiot should have its own download page). Weekly and total download counts should also be reset to zero as at 11 November 2008.

Will I be installing OneRiot? Well, I won't be installing the toolbars or the Pulse Checker. I'll only install the Search Provider (which adds OneRiot to Internet Explorer's built in search box) because I can see a potential research benefit if OneRiot's promised ability to feature the most popular results makes it easier to find the most current content and conversations out on the net (the biggest problem with Google and other search engines is sorting the recent from the old, and the noise and spam from the useful conversations). But, that being said, a lot of the stuff that I work on is really obscure. I wouldn't be doing my job well if I end up simply following a crowd - that's not the way to stay on the cutting edge.

I've gotta say, too, that I'm going to really miss the social map.

PRESS RELEASE: "Mirror image" web site leads to a $10,000.00 fine - penalty suspended

sandi — Mon, 01 Dec 2008 23:59:01 GMT

The Washington Attorney General’s Office says a Pinole, Calif., man’s mirror-image version of Russell Investments’ site violated the state’s anti-phishing law.

Rommel Balingit was ordered to pay $10,000 civil penalty under an agreement filed in November in Thurston County Superior Court. The penalty is suspended provided he complies with the agreement terms.

Assistant Attorney General Katherine Tassi said that Russell, a global financial services company headquartered in Tacoma, alerted the Attorney General’s Office to a lookalike site that resembled the company’s own site.

“The real Russell did stand up,” Tassi said. “And helped make sure the phony site was shut down.”

An investigation by the Consumer Protection High-Tech Unit led to Balingit.

Balingit claimed he built the Web site as a model to solicit clients to his now-defunct Web site design company, Tassi said.

Balingit Assurance of Discontinuance

The WHOIS details for the domain that triggered the Attorney General's action, russellassets.com, were originally hidden behind the privacy protection service supplied by domainsbyproxy.com. That protection was removed in or around April 2008, and ownership of the domain seems to have been transferred to the Frank Russell Company in or around June of this year after the National Arbitration Forum handed ownership of the domain to Frank Russell Company on 30 May 2008. According to the Forum's Decision, Balingit failed to respond to the Forum's "Notification of Complaint and Commencement of Administrative Proceeding" or submit a response.

Directi has taken over Estdomains' Registrar operations

sandi — Wed, 26 Nov 2008 02:18:12 GMT

Announcement:
http://www.icann.org/en/announcements/announcement-25nov08-en.htm

It is important to note that Estdomains designated Directi as its successor. This is despite the fact that Directi apparently dumped Estdomains as a client a while back (see "Historical Stuff" below).

It will be very interesting to watch developments going forward. What Registrar will the fraudsters use from now on? Will Directi audit the domains that have been passed on to them? How fast (or slow) will takedowns be? Will they red flag and audit domains associated with email addresses which use multiple pseudonyms, or pseudonyms that use multiple email addresses (like these?) (btw, don't assume that these are used for Estdomain/Directi registered domains - they're examples of what the bad guys do):

Historical stuff:

28 August 2008
Washington Post - Hostexploit - Report slams US host as major source of badware (Atrivo) - mentions Directi
http://hostexploit.blogspot.com/2008/08/report-slams-us-host-as-major-source-of.html

3 September 2008
The Register - Anonymous domain registration nixed amid fraud complaints
http://www.theregister.co.uk/2008/09/03/directi_strikes_back/

6 September 2008
Hostexploit - Atrivo - Cyber Crime US Report - update 090608 - Directi take action
http://hostexploit.blogspot.com/2008/09/atrivo-cyber-crime-usa-report-update.html

7 September 2008
Hostexploit - Joint statement from Directi, HostExploit and Kunujon
http://hostexploit.blogspot.com/2008/09/joint-statement-from-directi.html

8 September 2008
A Superlative Scam and Spam Site Registrar - includes a section entitled "The Role of Directi"
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html

Domains registered at Directi that have been listed in URIBL - URIBL lists domains that appear in spam (Note: 830 domains have been listed in my URIBL RSS Feed of Directi domains that have appeared in spam since the afternoon of 18 September 2008)
http://rss.uribl.com/nic/DIRECT_INFORMATION_PVT_LTD_D_B_A_PUBLICDOMAINREGISTRY_COM.html

18 October 2008
Directi blog - Action against registry services abuses
http://blog.directi.com/0-directi/actions-against-registry-services-abuse-%E2%80%93-report-oct-2008-hostexploit-and-directi/

Various dates
Mention of Directi at rbn.blogspot.com
http://rbnexploit.blogspot.com/search?q=directi

Various dates
Mention of Directi at knujon.com
http://www.knujon.com/news.html#directi

The Julie Amero saga is finally over

sandi — Sat, 22 Nov 2008 01:30:51 GMT

But, she had to agree to plead guilty to a misdemeanor charge of "disorderly conduct", to finally see an end to her nightmare. She had to pay a fine of $100 and give up her license to teach in Connecticut.

Cite: http://sunbeltblog.blogspot.com/2008/11/breaking-julie-amero-horror-is-over.html

The Prosecutor, David Smith, added insult to injury by saying to the Court that he felt that they still had a case and that they were only allowing an end to proceedings because of Julie's declining health. It seems to me that Mr Smith is doing one of two things - he is trying to save face (good luck with that) or he still really doesn't get it. The way that this sage ended makes me fear that what happened to Julie may happen again.

Request For Information: ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains

sandi — Wed, 29 Oct 2008 07:24:32 GMT

Announcement here:
http://www.icann.org/en/announcements/announcement-2-28oct08-en.htm

"As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains.
EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names. EstDomains, Inc. is organized in Delaware, United States
Registration data held in escrow is believed to be complete and in a proper format as described in the Registrar Data Escrow Specifications posted at http://www.icann.org/en/rde/rde-specs-09nov07.pdf [PDF, 33K]."

It will be interesting to see who takes on this particular can of worms...

Windows 7 Preview Video

sandi — Tue, 28 Oct 2008 04:38:40 GMT

For those of you who may be interested:

http://www.microsoft.com/downloads/details.aspx?familyid=26996ced-888d-4892-b1be-5141da8272bd&displaylang=en&tm

Note: only available for download via systems that pass Windows Genuine Validation

Adobe has posted a security advisory regarding the "clickjacking" problem

sandi — Wed, 08 Oct 2008 02:13:44 GMT

The Advisory is here:
http://www.adobe.com/support/security/advisories/apsa08-08.html

I quote:

"Customers:
To prevent this potential issue, customers can change their Flash Player settings as follows:
   1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
   2. Select the "Always deny" button.
   3. Select ‘Confirm’ in the resulting dialog.
   4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html."

Update QuickTime please...

sandi — Wed, 10 Sep 2008 08:41:10 GMT

A new version has been released that addresses several security issues.

Quoting from the Apple security announcement:

"QuickTime
CVE-ID: CVE-2008-3615
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in the third-party Indeo v5 codec for QuickTime, which does not ship with QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to Paul Byrne of NGSSoftware for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3635
Available for: Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in the third-party Indeo
v3.2 codec for QuickTime. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering content encoded with any version of the Indeo codec. This issue does not affect systems running Mac OS X. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3624
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files.
Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to Roee Hay of IBM Rational Application Security Research Group for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3625
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution
Description: A stack buffer overflow exists in QuickTime's handling of panorama atoms in QTVR (QuickTime Virtual Reality) movie files.
Viewing a maliciously crafted QTVR file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of panorama atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3614
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PICT images. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3626
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in QuickTime's handling of STSZ atoms in movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking of STSZ atoms. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3627
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption exist in QuickTime's handling of H.264 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of H.264 encoded movie files. Credit to an anonymous researcher and Subreption LLC working with TippingPoint's Zero Day Initiative for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3628
Available for: Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution
Description: An invalid pointer issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
This update addresses the issue by correctly saving and restoring a global variable. This issue does not affect systems running Mac OS X.
Credit to David Wharton for reporting this issue.
QuickTime
CVE-ID: CVE-2008-3629
Available for: Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2 and SP3
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination
Description: An out-of-bounds read issue exists in QuickTime's handling of PICT images. Opening a maliciously crafted PICT image may lead to an unexpected application termination. This update addresses the issue by performing additional validation of PICT images. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.
QuickTime 7.5.5 may be obtained from the Software Update application, or from the QuickTime Downloads site:
http://www.apple.com/quicktime/download/
For Mac OS X v10.5 or later
The download file is named: "QuickTime755_Leopard.dmg"
Its SHA-1 digest is: 934f784a553c2d4484d298071ad6d95ea34b8b2f
For Mac OS X v10.4.9 through Mac OS X v10.4.11 The download file is named: "QuickTime755_Tiger.dmg"
Its SHA-1 digest is: dcdf58e27aad2a1e958788c0f58584605c4b8e78
For Windows Vista / XP SP2 and SP3
The download file is named: "QuickTimeInstaller.exe"
Its SHA-1 digest is: 5900ff0b8044972cb06b52dfc913c6364bf27ccc
QuickTime with iTunes for Windows XP or Vista The download file is named: iTunes8Setup.exe Its SHA-1 digest is: 5d4ff8ffbe9feeaed67deb317797c1d71a03c359
Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222"

Updated VPC images have been released...

sandi — Tue, 02 Sep 2008 01:39:46 GMT

Download here - the images will expire in January 2009

http://www.microsoft.com/downloads/details.aspx?FamilyId=21EABB90-958F-4B64-B5F1-73D0A413C8EF&displaylang=en

Images available:

Windows XP SP3 with IE6
Windows XP SP2 with IE7
Windows XP SP3 with IE8 Beta 2
Vista with IE7

Google is acting a bit weird today...

sandi — Wed, 13 Aug 2008 03:59:55 GMT

Is anybody else seeing this?

Google in Firefox seems ok.

Google in Internet Explorer is showing a strange overlay...