WashingtonPost computer security stories
 
The Washington Post is running a group of stories this weekend about computer security and the problems a reporter went through with her Windows 98 computer. Interestingly, instead of ISPs the articles identify other sources of frustration for even technically savvy home computer users: software vendors and overzealous advertisers.

A Digital Doctor Treats Computer Contamination
http://www.washingtonpost.com/wp-dyn/articles/A64481-2004Aug14.html
By Glenn Paterson
Special to The Washington Post
Sunday, August 15, 2004; Page F01

[...] Her PC was in such bad shape, it required 10 1/2 hours of surgery to restore it to working condition. [...]

Finally, I abandoned ship, reinstalling the entire Windows 98 operating system to repair the damage to Internet Explorer and allow Kathleen's computer to access the Internet and update the Norton AntiVirus definitions. [...]

So to sum up, I spent one day cleaning up problems created by ne'er-do-well hackers and overzealous advertisers and four more trying to resolve a known problem with a product that is supposed to help prevent problems, not create new ones. Yes, some of the trouble could have been avoided if Kathleen had kept her anti-virus and operating system software up to date. However, much of the responsibility lies with Symantec and the rest of the computer industry. [...]

What a Tangled Web I Wove
Computer Naivete Cost Me a Bundle And a Bit of Sanity
http://www.washingtonpost.com/wp-dyn/articles/A64483-2004Aug14.html
By Kathleen Day
Washington Post Staff Writer
Sunday, August 15, 2004; Page F01

My problem began the last Sunday in July, when my nearly teenage daughter, newly returned from a month away at camp, announced, "Something's wrong with the computer." [...]

In fact, her comment marked the start of a much larger headache, one that launched an odyssey that has taken $800 and roughly 48 man-hours over nearly three weeks to end. [...]

I wondered if maybe some of the programs I was trying to kill weren't really spyware but something essential to Windows that I shouldn't try to delete. I called Microsoft and was passed from operator to operator as I asked where I could find a list of legitimate Microsoft applications so I would know what to kill and what to leave alone. But the only response I got from one person after another -- most of them in foreign tech-support centers like those in India I had been reading so much about lately -- was that I needed to go to Microsoft's online sales. After 45 minutes of this, I hung up. Then I gave up. I actually stood up and walked away from my computer. [...]
 
Oh how I agree! I have 3 computers at home and have lived through rebuilding 2 of them multiple times due to everything stated. My personal computer has never had to be rebuilt because I run with ZApro and CA AV, but I came near to it when I took down ZApro for 15 minutes to run a Retina scan on something and some virus/worm got in and it took some registry editing and safe mode work to get it removed - and I know what I am doing.

But my son's computer is now DOA and I refuse to take the 8-12 hours to rebuild it from scratch - again, for the 3rd time. He knows to run with ZApro and CA AV but he loads up everything and runs all these P2P programs and online games and downloads, and it would appear that W2K with all MS patches installed - even tweaked and hardened with a personal firewall and an up-to-date AV - is no match for a 15-year-old to ruin it.

I put the blame not on the AV vendors but strictly on MS for building a sieve.

-Hank

On Sun, 15 Aug 2004, Sean Donelan wrote:

> The Washington Post is running a group of stories this weekend about computer security and the problems a reporter went through with her Windows 98 computer.
>
> Interestingly, instead of ISPs the articles identify other sources of frustration for even technically savvy home computer users: software vendors and overzealous advertisers.
>
> A Digital Doctor Treats Computer Contamination
> http://www.washingtonpost.com/wp-dyn/articles/A64481-2004Aug14.html
> By Glenn Paterson
> Special to The Washington Post
> Sunday, August 15, 2004; Page F01
>
> [...] Her PC was in such bad shape, it required 10 1/2 hours of surgery to restore it to working condition. [...]
>
> Finally, I abandoned ship, reinstalling the entire Windows 98 operating system to repair the damage to Internet Explorer and allow Kathleen's computer to access the Internet and update the Norton AntiVirus definitions. [...]
>
> So to sum up, I spent one day cleaning up problems created by ne'er-do-well hackers and overzealous advertisers and four more trying to resolve a known problem with a product that is supposed to help prevent problems, not create new ones. Yes, some of the trouble could have been avoided if Kathleen had kept her anti-virus and operating system software up to date. However, much of the responsibility lies with Symantec and the rest of the computer industry. [...]
>
> What a Tangled Web I Wove
> Computer Naivete Cost Me a Bundle And a Bit of Sanity
> http://www.washingtonpost.com/wp-dyn/articles/A64483-2004Aug14.html
> By Kathleen Day
> Washington Post Staff Writer
> Sunday, August 15, 2004; Page F01
>
> My problem began the last Sunday in July, when my nearly teenage daughter, newly returned from a month away at camp, announced, "Something's wrong with the computer." [...]
>
> In fact, her comment marked the start of a much larger headache, one that launched an odyssey that has taken $800 and roughly 48 man-hours over nearly three weeks to end. [...]
>
> I wondered if maybe some of the programs I was trying to kill weren't really spyware but something essential to Windows that I shouldn't try to delete. I called Microsoft and was passed from operator to operator as I asked where I could find a list of legitimate Microsoft applications so I would know what to kill and what to leave alone. But the only response I got from one person after another -- most of them in foreign tech-support centers like those in India I had been reading so much about lately -- was that I needed to go to Microsoft's online sales. After 45 minutes of this, I hung up. Then I gave up. I actually stood up and walked away from my computer. [...]
 
On Sun, 15 Aug 2004, Hank Nussbacher wrote:

> Retina scan on something and some virus/worm got in and it took some registry editing and safe mode work to get it removed - and I know what I am doing.

As far as I know, there is no remotely exploitable hole in Windows that doesn't have a patch for it, nothing majorly in the wild anyway. I run my fully patched XP laptop without firewall directly connected to the internet all the time and the above you mention doesn't happen to me.

A lot of the problems with Windows that people complain about aren't Microsoft-caused, apart from them designing a bad driver/library/registry model for how things are installed and run. I usually run Windows boxes for two to three years without reinstalling them; other people have to reinstall every 3-6 months. Looking at their usage pattern and mine, they install games and other programs and de-install them all the time, whereas I usually stick to a fixed set of programs and rarely install new ones, and I always apply new patches when they're available via Windows Update. I can also run my machine for months without it crashing, which seems an unobtainable feat for a lot of other people. I see a pattern.

Bad hardware and application software cause a lot more problems than the operating system itself.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se
 
Well, then bad hardware and application software are a lot more prevalent under Windows than Linux. I install/deinstall games and other application software all the time under Linux. I have the usage pattern you describe for others (except the part about patching my system regularly), and I just don't have any difficulty keeping the system up for months at a time, not having to reinstall the OS until I choose to upgrade major versions, and, generally, it just keeps on ticking. Admittedly, it's even better under MacOS with Apple hardware, but, given the extent to which Linux is more reliable than Windows in the same usage pattern as you described, I find it hard to blame the hardware.

Windows is a poorly designed operating system, which, although they have plugged lots of holes, is constantly discovering new ones. Worse yet, Micr0$0ft has always chosen a "functionality at any cost" approach to their software, so, if they want to implement a feature and it can't be done securely, they implement rather than scale back. Yes, their current default settings are more secure than ever before, but, they're still pretty leaky.

Owen

--On Sunday, August 15, 2004 7:00 PM +0200 Mikael Abrahamsson <swmike@swm.pp.se> wrote:

> On Sun, 15 Aug 2004, Hank Nussbacher wrote:
>
>> Retina scan on something and some virus/worm got in and it took some registry editing and safe mode work to get it removed - and I know what I am doing.
>
> As far as I know, there is no remotely exploitable hole in Windows that doesn't have a patch for it, nothing majorly in the wild anyway. I run my fully patched XP laptop without firewall directly connected to the internet all the time and the above you mention doesn't happen to me.
>
> A lot of the problems with Windows that people complain about aren't Microsoft-caused, apart from them designing a bad driver/library/registry model for how things are installed and run. I usually run Windows boxes for two to three years without reinstalling them; other people have to reinstall every 3-6 months. Looking at their usage pattern and mine, they install games and other programs and de-install them all the time, whereas I usually stick to a fixed set of programs and rarely install new ones, and I always apply new patches when they're available via Windows Update. I can also run my machine for months without it crashing, which seems an unobtainable feat for a lot of other people. I see a pattern.
>
> Bad hardware and application software cause a lot more problems than the operating system itself.
>
> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
-- If it wasn't crypto-signed, it probably didn't come from me.
 
>> Retina scan on something and some virus/worm got in and it took some registry editing and safe mode work to get it removed - and I know what I am doing.
>
> As far as I know, there is no remotely exploitable hole in Windows that doesn't have a patch for it, nothing majorly in the wild anyway. I run my fully patched XP laptop without firewall directly connected to the internet all the time and the above you mention doesn't happen to me.

I agree with Mikael here. If your box is fully patched you need not worry about that much -- if you are still having problems, check your assumptions. :) Windows 2003 web servers are up unfiltered out there; there isn't a real reason why a Windows XP laptop wouldn't be [exploit du jour excepted]. My only reason for liking a hw firewall for use with my laptop is that the network chatter/probe attempts on cable internet keep the thing from staying asleep without it.

> A lot of the problems with Windows that people complain about aren't Microsoft-caused, apart from them designing a bad driver/library/registry model for how things are installed and run. I usually run Windows boxes for two to three years without reinstalling them; other people have to reinstall every 3-6 months. Looking at their usage pattern and mine, they install games and other programs and de-install them all the time, whereas I usually stick to a fixed set of programs and rarely install new ones, and I always apply new patches when they're available via Windows Update. I can also run my machine for months without it crashing, which seems an unobtainable feat for a lot of other people. I see a pattern.
>
> Bad hardware and application software cause a lot more problems than the operating system itself.

This meshes for me too. A handful of utilities [NAV, putty, Mozilla, etc] and the Office suite is about it. My laptop [with frequent standbys, hibernates and the rest] doesn't need to be rebooted even monthly. The Verizon BroadbandNow software is the only thing that prefers a restarted machine with hardware changes [insert card/remove card] --- hopefully they will fix that, but I'm not confident.

I find it interesting that those who claim their machines are soooo important and soooo vital are the ones who spend many hours screwing around with the reinstalls, the upgrades [without knowing what features they are getting] and then being frustrated and uninstalling, etc.

Not all software vendors are equal, not all software packages from the same vendor are equal. I think this is the key point. Symantec [IMO] does fine with Windows, Microsoft's own stuff is pretty good, Mozilla is improving, etc. Installing some random software, no matter how well intentioned, is usually the problem for most folks.

One suggestion that seems to help: when you buy a machine from scratch, uninstall or forcibly remove all the unnecessary software the vendor puts on. Lots of them install chatty support agents and self-diagnosis tools. I have never seen anything but trouble from these. Purists would say just install from fresh media and don't trust the uninstalls, ymmv.

Deepak Jain
AiNET
 
Note these appear to be WINDOWS security articles. I've not found a mention of non-windows vulnerabilities..

Hmmm...

-- 
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
 
Maybe you should browse through the SANS archives, plenty of bind, sendmail, apache, nfs, etc. exploits..

http://www.sans.org/top20/

The problem with *nix is more with misconfiguration than coding flaws, but this should not be underestimated. Given the current tendency towards global outsourcing, the people with the required skills to properly configure/maintain server systems are often the same people who find themselves on the front lines of sweeping company layoffs, as their jobs are outsourced to inexperienced and underqualified support personnel.

A large computer company I once worked for recently laid off their UNIX frontline. They outsourced the entire department, and the outsourcing company hired people off the street to fill the positions. A colleague had told me that the interview for this job was just a meet and greet; there was no technical requirement, and no experience necessary. In fact, he had to train his replacements, and sadly, many of them did not possess even the most basic skills, let alone the ability to configure and troubleshoot terabyte-sized storage systems.

As for Linux for the home user, well.. it is getting better, but has a long way to go before it becomes as polished and intuitive as XP. Overall I would have to say XP serves its purpose well. It is easy to use, highly automated, and if maintained well - a stable OS. As for my detractors, I would argue that I don't feel using MS has caused me to lose my mental acuity, devalued my engineering skills, or caused me any sustained brain damage. It is just a choice, and as far as my personal pc goes, I prefer the clear facility and simplicity of XP.

J.

----- Original Message -----
From: "David Lesher" <wb8foz@nrk.com>
To: "nanog list" <nanog@merit.edu>
Sent: Sunday, August 15, 2004 3:19 PM
Subject: Re: WashingtonPost computer security stories

> Note these appear to be WINDOWS security articles. I've not found a mention of non-windows vulnerabilities..
>
> Hmmm...
>
> -- 
> A host is a host from coast to coast.................wb8foz@nrk.com
> & no one will talk to a host that's close........[v].(301) 56-LINUX
> Unless the host (that isn't close).........................pob 1433
> is busy, hung or dead....................................20915-1433
 
On Sun, 15 Aug 2004, Deepak Jain wrote:

> I agree with Mikael here. If your box is fully patched you need not worry about that much -- if you are still having problems, check your assumptions. :) Windows 2003 web servers are up unfiltered out there; there isn't a real reason why a Windows XP laptop wouldn't be [exploit du jour excepted].

Assumptions are a funny thing. It's amazing how many patched systems with firewalls are compromised. Understanding how and why that happens is important.
 
> Bad hardware and application software cause a lot more problems than the operating system itself.
>
> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se

Bad users cause more problems than everything else combined. Doesn't matter if you're running Windows, BSD, Linux, OS X, or whatever. When a dumb user does a dumb thing, dumb things happen.

Doesn't matter really if it's an OS that gets asked to run malware and then is blamed for corrupting itself, or an SUV whose airbags and crumple zones fail to keep alive the driver who was spacing off and talking on a cell phone when they crossed in front of a semi. The end result is the same: technology, and the intelligent individuals that create it, can only do so much to prevent a stupid individual from causing damage to themselves and others.

If anyone wants to argue against this, I beg of them to read http://www.mentalsoup.com/mentalsoup/basic.htm first.

-Jerry
--
 
On Sun, 15 Aug 2004, Mikael Abrahamsson wrote:

> As far as I know, there is no remotely exploitable hole in Windows that doesn't have a patch for it, nothing majorly in the wild anyway. I run my fully patched XP laptop without firewall directly connected to the internet all the time and the above you mention doesn't happen to me.

I'm sure there are plenty, and not just in Windows. Just because you don't know about them or there's nothing published doesn't mean they don't exist. The hole used by Sapphire didn't 'exist' until Sapphire infected all the open Windows boxes within a couple of hours.

Even with your firewall you're not safe; stuff can get through if you either allow it with a listening port (eg webserver) or by malicious trojan data (eg javascript embedded in a webpage, crafted response to dns/ping/snmp/ssh/whatever).

> Bad hardware and application software cause a lot more problems than the operating system itself.

I think they're all major things you should include in any security assessment; the exact order of importance is irrelevant.

Steve
 
: : I put the blame not on the AV vendors but strictly on MS for building a
: : sieve.
: :
: : -Hank
:

I blame the miscreants who are malicious enough to want to cause as much damage as they can. MS software has tried for too long to be everything for everyone. For instance, the SP2 for XP now being released even breaks some of the expensive MS applications, because they are learning to start turning stuff off by default and removing much of the backwards compatibility that leaves them so wide open for assault. It is a rare Linux box that has as much stuff installed and running at the same time as the average Windows box does.

I have learned to ghost an image of the installed box and burn it to DVD, which makes it a no-brainer to rebuild a box that has gone south due to mis-use by the uninitiated.
 
Speaking of computers fubar'ed by spyware, I just found a particularly nice example of a phishing attempt. SpamAssassin had tagged it with the astronomical score of 136.3 thanks to SARE.

The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).

That page does something interesting: it meta refreshes itself to Citibank's corporate homepage but also pops up a window (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a new PIN. The main page being Citibank probably lends some credibility to the scam.

This attack won't work if your browser blocks popups, or if you remember that the padlock icon in the status bar is what tells you the status of a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo inside the webpage.

It's disheartening to see that this website is still online after several days (I received the scam mail Friday morning).

I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.

-- Niels.
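The pattern Niels describes (logo images fetched from the real bank, the call-to-action link pointing at a bare IP address) is easy to check for mechanically. The following is an added example, not part of Niels' post or of any SpamAssassin rule: it pulls the image and link targets out of a mail body and flags links whose host is an IP literal or lies outside the brand's domain. The HTML body is constructed for the example; the bank domain and the IP address in it are the ones the post names.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body modelled on the post: the logo images come
# from the real bank site while the "confirm" link goes to a bare IP.
SAMPLE_HTML = """
<html><body>
<img src="http://www.citibank.com/images/logo.gif">
<p>Please <a href="http://61.128.198.51/Confirm/">confirm your account</a>.</p>
<img src="http://www.citibank.com/images/lock.gif">
<p><a href="https://www.citibank.com/help">Help</a> |
<a href="mailto:support@citibank.com">Contact</a></p>
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collects <img src> and <a href> targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none (mailto:, etc.)."""
    return (urlparse(url).hostname or "").lower()


def classify_host(host, brand):
    """'brand' for the brand domain or one of its subdomains, 'ip-literal'
    for a bare IPv4/IPv6 address, 'off-brand' for anything else
    (including lookalikes such as brand.com.something.else)."""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if host == brand or host.endswith("." + brand):
        return "brand"
    return "off-brand"


def analyse(html, brand):
    """Return image hosts, links that leave the brand domain, and a verdict.

    Brand images plus a non-brand link is the combination the post
    describes and is rated highest; non-brand links alone are 'suspicious'.
    """
    c = _RefCollector()
    c.feed(html)
    image_hosts = sorted({host_of(u) for u in c.images if host_of(u)})
    suspicious = [(u, classify_host(host_of(u), brand))
                  for u in c.links
                  if host_of(u) and classify_host(host_of(u), brand) != "brand"]
    borrows_brand_images = any(classify_host(h, brand) == "brand" for h in image_hosts)
    if suspicious and borrows_brand_images:
        verdict = "likely-phish"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"image_hosts": image_hosts, "suspicious_links": suspicious, "verdict": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_HTML, "citibank.com"))
```

Run on the sample above it reports the single IP-literal link and the verdict "likely-phish"; a mail whose links all stay on the bank's domain comes back "clean". The host check deliberately tests the domain suffix with a leading dot, so "citibank.com.evil.example" is not accepted as the brand.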
 
How strange, I received that in my email too..

-Henry

--- Niels Bakker <niels=nanog@bakker.net> wrote:

> Speaking of computers fubar'ed by spyware, I just found a particularly nice example of a phishing attempt. SpamAssassin had tagged it with the astronomical score of 136.3 thanks to SARE.
>
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).
>
> That page does something interesting: it meta refreshes itself to Citibank's corporate homepage but also pops up a window (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a new PIN. The main page being Citibank probably lends some credibility to the scam.
>
> This attack won't work if your browser blocks popups, or if you remember that the padlock icon in the status bar is what tells you the status of a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo inside the webpage.
>
> It's disheartening to see that this website is still online after several days (I received the scam mail Friday morning).
>
> I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.
>
> -- Niels.
 
On Mon, 16 Aug 2004, Niels Bakker wrote:

> It's disheartening to see that this website is still online after several days (I received the scam mail Friday morning).

Out of curiosity, you did send in a complaint to CitiBank's proper alias for spoofing/phishing/blah, and a followup to Savvis who is providing transit as you see from your perspective? And a Sprint+SBC one, as it's their customer 'hosting' the original page?

If no complaint is lodged, citibank/sbc/sprint/savvis are none the wiser to the problem, eh?
 
Christopher L. Morrow wrote:

> On Mon, 16 Aug 2004, Niels Bakker wrote:
>
>> It's disheartening to see that this website is still online after several days (I received the scam mail Friday morning).
>
> Out of curiosity, you did send in a complaint to CitiBank's proper alias for spoofing/phishing/blah, and a followup to Savvis who is providing transit as you see from your perspective? And a Sprint+SBC one, as it's their customer 'hosting' the original page?
>
> If no complaint is lodged, citibank/sbc/sprint/savvis are none the wiser to the problem, eh?

/dev/null

Passing to abuse; sorry for missing the original comments, Niels.

mark
 
Why not write a generator of credit cards / PINs and flood this site with false information? (I saw a few better examples, btw.)

----- Original Message -----
From: "Niels Bakker" <niels=nanog@bakker.net>
To: <nanog@merit.edu>
Sent: Monday, August 16, 2004 3:26 AM
Subject: Phishing (Was Re: WashingtonPost computer security stories)

> Speaking of computers fubar'ed by spyware, I just found a particularly nice example of a phishing attempt. SpamAssassin had tagged it with the astronomical score of 136.3 thanks to SARE.
>
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).
>
> That page does something interesting: it meta refreshes itself to Citibank's corporate homepage but also pops up a window (/Confirm/pop.php) requesting the user's card#, PIN (twice) and a new PIN. The main page being Citibank probably lends some credibility to the scam.
>
> This attack won't work if your browser blocks popups, or if you remember that the padlock icon in the status bar is what tells you the status of a connection, not a "128-bit SSL" or "Verisign trust-e" or whatever logo inside the webpage.
>
> It's disheartening to see that this website is still online after several days (I received the scam mail Friday morning).
>
> I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.
>
> -- Niels.
 
> I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.

This is a social engineering attack. As long as you can convince the user to cooperate, you can subvert technological counter-measures. When you add the ability to subvert the communication device (computer, telephone, etc) it gets even more interesting. The scam may even occur in multiple parts using different forms of communication (email, web, fax, phone, mail) for different parts of the scam.

Yes, it is possible to subvert smartcards, one-time hardware tokens (securid), biometrics, etc. They are not just academic attacks; they have been successfully attacked in the wild. Brute force isn't needed when you can subvert other parts of the system, which includes the human.

Scams also use other mediums. Here is an example: http://www.fincen.gov/stoporder.pdf
 
I wonder if the banks have ever considered how they have contributed to the problem. If their pages were straight up, no pop-ups, no JavaVirus, etc.... it would be far easier to tell their customers:

==============================================================
Here is what our page looks like:

The address ALWAYS starts with: https://www.countrybank.com/...

With a page like this.  [graphic image]
If you have pop-ups, or a different page, stop...

==============================================================

But of course, that would not be glitzy enough....

-- 
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
 
> I wonder if the banks have ever considered how they have contributed to the problem. If their pages were straight up, no pop-ups, no JavaVirus, etc.... it would be far easier to tell their customers:
>
> ==============================================================
> Here is what our page looks like:

> But of course, that would not be glitzy enough....

My bank does pretty much what you suggest. Have a look here https://ibank.barclays.co.uk/fp/1_2c/online/1,26806,logon,00.html and if that link has timed out or something, just go here https://ibank.barclays.co.uk/ and click the Log-in button.

Barclays also uses a "memorable word" in addition to the PIN code. They repeatedly tell us that no-one from Barclays will ever ask us to reveal this memorable word. Its only use is for a simple challenge-response where the website asks for two specific letters from the word and we select them from drop-down boxes to defeat keyloggers. Nice example of layered security that keeps the criminals snapping at the heels of the guy next door, i.e. CitiBank et al.

--Michael Dillon
 
On Tue, 17 Aug 2004 Michael.Dillon@radianz.com wrote:

> Barclays also uses a "memorable word" in addition to the PIN code. They repeatedly tell us that no-one from Barclays will ever ask us to reveal this memorable word. Its only use is for a simple challenge-response where the website asks for two specific letters from the word and we select them from drop-down boxes to defeat keyloggers. Nice example of layered security that keeps the criminals snapping at the heels of the guy next door, i.e. CitiBank et al.

Lots of European banks issue sheets of one-time passwords.

> --Michael Dillon

-- 
--------------------------------------------------------------------------
Joel Jaeggli                    Unix Consulting                joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
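Both of the second factors mentioned in this exchange, Michael's "two letters from the memorable word" challenge and Joel's sheets of one-time passwords, are small enough to show as server-side verification logic. The following is an added example written for this thread; it is not Barclays' code or any bank's, and the class names, the constant-time comparison and the burn-on-success rule for the sheet are this example's own choices. One design point worth seeing in code: a partial-secret scheme has to keep the word recoverable on the server (it cannot be stored as a one-way hash, since the server needs arbitrary positions), which is why it only makes sense as an additional layer.

```python
import hmac
import random


class PartialSecretVerifier:
    """Challenge-response over a memorable word: the server names a few
    positions, the user supplies only the characters at those positions.

    Assumption of this example: the word is stored in recoverable form,
    because any position may be asked for. It therefore needs protection at
    rest and should never be the sole authentication factor.
    """

    def __init__(self, memorable_word, positions_per_challenge=2):
        if positions_per_challenge > len(memorable_word):
            raise ValueError("more positions requested than characters available")
        self._word = memorable_word.lower()
        self._k = positions_per_challenge

    def new_challenge(self, rng=None):
        """Return distinct, sorted 1-based positions to ask for.

        A CSPRNG is used by default; a seeded random.Random may be passed for
        reproducible demonstrations.
        """
        rng = rng or random.SystemRandom()
        return sorted(rng.sample(range(1, len(self._word) + 1), self._k))

    def verify(self, positions, answers):
        """Compare the supplied characters against the word in constant time."""
        if len(positions) != self._k or len(answers) != self._k:
            return False
        if any(not 1 <= p <= len(self._word) for p in positions):
            return False
        expected = "".join(self._word[p - 1] for p in positions)
        supplied = "".join(answers).lower()
        return hmac.compare_digest(expected.encode(), supplied.encode())


class OneTimePasswordSheet:
    """A numbered list of codes, each accepted at most once.

    Only a correct code burns its entry; lockout after repeated failures is
    left to the caller, as it would be for any password check.
    """

    def __init__(self, codes):
        self._codes = list(codes)
        self._used = [False] * len(self._codes)

    def consume(self, index, code):
        """Accept `code` for 1-based `index` exactly once."""
        if not 1 <= index <= len(self._codes) or self._used[index - 1]:
            return False
        ok = hmac.compare_digest(self._codes[index - 1].encode(), code.encode())
        if ok:
            self._used[index - 1] = True
        return ok

    def remaining(self):
        return self._used.count(False)


if __name__ == "__main__":
    # Constructed sample word and sheet, for demonstration only.
    v = PartialSecretVerifier("tangledweb")
    challenge = v.new_challenge(random.Random(7))
    print("positions asked:", challenge)
    print("correct answer accepted:", v.verify(challenge, ["tangledweb"[p - 1] for p in challenge]))
    sheet = OneTimePasswordSheet(["4821", "9034", "1177"])
    print("first use:", sheet.consume(2, "9034"), "replay:", sheet.consume(2, "9034"))
```

The replay test in the demo is the property that makes the sheet useful against a keylogger: a captured code is worthless once it has been accepted, and with the memorable word an observer of one session learns only two characters of the word.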
 
On Tue, 17 Aug 2004 08:05:41 -0400 (EDT) "David Lesher" <wb8foz@nrk.com> wrote:

| I wonder if the banks have ever considered how they have contributed
| to the problem. If their pages were straight up, no pop-ups, no
| JavaVirus, etc.... it would be far easier to tell their customers:
|
| ==============================================================
| Here is what our page looks like:
|
| The address ALWAYS starts with: https://www.countrybank.com/...
|
| With a page like this.  [graphic image]
| If you have pop-ups, or a different page, stop...
|
| ==============================================================
|
| But of course, that would not be glitzy enough....

No matter how often they told customers that, a sufficient percentage would ALWAYS be susceptible to the fraudsters' social engineering ... That feature seems to be hard-coded into the class $customer

-- 
Richard Cox
 
Alexei Roudnev wrote:

> Why not write a generator of credit cards / PINs and flood this site with false information?
>
> (I saw a few better examples, btw.)

Because fighting abuse with abuse is never a good idea?

Pete
 
I disagree - this is a good idea, and it REALLY DOES WORK (it has been tested on hackers, with great success). Moreover, it is not a problem to catch these fishers/phishers... issue 1,000 special credit cards, send their data to this site, and trace who uses them and how. Or just intercept traffic and log all cards posted to this site (and trace them). Nothing too complicated for any law enforcement agency...

Just watching and saying _ohhm, one more phishing_ is the worst idea - to fight anything, you must always be active. The active side always wins (it is only a matter of time, how long it takes to win), so if you are just looking and using passive defense, you will be bitten (sooner or later). Hackers and phishers are no different from any other fight.

> Alexei Roudnev wrote:
>
>> Why not write a generator of credit cards / PINs and flood this site with false information?
>>
>> (I saw a few better examples, btw.)
>
> Because fighting abuse with abuse is never a good idea?
>
> Pete
 
> The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).

It's a 1-line rule with mod_rewrite and Apache to block nonexistent or off-site HTTP referers attempting to display GIF/JPG/PNG images... Sometimes I wonder why Citibank, Paypal and others don't do this. It would cut down on the displayed authenticity level of many basic phishes.
 
On Tue, 17 Aug 2004, Eric Kuhnke wrote:

> It's a 1-line rule with mod_rewrite and Apache to block nonexistent or off-site HTTP referers attempting to display GIF/JPG/PNG images... Sometimes I wonder why Citibank, Paypal and others don't do this. It would cut down on the displayed authenticity level of many basic phishes.

Because many (broken) browsers/proxies/"firewalls"/etc block or forge referrer headers "for security" and they'd quadruple their tech support load with all their idiot customers using Norton Internet Security or other similar products calling in saying "why don't I get any images on the site? waah!" This simply isn't an option in the real world.

-- 
Tim Wilde
twilde@dyndns.org
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
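Eric's rule and Tim's objection to it are really one decision with a single switch: what to do with requests that carry no Referer at all. The example below is added here and is neither poster's code; it restates the usual mod_rewrite hot-link rule in a comment and then reproduces its decision in Python so the strict and the relaxed variants can be run over a constructed set of image requests. The site name is the bank from the thread and the bare-IP referer is the phishing host Niels reported; the request list and the helper names are this example's own.

```python
from urllib.parse import urlparse

# The Apache rule the post alludes to is commonly written like this. The
# first RewriteCond is the relaxation at issue in the reply: it exempts
# requests with no Referer; remove it and you get the strict variant that
# also blocks proxies and "privacy" products that strip the header.
#
#   RewriteEngine On
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?citibank\.com/ [NC]
#   RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
#
# The functions below implement the same decision for comparison.

IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")


def referer_host(referer):
    """Hostname named by a Referer header, or None when absent or unparseable."""
    if not referer:
        return None
    return (urlparse(referer).hostname or "").lower() or None


def is_same_site(host, site):
    """True for the site itself or any of its subdomains (suffix match with a dot)."""
    return host == site or host.endswith("." + site)


def hotlink_decision(path, referer, site, allow_missing_referer):
    """Return 'allow' or 'block' for one request; only image paths are examined."""
    if not path.lower().endswith(IMAGE_SUFFIXES):
        return "allow"
    host = referer_host(referer)
    if host is None:
        return "allow" if allow_missing_referer else "block"
    return "allow" if is_same_site(host, site) else "block"


# Constructed requests as (path, Referer header). None stands for a header
# that a proxy or desktop "security" product removed before the request left.
SAMPLE_REQUESTS = [
    ("/images/logo.gif", "https://www.citibank.com/login"),
    ("/images/logo.gif", "http://61.128.198.51/Confirm/"),
    ("/images/logo.gif", None),
    ("/images/logo.gif", "http://citibank.com.evil.example/"),
    ("/login", "http://61.128.198.51/Confirm/"),
]


def evaluate(requests, site, allow_missing_referer):
    """Apply hotlink_decision to every request and return the list of outcomes."""
    return [hotlink_decision(p, r, site, allow_missing_referer) for p, r in requests]


if __name__ == "__main__":
    for label, relaxed in (("strict", False), ("allow-missing", True)):
        print(label, evaluate(SAMPLE_REQUESTS, "citibank.com", relaxed))
```

Both variants block the image request whose Referer is the phishing page and the lookalike domain; they differ only on the third request, the one with no Referer, which is exactly the population of customers Tim expects to flood the help desk. The decision is also only as good as the header: a Referer is set by the client, so this is a nuisance for the mass-mailed phish, not an access control.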
 
TW> Date: Tue, 17 Aug 2004 09:06:30 -0400 (EDT)
TW> From: Tim Wilde
TW> Because many (broken) browsers/proxies/"firewalls"/etc block
TW> or forge referrer headers "for security" and they'd quadruple
TW> their tech support load with all their idiot customers using
TW> Norton Internet Security or other similar products calling in
TW> saying "why don't I get any images on the site? waah!" This
TW> simply isn't an option in the real world.
Ughh. Some "security" products cause more trouble than they solve. Norton Internet Security is obnoxious enough to "filter ads" by nuking graphics based on pixel dimensions. (After having to alter some sites to get around this, we have a much harder time recommending Symantec products...)
Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
 
            Edward B. Dreger wrote:
Ughh. Some "security" products cause more trouble than they solve. Norton Internet Security is obnoxious enough to "filter ads" by nuking graphics based on pixel dimensions. (After having to alter some sites to get around this, we have a much harder time recommending Symantec products...)
Filtering images based on size is comparable to filtering specific TCP or UDP ports. Both are based on arbitrary numbers, and the legitimate uses of those numbers suffer from the blocking.
Pete
 
I received a few messages as well, one with US Bank, which I don't have an account with, and they both had images attached. The image was displayed, without any external connection.
As far as fighting abuse with abuse, it's not *always* a bad idea. If the databases are filled with bad entries, it will be too costly to sort through valid data. Other people will cease to purchase information from the phisher because of unreliable data, or less will be paid. Either way, there will be less money in the particular method and less of an incentive. It will not stop phishing totally, but why make it easier? If you've got some extra time to write something, then go for it. As far as legal concerns, there is no law against lying to someone that is trying to steal from you.
-b
On Tue, 17 Aug 2004 09:06:30 -0400 (EDT), Tim Wilde <twilde@dyndns.org> wrote:
On Tue, 17 Aug 2004, Eric Kuhnke wrote:
It's a 1-line rule with mod_rewrite and Apache to block nonexistent or off-site HTTP referrers attempting to display GIF/JPG/PNG images... Sometimes I wonder why Citibank, PayPal and others don't do this. It would cut down on the displayed authenticity level of many basic phishes.
Because many (broken) browsers/proxies/"firewalls"/etc block or forge referrer headers "for security" and they'd quadruple their tech support load with all their idiot customers using Norton Internet Security or other similar products calling in saying "why don't I get any images on the site? waah!" This simply isn't an option in the real world.
--
Tim Wilde twilde@dyndns.org
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/
 
            On Tue, 17 Aug 2004, Eric Kuhnke wrote:
The mail originated from 68.77.56.130 (an ameritech.net DSL connection, right now not pingable) and loads some images from www.citibank.com. It links to http://61.128.198.51/Confirm/ - an IP address hosted by Chinanet (transit to there supplied by Savvis from my point of view).
It's a 1-line rule with mod_rewrite and Apache to block nonexistent or off-site HTTP referrers attempting to display GIF/JPG/PNG images... Sometimes I wonder why Citibank, PayPal and others don't do this. It would cut down on the displayed authenticity level of many basic phishes.
<cookie-foo>: 31-Dec-2014 00:00:00 GMT; path=/; domain=.usbank.com
Server: Microsoft-IIS/5.0
Date: Tue, 17 Aug 2004 15:34:02 GMT
Citibank.com returns:
Server: ""
Perhaps the 1-line mod_rewrite isn't available to them because they don't have mod_rewrite?
participants (23)
- Alexei Roudnev
- Brett
- Christopher L. Morrow
- David Lesher
- Deepak Jain
- Doug White
- Edward B. Dreger
- Eric Kuhnke
- Hank Nussbacher
- Henry Linneweh
- Jerry Pasker
- Joel Jaeggli
- John Underhill
- Mark Kasten
- Michael.Dillon@radianz.com
- Mikael Abrahamsson
- Niels Bakker
- Owen DeLong
- Petri Helenius
- Richard Cox
- Sean Donelan
- Stephen J. Wilcox
- Tim Wilde