[SecurityRatty] tag: index

Is Google Using Chrome to Index Password Protected Web?

Mon, 06 Oct 2008 07:20:02 +0000

An interesting theory we heard recently is that Google will use Chrome to index the password protected Web. Right now the Chrome Terms of Service prevents Google from indexing private data. But when you consider that Chrome was initially presented as a browser for applications, instead of just web pages, this theory begins to make more sense.

robots.txt is NOT a security control

Tue, 30 Sep 2008 03:24:56 +0000

Sitting in a meeting the other day, my mind hoisted a little red flag when I heard someone say the robot.txt file was a good security control. Not only is it not a security control, it also doesnt add much value beyond helping control which search engines get to index your Web sites and what they get to index. In other words, they have no value when attempting to stop an attacker from retrieving information during target reconnaissance activities.

The opt-out from hell

Tue, 16 Sep 2008 15:22:03 +0000

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...?
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID:
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya
From: Avaya
To: Steve Riley
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

Can Chrome be read by a Keylogger?

Fri, 05 Sep 2008 11:56:35 +0000

I dont know yet, but Im checking. This is a article that bears reading.

clipped from www.tgdaily.com

Chrome is a security nightmare, indexes your bank accounts

So is this all a big deal?? Well anyone who wants to search your financial information would need local access to your machine and if a person is sitting at your computer, you have a lot more things to worry about than him/her using Chrome’s history search.? Conceivably a hacker could develop an app to pull the cache and index files off your computer and examine them later on another machine – these files reside in the “C:\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default” folder.

Fake Security Software Domains Serving Exploits

Thu, 28 Aug 2008 02:41:10 +0000

Psychological imagination, "think cybercriminals" mentality or scenario building intelligence, seem to always produce the results they are supposed to. On Monday, I pointed out that :

"Ironically, the participant in the affiliate program whose original objective was to drive traffic to the fake security software's site, may in fact start receiving so much traffic due to the combination of traffic acquisition tactics, that introducing client-side exploits courtesy of a third-party affiliate network, may in fact prove more profitable then the revenue sharing partnership with the rogue security software's vendor at the first place."

The next day, client-side exploits start getting introduced "in between" the fake security software sites :

"I've blogged before about the problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it's taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the users system. This will also affect the many syndicators of Google Adwords."

The domain in question bestantivirus2009.com - (68.180.151.21) is hosting the binary at bestantivirus2009 .com/setup_1096_MTYwM3wzNXww_.exe and has an IFRAME pointing to huytegygle .com/index.php (200.46.83.246).

Here's another example antivirus0003.net with an IFRAME pointing to a different location - 124.217.250.85 /~ave/etc/count.php?o=16.

Despite that these domains are part of the "International Virus Research Lab" fake domains portfolio, it remains to be seen whether others will start multitasking as well.

Fake Porn Sites Serving Malware - Part Three

Tue, 26 Aug 2008 05:02:26 +0000

Continue the Fake Porn Sites Serving Malware and Fake Porn Sites Serving Malware - Part Two series, in part three we'll take a peek at the emerging trend of parking a single domain at up to three different hosting locations, re-establishing connections between malicious ISPs for yet another time in between exposing the domains and the download locations sharing the same IPs.

downlfreesexgirlbeach .com first redirects to infodist1 .com/in.cgi?2 then to watchnenjoy.com/index.php?id=1314&style=black, and finally to the front end to the codec's download location handmadeclips .com, where the codec is downloaded from fwlprocedure .com. Behind these domains, we can easily expose many other fake porn sites and pharmaceutical scams, next to a small portfolio of domains specifically used for hosting the binaries. Due to the obvious rotation I've encountered several times so far, a fake porn site today, is tomorrow's blackhat SEO content farm :

downlfreesexgirlbeach .com - (88.214.198.25)
vids365 .com
downlfreesexgirlbeach .com
top.only-bi .com
wikiei .com
paysuperporn .com
aboutsexporn .com
freactor .com
cheapofficialpills .com
finance-leaders.comnudenakedboys .com
photosgayboys .com
uniqueincest.com
shyincest .com
banrnd.central-xxx .com
tvisklick .info
thebg .net
termion .net
xoxvids .net
bestpricepills .net
bcodecnow .net

infodist1 .com - (88.214.204.40)
farmasearch2008 .com
flaxxvid .com
xanax777pills .com
18virgingirls .com
girlnudegallaryvideox .com
allxxxpornogerlsx .com
jproshin .info
familytaboo .info
fullsitehost .info
20searchonlinesite .net
add-your-video .net
blogs4y .net

adult-shemale .com - (88.214.198.25)
adult-tranny .com
all-shemale .com
bcodecnow .net
best-tranny .com
bestguyportal .com
bestmoviez .com
central-xxx .com
downlfreesexgirlbeach .com
gallery-boy .com
hiosexywomensxxxgirlsx .com
lady-dick .com
bcodecnow .net
mytoppharmacy .com
nakednudeboys .com
nakednudemen .com
nudenakedboys .com
only-bi .com
only-shemale .com
page-reviews .com
paulaslosingit .com
photosgayboys .com
stud-boys .com
the0download .com
wikiei .com
moviez .com
hiosexywomensxxxgirlsx .com
sexygirlsisuniformh0t .com
the0download .com

flwprocedure .com - (77.91.231.201)
movupdate .com
flwupdate .com
formatmpeg .com
movieexternal .com
flwtool .com
aviexecution .com
releasedvideo .com
wmvcompressor .com
movieopens .com
mpegapparatus .com
flwassistant .com
flwinstrument .com
piterserv .com
wovview .com

Some info on a sample codec :
Scanners Result: 11/36 (30.56%)
Trojan-Downloader.Win32.Zlob.cos
Trojan.Popuper.7315
File size: 10240 bytes
MD5...: 467e4e78974dc8b2ee5d7da024daf31a
SHA1..: 311e0c710bb15761ef3dace54b55489830cf5803

Phones back to 69.50.164.50/this/is/stereo/music.php?param=0;1314;1550; 69.50.164.50/this/is/stereo/jazz.php?param=49325611;2:191:5|7:271:0|6:130:0|9:0:5|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548.

When Emil Kaperski's owned InterCage, Inc. (69.50.164.50) meets UkrTeleGroup Ltd. (85.255.119.244) previously known as Andrei Kislizin's owned InHoster, you know you're on the right track.

Fake Celebrity Video Sites Serving Malware - Part Two

Wed, 20 Aug 2008 21:52:00 +0000

Malicious parties remain busy crunching out domain portfolios of legitimately looking celebrity video sites. The very same templates used on the majority of fake celebrity video sites which I exposed in a previous post, remain in circulation with anecdotal situations where they aren't even bothering to match the site's logo with the domain name -- it would ruin the malicious economies of scale approach. And since centralization to some, an laziness to others, remains in tact, the fake security software and fake codecs served remain once parked at the same IP as the fake celebrity sites which I'll expose in this post.

starfeed1 .com - (85.255.117.218)
codecservice1 .com
siteresults1 .com
codecservice6 .com
celebs69 .com
topdirectdownload .com
sexlookupworld .com
favoredtube .com
yourfavoritetube .com
wwvyoutube .com
celebsnofake .com
celebsvidsonline .com
celebstape .com
freevidshardcore .com
topsoftupdate .com
porndebug .com
newfunnyvideo .com
bestfunnyvids .com
pornmoviestube .net

worldstars2008 .com - (79.135.167.54)

antivirus2008-pro .name
antivirus-2008pro .name
antivirus2008pro .name
antivirus2008pro-download .org
antivirus-2008-pro .org
antivirus2008-pro .org
antivirus-2008pro .org
antivirus2008pro .org
thesoft-portal-08 .com
stars-08 .com
thestars-08 .com
thebigstars-08 .com
funny-08 .com
realonlinevideo-2008 .com
2008-adult-2008 .com
adult18tube2008 .com
adultstreamportal2008 .com
2008-adult-s2008 .com
new-content-s2008 .com
newcontent-s2008 .com
worldstars2008 .com
thestars2008 .com
thebigstars2008 .com
newcontents2008 .com
18x-adult2008 .com
2008adult2008 .com
adult-x2008 .com
hotadulttube08 .com
adultxx-18 .com
newcontent-s2008a .com
antivirus2008pro-download .com
onlinestreamvide .com
onlinestreamvide .com
ns2.onlinestreamvide .com
xxxstreamonline .com4
supersoft21freeware .com
kvm-secure .com
kvmsecure .com
themusic-08portal .com
adultstreamportal .com
streamxxxvideo .com
antivirus-2008-pro .com
antivirus2008-pro .com
antivirus-2008pro .com
thefunny-08 .com
thestars-08 .com
thestars08 .com
celebsnofake .com
adult-s-portal .com
adultsoftcodec .com
adultstreamportal .com
adultxx-18 .com

And while none of these seem to be taking advantage of client-side exploits, a Russian celebrity site that seems to by syndicating the malicious redirectors from a legitimate advertising network, is an exception worth point out due to the Adobe Flash player exploit it's attempting to take advantage of.

Bestcelebs .ru javascript redirectors through several different doorways :

crklab .us/index.php => firstblu .cn/3.php?19383577 => xanjan .cn/in.cgi?mytraf => atomakayan .biz/afterftpcheck/2603/index.php =>
toksikoza .net/fi/index.php?mytraf => toksikoza .net/fi/1.swf

What you see is so not what you get.

Friday Squid Blogging: Talking Squids in Outer Space

Fri, 15 Aug 2008 12:57:09 +0000

An index of fiction.

The site was inspired by Margaret Atwood's infamous comment that Oryx and Crake isn't really science fiction, because science fiction is "talking squids in outer space." This prompted a hunt for science fiction which actually did feature talking squids in outer space.

Spamming Deterrent?

Wed, 13 Aug 2008 09:38:22 +0000

It’s a harsher sentence than that handed to some spammers,
but is it enough? Have your say at
http://www.virusbtn.com/news/polls/index

clipped from www.virusbtn.com

Is 47 months imprisonment sufficient punishment for a convicted spammer?

It seems like a pretty tough sentence but there’ve been quite a few big arrests/trials/tough sentences and it doesn’t seem to be putting these people off - all these ’spam kings’ are repeat offenders with long histories of fines and sentences but they keep on doing it.

Fun Reading on Security - 6

Thu, 07 Aug 2008 14:01:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #6, dated August 7th, 2008.

DNS + Karma = Boom! Enuf said. Also, hear Pete Linstrom squeal.
Fun essay on "blocking" and risk. Is it our job to stop'em from using Facebook?
MS Exploitability Index. Smart ... or misguidedly focused on "vulnerability release" (and not creation)
Chip-n-PIN, a PCI killer? I don't think so!
Mike R revisits "good enough security" - read it, then review your IR plans (...for you will be 0wned)
Very fun RSA survey here; data leakage beats malware again, people still not report incidents (to whom???)
More and more and more people point at idiocies of academic security research... Read the whole w00t 08 thread here. Weep. Laugh.
Neosploit has a bad quarter... breaks support "contracts" ... shuts down? Ah, the economy :-)
Awesome stuff from Richard Bejtlich: CAER.
"The Network Firewall is a Consensual Hallucination" :-)
More GRC-ball-kicking: here, here ("IT-GRC "vendors" are not IT-GRC vendors") - both are pretty insightful for GRC-lovers and GRC-haters)
More SIEM-ball-kicking: here ("underwhelming","ridiculous", "missing the point"), here ("dead ...unless","cripple")
Fun DLP portal launches.
Final word (?) on TerryChilds-gate here. "When management starts controlling the actions of admins, things start to fall apart." Huh? When management loses control of the business, it dies. Folks, IT vs IT security gap IS real. I never quite believed it, but this taught me a lesson. Some common security sense for a change (also here).

Enjoy.