[SecurityRatty] tag: redmond

Links for 2008-10-07 [del.icio.us]

Tue, 07 Oct 2008 20:00:00 +0000

The opt-out from hell

Tue, 16 Sep 2008 15:22:03 +0000

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...?
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID:
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya
From: Avaya
To: Steve Riley
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

The Feds Fight Google/Yahoo Alliance

Tue, 09 Sep 2008 16:17:03 +0000

A google employee once said, “Google’s going to take over the world, and everyone’s going to love it,” or something to that effect. Now, with Yahoo and the big Goog looking to team up, the Department of Justice is planning some moves of its own to make sure that the ad market isn’t totally dominated by the two search engine giants… but is it really the Feds behind the Anti-trust suit, or is it Microsoft weilding the power of its own monopoly money…?

While advertisers have expressed concern over the potential market power the formidable pair might wield, both firms are quick to note that the proposed arrangement would be a nonexclusive revenue sharing deal in which Google gained rights to run ads on Yahoo sites. Yahoo and Google would continue to compete for advertising dollars, and prices would be set by auction.

Many observers see the hand of perennial search-wars Bronze medalist Microsoft looming in the background here. Redmond made its own abortive bid to acquire Yahoo outright, arguing that the union would create a counterweight to Google’s dominance.

Read the full article here.

[OT rant] Are there any home WiFi routers that DON'T SUCK?

Fri, 22 Aug 2008 20:12:38 +0000

Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

Compromised Cpanel Accounts For Sale

Mon, 18 Aug 2008 06:42:50 +0000

Is the once popular in the second quarter of 2007, embedded malware tactic on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? Depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of tools and tactics that he's taking advantage of, in fact, some would on purposely misinform on what their actual capabilities are in order not to attract too much attention to their real ones, consisting of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it used to be in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in their decreasing price, with the sellers differentiating their propositions, and charging premium prices based on the site's page ranks and traffic, measured through publicly available services, or through the internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shells access to misconfigured web servers remain desired underground goods, goold old fashioned embedded malware will continue taking place.

Interestingly, from an economic perspective, the way the seller markets his goods, can greatly influence the way they get abused given he continues offering after-sale services and support. It's blackhat search engine optimization I have in mind, sometimes the tactic of choice especially given its high liquidity in respect to monetizing the compromised access.

The bottom line - for the time being, there's a higher probability that your web properties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that's because what used to be a situation where malicious parties would aim at launching a targeted attack at high profile site and abuse the huge traffic it receives, is today's pragmatic reality where a couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, and greatly extend the lifecycle of their campaign taking advantage of the fact the the low profile site owners would remain infected and vulnerable for months to come.

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

When turning updates off really doesnt

Thu, 14 Aug 2008 09:31:32 +0000

In any business dealings, if you cant trust the company to do what they say they will do,
You go elsewhere right?
Its your decision. Not in this instance folks.

clipped from windowssecrets.com

You’ll get a new Windows Update, like it or not

This time, Microsoft is being more up-front about its forthcoming
refresh of Windows Update. For example, product manager Michelle Haven described in a
blog post on July 3 some new features that the upgrade will add.

The new version will reportedly reduce the time WU takes to scan for and send out new updates. In addition, if you use the online version of WU, and you click an update for more information, the new version will offer you more links with additional details.

But the Redmond company hasn’t changed the wording of the Control Panel settings that appear to prevent Windows Update from performing silent downloads — but don’t.

In light of these potentially misleading controls, a few tricks on managing Windows Update are just what the doctor ordered.

Fake IE7 Downloads Advertised Via EMail

Thu, 07 Aug 2008 10:56:21 +0000

There seem to be quite a few of these in circulation over the past day or so:

Download the latest version!

About this mailing:
You are receiving this e-mail because you subscribed to
MSN Featured Offers. Microsoft respects your privacy.
If you do not wish to receive this MSN Featured Offers e-mail,
please click the "Unsubscribe" link below. This will not
unsubscribe you from e-mail communications from third-party
advertisers that may appear in MSN Feature Offers.
This shall not constitute an offer by MSN. MSN shall
not be responsible or liable for the advertisers' content
nor any of the goods or service advertised. Prices and item
availability subject to change without notice.

2008 Microsoft | Unsubscribe |
More Newsletters |
Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

As you might have guessed, it's fake. Microsoft don't send out EMails asking you to download files from random, non-Microsoft websites. This:

....is not what it appears to be. Run the file, and instead of IE7, you're actually more likely to see a fake antivirus program appear on your desktop:

Click to Enlarge

This particular fake AV is also being pushed quite heavily via the recent CNN videos scam. You can see another example of these emails here. There is more than one URL being used for this attack, so be alert!

Smells Like a Copycat SQL Injection In the Wild

Mon, 28 Jul 2008 01:51:23 +0000

In between the massive SQL injections, that as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools using public search engine's indexes as a reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js using day.js to attempt multiple exploitation using publicly obtainlable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1, GLIEDown.IEDown.1, and targeting primarily Chinese web communities.

Compared to a bit more sophisticated attack tactics applied by Chinese hackers, taking advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains as well as the exploits themselves are parked on the same plaee - 222.216.28.25, also responding to :

down.goodnetads .org
ads.goodnetads .org
real.kav2008 .com
hk.www404 .cn
err.www404 .cn
mx.content-type .cn
sun.63afe561 .info
ads.633f94d3 .info
ads.1234214 .info
ad.50db34d5 .info
ads.50db34d5 .info
ad.8d77b42a .info
web.adsidc .info
free.idcads .info
free.cjads .info
ads.adslooks .info
list.adslooks .info
ad.5iyy .info

The SQL injected domains :
ads.633f94d3.info/day .js
ad.8d77b42a.info/day .js
ad.5iyy.info/day .js
free.idcads.info/day .js
efreesky.com/day .js
v.freefl.info/day .js

The internal structure :
free.idcads.info/f/index .htm
free.idcads.info/014 .htm
free.idcads.info/real11 .htm
free.idcads.info/real10 .htm
free.idcads.info/lz .htm
free.idcads.info/bf .htm
free.idcads.info/kong .htm
free.idcads.info/f/swfobject .js
ad.50db34d5.info//rm%5C/rm .exe

Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100 :
ftp.gggjjj .info
live.ads002 .net
log.goodnetads .org
dat.goodnetads .org
root.51113 .com
sun.update999 .cn
abb.633f94d3 .info
up.50db34d5 .info
web.cn3721 .org
dat.goodnetads .org
cs.rm510 .com
sb.sb941 .com
k.sb941 .com
info.sb941 .com
day.sb941 .com
post.ad9178 .com
v.91tg .net

Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.

Related posts:
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Links for 2008-07-24 [del.icio.us]

Thu, 24 Jul 2008 20:00:00 +0000

Event Log Subscriptions in Windows Server 2008 (and Vista) - Realtime Windows Server
Redmond | Column: Syslog ... 20 Years Later
San Francisco network lockup justifies CIO fears
A determined IT staffer has countless opportunities to sabotage a business's operations. Eliminating that risk is impossible, experts say, and minimizing it requires a series of security efforts that go beyond the IT department and extend across the busin
Understanding Windows Logging

We should all be this bad - Microsoft is dead, long live Microsoft!

Wed, 23 Jul 2008 20:57:02 +0000

I have written before about what a joke I think it is when people write that Microsoft???s best days are behind it and that their corporate grave is already being dug. Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure. Don Dodge had a good article up the other day about Microsoft???s recent end of FY numbers. The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before! They dropped 17.6 billion (again with a b) to the bottom line. To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year. Microsoft grew 9 billion in revenue last year. That is they grew organically more than a whole Yahoo. You can check out Don???s article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down? If you were a betting person, would you be betting against this monster? I would not be. Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in prospective.