Blackmoor Vituperative

Tuesday, 2006-12-19

Replace SMTP, damn it!

Filed under: Security — bblackmoor @ 00:38

Spam has exploded in the last several weeks. 9 out of 10 emails in 2006 were spam. It’s been so bad it has caused delays and even shutdowns on some networks. It’s ridiculous. The SMTP protocol is way, way past overdue for replacement with something that has authentication built in, and it really pisses me off that it hasn’t been replaced by now. I am sick to death of people saying that it isn’t practical — the choice will soon be either to replace SMTP or to stop using email at all. Stop making excuses and replace the damned protocol. Here’s one suggestion. Here’s another. Get it done.

At this point I don’t even think it’s worth the effort of reporting spam to services like SpamCop. That’s like calling the police every time you see someone driving over the speed limit. It’s just a waste of time, because it makes no difference.

Monday, 2006-12-18

High Assurance SSL

Filed under: Security,The Internet — bblackmoor @ 17:49

Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.

That little lock icon in the browser and the “https” in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.

Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.

A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be “Extended Validation,” but they are more widely known as “High Assurance” SSL certificates.

(from IIS Zone, High Assurance SSL)

e-Passport cracked in five minutes

Filed under: Security,Society — bblackmoor @ 11:34

Last month a panel of EU experts warned that the e-Passport’s security is “poorly conceived”, and a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying “It is hard to see why anyone would want to access the information on the chip.”

Friday, 2006-12-15

Third MS Word code execution exploit posted

Filed under: Security — bblackmoor @ 22:14

Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker’s struggles to keep up with gaping holes in its popular word processing program.

The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened.

Microsoft has not yet publicly acknowledged the vulnerability, but the United States Computer Emergency Readiness Team issued an alert to warn that Word documents can be manipulated to trigger code execution or denial-of-service attacks.

(from eWeek, Third MS Word Code Execution Exploit Posted)

At this point I just have to ask… why the hell is anyone still using MS Office? Fool me once, shame on you, fool me over and over and OVER AND OVER again, for years on end, and maybe I’m just too damned stupid to be permitted to operate a computer. I think anyone still using MS Office falls squarely into that category.

Thursday, 2006-12-14

‘Logic bomb’ backfires on idiot hacker

Filed under: Security — bblackmoor @ 11:21

A former UBS PaineWebber employee was sentenced to eight years in prison on Wednesday for planting a computer “logic bomb” on company networks and betting its stock would go down.

The investment scheme backfired when UBS stock remained stable after the computer attack and Roger Duronio lost more than $23,000.

(from ZDNet, ‘Logic bomb’ backfires on insider hacker)

Dumbass hackers.

Wednesday, 2006-12-06

Microsoft issues MS Word zero-day attack alert

Filed under: Security,Software — bblackmoor @ 14:03

Microsoft on Dec. 5 warned that an unpatched vulnerability in its Word software program is being used in targeted, zero-day attacks.

A security advisory from the Redmond, Wash., company said the flaw can be exploited if a user simply opens a rigged Word document.

[…]

There are no pre-patch workarounds available. Microsoft suggests that users “not open or save Word files,” even from trusted sources.

(from eWeek, Microsoft Issues Word Zero-Day Attack Alert)

Why are you still using MS Office? Does a house have to fall on you? Uninstall it and switch to OpenOffice, you knuckleheads.

Monday, 2006-11-06

For pete’s sake, disable ActiveX!

Filed under: Security — bblackmoor @ 12:07

The US Department of Homeland Security has warned that attackers are exploiting an unpatched flaw in Windows to compromise systems via malicious websites.

Microsoft on Friday said it was investigating reports of a newly discovered, unpatched bug in the XMLHTTP 4.0 ActiveX control, which it confirmed was being exploited on malicious sites. The bug has the potential to infect a large number of systems. Since it doesn’t require any user interaction, a user must merely use Internet Explorer to visit a site containing the exploit.

(from TechWorld, Windows hit by zero-day flaw)

Does a house have to fall on you people for you to get the message?

  1. Don’t use Internet Explorer!
  2. Don’t use or enable ActiveX!

Thursday, 2006-10-19

Spam on the rise

Filed under: Security — bblackmoor @ 14:14

Oct 19, 2006

SpamCop and others are monitoring a huge global increase in spam volumes that started late last week. Networks are reporting anywhere from 30-50% increases in spam volume. On our system, this is causing occasional mail delays as our filtering systems struggle with the load. We’re working on installing more systems in the filters to increase our capacity but this won’t be finished for around a week. In the meantime, we may have delays during the middle of the day. We’re aware of the problem and doing what we can to mitigate it until all the new systems are operational.

(from SpamCop Email System News)

I have been getting swamped with spam over the last few days. Most of it has subject lines like “Momentous letter. You must to read.”

We really need a replacement for SMTP. Like, five years ago.

Monday, 2006-10-02

Hackers claim zero-day flaw in Firefox

Filed under: Security — bblackmoor @ 18:06

Jesse Ruderman, a Mozilla security staffer, attended the presentation and was called up on the stage with the two hackers. He attempted to persuade the presenters to responsibly disclose flaws via Mozilla’s bug bounty program instead of using them for malicious purposes such as creating networks of hijacked PCs, called botnets.

“I do hope you guys change your minds and decide to report the holes to us and take away $500 per vulnerability instead of using them for botnets,” Ruderman said.

The two hackers laughed off the comment. “It is a double-edged sword, but what we’re doing is really for the greater good of the Internet. We’re setting up communication networks for black hats,” Wbeelsoi said.

(from ZDNet, Hackers claim zero-day flaw in Firefox)

On the bright side, the idiot hackers have publicly confessed, so the federal case against them when their crime goes to court should be a slam dunk. Say hello to your new cellmate, hacker scumbag.

Update:

Apparently it was just a joke. Just good-natured fun. Those wacky hackers.

Tuesday, 2006-09-19

Porn sites exploit new IE flaw

Filed under: Security,Software — bblackmoor @ 23:59

Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged Web sites, experts warned Tuesday.

[…]

“Fully patched Internet Explorer browsers are vulnerable,” Ken Dunham, director of the rapid response team at VeriSign’s iDefense, said in an e-mailed statement. “This new zero-day attack is trivial to reproduce and has great potential for widespread Web-based attacks in the near future.”

(from ZDNet, Porn sites exploit new IE flaw)

On the one hand, I am curious why ZDNet specifically mentions porn. The exploit could just as easily be on a web site with photos of kittens. On the other hand, I am wondering why on the gods’ green earth anyone is still using Internet Explorer to begin with. Use Firefox, you knuckleheads!
