AT&T Customers enjoy Starbucks WiFi
AT&T continues its dominance in the connectivity department with this news. AT&T has supplanted T-Mobile as the WiFi provider for the 12,000+ Starbucks stores in the US. If you are an existing AT&T DSL customer, you simply use your AT&T username/login to connect. Glenn Fleishman’s excellent commentary here.
I would expect some iPhone applets to be coming in the future. This synergy promotes too many marketing opportunities.
More intelligent spammers
0 Comments Published December 20th, 2006 in Spam, Exploits/Vulnerabilities
I suppose there are two ways for a spammer to evolve their craft: 1) create a better piece of malware (package), or 2) create a better invitation.
Although the packages have progressively been getting better, I’ve been of the opinion that the invitations have not improved at the same pace.
However, I did receive an interesting semi-targeted spam today that made me curious. Here’s the text:
——————————————————————————–
Mr Trenton Zakary , recommended us your company Exclamake!. Below you will find a proforma invoice with the full details of our first order. Please sign and send back to us by fax or email: proforma-invoice
Thank you in advance, and contact us as soon as you can, with a full offer. Also let us know if the prices you published here at http://www.apicella.org/ are right or not.
——————————————————————————–
Manager Kobe Derick .
Hunter & Soons LLC, California
Phone: 388-638-6978
Fax: 942-552-8828
Note that it’s well written, provides some information that it’s a local company (California), and has our complete company name with the exclamation point, the linked-to apicella.org appears legit, and no spelling errors!
Now where it lacks some credibility: the area codes for Phone and Fax don’t match, neither area code exists, the header says the message is from Branson & Soons LLC while the footer says it is from Hunter & Soons LLC, and the reply email is noreply@superpages.com.
Clicking on the proforma-invoice link takes you to a webpage with a thumbnail of a .scr file (with who knows what kind of package). The html file itself is exploiting one of the more recent XML4 vulnerabilities. Microsoft identifies it as HTML/Xmlreq.A; ISC has info here. My guess is that my email address (company inbox) was harvested from superpages.com and this spam was generated from a script that inserts the state.
Be careful!
Microsoft SBS R2 (and R1) Still Not Shipping
0 Comments Published September 12th, 2006 in SBS, Microsoft
I’m disappointed in Microsoft here. Beginning last week (September 5th) I’ve been trying to order a Small Business Server (SBS) Standard license but am unable. It seems that Microsoft has introduced R2 (again) but does not have the media kits available. In addition to that, they’ve discontinued SBS Standard 2003 (R1) SKUs so that nothing is available in an SBS flavor. This is a particularly bad mistake since Microsoft always has one version back available to satisfy downgrade rights.
Even as of today, Microsoft reps have no ETA. I’ve been googling and checking the blogs for information similar to this, but still haven’t seen any, so it comes to me I guess! Hopefully they’ll be able to ship something very soon. Hard to keep busy when there’s no Microsoft software to install!
Update: As of 9/15, SBS Standard and Premium R2 licenses can be ordered, but media kits for Standard are sporadically being backordered and Premium media kits are definitely backordered. So, Microsoft’s now taking my money… I guess that’s progress.
Bump Keys and How They Illustrate Common Security Principles
1 Comment Published August 17th, 2006 in Physical Security, Security
I became aware of bump keys during media coverage of the HOPE conference in NYC. To those unfamiliar with the term, it’s a technique that allows an individual to open the majority of mechanical locks (one estimate is 90%) by using a special key and tapping or bumping it. With practice, the lock can be opened in a few seconds and leaves no evidence of a break-in. There is a well-written Dutch news segment that provides a nice overview. Note that this program aired in April 2005.
That segment made a large “wow” impact on me. I’m amazed and unsurprised simultaneously. As I keep up-to-date with network and data security, it’s not a shock that the principles causing the risk and mitigating methods to reduce the risk are the same. Some observations:
- Motive
I know this may seem obvious, but it’s worth stating the cause of the issue. As long as certain people want to steal, whether for the excitement, or money, or both, security will be an issue. The other fact that’s equally obvious is that society, as a whole (sweeping statement here), does not seem to be getting more ethical, but less so. This trend in motivation, coupled with tools/knowledge (next point), has led to an increase in attempted break-ins. I don’t think a statistic is necessary here.
- Sophisticated tools and training are easily accessible to unsophisticated masses.
First requirement… how do you get the ‘special’ bump keys? Well, a quick google yields a lot of info: how to make your own keys with a key machine, or buy a set on eBay, or buy a set from a company called Multipick-Service. The point is, just as with network security break-in tools, these are readily available. Second requirement… how do you master the technique? Again, there are many sources of info on this. You can find videos on Google or YouTube, PDFs on TOOOL, and many other blogs are documenting their successes and failures with specific types of locks. Practice is easy: buy a lock and try at home!
- Layered Security is a Necessity
Most property owners realize that they need more than a single lock to protect their belongings. A door lock is supplemented with additional locks (access control), a security alarm system (more access control and intrusion detection), and a video surveillance system (intrusion detection and reporting). One of the big concerns with bump keying is that there is no evidence that a break-in occurred. Yes, you’re missing your plasma TV, but the insurance company has no proof of a burglary. Layered security would provide that proof. I find there is a tremendous parallel between this and network security. So many of my clients have insisted that they have never been a break-in target, yet have no reporting mechanism or IDS to really know. In contrast with a physical burglary, where it’s obvious that the family jewelry is gone, when we’re talking about data, theft means taking a copy, often without altering any obvious systems.
- Disclosure is Best
You either agree or disagree, but disclosure of bump keying is the best way to mitigate it. I am glad that there is public awareness over this so I can now take steps (most very simple) to mitigate the risks. Yes, awareness will also expose this information to those who mean harm, but the most malicious individuals assuredly knew of this break-in technique before I did, so now I’m glad that I can make defenses. I’ll take knowledge over ignorance every day.
Since I don’t know anyone that leaves their home unlocked when they leave, these comparisons are useful in explaining principles to business owners on network security.
Have a secure day!
Windows Malicious Removal Tool Statistics
0 Comments Published June 13th, 2006 in Antivirus, Security, Microsoft
Microsoft has released a statistical report on the results of the Malicious Software Removal Tool. The MSRT was released in January 2005 and has had mostly monthly updates since then. If you use Windows Update, Microsoft Update, or Automatic Updates, you most likely have this tool running on your computer.
It should be used in addition to your other desktop defenses because it does not scan for spyware and only scans for a subset of viruses deemed malicious. Also, it does not run in real-time, so it cannot be relied on for comprehensive coverage.
The MSRT has been installed on 270 million computers in 24 languages, so it gives a broad base to report on. The report brings out many statistical features and is a good read. It’s a long document, but some of the highlights I took note of:
- Backdoor trojans are the most popular malicious software, by far. 62% of infected computers contained at least one backdoor trojan. The most prevalent type of trojan was the bot, facilitator of the zombie networks.
- The rate of infected computers has been relatively constant at about 0.3%.
- Of the infected computers, the majority have not run the MSRT before. This is an interesting one to me because it highlights that it’s the newer computers that are more at risk. The interesting thing here is that there is a very small time delta between a new computer being put into service and the MSRT being downloaded by Automatic Updates. Malware’s getting in quickly.
- Windows SP2 is a necessity if you want better protection.
The full report can be found here in a Word document. Enjoy!
New spam set with strange characteristics
I received the following spam this morning:
X-Gmail-Received: 578cab460a32ed1cfe13cfa928001cd18b82b1c4
Delivered-To: e.smythe@gmail.com
Received: by 10.64.142.6 with SMTP id p6cs151534qbd;
Tue, 6 Jun 2006 05:48:51 -0700 (PDT)
Received: by 10.48.233.5 with SMTP id f5mr5313000nfh;
Tue, 06 Jun 2006 05:48:51 -0700 (PDT)
Return-Path:
Received: from barhatova.org ([193.27.215.43])
by mx.gmail.com with SMTP id v20si6495368nfc.2006.06.06.05.48.50;
Tue, 06 Jun 2006 05:48:51 -0700 (PDT)
Received-SPF: neutral (gmail.com: 193.27.215.43 is neither permitted nor denied by domain of e.smythe@gmail.com)
Date: Tue, 06 Jun 2006 16:48:08 +0300
To: "E.smythe"
From: "E.smythe"
Subject: 57657
Message-ID:
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
From: E.smythe [e.smythe@gmail.com]
Sent: Tuesday, June 06, 2006 6:48 AM
To: E.smythe
Subject: 57657
5556
The interesting thing is that I don’t have the email address e.smythe@gmail.com, but esmythe@gmail.com. Wondering about that.
Also, the message text is just what is posted above. A 4-digit code, non-encoded.
SANS also has a journal entry on what appears to be the same generator.
UPDATE: Symantec has identified this spam as a variant of the Beagle virus.
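The header oddities called out above (sender equal to recipient, SPF neutral, a dotted Gmail address that is not the mailbox's own, a numeric subject and body) can be turned into a simple triage check. This is an added example, not code from the original post; the sample message is constructed from the quoted headers with the addresses filled in from the forwarded block, and the `mailbox` parameter is an assumed input naming the account's real address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above. Return-Path and
# Message-ID were blank on the page; Return-Path is kept as a null sender here.
SAMPLE = """\
Delivered-To: e.smythe@gmail.com
Return-Path: <>
Received: from barhatova.org ([193.27.215.43])
 by mx.gmail.com with SMTP id v20si6495368nfc.2006.06.06.05.48.50;
 Tue, 06 Jun 2006 05:48:51 -0700 (PDT)
Received-SPF: neutral (gmail.com: 193.27.215.43 is neither permitted nor denied by domain of e.smythe@gmail.com)
Date: Tue, 06 Jun 2006 16:48:08 +0300
To: "E.smythe" <e.smythe@gmail.com>
From: "E.smythe" <e.smythe@gmail.com>
Subject: 57657
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

5556
"""


def triage(raw, mailbox):
    """Return the suspicious traits found in a raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # Self-addressed mail: the sender simply copied the recipient address into From.
    if sender and sender == rcpt:
        findings.append("from-equals-to")
    # Gmail ignores dots in the local part, so e.smythe@ and esmythe@ land in the same
    # inbox (Gmail behaviour, not stated on the page); a variant the owner never uses
    # suggests a generated or harvested address list.
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    if delivered and delivered != mailbox.lower():
        findings.append("delivered-to-differs-from-mailbox")
    # Anything other than an SPF pass for a self-addressed message is worth noting.
    spf = (msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    if spf and spf != "pass":
        findings.append(f"spf-{spf}")
    # A null return path on a non-bounce message is a common bulk-mailer trait.
    if msg.get("Return-Path", "").strip() in ("", "<>"):
        findings.append("empty-return-path")
    if re.fullmatch(r"\d+", msg.get("Subject", "").strip()):
        findings.append("numeric-subject")
    body = msg.get_payload(decode=True) or b""
    if re.fullmatch(rb"\s*\d+\s*", body):
        findings.append("numeric-body")
    return findings
```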
Your Security Software Might Be Your Security Problem
0 Comments Published May 30th, 2006 in Antivirus, Exploits/Vulnerabilities, Security
Got back from vacation this morning to discover a fresh vulnerability for Symantec Antivirus. This particular vulnerability allows for remote code execution, not good.
This is an interesting trend, as several antivirus products have created their own share of problems. There was the bad McAfee virus definition that deleted Microsoft Office files and the ClamAV antivirus remote code execution vulnerability.
This further emphasizes the point that security is a layered defense and you should not be relying solely on your antivirus product to catch everything.
The other obvious point is that Symantec and others in the business of security need to turn an eye toward their own products.
Source: Symantec Security Response
Very inventive targeted attack through Word attachment
0 Comments Published May 19th, 2006 in Exploits/Vulnerabilities, Intrusion Detection/Prevention, SonicWALL, Security
SANS is reporting a targeted attack on a particular company. This attack begins with email from a domain that closely resembles the company’s own domain, so that it appears to be an internal email. The attached Word file uses an undisclosed exploit to extract and execute a Trojan. Another interesting bit is that it overwrites the attached Word file with a ‘clean’ copy so that everything appears fine after the fact. This attack was not picked up by spam filters or antivirus.
In short, this is a nasty one.
Lessons… Hmm… This is a tough one to defend. I’d like to know if the user was running with Admin privileges. Also, was the Word exploit triggered through a macro? UTM firewalls like the SonicWALL allow blocking of Microsoft Office files that contain VBA scripts. It would be interesting to see if such a policy would have prevented this exploit.
Still, it demonstrates the challenges of defending against targeted attacks. It’s a dangerous world out there!
Source: SANS - Internet Storm Center
Business Managers Are Interested in Security!
We just completed our second network security seminar in San Luis Obispo, Recovering From a Network Break-In: How Loyal Would Your Clients Be? The seminar was well-attended and very well received. Attendees learned how security threats are increasing through exploits and vulnerabilities, with specific examples cited, and we covered how SMBs can add cost-effective, comprehensive defenses to their networks.
Our next free seminar will be held July 12, 2006 at 4:00pm at the Holiday Inn in Grover Beach. Please email info@exclamake.com if you would like to reserve a seat.
Unified Threat Management: The Secure SMB’s Friend
0 Comments Published May 4th, 2006 in Firewalls, Security
Larry Seltzer of eWeek weighs in on UTM (Unified Threat Management) for the small business.
In the meantime, the reasons to buy one are still compelling: networkwide protection, a second source of protection besides your desktop vendor, access to extra features like content filtering, and easier management.
About
The exclamake! blog is published by Ean Smythe, principal of exclamake! and offers viewpoints and methods useful to networking, network security, and managed services for small and medium businesses (SMB).