Digital Choke Daynotes

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations of the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.


Sunday, July 18, 2004

Back, just like a bad penny. Not sure what that means. How can a penny be bad? Which led to a short sidetrack to Google, which gave me a link that contained this information:

BAD PENNY noun: The phrase is usually heard in this country as ‘A bad penny always turns up,’ meaning that a no-good person can be counted upon to come back again and again. The expression was originally English and the unit of currency referred to was the shilling. Sir Walter Scott, in one of his early-nineteenth-century novels, wrote: ‘Bring back Darsie? Little doubt of that. The bad shilling is sure enough to come back again.’ [Morris Dictionary of Word and Phrase Origins]

See, you learned something. Permission granted to use this information during a lull in a conversation at your next boring party.

Noticed on the F-Secure site (anti-virus vendor; their 'blog' is here) that they have reported the 'first' Pocket PC virus, which they call "Duts". It is a 'proof-of-concept' virus that appends itself to all executable files found on the device. Although this one is not expected to be widespread, proof-of-concept code is usually the forerunner of more damaging viruses. McAfee talks about it here; Symantec here. Expect to see more about this type of virus in the future, along with much excitement from the computer press. (Note that, per our habit, all links here will open up a new window.)

The Internet Storm Center warns of problems with PHP servers. One of them involves strip_tags, the function that 'sanitizes' user input by removing HTML tags; it is exactly the kind of filter a site relies on to keep visitors from injecting script into its pages. The function does not treat a NULL byte inside a tag name as part of the name, so a tag the filter should have removed can slip past the allowed-tags check, and the browsers of the day (which ignored the NULL) then rendered it. The result is cross-site scripting against the site's visitors rather than command execution on the server, but it still turns a 'sanitized' page into a delivery vehicle for an attacker's script. Patches are out (PHP 4.3.8 and 5.0.0). Info on the CVS site here and here. Note that PHP is commonly bundled and enabled on Apache-based web servers, so check your installation even if you don't think you run any PHP applications.
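To make the failure mode concrete, here is a small model of the bug class in Python. It is an added illustration, not code from this site and not PHP's strip_tags() source: the allowlist, the payload, and the function names are invented for the demo, and the exact tag shape that bypassed PHP's own implementation is not reproduced. What it does reproduce is the mismatch that matters: the filter judges a NULL-truncated tag name but copies the raw tag through, while the browser drops the NULL and reads the whole tag.

```python
import re

# Matches one tag: optional '/', the name (up to whitespace, '>' or '/'),
# then anything up to the closing '>'.  Deliberately simple; this is a
# model of the bug class, not a real HTML parser.
TAG_RE = re.compile(r"<\s*(/?)\s*([^\s>/]*)[^>]*>")

# Constructed allowlist and payload for the demo.
ALLOWED = {"b", "i"}
PAYLOAD = "<i\0mg src=x onerror=alert(1)>hi<script>evil()</script>"


def c_string(s):
    """What C's strstr/strcmp see: the bytes up to the first NUL."""
    return s.split("\0", 1)[0]


def strip_tags_buggy(html, allowed):
    """Allowlist sanitiser with the flaw: the allow check uses the
    NUL-truncated name, but the raw tag text is copied through verbatim."""
    def keep(m):
        name = c_string(m.group(2)).lower()   # BUG: 'i\0mg' compares as 'i'
        return m.group(0) if name in allowed else ""
    return TAG_RE.sub(keep, html)


def strip_tags_fixed(html, allowed):
    """Drop NUL bytes before any decision, judge the full name, and emit a
    normalised tag so attributes never ride through on an allowed tag."""
    html = html.replace("\0", "")
    def keep(m):
        closing, name = m.group(1), m.group(2).lower()
        return f"<{closing}{name}>" if name in allowed else ""
    return TAG_RE.sub(keep, html)


def browser_view(html):
    """Browsers of the time (IE, Safari) ignored NUL bytes inside markup."""
    return html.replace("\0", "")


if __name__ == "__main__":
    out = strip_tags_buggy(PAYLOAD, ALLOWED)
    print(repr(out))                          # the <i\0mg ...> tag survives
    print(browser_view(out))                  # <img src=x onerror=alert(1)>hievil()
    print(strip_tags_fixed(PAYLOAD, ALLOWED)) # hievil()
```

The fixed version also normalises allowed tags down to a bare `<b>` or `<i>`, which is stricter than the real strip_tags() (it keeps attributes on allowed tags); if your application needs attributes, validate them explicitly rather than passing the raw tag through.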

Another on-going problem is with 'phishing'. Internet Storm Center says:

A reader contacted the ISC early on Friday morning to report yet another online banking scam. In this case, the victim receives a forged email from PayPal instructing them that their account appears to have unauthorized access attempts and they need to change their password for their protection. Clicking on the embedded link takes the victim to a web site hosted by a cable modem user near New York City.

If the victim is using Internet Explorer and the browser is not patched for the .chm exploit, the victim's browser is directed to download several files including executables from a web hosting site in Atlanta. The .chm patch is included in the latest cumulative security update for Outlook Express at http://www.microsoft.com/technet/security/bulletin/ms04-018.mspx

The files on the Atlanta site attempt to capture login and password activity, then upload that information to a data repository at the same site. As of early morning on July 16th there appears to be over 11,000 victims with over 16,000 captured passwords and account information. The data collection starts in early May and is unfortunately still continuing. The Atlanta site has been notified. The Department of Homeland Security and US-CERT have also been notified.

This scam won't work if you have kept current with IE patches.

Speaking of Microsoft patches, MS04-022 fixed an unchecked buffer in the Windows Task Scheduler. The patch was released last Tuesday. Exploits are already in the wild (see the Internet Storm Center "Handler's Diary" entry here). Once again, note the short time between the patch release and the exploit release. Another reason to keep your patches current.

Just returned from a couple of days at the cabin. Very relaxing. Didn't use the computer once (although I did bring it along). I did read the "Malware" book (by Ed Skoudis, recommended). Quite interesting; worth a read if you are interested in how to exploit systems, or how to prevent the exploit of your system. Recommended.

Monday, July 19, 2004

Back to work after a long weekend, and was greeted by a virus update from the McAfee folks. That update was due to one of the Bagle virus variants. That's the virus that comes in a password-protected zip file. So you have to be really determined to give yourself this virus.

Then a bit after lunch, McAfee releases a second update, so I sent this along to Jerry Pournelle (he has a few more readers than I do).

Various Bagle virus variants are becoming widespread. The AV companies are paying attention; McAfee released two updates in one day (currently at version 4379 as of about 2pm PDT).

The current crop of Bagles will try to disable any anti-virus and firewall protection found. The intent appears to be to allow the infected computer to be used as a 'bot' (a remotely controlled computer, used for spam or other evil purposes). If you get infected, it's probably best to rebuild your system (and any others that are on the same network). Data backups are getting more important.

Expect more Bagle variants, as the source code is widely available (and included in some variants of Bagle).

I installed the current version of McAfee VirusScan Enterprise 7.x on my laptop. We have a corporate license for the McAfee products, and are in the first stages of rolling out ePolicy Orchestrator to manage the anti-virus configuration of our computers and servers. All of the workstations are on VirusScan version 4, so we are going to use ePolicy to roll out the update to the current version. So a manual installation on my system will help me get familiar with the new version.

During the anti-virus install, it found my test URL-obscuring pages on this site (here and here; I think all needed files are in place), and deleted them. So I had to exclude that folder so the links still work. Note that the exploits on those pages shouldn't work if you have been keeping current on your patches.

Tuesday, July 20, 2004

Not much to report today. The usual stuff at work. Updated the desktop computer at home with a few things, and got rid of a few programs no longer needed on that system. Installed Spybot Search and Destroy, and found a few things to get rid of on that system. Ran a virus scan, and found a couple of viral-type programs, but they were some security scanning tools that I used a while back. And made some changes to the D-Link router's firewall settings for a bit more security. A ShieldsUP! test showed all the bad ports are closed, with a few in stealth mode. That's a good test to run to check out firewall settings.

In fact, each of those tasks is good to run on a regular basis:

Perhaps tomorrow will be a bit more exciting.

Although I did find an interesting opinion on the fallout from the 'download.ject' attack of a couple of weeks ago. (See my simple analysis here.) Ed Foster's "Gripe Log" (he's a columnist for InfoWorld) mentioned what I have been wondering about for a while. I'll let him introduce it; the link is here:

An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.

In the wake of the Scob/Download.ject attack a few weeks ago, a reader wrote with an interesting observation. "The successful compromise of IIS 5.0 servers worldwide, leading to infection of many client machines visiting them that used IE web browser, has been covered massively," the reader noted. "It has also been widely reported that many popular and well known sites were infected, thus infecting their users. OK: WHO WERE THEY? ... There appears to be a concerted cover-up. What this tells me is some heavy hitters were probably hit, they infected a whole lot of visitors, and they are now afraid of lawsuit city."

Suggest that you read the whole article, and the comments (although some comments are predictable).

Wednesday, July 21, 2004

A productive day at work; I got a bit organized and sent out some draft security guidelines on a couple of subjects. One was the proper security settings for a Windows server, the other was a compilation of all the current "Acceptable Use" policies in our organization.

And I found a bug in the SurfControl Web Filter product. We have it configured to keep a log of all Internet access. This helps us determine the load on our Internet 'pipe'. The log file includes the Novell NDS user name, web site accessed, and other information. It should be noted that we have followed recommended practices for notification to users about this web browsing monitoring. (See the report on "Is That a Felony on Your Computer?".)

It turns out that a user name with a space character at the end works just fine in Novell, but the Web Filter program can't handle that value in an access rule. This particular user needed access to a normally blocked category, but each time that the user name was added to the 'OK' rule, the entry disappeared. It was quite puzzling, until I noticed that the fully distinguished name of the user object (user name plus container names) showed a space at the end of the user name, as in "JoeUser " rather than "JoeUser". A test with a different space-enabled user name proved my hypothesis. That bit of detective work took a bit of time.
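The lesson in that bug is that the directory accepted a value a downstream product could not match. A check for that class of problem, written here as an added Python example (not from this site, and not SurfControl's or Novell's code), walks a list of distinguished names and flags values with leading, unescaped trailing, or control-character whitespace, then shows why an exact-match rule lookup silently fails for such a user. The sample DNs are constructed for the demo.

```python
import re

# Constructed sample of directory-style distinguished names, including the
# trailing-space case that makes a rule entry vanish.  Made-up names.
SAMPLE_DNS = [
    "cn=JoeUser ,ou=Sales,o=Corp",   # unescaped trailing space in the CN
    "cn=JaneUser,ou=Sales,o=Corp",   # clean
    "cn= Bob,ou=IT,o=Corp",          # leading space
    "cn=Al\\ Smith,ou=IT,o=Corp",    # escaped space: legitimate, not flagged
]

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return [(attr, value), ...]; values are left exactly as stored so the
    caller can see what a downstream product will actually compare."""
    pairs = []
    for rdn in RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip().lower(), value))
    return pairs


def audit_value(value):
    """Describe whitespace problems in one attribute value.  An escaped
    trailing space ('\\ ') is correct per RFC 4514 and is not flagged."""
    problems = []
    if value.startswith(" "):
        problems.append("leading space")
    if value.endswith(" ") and not value.endswith("\\ "):
        problems.append("unescaped trailing space")
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        problems.append("control character")
    return problems


def audit_dns(dns):
    """Map each problem DN to its list of findings; clean DNs are omitted."""
    report = {}
    for dn in dns:
        problems = []
        for attr, value in parse_dn(dn):
            problems += [f"{attr}: {p}" for p in audit_value(value)]
        if problems:
            report[dn] = problems
    return report


def rule_matches(rule_user, directory_user, normalise=False):
    """Exact-match lookup, as a product that stores the bare name does,
    versus a lookup that trims and case-folds both sides first."""
    if normalise:
        return rule_user.strip().lower() == directory_user.strip().lower()
    return rule_user == directory_user


if __name__ == "__main__":
    for dn, problems in audit_dns(SAMPLE_DNS).items():
        print(dn, "->", "; ".join(problems))
    print(rule_matches("JoeUser", "JoeUser "))                  # False
    print(rule_matches("JoeUser", "JoeUser ", normalise=True))  # True
```

Run the audit against an export of your user objects before loading names into any product that keys rules on the bare user name; fixing the value in the directory is better than teaching every consumer to trim.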

On another subject, did you know that the original digital media viewer is now 65 years old? I'd bet that you (yes, both of you regular readers) had one when you were younger. And if you are a parent, it's highly likely that you have bought one for your children. And if you are a grandparent (as I am), I bet that you have bought several of them (there's one in the toy closet here).

Yes, folks, the "View-Master", that toy of everyone's youth, was invented back in 1939. Full details in this ABCNews story. And did you know that there are View-Master collectors? (eBay has over 2,700 listings.) And that Fisher-Price has a special anniversary edition?

Thursday, July 22, 2004

I got an interesting email today. It seems that I've won $2.5 million in a lottery. The neat thing about that is that the lottery headquarters are at an address that is just a few blocks away from my office.

Although I do have to contact a person in the Netherlands, I think that it would be much more efficient if I just went to the local office, bypassing the middleman. I'll just need to take along my checking account information, perhaps my ATM card (with the PIN on a yellow sticky-note), and maybe my credit card number, along with the numbers printed on the back of the card. That will help identify me as being the winner. So I won't have to go to work next week, even with taxes taken out of my winnings. I'd have more money than Ken on "Jeopardy".

Not.

There are a few problems. The email shows the address is on "North 10th Street" (there is no "North 10th Street" around here), and the zip code is slightly dyslexic. And it's too bad that nobody at the lottery place is able to write in proper English. (Although there are some around here that say the same thing about me.)

So, perhaps I'll pass up this opportunity. I should be able to get a better one the next time I check my email. There are millions of dollars available in every email I get. (One of many sites that try to out-scam the 419 scammers.)

Saturday, July 24, 2004

Much accomplished today. Started out by planting some ground cover in part of the back yard to add a bit of color. The back yard was fully landscaped by the previous owner. Most of the back yard is a patio, with curved edges framing the planting area. The plantings are a bit formal (I guess that is the term), a nice variety but mostly shrubs. There is a bit of ground cover in a couple of the areas, but lots of open space (mulched) between the plantings. There is also a complete drip system in place; every plant has its own dripper.

So we thought that a bit more ground cover was in order. A trip to Lowe's last night to pick up a flat or two, and then about an hour of planting this morning before it got too hot. It turned out nice, but not as fancy as Brian Bilbrey's place. His thumb is much greener than mine.

I also washed the exterior windows (Windex hose-mounted thing, so not too hard) in the back while the sun was on the other side of the house. The plan was to do the front windows in the afternoon, while they were still in the shade.

But then the grandkids stopped by. It was still in the morning, so I took them over to the park while Pam and Christine (and Max) went shopping. Both sets of travelers had a good time, and we got home about the same time.

Pam picked up a small wading pool (8 foot diameter, about 30 inches high, liner fully attached) for under $5, so my job was to fill up the pool while they ordered and picked up the pizza. After lunch, the kids got into their swimming suits (Pam just happened to pick up one for each of them in her shopping trip) and had a good time out there in the water for about an hour. Then back inside for some movies and snacks.

We had a quick dinner (french toast for the kids) and then they were off. So the evening turned out to be pretty quiet.

... more later ...

 

Entire Site Contents Copyright (c) 2000-2004    Two Bridges Group,   All Rights Reserved