Spyware Sucks

Windows Vista: Windows Update fails–stuck at “Preparing to install updates”

sandi — Fri, 03 Feb 2012 05:22:21 GMT

I’ve been having a terrible time today updating one of my virtual machines ready for the next round of testing that I need to do. The darned thing was stuck on “preparing to install updates” for a good hour, with no discernable network traffic, and yes, the WU service was running as it should.

Thankfully I was able to fix the problem. Here’s how, in hopes y’all may find useful:

Click Start, Run, type: cmd. Right click the Program Menu entry that appear and select “Run as Administrator”. Press Enter. Run the following command in the opened window:

Net stop WuAuServ
Wait for the process to finish.
Click Start, Run, type: %windir% and press Enter.
In the opened folder, rename the folder SoftwareDistribution to SoftwareDistributionOLD
Click Start, Run, type: cmd. Right click the Program Menu entry that appear and select “Run as Administrator”. Press Enter. Run the following command in the opened window:

Net start WuAuServ
Wait for the process to finish.
Reboot.

Nice to know my IE site is still useful sometimes :)

sandi — Mon, 16 Jan 2012 00:20:15 GMT

SPAM: “official-reader-upgrade.com”

sandi — Tue, 20 Dec 2011 06:52:51 GMT

It’s not legit people:

Click on the link you end up here:

But click on “Download Now” and look where you end up…

And, of course, it’s not free…

Interestingly, the McAfee logo is not clickable

We get it–you won :-D

sandi — Tue, 20 Dec 2011 04:39:31 GMT

More on the Telstra stuff up…

sandi — Sat, 10 Dec 2011 05:50:45 GMT

Word is emails are flowing again, which is good… as for the rest of this sorry tale..

More information is flowing in about what was exposed:
http://www.watoday.com.au/it-pro/security-it/telstra-customer-database-exposed-20111209-1on60.html?comments=34#comments

“detailed information outlining the customer's account number, what broadband plan they're on, what other Telstra services they're signed up to and notes associated with the customers' accounts including in many cases their usernames and passwords”

“details about technician visits, SMS messages sent to private mobile numbers and credit check details”

“At about 4.45pm AEDST, about an hour after Telstra was notified of the breach by this website, customer details were still accessible. At about 5pm AEDST the site presented internet users with "Access Denied".”

The source article also reveals that Telstra are a customer of Pure Hacking, a company that claims it has “the expertise needed to keep the wrong people from getting to the sensitive places in your computing infrastructure” – seems to me they missed something pretty damned basic here (assuming that Telstra purchased a service that should have picked up such a glaring deficiency). Who knows, maybe Pure Hacking were only undertaking penetration testing and intrusion detection and prevention, which could, I guess, miss a "served-on-a-platter-all-you-can-eat-no-hacking-needed” incident like the Telstra one.

Ty Miller has a blog on the purehacking.com website, which I shall be watching with interest:
http://www.purehacking.com/blogs/ty-miller

Photo source: Michael Lee/ZDNet Australia via http://www.zdnet.com.au/telstra-exposes-customer-information-339327696.htm – original url: http://cdn.cbsi.com.au/story_media/339327696/bundlefail_1.jpg

Scammer paradise….

sandi — Sat, 10 Dec 2011 04:23:41 GMT

Oh great…

Imagine this. Some scammer spots the above tweet and thinks, “cool, let’s do some cold calls”…

“Hi Mr Telstra customer, we’re calling from Telstra about our screwup last week .. you saw our tweet on our official Twitter account saying we’d call everybody? Cool…” … and so the scam conversation goes on…

Telstra – registered express post is the way to go with this one… oh, sorry, is that too expensive? Tough!

In short, how are your customers meant to know, when that phone rings, that the person calling them is really Telstra, and not some scammer taking advantage of the situation?

Telstra exposes customer user names and passwords to the world

sandi — Sat, 10 Dec 2011 04:01:35 GMT

Unbelievable, isn’t it:
http://www.theage.com.au/it-pro/it-news/telstra-probes-privacy-breach-amid-network-outage-20111210-1ooez.html

Email, online billing, BigPond self-care and “My Account” have been down since Friday evening, and Twitter has been in meltdown. Note: it seems that only *incoming* email is affected now – reports indicate that outgoing email is working just fine at time of writing (2:54 EST)

A horrid situation, to be sure, but I do wonder at some of the complaints that I am seeing on Twitter about the action Telstra took.

Imagine if Telstra had held off so it could notify customers first – that would have given spammers/scammers/criminals more time to use stolen credentials.

Really? You really sure you want them to do that? You might be one of the people who had their email username and password exposed.

Anyway…. what’s to be the next step? Obviously everybody at potential risk is going to have to change their passwords, but how to tell them to do it? Turn on email access again and send them an email, hoping that they’ll read it and change their password real quick. But how to protect users for that period of time between email service being reactivated and passwords being changed? At the very least the Bigpond email servers should reject any connections not coming from a computer with a Bigpond IP address – it’s not perfect, and it has it’s drawbacks, but its better than nothing. I don’t envy Telstra the challenges that face them now.

Telstra users actually choose their own password when setting up their accounts in shop nowadays instead of being issued a password by Telstra – I’ve been there when a salesman asked a person to write down their choice of password onto a piece of paper so that he could enter it into the computer. I didn’t like that protocol then and I don’t like it now – I shudder to think how many people use the same password on multiple accounts.

We have no way of knowing how long the data breach existed, or how many people viewed the now disabled web page. I would strongly recommend that affected users change not only their Telstra password but also the password of any other sites that they have used the same password for, ESPECIALLY if they have used their Bigpond email address as their log in name.

In fact, that advice applies to EVERYBODY. Be very careful about sharing passwords across multiple services, and NEVER use non-unique passwords on email, banking or financially sensitive sites. Ask yourself, if a site is hacked or your info is negligently exposed (as happened with Telstra), and somebody got your info from that one site, what other sites could they get access to? Could crooks use your username and password to get into one of your email accounts? Could they then send password reset requests for *other* sites to the email account that they have got into? Think big picture.

Malvertizing activity

sandi — Tue, 06 Dec 2011 10:05:26 GMT

There has been a lot going on in the malvertizing world lately, with a spike in the number of reports coming in about malvertizing incidents that are occurring because the Ad Server in question is running an old and exploitable version of OpenX – people, we need to be running version 2.8.8.

The bad guys have been able to insert malicious iframe scripts in tandem with legitimate advertising, and sometimes obfuscated JavaScript that causes various requests to domain names within the *.dyndns.org namespace.

A couple of domains implicated in malvertizing incidents are reonmedia.com and malidie.com

reonmedia.com (registered 19 June 2011 – reonmedia.com cookie spotted in a conversation about an infected computer here)
IP address at time of writing 176.65.162.61 – Zexotek It-services, Gmbh
Registrar: DIRECTI
Registrant: LEGAZ Inc, Anthony White (anthonywhite@gmail.com)
Sharing IP with adtiara.net

adtiara.net (registered 15 July 2011)
Registrar: DIRECTI
Registrant hidden by privacyprotect.org

malidie.com (registered 21 July 2011)
IP address at time of writing 188.72.204.48 – Hessen, Frankfurt, Netdirect
Registrar: BIZCN.COM, INC
Registrant hidden behind privacy-protect.cn
Sharing IP with inviasat.ru and gennetron.com

gennetron.com (registered 21 July 2011)
Registrar: DIRECTI
Registrant hidden behind privacy-protect.cn

inviasat.ru (registered 1 June 2011)
Registrar: REGRU-REG-RIPN
Registrant: “Private Person”

Also mentioned in recent times – trekmedia.net – including here:
http://stopmalvertising.com/tag/trekmedia.net.html

trekmedia.net (registered 14 February 2011)
IP address at time of writing 173.236.89.200
Registrar: ENOM, INC
Registrant hidden behind WhoisGuard

Also adveritising.com (note the extra letter i)

adveritising.com (registered 17 July 2011)
IP address at time of writing 50.17.195.149
Registrar: DYNADOT, LLC
Registrant hidden behind Dynadot Privacy

International Checkout (URL: internationalcheckout.com) hacked

sandi — Tue, 06 Dec 2011 09:22:59 GMT

A friend received the email below the other day. Note that not only do International Checkout advise that “an intruder accessed and potentially compromised [their] system”, but the intruder / intruders also “gained access to part of [their] system that contained credit card numbers of customers” AND the intruder / intruders were able to “access the encryption key [for the credit card information database] that was stored separately”.

My friend’s credit card was misused, with many overseas transactions being charged to her card.

If you go to the internationalcheckout.com web site, and look at the large list of partners currently using the service, you can get a sense of the scale of the potential problem.

If you have used any of the merchants listed on the internationalcheckout.com web site please keep a close eye on your cards. If you know anybody that has used the sites, let them know about what has happened.

Seven charged in ad fraud case

sandi — Thu, 10 Nov 2011 02:13:00 GMT

It is estimated that the defendants reaped least $14 million in ill-gotten gains over a five-year period. Small fish compared to groups such as Innovative Marketing, but still a good win.

Importantly, six of the seven people named in the indictment are Estonians who are in custody in that country, with extradition being sought to the United States. One Russian remains at large.

source: http://www.news.com.au/breaking-news/seven-charged-in-internet-ad-fraud-case/story-e6frfku0-1226191217963

Fake Hewlett-Packard HP Officejet emails

sandi — Tue, 20 Sep 2011 09:55:03 GMT

Everybody knows not to open the attachment, yes? :)

Fake YouTube emails

sandi — Tue, 20 Sep 2011 09:44:29 GMT

As you can see from the screenshot, the hyperlink does not lead to YouTube

If you are silly enough to click on the link you are redirected to viagragenericsteva.com. The site is timing out, unfortunately, so we can’t take things any further.

You’d think they’d be a little more careful with their spelling :)

sandi — Thu, 15 Sep 2011 01:42:29 GMT

Invoice spam:

Don’t be silly enough to open the attachment, ok?

sandi — Thu, 15 Sep 2011 01:33:53 GMT

If you get an email claiming you are registered as "latinloveline . com” just delete it – don’t be tempted to open the attachment.

Another fake ACH Notification spam

sandi — Wed, 14 Sep 2011 09:37:40 GMT

Their English hasn’t improved with practice ;o)

uTorrent.com compromised

sandi — Wed, 14 Sep 2011 09:35:05 GMT

Cite: http://blog.bittorrent.com/2011/09/13/security-incident/

The servers were compromised on 13 September 2011 between 4:20 a.m. and 6:10 a.m. Pacific time – a period of less than 2 hours – that’s a pretty good response and detection time, I think you’d agree.

No word on how the servers were compromised.

SPAM: “ACH and WIRE transaction”

sandi — Wed, 31 Aug 2011 00:53:07 GMT

Of course, you don’t want to open that attachment.

We would hope that the poor standard of English in the email would alert most readers… “departament”, “you transaction abilities”, “have” instead of “has”, “your security version” etc.

Spam: Re: Scan from a Xerox W. Pro #1988437

sandi — Fri, 26 Aug 2011 01:38:42 GMT

Again we all know not to open the attachment, yes?

Spam: ACH Payment Canceled

sandi — Fri, 26 Aug 2011 01:37:37 GMT

We all know not to open the attachment, yes?

ALERT: Fake Facebook “Friend Request” emails

sandi — Mon, 22 Aug 2011 09:18:06 GMT

As always, you can see by hovering your mouse cursor over the “Confirm Friend Request” or “See All Requests” buttons that the URL you would be taken to is NOT a legitimate Facebook URL.

Please, don’t be tempted to visit the page – there is every chance the page will contain various security exploits designed to automatically infect your computer with who knows what nasty stuff.