Vitalsecurity.org

Write about phishing, get threatened with the FBI

2009-07-15T21:32:00.002+04:30

Some awesome work by Ebay / Paypal yesterday, assuming "writing to someones webhost with lots of threats related to copyright infringement and then running to the FBI all because someone put up a screenshot of a phishing mail with your brand on it" means "awesome" nowadays.

Which is doesn't.

Gigantic amounts of fail can be yours for the taking here.

Some downtime scheduled...

2009-07-14T13:55:00.002+04:30

I'll be messing with things behind the scenes later today, so don't be massively surprised if the site is AWOL for a while. It might even come back online too - bonus...

Smacktalk Fail

2009-07-10T16:17:00.002+04:30

Oh dear.

GMail and IP Addresses

2009-06-30T16:22:00.005+04:30

My pals over at Sunbelt have written about a feature of GMail I didn't know existed:

"Click “Details” and you get an overview of your accounts activity, including whether it’s from POP, a browser, or a mobile phone"

It also gives you IP addresses. Now I'm of the opinion that grabbing the IP address of someone who has hijacked your GMail is an interesting prospect - however, this also means that anybody able to hijack your GMail account has your IP address too, and they'll have yours before you have theirs. To be honest, I think the potentially tiny benefit of having an attackers (potentially fake) IP is greatly outweighed by them having your IP.

Call me paranoid, but is it time to break out proxies and VPNs for GMail now? Perhaps there's a way for Google to implement some kind of password protection that's required to be able to access this information - but of course, if that password is tied to GMail itself then presumably the attacker would have access to that too - so how would you do it?

Suggestions on a postcard to Google, please...

Hackers Target Neopets Users

2009-06-30T11:06:00.002+04:30

Neopets Scam, originally uploaded by Paperghost.

Targeting 12 year old kids with keyloggers?

Oh Lordy. More here.

Save us from these idiots

2009-06-26T17:16:00.009+04:30

So some old guy who clearly knows nothing about computers - or how many internets you can fit into them - is seriously rubbing me up the wrong way.

“You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” he said.”

Wait, what?

Look out, clueless guy ahoy.

Apart from the fact that there's something distinctly pervy sounding about calling them "naughty boys" and "enjoyment" at them "getting caught" - we're not in some sort of boarding school here - this is the biggest heap of crap I've heard since the last time some old guy who knows nothing about computers talked a load of old crap.

Let's go out and hire (nay, REWARD) a bunch of talentless, idiotic script kiddies who haven't done very much of note to defend a country? Oh yeah, that's genius, that is.

Except that they

a) have little to no technical knowledge
b) enjoy cutting and pasting other peoples work (due to the whole lack of knowledge thing) and
c) are idiots, who leave their entire life across ten social networking sites then wonder how come you're waiting outside their house with a baseball bat and a length of cheesewire.

Last time I checked, the SAS was not full of morons. Nor are the SEALs, or any number of dedicated anti-whatever teams. Why should UK cyber security rather predictably be given the bastard children of a thousand leftover takeaway meals to defend it?

Idiots commanding idiots, I love it. I'm going to go out and phish six hundred XBox Live accounts, I might be in Whitehall within six months. Let me tell Old Man McGinty something - I have waded through a crapload of script kiddies, and every now and then even convinced them to do the right thing(TM).

But you know what? In order to get them to do the right thing, more often than not I had to THREATEN THEM WITH HORRIBLE AND EMBARRASSING THINGS. It took time. It took effort. It took pictures of them cavorting with their rather large and thuggish best mates girlfriend. Sometimes I did the cavorting.

It took all of these things and more, to get a TINY percentage of people to stop being morons and play good guy for a while - and only for a while. Where are these magical script kiddies - who really, really want to be good, honest they do - Old Man McGinty is talking about? Can we have some of them to play with?

Oh, right. Didn't think so.

I've said it before, and I'll say it again - UK law enforcement tackling cybercrime is like Stevie Wonder playing Dance Dance Revolution. And all these ancient Government type guys who are older than the telephone need to get out of the way and stop talking about computers, technology and (most of all) script kiddies.

Because they have absolutely no idea what they are talking about.

Oh, the rage.

Also: More sensible takes on this here and here. I'll just stick with the ranting and cheap insults, for those are my boomsticks and I'm happy to deploy them.

Spam of the day

2009-06-16T12:44:00.004+04:30

Rohan Crones, originally uploaded by Paperghost.

...Rohan Crones? Are they old women from Lord of the Rings? If so, I'll have two of those and a Russian bride to go, please.

Remember kids, people lie on the Internet

2009-06-16T12:41:00.002+04:30

Oh dear.

Ten asshole points awarded to the social engineer for decimating an entire gaming clan, I guess.

Pastebins and Botnets

2009-06-15T14:16:00.002+04:30

I loves me some Pastebin action, and I loves me some Botnet action too. If someone were to combine the two and toss around an idea where Pastebins could be used to issue commands to Botnets, would I be interested in taking a look?

You bet. One of the more interesting things I've come across recently.

When will they learn?

2009-06-11T10:53:00.003+04:30

Honestly, when someone waves their arms around in the air and goes "hack me", you can bet someone will turn up minutes later and say "okay".

So it went with the recent Strongwebmail competition, where Lance James pulled a few A Team moves and pocketed a cool $10,000 in return for pwning their supposedly unpwnable CEO email account.

I really don't know why companies offer themselves up for a public gutting where competitions such as this are concerned, but whatever. You can read an interview with Lance here, although he doesn't say if he's Mr T or Hannibal which is a bit of a letdown.

JetKing: They came, they saw, they rocked

2009-06-05T23:53:00.007+04:30

At the height of the "Myspace band hacks" back in 2007, I have to confess to being somewhat underwhelmed by reaction to the problems facing the bands on that social networking site. It seemed most bands were puzzled at best and disinterested at worst by the mass hack attempts on their pages.

However - one band actually took an interest in it, and had been fighting the good fight for some time while I was only just starting to dig into the problem. That band would be JetKing, and they really flew the flag for bands that were getting it in the neck from all the phishing & malware spewing that was going on at the time.

We've kept in touch to this day, and I was flattered when they sent me a copy of their debut album a week or so ago. I'm happy to report that the album is bloody good and well worth investigating (I've had "Smoke and Mirrors" lodged in my brain for a few days now). It's an interesting mix of guitars and electronica, but what caught my eye (ear?) was that neither element was overloaded or overdone - there's a nice bit of breathing space to the tracks and that appeals to me as a one time orchestral bod. And hey, you can rock out to it so +1 for that.

You can check out a few of the songs on their Myspace page and there's a review here that pretty much says what I was thinking about the album myself. Cheers for that, album reviewer guy.

JetKing: flying the flag for music and security.

That's always a good thing, isn't it? Good luck with the album Vaughn, and thanks for being interested in the whole security thing at a time when so many others affected by the same problem weren't. It made a difference :)

If it's not for you, just move on

2009-05-29T19:10:00.004+04:30

It's an unspoken rule of security that anytime a story about something that isn't THE END OF THE WORLD appears, a guy will show up and loudly deride the story / the author / why it isn't important or "newsworthy" or something else he feels like complaining about.

Case in point, a week or so ago people were coming to me worried that their Playstation consoles were "infected with viruses". I looked into it, saw there was nothing to worry about and wrote about it on TechRadar. Sure enough, the very first comment posted was this:

"I'm sorry but anyone who is fooled by this is a complete moron. A picture of XP My Computer and a reference to ‘your PC’, I suppose he thinks those lovely ladies he speaks to on those ‘Hot Babes’ hotlines are real people and really live just a few blocks away. It certainly isn’t newsworthy for a site dedicated to technology. People have been duped by this stuff for years and will continue to be till the end of the net. It’s dumb enough for a PC user to be duped yet understandable as the messages do, quite successfully at times, simulate the user’s day-to-day PC environment. It’s not virus he should be scared of, its woodworm eating away at his head."

Love it. Wannabe holier-than-thou atttitude where security is concerned, combined with derisive scorn at the people who might actually be worried by something regarding hardware that cost them a lot of money.

Thank God for angry security commentators, eh? I mean, I would mention stones in glass houses when a quick check for him on twitter reveals his face, his name (hello, Toby) and what's probably his lovely lady here, or how his Facebook page reveals his location and opens his visible friends up to "fake friend" trolling antics, or how what looks like his EBay page under the same username used for contemptuous and insulting comments leaves him perilously open to aggrieved parties stalking him by buying an item from him, then returning it with an excuse to grab his home address.

But hey, people worried by Playstation virus warnings are idiots. Right?

Look out, it's Angry Apple Guy

2009-05-29T16:58:00.005+04:30

I love a bit of blog rage, but sadly I haven't seen any for a while. As it turns out, you need to simply question the veracity of an Apple Mac advert, retreat to a safe distance and wait for some guy to start going RAAAAARGH RAGE RAGE RAGE all over the place.

Which he is. Cheap shots, contrived logic, ad hominem attacks and a complete lack of understanding with regards how writing a blog that serves the needs of those with a technical bent, computer savvy reporters, those who have no clue whatsoever about IT but want to stay safe and non technical journos who want to learn more about "the whole security thing" operates on a day to day basis can be yours for the taking here.

All because someone said the word "virus", apparently.

Also, here's a stupid song I just made up.

ANGRY APPLE GUY! WOO-OOOO-OOOOO!
HE SAYS A LOT OF STUFF BECAUSE HE'S "IN THE KNOW"!
ANGRY APPLE GUY! WOO-OOOO-OOOOO!
PUTS CANDLES AT YOUR FEET, 'CAUSE WINDOZE BLOWS!

ANGRY APPLE GUY! WOO-OOOO-OOOOO!
WANTS TO GIVE YOU A CLASSIFICATION TEST!
ANGRY APPLE GUY! WOO-OOOO-OOOOO!
HAS A NERD RAGE ABOUT MAC OS X!

/ GUITAR SOLO

OH YES, HE'LL PROVE YOU WRONG!
UNLESS YOU MAKE YOUR COMMENTS TWICE AS LONG!
WATCH OUT FOR HIS MICROSOFT CHEERLEADER BARBS!
CAUSE I'M MARRIED TO BILL GATES, GOD BLESS HIS HEART!

/ SLOW SECTION

I ADDED NOTHING TO THE DISCUSSION!

/ POWER CHORD

EXCEPT A SAD ATTEMPT AT DIVERSION!

(Yes, I am using your own words as the basis for my song. Enjoy)

DOESN'T WANT TO GIVE ME A HUG!

/ POWER CHORD

EVEN THOUGH I OFFERED HIM A FREE WINDOWS MUG!

/ LEATHER PANTS THRUSTING

ANGRY APPLE GUY! WOO-OOOO-OOOOO!
HAS A BIG THING FOR BLOGGERS AND JOURNALISTS!
ANGRY APPLE GUY! WOO-OOOO-OOOOO!
HE PROBABLY SEES NOW I'M TAKING THE PI -

.....is this mike still on?

Location-based information on Twitter

2009-05-28T15:19:00.005+04:30

From Readwriteweb:

"Twitter might soon add location-based information to every tweet. Currently, users can set a location on their profile, but individual tweets are not geo-coded in any way. If Twitter did indeed add a geo-references to every tweet, then that would open up the door to a wealth of new possibilities for developers."

Well, screw the developers. All I want to know is

1) Will there be an opt-out and
2) If there IS an opt-out planned, will they apply geolocational technology to all the messages previously posted to Twitter before you get a chance to hit the "opt-out" button? Of course, in an ideal world opt-out would be selected by default (thus making it an opt-in, but it's all getting a bit confusing now so let's just say we don't want it in the first place and take it from there).

I asked the co-founder and the main Twitter account on, uh, Twitter here, but amazingly enough I haven't had a reply back. Hopefully the answer will be what we want to hear, or else I predict an epic security / privacy fail.

/ Edit - More from Graham Cluley here.

If you've nothing to hide, you've everything to fear

2009-05-26T23:09:00.007+04:30

"The government will have a few more records on me, so what?" Some guy on a forum

You know, I'm still amazed when I see statements like that one regarding the massive boner the UK Government has for compiling a gigantic set of databases on everything you could imagine. It's clearly a "nothing to hide, nothing to fear" way of thinking.

The problem is that it doesn't freaking work like that.

There are two huge problems with "nothing to hide, nothing to fear".

1) It assumes the people in charge (along with the people who have access to the data currently stored on the 11 or so databases with parts of your whole existence stored on them) are all whiter than white.

They're not, as it turns out. They're just like you and me, and just like you and me, they get up to things they don't want everybody to know about. Fancy that.

And the more people you open the data up to, the bigger the risk of idiocy taking place. The ContactPoint database is a perfect example - 300,000+ people from police, to charities(!) to random boobs in councils and God knows where else, and NONE of those people will try to track a kid down for their mate with an estranged spouse or other such shenanigans?

Huh, good luck with that.

As the desire for databases combining their information grows - and ContactPoint is a big step towards that - so the risk increases for huge chunks of data to be lost and used in horrible and as of yet unthought of ways.

2) Put down the groundwork for a "Let's watch everybody" State, and its the easiest thing in the world for a party to come in afterwards and use that system to abuse whoever they feel like. It should certainly give pause for thought when considering how many pieces of your life are constantly being stacked up inside ever growing databases. I can tell you this much - whoever gets into power after the current shower of thugs are fired into the heart of the Sun, it will be the hardest thing in the World for them to kill off some of these databases and monitoring tactics.

It'll be like that guy who really, really wants to keep his terabyte of porno on his external HD but doesn't want the wife to find out. Seriously. They will agonise over it.

Oh, and let's not forget the very people constantly telling us how wonderful these databases will be, and how you can soon go into Snappy Snaps and "Have your face scanned and fingerprints taken" while shopping are the very same shower of idiots who've done their level best to prevent the public from seeing how much they've been screwing over the expenses system.

It seems like everyone, everywhere is constantly being told to watch people, and report them, for anything and everything. If it's not kids as young as eight trained in the ways of reporting their neighbours, its the growing army of "Accredited Persons", or photography of police becoming illegal, or those stupid posters issued by the "anti terror hotline" begging you to report anyone and everyone lest they blow something up, or tourists stopped in London and having their photos deleted in case they're "terrorists", or schoolchildren having their biometrics taken at school without parents permission, or the police posters asking you to report people who wear "too much bling", or the desire for State approved spyware, and on it goes.

I can say with conviction there is something fundamentally broken with this idea that huge reams of data being piled high magically solves everything. It's clear the Government intends to plough on with as many of these idiotic schemes as possible making it that much more difficult to remove the structure should someone else get into power.

But hey, you'll be able to get your face scanned and fingerprints taken at Boots and Snappy Snaps. Great.

How did we even reach the point where people could be going around thinking this is remotely normal?

You must read this...

2009-05-24T22:55:00.001+04:30

"If they can break the law, why can't we"? Link

Playstation 3 virus warnings: don't panic!

2009-05-22T20:53:00.003+04:30

PS3 fake virus warning, originally uploaded by Paperghost.

Is there anywhere rogue antispyware popups don't cause a problem?

More here at TechRadar.

Klingon Antivirus

2009-05-20T12:18:00.000+04:30

This really is genius.

ContactPoint database goes live despite security fears

2009-05-17T23:36:00.003+04:30

"The Government has announced plans to push ahead with the next phase in launch of a controversial child protection database, despite ongoing concerns about the security of data held on the system.

The delayed ContactPoint system, which is due to include names and addresses on every child under 18 in England, will be accessed by frontline care workers in real-life trials for the first time from this Monday.

Security experts contacted by El Reg remain concerned that information housed on the database might leak out despite ministerial assurances on security provisions that will accompany the roll-out of the directory system." Link

The above article is absolutely required reading for anyone concerned with the gradual creep-creep-creep of Government interference in day to day life. I give it six months max before the first "ContactPoint ruined my life" story appears.

It's no end of amusement to me that the Government that most promoted the "If you have nothing to hide, you've nothing to fear" mantra had an awful lot they wanted to hide, as it turns out.

A Revolution is indeed the Solution...

Zango: Dead Space

2009-05-15T13:25:00.004+04:30

It seems the good ship Zango has been temporarily abandoned while the new owners clear the decks. Check out Zango.com:

Click to Enlarge

Pinballcorp, eh? You know, the amount of restraint I had to show with regards calling this blog entry "Pinball Wizard" was immense. Seriously. Here's their site:

Click to Enlarge

...and here's how I'm going to be rolling.

Why I Flushed Foxit

2009-05-14T22:24:00.019+04:30

Like many people, I've been digging around for alternatives to Adobe Reader in the wake of all those wonderful exploit related stories in the press recently.

Well, I'd heard Foxit mentioned quite a few times so off I went in search of fox-related goodness.

In case you haven't guessed, IT'S ALL ABOUT TO GO HORRIBLY WRONG.

See, here's the deal - if at any point during the install I see something I don't like, then I'm going to look for the escape route. You better provide me with an escape route, or I'm going to complain about you on the Internet.

In this case, I get one of these:

Click to Enlarge

...and one of these:

Click to Enlarge

....and finally, I get an "Agree / Disagree to Ye Olde EULA" box. No problems so far, and everything is going swimmingly.

But then...

Click to Enlarge

Hey look, it's an ASK Toolbar complete with pre-ticked box things.

DO NOT WANT.

Imagine my dismay when I look around for the button to cancel the install immediately (or even to back up a step) only to find that IT DOES NOT EXIST.

Look at the picture - it's simply fallen off the installer and gone MIA despite a "Back / Cancel" button being on every other box I can remember seeing (they're in the first couple of screenshots!)

Essentially, you're left wondering exactly how to exit out of this install. Also, see the "X" icon in the top right hand corner of the installer? Despite that X being clickable at every stage of the install up to this point, you cannot click it when you get to the ASK prompt because it suddenly no longer works. Why is this?

You can untick the License Terms box (thus opting out of the Toolbar install) and see the following:

...but I couldn't care less about not getting typewriter tools and text converters. All I want to do is see the option to leave the install routine entirely because I want nothing to do with a program that wants to install ASK products. So why don't I have one, Foxit?

At this point, I decided to pop open Task Manager and kill the whole thing dead - specifically, I was going to cancel the Foxit Reader install. That's what I thought would happen, anyway.

What happened next momentarily stunned me so much that I was unable to get a screenshot the first time round. Check this out - here I am with the Foxit installer still open and Task Manager to the right of it:

Click to Enlarge

What happens the second you hit "End Task" in Task Manager? This:

Click to Enlarge

That's right kids, Foxit Reader (not the ASK toolbar) INSTALLS ANYWAY.

In fact, upon further testing I found the desktop icon for Foxit appears on your desktop the moment you see the Toolbar installer prompt. In other words, although you THINK the Toolbar prompt is part of the overall install, it's not - the actual Foxit reader has already finished installing and you can happily run it while the ASK prompt is still sitting on the desktop.

Making a "Back / Cancel" button vanish on an installer page asking me to install unwanted applications is annoying (and momentarily panic inducing) enough, but to discover the Foxit program has actually finished installing itself BEFORE I think the install procedure has completed is outrageous. The "Setup Completed" popup that appears when you think you've killed the install off in Task Manager is the rather grubby icing on an out of date cake.

Lament your Resurrection within the flames of Hell, or as I like to put it, my Recycle bin.

You won't be getting out of there anytime soon...

/ Addendum - There seems to be a little confusion. The issue here is the way the Foxit installer behaved, the way the cancel install button fell off when I reached the ASK prompt (because as soon as I saw that, I wanted out of the whole deal - unchecking the ASK toolbar wasn't enough, I simply didn't want to have Foxit installed at that point full stop) and how Foxit had actually installed itself when the ASK prompt was still on the screen. The ASK toolbar did not install without permission.

Spywareguide Roundup: Image Stealers and Halo Spam

2009-05-11T23:04:00.005+04:30

In case you don't read my writeups at Spywareguide, here's two quick links to tempt you into doing so. You naughty people, you.

First up, we have the bizarre occurance of Chain Letter Spam on the XBox Live network - in the form of this rather fetching picture.

halrec4, originally uploaded by Paperghost.

No seriously, you really will get that armor if you send it to 50 people. Fo realz.

Read all about it here.

Next up, we have a rather creepy infection designed to steal the images on your PC then send them via FTP to some pervert who smears himself in butter, or something.

Click to Enlarge

Lovely, isn't it? More here.

Entrusting your data to Boots and Snappy Snaps

2009-05-07T11:25:00.001+04:30

I am, of course, refering to this.

God help us all.

When is a "full game" not a full game?

2009-05-06T23:15:00.012+04:30

When it's purchased via Microsoft's XBox Live.

For those not aware, if you have an XBox Live account you can purchase and download games from Microsoft's "Marketplace" using Microsoft Points. Generally, the games are of decent quality and the titles cater for most tastes.

However - today, Arkanoid Live became available to purchase. People have fond memories of this game; it's one of the genuine old school classics and I remember playing a variant waaaay back when on the Commodore +4. Awesome fun.

This is what you see when you come to download / purchase it:

Click to Enlarge

"Full Game - Arkanoid Live: 800 MS Points"

You couldn't be any clearer about what to expect for your money, or so you would think. Note that Microsoft "do not offer refunds" for their downloads, which they are at great pains to tell you every ten seconds. Despite being able to download demos of games, generally the demos are pretty short and lots of downloadable content is simply not previewable at all on the Marketplace.

With that in mind, there's a fair amount of trust on the consumers part where these downloads are concerned - people expect MS to give them a fair shake, which I think is reasonable.

When you fire up the demo, you see how many levels you'll be getting from the Menu screen:

Click to Enlarge

As you'd expect, Episode 1 is selectable and the others are greyed out. Therefore, if I pay the 800 MS points to unlock the "full game", I should gain access to the "full game" - which would be all four episodes.

Imagine your dismay, then, when you pay for the game online, download it, expect to get what you've paid for - a "full" game (which, last time I checked, meant the whole thing) but then end up realising you're missing two whole episodes.

As it turns out, you're primed for this bizarre absence in a wonderful piece of mealy-mouthed doublespeak when you attempt to exit the Demo. On the splash page urging you to buy to unlock the "full game" you see this:

Click to Enlarge

Some things that caught my attention:

1) Extremely interesting method of colouring one set of text white, and the other parts red. Note only does the white practically leap out and bite you, but the red parts are (by comparison) rather muted and fade into the background (they did for me anyway, on both a standard TV and a HDTV).

Why is this important? Because the white text is essentially meaningless yet prominent (UNLOCK THE FULL GAME AND CLEAR), whereas the red text gives the game away that their definition of "full" actually means half (ALL 62 ROUNDS OF EPISODES 1&2).

So many people are going to miss this completely. I did, and I'm pretty well known for spotting junk in Adware EULAs and things of a similar nature.

2) In the same way, the second section of white & red text puts the important bit (that lets you know 3&4 are missing) in red instead of the much more bold white text:

YOU'LL THEN BE ABLE TO DOWNLOAD A FURTHER / ALL 62 ROUNDS OF EPISODES 3&4.

Curious, isn't it?

Oh, notice that it doesn't mention anything about paying anything extra to get hold of these additional levels either. The problem with that is this: there is no indicator anywhere as to whether or not you're going to have to pay for this additional half of your game or not. If it's free content, then great - but why would they offer the second half of the game as a free download if they could have just included it in the first place?

Many people (here, here and elsewhere) suspect that they're going to charge you a "small" fee to get the rest of the game.

If that turns out to be true, then effectively an 800 point (10$ or £6.80) game just became 1200 points ($14.99 or £10.20).

Of course, nobody is really going to care, and if / when an announcement is made in a few weeks / months regarding the additional levels costing money people will just treat it as "additional content" and pay up, forgetting that this game was advertised as "full".

The ball is in your court, Microsoft, and people are already flipping out about this. If it does indeed turn out that you have to pay for the second half of the game, you can expect quite a few people to not want to give you money anymore...

(By the way, I purchased Space Invaders Extreme today and noticed that too has a "download content" link on the title screen and is apparently made by the same company. If I find half my game is missing, I'm going to stab someone in the face. You have been warned).

My Top Five Tips For Businesses On Social Networking Sites

2009-05-02T21:17:00.004+04:30

I've come up with a little list of tips I like to break out when talking about businesses jumping onboard the 2.0 train. They had a fair amount of positive feedback at InfoSec Europe, so feel free to check it out and also suggest your own hints for preventing too much data spillage on the web.