Decker Technology

Happy New Year!

Happy New Year to all!

There is also a "Happy Birthday" to be observed. Yes, the venerable TCP/IP protocol suite turned 25 on January 1st (http://blogoscoped.com/archive/2008-01-01-n53.html). In computer time that is a lot of years, but it seems to just keep maturing and doing the job. The next big advance may very well be the adoption of IPv6, but that may not filter down to the desktop for a while yet as providers use IPv6 with their backbone connections but retain IPv4 internally.

So, what else is in store for the new year?

Castlecops now Mirroring Data

In the aftermath of the extremely intensive Denial of Service attack on www.castlecops.com the site has emerged even stronger than before. One of the new "strengths" is the mirroring of databases used by HiJackThis analysts all over the internet. In Paul's own words:

The research database lists at www.castlecops.com are now mirrored at the following location:

http://mirrors.castlecops.com

Each of the mirror nodes checks the health of www.castlecops.com in real time. If they find it to be down, the nodes will open up like a book and permit immediate browsing -- just like you are used to at the main site.

The links are also the same, for instance, if you are trying to access the following and the site is down:

http://www.castlecops.com/tk1391-msdoh_dll_random_Class_ID.html

http://mirrors.castlecops.com/tk1391-msdoh_dll_random_Class_ID.html

Simply replace "www" with "mirrors" and it'll come up. Currently three mirrors are online offering data distribution in a total of four different ISPs and geolocs -- more nodes are on the way.

As formidible as the attack was, the main results achieved have been an increase in the site's resiliency and a new slogan "We Will Not be Silenced!" displayed at the top of each page. Kudos to Paul and all cooperating parties for establishing these mirrors.

Counterspy 2.0 Goes Gold!

The long awaited version 2 of Counterspy from Sunbelt Software went gold today. Official communications from Sunbelt can be found at both the official press release and the Sunbelt Blog. This newest version can be downloaded from the Counterspy home page.

Current users can get a free upgrade and newusers can (and should) take advantage of a 15 day trial offer.

I have tested this product since it was pre-beta and am pleased to report that it ameliorates the performance issues that dogged v1.5. Other exciting improvements include a greatly enhanced Active Protection functionality which qualifies as full feature process firewalling and support for Windows Vista. Scan speed is excellent with a very light performance footprint.

Now that v2.0 has been released there will be articles posted in our Counterspy forum that deal with possible problem areas. If you have a problem and don't find an answer then please post the question.

Sunbelt has definitely done this version the right way and I encourage all CS users to upgrade.

Antiphishing, a World Class Wannabee

There are people in every field of endeavor that would like to be something that they are not. Most get over it, move on, find another interest, etc. Those who just can't give it up and proceed to the point of pretending that they are something they are not are commonly called wannabees.

There is a particularly persistent wannabee at Castlecops right now. In case you don't know, Castlecops began the Phishing Incident Reporting and Termination (PIRT) team just about a year ago. In the time since, the team has handled tens of thousands of phish reports and, more importantly, terminated them while often collecting information that may actually identify the phishers. Team membership is subject to stringent vetting to ensure that the sensitive information that often surfaces will not be revealed to any who are not totally reliable.

It was probably inevitable that an effort of this magnitude and success would attract wannabees and it certainly has. By far the most interesting and persistent of these has been Antiphishing. The lengths that he has gone to to impersonate something that he is not make him a world class wannabee.

IE7 is on the Way

Yes, it appears that Microsoft will push the long awaited (feared?) IE7 as an out of cycle critical update to all Windows XP SP2 customers sometime this month (Oct 2006).

I am personally looking forward to finally seeing it but there are some precautions to be taken. IE is deeply embedded into the OS and will be writing to registry keys across most (all?) hives. This app has been fully tested and doesn't need to cause problems but there are precautions that need to be taken during the update:
Set a restore point
Disable any active protection monitors that might interfere with writes to the registry
Shutdown all other running processes except the firewall. This is always a good idea but may be critical in this case.
One of the best experts in IE that I know is a fellow MS MVP named Sandi Hardmeier who has kindly published her thoughts on IE7 installation. You may want to read through her comments on the procedure.

MS Patch Tuesday -- Oct 2006

Today (10/10/2006) is the monthly "Patch Tuesday" for Microsoft on which critical updates for their various products are released. If you do not have updates set to automatic then you should at least be checking the update site to review these.

A list of the updates scheduled for download today, along with links to the appropriate MS KB articles describing them, can be found at the SANS-ISC Portal.

Note that this is the last month for Windows XP SP1 support.

Myspace fraud link

My name is Noel and to be honest, I don't know much about computers. I have a myspace account, and I received a bulletin a few weeks on my account from someone I know titles "LOL". When I entered the bulletin, it had a link that said "Click here". Since the link was from someone I knew personally, I didn't think anything of it ( my first mistake). I did and was directed to a myspace log in page that said my session had retired. I put my user name and password in ( second mistake). I cannot remember where I was directed to, and have not thought of it since. Tonight, while logged onto myspace, I noticed that the same "LOL" titled bulletin was posted, but I did not post it. I looked at it, but did not re enter my information, since I realized that I was actually still logged in. I went to the myspace help link and realized that there is a link to report false log in pages. I reported the incident and website to myspace and posted to everyone I know not to open the bulletin link. The Fake page is an attempt to gather myspace usernames and passwords, I'm guessing in an attempt to gain more information, such as email addresses, ect. The reason I am contacting you is that an apparent IP address listed in the fake MYspace log in page is the same I found listed in one of your reports about paypal phishing, and I thought the same person could be behind both. the fake myspace log in page is h(ttp)://05.188.226.248/logon2myspace0/myspace.com I thought your previous information about this online scammer might assist in stopping this activity.

Thank you for allowing me to submit this information.

If you have any questions, you can contact me at (email removed by admin for submitter's protection)

The Symantec Shuffle

When I first became involved with personal computers over 20 years ago I used Peter Norton's excellent book Inside the IBM PC to get a good solid start. I also grabbed a copy of the Norton Utilities and used them to plumb the depths of that first box. Over the years I used a lot of Norton products so it was only natural that I stuck with them after the dawn of the internet age.

Like everyone else I noticed that virtually everything written about them in the online community was negative. The other side of the issued, though, was that the products themselves and the protection that they offered were rock solid. So, I continued to use my trusted Norton Internet Security Professional 2003 even in the face of the common wisdom. Up until yesterday, that is.

The Boy who Cried Wolf?

So far 2006 has been an eventful year security wise but I have to question whether we in the security community have handled it well. Yes, we certainly have an obligation to discover and report new threats but then what?

The new year had not even begun when the WMF exploit burst upon the scene and we were all over it. Instead of a useful measured response, however, there seemed to be a general tendency to run helter skelter screaming "The sky is falling!"

Happy Birthday?

Yes, this month marks the 20th birthday of the computer virus. That first reported virus wasn't carried on the internet but rather by sneaker-net on floppy disks. It was mostly harmless and easy to inoculate against but it was still the very first. So, happy birthday, Brain, one more year and you can be tried as an adult!