Archive for August, 2009

Pathetic… Open Relay Webform on democrats.org

August 30th, 2009

So there is apparently an open mail relay webform on the democrats.org website here. I was able to spam myself from it without any issue, from a completely bogus email address, and I don’t think I did anything illegal since there isn’t even an AUP displayed on the page.

Given that the email server itself will allow you to forge whatever address you choose, I suspect that it could be used for some very nefarious purposes, such as this.
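The pattern behind a form like that, as an added example (not code from the original post, and not anything taken from the site in question): the weak handler copies visitor-supplied headers straight into the message, so the visitor picks both the sender and the recipient and can inject extra header lines; the hardened one pins sender and recipient to addresses the site owns, accepts only a single validated reply address, and refuses anything containing a line break. All addresses, field names and the sample submission are made up.

```python
import re
from email.message import EmailMessage

# Constructed example values (assumptions, not from the original post).
SITE_SENDER = "webform@example.org"   # address the site owns; always the From/envelope sender
SITE_INBOX = "contact@example.org"    # the only recipient the form is allowed to reach
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample submission: a forged sender carrying a header-injection payload.
SAMPLE_FORM = {
    "from_addr": "spoofed@example.net\r\nBcc: everyone@example.net",
    "to_addr": "victim@example.net",
    "reply_to": "spoofed@example.net\r\nBcc: everyone@example.net",
    "subject": "Urgent",
    "body": "Please wire the funds today.",
}


def relay_style_handler(form: dict) -> str:
    """The weak pattern: headers concatenated straight from the POST body,
    the way many old mail() forms did it.  The visitor chooses the sender
    and the recipient, so the form is an anonymous open relay, and a CR/LF
    in any field lands in the header block, so extra headers (Bcc, a second
    To) can be injected as well."""
    return (
        f"From: {form['from_addr']}\r\n"
        f"To: {form['to_addr']}\r\n"
        f"Subject: {form['subject']}\r\n"
        "\r\n"
        f"{form['body']}\r\n"
    )


def hardened_handler(form: dict) -> EmailMessage:
    """Fix sender and recipient server-side.  The visitor only supplies a
    reply address (validated, single line) and the text; anything with a
    line break is rejected instead of being folded into the headers."""
    reply = form.get("reply_to", "")
    if "\r" in reply or "\n" in reply or not ADDR_RE.match(reply):
        raise ValueError("invalid reply address")
    subject = form.get("subject", "")
    if "\r" in subject or "\n" in subject:
        raise ValueError("invalid subject")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER        # never the visitor's address
    msg["To"] = SITE_INBOX           # never a visitor-chosen recipient
    msg["Reply-To"] = reply          # where a human reply should go
    msg["Subject"] = f"[webform] {subject}"[:200]
    msg.set_content(form.get("body", ""))
    # When sending, hand the MTA the envelope explicitly so it matches the
    # fixed headers:  smtplib.SMTP("localhost").send_message(msg, SITE_SENDER, [SITE_INBOX])
    return msg


def rejects(form: dict) -> bool:
    """True if the hardened handler refuses the submission."""
    try:
        hardened_handler(form)
    except ValueError:
        return True
    return False
```

The weak handler is exactly the relay the post describes: the visitor writes as anyone, to anyone, and the injected Bcc line shows why header fields must never be built by concatenating form input. The hardened version still lets a visitor write to the site, but never on behalf of someone else; passing the envelope addresses to send_message() explicitly stops the MTA from being talked into a different route as well. Rate limiting and a CAPTCHA belong on top of this, not instead of it.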

Gotta love it. The President’s cyber-czar quits and it apparently shows. I thought the Dems were much more tech-savvy than their Republican counterparts.

Some speed test results

August 29th, 2009

I am actually quite pleased with my ISP (RoadRunner) for a change. Check these speedtest results:

SpeakEasy Test

SpeedTest.Net

I just wish my upstream speed was a little faster.

The Demise of Windows?

August 28th, 2009

Cause of Death… too many security controls?

There was an email I was reading, posted to one of the lists I monitor, that was essentially arguing that CPU, memory, hard-drive space, and network bandwidth, cannot keep up with the amount of security controls that will be required to protect a Windows machine from being infected. You can read the email here.

This got me thinking… I can see his point and I can agree with it on some levels, but has the exponential growth in unique malware actually been observed beyond simple mutation? I mean, first, multiple variants seem to exist in each type of exploit; but at the end of the day they take advantage of a common system weakness… so work-arounds, awareness-training, and patches are actually probably more effective than any sort of anti-malware software to begin with. It’s like the difference between just hanging a sheet over a doorway (AV) and actually closing the door (patching and/or workaround). The sheet might filter the light, but it’s not really going to stop much from coming in.

Second, aren’t many malware systems defending their installs through security means of their own, in order to prevent other malware from displacing them? If that’s the case, a single malware infection might actually be beneficial (but not desirable… twisted logic here) compared to having no infection to begin with.

Third… it seems that one of the ways the AV vendors have been combating this performance issue is by stripping out protection for older forms of malware once the vendor (in this case Microsoft) has shipped a patch. I think this commentary might be valid if you look at the entire malware landscape as monolithic, with every single form of malware being the basis for the next kind, so that to be protected you had to include specific instructions for combating every single piece of malware as a sort of barrier to entry for any of them (malware genetic interdependence, which I think is ludicrous). But if OS/app code is properly patched, operating systems and applications are properly configured to do exactly what they are supposed to do, and specific malware is targeted at specific vulnerabilities that no longer exist thanks to reconfiguration and patching, then all the protection pieces he says will grind your machine to a halt could, in theory at least, be removed for those solved vulnerabilities.

It’s a simple use-case analysis… apply the right controls for the right kind of environment. For a (simplistic) example: if I don’t have Windows RPC enabled (stand-alone home box, no Microsoft Network Client loaded, running no services, no file/print sharing), then why do I need a) patches to fix an RPC buffer overflow vulnerability, b) protection against the introduction of an RPC attack, and c) signatures to detect the attack on the host (they could be shifted into the network)?

Since the premise that those controls and fixes are expensive, from a system performance standpoint, may be correct, why would I choose to implement them… or at least implement anything other than or beyond a patch or reconfiguration to solve the vulnerability (which by the way IS probably interdependent on the installation of other process-fixes, patches, etc… true software interdependence)? I mean, if a signature for a particular attack doesn’t exist to begin with, why bother with the framework associated with hosting that signature (an A/V product). If the signature is known, then shouldn’t we already be taking mitigating steps as opposed to relying directly upon the signature, due to the very polymorphic nature of malware, to begin with? I mean, if you’ve put all your eggs in the AV basket, you deserve what you get.

Similarly… if I run a browser that is configured to be harder to compromise, or if I run in a sandbox or other restricted session-type, then do I need all of these protections piled on top of each other… especially if the session is virtual or temporal to the extent of the time it is used? Probably not because the risk that I am going to become infected is greatly reduced. If an infection attempt is made, and I am running in one of these contained systems, what difference does it make if it is successful anyways? Do I even need to be notified that it’s happened? I guess so… so I could close my session, and start anew.

The author doesn’t state it, but it seems he is driving at an agenda supporting the elimination of Windows from the common desktop. He fails to point out that there is no shortage of Linux and Linux application vulnerabilities. There are regularly multiple vulnerability announcements regarding the Linux kernel and applications on the FD (Full-Disclosure) list every week. So what’s the difference? I believe that the low rate of malware infection among these types of systems is directly related to the operating-system security model used (default non-privileged), the fact that the community approach IS used to validate code (which does support one of his premises), and the fact that there just aren’t that many people surfing or interacting with malware delivery systems from Linux machines (~1%). There just is no target here. If we were able to reverse the situation and Linux was at ~90+ percent of the desktop marketplace, I fully believe that the problem would be significant as well, but probably not quite as bad due to the default privilege levels and community code review.

The primacy of the privilege factor is even more pronounced when one looks at the kinds of attacks that are, in fact, regularly occurring. Breaking into boxes (anywhere but in TV-Land) doesn’t actually happen much… malware delivery is being performed through social (mostly web 2.0) engineering techniques. If you’re socially engineered and you’re on a Windows box, you’re trained (especially with Vista now) to simply click yes; since you’re admin, you’re owned. And all the malware protection, patching, and configuration techniques in the world didn’t stop it from happening! If there’s a signature available for the attack, that’s great, but what was the impact to your system; how expensive (resource-wise) was it to have that level of protection in place? Why not simply fix the problem by attacking the root causes, as opposed to constantly trying to win an arms race by running a signature-based AV product? I guess that’s where I differ in opinion… Windows, using a correct security model, patch levels, configuration, and awareness training, can be protected without having to grind the system to a halt by burdening it with 100MB of AV signatures.

$0.02 for the day :-)

New take on a 419…

August 18th, 2009

Dear Friend….
My name is Mrs. Caroline smith. I am a dying woman who has decided to donate what I have to charity through you.You may be wondering why I choose you. But someone has to be chosen.I am 59 years old and was diagnosed for cancer about 2 years ago,years after the death of my husband who had left me everything he worked for.
I have decided to donate from what I have inherited from my late husband to charity through you for the good work of humanity,rather than allow my relatives to use my husbands hard earned funds inappropriately.I am presently in London
waiting for an operation and praying that I survive. I have decided to WILL/Donate the sum of US$10.5 Million (Ten Million, Five hundred thousand united state dollars) of my husband investment in to charity through you for the good work of humanity, and to help the motherless,less privileged and also for the assistance of the widows. At the moment I cannot take any telephone calls,due to the fact that I have been restricted by my doctor from taking telephone
calls because I deserve all the rest I can get before the operation.Presently,I have informed my lawyer about my decision in WILLING this fund to charity through you. I wish you all the best of luck, and please use the funds well as I want it to be a seed i have sown and always extend the good work to others.If you are interested in carrying out this task,i will inform my Family Lawyer so that he can arrange the release of the funds to you. You may wonder, why don’t i call the the many charity group and donate the fund to them, that is the more reason i have contacted you, there is a little logistic work to be done,and it involves direct dealing with the bank and providing the necessary logistics for the transfer of the fund before the final donation, for this reason and owning to the fact that my health is bad to carry out all this i have decided to contact you, in reward, you shall take 20% of the fund while the rest will be donated to various charities.

NB: I will appreciate your utmost confidentiality in this matter until the task
is accomplished,as I don’t want anything that will Jeopardize my last wish,
due to the fact that I do not want relatives or family members standing in the
way of my last wish. If you are wiling to help in this course kindly reply to
this email to enable my lawyer contact you.

Some personal questions?
Are you married?
How old are you?
Your Phone Number/Fax?
What kind of work / business do you do?

Love,
Caroline smith.

Wow… heart-wrenching story. How brave she is to face death and try to help all those folks with all her money. Notice how “she” asks for some personal information that could probably be used to validate your identity or at least social-engineer someone into thinking she was actually you?

Hey Caroline… I’ll tell ya what. I will give you an address you can ship the cash to. I prefer $20s, but I will take $100s if that’s easier. Please don’t send any checks or request any wire-transfer info and I don’t want to hear from you afterwards.

Let’s see what’s in the mail header:

Hrm… return address is “nobody@cp.webbingxchange.net”… I guess they didn’t want any bounces coming back to them on this email. No surprises there.

From caroline smith Tue Aug 18 10:06:33 2009
X-Apparently-To: me@yahoo.com via 209.191.69.52; Tue, 18 Aug 2009 03:11:36 -0700
Return-Path:
X-YMailISG: pZ.bqJEWLDtjLRpIqN7yt31JvyN3UI9kxDgiOkW.Qkv0qD9dBLdQW2Hwf1KnPcamP_1
GoMSz4EDh8lI3zo7H90Npo409_ENPqnL5A_GLCZgapbAPxFD3KkZU4NCSJRTgQ.wE
ixTlFE9yZirAdh.D5VXOy2u3YonjsxGNxSFKWB5jdeZ0mQAS141xA_HCA6XItmi0Apv
QUSOD90xssRAOj.73itjg9LSFwjYiO5GeRvaW5wxb9zO9.3amQ_sXyDvtQ50UAN6gS
fFWRJrns_uqXQILivObs3AvXDXygXtzK1CL2VEQk92LmKwbC2RfdwyElo8YYf63Qe8A
9nZM_a4EcMKwIp7KQ_ZnOJ9XiY6QOq5mBn4LJR9.BpL6Es_FOAoPzmyV3g0-
X-Originating-IP: [202.186.96.91]
Authentication-Results: mta413.mail.re4.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received: from 202.186.96.91 (EHLO cp.webbingxchange.net) (202.186.96.91)
by mta413.mail.re4.yahoo.com with SMTP; Tue, 18 Aug 2009 03:11:36 -0700
Received: from nobody by cp.webbingxchange.net with local (Exim 4.69)
(envelope-from
)
id 1MdLaL-0003D9-Nr
for me@yahoo.com; Tue, 18 Aug 2009 18:06:33 +0800
To: me@yahoo.com
Subject: IT CAN HAPPEN TO ANY ONE
From: caroline smith
Reply-To: carolinesmith0@yahoo.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Tue, 18 Aug 2009 18:06:33 +0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cp.webbingxchange.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - cp.webbingxchange.net
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: malaysiaweb.info:/public_html/abjad/images
Content-Length: 2517
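The same reading of the headers done in code, as an added example that is not part of the original post. The sample header block is reconstructed from the headers quoted above, trimmed to the fields used: Return-Path and envelope-from carry the nobody@cp.webbingxchange.net address the post names, and since the From mailbox itself is not shown on the page, a placeholder local part at the claimed domain (yahoo.com) stands in for it. The checks are the ones a practitioner would make by eye: the From domain against the envelope domain and the handing-off host, the absence of a DomainKeys/DKIM signature for the claimed domain, and the cPanel/Exim trace showing the message was injected locally by the web server (httpd) from a script under an images directory on malaysiaweb.info, not sent from a mail client.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted above, trimmed to the fields used here.
# Return-Path / envelope-from are the address the post names; the From mailbox
# is not shown on the page, so "placeholder@yahoo.com" is an assumption.
RAW_HEADERS = """\
X-Apparently-To: me@yahoo.com via 209.191.69.52; Tue, 18 Aug 2009 03:11:36 -0700
Return-Path: <nobody@cp.webbingxchange.net>
X-Originating-IP: [202.186.96.91]
Authentication-Results: mta413.mail.re4.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)
Received: from 202.186.96.91 (EHLO cp.webbingxchange.net) (202.186.96.91)
  by mta413.mail.re4.yahoo.com with SMTP; Tue, 18 Aug 2009 03:11:36 -0700
Received: from nobody by cp.webbingxchange.net with local (Exim 4.69)
  (envelope-from <nobody@cp.webbingxchange.net>)
  id 1MdLaL-0003D9-Nr
  for me@yahoo.com; Tue, 18 Aug 2009 18:06:33 +0800
To: me@yahoo.com
Subject: IT CAN HAPPEN TO ANY ONE
From: caroline smith <placeholder@yahoo.com>
Reply-To: carolinesmith0@yahoo.com
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: malaysiaweb.info:/public_html/abjad/images

"""


def domain_of(header_value: str) -> str:
    """Domain part of the first mailbox in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw: str) -> dict:
    """Extract the hop and sender facts from a header block and flag the
    inconsistencies that mark a forged 'from a Yahoo user' message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    findings = []

    # Each MTA prepends its own Received line, so received[0] was written by
    # the recipient's MTA and received[-1] is the earliest hop recorded.
    edge = re.search(r"from (\S+) \(EHLO (\S+)\) \((\S+)\)", received[0]) if received else None
    helo_host = edge.group(2) if edge else ""
    connecting_ip = edge.group(3) if edge else ""

    origin_ip = msg.get("X-Originating-IP", "").strip("[] ")
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    if from_domain and from_domain != return_path_domain:
        findings.append("from/envelope domain mismatch")
    # Heuristic: mail claiming a big provider's domain normally arrives from
    # that provider's own hosts.
    if from_domain and helo_host and helo_host != from_domain \
            and not helo_host.endswith("." + from_domain):
        findings.append("claimed sender domain did not hand off the message")
    if "no sig" in msg.get("Authentication-Results", ""):
        findings.append("no DomainKeys/DKIM signature for claimed domain")
    # Exim 'from nobody ... with local' means a local process on the box
    # injected the mail, not a client talking SMTP.
    if received and re.search(r"\bfrom nobody\b.*\bwith local\b", received[-1], re.S):
        findings.append("injected locally by an unprivileged process")
    # cPanel's X-Source headers name the injecting process and its directory.
    if "httpd" in msg.get("X-Source-Args", ""):
        findings.append("sending process is the web server")
    if msg.get("X-Source-Dir", "").rstrip("/").endswith("/images"):
        findings.append("script ran from a static-content directory")

    return {
        "connecting_ip": connecting_ip,
        "helo_host": helo_host,
        "origin_ip": origin_ip,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to": reply_to,
        "findings": findings,
    }
```

The connecting IP is what goes to whois (as the post does next) and, together with the full header block, to the abuse contact the registry lists; the X-Source-Dir line is the more useful lead for the hosting provider, since it points at the script that needs removing rather than at a mailbox that was never compromised.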

Oh… I wonder why Caroline needs to use a server in Kuala Lumpur to send email to me? She must be spending her last days out there in KL. Could we make a movie “Dying in KL” about her?

mbp01:~ user$ whois 202.186.96.91

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-info/whois_search
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse.
RegDate: 1994-04-05
Updated: 2009-06-01

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2009-08-17 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.186.0.0 - 202.187.255.255
netname: JARING-MY
descr: JARING Communications Sdn Bhd
descr: Technology Park Malaysia
descr: 57000 Kuala Lumpur
country: MY
admin-c: JIA1-AP
tech-c: JIA1-AP
remarks: service provider
notify: ip-request@jaring.my
notify: abuse@jaring.my
mnt-by: APNIC-HM
mnt-lower: MAINT-JARING-AP
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20031124
changed: hm-changed@apnic.net 20070709
changed: hm-changed@apnic.net 20070711
source: APNIC

role: JARING IP Administrator
address: JARING Communications Sdn Bhd
address: Technology Park Malaysia
address: 57000 Bukit Jalil
address: Kuala Lumpur
country: MY
phone: +603 8657 5000
fax-no: +603 8996 8250
e-mail: ip-request@jaring.my
trouble: send spam and abuse reports
trouble: to abuse@jaring.my
trouble: Please include detailed information
trouble: including header or full log
trouble: and time in GMT
admin-c: MBA1-AP
tech-c: IA2-AP
nic-hdl: JIA1-AP
remarks: http://www.jaring.my
notify: ip-request@jaring.my
notify: abuse@jaring.my
mnt-by: MAINT-JARING-AP
changed: ip-request@jaring.my 20070416
source: APNIC

Obviously, just because the email server is in KL, doesn’t mean that she is. I just find it funny though that these things float around. Funny and sad because if no one fell for them, we’d never see them.

Server uses cPanel. They never bothered to configure the website for it though.

screenie