17-10-07

unofficial patch for Windows URI bug

Researcher posts unofficial patch for Windows URI bug

A researcher beat Microsoft to the patch punch Sunday by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7.

KJK::Hyperion, a.k.a. "Hackbunny," a researcher believed to live in Italy, posted a link to the 16KB patch on both his Web site and the Full Disclosure security mailing list Sunday. KJK's patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalization of valid URLs. Normalization here means canonicalizing the URI before it is handed to the registered protocol handler: lowercasing the scheme and host, fixing up percent-encoding, and the like. Search engines use similar URL normalization (which can also include stripping the "www" part of the address) to reduce indexing of duplicate pages.
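As an added illustration of the two things the patch is described as doing (refuse malformed URIs, canonicalize valid ones), here is a small Python validator written for this page; it is not KJK's patch and not Microsoft code. It follows RFC 3986: the scheme must match the RFC grammar, every character must belong to the URI character set (so quotes, spaces, backslashes and control characters are refused), every "%" must introduce two hex digits, and normalization lowercases the scheme and host and decodes percent-encoded unreserved characters. The optional scheme allowlist is an assumption about how a dispatcher would call it, and the sample inputs are constructed.

```python
import re
from typing import Optional

# RFC 3986 building blocks
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
URI_CHARS = UNRESERVED | set(":/?#[]@!$&'()*+,;=%")


def _normalize_pct(text: str) -> str:
    """Decode percent-encoded unreserved characters, upper-case the rest (RFC 3986 6.2.2)."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return PCT_RE.sub(fix, text)


def normalize_uri(uri: str, allowed_schemes=None) -> Optional[str]:
    """Return the canonical form of uri, or None if it is malformed or not allowed.

    A dispatcher that hands URIs to protocol handlers should refuse anything
    that comes back as None instead of passing it on.  allowed_schemes is an
    assumed policy hook: when given, only those schemes are accepted.
    """
    m = SCHEME_RE.match(uri)
    if not m:
        return None                      # no scheme, or a scheme outside the RFC grammar
    scheme, rest = m.group(1).lower(), m.group(2)
    if allowed_schemes is not None and scheme not in allowed_schemes:
        return None
    # Reject any character outside the URI character set: quotes, spaces,
    # backslashes, control characters and non-ASCII all end up here.
    if any(c not in URI_CHARS for c in rest):
        return None
    # Every '%' must introduce exactly two hex digits; a bare '%' is malformed.
    if len(PCT_RE.findall(rest)) != rest.count("%"):
        return None
    rest = _normalize_pct(rest)
    if rest.startswith("//"):
        # Hierarchical URI with an authority: lower-case the host part only,
        # leaving userinfo and path untouched.
        authority, sep, tail = rest[2:].partition("/")
        userinfo, at, hostport = authority.rpartition("@")
        rest = "//" + userinfo + at + hostport.lower() + sep + tail
    return scheme + ":" + rest


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real report.
    for sample in ("HTTP://www.Example.COM/%7efoo/%2fbar",
                   "mailto:user@example.com",
                   "mailto:test%../foo",
                   'mailto:a"b'):
        print(repr(sample), "->", repr(normalize_uri(sample)))
```

The check on percent-encoding and on the character set is what turns "block malformed URLs" into a concrete rule; the lowercasing and unreserved-decoding steps are the standard RFC 3986 syntax-based normalization, so two spellings of the same URI reach the handler in one canonical form.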

Users who apply the patch do so at their own risk, KJK warned. "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care," he said in the notes accompanying the fix. "It has a very good chance of misbehaving and making your system unusable."

His patch targets the URI (Uniform Resource Identifier) vulnerability that Microsoft acknowledged last week. On Thursday, the company's security group issued an advisory that spelled out the problem, which could allow attackers to compromise systems running Internet Explorer 7 if users clicked on malicious links embedded in e-mail messages or posted on a Web page. Microsoft also said it would release a fix but would not commit to a schedule.

"The update will be part of our normal product update process [and] will be released as soon as we feel it's ready," said Mark Miller, director of the Microsoft Security Response Center, last week.

Microsoft typically takes a dim view of third-party patches like the one KJK posted. Although it did not immediately reply to a request for comment Monday, in past cases, it has cautioned users against deploying any unsanctioned fix.

Symantec gave much the same warning to customers of its DeepSight threat network Monday. In the advisory, Symantec said it had not been able to verify the integrity of KJK's work and told users to "use extreme caution when using patches from third-party sources."

The unsanctioned patch can be downloaded from KJK's Web site.

14:41 Posted by technology changes fast not a lot in General

15-10-07

Hack of the week (RTBF)

from be-hacked.skynetblogs.be and zone-h.org

An archive of about 700 hacks of Belgian .be websites can be found here:

http://be-hacked.skynetblogs.be

The RSS updates coming from furl.net seem to have a technical hiccup for now, and if they can't fix it, then I will resolve the updates another way in the next few days.

Over the weekend the FreeBSD servers of the RTBF were defaced, so many of their websites showed a different page, this time from Iranian hackers being a bit too radioactive. Luckily it wasn't Flemish extremists posting messages about the end of Belgium and so forth; that would have made headlines all over the place.

Time for a security check-up before others try the same thing. Once hacked, always attacked. It would also be interesting to know how long it takes to get everything up and running again with the holes closed.

[screenshot: bot_004]


How long does it take to close down a fraudulent paypal site

Very long

If you read the blog post by F-Secure about finding a specific PayPal phishing setup on 16 September,

and then google the same terms, you will find the following sites still up and running and collecting your PayPal credentials - thank you


209209 Host Locked.paypal-accounts1.com/
209209 Host Locked.paypal-accounts-login.com/
209209 Host Locked.paypal1-login.com/
209209 Host Locked.paypal-user-update.com/
209209 Host Locked.paypal-team.com/
209209 Host Locked.paypal-accounts-update.com/
209209 Host Locked.paypal-online-account.com/
209209 Host Locked.paypal-support1.com/
209209 Host Locked.paypal-account-protection.com/

A few remarks

* First, it is incredible that anyone can register a domain like that without any limits. PayPal is a trademark and a financial business, so you should know that if the registration doesn't come from PayPal it is a fraud. The registrars and domain handlers have to be made accountable for such negligence; they are not acting as a "good family father" (the standard of reasonable care in Belgian law). They should proceed with caution when they receive requests for such registrations. I don't think it would be too hard to draw up a list of a thousand names of institutions and payment methods whose use in domain names should be restricted.

* Secondly, it is quite amazing that these websites haven't been taken down nearly a month after they were made public. I thought PayPal had a take-down anti-fraud operation, or was paying someone to do this for them.

* You should try to block these sites, find a way to whitelist only the legitimate links, and teach your users about phishing, with rule number one being NEVER CLICK ON LINKS TO PAYPAL. Always type your financial URLs by hand in a NEW browser window.
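The first and third remarks above describe the same check from two sides: a list of protected brand names that should not appear in arbitrary domain registrations, and a local blocklist/whitelist so that only the real PayPal domain gets through. The Python below is an added example written for this page, not a tool from PayPal, a registrar or the original post. It treats a hostname as suspicious when it carries a protected brand token but its registrable domain is not one of the brand's legitimate apexes, folding out hyphens and common digit substitutions so pay-pal and paypa1 still match. The brand table, the substitution table and the sample hostnames (the ones listed above plus a few constructed legitimate and lookalike ones) are assumptions for the demo.

```python
import re

# Brand tokens mapped to the registrable domains that may legitimately carry them.
# Constructed for this example; a production list would hold the "thousand names"
# the post asks for, maintained as a file rather than a literal.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
}

# Digit/symbol substitutions commonly used to dodge naive string matching (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

# Hostnames taken from the list above plus a few constructed legitimate and lookalike ones.
SAMPLE_HOSTS = [
    "paypal-accounts1.com", "paypal-accounts-login.com", "paypal1-login.com",
    "paypal-user-update.com", "paypal-team.com", "paypal-accounts-update.com",
    "paypal-online-account.com", "paypal-support1.com", "paypal-account-protection.com",
    "www.paypal.com", "paypal.com.secure-login.example", "example.org",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.

    Caveat: this ignores multi-label public suffixes such as co.uk; a real tool
    should consult the Public Suffix List instead of counting labels.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(host: str) -> str:
    """'legitimate' if the host sits under an allowed apex, 'suspicious' if it
    carries a protected brand anywhere else, 'unknown' if no brand appears."""
    host = host.strip().lower().rstrip("/").rstrip(".")
    # Collapse separators and leet substitutions so pay-pal / paypa1 still hit the token.
    folded = host.translate(LEET).replace("-", "").replace("_", "")
    for brand, allowed_apexes in PROTECTED_BRANDS.items():
        if brand in folded:
            return "legitimate" if registrable_domain(host) in allowed_apexes else "suspicious"
    return "unknown"


def build_blocklist(hosts):
    """Sorted list of hosts to feed to a proxy or DNS blocklist."""
    return sorted({h.strip().lower().rstrip("/") for h in hosts if classify(h) == "suspicious"})


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40} {classify(h)}")
    print("blocklist:", build_blocklist(SAMPLE_HOSTS))
```

Matching on the folded hostname rather than on the raw string is what catches paypal1-login.com and paypal.com.secure-login.example alike; the whitelist side is the apex check, which lets www.paypal.com through without listing every legitimate subdomain.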


Belgacom-infected botnet attacks give Belgium bronze in the botnet battle

Could it be true what sources are telling us? That the Russian problem on our Belgian net is bigger than the media lead us to believe?

The numbers on this international attack monitoring site may give us more info

http://atlas.arbor.net/cc/BE 

For the moment we are the third country in the whole world infected by attacks and attacking others just behind China and the US. Wow this little country can be famous in so many mysterious ways.

The traffic is mostly to Windows ports 445 and 135, and some 139.

According to Atlas, 80% of these attacks exploit the ASN.1 vulnerability CVE-2003-0818 (patched by Microsoft in MS04-007):

Age: 1321 days. Severity: High. CVSS Score: 7.0
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

and for this kind of attack we have won the Olympic gold medal:

[screenshot: bot_001]

 

And the Belgacom network is the main source of the attack:

 

[screenshot: bot_002]

 

and the main sources are:

 

[screenshot: bot_003]

 

We are also conducting botnet DDoS attacks against others, which is what you would expect from infected machines, and scanning for other vulnerable computers.

And further down the page you can see that there is actually one botnet behind this.

So how much time will it take to bring down 1 (you read that right) botnet and clean up the mess of infected PCs and servers (before another botnet recruits them)?

Tips for network admins

* Block all ICQ traffic on your firewall if you haven't done so already, and IRC as well. Period. Why? Because botnet commands come over these chat protocols (IRC above all). Also block, on every port, any destination with ICQ in its name. And are you sure everybody needs plain FTP on port 21? Or that every PC has to be its own mail server on port 25?

* Look in your firewall logs for internal scanning traffic; this is easy if you divert all unanswered scanning traffic (connections to non-existent servers, for example) and log it. Throw the PCs and servers that are wildly scanning your internal network off the network. Period. Disinfect and monitor them, and if that isn't successful you will need an anti-rootkit tool; in the worst case the PC or server is lost, and you will have to back up the documents to a separate medium and completely reinstall it.

* Contact the network admins of the official networks or the ISPs about Belgian-based scanning and attacking traffic. You can try eCops or the BIPT, but I am not sure they already have a cyber-infrastructure defence procedure. ...

* Limit your outbound traffic to normal ports (for users this would only be 80, 8000, 8080, 443, and 53 if you don't have an internal DNS relay server, ...).

* I presume that your PCs and servers are all updated and have antivirus, a firewall and so on?

And please, help those guys by placing more monitors: http://www.arbornetworks.com/atlas_register.php
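The tips above boil down to two detections you can run over firewall logs: internal hosts sweeping the worm ports the post names (445, 135, 139) across many neighbours, and internal hosts making outbound connections on ports outside the small allowed set, with chat ports singled out as likely command traffic. The Python below is an added example written for this page, not an Arbor or Belgacom tool. It parses iptables-style LOG lines, whose format and contents are constructed here; the internal range, the allowed-port policy, the scan threshold and the port labels (6667-6669 for IRC, 5190 for ICQ) are assumptions taken from the post's own list.

```python
import ipaddress
import re
from collections import defaultdict

# Ports a normal user workstation needs outbound; everything else is flagged (policy assumed from the post).
ALLOWED_OUTBOUND = {80, 443, 53, 8000, 8080}
# Ports the post singles out as worm traffic, and the chat ports it wants blocked (assumed labels).
SCAN_PORTS = {445, 135, 139}
C2_PORT_LABELS = {6667: "irc", 6668: "irc", 6669: "irc", 5190: "icq"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
SCAN_THRESHOLD = 20   # distinct targets on a worm port before a host counts as a scanner

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def build_sample_log():
    """Constructed iptables-style log lines, not a real capture."""
    lines = []
    # 10.0.1.23 sweeps 25 internal hosts on 445: classic worm behaviour
    for i in range(1, 26):
        lines.append(f"IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=10.0.4.{i} PROTO=TCP SPT=1034 DPT=445 SYN")
    # 10.0.1.40 does ordinary web browsing
    lines.append("IN=eth1 OUT=eth0 SRC=10.0.1.40 DST=198.51.100.7 PROTO=TCP SPT=2201 DPT=80 SYN")
    lines.append("IN=eth1 OUT=eth0 SRC=10.0.1.40 DST=198.51.100.7 PROTO=TCP SPT=2202 DPT=443 SYN")
    # 10.0.2.9 talks to an external IRC server and acts as its own mail server
    lines.append("IN=eth1 OUT=eth0 SRC=10.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=3100 DPT=6667 SYN")
    lines.append("IN=eth1 OUT=eth0 SRC=10.0.2.9 DST=203.0.113.9 PROTO=TCP SPT=3101 DPT=25 SYN")
    return lines


def parse(lines):
    """Yield (src, dst, dport) for every line that carries the fields we need."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), int(m.group(3))


def analyse(lines):
    """Return internal scanners (host -> distinct victims) and outbound policy violations."""
    victims = defaultdict(set)
    violations = defaultdict(list)
    for src, dst, dport in parse(lines):
        if src not in INTERNAL:
            continue                                   # only our own hosts are of interest
        if dport in SCAN_PORTS and dst in INTERNAL:
            victims[str(src)].add(str(dst))            # internal sweep on a worm port
        elif dst not in INTERNAL and dport not in ALLOWED_OUTBOUND:
            label = C2_PORT_LABELS.get(dport, "other")
            violations[str(src)].append((str(dst), dport, label))
    scanners = {h: len(v) for h, v in victims.items() if len(v) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "violations": dict(violations)}


if __name__ == "__main__":
    report = analyse(build_sample_log())
    for host, n in report["scanners"].items():
        print(f"SCANNER  {host}: {n} distinct internal targets on worm ports")
    for host, hits in report["violations"].items():
        for dst, port, label in hits:
            print(f"OUTBOUND {host} -> {dst}:{port} ({label})")
```

Counting distinct destinations rather than raw packets is what separates a worm sweep from a busy file server; the outbound check is the egress policy from the tips, with the chat ports labelled so the IRC connection stands out from a merely unusual port.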


14-10-07

More than 500 other Belgian sites with porn- and spam-infected comments

buy levitra viagra porn site:.be   Put this in Google and replace .be with the name of your site.

The problem with this spam is that it makes it possible to insert links that take the reader straight to another site, where he can end up infected with malware and other stuff if he isn't patched, updated or protected.


Public Comment portal of Belgian tax administration overwhelmed by spam and porn

http://annuaire.fiscus.fgov.be/loqw/livre.php?page=11&...

There are currently 380364 comments

http://annuaire.fiscus.fgov.be/loqw/rechlivre.php?lang=nl...  and when you search for porn in these thousands of comments, you get thousands of results.


The official Flanders website loves spam and porn as comments

They have to learn a few things about filtering and other methods to keep their comments clean.

http://www3.vlaanderen.be/bestuurszaken/nucms/index.php?itemid=445  

06 November: Minister Geert Bourgeois investigates integrated e-government for all levels of government

On behalf of the minister, CORVE is outsourcing a study that should produce a blueprint for inter-governmental e-government. This study will comprise a set of actions and recommendations indicating how the Flemish government can best support all local authorities, regardless of their capacity. The study is also being guided by the Flemish Association of Cities and Municipalities, the Flemish Association of Provinces and the Policy Research Centre for Governmental Organisation (SBOV), in order to build the broadest possible support. Read the press release of 23/10 on the CORVE site.

Comments

Comment by John on 13 October
free sex galleries <a href=" http://weblog.xanga.com/ron... ">free sex galleries</a> free sex movies <a href=" http://weblog.xanga.com/ron... ">free sex movies</a> free sex pics <a href=" http://weblog.xanga.com/ron... ">free sex pics</a> free sex stories <a href=" http://weblog.xanga.com/ron... ">free sex stories</a> free sex teen <a href=" http://weblog.xanga.com/ron... ">free sex teen</a> free sex teen

 

Comment by John on 13 October
<a href=" http://www.freewebtown.com/... ">pictuers cartoons sex</a> <a href=" http://www.freewebtown.com/... ">sex movie dome</a> <a href=" http://www.freewebtown.com/... ">sex postions</a> <a href=" http://www.freewebtown.com/... ">bisexual playground</a> <a href=" http://www.freewebtown.com/... ">sex shop mexico</a>

 

Comment by coop on 13 October
HI! http://3.gerbery.cn/index.html zoids chase mp3
http://3.gerbery.cn/zoids-c... zoids chase mp3
http://3.gerbery.cn/ozzy-fu... ozzy fudd mp3
and many others

 

Comment by coop on 13 October
HI! http://3.gerbery.cn/index.html zoids chase mp3
http://3.gerbery.cn/zoids-c... zoids chase mp3
http://3.gerbery.cn/ozzy-fu... ozzy fudd mp3
and many others

 

Comment by vias on 13 October
Hello! http://3.gerbery.cn/mp3-sou... mp3 sound editor
http://3.gerbery.cn/mp3-son... mp3 song indonesia
http://3.gerbery.cn/mp3-sha... mp3 sharing program
and many others

 

Comment by vias on 13 October
Hello! http://3.gerbery.cn/mp3-sou... mp3 sound editor
http://3.gerbery.cn/mp3-son... mp3 song indonesia
http://3.gerbery.cn/mp3-sha... mp3 sharing program
http://3.gerbery.cn/mp3-rec... mp3 recorder usb
http://3.gerbery.cn/mp3-pol... mp3 polly nirvana
http://3.gerbery.cn/mp3-pla... mp3 player recording
and many others

 

Comment by vias on 13 October
Hello! http://3.gerbery.cn/mp3-sou... mp3 sound editor
http://3.gerbery.cn/mp3-son... mp3 song indonesia
and many others

 

Comment by John on 13 October
<a href=" http://www.freewebtown.com/... ">sex info</a> <a href=" http://www.freewebtown.com/... ">celebrity sex tapes</a> <a href=" http://www.freewebtown.com/... ">free sexy mifs</a> <a href=" http://www.freewebtown.com/... ">double penetration sex</a> <a href=" http://www.freewebtown.com/... ">sexual punishment</a>

 

Comment by John on 13 October
free teen sex <a href=" http://weblog.xanga.com/ron... ">free teen sex</a> free trailer videos xxx <a href=" http://weblog.xanga.com/ron... ">free trailer videos xxx</a> free world porn free <a href=" http://weblog.xanga.com/ron... ">free world porn free</a> free xxx movies <a href=" http://weblog.xanga.com/ron... ">free xxx movies</a> free xxx passwords <a href=" http://weblog.xanga.com/ron... ">free xxx passwords</a> free xxx passwords

 

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">free animal sex</a> <a href=" http://www.freewebtown.com/... ">sexy poses</a> <a href=" http://www.freewebtown.com/... ">wildsex</a> <a href=" http://www.freewebtown.com/... ">sexywomen</a> <a href=" http://www.freewebtown.com/... ">sexy panties</a>

 

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">sex with horses</a> <a href=" http://www.freewebtown.com/... ">sexru teens</a> <a href=" http://www.freewebtown.com/... ">sexy mifs</a> <a href=" http://www.freewebtown.com/... ">weird sex</a> <a href=" http://www.freewebtown.com/... ">midget sex</a>

 

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">farm animal sex</a> <a href=" http://www.freewebtown.com/... ">bombay sex</a> <a href=" http://www.freewebtown.com/... ">sex talk</a> <a href=" http://www.freewebtown.com/... ">prego sex</a> <a href=" http://www.freewebtown.com/... ">sex personals</a>

 

Comment by davip on 14 October

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">ashanti sex tape</a> <a href=" http://www.freewebtown.com/... ">sex position pictures</a> <a href=" http://www.freewebtown.com/... ">el sex shemales</a> <a href=" http://www.freewebtown.com/... ">sexy butts</a> <a href=" http://www.freewebtown.com/... ">kinky sex</a>

 

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">sexy fat girls</a> <a href=" http://www.freewebtown.com/... ">sexy and funny</a> <a href=" http://www.freewebtown.com/... ">sex orgy</a> <a href=" http://www.freewebtown.com/... ">sexy fillipina teens</a> <a href=" http://www.freewebtown.com/... ">sexy swimsuits</a>

 

Comment by John on 14 October
<a href=" http://www.freewebtown.com/... ">lesbian porno pics</a> <a href=" http://www.freewebtown.com/... ">sexy schoolgirls lesbian</a> <a href=" http://www.freewebtown.com/... ">lesbian personals</a> <a href=" http://www.freewebtown.com/... ">free lesbian pictures</a> <a href=" http://www.freewebtown.com/... ">lesbian video</a> <a href=" http://www.freewebtown.com/... ">free lesbian pictures</a> <a href=" http://www.freewebtown.com/... ">pics of lesbian sex</a>

Or would they like to boost (sic) their traffic by being among the top results when people search for free music and porn and so on?
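The comments quoted above show the three signals a basic filter on a site like this could use before a comment is published: a pile of links in one submission, a vocabulary of pharma and porn terms, and the same body posted several times in a row. The Python below is an added example written for this page, not code from the Flanders site or from any comment system. The link pattern, the term list, the thresholds and the sample submissions (written in the style of the comments above, not copied from them) are all assumptions for the demo.

```python
import re
from collections import Counter

# A link is either an HTML anchor or a bare URL.
LINK_RE = re.compile(r"<a\s+href=|https?://", re.IGNORECASE)
# Assumed word list, drawn from the comments quoted above; a real filter loads this from a file.
SPAM_TERMS = {"sex", "porn", "xxx", "viagra", "levitra", "mp3"}
MAX_LINKS = 2       # more links than this in one comment is flagged (assumed threshold)
MAX_TERM_HITS = 1   # more than one spam-term hit is flagged (assumed threshold)

# Constructed sample submissions as (author, body), in the style of the comments above.
SAMPLE_COMMENTS = [
    ("lieve", "Good initiative. Will the CORVE study also cover the smaller municipalities?"),
    ("coop", "HI! http://spam.example/index.html zoids chase mp3 "
             "http://spam.example/mp3/ zoids chase mp3 and many others"),
    ("coop", "HI! http://spam.example/index.html zoids chase mp3 "
             "http://spam.example/mp3/ zoids chase mp3 and many others"),
    ("John", '<a href="http://spam.example/a">buy viagra</a> '
             '<a href="http://spam.example/b">buy levitra</a> '
             '<a href="http://spam.example/c">xxx movies</a>'),
]


def score_comment(text):
    """Return (score, reasons) for one comment body; score 0 means nothing suspicious."""
    reasons = []
    links = len(LINK_RE.findall(text))
    if links > MAX_LINKS:
        reasons.append(f"{links} links")
    words = re.findall(r"[a-z0-9]+", text.lower())
    hits = sum(1 for w in words if w in SPAM_TERMS)
    if hits > MAX_TERM_HITS:
        reasons.append(f"{hits} spam terms")
    return len(reasons), reasons


def filter_comments(comments):
    """Classify a batch of (author, body) pairs.

    Bodies that repeat an earlier submission are flagged as well, which catches
    the copy-paste floods visible in the comments above even when the body
    itself would slip past the other two checks.
    """
    seen = Counter()
    verdicts = []
    for author, body in comments:
        score, reasons = score_comment(body)
        key = re.sub(r"\s+", " ", body.strip().lower())   # whitespace-insensitive duplicate key
        if seen[key]:
            reasons.append("duplicate of an earlier comment")
            score += 1
        seen[key] += 1
        verdicts.append((author, "spam" if score else "ok", reasons))
    return verdicts


if __name__ == "__main__":
    for author, verdict, reasons in filter_comments(SAMPLE_COMMENTS):
        print(f"{author:6} {verdict:4} {', '.join(reasons)}")
```

Tokenizing the body before matching terms keeps the check on whole words, so a legitimate word that merely contains a spam term is not hit; the duplicate key is normalized on whitespace so a spammer cannot dodge it by adding a line break.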
