Warning: Something's Not Right Here!

hype-free.blogspot.com contains content from randaclay.com
, a site known to distribute malware.
Your computer might catch a virus if you visit this site.
...

The source of the warning is the image / link in the comment form, which I have now removed (or more precisely replaced with a local copy). It seems that the randaclay.com has been hacked and thus it is classified as malicious by Google, which in turn leads to all sites linking to it being marked a potentially malicious. So, while I’m sorry for doing this, I will remove the links to their site until they manage to resolve the issue and will mirror their manifesto below:

Almost all blog platforms by default are set up so that a “dead end” piece of code is inserted wherever there is a link in a comment, so that search engines will not “count” the link as they are crawling the internet. This was originally designed to help stop comment spam, but it doesn’t work. What it does is remove some of the incentive for your readers contribute to your site by commenting on your posts.

What can you do about it? Turn off “nofollow”. Show your commenters that you appreciate them. Spread the link love.

• Customizable (password length, types of characters included, etc)
• Secure (it doesn’t communicate over the network, hence no need for SSL)
• Fully reviewable (as opposed to server-based solutions, where you have to trust the server)

The only flaw it had (as pointed out by a commenter) was the fact that passwords didn’t always include all the characters you’ve selected (ie. the checkboxes represented “possible” not “mandatory” characters, which was a little counter-intuitive).

I’ve thought about how to create passwords which included at least one character from each set. My first ideas were around generating a password, then checking that it contained at least one character from each set and if not, replacing some of the characters with ones from the missing set. However this train of thought quickly ran into problems when I had to decide which character to replace. Choosing something fixed (like the first one, last one, etc) is too predictable. If I choose a random one, I run the risk of overwriting previous change. So finally I realized that there is a simple solution: just re-generate the password until it satisfies all of the constraints. Although this might seem like a brute-force solution, in practice its speed is indistinguishable from a constant-time solution.

Below you have the new and improved YARPG:

I’ve also updated the original posting. You can get the source code for it by looking at the source of this webpage, or from my SVN repository: js_password_generator.html. Hopefully you find it useful!

Picture taken from cjc4454’s photostream with permission.

You make a good point, and it is one I often make about encryption. There are just too many standards out there for any smooth communication to occur. I think there are some companies who are getting it right with their approach to malware, but many malware just can’t seem to get their fundamentals down.

I didn’t remove the links, since they point to complete benign sites (sophos.com and kaspersky.com). Mike’s profile is private, but a quick search shows many other spammy comments. Unfortunately there doesn’t seem to be a way to report individual Blogger users as spammers, just actual blogs.

BTW. the same comment spam seems to have hit at least one other security blog. From the screenshot it seems that the spammer also uses the Blogger name MikeFrizzi, which seems to be linked to a real person, but then again, it is quite easy to create realistically looking “shadow identities” for people by scraping other websites.

This is as much as a quick search revealed and I would like to leave you with the following thoughts:

• Do comment moderation, at least retroactively if not proactively (small plug: I do moderate comments, but for the ones I approve the username links are without the nofollow tag – as per the u comment, i follow “ethos”)
• There is very little certainty on the Internet. Just because someone claims to be somebody (like the MikeFrizzi profile), it doesn’t mean he actually is that person.
• Also, the link between spam and the actual company being promoted is hard to prove. I don’t think that Sophos or Kaspersky were spamming here directly, but I do think it’s possible that some remotely connected company (ie. something along the lines of “a company hired by the outsourced marketing department”) did in fact employ such dubious (and useless, since in Blogger all the links in comments are “nofollow’ed”) techniques.
• Or, it may be, that some blackhats want to give the impression that these companies are spamming to erode their credibility…

Update: Sophos confirmed that it was a run-amok “marketing” company hired by them who posted the spam.

Picture taken from madmarv00’s photostream with permission.

• Error Level Analyser
• ELC – Error Level Compare
• ELA From Scratch

You might also find this paper interesting.

All in all, the most interesting thing for me was the fact professional image manipulators (ok, I just made that word up, meaning “people who know keyboard shortcuts in Photoshop”) repeatedly re-save the same image in lossy formats like JPEG, thus compounding the loss of quality. Then again, one should never underestimate human stupidity.

Picture taken from Elsie esq.’s photostream with permission.

Now I have no idea about the relative size of this subset (or if the companies have it, or how they can collect it for that matter), but I find the idea that marketing material put “out there” can backfire amusing :-).

Picture taken from tigger1fic’s photostream with permission.

Trouble is that their only recommendation is to “remind everyone to backup their important files regularly” (coincidentally – sarcasm, sarcasm – they have an online backup component in their suite). They could have at least mentioned that Sunbelt provides a tool which may decrypt the files (I say may, because I didn’t actually try the tool). This is even more inexplicable given the fact that they got the samples from Sunbelt (“Many thanks to Adam Thomas from Sunbelt for providing samples of the dropper”).

Shame on you F-Secure for putting a (possible) financial interest before the interest of your users!

So I don’t know about you, but instead of claiming that pure self-interest is the solution, I will go with:

Everything in moderation – including moderation.

Picture taken from d3stiny_sm4sher’s photostream with permission.

PS. Who wants to bet that – if these claims are bought to F-Secure’s attention – they will claim that they didn’t know about the removal tool?

Update: I’m not singling out F-Secure here, Zarestel Ferrer from CA just made a very similar blogpost: here are the facts (he did include some more technical detail, which is nice for us, security geeks), you should have used a security product to keep it out:

CA advises to keep your security products signature updated to prevent this kind of ransomware.

The plus side: he doesn’t pimp his company’s product necessarily. The minus: he doesn’t link to the Sunbelt decryption tool either. On the plus side, there is a comment facility on their website which could be used by visitors to mention the tool and thus help out people who lost data, but on the negative side: it doesn’t work, not even with IE!.

Before Christmas Bob decided to treat himself with a Wii Fit (yes, the only thing which came of it was a machine telling him that he is fat – don’t ask :-p). Looking around several places he finally decided to go with a supermarket, since it was the cheapest choice (by about 30 EUR). He picked it up and rushed trough checkout. After paying he realized that the anti-theft system wasn’t removed, but since it didn’t beep when exiting the store he figured that it should be ok.

So he rushes home and cuts one of the wires (sidenote: with very low-tech equipment it took less than two minutes to do that. Using something professional, yet still discreet enough to fit in a pocket, it would take less than 30 seconds). And behold: it started to beep. The beep was somewhat loud, but not so loud as to be heard outside of an apartment, especially when put in some kind of acoustic insulation. Most probably it would attract attention in a supermarket though. And thus the alarm system met its maker a hammer and was promptly silenced. Just for the fun of it, Bob decided to take it completely apart to see how it worked:

Ideas / lessons / thoughts:

• The construction is not that robust and would quickly give way if a determined / knowledgeable attacker was picking away at it (physical force is optional)
• It is powered by four small batteries. In fact, it is very easy to deactivate by using Philips a screwdriver and removing the batteries. In what Bob can only assume to be standard operating procedure, the battery access was oriented towards the box and became accessible only after the unit was removed from the box
• It would be interesting to try the following experiment, cut the insulation in two places on one of the wires. Link together the two cuts with a good conductor (like a copper wire). Now cut it in the middle. If the system isn’t watching for fluctuations in the resistance, just for contact / no contact it should work (which is probably the case, since the alarm didn’t trigger until Bob fully cut trough the cable, even though he partially cut it before)
• There are actually two pair of wires crossed rather than one long wire. The “normal” deactivation mechanism is probably a magnet which allows the case to be turned counter-clockwise (this is normally blocked by the combination of metallic plate (upper side of the picture) and the white ring (which was “teeth” oriented in one direction). Crafting a small deactivation device seems also rather easy.

My conclusion is that (similar to infosec) “you don’t have to outrun the bear, only your friend” – meaning that you only have to raise the bar a little to eliminate most of the problems. Then again, one should go into such endeavors with “eyes open” and knowing the limitation of the technology (which very few vendors will tell you). And, as always, it will annoy your customers!

• Whole Product Dynamic Test
• Performance Test
• Summary Reports

Go read them if you have questions like “which product is the best for me?”. Thank you Andreas for providing a great and impartial service.

PS. One surprising thing for me was the high detection rates in the dynamic test – upward of 90%. This indicates that either I’m too much of a cynic or that their crawler system still has room to improve – I would expect AV products to be around 60-70% effective against new threats.

• Schneier-Ranum face-off, part1: The future of information security
• Schneier-Ranum face-off, part 2: Social networking
• Schneier-Ranum face-off, part 3: Compliance and security
• Schneier-Ranum face-off, part 4: Cybersecurity coordinator
• Schneier-Ranum face-off part 5: Security metrics
• Schneier-Ranum face-off part 6: Audience questions

And here are some Schneier only videos (the first video has some audio problems in the first 3 minutes, but it gets better afterwards):

A Hungarian online news site published an article titled “Hackers tried to steal user data from Amazon” (here is a somewhat usable automatic translation for the non-Hungarian speakers). I assume that the information went like this:

What happened –> What the security company has written up about it –> What the “journalist” understood –> What s/he actually wrote.

What actually happened is that an Amazon EC2 rented to a third party was being used as a C&C server for a botnet. No Amazon user data compromise here, move along (also, this isn’t a new phenomenon at all).

To top it off, the article talks about the security issues involved in cloud computing. Surely they are paid by buzzwords / paragraph :-p.

As if you needed further proof that a large percentage of the news out there is false, even when there is no intent to “spin” it. Newer attribute to malice what can be explained by stupidity I suppose…

Picture taken from bignoseduglyguy’s photostream with permission.