It started as a trickle once before on a forum that I help maintain and turned into a flood when our forum was added to a list used by spammers. We upgraded our software, and the spam stopped dead. Well, over the last few weeks it has started raining again.

Apparently both phpBB's and Gmail's CAPTCHAs have been compromised, so soon the rain might turn into a flood.

Google needs to address this yesterday, heck even turn off new registrations until it is sorted if they have to.

Interestingly, an Akismet-type approach may be the best way in the long run, instead of the poor usability that is a CAPTCHA.

Malvertising is the practice of using internet based advertising to spread malicious software (or malware).

Malvertising can be particularly nasty as it is delivered through websites that users would normally consider highly reputable. A recent high-profile example is MSN Norway.

The malvertising attack vector

Typically malvertising is a Flash-based attack where malicious code is written in ActionScript and then heavily obfuscated in an attempt to hide its true nature. The common attack is a cross-site scripting attack that misdirects the user to a different destination.

How can you protect yourself from malvertising?

As an end user there is not a lot that you can do to protect yourself from this type of attack, as not having Flash installed is not a terribly practical solution. To a large extent you are reliant on Flash, the browser, the operating system and the website owner to do the right thing.

As a site owner, you have two main ways to protect yourself.

  1. Don’t show Flash ads on your site. Only show image-based or text-based advertising.
  2. Insist that your advertising provider has a policy and process for checking all their Flash-based ads.

If you are interested in the technical process of checking ads, there are a number of tools available, such as SWFIntruder.
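As an added example (not code from the original post, nor from SWFIntruder or any advertising provider), here is a Python gate a site owner could run over the creatives a provider delivers, enforcing option 1 above by content rather than by file name: it sniffs the leading bytes and rejects anything that is an SWF container (FWS, CWS or ZWS), whatever extension it carries, and also rejects images whose extension disagrees with their content. The sample creatives are constructed byte strings, and the function names are my own.

```python
"""Content-based gate for ad creatives on a site that serves no Flash ads.

Added example, not from the original post or from SWFIntruder. A creative is
classified from its leading bytes, so an SWF renamed to banner.gif is still
caught; only PNG, GIF and JPEG images whose extension matches the content pass.
"""
from __future__ import annotations

# Magic bytes checked in place of the file name. FWS/CWS/ZWS are the
# uncompressed, zlib-compressed and LZMA-compressed SWF container headers.
_SIGNATURES: tuple[tuple[bytes, str], ...] = (
    (b"FWS", "swf"),
    (b"CWS", "swf"),
    (b"ZWS", "swf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
)

# Image formats the site is willing to serve, and the extensions they may use.
_ALLOWED: dict[str, frozenset[str]] = {
    "png": frozenset({"png"}),
    "gif": frozenset({"gif"}),
    "jpeg": frozenset({"jpg", "jpeg"}),
}


def sniff_creative(data: bytes) -> str:
    """Return 'swf', 'png', 'gif', 'jpeg' or 'unknown' from the leading bytes."""
    for magic, kind in _SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_creative(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether a creative may be served; returns (allowed, reason)."""
    kind = sniff_creative(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "swf":
        return False, f"{filename}: Flash creative rejected (header {data[:3]!r})"
    if kind not in _ALLOWED:
        return False, f"{filename}: unrecognised format rejected"
    if ext not in _ALLOWED[kind]:
        # Content and extension disagree: treat a mislabelled file as suspect.
        return False, f"{filename}: content is {kind} but extension is .{ext}"
    return True, f"{filename}: {kind} image accepted"


def review_creatives(creatives: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Run check_creative over a batch delivered by the ad provider."""
    return {name: check_creative(name, data) for name, data in creatives.items()}


# Constructed sample creatives: headers plus padding, not real ad files.
SAMPLE_CREATIVES: dict[str, bytes] = {
    "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "promo.gif": b"GIF89a" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "rich.swf": b"CWS\x0a" + b"\x00" * 16,
    "innocent.gif": b"FWS\x08" + b"\x00" * 16,    # SWF renamed to look like an image
    "mislabelled.png": b"GIF87a" + b"\x00" * 16,  # GIF content under a .png name
}

if __name__ == "__main__":
    for allowed, reason in review_creatives(SAMPLE_CREATIVES).values():
        print("ALLOW " if allowed else "REJECT", reason)
```

The check deliberately never trusts the extension or the provider's declared content type: a renamed SWF is the whole point of the attack, so the decision rests on what the bytes say. Sniffing the header does not tell you whether an SWF is malicious, which is why the policy here is to refuse the container outright rather than try to vet the ActionScript inside it.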

Additional References

Inside rogue Flash ads

Malicious advertising increasing

March from Microsoft
From The Unofficial Microsoft Weblog: No patches due in March from Microsoft

According to the March 2005 Microsoft Security Response Center Bulletin sent out today, there will be no updates released on March 8, the “Patch Tuesday” for this month. Following last month’s epic release of more than a dozen patches, this will undoubtedly be welcome news to system administrators as well as end users.

Hopefully this will become the norm rather than the exception to the rule. It looks like, with the Trustworthy Computing initiative, Sir Bill has turned the supertanker again, just like he did when it missed the rise of the internet. It looks like the turning circle has grown, though, and it doesn’t fit on a dime anymore :-) .

From “Making Windows XP Start Faster” at http://www.pcmag.com/article2/0,1759,1768883,00.asp

This post started at Microsoft WebBlogs: NNNNOOOOOoooooo….!.

Michael Howard, co-author of Writing Secure Code, posted on his weblog about a PC Magazine article that suggested you should disable a couple of services to increase performance.

Two of the services listed under “Stopping Unneeded Startup Services”:

Automatic Updates: This service enables Windows XP to check the Web automatically for updates. If you don’t want to use Automatic Updates, you can disable the service. You can always check for updates manually at the Windows Update Web site.

Windows Firewall/Internet Connection Sharing: If you do not use these features, you can disable them.

NNNNOOOOOoooooo….!

I thought that his post was simple, to the point, and I filed it into the “Who in their right mind would do that?” part of my mind. That was until I saw this today and almost fell off my chair…

Warning: The following content may offend some readers

D:\WINDOWS\ehome>doRunner.bat

D:\WINDOWS\ehome>..\Microsoft.NET\Framework\v1.0.3705\CasPol -s off
Microsoft (R) .NET Framework CasPol 1.0.3705.6018
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

Success

... do some stuff ...

D:\WINDOWS\ehome>..\Microsoft.NET\Framework\v1.0.3705\CasPol -s on
Microsoft (R) .NET Framework CasPol 1.0.3705.6018
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

Success

Please excuse me for a moment, I am going to be sick …

Who in their right mind disables Code Access Security for every .NET application on a system, just to make their own application work?

I heard somewhere that MS are considering removing Caspol.exe altogether from the Whidbey release. I would hate to see Caspol.exe disappear, as the framework configuration control panels seem to break too often for my liking, and I need to resort to Caspol.exe to make things work. However, please, please, PLEASE remove the -s off option. I am happy to live with whatever pain it causes if it stops cowboys opening up my system to the world just to make their life easier.
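An added example, not from the original post, of the audit a defender can run to catch exactly this pattern before an installer ships or lands on a build server: a Python scan over batch scripts that flags any CasPol invocation turning security off machine-wide and records whether the script ever turns it back on. The sample scripts are constructed (the first mirrors the doRunner.bat session above); the `scoped.bat` sample shows the alternative of granting trust to a single code group with `caspol -ag`, which I assume here from the standard CasPol syntax rather than from anything the post states. The function and type names are my own.

```python
"""Audit installer scripts for machine-wide disabling of .NET Code Access Security.

Added example, not from the original post. Any CasPol call that turns security
off ('-s off' or '-security off') is flagged, and the audit records whether the
script ever turns it back on: even when it does, every .NET application on the
box runs with full trust in between, and an installer that dies halfway leaves
it off for good.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    script: str
    line_no: int
    text: str
    restored: bool  # a later live '-s on' exists in the same script


# 'caspol' or 'caspol.exe', possibly with a path, followed somewhere on the
# same line by -s/-security off (or on). '-strong' does not match because the
# switch must be followed directly by whitespace.
_CASPOL_OFF = re.compile(r"caspol(?:\.exe)?\b.*?\s-s(?:ecurity)?\s+off\b", re.IGNORECASE)
_CASPOL_ON = re.compile(r"caspol(?:\.exe)?\b.*?\s-s(?:ecurity)?\s+on\b", re.IGNORECASE)


def _is_batch_comment(line: str) -> bool:
    """True for 'rem ...' and ':: ...' lines, which cmd.exe never executes."""
    stripped = line.lstrip().lower()
    return stripped.startswith("::") or stripped == "rem" or stripped.startswith("rem ")


def audit_script(name: str, content: str) -> list[Finding]:
    """Return one Finding per live line that switches CAS off machine-wide."""
    lines = content.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        if _is_batch_comment(line) or not _CASPOL_OFF.search(line):
            continue
        later = lines[idx + 1:]
        restored = any(
            _CASPOL_ON.search(later_line) and not _is_batch_comment(later_line)
            for later_line in later
        )
        findings.append(Finding(name, idx + 1, line.strip(), restored))
    return findings


def audit_scripts(scripts: dict[str, str]) -> dict[str, list[Finding]]:
    """Audit a set of scripts, keeping only those with findings."""
    report = {name: audit_script(name, body) for name, body in scripts.items()}
    return {name: found for name, found in report.items() if found}


# Constructed sample scripts; the first mirrors the doRunner.bat session above.
SAMPLE_SCRIPTS: dict[str, str] = {
    "doRunner.bat": "\n".join([
        "@echo off",
        r"..\Microsoft.NET\Framework\v1.0.3705\CasPol -s off",
        "rem ... do some stuff ...",
        r"..\Microsoft.NET\Framework\v1.0.3705\CasPol -s on",
    ]),
    # Turns security off and never restores it.
    "abandon.bat": "caspol.exe -security off\nsetup.exe /silent",
    # Scoped alternative (assumed standard CasPol syntax): full trust for one
    # code group under the machine policy only, security left on everywhere.
    "scoped.bat": r'caspol -m -q -ag 1 -url "file://D:/MyApp/*" FullTrust -n MyAppGroup',
    # Commented-out calls are not executed and must not be reported.
    "commented.bat": "rem caspol -s off\n:: caspol -security off",
}

if __name__ == "__main__":
    for found in audit_scripts(SAMPLE_SCRIPTS).values():
        for f in found:
            state = "restored later" if f.restored else "NEVER restored"
            print(f"{f.script}:{f.line_no}: {f.text}  [{state}]")
```

The `restored` flag is reported rather than used to suppress the finding on purpose: a script that switches security back on still deserves the same objection the post makes, because nothing guarantees the second CasPol call is ever reached.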

Via Robert Hensing’s Incident Response Weblog…

Secunia.com has some statistics that show a stark contrast between Red Hat ES 3.0 and Windows Server 2003. Red Hat comes in with 136 advisories and W2K3 comes in with 44 advisories. But here’s the kicker: the Windows numbers cover a period that is 18 months longer than Red Hat’s. On a per-month average, Red Hat tips the scales with 34 advisories per month compared to 2 per month for W2K3!!!

So it looks like anyone who is serious about security (and that should be everyone) should take a leaf out of Microsoft’s book and adopt their own version of the Trustworthy Computing initiative.

I also think this finally disproves the theory that an open source project will be more secure simply because its source code is available for scrutiny.

From the Microsoft press release:

“Based on technology acquired from GIANT Company Software Inc. in December 2004, the beta release of Windows AntiSpyware will help reduce negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings and unauthorized use of private information. It is available for Microsoft Windows 2000 and later versions.”

You can download the beta here.

If you are serious about running with least privilege, then Aaron Margosis’ weblog is the place to visit.