Lexis-Nexis hacked through spam

Spam: WashPost: Computers Seized in Data-Theft Probe:

According to an account provided by the teenaged member of the hacker group — and confirmed by the law enforcement source who insisted on anonymity — the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers … sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus (sic) that allowed the group’s members to record anything a recipient typed on his or her computer keyboard.

According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc. …

The young hacker said the group members then created a series of sub-accounts using the police department’s name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California.

Bad Blogger.com Security Model

Security: Hey user auth systems! If you’re going to require me to sign in, and publish my login as a signature to prove that I’m ‘me’, please do me a favour — don’t delete the account if it’s been ‘inactive’, and allow anyone to re-register that name without my knowledge!

I just tried to leave a comment on a Blogger.com weblog, to find that my user account at Blogger had been deleted. Re-creating a new account with the same name wasn’t a problem – the previous account data had been simply deleted outright. (Presumably they don’t do this to people with a Blogger.com weblog — I hope.)

The risks of this are pretty clear; given that I’d already established an identity (at least in comments on certain Blogger weblogs) as ‘justinmason23’, if an attacker were to have re-registered that identity before I did, they could impersonate me.
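To make the design point concrete, here is an added example (my own illustration, not Blogger’s code) of a tiny account registry that can be run either way: deleted names go straight back into the free pool, as described above, or they are tombstoned so that only the original owner can reclaim them. The owner identifiers and the in-memory store are assumptions; a real system would persist the tombstones alongside the account data.

```python
"""Username reuse after account deletion: the weak model beside a hardened one.

Added example; not Blogger's code. Owner identifiers are constructed.
"""
from dataclasses import dataclass, field


class NameTakenError(Exception):
    pass


@dataclass
class Account:
    name: str
    owner: str


@dataclass
class AccountRegistry:
    # True  : a deleted name is immediately free for anyone (the behaviour described above)
    # False : a deleted name is tombstoned; only the original owner may reclaim it
    allow_reuse_after_delete: bool
    _live: dict = field(default_factory=dict)        # folded name -> Account
    _tombstones: dict = field(default_factory=dict)  # folded name -> original owner

    def register(self, name, owner):
        key = name.lower()  # case-fold so 'JustinMason23' cannot shadow 'justinmason23'
        if key in self._live:
            raise NameTakenError(name)
        if key in self._tombstones and self._tombstones[key] != owner \
                and not self.allow_reuse_after_delete:
            raise NameTakenError(name)
        self._tombstones.pop(key, None)
        self._live[key] = Account(name, owner)
        return self._live[key]

    def delete_inactive(self, name):
        """What the 'inactive account' sweep does: drop the live record, keep a tombstone."""
        key = name.lower()
        acct = self._live.pop(key)
        self._tombstones[key] = acct.owner

    def owner_of(self, name):
        acct = self._live.get(name.lower())
        return acct.owner if acct else None


def impersonation_possible(allow_reuse):
    """Replay the scenario: owner registers, account expires, a stranger re-registers."""
    reg = AccountRegistry(allow_reuse_after_delete=allow_reuse)
    reg.register("justinmason23", owner="jm@example.invalid")        # constructed owner
    reg.delete_inactive("justinmason23")
    try:
        reg.register("justinmason23", owner="attacker@example.invalid")
    except NameTakenError:
        return False
    return reg.owner_of("justinmason23") == "attacker@example.invalid"


def original_owner_can_reclaim():
    """The tombstone must not lock the real owner out of their own name."""
    reg = AccountRegistry(allow_reuse_after_delete=False)
    reg.register("justinmason23", owner="jm@example.invalid")
    reg.delete_inactive("justinmason23")
    reg.register("justinmason23", owner="jm@example.invalid")
    return reg.owner_of("justinmason23") == "jm@example.invalid"
```

The point of the tombstone is that the name stays bound to the identity that earned it; if the service must eventually recycle names, it should at least hold them for a long period and never silently hand a name that has appeared as a signature to a new owner.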

Open source v closed-source spam filtering

Spam: I’m quoted in New Scientist! w00t!

SlashDot picked it up pretty quickly. One comment there misses the point, though:

This is interesting and promising technology. But like all antispam techniques, spammers will find a way around it. Once spammers get a copy of the software, they can create and test countermeasures in the comfort of their own sleazy lairs.

It’s worth talking about this. Newsflash: spammers have no difficulty testing their spam against closed-source spam filters, even when they can’t ‘get a copy’ and test them in ‘their sleazy lairs’.

How do they do it? Easy — just set up an account at a site that uses that filter (for AOL, Yahoo!, Hotmail and GMail it’s obvious how to do that; for other closed-source filters, find an ISP that uses it). Then send ‘test mails’ repeatedly to that account, and use trial and error to see what gets past the filter and what doesn’t. Eventually they figure out what works for that filter and what doesn’t, without ever seeing a line of its code.

How did I figure this out? Well, I came across the manual for the Send-Safe ratware on-line. It noted that the ‘hashbuster’ randomisation technique, which we in the SpamAssassin team had long assumed was intended to block hash matches by DCC, Pyzor and Razor, was in fact intended to block AOL’s implementation of that system. The open source ones weren’t even mentioned.

Update: found it — from their FAQ:

Mime Encoded content

If you want to get into AOL… use it.

MIME encoders allow you to send documents written within a specific application through email without causing readability or formatting problems. For example, you can send a letter created in MSWord and be certain that it arrives at its destination in the same format by encoding it with MIME first. The recipient then decodes it back into the original MSWord format.

That isn’t why we use it though.

We use it to cause ‘uniqueness’.

When you put a rotate tag at the beginning of a MIME encoded email, it causes everything after that point (including checksums) to be ‘different’ in every message.

Why is that important?

Because it throws off filters that look for many copies of the same message to nuke.

E-Voting shenanigans in Riverside

E-Voting: Paul Krugman: Fear of Fraud:

It’s election night, and early returns suggest trouble for the incumbent. Then, mysteriously, the vote count stops and observers from the challenger’s campaign see employees of a voting-machine company, one wearing a badge that identifies him as a county official, typing instructions at computers with access to the vote-tabulating software.

When the count resumes, the incumbent pulls ahead. The challenger demands an investigation. But there are no ballots to recount, and election officials allied with the incumbent refuse to release data that could shed light on whether there was tampering with the electronic records.

This isn’t a paranoid fantasy. It’s a true account of a recent election in Riverside County, Calif., reported by Andrew Gumbel of the British newspaper The Independent.

Here is Gumbel’s account. It’s quite simply crazy:

On March 4, Floyd and Cassel saw the second Sequoia employee, Eddie Campbell, return to the registrar’s office and watched him pop into his pocket what looked like a PCMCIA card similar to those used to store votes on individual touchscreen machines. The Sequoia AVC Edge machines do not make a paper record of individual votes, and any record of total votes for a potential recount — vital in a race separated only by 45 votes — would only be stored on that kind of card.

Floyd shouted out: ‘Where are you going with that?’ But he received no answer.

Incredible.

A 419er Caught in Dublin

Spam: Don’t miss this account of the capture of a 419 scammer in mid-spam. Nice work, Steffen! (PS: I don’t think eating a USB memory stick would do any good ;)

Booting Linux

Linux: so it seems one of the GNOME guys wants to rewrite the rc.d boot script system in Python. Eek!

Games: Someone has broken into Valve Software’s network and stolen the source code for Half-Life 2 — shacknews:

1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
3) For the next week, there appears to have been suspicious activity on my webmail account.
4) Around 9/19 someone made a copy of the HL-2 source tree.
5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook’s preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn’t been seen anywhere else, and isn’t detected by normal virus scanning tools).

Insanely bad news for Valve. :(

Spammers Now Relaying via SMTP AUTH

Spam: A nasty new development — spammers are now relaying through closed relays by brute-forcing their SMTP AUTH interfaces. SMTP AUTH (RFC 2554) is the extension that lets a server relay mail for users who authenticate first, so a guessed username/password pair turns a correctly closed relay into an open one for whoever holds the guess. (Sample documentation here.)

This ROKSO file indicates one spammer’s modus operandi:

These relays were abused using SMTP AUTH. That is, the spammer supplied a valid username/password pair to the server, was authenticated, and therefore granted permission to send mail anywhere. Such attacks are therefore successful only when weak passwords are used. This spamhaus constantly scans the net to find abusable servers to use in subsequent spam runs. All brands of servers (sendmail, exchange, mdaemon, rockcliffe, etc) are equally targeted, as long as they support SMTP AUTH. The attacker tries several username/password pairs - such as with ‘admin/admin’ - following a certain pattern and hoping to find a combination that lets him in.

An analysis done in July 2003 has shown that a total of 276 combinations are attempted (of course new ones can have been added in the meanwhile): Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc each with the following passwords: username, username12, username123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&* as well as with a blank password.

MDaemon users beware! The account creation tool of recent versions of MDaemon defaults the password to the account name. If the default is accepted, the account will be open to be exploited by this spamhaus.

Incredible. There’s no way at the SMTP/IP level to tell that this relay was compromised; blacklisting will definitely cause collateral damage in response; so content analysis is pretty much necessary, as far as I can see.
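Two things a mail admin can do with that ROKSO record, as an added example (my own, not Spamhaus’s or any vendor’s code): rebuild the 276-pair dictionary and audit local accounts against it (catching, for instance, the MDaemon username-as-password default), and watch the mail log for the pattern the brute-forcer leaves, one client cycling through many usernames with repeated failures, followed by a success. The log format below is a constructed, simplified one with a `user=` field; real SASL/Postfix/Exchange lines differ, so the regex is the part to adapt.

```python
"""SMTP AUTH dictionary audit and brute-force detection.

Added example. The log lines are constructed in a simplified format.
"""
import re
from collections import defaultdict

USERNAMES = ["webmaster", "admin", "root", "test", "master", "web", "www",
             "administrator", "backup", "server", "data", "abc"]
# '{u}' stands for the username itself; '' is the blank password.
PASSWORD_PATTERNS = ["{u}", "{u}12", "{u}123", "1", "111", "123", "1234", "12345",
                     "123456", "1234567", "12345678", "654321", "54321", "00000000",
                     "88888888", "admin", "root", "pass", "passwd", "password", "super",
                     "!@#$%^&*", ""]


def dictionary():
    """The 12 x 23 = 276 username/password pairs from the ROKSO record."""
    return [(u, p.format(u=u)) for u in USERNAMES for p in PASSWORD_PATTERNS]


def audit(accounts):
    """accounts: {username: password} as known to the admin (e.g. from a test
    store). Returns the accounts the dictionary would open. Against a hashed
    store, feed the same pairs through the server's own AUTH instead."""
    hits = set(dictionary())
    return sorted(u for u, p in accounts.items() if (u, p) in hits)


# Simplified log line: "<Mon> <DD> <HH:MM:SS> <client-ip> AUTH user=<name> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) (?P<ip>[\d.]+) AUTH user=(?P<user>\S*) "
                    r"result=(?P<res>OK|FAIL)$")


def detect(log_text, min_failures=10, min_users=3):
    """Returns (clients to block, (client, user) pairs that succeeded after
    earlier failures from the same client, i.e. the account that fell)."""
    fails = defaultdict(int)
    users = defaultdict(set)
    success_after_fail = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, res = m["ip"], m["user"], m["res"]
        if res == "FAIL":
            fails[ip] += 1
            users[ip].add(user)
        elif fails[ip]:
            success_after_fail.add((ip, user))
    flagged = {ip for ip in fails if fails[ip] >= min_failures and len(users[ip]) >= min_users}
    return flagged, success_after_fail


def sample_log():
    """Constructed log: one client walking the dictionary (the first pair for
    each username, then a hit on test/test) and a legitimate user who typos once."""
    attacker, legit = "198.51.100.7", "203.0.113.5"   # documentation-range addresses
    lines = []
    for i, (u, _p) in enumerate(dictionary()[::23]):
        lines.append(f"Jul 12 03:14:{i:02d} {attacker} AUTH user={u} result=FAIL")
    lines.append(f"Jul 12 03:14:20 {attacker} AUTH user=test result=OK")
    lines.append(f"Jul 12 03:15:00 {legit} AUTH user=alice result=FAIL")
    lines.append(f"Jul 12 03:15:05 {legit} AUTH user=alice result=OK")
    return "\n".join(lines)
```

The detector keys on breadth (many distinct usernames from one client) rather than raw failure count, which is what separates this from a single user mistyping a password; the success-after-failures pair is the one to act on first, since that account is already sending for the spammer.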

And in another worrying development: it turns out that the latest Outlook worm, W32.Swen, doesn’t bother trying to randomly generate usernames etc. or send via SMTP directly. Instead, it asks the user for their username, password and SMTP server!

Red Bull

Red Bull was made in Thailand — I never realised it went from Thailand to Europe instead of vice-versa. (link via the great 2bangkok.)

Also, via Ben — an amazing account of what recovering your vision feels like after 43 years of blindness…

Spam and Secondary MXes

So for the past few weeks, I’ve been getting a lot less spam – like about 1/3 to 1/4 of the normal volume — to my jmason.org account.

I didn’t have a clue why; occasionally I mused that some spam gangs must have figured out that I needed all that spam to develop SpamAssassin, and cutting down on my volume would mean that I’d have to schlep stuff out of the spamtraps (which is a bit of a chore), so they’d unsubscribed me to cause some minor hassle ;)

In reality, what had happened was that my old secondary MX — which was secondarying for me because nobody had gotten around to updating it — had finally been updated, and was no longer accepting mail for jmason.org. So I had only one MX, and the erstwhile backup was bouncing anything it saw, immediately.

Lots of spamtools send spam via the secondary MX — not sure why; we think they work on the assumption that secondaries are less likely to have effective filters.

So basically a good 2/3 to 3/4 of my spam was being sent to a machine that immediately bounced it ;)

The upshot: if you get a lot of spam, and don’t really care if you might occasionally lose real mail if your primary MXes are down, you could always set up a ‘fake’ secondary MX record. The spamtools will happily attempt to send spam to you via that machine (which may not even exist), and then give up after the first bounce – missing you entirely.

Big caveat: I wouldn’t suggest this for situations where your mail delivery needs to be reliable, though. Primary MXes do go down occasionally ;)

Jon Johansen’s trial begins

more geek politics: A first-hand account of Day One of the Johansen trial in Norway, from Politech. I really hope this goes well.

“I spiked Ted Heath’s dinner”. “At a meeting in 1970, ad man Jeremy Scott sprinkled speed on the Tory leader’s canapes. His firm went on to win the party’s account, and Heath won the election.” … “I was really just trying to cheer everyone up,” he adds sheepishly. “The quantities I used were minute.”
