I’ve replaced bare email addresses on web page with either an encoded variation of the email or with a contact form to discourage spam scrapers and other automated tools from using it for a spam magnet. Well, it seems there are some tools that automatically submit forms – after all that’s what’s brought us the annoying captcha’s we see everywhere now. (You now those pictures with squiggly letters and numbers that you sometimes have to redo two or three times if you can’t read it correctly.) Well, Sans is talking about some interesting alternatives to the traditional captcha for protecting a form from automated spam bots.
Category: Security
-
Good idea to help limit phishing attacks
I saw this a few weeks back and think it’s a good idea. Essentially why don’t we have a .bank domain registration and limit it to just financial institutions the way .gov is limited to government registrations. (and .mil for military, .edu for educational institutions…..) Let’s face it, anyone can register a .com .net or .org – maybe instead of increasing the number of Top level domains that ANYONE can register in, maybe we need to tighten the restrictions and add a few new TLD’s that would be more closely restricted. There’s already a .museum, .bank would be a good one next.
-
Major botnet building and the massive jump in spam
For a few months now (since the demise of bluefrog actually) I’ve noticed that the level of junk mail has gone up on my own mail server. Yes, I use spamassassin to filter and tag, but the volume of stuff that’s tagged has gone up (as well as the volume that slips through.) I’ve had to flush out the bayes filter more than I would like after some massive bayes poisoning attempts (those messages with lots of random words or text.) I’ve also been following news on the topic and thought I’d detail some of it here for those that haven’t been paying attention.
-
Wireless exploits coming to Metasploit 3…
and the script kiddies rejoiced… It reads as though Metasploit 3 will make it easier than ever for script kiddies everywhere to take full advantage of the local wireless hotspots. Of course, metasploit has it’s good uses by people legitimately testing systems that they are responsible for, for vulnerabilities. But, it does make it very easy for the less skilled to pull off some exploits.
-
Watching out for MORE fake video codecs
sunbelt blog has yet MORE fake codec sites to watch out for. All are bad and should be AVOIDED… details after the jump….
-
Internet Explorer 7 final release – AND first vulnerability…
Looks as though IE 7 release is imminent and will be in automatic updates on November 1st. Here’s one persons take on the user interface “improvements”. Now, there are many improvements in core functionality, but I’m annoyed by the user interface changes. I have spent quite a while with people getting use to the way the interface for windows programs have been for the last 10 years, now I feel like many of them will take another 5-8 years to get used to a NEW way to expect programs to be laid out….
-
Massive Oracle quarterly patches
If Microsoft patched 101 flaws in one release it would make big headlines – so this deserves some headlines too…. more coverage at incidents.org
-
Would you like spyware with that? Apple too….
These stories come up from time to time. A free giveaway of some sort and it turns out that there’s spyware or a virus embedded, company gives a big “whoops” and fixes things by replacing them…. McDonalds had a promotion going where up to 10,000 people could win a flash based mp3 player they also received a trojan horse preinstalled…. They’ve apologized and are swapping the infected players and giving information on how to clean up a pc with the keylogger. According to f-secure it was infected with the QQPass password-stealing trojan. Just imagine how things would have turned out if the Greeks had looked that gift horse from the trojans in the mouth first…..
-
*Nix Nvidia binary root exploit
There appears to be a working root exploit against the binary NVidia driver for *nix based systems. It’s reported at kerneltrap.org It was resolved a few weeks back by the release of version 1.0-9625 of the Nvidia binary graphic driver. Linux has been primarily mentioned in these stories, but likely other Unixes (Unices)? are affected as well. (Since it seems to be the binary driver from Nvidia at fault.)
-
Exploit Thursday – this months winner – Powerpoint
The SecurityFix reminds us of what usually comes close behind Patch Tuesday…. exploit Wednesday or Thursday and this month, the exploits seemed to start coming out Thursday. There’s a new Powerpoint exploit starting to make the rounds right on the heels of Patch day. The main goal is likely to get the most mileage out of the exploit before the NEXT patch Tuesday. Microsoft is reported to be investigating the reports of this vulnerability.