The Antivirus Bug

Antivirus for your Wordpress blog

2009-06-16T18:46:02Z

Do you got Wordpress as blogging or CMS (Content Management System) as we do and would like to be sure that your installation is secure?

Wordpress itself is extremely safe and not like for example phpBB full of security holes that can be exploited by hackers, but sometimes even the sun got “spots”. Since Wordpress is so popular and used on so many blogs hackers tend to abuse vulnerabilities as soon as they are known. Therefore it’s good to add a layer of extra security with a nice plugin called simply just AntiVirus.

This plugin is easy to use, just upload to your server activate and start scanning for security issues . Their web site says it all:

AntiVirus for WordPress monitors malicious injections and warns you of any possible attacks.

You can set the plugin to do daily scans of your blog to see if you got any issues you need to correct.

More information on this plugin can be found at their web site wpantivirus.com. There you can also download the plugin.

Antivirus for your Wordpress blog

Gumblar attacks Google users

2009-05-23T08:30:56Z

The virus attacks the computers by older versions of Adobe Reader and Adobe Flash. When a computer has been infected the Google search engine is then affected, whose results quietly redirects to sites that then steal information from your own computer. The aim is to obtain information, for example bank accounts and credit card numbers.

Gumblar can get into your computer through web sites without the owner noticing.

Although the virus has been known for a while, its activity increased during the past week. It was identified first with a URL in China, but has developed a new technology to evade detection. The updated version also attack more effectively Google users to circumvent Google’s black list of suspected sites.

When Gumblar became publicly known last week was about 800 sites affected. This week, reports security company Scan Safe to over 3 000 sites are affected, writes PC for all.

One way to protect yourself is to have the latest versions of Adobe Flash, Adobe Reader and Windows Update.

Gumblar attacks Google users

How to secure your IIS server

2009-05-20T20:33:16Z

Microsoft confirmed yesterday that there is a bug in the company’s web server IIS 6. According to the Microsoft security risk is minimal since it requires that the server is configured in a special way for the security hole to be exploited.

In a security bulletin that Microsoft released yesterday shows examples of the type of configuration that is at risk. The company is working on developing an update that plugs the security hole. The problem affects version 5, 5.1 and 6.0 of IIS. IIS 7 and later are not affected.

According to Eric Schultze at Shavlik security company so they can using any of the affected versions are easy to fix the safety problem itself by install two freeware available to download from Microsoft. The two programs are the IIS Lock Down Tool and the URLScan Tool.

How to secure your IIS server

Swine Flue spam

2009-05-02T09:02:24Z

As always spammers take advatage of big events to make people interested in the emails they get. And as alwasy spammers have already started sending out fake emails about the Swine Flue.

McAfee is reporting about spam emails trying to use Swine Flue to sell pills. If you follow the links in any of the emails mentioned you end up at web sites trying to infect your computer with maleware, so you really shouldn’t trust any such emails.

The spam emails Trend Micro is reporting about only contains information about the Swine Flue in the subject line, in the rest of the spam email the reader gets information about penis enlagrement pills. I’m not exactly sure about the connection between flue and the size of your penis, but I’m pretty sure they have nothing to do with each other

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website instead of trying to follow links in emails from unknown people.

Swine Flue spam

Do not use Adobe Reader

2009-04-23T19:09:56Z

Finnish F-Secure is recommending people to stop using Adobe Reader due to
all security vulnerability in that software lately.

This year over 47% of all direct attacks have been using security problems
in Adobes softwares according to Mikko Hyppönen from F-Secure. His advice
is to completely stop using Adobe Reader and instead switch to some other
reader. There are plenty of free PDF readers at www.pdfreaders.org, a
website listing free PDF readers. If everyone is using different PDF
readers it’s much more difficult to do direct attacks against security
vulnerabilities in just one of the readers.

Last month Adobe secured a vulnerability that had been used by attackers
for several months, and Hyppönen is saying that Adobe must increase their
focus on security issues.

Do not use Adobe Reader

PayPal fake emails

2009-04-22T18:48:05Z

The lesson learned from this blog post is to never send any information about your identity without first checking the identity of the company/person requesting the information. I got this email in my inbox earlier today and someone with my ID card, a copy of one of my utility bills and a copy of my credit debit card can easily steal my identity to commit fraud of various kinds. The scammers can for example open a bank account in my name and use it to transfer drug money. If the autorities find out I will get the blame since it’s my name on the account.

It’s also possible to use this information to empty your credit/debit card completely. If you have a card with high limits or maybe even no limits at all you could end up really poor. You may argue that you will get the money back from the bank, but still even if you would you would end up in problems. In worst case the bank could refuse to pay you back since you handed over the information of your own free will

This is what the scam email looked like. I have removed some information to make it more neutral.

Dear [my full name] ,

PayPal Resolution Center: Your account is limited.

Why is my account access limited?

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue
regarding your account:

Our system detected unusual number of invalid logging attempts on your account from these blacklist ip address.

(Your case ID for this reason is PP-XXXXXXX)

How can I restore my account access?

For your protection, we have temporary suspended access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. In order to assist us with this security measure, we ask that you send us a photocopy or scan of one document from each of the three categories listed below and return them via email to security@paypalcompany.com :

- A clear copy of your Passport, Photographic Drivers License or I.D. Card (both sides).

- A clear copy of both sides of the credit/debit card on your paypal profile.

- A clear copy of a recent bank statement or utility bill on which your name and address ( [my correct address]
) are clearly visible and less than 3 months old.

Completing all of the checklist items we will manually restore your account access.

Thank you for using PayPal!
The PayPal Security Department

——————————
——-

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP-XXXXXXX.

Luckily the domain used in this email has already been blocked in Firefox as a fake web site so you can’t access it by accident.
So the lesson learned in this case is that you always have to do some background checks before you send away any documents to anyone!

PayPal fake emails

Extremely critical vulnerability in Office

2009-04-06T18:34:51Z

Security companies have found a new and extremely critical vulnerability in Power Point in Microsofts Office suite. The vulnerability allows attackers to take control over the operating system and control computers remotely using special code inside a Power Point presentation. The security company Securia is ranking this as “extremely critical” and Microsoft is reporting that hackers have already been using this to take control over victims computers.

If you have any of the following you should be careful opening Power Point presentations: Office 2000 SP3, Office XP SP3, Office 2003 SP3 or Office 2004 for Mac. It’s highly likely that this security hole will get widely spread since there’s no bug fix for it yet, Easter is soon here with alot of funny Easter Power Point presentations sent between co-workers and friends, and this is not only affecting Windows but also Mac users should be careful this time.

Office 2007 is not affected luckily.

Extremely critical vulnerability in Office

Spotify Hacked – Change your password

2009-03-05T20:12:34Z

Yesterday I got an email from Spotify telling me to change my password since their music service had been compromised by the group behind Despotify. This is from the email they sent out:

Last week we were alerted to a group that managed to compromise
our protocols. After investigating we concluded that this group
had gained access to information that could allow testing of a
very large number of passwords, possibly finding the right one.
The information was exposed due to a bug that we discovered and
fixed on December 19th, 2008. Until last week we were unaware
that anyone had had access to our protocols to exploit it.

Along with passwords, registration information such as your email
address,birth date, gender, postal code and billing receipt
details were potentially exposed. Credit card numbers are not
stored by us and were not at risk. All payment data is handled
by a secure 3rd party provider.

From IDG.se I found out that they actually only had been able to get passwords and user information for about 40 users.

This was possible since Spotify had a security hole in their protocols so that whenever someone created a shared play list their user information like email, address, birthday and password where sent to the users client software. In the usual Spotify client this was not visible for the users, but when using Despotify’s client the group was able to collect this information.

Spotify is now asking everyone with an account from the time before 19th of December 2008 to change their passwords.

Spotify Hacked – Change your password

Keyweb’s servers are spamming forums

2009-02-03T17:31:16Z

Today I notice a weird message in one of our discussion forums. It’s a spam bot hosted by Keyweb AG in Germany trying to figure out if the discussion forum is moderated or not. The good thing is that this forum where the spam was posted in is actually moderated, so the spammers wont have much from trying to spam

To start with this post is really badly written. If you would have programmed a bot to spam, then you should at least make the message spelled a little bit better

When tracing the IP address 62.141.50.38 this message was posted from we ended up at a server in Germany hosted by Keyweb AG: ns.km14016.keymachine.de

According to the whois records Keyweb AG got a quite big IP address range starting at 62.141.48.0 and ending at 62.141.55.255. So if you have the possibility to block IP addresses in the server firewall you should block at least 62.141.50.38 since that’s the server that spammed our forum.

Keyweb’s servers are spamming forums

Akismet follow up – Graph

2009-01-29T18:58:49Z

As a follow up on yesterdays post about Akismet and how it’s not stopping spam as effective as it used to I’ve counted the spam comments we’ve received in 3 of our blogs since the 10th of October 2008. On the graph you can see 3 major “incidents” where the comment spam skyrocketed into the sky, but the biggest attack appeared in December where the total average for the month got much much higher than in for example October.

Unfortunately the trend is clear more and more spam comments are alowed by Akismet to by-pass the spam filter Another bad thing is that it’s not so hard to figure out that these spam comments are actually spam. Just look at this spam comment as an example:

uli herzner dresses
mybenefits wal mart employees
garand for sale
patricia navidad encuerada
celebrity autopsy pictures
dokhtar iran in norway photo
naruto fanfiction sakura trees
phim xxx
metesaca com
skat trak mohawks
runescape stats changer password
zenaida flava nude
pmhf lottery house 2007
bridget marquardt holly madison kendra wilkinson naked
texas nursing aide license verification
catherine roerva pelzer memoir
cercasi immobili prestigio
marshall college airplane crash
peanut jeff dunham
siti nurhaliza seksi

I removed the real links in the above post and replace it with blue text just to give you an idea . The above comment was posted in our blog at blog.xaviermedia.com on the 21st of December.

A solution to this problem is really welcome before the problem gets any worse.

Akismet follow up – Graph