Print

Welcome to Smokey's Security Forums.

Guests have only limited access to the board and it's features, please consider registering to gain full access!

Registration is free and it only takes a few moments to complete.

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Quizmaster]

How much do musicians make from online music sales?
15 April 2010, 3:59 pm

Short answer: an infinitesimally small amount.

If you have any sympathy for musicians you’ll buy their CDs from their web sites or at their performances. That’s pretty much the conclusion you’ll draw from a great attempt at quantifying musicians’ pay rates in the online music business(es) by David McCandless of InformationIsBeautiful.net.

McCandless tried to determine how many songs or CDs a musician would need to sell in various ways to make the U.S. minimum wage ($1,600 per month). It was a tough project. He wrote: “As ever, this was incredibly difficult to research. Industry figures are hard to get hold of.”

The musician’s best deal: press and sell the CDs yourself (143 per month).

Second best deal: sell them on eBay (155 per month).

Worst deal: Spotify stream (4,540,020 per month).

Obviously Spotify makes the music available globally and selling CD’s from your own web site involves much less exposure. But four million a month?

McCandless acknowledges that his numbers are crude, but they are certainly an indication of what musicians face. It’s a good data point in the debate about piracy and the efforts of the Pirate Party to give creators less and consumers more.

Also, it’s another indication of why the successful working musician’s business model has always boiled down to: “work a lot of weddings and don’t quit the day job.”

McCandless blog here: “How Much Do Music Artists Earn Online?”

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Subdomains defaced on The Telegraph website
15 April 2010, 11:58 am

The Telegraph, one of the biggest newspapers in the UK, hasn’t had a good time of it lately where their website is concerned. Vulnerabilities were found back in March involving database access, and it seems a hacking group has gone in and defaced two subdomains.

These are the two subdomains in question:

shortbreaks(dot)telegraph.co.uk

wine-and-dine(dot)telegraph.co.uk/site/index.php

They appear to have been compromised by “R.N.S. – Romanian National Security”. Here’s a screenshot, both defacements are identical:



Both pages play some music – “The Lonely Shepard”, from a .ru domain (you'll also notice a rather bizarre link to a Top Gear: Romania clip hosted on Youtube. I guess everybody loves Top Gear). I put the text into Google Translate and (of course) it isn’t perfect, but you’ll get the gist of it:

“We tried to see how some "garbage" as you try to mock his country.

Let us create a completely different picture from the real one, and calling us "Romanian Gypsies" disseminating gender issues still

If you had the nerve to angry an entire country, know that we will not stop here! Romania

Guess What, Gypsies aren't Romanians, morons.”

We’ve notified The Telegraph, and hopefully the pages will be back to normal soon.

Christopher Boyd





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Branson, MO chamber of commerce hacked, serving exploits
14 April 2010, 11:34 pm



Along the same lines of the Northwestern Bank compromise last week, the Branson Lakes Area Chamber of Commerce is also compromised, serving exploits.



(Do not visit the exploit sites below unless you know what you’re doing.)

GET-hxxp://www.bransonchamber. com

GET-hxxp://mumukafes.net/trf/index. php

GET-hxxp://333.gosdfsdjas.com/index. php

GET-hxxp://333.gosdfsdjas.com/l. php?i=1

|

|

V

Zbot config and drop:

GET-hxxp://agreement52.com/cnf/shopinf. jpg

POST-htxx://agreement52.com/shopinf/gate. php

Also, checks into server "67.231.246.218" on port 553

Serves a Zbot trojan.

Alex Eckelberry

(Thanks Adam and Francesco)







Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Faceparty password sites really want you to click on things
14 April 2010, 7:23 pm

“Faceparty is a UK based social networking site allowing users to create online profiles and interact with each other using forums and messaging facilities similar to email” - Wikipedia

Faceparty does things a little differently to other social networking sites, however. Unlike most places where you register a username and password then start telling people how your farm is doing, to join Faceparty you need to send a text message to the tune of £25 / $38(!) and then enter your one time use password onto this page (warning: quite a few swearwords, because the site is indeed down with the kids).

As you can imagine, obtaining these passwords has become a bit of an obsession for some people. Scroll down on that link, and you’ll see the following:

“facepartypassword(dot)com, got mine free today woohoo!” posted by “Chelsea Davies”, who somewhat suspiciously lists their own URL as the very same domain.

Shall we take a look?



Yes, despite the passwords costing £25, this random website will “create a profile 100% free” – and all you have to do is fill in the desired username, password and email address.

This is what you see next:



Yes, it all goes wrong very quickly. You have to click your way through no less than five advert banners, each of which will take you to websites sporting people who seem to have forgotten to put some clothes on. Remember – “If you don’t click all the banners, you WILL NOT be sent the password!”

I don’t know about you, but I’m not entirely convinced here. Once you hit the Next button (just out of shot), this appears:



As you can see, they really want you to keep clicking that Fling banner advert. And wait, only a page earlier they were saying you didn’t have to join – now you do?

Someone is probably raking in a fortune in affiliate signups / clickthroughs here. Can you guess what happens when you hit the “Get Faceparty Password” button?

Sure you can. It doesn’t involve passwords, I can tell you that much – instead, you’re redirected to a specific profile on a site called Adultwork(dot)com, which advertises the services of more people who like to take their clothes off.

A few days later, and (amazingly enough) the email address I used to jump through hoops on the Facepartypassword(dot)com site still hasn’t had a password sent through to it. When I revisited today a new page was appearing at the start of the “signup process”, too:



Yes, a £3.00 / $4.60 text message will get you your “Keycode”, or you can join Fling.

Again.

The thing that particularly caught my eye was that for a split second when visiting the site, a page will flash up before you’re taken to the first form to fill in. If we get all technical (and by technical, I mean reload the page then hit the Stop button on your browser as fast as you can) you’ll see this graphic, with two links at the bottom of the page that will send email to the site owners:



“Share the password”? “Sell your profile”?

Oh boy.

Christopher Boyd





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

VB’s RAP on VIPRE
13 April 2010, 10:10 pm

Virus Bulletin Reactive and Proactive (RAP) testing



Sunbelt Software’s VIPRE engine was among the top AV products for reactive and proactive detection in April in Virus Bulletin testing.

Virus Bulletin’s RAP Testing measures products' reactive and proactive detection abilities against the most recent malware that has emerged around the world.

The test measures products' detection rates across four distinct sets of malware samples. The first three test sets comprise malware first seen in each of the three weeks prior to product submission. These measure how quickly product developers and labs react to the steady flood of new malware emerging every day across the world. A fourth test set consists of malware samples first seen in the week after product submission. This test set is used to gauge products' ability to detect new and unknown samples proactively, using heuristic and generic techniques.

Thanks to Virus Bulletin for permission to use the graphic.

Tom Kelchner







Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Twitter Spammers get creative with rearranged spelling
13 April 2010, 8:28 pm

It seems spammers on Twitter are using some curious methods to get their message across (thanks to David Cawley for pointing me in the right direction).

Check this out:



Yes, that is vaguely peculiar. Here’s another one:



The spammers are using a system of writing that involves jumbling up the middle letters in the words, which means they’re still readable. There’st some confusion as to whether or not this “system” was developed through research at Cambridge University – this person says “yes”, while this person says “no”.

I have no idea either way, but to be honest I’m more curious as to why the spammers are doing it. I know Twitter keeps an eye out for malicious URLs and the like, but I don’t believe they determine if an account belongs to a spammer based purely on the words they use. This could be a monumental waste of time on the part of the spammers, although if nothing else it did make me sit up and take notice.

If that was the purpose of the switcharound, they’ve failed there too - rather than clicking on the XXX dating site link they’re promoting, I’ll be reporting them to the spam department. Not sure they’ll get much satisfaction from rearranging the word “Banned”…

Christopher Boyd





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Patch Tuesday is today
13 April 2010, 7:48 pm

Microsoft has issued Security Bulletins MS10-109 through 029 -- eleven bulletins addressing 25 vulnerabilities in Windows, Exchange and Office.

For further information:

http://www.microsoft.com/technet/security/current.aspx

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Sex and the (not so) Great Firewall of China
13 April 2010, 7:20 pm

Scale the wall, comrade. View the peaks of Japan

Sometimes the collective behavior of a lot of people discloses information that isn’t apparent any other way. There’s a big word for it in the social sciences, but I haven’t been able to remember it for about five years.

Chinese net users last weekend apparently discovered the Twitter handle of Japanese adult film actress Aoi Sola (@Aoi_Sola) and the information went viral. A lot of Chinese fans (15,000) signed up to follow her. Aoi Sola is very attractive and best known for her “expansive” treatment of bikini tops

There’s nothing unusual in that in this day and age.

However…

Twitter is blocked by the Great Firewall of China. A lot of the twitters were using simplified Chinese which, according to the Dongguan Times, indicated they were from mainland China. That meant a LOT of people had figured out how to defeat Internet filtering by the Chinese government.

Here’s the account from Danwei.org, a site devoted to “Chinese media, advertising, and urban life.”

“From the Dongguan Times:

“Many netizens are suspicious of the identity of Aoi Sola's fans, because on the Chinese mainland, many netizens cannot use Twitter. ‘You can't get on Twitter on the Chinese mainland, did your followers come from Hong Kong or China Taiwan?’

“Because Aoi Sola works in the AV industry, which is adult entertainment, it could cause harm to youngsters' mental and physical well-being. Therefore, whether it's Twitter or news about Aoi Sola, all information is forbidden. In order to become a follower of Aoi Sola's Twitter from the mainland, the fan must use software for ‘scaling the wall.’

“However, for the netizens who left a message on Aoi Sola's Twitter, many of those used simplified Chinese, [so] most of them were from the Chinese mainland. After Aoi Sola's Twitter account was ‘discovered,’ netizens claims that many Chinese people are learning to use software to ‘scale the wall.’”

Aoi Sola’s response to all the attention:

“Aoi Sola: I'm surprised.Receive many follow messages & RT from China now.aaaaaaaaahhh,I don't know,anyway THANK YOU!!”

Danwei.org story here: “AV actress entices Chinese netizens to go on Twitter”

And, check out Google Images: “Aoi Sola” (CAUTION: the Peoples’ Republic of China believes these photos “could cause harm to youngsters' mental and physical well-being” although the first 700 or so that we looked at showed nothing you can’t see on Clearwater Beach on a warm day.)

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Twitter will advertise. Will mal-tweets follow?
13 April 2010, 4:26 pm

Twitter cofounder Biz Stone has announced on the Twitter blog that the microblogging service will begin tweeting advertising.

“We are launching the first phase of our Promoted Tweets platform with a handful of innovative advertising partners that include Best Buy, Bravo, Red Bull, Sony Pictures, Starbucks, and Virgin America -- with more to come. Promoted Tweets are ordinary Tweets that businesses and organizations want to highlight to a wider group of users,” he wrote.

Twitter is going to need a source of income to survive, and it certainly comes as no surprise that the organization is moving into something that will “monetize” its traffic and its popularity.

We’re wondering how long it will be before the online pharmacies, botnet operators and rogue security product pushers decide to mimic Twitter’s ads for their own nefarious purposes. Like the search engine optimization techniques that have taken advantage of the big search services, there will be attempts to use the promoted tweets. And there will be countermeasures by Twitter and the rest of us in the anti-malcode world.

So when this starts, use common sense and keep alert for tricky new malicious techniques that will fit into 140 characters. Since Twitter mentioned Best Buy, Bravo, etc. in the blog, those names probably will be some of the first ones (mis)used in mal-tweets. We would expect tweets with links (probably shortened) that lead or redirect to sites selling questionable  wares or  downloading Trojans or other malware.

Twitter blog here.

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

WordPress blog pages redirected to rogue site
12 April 2010, 5:14 pm

Brian Krebs, in his “Krebs on Security” blog is reporting that a large number of Wordpress blog pages have been hacked to redirected visitors to networkads.net that downloads rogue security applications onto their machines. Also, the owners of the blogs are locked out of access.

“It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider,” Krebs wrote.

He also said that a script that downloads from the networkads.net site attempts to install a malicious ActiveX browser plugin which runs in Internet Explorer. VIPRE detects it as Trojan.Win32.Generic!BT.

A spokesperson for Network Solutions said an investigation is underway and the hack may be related to a malicious Wordpress plugin.

Krebs blog here.

Update: unsecured passwords caused WordPress blog takeovers

Network Solutions has found the vulnerability – passwords stored in plain text – that caused the issue and secured it.

Shashi Bellamkonda said on the company blog:

“As part of the resolution, we have had to change database passwords for WordPress.  Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.

“As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords.  Also review all the administrative access accounts and delete those that you do not recognize. If you feel you are still experiencing issues and need help please contact us at Listen  NetworkSolutions.com.”

Blog post here.

Expanded story at the Register: “Network Solutions mops up after mass WordPress breach”

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Wordpress blog pages redirected to rogue site
12 April 2010, 5:14 pm

Brian Krebs, in his “Krebs on Security” blog is reporting that a large number of Wordpress blog pages have been hacked to redirected visitors to networkads.net that downloads rogue security applications onto their machines. Also, the owners of the blogs are locked out of access.

“It’s not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider,” Krebs wrote.

He also said that a script that downloads from the networkads.net site attempts to install a malicious ActiveX browser plugin which runs in Internet Explorer. VIPRE detects it as Trojan.Win32.Generic!BT.

A spokesperson for Network Solutions said an investigation is underway and the hack may be related to a malicious Wordpress plugin.

Krebs blog here.

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Malware humor
12 April 2010, 3:44 pm

Every once in a while, you find some odd piece of text in a piece of malware.

Debugging the TDL 3 rootkit yields some interesting results. Here are messages that dump in the debug window at various times:

Fri Apr  9 09:02:37.495 2010 (GMT-4): You people voted for Hubert Humphrey, and you killed Jesus

Fri Apr  9 09:03:01.900 2010 (GMT-4): Ah Lou, come on man, we really like this place

Fri Apr  9 11:53:08.715 2010 (GMT-4): Dude, meet me in Montana XX00, Jesus (H. Christ)

Fri Apr  9 12:18:27.522 2010 (GMT-4): I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke

If you’re a movie or TV buff, you might recognize these:

Fear and Loathing in Las Vegas: You people voted for Hubert Humphrey, and you killed Jesus

Fight Club: — Ah Lou, come on man, we really like this place and I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke.

Brake my wfie, please: Dude, meet me in Montana XX00, Jesus (H. Christ)

Alex Eckelberry

(Thanks, Chandra)







Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Twitter: 60 percent growth outside U.S.
9 April 2010, 10:52 pm

Aiming for one billion Twitterers by 2013?

Twitter’s International Team Lead Engineer Matt Sanford has blogged on the company’s site that Twitter is seeing growth of over 60 percent in registrations outside the U.S.

After setting up a Spanish language capability in November, the microblogging service saw a huge surge in registrations in Latin America, Sanford said. Sign-ups in India also spiked early in the year after several politicians and Bollywood movie stars began Tweeting.

The service was thought to have 75 million users at the end of January (“New Data on Twitter’s Users and Engagement” ) and documents obtained from Twitter by a hacker and published in 2009 showed that the company had plans to sign up one billion users by the end of 2013.

Several sources have estimated that at the end of 2009 1.7 billion people ere using the Internet.

Twitter Blog: "Growing around the world"

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Adobe Patch Tuesday news: auto updater coming
9 April 2010, 10:02 pm

Adobe has announced that it will release an updater along with Adobe Reader and Acrobat versions 9.3.2 and 8.2.2 on patch Tuesday next week.

On the Adobe blog, Steve Gottwals wrote: “…we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way.

"During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we've incorporated several positive changes to the end-user experience and system operation. Now, we're ready for the next phase of deployment.”

Users can set an "Automatically install updates" control or not, as they wish.

Blog entry here.

Given the attention that malcode creators have lavished on Adobe products recently, an updater to go along with regular “patch Tuesday” updates will certainly help us all have a good "end-user experience."

Tom Kelchner





Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<

[Quizmaster]

Iowa bank compromised, serving exploits
9 April 2010, 9:22 pm

Northwestern Bank Online - Orange City is compromised and should not be visited until it’s clean.



Embedded in the side is a malicious iframe, as you can see in this screen shot:



(Testing the site with Wapawet doesn’t work, since it chokes on the javascript emulation. However, the iframe is malicious.)

Alex Eckelberry

(thanks Francesco)







Source: Sunbelt Blog

>> To obtain the full Sunbelt blog post, click the link in the first post line <<