July 31st, 2007 by
AndyAtHull
…. according to Ben Edelman. Yes, it’s Zango time again folks! I’ll take a back seat in this one and post a quote for you to ponder on. Just go and read the full story!
“In my hands-on testing, Zango continues numerous practices likely to confuse, deceive, or otherwise harm typical users as well as practices specifically contrary to Zango’s obligations under its November 2006 settlement with the FTC.
Among these practices are widespread, ongoing Zango-designed installation sequences which install Zango pop-up ad software without any on-screen disclosure of material terms. Instead, these installations mention Zango’s effects only in a lengthy EULA – exactly contrary to the FTC settlement’s requirements.
Zango’s ongoing practices also include prominent pop-up ads promoting sites that attempt to defraud users (e.g. by charging for software that is actually free), as well as widespread in-toolbar ads without the labeling and hyperlinks specifically required under the FTC settlement.”
… full story over at Ben Edelman’s site. Go and read the useful information he has published. Alternatively, chat about it here.
Update – Zango deny violating their FTC agreement!
Filed under: Security Related
July 30th, 2007 by
AndyAtHull
You may already know this, but a new way of tricking computer users is about, dubbed the “double-v trick”.
Our buddies over at Sunbelt reported this a few days ago:
“A group affiliated with the infamous VxGame Trojan has registered a new site called vvindowsupdate(dot)com.
It was created July 9, 2007, and so far no pages. However, the two v’s together looks like a “w”, so this is clearly an attempt to fool people into thinking it’s the real WindowsUpdate site.”
Basically, malware writers are registering domains with a double “v” so that it looks like a “w”. As in the example above, this lets them make fake Windows sites that fool people and exploit that confusion.
Paul Ferguson, who is a security expert, has reported more domains that have been registered using the above method:
“Today, I’ve been alerted to the fact that there are several additional Windows domains which have been registered where the “w”s have also been replaced with “v”s:
And these use “v”s for both “w”’s:
While some of these domains may not yet have hosts associated with them, there is certainly no good that can come of these.”
So all in all, be careful out there. If you do happen to know another site which uses a similar method, make sure you report it. Spread the word and chat about it here.
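One way to screen a list of newly seen domain names for the double-v trick, as an added example that is not part of the original post: fold lookalike letter pairs back to the letter they imitate and flag names where a watched brand appears only after folding. The watch list, the extra "rn" fold and every sample name except the defanged one quoted above are assumptions made for the example.

```python
import re

# Multi-character lookalikes folded to the letter they imitate. "vv" -> "w" is
# the trick described in the post; "rn" -> "m" is an assumed extra of the same kind.
FOLDS = (("vv", "w"), ("rn", "m"))

# Assumed watch list of brand strings to protect (not from the post),
# ordered longest first so the most specific brand is reported.
WATCHED = ("windowsupdate", "microsoft", "windows")

def refang(name):
    """Undo common defanging such as 'site(dot)com' or 'site[.]com'."""
    pattern = r"\s*[\(\[]\s*(?:dot|\.)\s*[\)\]]\s*"
    return re.sub(pattern, ".", name.strip(), flags=re.I).lower()

def fold(label):
    """Replace each lookalike sequence with the letter it imitates."""
    for fake, real in FOLDS:
        label = label.replace(fake, real)
    return label

def lookalike_of(domain):
    """Return the watched brand a domain imitates, or None.

    A hit requires that the brand appears only after folding, so the
    genuine name and unrelated names containing 'vv' are not flagged.
    """
    labels = refang(domain).rstrip(".").split(".")
    for label in labels[:-1]:            # every label except the TLD
        folded = fold(label)
        if folded == label:
            continue                     # nothing to fold, cannot be this trick
        for brand in WATCHED:
            if brand in folded and brand not in label:
                return brand
    return None

def scan(domains):
    """Map each suspicious domain to the brand it imitates."""
    return {d: b for d in domains if (b := lookalike_of(d))}

# Constructed sample input: the first entry is the defanged name quoted in the
# post, the rest are made up for this example.
SAMPLE = ["vvindowsupdate(dot)com", "windowsupdate.com", "savvy-tools.example",
          "ms-vvindovvs.example", "rnicrosoft.example", "update.vvindows.example"]

if __name__ == "__main__":
    for domain, brand in scan(SAMPLE).items():
        print(f"{domain} imitates {brand}")
```

The same folding can be run over proxy or DNS logs; names that fold to nothing on the watch list, such as the "savvy" sample, pass through untouched.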
Filed under: Security Related
July 28th, 2007 by
AndyAtHull
I hate to say this, but in a day or so I will be hopefully posting about SpyHunter and the affiliates again!
We all know about their status and what they did after I started to kick up a fuss. Yes, they followed my advice and changed all their affiliate pages to a somewhat suitable standard …
… , but …
… what I discovered is still unacceptable. Stay tuned …
Filed under: Enigma, Security Related
July 25th, 2007 by
Corrine
As reported by the FBI:
“For Immediate Release
DATE: July 23, 2007
INTERNATIONAL INVESTIGATION CONDUCTED JOINTLY BY FBI AND LAW ENFORCEMENT AUTHORITIES IN PEOPLE’S REPUBLIC OF CHINA RESULTS IN MULTIPLE ARRESTS IN CHINA AND SEIZURES OF COUNTERFEIT MICROSOFT AND SYMANTEC SOFTWARE
A joint investigation conducted by the FBI and authorities with the People’s Republic of China’s (PRC) Ministry of Public Security (MPS) has resulted in multiple arrests and the seizure of more than a half billion dollars worth of counterfeit software, announced J. Stephen Tidwell, Assistant Director in Charge of the FBI in Los Angeles, and Steven Hendershot, the FBI’s Legal Attache in Beijing, China.
The operation, codenamed “Summer Solstice,” began in 2005 and since then, law enforcement in both countries have worked closely by sharing information to jointly investigate multinational conspiracies by groups who manufacture and distribute counterfeit software products around the world. This unprecedented cooperative effort led to the arrest of twenty five individuals, the search of multiple businesses and residential locations, asset seizures by the Chinese government worth over $7 million, and the seizure of over 290,000 counterfeit software CDs and COAs (certificates of authenticity) in China. The counterfeit software has an estimated retail value of $500 million. In addition, Agents with the FBI’s Los Angeles Field Office executed 24 searches and asset seizure warrants, yielding approximately $2 million in counterfeit software products, in addition to assets seized by the U.S. government worth over $700,000.
Operation Summer Solstice encompasses multiple investigations currently being conducted by the FBI in Los Angeles and the MPS, Economic Crime Investigation Department (ECID), in which criminal organizations responsible for manufacturing and distributing counterfeit software have been identified in both Shanghai and Shenzhen; as were distributors located in the United States.”
As much as I protested WGA (Windows Genuine Advantage) being added to Windows XP, I have no objections to it being included as a part of Windows Vista. My reasoning? WGA was not part of XP when the license was purchased and the initial software caused many headaches. However, with a brand new operating system in Windows Vista, it is known that WGA is included from the start.
Complete report at Federal Bureau of Investigation.
Via Todd Bishop’s Microsoft Blog
Discuss it here with us.

Remember – “A day without laughter is a day wasted.”
May the wind sing to you and the sun rise in your heart…
Filed under: Microsoft
July 25th, 2007 by
Corrine
Microsoft announced an enhanced set of privacy principles for Live Search and online advertising data collection, use and protection. Microsoft’s intention is to
“implement new privacy features and practices as it continues to develop its online services and offer new controls that help users manage the types of communications they receive from Microsoft.”
I selected some of the key features from the announcement that caught my attention. For example, later this year, Microsoft plans to offer advertising services to third-party Web sites. Under the enhanced privacy, customers will have the ability to opt out of the behavioral ad targeting by Microsoft’s network-advertising service on those Web sites.
There will be specific policies around search query data and Microsoft will be explicit with customers about how long the company retains search terms in an identifiable way as well as informing people when and how to “anonymize” such data.
Following Google and others, Microsoft will make all Live Search query data anonymous after 18 months, unless the company receives user consent for a longer time period. According to the announcement, the policy will be both retroactive and worldwide. It will include removal of cookies and IP addresses connected with search terms.
Another important feature change is the storage of Live Search service search terms separately from account information. With so many “Live” features requiring a Hotmail/Live email address, it is reassuring that the personal data associated with that account will not be tied to other services.
See the Press Announcement for complete information. Plus discuss it here with us!
Filed under: Microsoft
July 20th, 2007 by
Corrine
Following the Mozilla Firefox browser update yesterday, Opera has released an update due to a vulnerability in BitTorrent header parsing which can be exploited by malicious people to compromise a user’s system. The vulnerability description from Secunia:
“The vulnerability is caused due to Opera using already freed memory when parsing BitTorrent headers and can lead to an invalid object pointer being dereferenced. This can be exploited to execute arbitrary code, when the user is tricked into clicking on a specially crafted BitTorrent file and then removes it via a right-click from the download pane.”
Update to Opera 9.x.
Filed under: Browsers, Security Related
July 19th, 2007 by
Corrine
Last week, a highly critical risk was reported, with proof of concept, involving registering a “firefoxurl://” URI (uniform resource identifier) handler on a computer with both IE and Firefox 2.0 (or later). This was described by Mozillazine as follows:
“When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code.”
If you read the above-referenced Mozillazine article, note the finger pointing as to whether the problem is caused by IE for passing untrusted data to another application or by Firefox for not validating input properly. Regardless of where the problem resides, Mozilla reacted quickly and included the fix in Firefox 2.0.0.5.
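The argument-splitting problem described in the quote, shown beside an escaped form, as an added example that is not code from Mozilla, Microsoft or the original post. The handler template, the sample URL and the `-extra-flag` placeholder are constructed, and `shlex` only approximates how Windows splits a command line.

```python
import shlex
from urllib.parse import quote

# Assumed handler registration: the caller substitutes the URL for %1.
HANDLER_TEMPLATE = 'firefox.exe -url "%1"'

def launch_args_naive(url):
    """Substitute the URL verbatim, with no escaping by either side."""
    return shlex.split(HANDLER_TEMPLATE.replace("%1", url))

def launch_args_escaped(url):
    """Percent-encode quotes and spaces before substituting.

    '%' stays in the safe set so existing escapes are not double-encoded.
    """
    safe_url = quote(url, safe=":/?&=#%")
    return shlex.split(HANDLER_TEMPLATE.replace("%1", safe_url))

def injected_arguments(args):
    """Return anything beyond the expected [program, '-url', url] triple."""
    return args[3:]

# Constructed input: a URL whose embedded double quote closes the quoted
# argument early, so the remainder is parsed as separate arguments.
SAMPLE_URL = 'firefoxurl://example.test/" -extra-flag "value'

if __name__ == "__main__":
    print("naive  :", launch_args_naive(SAMPLE_URL))
    print("escaped:", launch_args_escaped(SAMPLE_URL))
```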
Note: By default, Firefox automatically checks for updates. If you have changed that setting, go to Menu > Help > Check for updates.

Included in Firefox 2.0.0.5:
- MFSA 2007-25 XPCNativeWrapper pollution
- MFSA 2007-24 Unauthorized access to wyciwyg:// documents
- MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
- MFSA 2007-22 File type confusion due to %00 in name
- MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
- MFSA 2007-20 Frame spoofing while window is loading
- MFSA 2007-19 XSS using addEventListener and setTimeout
- MFSA 2007-18 Crashes with evidence of memory corruption
Filed under: Browsers, Security Related
July 18th, 2007 by
AndyAtHull
Hey guys, I have to apologise for my lack of blogging and other bloggers.
- First, we had some issues which meant site downtime.
- Secondly, I have been rather busy with other more important commitments. One of those being helping our local community after last month’s floods.
As I am part of a committee and coding the web site for this committee, my time blogging has been hit. There are important issues I certainly would like to raise and just general security news I would wish to blog about. However, this may continue to be one of my areas being hit when more bad weather is due this weekend.
On the bright side, you may see some blog articles by other bloggers we have here to keep this active. So from me, stay safe.
Filed under: Off Topic
July 15th, 2007 by
AndyAtHull
In May I reported about this Malware Protection Center which Microsoft have come up with.
On time, it is finally out of beta and in full working mode. What are your opinions about this now it’s launched? Tell us here.
Filed under: General, Microsoft, Security Related
July 15th, 2007 by
AndyAtHull
Well it had to be done in my opinion. Anyway from the events of last week we have set up a committee and a website. I coded it and I’ll hope to be heavily involved with it.
Here you go – Burstwick United
Filed under: Off Topic