Saturday, June 30, 2012

@securityguy23:

Wondering why Apple is refusing to support iCloud on their 2009 Snow Leopard version of OS X, but they have no problem allowing Vista SP2 even though it was released 3 months earlier (and is clearly not as stable/usable as any version of Mac OS X)

Monday, June 25, 2012

Wednesday, June 20, 2012

Now Heptadeca-Certified with STS - NAC Goodness. . .

From the Symantec Technical Accreditation Program on June 20th, 2012:

Christopher J. Marcinko -- Symantec Technical Specialist (STS): Symantec Network Access Control v12.1 (STS-NAC12.1)
Designation:
Symantec Technical Specialist (STS): Symantec Network Access Control v12.1

Date of Certification:
June 20, 2012

Thursday, June 14, 2012

No, the "Who View Your Profile" Facebook App is Not Real

This is just a repackaged version of an old scam.

Like all the versions that came before it, this rogue Facebook application also spreads by spamming the Friends List of every unsuspecting user who mistakenly adds the application to their profile.

Facebook does not give any third party application the ability to track such things. Instead of showing who has viewed their profile, these types of scams have historically fooled users into opening spam websites and giving up their personal info (along with whatever their friends have trusted to them via Facebook's 'privacy' settings).

Screenshot of the Facebook "Who View Your Profile" Scam

Update:
Ditto for the new "Who Views Your Profile", which looks just like its "Who View Your Profile" cousin but seems to have been released in the days after.

Wednesday, June 13, 2012

Now Hexadeca-Certified with ASC - DLP Goodness. . .

From the Symantec Authorized Symantec Consultant Program on June 13th, 2012:

Christopher J. Marcinko -- Authorized Symantec Consultant: Data Loss Prevention Specialization (ASC-DLP)
Designation:
Symantec Authorized Symantec Consultant (ASC): Data Loss Prevention Specialization (November 2010)

Date of Certification:
June 13th, 2012

No, I Do Not Have a Plethora of Facebook Notifications Waiting

Received 21+ bogus spam emails in last 5 days or so claiming that I have Facebook Notifications pending.

Each appears authentic in style (right down to the table, color, and font formatting) and appears to be coming from Facebook, complete with the subject line "You have notifications pending".

However, they are clearly another scam (as confirmed by simply logging into Facebook directly without trying to go through these emails) and are coming via very different open mail relays with links actually pointing towards different equally suspicious destinations pitching International Prescription drugs.

Delivered-To: christoperj@
Received: by 10.231.223.193 with SMTP id il1csp123415ibb;
Wed, 13 Jun 2012 05:10:32 -0700 (PDT)
Received: by 10.101.6.28 with SMTP id j28mr10086590ani.61.1339589430841;
Wed, 13 Jun 2012 05:10:30 -0700 (PDT)
Received-SPF: softfail (: best guess record for domain of transitioning registration@pronext.cz does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: by 10.157.139.1 with POP3 id r1mf4853691yen.9;
Wed, 13 Jun 2012 05:10:30 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1. ([10.10.10.10])
by mss-us12. (Dovecot) with LMTP id TgwmMquA2E/dNQAAWHoucg
for ; Wed, 13 Jun 2012 12:02:13 +0000
Received: from hosting.olnet.com.pl (hosting.olnet.com.pl [178.32.201.66])
by mx1. (Postfix) with SMTP id AE0694712B9
for ; Wed, 13 Jun 2012 12:02:12 +0000 (GMT)
Date: Wed, 13 Jun 2012 14:02:12 +0200 (CEST)
Reply-to: noreply
To: work@
From: "Facebook"
Subject: You have notifications pending
Message-Id: <18d2771b29d58d1d73e56fbc6459e84f@mail.pronext.cz>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit

facebook

Hi,
Here's some activity you have missed on Facebook.

5 friend request [5 Friend Request is a LINK that actually points to http:// bestofresources (dot) com/trace/a/b/c/d/]


Go To Facebook See All Notifications

This message was sent to work@. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe [LINK to facebook (dot) com].
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Tuesday, June 12, 2012

No, I Did Not Send You Additional Information for a Generic Support Ticket

Received 14+ bogus spam emails in last 4 days or so thanking me for providing extra information for a generic support ticket.

Each email uses a very generic appearance, with certain similarities:

Subject is usually
Ticket [#Random Number]
- or -
If You use LinkedIn [#Random Number]

Email usually starts
Thank you for your letter of [Current Date], your information arrived today.
- or -
Thank you for your letter regarding our products and services, your information arrived today.
- or -
Thank you for contacting us, your information arrived today.

Email usually ends
Sincerely, [Random Name], Support Team Manager

However, they are clearly a scam and are coming via very different open mail relays with links actually pointing towards different equally suspicious destinations.

Delivered-To: christoperj@
Received: by 10.231.176.83 with SMTP id bd19csp10833ibb;
Mon, 11 Jun 2012 19:34:29 -0700 (PDT)
Received: by 10.100.243.28 with SMTP id q28mr7673730anh.43.1339468469221;
Mon, 11 Jun 2012 19:34:29 -0700 (PDT)
Received-SPF: softfail (: best guess record for domain of transitioning ticket@nickeldeon.nl does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: by 10.236.20.174 with POP3 id p34mf4000620yhp.5;
Mon, 11 Jun 2012 19:34:29 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1.([10.10.10.10])
by mss-us12.(Dovecot) with LMTP id RFkcCkOp1k/LSwAAWHoucg
for ; Tue, 12 Jun 2012 02:28:34 +0000
Received: from server10.configcenter.info (server10.configcenter.info [87.253.162.10])
by mx1.(Postfix) with SMTP id CF8643F0084
for ; Tue, 12 Jun 2012 02:28:32 +0000 (GMT)
Date: Tue, 12 Jun 2012 04:28:33 -0700
To: me23@
From: "Support Center"

Reply-To: noreply
Subject: Ticket [#25698852]
Message-ID: <96d1e6f6f0db4782483baed103f7555c@localhost.localdomain>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit


Thank you for your letter of Jun 12, your information arrived today.
Alright, here's the link to the site:

Proceed to Site [Proceed to Site is a LINK that actually points to http:// herbalchemistsshop (dot) com]

Thank you for taking the time to contact us.
Sincerely, Jakayla Bishop, Support Team manager.

[Background graphic pulls from http:// nickeldeon (dot) nl /email_open_log_pic (dot) php?mid=38c97853035a60b8a3f72f47c3a6659b&s=a, which is a misspelled crap domain trying to appear as nickelodeon.nl while also setting both a tracking cookie and (appears to be) logging which emails are being opened (presumably to be looking for live email addresses and maybe IPs)]

HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 45
Content-Type: text/javascript
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99

P3P: policyref="http://www.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"

Set-Cookie: nickeldeon.nl=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A0%7Cglobalcookie%3A1339520478%7Cclick%3A0%7Cblocked%3A0; path=/; expires=Wed, 13-Jun-2012 17:01:18 GMT

Set-Cookie: ident=search%3A0%7Cexitpop%3A0%7Clload%3A0%7Clvisit%3A0%7Cglobalcookie%3A1339520478%7Cclick%3A0%7Cblocked%3A0%7Ctoken%3Aqqzxrvqrursvyqvv; path=/; expires=Wed, 13-Jun-2012 17:01:18 GMT

Set-Cookie: Spusr=490015ac40ff4fd775dec5b5; path=/; expires=Thu, 12-Jun-2014 17:01:18 GMT
cookie_callback('490015ac40ff4fd775dec5b5');

No, I Did Not Register Facebook Social within my Digg Profile

Received 7+ bogus spam emails in last 24 hours or so thanking me for registering Facebook Social Share within my Digg profile.

Each appears authentic in style (right down to the table, color, and font formatting) and arrives with one of two sender names:

Facebook Social
Facebook Verification

However, they are clearly fake (confirmed by simply logging into Digg directly without trying to go through these emails) and are coming via very different open mail relays with links actually pointing towards different equally suspicious (non-Digg/non-Facebook) destinations.

Delivered-To: christoperj@
Received: by 10.231.223.193 with SMTP id il1csp49169ibb;
Tue, 12 Jun 2012 06:58:48 -0700 (PDT)
Received: by 10.236.9.68 with SMTP id 44mr26767508yhs.98.1339509526068;
Tue, 12 Jun 2012 06:58:46 -0700 (PDT)
Received-SPF: softfail (: best guess record for domain of transitioning registration@rvsnonferro.nl does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: by 10.157.134.4 with POP3 id l4mf4022355yen.36;
Tue, 12 Jun 2012 06:58:45 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1. ([10.10.10.10])
by mss-us12. (Dovecot) with LMTP id R4A/ExdI109HcAAAWHoucg
for ; Tue, 12 Jun 2012 13:51:17 +0000
Received: from in.ispot.com.pl (in.ispot.com.pl [62.148.95.5])
by mx1. (Postfix) with SMTP id 225CB4716E0
for ; Tue, 12 Jun 2012 13:51:15 +0000 (GMT)
Date: Tue, 12 Jun 2012 15:51:17 +0200 (CEST)
From: "Facebook Social"
Message-Id:
Mime-Version: 1.0
Subject: Thank you for registering
To: work@
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=ISO-8859-1


Problem viewing this email? View it in your browser [LINK that points to dead Digg.com address]


Thank you for registering with us at Facebook Social.
We look forward to seeing you around the site.
Your profile has two different views reachable through clickable tabs:
View My Profile: see your profile as your network does
Edit My Profile: edit the different elements of your profile


View profile details

[View profile details is a LINK that actually points to http:// havadurumu (dot) skiciyiz (dot) biz /up/load/]


What is Facebook Social Share?

Enable Facebook social sharing,
and share your Digg experience with your Facebook friends.
Let your friends see what you're reading as you discover the best news around the web.

Click the Social button to turn this off.
Control which emails you receive from Digg [LINK that points to Digg Notification Settings]

Monday, June 11, 2012

No, (Insert Name Here) Does Not Want to be My Friend on Windows Live

Received 15+ bogus spam emails in the last 24 hours or so alerting me that random people want to be my friend on Windows Live. Each appears authentic in style (right down to the table, color, and font formatting) and arrives with one of three different subject lines:

Live.com Notification
Windows Notification
Microsoft Notification

However, they are clearly fake (confirmed by simply logging into MSN Live directly without trying to go through these emails) and are coming via very different open mail relays with links actually pointing towards different equally suspicious (non-MSN/Microsoft/Live.com) destinations.

Delivered-To: christoperj
Received: by 10.231.176.83 with SMTP id bd19csp126986ibb;
Mon, 11 Jun 2012 06:50:21 -0700 (PDT)
Received: by 10.236.185.198 with SMTP id u46mr16756178yhm.33.1339422620108;
Mon, 11 Jun 2012 06:50:20 -0700 (PDT)
Received-SPF: softfail (: best guess record for domain of transitioning mm.kerkvliet@breda.nl does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: by 10.232.25.147 with POP3 id z19mf3265585ghb.16;
Mon, 11 Jun 2012 06:50:20 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1 ([10.10.10.10])
by mss-us12 (Dovecot) with LMTP id ASyUGN711U9cMwAAWHoucg
for ; Mon, 11 Jun 2012 13:48:20 +0000
Received: from 213-128-80-22.turkrdns.com (unknown [213.128.80.22])
by mx1 (Postfix) with SMTP id 9D3AB471384
for ; Mon, 11 Jun 2012 13:48:19 +0000 (GMT)
Subject: Windows notification
From: "Windows Live"
To: me23
List-Unsubscribe: [LINK to Live.com Profile Notification Preferences]
X-HM-NotificationScenario: 68982
X-HM-SenderCID: -960321457121426397
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID:
Date: Mon, 11 Jun 2012 16:44:32 -0700

Luna Rivas wants to be your friend on Windows Live | View Invitation

[View Invitation is a LINK that actually points to http:// uwmadisoncfs (dot) org /up/load/]



Notification Preferences [LINK to Live.com Profile Notification Preferences]

SMS Notifications [LINK to Live.com Profile Options including what looks like a Session key]

Microsoft Privacy Statement [LINK to Microsoft Privacy Statement]

No, My Password is Not "Too Weak" (No Matter What Your Email Claims)

Following LinkedIn's password 'incident' last week, now seeing a disturbing uptick in my spam folder with bogus "Your password is too weak, click here to change" emails falsely claiming to be from IMDb.

Subject is usually:
Your password is too short
- or -
Your password is too week
- or -
Change your Password

Sender is usually:
Database User Protection
IMDb User Protection

All of the seven emails I've received in the last three days (so far) use the same email body and appear to point to an HTTPS IMDb destination. But they all come via very different open mail relays, with links actually pointing towards different, equally suspicious (non-IMDb) destinations.

Delivered-To: christoperj
Received: by 10.231.176.83 with SMTP id bd19csp135731ibb;
Mon, 11 Jun 2012 08:46:52 -0700 (PDT)
Received: by 10.101.166.40 with SMTP id t40mr6806941ano.5.1339429610543;
Mon, 11 Jun 2012 08:46:50 -0700 (PDT)
Received-SPF: softfail (best guess record for domain of transitioning ticket@balanceandpower.com does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: by 10.232.20.148 with POP3 id f20mf3392662ghb.12;
Mon, 11 Jun 2012 08:46:50 -0700 (PDT)
Return-Path:
Delivered-To:
Received: from mx1 ([10.10.10.10])
by mss-us12 (Dovecot) with LMTP id qG6vEvUQ1k+/FQAAWHoucg
for ; Mon, 11 Jun 2012 15:45:15 +0000
Received: from mercury.uhost.ro.124.78.195.in-addr.arpa (unknown [195.78.124.14])
by mx1 (Postfix) with SMTP id F1D124711E2
for ; Mon, 11 Jun 2012 15:45:14 +0000 (GMT)
Subject: Your password is too short
Content-Type: text/html; charset="utf-8"
To: work
From: Database User Protection
Message-Id: <20120611184515.9C5AE53B20@imdb-pro-online-1578.iad1.amazon.com>
Date: Mon, 11 Jun 2012 18:45:15 -0700 (PDT)


This is an automatic message from the Internet Movie Database (IMDb) registration system.

Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

[LINK appears to be IMDb, but actually points to http:// wildhartz (dot) com (dot) au/up/load/]

If you use this password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
[LINK to IMDb Account Registration]
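
The checks the posts above apply by hand to the Facebook, support-ticket, Digg, Windows Live and IMDb spam (an SPF softfail, a submitting relay unrelated to the claimed brand, links whose visible text and real target disagree, and a remote image fetched with a per-message query string) can be scripted. The following is an added Python example and not the blog author's code: the SAMPLE message is constructed to mirror the posted IMDb headers, with every host, IP, address and id replaced by placeholders, and the BRAND_DOMAINS table of "domains a genuine notification would come from" is an assumption of the example.

```python
"""Triage heuristics for brand-impersonation spam (added example, not the blog's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine notification from each impersonated brand would use.
# Assumed for this example; build it from your own mail-flow records.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "imdb": {"imdb.com"},
    "windows live": {"live.com", "microsoft.com"},
    "digg": {"digg.com"},
}

# Constructed message modelled on the posted IMDb headers; all values are placeholders.
SAMPLE = """\
Received-SPF: softfail (best guess record for domain of transitioning ticket@relay-a.example does not designate 10.10.10.10 as permitted sender) client-ip=10.10.10.10;
Received: from mx1 ([10.10.10.10])
    by mss-us12 (Dovecot) with LMTP id PLACEHOLDER1
    for <work@example.net>; Mon, 11 Jun 2012 15:45:15 +0000
Received: from mercury.relay-a.example (unknown [192.0.2.14])
    by mx1 (Postfix) with SMTP id PLACEHOLDER2
    for <work@example.net>; Mon, 11 Jun 2012 15:45:14 +0000 (GMT)
Subject: Your password is too short
Content-Type: text/html; charset="utf-8"
To: work@example.net
From: IMDb User Protection <ticket@relay-a.example>
Date: Mon, 11 Jun 2012 18:45:15 -0700 (PDT)

<html><body>
<p>This is an automatic message from the Internet Movie Database (IMDb) registration system.</p>
<p>Our system detected your password is too weak. Short passwords are easy to guess.</p>
<p>Please follow this link : <a href="http://landing.relay-b.example/up/load/">https://www.imdb.com/</a></p>
<img src="http://pixel.relay-c.example/email_open_log_pic.php?mid=0123456789abcdef&amp;s=a" width="1" height="1">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs and remote image URLs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two DNS labels; crude, but enough to compare a brand with a relay."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""

    # Which brand does the mail claim to be? Check display name, subject and body.
    haystack = f"{name} {msg.get('Subject', '')} {html}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in haystack), None)
    if brand is None:
        return findings  # no impersonation claim to test against
    expected = BRAND_DOMAINS[brand]

    if from_dom not in expected:
        findings.append(f"claims {brand} but From domain is {from_dom}")

    spf = str(msg.get("Received-SPF", ""))
    if re.match(r"\s*(softfail|fail|none)", spf, re.I):
        findings.append(f"SPF {spf.split('(')[0].strip()} for the envelope sender")

    # Received headers are newest first; the oldest 'from' hop is the relay that
    # handed the message to our MX, which is the host the posts compare against.
    hops = [h for h in msg.get_all("Received", []) if str(h).lower().startswith("from ")]
    if hops:
        relay = re.match(r"from\s+(\S+)", str(hops[-1])).group(1)
        if registrable(relay) not in expected:
            findings.append(f"submitted by relay {relay}")

    lc = LinkCollector()
    lc.feed(html)
    for text, href in lc.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in expected:
            findings.append(f"link shown as '{text}' points to {host}")
    for src in lc.images:
        host = urlparse(src).hostname or ""
        if "?" in src and registrable(host) not in expected:
            findings.append(f"remote image with per-message query string from {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Run against SAMPLE it reports all five signals the posts describe; run against an ordinary notification whose From domain, submitting relay and links all sit in the brand's own domain, it reports nothing. The relay check deliberately uses the oldest Received hop rather than the newest, since the newer ones are the recipient's own mail servers.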

Wednesday, June 6, 2012

@securityguy23:

Changing the LinkedIn password for safety as a file (allegedly) exposing 6.5 million+/- hashed LinkedIn passwords has been posted to a Russian webserver. Good times