"I'm Brian and so's my wife"

2004-02-24T01:26:57+00:00

I'm subscribed to a whole bunch of mailing lists, mostly as a lurker as I have a hard enough time just keeping up with some of them. One of those lists is Bugtraq, which is pretty much required reading for anyone with sysadmin responsibilities for a server connected to the public internet. Bugtraq is the central hub of the "public disclosure" security community and is actually surprisingly low traffic with only twenty or so messages a day. It's fascinating to watch the latest exploits for all manner of popular software packages tick by on an hourly basis.

Last week, someone posted to the list asking if anyone knew of a contact address for the security team at Bank of America. Today, they posted a follow-up which included the following gem:

I'd also like to thank the 0-day social engineers for their variety of approaches used to attempt to gain access to this exploit. We received responses ranging from fraudulent "Bank of America" employees to phone calls from people claiming to be from Bank of America's IT Security. (One caller claimed to be from Bank of America's IT Security but didn't know what PGP is and then said he couldn't give his PGP key due to security restrictions. And when we asked him to provide information so we could verify the contact, he said he would call back but never did. To this caller: Yes, your social engineering failed and your caller-id spoofing was almost perfect. Emphasis on "almost".)

For some reason, I'm reminded of a classic scene from Monty Python's Life of Brian.

Tags: bugtraq, security, zeroday

Nasty new IE vulnerability

2003-12-09T19:21:45+00:00

Most people reading are probably aware of the common trick whereby spammers and other assorted ne'er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site - for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them in to "resetting" their password at a site owned by the spammer but disguised as PayPal.com.

Today's new Internet Explorer vulnerability makes the problem a hundred times worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don't expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.

Tags: bugtraq, internet-explorer, microsoft, security

Simon Willison's Weblog: bugtraq

"I'm Brian and so's my wife"

Nasty new IE vulnerability