New computer virus scam targets Web site owners

There appears to be a new social engineering attack making the rounds of registered owners of Web sites that have SSL encryption certificates. I have a large number of Web sites, and so far I’ve only received emails to the technical address of sites which have SSL (security) certificates on them.

*** WARNING *** WARNING *** WARNING ***
This attack is currently live. DO NOT attempt to visit the URLs in this email if you do not know what you are doing!

The emails come from a phony From: address that is system@[thewebsitename.com]. Each email takes the form:

Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.[thenameofthewebsite.com].secure.ssl-datacontrol.com/ssl/id=712571016-[email address of registered contact]-patch257675.aspx

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

So for example if you have a Web site called “theweaselstore.com” and your email address is “headweasel@theweaselstore.com” you may receive an email claiming to be from: system@theweaselstore.com, which tells you to click a link that looks like

http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/id=712571016-headweasel@theweaselstore.com-patch257675.aspx

Needless to say, the “patch” you download from this address is a computer virus.


This is one of the most sophisticated social engineering attempts I’ve seen to date. It seems to be going after a very specific group of people: people who own secure Web sites. The email itself is custom-tailored to look as much as possible like it comes from the system operators of the Web site in question, and the payload is delivered from a hostile server with a URL that has the address of the target site owner’s Web site embedded within it.

My suspicion, though I have not taken the time to analyze the payload, is that it is a key logger, and that the virus writers are attempting to get FTP credentials for the target Web site.

Being able to hack secure Web sites would offer the hacker a treasure trove of advantages. First, secure Web sites may contain customer information, transaction records, payment histories, and credit card numbers for the site’s customers.

Second, a phony bank or eBay site placed on a secure server is more convincing, because the phony site can be accessed using “https://” and will have the browser padlock indicating that the site is secure, which may help it to fool more people.

I’ve mentioned in this post how a Web address can be designed to fool people. It does not matter what’s in the address except for the part between the http:// and the very first / character after it (the host name); so for example if you see a Web address that looks like

http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345

you are not on eBay. You can see where you are by looking at the part just before the first /, which in this case is

www.ebay.com.ws.eBayISAPI.dll.signin.ru

a site called signin.ru in Russia. The “www.ebay.com” at the front is nothing more than a subdomain label that the owner of signin.ru chose to create.

Similarly, in the URLs in these hacker emails, the key part of the URL is the host name

updates.theweaselstore.com.secure.ssl-datacontrol.com

and the rightmost part of that host, the actual registered domain, is ssl-datacontrol.com. The computer virus is being distributed from a site called “ssl-datacontrol.com”; the target site’s own name is merely embedded in front of it as a subdomain.
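The two URLs above, run through a small host-extraction check. This is an added example, not code from the post: it pulls out the host the browser will actually connect to, derives the registered domain from the host’s rightmost labels, and flags a URL whose host merely embeds a known domain name as a decoy prefix. The BRANDS list, the helper names and the extra user@host sample are assumptions added here, and the two-label registered-domain rule is a simplification (a production check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Domains we care about (assumption: a site owner's own domains plus brands
# commonly impersonated). Constructed for this example.
BRANDS = ["ebay.com", "theweaselstore.com"]

# Constructed samples: the two URLs from the post, a user@host variant (an
# added case the post does not discuss), and a genuine page on the real site.
SAMPLE_URLS = [
    "http://www.ebay.com.ws.eBayISAPI.dll.signin.ru/?SignIn&ru=12345",
    "http://updates.theweaselstore.com.secure.ssl-datacontrol.com/ssl/"
    "id=712571016-headweasel@theweaselstore.com-patch257675.aspx",
    "http://www.ebay.com@signin.ru/?SignIn",
    "https://www.theweaselstore.com/account",
]


def host_of(url):
    """Return the host the browser connects to, lowercased.

    urlsplit().hostname is the authority with any user@ prefix and port
    removed, so both the user@host trick and everything after the first
    '/' are ignored. Note that the '@' in the ssl-datacontrol URL sits in
    the path, not the authority, so it does not affect the host.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host.lower()


def registered_domain(host):
    """Rightmost two labels of the host, e.g. 'signin.ru'.

    Simplification: multi-label public suffixes such as co.uk are not
    handled; a real check would consult the Public Suffix List.
    """
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def embedded_brands(host, brands):
    """Brand domains that appear as a run of labels inside the host while
    NOT being its registered domain, i.e. 'www.ebay.com' as a decoy prefix
    of signin.ru. A brand that IS the registered domain is legitimate."""
    labels = host.split(".")
    reg = registered_domain(host)
    hits = []
    for brand in brands:
        brand_labels = brand.lower().split(".")
        n = len(brand_labels)
        if brand.lower() == reg:
            continue
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == brand_labels:
                hits.append(brand.lower())
                break
    return hits


def classify(url, brands):
    """Summarise where a URL really points and whether it looks like a decoy."""
    parts = urlsplit(url)
    host = host_of(url)
    decoys = embedded_brands(host, brands)
    # A user@host authority is suspicious on its own: the part before '@'
    # is ignored by the browser and exists only to mislead the reader.
    userinfo = parts.username is not None
    verdict = "suspicious" if (decoys or userinfo) else "ok"
    return {
        "host": host,
        "registered_domain": registered_domain(host),
        "decoys": decoys,
        "userinfo": userinfo,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u, BRANDS))
```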


ssl-datacontrol.com lives on servers belonging to an ISP called trouble-free.net, which is now a subsidiary of another ISP called interserver.net.

Trouble-free.net is an ISP I’m very familiar with. As near as I can tell, the “trouble” they are free of is meddling trouble such as legal issues, or those pesky problems you might have with having your spam or phish site shut down; they have, in my experience, a long and ignoble history of hosting viruses, spammers, pirate software sites (notorious credit card fraudster and pirate Art Schwartz has been hosted on trouble-free.net for over five years), and other criminal content.

The whois for ssl-datacontrol.com is, unsurprisingly, Russian:

whois ssl-datacontrol.com

Whois Server Version 2.0

Domain Name: SSL-DATACONTROL.COM
Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS1.CEDNS.RU
Name Server: NS2.CEDNS.RU
Status: clientTransferProhibited
Updated Date: 05-oct-2009
Creation Date: 05-oct-2009
Expiration Date: 05-oct-2010

>>> Last update of whois database: Mon, 12 Oct 2009 21:44:52 UTC <<<

Registrant ID: HEIGAAS-RU
Registrant Name: Elena V Zhuravlyova
Registrant Organization: Elena V Zhuravlyova
Registrant Street1: Orekhovyi boulevard
Registrant Street1: d.31 kv.72
Registrant City: Moscow
Registrant State: Moscow
Registrant Postal Code: 115573
Registrant Country: RU

Administrative, Technical Contact
Contact ID: HEIGAAS-RU
Contact Name: Elena V Zhuravlyova
Contact Organization: Elena V Zhuravlyova
Contact Street1: Orekhovyi boulevard
Contact Street1: d.31 kv.72
Contact City: Moscow
Contact State: Moscow
Contact Postal Code: 115573
Contact Country: RU
Contact Phone: +7 499 2678638
Contact E-mail: awoke@co5.ru
Registrar: ANO Regional Network Information Center dba RU-CENTER


So in short what we have is a very sophisticated, highly directed attack targeted at Web site owners who are using SSL security certificates on their Web sites, being conducted through emails which create a custom From address and custom attack URL for each specific victim.

The same rules apply to this as to all emails:

– DO NOT believe the From: address of an email. Ever.

– DO NOT respond to ANY security alert, question, or prompt you receive in ANY email. Ever. No matter who it appears to be from.

– Learn to read Web site URLs. DO NOT trust any part of a URL except the part immediately in front of the first slash.

40 thoughts on “New computer virus scam targets Web site owners”

  1. I’ve heard a term for something similar.

    “Whaling.”

    It’s like phishing, except you go after a small number of high-value targets. Usually, I’ve seen the targets as executives and VPs when people talk about “whaling” since they often have a lot of access but not necessarily a lot of technical ability.

    Still, I think the term applies. “Whaling.” Carefully selected valuable targets, but the same kind of phishing schemes, just more sophisticated since you’ve got a smaller target victim.

  2. This is why the tech support address for my domain goes to *me*.

    Anything claiming to be from the folks running my domain is *automatically* spam, since all [mydomain] addresses are either me or a couple of friends. The folks hosting it are friends and would be sending from their business domain address, not any address in my domain.

  3. Excellent Detail

    Our company received this attack in large numbers on Monday October 12th. Of course, before we could get it blocked and cleaned up, we had at least 1 user click and get infected. We’ll have the cleanup/reload(s) done shortly. Thanks for the details.

