05 December 2008

Welcome to the Cloud

It looks like cloud computing is going to be the next best thing!

There is a new OS called gOS (no, it is not made by Google) that boots into a stripped-down Linux distro presenting the user with a browser. Effectively, with the massive increase in online apps, users can now transfer all the processing and storage onto the "cloud" (web servers and web services on the internet). I think that we are going to see a lot more of this in future as it will reduce the cost of the end user device and increase online activity for service providers, who will benefit from increased ad revenue. I predict that this form of computing will slowly, but surely, start taking over.

03 December 2008

Facebook Blocked?!? (static.ak.fbcdn.net)

I tried to log on to Facebook today using Google Chrome and was presented with the following screen:

It would seem that static.ak.fbcdn.net is being reported as a phishing website!
This is the information for the domain fbcdn.net:

Facebook, Inc 
156 University Ave, 
3rd Floor Palo Alto, 
CA 94301 US 

Domain name: FBCDN.NET 
Administrative Contact: Admin, 
Domain domain@facebook.com 
156 University Ave, 
3rd Floor Palo Alto, 
CA 94301 US +1.6505434800 
Fax: +1.6505434800 
Technical Contact: Admin, 
Domain domain@facebook.com 
156 University Ave, 
3rd Floor Palo Alto,
CA 94301 US

It would seem as though this is a legitimate Facebook domain, but I am not able to find any info on the net as to why this domain is blocked! If anyone has any info please let me know.

02 December 2008

Vista SP2 on its way!

It seems as though Microsoft may be releasing Windows Vista Service Pack 2 in April 2009!
Check out this article:

Let's hope that they don't release it on the 1st of April :P

06 October 2008

Standard Bank Spoofed Email Malware

Please note that there are emails circulating claiming to be from Standard Bank Offshore Bank.
The URL in the email takes you to a page on the domain reprsinos.com.
The website tries to download a file "StandardCertificate2008.exe" to your computer.
Trend Micro OfficeScan picks up the malware as "Cryp_MEW-11".

Clip of the Spoofed Email:
"Attention to all Standard Bank Customers!
Some Standard Bank customers have reported experiencing disconnect or write error issues with online banking.
To address this, Standard Bank has released a 128-bit SSL update for the online banking page that eliminates this bug."

I would suggest that all admins block access to the domain reprsinos.com on their proxy servers immediately.
Screenshot of spoofed website


Some more emails have made it through:
Example Subject lines:
  • Standard Offshore Bank - Security - security of individual customer information.
  • Standard Offshore Bank - Security - We use some information to help identify
  • Standard Offshore Bank - Security - Our customer information
Example Email Body:

Attention to all Standard Bank Customers!
Some Standard Bank customers have reported experiencing disconnect or write error issues with online banking.
To address this, Standard Bank has released a 128-bit SSL update for the online banking page that eliminates this bug.

You can update your browser from our Customer Service Department>>>

More domains to Block:
  • bizcombf.com

01 October 2008

The PHP Driven World Will End in 2037!

PHP / Unix seems to have its very own Y2K bug, except it will happen in 2037. If you try to do any date/time calculations beyond 2037 with PHP it freaks out and goes back to 1 Jan 1970!

I am currently writing a bookings application and was playing with the calendar and checking out the future. All of a sudden, when I went past the year 2037, the system would jump back to 1970!

Apparently this is a known bug and is a limitation of a counter that is 32 bits long. (http://bugs.php.net/bug.php?id=7103)
Apparently 64-bit machines are not vulnerable to this.

After doing some reading it would seem that this is indeed the Unix equivalent of the Y2K bug!

So the moral of the story is that in the year 2038 you had better make sure that you have a 64-bit machine if you are running any Unix-based machines. Also make sure that time_t is 64-bit!
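To make the limit concrete, here is an added Python example (not from the post and not PHP's own code) that computes where a signed 32-bit time_t runs out and what a wrapped value looks like. The check_booking_date helper and its name are my own assumption about how a bookings form might validate a date before handing it to a 32-bit date library.

```python
import datetime as dt

# A signed 32-bit time_t counts seconds since 1970-01-01T00:00:00Z and
# tops out at 2**31 - 1; this is the "counter that is 32 bits long".
INT32_MIN = -2**31
INT32_MAX = 2**31 - 1
EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def to_epoch_seconds(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the Unix epoch for a UTC calendar date and time."""
    when = dt.datetime(year, month, day, hour, minute, second, tzinfo=dt.timezone.utc)
    return int((when - EPOCH).total_seconds())


def epoch_to_utc(seconds):
    """Inverse of to_epoch_seconds; also works for negative values, which
    datetime.fromtimestamp() may reject on some platforms."""
    return EPOCH + dt.timedelta(seconds=seconds)


def fits_int32(seconds):
    """True if a 32-bit time_t can hold this many seconds."""
    return INT32_MIN <= seconds <= INT32_MAX


def wrap_int32(seconds):
    """What a 32-bit two's-complement counter actually stores when it is
    handed a value outside its range (the 2038 rollover)."""
    return ((seconds - INT32_MIN) % 2**32) + INT32_MIN


def last_safe_utc():
    """The final instant a 32-bit time_t can represent."""
    return epoch_to_utc(INT32_MAX)


def check_booking_date(year, month, day):
    """Hypothetical validation for a bookings form: accept the date only if
    every second of that day fits a 32-bit time_t, otherwise explain why."""
    end_of_day = to_epoch_seconds(year, month, day, 23, 59, 59)
    if fits_int32(end_of_day):
        return (True, "ok")
    wrapped = epoch_to_utc(wrap_int32(end_of_day))
    return (False, f"{year}-{month:02d}-{day:02d} overflows a 32-bit time_t; "
                   f"a 32-bit counter would store it as {wrapped:%Y-%m-%d %H:%M:%S} UTC")


if __name__ == "__main__":
    print("last safe instant:", last_safe_utc().isoformat())
    print(check_booking_date(2037, 12, 31))
    print(check_booking_date(2038, 6, 1))
```

Running it shows the last representable instant is 19 January 2038 at 03:14:07 UTC, and that one second later the counter wraps to December 1901 rather than simply stopping; a library that refuses the value instead (as the post's calendar did) ends up showing the 1970 epoch.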

Delivery Reciept SPAM

It has recently been found that spammers are using the delivery receipt functionality of most mail clients to find valid email accounts.
It is recommended that you switch off this feature to prevent your email account from sending a response back to the spammers letting them know that your email address is valid.

03 September 2008

Some Google Chrome Features

I have been playing with Google Chrome today and found some useful features that others may enjoy:

Application Shortcuts
This allows you to place shortcuts on your computer that link you to web applications such as Gmail or Facebook. The cool thing about this is that it opens up the application in its own window without all the browser controls etc. This allows you to view more of the application as the screen real-estate is not taken up by the other browser controls.

Incognito Window
The incognito window feature is pretty cool. It allows you to open a "special window" that will not "remember" any information about where you went or what you did, i.e. cookies, URLs and sessions will not be stored in your history or browser cache. This is a nice feature that will allow you to surf your internet banking or "other" sites (naughty naughty) without the fear of the information being stored on your computer for someone else to find.

Javascript Speed
According to many reports on the internet the implementation of JavaScript in Google Chrome is significantly faster than in other browsers. This is pretty visible when browsing the internet. I think that this browser is much faster than anything I have used before.

New Browser - Google Chrome

Google released a new browser into the wild yesterday. The new browser called Google Chrome has many cool features and I think it has the potential to become a major player in the heavily contested browser market.

The new browser sports a whole bunch of features never before seen in the browser world as well as some of the same old standard things we have come to expect from a modern browser such as tabbed browsing.

As Google tends to do, they thought about stuff a lot more and came up with some really nice solutions to some age old problems.

Let's look at some of the cool new features I think will make this browser take the browser market to new levels:

Tabbed browsing processes
Tabbed browsing has become a standard feature since it was introduced a couple of years back.
The thing is, Google looked at the tabs and said mmm, let's take this and make it work better. They took the tabs and, instead of running them as separate threads under the same process, they decided to split each tab into its own process. The benefit of this, according to their website, is that it allows for better garbage collection, which prevents the browser from using up all the computer's resources after it has been open for some time. This will also allow you to end only the tab that causes the problems, not the entire browser itself. This is a major step forward in thinking and I think it will be a matter of time before all the bigger players in the browser market follow suit.

Internal Process Monitoring
Google Chrome comes with its own task manager that allows you to check which tabs and plugins are causing hassles and kill them if they are getting out of hand.

There is also a link in the bottom called stats for nerds which gives you more detail on the tasks.

Advanced URL Bar
Much like the Mozilla Firefox 3 URL bar, the Google Chrome address bar gives you rich results based not only on the URL entered but also on the title of the page. In addition, the Google Chrome address bar uses Google Suggest to find search results, and you can use the address bar to search.

Google has used all of its considerable resources for PageRank and other technologies to add assistive technology that is seamless, quick and pretty into this seemingly simple portion of the web browser.

User Interface
Of all the browsers that I am aware of on the market today, Google Chrome is the most simple and clean in terms of UI. They have followed their concepts from their Google search page and made a very simple, fast and very powerful system that is easy for anyone to use without much knowledge. Don't be fooled though, because behind all the simplicity there appear to be some awesome tools for the tech savvy nerds.

I have only spent about 1 hour with this browser, but I think this may be the browser of the future! I will keep you posted on any new features that I find.

Get Google Chrome here: http://www.google.com/chrome

02 September 2008

Google to launch web browser

It would appear that Google is looking at releasing a web browser called Chrome in the near future. According to reports on the net there was an accidental release of the information including video and screen shots, most of which have been removed already.

You can find information about the new browser on the following sites:

I for one am looking forward to seeing what Google can bring to the browser market. I am still, however, a loyal Firefox user; until something comes along that can compete with the power of Firefox and its array of useful extensions I am not budging, but hey, Google normally makes really awesome, easy to use products, so I will hopefully have a copy soon to review.

08 August 2008

5FM Blocked ?!?!

I am not a regular visitor to 5FM.co.za, but I decided to go today and was greeted by the Firefox "Reported Attack Site!" warning. I then tried to Google 5fm and Google displayed a warning as well. Something is clearly up on their website. Check out the screenshots below:

17 July 2008

SARS e@syFile Employers Manual Backup & Restore

Our HR people had a problem with the new SARS e@syFile Employers application. On opening the program it would pop up with a window saying
"The application has started from the incorrect icon. Please start e@syFile - employers from the desktop icon"

Even if you open the program from the desktop icon it still gives you this error.
I found that you can do the following to fix this.
  1. Go to
    Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
    Windows Vista: C:\Users\{username}\AppData\Roaming\easyFileEmployer.{hash}
  2. Copy the EasyFile.db and easyFile-employer.air files to a safe location.
  3. Uninstall the e@syFile Employer application.
  4. Re-install the program from the setup file.
  5. Copy the EasyFile.db and easyFile-employer.air files back to the directory:
    Windows XP: C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\
    Windows Vista: C:\Users\{username}\AppData\Roaming\easyFileEmployer.{hash}
  6. Start the e@syFile program again.
All your data will now be back and the application should run fine.

I would suggest that you backup the EasyFile.db and easyFile-employer.air files on another computer/server or removable disk.

You can write an xcopy script that will copy the files to a server or backup disk and create folders named with the date of the backup, like so:

REM Assumes the short date format is yyyy/mm/dd, so %Date:~0,4% is the year and %Date:~5,2% is the month
MD E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%
CD /D "C:\Documents and Settings\{username}\Application Data\EasyFileEmployer.{hash}\Localstore\"
REM /Y overwrites an earlier copy from the same month without prompting
XCOPY *.* "E:\PAYEBACKUP\%Date:~0,4%-%Date:~5,2%\" /Y

16 July 2008

Music to Malwares Ears?

As reported by Trend Micro, there is a worrying new attack vector that malware writers are using to spread their code: multimedia. The malware apparently infects almost any multimedia file which, when opened, asks you to download a codec to play the file. The codec is actually the malware, which then infects the computer.

As the Trend article pointed out this could be a massive problem because of P2P networks. Infected multimedia files could soon be flying around P2P networks infecting everyone.

Multimedia files are some of the most shared files and therefore this could be a very problematic attack to prevent. I would suggest that network administrators keep their eyes open and try to discourage users from bringing multimedia files to the office.

11 July 2008

Windows and OSPF issue

We have been testing OSPF on our network now that our wireless WAN links are stable. Basically what we are trying to do is get the routers to re-route traffic between our sites via Diginet in the event that our wireless link goes down.

We tested it on our Cisco routers and everything seemed fine, but the Windows clients are not playing the game. Basically we have 2 routers on each subnet, one for Wireless (Mikrotik) and the other for Diginet (Cisco).

When we disconnect the LAN cable for the Mikrotik router the Cisco automatically detects this and then re-routes traffic via the Diginet. The Windows clients however do not go through the Diginet.

On closer inspection we noted that in the Windows routing table (route print) on the client machines they have a route to the remote subnet via the Wireless router. The strange thing is that their default gateway set via DHCP is the Cisco router yet they still have this entry in the routing table.

If anyone out there has had something similar could they please help out. We have been scratching our heads for a couple of days now and can not find anything useful on Google yet. (Clearly our search strings are all messed up!)

The one solution that we have thought of is to put the Mikrotik router on its own subnet and set the Cisco's LAN interface to have addresses on both subnets. This would mean that the wireless equipment will not be directly accessible from the local client subnet and would only allow traffic to traverse this link via the Cisco ethernet interface. The only problem with this scenario is that it will result in a lot of network downtime to set up, and there is the possibility that the client connection to the wireless may be limited to the speed of the 10Mbps ethernet port on the Cisco router.

DNS Mega-Poison

According to IT-Web there is a mega flaw in DNS that will allow DNS poisoning to happen, allowing attackers to redirect traffic to almost anywhere.
DNS (Domain Name System) is the system that converts domain names to IP addresses. This previously undiscovered vulnerability could lead to massive identity theft, due to the fact that users could be redirected to fake websites without their knowledge.


10 July 2008

MSN SPIM - ultimate-stuff.info

Some more SPIM domain names are showing up ...

  • ultimate-stuff.info
  • <msn username>.hostings.info

Please do not enter your username and password in these forms. They will take your account details and start sending links to all your contacts.
If you have entered your username and password in this form please change your password as soon as possible!

My complete list of domain names to look out for are:
  • imagedino.info
  • imagelook.info
  • locatehost.info
  • imagedino.info
  • hostings.info
  • ultimate-stuff.info
If you are a network administrator please block these domains on your proxy server asap.
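The proxy blocks recommended here and in the Standard Bank post above need to catch the per-victim subdomains these SPIM pages use (the `<msn username>.hostings.info` form) without also blocking unrelated names that merely contain the string. The following is an added Python example, not code from the post or from any proxy product, of a suffix match that does this; the blocklist is constructed from the domains named in the posts and the function names are my own.

```python
from urllib.parse import urlsplit

# Blocklist constructed from the domains named in the posts above; a real
# deployment would load this from the proxy's own configuration.
BLOCKED_DOMAINS = frozenset({
    "reprsinos.com", "bizcombf.com",
    "imagedino.info", "imagelook.info", "locatehost.info",
    "hostings.info", "ultimate-stuff.info",
})


def hostname_of(url):
    """Lower-cased host part of a URL; bare hostnames are accepted as well."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.strip(".").lower()


def is_blocked(url, blocklist=BLOCKED_DOMAINS):
    """True if the host is a listed domain or sits underneath one.

    Matching walks the labels from the right, so 'someone.hostings.info'
    is caught (the SPIM pages use per-victim subdomains) while
    'hostings.info.example.net' and 'nothostings.info' are left alone; a
    plain substring check would get both of those wrong.
    """
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_requests(urls, blocklist=BLOCKED_DOMAINS):
    """Split a batch of requested URLs into (allowed, blocked) lists, the way
    a proxy log review or a pre-filter would."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_blocked(url, blocklist) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample of requests, including the odd leading-dot link
    # quoted in the 07 July post.
    sample = [
        "http://someone.hostings.info/login",
        "http://.imagedino.info/",
        "http://www.example.com/",
        "http://hostings.info.example.net/",
    ]
    ok, bad = filter_requests(sample)
    print("allowed:", ok)
    print("blocked:", bad)
```

Because the match is on label boundaries, adding a registrable domain to the list covers every host name beneath it, which is what you want for throwaway .info domains that spin up a new subdomain per victim.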

08 July 2008

More SPIM - locatehost.info, imagelook.info

There seem to be several new domain names that are showing up for the MSN SPIM imagedino.info.

Some of the ones that I have seen so far are:
  • imagelook.info
  • locatehost.info
  • imagedino.info
There are some more listed on this website:

WHAT NEXT? - imagedino.info MSN SPIM

Please change your password if you entered your user name and password into the imagedino.info website.

I have been following the imagedino.info saga since yesterday, when I received a link to the site from a contact. Ever since then I have been trying to figure out what the point of this "attack" was. It seems pretty harmless and it also seems to be a rather basic attack, but I did some digging and found this article from Trend that seems to describe a rather similar form of attack.

The article indicates that once you have entered your user name and password into the form, your login details are sent to an email box. The owner of that email box can then use your email account to send out spam mails or malware. This is obviously not a good thing, as it will annoy the daylights out of all your friends and possibly infect their machines if your account is used to send out malware!

imagedino.info has Google Analytics
I noticed that if you view the source of the page it has Google Analytics embedded in it! What on earth are these guys doing? Is it some security research project by some students that got into the wild?

Get Firefox 3 to block
Also note that Mozilla Firefox 3 now blocks that domain. I would recommend that if you are using Internet Explorer you rather upgrade to Firefox 3. It has some really good security features that block websites like these once they are identified. This is very useful if you expect someone else to use your computer who also uses MSN. It will prevent them from being part of this whole attack.

What is SPIM?
I noticed that a lot of people were referring to the messages sent as SPIM. According to wiktionary.org: "SPIM is Unsolicited commercial messages sent via an instant messaging system"

07 July 2008

SOLUTION - imagedino.info MSN Phishing


It would appear as though the MSN phishing outbreak is nothing more than phishing. After running several scans on his computer my "infected friend" found no viruses or malware. After changing his MSN password the messages seemed to stop. (Also verified by Gregg. See the link found at http://www.avertlabs.com/research/blog/index.php/2008/06/10/now-be-a-good-victim-and-enter-your-login-credentials-in-the-form/)

Let's hope this is just a single vector attack, as now these punks have managed to get all the email addresses and MSN information of most of the contacts. I would watch out for the next week or so for any suspect looking emails that arrive at your MSN account email address.

imagedino.info MSN Phishing

I recently received a message from a contact in MSN that had a link in it to the domain imagedino.info. It looked suspect, but I thought I might as well see what is going on.
When I followed the link it took me to a rather suspicious login screen that asked me to logon using my MSN Account.
I would suggest that no one do this as this is more than likely a phishing website that will use your account details for no good.
The link was http://.imagedino.info/
Please block this on your proxy server if you have a proxy.
If you have entered your username and password into this form:
  • please change your MSN password as soon as possible.
  • I am not sure if the page downloads anything malicious onto your computer. I would suggest updating your anti-virus and running a full system scan.
    You can get AVG Anti-virus for free from here.
  • Also try using something like spybot search and destroy

Screenshot of the website.

19 June 2008

The moral debate

I read an article on news24.com that says:
One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal e-mails or board-meeting minutes, according to a survey.
This is a pretty concerning statistic. We (network admins) all know that we can access anything in our organisation, but it is our moral responsibility not to do so. I know that I can get my hands on any information that I want, any time, from anywhere, but I choose not to as it is not right.
The problem with network administrators is that their role is often misunderstood and that management does not have a clue that they have access to this information. The other problem is that IT administrators are also mostly the implementers of the file security on the networks and that we hold the Administrator rights which allow us to access any information.
It is a double edged sword, we need access to the files to assist when something goes wrong, but we should not be able to see the contents of certain files.

Hack my Coffee?

This could be the funniest security vulnerability ever! I read on Trend Micro's website about how a new coffee machine that can be hooked up to your computer has a buffer overflow vulnerability that can allow a hacker to take control of the application that controls the coffee machine.
Imagine waking up in the morning to the horror of getting black coffee without sugar when you programmed your machine for white coffee with 2 sugars!

Oh what a crazy world we live in! :P

Photo courtesy PDPhoto.org

17 June 2008

Facebook Phishing

I got an email from Facebook that looked like a legit notification that one of my buddies had written on my wall. Except it was written in broken English:

"hello , howdy?? lisen i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)
It was followed by the following link:
It looks pretty legit at first glance, but if you take a close look you will notice that the domain is actually for dortos.net.
Whois information from whois.net

Now the thing that I found weird was that when I logged into my profile on Facebook I still got a notification about the wall post, but there was no post on my wall.

I cautiously opened the link to the fake profile and Firefox 3 Beta blocked it. (See screenshot)

I then decided to open the page up in IE8 and guess what. It looks identical to the facebook login screen. Except that it aint. (screenshot below)

This is a typical phishing attempt. I imagine that my buddy who sent the original wall post received the same thing and his account was compromised. My personal information was then obtained through his profile and a wall post was placed on my wall.

I am not sure exactly what is going on, but I reckon there will be some information once the security researchers around the world get a similar "phantom wall post".

I guess this is another reason to upgrade to Firefox 3 :P

13 June 2008


Ransomware seems to be a relatively old form of malware that is beginning to resurface, according to Trend Micro. This form of malware takes certain files on your computer and encrypts them. You will not be able to access the files unless you pay the malware writer a fee for the program to decrypt the files. You can find more information about this malware on Wikipedia.

I think that this type of malware is particularly destructive / disruptive and could cause massive problems for computer administrators in future if this type of threat increases.

10 June 2008

More Officescan Woes

Well now, lets get back to the Trend Micro Officescan issue AGAIN!
After downloading SP1 for Officescan, which failed to install, I eventually got it up and running again by fully un-installing the Officescan server and then IIS, re-installing both, applying all the patches for Officescan and then installing Service Pack 1.
All seemed well for about 12 hours. I came back this morning and tried to check on my client machines and do some routine maintenance when all of a sudden the web interface started to hang up again.

I went into task manager to see what was going on and noticed that there were a huge number of processes running for the web interface. There were mostly the following apps running in the background:
  • cgiOnStart.exe
  • cgiSummary.exe
  • cgiChkMasterPwd.exe
  • cgiRqlNl.exe
  • cgiClientAdm.exe
So on to Process Explorer to see more of what is going on ..... I noticed that all of these applications are running under w3wp.exe, which is IIS. So these are all CGI applications running under IIS for the Trend Micro Officescan web console.
I managed to get back into the web console by restarting IIS and then restarting the Officescan Master Service. You need to do this in this order so that all the cgi*.exe applications running in the background under IIS are closed first; this allows you to stop the Officescan Master Service. If you just try to restart the Officescan Master Service without restarting IIS, the service will say "stopping" indefinitely.

I am back in the web console now, but there are no hosts shown at all in the console. ARG ! I know that a re-boot will remedy this, but I can't restart until later when there are less users on this machine. Trend is really starting to be a pain in the butt!

30 May 2008

Help Firefox set a world record!

Download Day - English

Help Firefox set a Guinness World Record for the most downloads in a 24 hour period. Click on the banner above and click on the pledge link to sign up for the newsletter, which will alert you when the download becomes available for the new release of Mozilla Firefox V3. The new version of the popular browser will be released some time in June. Pledge now and become a part of this world record attempt!

Mozilla Store

29 April 2008

Trend Micro Officescan 8.0 Clients Crashing

Double Click Error

Right Click Error

We seem to be experiencing some difficulty with Trend Micro Officescan lately. When a client right clicks on the system tray icon and tries to open the Officescan console Trend Crashes. If they try to double click on the tray icon Officescan also crashes.

This is happening on all the clients that are attached to the servers that we recently updated to the latest patch from Trend Micro. It is happening to both Windows XP SP2 machines as well as Windows Vista Business SP1 machines. As yet I have been unable to find any information on Trend's website on how to resolve the issue.

When you double click you get the following error on Windows Vista:
"Trend Micro Officescan Monitor has stopped working"

When you right click you get the following error on Windows Vista:
"Trend Micro Officescan Management Console (32-bit) has stopped working"

Server Version: Officescan 8.0 build 1834

31 March 2008

Officescan 8.0 Web Console Hangs

We recently had a problem where I could not get into the Trend Micro Officescan web console. The logon page would display correctly, but once I logged on the page would never go into the console itself. Restarting the IIS or Officescan services would not work. The only thing that would get me back into the console was a re-boot of the Windows 2003 Server box itself.

The latest patch from the Trend Micro Website managed to sort out the issues we have been experiencing. So far, there have been no more hiccups. (Hold thumbs)

19 March 2008

Windows Vista SP1

It looks like Windows Vista Service Pack 1 has been released. You can download a standalone installation (x86) from the Microsoft Download centre.
The download weighs in at a pretty hefty 434.5 MB. So beware the cap.

The Service Pack does not seem to be available yet via WSUS.
Apparently the Windows Update version of the update will weigh in at only about 65 MB for the x86 version and 125 MB for the x64.
I am waiting to see what the WSUS download is going to do to my cap!
And then there is still Windows XP SP3 which should be out some time soon too!
Ah Telkom, you are going to make some money this month!

18 March 2008

Pacemakers Hacked !?!

The New York Times reports that it is possible to hack some pacemakers:
"They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal — if the device had been in a person. In this case, the researcher were hacking into a device in a laboratory"
New York Times

Imagine a heart attack toolkit being released for sale! (Ok so it would cost you an arm and a leg)
I hope these kinds of vulnerabilities don't become commonplace in future!

17 March 2008


It seems as though there is a new threat on the web .... MALVERTISING. (Malicious advertising).

Trend Micro:

"Surprisingly, users do not necessarily have to click on an ad to trigger a Web threat."

"viewers may be quickly redirected from the original site to a different site, which initiates a malicious adware download through browser vulnerabilities—a process known as drive-by-download."
Link to Trend Article
Trend Micro Malvertising Threat Prevention

16 March 2008

Vista SP1 a load of crap?

Classic! Some Japanese guys have started making toilet paper with Windows Vista SP1 features listed on it! Check it out on Engadget.


Link to translated website with more images :

28 January 2008


Trend finally found the virus! It took them some time but the mymsnpictures.com virus has finally been detected in the file I downloaded from the link sent to me in MSN.
You can find information about the virus here:

24 January 2008

SOLUTION: Hey, is this your picture?? MSN Virus

After an evening of fighting I think I have finally beaten this MSN virus! I ran Adaware, SpyBot, Windows Defender and Trend Micro Office Scan, but they all left some trace of the virus behind.

I noticed that the sneaky code modified my hosts file and pointed all anti-virus websites to localhost, as well as making the hosts file read-only. You can fix this by going to %SystemRoot%\System32\Drivers\Etc\, right clicking on the hosts file and unchecking the read-only checkbox.

You can then open the file in something like WordPad and delete all the entries that show up near the bottom. Mine had a huge list.
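The manual hosts-file clean-up described above can be checked automatically. Below is an added Python example, not code from the post or from any of the scanners it mentions, that lists the entries sinkholing a non-local name to the loopback (or null) address and strips those lines out; the sample hosts text and the vendor-looking hostnames in it are constructed for the example, and the function names are my own.

```python
import ipaddress
import os
import stat

# Names that legitimately map to a loopback address in a stock hosts file.
LOCAL_NAMES = frozenset({
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
})


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def suspicious_entries(text):
    """Entries that point a non-local name at a loopback or null address,
    which is how the malware in the post kept the machine away from the
    anti-virus vendors' update and scanning sites."""
    flagged = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "unparseable address"))
            continue
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            flagged.append((address, name, "non-local name sinkholed to local host"))
    return flagged


def clean_hosts(text):
    """Return the hosts text with every flagged line removed, keeping
    comments, blanks and the legitimate localhost lines intact."""
    bad_names = {name for _, name, _ in suspicious_entries(text)}
    kept = []
    for raw in text.splitlines():
        names = {n for _, n in parse_hosts(raw)}
        if names & bad_names:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def clear_read_only(path):
    """Undo the read-only attribute the malware set so the file can be saved
    (the same as unticking the box in the file's Properties dialog)."""
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)


# Constructed sample: a stock hosts file with sinkhole lines appended,
# using made-up vendor hostnames under .example.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       www.av-vendor.example housecall.av-vendor.example
0.0.0.0         scanner.another-vendor.example   # sinkholed
"""

if __name__ == "__main__":
    for address, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{address:<16} {name:<40} {why}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Run against the real file (%SystemRoot%\System32\Drivers\Etc\hosts on Windows) the same two functions give you a before/after listing; the loopback-or-null test catches the 0.0.0.0 variant as well as 127.0.0.1, and the "unparseable address" case surfaces lines that are not even valid hosts entries.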

Once you have done this, the instructions to get rid of the virus can be found on this helpful blog:
Look at the entry " Wednesday, January 23, 2008"

Hope this helps you out!

23 January 2008

Hey, is this your picture?? MSN Virus

I got a message from a friend in MSN that said "Hey, is this your picture??" followed by a link to a website, mymsnpictures.com. Upon following the link a file was downloaded to my machine. The file was a .com file, which kind of set off some red lights in my head.
So I tried scanning the file with Trend Micro Office Scan Client and it didn't pick up anything.
So I then decided to try the following online scanners:
  • Trend Micro House Call
  • BitDefender Online Scanner
  • Kaspersky Online Scanner
None of them picked up anything. So curiosity got the better of me and I decided to open the file.
At that point Windows Defender started screaming like mad!
I imagine that shortly after that multiple MSN windows opened and closed in quick succession on my PC, but I have not been able to verify that yet as I pulled out my network cable. None of my msn contacts have complained yet, but I suggest you ignore any links to pictures in MSN for now.

I will keep you posted as I am currently doing full system scans with Trend and with windows defender.

07 January 2008

Trend Micro Office Scan 8 Control Manager Service Keeps Stopping

I recently noticed that some of my client machines were not up to date when walking around the office. On trying to log into the Office Scan web console to check what was happening I got an error saying that the Office Scan master service was not running.

This had occurred at all 3 of my sites with Office Scan 8 installed. To rectify the problem you can open the services MMC console: Start > Run > services.msc
Find the Office Scan master service and click start.
To prevent the error in future I changed the recovery options for the service to restart the service should it ever fail.