Russia-backed crew's latest malware has discerning taste – when screening visitors to poisoned watering holes Russia's infamous Turla hacking crew looks to be gearing up for a new offensive, according to researchers with ESET. The European security firm said that the fingerprints of the state-backed crew have been found all over previously unseen malware samples collected from compromised government websites in Armenia. Data from …
Which is blocked by NoScript.
Again, NoScript to the rescue. Frankly, NoScript should be considered as a must-have, receive a Public Utility Award as well as a Keeping The Internet Safe Award, and be enshrined as a tool that defends Democracy and Privacy.
Oh, and somebody give its author a million bucks. He deserves it.
Meanwhile, a Flash Update ? Really ? And "high interest" people fall for that ?
I wonder what the malware guys will do when Flash has been eradicated from the Internet. Are they going to try to push YouTube updates ?
"Are they going to try to push YouTube updates?"
Short answer: of course they will... along with many other chameleon-like variations--at varying degrees of effectiveness/deadliness.
But, getting down to fundamentals...
I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams, made such delivery easier, and therefore increased the rate of delivery. After all, that's what technology does. But, when we hear that there's a "new" scam, all I see is just a new variation of a repackaged scam, delivered by a slicker, faster method.
Once we decided that users should be prompted to allow an update, we effectively created a procedural convention that could be leveraged by fakes.
The fundamental problem is making it impossible to fake an official notification. Basic rule of security: you can make things harder, slow the rate of compromise, and mitigate the risks/costs--but you can't make fakes impossible--just costlier.
And then, if you've bothered to read this far, there's that final unfortunate trade-off. Barriers to fakes usually make things harder on users (think TSA), so we don't build the best barriers in the hopes that users will tolerate and comply with the ones we put in place. It's a bit of a juggle.
Flash is just one of those pervasive things that should have died long ago. It's persistence is simply easily exploited. It's a bit of low-hanging fruit that should
" this is why we have the Internet of Turds"
FWIW: a _LARGE_ part of the reason we have the Internet of turds is NAT and the continued use of IPv4
Tunnelling out your devices to some (vulnerable) website so you can remotely view security cams wouldn't be necessary in a IPv6 environment - and blocking those tunnels takes away a huge chunk of the attack face.
if you have to implement a kludge (that kind of shit) on top of a kludge (32 bit addressing - there's history on that, it was only intended to be in service for 5 years) then expect the authors to be careless.
I'm not saying that IPv6 cures all ills - but not behaving like the old lady who swallowed a fly goes a long way towards not having as many issues in the first place
"I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams"
Yup. I saw my first 419 missive in the requisite ALL CAPS coming off a telex machine in 1989 - and of course THAT'S just a variant on the "Spanish Prisoner" letters selling treasure maps with 'X marks the spot' that inspired Robert Louis Stephenson
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
