• Hotmail accounts hacked for sending iPhone spam

    I’ve had a few family and friends now who have apparently had their hotmail email accounts hacked for the purpose of sending spam to all the people in their contacts (including me!)

    The spam (whose grammar should make it obvious that it is not from the original sender) takes the form of:

    hi, how are you? recently, I got a nice site: www.nottheoriginalsite.com I brought some items from them. Wow, it is very nice. low price and good quality (iphone new model 3GS 16 GB only 385 euro) they also sell Wii, DJ, TV, laptop,camera and so on. how do you think? login and have a look at it! yours truly,

    As best I can tell, they’ve done this either via guessing passwords or maybe via some kind of phishing attack. One reason for this belief is that for one incident I saw, the spam was saved in the sender’s “Sent Items” folder, just like other regular email that they had sent.

    If you have a hotmail account, I’d strongly recommend you ensure your password is long enough to be extremely difficult to guess. A passphrase instead of just a password is probably the best way to do this.

  • Why Websense is stupid (and I told them so)

    One of the vendors who happened to be exhibiting at TechEd Australia this year was a company called Websense.

    They were giving away T-shirts, so it was only after I had received my free shirt from them that I then proceeded to tell them how stupid and horrible their software was.

    This seemed to take the Websense staff a bit by surprise, and they tried to defend their product, assuring me with words to the effect that their software was wonderful and couldn’t possibly be faulty and had the “largest database”. Well, let me assure you “quantity” definitely does not equate to “quality”, and it may be no coincidence that their company name rhymes with “nonsense” :-)

    Don’t believe me? Well take a look at this example:

    Try and browse http://www.opensource.org/licenses/bsd-license.html through Websense and you are greeted with this response:

    Reason: The Websense category "Entertainment" is filtered.

    URL: http://www.opensource.org/licenses/bsd-license.html

    Presumably the legal department must have a fair bit of influence at Websense, Inc. as I don’t think anyone else would consider reading software licenses ‘Entertainment’.

    It just goes to reinforce the enhancement Mitch Denny made in his Software Development Pitfalls talk to point 5 of Jeff Atwood’s Programmer’s Bill of Rights:

    Every programmer shall have a fast, unfiltered internet connection

    Ah, we can but dream.

  • BinScope and MiniFuzz

    Following on from seeing Michael Howard at TechEd last week, here are a couple of new tools to help with analysing your applications for security issues.

    BinScope is “a verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations”.
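    Two of the build settings BinScope verifies are the /NXCOMPAT (DEP) and /DYNAMICBASE (ASLR) linker options, which land as bits in the PE optional header’s DllCharacteristics field. The following is an added example of reading those bits yourself; it is not BinScope’s code and the header-only test image it constructs is not a loadable binary. It deliberately reports /DYNAMICBASE as ineffective when the COFF header says relocations were stripped, since the loader cannot move an image it has no relocations for. /GS and SafeSEH checks need the load-config directory and are not attempted.

```python
"""Read the DEP/ASLR-related linker settings from a PE image, the kind of per-binary
build check BinScope automates (added example, not BinScope's code). Only the
DllCharacteristics and COFF flags are inspected; /GS and SafeSEH verification need
the load-config directory and are not attempted here."""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
HIGH_ENTROPY_VA = 0x0020   # /HIGHENTROPYVA, meaningful for PE32+ only
DYNAMIC_BASE    = 0x0040   # /DYNAMICBASE: image may be rebased (ASLR)
NX_COMPAT       = 0x0100   # /NXCOMPAT: DEP-compatible
NO_SEH          = 0x0400   # image uses no structured exception handlers
GUARD_CF        = 0x4000   # /guard:cf
# IMAGE_FILE_* (COFF header Characteristics)
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot move the image


def pe_mitigations(image: bytes) -> Dict[str, bool]:
    """Parse just enough of the headers to report the linker mitigation bits."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _ts, _symptr, _nsym,
     opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                         # optional header follows the 20-byte COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic, = struct.unpack_from("<H", image, opt)
    pe32plus = magic == 0x20B               # 0x10B = PE32, 0x20B = PE32+
    dll_chars, = struct.unpack_from("<H", image, opt + 70)  # same offset in PE32 and PE32+
    relocatable = not (coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        # /DYNAMICBASE achieves nothing if the relocations were stripped
        "aslr_effective": bool(dll_chars & DYNAMIC_BASE) and relocatable,
        "high_entropy_va": pe32plus and bool(dll_chars & HIGH_ENTROPY_VA),
        "guard_cf": bool(dll_chars & GUARD_CF),
    }


def failing_checks(image: bytes) -> List[str]:
    """Names of the SDL-style requirements the image does not meet."""
    m = pe_mitigations(image)
    failed = []
    if not m["nx_compat"]:
        failed.append("/NXCOMPAT not set")
    if not m["dynamic_base"]:
        failed.append("/DYNAMICBASE not set")
    elif not m["aslr_effective"]:
        failed.append("/DYNAMICBASE set but relocations stripped")
    return failed


def build_minimal_pe(dll_chars: int, pe32plus: bool = False, coff_chars: int = 0) -> bytes:
    """Constructed header-only image for exercising the parser (not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224     # standard optional header sizes
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:               # usage: pecheck.py foo.exe bar.dll ...
        with open(path, "rb") as f:
            print(path, failing_checks(f.read()) or "OK")
```

    Run it over a build output directory to get the same pass/fail signal for DEP and ASLR that BinScope gives, without installing the tool; anything it flags will also fail BinScope.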

    MiniFuzz is “a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviours”.
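    To show what that description amounts to in practice, here is an added example of the same mutate-run-triage loop written from scratch; it is not MiniFuzz’s code. It takes a seed file, writes random byte-level variants of it (bit flips, overwrites, boundary values spliced in, chunks duplicated or deleted), runs the target program on each, and keeps only the files that made the target die with a signal, exit with a Windows NTSTATUS crash code, or hang past a timeout. The toy length-prefixed parser it fuzzes when run without arguments is constructed for the demo; the `python_target` helper and the `minifuzz.py SEED ITERATIONS TARGET…` usage are this example’s own conventions.

```python
"""Minimal file mutation fuzzer in the spirit of MiniFuzz (added example, not
MiniFuzz's own code). Writes random variants of a seed file, runs the target on
each, and keeps every variant that crashed or hung the target as a reproducer."""
import os
import random
import struct
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Boundary values that tend to upset length fields and signed/unsigned arithmetic.
INTERESTING = [b"\x00", b"\x7f", b"\x80", b"\xff", b"\xff\xff", b"\x00\x00",
               b"\x00\x00\x00\x80", b"\xff\xff\xff\x7f", b"\xff\xff\xff\xff"]


def mutate(data: bytes, rng: random.Random, max_ops: int = 8) -> bytes:
    """Apply 1..max_ops random byte-level mutations to a copy of data."""
    buf = bytearray(data) or bytearray(b"\x00")   # never feed the target an empty file
    for _ in range(rng.randint(1, max_ops)):
        op, pos = rng.randrange(5), rng.randrange(len(buf))
        if op == 0:                                   # flip a single bit
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1:                                 # overwrite with a random byte
            buf[pos] = rng.randrange(256)
        elif op == 2:                                 # splice in an interesting value
            val = rng.choice(INTERESTING)
            buf[pos:pos + len(val)] = val
        elif op == 3:                                 # duplicate a chunk (grows the file)
            buf[pos:pos] = buf[pos:pos + rng.randint(1, 64)]
        else:                                         # delete a chunk (truncates structures)
            del buf[pos:pos + rng.randint(1, 64)]
            buf = buf or bytearray(b"\x00")
    return bytes(buf)


def mutants(seed: bytes, count: int, rng_seed: int = 0) -> List[bytes]:
    """Deterministic batch of mutants; the same rng_seed replays the same cases."""
    rng = random.Random(rng_seed)
    return [mutate(seed, rng) for _ in range(count)]


def is_crash(returncode: int) -> bool:
    """Killed by a signal on POSIX (negative code), or a Windows NTSTATUS exit such
    as 0xC0000005 (access violation) / 0xC0000409 (stack buffer overrun)."""
    return returncode < 0 or returncode >= 0xC0000000


@dataclass
class Finding:
    kind: str                  # "crash" or "hang"
    returncode: Optional[int]  # None for a hang
    path: str                  # reproducer left on disk


def run_case(cmd: List[str], path: str, timeout: float) -> Optional[Finding]:
    """Run cmd with the case file as its last argument; report a crash or hang."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:                 # subprocess.run kills the child for us
        return Finding("hang", None, path)
    return Finding("crash", proc.returncode, path) if is_crash(proc.returncode) else None


def fuzz(cmd: List[str], seed: bytes, iterations: int, timeout: float = 5.0,
         rng_seed: int = 0, outdir: Optional[str] = None) -> List[Finding]:
    """Run `iterations` mutants of seed through cmd; keep only files that reproduce a finding."""
    outdir = outdir or tempfile.mkdtemp(prefix="minifuzz-")
    findings: List[Finding] = []
    for i, case in enumerate(mutants(seed, iterations, rng_seed)):
        path = os.path.join(outdir, f"case-{i:05d}.bin")
        with open(path, "wb") as f:
            f.write(case)
        result = run_case(cmd, path, timeout)
        if result is None:
            os.remove(path)                           # nothing to reproduce, discard it
        else:
            findings.append(result)
    return findings


def python_target(code: str) -> List[str]:
    """Wrap a snippet of Python as a target program (used by the self-contained demo)."""
    return [sys.executable, "-c", code]


# Constructed toy target: a parser that trusts a 4-byte length field and aborts
# (standing in for the crash a native parser would take on an out-of-bounds read)
# whenever the field lies about the payload size.
TOY_PARSER = r"""
import os, struct, sys
d = open(sys.argv[1], 'rb').read()
n = struct.unpack('<I', d[:4])[0] if len(d) >= 4 else 0
if n and len(d[4:4 + n]) != n:
    os.abort()
"""

if __name__ == "__main__":
    if len(sys.argv) >= 4:                            # minifuzz.py SEED ITERATIONS TARGET [ARGS...]
        seed_bytes = open(sys.argv[1], "rb").read()
        found = fuzz(sys.argv[3:], seed_bytes, int(sys.argv[2]))
    else:                                             # no arguments: fuzz the toy parser
        found = fuzz(python_target(TOY_PARSER), struct.pack("<I", 5) + b"hello", 200, timeout=2.0)
    for item in found:
        print(item.kind, item.returncode, item.path)
    print(f"{len(found)} finding(s)")
```

    The fixed RNG seed is what makes a run reproducible: rerunning with the same seed file and `rng_seed` regenerates the same cases, so a crash can be replayed under a debugger from its kept reproducer or by index. Hangs are reported separately from crashes because a parser that loops forever on a bad length is a denial-of-service bug even when nothing is corrupted.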