
posted by janrinok on Tuesday July 31 2018, @01:22PM
from the old-but-tested dept.

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

Here's a timely reminder that email isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.

This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a "confusingly worded typed letter with occasional Chinese characters."

Please insert in election computer.

Also at TechCrunch and Engadget.

  • (Score: 5, Insightful) by DannyB on Tuesday July 31 2018, @03:39PM (7 children)

    by DannyB (5839) Subscriber Badge on Tuesday July 31 2018, @03:39PM (#715224) Journal

    A popular Usenet and email joke sent around the world was that OMG!!! your computer could be infected by merely receiving an incoming email!!!!

    Of course it was a joke. There was no MIME. Email was pure text. All techies got the joke. Newbies would be frightened by the joke.

    Then, years later, after they SHOULD have known better, Microsoft made the threat of that joke into a reality. The I LOVE YOU virus was one of the first major headlines. But not the last. And it spread like crazy. Made national, maybe even international news.

    AutoPlay was another thing that SHOULD have been OBVIOUS even 25 years ago, not just 20. Even by 1993 malware was rampant in the DOS / Windows world. It was a real thing. A scourge. A well known problem. AutoPlay as a vector for malware transmission should have been BLINDINGLY OBVIOUS.

    This can only be explained by stupidity. But considering what we know about the NSA, I would say that one should not attribute to stupidity what can be adequately explained by malice. Causing untold headaches, trouble, and financial cost to millions of users is just a casualty of war if the right piece of malware can penetrate the right NSA target. In a post-Snowden world it is easy now to look back at things through less naive eyes. One thing that is now beyond clear is that no matter how paranoid I was before, things were clearly already much worse.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 1, Informative) by Anonymous Coward on Tuesday July 31 2018, @03:57PM

    by Anonymous Coward on Tuesday July 31 2018, @03:57PM (#715237)

    Yep. When you get accustomed to getting viruses and random adware on your computer... no-one's going to notice the quiet process sending your keystrokes back home.

  • (Score: 0) by Anonymous Coward on Tuesday July 31 2018, @03:59PM (1 child)

    by Anonymous Coward on Tuesday July 31 2018, @03:59PM (#715241)

    should not attribute to stupidity what can be adequately explained by malice

    The project managers and developers simply didn't give a shit. It wasn't until the release of XP and the daily exploits targeting MSIE and IIS that Microsoft realised security flaws could impact their bottom line. You can't call gaining an OS monopoly "stupid" and it wasn't "malicious". We'll just have to settle for "reckless".

    • (Score: 5, Interesting) by DannyB on Tuesday July 31 2018, @04:35PM

      by DannyB (5839) Subscriber Badge on Tuesday July 31 2018, @04:35PM (#715266) Journal

      You can't call gaining an OS monopoly "stupid" and it wasn't "malicious".

      Yes, I can call it evil and I will.

      In 1982 there were alternate OSes for the IBM PC. PC-DOS and MS-DOS were not the only ones. And they weren't even the best.

      Where it became evil was when Microsoft required OEMs bundling MS-DOS to not sell any other OSes. (Technically: the OEM had to pay for a copy of MS-DOS even if the computer were preinstalled with a different OS from another OS vendor.)

      It doesn't have to be stupid to be evil. Often evil is not stupid.

      Now as for when XP arrived. By the time of XP, things like CODE RED had already spread around the world because of how astonishingly exploitable IIS was. I demonstrated to a coworker at the time that with a fully patched NT 4 box, I could trivially craft an HTTP request to a path that uses the dot-dot-slash technique to walk up the ancestor chain of the directory, right out of C:\inetpub\wwwroot and into C:\Windows\Cmd.exe. Then the parameters to Cmd.exe could be to call TFTP.EXE (trivial file transfer protocol), which was conveniently bundled right into NT 4. An additional simple parameter allowed TFTP to fetch MALWARE.EXE from EVIL.COM. So then Microsoft "fixed" this.

      You know how in an HTTP request %20 is what you should actually use for a space? Guess what, you can use hex codes other than 20 to produce characters other than a space! Yes really! So even though Microsoft "fixed" the dot-dot-slash way of walking up the directory tree, you could send the dots and slashes using the % hex codes -- which IIS hands off to the Windows file system -- which, guess what!!! it will interpret the percent-hex characters into a valid pathname.

      Microsoft never really cared about security (back then). They only cared once it made them look bad. Clearly at some point Microsoft got the security religion. But way too late.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
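The failure mode DannyB describes above is a traversal check run on the raw request path before percent-decoding, so that encoded (or double-encoded) dots and slashes pass the check and are only decoded later by the file system. The following is an added illustration, not code from the post or from IIS: a constructed naive check beside a canonicalising one that decodes until the path is stable and then walks the segments, run over a few constructed request paths. The helper names and the decode-round cap are assumptions.

```python
import urllib.parse

# Assumption: a legitimate path needs at most one decoding round; more than a
# few rounds of nested percent-encoding is treated as hostile input.
MAX_DECODE_ROUNDS = 3

def fully_decode(path: str) -> str:
    """Percent-decode until the result stops changing, so %252e -> %2e -> '.'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("excessive percent-encoding nesting")

def escapes_webroot(request_path: str) -> bool:
    """True if the fully decoded, normalised path climbs above the web root."""
    try:
        decoded = fully_decode(request_path)
    except ValueError:
        return True  # refuse rather than guess at what the file system would do
    # Windows file systems also accept backslashes as separators; fold them first.
    decoded = decoded.replace("\\", "/")
    depth = 0  # how many real directory levels below the root we are
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True  # climbed above the root at some point
        else:
            depth += 1
    return False

def naive_check(request_path: str) -> bool:
    """The pre-fix behaviour from the comment: look for '../' in the raw path only."""
    return "../" in request_path or "..\\" in request_path

# Constructed sample request paths; the expected escape verdict is the value.
SAMPLES = {
    "/index.html": False,
    "/../../Windows/Cmd.exe": True,              # plain dot-dot-slash
    "/%2e%2e/%2e%2e/Windows/Cmd.exe": True,      # hex-encoded dots
    "/%252e%252e/Windows/Cmd.exe": True,         # double-encoded dots
    "/docs/../index.html": False,                # stays inside the root
}

def audit(samples=SAMPLES) -> dict:
    """Per sample: (naive verdict, canonicalising verdict)."""
    return {p: (naive_check(p), escapes_webroot(p)) for p in samples}
```

Comparing the two verdicts per sample shows exactly the gap the post describes: the naive check misses every encoded variant that the canonicalising check catches.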
  • (Score: 0) by Anonymous Coward on Tuesday July 31 2018, @04:00PM (3 children)

    by Anonymous Coward on Tuesday July 31 2018, @04:00PM (#715242)

    Think about how you got the CD. You went to the store and paid money for it. It was read-only. It came in a colorful box. Not that this was needed, but law enforcement could trace that box back to the people who created the CD. (follow the money, review warehouse/trucking records, etc.) There was retail, then wholesale, then the software publisher and developer. At the end of the chain you'd find a corporation with people who could be interviewed and arrested. Originally, not even AOL was sending out CDs.

    The only writable direct-access media was the floppy, and on that there was no AutoPlay.

    • (Score: 2) by DannyB on Tuesday July 31 2018, @04:39PM (2 children)

      by DannyB (5839) Subscriber Badge on Tuesday July 31 2018, @04:39PM (#715268) Journal

      I was burning CDs by about 1991. Not everyone was. I lived in an R&D playground with all kinds of toys. (not any more) But even at $400 for a Mac CD ROM burner with Toast software, (in early 1990 dollars) it was possible for bad people to burn CD ROMs.

      Leave a few of them in the restroom or parking lot.

      By 1995 everyone was burning CD ROMs.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 0) by Anonymous Coward on Tuesday July 31 2018, @09:05PM (1 child)

        by Anonymous Coward on Tuesday July 31 2018, @09:05PM (#715393)

        I was handling CD ROMs around 1988, but I am surprised that a burner was only $400 in 1991. I think I paid $200 for my first one in 1998. How much would the hard drive array have cost to hold the CD ROM source data (assuming the image was built on the fly)? I don't think I remember blanks being offered in Computer Shopper then either.

        • (Score: 2) by DannyB on Tuesday July 31 2018, @09:56PM

          by DannyB (5839) Subscriber Badge on Tuesday July 31 2018, @09:56PM (#715423) Journal

          I'm going from memory on the pricing. It might have been much higher in 1991. I think I bought my first personal burner for $400 ish and it was probably more like 1996 or 97.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.