SoylentNews is people
SoylentNews
State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China
Here's a timely reminder that email isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.
This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a "confusingly worded typed letter with occasional Chinese characters."
Please insert in election computer.
Also at TechCrunch and Engadget.
(Score: 5, Interesting) by DannyB on Tuesday July 31 2018, @04:35PM
Yes, I can call it evil and I will.
In 1982 there were alternate OSes for the IBM PC. PC-DOS and MS-DOS were not the only ones. And they weren't even the best.
Where it became evil was when Microsoft required OEMs bundling MS-DOS to not sell any other OSes. (Technically: the OEM had to pay for a copy of MS-DOS even if the computer were preinstalled with a different OS from another OS vendor.)
It doesn't have to be stupid to be evil. Often evil is not stupid.
Now as for when XP arrived. By the time of XP things like CODE RED had already spread around the world because of how astonishingly exploitable IIS was. I demonstrated to a coworker at the time that with a fully patched NT 4 box, I could trivially craft an HTTP request to a path that uses the dot-dot-slash technique to walk up the ancestor chain of the directory, right out of the C:\inetpub\wwwroot and into C:\Windows\Cmd.exe. Then the parameters to Cmd.exe could be to call TFTP.EXE (trivial file transfer protocol) which was conveniently bundled right into NT 4. Additional simple parameter allowed TFTP to fetch MALWARE.EXE from EVIL.COM. So then Microsoft "fixed" this.
You know how in an HTTP request that %20 is what you should actually use for a space? Guess what, you can use hex codes other than 20 to produce other characters than a space! Yes really! So even though Microsoft "fixed" the dot-dot-slash way of walking up the directory tree, you could send the dots and slashes using the % hex codes -- which IIS hands off to the Windows file system -- which guess what!!! it will interpret the percent-hex characters into a valid pathname.
Microsoft never really cared about security. (back then) They only cared once it made them look bad. Clearly at some point Microsoft got the security religion. But way too late.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.