Security Watch

MLB Offers Sports Plus An Eyeful

Also: Chinese bloggers get DDOS'd; Microsoft does its part to warn users on legacy file support; Sears doesn't come clean on privacy.

DoubleClick accidently served up malicious ads on ESPN's Soccernet back in December. So, is it an accident when it happens a second time? Once again, DoubleClick has served up ads on Major League Baseball's MLB.com site -- but this time, site visitors clicked on a criminally crafted ad that redirected to a porn site (read about it here).

When will ad networks stop acting like they don't care about the customers who are viewing the ads? It matters not whether there are agreements within the chain of ad suppliers that make up an ad network. ultimately, the site who delivers the criminally crafted ad needs to act more responsibly that it's delivering safe and secure ads. Whether such incidents end up in court isn't as important as the damage that can be done to the reputations of DoubleClick's customers.

Chinese Bloggers Denied In Other Ways
Bloxun, a U.S.-based site that allows Chinese dissidents to blog, suffered a significant DDoS attack on Dec. 24, 2007. The site's editor said the blogging server was taken down completely, affecting some 2,000 blogs, according to this article from DarkReading.com. Even more disconcerting is that some blogs may not be fully recovered.

It is important to realize that controversial content may very well tick some people off, and if it does, you should expect to encounter such attacks. So, you should make regular backups and arrange for a proper defense if you become a target of an attack.

Back to the Future? Not for this Office 2003 Update
Office 2003 Service Pack 3 introduced blocking of a number of file types which Microsoft said cannot be securely parsed. The file types include Lotus 1-2-3 and Quattro files, as well as various older versions of Word documents. Excel 4.0 charts, PowerPoint files before PowerPoint 97. Also blocked are dBase II files. All can be re-enabled with an additional update from Microsoft, or, registry entries can be adjusted to allow only those you actually require.

Some Slashdot users complained about the blocking. Clearly they failed to read the information provided with SP3 prior to installing it. Service packs, unlike security bulletins, are not automatically installed and do (and should) contain feature changes such as this. This effort by Microsoft, to help prevent future exploitation of the Office platform, makes sense and should be applauded. Granted, some users may very well be using such old file formats, but they should be aware of the risks they are taking. This effort will make them aware, and Microsoft has provided a way for them to consciously accept the risk and modify the registry to allow their use.

Sears Should Come Clean on Spyware Program
ComScore, an Internet measurement firm, is in the news again. This time due to its affiliation with Sears via its "My SHC Community" program. The program provides Sears' customers a way to give the company feedback on products they'd like to see Sears sell. The software, downloaded on to some community members PCs, tracks everything a user does including Web site visits, SSL sessions, e-mail headers, etc. According to Ben Edelman, the program also violates FTC guidelines regarding informing users sufficiently before the software is installed. Edelman claims the software does not provide advanced warning of its functionality, nor does it fully disclose all of the information it obtains.

One truly has to wonder how a company the size of Sears could be convinced to offer such a tool to its customers. Perhaps it was only told of some of the features and/or data the tool would collect, or the deal was so attractive that it did not matter. In any event, this sort of negative publicity for a community cannot be helpful, and such practices means the program will continue to be under the scrutiny of researchers for some time.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular