Archive for February, 2009

A serious security hole in Microsoft Excel 2007 has been announced.
(Update: the scope of this alert has broadened greatly; it now covers almost all versions of MS Excel.)
There is also new information on this; I've added it to the bottom of this post.

If a user downloads and opens a malicious Excel file, a Trojan horse is installed on the computer, which can allow the attacker who crafted the file to take complete control of that machine.

Most of the few remaining clients I have that haven't gone under yet use Excel on a daily basis and send and receive Excel files by e-mail or over a corporate network.

If this is you, please have your network technicians block e-mail delivery of all Excel files at the mail gateway promptly. I mean now. If one person on your corporate network receives one and opens it, it could quickly infect every computer on the network.
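As an added illustration (not code from the original post) of what "block Excel attachments" should mean at a mail gateway: the vulnerable code is Excel's parser for the legacy binary workbook format, and a binary .xls renamed to some other extension is still that format once a user opens it in Excel, so the filter below classifies each attachment by its first bytes rather than by its file name. The policy it applies (block any legacy binary Excel content whatever its name, let Office Open XML through by default, leave Word/PowerPoint binaries alone) and the sample attachments are assumptions made for the example; pass `allow_openxml=False` to follow the post's advice literally and stop every workbook.

```python
import io
import os
import zipfile

# Container signatures (the first bytes of the file). An OLE2 compound file is the
# wrapper for the legacy binary Office formats (.xls, .doc, .ppt); the vulnerable
# BIFF workbook parser is reached through it. Office Open XML (.xlsx, .docx) is a ZIP.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions that cause Excel to be the handler.
EXCEL_EXTENSIONS = {".xls", ".xlt", ".xla", ".xlsx", ".xlsm", ".xltx", ".xltm", ".xlam"}
# Other legacy-binary Office types that share the OLE2 container but are opened by
# Word/PowerPoint/Outlook, not by Excel's workbook parser (assumed policy: allowed).
OTHER_OLE2_EXTENSIONS = {".doc", ".dot", ".ppt", ".pot", ".pps", ".msg"}


def sniff(data: bytes) -> str:
    """Classify an attachment by its bytes alone: 'ole2', 'ooxml-excel', 'ooxml-other' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        # An Office Open XML workbook keeps its parts under xl/ inside the archive.
        return "ooxml-excel" if any(n.startswith("xl/") for n in names) else "ooxml-other"
    return "other"


def decide(filename: str, data: bytes, allow_openxml: bool = True):
    """Gateway policy for one attachment. Returns (block, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind == "ole2":
        if ext in OTHER_OLE2_EXTENSIONS:
            return False, "legacy binary container with a Word/PowerPoint/Outlook name; not Excel's parser"
        # Any OLE2 file under an Excel name, or hiding behind an unrelated extension, is treated
        # as the vulnerable workbook format: renaming does not change what Excel will parse.
        return True, "legacy binary (OLE2) content with extension %r: the vulnerable workbook format" % ext
    if kind == "ooxml-excel":
        if allow_openxml:
            return False, "Office Open XML workbook; the new format is reported not to be affected"
        return True, "Office Open XML workbook; blocked by the 'no Excel at all' policy"
    if ext in EXCEL_EXTENSIONS:
        return True, "Excel extension but the content is %s, not a workbook" % kind
    return False, "not a workbook (%s)" % kind


def _ooxml(part: str) -> bytes:
    """Build a minimal Office Open XML package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part, "<x/>")
    return buf.getvalue()


# Constructed sample attachments (stand-ins, not real malware): a legacy workbook, the same
# bytes renamed to .xlsx, a real .xlsx, a .docx, a text file and an HTML file named .xls.
SAMPLE_ATTACHMENTS = {
    "q4-results.xls": OLE2_MAGIC + b"\x00" * 504,
    "invoice.xlsx": OLE2_MAGIC + b"\x00" * 504,
    "q4-results.xlsx": _ooxml("xl/workbook.xml"),
    "memo.docx": _ooxml("word/document.xml"),
    "notes.txt": b"plain text",
    "readme.xls": b"<html><body>not a workbook</body></html>",
}


def screen(attachments, allow_openxml: bool = True):
    """Run the policy over a mapping of filename -> bytes; returns {name: (block, reason)}."""
    return {name: decide(name, data, allow_openxml) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (block, reason) in screen(SAMPLE_ATTACHMENTS).items():
        print("%-5s %-16s %s" % ("BLOCK" if block else "allow", name, reason))
```

The check that matters most is the renamed one: `invoice.xlsx` carries OLE2 bytes and is blocked even though its extension says "new format". A gateway rule that only matches `*.xls` would have passed it, and Excel would have parsed it as a binary workbook anyway.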

This is rapidly infecting corporate networks around the world.

There is NO patch for this as of yet.

Most anti-virus software won't catch it or do anything about it yet.

Microsoft will probably release a fix for this vulnerability in Excel, but it will be weeks in coming, not hours.

If you're one of the smaller businesses and can't get your network specialist to lock this down promptly, call me and I'll talk you through doing it yourself.

Also tell your network technicians that the Symantec article on this subject is erroneous at the time of this writing.

Here’s a tech alert about this.

UPDATE:
The first Trojan it installs is detected as Trojan.Mdropper.AC.
UPDATE 2:
This is not the old Trojan of the same name from 2006 that affected MS Word.

03-01-2009:
Microsoft has finally acknowledged its existence, but still doesn't have a fix; here's their tech bulletin.

We’ve learned the exploit won’t work on machines running Windows Vista.

Microsoft has also issued a “workaround”:

1 – Turn on MOICE. MOICE converts the XLS to XLSX before opening. Again, the new XML file format is not susceptible to this vulnerability.

2 – Turn on FileBlock. This option is a little more disruptive to most environments. With FileBlock enabled, Excel will only open the new XML-based file format that is safer. It will not open the legacy binary file format. If your organization has switched over to using the new file format exclusively, this might be a great option, even just long enough for us to get a security update out to address the vulnerability.

- Jonathan Ness and Bruce Dang, MSRC Engineering

So what is MOICE? It stands for "Microsoft Office Isolated Conversion Environment." It ships with the free Office Compatibility Pack and is enabled by changing the file association so that .xls files are handed to the converter instead of straight to Excel; the converter rewrites the file into MS Office's "Open XML" format and Excel then opens the result. It's hard to find and hard to use, and what MS won't tell you is that the conversion often destroys the file, leaving it permanently unusable or usable only after an expert "fixes" all the information in it by hand.

I've got my own workaround going:
Open it on a Vista machine, convert the file to a simpler format, like .csv, and then send it back. This is only if you really need the file. If it's a case of curiosity, as in "I got this Excel file in the e-mail and I don't know what it is," then just don't open it; the odds are it's infected.

Here's more.

The FTC has privacy guidelines, not laws, concerning privacy policies on web sites. Recently they've made a few changes to the guidelines:

  • Extended these privacy guidelines to include ISPs and mobile phone service providers
  • Now urges websites to tell consumers that data is being collected during their searches and to allow them to opt out
  • Recommends that mobile companies and Internet service providers also inform customers about data collection and allow users to decline

Pretty lame if you ask me, especially since there is no reason for companies to comply. Current internet privacy law lets you do basically whatever you want with data collected from users as long as you vaguely describe what you are doing with it and how you are protecting it. The only time you can get in trouble with the law is if you fail to follow your own vague privacy statement, or if you don't have one and share the data anyway.

At Dream designs we strive to go way beyond these guidelines. One way we do this is by not storing this kind of information; then it can't be shared. In some instances we do have to store this information temporarily. For instance, if you fill out a contact form, the information you submit is stored until we view it and do something with it, like respond to your question. Then this information is deleted. Becoming a client is another example. Obviously we have to store your name and contact info so I can communicate with you about the services you've purchased ("Your web site is done early and under budget, sir"). Hard to do business without doing this, wouldn't you say?
That's why we have a great privacy policy.
In the future we are going to draft the perfect privacy policy and try to gain industry-wide support for it. It's a bigger task than you would think. Look for it in the near future.

America has very few privacy laws. Even when it comes to your private health info or private banking info, the law lets companies share it with whomever they like as long as they vaguely describe the manner in which they will give it away or sell it. Evidently even these lax privacy laws aren't enough for the cable TV industry.

There are some cases where past abuses have been so fraudulent that Congress has acted and specifically prohibited the sharing of personally identifying information. One such story is the cable TV industry. Cable operators are specifically forbidden by law from sharing subscribers' personal information with other parties, but only in limited instances. To be clear, they still share this personally identifying information with lots of companies they have certain types of relationships with; they just can't sell it on the open market. And they can do even that if they can trick or persuade a citizen into "opting in" to this sharing. The FCC is to blame for this lame privacy "protection" law.

Apparently even this freedom to do almost anything with our personally identifying info (phone numbers, call logs, etc.) isn't enough for the cable industry. Recently, the U.S. Court of Appeals for the District of Columbia Circuit denied a petition by the National Cable and Telecommunications Association, which argued that federal rules on telecom carriers' use of customer data violated free speech rights under the U.S. Constitution, federal law, or both.

Well at least a few judges are trying to stick up for the citizens. Now what can we do about our lawmakers?

link to news story

It seems like the greed in the US banking industry just can’t be slowed.

The AP has just uncovered:

“Banks collecting billions of dollars in federal bailout money sought government permission to bring thousands of foreign workers to the U.S. for high-paying jobs, according to an Associated Press review of visa applications.

The dozen banks receiving the biggest rescue packages, totaling more than $150 billion, requested visas for more than 21,800 foreign workers over the past six years for positions that included senior vice presidents, corporate lawyers, junior investment analysts and human resources specialists. The average annual salary for those jobs was $90,721, nearly twice the median income for all American households.”

Maybe we can really count on some “change” here in America, maybe not.

This time the Israelis are watching you at the mall, not just at sporting events like the Super Bowl.

Some of you locals may remember the last time the Super Bowl was in Tampa. There was a widely publicized effort to digitally capture every single face that came into the stadium.
Under the guise of protecting the nation from terrorists, Tampa authorities went beyond the law and beyond the Constitution. They hired a foreign company to set up cameras, run facial recognition software and run background checks on every single person who entered the Super Bowl. There was no approval from the voters; in fact, the program was kept secret until days before the game. After its release it was touted as the be-all and end-all of security. Maybe the common man felt safer, but those of us in the know were worried. Really worried. Well, we're worried again, because they're at it again.