Free T-shirts? It’s not a scam, it’s #decodeme again!

Editor’s note: The puzzle code below relies on a peccadillo of Python which makes it version and compiler specific, amongst other things. This means you’ll probably get the wrong results. We do know, however, that the code works on Duck’s Mac, so we’re going to shift to a “cloud model” for solving it. Email Duck the code and the input data (if any) you want to use. If you’re on the right track, he’ll run it “in the cloud” and send you the results. If not, he’ll give you a hint or two to point you in the right direction.

It’s May, and that means it’s time for Australia’s biggest security conference, AusCERT2011, which takes place at the Royal Pines Resort on Queensland’s Gold Coast. The conference runs from Sunday 15 May 2011 to Wednesday 18 May 2011.

Once again, the Sophos stand is going to be the place to hang out.

We’ve produced another puzzle T-shirt in our acclaimed DecoDeme geek fashion range. The puzzle is just hard enough to take a bit of solving, but not so hard that it will distract you from the conference or the evening cocktail parties.

So if you’re attending the event, be sure to come by the stand and pick up your free T-shirt. (Don’t forget to wear it while you’re at the conference!)

You can have a T-shirt even if you don’t intend to solve the puzzle. But we suggest you do – and we’ll be giving out hints on the stand to help you along – because that will put you in line to win a cool 1/16th scale remote-controlled tank.

Solve the puzzle, attend my talk (just before afternoon tea on Monday in the Purple room), and you could walk out with the tank.

In fact, you could win two tanks. We’re also running a prize draw for a second tank. Winning the puzzle prize is clearly the more glamorous option, and will give you several minutes of fame amongst a modestly-adoring crowd of a modest size, but you may as well enter the prize draw as well. Think of it as backup.

If you’re planning to have a go at the puzzle, the source code of the T-shirt is given below to save you typing it in from the image above. (We’ve been a bit sneaky by making the text on the shirt itself very slightly different. We do want to see you on our stand, after all.)

But if you write code to solve this “pre-release” version, you should be able to re-use it to solve the puzzle on the shirt within seconds. So it’s worth putting in a little early research.

And don’t forget, you can ask for hints at the conference. You can also follow me on Twitter (@duckblog) and watch out for clues with the hashtag #decodeme.

Oh. One more thing. We’ve got a bunch of funky-looking Naked Security T-shirts on the stand. But you’ll only know to ask for one if you’ve read this article.

|                                      |
|     import-random!def-shrubbery(     |
|    ni):!-p='ewigsacgtwdbdzaco'!-k    |
|  =dict([[i,chr(97+i)]-for-i-in-rang  |
|  e(26)])!-ra                 ndom.s  |
|  eed(ni)!-                   random  |
|  .shuffle   (k)!-k=dict([[v,i]-for-i |
| ,v-in-k.i    tems()])!-c=''!-for-i-i |
|  n-range(l                 en(p)):-c |
|   +=chr(97+                k[p[i]])! |
|   -return-'http://sophos.    com/an  |
|    z/'+c+'.html'!#-Key-i     s-a-fo  |
|     ur-le                    tter-   |
|        wor                 d-fro     |
|           m-a--Monty--Python--       |
|             sketch!print(shr         |
|                ubbery(key            |
|                  --))--              |
|                                      |
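As an added example (my code, not the article's, and not an attempt at the puzzle key): the block below undoes the shirt's layout so the Python underneath can be checked with the parser, then rebuilds the same keyed-shuffle substitution in plain Python 3 to show what the editor's note is getting at. Reading `-` as a space and `!` as a newline is my inference from the shirt, and the key `test` is a constructed value, not a guess at the Monty Python word. The `seed_version` switch exposes the non-portable part: Python derives the PRNG seed from a string differently under its version 1 and version 2 seeding schemes (the version 2 scheme, which hashes the string with SHA-512, became the default in Python 3.2), so the same key string produces a different alphabet and therefore a different answer. Neither variant is promised to match the output of the author's Mac; it only shows why "it works on my machine" is the honest statement here.

```python
import ast
import random
import string

# Copy of the T-shirt layout as printed in the article (the "pre-release"
# version), borders included so the transcriber has something to strip.
SHIRT = """\
|     import-random!def-shrubbery(     |
|    ni):!-p='ewigsacgtwdbdzaco'!-k    |
|  =dict([[i,chr(97+i)]-for-i-in-rang  |
|  e(26)])!-ra                 ndom.s  |
|  eed(ni)!-                   random  |
|  .shuffle   (k)!-k=dict([[v,i]-for-i |
| ,v-in-k.i    tems()])!-c=''!-for-i-i |
|  n-range(l                 en(p)):-c |
|   +=chr(97+                k[p[i]])! |
|   -return-'http://sophos.    com/an  |
|    z/'+c+'.html'!#-Key-i     s-a-fo  |
|     ur-le                    tter-   |
|        wor                 d-fro     |
|           m-a--Monty--Python--       |
|             sketch!print(shr         |
|                ubbery(key            |
|                  --))--              |
"""


def shirt_to_source(shirt):
    """Undo the shirt's layout: drop the box borders and the padding that
    shapes the text, then read '-' as a space and '!' as a newline.
    (The '-'/'!' convention is my reading of the shirt, not stated on the page.)"""
    body = "".join(line.strip("| \t") for line in shirt.splitlines())
    body = "".join(body.split())  # gaps inside a row are layout, not code
    return body.replace("!", "\n").replace("-", " ")


def source_parses(src):
    """True if the transcription is syntactically valid Python 3."""
    try:
        ast.parse(src)
        return True
    except SyntaxError:
        return False


def keyed_alphabet(key, seed_version=2):
    """The permutation the shirt builds: seed the PRNG with the key string and
    shuffle a..z. seed_version picks how the string becomes a seed: 1 is the
    scheme Python keeps for reproducing older sequences, 2 is the SHA-512
    based default since Python 3.2. The two give different alphabets."""
    rng = random.Random()
    rng.seed(key, version=seed_version)
    letters = list(string.ascii_lowercase)
    rng.shuffle(letters)
    return "".join(letters)


def substitute(text, key, seed_version=2):
    """Forward direction as on the shirt: each lowercase letter is replaced by
    the letter whose index is the input letter's position in the shuffled
    alphabet (the shirt's chr(97 + k[p[i]]) with k inverted)."""
    alphabet = keyed_alphabet(key, seed_version)
    return "".join(chr(97 + alphabet.index(ch)) for ch in text)


def unsubstitute(text, key, seed_version=2):
    """Inverse: an output letter's index points back into the shuffled alphabet."""
    alphabet = keyed_alphabet(key, seed_version)
    return "".join(alphabet[ord(ch) - 97] for ch in text)


if __name__ == "__main__":
    src = shirt_to_source(SHIRT)
    print(src)
    print("parses as Python 3:", source_parses(src))
    # Same key, two seeding schemes, two different results.
    for v in (1, 2):
        print(f"seed version {v}: shrubbery -> {substitute('shrubbery', 'test', v)}")
```

The round trip through `unsubstitute` is the reassuring part: whichever seeding scheme your interpreter uses, the result is a proper permutation and is reversible with the same key and scheme. The unsettling part is that the scheme is an interpreter detail rather than part of the key, which is why the editor's note sends you to "the cloud".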

Blue-Light Special on Zeus

With much fanfare and much to the chagrin of ne’er-do-wells far and wide, the Zeus Toolkit source code has been released to the public.

This is notable because the kit and its associated services would normally cost a considerable sum to purchase (in excess of US$10,000). With a release of this sort, the most immediate concern is what will be done with this code in the wrong hands, and how quickly we will start to see the results of those efforts in botnets.

From a vendor point of view, when this sort of thing occurs, we must be ready to respond to customer and public queries about any countermeasures and safeguards that we can offer. Having said that, Zeus is not “new,” and we have been dealing constantly, and for years, with compiled binaries and other output from this kit. The current technologies in our tool belt (AV, NIPS, HIPS, app control/whitelisting, firewall, etc.) all provide protection against the output, traffic, and noise from the Zeus toolkit.

[Images: “ZeuS For Free” and “Zeus Crimeware Toolkit”]

We are researching the source packages internally. If any updates are needed, we’ll make those ASAP, and will augment and improve the existing protections that are, and have been for some time, available.

Stay tuned during the next 72 hours for more updates on this one. It should be interesting as the saga unfolds.

Free Subway gift card spam spreading on Facebook

We’ve received a number of questions from Facebook fans of Sophos regarding messages that have spread across the social network claiming to offer a $100 gift card for the Subway sandwich chain.

Here’s a typical message:

[Image: Subway Facebook message]

Free Subway Gift Cards - Limited Time

Get Your Free Subway Gift Card Now! Click for Details

So, what’s going on here? Well, the first thing to realise is that it’s not something endorsed by Subway.

Although the link you click through to has no qualms about using Subway’s logo, and images of meals you can purchase at Subway, it’s actually from an independent third party company.

[Image: Subway gift card webpage]

Many people will probably be so keen to receive $100 worth of Subway meals that they won’t read the small print at the bottom of the page:

The above listed merchants or brands in no way endorse or sponsor's offer and are not liable for any alleged or actual claims related to this offer. The above listed trademarks and service marks are the marks of their respective owners. is solely responsible for all Gift fulfillment. In order to receive your gift you must: (1) Meet the eligibility requirements (2) complete the rewards bonus survey (3) complete a total of 5 Sponsor Offers as stated in the Gift Rules (4) not cancel your participation in more than a total of 2 Sponsor Offers within 30 days of any Sponsor Offer Sign-Up Date as outlined in the Gift Rules (the Cancellation Limit) and (5) follow the redemption instructions.

The pages ask you some simple and apparently harmless questions: are you male or female, which age group do you fall into, etc., before asking for your email address.

[Image: Subway gift card spam wants your email address]

At this point the page tells you that you must post the message onto your Facebook page in order to qualify for the free $100 Subway gift card.

In this way the message is spread virally to your Facebook friends.

But there’s still no sign of your free Subway gift card, because the site now wants you to hand over much more personal information, including your name, address, email address, full date of birth, cellphone and telephone number etc.

[Image: Form asks for your personal details]

Again, notice that the webpage doesn’t seem to have any issue with using the Subway logo – despite not being affiliated with Subway. Clearly this is done in an attempt to trick Facebook users into believing that they are talking directly to the high street brand.

According to the small print, you’ll have to complete multiple “sponsor offers” before they will even consider sending you a gift card – which may cost you in both time and money, quite apart from the sheer treasure trove of personal information you will have handed over.

My advice? Avoid these “offers” as they’re unlikely to ever prove fruitful, and may result in you handing over a wealth of data about yourself to complete strangers. When you agree to post a message about such gift cards on Facebook, you are putting your online friends at risk of having their privacy damaged too.

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Emergency alerts from President Obama on your mobile phone?

[Image: Barack Obama mobile phone]

Mobile phone users could soon find themselves receiving emergency text messages warning them of terrorist attacks and natural disasters, under plans announced in the United States yesterday.

The Federal Emergency Management Agency (FEMA) and Federal Communications Commission (FCC) have announced the “Personal Localized Alerting Network” (PLAN), which will see new handheld devices fitted with special chips to receive the alerts, which will be sent by state and local authorities. The system is designed to take priority over all other phone traffic, in an attempt to avoid delays.

According to the FCC, users will be able to opt out of all alerts apart from those sent by the US president.

(What makes messages from the US president so special, I wonder?)

In many ways this can be viewed as a logical progression from the other methods that authorities have used to communicate with their citizens in times of emergency – such as alerts via television and radio broadcasts. The wide adoption of cellphones makes it a natural way to pass on an important official message whether it be about a flood, a fire or a missing child.

But an obvious concern about the PLAN system is this: if it’s an easy way to communicate a message to many people in a particular city or area, could it be abused by cybercriminals?

Our hope is that appropriate measures will be put in place to tightly control and authenticate any messages which are broadcast to cellphone users. But it certainly would be an attractive target for scammers, spammers and mischief-makers.

After all, in 2009 Barack Obama’s own Twitter account was compromised by spammers who posted a message to his many thousands of followers:

[Image: Barack Obama’s Twitter account compromised by spammers]

The phone alert service is to be made available by AT&T, Sprint, T-Mobile and Verizon. New York City and Washington DC seem likely to be amongst the first locations to activate the PLAN network, with plans to have the system in place by the end of 2011. Other cities and network carriers are expected to follow during 2012.

By the way, while writing this article I stumbled across the official Twitter account for the Department of Homeland Security’s National Terrorism Advisory System (NTAS): @NTASAlerts:

[Image: NTASAlerts on Twitter, but no tweets]

It’s a verified account but I probably won’t be following it.

After all, to date it has managed to post a grand total of zero tweets.