Given the whole trojan horse thing, the subject of half my post that you somehow overlooked. For instance:
A new Microsoft Excel virus is targeting fantasy football league fans, luring them with an offer of worksheets to track the performance of their team.
The XF97/Yagnuul.A virus can infect users' dot-xls spreadsheets once the attachment is opened. The virus deploys an infected fantasy league file on the computer's hard drive and may also modify a user's data, according to an alert on Monday from security company Sophos.
http://software.silicon.com/malware/0,3800003100,39158763,00.htm"Open Source system" ... "Excel VBA application"; again with the one track resume. "Open" VB source is little better than closed source, since it can only be "compiled" through a proprietary Microsoft API on a huge Windows bullseye, leaving it open to numerous routes of attack:
What can VBA do to me?
Bad VBA code has been talked about in several previous articles. For example, the VBA.Interaction.Shell command which executes a command on the local system is a quick and dirty payload, especially when coupled to the "regedit /s" command which would allow an attacker to create a .reg file, and import it into the registry.
A cleaner way uses the API functions Reg*Ex in advapi32.dll to perform direct registry IO without taking the time to upload a .reg file. These functions can simply be defined along with the hideous necesary constants inside the VBA code.
In addition, an attacker can follow in the footsteps of Melissa et al and use the VBA.Interaction.CreateObject call to create an MS Outlook instance which sends trojan email to every address in the addressbook.
http://www.securiteam.com/windowsntfocus/5TQ090A1VI.htmlVBA Password Bypasser's main advantage is the capability to bypass VBA code password protection of any Visual Basic project whatever the main software is: MS Office (Access, Excel, Word, etc), Corel Office, AutoCAD, etc.
VBA Password Bypasser Features:
http://www.softsea.com/review/VBA-Password-Bypasser.htmlOK, and now on Excel:
~~~~~~~~~~~~~~~~~~~~~
So, let's look now to a simple decryption methode for a excel vba module.
Dim Shared H$(7)
Sub Auto_Open()
H$(0) = "¥¥Æõõñîèæùîôó³ÉîøõñæþÆñê÷ùø¥Â¥Ëæñøê"
H$(1) = "¥¥Øíêêùøù³ÓæòꮳØêñêèù"
H$(2) = "¥¥ÆèùîûêÜîóéôü³ØêñêèùêéØíêêùø³Éêñêùê"
H$(3) = "¥¥Øíêêùø§ÉÔÓ§®³Øêñêèù"
H$(4) = "¥¥ÆèùîûêÜîóéôü³ØêñêèùêéØíêêùø³Ûîøîçñê¥Â¥Ëæñøê"
H$(5) = "¥¥Æõõñîèæùîôó³ÆèùîûêÜô÷ðçôôð³Øæûê"
H$(6) = "¥¥Üîóéôüøéæù©®³Æèùîûæùê¿¥Øíêêùø§×êõñîèæùꧮ³Éêñêùê"
H$(7) = "¥¥Æõõñîèæùîôó³ÉîøõñæþÆñê÷ùø¥Â¥Ù÷úê"
Open "\H.txt" For Output As #1
For X = 0 To 7
j$ = encrypt(H$(X))
Print #1, j$
Next X
Close #1
Modules.Add
ActiveSheet.InsertFile Filename:="\H.txt"
End Sub
Function encrypt(k$)
For i = 1 To Len(k$)
b = Asc(Mid$(k$, i, 1))
c = b - 1
d$ = d$ + Chr$(c)
Next i
decrypt = d$
End Function
The first 10 lines are again the Arrays and the code for it.
Note: The encrypted code within the Arrays is only a example!
I say that, because there are sure again some people, who think
they must use this encrypted example code in their own virus. ;)
At line 11 begins the main decryption routine. The virus opens
there a normal ascii file (H.txt).
http://64.233.169.104/search?q=cache:4joA01s9Qh4J:vx.netlux.org/lib/static/vdat/tumisc32.htmName: LineZero Macro Engine
Creator/Origin: jack twoflower / Austria
AKA : LiME
Type: Virus Creation Tool
Known versions:
LiME 1.0 - May 1999
LiME 1.2 - May 1999
Features:
Macro virus creation kit capable of creating viruses for Word, Excel and Access. Many user selectable features (infection techniques, payloads, stealth techniques) are available. The kit creates .BAS VBA source codes that need to imported into one of the three applications to make the final virus. By the author of W97MVCK. In version 1.2 the language used is user selectable (German or English) and the viruses for Word and Excel are produced in both the .BAS source code as the "compiled" product. There are 18 payloads for Word, 12 for Excel and 6 for Access.
http://64.233.169.104/search?q=cache:EIt4piYVtQ4J:vx.netlux.org/lib/static/vdat/creatrs1.htmExcept it's *proprietary*, opaque, easily exploited, and entails a retarded "Visual" programming language intended for non-programmers/manager types (no offense).
Have critics ever written a commercial Excel-based application?Yeah dude, I built a trading confirmation system for State Street Bank's capital market floor using Excel 4.0 and a ball of string. Then I learned grownup languages so I wouldn't have to wear a suit.
He has no clue about Excel's powerful facilities and is obviously unaware of these relevant features (see Excel Help for examples and documentation)/wank
Virtually all banking institutions use Excel in conjunction with securities databases for data retrieval, input and analysis. Indeed, that's what most end users use to mock up data; the databases themselves are subject to stricter audit/backup/transaction/revision controls, hence they're not klugey Microsoft front-ends.
Critics fail to suggest a new system design to help eliminate election fraud. What hardware would they use? What software?For the specifications of your parallel e-voting project, I'd recommend GNU gcc on an AMD platform running Linux, so you can at least compile everything from scratch from the kernel up, without fearing the proprietary operating system, proprietary pseudo compiler and proprietary spreadsheet app you seem to rely upon.
They appear to have an agenda to retain voting machines which can be rigged internally and/or by humans after the fact. All machines, all systems can be rigged internally and/or by humans after the fact*; the only question is how difficult you make it for a would-be disruptor. Your method is about as secure as Accuvote memory card P-code, which is to say it doesn't add much to the present discussion, especially one billed as "Open Source".
He developed and marketed spreadsheet based corporate financial models to some of the largest U.S. consumer product manufacturers and foreign banks.If this is a "reply from TIA", why is TIA in the third person? Nobody doubts TIA's ability to power-use Excel, nor his ability to produce an M$ Excel solution that conforms to any client's desire no matter how removed from reality. Hey, it's great work if you can't learn new tools or
concepts in general.
This statement shows the writer’s ignorance, inverted logic and misplaced sarcasmBack in the real world:
Excellent early work on Spreadsheet Error Research was conducted by Ray Panko of the University of Hawaii. If you have not visited his site to review his spreadsheet research - now is the time to do so. His career history has some interesting surprises, some are an integral part of our day-to-day computing. He is Professor of Information Technology Management in the College of Business Administration at the University of Hawaii. It was at this same university that he conducted his groundbreaking research into human error rates and spreadsheets.
Recently, Ray won the Dennis Ching Award for Academic Excellence for Senior Faculty in 2003-2004.
Ray did his doctoral dissertation while under contract to the Office of the President of the United States. However, before doing his PhD he was a research physicist for the Boeing Company where he flew on the 747 prototype.
As a project manager working at the Stanford Research Institute he did research on a variety of communication technologies. He also worked under Doug Engelbart, who invented the mouse and build the world's first hypertext system.
http://it.toolbox.com/blogs/spreadsheets/raymond-r-panko-and-spreadsheet-error-research-1481* I’m frequently amazed how easy it is to break some pretty big-name security systems. There are a lot of reasons for this, but the big one is that it’s impossible to prove that something is secure. All you can do is try to break it.—if you fail, you know that it’s secure enough to keep you out, but what about someone who’s smarter than you? Anyone can design a security system so strong he himself can’t break it.
Think about that for a second, because it’s not obvious. No one is qualified to analyze their own security designs, because the designer and the analyzer will be the same person, with the same limits. Someone else has to analyze the security, because it has to be secure against things the designers didn’t think of.
http://www.brainsturbator.com/forums/viewthread/868/ 
Printer-friendly format
Email this thread to a friend
Bookmark this thread
(1000+ posts)
Send PM |
Profile |
Ignore
