HOEI

iPhone to offer “NEW” features

March 18th, 2009

Apple announced this week an advance preview of some new features that will appear in iPhone 3.0.  These “new” features include the ability to search your iPhone as well as cut, copy and paste.  These features, which have been standard on many other PDAs for years, will arrive on the iPhone later this year.

It is simply amazing how well the iPhone has done while missing some very simple features.  Marketing is a powerful tool and the Apple guys have it figured out. There are, and have been, PDAs on the market for years that do most of the things the iPhone advertises plus simple things like cut/paste across applications, searching, and sending/receiving SMS (with pictures).

I have been an avid Palm user for years.  I started on the Handspring Visor Deluxe about ten years ago and have progressed through the Treo 650 and 700p in recent years.  Today I use a Palm Centro and love it.  Cut-and-paste has been a standard feature on Palm products for years, long before the iPhone was conceived.  Palm has also for years offered as standard features many of the cool things the iPhone offers: phone, sync with Exchange, camera, video, MP3 player, games, SMS, plus access to a ton of custom applications.

While I will admit that the built-in wifi on the iPhone is neat, it seems to breed illegal wifi use.  I know that some people see the use of open wifi as a murky subject, but it is not.  If you do not have permission from the wifi access point owner then you are stealing.  The iPhone is to open wifi as a slim jim or lock pick is to a car door.   Just because you carry something in your pocket that makes it easy to get in does not mean you have the legal right to do so.  Yes, you can do the same thing with a wifi enabled laptop, but the iPhone makes it far more convenient.  Enough of that soapbox.

The bottom line is that the folks at Apple are the masters of selling an Eskimo an ice cube. In other words, they have mastered the art of selling people something they don’t necessarily “need”, but that will certainly help make them more cool. ;-)

MakeUseOf.com Domain Hijacking from GoDaddy

November 3rd, 2008

The MakeUseOf.com domain appears to have been hijacked over the weekend.   The guys over at MakeUseOf.com have set up shop temporarily on the Blogger platform at makeuseof-temporary.blogspot.com. The registrar (GoDaddy.com) released the domain to someone who was impersonating the owner of the domain.  Here is what Mark from MakeUseOf.com had to say:

“Now it turns out that in order to transfer the domain, Ferank (or someone helping him) called up GoDaddy and impersonated Aibek. At that point he already had access to our account (or at least had enough information to recover the username/pass for the account) and basically said “hi, I’m the owner of MakeUseOf.com, please transfer the domain”. GoDaddy then complied. “

The Real Truth Behind The MakeUseOf.com Domain Crack

The plot has thickened because the hijacker (aka Ali Ferank) has demanded a ransom of $2000 for the safe return of the MakeUseOf.com domain name.

What I would do if I woke up in Mark and Aibek’s shoes:

1) I recommend that the MakeUseOf.com team go over and read through the ICANN registrar transfer policies to determine what pressure can be placed on GoDaddy.com to take some responsibility for what happened.

2) I would get Google involved, since the person currently holding the registration is using Google as the email host for the contact domain.

The following shows the current WhoIs for MakeuseOf.com:

Registrant Contact:
DomainsGame LLC
Ali Ferank

Alhana baghas nara St
Dubai, NA 85445
AE

Administrative Contact:
DomainsGame LLC
Ali Ferank ()
+1.5544415212
Fax: +1.5555555555
Alhana baghas nara St
Dubai, NA 85445
AE

A quick nslookup for the MX records of the email domain listed in the registration information (DomainsGame.org) shows that it uses Google to host its email:

> domainsgame.org
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
domainsgame.org MX preference = 30, mail exchanger = aspmx3.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx4.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx5.googlemail.com
domainsgame.org MX preference = 10, mail exchanger = aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt2.aspmx.l.google.com
domainsgame.org MX preference = 30, mail exchanger = aspmx2.googlemail.com
>

3) I would give these guys at Moniker Privacy Services a call to see who registered DomainsGame.org.

A WhoIs on the DomainsGame.org domain shows it registered to:

Admin ID:MONIKER1571241
Admin Name:Moniker Privacy Services
Admin Organization:Moniker Privacy Services
Admin Street1:20 SW 27th Ave.
Admin Street2:Suite 201
Admin City:Pompano Beach
Admin State/Province:FL
Admin Postal Code:33069
Admin Country:US
Admin Phone:+1.9549848445
Admin FAX:+1.9549699155
Admin Email:

4) I would not assume this to be an international issue just because the person gave a Dubai mailing address.
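The two lookups above are the whole attribution trail: the MX records say who hosts the hijacker's email, and the WHOIS record says whether the visible contact is a privacy proxy. The script below is an added example, not part of the original post or anything from MakeUseOf or GoDaddy. It parses the nslookup output and the Moniker record exactly as quoted above (embedded as constructed sample input so it runs offline), sorts the exchangers by preference, and names the operator behind them. The provider table is an assumption for illustration; extend it for your own cases.

```python
import re

# The nslookup output and the Moniker WHOIS record quoted in the post above,
# embedded here as constructed sample input so the script runs offline.
NSLOOKUP_MX = """\
domainsgame.org MX preference = 30, mail exchanger = aspmx3.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx4.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx5.googlemail.com
domainsgame.org MX preference = 10, mail exchanger = aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt2.aspmx.l.google.com
domainsgame.org MX preference = 30, mail exchanger = aspmx2.googlemail.com
"""

MONIKER_WHOIS = """\
Admin ID:MONIKER1571241
Admin Name:Moniker Privacy Services
Admin Organization:Moniker Privacy Services
Admin City:Pompano Beach
Admin Country:US
Admin Email:
"""

# Assumption: a small illustrative table mapping mail exchanger domains to the
# company that operates them.
MX_PROVIDERS = {
    "google.com": "Google",
    "googlemail.com": "Google",
}

MX_LINE = re.compile(
    r"^(?P<name>\S+)\s+MX preference = (?P<pref>\d+),\s+mail exchanger = (?P<mx>\S+)$"
)


def parse_mx(text):
    """Return (preference, exchanger) pairs from nslookup MX output, lowest preference first."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m["pref"]), m["mx"].rstrip(".").lower()))
    return sorted(records)


def mail_providers(records):
    """Names of the operators behind the exchangers, e.g. {'Google'}."""
    found = set()
    for _, mx in records:
        for suffix, name in MX_PROVIDERS.items():
            if mx == suffix or mx.endswith("." + suffix):
                found.add(name)
    return found


def parse_kv_whois(text):
    """Parse 'Key:Value' WHOIS lines (the Moniker style above) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def uses_privacy_service(fields):
    """True when the visible admin contact is a proxy service rather than a person."""
    text = " ".join(fields.get(k, "") for k in ("Admin Name", "Admin Organization"))
    return "privacy" in text.lower() or "proxy" in text.lower()


def attribution_summary(mx_text, whois_text):
    """Who to contact: the mail host behind the hijacker's address and the WHOIS proxy."""
    records = parse_mx(mx_text)
    fields = parse_kv_whois(whois_text)
    return {
        "primary_mx": records[0][1] if records else None,
        "mail_providers": sorted(mail_providers(records)),
        "privacy_service": uses_privacy_service(fields),
        "privacy_contact": fields.get("Admin Organization"),
    }


if __name__ == "__main__":
    print(attribution_summary(NSLOOKUP_MX, MONIKER_WHOIS))
```

On the quoted data this reports aspmx.l.google.com as the primary exchanger, Google as the only mail provider, and a privacy service (Moniker) as the admin contact, which is exactly why steps 2 and 3 above go to Google and Moniker rather than to the Dubai address.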

Conclusion

In the meantime GoDaddy has told the MakeUseOf team to relax in a bowl of legal stew.  GoDaddy is obviously trying to determine its liability in this matter before taking much action.  Let's hope that GoDaddy is not one of the registrars described in the Wikipedia explanation of domain hijacking and domain theft:

“However, it is well documented that some registrars will admit no fault in accepting the forged credentials and will refuse to correct the record until forced by legal action. In many of these cases, justice is not done and the hijacker retains control of the domain. The victims of such theft often do not have the resources or willingness to invest the effort necessary to regain control of their domain, which may require a lawsuit or a lengthy and time-consuming arbitration process, especially if the hijacker and victim are in different countries.”

GoDaddy.com has a chance to avoid more of the “GoDaddy Sucks” articles if it handles this correctly.

My iGoogle Page

February 22nd, 2008


This is a capture of my current iGoogle page. We talked about iGoogle a little last year when the new name surfaced. Today I want to share with you how iGoogle and some cool add-ons like Google Reader can be used to make you more productive. The following list describes a few things I am doing with my iGoogle page.

A - I track the weather in the two cities where I spend most of my time: Goose Creek, SC and Washington, DC

B - I track the feed of a group blog that I manage (GrowingKids.org)

C - I track current events

D - I track the feed of Simply Recipes, my second favorite food blog

E - Google Reader copy #1 tracks Information Security related feeds that have been placed in my Security folder.

F - Google Reader copy #2 tracks blogs that I placed in my General folder.

You will also note that I use multiple tabs. The BLOG Watch tab is a post for another day; there I track blogs using custom feeds created mainly from Google Blog Searches.

I want to offer a few more comments on the multiple copies of Google Reader found on my iGoogle page. You can add multiple copies, or you can switch between folders using the pull-down on one of the readers. Using Google Reader in this way allows for a quick view of a hot subject (folder). For instance, I subscribe to several dozen blogs in my General folder. It is pretty easy for a high priority topic related to network security to get lost among dozens of other posts in a general category. The Security folder lets me focus on blogs and news sites that provide RSS feeds related to information security, such as announcements of patches from vendors like Cisco, Microsoft, Red Hat, and Oracle that address security vulnerabilities.

Beware of Idetrorce Disagreements

December 16th, 2007

A flurry of comment spam has been going around in recent days with the following message:

“very interesting, but I don’t agree with you
Idetrorce”

There is no URL and the message is exactly the same on all the blogs where you find this comment.

What is this comment all about and who is Idetrorce?

In my humble opinion, this is a pre-attack campaign for a bigger spam campaign that will come in the next few weeks. The comment above would pass on most blog posts since it is not trying to link people back to a product or service; it is just a polite disagreement. Once it is posted on a loosely moderated blog, the blogger might get a bad rap for deleting such a non-threatening comment. Read the editor's comments on the wormblog comment number 12.

“So I googled and found that it is indeed SPAM.

I am leaving it up though as I would never wish to be accused of deleting someone who simply disagreed with me.”

If a blogger does not block the email address and user name associated with this comment, then they could be opening themselves up to something much bigger coming down the pipe. That is just one man’s opinion. I am not afraid to delete and edit comments on my blog. I have even deleted some comments from people who agreed with me. When it’s my blog I will do what I think is in the best interest of my blog.

I do strict moderation on all comments on some of my blogs. There are very few terms I force into moderation here on this blog, but this user name and email address will be added to my list. I recommend you do the same with your blog. I just don’t have a good feeling about this Idetrorce character.

In WordPress

Go to your Dashboard and select Options/Discussion. Scroll down to the moderation list and enter the user name, email address and IPs from this commenter. By the way, the IPs this person is posting from are out of Amsterdam.

Windows Security Status

October 19th, 2007

When ranking the security status of a PC on a scale from 1 to 5, with 5 being the most vulnerable, this PC ranks an 87.

Windows Update Screen Capture

This is a screen capture from the Windows Update site for one of my laptops shortly after installing Windows XP Professional and adding Service Pack 2.  Choosing to ignore these updates leaves a PC wide open to attack, especially if the machine has no anti-virus software and no firewall running.

Visiting the Windows Update site is a good first step to securing a PC.  There are a few other things that I would highly recommend when building or buying a new PC.

  1. Purchase and install an enterprise grade anti-virus application and subscribe to automatic signature and software updates.
  2. Install a client based firewall application, especially if you will be connecting to public networks.
  3. Use VPN software and SSL (https) web sites as much as possible when on public WiFi. (more HOWTO details to come on this subject)
  4. Update your other third party applications on Windows regularly and enable automatic updates where possible (e.g., iTunes, QuickTime, the Java runtime, etc.).
  5. Verify that your PC is not trying to automatically reconnect to Windows network shares at logon.

I cannot impress upon you bloggers enough how important number three is for those of you who frequently log onto your blog software via http (TCP port 80) over a public wireless access point from a hotel, coffee shop, or your favorite lunch spot.  The software that gives an attacker the capability to capture your user ID and password over a public access point is widely available and very easy to use.   The same utilities can be used to capture unencrypted passwords used when accessing email, FTP servers, and web site control panels.
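To make that last point concrete, here is an added example (not code from the original post, and not any particular sniffer) of the trivial parsing an attacker on the same open access point has to do once the packets are in hand. The requests are constructed samples, not a real capture: a WordPress login over plain http and a control panel protected by HTTP Basic authentication. The form field names are an assumption about common login forms (WordPress uses log and pwd). Over https none of this is visible, which is the whole reason for recommendation three.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests (not a real capture): what someone running a
# sniffer on the same open access point sees when a blogger logs in to
# WordPress over plain http and opens a control panel that uses Basic auth.
SAMPLE_REQUESTS = [
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: blog.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"log=hank&pwd=Sup3rS3cret%21&wp-submit=Log+In",
    b"GET /cpanel/ HTTP/1.1\r\n"
    b"Host: panel.example.com\r\n"
    b"Authorization: Basic aGFuazpodW50ZXIy\r\n"
    b"\r\n",
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n",
]

# Assumption: field names used by common login forms (WordPress uses log/pwd).
USER_FIELDS = ("log", "user", "username", "email")
PASSWORD_FIELDS = ("pwd", "pass", "password")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw):
    """Return the credentials visible in one plaintext request (empty list if none)."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "?")
    found = []

    auth = headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        # Basic auth is only base64, not encryption: user:password is right there.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found.append({"host": host, "path": path, "kind": "basic",
                      "user": user, "password": password})

    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        password = next((form[k][0] for k in PASSWORD_FIELDS if k in form), None)
        if user is not None and password is not None:
            found.append({"host": host, "path": path, "kind": "form",
                          "user": user, "password": password})
    return found


def sniff(requests=SAMPLE_REQUESTS):
    """Run the extractor over every request, as a sniffer would over a capture."""
    return [cred for raw in requests for cred in extract_credentials(raw)]


if __name__ == "__main__":
    for cred in sniff():
        print(f"{cred['kind']:5} {cred['host']}{cred['path']}  "
              f"{cred['user']} / {cred['password']}")
```

Run it and both logins fall out in clear text; the plain GET of a page yields nothing. A VPN or an https login page turns the first two requests into ciphertext, and this parser into noise.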

Linux SSHD authentication to external Radius

September 20th, 2007

I have worked in recent years as a network security engineer. One task I faced was making various network devices authenticate to a central AAA solution. Most of the devices were pretty straightforward, with the exception of Linux.

Most network environments I have been exposed to where there is an interest in creating a single sign-on solution have focused on getting all their devices to authenticate against Microsoft’s Active Directory or some third party two-factor authentication tool. My work on this little project led me into a hole that none of my local Linux guru friends could dig me out of. While most of this information can be gathered from various sources on the Internet, I have yet to find anyone put it all together in a step by step procedure like the one in this post.  These instructions worked on Red Hat Enterprise Linux and Fedora running against a variety of RADIUS servers, including Microsoft IAS and SafeWord from Secure Computing. The following steps assume that you have a functional RADIUS server in place that already accepts and authenticates user logins from devices like Cisco routers and switches.

HOWTO configure Linux SSH users to authenticate to external RADIUS

  1. Log in to the Linux box that needs to authenticate against RADIUS with root privileges.
  2. Download ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz using the FTP command.
  3. Extract the pam_radius-1.3.17.tar.gz file to a subdirectory of your home directory called pam_radius-1.3.17.
  4. Switch to the pam_radius-1.3.17 directory.
  5. Edit pam_radius_auth.conf to reflect the actual RADIUS server IP, shared secret and timeout. The module reads this server list from /etc/raddb/server by default (or from the path given by conf= on the PAM line), so copy the edited file there and make it readable by root only, since it holds the shared secret.
  6. Execute the “make” command.
  7. Copy the module that the make created over to /lib/security - cp pam_radius_auth.so /lib/security
  8. Make a backup of /etc/pam.d/sshd - cp /etc/pam.d/sshd /etc/pam.d/sshd.BU
  9. Edit /etc/pam.d/sshd to read as follows: (Note: the client_id in line one is optional and configurable. Remove debug once logins work; it writes details of every attempt to syslog.)

#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

  10. Edit /etc/ssh/sshd_config and add the following line to the bottom of the file:

UsePAM yes

  11. Create accounts on the Linux box for all users requiring access to this server via SSH using AAA authentication. Assign a blank password to each local account. (Caveat: a blank local password lets anyone with console access in if system-auth allows null passwords with nullok. An invalid hash, usermod -p '*' user, keeps the account for its UID, home and shell while disabling local password login. Do not use passwd -l for this, since OpenSSH on Linux refuses any account whose password field starts with the ! that passwd -l writes.)
  12. Verify that the IP address and shared secret for this Linux box have been added to the RADIUS server's client configuration.
  13. Verify that all users requiring access to the Linux box have AAA accounts configured on the RADIUS server.

These instructions were compiled mostly from trial and error based on instructions found at FreeRADIUS.org.
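To see what steps 5 and 12 are actually protecting, here is an added example, written for this page rather than taken from pam_radius or FreeRADIUS, of the exchange that pam_radius_auth has with the server on every login: an Access-Request with a random Request Authenticator and the password hidden with MD5(secret + authenticator) per RFC 2865, and an Access-Accept or Access-Reject whose Response Authenticator the client checks with the same secret. The toy server, its user table, the packet identifier and the NAS identifier "linux" (the client_id from the PAM line above) are assumptions for illustration. The last call shows the failure you get when the secret on the Linux box does not match the one in the server's client entry: the server cannot recover the password and rejects, and the client cannot validate the reply either way.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def _reveal_password(blob, secret, authenticator):
    """Inverse of _hide_password; only works with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        block = blob[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def _attributes(pairs):
    """Type-Length-Value encoding: one byte type, one byte length including the header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_access_request(ident, secret, username, password, nas_id):
    """What the PAM module sends: a fresh random Request Authenticator and a hidden password."""
    authenticator = os.urandom(16)
    attrs = _attributes([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, _hide_password(password.encode(), secret, authenticator)),
        (NAS_IDENTIFIER, nas_id.encode()),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def radius_server(request, secret, users):
    """Toy server: recover the password, check it, answer with a signed Accept or Reject."""
    _code, ident, req_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(user) == password.decode(errors="replace") else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def check_reply(reply, request, secret):
    """Client side: accept only a reply that matches our request and is signed with our secret."""
    code, ident, resp_auth, _ = parse_packet(reply)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


def authenticate(nas_secret, server_secret, username, password, users):
    """One full exchange; nas_secret != server_secret reproduces a wrong client entry (step 12)."""
    request = build_access_request(ident=7, secret=nas_secret, username=username,
                                   password=password, nas_id="linux")
    reply = radius_server(request, server_secret, users)
    return check_reply(reply, request, nas_secret)


if __name__ == "__main__":
    users = {"hank": "s3cret"}  # constructed account on the RADIUS side
    print(authenticate(b"shared", b"shared", "hank", "s3cret", users))  # True
    print(authenticate(b"shared", b"other", "hank", "s3cret", users))   # False
```

Note that the secret is the only thing standing between the password and anyone who can see the UDP packets, which is why the file from step 5 has to be root-only and why a mismatched secret produces a reject rather than an error message.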

Disclaimer: I consider myself to be an intermediate Linux administrator. Please feel free to share links in the comments to more clear and comprehensive solutions for authenticating Linux against an external AAA server if you have them.  I would especially like to hear ideas on how to get around the need for matching ids on the Linux server.

Censoring Google Images

March 21st, 2006

Google Images Censored by SmartFilter

Google Images got censored for being classified in the “Extreme, Pornography” category by SmartFilter. SmartFilter is a web filtering product from Secure Computing that helps network managers control what content their users access on the Internet. I work as a Tier III support engineer for 65 locations around the world that use this product to control the Internet access of tens of thousands of users. Today our help desk got a call that required me to determine why some users could no longer browse to images found in a search on Google Images. The users were being returned an error page telling them that the Google Images content was blocked because it was categorized as “Extreme, Pornography”.
The redirect URL for all images on images.google.com begins with “http://images.google.com/imgres” and is followed by a question mark and, eventually, the URL of the site where the image is actually hosted.

I used the URL Checker on the SmartFilter web site to determine that the users were getting blocked because of the categorization of the above mentioned Google URL. I contacted SmartFilter and they responded that this categorization was a mistake. As a result of my email they have since fixed the problem, and this Google Images URL is back to being categorized as “Search Engines, Visual Search Engine”.

This issue raised a question. Should Google Images actually be filtered as adult, pornography, and/or extreme? Since the whole imgres prefix carries one category, blocking it blocks every image result and allowing it allows them all, regardless of the host named in the query string. The only thing keeping users from finding potentially offensive material is the default Google SafeSearch filtering setting. Users are a radio button away from getting images from thousands of URLs that have not yet been categorized by filtering software like SmartFilter.

Sketchy Subject Assignment

March 1st, 2006

A story hit Slashdot today that caught my attention.  A professor at an unnamed university gave his students the following task.

“Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.” Source: SANS

The Slashdot posting was filled with plenty of comments of outrage over such an assignment by this college professor.

I have no problem with professors teaching hacking techniques to students in a security program, but there is a place for this type of thing.  The hacking should be done in a very controlled environment that is isolated from public networks.  The students should NOT be instructed to perform reconnaissance “remote security evaluations” on random Internet devices.  While reconnaissance in itself is not generally considered a hack, it is the first step any hacker takes to determine what he or she is up against when planning an attack on a device over the Internet.

Windows Wireless Security

January 17th, 2006

Today we feature a case of making a mountain out of a molehill. The Washington Post ran a story titled Windows Wireless Flaw a Danger to Laptops. I have a news flash for you, WaPo: the behavior described is there on hard wired Windows laptops and desktops anywhere, not just on wireless. Yes, you can gain access in more unsuspecting places like on airplanes via wireless, but this is not a new idea. The additional tools required to hack a laptop over a wireless connection as described in this article can also be used to hack a hard wired computer over a dial-up, cable modem, LAN, or DSL connection. Simply having an IP address on the same IP segment does not constitute hacking a computer, as this article suggests. The meat of the story was skipped to feed the fears of the general population. In order to gain access to the target Windows computer remotely you must also gain user rights on that computer, which requires using software that is not included on Windows computers. Computers plugged in via a standard network cable to a hotel, office, or home network are susceptible to the same kinds of attacks if they are not taking measures to “try” to stop hackers. This news story is not really that big a story after all. The most interesting portion of the article, quoted below, is where they talk about hacking a laptop while on a plane over international waters.

Loveless said he believes that since the attacks were mostly carried while the plane was over international waters that U.S. law enforcement might have a hard time making the case that he was violating any laws. The real answer to that very interesting question, he said, would probably not be evident until someone gets sued in court for it.

Law enforcement authorities don’t seem to have a problem prosecuting a person for other offenses over international waters. What makes computer crime over international waters any different from computer crimes committed on the ground? The bottom line is that your data is only safe when it is on a computer that is turned off, unplugged from power and network, locked in a safe, and guarded by the US Marines.

Online Truth Part Three: Phishing

June 26th, 2005

The word phishing may not be understood by the average person on the street, but if you use email you might want to understand it.  The following is a good definition found on Wikipedia:

“In computing, phishing is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack.”

It goes like this.  You receive an email that LOOKS very legitimate, from a well known company that you might normally do business with, like eBay.  The email has very professional wording that sounds very convincing.  It might say that your account will be closed if you do not take immediate action by clicking the link provided in the email.  The link may look convincing, like this: Google.  I’ll bet you thought you were going to Google, and if you didn’t think you were going to Google you probably had no idea that 69.454153 would take you to the HOEI.COM main page.  I will explain that numeric thing another day, but the point is that things are not always what they appear to be in an email, or on a web site for that matter.
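As an added example (not part of the original post), here is the arithmetic behind that numeric form. Browsers and the C library's inet_aton accept an address as one, two, three or four dot-separated numbers, in decimal, hex (0x) or octal (leading 0); every part but the last is one byte and the last part fills whatever bytes remain. By that rule 69.454153 is 69 followed by the 24-bit value 454153, which is 69.6.238.9; that is only the expansion of the notation, not a claim about who holds that address today. The real_host helper goes one step further than the post and also strips the user@ trick, so that the host a link really points at can be compared with the host its text shows; the hypothetical URLs in the usage are constructed.

```python
import re
from urllib.parse import urlsplit

_PART = re.compile(r"0x[0-9a-f]+|[0-9]+")


def _part_value(text):
    """One dotted component as inet_aton reads it: 0x.. hex, leading 0 octal, else decimal."""
    if not _PART.fullmatch(text):
        raise ValueError(text)
    if text.startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Expand the a / a.b / a.b.c / a.b.c.d numeric forms to dotted quad, or None if not numeric."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one byte; the last part fills the remaining bytes.
    tail_bytes = 5 - len(values)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def real_host(url):
    """The host a browser actually connects to, with user@ prefixes and numeric disguises removed."""
    host = urlsplit(url).hostname or ""
    return canonical_ipv4(host) or host


if __name__ == "__main__":
    # Constructed examples: the post's dotted form plus its dotless, hex and octal spellings.
    for sample in ("69.454153", "1158082057", "0x45.6.238.9", "0105.6.238.9"):
        print(sample, "->", canonical_ipv4(sample))
    print(real_host("http://www.google.com@69.454153/account"))  # 69.6.238.9
```

All four spellings come out as 69.6.238.9, and a link whose text and userinfo both say google.com still resolves to that address. That is the check to apply before typing a password into a page you reached from an email.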

I have recently received phishing emails that appeared to be from eBay, PayPal, Wells Fargo, and others using tactics similar to those described above.  Most of the others were from people pretending to be representatives of some deceased foreigner, usually from Africa, with a ton of cash that needs to be claimed by someone in the USA.  I was randomly chosen as the lucky person to help this representative free up the cash, and in return I will get a healthy percentage of the millions of dollars.

There are many people on the Internet who think you can avoid receiving these emails by obfuscating or masking your email address. For instance they say you should display your email as hank DOT osborne AT hoei DOT com instead of hank.osborne@hoei.com when posting comments or building web pages.  Hogwash!  I have a huge problem with this approach.  Not everyone who surfs the Internet knows what you are trying to say when you use the ATs and DOTs.  Furthermore, even though I do understand, I don’t want to have to convert a person's obfuscated email address into a real one just so I can send them a message.  Yes, you might avoid having your email picked up by a bot or crawler, but you may also turn away some potentially valuable contacts.

Here are a few recommendations for how to deal with phishing and spam:

  • Do not visit web sites using links provided in emails that are from businesses.  Hand type the address into your browser or use a bookmark from a previous visit.
  • Do not visit web sites using links provided in emails from persons that you do not know and trust.
  • Don’t be afraid to verify the sender of an email.  Send a response email to the person or company using an email address in your address book and ask them if they recently sent you a link in an email.
  • Use filters and rules in your email application. If you only want to receive email from people you know, then set up a filter to do this.  I recommend reviewing the list of filtered emails before deleting them.

You can use a separate email address for all online transactions, posts, advertisements, etc.  This will not guarantee that your friends, family, or other contacts are going to protect your address even if you ask them.  For instance your Mom may forget your privacy request and sign you up for some cool offer that she found on the Internet, not realizing that your email address is going to be sold on the open market as a result of her thoughtful gesture.

The bottom line is that if you use the Internet you are going to incur some level of risk.  A little risk is okay, but you have to use a little bit of common sense.  It is like driving a car.  You could bar your doors like a race car and wear a helmet and fire resistant clothing, but who would want to ride with you?  Instead, use your seatbelt, lock your doors, and keep your car in good repair.  Oh yeah, don’t pick up strangers.  This same level of caution should keep you in pretty good shape while using the Internet.

This message is also posted on The Land of Ozz.
