HOEI



MakeUseOf.com Domain Hijacking from GoDaddy

November 3rd, 2008

The MakeUseOf.com domain seems to have been hijacked over the weekend. The guys over at MakeUseOf.com have set up shop temporarily on the Blogger platform at makeuseof-temporary.blogspot.com. The registrar (GoDaddy.com) released the domain to someone who was impersonating the owner of the domain. Here is what Mark from MakeUseOf.com had to say:

“Now it turns out that in order to transfer the domain, Ferank (or someone helping him) called up GoDaddy and impersonated Aibek. At that point he already had access to our account (or at least had enough information to recover the username/password for the account) and basically said ‘hi, I’m the owner of MakeUseOf.com, please transfer the domain’. GoDaddy then complied.”

The Real Truth Behind The MakeUseOf.com Domain Crack

The plot has thickened because the hijacker (aka Ali Ferank) has requested a ransom of $2000 for the safe return of the MakeUseOf.com domain name.

What I would do if I woke up in Mark and Aibek’s shoes:

1) I recommend that the MakeUseOf.com team go over and take a swim in the ICANN registrar transfer policies to determine what pressure can be placed on GoDaddy.com to take some responsibility for what happened.

2) I would get Google involved, since the person currently holding the registration is using Google as the email host provider.

The following shows the current WhoIs for MakeuseOf.com:

Registrant Contact:
DomainsGame LLC
Ali Ferank

Alhana baghas nara St
Dubai, NA 85445
AE

Administrative Contact:
DomainsGame LLC
Ali Ferank ()
+1.5544415212
Fax: +1.5555555555
Alhana baghas nara St
Dubai, NA 85445
AE

A quick nslookup of the MX records for the email domain listed in the registration information shows that DomainsGame.org is using Google as its mail host:

> domainsgame.org
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
domainsgame.org MX preference = 30, mail exchanger = aspmx3.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx4.googlemail.com
domainsgame.org MX preference = 30, mail exchanger = aspmx5.googlemail.com
domainsgame.org MX preference = 10, mail exchanger = aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt2.aspmx.l.google.com
domainsgame.org MX preference = 30, mail exchanger = aspmx2.googlemail.com
>
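The MX check above, done in code so it can be repeated against any domain and diffed over time: this is an added example, not part of the original post. The nslookup transcript embedded in it is a constructed copy of the one shown above, and the suffix-to-provider table is an assumption rather than anything the post states.

```python
"""Parse nslookup MX output and name the mail provider behind a domain.

Added example, not part of the original post. The nslookup transcript below is
constructed to mirror the one shown above, and the suffix-to-provider table is
an assumption, not something the post states.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: interactive nslookup output for the domain in the WHOIS record.
SAMPLE_NSLOOKUP = """\
> domainsgame.org
Server:  vnsc-pri.sys.gtei.net
Address:  4.2.2.1

Non-authoritative answer:
domainsgame.org MX preference = 30, mail exchanger = aspmx3.googlemail.com
domainsgame.org MX preference = 10, mail exchanger = aspmx.l.google.com
domainsgame.org MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
domainsgame.org MX preference = 30, mail exchanger = aspmx2.googlemail.com
>
"""

# Assumed table: which organisation operates exchangers with these suffixes.
PROVIDER_SUFFIXES: Dict[str, str] = {
    ".google.com": "Google",
    ".googlemail.com": "Google",
}

# One nslookup MX line: "<domain> MX preference = <n>, mail exchanger = <host>"
MX_LINE = re.compile(
    r"^(?P<domain>\S+)\s+MX\s+preference\s*=\s*(?P<pref>\d+),\s*"
    r"mail exchanger\s*=\s*(?P<host>\S+?)\.?$"
)


def parse_mx(nslookup_output: str) -> List[Tuple[int, str]]:
    """Return (preference, exchanger) pairs, most preferred (lowest number) first."""
    records = []
    for line in nslookup_output.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").lower()))
    return sorted(records)


def mail_provider(records: List[Tuple[int, str]]) -> str:
    """Provider name when every exchanger matches one known provider,
    'unknown' when none match, 'unknown/mixed' when they disagree."""
    if not records:
        return "unknown"
    providers = set()
    for _pref, host in records:
        name = next((n for suffix, n in PROVIDER_SUFFIXES.items()
                     if host.endswith(suffix)), "unknown")
        providers.add(name)
    if len(providers) == 1:
        return providers.pop()
    return "unknown/mixed"


def mx_diff(before: List[Tuple[int, str]],
            after: List[Tuple[int, str]]) -> Tuple[List[str], List[str]]:
    """(added, removed) exchangers between two snapshots of a domain you own;
    anything non-empty that you did not change yourself deserves an alert."""
    old = {host for _p, host in before}
    new = {host for _p, host in after}
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    records = parse_mx(SAMPLE_NSLOOKUP)
    for pref, host in records:
        print(f"{pref:>3}  {host}")
    print("mail provider:", mail_provider(records))
```

Run it with a fresh `nslookup -type=mx yourdomain` transcript once a day and feed consecutive results to mx_diff; a registrar-side transfer like the one described above usually shows up first as a change in NS or MX records, long before anyone reads the WHOIS.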

3) I would give these guys at Moniker Privacy Services a call to see who registered DomainsGame.org.

A WhoIs on the DomainsGame.org domain shows it registered to:

Admin ID:MONIKER1571241
Admin Name:Moniker Privacy Services
Admin Organization:Moniker Privacy Services
Admin Street1:20 SW 27th Ave.
Admin Street2:Suite 201
Admin City:Pompano Beach
Admin State/Province:FL
Admin Postal Code:33069
Admin Country:US
Admin Phone:+1.9549848445
Admin FAX:+1.9549699155
Admin Email:

4) I would not assume this to be an international issue just because the person gave a Dubai snailmail address.

Conclusion

In the meantime GoDaddy has told the MakeUseOf team to relax in a bowl of legal stew. GoDaddy is obviously trying to determine its liability in this matter before taking too much action. Let's hope that GoDaddy is not one of the registrars described in the Wikipedia explanation of Domain Hijacking and Domain Theft:

“However, it is well documented that some registrars will admit no fault in accepting the forged credentials and will refuse to correct the record until forced by legal action. In many of these cases, justice is not done and the hijacker retains control of the domain. The victims of such theft often do not have the resources or willingness to invest the effort necessary to regain control of their domain, which may require a lawsuit or a lengthy and time-consuming arbitration process, especially if the hijacker and victim are in different countries.”

GoDaddy.com has a chance to avoid more of the “GoDaddy Sucks” articles if it handles this correctly.

My iGoogle Page

February 22nd, 2008


This is a capture of my current iGoogle Page. We talked about iGoogle a little last year when the new name surfaced. Today I want to share with you how iGoogle and some cool add-ons like Google Reader can be used to make you more productive. The following list helps you understand a few things I am doing with my iGoogle page.

A - I track the weather in the two cities where I spend most of my time: Goose Creek, SC and Washington, DC

B - I track the feed of a group blog that I manage (GrowingKids.org)

C - I track current events

D - I track the feed of Simply Recipes, my 2nd favorite food blog

E - Google Reader copy #1 tracks Information Security related feeds that have been placed in my Security folder.

F - Google Reader copy #2 tracks blogs that I placed in my General folder.

You will also note that I use multiple tabs. The BLOG Watch tab is a post for another day. There I track blogs using custom feeds created mainly from Google Blog Searches.

I want to offer a few more comments on the multiple copies of Google Reader found on my iGoogle page. You can add multiple copies, or you can switch between folders using the pull-down on one of the readers. Using Google Reader in this way allows for a quick view of a hot subject (folder). For instance, I subscribe to several dozen blogs in my general folder. It is pretty easy for a high-priority topic related to network security to get lost in the midst of dozens of other posts in a general category. The security folder allows me to focus on blogs and news sites that provide RSS feeds related to information security. These feeds include announcements of patches from vendors like Cisco, Microsoft, Red Hat, and Oracle that address security vulnerabilities.

Beware of Idetrorce Disagreements

December 16th, 2007

A flurry of comment spam has been going around in recent days with the following message:

“very interesting, but I don’t agree with you
Idetrorce”

There is no URL and the message is exactly the same on all the blogs where you find this comment.

What is this comment all about and who is Idetrorce?

In my humble opinion, this is a pre-attack campaign for a bigger spam campaign that will come in the next few weeks. The comment above would be okay on most blog posts since it is not trying to link people back to a product or service and it is just a polite disagreement. Once it is posted on a loosely moderated blog, the blogger might get a bad rap for deleting such a non-threatening comment. Read the editor's comments on the wormblog post, comment number 12:

“So I googled and found that it is indeed SPAM.

I am leaving it up though as I would never wish to be accused of deleting someone who simply disagreed with me.”

If a blogger does not block the email address and user name associated with this comment, then they could be opening themselves up to something much bigger coming down the pipe. That is just one man’s opinion. I am not afraid to delete and edit comments on my blog. I have even deleted some comments from people who agreed with me. When it’s my blog I will do what I think is in the best interest of my blog.

I do strict moderation on all comments on some of my blogs. There are very few terms I force into moderation here on this blog, but this user name and email address will be added to my list. I recommend you do the same with your blog. I just don't have a good feeling about this Idetrorce character.

In Wordpress

Go to your Dashboard and select Options/Discussion. Scroll down and enter the user name, email address and IP addresses this commenter uses. By the way, the IPs this person is sourcing from are out of Amsterdam.

Windows Security Status

October 19th, 2007

When ranking the security status of a PC on a scale from 1 to 5, with 5 being the most vulnerable, this PC ranks an 87.

Windows Update Screen Capture

This is a screen capture from the Windows Update site for one of my laptops shortly after installing Windows XP Professional and adding Service Pack 2. Choosing to ignore these updates leaves a PC very open to attack, especially if the machine has no anti-virus software and no firewall running.

Visiting the Windows Update site is a good first step to securing a PC.  There are a few other things that I would highly recommend when building or buying a new PC.

  1. Purchase and install an enterprise-grade anti-virus application and subscribe to automatic signature and software upgrades.
  2. Install a client-based firewall application, especially if you will be connecting to public networks.
  3. Use VPN software and SSL (https) web sites as much as possible when on public WiFi. (More HOWTO details to come on this subject.)
  4. Update your other third-party applications on Windows regularly and enable automatic updates where possible (e.g., iTunes, QuickTime, Java runtime).
  5. Verify that your PC is not trying to automatically reconnect to Windows network shares at logon.

I cannot impress upon you bloggers enough how important number three is for those of you who frequently log onto your blog software via http (TCP port 80) over a public wireless access point from a hotel, coffee shop, or your favorite lunch location. The software that gives an attacker the capability to capture your user ID and password over a public access point is widely available and very easy to use. The same utilities can be used to capture unencrypted passwords used when accessing email, FTP servers, and web site control panels.
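To make the point above concrete, here is what a passive listener on the same access point actually gets from one plain-http login. This is an added example, not code from the post or from any sniffer; the captured request is a constructed sample shaped like a WordPress login (field names log and pwd), and the user/password field-name tables are assumptions.

```python
"""Pull a login out of a plaintext HTTP request.

Added example, not from the post. It shows what a sniffer on a shared wireless
network sees when a blog owner logs in over plain http: the user name and
password in the POST body, and any Basic-auth header, need no cracking at all.
The request below is a constructed sample shaped like a WordPress login
(field names 'log' and 'pwd'); the field-name tables are assumptions.
"""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample capture: one POST as it would appear on the wire.
CAPTURED_REQUEST = (
    b"POST /wp-login.php HTTP/1.1\r\n"
    b"Host: blog.example.com\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"log=hank&pwd=Secret%21123&wp-submit=Log+In"
)

# Assumed form field names to look for.
USER_FIELDS = {"log", "user", "username", "login", "email"}
PASSWORD_FIELDS = {"pwd", "pass", "passwd", "password"}


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into request line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_auth_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(user, password) from an 'Authorization: Basic' header, which is only base64."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def form_credentials(headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """User/password fields from a url-encoded form body."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("utf-8", "replace"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()
            if k.lower() in USER_FIELDS or k.lower() in PASSWORD_FIELDS}


def extract_credentials(raw: bytes) -> Dict[str, object]:
    """Everything a passive listener learns from one request."""
    request_line, headers, body = split_request(raw)
    parts = request_line.split()
    found: Dict[str, object] = {
        "host": headers.get("host", ""),
        "path": parts[1] if len(parts) > 1 else "",
    }
    basic = basic_auth_credentials(headers)
    if basic:
        found["basic_auth"] = basic
    form = form_credentials(headers, body)
    if form:
        found["form"] = form
    return found


if __name__ == "__main__":
    print(extract_credentials(CAPTURED_REQUEST))
```

Over https the request line, headers and body are all inside the TLS session, so the same listener sees only a TCP connection to the server; a VPN wraps even the plain http traffic the same way, which is why item three covers both.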

Linux SSHD authentication to external Radius

September 20th, 2007

I have worked in recent years as a network security engineer. One task I faced was making various network devices authenticate to a central AAA solution. Most of the devices were pretty straight forward with the exception of Linux.

Most network environments I have been exposed to where there is an interest in creating a single sign-on solution have focused on getting all their devices to authenticate against Microsoft's Active Directory or some third-party two-factor authentication tool. My work on this little project led me into a hole that none of my local Linux guru friends could dig me out of. While most of this information can be gathered from various sources on the Internet, I have yet to find anyone put it all together in a step-by-step procedure like the one in this post. These instructions worked on Red Hat Enterprise Linux and Fedora against a variety of RADIUS servers, including Microsoft IAS and SafeWord from Secure Computing. The following steps assume that you have a functional RADIUS server in place that already accepts and authenticates user logins from devices like Cisco routers and switches.

HOWTO configure Linux SSH users to authenticate to external Radius

  1. Log in to the Linux box that needs to authenticate against RADIUS with root privileges.
  2. Download ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz using the ftp command.
  3. Extract pam_radius-1.3.17.tar.gz into a subdirectory of your home directory called pam_radius-1.3.17.
  4. Change into that directory.
  5. Edit pam_radius_auth.conf to reflect the actual RADIUS server IP, shared secret and timeout.
  6. Run make.
  7. Copy the module that make produced to /lib/security: cp pam_radius_auth.so /lib/security
  8. Make a backup of /etc/pam.d/sshd: cp /etc/pam.d/sshd /etc/pam.d/sshd.BU
  9. Edit /etc/pam.d/sshd to read as follows (the client_id in the first line is optional and configurable):

#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

  10. Edit /etc/ssh/sshd_config and add the following line to the bottom of the file: UsePAM yes
  11. Create accounts on the Linux box for all users requiring access to this server via SSH using AAA authentication. Assign each account a blank password on the Linux box, or better, lock the local password with passwd -l: the second auth line in /etc/pam.d/sshd above falls back to local password authentication when the RADIUS module fails or cannot reach the server, and a locked password cannot be used through that fallback.
  12. Verify that the IP address and shared secret for this Linux box have been added to the AAA server's client configuration.
  13. Verify that all users requiring access to the Linux box have AAA accounts configured on the RADIUS server.
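A small audit of the result of the procedure above, as an added example (not from the post or from FreeRADIUS). It reads the three files the steps touch (/etc/pam.d/sshd, /etc/ssh/sshd_config and /etc/shadow) and reports the pitfalls of this layout: the debug option left on, the local-password fallback behind the RADIUS module, UsePAM missing, and accounts whose local password is blank rather than locked. The file contents embedded in it are constructed samples; pass real paths on the command line to run it on a live box.

```python
"""Audit the pam_radius SSH setup from the steps above.

Added example, not from the post or FreeRADIUS. It reads the three files the
procedure touches (/etc/pam.d/sshd, /etc/ssh/sshd_config, /etc/shadow) and
reports the pitfalls of this layout. The file contents below are constructed
samples; the audit functions take file text so they can be run on real files.
"""
import sys
from typing import List

# Constructed sample: /etc/pam.d/sshd exactly as the post lays it out.
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
"""

# Constructed sample: the relevant sshd_config lines.
SAMPLE_SSHD_CONFIG = "Protocol 2\nPasswordAuthentication yes\nUsePAM yes\n"

# Constructed /etc/shadow lines: alice is locked ('!'), bob has the blank
# password the procedure suggests, root has an ordinary (fake) hash.
SAMPLE_SHADOW = (
    "alice:!:17000:0:99999:7:::\n"
    "bob::17000:0:99999:7:::\n"
    "root:$6$saltsalt$notarealhash:17000:0:99999:7:::\n"
)


def audit_pam_sshd(text: str) -> List[str]:
    """Findings about the auth stack in a pam.d/sshd file."""
    auth = [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#") and ln.split()[0] == "auth"]
    idx = next((i for i, f in enumerate(auth) if f[2].endswith("pam_radius_auth.so")), None)
    if idx is None:
        return ["no pam_radius_auth.so in the auth stack"]
    findings = []
    if idx != 0:
        findings.append("pam_radius_auth.so is not the first auth module; another "
                        "auth module runs before RADIUS is consulted")
    if "debug" in auth[idx][3:]:
        findings.append("debug option still set on pam_radius_auth.so; remove it once "
                        "the setup works to stop verbose logging")
    if any(f[1] == "sufficient" and f[2].endswith("pam_stack.so") for f in auth[idx + 1:]):
        findings.append("local password auth is a 'sufficient' fallback after RADIUS: "
                        "a RADIUS outage or rejection falls through to /etc/shadow, so "
                        "local passwords must be locked, not blank")
    return findings


def audit_sshd_config(text: str) -> List[str]:
    """Findings about sshd_config keywords the procedure depends on."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("usepam") != "yes":
        findings.append("UsePAM is not 'yes'; sshd will never call pam_radius_auth")
    if settings.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes lets an empty local password log in")
    return findings


def blank_password_accounts(shadow_text: str) -> List[str]:
    """Accounts whose hash field is empty rather than locked ('!' or '*') or a real hash."""
    blank = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            blank.append(fields[0])
    return blank


def audit_files(pam_path: str, sshd_path: str, shadow_path: str) -> List[str]:
    """Run all three checks against real files (reading /etc/shadow needs root)."""
    with open(pam_path) as f:
        findings = audit_pam_sshd(f.read())
    with open(sshd_path) as f:
        findings += audit_sshd_config(f.read())
    with open(shadow_path) as f:
        blank = blank_password_accounts(f.read())
    if blank:
        findings.append("accounts with blank local passwords: " + ", ".join(blank))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:
        report = audit_files(sys.argv[1], sys.argv[2], sys.argv[3])
    else:  # no paths given: run on the constructed samples
        report = (audit_pam_sshd(SAMPLE_PAM_SSHD) + audit_sshd_config(SAMPLE_SSHD_CONFIG)
                  + ["blank local password: " + u for u in blank_password_accounts(SAMPLE_SHADOW)])
    for item in report:
        print("-", item)
```

Usage: `python3 audit_pam_radius.py /etc/pam.d/sshd /etc/ssh/sshd_config /etc/shadow`. On the constructed samples it reports the debug flag, the local fallback, and bob's blank password; alice, locked with passwd -l, passes.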

These instructions were compiled mostly by trial and error, based on instructions found at FreeRADIUS.org.

Disclaimer: I consider myself to be an intermediate Linux administrator. Please feel free to share links in the comments to clearer and more comprehensive solutions for authenticating Linux against an external AAA server if you have them. I would especially like to hear ideas on how to get around the need for matching IDs on the Linux server.

Censoring Google Images

March 21st, 2006

Google Images Censored by SmartFilter

Google Images got censored for being classified in the “Extreme, Pornography” category by SmartFilter. SmartFilter is a web filtering product from Secure Computing. The SmartFilter product helps network managers control what content their users access on the Internet. I work as a Tier III support engineer for 65 locations around the world that use this product to control the Internet access of tens of thousands of users. Today our help desk got a call that required me to determine why some users could no longer browse to images found in a search on Google Images. The users were being returned an error page telling them that the Google Images content was blocked for being categorized as “Extreme, Pornography”.
The redirect URL for all images on images.google.com begins with “http://images.google.com/imgres” and is followed by a question mark and eventually the URL of the site where the image is actually hosted.

I used the URL Checker on the SmartFilter web site to determine that the users were getting blocked because of the categorization of the Google URL mentioned above. I contacted SmartFilter and they responded telling me that this categorization was a mistake. As a result of my email they have since fixed the problem, and this Google Images URL is now back to being categorized as “Search Engines, Visual Search Engine”.
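The redirect layout described above is what makes a single category for the imgres URL wrong either way: the same path leads to a recipe site in one click and to something objectionable in the next. The following added example (not from the post or from Secure Computing) categorizes an imgres link by the site it actually leads to. The post does not say which query parameter carries the hosting site's URL, so the code treats any query value that is itself an http(s) URL as the target; the category table stands in for a filter's database, and the sample link, including its parameter names, is constructed.

```python
"""Categorize a search-engine redirect by the site it leads to, not by the redirector.

Added example, not from the post or Secure Computing. The post says an
images.google.com/imgres link carries the hosting site's URL in its query
string but not which parameter holds it, so this looks for any query value that
is itself an http(s) URL (an assumption). The category table stands in for a
filter's database and the sample link is constructed, parameter names included.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# (host, path) pairs known to be redirectors: the one from the post.
REDIRECTORS = {("images.google.com", "/imgres")}

# Assumed stand-in for the filter's URL database, keyed by host.
CATEGORIES: Dict[str, str] = {
    "images.google.com": "Search Engines, Visual Search Engine",
    "recipes.example.org": "Food",
    "adult.example.net": "Extreme, Pornography",
}

# Constructed sample link; the parameter names are assumed.
SAMPLE_LINK = ("http://images.google.com/imgres?imgurl=http://recipes.example.org/pie.jpg"
               "&imgrefurl=http://recipes.example.org/pie&h=480&w=640")


def embedded_urls(url: str) -> List[str]:
    """http(s) URLs that appear as query-parameter values, in order of appearance."""
    found = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            inner = urlsplit(value)
            if inner.scheme in ("http", "https") and inner.netloc:
                found.append(value)
    return found


def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow redirector links through their embedded target, with no network access."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if (parts.netloc.lower(), parts.path) not in REDIRECTORS:
            break
        targets = embedded_urls(url)
        if not targets:
            break
        url = targets[0]
    return url


def categorize(url: str) -> str:
    """Category of the real destination; the redirector's own category applies
    only to requests that carry no target."""
    host = urlsplit(final_destination(url)).netloc.lower()
    return CATEGORIES.get(host, "Uncategorized")


if __name__ == "__main__":
    print(final_destination(SAMPLE_LINK), "->", categorize(SAMPLE_LINK))
```

With this, a filter can leave images.google.com in "Search Engines" and still block the individual imgres links whose embedded target is in a blocked category, which is the behaviour the users in the story needed.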

This issue raised a question today. Should Google Images actually be filtered as adult, pornography, and/or extreme? The only thing keeping users from finding potentially offensive material is the default Google SafeSearch filtering setting. Users are a radio button away from getting images from thousands of URLs that have not yet been categorized by filtering software like SmartFilter.

Sketchy Subject Assignment

March 1st, 2006

A story hit Slashdot today that caught my attention.  A professor at an unnamed university has given his students the following task.

“Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.” Source: SANS

The Slashdot posting was filled with plenty of comments of outrage over such action by this college professor.

I have no problem with professors teaching hacking techniques to students in a security program, but there is a place for this type of thing. The hacking should be done in a very controlled environment that is isolated from public networks. The students should NOT be instructed to perform reconnaissance “remote security evaluations” on random Internet devices. While reconnaissance in itself is not generally considered a hack, it is the first step any hacker takes in the hacking process to determine what he or she is up against when planning to hack a device over the Internet.

Windows Wireless Security

January 17th, 2006

Today we feature a case of making a mountain out of a molehill. The Washington Post ran a story titled Windows Wireless Flaw a Danger to Laptops. I have a news flash for you, WaPo: this is a property of Windows-based laptops and computers on wired networks anywhere. Yes, you can gain access in more unsuspecting places like on airplanes via wireless, but this is not a new idea. The additional tools required to hack a laptop over a wireless connection as described in this article can also be used to hack a wired computer over dial-up, cable modem, LAN, or DSL. Simply having an IP address on the same IP segment does not constitute hacking a computer, as this article suggests. The meat of the story was skipped to feed the fears of the general population. In order to gain access to the target Windows computer remotely you must also gain user rights on that computer, which requires software that is not included with Windows. Computers plugged in via a standard network cable to a hotel, office, or home network are susceptible to the same kinds of attacks if they are not taking measures to “try” to stop hackers. This news story is not really that big of a story after all. The most interesting portion of the article, quoted below, is where they talk about hacking a laptop while on a plane over international waters.

Loveless said he believes that since the attacks were mostly carried out while the plane was over international waters, U.S. law enforcement might have a hard time making the case that he was violating any laws. The real answer to that very interesting question, he said, would probably not be evident until someone gets sued in court for it.

Law enforcement authorities don't seem to have a problem prosecuting a person for other offences committed over international waters. What makes computer crime over international waters any different from computer crime committed on the ground? The bottom line is that your data is only safe when it is on a computer that is turned off, unplugged from power and network, locked in a safe, and guarded by the US Marines.

Online Truth Part Three: Phishing

June 26th, 2005

The word phishing may not be understood by the average person on the street, but if you use email you might want to understand it. The following is a good definition found on Wikipedia:

“In computing, phishing is the act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). It is a form of social engineering attack.”

It goes like this. You receive an email that LOOKS very legitimate, from a well known company that you might normally do business with, like eBay. The email has very professional wording that sounds very convincing. It might say that your account will be closed if you do not take immediate action by clicking the link provided in the email. The link may look convincing, like this: Google. I'll bet you thought you were going to Google, and if you didn't think you were going to Google you probably had no idea that 69.454153 would take you to the HOEI.COM main page. I will explain that numeric thing another day, but the point is that things are not always what they appear to be in an email, or on a web site for that matter.
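A way to see through a link like the one above before clicking it, as an added example that is not part of the original post: the host part of a URL can be written as the usual dotted quad, as fewer than four dotted parts (69.454153 is one of these; the last part fills the remaining bytes), as one decimal number, or with hex or octal parts, and a phishing mail can use any of them so the address looks nothing like the site it impersonates. The code below rewrites every such form into a plain dotted quad and flags links whose visible text names a different host than the target. The link samples in the main block are constructed.

```python
"""Show where a link really goes, whatever form its host takes.

Added example, not from the post. A host can be written as the usual dotted
quad, as fewer than four dotted parts (the post's 69.454153 is one of these:
the last part fills the remaining bytes), as one decimal number, or with hex or
octal parts; this normalizes all of them. The link samples in the main block
are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def _part_value(part: str) -> int:
    """Decimal, 0x-hex or leading-zero octal, as C's inet_aton reads it."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def numeric_host_to_ipv4(host: str) -> Optional[str]:
    """Dotted quad for the forms a, a.b, a.b.c and a.b.c.d; None if host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    remaining = 4 - (len(values) - 1)         # bytes covered by the last part
    last = values[-1]
    if not 0 <= last < 256 ** remaining:
        return None
    tail = [(last >> (8 * (remaining - 1 - i))) & 0xFF for i in range(remaining)]
    return ".".join(str(v) for v in values[:-1] + tail)


def canonical_host(url_or_host: str) -> str:
    """Lower-cased host of a URL (scheme optional), numeric forms rewritten as dotted quads."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname or ""
    return numeric_host_to_ipv4(host) or host


def assess_link(visible_text: str, href: str) -> Dict[str, object]:
    """Real target host plus the warning signs a reader cannot see in the mail."""
    target = canonical_host(href)
    flags: List[str] = []
    if numeric_host_to_ipv4(urlsplit(href).hostname or "") is not None:
        flags.append("numeric host")
    shown = visible_text.strip()
    if "." in shown and " " not in shown and canonical_host(shown) != target:
        flags.append("text host differs from target")
    return {"target_host": target, "flags": flags}


if __name__ == "__main__":
    # Constructed samples: the post's numeric link and a look-alike eBay host.
    for text, href in [("Google", "http://69.454153/"),
                       ("www.ebay.com", "http://www.ebay.com.example.net/signin")]:
        print(text, "->", assess_link(text, href))
```

The second sample is the other common trick: the text says www.ebay.com, the target's host really does start with www.ebay.com, but the registered domain is example.net. Canonicalizing both sides before comparing is what catches it; eyeballing the raw href usually does not.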

I have recently received phishing emails that appeared to be from eBay, PayPal, Wells Fargo, and others using tactics similar to those described above. Most of the others were from people pretending to be representatives of some deceased foreigner, usually from Africa, with a ton of cash that needs to be claimed by someone in the USA. I was randomly chosen as the lucky person to help this representative free up the cash, and in return I will get a healthy percentage of the millions of dollars.

There are many people on the Internet who think you can avoid receiving these emails by obfuscating or masking your email address. For instance, they say you should display your email as hank DOT osborne AT hoei DOT com instead of hank.osborne@hoei.com when posting comments or building web pages. Hogwash! I have a huge problem with this approach. Not everyone who surfs the Internet knows what you are trying to say when you use the ATs and DOTs. Furthermore, even though I do understand, I don't want to have to convert a person's obfuscated email address into a real one just so I can send them a message. Yes, you might avoid having your email picked up by a bot or crawler, but you may also turn away some potentially valuable contacts.

Here are a few recommendations for how to deal with phishing and spam:

  • Do not visit web sites using links provided in emails that are from businesses. Hand type the address into your browser or use a bookmark from a previous visit.
  • Do not visit web sites using links provided in emails from persons that you do not know and trust.
  • Don't be afraid to verify the sender of an email. Send a response email to the person or company using an email address in your address book and ask them if they recently sent you a link in an email.
  • Use filters and rules in your email application. If you only want to receive email from people you know, then set up a filter to do this. I recommend reviewing the list of filtered emails before deleting them.

You can use a separate email address for all online transactions, posts, advertisements, etc. This will not guarantee that your friends, family, or other contacts are going to protect your address, even if you ask them. For instance, your Mom may forget your privacy request and sign you up for some cool offer that she found on the Internet, not realizing that your email address is going to be sold on the open market as a result of her thoughtful gesture.

The bottom line is that if you use the Internet you are going to incur some level of risk. A little risk is okay, but you have to use a little bit of common sense. It is like driving a car. You could bar your doors like a race car and wear a helmet and fire-resistant clothing, but who would want to ride with you? Instead, use your seatbelt and door locks, and keep your car in good repair. Oh yeah, don't pick up strangers. This same level of caution should keep you in pretty good shape while using the Internet.

This message is also posted on The Land of Ozz.

Online Truth Part Two: Personal Information

June 23rd, 2005

There has been a lot of buzz lately about personal information being acquired from online resources without the knowledge or permission of the target.  The stealing of credit card information is one thing.  Many people are surprised to find out how easy it is to acquire specific information online like home address, phone number, social security number, and more.  For years there have been free or very cheap resources available online that assist in gathering information on just about anyone.  These resources are just online versions of the same resources that have been around for decades via other avenues like the local court house or the local library.

I will demonstrate a few exercises in acquiring some basic information about a person or business without spending a dime. These resources are legitimate, free, and pretty accurate. I spent a short time working as a licensed private investigator (PI) back in the early 90s. Oh, and if you are cheating or thinking about it, don't do it! It is not that hard to catch someone even when they are trying very hard to hide it. While I did do some of this dirty work, most of my work consisted of serving summons and subpoenas for the courts in my area. Most of the resources I used to track people for serving court papers are now available online. I cannot imagine how much easier that job would be today. I was serving an average of 200 court papers per month back then.

The first thing that alarms people is how easy it is to find an address from a phone number. Here is an example. I will use a pizza restaurant phone number in my home town of Clinton, SC. First I will enter the phone number into Google and click search. I entered 864-833-4373 and clicked search. The first result gave me the name of the restaurant and three choices for mapping the location of that address using Google Maps, Yahoo! Maps, or MapQuest. The results were accurate, and two of the three map options displayed an accurate map of the location of the restaurant. This feature can be used for any listed phone number. There are ways to get your address and phone number removed from this list, but your effort will be futile. Why? Because there are a few dozen other ways to accomplish the same thing on the Internet without using Google. Just type the words “reverse lookup” into your favorite search engine. One of the first few things to pop up is AnyWho.com. I have been using AnyWho for at least five years to do what Google is now offering in its search engine. Services like AnyWho that offer reverse lookup of phone numbers have become much more accurate in recent years. Back in the mid 90s you would get information that was at least a year old. Today the information is much more current.

The feature of finding an address using a phone number is not new and is not limited to Google. The ability to locate a person has been available on the Internet for almost as long as the World Wide Web has been around, and may go back to the old Gopher days for all I know. Keep in mind that the Internet as you know it has been around just over a decade. The features that you get from the Internet today were unheard of even as recently as the early 90s. Google, through multiple acquisitions, has just tied up the loose ends so you don't have to use multiple sites to find the address for a person anymore. The old school way was to use a reverse lookup tool like AnyWho.com to find the address associated with a phone number. You could then open up your favorite map web site or software to locate the address. This still works quite well. The new features of Google Maps, like the satellite images of the area around an address, make Google my new first stop when doing a reverse lookup these days. Keep in mind that many of the satellite images of rural areas will give a picture much like you see from a commercial jet at 30,000 feet. The satellite image of my local area is more like flying at 10,000 feet.

There are a number of services that allow you to do things like gathering credit history, criminal background, and other information for a fee. Most of this stuff, if not all of it, can be gathered for a single person for under $100. This is a small price to pay considering the amount of information you get. So ladies, when your dad or your brother says that they are going to check out this new boyfriend, they are probably not kidding if they are willing to spend a little time on the Internet or part with a few bucks.

My wife was absolutely shocked at the amount of information that could be gathered about a person on the Internet without that person ever knowing. Most of the detailed financial things like credit card and bank account numbers are harder to come by legally, but not impossible, as you have seen in recent headlines. Things like a phone number, address, and family history are a different story. The more you want to know, the more likely you are to end up spending money. If you want to get down in the weeds of a person's past without hiring a PI then you will need to spend a little money and have a lot of patience. I have been able to gather a ton of information on my own family history by using Ancestry.com. They have a paid service that will allow you to gather more information over a longer period of time, but I just used their 14-day trial. I got full names, addresses, social security numbers, birth dates, and more for everyone from my dad plus everyone in the family for several generations before him.

Here is another big surprise for most people.  Many counties now list property cards on the Internet.  For instance, the county that I live in will allow for anyone with Internet access to see what I paid for my house, how much I paid in property taxes each year, and the names on the deed.  All of this can be seen by just knowing the street address and the county that I live in.  Similar options are available on the web sites for surrounding counties.  This is all information that could be gathered with a trip to the local courthouse, but the Internet has brought this information to your finger tips in your living room.

The unfortunate thing is that most people have no idea of the amount of information that is available to the general public about just about anyone.  You really don’t have to hire a PI to gather detailed information these days.  You can actually be a PI from the comfort of your couch.

Don’t forget to read:  Online Truth Part One: Junk Email

This story is also posted on The Land of Ozz
