Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Reports


Last Week
Next Week
Prior Weeks
email
Bookmark
"Digital Choke" story
Sunday, October 3, 2004

Yesterday was a bit of cleanup day. Takes a bit of time around here. A full-house vacuum (even the stairs), clean the kitchen floor, another load in the dishwasher, bed sheets into and out of the laundry, clean the bathroom counters, and clean the mirrors. That took a couple of hours. But not all at once. There was a nap in there somewhere.

No post yesterday (obviously). I worked a bit on a new report for the box up above. The new one is a 'simple steps to protect your computer'. There are only a few basic things that are important. And I want to make it easy enough so that you can give it to your family and friends that might not be as technical as you are.

It's almost done, but if you think of some ideas, send me a quick note.

Fun time with the grandkids today. Pam made some "roll-out cookies", and the kids decorated them. Put frosting on top, add sprinkles, and eat. Lots of sprinkles on the cookies ... and the floor. But good times, and good memories for us and them.

Monday, October 4, 2004

A short day at work today. Started out with the usual; the morning network status meeting. A few issues, but nothing I can share. Then some of the usual stuff. Some monitoring of the CF server mail issue from last week, which required some manual manipulation of some mail messages to get them delivered. Created a few VPN certificates for users.

Then wandered into Dreamweaver. I'd been working on a small database application, and was having problems with the SQL query. Turns out that Access confused me again. A database name is not the same as a mdb file name. Once I remembered that, the query page worked just fine.

Then it was off to the dentist for a crown replacement. "Dr. Dave" is excellent; he put in a temporary. Didn't feel a thing, although the drilling of the gold cap was a bit noisy. I'm guessing that gold is a bit more difficult to drill. But I was out of there in an hour and a half, including the 'numbing' time. So I got home an hour earlier than usual.

After the usual evening surfing routine, I wanted to play around with my Xandros installation (in VMware). It took a while to figure out that the Xandros Network application was where you do updates. Updates require admin (root) access, and since it's been a couple of months since I last used it, I have forgotten the password. I did write it down somewhere. I just need to find the right notebook. Could be on the desk at work. I suspect that I'll just do a reinstallation; there wasn't anything important in there.

Tuesday, October 5, 2004

I'm learning more about the ColdFusion (CF) mailing problem. It looks like the version we are using doesn't create a MIME message with all the pieces in the right places. The message header is not quite compliant with the standard. Since our mail server is pretty strict about a properly formed message, it's rejecting those messages.

This whole process worked right a couple of weeks ago, until we got rid of the mail server that used to process the CF mail messages. That old mail server was running a very old copy of Sendmail, which didn't care as much about the incorrectly formatted message header.

I did find a technical note about some extra parameters for that command. I'll give that a try tomorrow. I found some similar information with a Google search, so it's a good possibility.

And I got the "Simple Steps for Home Computers" report done. Check it out; comments are welcomed.

Wednesday, October 6, 2004

The fix for the CF mail pages works, so that's one major thing off my list. (If you are interested, Google "cfmail mime", and look at the Macromedia technical note.)

Dave Markowitz (fellow Daynoter) commented on the "Simple Steps for Home Computers" report. He found a problem with the 'print this page' link; my Javascript code was borked. So I fixed that. He also made this suggestion:

Don't use IE. Downloading Mozilla, Firefox, Netscape, or Opera and using one of them as the default browser is the simplest, easiest way to avoid spyware problems. Also, all of them include pop-up blockers which work better than the one included in XP SP2, IMO. And of course, users stuck with previous versions of Windows won't get MS's pop-up blocker, so they need either a stand alone app or one of these browsers to get that functionality.

That's probably true. Although, consider this item I got today from the SANS Institute. It's from their summary of news reports relating to computer security. They have several editors that review each week's entries, and they include any comments about the article. (Good newsletter, by the way; I recommend subscribing to it.) The editor's comment is in brackets.

--Mozilla Patches Firefox Flaw (4 October 2004)
Mozilla has released a patch for a vulnerability in its Firefox browser; the flaw could allow attackers to delete all the files in the Download directory.
(news report link here)
[Editor's Note (Shpantzer): How can this be? I was told that if we switched away from IE then we'd be totally safe over port 80...]

As I've mentioned before here, no software is immune from problems. That's why it is important to keep your software current. I subscribe to another list of bug reports (from Security Focus). There are about 100 messages a day discussing software bugs. A lot of those messages are not about Windows software.

It is true that the open-source based software gets fixed a bit faster. It seems that there are updates for the major packages weekly. I note that if Microsoft released patches every week, there would be (and has been) a big 'hue and cry' about buggy Windows software, and the problem with keeping things current. The monthly Microsoft updates are more manageable than weekly updates.

But the point is that no matter what software you have, you need to keep it current.

And, I note with happiness that John Dominik is ready to join the ranks of the employed. He's had a hard two years since his last regular job. I've enjoyed his writings for a couple of years, and am quite pleased that he was finally successful. Stop by his place; I think you'll enjoy the visit.

Thursday, October 7, 2004

I worked on the server "as-built" document today. It's an attempt to standardize the settings and configuration of new servers. If you configure a system properly, it will be less vulnerable to attacks, both inside and outside.

That's also the intent of the latest report. If you can get those basic security settings on your computer, you'll be less likely to have problems with your computer. And it's not just the settings or configuration of your computer. Some computer problems are caused by the "PBDAC" -- "Problem Between Desk And Chair" (related to "PBE" -- "Problem Between Ears"). You must be alert to things that aren't as they seem.

Case in point. One of my regular daily Internet visits is to Dr. Jerry Pournelle's site. He has a few more readers than I do, and he gets lots of mail. One reader asked about an email that looked like it came from Microsoft. (Here's the link to that part of his site. It's at the end of the Thursday section. Although the letter from the soldier in Iraq is quite interesting, as are many of his postings.) The message gave him a link to click on where he could go get information on the XP SP2 patch.

But links in emails can be faked quite easily, as evidenced by techniques that also work on web pages. See my report about "Phishing for Fun & Profit".

Here's what I sent off to Dr. Pournelle:

Today's (Thursday) View had a question from Mr. Steve Erbach about a mail message from Microsoft. The message was from "communications_wincs_fpp@communications3.msn.com", and purported to be a quick way to get the XP SP2 patch.

"Danger, Will Robinson!!"

Even though the link in the mail message might look like it goes to www.microsoft.com/protect , the underlying code in the message might point to somewhere else. A very common technique for 'phishers' is to use a "on-mouse-over" command. The parameter for that command will show text on the status line, but the actual link that is executed when you click on it might be somewhere else.

You might recall that I alerted you to this technique in a report at my place. There are samples of how that works here: http://digitalchoke.com/daynotes/reports/bank-phish01.php .

At work, we get several dozen bank 'phishing' attempts each day, and all of them use the mouseover technique to fake the actual address. Although my report shows the technique for web pages, it is just as easily done in HTML mail.

In the reader's question, the "communications.msn.com" site really belongs to Microsoft. (I checked via "Arin" at www.whois.net , where you can get registration info on any domain name or IP address.)

But it could have easily been a spammer that was verifying your email address with a script attached to the URL in the message, then a re-direct to Microsoft's site. The script could do more, like attempt to hack your computer.

Worse, it could be a hacker trying to "own" my computer. If I (as a hacker) send out a mail message to everyone telling them where to get SP2, most of the people who will respond probably don't have SP2. So my page will attempt an attack via a pre-SP2 problem, then redirect to Microsoft (or anywhere else). The result could be that I get to "own" your computer, and you won't know it.

So my recommendation is to be very careful with links in unsolicited messages. They might be legit or nefarious. In today's world, the chances are that it's nefarious. Mr. Erbach and others should be careful.

Let's expand a bit on how this type of thing could be dangerous. With my hacker hat on:

First, let's build an exploit for a pre-SP2 problem. These exploits are readily available in the hacker underground. Our exploit will install a 'bot' on the computer. Our bot will respond to special commands that we send it. Or, it might install a keystroke logger that looks for credit card or bank account numbers.

Next step is to create a web site. The main page on the web site will do three things. It will verify the email address that belongs to the user that clicks on the link in the mail message. This good email address will be added to a list that I will sell to our friendly neighborhood mail spammer. Or, perhaps I use it for myself.

The second thing that my web page will do is to run the exploit script that installs my bot.

And the third thing will be an immediate redirect to Microsoft's update page.

Now I am ready for my attack. Using easily obtainable spammer mailing lists and software, I'll send out a nicely crafted message "from Microsoft". This HTML message will have a visible link to the Microsoft update page. Since I'll use an 'onmouseover' handler to write the Microsoft URL into the browser's status bar, a casual user will see the Microsoft URL when they move the mouse over the link. But the underlying link (not visible unless you take the time to look at the message source) will take you to my web site. My message will alert you to a quick way to get the SP2 patch.

So you, as the unsuspecting user (and someone who hasn't bothered to install the SP2 patch), will click on the link. And these three things will happen faster than you can see:

  1. My web page uses the parameters of the link to verify your email address, adding it to my spamming list.
  2. The script file will execute that installs my 'bot' on your computer.
  3. The real Microsoft page will be displayed because of my immediate 're-direct'.

All you will see is a short delay while my web page is loading, runs the script, then loads the real Microsoft page. And it will happen faster than you can see -- or stop it.

And then I 'own' your computer. You won't know what hit you.

The lesson here? Be very careful of messages (or pop-up screens) that purport to help you with computer problems. In the information security business: "Trust, but Verify".
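Here is the trick from the letter above and the three-step attack spelled out in code form. This is an added example, not part of the original entry: a small scanner that pulls every anchor out of an HTML mail body and flags the two things described on this page, a status-bar text (set through an onmouseover handler) or visible link text whose host does not match the real href, and an email address riding along in the link's query string so the attacker's page can confirm the address. The sample message, the hosts in it (update.example.net) and the parameter names (e, addr) are constructed for this demonstration and do not come from the message Mr. Erbach received.

```javascript
// Added example (not from the original page). Scans anchors in an HTML mail
// body for the status-bar spoofing and address-verification tricks described
// in the entry above. Runs under Node.js with no dependencies.

// Constructed sample: the hosts and parameter names are placeholders.
const SAMPLE_HTML = `
<p>Get Windows XP SP2 now:</p>
<a href="http://update.example.net/go.php?e=user@example.com"
   onmouseover="window.status='http://www.microsoft.com/protect'; return true;"
   onmouseout="window.status=''; return true;">www.microsoft.com/protect</a>
<p>Read the announcement:</p>
<a href="http://www.microsoft.com/protect">www.microsoft.com/protect</a>
<p>Or confirm your subscription:</p>
<a href="http://update.example.net/confirm?addr=user@example.com">Click here</a>
`;

// Parse the attributes of one tag into a lowercase-keyed object.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Host of a URL-looking string ("http://a.b/c" or "a.b/c"); null if it is not one.
function hostOf(text) {
  const t = (text || '').trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t);
  if (!hasScheme && !/^[\w.-]+\.[a-z]{2,}(\/|$)/i.test(t)) return null;
  try {
    return new URL(hasScheme ? t : 'http://' + t).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// The string an onmouseover handler writes into the status bar, if any.
function statusTextOf(handler) {
  if (!handler) return null;
  const m = /(?:window\.|self\.)?\bstatus\s*=\s*(['"])(.*?)\1/.exec(handler);
  return m ? m[2] : null;
}

// Names of query parameters whose value is an email address.
function emailParamsOf(href) {
  try {
    const hits = [];
    for (const [name, value] of new URL(href).searchParams) {
      if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) hits.push(name);
    }
    return hits;
  } catch (e) {
    return [];
  }
}

// Returns one finding per suspicious anchor: { href, visibleText, statusText, reasons }.
function analyzeLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const href = attrs.href || '';
    const visibleText = m[2].replace(/<[^>]+>/g, '').trim();
    const statusText = statusTextOf(attrs.onmouseover);
    const hrefHost = hostOf(href);
    const statusHost = hostOf(statusText);
    const textHost = hostOf(visibleText);
    const reasons = [];
    if (statusHost && statusHost !== hrefHost) {
      reasons.push('status bar shows ' + statusHost + ' but href goes to ' + hrefHost);
    }
    if (textHost && textHost !== hrefHost) {
      reasons.push('link text shows ' + textHost + ' but href goes to ' + hrefHost);
    }
    const emailParams = emailParamsOf(href);
    if (emailParams.length > 0) {
      reasons.push('email address carried in parameter(s): ' + emailParams.join(', '));
    }
    if (reasons.length > 0) findings.push({ href, visibleText, statusText, reasons });
  }
  return findings;
}

// Usage: print the findings for the constructed sample.
for (const f of analyzeLinks(SAMPLE_HTML)) {
  console.log(f.href + '\n  ' + f.reasons.join('\n  '));
}
```

Against the sample, the first anchor is flagged for all three reasons and the "Click here" anchor for the address in its query string; the genuine Microsoft link is silent. Current browsers ignore scripted changes to window.status, so the status-bar half of this trick no longer works on them, but the href-versus-visible-text comparison and the address-in-parameter check still apply to any HTML mail you receive.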

(On reflection, perhaps more people should follow that advice for things other than computers. Like intelligence reports.)

Friday, October 8, 2004

Well, I have stared at this particular spot for about a half hour. And didn't think of anything terribly interesting to report.

But tomorrow I will be watching a security expert do a deep audit of a web server. It's had some unusual outbound traffic according to the IDS logs. So it should be interesting to see all the tools he uses to find the problem.

... more later ...