Archive for the ‘security’ category

Facebook domain type-in hack


You know the drill: open the browser, new tab, type ‘’ and in a moment you can see which of your online buddies is up to something interesting. This is exactly what I did. Only I did not end up on the well-known Facebook page, but on something really fishy:

Picture 3

This is definitely NOT Facebook. How come I ended up on the ‘’ site when I typed in ? Or did I? Let’s do it again:

Picture 2

Do you see the problem? It is the URL. Unlike the real one, it is ‘facebok’, not ‘facebook’. Easy to overlook. Modern browsers make our life easier by suggesting domain names as you type. And ‘facebok’ comes alphabetically before ‘facebook’, which is more than enough to catch many lazy users, like myself.

These guys – – were obviously not Facebook related and, judging by their page’s behaviour, they were up to no good.

After clicking on ‘Skip this offer’ it opened up another window, did several redirects and reloads.

Picture 4

The new window tried really hard not to let itself be closed easily: annoying pop-ups, deliberately confusing wording on OK and Cancel, more pop-ups.

Picture 7

Picture 5

The “company” is registered in Florida, US, as WHOIS told me; it is named “Moniker Online Services” with the technical contact ‘Moniker Privacy Services’. Not sure what they really are, but what their pages try to achieve is certainly a disservice to anybody’s privacy.

Lesson learned: use trusted bookmarks, do not click on address bar (combo box) suggestions.

At least not while there are so many kinds of filthy internet vermin around. Facebook attracts so many new users who are not very experienced with the dirty tricks that spammers, phishers and hackers use. Spread the word and help your friends avoid pages and companies in the business of phishing and deception.
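The ‘facebok’ trap above is one instance of a whole family of typo domains (a dropped letter, a doubled letter, two letters swapped, a neighbouring key hit). The script below, added here as an example and not code from the original post, generates those single-edit variants for a domain so that a site owner can register or monitor them, and picks out the ones that would sort ahead of the real name in an alphabetical completion list. The QWERTY adjacency table is an assumption; the seed name is the one the post discusses.

```python
"""Generate the typo domains a user is likely to hit when typing a well-known
name, so a defender can register or monitor them.

Added example for this post, not from the original page or from any
domain-monitoring product. The seed 'facebook.com' is the one the post
discusses; the keyboard layout below is an assumption (QWERTY).
"""

# Assumption: a QWERTY layout is enough to model "fat finger" substitutions.
_ADJACENT = {
    'a': 'qwsz', 'b': 'vghn', 'c': 'xdfv', 'd': 'erfcxs', 'e': 'wsdr',
    'f': 'rtgvcd', 'g': 'tyhbvf', 'h': 'yujnbg', 'i': 'uojk', 'j': 'uikmnh',
    'k': 'iolmj', 'l': 'opk', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu',
    'z': 'asx',
}


def typo_variants(domain):
    """Return sorted single-edit variants of the label of *domain*.

    Covers the four classic typosquat classes: omission (facebok),
    repetition (faceboook), transposition (fcaebook) and adjacent-key
    substitution (facebiok). The TLD is left unchanged.
    """
    label, _, tld = domain.rpartition('.')
    if not label or not tld:
        raise ValueError("expected a label.tld domain, got %r" % domain)
    out = set()
    # omission: drop one character
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # repetition: double one character
    for i in range(len(label)):
        out.add(label[:i] + label[i] + label[i:])
    # transposition: swap two neighbouring characters
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # substitution: replace a character with one next to it on the keyboard
    for i, ch in enumerate(label):
        for alt in _ADJACENT.get(ch, ''):
            out.add(label[:i] + alt + label[i + 1:])
    out.discard(label)
    return sorted(v + '.' + tld for v in out if v)


def sorts_before(candidate, real):
    """True when *candidate* collates before *real*, i.e. an address bar
    that lists completions alphabetically would offer it first."""
    return candidate < real


def lookalikes_sorting_first(domain):
    """Variants of *domain* that an alphabetical completion list would
    show above the genuine name: the ones most likely to be clicked."""
    return [v for v in typo_variants(domain) if sorts_before(v, domain)]


if __name__ == '__main__':
    for v in lookalikes_sorting_first('facebook.com'):
        print(v)
```

Run it with the domain you care about and feed the output to a WHOIS or DNS check; any variant that already resolves to something other than your own site deserves a look.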

Why it is probably bad idea to have Skype always on


No, not because of the memory it takes or the CPU cycles burned (it does not really matter when you have a 4 GB notebook with a Core2Duo).

A few days ago, a good friend from the old country (well, technically not anymore, as he also moved within the EU) made me aware of this presentation, “Silver Needle in the Skype” (link points to a fairly large PDF file) by Philippe Biondi & Fabrice Desclaux.

To fully digest and comprehend the content requires way more time than I am willing to invest – and to make meaningful arguments for or against its conclusions requires much deeper specialist knowledge. It is an interesting view into the deep internals of how Skype works and also provides very interesting references to tools available for this kind of exploration. I am not going to stop using Skype just because there is a chance that Skype could possibly be a backdoor or something not so innocent. There can after all be a perfectly honest reason for all the obfuscation and anti-disassembly measures – to protect the IP against competition. Or it can be in order to hide something else? We will probably never know.

But I am not letting Skype start as the machine boots anymore, and I shut it down after I am done with my call. In other words, you will not find me online on Skype very often :-).

Great solution for offsite backup


I have been using it for over half a year now and have been very happy with it. After I heard Steve Gibson mention (and recommend) it today on Security Now!, I want to share my experience and add my vote of confidence.

The solution is the Amazon S3 service (Simple Storage Service), a fantastically affordable system to store your data securely on-line. You pay as you go – the size is unlimited and you are charged only for what you store and the bandwidth you consume. Fantastically affordable means 15 cents per gigabyte-month of storage and 10 cents per gigabyte of transfer in / 18 cents per gigabyte of transfer out, which drops to 13 cents if you use it more. This means that to store my approximately 30 GB collection of pictures I need to upload them first (for $3) and then pay $4.50 monthly for storage – plus the download traffic. But of course, I am not using it for the images, because I really need and like the nice album user interface which SmugMug provides. But to archive documents – this is just the perfect solution.

S3 is focused on developers and the service is accessible via a Web service. You can choose from many available implementations of their API – in Java, Python, Perl, C#, VB, Ruby – you name it. For non-programmers, there are client tools available that completely abstract the storage access and make S3 appear as just another drive. From the many clients available, I have selected (as Steve and Leo did) JungleDisk. Unlike some other services that try to stand between you and your storage and take over not only the data flow but, more importantly, the money flow (and often charge a fat premium), the good guys at JungleDisk just want to sell you the client and let you pay the Amazon fees directly to Amazon. The price for the client is just $20 – it is a no-brainer. For this price you get the client for all three major platforms (Mac, Linux, Windows) as well as the source code of the “engine” part of the solution – in case you want to access the same data through the UI or programmatically.

After installation, S3 appears as another disk under Windows or a network volume on OS X (I have not tried Linux – yet). JungleDisk contains a scheduler and can do automatic backup of defined parts of your disk to S3 – or you can use it for manual backup, as a very reliable and somewhat slower external disk.

The big issue with remote storage of sensitive documents is security: can you really trust a third party (even if that party is Amazon) with your precious data? I think this is up to everyone to decide – but S3 comes pretty close to my definition of a secure-enough system and JungleDisk plays along very nicely. All traffic between you and Amazon is of course encrypted (SSL) and your data is stored encrypted as well, by default using a private key that Amazon provides you. This allows key recovery – but also allows (in theory) that someone on Amazon’s side could read your files. If you want, however, you can generate your own key pair and use it to encrypt the data – all you need to do is configure your JungleDisk client properly. Or, if you are really paranoid, you can encrypt your data before it even gets to JungleDisk and Amazon – if you want to exchange convenience and ease of use for more security. In the last two cases, nobody on earth will be able to read your files – but if you lose your key, you will need a few million years to break it :-).

Give S3/JungleDisk a try – you may like it too …
PS: If you are curious about performance and want more than my subjective feeling of “very reasonable” – read this.

PPS: SmugMug actually *is* running on Amazon S3 – but because they use hundreds of terabytes of space, they were obviously able to get the storage at a wholesale price. The $59.95 / year SmugMug membership would buy you about 15-25 GB of S3 storage with reasonable usage. As most people have less than 15 GB of images, SmugMug can actually make some money and employ really talented designers.

The price of anonymity


The combination of software allowing anonymous access to the Net, not too competent police officers and laws not quite ready for the 21st century can be very dangerous. According to this story, the operator of a Tor node was arrested by German police …

I am quite curious how a situation like this would be handled in Canada. First of all, would it happen? Would the RCMP be more technically up to date than the Deutsche Polizei? What defines the responsibility of the operator of a server that moves encrypted content? I am not crazy enough to try it out just to find out 🙂 – so no, I will not set up a Tor node (even if I do admire this cleverly designed piece of software).

Sometimes volunteering for a not-for-profit cause may cost you a lot – as Alex Janssen found out the hard way:

I was arrested. They scared my wife. They confiscated all my equipment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere.

What happened to “innocent until proven guilty”? Is there anything one can do to help stop traps like this?

Actually, there is. Spread the word.

Limits of virtualization


It has been over 10 months since we started to seriously use virtualization and run Windows inside a virtual machine to ease installation and configuration pain. It started as a convenient way of isolating two different development environments (.NET 1.1 based and .NET 2.0 based) and avoiding “cross-pollination” in the data analytics project. At that time, my expectations of what the limits of a virtual environment would be were mostly around performance, responsiveness and device support (USB especially). As it turned out, all of that actually worked much better than I had ever expected. With the new versions of Parallels, the performance is very good and the user experience (user meaning fellow developer) is barely distinguishable from developing on the host system. Assuming that you have a decent dual-core system with 2 GB of RAM, of course. Using Parallels gives you the added benefit of moving the virtual environment between Windows, Mac and Linux hosts, which is very convenient.

We have also started to use virtualization on the server side, using Microsoft Virtual Server 2005 R2, and I am happy to report that it worked very smoothly as well. In the biometric project, we were running UA testing on a circuit of 5 instances of replicated SQL Servers, each server using its own virtual machine. The circuit was hosted on two quad-core (2x dual core) servers with 4 GB RAM each. Using virtual machines allowed us to achieve repeatability and consistency in configuration when setting up the environment – we cloned one install and renamed the VMs’ hosts.

And here comes the catch: because it is very easy to copy a virtual disk in order to test some new software, plugin or configuration, after some time we ended up with quite a collection of virtual machines and experienced the first limit of virtualization: configuration management. It is pretty hard to keep exact track of what is installed in which VM – which version of which software, what the network settings, user accounts and access rights are. It can easily lead to an administrative nightmare and can require effort comparable to managing an environment of hundreds of computers (it essentially is that environment). In a development shop such as ours you can cheat a bit and standardize on the same usernames and passwords for each VM, but it is not very secure and hardly a recommended approach for production …

The second limit we have seen is the Windows Update effect. The VMs which represent “alternative universes” seldom run at the same time. With Windows updates coming almost daily, the first thing that happens after you get back to using a VM which has been sitting idle for 3 months is the installation of 37 updates, interwoven with 7 reboots. A pretty time-consuming and boring activity. If you are a math geek, you can define a function that computes the number of wasted hours from the number of VMs, their inactivity and the frequency of security updates – and find out how many VMs you would need to own so that all your working hours are consumed by switching VMs on and off and waiting for the updates to finish …

There is no really 100% good solution for this. Running all VMs all the time is not practical and switching the updates off completely is dangerous. Again, in a development shop you can (and should) batch the updates and update in “waves” – it will still consume time, but at least the “patch level” of the VMs will be consistent and you will save some time by merging some reboots. And it is not only Windows updates that cause problems: keeping e.g. the versions of assemblies installed in the GAC (or Ruby gems) in sync across multiple virtual machines can be a challenge too.

The third challenge is licensing and license management. I do not mean the legal side of software licensing related to running software in VMs – just the pure technical implications of doing it. Many software products and subscription-based services use client request tracking to enforce the allowed number of client installs. For example antivirus, which must download a new signature library almost daily, can use the “get update” request and the current client version as a means to track that only the licensed number of clients are getting updates with the same license id. It can get quite confused when you repeatedly roll back the VM state to the starting point of two weeks ago – or alternate running two different snapshots of the same VM over time. Even if there is never more than a single instance of the VM running at the same time with the licensed version of the software – and only one licensed copy was ever installed – it is very hard to distinguish this from the situation where a second (illegal) copy of the software was installed on a second host, virtual or not. I can imagine this will lead to some quite interesting challenges on both the technology and legal sides …

Walking season … and SPAM


Today I started the walking season 2007. I did some gentle preparation during the week – a few short, 4-5 km strolls around the neighbourhood, but it was today when I really started. It was a beautiful day in Ottawa – sunny, temperature around 8-10, so I took off and did a 12 km loop through Westboro, down south and around Dow’s Lake up to downtown. Just fantastic. The companion on the road was Security Now! – I was a few episodes behind, but I managed to listen to almost 3 full episodes.

The interesting one was about spambots – a fleet of remotely controlled zombies that are used to send out spam. Conservative estimates are that of around 600 million PCs, about 150 million are infected zombies – without their owners’ knowledge or consent, of course.

Steve was talking about how to tell from the email headers that a message was spoofed. Basically, what you need to investigate is where the chain of Received headers is broken. Each mail server that handles the message prepends its own Received header, recording the IP address it accepted the connection from; walking the chain from the top down, the first header whose “from” host does not match the “by” host of the header below it marks the point where the spammer connected to an SMTP server and sent the message out. Only the headers added by servers you trust are reliable – every header beneath the break arrived inside the message body and can be forged. I know this is not the best explanation, but it is pointless to rephrase what Steve explained very nicely – listen here or read the notes.

So while walking and listening to that, I got an idea – with all the social websites and Web 2.0 communities there may be a realistic way to cut down the spam wave that is everywhere around us (it is estimated that over 80% of all email is spam).

Key ingredients of the solution are:
1) the owners of the zombie machines, who do not know about the “service” their PCs are providing. It is not easy to identify these machines and the owners may not know what to do
2) those who suffer the effects of the spam (and should be motivated to fix it) are the ISPs of these zombie users, because it is their bandwidth and their IP ranges that get blacklisted
3) those who would happily cooperate are all the people who hate spam (all of us, minus the spammers) and would not mind doing something – as long as participating is easy …

What I was thinking about is a Web site / Web service – something like where you can forward the spam you get, which ends up in your Junk folder or bounces back to your address. The service would analyze the headers and extract the IPs of the zombies – and keep building and maintaining the list. Extraction is not that hard and doable with a nice Perl/Python/Ruby script :-). After a while, it would lead to a list of IPs with an activity record attached to each (which would allow an IP to drop off the list) …

Now imagine that ISPs could register themselves and enter the ranges of their IPs. They would get back the subset of the zombie list residing in their own address space – and deal with them – for example notify users, ask them to download some malware removal program or even sell some additional service. It clearly must be the ISP that deals with the zombie owners, because they are the only ones who have access to their identity, and it is in their interest to limit the amount of bad things originating from their network. It is not only about spam – an infected machine that sends spam can as easily and likely be part of a DDoS attack, which is quite a different legal category of problem. Either way, in the end, the result would be fewer active zombies around.

If the really big email services such as GMail and Yahoo – or the big cable/DSL providers – would participate and supply their own filtered spam (or even a filtered list of zombie candidates), the database would IMHO start to provide valuable data very soon.
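The two pieces of the idea above – walking the Received chain to find the host that really injected a message, and handing each ISP the part of the zombie list inside its own ranges – fit in one script. The following is an added example written for this post, not Steve Gibson’s procedure verbatim and not code from the original page. The message, the mail server names and the ISP ranges are constructed for the demo (203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes, not real ISPs); the only real assumption is that you know the host names of your own mail servers, since those are the only Received headers you can trust.

```python
"""Find the IP that really injected a spam message, then bucket such IPs by
ISP address range.

Added example for this post; not code from the page. The message, the
server names and the ISP ranges below are constructed for the demo.
"""

import email
import ipaddress
import re

# Assumption: we know the MTAs we operate; only their Received headers are trusted.
TRUSTED_MTAS = {"mx1.example.net", "mx2.example.net"}

# Constructed message: the zombie at 203.0.113.77 connected straight to our MX
# and supplied two fake Received lines pretending the mail came via Yahoo.
SAMPLE_SPAM = """\
Received: from mx1.example.net (localhost [127.0.0.1])
\tby mx2.example.net with ESMTP id 9a1; Tue, 20 Mar 2007 10:01:02 -0400
Received: from smtp.yahoo.com (dsl-203-0-113-77.isp.example [203.0.113.77])
\tby mx1.example.net with SMTP id 8f0; Tue, 20 Mar 2007 10:01:01 -0400
Received: from web1.mail.yahoo.com (web1.mail.yahoo.com [66.163.170.1])
\tby smtp.yahoo.com with ESMTP id 7c3; Tue, 20 Mar 2007 09:58:00 -0400
Received: from [192.168.1.5] by web1.mail.yahoo.com; Tue, 20 Mar 2007 09:57:00 -0400
From: "Friend" <friend@yahoo.com>
To: victim@example.net
Subject: you have to see this

buy now
"""

_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Split one Received header into (helo_name, connecting_ip, by_host).

    The IP inside the parentheses is what the receiving server observed;
    the HELO name before it is whatever the client claimed.
    """
    m = _RECEIVED_RE.search(" ".join(header.split()))
    if not m:
        return None
    paren = m.group("paren") or ""
    ip_m = _IP_RE.search(paren) or _IP_RE.search(header)
    return m.group("helo"), (ip_m.group(1) if ip_m else None), m.group("by").rstrip(";")


def injection_point(raw_message, trusted=TRUSTED_MTAS):
    """Walk the Received chain top-down (newest header first).

    A header whose 'by' host is one of our own MTAs was written by us and is
    trustworthy; the last such header names the client that actually
    connected to us. Everything below it arrived inside the SMTP DATA and
    may be forged. Returns (injecting_ip, index_of_first_untrusted_header).
    """
    msg = email.message_from_string(raw_message)
    chain = [parse_received(h) for h in msg.get_all("Received", [])]
    ip = None
    for idx, hop in enumerate(chain):
        if hop is None or hop[2] not in trusted:
            return ip, idx
        ip = hop[1]
    return ip, len(chain)


# Constructed ISP registrations: name -> CIDR ranges the ISP entered.
ISP_RANGES = {
    "ExampleDSL": ["203.0.113.0/24"],
    "OtherCable": ["198.51.100.0/24"],
}


def zombies_for_isp(zombie_ips, isp_name, ranges=ISP_RANGES):
    """The subset of zombie_ips that falls inside the ISP's registered ranges."""
    nets = [ipaddress.ip_network(c) for c in ranges[isp_name]]
    return [ip for ip in zombie_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    zombie, cut = injection_point(SAMPLE_SPAM)
    print("injected by", zombie, "- headers from index", cut, "on are untrusted")
    print("ExampleDSL's share:", zombies_for_isp([zombie, "198.51.100.9"], "ExampleDSL"))
```

Note that the script does not try to spot the break by comparing “from” and “by” names across headers; a competent spammer will make the forged headers internally consistent. Anchoring on the servers you operate is the only reliable cut, and it is why the HELO name in the second header (smtp.yahoo.com) being contradicted by the reverse DNS next to it (dsl-203-0-113-77.isp.example) is merely a hint, while the trusted “by mx1.example.net” is the proof.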

What do you think ?

Security of the browsers


I have just finished listening to back-episode #38 of Security Now!, where Steve Gibson describes his approach to browsing the Web securely without antivirus and with Internet Explorer. The idea in a nutshell is – use properly locked-down IE zones. Steve has set the security settings of the default (Internet) zone to maximum: no scripting, no cookies etc. Which makes many sites unusable, of course, because an increasing number of sites require JavaScript to be enabled – or else the game is over.

For sites that do need scripting, Steve recommends adding them to the list of Trusted Sites EXPLICITLY, one by one, site by site. This way, only the sites you use and are interested in get any chance of running code within your browser.

This is a very good idea, but it has two weak points. The first is that it is an Internet Explorer and Windows-only technique. True enough – the combination of Windows users with IE defines the most virus/malware-prone group of the Net population, but many exploits impact Firefox users as well, and in Firefox the zone technique does not work. The second problem is that your list of trusted sites is machine specific. If you are using multiple computers, you will have to repeat the process of granting trust to your sites on each of them. I am afraid that few users will have the stamina to do it … Even with a single computer, it requires the patience of a saint.

As many times before: when there is a trade-off between security and convenience, guess what will win ?
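The second weak point above (the trusted list living on one machine) is the easier one to fix, because IE keeps both the zone settings and the site-to-zone map in the registry. The script below is an added example for this post, not Steve Gibson’s own procedure or code from the page: it disables scripting and ActiveX in the Internet zone and replays a plain text list of trusted hosts into the Trusted Sites zone, so the same list can be applied on every computer you use. It assumes Internet Explorer on Windows XP or later with per-user settings under HKCU (not overridden by group policy) and a file trusted-sites.txt, one host per line, that you keep with your other synced files; the registry value names 1400 (Active scripting) and 1200 (Run ActiveX controls and plug-ins) are IE’s documented URL action identifiers.

```powershell
# Added example for this post (not Steve Gibson's script, not code from the page).
# Assumptions: Internet Explorer on Windows XP or later, per-user settings in
# HKCU not enforced by group policy, and a text file trusted-sites.txt with one
# host name per line that you keep with your other synced/backed-up files.

$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-InternetZoneLockdown {
    # Zone 3 = Internet. 1400 = Active scripting, 1200 = Run ActiveX controls
    # and plug-ins. Value 3 = Disable (0 = Enable, 1 = Prompt).
    $zone = Join-Path $Base 'Zones\3'
    Set-ItemProperty -Path $zone -Name '1400' -Type DWord -Value 3
    Set-ItemProperty -Path $zone -Name '1200' -Type DWord -Value 3
}

function Import-TrustedSites([string]$Path = '.\trusted-sites.txt') {
    # ZoneMap\Domains\<host> holds a DWORD named after the scheme whose value
    # is the zone id; 2 = Trusted sites. Only https entries are written: the
    # Trusted Sites zone requires https by default, and a whitelist of sites
    # allowed to run code should not be reachable over plain http anyway.
    $domains = Join-Path $Base 'ZoneMap\Domains'
    Get-Content $Path | Where-Object { $_ -match '\S' } | ForEach-Object {
        $key = Join-Path $domains $_.Trim()
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'https' -Type DWord -Value 2
    }
}

function Export-TrustedSites([string]$Path = '.\trusted-sites.txt') {
    # Read the trusted hosts back out of the registry so a machine you set up
    # by hand can seed the list for the others. Top-level domain keys only;
    # nested subdomain keys such as Domains\example.com\www are not walked.
    $domains = Join-Path $Base 'ZoneMap\Domains'
    Get-ChildItem $domains |
        Where-Object { (Get-ItemProperty $_.PSPath).https -eq 2 } |
        ForEach-Object { $_.PSChildName } |
        Sort-Object |
        Set-Content $Path
}

# Usage: Export-TrustedSites on the machine you configured by hand, copy the
# file, then run Set-InternetZoneLockdown and Import-TrustedSites elsewhere.
```

Restart IE after running it; the zone map is read when the browser starts. The first weak point stands: none of this helps a Firefox user, who needs a per-site script-blocking extension instead.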

Evergreen Security Now!


I started listening to the Security Now! podcasts from the very beginning – sometime in summer 2005. Unlike some news-and-rumours podcasts that sound kind of weird if you listen to them a month later, this one has not lost a bit of its freshness. Even listening to the story of the Sony rootkit discovery again was very entertaining. I am now at the first “mod-4” Q&A podcast, number 16.

Every time I listen to Steve Gibson, one of two things happens. Either I learn something new, or I discover a new, better way to explain something I already knew about in a very nice, accessible way. Steve’s handling of the differences between WEP and WPA, his explanation of why MAC address filtering gives no security and his VPN coverage were excellent examples of the latter.

On the NAS building front: I have decided to go with a 4 SATA + 1 IDE configuration and keep all 4 SATA disks fully RAID-5-ed. I have not yet decided which distribution I will put on it. I will probably start with OpenFiler, but Ubuntu looks pretty good too and deserves a try. Btw, Peter is trying to convince me to use BIOS RAID and build a Windows 2003 server – but that is still Plan B. If time permits, I will move the yardstick on Saturday night. It may be delayed, because the biometric security project is quickly approaching the release phase and – as usual – time will be a precious resource.

How to recover lost Win XP password


If it ever happens to you that you need to restart an old computer which you have not logged on to for 2-3 months and you find out you have no clue what the password could be, do not panic. Exactly this happened to me yesterday. Fortunately I remembered reading something on Lifehacker a few days ago about a bootable CD which contains a live Linux distribution with the open source password cracking software Ophcrack. It runs from the CD only, does not touch your file system, only loads the local SAM and tries cracking the hashes. And boy, it works!

I downloaded and burned the ISO and rebooted the old Windows box. It had the password in less than 8 minutes. Then, just out of curiosity, I booted my Windows notebook, which I use for one of the projects, with the crack CD. On this notebook I use a fairly reasonable password, 9 characters, a combination of uppercase, lowercase and numbers, which is not a valid word in any language (to avoid dictionary attacks). About two minutes after boot and start, the notebook fan went to full speed, a clear signal that the 3.2 GHz Pentium 4 HT was working like crazy. The password was cracked in 18 minutes.

This thing is pretty scary, if you consider all possibilities.

The amazing free System Information utility for Windows


I found today something that (after a long time) made me say Wow! – and it had nothing to do with Apple or OS X. A simple small system management utility for Windows modestly named System Info, written by fellow Canadian Gabriel Topala (originally from Romania, but living in Toronto, as I found out from the resume on his web site).

So what is so fantastic about this program:

– it is small (a single file, 1.3 MB)
– portable, no installer required
– free (although the author welcomes donations and encourages registration)
– amazing depth. It gives you more information than you expected, often more than you were aware you could get!
The main (and only) window of the program has three panes:


The navigation tree contains three main nodes: Software, Hardware and Network.

Under Hardware you will find:

all disk information with free space, physical memory, all motherboard details (model, chipset, vendor, CPU type, socket, max speed), sensor information (CPU and disk temperature, voltage, fans), speed, BIOS maker and version, CPU information down to the feature flags. You can e.g. verify whether your CPU supports MMX instructions, virtual machine extensions or a processor serial number. Much more detail than you wanted to know on system slots, devices, network card, video card (including supported modes) and 3 screens’ worth of details on DirectX …

In Network portion:


you can see e.g. the ARP table, MAC addresses and IP addresses of computers around you, Windows shares, open ports (including the name of the program which owns them and the domain name of the remote host it connects to), and a wide variety of scans of the network neighborhood: FTP, HTTP, NetBIOS, SQL Server, Telnet, VNC, Oracle, RDP … you name it.



Because I am a software developer, it was the features in the Software subtree that made me say Wow! a few times. Let’s start with the details of Windows XP (btw, including all service pack info and all installed patches, showing file name, version, install date and, for many of them, the uninstall command). As added value, it reveals the serial number and Windows XP product key, which may come in handy in case you lost the sticker.

You get a list of all installed applications with description, version and uninstall command. This list is MUCH more complete and detailed than what you get from the Control Panel. For example, these are two entries for really old Java versions:

Name: Java 2 SDK Standard Edition v1.3.1_12
Versions: empty
Uninstall: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96539824-B716-11D7-88E8-0050DA21757E}\Setup.exe" -uninst

Name: Java 2 SDK, SE v1.4.2_03
Version: 1.4.2_03
Uninstall: MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142030}

The list was 278 entries long on my 3-year-old installation of XP.

The special section “Applications” shows much more information for a subset of the installed programs. “Much more” in many cases (like Microsoft Office) means showing the product keys, serial numbers and versions of the DLLs that belong to the package (e.g. the Visual C++ Runtime).

Very nice is the File association section, which shows you the name, path to the executable and extension of the owner of every registered extension, as well as all verbs (open, edit).

And now the killer feature: Processes. SI displays PID, executable name, version, description, parent PID, number of threads, priority, process creation time, lifetime, kernel/user time, size and full path to the executable. The Explore menu item from the context menu selects the executable in Finder, I mean Explorer. Clicking on a process shows all loaded DLLs in the lower panel (with path, version, description, handle). The Loaded DLLs view goes the other way: the upper panel shows all DLLs and after clicking on a DLL you can see the list of processes which loaded the DLL into their address space. Very interesting!

Extremely informative are also the sections Drivers and NT Services, audio/video codecs, registered ActiveX controls. What is also very useful is the list of all open files, including the name and path of the process which opened them. This way you can e.g. see that Skype has well over 30 files open even if you are logged off and inactive – just by sitting in the system tray … It is a very eye-opening exercise.

Sysadmins at heart will like the Groups and Users info: all details, including SID, last logon, when and whether the password will expire, group membership, on one clean page.

The tool allows a few interesting security hacks: “Secrets” lists all form auto-complete passwords (for both IE and Firefox). It can also help you reveal the “starred” password typed into a Windows password field, using the menu Tools->Eureka. From the Tools menu you can display all cookies, visited websites and the Internet file cache.

If you are a system administrator or have to keep a few Windows machines alive and in good shape, you will want this tool. Go and give it a try – you will be very surprised what it can do for you. And if you find it useful, consider a donation or registration – or at least try to help the author some other way (like spreading the word) – he deserves it!