Facebook domain type-in hack

2009/07/24

You know the drill: open browser, new tab, type ‘www.facebook.com’ and in a moment you can see which of your online buddies is up to something interesting. This is exactly what I did. Only I did not end up on the well-known Facebook page, but on something really fishy:

Picture 3

This is definitely NOT Facebook. How come I ended up on the ‘quiz.us’ site when I typed in http://www.facebook.com? Or did I? Let’s do it again:

Picture 2

Do you see the problem? It is the URL. Unlike the real http://www.facebook.com, it is http://www.facebok.com. Easy to overlook. Modern browsers make our life easier by suggesting domain names. And ‘facebok’ comes alphabetically before ‘facebook’. Which is more than enough to catch many lazy users, like myself.
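The near-miss described above (one dropped letter in an otherwise familiar host name) is easy to check for mechanically. The following is an added example, not code from the original post: it compares the host the user typed against a small allowlist of trusted domains using an edit distance that counts a dropped, added, substituted or swapped character as one step, and flags anything within two steps as a lookalike. The allowlist and the sample URLs are constructed for illustration.

```python
"""Flag typed host names that are near-misses of trusted domains.

Added example (not from the original post). The trusted list and the
sample inputs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the sites the user actually means to visit
# (this is the "trusted bookmarks" idea, expressed as data).
TRUSTED_DOMAINS = ["www.facebook.com", "mail.google.com", "www.amazon.com"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1. A dropped letter ('facebok')
    or a swapped pair ('faecbook') therefore scores 1."""
    prev_prev = None                     # row i-2 of the DP table
    prev = list(range(len(b) + 1))       # row i-1 (row 0 to start)
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev[j - 1] + cost)   # substitute / match
            # Adjacent transposition: a[i-1]a[i] == b[j]b[j-1]
            if (prev_prev is not None and j > 1
                    and ca == b[j - 2] and a[i - 2] == cb):
                cur[j] = min(cur[j], prev_prev[j - 2] + 1)
        prev_prev, prev = prev, cur
    return prev[len(b)]


def host_of(typed: str) -> str:
    """Normalise what the user typed into a bare lower-case host name."""
    if "://" not in typed:
        typed = "http://" + typed
    return urlsplit(typed).hostname or ""


def check_typed_url(typed: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain).

    'trusted'  : host is exactly on the allowlist
    'lookalike': host is within max_distance edits of a trusted domain
    'unknown'  : no resemblance; not necessarily bad, just not vetted
    """
    host = host_of(typed)
    if host in trusted:
        return "trusted", host
    best = min(trusted, key=lambda d: edit_distance(host, d))
    if 0 < edit_distance(host, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample inputs: the real site, the near-miss, and an unrelated host.
    for url in ["http://www.facebook.com", "http://www.facebok.com", "http://quiz.us"]:
        print(url, "->", check_typed_url(url))
```

A browser extension or a local proxy could run the same check before following an address-bar suggestion; the useful part is that it catches the class of mistake (one edit away from a site you trust) rather than a single hard-coded misspelling.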

These guys – quiz.us – were obviously not Facebook related and, judging by their pages’ behaviour, they were up to no good.

After clicking on ‘Skip this offer’ it opened another window and did several redirects and reloads.

Picture 4

The new window tried really hard not to let itself be closed easily. Annoying pop-ups, deliberate language to confuse OK and Cancel, more pop-ups.

Picture 7

Picture 5

The “company” is registered in Florida, US, as the WHOIS record told; it is named “Moniker Online Services” with technical contact ‘Moniker Privacy Services’. Not sure what they really are, but certainly what their pages try to achieve is a disservice to anybody’s privacy.

Lesson learned: use trusted bookmarks, do not click on combo box suggestions.

At least not while there are so many kinds of filthy internet vermin around. Facebook attracts so many new users who are not very experienced in the dirty tricks spammers, phishers and hackers use. Spread the word and help your friends avoid pages and companies in the business of phishing and deception.


Why it is probably bad idea to have Skype always on

2007/11/25

No, not because of the memory it takes or the CPU cycles burned (that does not really matter when you have a 4 GB notebook with a Core2Duo).

A few days ago, a good friend from the old country (well, technically not anymore, as he also moved within the EU) made me aware of the presentation “Silver Needle in the Skype” (the link points to a fairly large PDF file) by Philippe Biondi & Fabrice Desclaux.

To fully digest and comprehend the content requires way more time than I am willing to invest – and making meaningful arguments for or against its conclusions requires much deeper specialist knowledge. It is an interesting view into the deep internals of how Skype works and also provides very interesting references to tools available for this kind of exploration. I am not going to stop using Skype just because there is a chance that Skype could possibly be a backdoor or something not so innocent. There can, after all, be a perfectly honest reason for all the obfuscation and anti-disassembly measures – to protect the IP against competition. Or it can be in order to hide something else? We will probably never know.

But I am not letting Skype start as the machine boots anymore, and I shut it down after I am done with my call. In other words, you will not find me online on Skype very often :-).


Great solution for offsite backup

2007/10/25

I have been using it for over half a year now and have been very happy with it. After I heard Steve Gibson mention (and recommend) it today on Security Now!, I want to share my experience and add my vote of confidence.

The solution is the Amazon S3 service (Simple Storage Service), a fantastically affordable system to store your data securely on-line. You pay as you go – the size is unlimited and you are charged only for what you store and the bandwidth you consume. Fantastically affordable means 15 cents per gigabyte-month of storage and 10 cents per gigabyte transferred in / 18 cents per gigabyte transferred out, which drops to 13 cents if you use it more. This means that to store my approximately 30 GB collection of pictures I need to upload them first (for $3) and then pay $4.50 monthly for storage – plus the download traffic. But of course, I am not using it for the images, because I really need and like the nice album user interface which SmugMug provides. But to archive documents – this is just the perfect solution.

S3 is focused on developers and the service is accessible as a Web service. You can choose from many available implementations of their API – in Java, Python, Perl, C#, VB, Ruby – you name it. For non-programmers, there are client tools available that completely abstract the storage access and make S3 appear as just another drive. From the many clients available, I have selected (as Steve and Leo did) Jungledisk. Unlike some other services that try to stand between you and your storage, taking over not only the data flow but more importantly the money flow (and often charging a fat premium), the good guys at Jungledisk just want to sell you the client and let you pay only Amazon’s fees, directly to Amazon. The price for the client is just $20 – it is a no-brainer. For this price you get the client for all three major platforms (Mac, Linux, Windows) as well as the source code of the “engine” part of the solution – in case you want to access the same data through a UI or programmatically.

After installation, S3 will appear as another disc under Windows or as a network volume on OS X (I have not tried Linux – yet). Jungledisk contains a scheduler and can do automatic backups of defined parts of your disc to S3 – or you can use it for manual backup, as a very reliable and somewhat slower external disc.

The big issue with remote storage of sensitive documents is security: can you really trust a third party (even if that party is Amazon) with your precious data? I think this is for everyone to decide for themselves – but S3 comes pretty close to my definition of a secure-enough system and Jungledisk plays along very nicely. All traffic between you and Amazon is of course encrypted (SSL) and your data is stored encrypted as well, by default using a private key that Amazon provides you. This allows key recovery – but also allows (in theory) that someone on Amazon’s side could read your files. If you want, however, you can generate your own key pair and use it to encrypt the data – all you need to do is properly configure your Jungledisk client. Or if you are really paranoid, you can encrypt your data even before it gets to Jungledisk and Amazon – if you want to exchange convenience and ease of use for more security. In the last two cases, nobody on earth will be able to read your files – but if you lose your key, you will need a few million years to break it :-).

Give S3/JungleDisk a try – you may like it too …
PS: If you are curious about performance and want more than my subjective feeling of “very reasonable” – read this.

PPS: SmugMug actually *is* running on Amazon S3 – but because they use hundreds of terabytes of space, they were obviously able to get the storage at a wholesale price. The $59.95 / year SmugMug membership would buy you about 15-25 GB of S3 storage and reasonable usage. As most people have less than 15 GB of images, SmugMug can actually make some money and employ really talented designers.


The price of anonymity

2007/09/17

The combination of software allowing anonymous access to the Net, not too competent police officers and laws not quite ready for the 21st century can be very dangerous. According to this story, the operator of a Tor node was arrested by German police …

I am quite curious how a situation like this would be handled in Canada. First of all, would it happen? Would the RCMP be more technically up to date than the Deutsche Polizei? What defines the responsibility of the operator of a server that moves encrypted content? I am not crazy enough to try it out just to find out 🙂 – so no, I will not set up a Tor node (even if I do admire this cleverly designed piece of software).

Sometimes volunteering for a not-for-profit cause may cost you a lot – as Alex Janssen found out the hard way:

I was arrested. They scared my wife. They confiscated all my equipment. They stopped the investigation. I’m sitting on a pile of bills from my lawyer no one except me has to pay. I’ll sue for compensation, but I don’t think that this will lead anywhere.

What happened to “innocent until proven guilty”? Is there anything one can do to help stop traps like this?

Actually, there is. Spread the word.


Limits of virtualization

2007/07/16

It’s been over 10 months since we started to seriously use virtualization and run Windows inside a virtual machine to ease installation and configuration pain. It started as a convenient way to isolate two different development environments (.NET 1.1 based and .NET 2.0 based) and avoid “cross-pollination” in the data analytics project. At that time, my expectations of where the limits of what you can or cannot do in a virtual environment would lie were mostly around performance, responsiveness and device support (USB especially). As it turned out, all of that actually worked much better than I had ever expected. With the new versions of Parallels, the performance is very good and the user experience (user means fellow developer) is a barely noticeable difference against developing on the host system. Assuming that you have a decent dual-core system with 2 GB of RAM, of course. Using Parallels gives you the added benefit of moving the virtual environment between Windows, Mac and Linux hosts, which is very convenient.

We have also started to use virtualization on the server side, using Microsoft Virtual Server 2005 R2, and I am happy to report that it worked very smoothly as well. In the biometric project, we were running UA testing on a circuit of 5 instances of replicated SQL Servers, each server using its own virtual machine. The circuit was hosted on two quad-core (2x dual core) servers with 4 GB RAM each. Using virtual machines allowed us to achieve repeatability and consistency in configuration when setting up the environment – we cloned one install and renamed the VMs’ hosts.

And here comes the catch: because it is very easy to copy a virtual disk in order to test some new software, plugin or configuration, after some time we ended up with quite a collection of virtual machines and experienced the first limit of virtualization: configuration management. It is pretty hard to keep exact track of what exactly is installed in which VM – what version of which software, what the network settings, user accounts and access rights are. It can easily lead to an administrative nightmare and can require effort comparable with managing an environment of hundreds of computers (it essentially is that environment). In a development shop like ours you can cheat a bit and standardize on the same usernames and passwords for each VM, but it is not very secure and hardly a recommended approach for production …

The second limit we have seen is the Windows update effect. The VMs which represent “alternative universes” seldom run at the same time. With Windows updates coming almost daily, the first thing that happens after you get back to using a VM which was sitting idle for 3 months is the installation of 37 updates, interwoven with 7 reboots. A pretty time-consuming and boring activity. If you are a math geek, you can define a function that computes the number of wasted hours from the number of VMs, their inactivity and the frequency of security updates – and find out how many VMs you should own so that all your working hours would be consumed by switching the VMs on / off and waiting for the updates to finish …

There is no really 100% good solution for this. Running all VMs all the time is not practical and switching the updates off completely is dangerous. Again, in a development shop you can (and should) batch the updates and update in “waves” – it will still consume time, but at least the “patch level” of the VMs will be consistent and you will save some time by merging some reboots. And it is not only Windows updates that cause problems: keeping e.g. versions of assemblies installed in the GAC (or Ruby gems) in sync across multiple virtual machines can be a challenge too.

The third challenge is licensing and license management. I do not mean the legal side of software licensing related to running software in VMs – just the pure technical implications of doing it. Many software products and subscription-based services use tracking of client requests to enforce only the allowed number of client installs. For example an anti-virus, which must download a new library version almost daily, can use the “get update” request and the current client version as a means to track that only the licensed number of clients are getting the updates with the same license id. It can get quite confused when you repeatedly roll back the VM state and return to the starting point of two weeks ago – or alternate over time between running two different snapshots of the same VM. Even if there is never more than a single instance of the VM running at the same time with the licensed version of the software – and only one licensed copy was ever installed, it is very hard to distinguish this from the situation where a second (illegal) copy of the software was installed on a second host – virtual or not. I can imagine this will lead to some quite interesting challenges on both the technology and legal sides …


Walking season … and SPAM

2007/03/31

Today I started the walking season 2007. I did some gentle preparation during the week – a few short, 4-5 km strolls around the neighbourhood, but it was today that I really started. It was a beautiful day in Ottawa – sunny, temperature around 8-10, so I took off and did a 12 km loop through Westboro, down south and around Dow’s Lake up to downtown. Just fantastic. The companion on the road was Security Now! – I was a few episodes behind, but I managed to listen to almost 3 full episodes.

An interesting one was about spambots – a fleet of remotely controlled zombies that are used to send out spam. Conservative estimates are that of around 600 million PCs, about 150 million are infected zombies – without their owners’ knowledge or consent, of course.

Steve was speaking about how to detect from the email headers that an email was spoofed. Basically, what you need to investigate is where the chain of Received headers, which contain the IP address of the sender, is broken – that determines the point where the spammer connected to some SMTP server and sent out the message; all other headers beneath it can be spoofed. I know this is not the best explanation, but it is pointless to rephrase what Steve explained very nicely – listen here or read the notes.

So while walking and listening to that, I got an idea – with all the social websites and Web 2.0 communities there may be a realistic way to cut down the spam wave that is everywhere around us (it is estimated that over 80% of all email is spam).

Key ingredients of the solution are:
1) the owners of the zombie machines, who do not know about the “service” their PCs are providing. It is not easy to identify these machines and they may not know what to do
2) those who suffer the spam effects (and should be motivated to fix it): the ISPs of these zombie users, because it is their bandwidth and their IP ranges that get blacklisted
3) those who would happily cooperate: everybody who hates spam (all of us, minus the spammers) and would not mind doing something – as long as participation would be easy …

What I was thinking about is a Web site / Web service – something where you can forward the spam you get which ends up in your Junk folder or bounces back to your address. The service would analyze the headers and extract the IPs of zombies – and keep building and maintaining the list. Extraction is not that hard and doable with a nice Perl/Python/Ruby script :-). After a while, it would lead to a list of IPs with an activity record attached (which would allow an IP to drop off the list) …

Now imagine that the ISPs could register themselves and enter the range of their IPs. They would get back the subset of the zombie list residing in their own address space – and deal with them – for example notify users, ask them to download some malware removal program or even sell some additional service. It clearly must be the ISP that deals with the zombie owners, because they are the only ones who have access to their identity, and it is in their interest to limit the amount of bad things originating from their network. It is not only about spam – an infected machine that sends spam can as easily and likely be part of a DDoS attack, which is quite a different legal category of problem. Either way, in the end, the result would be fewer active zombies around.
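The header analysis Steve described and the extraction script mentioned two paragraphs up can be shown in one piece. The following is an added example, not code from the original post or from Security Now!: it walks the Received headers of a message from the top (the hop our own server wrote) downwards, stops at the last hop written by a relay we trust, reports the connecting IP recorded in that hop as the injection point, checks whether the hop beneath it is even consistent with it, and finally buckets a list of such IPs by the address ranges an ISP has registered. The relay names, ISP ranges, IP addresses (RFC 5737 documentation ranges) and the sample message are all constructed.

```python
"""Find where a spam message's Received chain breaks and which IP connected.

Added example (not from the original post). Host names, IPs (RFC 5737
documentation ranges) and the sample message are all constructed.
"""
import email
import ipaddress
import re
from collections import defaultdict

# Constructed: mail servers whose Received headers we wrote ourselves (or
# that a trusted upstream relay wrote), so we believe their "from" part.
TRUSTED_RELAYS = {"mail.example.org", "mx.example.net"}

# Constructed: ISPs that "registered" their address ranges with the service.
ISP_RANGES = {
    "isp-a": [ipaddress.ip_network("198.51.100.0/24")],
    "isp-b": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample. Newest Received header is on top; the bottom one was
# supplied by the sender and claims a hop that never happened on our side.
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sat, 31 Mar 2007 10:00:01 -0400
Received: from mail.bigbank.example (unknown [198.51.100.23])
\tby mx.example.net with SMTP id def456; Sat, 31 Mar 2007 10:00:00 -0400
Received: from smtp.bigbank.example (smtp.bigbank.example [203.0.113.5])
\tby relay.bigbank.example with ESMTP id ghi789; Sat, 31 Mar 2007 09:59:00 -0400
From: "Big Bank" <alerts@bigbank.example>
To: victim@example.org
Subject: Your account

Please verify your account.
"""


def parse_hop(value):
    """Pull (from-name, from-IP, by-host) out of one Received header value."""
    value = " ".join(value.split())          # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    # The bracketed IP before "by" is the address the receiving server saw.
    head = value[: m_by.start()] if m_by else value
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(";") if m_by else None,
    }


def find_injection_point(raw_message, trusted=TRUSTED_RELAYS):
    """Walk the chain top-down (newest first) and stop at the last hop written
    by a relay we trust. Its 'from' IP is the host that really connected;
    every hop beneath it came from the sender and may be forged."""
    msg = email.message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    last_trusted = None
    for idx, hop in enumerate(hops):
        if hop["by"] not in trusted:
            break
        last_trusted = idx
    if last_trusted is None:
        return None                          # nothing we can vouch for
    hop = hops[last_trusted]
    nxt = hops[last_trusted + 1] if last_trusted + 1 < len(hops) else None
    # Consistent only if the untrusted hop below claims to have been written
    # by the very host our trusted relay saw connecting.
    consistent = nxt is None or nxt["by"] == hop["from"]
    return {"ip": hop["ip"], "claimed_name": hop["from"],
            "trusted_hops": last_trusted + 1, "chain_consistent": consistent}


def zombies_by_isp(injection_ips, isp_ranges=ISP_RANGES):
    """Group injection IPs by the registered ISP range they fall in, so each
    ISP receives only the part of the list inside its own address space."""
    out = defaultdict(list)
    for ip_str in injection_ips:
        ip = ipaddress.ip_address(ip_str)
        for isp, nets in isp_ranges.items():
            if any(ip in n for n in nets):
                out[isp].append(ip_str)
    return dict(out)


if __name__ == "__main__":
    result = find_injection_point(SAMPLE_SPAM)
    print("injection point:", result)
    print("per ISP:", zombies_by_isp([result["ip"], "203.0.113.77", "192.0.2.99"]))
```

The important design point is that the trust decision is made on the "by" host, not on anything the sender wrote: a spammer can put a perfectly consistent fake chain beneath the injection point, so the consistency flag is extra evidence, never the primary test. An IP that never falls into a registered range (192.0.2.99 above) simply stays on the global list until an ISP claims it.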

If the really big email services such as GMail and Yahoo – or big cable/DSL providers – would participate and supply their own filtered spam (or even a filtered list of zombie candidates), the database would IMHO start to provide valuable data very soon.

What do you think?


Security of the browsers

2007/03/06

I have just finished listening to back-episode #38 of Security Now!, where Steve Gibson describes his approach to securely browsing the Web without antivirus and with Internet Explorer. The idea in a nutshell is – use properly locked-down IE zones. Steve has modified the security settings of the default (Internet) zone to the maximum: not allowing any scripting, cookies etc. Which makes many sites unusable, of course, because an increasing number of sites require JavaScript enabled – or else the game is over.

For the sites that do need scripting, Steve recommends adding them to the list of trusted sites EXPLICITLY, one by one, site by site. This way, only the sites you use and are interested in will get any chance of running code within your browser.

This is a very good idea, but it has two weak points. The first is that it is an Internet Explorer and Windows only technique. True enough – the combination of Windows users with IE defines the most virus/malware-sensitive group of the Net population, but many exploits impact Firefox users as well, and in Firefox the zone technique does not work. The second problem is that your list of trusted sites is machine specific. If you are using multiple computers, you will have to repeat the process of granting trust to your sites on each of them. I am afraid that few users will have the stamina for doing it … Even with a single computer, it requires the patience of a saint.
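The second weak point (the trusted-site list living on one machine) can be softened by keeping the list as data and generating the registry import from it. The following is an added example, not code from the original post or from Security Now!: it writes a .reg file that assigns each listed host to the Trusted sites zone under the per-user ZoneMap key Internet Explorer uses (zone 2 = Trusted sites, 4 = Restricted sites). The site list is constructed; the registrable-domain split is a deliberate two-label simplification that does not handle suffixes such as co.uk.

```python
"""Export an IE trusted-sites list as a .reg file that can be imported on
every machine the user works on.

Added example (not from the original post). The site list is constructed;
the registry path and zone numbers follow IE's ZoneMap layout.
"""
ZONE_TRUSTED = 2
ZONE_RESTRICTED = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")


def zonemap_key(host: str) -> str:
    """IE stores 'www.example.com' as Domains\\example.com\\www: the
    registrable domain is the key and any further labels become a subkey.
    Simplification: the last two labels are taken as the registrable domain,
    which is wrong for suffixes like co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a host name: {host!r}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    path = f"{ZONEMAP}\\{domain}"
    return f"{path}\\{sub}" if sub else path


def reg_export(sites, zone: int = ZONE_TRUSTED, schemes=("https",)) -> str:
    """Build the text of a .reg file assigning every host in `sites` to
    `zone` for each scheme ('https' only by default; add 'http' to also
    trust the plaintext site, or use '*' for any scheme)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in sites:
        lines.append(f"[{zonemap_key(host)}]")
        for scheme in schemes:
            lines.append(f'"{scheme}"=dword:{zone:08x}')
        lines.append("")
    return "\r\n".join(lines)          # .reg files are CRLF text


if __name__ == "__main__":
    # Constructed list of the sites this user actually needs scripting on.
    trusted_sites = ["www.example.com", "mail.example.net", "bank.example.org"]
    print(reg_export(trusted_sites))
```

Keep the list in version control or a synced folder, regenerate the file when it changes, and import it on each machine; the Internet zone stays locked down and the per-machine work shrinks to one double-click. The same generator with `zone=ZONE_RESTRICTED` produces a blocklist in the same format.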

As many times before: when there is a trade-off between security and convenience, guess what will win?