Digital Choke Daynotes
"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (http://www.daynotes.com or http://www.daynotes.org), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.
Sunday, February 1, 2004

Here it is February already. One of the hardest months to spell. Must remember to think about a present for Valentine's Day, to prevent trouble on the home front.

The usual Sunday morning meetings, along with helping another person with the membership records on the church computer. Then the usual block of meetings, with interesting discussions. By the time all that was done and I got home, the big football game was heading towards halftime. Christine and family came by earlier (their church schedule finishes earlier than mine). The women and children were upstairs watching "Nemo", and Jared and I stayed downstairs to watch the game. Although the game started off slowly (a defensive game, judging by the lack of scoring), it ended up with a good, last-minute finish.

There were some good commercials during the game, although I am too tired to think of any right now. Besides, you'll read all about it in other places. And the half-time show was a bit racy, but what would you expect with whom they invited. We had dinner during that part (stew and homemade rolls), so didn't pay any attention to it.

Other than that, the usual Sunday fare, as both of my regular readers will tell you. I did spend some time adding the weekly total visit counter to the 'index' and 'current' pages. I may work on adding a 'year-to-date' counter this week.

A visit to the doctor tomorrow, along with the usual stuff at work. A couple of meetings, including an 'all the network administrators in the company' meeting. That's the meeting where we all agree to some standards and practices, then everyone goes back to their department and does their own thing. Sigh. I am hoping that the new temporary CIO, along with the recent experiences of network damage (including a minor virus attack), will put some more teeth into a company-wide enforcement of policies. We shall see.

Monday, February 2, 2004

It's late, so just a couple of links. (After the minor correction two paragraphs back ... the counter is already the total number of visits.)

First, get the update from Microsoft. It will fix the 'fake URL' bug (you can test it here), and two other important problems with IE 5x and 6x. Here's the information released from the new "US-CERT" user mail.

Earlier today Microsoft released patches for Internet Explorer versions 5.01, 5.5, and 6.0. This cumulative patch replaces the one that is provided by Microsoft Security Bulletin MS03-048. The Bulletin is located at:

    http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp

It is reported that this update eliminates a vulnerability in the cross-domain security model, a vulnerability involving drag-and-drop operations during dynamic HTML (DHTML) events, and the vulnerability involving URL parsing which contains special characters. Each of these vulnerabilities is rated at either Critical or Important for any version of Windows previous to Windows Server 2003. They are listed as Moderate or Important for Windows Server 2003.

In addition, the basic authentication features of Internet Explorer have been modified to remove handling user names and passwords in HTTP, HTTPS, and XMLHTTP URLs. This change may have a dramatic effect on end-users that may be bookmarking or otherwise storing their passwords as part of the URL. Though this change does improve security, end users may complain about the loss of this ability.

For more information on the URL Parsing vulnerability please see:
http://isc.sans.org/diary.html?date=2003-12-23

I found this link on Dan Seto's pages (one of my regular daily stops); it's quite clever.

Elemental Condimentum: For you chem or physics majors out there, herewith is the "Table of Condiments that Periodically Go Bad."

Tuesday, February 3, 2004

I spent the day at home today due to some minor intestinal distress (but not as bad as what John D reported a while back). I just needed to stay near the porcelain facility the first part of the morning. The rest of the morning I was OK, so I was able to handle some information requests at work via email.

I spent a little bit of time this evening trying to get my laptop to find the desktop in the office. This used to work, but stopped for some reason. I can PING the desktop (and vice versa), the ZoneAlarm firewall logs on both look OK, and I can print to the printer that is attached to that desktop computer, but still can't see the file system. I'll figure this out, eventually.

I made some minor changes to this page (background stuff), mostly relating to the counter value. I also made a private page that quickly shows the counts for these pages and the Digital Choke story. It's all done with a simple PHP program that I got from Greg Mazin. I may need to dig into that program a bit to find a way to track visitor counts, rather than page hits. Webalizer does that nicely, of course, but I want to try other options. I'll also figure this out, eventually.

Tomorrow will be busy. A user security presentation in the morning, a meeting or two, and the monthly meeting with all the company's network administrators. Some interesting topics will be presented. We'll have to see if there is any real action (and commitment) from the group.

Wednesday, February 4, 2004

I mentioned the other day the Microsoft fix for the 'fake URL' problem (follow that link to my test page that will demonstrate it; as is usual here, links open new browser windows). It is a pretty serious problem, as evidenced by several email 'phishing' attempts, including the one that was supposed to be from the FTC. (For information and samples of 'phishing', see the "Anti-Phishing" site.) Most of the phishing attempts involve financial sites (like banks), and they try to get you to enter your credit card number, PIN, Social Security #, your mother's maiden name, etc. Once you enter that information and send it along, you can guarantee that someone will start draining your credit line (and possibly hijack your entire financial identity) within a couple of hours.

The latest example of phishing that involves fake URLs is the email you get telling you that your credit card has been charged for access to an adult site. If you click on the link, you are asked for your credit card number, etc. Some of the bank scam sites use the fake URL vulnerability; there have been a lot of them in just the past month.

So, Microsoft issued a fix this week to prevent that particular technique. If you apply the fix, my test page will prove that the problem is fixed. (Note that the problem only applies to Internet Explorer, all versions. Other browsers don't have this particular problem.) The fix involves how IE 'parses' (takes apart) an address, especially one that has an "@" sign in it.

There is a way to include a user name and password in a URL. It would look something like:

http://username:mypassword@www.somecompany.com/signin.html

IE treats the part after the "at" sign as the actual place to go. A specially crafted URL puts a trusted-looking web address before the "at" sign, followed by a couple of unprintable characters that hide the rest of the link. The address bar then shows the web address before the "at" sign, while you are actually sent to the web site that is after it. (Try my test page to see what happens.)
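Here is the trick in working code, as an added example of mine (not code from the original page, from Microsoft, or from any phishing kit). Node.js's built-in URL parser splits a link the way a patched browser does, everything before the "@" into userinfo and only the part after it into the host, so the script shows where a decoy link really leads, and a small check flags any link whose userinfo looks like a hostname or hides control characters. The sample mail body and every hostname in it (www.somebank.com, evil.example) are constructed for the example; only the username:mypassword link is the one from the text above.

```javascript
// Added example: how a "decoy@realhost" link misleads a reader, and a
// pre-click check for it. Run with: node fakeurl.js
// Assumptions: Node.js with the WHATWG URL class; hostnames are made up.

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;          // the "unprintable" characters
const LOOKS_LIKE_HOST = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;   // e.g. www.somebank.com

// Decode percent-escapes so "%01" and a literal \u0001 are treated the same;
// a malformed escape is left as-is instead of throwing.
function decodeUserinfo(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function analyzeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, valid: false };
  }
  // The parser has already done the hard part: url.hostname is where the
  // browser will really go, url.username/password is everything before "@".
  const userinfo = decodeUserinfo(url.username) +
    (url.password ? ":" + decodeUserinfo(url.password) : "");
  const decoy = userinfo.split(CONTROL_CHARS)[0];     // what a reader sees before the hidden part
  const hasUserinfo = userinfo.length > 0;
  const hostLikeUserinfo = hasUserinfo && LOOKS_LIKE_HOST.test(decoy);
  const hiddenChars = CONTROL_CHARS.test(userinfo);
  return {
    href,
    valid: true,
    realHost: url.hostname,
    apparentHost: hostLikeUserinfo ? decoy : url.hostname,
    hasUserinfo,
    hostLikeUserinfo,
    hiddenChars,
    // A decoy that looks like a hostname, or hidden characters in the userinfo,
    // is the phishing pattern; ordinary credentials in a link are not flagged.
    suspicious: hostLikeUserinfo || hiddenChars,
  };
}

// Pull every href out of an HTML mail body and check each one.
function findSuspiciousLinks(html) {
  const results = [];
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) {
    const r = analyzeLink(m[1]);
    if (r.valid && r.suspicious) results.push(r);
  }
  return results;
}

// Constructed sample phishing mail (not a real message); the first link is the
// decoy, the other two are ordinary links.
const SAMPLE_MAIL = `
<p>Your card has been charged. To dispute the charge, sign in at
<a href="http://www.somebank.com%01@evil.example/signin.html">www.somebank.com</a>.</p>
<p>Other links: <a href="http://www.somebank.com/signin.html">sign in</a>,
<a href="http://username:mypassword@www.somecompany.com/signin.html">intranet</a></p>
`;

for (const r of findSuspiciousLinks(SAMPLE_MAIL)) {
  console.log(`looks like ${r.apparentHost}, actually goes to ${r.realHost}: ${r.href}`);
}
```

The check deliberately leaves plain credentials (the username:mypassword link) alone and only reports decoys, which is the same line Microsoft's patch drew by refusing the whole userinfo form. Note that the check, like the patch, only helps when what the user is shown is the parsed host rather than the raw link text.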

So, to review. There is a problem with these bad links. It's being used by phishers to get credit card info. Everyone yells at Microsoft to fix it. Microsoft fixes it with a patch. All is well.

Except.

Some web programmers have used the username/password in the URL as part of a login process. Not very secure, since anyone with a sniffer can catch your username/password, and the password also sits in plain text in every bookmark and browser history entry that holds the link. Sloppy programming practice, actually. So these sloppy programmers are complaining that Microsoft broke their program. Not that they are sloppy programmers for not having a secure login screen. Not that their users have a risk of their user name and password being exposed. Just that Microsoft broke their web page.

Now, you might wonder what brought on this tirade. I read this article: http://www.msnbc.msn.com/id/4165095/ about how the Microsoft fix is breaking lousily programmed web pages. And this last part is what got me angry.

"All of a sudden, you come in one day, and things aren't working anymore, because (Microsoft has) determined that a way they are doing things is not secure," he said. "There should be an opt-in system for that."
After looking at the options, Angus Systems will likely have to reverse Microsoft's security move by giving people a registry update to turn off that part of the patch, Aisa said.

Now, that's a good solution. Cover up your bad programming with an option that turns off security on a customer's computer. Good plan. As Snagglepuss says "Sheesh!"

On to other things.

John D.'s having problems with his computer; he details it on his posts the past couple of days (start here). It looks like a virus/worm infection, because he has some open ports that aren't supposed to be there. The port number suggests an infection by the "Blaster" worm that somehow got into his system. The worm is already there, so his scanning for an infected file didn't find it. At least the scanners that he used.

So I sent John some advice. It may be that he has already done those things, since he's a pretty sharp computer dude. I think that there are some leftover pieces of Blaster on his system that his virus scanner (Norton) can't find. There are some total Blaster removal tools (Network Associates has one called "Stinger"). And Microsoft came out with a "Blaster Removal Tool" a couple of weeks ago. If you have done your Windows Update regularly, you've probably already got it. My theory (which again may be totally wrong) is that if John uses the "Stinger" tool along with the Windows Update, he should be able to get rid of his problem. Since John sometimes stops by, I thought I would share it here, as well as via an email to him. His late Wednesday post seemed to indicate that he was going off-line for a while. (I hope not, his pages are even better than mine. Way better, actually.)

This is today's lesson (a repeat from past lessons). Three things you can do to your computer to make it safe. Windows Update, Anti-Virus updates, Firewalls. All of this described at www.microsoft.com/protect . Go there and do it. Then help your friends and relatives to do it.

Thursday, February 5, 2004

The discussion about bad programming practices continued here on Dr. Jerry Pournelle's site (always a great place to go, BTW). One of his readers took exception to my warning to Dr. Pournelle, which he posted today. I sent off a reply; I may have gotten a bit carried away in my judgment, but I think that the basic concept is still true. There are several 'stupid programmer tricks' around; one of them is the practice explained above (the short version is the one I sent Dr. Pournelle).

As a guy who thinks about computer security every day (and night), this type of stuff bugs me. There are enough people out there that can be fooled by a well-crafted 'phishing' email or web site. It can be quite lucrative to the phisher, and damaging to the phishee. Identity theft is very damaging, and expensive to fix. The more that we can do to make things more secure, the better. And educating the users is also important. Help out the 'newbie', don't make fun of them. Go forth and share your knowledge.

Today went fast, not sure how it did. But I worked on a few miscellaneous projects, along with some overall planning.

After work, we met Christine/Jared and children for dinner at Mel's Drive In. It was a birthday celebration for Joelle, who turns four tomorrow. We had a nice visit, although it was a bit hard to eat dinner with two grandkids on my lap.

After a bit of shopping, we picked up the car from the local Toyota place. One of the bolts in the driver's seat broke, so it needed to be replaced. The bolt cost $1.11. The labor to install it was $130. That might seem high, but it is a bit time-consuming to take apart the seat to get to the bolt, which had sheared off. We also had a defective seat belt in the back replaced; it didn't retract anymore. That part cost $130, but only $65 to replace. But, we have minimal complaints. The car has been very reliable (it's a 98 Toyota Camry), and is currently at 130K miles. The only other major expense was replacing the timing belt. The usual tires and brake work and oil changes. So, we're not complaining. We expect the car to last at least another year. At least until Stacy gets out of college.

And, I fixed a couple of links around here that Brian C (official unofficial editor and apostrophe checker) found.

Now, go out and help your neighbor with their computer.

Friday, February 6, 2004

Let's tackle a different subject -- spam.

If you are one of my two (maybe three now) regular readers, you might recall that I am an information security officer for a local government agency. Among my duties over the past year was to set up a process to deal with all the spam and offensive mail that is delivered every day into our mail system.

At work, we process about 50,000 messages a day, about 70% are incoming. About a year ago, we put into place an email filtering system from SurfControl. They are one of the top three (maybe two) providers of mail filtering software.

If you aren't familiar with how mail filtering software works, we can digress a bit for a short lesson. Two main techniques are used: known spammers (also known as black lists) and message analysis. For black lists, the vendor maintains a database of known spammers and spam message content. These lists are available from several sources, including submissions by the users of SurfControl. If we get a spam message, we can send it to them, and they analyze it (along with other submissions) and determine whether to add the sender and the message content to the database. SurfControl calls this use of known spam content an 'agent'. The agent can analyze a message and determine the category of the message. The category could be shopping, gambling, adult, etc.

The other technique is an analysis of the words in a message. SurfControl supplies several different categorical dictionaries. A 'gambling' dictionary would contain gambling-type words. Each word in the dictionary is assigned a value from 1 to 100. The more a word is a gambling term, the higher the score for that word.

So SurfControl has two ways to analyze a message: agent analysis (based on known spam content or sources), and dictionary analysis of the words in a message.

You then create rules that use these two techniques to determine if a message is spam. You might have a no-gambling rule that specifies that if a message has a total score of 300 or more (using the gambling dictionary), it is probably gambling spam, and should not be delivered. You might decide to quarantine the message for a period of time just in case it's a valid mail message. Or a shopping agent rule might recognize a known sender of shopping spam and you could isolate that message.

Those are the two main ways to analyze a message. The SurfControl program also lets you analyze a message based on the sender, receiver, attachments, and other ways. (You can get a bit more information on their site. Remember that our usual practice is for links to open up new windows.)
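To make the two techniques concrete, here is a miniature mail filter as an added example of mine; it is not SurfControl's code and does not show how their product is built. It has an "agent" style list of known spam senders and known spam phrases, a weighted gambling dictionary scored the way described above (each word worth 1 to 100, totalled over the message), and an ordered rule list that blocks, quarantines or delivers. The dictionary words and weights, the 300 threshold, the sender addresses and all four sample messages are constructed for the example.

```javascript
// Added example: agent list + dictionary scoring + rules, in the style of the
// filtering described above. Run with: node spamrules.js
// Assumptions: all dictionaries, weights, thresholds, addresses and messages
// are made up for illustration.

// Category dictionary: word -> score 1..100 (higher = more clearly a gambling term).
const GAMBLING = {
  casino: 90, blackjack: 85, jackpot: 80, poker: 60,
  bet: 40, odds: 30, bonus: 20, win: 15, free: 10,
};

// "Agent" style data: senders and content already reported as spam.
const KNOWN_SPAM_SENDERS = new Set(["deals@casino-promo.invalid"]);
const KNOWN_SPAM_PHRASES = ["you have been pre-approved"];

function tokenize(text) {
  return text.toLowerCase().match(/[a-z][a-z'-]*/g) || [];
}

// Sum the weights of every dictionary word in the text; a repeated word counts
// again each time it appears, so long spammy messages score higher.
function dictionaryScore(text, dictionary) {
  const hits = {};
  let score = 0;
  for (const word of tokenize(text)) {
    if (Object.prototype.hasOwnProperty.call(dictionary, word)) {
      score += dictionary[word];
      hits[word] = (hits[word] || 0) + 1;
    }
  }
  return { score, hits };
}

// Returns why the agent list matched ("sender" or "content"), or null.
function agentMatch(message) {
  if (KNOWN_SPAM_SENDERS.has(message.from.toLowerCase())) return "sender";
  const text = `${message.subject} ${message.body}`.toLowerCase();
  if (KNOWN_SPAM_PHRASES.some((phrase) => text.includes(phrase))) return "content";
  return null;
}

// Rules are checked in order; the first one that matches decides the action.
const RULES = [
  { name: "known-spam-agent", action: "block", test: (m) => agentMatch(m) !== null },
  { name: "gambling-score-300", action: "quarantine", test: (m, scores) => scores.gambling >= 300 },
];

function classify(message) {
  const text = `${message.subject} ${message.body}`;
  const scores = { gambling: dictionaryScore(text, GAMBLING).score };
  for (const rule of RULES) {
    if (rule.test(message, scores)) {
      return { id: message.id, action: rule.action, rule: rule.name, scores };
    }
  }
  return { id: message.id, action: "deliver", rule: null, scores };
}

// Constructed sample messages (not real mail).
const SAMPLE_MESSAGES = [
  { id: 1, from: "deals@casino-promo.invalid", subject: "Weekly casino bonus",
    body: "Double jackpot weekend." },
  { id: 2, from: "promo@unknown.invalid", subject: "FREE casino bonus",
    body: "Play blackjack and poker at our online casino. Hit the jackpot and win big. " +
          "Bet now, the odds are in your favor!" },
  { id: 3, from: "colleague@agency.invalid", subject: "Friday lunch",
    body: "Bet you can't guess where we're going. Odds are it's the taco place again, " +
          "and I win if it is." },
  { id: 4, from: "offers@cards.invalid", subject: "Good news",
    body: "You have been pre-approved for a platinum card. Reply today." },
];

function filterSample() {
  return SAMPLE_MESSAGES.map(classify);
}

for (const r of filterSample()) {
  console.log(`#${r.id}: ${r.action} (${r.rule || "no rule"}, gambling score ${r.scores.gambling})`);
}
```

Message 3 is the reason a threshold is needed rather than a single forbidden word: "bet", "odds" and "win" in an ordinary lunch note only add up to 85, while the real pitch scores well over 300. Tuning the weights and the threshold against a sample of caught mail, as described above, is what keeps the two apart.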

During the preliminary phase of setting up the mail filter, I used their base set of rules, and modified them a bit for our needs. Every message was analyzed, and copies of possible spam messages were placed in a holding area. The original message was delivered. (I should note that our email use policies, and related information system policies, tell our users that all network traffic is scanned and that all use of company-owned equipment is monitored. These policies have been accepted by all users as a condition for using the network. And they keep us from violating several federal and state laws. You can find more about that important issue in my "Is that a felony in your computer?" report.)

So I spent quite a bit of time looking at a sampling of messages that were caught by a filtering rule. That helped a lot as I tweaked the rules to match our business needs. (Although I did learn way too much when I had to analyze the anti-adult message rule.)

I've been keeping track of the spam-catching statistics at our system. Our spam-catching rate averages about 35% of all messages. This is a bit lower than the spam vendor's statistics, which I think are a bit inflated. But there is a lot of spam out there, as you probably know.

There have been a lot of theories on how to stop spam -- even slowing it a bit would be nice. They range from blocking lists, to charging for messages sent over a certain number, to hacking attacks against the spammers, to a redesign of the entire email system. And there has been legislation.

I am not sure of the answer, but I found an interesting new idea.

It's based on the premise of "Follow the Money". (I first saw this idea in a story "Wired News".)

Spammers are hard to catch and block. They keep moving around, using new email addresses and new techniques and new content. They are a moving target.

But all of them are trying to sell something. And to sell something, they have to collect money. So, go after the businesses that handle the payments. This means Visa and MasterCard and the other main credit card companies. It's not clear how this will all work, but I find it an interesting concept. If you are a spammer (and 'spammer' would have to be defined in some manner), then the credit card transaction will be cancelled. The spammer doesn't get the money. No incoming money, no incentive for the spammer to blast out tons of mail.

Spamming can be quite lucrative. You can buy a million names for under $100. Find a product to sell that makes you $10 per sale. Set up a bit of infrastructure (computers, software, order fulfillment, etc.). Then send out a million messages. The average rate of response is 0.05%. That's 500 sales, or $5,000 profit ($10 profit per sale), for a campaign that cost almost nothing to send. Not bad for one mail campaign.

Take away the money, and you take away the incentive. An interesting idea. What do you think? Use the mailbox icon, and perhaps we'll see some ideas on these pages.

Saturday, February 7, 2004

Since today is Saturday, it's probably OK to be less serious today and discuss something other than weighty matters. (You, in back -- quit those comments about my weight!)

Since it was Saturday, we slept in a bit this morning. Then did a bit of cleaning up the joint before Pam fixed a breakfast of french toast (or is it "American toast"? Nah, we're probably past that silliness.) I only had three pieces, with Log Cabin syrup, of course.

When I was a kid (he says, slightly wheezing), pancakes and french toast were among my favorites. Although my mother usually made her own maple syrup, I do recall having Log Cabin maple syrup in its original container. It was made out of metal in the shape of a log cabin, with two windows and a door and logs painted on the sides. The top of the container was sloped, with a chimney on top, which is where the syrup poured out. You old-timers out there might remember that. So, Log Cabin syrup on my french toast this morning was a pleasant memory.

After breakfast, I did a bit of vacuuming, then Pam and I went over to Home Depot to return one thing and take a look at the closet shelving kits. In one aisle, they had set up a bunch of tables for children to make a small heart-shaped footstool. Each child got their own orange Home Depot apron, and the four pieces of wood along with a couple of screws and some nails. With their parents' supervision and help, the children glued and nailed their little footstool together. When they were done, they each got to take their project home, I suspect for painting and wrapping as a present to Mom for Valentine's Day. It's a good promotion; I saw many people with other stuff besides the footstool.

Then Pam went off shopping for some presents for Joelle's birthday, while I went to her parents' house to do a few chores with Jared. Pam's Dad is quite weak from his cancer fight, so is unable to do anything around the house. They live on about an acre of land overlooking Folsom Lake. The view from their back porch is towards the lake, and the weather was so clear that you could see the snow-topped Sierra Nevada mountains. Jared did a bit of spraying weed killer on the slope below the house to control the weeds that are starting to crop up. I helped with some other tasks, along with some moral support. We got a few things into the truck to take to the dump.

Then back home, and a relaxing evening after a short trip to the grocery store. We watched "Secondhand Lions", which was pretty good.

Tomorrow is the usual Sunday drill, with the added attraction of a birthday party for Joelle after dinner. Since the weather has turned nice for a few days, it looks like "steak on the barbie" for the adults, and hot dogs for the kids. Cake and ice cream for dessert, some presents, and the usual playing with the grandkids. Should be a lot of fun.


Entire Site Contents Copyright (c) 2000-2004    Two Bridges Group,   All Rights Reserved