Digital Choke Daynotes

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are just a collection of links to other information (although we do include links occasionally). These Daynotes were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .org, .net), a collection of the daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals. If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Monday, June 21, 2004

That weekend was quite busy. As expected, it was mostly taken up with grandparently duties.

I left work a bit early Friday and went over to the kids' house. The plan was to have dinner (after some new baby holding, of course), then take the two older ones to our house so that Christine and Jared could get a break, and perhaps some sleep. So Friday night was taken up with spending time with Joelle and Liam. They went to bed about 9pm, and I decided I was too tired to post.

Saturday morning the kids let us sleep in until about 7:30am. We eventually trooped downstairs for a 'pink pancake' breakfast. After breakfast, it was time for a bath, then we went to the neighborhood park for a while. The rest of the day was spent hanging with the gang, lunch, naps (yeah!), dinner, then another trip to the park. We decided to keep them for another night (hard decision, right?), so it was off to bed about 8:30pm.

Sunday morning was Father's Day, so I got to stay in bed a bit longer than usual. Because of the occasion, the regular morning administrative meetings at church were cancelled. After breakfast, Pam and the kids piled into one car to take them back home. I followed a bit later in the truck. We spent a nice afternoon visiting, with a nice beef roast for dinner. Pam stayed the night again, and I got to go home.

Monday morning to work; nothing of interest today. Tomorrow, I'll be going to a Microsoft security presentation, which may or may not be interesting.

On the RedHat front, I was reminded by Peter Thompson that I could clone a vmWare installation (RedHat, in this case) and it would have the same settings as the original. That would allow me to play with various tools in the clone copy, and perhaps also get all the updates, since it had the same configuration as the original. I'll have to give that a try.

Peter also reminds me that I can put ISO images in a vmWare partition. I have some self-booting security distributions (Knoppix is one) that I want to try out, so I will also try that. Obviously, Peter is a bit more informed about Linux than I. His comments are appreciated -- along with anyone else that wants to chime in.

Tuesday, June 22, 2004

I returned from a Microsoft Security Conference in San Francisco. It was one of the many that were put on around the US (and other places). The intent is to educate users, administrators, and developers how to put more thought into security, whether in the operating system or in applications. There are many who delight in harassing Microsoft about security problems in their products, but I think that they are making good progress in making their products more secure.

Part of the problem with security issues with Microsoft products is that updating and patching systems is not easy. They are working on that; on the corporate front, the existing Microsoft Software Update Server (soon to be updated) allows businesses to get the updates to their client computers. The Windows Update process has had great improvements for the end user (if we can just get them to go there). Updates and patches themselves are getting 'smarter' and smaller. Windows 2003 Server is much more secure 'out of the box' than prior versions. There is much good information about security on Microsoft's web site. And there are some good features in the new XP-SP2 update. So, progress (in my humble opinion) is being made.

And there is much noise about Linux. I'll admit to not being expert with it (as you can easily infer from my notes here). I need to work with it a lot more before I can judge its security for myself. But the ease of use is still a problem. I don't think it is ready for 'Aunt Minnie' to use; it's still a bit technical and 'geeky'. (I'll admit that I base this on only one 'distro' -- RedHat. I still need to try others.)

An example: When I installed RedHat, it went fairly easy. There were some questions in the install that could be considered 'geeky' (such as 'eth0' and "mounting CD's"). But you could mostly just hit the "Next" button and things would install OK.

Once installed, and restarted, the GNOME desktop is somewhat familiar to Windows users. The basic applications are there: an Internet browser (Mozilla) works similar to IE; and the 'office productivity' (Open Office instead of MS Office) product is there (although I haven't used it yet, and I hear some incompatibility problems with sharing documents that are more complex).

So the basics are there. But try to figure out, as I did (a long-time Windows user, and a DOS user since version 1.0), how to install a new program. I downloaded AirSnort (a wireless network traffic 'sniffing' program), and then had to work really hard at getting it installed. I ended up typing several commands at the "Terminal" (similar to the DOS or Command prompt) to get it compiled and installed. Compare that with the installation programs for Windows programs, which seem to be much easier for "Aunt Minnie".

But I did get it installed properly, according to the docs that came with the program.

But darned if I can figure out (yet) how to start the program. The installation didn't put an entry on the "Start, Programs" menu. I see a bunch of files in the application's directory, but I have no idea which one to start.

Now, I suspect that there is some installation program that works with Linux applications. And there are probably some additional things I could do to add the program to my "Start" menu. But I think it is important to look at this from "Aunt Minnie's" point of view. She won't know how to un-tar, use gzip, start a Terminal prompt, type in a 'mount' command to read something off her CD, find the script file that puts an application's parts together into something you have to 'make', and then figure out how to get the program on her Start menu.

I know that I'll be able to figure all this stuff out. But for all the problems that are out there for Microsoft products, it still seems easy to me to use Windows-based programs. Perhaps it's my greater experience with Windows programs. Perhaps it's because I used the wrong Linux 'distro'. For sure it's my limited experience with Linux.

But I don't think that Linux is ready (yet) for "Aunt Minnie".

Thursday, June 24, 2004

I spent most of Wednesday at work with the RedHat program and vmWare (and several hours at home last night). I was able to clone my basic RH installation by copying all the disk files in that vmWare folder into the test area folder. Once you do that, you switch to the test area (in vmWare), and use a File, Open command to the vmx file. That loads the partition information, then you can start the test area. You have to update the unique ID of that session, but vmWare does that automatically after a dialog box asks. Once the cloned RH install started, it worked just like the base installation.

So now I can play around with the test area, doing all sorts of things, and I'll still have a basic install I can go back to. So, after a hard disk defrag (actually done before copying the base vmWare files), I started playing with some security tools.

The first was Airsnort, which is supposed to be able to sniff wireless traffic. I downloaded the program, then ran through the not-for-Aunt-Minnie installation process. First, you have to uncompress the 'gz' file. That was done through the file manager program (a GUI, sort of like Windows Explorer) by right-clicking the gz file and extracting the files. Then you have to go into the newly-created folder and run the 'autogen' file. That is supposed to create all the files needed to compile the program, which produces an executable.

So, I tried to run the whole process from the file manager. No joy. All that process of creating and compiling the files needs to be done from the Terminal ("command prompt"). From the Terminal prompt, you have to use the CD command to change to the proper directory, then you can run the ./autogen.sh script (batch file). After that is done, you have to run the make command, which compiles the program and puts the executable somewhere. To run the program, you have to find where the executable went. It certainly is not on your "Start" menu, like it would be if you installed a Windows program in Windows.

The Airsnort 'readme' file says that three programs are made. After a bit of poking around, I found them in the src folder of the Airsnort folder. So I double-clicked the program file, and it did start (although it is still not properly configured, so it didn't work). I'll have to work on the configuration part.

Then I decided to install Kismet, another traffic monitoring tool, so I downloaded it. It also requires Terminal commands (./configure, then make, then make install). After a while (lots of messages on the screen), the program was installed in /usr/local/bin (one of the messages on the screen after the final make install command said so). Note that this is a different location than where Airsnort installed. And the program is also not on the "Start" menu. And I still need to configure it to work.
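As an added example (not code from these notes or from the AirSnort/Kismet projects), this script runs the install routine described above and then does the piece the notes could not find documented: it locates the installed executable and registers it in the GNOME applications menu. It assumes a freedesktop.org-style menu that reads entries from ~/.local/share/applications; the build function is only needed when starting from a source tree.

```python
import os
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Added example, not code from the notes or the AirSnort/Kismet projects:
# it scripts the install routine described above, then registers the
# program in the GNOME applications menu (the step the author could not
# find documented). Assumes a freedesktop.org-style menu that reads
# ~/.local/share/applications.


def build_from_source(src_dir: str) -> list:
    """Run the build steps in the order the notes give, stopping on error.
    AirSnort's tarball ships autogen.sh, Kismet's ships configure; both are
    followed by make and make install. Returns the commands run."""
    steps = []
    if os.access(os.path.join(src_dir, "autogen.sh"), os.X_OK):
        steps.append(["./autogen.sh"])
    elif os.access(os.path.join(src_dir, "configure"), os.X_OK):
        steps.append(["./configure"])
    steps += [["make"], ["make", "install"]]
    for cmd in steps:
        subprocess.run(cmd, cwd=src_dir, check=True)  # raises on failure
    return steps


def find_installed(program: str,
                   extra_dirs=("/usr/local/bin", "/usr/local/sbin")) -> Optional[str]:
    """Locate the installed binary: PATH first, then the directories that
    make install commonly uses (Kismet landed in /usr/local/bin)."""
    path = os.environ.get("PATH", "") + os.pathsep + os.pathsep.join(extra_dirs)
    return shutil.which(program, path=path)


def make_desktop_entry(name: str, exec_path: str,
                       apps_dir: Optional[str] = None) -> Path:
    """Write a .desktop file so the program appears in the menu, the way a
    Windows installer adds a Start menu shortcut. Returns the file written."""
    apps = Path(apps_dir) if apps_dir else Path.home() / ".local/share/applications"
    apps.mkdir(parents=True, exist_ok=True)
    entry = apps / (name.lower().replace(" ", "-") + ".desktop")
    entry.write_text("[Desktop Entry]\nType=Application\n"
                     f"Name={name}\nExec={exec_path}\n"
                     "Terminal=false\nCategories=Network;\n")
    return entry
```

For the Kismet case above, `make_desktop_entry("Kismet", find_installed("kismet"))` adds the menu entry once make install has finished.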

Pam and I went to the bookstore last night during all of this. I wandered over to the Computer book section, and looked at many Linux or RedHat books. No book had a very complete section on installing programs. Well, they had some instructions on how to deal with 'rpm' files, and some info on the make/compile stuff. But I didn't find any information on how to add a program to the 'Start' menu.

And it was getting late, so I gave up and watched "Magnum, P.I." ... at least, until I dozed off.

Friday, June 25, 2004

Before we get to the interesting news, I must admit (after prodding by a couple of readers), that this site is sometimes date-challenged. Occasionally, the days and dates don't match.

I have a good excuse. I write these things at night (usually), and I am not wearing my watch. I do have this big atomic digital clock on top of the TV in the family room, which is where I am usually sitting when I write. And it does have the day and date on the display. But it is across the room, and my eyes are not as good as they used to be. The time digits are two inches high, and I can see those just fine. The day/date display is only one inch high, and I have to concentrate on focusing in order to see it clearly.

And I can hear you (yeah, you in the back) that I could just look at the clock on the taskbar. Well, yeah.

Actually, it's just part of a test to see if anyone is paying attention to these (usually) daily blathers. Yeah, that's it.

The interesting news is the new hack that is widespread and looks to come from Eastern Europe. Evidently, a web crime gang figured out a way to infect web servers. There is a feature in IIS 5 and 6 that allows you to specify a 'footer' that is automatically added to each page that is served. That footer file would normally contain a small block of HTML, a kind of signature block shown on every page, much as your mail system can be configured to automatically add a signature to all of your messages.

It's not clear how they managed to change that setting, which is normally done through a configuration page on the web server. What is clear from the various reports is that the attack was successful on quite a few 'big-name' servers. Nobody is telling the names, but they are characterized as "auction sites, price comparison sites and financial institutions". Your guess is probably as good as mine.

So, the attack changes that setting, and the footer file it points to contains malicious JavaScript. That script is automatically executed by the browser when a user 'browses' any page on the site, and there is no indication to the user when it happens. The script apparently installs programs on the victim's computer that, according to one report, "... appears to be focused on stealing credit card data and other personal information for the identity theft market."

This has just cropped up in the past few days. Up until this afternoon, current anti-virus signatures did not detect this attack. McAfee released detection files late today (Friday), along with most other anti-virus vendors.

It is also unclear how the web servers were infected. The Internet Storm Center reports indicate that affected web servers included major sites that are current with patches. Microsoft reports here that web servers that didn't install the MS04-011 patch ("LSASS") were vulnerable. They also said that users with the WinXP SP2 (RC2 - beta patch) would not be affected. Other researchers are saying that this is a new vulnerability for which a patch is not yet available.

Some are saying that this is just a continuation of techniques used to infect home users to turn them into spam 'relays', where the infected home computer will be used to send out spam mail. This seems to be increasingly common; some researchers say that over 50% of all spam is relayed through these infected home computers. In fact, the big Internet Service Providers (ISPs) are starting to be more proactive in finding, alerting, and blocking home systems that are unknowing mail spammers.

So, what to do? If you are in charge of a web site running IIS 5 or 6, check the document footer setting to make sure that it is what it is supposed to be. You can also check the 'source code' of a delivered web page to see if there is some unusual stuff at the bottom of the page. (Display a page of your choice, then use the View, Source command. That will open a Notepad window; scroll to the bottom of the file and make sure it is correct.) And make sure your firewall is blocking the bad stuff.
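The "scroll to the bottom of the source" check above, as an added example that is not part of the original notes: it looks at whatever the server appended after the page's own closing tag and reports any script found there. It assumes the IIS document footer is appended after the page's `</html>`, so only the expected footer (or nothing) should ever follow it; the sample pages, the expected footer text and the placeholder script URL are constructed here and are not from the incident.

```python
import re

# Added example, not from the original notes: check the tail of a served
# page for a tampered IIS document footer. Assumes the footer is appended
# after the page's own </html>, so only the expected footer (or nothing)
# should ever follow it. The sample pages and the script placeholder are
# constructed; they are not the real payload from the incident.
EXPECTED_FOOTER = '<p class="sig">Copyright (c) 2004 Example Co.</p>'

CLEAN_PAGE = ("<html><body><h1>Welcome</h1></body></html>\n"
              + EXPECTED_FOOTER + "\n")

TAMPERED_PAGE = ("<html><body><h1>Welcome</h1></body></html>\n"
                 '<script src="http://example.invalid/footer.js"></script>\n')

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def tail_after_html(page: str) -> str:
    """Return everything that follows the page's last </html> tag."""
    idx = page.lower().rfind("</html>")
    return page[idx + len("</html>"):] if idx != -1 else ""


def check_footer(page: str, expected: str = EXPECTED_FOOTER) -> dict:
    """Report on the served footer: is the configured text present, and
    does any <script> (inline or external) appear past </html>?"""
    tail = tail_after_html(page)
    scripts = SCRIPT_RE.findall(tail)
    sources = [src for s in scripts for src in SRC_RE.findall(s)]
    return {
        "expected_present": expected in tail,
        "scripts": scripts,
        "script_sources": sources,
        "suspicious": bool(scripts),
    }


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, check_footer(page))
```

A script in the footer position is only "suspicious" in the sense of needing a look; compare `script_sources` against what your site is actually configured to serve.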

For home users, the usual mantra applies. Windows Updates, Anti-Virus Updates, and increasing the security settings on Internet Explorer. (The Microsoft link has some more information about how to do that.) Some would consider using an alternative browser, although you need to be careful that your alternate is not using parts of the Internet Explorer engine.

You should also run a weekly anti-virus scan of your computer. And a spyware check is also a good idea. I personally like the "Spybot Search and Destroy" program. Get a pop-up blocker for your browser (I use the one that comes with the Google Toolbar).

And be very careful about filling out personal or credit information, especially if the request comes to you through an email or another unusual site. (Check out the anti-phishing site here.)

And help others do the same thing.

Here are some interesting links (as usual, all links around here will open up a new window); a Google News search will also pull up some good information.

"Let's be careful out there."

... more later ...

Entire Site Contents Copyright (c) 2000-2004 Two Bridges Group, All Rights Reserved