Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

5/30/2008

Securing Your WiFi

Filed under: Geek Work,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:59 am for you boring, normal people.
The moon is a Full Moon

At least, as much as you can secure anything.

Some time back, I pointed you all toward an article about extending your wireless connection. Some of you expressed concern regarding security in relation to wireless connections in general and, specifically, after expanding the range of your wifi router. So, I thought I should get you all some links on how to batten down the hatches, so to speak.
I do think it’s important, though, to say a little something about security in general first.
Nothing is totally secure. If a computer is on a network, it can be compromised eventually, given enough time and money. Security is a matter of degrees, of balancing ease-of-use with peace-of-mind. And, while having wifi makes mobile communication easy, it is, by its very nature, insecure. Anything that broadcasts over an unsecured medium can only be so secure, you know? So, I think it’s important as you look at the links below to keep in mind that a determined attacker is going to get into your wifi network, no matter what you do. And, personally, I am more than a little paranoid, so there are just some things I wouldn’t do over a wireless network.

Okay, so, without further ado, here are the links:
First, if you don’t mind the pop-ups on About.com, here are Ten Tips for Securing Your Home WiFi Network. They’re not bad, but, really, some of them aren’t all that secure. Or, rather, they just give a somewhat inflated sense of security. Still, they’re better than nothing.
Better than those tips, though, is the Lifehacker Guide to Setting Up a Wireless Home Network. This takes you through setting up a wifi router and network from scratch and gives you fairly good tips about securing it along the way. (But, make sure to follow the link to their article ToDo – Secure Your Wireless Home Network!) Better still, follow the article at Ars Technica titled The ABCs of Securing Your Wireless Network.
Freakishly, Microsoft, who’s not known for their security practices, has an article about making Windows XP wireless a little more secure. If you run XP, it’s worth a look.
And, finally, for those of you with a little extra time, some spare computer resources, and a high level of paranoia, read the Step-by-Step Guide at SearchWindowsSecurity.com titled How To Create A VPN For Your Wireless Network. (Or, if you’d rather download a printable PDF, check out TechRepublic’s A Secure Wireless LAN Hotspot For Anonymous Users. It’s another way to do the same thing.) Frankly, it doesn’t get much more secure than that!

Hopefully, that gives all those curious minds out there enough to chew on to keep you off the streets at night!

3/6/2008

Default Passwords

Filed under: Fun Work,Geek Work,The Dark Side — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:25 am for you boring, normal people.
The moon is a Full Moon

Why you should always change default passwords…

I don’t always agree with the bloggers over at TechRepublic when they insist that they have the five or ten most important links on a subject, but, every once in a while, they get one that’s really good. I can’t say much about most of the links in Chad Perrin’s post, Five must-have security resources, but his link to the RedOracle Default Password list is great! They have default passwords for just about everything there and, while that might not mean much to all my readers, if you have to do an emergency reconfiguration on something and take it back to the manufacturer default, having that password can really simplify your life.

Also, since these are so well documented, it’s a good illustration of why the first thing you should do after configuring, or reconfiguring, something is to change the default password.

1/14/2008

NSA Security Guides

Filed under: Fun Work,Geek Work,The Dark Side — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:45 am for you boring, normal people.
The moon is a Full Moon

Free government guidelines.

When it comes to computer security, the National Security Agency is the shiznit. Or, at least they were. I think they’ve sort of fallen behind a bit, as government agencies tend to do.

In any case, they have a whole website of government-level guidelines on computer security that you can download for free. So, even if they’re not the cutting edge any more, they’re still good guides and free.

11/13/2007

“New” Lockpicking Technique

Filed under: Criticism, Marginalia, and Notes,Fun,Fun Work,News and Current Events,Red Herrings,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:10 am for you boring, normal people.
The moon is a Full Moon

A “new” technique that’s more than three years old.

Huh. So, there was this article on MSN recently titled Lock Bumping: A new burglary threat. Now, I remember reading about this in 2600, the Hacker’s Quarterly, a really, really long time ago. And, I seem to recall it was a topic at DefCon a number of years ago, not to mention that Bruce Schneier talked about it in 2005.
But, what gets me is that the article itself mentions that the technique was made popular by a video in Germany back in 2004.

So, how is this a “new” technique again?

11/6/2007

Linux-based PC Imaging, Part One

Filed under: Fun Work,Geek Work,GUI Center,Linux,MicroSoft,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:17 pm for you boring, normal people.
The moon is a Full Moon

Hey, I get paid to be a geek, right?

So, I’ve been having some issues with my network and several Windows XP machines. In a nutshell, these machines seem to lose connectivity after approximately nine hours and fifteen minutes from the last restart. In other words, when my crazy-dedicated engineers work past their ninth hour, their machine slows to a crawl and eventually locks tighter than a Catholic school-girl’s knees. In any case, after weeks of troubleshooting this issue, I’ve come up empty. The best that I’ve got for these guys is either a) Don’t work such long hours or b) Reboot the machine at lunch.
In a further attempt to fully understand what is happening and at what level, I’ve gotten one of these machines and I’m going to install Windows 2000 on it. If we have the same issue, I know it’s hardware. If I don’t, I’ll be certain, within a reasonable percentage of surety, that the issue is some arcane aspect of Windows XP. Either way, I should be closer to a real answer.

But, before I wipe my current experimental machine, I decided I wanted to back it up. Naturally, I turned to my old friend, Linux. A quick Google turned up a blog entry titled “Cloning XP with Linux and ntfsclone”. So, with a few modifications for my own environment, I followed the instructions there. Incidentally, I used the latest version of Knoppix as a boot CD.

First, open up a terminal/shell session and create a mount point with the following command:
# mkdir /tmp/server

Then, because my DHCP server didn’t give the Knoppix virtual machine the right DNS information, add your server to the /etc/hosts file.
Next, mount the network share that you want to dump the images on.
# mount -t smb -o username=administrator //server1/share /tmp/server

Check how your live CD sees the partitions you want to save with the following command:

# cat /proc/partitions
major minor  #blocks  name

8       0   78150744  sda
8       1   76211608  sda1
240     0    1939136  cloop0

I want to save that 80 GB disk sda, which has a primary partition sda1. First I saved the partition table and the Master Boot Record this way:

# sfdisk -d /dev/sda >/tmp/server/images/cad1r-sfdisk-sda.dump
# dd if=/dev/sda bs=512 count=1 of=/tmp/server/images/cad1-sda.mbr

and then the partitions:

# ntfsclone -s -o - /dev/sda1 | gzip | split -b 1000m - /tmp/server/images/cad1-sda1.img.gz_

Note that this saved the disk image in 1G files, in case the way I mounted the share to the network server didn’t allow for large files. Sometimes that can get tricky going from Linux to a Windows 2003 server and back, so I decided not to take any chances. It makes a mess of files, but at least it took the guess-work out for me.
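
Before the source disk is wiped, the split image on the share can be checked end to end. The following is an added example, not part of the original post or of the blog entry it follows; the function name and the manifest file name are assumptions, and the chunk prefix is the one used in the split command above.

```shell
#!/bin/sh
# Added example: verify a gzip stream that was written with
#   ... | gzip | split -b 1000m - PREFIX
# Function name and manifest name (PREFIX.sha256) are hypothetical.

# verify_image PREFIX
#   0  chunks PREFIXaa, PREFIXab, ... form one intact gzip stream
#   1  the stream is truncated or corrupted
#   2  no chunks were found
#   3  the hash manifest could not be written
verify_image() {
    prefix=$1

    # split names chunks with two-letter suffixes; the glob expands them in
    # sorted order, which is the order they have to be concatenated in.
    set -- "$prefix"[a-z][a-z]
    [ -e "$1" ] || { echo "no chunks found for $prefix" >&2; return 2; }

    # gzip -t decompresses the whole stream and checks the CRC32 and length
    # trailer, so a missing, truncated or damaged chunk shows up here.
    if ! cat "$@" | gzip -t 2>/dev/null; then
        echo "image stream is damaged: $prefix" >&2
        return 1
    fi

    # Record per-chunk hashes next to the image so that later copies of the
    # chunks can be re-checked with: sha256sum -c PREFIX.sha256
    sha256sum "$@" > "$prefix.sha256" || return 3
    echo "ok: $# chunk(s) verified"
}

# Usage on the live CD, with the share mounted as above:
#   verify_image /tmp/server/images/cad1-sda1.img.gz_
```

A non-zero return means the image should not be trusted as the only copy of the disk.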

Coming soon, the restore process! Keep an eye out!

10/27/2007

Phucking Phisher

Filed under: Advice from your Uncle Jim,Criticism, Marginalia, and Notes,Fun,Fun Work,News and Current Events,Red Herrings,The Dark Side — Posted by the Network Geek during the Hour of the Monkey which is mid-afternoon or 4:21 pm for you boring, normal people.
The moon is a Full Moon

PhisherDay2

Well, as you can see by the picture to the left, the phisher was at it again.

So, me being who I am, I checked on this nasty phisher again and, naturally, he’d cleared the content and put his own back up. Well, this time, I went a little more subtle on him.  Instead of renaming his old file and uploading my own, I just uploaded my own over his.  If you look, you can see that I left most of his work in place, but added my own warning to anyone who might click on the link this stupid phisher put in his spam message.  I might keep this up for a bit, since it’s so easy and will hopefully drive at least one scumbag out of business.

Now, you might ask yourself why I don’t just assault the phisher or his site directly.  Well, there’s two reasons.  First, I imagine that this is a compromised site and not the phisher’s own.  So, if I attacked the site itself, I’d be damaging his victim twice.  Secondly, this way, if anyone does click on the link, I might educate someone so that they don’t just click on any link they get via e-mail.  The best way to hit these scammers is by way of educating people enough so that they don’t fall prey to these tactics.

Oh, also, notice that I left the compromised site’s address visible in the graphic.  Since this has become an educational tool, I figure everyone who reads my blog might as well get educated!


Advice from your Uncle Jim:
They say integrity is what we do when no one is watching. What are you doing now?

10/25/2007

Phisher Frustrator

Filed under: Advice from your Uncle Jim,Criticism, Marginalia, and Notes,Fun Work,Geek Work,News and Current Events,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Monkey which is in the late afternoon or 5:36 pm for you boring, normal people.
The moon is a Full Moon

I probably shouldn’t have done this, but…

You know, sometimes, I just get so irritated with the scams I get via e-mail that I just can’t help myself. This morning I read one too many eBay phishing scams in my inbox and, well, I had to do something about it.

eBay Phishing e-Mail

So, this is the e-mail I got that sent me over the edge.
Notice how this looks like a legitimate e-mail from eBay. It has all the same things that the official notices from eBay would have, including links to what look like official notices and actual sign-in screens.
The only real problem with this is that it was sent to an account that’s not associated with my eBay account and I haven’t bought or sold anything on eBay in over a year. What bothered me, though, was that I know people who would click on this and get scammed.
For fun, I hovered over the links to see where they led. If you look at the bottom of the linked screen capture here, you’ll see what I saw, but with the IP address obscured for safety’s sake.

eBay Phishing Scam Page

This is the page that the phisher wanted me to go to.
Again, notice how it looks like a legitimate page on eBay’s website. It looks so good because the phisher’s page actually links to the graphics on eBay’s site. But, if you look in the address bar in the browser in the linked screen capture, you’ll see what led me to mess with the scammer.
The link is to an FTP site and includes logon information, complete with password.
Naturally, this was just too good for me to resist.
So, I popped open a DOS prompt and loaded the default FTP client on my Windows machine. When I connected to the FTP address listed in the link, I was prompted for a userID and password. When I used the credentials in the link, the FTP server let me in!

Phishing Scam Warning

Naturally, this was far too good an opportunity for me to pass up.
So, while keeping the connection open, I renamed the phisher’s scam page from “ne.html” to “nono.html”. Then, I created my own “ne.html” and uploaded it.
In the linked image to the left, you can see that it gives anyone who loads it a warning not to click on just any old link they get in e-mail. Hopefully, this will serve to not only frustrate the phisher, but also educate anyone who might click the link.

Naturally, I don’t expect this to be up for very long on the phisher’s site, but, I figure if I help anyone with this little stunt, it will have been worth it. Though, you will notice that I obscured the IP address in my graphics to protect anyone the phisher may have hacked to run his scam. Also, it’s entirely possible that I was technically breaking the law by doing this, but I don’t expect the phisher is going to actually try to prosecute. After all, just how would one explain this to a judge?

Oh, and when I checked on it just before posting this, the phisher had changed the files back.  So, I did it again.
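
The checks made in this post by hovering over the link (where it really leads, whether it is an FTP address, whether it carries a user name and password) can also be applied to a link target mechanically, for example when triaging reported mail. This is an added example, not part of the original post; the function name, flag labels and sample URLs are constructed, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example: flag the link indicators described in the post.
# Function name, flag labels and the sample URLs below are constructed.

# link_flags URL [EXPECTED_DOMAIN]
#   Prints a space-separated list of indicators (an empty line if none).
#   EXPECTED_DOMAIN is the site the message claims to come from.
link_flags() {
    url=$1 expected=$2 flags=

    case $url in
        *://*) scheme=${url%%://*}; rest=${url#*://} ;;
        *)     echo unparsed; return 0 ;;
    esac
    authority=${rest%%[/?#]*}            # cut at the first /, ? or #

    # userinfo is everything before the last "@" in the authority part
    case $authority in
        *@*) userinfo=${authority%@*}; host=${authority##*@} ;;
        *)   userinfo=;                host=$authority ;;
    esac
    host=$(printf '%s' "${host%%:*}" | tr 'A-Z' 'a-z')   # drop :port
    scheme=$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')

    case $scheme in
        http|https) ;;
        *) flags="$flags non-web-scheme" ;;
    esac
    case $userinfo in
        '')  ;;
        *:*) flags="$flags embedded-password" ;;
        *)   flags="$flags embedded-user" ;;
    esac
    case $host in
        *[!0-9.]*|'') ;;                 # has a non-numeric character: a name
        *.*.*.*) flags="$flags ip-literal" ;;
    esac
    if [ -n "$expected" ]; then
        case $host in
            "$expected"|*."$expected") ;;
            *) flags="$flags host-mismatch" ;;
        esac
    fi
    echo "${flags# }"
}

# Constructed samples (192.0.2.10 is a documentation address):
#   link_flags 'ftp://user:secret@192.0.2.10/ne.html' ebay.com
#   link_flags 'https://signin.ebay.com/ws/eBayISAPI.dll?SignIn' ebay.com
```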


Advice from your Uncle Jim:
"Our dignity is not in what we do but in who we are."

10/10/2007

Internet Marketing Services?

Filed under: Career Archive,Criticism, Marginalia, and Notes,Geek Work,Red Herrings,The Dark Side — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:39 am for you boring, normal people.
The moon is a Full Moon

Hmm, maybe I could have a second job…

So, I saw a guy advertising on the web for “Internet Marketing Services”, specifically, “Business Blog Services” and “Social Marketing Services”. Sounds simple enough to me. Frankly, I’ve done plenty of blog work for folks and I can’t imagine adding a business component to it would be that much extra work. But, this guy was asking for $600 to set up a blog! With WordPress, I’d be done in about 30 minutes, including upload time and configuration. $600 for less than an hour worth of work… Oh, and then, if you want his “daily blogging” service, wherein he will make a blog entry for you, seven days a week, that’s $500 per MONTH! And, if you want him to optimize your blog for the search engines, that’s another one-time fee of $500.
But, what got me was the ad copy for what he called “Social Media Optimization”. That service, his site claimed, includes “Search Engine Reputation Management, Social Marketing Team Launch & Management”. “Search engine reputation management”? Are you kidding me?! For not submitting your page to the search engines too often and making some minimal effort to make sure you don’t get black-balled by Google, he’s going to actually negotiate a fee? What’s more, it’s a variable fee, no doubt based on how much you know about search engines and the web. I have a feeling that the less a customer knows, the higher the fee.

Wow, I could make a bundle at this kind of thing. If only I didn’t have ethics and the last vestige of a conscience…

(And, if you haven’t voted yet, check out the pictures from two posts ago and vote!!)

9/26/2007

Tempest in a Teapot

Filed under: Criticism, Marginalia, and Notes,News and Current Events,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:26 pm for you boring, normal people.
The moon is a Full Moon

Wow, people sure are paranoid about nothing.

Look, I’m all in favor of high-level paranoia.  In fact, there have been times that a major portion of my job has been all about being paranoid enough.  And, God knows, in this age of identity theft and on-line fraud, being a little extra paranoid is probably a pretty good idea.  (For those of you with ex-spouses, or soon-to-be ex-spouses, that goes double.  Trust me!)  But, this big noise over on Slashdot about the latest version of WordPress sending “private, user data” back to servers at WordPress.org is just going a bit too far.

First of all, the only thing it sends to the server is the url of the blog, the version of WordPress and its plugins and the basic server settings of the web server running the blog.  I mean, c’mon, that’s mostly public information in the first place!  I can collect two thirds of that data from most servers in less time than it took me to write this post!
Secondly, Matt Mullenweg, the main developer of WordPress, and a Houston native, posted about this on the developer’s mailing list, including how to install plugins to disable the code.  (If you’re paranoid, the plugins are called Disable WordPress Core Update and Disable WordPress Plugin Updates.)
Thirdly, let’s not get ahead of ourselves on blaming a free, OpenSource project like this for not being great about disclosing absolutely everything they’re doing behind the scenes.  I mean, it’s not like they’re doing silent updates without notifying paying customers or anything.

In any case, I thought I should mention the issue, and the solutions, since I’ve been so vocal in support of WordPress in the past.
So, there you have it.

9/12/2007

Who Helps the Helpers?

Filed under: Advice from your Uncle Jim,Apple,Geek Work,Linux,MicroSoft,Red Herrings,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Pig which is late at night or 11:28 pm for you boring, normal people.
The moon is a Full Moon

Be kind to your IT staff.

Don’t do this to them. Do not walk into their office and ask questions like “Are we having a problem with the server?” or “Is the Internet down?” Asking us questions like that results in responses like “No, the server is fine. But why don’t you tell me about your problem now?” and “No, I’m on the web right now and it’s fine. Do you have an error message?” or even “Why don’t you tell me if you’re having a problem?”

I swear by all I hold sacred, there is nothing more frustrating than having someone who really has no idea whatsoever how anything on a computer or network works wander into my office with that special stunned cattle look on their face only to ask me very specific questions about a problem they’re having. Even when I answer their question with another question in the voice I normally reserve for precocious toddlers, for the fifth time, they come and waste our collective time doing this, instead of simply describing their problem to me.

Don’t do this to your IT staff. Just tell them what the problem is. Don’t make them guess what you really want. Please.


Advice from your Uncle Jim:
"People are just as happy as they make up their minds to be."
   --Abraham Lincoln
