Archive for the ‘Computer Security’ Category

Ongoing large-scale distributed SSH brute-force attack

Sunday, December 4th, 2011

In the past, securing SSH on the public internet has been pretty much as easy as (a) keep your OS patched, (b) don’t let root log in with a password, and (c) run fail2ban to stop brute-force attacks.

Unfortunately, it looks like the bad guys have finally figured out how to put their bots to work running distributed SSH brute-force attacks. If so, then fail2ban is no longer going to be good enough, and more sophisticated (and inconvenient) measures are going to be needed.

Prior to December 1, the five machines I maintain with SSH servers accessible to the public had been probed by an average of 13 different IP addresses per day. On December 1, they were probed by 109 different IP addresses, a 738% increase over the prior average. On December 2 and 3, they were probed by 79 and 72 different IP addresses. Not as high as the first day, but still quite a jump!

I saw this increase across the board on five different machines on four distinct networks run by four different network service providers. I’ve been in correspondence with someone at the SANS Internet Storm Center who says he’s seen a similar spike on machines he maintains.

It seems clear to me that someone is engaging in a distributed brute-force attack trying to break into servers as root via ssh.

(more…)
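As an added illustration, not code from the original post, here is a small Python check of the kind the numbers above suggest: it counts distinct source addresses per day in sshd's "Failed password" log lines and flags a day whose count jumps well above the earlier baseline while no single address reaches the per-IP retry limit that fail2ban would act on. The log lines are constructed, and the spike factor of 3 and the retry limit of 5 are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample sshd log lines in the usual OpenSSH syslog format.
# They are made up for this example and are not from the author's servers.
SAMPLE_AUTH_LOG = """\
Nov 29 03:12:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Nov 29 03:12:04 host sshd[1201]: Failed password for root from 192.0.2.10 port 51235 ssh2
Nov 29 03:12:08 host sshd[1201]: Failed password for root from 192.0.2.10 port 51236 ssh2
Nov 29 03:12:11 host sshd[1201]: Failed password for root from 192.0.2.10 port 51237 ssh2
Nov 29 03:12:15 host sshd[1201]: Failed password for root from 192.0.2.10 port 51238 ssh2
Nov 29 03:12:19 host sshd[1201]: Failed password for root from 192.0.2.10 port 51239 ssh2
Nov 29 14:40:17 host sshd[1340]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Nov 30 11:05:33 host sshd[1502]: Failed password for root from 198.51.100.9 port 22022 ssh2
Nov 30 21:17:45 host sshd[1610]: Failed password for root from 192.0.2.44 port 33021 ssh2
Dec  1 00:01:09 host sshd[2201]: Failed password for root from 203.0.113.1 port 1111 ssh2
Dec  1 00:04:12 host sshd[2202]: Failed password for root from 203.0.113.2 port 2222 ssh2
Dec  1 00:07:15 host sshd[2203]: Failed password for root from 203.0.113.3 port 3333 ssh2
Dec  1 00:10:18 host sshd[2204]: Failed password for root from 203.0.113.4 port 4444 ssh2
Dec  1 00:13:21 host sshd[2205]: Failed password for root from 203.0.113.5 port 5555 ssh2
Dec  1 00:16:24 host sshd[2206]: Failed password for root from 203.0.113.6 port 6666 ssh2
Dec  1 00:19:27 host sshd[2207]: Failed password for root from 203.0.113.7 port 7777 ssh2
Dec  1 00:22:30 host sshd[2208]: Failed password for root from 203.0.113.8 port 8888 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from IP port N"
FAILED_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_day(log_text):
    """Return {day: {source_ip: failed-attempt count}} for every 'Failed password' line."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Collapse "Dec  1" to "Dec 1" so the day key is stable.
            day = " ".join(m.group("day").split())
            per_day[day][m.group("ip")] += 1
    return per_day


def distributed_attack_days(per_day, spike_factor=3.0, maxretry=5):
    """Flag days whose distinct-source count is at least spike_factor times the
    mean of the earlier days while every source stays below maxretry attempts,
    i.e. below the threshold at which per-IP banning would have kicked in.
    (spike_factor and maxretry are assumed values for this example.)"""
    days = list(per_day)  # insertion order = order first seen in the log
    flagged = []
    for i, day in enumerate(days[1:], start=1):
        baseline = statistics.mean([len(per_day[d]) for d in days[:i]])
        distinct = len(per_day[day])
        busiest = max(per_day[day].values())
        if distinct >= spike_factor * baseline and busiest < maxretry:
            flagged.append({"day": day, "distinct_ips": distinct,
                            "baseline": baseline, "max_attempts_per_ip": busiest})
    return flagged


if __name__ == "__main__":
    per_day = failed_logins_by_day(SAMPLE_AUTH_LOG)
    for day, ips in per_day.items():
        print(f"{day}: {len(ips)} distinct sources, busiest source {max(ips.values())} attempts")
    for hit in distributed_attack_days(per_day):
        print("possible distributed attack:", hit)
```

Run it against a real auth log instead of the embedded sample. A day that trips the check is one on which per-IP banning would have done nothing, because no single source tried often enough to be banned, which is exactly what makes a distributed attack different from the single-source kind fail2ban handles.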

Post-mortem of security breach on my Linux server

Friday, September 16th, 2011

On the afternoon of September 15, I started getting some strange email messages from cron on my Linux server, which hosts my email, blog, DNS, and several web sites for various non-profit organizations I’m involved with.

(Background: One of the web sites, an old Drupal installation, handles scheduled tasks through a cron job that periodically fetches the URL /cron.php on the site. Each time /cron.php is fetched, Drupal checks if any scheduled tasks came due since the last time it was fetched, and executes the PHP code for those tasks. The scheduled tasks aren’t actually supposed to generate any output, so the cron job that fetches /cron.php shouldn’t generate any output and therefore shouldn’t cause cron to send email.)

All of a sudden, the cron job that fetches /cron.php started sending me email every time that it ran. When I looked closely, I saw that the contents of the email were some strange, totally incomprehensible JavaScript fragment. I was incredibly busy, so although I thought it was curious that this should suddenly start happening, I didn’t immediately give much thought to it. After it had been stewing in the back of my mind for a couple of hours, however, I suddenly realized with a start that some script kiddie had almost certainly broken into the server and added malicious JavaScript to its pages, so I had no choice but to stop what I was doing and clean up the mess.

(more…)

Email identity thief strikes again

Wednesday, August 24th, 2011

This time, my email identity thief created an account using my email address at support.mozilla.com. I received email from the site in French asking me to confirm my email address.

I’ve reset the password on the account to prevent him from using it, but I can’t log into the account to see what profile information he specified or what he did on the site, because the site provides no way to recover a lost username. I’ve contacted webmaster@mozilla.com and asked them to provide me with the username as well as information from their logs about who created this account.

They’re a bit more likely to be willing to help than Skype, given that (a) they’re a collaborative, open-source organization and (b) I have an ongoing relationship with Mozilla, having submitted several core and Thunderbird patches and been nominated as a “Friend of the Tree”.

I’ve asked them at the very least, if they’re unwilling or unable to provide me with the username, to delete the account, since I don’t want accounts created by other people using my email address on sites all over the internet.


IMPORTANT UPDATE on Brave New Foundation and Nation of Change

Friday, August 12th, 2011

I wrote several days ago about spam I received from Nation of Change at an email address which had previously only been shared with Brave New Foundation. Earlier today, I wrote about Nation of Change apparently attempting to cover their tracks after their unauthorized use of email addresses was discovered and reported by me.

I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:

  • Brave New Foundation does not sell, share or rent their email lists.
  • There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
  • Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
  • Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
  • Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
  • Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spent investigating this incident.

All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.

When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.


Nation of Change trying to cover their tracks?

Friday, August 12th, 2011

I wrote recently about spam I received from a new, shady-seeming progressive organization called Nation of Change, sent to an email address that I had only ever used to subscribe to another organization’s mailing list.

I asked a lot of questions about Nation of Change, and thus far they’ve failed to respond to any of them. Here’s what has happened instead.

(more…)

Oracle (née Sun) joins the club of companies who can’t keep their mailing lists secure

Thursday, August 11th, 2011

In September 2009, I registered as a developer at sun.com. When doing so, I used a tagged email address, i.e., an email address part of which was unique to my registration at that site. I’ve never used that particular email address anywhere else or published it anywhere.

In January 2010, Oracle completed its acquisition of Sun. The Sun developer web sites were eventually decommissioned and are not active today. Since the completion of the acquisition, I’ve received no email at the tagged email address I gave to Sun. Until today, that is.

Today, I received this spam sent to that tagged email address:

Received: from mail.recruitingbee-agent8.com (mail.recruitingbee-agent8.com [184.172.232.199])
	by jik3.kamens.brookline.ma.us (8.13.8/8.13.8) with ESMTP id p7BNER5P022529
	for <[elided]>; Thu, 11 Aug 2011 19:14:27 -0400
Received: from find ([127.0.0.1]) by recruitingbee-agent8.com with MailEnable ESMTP; Thu, 11 Aug 2011 18:14:39 -0500
MIME-Version: 1.0
From: "Tech-centric Jobs" <noreply@recruitingbee-agent8.com>
To: [elided]
Date: 11 Aug 2011 18:14:39 -0500
Subject: Technology job openings
Content-Type: text/plain; charset=us-ascii
Message-ID: <EF440C500DF841B3AE10C51197A0EA91.MAI@recruitingbee-agent8.com>
Content-Transfer-Encoding: 8bit

**********************************************************************

Find the latest software & programming jobs http://www.tech-centric.net/

**********************************************************************

A good programmer is someone who always looks both ways before crossing a one-way street. ~Doug Linder

The latest programming jobs are available: http://www.tech-centric.net/

If however you are not interested in exploring programming jobs at this time please optout:

http://www.recruitingbee.com/unsubscribe.aspx?email=[elided]&token=[elided]

All the best,
The Health Medical Job Site
1350 E Flamingo Rd
Las Vegas NV, 89119

It looks like either Oracle sold the email addresses of sun.com web site users to a third party, or somebody stole them. Neither of these casts Oracle in a particularly good light.

I am, of course, going to do my best to contact someone in Oracle who might be willing and able to look into this, but I am rather skeptical that I will have any success.

Mysterious identity thief uses my email address to create Skype account

Friday, August 5th, 2011

As I previously reported, somebody has been interacting with Web sites using my email address.

I suspect that in addition to the ones I know about, this individual is probably also doing things that I don’t know about, because I assume that not all the web sites at which he’s using my address are kind enough to send me an email alerting me to what he’s doing.

Today, however, I did get a notification from one site that I didn’t know about before — he apparently signed up for a Skype account using my email address. They emailed me about it because he attempted to purchase Skype credit but didn’t complete the transaction.

I immediately took advantage of Skype’s password recovery feature to reset the password on the account. I.e., I stole the account from the identity thief, just as I did when he signed up for a gmail account using my email address.

Then I sent this message to Skype’s customer support department. I don’t honestly expect them to respond in any useful way, but I figured it was worth a try: (more…)

Who’s using my email address, and why?

Thursday, June 23rd, 2011

Somebody seems to be using my email address in a weird, ongoing way that doesn’t seem to be benefiting them in any way. The fact that I can’t figure out why they’re doing it concerns me, because I have to suspect that there is some benefit to them, which I just haven’t been able to figure out. I’m worried that if it’s helping them, it’s probably hurting me, even if I don’t know it.

Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.

(more…)

A study in contrasts: handling stolen email lists

Monday, April 4th, 2011

I try to make a habit of giving out “tagged” email addresses to web sites when I sign up for accounts / mailing lists / whatever. For example, when creating an account at widgets.com, instead of just signing up as “jik@kamens.us”, I might sign up as “jik+widgets@kamens.us”. It ends up in the same mailbox regardless, and it gives me some visibility into who is sharing or selling or allowing my email address to be stolen.
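Added example, not the author's code, covering both this post and the Oracle/Sun one above: a Python script that reads a received message, picks out the tagged addresses it was delivered to (from the To/Cc headers and the "for <...>" clause of each Received header), and compares the sender's domain with the site each tag was given to. It assumes the `+` sub-addressing of the jik+widgets@kamens.us form described above; the tag registry, the sample messages and the domains in them are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry of which tag was handed to which site. The tag names
# are placeholders, not the author's real tags.
TAG_REGISTRY = {
    "widgets": "widgets.com",
    "sundev": "sun.com",
}

# Constructed spam message modelled on the headers quoted in the Oracle post,
# with reserved example domains and a made-up tag in place of the real ones.
SAMPLE_SPAM = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.example.org (8.13.8/8.13.8) with ESMTP id ABC123
\tfor <jik+sundev@kamens.us>; Thu, 11 Aug 2011 19:14:27 -0400
From: "Tech-centric Jobs" <noreply@example.net>
To: jik+sundev@kamens.us
Subject: Technology job openings

Find the latest jobs at http://www.example.net/
"""

# Constructed legitimate message from the site the tag was actually given to.
SAMPLE_LEGIT = """\
From: "Developer Program" <devprogram@sun.com>
To: jik+sundev@kamens.us
Subject: Your developer account

Welcome to the developer program.
"""

FOR_RE = re.compile(r"\bfor <([^>]+)>")


def split_tag(address):
    """Split 'user+tag@domain' into (user, tag, domain); tag is None when absent."""
    local, _, domain = address.rpartition("@")
    user, _, tag = local.partition("+")
    return user, (tag or None), domain.lower()


def recipient_addresses(msg):
    """Every address the message reached: To/Cc headers plus the envelope
    recipient recorded in the 'for <...>' clause of each Received header."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    found = {addr.lower() for _, addr in pairs if addr}
    for received in msg.get_all("Received", []):
        found.update(a.lower() for a in FOR_RE.findall(received))
    return found


def attribute_leak(raw_message, registry=TAG_REGISTRY, my_domain="kamens.us"):
    """For each tagged recipient address, report which site the tag was given
    to and whether the sender belongs to that site. A sender from some other
    domain means the address was shared, sold or stolen from that site."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for addr in sorted(recipient_addresses(msg)):
        _, tag, domain = split_tag(addr)
        if domain != my_domain or tag is None:
            continue
        given_to = registry.get(tag)
        if given_to is None:
            verdict = "unknown tag"
        elif sender_domain == given_to or sender_domain.endswith("." + given_to):
            verdict = "expected sender"
        else:
            verdict = "leaked from " + given_to
        findings.append({"address": addr, "tag": tag, "given_to": given_to,
                         "sender_domain": sender_domain, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in attribute_leak(SAMPLE_SPAM) + attribute_leak(SAMPLE_LEGIT):
        print(finding)
```

The envelope recipient from the Received header matters because a spammer's To: line may name someone else entirely, or be missing; the "for <...>" clause written by your own mail server records the address the message was really delivered to.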

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.

(more…)

Astroturf for (or against?) Obama

Thursday, March 24th, 2011

An interesting comment showed up a few hours ago on an earlier blog posting of mine about Barack Obama: “Just wanted to say that I am eployed at a large Pharmaceutical company in Clayton NC and I support Barack Obama with all my heart. I would love for all my friends and colleagues to re-elect Obama in 2012!! I LOVE YOU OBAMA.”

The commenter gave the name “Diane Pearce Votes for Obama Again” and linked to my.barackobama.com. I thought it was slightly weird, but not weird enough to merit further investigation.

Then, three hours later, another comment came in on a different blog posting, this time from “Diane Pearce Loves Barack Obama”: “All I know is that I work at a large Pharmaceutical corporation in Clayton NC and I endroce Barack Obama with all my being. I would love for all my friends and colleagues to re-elect Obama in 2012!! I LOVE YOU OBAMA.”

That exceeded my weirdness threshold, so I looked into it a bit further.

The two comments gave two different email addresses, Reitter@gmail.com and Lipovsky@gmail.com, both of which appear to be based on people’s names and neither of which is related to the full name given by the commenter.

One of the comments was posted from an IP address in the United Arab Emirates. The other was posted from Indonesia.

I Googled for pages matching “Diane Pearce” and Obama, and there were 264 matches, many of which were similar comments. I did the same Google search a half hour later, and the count was up to 270.

Someone is clearly astroturfing here. The motives for this, and whether the people doing it are in reality trying to help or hurt Obama, are left as an exercise to the reader.

  • Name: Diane Pearce Votes for Obama Again
  • Web site: my.barackobama.com
  • Email: Reitter@gmail.com
  • IP address: 86.96.226.22
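As an added example, not from the original post, the two comments quoted above can be compared mechanically: the Python below scores their word overlap and flags pairs with near-identical wording submitted under differing names, email addresses and source countries, and notes when an email address bears no relation to the display name. The comment texts, names, emails and countries are the ones reported above; the third comment is a constructed control, and the 0.5 similarity threshold is an assumption.

```python
import re
from itertools import combinations

# The first two entries quote the comments reported in the post; the countries
# are the ones the post gives for their source IPs. The third is a constructed,
# harmless control comment.
COMMENTS = [
    {"name": "Diane Pearce Votes for Obama Again", "email": "Reitter@gmail.com",
     "country": "United Arab Emirates",
     "text": "Just wanted to say that I am eployed at a large Pharmaceutical company "
             "in Clayton NC and I support Barack Obama with all my heart. I would love "
             "for all my friends and colleagues to re-elect Obama in 2012!! I LOVE YOU OBAMA."},
    {"name": "Diane Pearce Loves Barack Obama", "email": "Lipovsky@gmail.com",
     "country": "Indonesia",
     "text": "All I know is that I work at a large Pharmaceutical corporation in Clayton "
             "NC and I endroce Barack Obama with all my being. I would love for all my "
             "friends and colleagues to re-elect Obama in 2012!! I LOVE YOU OBAMA."},
    {"name": "Alice Example", "email": "alice@example.org", "country": "United States",
     "text": "Great post, thanks for writing this up."},
]


def tokens(text):
    """Lower-cased alphanumeric word set; case and punctuation differences are ignored."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def similarity(a, b):
    """Jaccard similarity of two comments' word sets, from 0.0 to 1.0."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def name_matches_email(name, email):
    """True if any word of three or more letters from the name appears in the
    email's local part, e.g. 'Alice Example' and alice@example.org."""
    local = email.split("@")[0].lower()
    return any(w in local for w in re.findall(r"[a-z]{3,}", name.lower()))


def suspicious_pairs(comments, threshold=0.5):
    """Pairs of comments whose wording is near-identical (similarity >= threshold,
    an assumed cut-off) but which arrive under differing identities, with the
    reasons each pair looks coordinated."""
    hits = []
    for (i, a), (j, b) in combinations(enumerate(comments), 2):
        score = similarity(a["text"], b["text"])
        if score < threshold:
            continue
        reasons = ["near-duplicate text"]
        if a["name"] != b["name"]:
            reasons.append("different display names")
        if a["email"].lower() != b["email"].lower():
            reasons.append("different email addresses")
        if a.get("country") != b.get("country"):
            reasons.append("different source countries")
        for c in (a, b):
            if not name_matches_email(c["name"], c["email"]):
                reasons.append(f"email {c['email']} unrelated to name {c['name']!r}")
        hits.append({"pair": (i, j), "score": round(score, 3), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_pairs(COMMENTS):
        print(hit)
```

Word-set overlap is deliberately crude: it is enough to catch templated comments whose opening clause was varied by hand while the rest was pasted, and it costs nothing to run in a comment-moderation hook before a post goes live.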