Recently saw where a person decided to impersonate an employee of the company on LinkedIn, but something did not quite add up when the name was cross-referenced. Some due diligence located a deceased person whose obituary photo had been usurped for the fake LinkedIn account. Smart enough not to take the bait on contact request, but lots of interesting log entries hitting this site without a valid vhost. Lesson to be learned by the folks who accepted the contact requests, validate a supposed co-worker is actually an employee or contractor before accepting the request. Trust, but verify when using social media.
Originally a Facebook post and note.
So a friend’s Facebook account got counterfeited (duplicated and made to look like her messenger account) and started contacting me over messenger. So I played along, while making contact with her via another comms channel to verify and let her know. Starts off simple enough; then there is a reference to some money via a grant. A quick Google turned up it was indeed fraud. So, I shared to link to my server in hopes they would follow it and let me see their source IP address. They took the bait and wouldn’t you know that my friend from Clayton is hitting my web site from Lagos, Nigeria. Sadly they dropped off before the details could be gathered on how the scam worked. I decided to tell them their game was up with me using Google translate into Huasa. My guess is they send a bad check that makes me lose funds, or they want upfront funds to make the grant application go through. So always be aware and note that anyone offering you money via a “social private grant fund” is probably sitting behind a computer half a world away who just wants your money. Hopefully the messenger images are in order.
Even after this conversation, the scammer uses Facebook messenger again the next day and provides a number a should text for my grant.
In trying to get a little more life out of my 2009 Mac Book Pro (MBP), I decided to pick up a Solid State Drive (SSD). My original plan was to clone the old drive over to the new SSD, but that plan was eventually discarded in favor of a clean install of OS X El Capitan.
The issues I ran into with the clone attempt were several. First, the new drive was 960GB while the existing drive was 1TB. In Yosemite, I could get into Disk Utility from the option key boot menu. The problem was the disk recovery partition booted from was part of the boot drive’s main partition I wanted to resize. That problem, on top of having to boot into single user mode and run /sbin/fsck -fy a couple of times to fix some problems before I could try to resize, made me give up as I kept getting a can’t unmount or mount error to complete the resize. So I updated to El Capitan on the MBP and was surprised to see that I could more easily resize the partition using the El Capitan version of the Disk Utility and there was not a warning that it did not succeed due to the mount issue. I booted back into El Capitan and saw no issues after the resize. So another Disk Utility session was started with the new SSD connected via a USB adapter. I was able to start the restore from the 1TB to the new SSD. I left this running overnight and through the day, but the process appeared to be stalled and I eventually stopped it. At that point the disk recovery/disk utility boot option would start and get about two-thirds complete, based on the progress bar, before the machine would power itself off. The MBP would still boot OS X El Capitan, but I could no longer access the recovery boot option to try another cloning session via the Disk Utility restore option.
I considered my options and actually booted with a live Gparted disk, but decided against a partition resize even though I had a Time Machine backup I made after the El Capitan upgrade. I also tried Clonezilla, but it did not like the fact that the new drive was smaller than the original and even when I did the expert mode option to allow the size difference, it failed to complete the clone of the main partition. At this point, I am thinking I have a nice SSD drive to use somewhere, but not in my MBP.
On the third effort, I started looking at doing a clean install of El Capitan OS X directly on to the new SSD. I will not try to completely recap that process here, but I leveraged the information at http://mashable.com/2015/10/01/clean-install-os-x-el-capitan/#iPW8YGRnrEqp. I will say don’t get discouraged during the creation of the bootable USB drive using DiskMaker X version 5 and the El Capitan installer application. I felt like it took forever during several of the steps, but it ultimately completed. So I opened up the MBP and swapped the SSD in and booted from the El Capitan clean install bootable USB drive. Again, I would say don’t get discouraged with the speed of this process. The time estimates and progress bars seemed like they were tied to some other universe’s clock.
Once I got past the first reboot of the install process, I was asked if I wanted to transfer any data from another Mac, a Time Machine backup or other source. I tried to chose the option for Time Machine and for some reason the My Book drive of my Time Machine data was not seen. I backed up one step and connected the old 1TB drive via my USB adapter and it was seen. I was given a list of items I would like to transfer or migrate over to the new install and I selected my data and applications only. I went ahead and clicked next a couple of times even though the install was still trying to compute the overall size of applications and my home folder. A few minutes later the transfer of data started and as I type this on my wife’s laptop, I have about six hours left to go on the transfer.
Update: The migration of data and applications completed without any issues and my MBP looks like I just did an upgrade versus a clean install at this point. If the folks in Redmond only got this concept, I would not dread a fresh Windows install to fix the cruft that builds up on their OS’es. As far as the new SSD goes, a reboot that would take about four minutes is now only 30 seconds from clicking reboot until I get a login prompt and application starts are much more responsive. One program, Microsoft Office 2011, did want me to go through the registration/activation process when I opened the program the first time. Luckily, it was installed via an employee purchase program with the registration key delivered in e-mail or I would still not be able to use it. I now keep my software keys in my password keeper, KeePass, to avoid having to sift through e-mails to find keys.
After having some issues with this new server build and Apache2, I decided to move over to Nginx for the web server. This meant I had to figure out how to get a Linux, (e)Nginx, MySQL, and PHP (LEMP) server going. Although I am not a DigitalOcean customer I used a great tutorial from them to determine what I needed on the Nginx and PHP5-FPM side of things and left off the other steps pertaining to Linux and MySQL. I also had to recreate my self-signed cert for SSL which I did using these instructions from DigitalOcean. These portions of the upgrade, I actually did from remote while DJ’ing for an 80’s gig, but I did need to finish up swapping the Apache2 and Nginx daemon start ups the next day. All in all, it was a pretty effortless job to make the Apache to Nginx switch until I started investigating what I needed to do to continue blocking web visitors by country.
So the next step was to enable the MaxMind GeoIP modules in Nginx and configure the web site profile to block countries other than the usual five. For this portion, I found another tutorial from how-to-forge that walked through the process step by step. Just like the previous effort to do this under Apache, there are methods to allow all countries and specify a few to block or block all countries and specify a few to allow. The latter is the method I chose. The one option that I really like with this setup is instead of giving a 403 – forbidden response to blocked visitors, I followed the tutorial’s recommendation to use a 444 – no response method which just keeps the browser at the other end hanging on and waiting for a response.
Between country blocking, using a self-signed SSL cert and a captcha requirement for administrative access, the number of attempted password guessing attacks against this site has gone from several an hour to zero.
In addition to WordPress, my site also includes Zenphoto 2.0 for the photo gallery. While it initially looked like wordpress and zenphoto were functioning correctly under nginx, if you went into any of the albums you would get a 404 error. Turns out that mod-rewrite and php needed some attention to get Zenphoto back to health. Here is a post I made to the Zenphoto 2.0 forum on the adjustments needed.
try_files $uri $uri/ /subfolder/index.php?$args;
try_files $uri $uri/ /zp/index.php?$args;
Deciding on which web hosting provider to use should be based on more than the hosting fee, or you stand the possibility that your site will end up on a blacklist that may prevent many of your potential visitors from reaching your site. Whether you are hosting a blog or a small business website, your ultimate goal is to have your site serve your visitors the content you want to share. But if your site is hosted as a virtual site on server that might be actually hosting hundreds of other web sites, you shouldn’t be surprised when potential visitors claim they can no longer access your site.
When this happens, many site owners don’t consider blacklists as the source of their problem. Blacklists are the customary means for security tools such as content filters and DNS systems to block access to web sites or servers that are known to be providing malicious content or redirects to other malicious web sites. Now when you start to think about the inexpensive web hosting company placing hundreds of sites on the same server, you can start to see an analogy to a physical neighborhood in the virtual neighborhood represented by the many sites hosted on a single server. If you are opening a new business that you expect your customers to visit in person, you might consider the square foot cost of the lease, but more importantly you consider the location for both convenience and safety of your customers. But this logic is often ignored when setting up a web presence as price seems to be overriding logic with little if any consideration given to potential web site visitor safety.
When a web site owner has experienced being on a blacklist, they will usually try to find out if their site is truly malicious. For the non-technical this is often a challenge. For some host names, the google web crawler aka Spider can tell a site owner if their site has been found to be malicious. Google also offers the ability for web site owners to check out how their site appears to the google crawler. https://support.google.com/webmasters/answer/158587?hl=en
With the appropriate URL, web site owners can also view the status of their pages through the google malicious URL service. In most cases this can be done based on IP address, host or domain name or AS number. So if we take a site that is known to be clear of any malicious content and check it, it should show that google has found no problems with the site. If we use the AS number, which includes all of the sites on the hosting provider network, you can check provider for reputation as seen by the google crawler (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:46606). One can think of this as the neighborhood that the hosting provider represents. Here are some examples of this using the site from my local bike shop cycle-logic.biz. The report for this site at http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=Cycle-logic.biz shows no malicious content has been found on the site over the past 90 days. So why would this site end up on a blacklist? Simple answer is the Internet neighborhood in which the site resides has a very poor reputation. The IP address represents all of the sites commingled with the cycle-logic.biz web site. If we go a little further and look at virustotal’s report for the IP address 126.96.36.199, many sites from this IP address are listed as being suspect. https://www.virustotal.com/en/ip-address/188.8.131.52/information/. The best source for checking to see if an IP address is showing up in any blacklists is http://dawhois.com/rbl_check/. Currently this site is reports the IP address hosting cycle-logic.biz, 184.108.40.206, is listed in 11 blacklists.
So if you are considering hosting a web site or blog, research the provider’s reputation through their AS number. If there are multiple sites noted in their record at google, try another provider. Reputable providers will usually act quickly if notified of malicious content on a customer’s site and either notify the customer or take down the content. While these providers may cost a little more than $5.95 a month, you will significantly reduce the risk that your site will get on a blacklist due to other sites being hosted on the same IP address are providing malicious content or redirects to other malicious web sites.
After much monitoring of malicious traffic and hacking attempts against this server, I have taken the ultimate draconian measure of blocking all countries except our US allies: Canada, United Kingdom, Australia and New Zealand.
The attempted attack that broke the camel’s back came yesterday with an attempt to have WordPress download malicious content from another site. The attempted download failed, but I manually went and got the files only to find they were trying to load an IRC Bot, web shell, deface my site, and use it to scan for other victims. So recky aka bogel, and x0re; sorry it failed for you. If anyone has any hosts talking out to *.blackunix.us, block the traffic. Nothing good can come from the hosts answering up on that domain name.
bot.blackunix.us has address 220.127.116.11
bot.blackunix.us has address 18.104.22.168
bot.blackunix.us has address 22.214.171.124
bot.blackunix.us has address 126.96.36.199
bot.blackunix.us has address 188.8.131.52
bot.blackunix.us has address 184.108.40.206
After seeing how many attempted WordPress logins for invalid accounts there were through Wordfence, I decided to look into blocking the offending countries that were routinely in the list. I started by trying to use TCP wrappers and adding country IP ranges to the /etc/hosts.deny file. This seemed to be an exercise in futility and not very effective. While the IP ranges are available lots of places on the Net, there were none already formatted to the required hosts.deny syntax. After a couple of weeks, I gave up on hosts.deny idea and started looking into doing it on my firewall (openwrt). That resulted in a crash burn as the router puked when trying to add 3,000 ranges to the custom firewall rules. A little more research turned up two helpful sites on enabling the Apache GeoIP module and using it to block by country using a GeoIP database. The first version I went with was from Drew Scogin (http://scog.gump.in/post/45108381598/how-to-block-foreign-countries-in-apache) and I think it worked, but my testing did not seem to be getting the country code correctly, or at least that’s what I thought. So my second effort used the methods posted by Shadowbringer (http://shadowbringer.com/guide-how-to-set-up-apache-geoip/) and is pretty much exactly the same other than Drew’s implementation allows countries and Shadowbringer blocks countries. The other difference is were they place the config for the GeoIp module. One does it in the vhost file and the other in a stand alone file that is included in the vhost file. Shadowbringer also shows how to use the rewrite module to send blocked visitors to a specific site or page instead of just letting Apache respond with a 403 Forbidden status code. So far the number of failed logins from blocked countries is zero.
Now I realize this is a little bit of security through obscurity and I am dependent on up to date GeoIP data and that’s okay with me. I know that a persistent hacker is going to locate hop points in a country that is not blocked and recon and attack from there; and there is not much I can do about that other than the security controls I already have in place like Wordfence. GeoIP is a viable first line of defense (https://blog.damballa.com/archives/1131).
It’s sad that I have to implement such Draconian measures for such a simple web site as this one. I guess between hackers and some cyber spies, there is no longer a safe harbor anywhere on the Internet.
While working a on a very basic cyber security presentation for work I came across a a video of the the father and daughter who sat down with Matt Laurer to talk about their postings and how things might be a little different had they thought a little harder about what they were posting. As of the date of this interview, the father’s video has been watched 31 million times. I liked what the mental health professional said of some of the things people post. “I post, therefore I am.” Here is a link to the interview: http://www.msnbc.msn.com/id/21134540/vp/46857133#46662440
My Original Post:
Okay, even though I can only type with one hand, I feel like I have to comment on fellow North Carolinian Tommy Jordan’s YouTube rant about his daughter’s rant on Facebook. First, who would have thought thirty years ago technologies and the Internet would be where it is today. It is truly mind-boggling when I think back to trying to write my on programs on a Commodore64 to make it do new stuff until today when there isn’t anything a computer on the Internet can’t do. At least that’s what Apple, Intel, IBM, HP, and Cisco want us to think. But the one thing a computer will never be able to do is parenting. My guess is Mr. Jordan’s daughter picked up most of her writing style and opinions from who, Her Dad! There was a mention in the video of Step-Mom and biological Mom, so there two more that could probably share in the development of this teenage girl. And that’s the point. A teenager does not have the benefit of life experience to develop good judgement. While good parenting would help develop this, based on what I saw of Mr. Jordan I think any child in that family will go on to have judgement problems later in life. I get that Mr. Jordan wants to instill responsibility in his children through chores, but once the child has experienced chores for sake of chores because “I said so”, versus when the floor is dirty it’s your responsibility to clean it, not everyday just because, parent’s like this generate hostility in a child. A responsible parent would instruct the child that these particular items are your responsibility, and when they need attention you provide it in the form of cleaning it, making it up, or what ever else it takes to keep it presentable for guests. That’s responsibility, not a checklist of do it everyday whether or not it needs it or not. If you still have to use chores checklists with your child, they have not learned to be responsible. On the daughter’s side, yes lambasting your folks on a public forum like Facebook is disrespectful. But my guess the daughter would have felt the back of a hand across her face if she went directly to her parents and voiced her opinion. The more I think about the laptop and the fact that the father claims to be an IT guy my guess is the hard drive was not in the laptop. Maybe social services can help the young woman and I would not be surprised to see Anonymous pick up her cause on this one.
Information on the dad from his wife’s veterinary clinic in Albermarle, North Carolina. (http://spayneuter.bearcreekvet.net/)
Tommy Jordan: Administrative and Technical Staff
Tommy grew up on the Outer Banks of North Carolina. After graduating high school he went spent the next 14 years in Greenville, North Carolina where he opened his own
IT Consulting and computer networking company, Twisted Networx. He traveled the world for a few years as a Project Manager for an overseas firm and eventually found and fell in love all over again with his high school sweetheart, Dr. Amy.He moved to Albemarle, NC in 2010 to start a family with Dr. Amy and together they have a house-full of ever-increasing numbers of children and pets! His dog Bonnie is never far from his side and travels with him most everywhere he goes.Tommy handles the administrative processes for the spay-neuter clinic, maintains the website, and assists with the technological and day-to-day operations in the clinic when we have in-clinic spays and neuters scheduled.
Mr. Jordan’s IT business is Twisted Networx.
Also interesting is the ist of other videos posted by the same YouTube account include everything from gun cleaning, Bible teaching, vet stuff and a couple of bands videos, but mostly gun stuff. Here is the list to see for yourself. http://www.youtube.com/user/alornmage#g/u
And a last thought, I want to thank Mr. Jordan for promoting the stereotypical view of southern men, especially those from North Carolina. Great job! My only fear is a man like Tommy Jordan may not reserve the use of those exploding .45 caliber hollow points just for laptops in the future.
Okay, so I went with Ooma as my Voice over IP (VoIP) phone service last fall. The premier version that offers some cool features and a second line was $120 per year along with a $3.50 monthly charge for fees and taxes. Compared to the old AT&T landline, even with the cost of the Ooma Telo device ($180 @ Costco), I am already saving money just six months into the investment. Sadly the same can't be said of folks who are looking for help with money needs or credit problems when they answer the unsolicited call to their phone concerning money making opportunities with Nouveau Corporation – ECS Consulting – or Wealth Builders International AKA:financialfreedomsites[dot]com. It seems like each week I am getting another robo-call message from one of the ECS consultants directing me to one of several web sites. This is where Ooma comes in as I can download the message from the my.ooma.com website and attach it to my FCC Do Not Call registry complaint. On the last call, I also complained to my state's Attorney General consumer protection division who snail mailed the offices of ECS with my complaint.
The saddest part of all of this are the complaints I can find on-line about the company detail stories of people in need of money or bad credit faling for an investment scheme where they are promised a great return or help with their debt problems. The investment/deposit amounts vary from $3,000.00 to $15,000. Most reports state that no money (i.e. deposit) was ever returned and their business contact who set up the deal has disappeared. My research into the numbers that call and domain names provided has allowed me to trace the call back to a person in some cases. In a way I feel like am victimizing them more by posting them to my list of shame, but come on people, anything that sounds to good to be true – probably is.
List of Shame:
- Paul Kight, Warner Robins, GA (404)448-3286 (helpmebefree)
- Bo Rich, NYC, NY (206)339-8453 (getrichatm, mdmformula, janscashformula)
- Carol Sue Kellum, Santa Barbara, CA (805)880-5102
- Unknown, Seattle, WA (206)984-2424 (cashcomestoyou)
- Virgil Williams, San Diego, CA (877)815-2680 (easycashflowmachine)
- Natalie Marco, Kingman, AZ (702)946-9496 (accessincrease)
- James "Virgil" Beistle, Mesa, AZ, (206)350-7056 (fireyourupline)
I recently saw a news article on the latest free cloud offering. This one is from Amazon and provides 5Gig of cloud based storage. For those unfamiliar with the cloud, it is the commoditization of information technology services. Say you own a company and pay lots of money for servers, software and the geeks needed to make it all work. Well, if you are using standard software or have basic IT needs, you can call on a cloud provider like Amazon to handle all the details of IT and you focus running your company and worrying less about IT. Some people compare it to taking IT and making it a utility just like power, phone, cable, etc… While the cloud services offer efficiencies of scale, there have been concerns that using the cloud could introduce risk. When someone like Amazon is hosting your data, it could exist and probably does exist in multiple data centers across the world. And many times there may be little if any separation of your data from the other customer's data. Approach any cloud offering with some skepticism until the provider can show you their security practices.
So back to cloud drive, I set up an account yesterday and dumped some files up that I had on dropbox and was a little stunned with the lack of security on the cloud drive. What I found was very troubling. If you are authenticated (signed in) and open a jpeg stored on your Amazon cloud drive, it will display in your browser. That is what it should do. Being a security guy, I copied to the URL for my jpeg from Chrome and pasted it into my IE browser's address bar and the jpeg displayed in IE even though I was not authenticated to the Amazon cloud drive. To do another test, I pasted the URL into Safari and again the image displayed without the session being authenticated. I realize the pretty random URL generated by cloud drive for my jpeg would be hard to guess, but it is security through obscurity none the less. If you continue to paste the URL to unauthenticated browser sessions after period of time, you will get a notice that something timed out, but I can't believe Amazon thinks this is real security.
So far I have been really impressed with dropbox. It is a similarly based online storage service to cloud drive, but it comes with a client that will automatically synchronize your local dropbox folder contents to the online storage available from anywhere on the Internet AND synchronize the dropbox folder to your other computers that also have the client installed. Sadly, it costs about twice as much the cloud drive when considering pay offerings for more than 5Gig of space. And I would be remiss if I did not do the same URL copy test on dropbox and I can say that it does NOT work on dropbox. Here are some links to the two services:
Thank you for writing to Amazon.com. Your concerns about your content stored on Amazon Cloud Drive are important to us. Specifically, I understand you are concerned about the security of your files on Cloud Drive. Please keep in mind that your personal information is subject to the protections of our Privacy Notice, which can be found at: www.amazon.com/privacy
I'd also like to address the concern you wrote in to us about, we've run a few tests by using the URL you provided (www.amazon.com/clouddrive#path=/) we were unable to reproduce the security flaws you encountered, in each attempt in a different browser with direct linking to a file within the cloud we were prompted to login even if logged in on a different browser.
In addition, each file is stored within Amazon Simple Storage Service (S3); the same highly scalable, reliable, fast, data storage infrastructure that Amazon uses to run its own global network of web sites.
I hope this helps.
So this morning I capture some screens showing the copy and paste working as well a websniffer.net confirmation of a 200 = Ok status for the URL from one of the just viewed images and forwarded them to amazon. I am not sure how else Amazon needs to be shown that this is a "security flaw". Here is a link to a recording of my screens exposing the flaw with another image.
HTTP Response Header
|Status: HTTP/1.1 200 OK|
|Date:||Mon, 11 Apr 2011 11:12:08 GMT|
|Expires:||Mon, 11 Apr 2011 11:16:19 GMT|
|Last-Modified:||Sun, 03 Apr 2011 01:35:12 GMT|