www

Aug 22 2008   8:02PM GMT

Poor Spelling = Identity Lost

Posted by: Troy Tate
administration, awareness, blog, design, howto, intellectual property, man-in-the-middle, MITM, browser, Networking, network analysis, Security, CA, certificate authority, forensics, malware, SSL, online identity, reporting, risk, vulnerability, web, website, www

Well, I am not the best speller and I know that is true for most people. I have recently discovered how this human weakness can get you into trouble and cause identity loss as well as potential financial loss.

This issue has recently come to light with some of the Black Hat presentations. The actual presentation can be found here. This example actually refers to SSL VPN attacks but consider what would happen if an attacker was able to create a man-in-the-middle SSL proxy using a typosquatting domain name. For example, what if you typed https://www.mybnak.com/myaccount into your browser. The actual address should be https://www.mybank.com/myaccount. This is just a simple typographical error right? Hmmmmm… maybe not!

Consider if an attacker purchased the domain name mybnak.com. They then were able to get an SSL certificate or create a self-signed one that to an uneducated user looked ok. Have you ever seen a message like the following?

How many of you (come on, admit it now) have clicked on this or know someone who would click on this without thinking a second time? Say you did click on Yes and proceeded. The website you go to looks exactly like the one where you intended to go! This is because the address you mistyped into your browser actually goes to an SSL proxy and you just said you trusted the website. You have now fallen into the man-in-the-middle attack.

This looks like the following picture:

This attacker now takes all the traffic you send it, reads it, saves what it wants, repackages it, sends it to your intended destination and returns information back to you (keeping copies of what information is returned) without you knowing that someone is between you and your intended bank. Phishers do use a similar mechanism although a savvy consumer might actually see that the address in the address bar does not match their intended destination at all. In my example, YOU mistyped the address!

Well if this does not scare you into making sure you can type addresses or keep accurate bookmarks then read some of the following and make up your own mind:

Mozilla SSL Policy Considered Bad for the Web

SSL VPN might not be as secure as you think

Black Hat 2008 Aftermath

But, on the other side of this argument consider this story about how a MITM attack saved Columbian hostages.

The internet is not a place to be ignorant about your surroundings. Users must be vigilent and savvy about its use. Maybe there should be internet driver testing and licences?

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 22 2008   3:46PM GMT

Trolls on ITKE - I think not!

Posted by: Troy Tate
administration, awareness, blog, design, intellectual property, CIO, IT education, Networking, internet, Security, online identity, reporting, risk, web, website, www

Here’s an interesting blog entry I came across this week. I have great respect for John Postel mentioned in the article. He contributed immensely to the design of the protocols on which we depend on for data networks. I really like his Robustness Principle. “Be conservative in what you do, be liberal in what you accept from others.”  This is a good statement for life but can be a challenge to address in the IT world. The article and follow-up postings have a lot of nuggets of great thought. Maybe add your thoughts to Mr Schwartz’s post or add some thoughts below here.

Have you had to deal with a troll? What were your challenges and how did it end up? What are your suggestions for handling this global issue?

It is quite amazing if you take a minute to think about it how the global internet provides a whole new environment for crime and abuse. There is no single legal body that can deal with this environment. There are no borders (although countries like China try to control what information crosses theirs).

I do want to commend ITKE for seeming to keeping the trolls away from this useful internet resource. I know it is a challenging job but the TechTarget folks are doing a great job! Let’s thank them for all their hard work by keeping up the knowledge sharing.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 20 2008   6:19PM GMT

Did you see this? - Need some Exchange advice/support

Posted by: Troy Tate
administration, anti-virus, awareness, design, howto, CIO, DataCenter, DataManagement, Exchange, email, Exchange 2007, Outlook Web Access, OWA, spam, Microsoft Windows, Powershell, CA, certificate authority, digital signatures, Policy, Performance, policy enforcement, RSS, tools, blog, toolkit, web, website, wiki, www

Maybe you have already read my post about implementing new Exchange 2007 mailboxes for over 2000 users. If not… look here. So, as you see from this event, ongoing support for these global users on a new messaging system is going to be a real challenge.

I found a great blog posting with links to some excellent Exchange resources. Keep this in your toolkit for those times you just can’t find the answer elsewhere to those nagging Exchange problems. I see lots of other IT people struggling with this system and looking for support here at IT KnowledgeExchange.

Some other Exchange resources I recommend are:

Microsoft Exchange Server Resource Site

E-mail archiving

Seven ways to organize your e-mail

MessagingTalk.org - Portal for Microsoft Exchange Messaging & Collaboration

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Aug 18 2008   7:24PM GMT

Did you see this? - Online tools/tutorials - RingOfSaturn

Posted by: Troy Tate
administration, awareness, design, diagnostics, howto, IT education, DataCenter, DataManagement, troubleshooting, Networking, internet, LAN, network analysis, WAN, wireshark, Security, malware, Monitoring, Storage, VoIP, metrics, online identity, packet capture, Performance, reporting, research, risk, tools, web, website, www

Ok, I admit it. I’m a network tool junkie. I constantly look for neat tools to perform tasks in the easiest manner possible and give me reliable information. This website from RingofSaturn.com is definitely one of the cooler online tool websites. Check out the browser sniffer tool if you are curious about what information your browser gives up while surfing the web. You might be surprised!

Check out the TCP/IP tutorial. It’s a quick easy read that you can share with those you are trying to explain how a network works.

Checkout this website. I guarantee that if networks are in your blood, you will find something of interest here.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Jul 25 2008   12:58PM GMT

I know who I am - Do you know my name?

Posted by: Troy Tate
administration, awareness, design, howto, blogging, Database, DataCenter, DataManagement, Development, Exchange, email, Exchange 2007, Microsoft Windows, browser, subscriptions, troubleshooting, internet, Security, Policy, online identity, policy enforcement, reporting, research, website, wiki, www

If you read my previous post then you know we recently went through a major e-mail system migration. Part of that e-mail migration included moving from various naming conventions (firstname@domain.com, firstname.lastname@domain.com, FirstInitialLastName@domain.com, etc.) to a single naming convention of firstname.lastname@domain.com. Of course this was a huge undertaking and also a political move. One thing I am sure of is that the users will never understand the discussions taking place behind the scenes and will continue to take place about names of other non-user specific mailboxes like a project engineering team or an application mailbox.

Another thing which struck me during this process is that we netizens are identified by our e-mail address in many places on the web. Have you ever looked to see how many places you are identified by your e-mail address? I had to take some time and go out and change my e-mail address wherever the old one was in use. That is not a easy task let me tell you! First of all I went through the mailing lists I subscribe to. I went to their websites and tried to find the area to change my profile’s e-mail address. There are some sites where I could never find this and/or could not change it. So, webmasters & publishers…. please make it easier for your subscribers to modify their e-mail address or credentials! There is this need for companies that may get purchased or change names. There is the need for the users who change names when getting married or divorced…. this should not be as difficult as I found it to be.

In the end, I’m not sure what I will be missing out on when we go back and clean out all of the non-standard names which we will likely do by the end of the year.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Jul 8 2008   5:12PM GMT

Browser warnings - Danger Will Robinson! - or did it just cry “Wolf!”?

Posted by: Troy Tate
Data security, Google, Firefox, anti-virus, awareness, botnet, honeynet, IT education, Development, Security, antivirus, forensics, honeypot, malware, Policy, metrics, online identity, policy enforcement, reporting, web, website, www

I sometimes browse the internet using Firefox. I say sometimes because Internet Explorer is the standard browser at my company and Firefox is not supported by IT. Well, since I work in IT, sometimes you have to test things on behalf of users and also to see how certain sites are different depending on the client browser.

Well, I recently upgraded Firefox to v3. It does seem much better than v2 although some of my useful addins are now broken (when will YSlow get fixed for v3?). One of the new features of Firefox v3 is the ability to report to the user if the visited website is a known potential malware site. This is a good feature! It provides the user with some useful information and education about the dangers on the internet. However, how accurate is this feature? What if you are visiting a trusted website that you frequently visit and now get this message?

For your information, this is the message that you will see when you attempt to visit a site deemed as risky.

Reported Attack Site!

This web site at certification.xxxxxxx.org has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I blanked out the actual website address above. However, those of you with a bit of detective in you are likely going to figure it out.

What is interesting about this particular warning message is that it is referring to a website that has security as a guiding principle. When you see this message in Firefox, you have three options presented:

• Get me out of here!
• Why was this site blocked?
• Ignore this warning - in very tiny print at bottom of message.

I was curious as to why this site would be considered as a danger. I clicked on the Why was this site blocked? option. The report I received was interesting and as I mentioned earlier, could this be an example of someone crying “Wolf!”?

The report was as follows:

What is the current listing status for certification.xxxxxxx.org/?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/06/2008, and the last time suspicious content was found on this site was on 07/06/2008.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 3 domain(s), including lokriet.com, clrbbd.com, catdbw.mobi.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including catdbw.mobi.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, certification.xxxxxxx.org/ did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.

This is great educational stuff, but did it really happen to this particular website? I don’t know, but apparently Google does. With the report of just one incident, does it make this site really worth the notification? How many incidents should it take before a site is considered malicious and who determines what malicious is?

Just something else to mull over in your copious time as you go perusing websites in Firefox.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Jul 2 2008   1:57PM GMT

If no one is answering the front door - try the back door

Posted by: Troy Tate
awareness, diagnostics, howto, CIO, blogging, DataManagement, Development, browser, troubleshooting, metrics, Performance, web, website, design, customer service, www

I recently went to Target and was going to look at my daughter’s wedding registry to see what she and her fiance had selected. When I got to the registry kiosks, there was a Target team member and a customer having problems getting into the service. The Target team member was on the phone apparently with another store or technical support. I heard things like “This is happening at all of the stores.” “We can’t get it to work.” “How do you reset this thing?”

Since there was another open kiosk, I thought I would try my luck and see what errors may appear. The main kiosk user page is intuitive and I immediately found the wedding registry icon and clicked it as any customer would. The application immediately responded with an error page describing some issues with scripting or something. Ahhhh… so I was receiving the same error as the other customer.

Well, the IT detective side came out in me and I started back over at the kiosk home page. Target designed this page with lots of options and ways to get to information that a customer may be looking for. Along the side of this page I found another link to get into the various registry areas, baby, wedding, etc. I clicked on that topic, navigated my way to the wedding registry and lo and behold… I was able to print out my daughter’s wedding registry while the other customer and the Target team members were still grumbling about the other kiosk.

I want to commend Target for providing multiple navigation means around their website. I would hope this experience would encourage more of the same for other vendors. I know, in IT, we like to restrict how many paths a user can go through an application to get to the same information, but in this case, Target did the right thing and provided good customer service.

Jun 18 2008   7:15PM GMT

Did you see this? - Sysinternals LIVE!!

Posted by: Troy Tate
administration, Microsoft, Sysinternals, awareness, Data security, diagnostics, howto, CIO, Database, DataCenter, DataManagement, Development, Microsoft Windows, troubleshooting, Networking, LAN, network analysis, WAN, Security, forensics, Monitoring, Policy, Performance, reporting, tools, web, website, www

If you’re a fan of the Sysinternals tools, check out the beta of Sysinternals Live, a service that makes it easy for you to execute Sysinternals tools directly from the web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals live path into Windows Explorer, or at the command prompt as \\live.sysinternals.com\tools\<toolname> or view the entire Sysinternals Live tools directory in a browser.

If you have not used these tools yet, then you are definitely missing a critical item for being successful in your IT position. Check them out… it may save your reputation some time!

Jun 18 2008   5:26PM GMT

Did you see this? - Infosecurity Magazine RSS feed

Posted by: Troy Tate
anti-virus, awareness, botnet, Data security, DataCenter, Networking, IT education, Security, antivirus, CA, digital signatures, forensics, honeypot, malware, Monitoring, Policy, SSL, metrics, policy enforcement, reporting, RSS, research, tools, web, website, www

Infosecurity Magazine has a very good RSS feed to keep yourself up to date on events/issues and technologies. Check it out!

Jun 17 2008   2:33PM GMT

Did you see this? - can MY browser do this?

Posted by: Troy Tate
diagnostics, browser, DataCenter, Linux, Microsoft Windows, Mobile, Networking, metrics, Performance, reporting, tools, web, website, www

Here’s a great website for testing your browser functionality and understanding the different features of each application.

Thanks for your time. Let’s be good network citizens together & practice safe networking!