Wednesday, April 13, 2011

Government Remotely Disables Software on Personal Computers

The FBI remotely disabled software installed on privately owned personal computers located in the United States.

If this isn’t controversial, it should be.

The software is presumed to be malicious, having been accused of stealing account information and passwords from hundreds of thousands of people.

Does that make it less controversial?

Hundreds of thousands of computers have one less bot on them. That’s certainly a good thing. Hundreds of thousands of computer owners had their computers remotely manipulated by law enforcement. Is that a good thing? A dangerous precedent?

Interesting, for sure.

Update: Gary Warner has an excellent write-up.

Tuesday, April 5, 2011

Your package has arrived.

I'm impressed by this scam e-mail:
Return-path: <tracking@ups.com>
Reply-To: <tracking@ups.com>
From: UPS Shipments <tracking@ups.com>
Subject: Your package has arrived!
Date: Thu, 2 Dec 2010 14:31:34 +0000
To: Undisclosed recipients:;
Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990
*****749 and can be used at : <br />
<a href="
http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="
http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />

<p>*** This is an automatically generated email, please do not reply ***</p>

UUCLJNFYSDMJENHSLBIXJFGSUGKCVUTDYVBOGM

I’ve snipped the delivery-related headers (not interesting) and *’d out a bit of the tracking number. The links are intact.

What is interesting is that when rendered as HTML, every piece of visible link text is a valid ups.com URL, including the tracking URL. The tracking link really does go to ups.com; if you click on it and paste in the tracking number, you'll get some poor dude's house in Florida. The invoice link is the trap: its visible text is a plausible ups.com invoice URL, but the href behind it points at invoice.scr, a Windows executable, on an unrelated host. Click it and you have the opportunity to download what I assume is an interesting payload. (But alas, the golden hour has passed; those who amuse themselves by downloading interesting payloads will have to amuse themselves elsewhere.)

The finance people I know never met an invoice they didn't like. I'd imagine that for them, the temptation to click is overwhelming.

It’s not hard to make a case for reading mail in plain text, where the only URL you see is the one you would actually be sent to.
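The mismatch described above is mechanical to detect: for each anchor, compare the host in the visible text with the host in the href, and flag hrefs that end in an extension Windows will execute. The following is an added example, not code from the original post; it parses the quoted e-mail body with the standard library's html.parser and uses the two links exactly as printed in the post as its sample input. The list of executable extensions is my own, not something the post gives.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Body of the scam e-mail quoted above, as printed there (hostile href included).
# This is the only sample input the script ships with.
SCAM_BODY = """Dear client<br />
Your package has arrived.<br />
The tracking# is : 1Z45AR990*****749 and can be used at : <br />
<a href="
http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a><br />
The shipping invoice can be downloaded from :<br />
<a href="
http://thpguild.net84.net/e107_files/cache/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a> <br />
<br />
Thank you,<br />
United Parcel Service<br />
<p>*** This is an automatically generated email, please do not reply ***</p>
"""

# Extensions Windows runs on double-click (my list, not from the post);
# .scr, a screensaver, is the one this mail uses.
EXECUTABLE_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # The mail puts a newline right after href="; strip() absorbs it.
            self._href = (dict(attrs).get("href") or "").strip()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host if text parses as an absolute http(s) URL, else ''."""
    parts = urlsplit(text.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return parts.hostname or ""


def audit_links(html):
    """One finding per link; 'reasons' is empty when nothing looks off."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host, text_host = host_of(href), host_of(text)
        # The classic phish: the text looks like one site, the href goes elsewhere.
        if text_host and href_host != text_host:
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
        path = urlsplit(href).path.lower()
        if path.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"target is a Windows executable ({path.rsplit('/', 1)[-1]})")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SCAM_BODY):
        print("SUSPICIOUS" if f["reasons"] else "ok        ", f["href"])
        for r in f["reasons"]:
            print("           -", r)
```

Run against the quoted body, the tracking link comes back clean and the invoice link is flagged twice: once for the ups.com text over a net84.net href, once for the .scr target. Link text that is not itself a URL ("click here") is not compared, which is the usual limitation of this check; the executable-extension test still applies to it.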

BTW - Most bloggers mangle potentially hostile URLs prior to publication. This blogger presumes that the readers of this blog are smart enough to know what’s safe and what isn’t.

Monday, April 4, 2011

Add Robert Half to the Epsilon Breach Fiasco

On my work e-mail:

Today we were informed by Epsilon Interactive, our national 
email service provider, that your email address was exposed due 
to unauthorized access of their system. Robert Half uses Epsilon 
to send marketing and service emails on our behalf. 

We deeply regret this has taken place and any inconvenience this 
may have caused you. We take your privacy very seriously, and we 
will continue to work diligently to protect your personal 
information. We were advised by Epsilon that the information 
that was obtained was limited to email addresses only. 

Please note, it is possible you may receive spam email messages 
as a result. We want to urge you to be cautious when opening 
links or attachments from unknown third parties. We ask that you 
remain alert to any unusual or suspicious emails. 

As always, if you have any questions, or need any additional 
information, please do not hesitate to contact us at customersecurity@rhi.com. 

Sincerely,

Robert Half Customer Care 

Robert Half Finance & Accounting
Robert Half Management Resources
Robert Half Legal
Robert Half Technology
The Creative Group

I did not ask to be on RH's e-mail list.

OS X Adaptive Firewall Automated Blacklisting

The Mac mini Server comes with an incarnation of 'ipfw' as its built-in kernel firewall. Configuration of ipfw in an IPv4-only world is pretty simple. The Server Admin GUI covers the basics. The details are in /etc/ipfilter.

Along with the 'ipfw' firewall comes something called the 'Adaptive Firewall'. OS X's "Network Services Administration" guide indicates that this adaptive firewall 'just works':
Adaptive Firewall

Mac OS X v10.6 uses an adaptive firewall that dynamically generates a firewall rule if a user has 10 consecutive failed login attempts. The generated rule blocks the user’s computer for 15 minutes, preventing the user from attempting to log in.

The adaptive firewall helps to prevent your computer from being attacked by unauthorized users. The adaptive firewall does not require configuration and is active when you turn on your firewall.
Apparently my Mac Air is doing something to annoy the Adaptive Firewall on my mini. After a day of running ipfw, my Air loses the ability to connect to the Mini Server and 'ipfw show' shows a deny-any rule for the IP address of my Mac Air. I have no clue why it's blacklisting me - I'm connecting via AFP, Samba and Time Machine, all of which work fine until they don't.

Fortunately I keep a handful of Windows 7 laptops around. They don't get blacklisted even when I try.

To tweak the adaptive firewall start with:


Then:

sudo cat /etc/af.plist

sudo cat /var/db/af/blacklist

And when you get tired of being blacklisted by your own server, whitelist the LAN (afctl -w adds an address or network to the adaptive firewall's whitelist, so it is never blacklisted):

/usr/libexec/afctl -w 192.168.0.0/24

The adaptive firewall may (or may not) log to:

/var/log/alf.log

depending on various sysctl, socketfilterfw and serveradmin settings. As far as I can tell, mine doesn't log anything. Interesting things like 'I've blacklisted you' apparently are worthy only of /dev/null.
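Apple's description gives only the policy (10 consecutive failed logins, 15-minute block, no configuration, no log). The following is an added example, not Apple's code or anything from the original post: a model of that policy fed with constructed login attempts, which shows why a client that keeps retrying a bad credential gets blocked while one that succeeds occasionally never does, how an afctl -w style whitelist exempts a network, and a small parser that pulls the generated deny rule out of ipfw show output. The login events, the addresses, the ipfw rule numbers and counters are all made up for the example; the ipfw column layout (rule, packets, bytes, action, proto, from, src, to, dst) is the standard one, and the reason the hypothetical client fails is an assumption, not a diagnosis of the author's Air.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The two numbers Apple's description gives; nothing else about the real
# implementation is assumed.
FAIL_THRESHOLD = 10
BLOCK_DURATION = timedelta(minutes=15)


class AdaptiveFirewallModel:
    """Model of the documented policy: 10 consecutive failed logins from one
    address -> deny that address for 15 minutes. Not Apple's code."""

    def __init__(self, whitelist=()):
        # Networks exempted the way `afctl -w 192.168.0.0/24` exempts them.
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.consecutive_fails = defaultdict(int)
        self.blocked_until = {}
        self.log = []  # the "I blacklisted you" record the real thing never wrote

    def exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:            # the generated rule has expired
            del self.blocked_until[ip]
            return False
        return True

    def observe(self, when, ip, success):
        """Feed one login attempt. Returns the block expiry if this attempt
        tripped the threshold, else None."""
        if self.exempt(ip):
            return None
        if success:
            self.consecutive_fails[ip] = 0   # one success resets the streak
            return None
        self.consecutive_fails[ip] += 1
        if self.consecutive_fails[ip] < FAIL_THRESHOLD:
            return None
        self.consecutive_fails[ip] = 0
        until = when + BLOCK_DURATION
        self.blocked_until[ip] = until
        self.log.append(f"{when:%H:%M:%S} blacklisted {ip} until {until:%H:%M:%S}")
        return until


def constructed_events():
    """Constructed login attempts (when, source IP, succeeded); not real logs."""
    t0 = datetime(2011, 4, 4, 9, 0, 0)
    ev = []
    # Hypothetical client at .10 retrying a share with a stale credential:
    # ten straight failures, exactly the threshold.
    ev += [(t0 + timedelta(seconds=i), "192.168.0.10", False) for i in range(10)]
    # Client at .20: nine failures, one success, nine more failures. It never
    # reaches ten consecutive failures, so it is never blocked.
    ev += [(t0 + timedelta(seconds=20 + i), "192.168.0.20", False) for i in range(9)]
    ev.append((t0 + timedelta(seconds=30), "192.168.0.20", True))
    ev += [(t0 + timedelta(seconds=40 + i), "192.168.0.20", False) for i in range(9)]
    return ev


def run(whitelist=()):
    fw = AdaptiveFirewallModel(whitelist)
    for when, ip, ok in constructed_events():
        fw.observe(when, ip, ok)
    return fw


def deny_rules_for(ipfw_show_output, ip):
    """Rule numbers in `ipfw show` output that deny all traffic from ip.
    Assumes the usual columns: rule packets bytes action proto from src to dst."""
    hits = []
    for line in ipfw_show_output.splitlines():
        f = line.split()
        if (len(f) >= 9 and f[3] == "deny" and f[5] == "from"
                and f[6] == ip and f[8] == "any"):
            hits.append(int(f[0]))
    return hits


# Constructed `ipfw show` excerpt; rule numbers and counters are made up.
SAMPLE_IPFW_SHOW = """\
00001     120    14400 allow ip from any to any via lo0
00010       0        0 deny ip from 127.0.0.0/8 to any
12300      42     1680 deny ip from 192.168.0.10 to any
65535 1049283 91234872 allow ip from any to any
"""

if __name__ == "__main__":
    fw = run()
    print("\n".join(fw.log) or "nothing blocked")
    print("blocked at 09:00:30:", fw.is_blocked("192.168.0.10", datetime(2011, 4, 4, 9, 0, 30)))
    print("ipfw deny rules for .10:", deny_rules_for(SAMPLE_IPFW_SHOW, "192.168.0.10"))
```

With no whitelist the model blacklists 192.168.0.10 at 09:00:09 until 09:15:09 and leaves .20 alone; with 192.168.0.0/24 whitelisted nothing is blocked. To use deny_rules_for against a real box, save sudo ipfw show to a file and pass its contents in place of the sample; the model's log line is the piece the real adaptive firewall never gives you.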

I bought the Mini Server for my home network because after a decade of running Solaris, I've decided that I want simple, straightforward technology at home so I can spend less time reading man pages and tweaking config files.