Wednesday, December 31, 2008

SSL Certificates Hacked

Here's an article about hackers breaking SSL. What they found is a way to forge a certificate that browsers accept, so a spoofed site can look exactly like the site you meant to visit, padlock and all, while your data is actually going to the attacker. The hack applies to certificate authorities that still sign certificates with the MD5 hash algorithm, such as VeriSign's RapidSSL.

Hackers Break SSL

The article also points out that the hack depends on the SSL certificates being signed with MD5. As the end of the article states:

"It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard."

I did some research to find out which CAs are using MD5 encryption instead of SHA and found that this particular hack was targeted at VeriSign's RapidSSL.com:

MD5 SSL hack analysis

I was able to confirm that Network Solutions does not use MD5 encryption.

Microsoft claims this hack poses no major threat to users
Microsoft says SSL MD5 hack poses no real threat
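A quick way to check a certificate yourself, as an added example (my code, not the article's or this post's): the signature algorithm is the second element of the certificate's outer DER SEQUENCE, so a few lines of ASN.1 parsing are enough to read its OID and compare it against the MD5 and MD2 OIDs. The certificates it runs on here are constructed stand-ins with an empty body; `fake_cert`, `check_signature` and the other names are this example's own.

```python
"""Read the signature algorithm out of a DER certificate and flag MD5.

Added example, not the article's or the post's code. Only the DER
structures needed to reach Certificate.signatureAlgorithm are parsed.
"""
import ssl

# Signature-algorithm OIDs (PKCS#1, RFC 3279, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Hashes with practical collision attacks: a CA signing with these can be
# tricked into signing a certificate it never saw.
BROKEN_HASH_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


def _read_tlv(data, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the OID inside the second element (an AlgorithmIdentifier)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def check_signature(der):
    """Return (oid, name, is_broken) for a DER-encoded certificate."""
    oid = signature_algorithm_oid(der)
    return oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in BROKEN_HASH_OIDS


def live_cert_signature(host, port=443):
    """Fetch the leaf certificate a server presents and classify it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return check_signature(ssl.PEM_cert_to_DER_cert(pem))


# ---- constructed test input: a stand-in with an empty tbsCertificate ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        digits = [a & 0x7F]
        a >>= 7
        while a:
            digits.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(digits))
    return out


def fake_cert(sig_oid):
    """Not a real certificate: only the signatureAlgorithm field is meaningful."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)         # BIT STRING, zero unused bits
    return _der(0x30, tbs + alg + sig)
```

Against a live site, `ssl.get_server_certificate((host, 443))` returns the PEM and `ssl.PEM_cert_to_DER_cert` converts it for `check_signature`. What matters is the algorithm on the certificates the CA issued (the leaf and any intermediate), not a root's self-signature. SHA-1 appears in the table only as a name: it was the recommended replacement in 2008 but has since been retired by browsers for the same reason.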

Sunday, December 28, 2008

Microsoft IE8 beta 2 bug report

I don't understand why Microsoft makes it so difficult to submit a bug to them. It would be so nice if qualified users who are programmers and such, or "expert" users, could easily submit a bug report. Other companies do this and I imagine it helps them find key issues and solve problems more quickly. Since I don't see an easy way to do this with the IE8 beta, I'll list some bugs I found here:

When I visited one web site with flash I could not scroll down to content at the bottom of the page.

When I copy and paste certain URLs from Firefox to IE (because, for instance, the home page of a site with flash doesn't scroll correctly so I go to Firefox to get to the URL I want) and then I try to copy and paste the URL back into IE - CRASH. Big time. Everything hangs. I haven't figured out if it is every URL or just that one.

The blogger home page doesn't display correctly, nor does https://update.microsoft.com.

I think I listed the problems with my webmail site earlier - messages disappearing and strange duplicate images appearing on the screen.

CitySearch traffic - suspicious jump

There's been a significant jump in traffic from citysearch.com and some of it does not look legitimate. For instance we'll see a group of hits in a row from the same IP address or a block of hits from different IP addresses within seconds of each other. The amount of traffic in December has almost doubled - in a month where typically traffic falls. The increase in traffic is not leading to additional sales or leads so I doubt it is actual web surfing people looking for the products and services on the web site to which they were referred by citysearch.com.

This jump in traffic comes shortly after blocking out other countries where we do not do business (RIPE, APNIC, AFRINIC). Multiple IPs hitting the site in succession, seconds apart, matches the M.O. of these particular hackers. Additionally we have been reporting on traffic from seemingly odd and bogus URLs, and that traffic seems to have jumped. Not sure how related all this is.

Are hackers using the citysearch site and hacked computers to gain access to our sites, or is the citysearch traffic rigged somehow? Not sure, but something smells hacky.

Friday, December 26, 2008

IE 6 traffic - 91% referrals

A quick analysis of traffic this month shows that 91% of traffic from IE6 browsers is via a referral link.

This may or may not be legitimate but seems a bit odd.

Garbage Sites and Traffic Logs

I find it interesting when I review my logs and see hits from totally random URLs with complete garbage content like this one: www . esitesbuilder . com/pid/1/index.html

There are a bunch of related sites that look like garbage and links designed to get sites better rankings - but waste everyone's time in the process. If the sites would instead post quality information and do legitimate business they would get rankings.

I also find the referrals from these garbage sites to be questionable. Anyone who goes to these sites and does not immediately click off the page I'm guessing is some kind of bot. This is further reinforced by the bad traffic we get from the networks that click on these links.

This IP, for instance, came from a complete garbage referral site and clicked onto a site on our server that has nothing to do with the content on the page from which the click was referred. I highly doubt this is a valid web surfer who wants to buy products on the site clicked on, not to mention the web request was invalid:

HOP ONE: 209.160.65.50

This is just pointing out that not all traffic is good traffic and not all links are worthwhile. I wish Google would just eliminate these garbage sites from their listings. They seem like they are pretty easy to spot. They are all structured the same way.

Sunday, December 21, 2008

Wildblue.net - Denial of Service Attack?

Today we were hit by four different IP addresses and multiple user agents from the Wildblue.net network in an apparent DoS attack. It ended up causing some problems on our web site. There were about 80 hits in less than one minute.

We have reported the incident to abuse@wildblue.net so hopefully it will not happen again.

Failed Logins - Excellent addition to any web site

Having a display of any recent failed logins, with time, date and computer address, is a GREAT addition to any web site. The benefit of this is that a given user will know if they did not attempt a login at that date/time. Technical users can help non-technical users determine if the IP logged in from does not belong to the owner of the account. I wish every web application in the world had this function. I am adding it to all of mine. Of course this function needs to be secure as well, so it cannot be accessed or modified by hackers through some sort of injection.
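One way to build the feature described above, as an added example that is not from the post: failed attempts go into a table keyed by username, and the account page queries that table for the logged-in user only. The database here is an in-memory SQLite one seeded with constructed rows; the table and function names are this example's own.

```python
"""Record failed logins and show each user their own recent ones.

Added example (not from the post). In-memory SQLite, constructed sample
rows; table and function names are this example's own.
"""
import sqlite3
from datetime import datetime, timezone


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE failed_login ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " ip TEXT NOT NULL,"
        " attempted_at TEXT NOT NULL)"      # UTC, 'YYYY-MM-DD HH:MM:SS'
    )
    conn.execute("CREATE INDEX failed_login_user ON failed_login (username, attempted_at)")
    return conn


def record_failed_login(conn, username, ip, when=None):
    """Call from the login handler when the password check fails.
    Placeholders keep the submitted username as data: a value such as
    "alice' OR '1'='1" is stored literally and cannot change the statement."""
    when = when or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    conn.execute(
        "INSERT INTO failed_login (username, ip, attempted_at) VALUES (?, ?, ?)",
        (username, ip, when),
    )
    conn.commit()


def recent_failed_logins(conn, session_user, limit=10):
    """Rows for the account page. session_user must come from the verified
    session, never from a query parameter, so users only ever see their own."""
    cur = conn.execute(
        "SELECT attempted_at, ip FROM failed_login WHERE username = ?"
        " ORDER BY attempted_at DESC, id DESC LIMIT ?",
        (session_user, limit),
    )
    return cur.fetchall()


def render_failed_logins(rows):
    """Plain-text lines; a web template must still HTML-escape these."""
    if not rows:
        return ["No failed logins recorded."]
    return [f"{when} UTC from {ip}" for when, ip in rows]


def sample_db():
    """Constructed sample: two misses on alice, one on bob, and an attempt
    whose 'username' is an injection payload (RFC 5737 documentation IPs)."""
    conn = open_db()
    record_failed_login(conn, "alice", "203.0.113.7", "2008-12-21 09:15:00")
    record_failed_login(conn, "alice", "203.0.113.7", "2008-12-21 09:15:30")
    record_failed_login(conn, "bob", "198.51.100.4", "2008-12-21 10:00:00")
    record_failed_login(conn, "alice' OR '1'='1", "198.51.100.9", "2008-12-21 10:05:00")
    return conn
```

Two things keep the list from becoming an attack surface: the parameterized queries (the payload username above is matched only against its own literal row, so it can neither widen the SELECT nor rewrite anything) and taking the username from the authenticated session rather than from the request, so nobody can pull up another account's history. The IP shown is the one the server recorded; behind a proxy that means reading the right forwarded header rather than the socket peer.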

Thursday, December 18, 2008

Strange Traffic = IE5 + Opera?

Got a whole bunch of requests on a site tonight from this user agent:

Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.05 [en]

This looks a little odd, and the traffic was hitting the same site alternately on www. and without the www. - basically hitting all the pages in the site.

The IP address: 67.43.136.74

Time: 12/17/2008 7:40:44 PM

Strange Referrers

We're getting traffic directed from strange referring sites. I have noticed this in the past and not sure why it happens, but I am guessing it's related to some sort of hack or attack on our sites and possibly from hacked servers.

Here are some examples with the IP that made the request and the referrer - these three requests came one after another, so I would assume they are related in some way:

24.17.158.209
http://salondirectory.com/results-sp.php?search=landscape%2Blighting&location=ferndale%2C+wa

24.17.158.209
http://www.entertainmentdirectory.com/results-sp.php?bcat=landscape+lighting&place=Ferndale%2C+Wa

67.183.111.250
http://click.zipcodez.com/zip2.php?keyword=organic+gardening&aff=4345&urlparm=ppc&blob=de60dc8b237b1761616efb5f44307d8c-MTIyOTU3NDEzMAk2Ny4xODMuMTExLjI1MAkJcF9yczAxCTQzNDUJb3JnYW5pYytnYXJkZW5pbmcJc3VwZXJwYWdlcwlodHRwOi8vY2xpY2tzLnN1cGVycGFnZXMuY29tL2
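The third referrer carries a `blob` parameter made of a 32-hex-digit prefix, a hyphen, and unpadded base64. As an added example (my code, not the post's), here is that URL, exactly as quoted above, pulled apart: the base64 part decodes to a tab-separated record whose fields, read left to right, look like a Unix timestamp, the same client IP that made the request, an affiliate id matching `aff=4345`, the keyword, and an upstream source and URL. The field labels are my reading of the decoded text, not a documented format.

```python
"""Decode the tracking blob in the zipcodez.com referrer quoted in the post.

Added example, not from the post. REFERRER is the URL as it appears in the
post; the field labels in decode_blob are guesses from the decoded content.
"""
import base64
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

REFERRER = (
    "http://click.zipcodez.com/zip2.php?keyword=organic+gardening&aff=4345"
    "&urlparm=ppc&blob=de60dc8b237b1761616efb5f44307d8c-"
    "MTIyOTU3NDEzMAk2Ny4xODMuMTExLjI1MAkJcF9yczAxCTQzNDUJb3JnYW5pYytnYXJkZW5pbmcJ"
    "c3VwZXJwYWdlcwlodHRwOi8vY2xpY2tzLnN1cGVycGFnZXMuY29tL2"
)


def b64decode_lenient(s):
    """Decode base64 whose '=' padding was dropped or that was cut off in the log."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


def decode_blob(referrer):
    """Split blob into prefix/base64, decode, and split the record on tabs."""
    query = parse_qs(urlsplit(referrer).query)
    blob = query["blob"][0]
    prefix, _, encoded = blob.partition("-")
    fields = b64decode_lenient(encoded).decode("utf-8", "replace").split("\t")
    ts = int(fields[0])
    return {
        "prefix": prefix,                    # 32 hex digits (MD5-digest length); meaning unknown
        "timestamp": ts,                     # guessed: Unix time of the click
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "client_ip": fields[1],              # guessed: matches the requesting IP in the log
        "affiliate": fields[4],              # guessed: equals the aff= parameter
        "keyword": fields[5],
        "source": fields[6],                 # guessed: upstream network name
        "upstream_url": fields[7],           # cut off where the log line ended
        "raw_fields": fields,
    }
```

The timestamp decodes to 2008-12-18 04:22:10 UTC, the evening of December 17 US Pacific time, which lines up with the date of this post, and the embedded IP is 67.183.111.250, the address that made the request. A blob that carries the click time, the clicker's IP, the affiliate id and the upstream network is what a pay-per-click redirect chain passes along between hops; whether the clicks themselves are real visitors is a separate question the blob cannot answer.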

Friday, December 05, 2008

Zero Day Threat

Here's a very interesting blog with some good security topics:

Zero Day Threat

Monday, December 01, 2008

AOL Traffic Spam - MOOZILLA

We have a site that literally just got bombed by traffic from AOL with user agent MOOZILLA. The interesting thing is that the IP addresses in each request are not the same. Is someone initiating a bunch of different sessions to try to kill the server? What is this? We've notified AOL...we'll see if that does any good.

Sample traffic:

12/1/2008 10:32:03 PM 207.200.116.138
12/1/2008 10:32:03 PM 207.200.116.138
12/1/2008 10:32:03 PM 207.200.116.69
12/1/2008 10:32:03 PM 207.200.116.138
12/1/2008 10:32:03 PM 207.200.116.136
12/1/2008 10:32:03 PM 207.200.116.69
12/1/2008 10:32:02 PM 207.200.116.136
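The pattern in this post, the Wildblue hits above (four IPs, about 80 hits in under a minute) and the CitySearch traffic (the same IP several times in a row, several IPs within seconds of each other) can all be picked out of a raw log the same way. As an added example, not from the post: the seven sample lines above are parsed exactly as written, a second set of constructed lines stands in for normal traffic, and two checks run over them, one for an IP hitting more than N times within the same second, one for any time window holding many hits from several sources. The function names and the normal-traffic lines are this example's own.

```python
"""Spot traffic bursts in a plain "date time IP" access log.

Added example, not from the post. SAMPLE_AOL is the seven lines quoted in
the post; SAMPLE_NORMAL is constructed ordinary traffic.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_AOL = [
    "12/1/2008 10:32:03 PM 207.200.116.138",
    "12/1/2008 10:32:03 PM 207.200.116.138",
    "12/1/2008 10:32:03 PM 207.200.116.69",
    "12/1/2008 10:32:03 PM 207.200.116.138",
    "12/1/2008 10:32:03 PM 207.200.116.136",
    "12/1/2008 10:32:03 PM 207.200.116.69",
    "12/1/2008 10:32:02 PM 207.200.116.136",
]
# Constructed: a few visitors spread over an hour (RFC 5737 documentation IPs).
SAMPLE_NORMAL = [
    "12/1/2008 9:05:10 PM 198.51.100.20",
    "12/1/2008 9:12:44 PM 203.0.113.5",
    "12/1/2008 9:40:01 PM 192.0.2.77",
    "12/1/2008 10:02:30 PM 198.51.100.20",
]

LOG_LINE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """'12/1/2008 10:32:03 PM 207.200.116.138' -> (datetime, ip), or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"), m.group(2)


def repeat_offenders(lines, threshold=3):
    """IPs seen `threshold` or more times within a single second."""
    per_second = Counter(h for h in map(parse_line, lines) if h)
    return sorted({ip for (_, ip), n in per_second.items() if n >= threshold})


def find_bursts(lines, window_seconds=60, min_hits=20, min_ips=3):
    """Windows of `window_seconds` holding >= min_hits requests from
    >= min_ips distinct addresses. Sub-windows of one burst are reported once."""
    hits = sorted(h for h in map(parse_line, lines) if h)
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(hits):
        t0 = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] - t0 <= window:
            j += 1                           # extend the window from hit i
        span = hits[i:j]
        ips = {ip for _, ip in span}
        if len(span) >= min_hits and len(ips) >= min_ips:
            bursts.append({
                "start": t0.strftime("%Y-%m-%d %H:%M:%S"),
                "end": span[-1][0].strftime("%Y-%m-%d %H:%M:%S"),
                "hits": len(span),
                "ips": sorted(ips),
            })
            i = j                            # skip past the burst just reported
        else:
            i += 1
    return bursts
```

Run with `repeat_offenders(SAMPLE_AOL)` and `find_bursts(SAMPLE_AOL, window_seconds=5, min_hits=5, min_ips=3)`: the first flags 207.200.116.138 (three hits in one second), the second reports a single two-second burst of seven hits from three addresses. Rotating user agents, as in the Wildblue case, do not affect either check because both key only on time and source address; what the thresholds should be depends on the site's normal peak, so calibrate them on a quiet week before turning them into a block list.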