Saturday, April 25, 2009

Calls on Inactive Number

It is interesting that I get phone calls on an invalid phone number that has been temporarily disabled. The phone numbers are clearly crappy phone calls where someone is trying to sell me garbage about publishing books or something.

How is it that when these people call this number they are able to get passed through to me on my other phones when supposedly this number is inactivated? Are they basically hacking some system to get through? Or did the phone company make some kind of mistake when they parked my number?

I have long wondered if somehow this number was hacked in some way. I switched my business number to a local number and suddenly got a bunch of leads and calls. It was kind of odd because shortly after the switch it kind of died down again.

Additionally, one of the guys who hired me suddenly couldn't call me anymore. Not sure how he fixed it. Now other people are complaining they have called me but were not able to get through.

Is this all random? Are our phone systems all hacked too?

Friday, April 17, 2009

Images in frames not showing up in IE8

Another interesting change in IE8 - images in frames do not show up if the parent page is HTTPS and the inner frame is trying to display images from a URL using HTTP.

I'm torn on this point. First, it's better security to enforce a whole page to be completely HTTPS. On the other hand, do you know how many web sites are going to be completely non-functional by enforcing this? Additionally, this is not the functionality provided by other browsers. I think people will just switch over to a browser that works in this case.

What are the implications of displaying an image from an http url vs an https url on an https encrypted site? It's just an image, not a page with functionality right? However sometimes images can be used to create hacks (search on hack + gif, etc. in Google).

I'm not so sure about this but will just have to make it work somehow in case it doesn't change I guess.
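The situation above (an HTTPS page pulling images, scripts or frames from http:// URLs) is what browsers call mixed content. As an added example that is not part of the original post, here is a small standard-library Python script that scans a page's HTML for subresources that would load over plain HTTP. The page URL and the HTML snippet are constructed for the example, and the script goes a little beyond the post by also checking scripts, stylesheets, frames and srcset, since those are the same kind of problem.

```python
"""Find mixed content: http:// subresources referenced from an HTTPS page.

Added example, not code from the original post. Standard library only.
The page URL and the HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class _SubresourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every fetched subresource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; take each URL.
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for c in candidates:
                # urljoin resolves relative and protocol-relative ("//host/x")
                # references against the page URL, so "//cdn/x" on an HTTPS
                # page becomes https:// and is not flagged.
                self.found.append((tag, urljoin(self.base_url, c)))


def find_mixed_content(html, page_url):
    """Return [(tag, url)] for subresources an HTTPS page would load over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.found
            if urlsplit(url).scheme == "http"]


# Constructed sample page (not a real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
</head><body>
<img src="http://static.example.com/logo.gif">
<img src="//static.example.com/banner.png">
<img src="/images/ok.png">
<script src="http://cdn.example.net/lib.js"></script>
<iframe src="https://www.example.com/inner.html"></iframe>
<img srcset="http://static.example.com/a-1x.png 1x, https://static.example.com/a-2x.png 2x">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f"mixed content: <{tag}> loads {url}")
```

The usual fix is to reference subresources with https:// or protocol-relative (//host/path) URLs, which the scanner treats as clean; an http:// script or stylesheet is the more serious case because it can run code in the page, whereas an image can only be swapped or used to track the viewer.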

Mac BotNet - Zombie Macintosh Computers

This article points out three things:

Mac BotNet

1. If you download free software off the Internet there may be malware embedded in it. Free is not always free. Who's auditing free software anyway?

2. This is the first reported Mac botnet. Macs are as vulnerable as PCs; they just aren't typically targeted as much. Most likely if the Mac user base grows significantly this will change. Also, if Macs are not attacked as much and are not as on top of security as Windows is in encouraging computer owners to update, Mac owners may be more vulnerable. Update your software!

3. Web sites that allow comments after their articles and don't pay attention or moderate them are degrading the quality of their sites.

Tuesday, April 14, 2009

Directory Harvest Attacks - Asia

Recent directory harvest attacks from RIPE and LACNIC:

Begin Time 04/14 10:31:35
End Time 04/14 10:32:47
IP Address 217.197.245.64

Begin Time 04/14 20:56:20
End Time 04/14 20:57:48
IP Address 201.170.118.229

Begin Time 04/14 21:00:38
End Time 04/14 21:02:07
IP Address 201.21.233.128

Weird QuickTime Issue

I uploaded a .tif file to a web site and then when I tried to download it, QuickTime was trying to open it. Why is QuickTime, a movie application, trying to download a .tif file and other static images in my browser? That's odd isn't it?

Then, I tried to change the browser plugin to NOT open any static images - tiffs, jpgs, gifs, etc. I also stopped it from auto playing movies. I restarted my browser. After doing that the plugin continued to try to download the tifs. Why?

I searched around for a way to completely eliminate the plugin from my browsers but couldn't figure that out in a quick fashion, so I ended up just completely removing QuickTime from my computer. After doing that I was able to download the tif files without any problem and without them being embedded in my browser, which is NOT what I wanted.

Is there something odd going on here with QuickTime? I know QuickTime is included with QuickBooks for some reason. Not sure what that was all about.

IE8 - Lots of problems

Is anyone else having a lot of problems with Internet Explorer 8 like I am? Basically a lot of forms aren't working because it seems like some ways to access the DOM or document object model have somehow changed. These same sites work in IE 7 and also Firefox so not sure why they don't work in IE 8. I cannot believe these changes are not affecting other web sites as the programming is very common. Nothing obscure or tricky going on in these web sites - just getting values out of fields via the document object model. What's up with these changes?

Recent Directory Harvest Attacks

Looks like there were quite a few directory harvest attacks around Easter. Perhaps those responsible for these directory harvest attacks figured people would have better things to do on the holidays than pay attention to their mail servers.

Begin Time 04/13 23:55:33
End Time 04/13 23:56:47
IP Address 71.68.21.45
Road Runner HoldCo LLC

Begin Time 04/12 20:11:27
End Time 04/12 20:12:59
IP Address 206.252.161.165
Earthlink, Inc.

Begin Time 04/12 15:57:26
End Time 04/12 15:58:59
IP Address 69.171.162.121
Cricket Communications Inc

Begin Time 04/12 12:53:01
End Time 04/12 12:54:39
IP Address 71.188.170.110
Verizon Internet Services Inc.

Begin Time 04/12 09:44:12
End Time 04/12 09:45:51
IP Address 72.14.74.9
ISP Alliance, INC. / Sjoberg Cable MNCABLE

Thursday, April 09, 2009

Intuit.com - Backup.com - Security Issues

I just tried to get an email from Intuit. They send automated emails from a system and those emails never come to me. They just sent me a temporary password for a system and I'm not getting the email. I'm 99% sure I was entering the right password in the first place and I don't think I ever changed that password so not sure why it wasn't working.

When I do an nslookup to get the MX records for Intuit.com I get 5 mail server IP addresses. I checked in Postini and these IP addresses are not blocked. Additionally, this domain does not have TLS enforcement on. No, the emails are not in any spam boxes.

So I've been on hold going around in circles with this person online who clearly is not a native English speaker and although I asked if this email was coming from an INTUIT.COM email server many times, finally I asked him - is this email coming from within the US? All intuit mail servers are on a 12.x.x.x IP address so if coming from an INTUIT.COM mail server this email would be coming from the US (ARIN).

Finally the guy admits that the mail is coming from a server in India. I have some IP ranges blocked in India due to spam. Aha. Now we are getting somewhere. So to unblock these mail servers I need to know the specific server from which the mail is coming.

Personally, I would rather that Intuit send such emails from within the United States. I also did not like the fact that Intuit is using some unknown mail server to send my passwords for all my backup information around and that it is not one of the intuit specified mail servers so I can enforce TLS encryption and receive my password securely. I also tried to check if Intuit mail servers support TLS and got booted off the mail server so not sure if it is safe to force TLS and ensure emails regarding my backup service and financial applications are secure.

But at this point I thought I understood what the problem was. Wrong.

After getting escalated again to another manager he told me that the mail was not coming from INTUIT.COM but rather BACKUP.com. So again I look up the mail servers and can see that the mail is coming from 4 Symantec mail servers. Again I dig through with nslookup and figure out that these mail servers are in the US (Arin) and are not blocked by my mail system.

The manager suggests sending to an alternate email address. OK that will take two days for them to set up and in the meantime my password is floating around out there. Great.

But wait...just as he's about to do this...he notices that the email address in the online backup system is spelled wrong. Two letters are transposed in the system. Hmm. I have gotten many emails from Intuit and I know that I have not recently changed my email address with them. So apparently my emails from them at some point started going to this alternate misspelled domain name. I checked and the domain name WAS previously registered. That means apparently in the past someone would be able to get my emails from them and potentially get hints as to what my password was and/or call into them and get my backup password information.

Of course they assure me no one else has gotten into my backups. Probably because they do not want to be liable when it is uncovered that someone has stolen all the financial and business information I have been backing up with them.

I assume when Intuit has you put in email addresses for a backup system which is highly critical, that they verify the person who put in the email got an email back from them before they start sending passwords out this way to that email address.

This is a pretty serious problem if you ask me. I am now wondering who has stolen all my data that I have tried to back up with them for security reasons.

Finally -- I'm wondering how, after they reset my password to a temporary password - I can still backup my files. If the password has been reset shouldn't access to the backup system be denied if my local software is using the old password?
_____

OK I just got a call from Intuit again and this manager I was speaking to told me they have regenerated the password email. I still do not have any emails from them. I am calling in again. The person I got on the phone is trying to get information from me and I'm telling him just to get me back to that person so I don't have to spend another hour and a half on the phone....

...ok got through to that person again. Apparently he called and told me the email went through but he checked some system and the change to the email to correct it was not made. So he's going to go back and check again. He says usually this process takes a couple of days and he's pushing it through so I appreciate that. It's just kind of a huge hassle to get this resolved.
____

Hours later...still no email from Intuit. I guess I'll have to call tomorrow a.m.
____

Next day... I had two emails telling me this issue was resolved and asking for feedback...trying to call again...they are making me go through all the questions again and asking what the problem is over and over again...this is really annoying. Don't they have my business name and all that related to the case number?

...OK the manager I was supposed to ask for is going to call me back in 15-20 minutes....
____

I got a call. It was more than 15-20 but I got a call so that's good. I had to leave my house by that time to run errands so wasn't at my computer. The email hadn't arrived by the time I left my house. The manager re-initiated the email shortly after he called me and when I was able to login to my computer a few minutes later the email finally arrived.

The strange thing is that he told me he received confirmation that the automated emails were sent prior to this one - they never arrived. So why did this one?
____

And in summary...I don't trust online backup anymore. Encryption shemcryption. It doesn't matter if someone can compromise your password - and even after the password has been changed, the software still allows access to upload and download files. Somehow my email got changed in their system, someone set up a fake domain potentially and got access to the files.

Security is not about encryption only. Security is about process and people and auditing and verification and surprise random testing and monitoring.

From here on out I think I'll figure out a way to encrypt my local files before I send them over to the online backup service. This is a total pain, however, as it depends on me remembering my password to encrypt and decrypt the files.

I think I will also set up a periodic test to download and decrypt my files to make sure someone has not again changed my email, gotten my password, etc. But now it's probably too late. Someone probably has my pertinent data if they already got in there and there's not much I can do about it.
___

Oh and for the record, the email did not come from backup.com OR intuit.com. It would be nice if the service people knew what they were talking about in that regard as well. However it should still be coming from an Intuit mail server and those servers should publish that they use TLS so people can enforce end to end TLS.

Wednesday, April 08, 2009

Firefox Keylogger

When I start up Firefox using some software that is supposed to alert to keyloggers it says there's some keystroke polling/logging going on when Firefox starts up. When I block whatever this software is, nothing I type into Firefox shows up. The same is not true of Internet Explorer. Maybe this keystroke logging / polling is part of Firefox and to be expected. Wish I understood this better and could see exactly what Firefox is doing.

Clearwire Nodes

Yesterday I noticed one Clearwire node in my local network while using my Clearwire card. I restricted access from that node to my computer. Then others popped up as noted in my last post. The thing I find odd is that yesterday I only had one node in my network after using Clearwire for quite a while. Since blocking that one node, I've got tons of Clearwire nodes popping up in my network constantly. Today when I checked there were 53 Clearwire nodes in my network with "protected" access to my machine, whatever that means.

Also strange - today when I turned on my computer and had my clearwire card plugged in, my computer would not boot up. It kind of froze on start up. The disk was spinning like it was trying to do something but it just kind of sat there. This may have nothing to do with Clearwire at all and just a coincidence. I removed the Clearwire card, rebooted, and the computer was fine. Then I restarted again with the Clearwire card, and it was fine again.

Not sure if any of this is related or matters, just reporting what I see.

Tuesday, April 07, 2009

Machine Accessing My Computer on Clearwire Network?

I was just checking out what was out there connecting to my computer while logged into Clearwire. I noticed a strange machine I didn't recognize had restricted access to my computer. I blocked all access. Then another machine popped up. I blocked that one. And so on and so on until I blocked 7 different IP addresses. When I looked them up they all belonged to Clearwire, the network I happen to be connected to at the moment.

So my question is, why does a clearwire machine need access to my computer while connected to their network? After blocking these machines my network still seems to work, so I don't think this is required for network connectivity. In my opinion these machines should not be connecting to my machine. I should connect to their machines when I choose, not vice versa. Is this intentional for some type of network optimization, or is something more devious going on here?

The IPs in question, which are apparently a variety of Microsoft, Apple and other adaptors, are:

96.26.200.234
75.92.204.151
75.92.167.167
96.26.197.19
75.92.248.37
74.61.30.136
74.60.6.73

Sunday, April 05, 2009

Different Browser - Different Google - Same Computer

Just wondering why when I search in Google on the same computer with two different browsers I get different search results for some keywords. I thought Mozilla was off in the past and IE was correct. Now I'm not sure anymore. I know all caching is turned off on my machine. I also turned off a bunch of add-ons and even uninstalled Google toolbar to see if that made a difference. What in the world is going on...is Google displaying different results based on user agent? Is my ISP caching results? Is IE8 doing something weird? What?

I looked further and have something called Search Wiki running. I am not sure how that got onto my computer. Did I install it? I don't remember installing it...The strange thing is it used to only be in Firefox - now it's in IE 8 but it's no longer in Firefox. When I choose to move pages up or down using Search Wiki it totally skews Google results across searches I didn't alter and removes other pages I haven't removed from the search results as well.

I can see pros and cons of this application. The biggest con of all would be someone altering a person's search results on their computer to make them think they have #1 Google rankings when they don't. Con as in con man. But this tool does have some useful application like blocking out sites from search results you don't like. Problem with that is it pretty much skews all your search results across broad categories of pages which I'm not sure is a good thing since Googles search algorithms already work pretty well. I found using search after that had some problems when the results were skewed.

Wednesday, April 01, 2009

Network Solutions certificate re-issue seems to be broken

When I submit a request to reissue a certificate at the Network Solutions web site I get a blank screen after submitting the request. After calling in today I emailed back and forth with someone through their ticket system. After fixing a few issues on my email system, my emails worked up to the point where I sent them the certificate request. However when I sent them the CSR, suddenly the guy noticed that someone started managing the queue and taking out all the messages when they had previously been ignoring it. The CSR took quite a while to come through while the other messages came through almost instantly. He put me on hold for five minutes while he waited for it and finally came back on the phone when he got it. At that point they were supposed to send me back a signed certificate. However sending a certificate through their automated system failed. It never came through. So finally the guy (again, as always) just manually emailed me the certificate. This has happened for the past three years. When I tried to get the issue resolved with the guy, he said basically all SRS Plus people have to get their certs this way. It never works.

For three years? The directions on the web site are wrong for three years? They haven't fixed their systems for three years? Network Solutions is a big company right?

So, I cannot get the reissue to work on the web site, I cannot get the cert off the web site because some tab I'm supposed to see is missing, their automated system for sending me a certificate doesn't work, and my emails get flagged as spam when they are not, and they get more messages from me than I've actually sent.

Not sure what is going on, but I did not send 17 emails to them. I did not send Viagra spam. The second guy told me he didn't see any spam in the system from me as the first guy claimed. Who is telling the truth here? Why is my email getting flagged as spam?

It is hard to believe with these kind of issues that these certificates are reliable.

On the phone however the guy claimed someone has hacked the Verisign EV certificates in some super secret presentation. Basically they could hack a PayPal cert. Is this true or is this just some line to keep people from buying an EV cert? Who knows.

I think it would take getting a PhD to have the time to study and validate all these things. Maybe I will.
---

Update. Finally working.

Ok there is no issue with my SPF records. SPF records are good.

Email is going through Postini.

Messages previously failing are getting through. Emails are flowing in from places I haven't gotten email from in a month or months.

I can look up email servers to see if they support inbound TLS. I have been able to resolve some inbound and outbound TLS restrictions finally and people say they are getting the emails.
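The check mentioned here, and the one the Intuit post above wanted before enforcing TLS on Postini (does this mail server actually advertise STARTTLS, and does its certificate validate?), can be scripted. This is an added example, not code from the original posts or from any product; it uses only the Python standard library. The host names are assumptions, and the EHLO replies in the block are constructed rather than captured from a real server. Find the MX hosts first with `nslookup -type=mx domain`, as the post does, then run the live check against each.

```python
"""Check whether a mail server advertises STARTTLS and completes a verified
TLS handshake. Added example, not from the original posts. Standard library
only. check_starttls() uses the network; parse_ehlo() is the offline part and
is exercised on constructed EHLO replies below. Host names are assumptions.
"""
import smtplib
import ssl
import sys


def parse_ehlo(reply: bytes) -> dict:
    """Return {EXTENSION: args} from a multi-line EHLO reply.

    The reply is '250-domain' followed by one '250-EXT args' line per
    extension, the last using '250 EXT args'. The first line only names
    the server and is skipped, as smtplib does.
    """
    lines = [l.decode("ascii", "replace").rstrip("\r")
             for l in reply.split(b"\n") if l.strip()]
    exts = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop '250-' or '250 '
        if body:
            name, _, args = body.partition(" ")
            exts[name.upper()] = args
    return exts


def supports_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (b"250-mx.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n"
                 b"250-PIPELINING\r\n250 8BITMIME\r\n")
EHLO_WITHOUT_TLS = b"250-mx.example.com\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def check_starttls(host: str, port: int = 25, timeout: float = 10) -> dict:
    """Live check: connect, EHLO, and if STARTTLS is offered negotiate it and
    validate the certificate against the system trust store (so a server
    that offers TLS but presents a bad certificate is reported as tls_ok=False)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return {"host": host, "starttls": False, "tls_ok": False}
        try:
            s.starttls(context=ctx)
            s.ehlo()  # extensions must be re-read after the upgrade
            subject = s.sock.getpeercert().get("subject")
            return {"host": host, "starttls": True, "tls_ok": True, "subject": subject}
        except ssl.SSLError as exc:
            return {"host": host, "starttls": True, "tls_ok": False, "error": str(exc)}


if __name__ == "__main__":
    if sys.argv[1:]:
        for host in sys.argv[1:]:
            print(check_starttls(host))
    else:
        print("sample with TLS:", supports_starttls(EHLO_WITH_TLS))
        print("sample without TLS:", supports_starttls(EHLO_WITHOUT_TLS))
```

Only enforce TLS for a domain after every MX host reports starttls and tls_ok; a single MX that lacks STARTTLS or presents an invalid certificate is enough to make enforced delivery fail in exactly the way the Intuit post describes.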

I was able to get my SSL cert from Network Solutions after two weeks in a very odd fashion and, unbelievably, install it and it worked (only the second try this time and didn't really have to go around in circles on hold for hours like last time - though I did have to call in twice and they called me twice).

I just hope the SSL cert is legit after all that rigamarole.

Recent Directory Harvest Attacks

Event Type Directory Harvest Attack
Begin Time 04/01 13:39:07
End Time 04/01 13:40:21
IP Address 68.204.153.83

Event Type Directory Harvest Attack
Begin Time 04/01 01:05:49
End Time 04/01 01:07:03
IP Address 68.40.159.253

Event Type Directory Harvest Attack
Begin Time 03/30 17:13:50
End Time 03/30 17:14:57
IP Address 173.78.34.160
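The directory harvest attack records listed here and in the two other "Directory Harvest Attacks" posts above come from the mail filter's reporting. If you run your own MX, the same pattern (one client hammering many distinct, mostly non-existent recipients inside a minute or two) can be spotted in the server log. As an added example that is not part of the original posts, the following standard-library Python script does that over Postfix-style reject lines. The log lines are constructed for the example and use documentation-range IPs; the window and threshold values are assumptions, not settings from any product.

```python
"""Flag directory harvest attacks (DHA) in Postfix-style SMTP logs.

A DHA looks like one client IP trying many distinct recipients that do not
exist, in a short window. This is an added example, not code from the
original posts; the log excerpt is constructed (documentation-range IPs)
and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Postfix "User unknown" reject line: capture timestamp, client IP, recipient.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from [^\s\[]+\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def detect_dha(log_text, year=2009, window_seconds=120, min_unknown_rcpts=5):
    """Return {ip: {distinct_unknown, begin, end}} for clients that hit at
    least min_unknown_rcpts distinct unknown recipients within any
    window_seconds span. Repeated attempts at the same address count once."""
    events = defaultdict(list)  # ip -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # accepted mail and other rejects are not DHA evidence
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["rcpt"].lower()))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        for i, (t_start, _) in enumerate(evs):
            # Every event from this one forward that falls inside the window.
            span = [(t, r) for t, r in evs[i:]
                    if (t - t_start).total_seconds() <= window_seconds]
            distinct = len({r for _, r in span})
            if best is None or distinct > best["distinct_unknown"]:
                best = {"distinct_unknown": distinct,
                        "begin": t_start, "end": span[-1][0]}
        if best["distinct_unknown"] >= min_unknown_rcpts:
            flagged[ip] = best
    return flagged


# Constructed log excerpt: one harvester (203.0.113.7) walking an alphabetical
# list, and one legitimate sender (198.51.100.9) with a single typo'd address.
_R = ("mx1 postfix/smtpd[{pid}]: NOQUEUE: reject: RCPT from {client}: 550 5.1.1 "
      "<{rcpt}>: Recipient address rejected: User unknown in local recipient table; "
      "from=<{sender}> to=<{rcpt}> proto=ESMTP helo=<mail>")
SAMPLE_LOG = "\n".join([
    "Apr 12 20:11:27 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="aaron@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:11:28 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="abby@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:11:30 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="adam@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:11:33 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="alan@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:11:41 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="alex@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:12:59 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="amy@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:13:00 " + _R.format(pid=4123, client="unknown[203.0.113.7]", rcpt="aaron@example.com", sender="news@bulk.invalid"),
    "Apr 12 20:20:05 " + _R.format(pid=4130, client="mail.partner.invalid[198.51.100.9]", rcpt="bob.smtih@example.com", sender="alice@partner.invalid"),
    "Apr 12 20:20:40 mx1 postfix/smtpd[4130]: 7F3A2C1D: client=mail.partner.invalid[198.51.100.9]",
])

if __name__ == "__main__":
    for ip, info in detect_dha(SAMPLE_LOG).items():
        print(f"DHA from {ip}: {info['distinct_unknown']} unknown recipients "
              f"between {info['begin']:%m/%d %H:%M:%S} and {info['end']:%m/%d %H:%M:%S}")
```

The begin/end pair mirrors the "Begin Time / End Time / IP Address" records shown in the posts, so the output can be compared with what the filter reports; the legitimate sender's single typo stays below the threshold, which is the point of counting distinct unknown recipients rather than raw rejects.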