locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Sun, 27 Feb 2005 00:00:00 00, 372
Mass Referrer Marketing? SPAM and Scam

Investigating the referrer spam in my web log files further, I came across a seemingly benign entry, www dot adminshop dot com. I'm curious who is referring folks to my site, so I visit this URL (don't bother), which turns out to be a vendor of what is called Mass Referrer Marketing software. I won't give the company any air time by revealing the name.

This referrer spammer promotes its own software, a "windows-based tool that enables anyone to send whatever website address(es) they wish to hundreds of thousands of sites as a referrer string, quickly and without any manual work" that comes with a "pregenerated URL list of 11,909 unique blog websites to get you started" - in other words, they sell you the software, and sell you sites most likely to be duped into referring to your site when you spam them, or as the marketing collateral argues, "Instant and high volume traffic to your site(s) from both webmasters checking their referrer statistics and surfers on sites that display their referrer statistics publicly."

They are entirely open about what they do. No conscience, no sense of community, just folks out to make money the old-fashioned way: scam it.

One amusing note. The contact email at this site is typed using name (at) domain instead of name@domain. The webmaster is apparently concerned that the company might be the target of SPAM.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID372 by Dave Piscitello  


Sat, 26 Feb 2005 00:00:00 00, 371
Referrer spam

I've had my first encounter with referrer spam at my web site. Referrer spam is a good example of how automated publishing can be exploited. Referrer spam exploits the basic browser operation of passing along the URL of a web page to the next page visited. So if you visit www.securityskeptic.com, and then go to www.corecom.com, the HTTP request will contain www.securityskeptic.com as the referrer.

And so will a log record of this event.

Spammers can co-opt this normal process rather easily, by submitting requests to a site with the referrer field populated with a site they want you to notice. The result is that web logs of sites spammed in this manner have incorrect and misleading statistics. Aside from creating statistical anomalies, how is this exploitable?

A common purpose of spam is to call your attention or draw you to a spammer's affiliate web site. It seems that enough blogging and web sites are overly zealous to demonstrate their site is visit-worthy, so they process logs, analyze referrers, and post the top visitors and referring links. The process is automated, so referrer spam can covertly bias the analysis, and blog and web sites include links to sites that host porn, phishing, and bogus products. So much for automation, eh?

Mike Healan has written a very good article about referrer spam at spywareinfo.com. He makes some interesting recommendations on how to block referrer spam. Unfortunately, the techniques rely on blacklisting: as your web server processes HTTP requests, detect and rewrite the bogus referrers to a benign site. Several referrer spam blacklists exist to help you jumpstart.

The problem here is the same as blacklisting spam or adware. You enter an arms race with spammers: you update the list, they use a different domain name. What then? When blacklisting begins to fail, are we going to buy security products that visit referring links and scan content?

Perhaps reconsider whether you really need to cater to your testosterone by showing everyone how popular your site is.
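As an added example (not part of the original posts, and not Mike Healan's or any blacklist project's code), the following Python script does after the fact what the blacklisting defence described above does in the web server: it parses Apache/IIS "combined" format log lines, rewrites any referrer whose domain is on a blacklist to "-", and then produces the kind of "top referrers" report that referrer spammers are trying to game. The log lines and the spam domains are constructed placeholders, not entries from this site's logs; the blacklist contents are an assumption. It also covers the Mass Referrer Marketing post above, since that tool's output is exactly what these log lines look like.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/IIS "combined" log format: the referrer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: two genuine visits plus three referrer-spam hits.
# The spam referrer domains are placeholders (.example), not real sites.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2005:10:01:02 -0500] "GET /index.htm HTTP/1.1" 200 5120 "http://www.corecom.com/" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2005:10:03:15 -0500] "GET /antivirus.htm HTTP/1.1" 200 8811 "http://www.google.com/search?q=antivirus" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2005:10:04:00 -0500] "GET / HTTP/1.0" 200 5120 "http://spam-pills.example/" "Mozilla/4.0"
198.51.100.7 - - [26/Feb/2005:10:04:01 -0500] "GET / HTTP/1.0" 200 5120 "http://spam-pills.example/" "Mozilla/4.0"
198.51.100.8 - - [26/Feb/2005:10:05:30 -0500] "GET / HTTP/1.0" 200 5120 "http://cheap-loans.example/" "Mozilla/4.0"
"""

# Assumed blacklist of referrer domains already known to be spam. As the post
# says, it only catches domains somebody has already added to it.
REFERRER_BLACKLIST = {"spam-pills.example"}


def referrer_host(referrer):
    """Return the lowercase hostname of a referrer URL, or '' if there is none."""
    if not referrer or referrer == "-":
        return ""
    return (urlsplit(referrer).hostname or "").lower()


def is_blacklisted(referrer, blacklist=REFERRER_BLACKLIST):
    """True if the referrer's host, or any parent domain of it, is blacklisted."""
    labels = referrer_host(referrer).split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def sanitize_log(text, blacklist=REFERRER_BLACKLIST):
    """Parse log lines and rewrite blacklisted referrers to '-'.

    Returns a list of (client, request, referrer) tuples; malformed lines
    are skipped rather than guessed at.
    """
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        referrer = m.group("referrer")
        if is_blacklisted(referrer, blacklist):
            referrer = "-"  # the benign rewrite the post describes
        rows.append((m.group("host"), m.group("request"), referrer))
    return rows


def top_referrers(rows, n=5):
    """Count referring hosts, ignoring empty and rewritten referrers."""
    counts = Counter(referrer_host(r) for _, _, r in rows)
    counts.pop("", None)
    return counts.most_common(n)


if __name__ == "__main__":
    for host, hits in top_referrers(sanitize_log(SAMPLE_LOG)):
        print(f"{hits:4d}  {host}")
```

Run it and the blacklisted domain disappears from the report, but the second spam domain, which nobody has listed yet, still shows up as a "top referrer": that is the arms race the post describes, in five log lines.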

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID371 by Dave Piscitello  


Fri, 25 Feb 2005 00:00:00 00, 370
Global digital divide is narrowing?

BBC reports that the World Bank takes exception to the UN's campaign to increase technology access and use in 3rd world (a.k.a., poorer) nations.

The World Bank apparently feels that having achieved a 50% access to fixed-line telephone, and 77% to cellular service, the world community has closed the gap faster than anticipated. Apparently, the WSIS's conservative campaign goal was 50% by 2015.

I don't imagine the World Bank wishes to be perceived as suggesting we relax for a decade, but don't the deployment figures suggest momentum? Even the most skeptical might at least concede that near-term profits were lucrative, and there's more left to be had, no?

I'm not impressed with the figures, nor the conservative goals. And I'm not certain that counting landlines and cellular subscribers is the most accurate means of measuring the Digital Divide.

Perhaps we could give World Bank officials a taste of what it's like to be digitally divided? Let's have them share a single fixed line and telephone between two offices. Better: let's have four officials share three cell phones.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID370 by Dave Piscitello  


Thu, 24 Feb 2005 00:00:00 00, 369
When you can't see the apostrophe...

I'm listening to a Savannah area Pop 40 "morning" show while driving my daughter to school today. One of the radio personalities begins chatting about a couples' shower she has to attend with her husband. I'm momentarily lost - either this woman has an entirely different notion of a "couple's" shower than I (fondly) recall from my younger, less inhibited days, or she's about to take the conversation in an even edgier direction than I want to hear with my twelve-year-old in the passenger seat.

I reach to change the station, and one of the male personalities begins to whine about how awful "couples'" baby showers are. I relax, and think about how easily one can misinterpret the spoken rather than printed word.

And how a one-character shift of an apostrophe in a word can change a really pleasant experience into a considerably less pleasant one :-)

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID369 by Dave Piscitello  


Mon, 21 Feb 2005 00:00:00 00, 368
New Yorker Commentary: Homeland Insecurity

Find time to read William Finnegan's commentary, Homeland Insecurity, in the February 7, 2005 issue of The New Yorker.

In the column, Finnegan refers to Stephen Flynn's book, America the Vulnerable, where Flynn draws an analogy between the current state of U.S. "preparedness" against terrorism and the eight months following Hitler's invasion of Germany in 1939, dubbed The Phony War. Finnegan provides facts, background and statistics to corroborate Flynn's analogy, including a sobering look at how the Department of Homeland Security, DOD, Justice Department and Bush Cabinet compete rather than cooperate, and how operators of critical infrastructures and airlines have successfully lobbied to avoid the expense of improving industrial security practices.

Finnegan describes the DHS as "the discouraged, disjointed beast that Michael Chertoff will soon inherit". He concludes the comment with a profound but hopefully not prophetic quote from Flynn...

"The United States is going through its own version of the Phony War. The French and the British did not seriously prepare, when they had the time, for the new style of blitzkrieg warfare that Hitler had introduced in Eastern Europe. By May 1940, when he invaded France, it was too late."

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID368 by Dave Piscitello  


Sun, 20 Feb 2005 00:00:00 00, 367
Firewalls Resource Page

I've written a handful of articles on firewalls. I've created a page of firewall-related resources to provide a "portal" to these and many other firewall resources I've accumulated over the years. If you know of good, recent firewall articles - and classic ones - please help me add to this list.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID367 by Dave Piscitello  


Fri, 18 Feb 2005 00:00:00 00, 366
Report Magic: great complement to Analog

I use a very useful freeware web log analyzer, Analog. The program generates all manner of interesting web statistics. Unfortunately, many of the report graphics are very basic.

Report Magic generates more interesting graphical representations of web log statistics from Analog's output. Like Analog, Report Magic is freeware. Combined, the two programs provide as good a set of web analysis tools as much of the SMB commercial software I've tried. If you run a modest web server environment, on Apache or IIS, give this duo a try.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID366 by Dave Piscitello  


Thu, 17 Feb 2005 00:00:00 00, 364
Congratulations Vint!

It's not often a close friend is honored in such a manner, but Vint is no ordinary friend. According to the New York Times, The Association for Computing Machinery plans to announce that Vinton Cerf and Robert Kahn will receive the 2004 A. M. Turing Award for creating the underpinnings of the Internet.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID364 by Dave Piscitello  


Wed, 16 Feb 2005 00:00:00 00, 365
WiFi High Gain Antenna or Range Extender: Which is Better?

My daughter's schoolhouse is radio-challenged.

First, it really is a house, a rancher about 120 by 26, having evolved from a 60 by 26 by the addition of two extensions. It's a temporary facility while a new school building is constructed.

On first appearance, it should be a piece of cake for wireless. The small biz LAN folks installed a Linksys WRT54G router in a closet located in the dead center of the building, to provide broadband access and bandwidth for 20 lightly-used PCs.

Unfortunately, the "wiring and wireless" closet is entirely composed of brick. It's essentially a 6 by 8 fireplace or mausoleum. Predictably, radio signal emission is weak; combined with the succession of interior walls dividing classrooms in both wings, the school was barely able to sustain 2 Mbps to the computers only 50 feet away.

There are probably other locations where we might position the wireless router, but I decided to take this *opportunity* to try a high gain antenna. Maybe I could brute force the signal from the closet. I purchased a pair of the Linksys 7dB High gain antennae for $40 and installed these. The result was a marginal improvement for stations within 30 feet, but no measurable change for the most remote stations.

I next purchased a Linksys wireless range extender for $70. The WRE54G is the WiFi equivalent of an Ethernet repeater. To install it, you choose a location and plug it in. The device is auto-configurable if you disable wireless security: it associates with the nearest AP, obtains an IP address, and becomes part of the network. You can then use a web administration page to enable wireless security on your now-extended WLAN.

Like any network equipment installation, even a repeater can be a challenge. As any seasoned network veteran would do, I avoided any possible multi-vendor incompatibility by buying a Linksys range extender for a network comprised of Linksys adapters and a wireless router. The mathematicians reading will appreciate that this was a necessary, but not sufficient solution.

Autoconfiguration didn't quite work as advertised. Neither did manual configuration. Eventually, convinced I had done everything by the book, I called Linksys support. Earlier, while upgrading the school computers to Windows XP Service Pack 2, I had called Linksys support to resolve an adapter problem, and they had suggested I upgrade the Linksys WRT54G firmware to 3.03.1. At the time, this did indeed solve the adapter problems I'd encountered. This support call, I was told I should "downgrade" the WRT54G firmware to 2.02.7 for "improved compatibility" with the wireless repeater. Experienced networkers already see where I'm headed, right? I'm mumbling, "You can use service pack 2, or you can extend the range, but you can't extend the range and use SP2" while the support guy is holding his breath...

Surprise! Downgrading actually solved the problem (and this may be a networking first for me...). I downgraded the firmware, reset the range extender to factory defaults, and retried autoconfiguration. Range extender associated with the AP on the wireless router, and once I reconfigured wireless security, all the stations in the now "range-enhanced" wing of the school re-associated with the wireless network. The weakest signal among the computers in that wing is now 36 Mbps. Encouraged, I've ordered a second range extender for the other wing.

The story's not quite over. I swapped the high gain antennae out and re-installed the original equipment pair. The weakest signal among the computers in the wing with the wireless range extender dropped to 24 Mbps.

So the answer to the originally posited question is all of the above.

But if you have to choose, go with the range extender.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID365 by Dave Piscitello  


Remote BHO Scanner

David Glosser has written an antispyware open source Perl script that runs on a Windows host under ActivePerl and TieRegistry. The Perl script scans the registries of all the computers of a Windows domain for the existence of Browser Helper Objects (BHOs), a common form of spyware. The host computer must be a member of the domain and have remote access privileges to the registries of the computers in the domain.

Remote BHO Scanner doesn't remove spyware. It does provide a report of BHOs discovered in the domain. This is an interesting tool for administrators who might want to routinely scan for BHO infestations. The reports will probably help admins convince more senior management that spyware is indeed a corporate as well as consumer problem.

David indicates that Bleeding Snort has volunteered to host Remote BHO Scanner. David also indicates that more information can be found at http://www.mgmg-interactive.com/mgmg/malware.html.

I've only toyed with this script thus far, but it's a very interesting and different way to tackle a growing spyware problem.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID363 by Dave Piscitello  


Tue, 15 Feb 2005 00:00:00 00, 362
Search engine hacker honeypot

A new project at SourceForge provides a reconnaissance tool for identifying attempts to use/abuse search engines like Google to gain unauthorized access to a web site, or to glean information that has not been properly access controlled and is hence "searchable". Check out the Google Hack Honeypot.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID362 by Dave Piscitello  


Fri, 11 Feb 2005 00:00:00 00, 361
Democratising Surveillance

Jody Patilla sent me a link to a very interesting - and sobering - article in the Economist. Move over, Big Brother... examines how pop technology like camera and video cell phone technology takes us beyond the Orwellian notion that "Big brother is watching you" to "everyone is watching you, and digitally recording what many of us consider private actions". The Economist calls this a process of *democratising surveillance*...

You really ought to read this column. I've complained about the difficulties of obtaining a cell phone without a built-in camera. Apparently, my cell phone needs lie well outside the public norm, as camera phone sales, approaching 200 million units annually, outnumber digital camera sales by a factor of three, and film cameras by a factor of four. This phenomenal figure underscores the column's concern that (illegal) surveillance is essentially commoditized (i.e., "cheap": consider how many of these phones are free with an annual service contract, and how even discarded models can continue to have *interesting* applications).

The Economist doesn't paint an entirely negative picture, and cites some benefits news media and parents can derive. It also mentions how politicians and social icons must re-think how they act in public, given that anyone within lens range is a potential paparazzi. The concluding paragraph sums up the situation nicely...

"The surveillance society is on its way, just as privacy advocates have long warned. But it has not taken quite the form they imagined. Increasingly, it is not just Big Brother who is watching but lots of little brothers, too."

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID361 by Dave Piscitello  


Wed, 09 Feb 2005 00:00:00 00, 360
Ninety percent of VPN Connections Vulnerable...

A firewall-wizards mailing list colleague made note of a recently released NTA Monitor white paper on VPN deployment that reported three key results: (1) 90% of remote access VPN systems have exploitable vulnerabilities; (2) new security flaws have been identified, and (3) VPN deployments generally fail to implement best security practices.

(1) doesn't surprise me. VPNs are software. Software development, even in many security products, is not meeting secure code development standards. Sadly, VPNs were and remain susceptible because they have all the trappings of a "haste-to-market" product: major paradigm shifts in user access (teleworkers, wireless mobility, public broadband); broad competition for a lion's share of a lucrative market opportunity resulting from these shifts; and a technology that was very easily (mis)represented as a panacea to a user community overly influenced by FUD. Honestly, given the hype surrounding VPNs, and the money at stake, is it really any wonder that users perceived VPN systems to be invulnerable?

(2) ought to be "old news". Folks involved with VPNs, particularly IPsec, have known about user enumeration and offline password cracking for a while. Aggressive Mode IKE is a flawed standard. IKE extensions like XAUTH pile one flaw onto another. Anyone who monitors a firewall log can't help but notice the consistently high frequency of IKE probes. And let's not overlook what's not stated here: if you begin by using a user account or email address as a user ID for remote access at a machine level, and persist in using easily remembered passwords, have you really made the best possible choice for identity and authentication?

(3) is an accurate conclusion to draw concerning security in general, and it's not exclusive to VPNs. Security practices are lax, and folks ought to test more frequently, with quality tools. Is this really a press-release quality conclusion, or an attempt at garnering 15 minutes of fame?

My gripe with NTA Monitor's report isn't that what they conclude is wrong, but that they paint such a misleading and self-serving picture. It's not like VPNs are creating more security holes in networks than existed when people were using telnet/ftp and other plaintext protocols over not-to-be-trusted links. It's not the fault of VPN technology that people choose to use email addresses and guessable user names and crappy passwords - these ended up in standards because too few organizations want to make an effort to use a better identity and authentication method. Unfortunately, people make bad choices then wonder why they get blindsided.

Kevin Sheldrake accurately and succinctly summed up what I believe is the 90% case of the real situation:

I don't doubt that a badly configured VPN is insecure and that statistics can claim how many are probably insecure, but I do think that the focus is incorrectly directed at the VPN technology and not at the users/admins/consultants/whoever.

Use certificates. Don't use Aggressive Mode. Patch the software. Don't spread FUD unless you have to. ;)

The other 10%? Fix the standards, clean up the code.
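The IKE probes mentioned above are easy to pick out of a firewall log once you look for them. As an added example (my own illustration, not part of the original post or of NTA Monitor's report), the Python script below parses netfilter (iptables LOG target) kernel log lines, tallies packets to the IKE ports (UDP/500, and UDP/4500 for NAT traversal) per source address, and flags sources that sweep several of your addresses, since a legitimate remote-access client talks to the one gateway it was configured for. The log lines are constructed, the addresses are documentation ranges, and the "two or more targets" threshold is an assumption to tune per site.

```python
import re
from collections import Counter, defaultdict

# IKE listens on UDP/500; IKE with NAT traversal (NAT-T) uses UDP/4500.
IKE_PORTS = {500, 4500}

# Fields of a netfilter LOG line that the detector needs; everything else
# (TTL, ID, flags) is skipped by the non-greedy gap before PROTO=.
FIELDS_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample: one source walks four of our addresses on the IKE
# ports, one telnet probe is unrelated, and one genuine peer talks to its
# gateway once. Prefixes IPT-DROP/IPT-ACCEPT are assumed --log-prefix values.
SAMPLE_FIREWALL_LOG = """\
Feb  9 03:12:44 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.1 LEN=88 TTL=51 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=68
Feb  9 03:12:44 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.2 LEN=88 TTL=51 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=68
Feb  9 03:12:45 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.3 LEN=88 TTL=51 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=68
Feb  9 03:12:45 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.4 LEN=88 TTL=51 ID=0 DF PROTO=UDP SPT=500 DPT=4500 LEN=68
Feb  9 03:15:01 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40211 DPT=23 WINDOW=5840
Feb  9 03:16:10 fw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.1 LEN=300 TTL=60 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=280
"""


def parse_firewall_log(text):
    """Parse netfilter LOG lines into (src, dst, proto, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = FIELDS_RE.search(line)
        if m:  # lines without the expected fields are ignored, not guessed
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def ike_activity_by_source(events):
    """Per source: (number of IKE-port packets, number of distinct targets)."""
    hits = Counter()
    targets = defaultdict(set)
    for src, dst, proto, dport in events:
        if proto == "UDP" and dport in IKE_PORTS:
            hits[src] += 1
            targets[src].add(dst)
    return {src: (hits[src], len(targets[src])) for src in hits}


def ike_probe_sources(events, min_targets=2):
    """Sources that hit IKE ports on at least min_targets distinct addresses.

    A real peer has one gateway to talk to; a source spraying UDP/500 across
    several of our addresses is sweeping for IKE responders. min_targets is
    an assumed threshold, not a published value.
    """
    activity = ike_activity_by_source(events)
    return sorted(src for src, (_, n) in activity.items() if n >= min_targets)


if __name__ == "__main__":
    events = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    for src, (hits, n_targets) in ike_activity_by_source(events).items():
        print(f"{src:16s} ike_packets={hits} targets={n_targets}")
    print("probe sources:", ike_probe_sources(events))
```

The per-source summary is what an administrator would graph over a week to see the "consistently high frequency" the post refers to; the sweep check is the piece worth alerting on, because a single packet to the gateway from an unknown address is just the noise of the Internet.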

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID360 by Dave Piscitello  


Fri, 04 Feb 2005 00:00:00 00, 359
Cookies and executables at my site

I received a comment from a visitor complaining about cookies and Java executable code at my site, in violation of my stated privacy policy:

I was looking for antivirus program reviews and found http://www.securityskeptic.com/antivirus.htm through Google. When I opened the page I got a message from Mozilla asking whether to allow a cookie. I wasn't paying close attention to the source but the name included "trendmicro". I denied the cookie. I'm using Mozilla 1.7.3 on XP Pro.

The Java console window also opened, indicating execution of code at http://wtc.trendmicro.com/common/.

Your site looks unbiased but anything involving any antivirus company would raise doubts. Your privacy policy claims no cookies. Perhaps you overlooked something.

For the record, I don't ask for cookies, ever.

The cookie is from Trend Micro, a trusted antivirus company. I suppose I could change my privacy policy to say that sites referred to by my site may use cookies, but it seemed implied for a site that acts as a referrer site. Still, I apologize if you feel deceived. Perhaps I should investigate exactly why Trend Micro needs a cookie.

The applet depicts a world map and the infection rates and distribution of the current most prevalent viruses. It's freely offered by Trend for sites like mine.

I do try to be unbiased. I don't earn money from Trend for the use of this applet. I just thought it was very informative.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID359 by Dave Piscitello