Tag: Attacks

  • Is Yahoo! under attack?

I could not get onto Yahoo! Messenger right this moment. Even Yahoo! Mail and Web Messenger wouldn’t load. Of the few Yahoo! services I make use of,[1] the only thing I could currently load is the homepage.

    I was thinking about a localized network issue on my part since PLDT myDSL has had a lot of negative feedback from subscribers.[2] But my cousin from another city just got online on Gmail with Chat/Google Talk, and though he is on the same provider, I could confirm this isn’t an isolated issue. Unless of course the whole of PLDT’s network couldn’t resolve a connection to select Yahoo! servers.

    So, I thought: Is Yahoo! under attack? It is, basically, on a distributed network of servers. So I could think that only the mail and messaging servers were targeted with DoS attacks. Could anybody confirm this?

Losing a heavily used communications tool is quite a hassle for someone like me, especially at these times of night. And all that cyber crime in TV shows and news articles I’ve read just fuels my h4x0r imagination.

Ohhhkay. The moment I hit “Publish”, Messenger popped out, having just signed on again. That was weird, but the 2½-hour downtime is still something considering Yahoo! is a very large Internet corporation. So I still ask: Was Yahoo! attacked? Or should I consider changing my Internet Service Provider now? 😛

    1. ^ Those two mentioned above, Messenger and Mail.
    2. ^ Though I am still 95% positive about the service I am getting.
  • Firefox Phishing Exploit

    Firefox has a built-in phishing filter that checks whether a site is blacklisted, and warns the user of the potential fraud and information theft a phishing site could do. It uses Google’s database or a downloaded list of sites according to the user’s preference.

    What follows is a quote from The irc.mozilla.org QDB, which caught my attention. Not only because I understood it, but also because I’ve already done it. It talks about a certain exploit to Firefox’s phishing protection/filter system.

    Someone nicknamed Hixie[1] stated:

    woah

    i think i just found a semi-serious issue with the phishing protection in firefox

    i went to a site that triggered the warning

    and my immediate reaction (without really thinking) was “oh i wonder why that is blocked, let’s have a look” and i immediately opened it _in IE_.

    possibly the worst thing i could have done.

I just realized the gravity of the situation when I remembered making the same mistake he described many times before. But it came to me that there is just no workaround for curiosity.

    Oh, wel— … Hmmm …

    … But then again, there’s Linux.

    Footnote:

    1. ^ I guess this is Ian Hickson, but I’m not so sure.
  • Prevent Autorun-driven Virus Infections

USB flash drives and portable hard disk drives are commonplace today as PCs and digital media conquer the market. But while the ease of use and portability of UFDs and HDDs [as well as their digital content] increase, the spread of malware[1] through them also increases. There are several ways to prevent this from happening,[2] with or without the help of an AV product.

    Case 1: Clean PC+AV, Infected UFD/HDD; Automatic

    This is the easiest, though not necessarily the best solution[3] to detect and clean autorun-driven malware.

    1. Update the anti-virus product on your computer before plugging in the portable drive.
    2. Do not open your drive contents after plugging.
    3. Scan your portable drive for malware immediately.
    4. Clean all infections found by your anti-virus.

    Case 2: Clean PC, Infected UFD/HDD; Manual

    In some cases, an anti-virus product or an update is not available, or the anti-virus product is just not strong or smart enough.[4] We could do a manual search and destroy for the malware.

1. Plug the drive into your computer.
2. Use the Folders Explorer Bar[5] to open the drive contents in Windows Explorer, instead of double-clicking the drive icon in the main window; or
3. Right-click the drive icon in the main window and select Explore or Open, not Autoplay or Autorun.
4. Look for the file named autorun.inf.
5. Open the file using Notepad or the text editor of your choice.
6. Take note of the line that says open=<path\filename.ext>, where <path\filename.ext> is the location of the malware itself.
7. Locate the malware and delete it along with the autorun.inf file.
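As an added illustration of the manual check in steps 4 to 6 (example code, not from the original post), here is a small Python parser that pulls every launch target out of an autorun.inf. It goes slightly beyond the open= line described above: it also reads the shellexecute= and shell\verb\command= keys, which Windows honours the same way. The sample file is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample autorun.inf (not a real infection). Keys and the section
# header are case-insensitive in INI files, and ';' starts a comment line.
SAMPLE_AUTORUN = r"""
; constructed sample, not a real infection
[AutoRun]
icon=media\drive.ico
open=tools\helper.exe /s
shellexecute="docs\read me.exe" /quiet
shell\open\command="docs\read me.exe"
shell=open
"""

# Keys whose value names a file Windows would run on autoplay.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value pairs from the [autorun] section, keys lowercased."""
    found: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        found[key.strip().lower()] = value.strip()
    return found


def launch_targets(text: str) -> List[str]:
    """Files that would be executed when the drive is auto-played, in order."""
    targets: List[str] = []
    for key, value in parse_autorun(text).items():
        if not value or not (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)):
            continue
        # The executable is the first token; it may be quoted if the path has spaces.
        exe = value.split('"')[1] if value.startswith('"') else value.split()[0]
        if exe.lower() not in (t.lower() for t in targets):
            targets.append(exe)
    return targets


if __name__ == "__main__":
    for path in launch_targets(SAMPLE_AUTORUN):
        print("autorun would launch:", path)
```

Each path printed is relative to the drive root; those are the files to inspect and remove together with autorun.inf itself.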

    Case 3: Infected PC

You would know your PC is already infected when it copies the malware and the autorun files to your portable drives automatically. If your AV software couldn’t clean your system of it, or if you have none, consider browsing the Web for manual detection and cleaning procedures, as the different variants and, therefore, their locations would be hard to summarize in this post. Try Trend Micro’s Virus Encyclopedia.

    Case 4: Clean PC and UFD/HDD; Prevention

Here’s the nifty part: this is based on a hack from a friend who works at an anti-virus company.

    1. Create a folder on the root of your portable drive.
    2. Rename it as autorun.inf.
    3. Right-click on the folder, and click Properties. Alternatively, select the folder, then go to the File menu, and select Properties. KB shortcut: [Alt]+F, R
    4. Under the General tab, on the Attributes section, check Read-only and Hidden. KB shortcuts: [Alt]+R, and [Alt]+H, respectively

The above instructions would prevent other infected computers from copying an autorun directive to your portable drive. It doesn’t necessarily mean an instance of the malware itself would be prevented from being copied as well. It just protects you from your own muscle memory: instantly double-clicking the drive icon to open its contents, which would instead run the malware and install it on your clean PC.

    Footnotes:

    1. ^ malicious software; collective term for viruses, worms, trojan horses, spyware, et al.
    2. ^ Cases assume you’re on the virus-prone Microsoft Windows platform.
    3. ^ Your AV would probably delete only the instances of the malware and not the autorun.inf file for it is intended as a convenience feature for legitimate software manufacturers. You could safely delete the autorun file manually.
    4. ^ This pertains to my experience with a fully-updated AVG Anti-Virus Free Edition on my classmate’s notebook, which was not able to detect a simple autorun-driven malware.
    5. ^ If not visible by default, go to View on the menu bar, locate Explorer Bar, and then check Folders. KB shortcut: [Alt]+V, E, O
  • The Basics of Wireless Security

Wireless connectivity is probably best described as giving convenience to its users. Having a wireless access point in your home gives you the comfort of positioning yourself almost anywhere, provided your devices are within range of each other—in your living room, in your bedroom, and even in the kitchen. There are still many concerns about having this type of connection, however, and most of them are about security.

Since laptops, smartphones and PDAs provide for the needs of busy mobile consumers,[1] and most of these gadgets are now equipped with Wi-Fi, it has no doubt become the next big target of crackers—much like what happened to Microsoft Windows being targeted with exploits and vulnerabilities, and to Bluetooth-enabled mobile phones being targeted with worms and malware when they became popular.

    Common things done by crackers to wireless-enabled devices and networks include piggybacking, wardriving, man-in-the-middle attacks, and spying, among others. Explanations are as follows:

• Piggybacking refers to the act of obtaining access to resources on a wireless device, which include Internet access. Open networks in public places and services, such as hotels and cafés, usually permit this,[2] but some networks even in those places[3] as well as in homes generally do not.
• Wardriving is the act of looking for wireless networks, usually with the aid of a vehicle[4] and a powerful antenna on a wireless-capable device, much like what people with radio scanners do to receive police and military transmissions. After a connection with the device has been established, the wardriver could possibly do anything to the network or its users. Some have been ethical, however, and act as a tiger team telling the administrator or owner that the network could easily be breached.
• Man-in-the-middle attacks are somewhat sophisticated: a cracker acts as the access point the victims are trying to connect to, then connects to the real AP himself, relaying data both ways so as to seem invisible. In fact, he now controls and sees every bit of information the victims send and receive, which seems to them to be secure.
• Spying has been the most critical and publicized problem existing today—even surpassing the popularity of virus and worm attacks today, IMO. Anti-spyware tools just popped up one after the other from nowhere, haven’t they? And we thought it would have ended with just Web browsing with credit card information, but it obviously hasn’t.

Wired LANs probably seem more secure since the only ones receiving data are the ones connected by wire—which the owners control—while WLANs have access points and terminals that emit signals that could be received by anyone near the devices. However, this notion is somewhat wrong. Wired networks with terminals that have an active, insecure Wi-Fi device could be entered by these crackers to gain access to the network as well—much like providing the cracker a jack to plug into.

    Having set up a wireless network at home myself, and after trying to configure each and every option presented to me by my router’s Web interface, I’ve searched through forums, blogs and info sites to find ways of maintaining my network security. Here are some basic instructions:

• Wi-Fi Protected Access (WPA or WPA2) is the secure authentication and encryption method for wireless networks and should always be enabled. Most consumer wireless devices are capable of using at least WPA and WEP (an earlier security method that has known limitations). But try to utilize WPA2 first, if it is available. It is an implementation of the IEEE 802.11i standard, and WPA is just a subset of it.
    • MAC address filtering is a feature from routers and access points that permits or blocks certain devices based on the hardware-embedded MAC addresses on their network adapters. Some NICs allow changing the MAC address to match an accepted one, also known as spoofing, so this should not be the only security measure utilized.
    • Change the router’s default settings such as Web interface password, SSID, and IP address. These settings are known by crackers and would immediately tell them if the user has an insecure network. These changes would at least make it harder for the cracker to find the network configuration and administration interface.
• Most routers come with a hardware firewall that blocks potentially malicious and malformed traffic. This should never be turned off.
    • DMZ forwards all ports to a terminal so that all connections may pass. This is usually used for applications where the user does not know which ports are being used. The Port Forwarding feature, which is as common as DMZ, is more secure since it only forwards the applications’ required ports. Ask support from the application developers to know which ports should be forwarded, and avoid using DMZ.

There are many more types of security concerns and prevention, but these are the most common ones. Please note that until Windows Vista, Microsoft OSs had not supported an implementation of WPA2. But a WPA2 update for genuine users of Windows XP SP2 is available for free download. After installing the update, an option to turn off broadcasting of the preferred wireless network list will be available, and this would add to security.

    I wasn’t able to test Linux wireless security as I have Ubuntu only on my desktop, which is on a wired connection. You may (and please) reply if you have information about wireless security in these and other operating systems. Thank you.

    One very important rule to security in any digital environment is strong passwords. Choose them wisely; they should not be any dictionary word or phrase, at least one character must not be a lowercase letter, and you should not use one password on every digital account you use.

    Footnotes:

    1. ^ Who are now practically everywhere—students, business people, posers, and everyone else who just have the money.
    2. ^ And are probably not considered as such act.
    3. ^ Where access is restricted to clients and customers only.
4. ^ The term usually refers to the act using motor vehicles, while warbiking and warwalking are used to refer to wardriving on motorcycles or bicycles, and wardriving on foot, respectively.
  • On Nofollow, Spam and Plugins

    When the search engine giant Google announced that it would implement the rel="nofollow" directive on its crawlers, most people had hopes it would be the end of comment spam, most especially when search competitors Yahoo! and MSN expressed support for the microformat as well.

But, as the years passed, even with WordPress immediately supporting the rel="nofollow" attribute since its inception, comment spam attacks on AjaLapus.com increased suddenly. The most probable cause of the increase is when my homepage’s PageRank increased to 6 last 29th of January, rendering it more visible on SERPs. From 50 spams a day to up to 200, the weight of these spammers costs my server precious bandwidth and processing, and costs me my time when checking for false positives. These spammers could just be turning a blind eye on rel="nofollow", as spamming costs almost—if not absolutely—nothing to spread.

    From the words of Ben Hammersley:

    If the playing field is levelled by rel="nofollow", then everyone involved will be forced to try all the harder to get their links out there. The blogosphere will be hit all the harder because of the need to maximise the gains.

Besides, these spammers are not only aiming to be displayed on SERPs; they are trying to be clicked on by human visitors as well. And even when 99% of the blogs out there use rel="nofollow", the remaining 689,000[1] blogs that don’t could be easily found by mere crawling of these spambots on any link they could find. Why bother to scan for the use of rel="nofollow" when you could just post away spam as easily? These spammers affiliate with porn, pill and casino advertisers that earn thousands of dollars of revenue from clicks and visits from real people, consequently receiving commission from them—providing the motivation for more spamming.

    But, has this initiative from Google done its job? Many people do not think so. Aside from Ben, other people thought of it as utter failure.

    As Dylan Tweney may put it:

    Worse, nofollow has another, more pernicious effect, which is that it reduces the value of legitimate comments.

    It would also reduce the motivation to comment on blogs thinking that there’s no way we could benefit from reacting on someone else’s blog entry since our links would be regarded as nonexistent. So much for Web 2.0 and Web interaction. I know I have experienced this a lot of times before, though it has somehow dissipated with these realizations.

    Jeremy Zawodny has a better angle about this matter:

    I’ve seen that first hand. The “psychology of linking” did change in a fairly obvious way after nofollow started.

    ….

    Look. Linking is part of what makes the web work. If you’re actually concerned about every link you make being counted in some global database of site endorsements, you’re probably over-thinking just a bit.

Straight to the point. So what do I do now, since WordPress has no way of deactivating the addition of rel="nofollow" on comment URIs except for hacking into the source code? I’ve looked through Andy Beard‘s Ultimate List of DoFollow Plugins and found two different plugins that suit my taste:

    I currently use Kimmo’s DoFollow as it was the first one that got me interested. But, I think I need input from you guys: Which of the two do you think would be better to motivate commenters on my blog? The one in which they know their links would eventually be followable [DoFollow], or the other in which they’d have to accomplish a somehow obtrusive number of comments[2] on the whole site before their links would be followable [Link Love]?

    If you’re thinking that I may be then vulnerable to spam comments gaining ranking from my site: I wouldn’t worry, since Akismet has done a good[3] job of screening spam for me. I think Dougal Campbell made me realize this.

And I am planning to add another plugin that automatically closes comments on older entries, which most spammers tend to target. I know such plugins exist, I just can’t find them right now. Do you know any? How long should I make entries commentable? I have been receiving legitimate comments on older entries occasionally—a reason why I still haven’t decided about this kind of plugin yet. Maybe you could help me.

Oh, by the way, there also exist 11 reasons against nofollow from a German site dedicated against the use of rel="nofollow". And more reasons from Loren Baker, which could be what you really need to understand that nofollow is not the answer.

    Notes:

    1. ^ as Technorati currently tracks 68.9 million blogs
    2. ^ 10 comments as default—a somehow large number for a non-frequently updated Web log like this
3. ^ not great, though—as there has been about 0.1% of false positives that occurred