Raam Dev’s Weblog

"No man remains quite what he was when he recognizes himself." - Thomas Mann

My failed attempt to hack the AT&T free iPhone WiFi

You may remember that AT&T began offering free wifi for iPhone users earlier this year. Shortly thereafter they pulled the service. Why? Because someone discovered the security applied to the system was extremely weak: simply changing the User Agent of your browser to make it look like you were using an iPhone browser allowed you to gain free WiFi access on your laptop. This could easily be done using the Firefox User Agent Switcher extension, or by simply firing up Safari, enabling Developer mode (Safari->Preferences->Advanced->Show Develop menu), and selecting the iPhone User Agent (Develop->User Agent->Mobile Safari 1.1.3 - iPhone).

With the new service, you connect your iPhone to the wireless network, launch the browser, and get redirected to a page that displays a single field requesting you to enter your iPhone phone number. After submitting your phone number, you receive a (free) text message containing a URL. Loading this URL from your iPhone grants you free wifi access to the Internet.

When I tried the User Agent hack mentioned above from my laptop, I expected to at least get the box prompting me for my iPhone phone number. But to my surprise, all I got was a mobile-formatted page with options to purchase service.

So I suspected they were checking the MAC address of the computer connected to the router and checking if it looked like an iPhone MAC address. Luckily, spoofing the MAC address of my wifi card is easy on OSX:

sudo ifconfig en1 lladdr 00:21:E9:52:6A:E3

BAM! Now as far as the AT&T router can tell, my requests are coming from my iPhone. This time when I connected, I got the form asking me for my iPhone phone number. I submitted the number and a few seconds later received an SMS with a link.

I hoped that simply typing this URL in my laptop browser and visiting it would grant me free wifi access, but unfortunately it did not. Instead, it gave me an error saying that page doesn’t exist.

A commenter on the original LifeHacker post describing the User Agent hack left this comment about the new security features applied by AT&T:

AT&T has locked out non iPhones by using an encrypted log on tied to each iphone number. The key is transmitted to the iPhone over the AT&T cell network a minute before login.

By using the AT&T network to transmit the key, they have definitely made it more difficult to gain free access from your laptop. I’m sure it’s still possible (perhaps by sniffing the wifi traffic between the iPhone and the router after a successful connection), but I’m not sure it’s worth the time and effort.

I heard that an official AT&T tethering option for the iPhone will be coming soon, so that might make this a moot point (assuming they make it a free option). Still, it seems only fair that existing iPhone users should be able to access the free wifi via their laptops. Transmitting a password via SMS seems like a safe way to guarantee the person connecting to the wifi actually has an iPhone.

EA SPORE Origins; Sounds like a Virus

Check out Electronic Arts’ description of the upcoming SPORE Origins game for iPods and iPhones:

Eat or be eaten when you play SPORE Origins on your iPod. Guide your spore through its evolution and shape its destiny. Devour smaller creatures, explore primordial worlds filled with bizarre organisms, and avoid larger, lethal life forms. Grow from single-cell to complex predator as you rise through the levels. Customize your spore, and watch it move to the tunes in your iPod. Battle friends by importing their spores into your iPod from the Sporepedia website.

Tell me that last sentence doesn’t sound an awful lot like “importing a virus” onto your iPod. I sure hope they secure the “spores” enough to prevent someone from piggybacking a virus on one.

My Notes from The Last HOPE

Here are my notes from The Last HOPE. I started taking notes late, so unfortunately I don’t have notes from all the talks I attended.

Ghetto IDS and Honeypots
* An Evening with Berferd
* Low interaction honeypots: Nepenthes, honeyd, Honeytrap
* Monitor both Honeyd and Nepenthes with Prelude IDS

Monitoring Snort
* SGUIL
* BASE
* SnortSnarf

Remember, tcpdump (a common packet sniffer) writes data in pcap format which ngrep, WireShark, or Snort can process.

Kevin Mitnick - Featured Speaker
* Flowroute + Asterisk can be used to unmask Caller ID (I tested Mitnick’s setup by calling his phone… my blocked number showed up!)

PenTest Labs Using LiveCDs by Thomas Wilhelm
* de-ice.net
* BackTrack, Slax

PenTesting from Firefox URLs:
* isecom.org/osstmm/
* owasp.org/index.php/Main_Page/
* csrc.nist.gov/publications/PubsSPs.html
* vulnerabilityassessment.co.uk/Penetration Test.html
* centralops.net
* nmap-online.com
* hackerwhacker.com (similar to GRC)

Remember, use TOR when doing active tests!

More useful URLs:
* gdataonline.com/seekhash.php
* passcracking.com
* hash.insidepro.com
* md5this.com
* gdataonline.com
* us.md5.crysm.net
* md5.rednoize.com
* milw0rm.com
* freerainbowtables.com
* netcraft.com

Pen Testing the Web with Firefox

Firefox Extensions:
* FireCat
* ExploitMe (XSS-Me, SQL Inject-Me, Access-Me)
* Tamper Data
* Passive Recon
* Add N Edit Cookies
* Firebug
* HackBar
* Web Developer
* xssed.com

Using Firefox as a Front-End: Proxies
* Tor Button
* Paros Proxy
* SPIKE Proxy
* Burp Proxy

Web Frontends
* Metasploit
* FastTrack
* Inprotect (web interface for Nessus and Nmap)
* BASE (web front-end for Snort)

Use Firefox profile manager to install different selections of extensions to help with memory concerns.

FEBE (Firefox Environment Backup Extension)
CLEO (Compact Library Extension Organizer)
OPIE (Import/Export extension preferences)

Places/Things to hack “safely”
* OWASP WebGoat Project
* PwnOS (VMWare image, requires forum login)
* Your own VMWare lab

Identification Card Security: Past, Present, Future

The Complete Amateur ID Making Operating Guide by Doug Farre

* Epson Stylus R800 photo printer
* Laminator
* Die cutter
* Magnetic stripe encoder
* Custom rubber stamp (simonstamp.com)
* Black light
* Scanner
* Signature pad
* Photoshop
* brainstormidsupply.com

Minimal needed materials:
* Laser Teslin
* Laminates
* Pearl-Ex pigment powders
* Ultraviolet pigment powder
* Transparent base

(Get these from practicingperfection.7p.com. That site is down as of right now, so you need the guy’s email address to contact him.)

Documentation on ID security can be found at idsysgroup.com.

Books to Read
* 1491: New Revelations of the Americas Before Columbus
* Hackers: Heroes of the Computer Revolution
* The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Random URLs:
* foodhacking.com
* hackerspaces.org
* telephreak.org

Installed DenyHosts to Help Prevent SSH Attacks

When the LogWatch report from yesterday (for web.akmai.net) arrived in my Inbox, it had over 20,000 failed SSH login attempts. Today I decided it was finally time to do something about all those attacks.

After looking around a bit, I found several different solutions. Some solutions utilized firewall rules and others monitored your /var/log/secure (or /var/log/auth.log) log files for multiple failed login attempts and then added those IPs/Hosts to the /etc/hosts.deny file.

I decided to go with the latter method and quickly found a nice tutorial for setting up DenyHosts (be sure to download the latest version (2.6 as of this writing) instead of the older version 2.0). Rather than reinvent the wheel, here is what the DenyHosts website says about itself:

What is DenyHosts?

DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.

Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.

An email report can be sent to a system admin.

Since I was setting up DenyHosts on a RedHat-based machine (CentOS) and not a Debian-based machine, I needed to change this line:

update-rc.d denyhosts defaults

to this:

chkconfig denyhosts --add

Other than that, the installation steps were just as the tutorial described. I decided to enable the ADMIN_EMAIL option so that I would receive an email every time something was added to hosts.deny, but within minutes of starting DenyHosts I had a dozen attacks with a dozen emails on my BlackBerry. I had to disable ADMIN_EMAIL to stop the spamming!

To make sure DenyHosts was working properly I tried logging in with the wrong password three times. When I tried to connect again, here is what I received:

ssh root@akmai.net
ssh_exchange_identification: Connection closed by remote host

DenyHosts also has the ability to report to a central server the hosts that are trying to break in, and you can also download a list of hosts that have been reported by others. I chose to opt out of doing this for now. The DenyHosts statistics page is pretty cool. Notice how the majority of the hosts come from China? Hmm.

UPDATE:
I quickly discovered that DenyHosts was adding my IP address to the hosts.deny file. When I watched /var/log/secure I discovered the problem:

Jun 13 20:18:46 web sshd[5959]: reverse mapping checking getaddrinfo for 75-147-49-211-newengland.hfc.comcastbusiness.net failed - POSSIBLE BREAKIN ATTEMPT!
Jun 13 20:18:46 web sshd[5959]: Accepted publickey for fooUser from ::ffff:75.147.49.211 port 57926 ssh2
Jun 13 20:18:48 web sshd[5994]: Did not receive identification string from ::ffff:75.147.49.211

I’m not entirely sure how to fix this, but for now I added my IP address to /usr/share/denyhosts/data/allowed-hosts (I had to create this file) which prevents DenyHosts from blocking my IP no matter what (see this FAQ for more info). Also, I had to restart DenyHosts (/etc/init.d/denyhosts restart) before the change to allowed-hosts took effect.
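As an added illustration of what DenyHosts is doing with those log lines (my own script, not DenyHosts’ code; the sample log lines, the threshold and the regexes are constructed), the following counts failures per source host, honours an allowed-hosts list, and flags hosts that both failed and successfully logged in, which is the pattern behind the false positive in the update above:

```python
"""Count failed sshd logins per source host, DenyHosts-style, and produce
hosts.deny entries for hosts over a threshold while honouring an allowed list.
Constructed example: the thresholds and patterns are mine, not DenyHosts' own."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/secure lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 13 20:10:01 web sshd[5901]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jun 13 20:10:03 web sshd[5902]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jun 13 20:10:05 web sshd[5903]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Jun 13 20:10:09 web sshd[5904]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2
Jun 13 20:18:46 web sshd[5959]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Jun 13 20:18:46 web sshd[5959]: Accepted publickey for fooUser from ::ffff:198.51.100.20 port 57926 ssh2
Jun 13 20:18:48 web sshd[5994]: Did not receive identification string from ::ffff:198.51.100.20
Jun 13 20:20:00 web sshd[6001]: Failed password for bob from 192.0.2.9 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+")
NOIDENT_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<host>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+")
# The "reverse mapping ... POSSIBLE BREAKIN ATTEMPT" line carries no address, so
# this script does not count it; it is the DNS warning, not a failed login.


def normalize_host(host):
    """sshd on some systems logs IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return host[len("::ffff:"):] if host.startswith("::ffff:") else host


def is_allowed(host, allowed):
    """True if host is covered by any allowed entry (a plain IP, a CIDR, or a hostname)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed  # a hostname: exact match only
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def analyze(log_text, threshold=3, allowed=()):
    """Return per-host failure counts, targeted users, hosts to deny, and hosts to review."""
    failures = Counter()
    users = defaultdict(set)
    accepted = set()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            host = normalize_host(m.group("host"))
            failures[host] += 1
            users[host].add(m.group("user"))
        elif m := NOIDENT_RE.search(line):
            # Scanners and dropped connections; counted here as a weak signal.
            failures[normalize_host(m.group("host"))] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.add(normalize_host(m.group("host")))
    deny = sorted(h for h, n in failures.items() if n >= threshold and not is_allowed(h, allowed))
    # Hosts that both failed and then logged in are usually legitimate users (or
    # the admin's own workstation): candidates for the allowed-hosts file.
    review = sorted(h for h in failures if h in accepted)
    return {"failures": dict(failures), "users": {h: sorted(u) for h, u in users.items()},
            "deny": deny, "review": review}


def hosts_deny_lines(deny):
    """Render the entries DenyHosts appends to /etc/hosts.deny."""
    return [f"sshd: {host}" for host in deny]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, threshold=3, allowed=["198.51.100.0/24"])
    for entry in hosts_deny_lines(report["deny"]):
        print(entry)
    print("review (failed but also logged in):", report["review"])
```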

Quick Wireless Security using SSH Tunneling

I’m a little paranoid when it comes to wireless security. Even if I’m on an encrypted wireless network, I won’t access any of my bank accounts or login to any website that requires a password without securing my traffic with an additional layer of security using SSH tunneling.

SSH tunneling can also be used to circumvent network-based restrictions in the workplace or on a free public wifi hotspot, giving you the freedom to browse whatever websites you want. If implemented on an OS networking level, you can even use the tunnel for your email and other applications. However the focus of this post is on using SSH tunneling to secure your web traffic.

Here is a quick list of what you’ll need:

  • Firefox or Internet Explorer (this technique also works with Opera and Safari, although I don’t cover those here)
  • Putty (Windows); The terminal (Linux or OS X)
  • SwitchProxy Tool (nice-to-have Firefox Plugin)
  • Access to an *nix-based computer. This will probably be the most difficult to obtain and if you’re not familiar with Linux or OS X I recommend you ask a friend if they wouldn’t mind giving you an account on their Linux computer. You can try to find a free shell that allows port forwarding, but they are rare.

Setting up the SSH Tunnel

Windows

Since Windows doesn’t have an SSH client built in, you will need to use the wonderful SSH client application called Putty. After you’ve downloaded and launched Putty, you should be presented with the main screen. Fill in the Host Name (or IP address) field with that of your Linux computer and be sure to select SSH from the Connection type.

On the left column of options, select Connection -> SSH -> Tunnels. Enter 9000 in the Source port field, select Dynamic from the option at the bottom, and then click Add. Your screen should now look something like this:

Note: If you don’t see the Dynamic option in Putty, make sure you have the latest version.

Now go ahead and click the Open button to connect to and login to your Linux computer. Once you have successfully logged in, the tunnel will be open and you can proceed to configure your web browser to use the tunnel.

Linux/OS X

Since you’re using a *nix based system, your computer already has everything it needs to set up an SSH tunnel. Simply open the terminal (Applications -> Utilities -> Terminal.app on OS X) and connect to the remote Linux computer as follows, replacing username and hostname with your account name and the address of the remote computer:

ssh -l username -D 9000 hostname

After logging into the remote computer, the dynamic SSH tunnel will be open and we can continue by configuring the web browser.

Configuring the Web Browser to use the SSH Tunnel

Firefox with SwitchProxy Tool plugin (the method I use)

Download and install the SwitchProxy Tool plugin. After installing the plugin, open its configuration window (Tools -> Add-ons -> SwitchProxy Tool -> Preferences on OS X). This will open the basic configuration window for the plugin. Click Manage Proxies and then Add. Choose Standard for the proxy configuration type and click Next. Fill in the fields as shown below.

After saving the connection, you should be able to use the plugin to easily switch between browsing through the SSH tunnel and browsing without it. I have it configured to show in the Firefox Status Bar, as I find that to be the easiest method of toggling between the two:

Firefox without SwitchProxy Tool

Although I use SwitchProxy Tool to easily switch my proxy settings, I will also explain how to configure the browser without the plugin.

Open the Firefox Preferences (Firefox -> Preferences on OS X) and click the Advanced icon at the top. In the connection section, click the Settings... button. Choose Manual proxy configuration and fill in the SOCKS Host and Port fields as shown below.

Internet Explorer

From the Internet Explorer menu, choose Tools -> Internet Options. Select the Connections tab and then click the LAN Settings button. Enable the Use proxy server for your LAN option and click Advanced.

In the Servers section, make sure all the fields are empty except for the Socks field. Type localhost in the Socks Proxy address field and 9000 in the Port field. Your screen should look something like this:

Click the OK button all the way back to your browser. You should now be browsing the Internet securely through the SSH tunnel! An easy way to confirm this is to disconnect from the Linux computer by closing Putty and checking if you can still browse the web. Since the browser has been configured to use the tunnel, you won’t be able to browse the web if that tunnel is closed.

If you wish to revert back to browsing the web normally, simply uncheck the Use proxy server for your LAN option in LAN Settings.

ERROR 406: Not Acceptable

The other day I was writing a script for work and discovered it wasn’t behaving as expected. The web browser didn’t give me any helpful information so I decided to use wget to see what the actual error was:

eris:~ raam$ wget --spider -v mysite.com
Connecting to mysite.com|69.16.69.151|:80... connected.
HTTP request sent, awaiting response... 406 Not Acceptable
16:19:28 ERROR 406: Not Acceptable.

Ah ha! ERROR 406: Not Acceptable. After doing some Googling I discovered the problem is related to an optional (though commonly installed) Apache module called mod_security. This module basically acts as a firewall for Apache to help prevent website attacks, specifically attacks through POST submissions.

To disable mod_security, you can place the following line in an .htaccess file on the root of your site:

SecFilterEngine off

I then confirmed that disabling mod_security actually fixed the problem:

eris:~ raam$ wget --spider -v mysite.com
Connecting to mysite.com|69.16.69.151|:80... connected.
HTTP request sent, awaiting response... 200 OK

So as you can see, the quick solution to fixing the Error 406 problem is to disable mod_security altogether using a .htaccess file. However, this leaves me wondering how much security I’m giving up by disabling mod_security.

I was in a hurry when this happened so I didn’t spend much time investigating what exactly my script was doing that may have caused mod_security to freak out. Sometimes other applications cause the Error 406 problem, such as WordPress or Mambo, and you really don’t have a choice except to wait for a fix to be released. Since my own software caused the problem, figuring out why should be easy. I’ll post my results when I determine what it was.

Using .htaccess to force SSL (https)

I created a web application at work today and instead of implementing a full-blown authentication system (or spending time integrating it with our current authentication system) I decided to use HTTP Authentication.

Anyone who knows anything about HTTP Auth will tell you that it’s very insecure. To add a level of security I used an .htaccess file (placed in the directory of the application) to force the use of SSL (https), which uses the certificate we’ve already installed to secure the rest of the site.

Here is what I added to the .htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /path/to/app/
RewriteRule ^(.*)$ https://www.domain.com/path/to/app/$1 [R,L]

If you’re already using an SSL certificate on your site, this is a great and easy way to secure HTTP Authentication.

SSH Client Keys

SSH Client Keys allow you to quickly login to a remote server via SSH without typing your password. This is very useful if you login to a remote *nix server on a regular basis or if you want to automate scripts that need to remotely connect using SSH (using commands such as rsync or cvs over SSH).

I have used SSH keys for a while now, but whenever I set up a new server I seem to draw a blank when trying to remember how to set them up. Each time I end up searching Google for “SSH Client Keys” and clicking on the excellent O’Reilly page “Quick Logins with ssh Client Keys”. I really don’t like duplicating information that is already available on the web, but I felt it was necessary to explain a couple of points the O’Reilly page misses, particularly about the authorized_keys2 file on the server.

Because I’ve followed the setup procedure so many times, I usually only need to glance at the directions to remember how it’s done. However, it was doing this that caused me much frustration today. I discovered that it is very important that the server-side ~/.ssh directory (and all files inside) are chmod 0700(!), otherwise this whole process is pointless!

Before I review how to setup SSH Client Keys, let me give a brief overview of the files involved:

Client-side:
~/.ssh/id_rsa (private key, chmod 0600)
~/.ssh/id_rsa.pub (public key, chmod 0655)

Server-side:
~/.ssh/authorized_keys2 (holds a list of public keys, chmod 0700)

Now that you know what files are needed, let me explain how to go about creating them. The procedure for getting SSH keys setup is rather straightforward. First of all, if you’ve never used SSH keys before you probably need to generate a public/private key pair on the client-side (your workstation). From your home directory, run the following command:

$ ssh-keygen -t rsa

When prompted, leave the default options as they are (that includes leaving the passphrase option blank) and simply press Enter until you’re back at your command prompt. If you did not already have a ~/.ssh directory, this command will create the directory and place two files inside: Your private id_rsa and the public id_rsa.pub version of it to use on remote servers.

Now that you have the Client-side files you need, it’s time to create the necessary server-side files and copy the contents of your public key file (id_rsa.pub) to authorized_keys2 on the server-side. The procedure outlined on the O’Reilly page assumes you don’t already have any SSH keys setup on the remote server and simply replaces authorized_keys2 with the contents of id_rsa.pub. The two commands you are instructed to run are:

$ ssh server "mkdir .ssh; chmod 0700 .ssh"
$ scp .ssh/id_rsa.pub server:.ssh/authorized_keys2

While this is fine for those who are setting the keys up for the first time on a new server/account, it may trip up those who already use them. If the file already exists, it will overwrite any existing keys listed in the authorized_keys2 file. The authorized_keys2 file is simply a text file listing public keys (the contents of ~/.ssh/id_rsa.pub on the client-side). The easiest thing to do if the file already exists on the server-side is to simply copy the contents of your ~/.ssh/id_rsa.pub file, SSH over to the server, open authorized_keys2, and paste your key at the bottom of the list.

Now you should be able to type ssh server and automatically login without typing a password!
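An added example (my own code, not from the post or the O’Reilly page) that checks the permission points above the way sshd’s StrictModes and the ssh client actually enforce them, and appends a key to authorized_keys2 without overwriting the entries already there. The ~/.ssh directory, keys and file name (authorized_keys2, as in the post) it builds in a temporary directory are constructed:

```python
"""Audit ~/.ssh permissions and append a public key without clobbering the list.
Constructed example; the demo builds a throwaway ~/.ssh in a temp directory."""
import os
import stat
import tempfile

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def permission_problems(ssh_dir):
    """List permission problems that break key login: sshd (StrictModes) ignores
    a ~/.ssh or authorized_keys file that group/others can write, so login
    silently falls back to a password, and the ssh client refuses a private key
    that group/others can read.  The post's 0700 and 0600 satisfy both rules."""
    problems = []
    if _mode(ssh_dir) & GROUP_OTHER_WRITE:
        problems.append(f"{ssh_dir}: writable by group/other; chmod 0700")
    for name in ("authorized_keys", "authorized_keys2"):
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path) and _mode(path) & GROUP_OTHER_WRITE:
            problems.append(f"{path}: writable by group/other; chmod 0600")
    for name in ("id_rsa", "id_dsa"):
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path) and _mode(path) & GROUP_OTHER_ANY:
            problems.append(f"{path}: readable by group/other; chmod 0600")
    return problems


def add_authorized_key(ssh_dir, pubkey_line, filename="authorized_keys2"):
    """Append one id_rsa.pub line to the server's list without overwriting the
    keys already there (the scp step replaces the whole file).  Returns True if
    the key was added, False if the same key material was already listed."""
    path = os.path.join(ssh_dir, filename)
    new_fields = pubkey_line.split()
    if len(new_fields) < 2:
        raise ValueError("expected '<type> <base64 key> [comment]'")
    content = ""
    if os.path.exists(path):
        with open(path) as f:
            content = f.read()
    for line in content.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[:2] == new_fields[:2]:  # comment may differ
            return False
    with open(path, "a") as f:
        if content and not content.endswith("\n"):
            f.write("\n")  # otherwise the new key would be glued onto the last line
        f.write(" ".join(new_fields) + "\n")
    os.chmod(path, 0o600)
    return True


def demo(filename="authorized_keys2"):
    """Build a throwaway ~/.ssh with the mistakes discussed, then fix them."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o775)  # group-writable (lax umask): sshd will ignore the directory
    priv = os.path.join(ssh_dir, "id_rsa")
    with open(priv, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(priv, 0o644)  # readable by everyone: ssh will refuse to use it
    key_a = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyA== alice@laptop"
    key_b = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyB== bob@desk"
    auth = os.path.join(ssh_dir, filename)
    with open(auth, "w") as f:
        f.write(key_a)  # an existing key with no trailing newline
    os.chmod(auth, 0o644)
    before = permission_problems(ssh_dir)
    added_b = add_authorized_key(ssh_dir, key_b, filename)
    added_again = add_authorized_key(ssh_dir, key_b + " different-comment", filename)
    os.chmod(ssh_dir, 0o700)
    os.chmod(priv, 0o600)
    after = permission_problems(ssh_dir)
    with open(auth) as f:
        lines = f.read().splitlines()
    return {"before": before, "after": after, "added_b": added_b,
            "added_again": added_again, "lines": lines}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```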

Comcast is forging your data!

So apparently, not only is Comcast throttling BitTorrent traffic (as I proved with a little experiment a few weeks back), but they are forging your traffic to do it! They actually modify your individual TCP packets as they travel between your computer and their intended destination. This is the same technique China uses for the Great Firewall of China to prevent citizens from accessing certain material on the Internet deemed “sensitive”.

As Slashdot seems to always have the most informative and well educated commenters, I will post what HiThere wrote with regards to the legal implications this may have for Comcast:

If the ISPs filter based on torrent source, then they cease to be common carriers, and lose common carrier protection. Then they immediately become liable for every case of copyright infringement that they are accessory to.

I don’t think they’d like that choice.

If they are common carriers, then they are supposed to be indifferent to WHAT they are carrying, like the mail or the phones. If an extortion threat is transmitted by mail, you can’t sue the post office. Not just because it’s acting as an agent of the govt, but because it’s a common carrier. (UPS is just as protected.) They aren’t supposed to know or care what they’re carrying. If they did, and demonstrated the capability of filtering it by filtering some of it, then they would lose their common carrier status, and become liable as accessories to extortion, e.g.

OTOH, I don’t want them pretending to be me. Not at all. That should be grounds for a suit. It should also be grounds for criminal prosecution not only of those who implemented it, but of all of their supervisors, managers, etc. also. Including the boards of directors. It shouldn’t have a particularly onerous penalty…say 10 days for each separate offense. Cumulative. I’ll be generous, and say 1 day per instance. I.e., 1 day per false packet.

Seriously, if you have a choice, please consider switching to another ISP!

Update: Since I’m going to continue following news related to this topic, I will post relevant news articles I come across below.

Comcast is also Jamming Gnutella (and Lotus Notes?)

Forged reset packets are normally the kind of thing that would only be present if a hacker was attacking your computer, but in this case, it’s the ISP you pay money to each month that is sending them.
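As an added illustration (my own heuristic, not from the post or the Azureus plugin) of how injected resets can be told apart from a peer’s own: a forged RST usually arrives with an IP TTL that does not match the TTL on the peer’s data packets, because the box that forged it sits a different number of hops away, and a reset whose sequence number is not the next one expected is suspect as well. The packet summaries are constructed:

```python
"""Flag TCP RST segments that look injected by a middlebox rather than sent by
the real peer.  Constructed example; a real tool would read these fields from
a pcap instead of the tuples below."""
from collections import defaultdict

# Constructed packet summaries for one connection:
# (src, dst, tcp flags, ip ttl, seq, payload length)
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.9", "S", 64, 1000, 0),
    ("198.51.100.9", "10.0.0.5", "SA", 52, 5000, 0),
    ("10.0.0.5", "198.51.100.9", "A", 64, 1001, 0),
    ("198.51.100.9", "10.0.0.5", "PA", 52, 5001, 200),
    ("198.51.100.9", "10.0.0.5", "PA", 52, 5201, 200),
    ("198.51.100.9", "10.0.0.5", "R", 61, 5401, 0),   # TTL 61: not the peer's usual 52
    ("10.0.0.5", "198.51.100.9", "R", 64, 1001, 0),   # our own host's RST, consistent TTL
]


def find_suspicious_resets(packets, ttl_tolerance=1):
    """Return RST segments whose IP TTL disagrees with every TTL previously seen
    from the same sender on the same flow, or whose sequence number is not the
    next one expected.  Either is a sign that a third party injected the reset."""
    seen_ttl = defaultdict(set)   # (src, dst) -> TTLs seen on the sender's own segments
    next_seq = {}                 # (src, dst) -> next sequence number expected
    findings = []
    for src, dst, flags, ttl, seq, length in packets:
        key = (src, dst)
        if "R" in flags:
            reasons = []
            if key in seen_ttl and all(abs(ttl - t) > ttl_tolerance for t in seen_ttl[key]):
                reasons.append(f"ttl {ttl} vs usual {sorted(seen_ttl[key])}")
            if key in next_seq and seq != next_seq[key]:
                reasons.append(f"seq {seq} != expected {next_seq[key]}")
            if reasons:
                findings.append({"src": src, "dst": dst, "seq": seq, "ttl": ttl,
                                 "reasons": reasons})
            continue
        seen_ttl[key].add(ttl)
        # SYN and FIN each consume one sequence number; payload consumes its length.
        consumed = length + ("S" in flags) + ("F" in flags)
        next_seq[key] = seq + consumed
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_PACKETS):
        print(finding)
```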

Comcast filtering Lotus Notes (Update)

I finally have an end-to-end trace to share which shows that Comcast is filtering the port 1352 traffic. The images below show that Comcast is impersonating and using man-in-the-middle tactics to filter the traffic as stated in the CNet post.

Not only is Comcast filtering P2P traffic, it’s also toying with other traffic! What a surprise!

Comcast Cheating On Bandwidth Testing?

Upon further investigation, it appears that Comcast is delivering this bandwidth only for a few seconds after any new request and it is immediately throttled down. Doing a download and upload test using a significantly large file (100+ MB) yields results more in line with everyday usage experience, usually about 1.2 Mbps down and about 250 Kbps up (but it varies).

The comments on this Slashdot article are really great. Lots of people offer explanations as to what Comcast is doing.

Comcast gets US FCC notice on Web traffic blocking

Comcast, the largest U.S. cable television operator and the second largest high speed Internet provider with more than 11 million subscribers, has repeatedly refuted allegations it blocks certain Internet traffic or applications.

The company said it used bandwidth technology on its network that can slow the delivery of files, but it would not block them outright.

BitTorrent Plugin Detects ISPs Raping Your Torrents

A plugin for Azureus allows you to voluntarily submit reports of possible sabotage by your ISP.

Comcast Makes Nice with BitTorrent

BitTorrent, Inc. maybe. The BitTorrent protocol? I doubt it.

Internet Explorer “Remember my password” Checkbox Missing

On my office laptop, I discovered the Internet Explorer “Remember my password” checkbox option was missing. This was quite annoying, as I started using Eclipse’s internal browser to test my development work on the staging server I setup at home. The staging server is protected by a simple .htaccess file, which prompts you for a username/password with a dialog box like the one below:

As you can see, it’s missing the “Remember my password” option, which means I have to re-enter the credentials every time I want to login. After a lot of research on Google, I finally figured out the problem: the Protected Storage service needs to be running. Either I disabled the Protected Storage service or a Windows security update did. Either way, after changing the “Startup type” to Automatic and restarting all IE browsers, here’s how the password dialog looked:

I have a feeling that a Windows, or an Internet Explorer, security update changed the way IE stores passwords. For most users, the update had no effect since the Protected Storage service is set to Automatic by default. But not for me; I love tinkering with stuff. I disabled a lot of unnecessary Windows XP services on my laptop last year to help keep it secure while I’m on the move.

Comcast/Level3 hit by minor DOS attack?

When I came home from the gym last night, I tried accessing Google, however it timed out. After suspecting my PC, and then my router, and finally my cable modem, I discovered the problem was much further away. A quick traceroute showed where the problem was:

raam@pluto:~$ traceroute google.com
traceroute: Warning: google.com has multiple addresses; using 64.233.167.99
traceroute to google.com (64.233.167.99), 30 hops max, 38 byte packets
1 192.168.2.200 (192.168.2.200) 1.816 ms 1.711 ms 1.718 ms
2 73.161.232.1 (73.161.232.1) 7.747 ms 7.374 ms 12.562 ms
3 ge-1-38-ur01.cambridge.ma.boston.comcast.net (68.87.151.137) 7.865 ms 8.434 ms 7.420 ms
4 te-8-1-ur02.cambridge.ma.boston.comcast.net (68.87.144.70) 8.473 ms 7.992 ms 7.890 ms
5 te-9-2-ur01.malden.ma.boston.comcast.net (68.87.144.73) 8.014 ms 18.855 ms 9.047 ms
6 te-8-1-ur02.malden.ma.boston.comcast.net (68.87.144.177) 8.101 ms 9.937 ms 8.489 ms
7 te-8-4-ar01.woburn.ma.boston.comcast.net (68.87.144.173) 8.477 ms 10.514 ms 8.416 ms
8 PO-10-ar01.foxboro.ma.boston.comcast.net (68.87.146.50) 9.407 ms 9.656 ms 10.243 ms
9 po-11-ar01.berlin.ct.hartford.comcast.net (68.87.146.33) 16.007 ms 12.353 ms 12.006 ms
10 po-10-ar01.chartford.ct.hartford.comcast.net (68.87.146.29) 13.468 ms 13.450 ms 13.957 ms
11 * * *
12 te-3-1.car1.NewYork1.Level3.net (4.71.172.109) 302.002 ms 301.466 ms 302.540 ms
13 ae-31-55.ebr1.NewYork1.Level3.net (4.68.97.158) 354.448 ms * ae-32-52.ebr2.NewYork1.Level3.net (4.68.97.62) 371.114 ms
14 ae-2.ebr1.Chicago1.Level3.net (4.69.132.65) 334.429 ms ae-1-100.ebr2.NewYork1.Level3.net (4.69.132.26) 376.366 ms ae-2.ebr1.Chicago1.Level3.net (4.69.132.65) 325.988 ms
15 * * ae-11-55.car1.Chicago1.Level3.net (4.68.101.130) 326.044 ms
16 ae-11-51.car1.Chicago1.Level3.net (4.68.101.2) 323.914 ms GOOGLE-INC.car1.Chicago1.Level3.net (4.79.208.18) 322.442 ms 325.340 ms
17 66.249.94.133 (66.249.94.133) 325.499 ms 72.14.232.53 (72.14.232.53) 324.420 ms *
18 72.14.232.70 (72.14.232.70) 326.975 ms * 331.300 ms
19 64.233.175.26 (64.233.175.26) 321.481 ms py-in-f99.google.com (64.233.167.99) 320.482 ms *

As you can see from hop 12, the NewYork1.Level3.net router took a full 302.002 ms to go round trip. I tried to traceroute Google from other sites (online traceroute utilities) and they got through without any problem, but that was because their route through the Internet didn’t take them through those specific Level3 servers.

After 20 minutes or so, the problem seemed to clear up and a new traceroute showed a much healthier response from te-3-2.car1.NewYork1.Level3.net:

11 te-3-2.car1.NewYork1.Level3.net (4.71.172.113) 14.475 ms 14.944 ms 15.518 ms

Replaced Akismet plugin with Challenge 1.1

I’m sick of scanning through the list of comments caught by Akismet to see if there are any false-positives — I have had a few false-positives, namely from DJT.

So I’ve deactivated Akismet and installed Challenge 1.1. It works by asking the commenter a question. If the correct answer is provided, the comment is posted. I can customize Challenge to ask any question, however I’m currently using a simple, random math problem. Hopefully this plugin will save me from scanning through hundreds of spam comment posts.

One thing I would like to fix, though I don’t think it will be an easy fix, is to save the contents of the user’s comment in case he enters the wrong answer. Right now, if you enter the wrong answer and click Post, it gives you a message saying you entered the wrong answer. However, when you press the Back button in your browser, you have to retype your comment. So get the answer right the first time!

Go ahead and leave a comment to try out the new system.

EDIT: After deactivating Akismet, I started getting a lot of TrackBack spam. Since Akismet doesn’t have any option to only filter TrackBack’s, I’ve decided to disable link notifications altogether.

Five Online Accounts Secured with Two-Factor Authentication

I received my Paypal Security Key in the mail today. I jumped at the chance to order one after I happen to read about its release on codinghorror.com. The key fob, which uses the same technology as SecureID’s, works by generating a new 6 digit number every 30 or 60 seconds. When you login to the website using your username and password+passcode, the server computes what 6 digit passcode should currently be displayed on your key fob and, if it matches what you entered, allows you access. Since the passcode constantly changes, even someone who has your username and password would not be able to login without also physically holding your key fob. This is known as two-factor authentication; something you know (username & password) and something you have (key fob).

I have been a fan of the SecureID ever since I worked with them at Getronics, where I supported an international base of banking employees who used a SecureID to login to Deutsche Bank’s internal network. I was responsible for not only educating users on how to use their SecureID, but also for re-syncing the ACE Server (which is used to manage all SecureID’s), generating temporary passcodes for users who had misplaced their SecureID, monitoring the ACE log monitor to help diagnose authentication issues, and adding/removing SecureID’s from the ACE server. It was probably the most fun I had working at Getronics — and because I enjoyed it, diagnosing SecureID issues, and understanding how they work, became second nature to me.

When E*TRADE started providing SecureID’s, they initially gave them out for free to those who were the first to order them. Of course I jumped on the opportunity and within a few weeks I was logging into my E*TRADE account with my Username and Password + SecureID Passcode. In addition to my brokerage account, I opened an E*TRADE checking account, simply because I loved being able to feel secure about logging into my checking account. However, since there are no E*TRADE branches around here where I can make physical deposits, I still need a local bank account. For that I use TDBanknorth. It would be awesome if TDBanknorth provided a SecureID for online access. Now that E*TRADE is offering a savings account, with no minimums, no fees, and a 5.05% savings interest rate (!), I’m going to close my INGDirect savings account (4.50%) and switch to using E*TRADE exclusively. I will now have a checking, savings, and brokerage account with E*TRADE, all which I can securely access from a single site using the SecureID.

Even though PayPal's Security Key is not an official SecurID, it uses the same technology. SecurID is made by RSA Security. PayPal has created its own version of the SecurID with a 6-digit code that changes every 30 seconds. The PayPal Security Key differs from the SecurID in that instead of always displaying the passcode, the display simply turns off after 30 seconds. You need to press a button on the key fob to turn on the display and show a new passcode. In addition, the PayPal key fob is slightly larger, has an oval shape, feels less durable, and has an annoying string with a metal ring on the end to attach to your key chain. I discarded the string and replaced it with a bigger, more durable keyring. The SecurID is definitely designed better, and the only reason I can think of that the PayPal key uses a button to turn on the display is to save battery life.

Since PayPal is owned by eBay, you can also activate the Security Key for your eBay account, allowing you to secure both your PayPal account and your eBay account with the same Security Key! I completed the activation process for both accounts, and it was very easy. I simply logged into my account, filled out three boxes (the serial number from the back of the Security Key, and two consecutive passcodes from the key), clicked submit, and the process was done.

Carrying around two key fobs on my key chain isn't fun, but if it means I can feel a lot safer about the security of five of my online accounts (brokerage, checking, savings, PayPal, and eBay), then I'm all for it! In fact, besides my TDBanknorth account, I can't think of any other accounts that I really wish I could feel safer about accessing online. Of course, even two-factor authentication is vulnerable to man-in-the-middle and other attacks. If the attacker obtains a current passcode, he has a whole 30 (or 60) seconds in which to reuse that code. So if you combine a hidden screen-capture or key-logger application with the speed of the Internet, you can have an attacker who monitors your computer activity in real time and logs into your account only a few seconds after you do. The bottom line: don't allow your computer to be compromised in the first place.
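The server-side check described at the top of this post, and the 30-second reuse window discussed just above, as an added example that is not PayPal's or RSA's code (their seeds and exact algorithms are not given here): it computes a time-based code the way a generic RFC 6238 verifier does, using the 20-byte test seed from RFC 4226 as a constructed demo value, and adds the rule that each time step may be consumed by one successful login, so a captured passcode cannot be replayed even within its 30 seconds.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the 20-byte ASCII seed used by the RFC 4226 / RFC 6238
# test vectors. A real fob's seed is provisioned by the vendor and stays on the
# server and inside the fob.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch.
    This is what the fob displays and what the server recomputes."""
    return hotp(seed, int(unix_time) // step, digits)


class TokenVerifier:
    """Server-side passcode check with two hardening rules the post's threat model calls for:
    a small clock-drift window, and one-time use of every time step (replay rejection)."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.drift = drift          # accept +/- this many steps of clock skew
        self.last_counter = -1      # highest time step already consumed by a successful login

    def verify(self, passcode: str, unix_time: int) -> bool:
        current = int(unix_time) // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_counter:
                continue            # that step (or an earlier one) was already used: replay
            expected = hotp(self.seed, candidate, self.digits)
            if hmac.compare_digest(expected, passcode):   # constant-time comparison
                self.last_counter = candidate
                return True
        return False


def replay_demo():
    """Victim logs in at t=59; a captured copy of the same code is replayed 11 s later;
    then a fresh code is used one step on. Returns the three verifier results."""
    verifier = TokenVerifier(DEMO_SEED)
    first = verifier.verify(totp(DEMO_SEED, 59), 59)    # legitimate login
    replay = verifier.verify(totp(DEMO_SEED, 59), 70)   # same code, still inside the 30 s step
    later = verifier.verify(totp(DEMO_SEED, 90), 90)    # next step, new code
    return first, replay, later


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SEED, 59))
    print("first login / replay / next step:", replay_demo())
```

Note that the drift window makes the raw reuse window longer than the 30 seconds the post mentions (a code from the previous step is still accepted), which is exactly why the one-time-use rule matters: with it, the replay at t=70 fails even though the code is still "current". RFC 6238 recommends this behaviour for verifiers; it does nothing against an attacker who simply waits for the next code, so the post's bottom line about keeping the client uncompromised still holds.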

There is no security against human stupidity.

HOW-TO: Easily Secure any Wireless Connection with SSH

For a long time I had been running a Squid proxy on my Linux server, opening an SSH tunnel to the server from my wireless laptop with the -L3128:127.0.0.1:3128 SSH option to create the local tunnel, and then configuring my browser to use the 127.0.0.1:3128 HTTP proxy. This method worked well for a long time; however, it had its disadvantages, namely the extra configuration involved.

Probably the most difficult part was the setup and configuration of the Squid proxy (getting the access rights configured correctly in squid.conf), but equally challenging was explaining the whole process to someone else, which was impossible if they were not familiar with Linux.

Recently, my Squid server stopped working and I wasn't able to use the tunneling method mentioned above to secure my wireless connection while I was at Panera Bread (currently the largest provider of free WiFi in the USA). For this reason, I didn't feel safe logging into my WordPress administration interface to work on a blog entry. So while I was searching for Squid configuration instructions, I came across a much easier way of securing my wireless connection. How simple? This simple: ssh -D 9000 raam@c.rd82.net.

Yes, really that simple. Nothing needed to be configured on the server (besides having the SSH server running, which most Linux installations already do by default). I then opened my browser and configured it to use a SOCKS v5 proxy to localhost on port 9000 and bingo, all web traffic was now carried over the encrypted SSH connection! I confirmed this by running the netstat command on my Linux server and found several new connections to the websites I was browsing on my wireless laptop.

If you're running Windows, and don't have access to the wonderful Linux command line utilities such as SSH, you can download PuTTY. The latest version, v.59, has support for the -D SSH option (dynamic port forwarding). After you download and install PuTTY, enter the connection details for your SSH server (or find a service that provides a free shell account and allows port forwarding/proxying, and use that), then click on Connection -> Tunnels in the options on the left. What you need to do is add a dynamic port. You do this by filling out the Port field and choosing Dynamic. Leave everything else blank and click Add. The screen should look like this right before you click Add:

Once you're done, you can save your connection information and then connect. Once you have logged into your shell account, you will need to configure your web browser to use the tunnel instead of a direct connection. I have included directions for configuring Firefox and Internet Explorer (IE isn't as straightforward as you'd expect, go figure).

In Firefox, simply choose Tools -> Options -> Advanced -> Network Settings. Choose "Manual proxy configuration:" and in the SOCKS Host field enter "localhost". For the port, enter "9000". I chose SOCKS v5 from the options below the SOCKS Host field, but I'm not sure if that matters. Here is what your screen should look like:

For Internet Explorer, it took me a bit of trial and error to get it working properly. Here is what you do. Tools -> Internet Options -> Connections -> LAN Settings. Choose "Use a proxy server for your LAN" and click Advanced. Erase everything in all fields, except the "Socks" field and its corresponding "port" field. Enter "localhost" in the Socks field and "9000" in the port field. Here is what the screen should look like:

Click OK all the way out to your browser, press refresh and you should be loading the web page through your secured tunnel!
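What the browser actually does once it is pointed at localhost:9000, as an added example (not code from the post or from OpenSSH/PuTTY): it builds the SOCKS5 greeting and CONNECT request that `ssh -D` understands, parses the reply, and offers a small tunnel check you can run from the laptop. It assumes the tunnel is listening on 127.0.0.1:9000 as configured above; the target host and the proxy port are assumptions you can change. The one detail it makes visible is the SOCKS v5 choice the Firefox step leaves open: sending the address as a domain name (address type 0x03) lets the SSH server do the DNS lookup, so name lookups are not exposed to the wireless network, whereas SOCKS v4 can only carry an IP address the laptop has already resolved locally. In Firefox the browser only does this when the about:config preference network.proxy.socks_remote_dns is true.

```python
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00     # ssh -D offers no-authentication only; the SSH login already did that
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03        # hostname, resolved on the far (SSH server) side

# Reply codes from RFC 1928 section 6
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: version 5, one method offered, that method is 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def connect_request(hostname: str, port: int) -> bytes:
    """CONNECT with the target given as a domain name so the proxy end resolves it.
    Layout: VER CMD RSV ATYP LEN name PORT(2 bytes, network order)."""
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack(">H", port)


def parse_reply(reply: bytes) -> Tuple[int, str]:
    """Return (reply code, description) from the server's reply; 0 means the tunnel is up."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return reply[1], REPLY_TEXT.get(reply[1], "unknown reply code")


def tunnel_check(proxy_host: str = "127.0.0.1", proxy_port: int = 9000,
                 target: str = "example.com", target_port: int = 443,
                 timeout: float = 5.0) -> str:
    """Open one connection through the local ssh -D listener and report the proxy's answer.
    Needs a live tunnel; the assumed target example.com is only a placeholder."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(greeting())
        hello = sock.recv(2)
        if len(hello) != 2 or hello[0] != SOCKS_VERSION or hello[1] != METHOD_NO_AUTH:
            return "proxy refused the no-auth method or is not SOCKS5"
        sock.sendall(connect_request(target, target_port))
        code, text = parse_reply(sock.recv(262))   # longest reply: 4 + 1 + 255 + 2 bytes
        return "%s:%d via %s:%d -> %s" % (target, target_port, proxy_host, proxy_port, text)


if __name__ == "__main__":
    print(tunnel_check())
```

If the reply is "succeeded", the browser-side configuration is working; anything else names the failure. Keep in mind what this does and does not protect: traffic is encrypted only between the laptop and the SSH server, and leaves the server in the clear unless the site itself uses HTTPS, which is the "third layer" mentioned below.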

This is the easiest method of securing a wireless connection I have come across. Using only WEP or WPA encryption is a joke. If someone is interested in your wireless traffic enough to be monitoring it, you can be certain they know how, and will, break your WEP encryption. At home, I use WEP encryption in addition to this method of tunneling, so effectively I have two layers of encryption protecting my traffic. And if I’m accessing a website through HTTPS, that adds yet a third layer of encryption.

You can also use this SOCKS connection to encrypt your e-mail (at least in Mozilla Thunderbird), and the SSH -L option can encrypt specific connections over which you have no local control. However, I will leave that for the next HOWTO.

StatHound.com bug gives away free stats

I discovered a bug in StatHound that allows you to get full featured access for any domain on your account, so long as you’re paying for at least one domain. How? I’ll explain in a moment, but first, a little about StatHound.

I use StatHound.com to monitor this and several other websites. It's an awesome tool, with tons of useful information. Beautiful graphs show exactly how many visitors have visited your site (both regular and unique hits), entry pages, IP addresses, time zones of the visitors, and even their screen resolutions and the type of browser they're using! There is a tiny snippet of code that needs to be placed on the entry page of your site. This snippet of code sends information to StatHound about the person visiting your site, which is then stored in a database.