Reading, Writing, Reliability…

It’s probably not the three R’s you were expecting.

Reading – you’re doing that right now (unless you absorb blog posts by osmosis) and it’s what students need to practice. It’s astonishing to me how little time students are spending reading… not just on class assignments, but also on relevant topics and the world at large.

This lack of interest shows up in assignments and in writing. Written communication skills are necessary in most walks of life. If you want to learn to write, first you need to read. I collect writers, both in printed form and on the Internet (see this page for writers I enjoy). Just as you become a better reader with practice, so too do writing skills improve with repetition (as long as you’re not typing the same stuff over and over).

Reliability… the “soft” skill. If you tell me you’re interested in starting a web design business, and then take two or three weeks to return an email, well… I can’t recommend you to any business I stumble across. If you tell me you’re unemployed and looking for work and then don’t follow up on phone messages… I wish these were anomalies, but they’re not. They’re typical.

And that is a very sad state of affairs indeed.


Ruminations on a semester finished…

Summer School is over. Done. Kaput.

This was an experiment on two levels: first, taking a course myself before teaching it; second, adapting a semester-long course into a six-week quickie version.

Note to self: do not teach advanced classes during a six-week session. There is not enough time for the knowledge to sink in – the eureka moment arrives a bit late for most students.

Second note to self: students do not necessarily recall much if anything useful from prior semesters; even down to the trivia of how to log in to computers in our Hands-On-Lab (procedure has been the same for six years now). Do not expect students to have practiced any of the skills taught in prior courses.

Taking a class in preparation to teach it was an eye-opener. I have a much better idea of where the confusing parts are, which parts will be easy, and how problematic a lecture-intensive class is for non-native English speakers.

I do hope the students this fall read the book before class. It makes it easier on me and they’re more likely to pass the quizzes…

Help! – my hotmail account’s been hacked…

Except of course I never had a hotmail account.

But I know a lot of people who do… and who also have yahoo accounts, gmail accounts, and probably other email accounts as well – which they only access via a web browser.

The real story title is: “Help me – my browser-based email has been hijacked!”

First step in the cleanup – triage. How bad is the damage?

If this is your primary account – the one which you use for everything (online banking, shopping, brokerage, insurance, social media and so on)… you’re potentially in very deep trouble. For most folks issuing the help-me message, this is their primary account.

Now, let’s find out just how bad this is… can you reset the password? You should do so, and ditch the easily-guessed password you were using. Here is one password generator; there are many others. But get clear of the easy passwords.

Next, check your webmail system for forwards – this is hiding in settings. Are you forwarding your emails anywhere? Do you recognize every account listed? If not, you have a substantial headache ahead, because your newfound pen-pal is reading all your mail… including the one just generated by the system which confirms you just changed your password. Next step – remove the unknown mail forward assignments… and change the password again.

Now comes the painful part – you need to immediately reach out and change every password on every site where you used the compromised account as your primary email contact. Remember – your secret pen-pal has the necessary codes to reset your accounts, and may already be doing so. If you can’t get in anywhere… start calling or using other methods.

Still feel that easy password was a good idea? You should use randomized passwords everywhere, and never the same one on multiple sites. (Easy for him to say, but if you read down the blog, you’ll see I went through the same exercise a few months ago, albeit for a different reason).

If you want to save this headache in the future, a good password is a good starting place. I tend to go one step further; my primary email is not accessible via web-based systems, and can only be accessed by a dedicated email client. That’s right, I use a separate program just for email. For most of Internet history, this was the norm; web-based is a recent “convenience” – and is vulnerable to all the gotchas of web-based clients.

I use and recommend Forte Agent and Mozilla Thunderbird. Forte Agent I’ve used since its beginnings – but this is not an easy package to master, and many are turned off by having to pay for it.

The hacker’s tale…

I’m sitting at the computer, busily working away on a couple of projects, and then there’s a drop in throughput to the network… sites won’t load, and now – even one of the local servers won’t respond. Network bandwidth use is up like crazy; and then it drops.

Time to check a couple of logs. I use an Intrusion Detection System of my own design, and it’s caught a problem, and shut down a port on the switch to prevent further damage. I log into the Linux box from the hardwire console, run lastlog, and there it is – one account has been accessed from – uh huh. I don’t think that is from the college, or any local ISP, and a quick check with ARIN says this block belongs to RIPE (uh oh) – and RIPE says it’s from Romania.

Oh dear. We have a hacker.

First things first. This system is disconnected from the outside world (and it was never connected to the inner network); so let’s make a copy for analysis… done. Now let’s look at the image, and see if we can figure out what happened. Hmm… seems the original account holder decided to change his password to “l234” – oh joy. How do I know this? From a logfile, showing all the login attempts, by an automated scanner (from Kiev). The scanner was able to fool the guard-shack software by operating in slow-motion; testing a new combination at a pseudo-random interval of 15-100 seconds apart. It’s been working on this since mid-March… but only on this one account. And – this system is generally hidden from view. How did it know to come here?
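The slow-motion guessing described above slips under any lockout rule that only counts bursts. Here is an added example (mine, not code from the original post or from the author’s IDS) that parses constructed sshd-style log lines, counts failures per account and source over the whole window rather than per minute, and reports whether the slow guesser eventually got in. The log lines, host name and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in syslog/sshd style (not from the original post).
# Failures arrive 40-90 s apart, the slow pattern described in the post.
SAMPLE_LOG = """\
Mar 14 02:10:05 smallman sshd[4121]: Failed password for bob from 203.0.113.9 port 50211 ssh2
Mar 14 02:10:47 smallman sshd[4125]: Failed password for bob from 203.0.113.9 port 50214 ssh2
Mar 14 02:12:19 smallman sshd[4130]: Failed password for bob from 203.0.113.9 port 50220 ssh2
Mar 14 02:13:02 smallman sshd[4133]: Failed password for bob from 203.0.113.9 port 50223 ssh2
Mar 14 02:13:30 smallman sshd[4139]: Failed password for alice from 198.51.100.4 port 41022 ssh2
Mar 14 02:14:21 smallman sshd[4141]: Failed password for bob from 203.0.113.9 port 50230 ssh2
Mar 14 02:15:44 smallman sshd[4150]: Accepted password for bob from 203.0.113.9 port 50238 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(log, year=2011):
    """Return (timestamp, outcome, user, source_ip) for each auth line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def slow_guessers(events, min_failures=4, max_per_minute=3):
    """Flag (user, ip) pairs whose failure rate stays below a burst lockout
    threshold yet accumulates over the long run, noting a later success."""
    fails, success = defaultdict(list), set()
    for ts, outcome, user, ip in events:
        if outcome == "Failed":
            fails[(user, ip)].append(ts)
        else:
            success.add((user, ip))
    findings = {}
    for key, stamps in fails.items():
        if len(stamps) < min_failures:
            continue
        span = (stamps[-1] - stamps[0]).total_seconds()
        rate = len(stamps) / max(span / 60, 1)   # failures per minute, whole window
        if rate <= max_per_minute:               # slow enough to evade a burst-only rule
            findings[key] = {"failures": len(stamps), "span_s": span,
                             "per_min": round(rate, 2), "succeeded": key in success}
    return findings
```

A burst rule such as "five failures in a minute" never fires on this log; the whole-window count does, and the trailing "Accepted" is the line that turns an alert into an incident.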

Turns out, the account holder advertised he had a new account on a new system and was learning Linux and posted messages about this in several forums… gee, thanks, guy.

Time to clean it up. The IDS is on a separate system, and when it noticed unusual traffic, simply contacted the switch and shut down the offending port, and then sent a few messages about what it did to the usual suspects. By turning down the switchport, the hacker lost connectivity immediately and was unable to execute the usual cleanups. Now I have a history file to peruse, and see what happened.

Three hours pass… and it’s clean. I have a system image preserved for posterity (or at least for the rest of the month), and an improved password policy in place on the system. I thought I had one in place, but a routine update overwrote the file with defaults – I see the update I used was replaced in the repository shortly after I used it; put that one down to bad luck, and add the affected files to the comparator cron job.

Live and learn. Back to electron mining.

…and for the account holder who created the vulnerability? His account and one other (also advertised on WoW forums) have been obliterated. I hope he didn’t use his clever password elsewhere…

Hacking HTTP via GET; part the first.

For the past couple of days the big hack-of-the-month is the Citigroup credit-card data disclosure. Reading today in the NY Times, I was struck by this description:

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

source: “Thieves Found Citigroup Site an Easy Entry” NYTimes June 14 2011

Read that methodology again. They had a program insert the account numbers into the browser address bar and retrieve account settings. This is not, to my mind, rocket science.

Let’s go look at some web addresses. Here’s one from Amazon:

Here is one from the National Weather Service:

And finally, here are several from the Roseberry Homestead:

Peruse the above links carefully. You should note something in common: the parameters being passed along to the websites. In each case, the website receives parameters from the user – the indicator being the “?” separator. For Amazon, it’s quite involved. The NWS is a bit easier to read, and for Roseberry, it’s a simple “p=” followed by a number.

Let’s “hack” Roseberry. Open a new browser (ctrl-n works). Now copy one of the Roseberry links and paste it into your new browser window – but change the number to 228. Thus your “hacked” link should read as this:

and then load this page. Compare its content to the page link you originally copied. Different content – it is a different page.

But why stop there? Let’s try “hacking” the National Weather Service. This one is a bit harder since you need to change one or more items in the URL; but it’s still readily doable. You do have to know a bit about how the NWS is organized, but it’s not like they hide this stuff.

Take the original URL above, copy and paste it into your browser, but then use the arrow keys or mouse, and replace the letters “PHI” with “MHX” – and then load the resulting page. Now go back and change “MHX” to “EAX” and “PNS” to “FLS”, and load the result. What you should get is the Flood Statement issued by the Kansas City weather office. What we’ve been changing is the issuing office value (PHI, MHX, RAH, EAX, OAX, etc) and the product type (PNS, FLS, AFD, etc).

Congratulations. You are now versed in the Citigroup hacking method, at least as described in most press accounts. Note how hard this was, and then go back and read that NY Times quote again.

This “vulnerability” is part of the original HTTP specification – it’s called the GET method. In the second part, I’ll, er, get into what methods are and why the GET exists, and how things could be done for better protection of valuable data.
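To make the point concrete from the server’s side, here is an added example (mine, not code from the original post or from any of the sites named in it) with a handler that trusts the account number in the query string, the same handler fixed to check ownership against the logged-in session, and a simple access-log check for a session that walks through identifiers it does not own. The account records, URLs and user names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample records; not real accounts.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.50, "card_last4": "4242"},
    "1002": {"owner": "bob",   "balance": 980.00, "card_last4": "1881"},
    "1003": {"owner": "carol", "balance": 15.25,  "card_last4": "0005"},
}

def account_id_from_url(url):
    """Pull the 'acct' query parameter out of a URL; this is the piece
    that gets edited in the address bar."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("acct", [None])[0]

def view_account_vulnerable(url, session_user):
    """Trusts the identifier in the URL and never asks who is logged in:
    changing acct=1001 to acct=1002 returns someone else's record."""
    return ACCOUNTS.get(account_id_from_url(url))

def view_account_hardened(url, session_user):
    """Authorise on the server: the record comes back only when the
    logged-in user owns it. Unknown and foreign ids get the same answer,
    so the response does not reveal which ids exist."""
    acct = ACCOUNTS.get(account_id_from_url(url))
    if acct is None or acct["owner"] != session_user:
        return None
    return acct

def enumeration_suspects(requests, max_distinct=3):
    """Defender's view of the access log ((session_user, url) pairs): a
    session denied on many distinct ids is iterating, not browsing."""
    denied = defaultdict(set)
    for user, url in requests:
        if view_account_hardened(url, user) is None:
            denied[user].add(account_id_from_url(url))
    return {u for u, ids in denied.items() if len(ids) >= max_distinct}
```

The ownership check is the whole fix; the log check is what would have turned "tens of thousands of times" into an alert long before the count got that high.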

ps – all links quoted herein are working as of time of authorship.

A technical note about hosting…

I provide a lot of hosting support for my students. It’s best to learn on real-world systems, not XAMPP or other self-contained simulators. Thus I’ve registered a domain, set up GoogleApps for email and wiki-like services, and configured a Linux-based host for the class.

This doesn’t have to cost a lot. The “SmallMan” server was built new for a budget of $325. It consists of: Intel 510DMO (dual-core 1.6 GHz Atom CPU), 4 GB RAM, 500 GB disk drive, dual-network add-on card, an extra fan, an ITX case and P/S, and a DVD-ROM drive. It hosts three VMs, providing 23 webhosts, two email servers, various other support services… and draws a whopping 25 watts under heavy load.

Unless I look at it I can’t tell it’s running.

Time to move…

It will be moving day soon. Not for me, but for students wanting to take their accomplishments forward.

Since January, I’ve been teaching a course in Web Architecture. In practice this has left students with a number of websites, in various states of completion/construction/disrepair and so on. Most will have a customized WordPress install, and a Drupal 7 system.

For the time being, the course is hosted mostly on my little in-house server. By the end of the calendar year, students will have to move off this server.

But where to go?

There are generally three possibilities: host it yourself, pay for hosting, or take it down.

Host it yourself works only IF (big IF) you have: 1) requisite knowledge to install and configure a web hosting environment; 2) a computer to do this on; and 3) appropriate rights for hosting from your service provider. While my class teaches the first component, the others are beyond my control.

I think most will opt for paid hosting; or take it down. It’s too bad the college doesn’t provide hosting support for student projects.