During Voxilate's development and honing of HeyTell Voice Messenger, I've thought a lot about how I use (or don't use) voice mail. While a push-to-talk solution like HeyTell is definitely a great replacement for text messaging/SMS, it's also a lot more efficient than a phone call for a lot of simple, immediate use cases like:
- Where are you? Oh, there you are. (Especially with the geolocation...)
- I'm okay, I wasn't in that building.
- You at the store? Can you pick up some milk? [5 minutes later] Coffee, too!!
The thing with voice mail, too, is that while I don't think of myself as a *very* lazy person, I find that I'm almost always too lazy to check it in a timely manner. Here's what checking voicemail requires of me, lazy person:
1. See the Messages icon on my phone.
2. Dial Voicemail.
3. Type in my passcode.
4. Wait.
If I want to listen to it again, I've got to go through it all again.
I'll be honest and share my typical way of handling voicemail:
1. See the Messages icon on my phone.
2. Look at the last Incoming number.
3. Call them back...thereby avoiding the use of voice mail altogether.
4. At some point when there's more time, cycle through *every* message and save or delete one-by-one.
The cool thing, I think, about HeyTell, is the immediacy of it. Click a button, send a message. Click a button, listen to the message. Save it for later or delete it. Replay it.
Also, I'm a shy person and not just a little bit socially awkward. Therefore, the telephone and I already have issues! When I have voicemail, I feel dread. Why? Something about picking the phone up again, dialing numbers, hoping I'm not interrupting whoever it was in the middle of whatever they are doing.
With HeyTell, the whole transaction is like an instant message - say something, wait for a response, and then respond when you're ready. I'm comfortable with IM. I can get my thoughts together before I type. I can work on other things and then return to it. It's nice to do the same thing with voice. I can reduce a little of that social awkwardness, have more control over the conversation, and stop pushing so many buttons.
Voice IM is really, I think, a best of two worlds combination - you get the intimacy of voice, the grokking of intonation and inflection, the speed and efficiency of not dialing, not typing, not waiting for rings and did you forget to dial that 1?, the ability to pull your thoughts and ideas together as coherently as you can in an email or instant message, and retain the ability to multi-task - a phone call requires your undivided attention. A voice IM? Respond when you can. Save and re-play it when you need to. Fantastic for productivity!
Combine it with location-awareness so that my contacts (and *only* those I allow access) can locate me in a crowd, and it's a win-win for me. Hope others feel the same!
Friday, January 29, 2010
Why does the No Free Bugs movement exist?
Having been *a little* bit involved with product development and testing in my time, and being kind of ultra-cognizant of security most of the time, I often wonder about the "No Free Bugs" movement and why it exists.
Why don't companies pay security researchers to find security holes in their products? It seems like a win-win to me.
- By paying the researcher in exchange for signing an NDA (that specifies no disclosure until there's a fix - with a fixed end date, of course!), you get more control over disclosure - less likely to have a pissed off researcher telling everyone about it, plus you've got legal recourse.
- The researcher gets cash, cred, *and* fodder for the security con circuit.
Win-win! Maybe I'm looking at it too simplistically? Is it that researchers don't want to do this? Or corporations don't want to bother? Or don't trust the researchers enough?
External auditing firms are great for CYA, but expensive and still do miss things. Seems to me like augmenting your 'professional' review and internal QA with a few scrappy, bright researchers who are highly motivated to break your security is the ultimate CYA when developing secure products. Each and every layer you can add makes your product stronger and secures yourself against liability.
---
Update - See, Google gets it!
Thursday, November 19, 2009
Who's attacking your web server today?
We're going to go a little off-book today for a segment I'd like to call, "Who's attacking my server today?"
I administer a few servers and they, like most anything connected to the Internet, are constantly under attack. Searching through my logs, I've seen a large number of pretty basic attacks trying to exploit a vulnerability in Parallels Plesk - a hosting control panel. If you're using hosting "in the cloud" [1], you're bound to see a lot of this sort of thing. Mostly automated. And often launched from "the cloud" itself!
Here's a little command line I've been using on my server to find out who's attacked today:
for i in $(cat /PATH/TO/MY/ACCESS_LOGS/MYACCESSLOG_0911*.txt | grep login_up | awk '{print $1}' | sort -u); do nslookup "$i" | grep "name = " | awk '{print $4}' | sed 's/\.$//'; done
What this crude little command line does is search through all of my logs from November (insert the path to your log files there), look for accesses of login_up - which is a hallmark of people trying to get at the Parallels Plesk control panel - grab the IP from the front of each line (the awk '{print $1}'), sort the IPs and remove duplicates (plenty of these as they scan!), look up the hostname for each using nslookup, grep out the hostname, and strip the trailing dot that shows up in nslookup output. Crude, yes, but it gets me a nice little list of baddies.
And there we go, a list of who's attacking our Web server today!
[1] "Cloud" is a fancy term we sometimes use; it too often just means "server is not in your basement."
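A slightly less crude version of the same triage, added here as an example and not taken from the original post: it counts login_up hits per source and keeps the first and last hit times, which the one-liner's sort -u throws away. The log lines are constructed samples in combined log format; the request path and the use of getent for the reverse lookup are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): count Plesk "login_up" probes per source IP
# from web access logs, with first/last hit times, then optionally reverse-resolve them.
SAMPLE_LOG="${TMPDIR:-/tmp}/plesk_probe_sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT

# Constructed sample access log (combined format); the addresses are documentation ranges.
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [19/Nov/2009:03:12:01 -0600] "GET /login_up.php3 HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [19/Nov/2009:03:12:02 -0600] "GET /login_up.php3 HTTP/1.1" 404 211 "-" "Mozilla/4.0"
198.51.100.23 - - [19/Nov/2009:07:40:55 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Nov/2009:07:41:10 -0600] "POST /login_up.php3 HTTP/1.1" 404 211 "-" "Mozilla/5.0"
192.0.2.99 - - [19/Nov/2009:22:05:17 -0600] "GET /login_up.php3 HTTP/1.1" 404 211 "-" "-"
192.0.2.99 - - [19/Nov/2009:22:05:18 -0600] "GET /login_up.php3 HTTP/1.1" 404 211 "-" "-"
192.0.2.99 - - [19/Nov/2009:22:05:19 -0600] "GET /login_up.php3 HTTP/1.1" 404 211 "-" "-"
EOF

# probe_sources FILE...: print "hits ip first_seen last_seen" per source IP, busiest first.
probe_sources() {
    cat -- "$@" | grep 'login_up' |
    awk '{
        ip = $1; ts = substr($4, 2)          # drop the leading "[" of the timestamp field
        hits[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
    }
    END { for (ip in hits) print hits[ip], ip, first[ip], last[ip] }' |
    sort -rn
}

# probe_hostnames FILE...: same sources with a reverse DNS lookup via getent (assumed
# available); falls back to the bare IP when there is no PTR record or no getent.
probe_hostnames() {
    probe_sources "$@" | while read -r hits ip first last; do
        name=$(getent hosts "$ip" 2>/dev/null | awk '{print $2}')
        printf '%s %s %s\n' "$hits" "$ip" "${name:-$ip}"
    done
}

probe_sources "$SAMPLE_LOG"
```

A PTR record names the hosting provider, not whoever is driving the box; most of these are themselves compromised hosted servers, so the useful follow-up is an abuse report to the provider rather than anything aimed at the hostname.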
Wednesday, September 30, 2009
Blocking Ads Can Save More Than You Think
Put yourself in a bad guy's shoes:
You have a piece of software that logs usernames and passwords to banking sites. It can do a number of other things, like propagate itself to other computers that share drives with the victims and open address books and email itself to every email address it finds - so that it can log usernames and passwords from even more sites!
It just needs to hit one system, really, to propagate. But as the guy or gal trying to get this software out and productively returning good banking credentials, if you had the chance to propagate more and better, why wouldn't you? How would you easily infiltrate as many computers as possible, and computers used by people who actually might have something in their bank accounts to reliably pilfer? You might want to take a look at something networked, something that gets propagated to a large number of mainstream sites. Because you may be found out quickly, you're looking for somewhere you might slip in surreptitiously, across a large number of trusted mainstream web sites simultaneously...
Ad networks. It's a pretty sweet attack vector, really. Massive, instantaneous, worldwide reach. Immediate impact. Solid customer base. Bi-partisan, even! Simultaneously force malware on readers of MSNBC and DrudgeReport and Salon, Washington Post, and CNN and more? Score!
A few weeks ago, the New York Times got hit with such an attack...and it wasn't stopped for at least 12 hours.
What can you do to protect yourself against drive-by ad attacks like this? Other than not checking the news - because I'll be honest, I am going to read the Drudge Report no matter what, daily. Malware will not keep me away.
First thing: Don't install anything when prompted unless you yourself prompted the install and you know what you're installing. A virus scan initiated by a Web site you just hit? Close the window, don't click OK! And don't ever enter your password or allow some unbidden installer elevated privileges!
Second thing: As much as it hurts the newspapers and advertisers right now, you can choose not to have the ads served using a few different methods. We'll talk about two quick and dirty methods today.
Ad Block Plus plug-in for Firefox
The AdBlock Plus plug-in blocks ads automatically. It blocks and hides ads from view. To install it:
- In Firefox, select Tools > Add-ons.
- Select Get Add-Ons, enter "Adblock" in the search window, and press Enter.
- Select AdBlock Plus and click Add to Firefox.
- Click Install Now and restart Firefox when prompted.
Modify your hosts file so that all ad-server URLs resolve to your local system and *not* to the ad site!
Dan Pollock @ SomeoneWhoCares.org maintains a hosts file of known ad servers. You can replace the hosts file on your system with his list, so that whenever a web page requests an ad server, it resolves to your own system instead. Note that it doesn't hide the spots where the ads should be the way AdBlock Plus does - you'll see either whatever your local web server serves, or a "failed to connect" error if you aren't running a local web server. Basically - whatever you see at http://127.0.0.1 is what you'll see in the ad view boxes.
Copy his list at http://someonewhocares.org/hosts/ (or your own list, if you've been keeping score) and paste it into your own system's hosts file (note that you need to be root or Administrator to do this). In Linux, add the data from Dan's list to /etc/hosts. In Windows NT, 2000, XP, and Vista, add it to c:\Windows\system32\drivers\etc\hosts. In Windows 95/98 and ME, add it to C:\Windows\hosts.
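Pasting a downloaded list straight into the hosts file means trusting every line of it; an entry can map any name to any address, not just to 127.0.0.1. The script below is an added example (not from the original post or from SomeoneWhoCares.org) that merges a list into a hosts file while accepting only loopback or 0.0.0.0 entries and skipping names already present. The hosts file and blocklist contents are constructed samples using example domains.

```shell
#!/bin/sh
# Added example (not from the original post): merge an ad-server hosts list into a hosts
# file, keeping only entries that point at the loopback or null address.
WORK="${TMPDIR:-/tmp}/hosts_merge.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the current system hosts file.
cat > "$WORK/hosts" <<'EOF'
127.0.0.1       localhost
127.0.0.1       ads.example.com
EOF

# Constructed sample of a downloaded blocklist: a comment, a duplicate of an existing
# entry, two new entries, and a line that would send a real site to an outside address.
cat > "$WORK/blocklist" <<'EOF'
# ad servers
127.0.0.1       ads.example.com
127.0.0.1       ads.example.net   # inline comment
0.0.0.0         tracker.example.org
198.51.100.5    bank.example.com
EOF

# merge_hosts_blocklist HOSTS BLOCKLIST OUT: copy HOSTS to OUT, then append the safe,
# not-yet-present BLOCKLIST entries (comments stripped, one "<ip> <name>" per line).
merge_hosts_blocklist() {
    hosts=$1; blocklist=$2; out=$3
    cp "$hosts" "$out"
    sed 's/#.*//' "$blocklist" |
    awk 'NF >= 2 && ($1 == "127.0.0.1" || $1 == "0.0.0.0") { print $1, $2 }' |
    while read -r ip name; do
        # skip names already in the output file (case-insensitive match on the name field)
        if ! awk -v n="$name" 'tolower($2) == tolower(n) { found = 1 } END { exit !found }' "$out"; then
            printf '%s\t%s\n' "$ip" "$name" >> "$out"
        fi
    done
}

# rejected_entries BLOCKLIST: entries refused because they point somewhere other than
# loopback/null; review these by hand before trusting the list at all.
rejected_entries() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 && $1 != "127.0.0.1" && $1 != "0.0.0.0" { print $1, $2 }'
}

merge_hosts_blocklist "$WORK/hosts" "$WORK/blocklist" "$WORK/hosts.new"
cat "$WORK/hosts.new"
rejected_entries "$WORK/blocklist"
```

Point OUT at a copy of the real hosts file, inspect it, and only then install it as root or Administrator.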
Wednesday, August 12, 2009
Don't be easy!
With the number of systems and web sites you log into every day, generating and remembering unique, memorable, and unguessable passwords can be a real chore. However, a disciplined approach to password security is pivotal to thwarting password-based attacks. Who would use password attacks to break into your accounts? Thieves (your bank account and credit card sites), foreign governments and competitors (your bank and work accounts), ex-boyfriends (your Facebook account), ex-husbands (your personal email account)!
Some of the more common types of password attacks include:
- Online attacks: An attacker attempts to log into the running system directly. If the system under attack doesn't block the attacker after a certain number of login attempts, they can try username and password combinations indefinitely until they break in.
- Offline attacks: Exploiting vulnerabilities in the computer operating system or other running services, an attacker obtains a copy of the encoded (hashed) password files on the victim system and then uses password cracking software to recover the passwords from the hashes.
- Socially-engineered attacks: An attacker tricks you into revealing a password (in some experiments, people gave away their passwords for chocolate!).
- Guess-based attacks: An attacker guesses your password. This can be kind of easy if you always use your dog's name as your password and you constantly post funny anecdotes about your dog BarnabyJones on Facebook!
It's important to realize, too, that it's not just security neophytes that end up victimized by password attacks -- more than a handful of security "superstars" have been hacked and hacked hard in recent weeks. Not only that, but some victims used the same password or password pattern for multiple sites and accounts, increasing their exposure to and the severity of these attacks.
How about you? Are your passwords easily crackable? Do you use the same password for Facebook and your online bank? Come on, you're not using your cat's name or your baby's name and birthdate, are you? Or are you more complicated and difficult? If you are, how often do you forget your uber-tricky password and have to reset it to something easier?
One of the very first (and easiest) things you can do when securing your computer and online presence is to come up with passwords that are unique, cannot be easily brute-forced, and are easy for you to remember.
Here are a few tips and tricks to help minimize your exposure to password attacks.
- Avoid predictable usernames. Many brute-force password attack programs use a list of usernames and passwords, with more sophisticated users employing additional rules for password generation. Although "JeannaJetsonAmex" is a better username than "JeannaJetson" for the American Express web site, both are very easy to guess.
- Use mnemonics to generate unique but memorable passwords. Use the old "numbers for letters" trick and use special characters, but in non-obvious ways. For example, Jeanna Jetson could use a password like the following for her Amex account: ?1JjTam3x14p4in!di* (I, Jeanna Jetson, Think amex is a pain! Don't I?) Or how about, ?MbP1tw1e5!1i*. I'll remember this, because it stands for "My blog Password is the worst I ever saved! Isn't it?" Choose what's easiest for you to remember and employ tricks that a)you will remember and b)are tricky.
- Use special characters, numbers, and mixed case - and longer is better. Most sites require this - use mnemonic tricks like the ones described above to remember your special characters (!@#$%^&*(<>?:"[]) and numbers.
- Employ varying levels of trickiness based on the site. Save your good passwords for your own systems, your email accounts, bank account sites, and sites you trust. If you don't see "https" in the URL or in your browser status bar when entering a password, it's probable that your password is being transmitted in clear text and can be sniffed. Don't trust the site and don't use the same password (or even password pattern) here that you use for more secure or critical sites! Another tip-off to a not-so-secure site is one where special characters are not allowed. You actually do see this a lot for bank sites - they want to be sure that passwords can be entered using a keyboard or a phone keypad, and therefore don't accept anything but numbers and letters and ignore whether the letters are lowercase or uppercase.
- Do not use the same password across multiple sites. I break this rule when using insecure sites, but otherwise - don't use the same password in multiple places. Think of your password as a key - why use the same key to access your home, car, office, and safe deposit box?
- Perform password Spring Cleaning (i.e., HACK YOURSELF!). Whether you use a single computer, share a computer, or administer a server, you should periodically audit the password strength for all users of your systems (especially inactive accounts - if the accounts are inactive, disable them!). There are a few different ways you can do this. If you're a Windows user, try Cain and Abel (Download here. YouTube Tutorial here). If using Linux, John the Ripper rocks (I don't use anything else!). John the Ripper is also available for Windows (or you can copy the SAM files to Linux - Stay tuned for future articles on this subject).
My basic rule of thumb is that if the password is cracked in an hour, it's not strong enough! Heck, if it's cracked in a week, it's too weak! If these utilities are too heavy-duty for your purposes and you just want to verify the strength of a web site password or two, try Microsoft's Password Strength Checker to verify specific password patterns.
- Disable remote root or Administrator access to your systems. "root," "admin," and "Administrator" exist in just about every username list. Why make things easier for a brute-forcer? Disable root and Administrative remote login. If an attacker has physical access to your system, it's game over anyway. And if a legitimate remote user (i.e., you) requires elevated access for specific reasons, as part of an Administrators group (Windows) or member of sudoers (Linux), they can elevate themselves as-needed - there's no need for Administrator or root to log into the system remotely.
- Ensure root or Administrator users have complex passwords. I'm sure this goes without saying, but your root or Administrator accounts should never be passwordless and their passwords should be as strong as you can make 'em.
These tips are definitely not comprehensive, but will hopefully give you a place to start!
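A small "hack yourself" check that puts the tips above together, added here as an example and not from the original post: it first tests whether a candidate password is just a personal word plus a few digits (the BarnabyJones problem), then estimates brute-force time from the character classes used and applies the one-hour / one-week rule of thumb. The guess rate, the personal wordlist and the sample passwords other than the post's own ?1JjTam3x14p4in!di* are assumptions for illustration, not measurements of any real cracker.

```shell
#!/bin/sh
# Added example (not from the original post): rate a candidate password against the
# guess-based and brute-force attacks described above. GUESSES_PER_SEC is an assumed
# rate for illustration only; real crackers vary enormously with hash type and hardware.
export LC_ALL=C
GUESSES_PER_SEC=1000000000

# Constructed "things an attacker could learn about you" wordlist: pets, kids, cards...
PERSONAL_WORDS="barnabyjones fluffy jetson amex password"

# password_charset PASSWORD: size of the smallest ASCII character set covering it.
password_charset() {
    pw=$1; n=0
    case $pw in *[a-z]*) n=$((n + 26));; esac
    case $pw in *[A-Z]*) n=$((n + 26));; esac
    case $pw in *[0-9]*) n=$((n + 10));; esac
    case $pw in *[!a-zA-Z0-9]*) n=$((n + 33));; esac   # printable ASCII punctuation
    echo "$n"
}

# brute_force_hours PASSWORD: hours to exhaust the keyspace at GUESSES_PER_SEC.
brute_force_hours() {
    awk -v len="${#1}" -v cs="$(password_charset "$1")" -v rate="$GUESSES_PER_SEC" \
        'BEGIN { printf "%.2f\n", (cs ^ len) / rate / 3600 }'
}

# guessable PASSWORD: succeeds if it is a personal word with up to four trailing digits
# (case-insensitive), i.e. what a wordlist-plus-rules attack tries first.
guessable() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for w in $PERSONAL_WORDS; do
        case $lower in
            "$w" | "$w"[0-9] | "$w"[0-9][0-9] | "$w"[0-9][0-9][0-9] | "$w"[0-9][0-9][0-9][0-9]) return 0;;
        esac
    done
    return 1
}

# rate_password PASSWORD: "weak" (guessable or under an hour), "cracked-in-a-week", or "ok".
rate_password() {
    if guessable "$1"; then echo weak; return; fi
    hours=$(brute_force_hours "$1")
    awk -v h="$hours" 'BEGIN { if (h < 1) print "weak"; else if (h < 168) print "cracked-in-a-week"; else print "ok" }'
}

for pw in 'BarnabyJones2009' '?1JjTam3x14p4in!di*' 'Tr0ub4d'; do
    printf '%-22s %s\n' "$pw" "$(rate_password "$pw")"
done
```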