Diary of a Network Geek

Guess who’s spending the weekend upgrading the company’s main server?

Finally after dealing with an aging server for too long, we’re upgrading.  And, not a minute too soon, either.  I have the joy of migrating Active Directory from a Windows 2003 server to a Windows 2012 server.  Not to mention, I get to migrate printing services, an iSCSI array connection, DNS and DHCP.  Wee!  What fun!

Well, I suppose that’s why I get the “big bucks”, right?  A system administrator’s work is never done!

Published via Pressgram

Do you trust everything you see?

We’ve all seen QR codes, even if we may not have all recognized what they are.  These little, square dot patterns are everywhere these days, especially in advertising.  In fact, some people have gotten so used to scanning them with their smart phones to get more information about products and services that hackers are now exploiting them.  I recently read a very interesting article on TechRepublic by Michael Kassner titled Beware of QR Codes about an exploit found in the wild, and QR code exploits in general.  The problem is, we tend to trust them, mainly, I think, because they’re too new for us to have been burned bad by them yet, and they are popping up everywhere!  Pay attention as you go through your day and see how many of these little deals you bump into.  They’re in everything from magazine ads to product labels to posters to coupons!  Even Doonesbury has run a strip with a QR code in it!

So, as you swim out there, awash in the ocean of marketing and sales that we live in, pay attention to those who might subvert your complacency.  If it’s easy for you to use, it’s probably easy for someone to abuse, just like the QR code seems to be!

DNS has inherent weakness.

In it’s current form the Domain Name System, by it’s open nature, is pretty primed for exploitation.
Some of these attacks are more obvious than others, but there are two that I find particularly troubling.  More so that I can see them being used together to really mess with a website owner.
The first of these two attacks isn’t new.  But, the fact that it isn’t new and has been dealt with before doesn’t mean that it has suddenly stopped being effective.  The attack is called “DNS poisoning” and it works by corrupting the DNS cache on a server, which then forwards those poisoned DNS records as legitimate to other, unsuspecting servers.  The end result is that the attackers can redirect traffic from a legitimate website to their own site.  It’s hard to flat out stop right now, though, once discovered, it can be fixed with relatively little trouble.  This attack was used recently against several websites who were supporting SOPA and PIPA.  Of course, since these folks were trying to make a statement, it was pretty clear what had happened, so techs were working to fix it pretty quickly.
The second attack, which I would think include the first attack at its initial stages, is sub-domain hijacking.  In this attack, the attackers redirect the sub-domain of an existing site to another location.  This is a little more subtle and hard to detect.  In this case, the attackers are looking to profit from a well-established domain by “piggy-backing” on their reputation.  They poison the DNS records to point something like Viagra.google.com to their actual website, selling Viagra, or a site filled with spammy links that redirect a potential victim to their website selling Viagra, or whatever.   This attack takes a proactive system administrator to catch.  Since it doesn’t redirect any of the main, honest, actual site anywhere, but only uses its reputation to improve their own spammy links, it’s not always obvious that it’s going on.  Regular DNS record audits are about the only way to catch this, barring an angry end-user contacting the main site.

The internet is still a wild and wooly place sometimes, folks.  The reasons the professionals get paid what they do is because, theoretically, they have to deal with all that stuff and keep us safe!  Which reminds me, I have to go check my own company’s websites and DNS records, not to mention my own!
(The title, incidentally, was inspired by the movie that helped get me into this business, Sneakers. “Cattle mutilations are up.“)

Hackers are porting Linux viruses (virii ?) to OS X.

Last week Monday, ZDNet reported that hackers have ported code for a trojan from Linux to Apple’s OS X.  For those of my readers who don’t know what a trojan is I’m referring to a malicious program that opens the door for other, usually even worse, programs to come into the infected operating system, like the Greeks did in the classic stratagem known as the Trojan Horse.  It hasn’t been seen in the wild yet, but apparently the C source code for this has been available for quite some time.

Frankly, I’m surprised that this doesn’t happen more often than it does.  In the old days, virus writers had to really know something because they used assembly to create them.  Now, with Windows and all the other object-oriented programming languages filled with bloated libraries of programming calls, along with the availability of existing code on the internet, they hardly have to know anything to write fairly nasty malware.  And, as I’ve mentioned before, as Apple laptops become more popular, more malware will start to show up there.  I’m sure it’s only a matter of time before they figure out how to infect iPads and iPhones, too, if they haven’t already.

I hate people like this.
I spent most of my day today cleaning a malware infection off a machine.  This little bugger had not only disabled the Windows Task Manager, which is pretty common these days, but it also cleaned out the Start Menu, including all the built-in things like the link to Control Panel and My Documents and all those things on the right side of the Windows XP default Start Menu.  But, it also flagged most of the drive as Hidden and System, making it even more difficult to load the software I used to clean it.  I had to go into Safe Mode just to get the system clean enough to restart into Safe Mode with Networking so I could update Malwarebytes, which is what I eventually used to get rid of the beastie.   (I used Spybot Search and Destroy to keep the malware from loading to make the machine useable with networking support so I could update Malwarebytes, incidentally.)
So, yeah, these slimeballs keep me in a job, but, really, I’d appreciate it if they stopped helping me stay employed.  I promise I can find plenty of other things to do!

So, look lively out there people!  Be suspicious of what you download and click on!

UPDATE:  Apparently, this has been found out in the wild now.  And, according to TechWorld, it has a purpose; to use your system to generate BitCoins for it’s evil masters.  Very clever.  Nasty, but, still, very clever.

No, seriously, it is.

If it makes you feel any better, most people’s passwords are too weak.
I suppose you think it doesn’t matter how “strong” your Gmail (or Hotmail or whatever free email you use) password is, right?  Well, you’d be wrong.  I recently read an account about how one person’s Gmail account was hacked and used to spam and try to get her friends to send the hacker money, all posed as her.  Of course, that was after deleting more than 4 Gigabytes of stored messages and photos.  You can read that account, as told by her husband, over at the Atlantic, in an article titled “Hacked!”  It’s worth reading, especially if you’re not in the IT business.  And, frankly, even for a fellow professional computer geek, it might be eye-opening to see how hacked email accounts are being used these days.  I have to admit, I was a little surprised that the attacker in question actually used the account personally to try and con money out of the victim’s friends and family.

I was not, however, all that shocked to see how many accounts are compromised on a regular basis.  Think the thousands.  Daily.
Right, so thousands of email accounts on which people depend are hijacked, used and abused on a daily basis.  If it hasn’t happened to you, it’s probably only a matter of time.  So, how do they do it?  Shared, easily guessable passwords.
Yes, it’s that easy.
Stop for a minute and think about how many passwords you use on a regular basis.  How many are the same?  How many accounts do you have for things like bank accounts and credit cards and medical records that use the same password as your email?  And how many of those accounts use that same email address as the username?
Getting the picture?

So, what do you do?
First, stop reusing passwords.
Second, make more secure passwords.  And, don’t think that the old way of replacing “L” with the numeral one or the letter “O” with the numeral zero and that kind of thing will work, either.  The hackers are on to that.  It’s better to use words that are not in the dictionary.  So, yes, made up words.  Or, even better, phrases, which is what I’ve recommended for some time.  Having a hard time coming up with one?  Try using one generated randomly for you at passphra.se, a random passphrase generator which was inspired by an XKCD comic.  The comic explains the reasoning behind the passphrase idea and the generator.  Also, XKCD is pretty funny and if you’re geeky like me at all, it’s well worth checking out.

In today’s world, we’re way too interconnected and digital and reliant on those systems to have relaxed security.  It doesn’t matter if you’re a geek or not.  Please, think about your passwords and how easily they might be compromised.  Then think about what that might mean to your life, digital and otherwise.
Now, if you’ll excuse me, I have to go change some passwords…

Advice from your Uncle Jim:
"Not a shred of evidence exists in favor of the idea that life is serious."

Really?  Are they bringing this one out again?

I’ve heard about the dangers of “cyber war” almost since I got started in this business twenty years ago.  Essentially, since the internet existed, people have been claiming that dangerous hackers are going to take over our infrastructure from within.  Sound familiar?  Like, oh, say, the Red Threat of the Cold War?
It’s pretty easy to get IT guys like me whipped into a frenzy about this.  Back in the day, Winn Schwartau wrote THE go-to book on the subject, [amazon_link id=”B00127UJMO” target=”_blank” container=”” container_class=”” ]Information Warfare[/amazon_link], and in that book he talked about a so-called “Cyber Pearl Harbor” that ushered in a new era of digital warfare.  Well, now, it seems, ZDNet is reporting that we may have already had our so-called Cyber Pearl Harbor.  According to security researchers at McAfee, and elsewhere, several targets, including the United States, have been under a five year sustained cyber attack and they went on to speculate that a “state actor” was likely behind the attacks.  A security consultant at Sophos pointed out that fingers are usually pointed in China’s direction when government-funded and supported cyber attacks are discussed.  And, I have to admit, based on the other forms of espionage, especially industrial espionage, that we’ve seen from them over the years, it wouldn’t surprise me if they were using the Internet to attack various sites remotely in an attempt to get restricted information of various kinds.

But, is this a “Pearl Harbor”-like event?  I mean, really?
Do you see people rallying around this issue?  Are hackers joining the U.S. Military to defend our cyber borders?  If they are, it’s one of the best kept secrets in the world right now.  Seriously.
Pearl Harbor was a galvanizing event in our history.  That one event is what got us off the fence and into World War II, as a nation.  Honestly, I don’t see that happening here, or anywhere that high-level computer tech is the focal point of the debate.  We may rely on that tech to get our jobs done or to entertain us, but, really, most people don’t have any idea of the security work that goes on behind the scenes.  This is an invisible war, if it even can be called that.
Again, I think it’s a new form of Cold War.  It’s a battle waged in the shadows against an all but invisible enemy.  It won’t be fought like a conventional war of any kind, much less like World War II.  And, if the cyber war is an apt metaphor at all, then it’s a war we’re already fighting.

Oh, and as for the Chinese, well, they’ve already used their influence as a global market to get a partial retraction from those fine folks at McAfee, who are now claiming that there is no definitive link to any “state actor” of any kind, much less China.  Of course, I’ve only seen the back-peddling on a single, English-language, but Chinese supported, news site.  Still, that, my friends, is the view of the new global economy and the real war.  Big governments will start to throw their weight around and corporations will “adjust” their position on the truth to tap the market and access their bottom line.  Of course, that’s nothing new, either.  China’s been doing that for years.  Only now, they may be the biggest market still available in the entire world.
Looks like we all better start learning Mandarin!

No, not a flu that your synthetic humanoid might catch.

Virus writers target operating systems with a large installed user base.  There’s nothing controversial or even particularly interesting about that statement.  It’s a generally accepted concept based on observation, if not actual hard facts.  For a long time, that’s why there were so many viral attacks on Windows.  Windows enjoyed the greatest market penetration, so Windows users had to put up with the most frequent attempts to penetrate their machines.
But, that’s changing as the distribution of operating systems changes.  Android, in various forms and flavors, is now the most installed operating system.  Yeah, that’s right, someone has been writing viruses (virii ?) that attack your Android phone.

I’ve seen two new stories about this today.  One from a Houston local tech celebrity, Dwight Silverman over at the Houston Chronicle, and elsewhere, both talking about a new Android Trojan that can actually record your voice conversations.
One of the things that people like about Android is that it can load software from places other than a restricted, safe, controlled marketplace, but, that’s also one of the liabilities.  Apparently, the malware takes advantage of that ability to load itself onto your phone’s SIM chip and force the phone to record conversations to the chip then, optionally, upload those recordings to a server, presumably controlled by an attacker.  It’s somewhat unclear how that process would be initiated, but the simple fact that it can do it at all is chilling to me.  Also unclear from the articles was whether or not this has been spotted in the wild.
Hopefully, not yet.

So, here’s another warning for you.  Your devices, of any kind, are not safe.  Not ever.  If you have them powered on and they can connect to a network, even if you think they aren’t, you may still be vulnerable.  The Internet, in all its forms, is a wild and wooly and dangerous place.
Be careful out there, people.

I hope so!

And, by that I mean, I hope all that Mac Malware we heard about a couple weeks ago is gone.
Now, I know several Mac fanboy blogs linked to the note I put up about the Mac malware some time back thought I was going out of my way to bash Apple, but, honestly, nothing could be further from the truth.  In fact, I hadn’t given it another thought until Ed Bott wrote “Where did all the Mac malware go?”  I threw the original story out there as a warning to all the Apple users who think the Mac and OS X is entirely free from any malware and utterly safe.  That’s just not true.  It is, I have to admit, much safer, in general, than Windows.  There are a couple reasons for that, but, mostly, it’s because of market share and how Apple does, well, everything.

So, that last explosion of malware may be the only shot you hear fired.  At least, for a while.
Frankly, I hope so.  And, I hope that it put enough scare into people that they take security seriously anyway.  As Apple’s market share grows, their products will all become a more appealing target for hackers and crackers.  Though I hope to be proven wrong, I suspect that there is malware being written to attack Macs and, possibly, iPhones and iPads.   In fact, that malware may be already written and just waiting for the right infection vector.  Maybe.

Maybe I’m just a bit cynical and I’m waiting for the proverbial other shoe to drop.
For years, Apple fanboys have told people that Macs were completely virus free and were more secure by their very nature.  Sadly, that’s not true.  We’ve heard the first shots fired in a new skirmish in the secret war for desktops of all kinds.  It’s big business.  I don’ t think this is the last we’ve heard about Mac malware.
But, maybe I’m wrong.  Maybe Apple has closed that hole and all the other holes, too.  Maybe the Macs are all safe and that’s why we haven’t heard about that malware recently.
Maybe.

But, can you afford to take the chance?

Regular readers may be familiar with my photography obsession.

A number of years ago, I spent some money I’d hoarded on an entry-level Canon DSLR, instead of some medical bills.
I’ll be honest, sometimes I worry that I should have spent the money on the medical bills, but, my shots are getting better.  I take great comfort in the idea that it’s the photographer, not the camera, that takes the photo.  Mostly because the majority of my gear is, well, let’s just say, not “top flight” and leave it at that.  But, still, if my camera were stolen, I’d be quite devastated and I’d want to find it again.  Well, that’s where the Stolen Camera Finder comes in.

First, you should know that this is NOT something you install on your camera.  Nor is it some kind of insurance.  Rather, it’s a webpage.  And, it’s free.
Here’s how it works: You get a photograph which you which you took with missing camera.  You take that photo to the website I linked to above and drop it on the target, per the instructions.  Then, the website does a search, based on the metadata from you photo, which includes the serial number of your camera, to find all the photos it can which match the starting photo.  If, or when, it finds photos posted by someone else that have the same serial number embedded in them as your source photo, it shows you the sites.  You can then go track down the person who used your stolen camera to make some of those terrible Facebook photos, or, I guess now, Google+ photos.

How you handle it after that is up to you.
All that matters is that Stolen Camera Finder helps you find your camera.

Okay, maybe not the “funnest” Friday Fun link I’ve ever posted, but, still, helpful if you’ve had a camera get stolen!

I’m seeing traffic about this, so I thought I’d write up what I found.

I tweeted about a strange DNS-based network/malware attack that I saw on Friday, but, at the time, I didn’t see any interest, so I didn’t go into any real details.  Besides, I may be a hardcore geek, but I do have a life and was going out.  But, now, I’m seeing search engine traffic hitting my blog apparently looking for details, so I thought I’d describe the attack, as I saw it.

First of all, let me mention that I’ve seen a higher-than-usual occurrence of malware infections the past couple of weeks.  I mean, it’s a hazard of my business that, sooner or later, people are going to get infected, either through bad behavior or by accident, but the past three weeks or so I’ve seen way more problems like that than is even remotely normal.  So, bearing that in mind, I’ve been on a kind of high-alert status looking for any malware problems, but this was something new.

It started with someone from another location, who’s on a totally, physically separate network which uses a different internet service provider to connect to the Internet, calling me with a problem.  It was, apparently, a recurrence of a virus he had previously that we cleaned.  He described being taken to a webpage that featured a maroon graphic background with a white icon of a policeman holding up his hand to indicate “stop”.  The text on the page gave a message that said the user’s browser was not the correct version to access the page and that an upgrade was required.  Helpfully, it provided a button to press to receive the “upgrade”.  Obviously, the “upgrade” was an infection.  (You can see an example of the graphic here.)  Thankfully, I trained my users well enough to be suspicious of these kinds of things and no one who reported this actually clicked on it.

About the same time this happened, I noticed that my iPhone wasn’t connecting to the wifi hotspot I have setup in my office.  I checked the configuration and noticed that the DNS servers listed were wrong.  In fact, they’d all been replaced with a single DNS server; 188.229.88.7  Obviously, that seemed suspicious to me, so I opened a command prompt on my PC and did a tracert to see if I could figure out where this server was and, from that, why it had become the default DNS server on part of my network, despite my having very carefully configured totally different DNS servers that I knew were safe.  It looked like the tracert results showed me a network path that led out of the country somewhere, which was, to me, very suspicious.

Before I could really pursue that, though, I got another call from a user at my location reporting the exact same error message and graphic, but going to a totally different website! I went to his computer and checked the IP configuration and found that his DNS servers had been replaced by the rogue server as well.  I refreshed his network config, several times actually, and the DNS servers reset, but, when I thought to check some other people in the same area of the building, his configuration set itself back to the rogue DNS server!  So, I reset the local network equipment to clear the DNS cache, and whatever other caches may have gotten poisoned by this attack, and the problem seemed to go away.  Unfortunately, whatever had caused the compromise was still active and seemed to poison the DNS cache and the DNS configuration again.  It did seem sporadic, though, as if the ISP was trying to correct the issue at their end.

As far as I can tell, the attack actually seemed to be network-based in some way.
At least, I couldn’t find any computer on my network that was infected with anything that AVG, Norton Anti-virus, or Malware Bytes could find.  It is, I suppose, possible, that this attack was so new that no of those programs had an updated detection pattern for it, but, based on the lack of detection, and the fact that it happened on two physically separate networks almost simultaneously, leads me to believe that this was a network-based attack.  I suspect that an ARP cache or DNS cache or something similar was attacked and compromised on a major network router somewhere.  Possibly one of the edge routers at a trans-continental connection somewhere.  From the tracert results I had, it looked like it was the East Coast somewhere, leading to Europe via London to France, though I could be wrong.  It’s possible that was a blind alley meant to throw researchers off the trail in some way.
Also, as of this writing the rogue DNS server seems to be out of commission, though that might change, too.

The Internet is a wild and wooly place, ladies and gents, and you can’t always count on your friendly, neighborhood Network Geek to watch over you and keep you safe!  So, be careful out there!
(And, if you’re a fellow professional who’s seen this, too, leave me comments and tell me what you found!)
UPDATE: Looks like the server is still active, but my ISP has blocked DNS traffic to it, to fix the problem.
Also?  I hate the bastards that do these things.  I hate every last one of the little rat bastards!

UPDATE/FOLLOW-UP: So, it seems like a lot of people have been effected by this problem!
Check the comments for what other folks did and tools they might suggest to help with the problem.  Frankly, I wish I’d had known about those tools when I started my day!  Yes, I was *totally* wrong when I said it looked like it was coming in from outside the routers.  It was, in fact, *several* PCs that were infected with whatever it was.  I found it, much like at least one commenter, by checking the results of “ipconfig /all” in a command prompt.  I noticed that the DHCP server listed in the config was NOT my actual DHCP server!  So, as I went from machine to machine, I saw several PCs that kept coming up as DHCP servers.  I used Malware Bytes to scan the infected PCs and it seemed to clean them off.  At least, for now.  I’m not sure what I’ll find in the morning.
Apparently, Friday, when it looked like the problem was getting cleaned up, it was really just people shutting their workstations down early for the long weekend.
In any case, as at least one commenter has mentioned, it looks like updates for the various scanners should be coming out this week, so keep updating your antivirus and antispyware programs and scan your networks!  Well, scan them more completely and carefully than you already have.
And, as always, if you have any new information or suggestions for tools to clear up the issue, please, leave them in the comments!