March 2005 Archives

Stylin' with the Monkey

I was researching installation instructions for Movable Type, and I got a little off track. I came across this resource for "Free drop-in styles for Movable Type" over at Style Monkey.

I couldn't easily figure out the monkey's name to give the author credit. If you stop by you may want to wish them encouragement on their impending graduation from college while you grab a style sheet to use with the default Movable Type version 3 templates.

I recommend beginning MT bloggers start out with the default templates. They are a good starting point for semantic markup of entries. You can build templates from scratch as I have several times, but even on those occasions I used snips of code directly from the default templates.

Narrative definition of Social Engineering

Social Engineering is a huge threat in today's business landscape. Just like any other security exposure, before we can protect against it we have to understand the nature of the danger. Darren Miller has written an article describing one scenario in which social engineering is used to defeat external perimeter security without too much effort. Miller's article concludes with a concise and accurate definition of social engineering.

In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information.

There's more fun with social engineering at the IRS described at the Security Focus site. And they trust these guys with your social security numbers?

The real cost of software on your site

As I was noting the phpBB critical update of the week, it occurred to me that the real cost of having cool stuff like forums and guestbooks for your site's users, or content management systems in the background, is probably not so much the purchase price of the product as the cost of maintenance. Even if I am wrong about how large a portion of the total cost of ownership it represents, maintenance is still a significant component of the cost over time.

The hosting company I work for (http://www.kinetixhosting.com/) offers phpBB and several other scripts as a part of our hosting plans. It is pretty easy for customers to just turn them on and presto! They have forums on their site.

And when they wake up the next morning they check their site and it is defaced, filled with links to porno sites and heaven only knows what else. The culprit could be a feature in the software, or it could be a bug; which it is will not really matter once your web site is gone.

They could have avoided all of this by updating to the most recent version of phpBB. Ah... but there's one cost of this free software. You have to read the announcements from the vendor.

You did sign up for the announcements list, didn't you? Oh ... you can't, because they don't have mailing lists; you would have to subscribe to their forums, which were hacked along with the server they run on. If you were on their forums, you are now on spam lists. ... but that is another post. They claim the rooting (root is well defined in this PC World article from 2001) was due to a flaw in another script they didn't update.

You're starting to get the picture about updating the software on your public web site, aren't you?

After you somehow find out the software has been updated, you then have to act on the information, and that usually takes some time. You have to get the software, and you have to install and test it. If everything goes well, this can cost you less than half an hour. If you have customized your version of the software, you will have to apply the customizations to the new version, and that will take a bit longer. Your mileage may vary even more if you run into any snags; I once gave up in frustration and reinitialized some forums that had to be updated after only a couple of days online.

When you are doing a small web site project, before you use any complicated scripts you should know what return you will get on your investment. Plan for on-going maintenance; I usually look at the bugtraq list to see how many times the software is mentioned there as an indication of how frequent upgrades are likely to be. Put all of the factors together and get a realistic view of the real costs over time. Then decide if it is worth it.

bots, explained in detail

Know your Enemy: Tracking Botnets

Lance Spitzner's Honeynet project is at it again. I just noticed this paper they wrote about bots... the quote made me laugh. Of all the reasons someone would break into my machine, stealing my Diablo 2 gear is probably pretty low on the list. All the kids on BattleNet tell me my gear stinks. (They usually use a different word.)

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. Diablo 2 is an online game in which you can improve your character by collecting powerful items. The more seldom an item is, the higher is the price on eBay. A search on eBay for Diablo 2 shows that some of these items allow an attacker to make a nice profit. Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. There are documented cases where botnets were sold to spammers as spam relays: "Uncovered: Trojans as Spam Robots". You can see an example of an attacker installing software (in this case rootkits) in a captured example.

About this Archive

This page is an archive of entries from March 2005 listed from newest to oldest.

