Code Notes Archives

January 25, 2003

Update all your operating systems (again, still) - Jan 25, 2003

There are lots of bleary-eyed network admins out here this morning. It looks like another* MS SQL Server vulnerability is being exploited out there. We know of at least one server that was driving 80Mb/s to the Internet.

All this can be avoided by patching your operating systems correctly. Most users can go to their Internet Explorer browser (the big blue "e" on your Start menu) and, on the Tools menu, choose Windows Update. Follow the instructions. For whatever other beefs one might have with Microsoft, they do their critical update service very well. It's free, and it could save you thousands of dollars.

http://update.microsoft.com

If you run Linux or some other operating system, please consult your manufacturer's update pages, or install a program that automatically downloads the required software.

RedHat Linux
Apple
SGI (Irix)

* Symantec reports that this activity is related to vulnerabilities discovered in 2002, and at the time this is posted the incident has not yet been published at NIPC, CERT or similar sites.

February 4, 2003

How often should I be doing this? - Feb 4, 2003

Recently a client who had just had a server compromised by the SQL Slammer worm told us he had "applied the patch this summer." By some accounts, this should have protected him. But it got us thinking about lies, damned lies and statistics again. How often should we tell our clients that their systems should be updated? And what's it going to cost?

(Figure: bar graph of the number of updates, RedHat vs. Microsoft)

The graph above represents (in a crude fashion) the number of security advisories released by our two primary operating system vendors over the past few years. That could provide a point of departure, and don't worry, this isn't an OS crusade. We think the manufacturers do a fine job of supplying the patches. Problems occur when patches aren't applied correctly or, more frequently, when they aren't applied in time.

Last year RedHat released 293 security or bug advisories. Not all of these are security related; a lot of the advisories were for bugs unrelated to security. But that's around one per work day. The potential cost impact ranges from almost none, to review an advisory for software you don't use, to the hour or so that a kernel upgrade will typically involve; kernel upgrades occur about three times a year. It works out to about 51 hours a year.

Or, you can look at it from the other side of the coin. Some Windows boxes were disabled by Code Red and NIMDA in 2001, and more recently we noticed large disruptions on the Internet because of the SLAMMER worm, which affected (and was spread by) unpatched Microsoft SQL Servers. These disruptions to business cost the global economy heavily. The cost can be measured in the price of recovering from the intrusions and getting running again, the business lost while operations are disrupted, and sometimes actually losing customer confidence. On the web, if they don't have confidence in you, they have a choice.

Some figures place the costs of Code Red at 2.6 billion dollars worldwide. While 2.6 billion is a rather abstract number, the more recent SLAMMER worm caused outages in Bank of America Corp's ATM network, a direct effect that most Americans can probably relate to. In addition to banking networks, other networks one would expect to be isolated from Internet attack were affected. In an extreme instance showing the potential global nature of this issue, China Telecom, a nationwide phone company, shut down all international calls for the weekend, with only limited service being restored.

JSW4.NET offers a service for a nominal monthly fee to keep your business servers up to date if you have a dedicated Internet connection with secure remote access.

March 3, 2003

Attaching External Style Sheets - Mar 3, 2003

CSS2 is the current standard for allowing authors to specify style information in web documents. CSS contains information about the size, placement, color and other visual aspects of HTML entities. The current CSS specification is CSS2, which is a superset of CSS1 and allows designers to specify style for various media, such as print.

One of the first things you will find about CSS styles is that they can be defined in a number of places. By specifying styles via an external file, designers can use one or several sheets across a whole site. Minor site-wide design changes are then greatly simplified by making the changes in a single file, or stylesheet. The following are the two methods of "attaching" a stylesheet file named mystyle.css:

or

I provide some more examples of multiple style sheets being imported below, but before you flip over to that, I should give you the official links to HTML, XHTML and CSS, because those are the standards I write about and (try to) design to. The official standards body for these languages is the W3 Consortium - w3c.org.

In either case, a link or an import via the style element, the type attribute specifies the language of the style sheet. It is always "text/css", although it could be some other language in the future without breaking the modular nature of web documents. (Of course CSS works for pure XML too, so it's unlikely to be unseated.)

When using the "rel" attribute in a link tag, an author can also specify an alternative style sheet by setting the value of that attribute to "alternate", which should force a choice on users. I tested this for the article you're reading and IE 6.0 does not seem to support this part of the standard. So, for cross-browser compatibility we usually use the @import method to specify more than one style sheet. (I always wondered why we did it that way.)

The idea of defining styles in an external sheet could be further modularized by grouping certain kinds of styles, such as table formatting, into individual files. Using the import method, this is accomplished as follows:

Whether you choose to write your pages utilizing multiple sheets or only a single style sheet, sites that are written to standards will survive the test of time better than those that are written to the "anything that looks right is OK" standard. Those sites seem to break almost every time the powers that be release a new browser. With the exception noted above, it's my recent experience that browsers become more and more standards compliant with every successive release.


March 4, 2003

Sendmail Vulnerability - Mar 4, 2003

I really hope to get some more articles about web development posted soon, but so much time is spent keeping up to date on systems and servers that sometimes the articles get put on the back burner. Anyway, all systems administrators should be aware by now that as of yesterday morning their Sendmail-based mail servers were vulnerable. This is a pretty serious exploit which would give the attacker total control over the server. Sendmail is software that is bundled with almost all Unix and Linux operating systems. Some estimates place Sendmail on 72% of all Internet mail servers.

Internet Security Systems Inc. is the company that discovered the vulnerability and has helped coordinate the response.

This information was released yesterday:

http://www.sans.org/webcasts/030303.php (A free archive of the webcast is available; sign-up is required. It's pretty cool if you want to hear the guys who discovered and developed fixes for these security issues. Bonus information about hardening your mail server is included.)

http://www.nipc.gov specifically http://www.nipc.gov/warnings/advisories/2003.htm

Sendmail has both an Open Source, free product and a commercial product.

What's up with that?

Interestingly enough, as of this posting the Department of Homeland Security has not recognized this as a threat. This is presumably more about getting the information posted than an actual shortcoming in their threat assessment process. We searched the site for 'sendmail' and 'Sendmail'. All the operating system vendors we checked had updates or patches available on their web sites.

March 12, 2003

Sweet Trick - Mar 12, 2003

I was checking out the Hiveware site today, and they have an interesting solution to the problem of putting email links on web pages. In the early days of the web, this was one of the first ways in which we used to explain the inherent difference of the medium to prospective clients: it allowed for simple and direct feedback from users (potential clients from anywhere in the world) 24 hours a day, 365 days a year. GREAT!

Then someone wrote a program to parse email addresses out of any web page, and set that spider loose on the net harvesting unsuspecting addresses off the new entrepreneurs' sites. SPAM is a real problem, but that feedback mechanism is critical to providing an additional channel for customer service.

Hiveware uses JavaScript in their free product "Enkoder" to scramble email addresses in order to confuse the address harvesters. It makes addresses hard for a script to harvest.

We came across this while we were reading an article about how to use Apache's mod_rewrite to block access to web servers. As Mark Pilgrim says on his site:

You will never stop all abusive behavior from all automated robots and rude programs, but you can minimize their effects and reduce the abuse to acceptable levels.

If you get over to his site, be sure to see "100", a work in progress consisting of photographs and creative writing. I guess eventually there will be 100 items there?

March 17, 2003

Not quite blank - Mar 17, 2003

(Note on 7/26/03: Below you will find a bad reference to Appendix A of the HTML 4.0 specification. This is incorrect. The reference is actually in Appendix A of the CSS 2.0 specification.)

A lot of artists fear a blank canvas. It's almost a stereotype that writers get blocked when faced with a blank page. I'm a little this way about style sheets. I typically use pretty plain HTML, without class or id attributes if possible. How many different classes of h1 can we reasonably expect users to be able to apply?

I remembered that when I was learning CSS I had found "the default" style sheet. At the end of the HTML4.0 specification, there is a typical style sheet, based on "extensive research into current UA practice." This means that all the default CSS selectors are specified there in such a way that if we don't override the values with our own style declarations, this is what is rendered. (Sort of.)

See the sample and a more complete explanation of the file in Appendix A.

April 8, 2003

Entry-level MT hacks - Apr 8, 2003

If anyone's been looking (and I know of three... a vast number, relatively speaking) over the past week or so, some changes have been happening to the style and, to a lesser degree, the layout of AdvisorBits. This is not a totally original design. I am still using Movable Type's default templates (mostly) and the stylesheet is taken more directly than you might imagine from the "Stormy" style that is supplied with Movable Type.

The big changes are how posts are selected for display on the main page, and changing the <div> with the id "links" on the right side of the page.

I write about things as I am inspired. Inspiration often comes to me when my clients ask questions or raise issues. Although I am really committed to keeping this site fresh, I do not have a firm "I will post something every day, or every week" kind of schedule.

That is one of the reasons I removed the calendar. I have also changed the "<MTEntries>" tag from the default of showing the last few days, as configured through the MT interface, to showing the last three entries without regard for the age of the posts. The code for this is in the "index template" and it looks like:

<MTEntries lastn="3">

I've also used a couple of CSS tricks to make the "links" <DIV> appear more like a navigation area. Previously I thought it looked like, well, the right-hand side of the page. I have put a border on all four sides of the area, instead of just one dotted line visually separating the primary content from the navigation. I have also used the frequently misunderstood position:relative in order to tie the navigation box visually into the whole page. It still breaks if the user agent's viewing window is too narrow. (If your browser doesn't have enough pixels, it's not my problem.) Here are the changes I made to the MT Stormy style sheet with regard to <div id="links">:

#links { position:relative; left:-80px; background:#ccc; margin:5em 0 0 0; width:160px; padding:5px; border: 1px solid #630; }

It should be noted that we're still validating.

And one day I know I'll get rid of all the warnings too. As always, your comments are welcome. Next on the list of improvements is an about page, a privacy page, and some new stuff on the navigation area.

April 9, 2003

I know, I know... - Apr 9, 2003

So, although yesterday's AdvisorBits design work looked beautiful in Explorer 6, it broke in Netscape 7 and Opera 6. The problem was that when the content div is floated left, you can't set the width on the links div. I imagine the content div is floated so that the links div can come after the content div in the code. This lets the page break gracefully, with the links at the bottom of the page, in browsers that don't understand CSS. (Like Netscape on my SGI O2.)

For those of you that don't use a modern VISUAL browser, I apologize in advance. Maybe I could put in a link that only renders in an aural browser that says "Go right to the text". I read the latest AlertBox, and I think I know what he's talking about. I'm just not sure what to do about this. (And it's more than enough of a discussion for its own post.)

By swapping the order of the divs and floating the links div right, I get much closer to what I want. In fact it was eerie, because Opera rendered more or less like I ultimately wanted it to, but Netscape and IE both gave me what I expected. I am aware that if you use a browser that doesn't understand this you'll probably get lost.

Or if you resize the browser in such a way that the fixed width of the links div... anyway, the 65% width had to go. By playing with the right margin and padding of the content I was able to get about what I expected in all three browsers. Here's how the CSS ended up:

#content {
margin-right:95px;
padding-right:95px;
padding-bottom:10px;
background:#ccc;
border-right:1px solid #333;
}

#links {
float:right;
width:150px;
background:#ccc;
margin:5em 10px 10px 10px;
padding:10px;
border: 1px solid #630;
}

Remember that I switched the order of the divs in the index.html template, and I really have to figure out a better way around that. It may validate for CSS, but it's really ugly for accessibility. But now it looks like I want it to. I'm pretty sure it will validate again with only the same warnings about inherited colors.


April 15, 2003

Linux Cheat Sheet - Apr 15, 2003

O'Reilly Network: [April 15, 2003] has a complete listing of Linux commands and example usage from agetty to znew.

If you don't use agetty I'm not surprised; it's usually called by init to set terminal parameters. And znew converts ".Z" zip files to ".gz" zip files, of course.

If I start posting more of these straightforward links with only the briefest of comments, it's because I installed "bookmarklets". Which are only kinda working, but that's another story.

April 23, 2003

Built-in Index Goodies - Apr 23, 2003

The Apache web server is arguably the coolest thing since sliced bread. On a site I maintain, we have archives of a few public mailing lists. I originally set these up to get mail out of my own inbox, and found that it was convenient to have the resources close to me on the web. Subsequently, I have added a search feature and opened it up for public access.

We keep one year's worth of messages to each mailing list. If for instance you wanted to see our MySQL list archives, you would use this URL:

http://www.jsw4.net/info/list-archives/mysql/

Apache has a default module called autoindex_module, and in general, if the server cannot find a document named index.html in a directory that is publicly accessible, it will construct a listing of the files in that directory. (Or sometimes it will tell the viewer they don't have permission to view the directory. It depends on the site-specific configuration.)

I've frequently wanted to change the order that the listing is shown in. For instance, the names in the directory above sort from oldest to newest at the bottom of the list. But users will most frequently want to see the recent entries first.

I noticed the listing is rendered with hyperlinks for column headings. To my pleasure, the interface is as you would expect (if you know that at least one OS I use allows file lists to be sorted by clicking on the heading of such lists), and by clicking on the Name heading I was able to change the default sort order from ascending order of names to descending order. Notice the URL change that has occurred:

http://www.jsw4.net/info/list-archives/mysql/?N=D

By reading the docs, I learned that one can also change the default sort order in the Apache configuration file, by use of the IndexOrderDefault Ascending|Descending Name|Date|Size|Description configuration directive.

Hats off to the folks at Apache, again.

May 9, 2003

Swiss army search tool - May 9, 2003

Dave's Quick Search Deskbar is likely to replace my Google Toolbar as my most useful Internet information tool. The idea with both is simple: put a search box on every screen. Google does this with its Internet Explorer Google Toolbar. The downside is that the browser has to be open in order for the search tool to be accessible, and although its ability to search parts of Google is extremely strong, it searches only Google.

Dave's Toolbar sits in my Windows task bar. (So I guess it won't work for Mac or Linux.) Dave's Toolbar searches Yahoo and CPAN, two other places I look. It searches SlashDot, the Bible, Walmart On-Line and the Yellow Pages, to give you an idea of how many places it works with. It even tracks packages with UPS and FedEx, I guess.

The interface is a little tough to get used to; there is only an edit box and one menu button. That may be a matter of my taste or experience, but I wonder if the average user will understand and use all the extra features. There was a glitch unlocking my XP toolbar, but other than that it installed very easily. As an added bonus it shows the time, so I was able to recapture some screen real estate by turning off the Windows clock.

Both tools are worth having. (And to disprove the free lunch theory, they're both free.)

May 12, 2003

Reinstalling is no fun - May 12, 2003

This article describes a good basic strategy to take when you are forced by a security compromise to reinstall your servers. It hasn't happened to me in a couple of years, but Mathew Tanase struck a chord with me in "Starting from Scratch: Formatting and Reinstalling after a Security Incident" when he says:

There is a point you reach in the recovery process, after you have done a little digging, put a finger on what might have gone wrong, where you come to the proverbial "fork in the road". Every security professional or systems administrator has faced the decision at some point in his or her career: is it better to try to repair the damage, or just reinstall the system and start from scratch?

May 15, 2003

Stupid Pet Tricks #1 - May 15, 2003

Here are some useful (you figure out how useful) things one can do with the amazing Dave's Toolbar I mentioned last week:

Convert temperatures right in the edit box:

temp 70 /f
results in
70°F = 21°C 294°K 530°R

Web designers will find it particularly useful to open a browser window at a certain resolution. For instance I am writing this in the window that opened when I entered this in my toolbar:
winres 800 600 http://www.advisorbits.com

(Or a URL like that anyway...)

Here's one to generate dummy text for web page mock-ups:

lipsum 12

(If you don't want to get Dave's tool bar just to see what that one does, check this out: http://www.lipsum.com/ for a useful web designer's tool.)

Track packages:
UPS 1Z23495743892095 (*example tracking number only)
Brings up the summary package tracking information for this tracking number in a web browser window. Haven't tested all shippers, but the menu has UPS, FedEx, DHL, AirborneExpress, and the US Postal Service. (Does this mean Dave's toolbar can "Go Postal?" I'll have to do a security audit. )

While this is not the first time I have seen any of these tools, it is the first time I have seen them neatly gathered together in one place on my Windows desktop. Look for future editions of Stupid (useful?) Pet Tricks (with Dave's Toolbar) as I find other cool things it can do.

May 23, 2003

Picture Upload Program - May 23, 2003

As most technical web professionals know, read any CGI programming newsgroup, mailing list, or web-based forum long enough and someone will ask a question about uploading files to the server via a form in the user's browser. It's something we all have to do for clients from time to time, and as an administrator, I can tell you it does represent a security exposure.

One should be careful how they accomplish this, pay attention to authentication and authorization, and be careful what is done with the uploaded files until it is known what they are.

Over the years, I have used a variety of CGI programs that have accomplished this for me, and those of you who use perl and use CGI(.pm) will be glad to know that this is supported.

This article is not about programming or even the perl way to accomplish this specific task. This post is to point out a php program for posting photo's to the web in a photo album format. There are tons of other programs that do this, in a variety of languages presumably larger than the two I have mentioned.

But I used Gallery, and you can see the example here. What is useful to some of my clients is the ability to upload binary image files right in a browser, without needing to use FTP. It is limited in the kinds of files that can be uploaded; only pictures are allowed, for safety.
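The two cautions above, "be careful what is done with the uploaded files until it is known what they are" and "only pictures are allowed", come down to a couple of checks on the server side. As an added example, not code from this post or from Gallery, here is that logic in plain shell: it decides whether an uploaded file is an image from the file's first bytes rather than from its name or the Content-Type the browser claimed, sanitizes the client-supplied file name before it touches the file system, and moves the file into the album directory only when both checks pass. The function names, the album directory and the set of accepted formats are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original post or of Gallery): accept an
# uploaded file into an album directory only if its content is really an image.
# Pure POSIX sh; the only external tools are od(1), sed(1), mv(1) and chmod(1).

# magic_hex FILE NBYTES -> the first NBYTES of FILE as lowercase hex, no spaces
magic_hex() {
    od -A n -t x1 -N "$2" "$1" 2>/dev/null | tr -d ' \n'
}

# is_image_file FILE -> exit 0 if the content starts with a PNG, JPEG or GIF
# signature, 1 otherwise.  The file name and its extension are ignored on
# purpose: "photo.jpg" containing a script is exactly the case we want to catch.
is_image_file() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(magic_hex "$f" 8)" in
        89504e470d0a1a0a)            return 0 ;;  # \x89PNG\r\n\x1a\n
        ffd8ff*)                     return 0 ;;  # JPEG start-of-image marker
        474946383761*|474946383961*) return 0 ;;  # GIF87a / GIF89a
    esac
    return 1
}

# safe_name NAME -> a bare file name with every character outside
# [A-Za-z0-9._-] replaced by '_' and leading dots removed, so a client-chosen
# name cannot point outside the album directory or create a hidden file.
safe_name() {
    n=${1##*/}                                   # drop any directory part
    n=$(printf '%s' "$n" | sed 's/[^A-Za-z0-9._-]/_/g; s/^\.*//')
    [ -n "$n" ] || n="upload"                    # never return an empty name
    printf '%s\n' "$n"
}

# accept_upload SRC DESTDIR [CLIENT_NAME] -> moves SRC into DESTDIR under a
# sanitized name and prints the final path, or rejects it with exit status 1.
# SRC is the temporary file the web server wrote; it never lives under the
# document root until this check has passed.
accept_upload() {
    src="$1" dest="$2"
    if ! is_image_file "$src"; then
        echo "rejected: $src is not a recognised image" >&2
        return 1
    fi
    target="$dest/$(safe_name "${3:-$src}")"
    mv -- "$src" "$target" && chmod 0644 "$target" && printf '%s\n' "$target"
}
```

The point of checking magic bytes rather than the extension is that the browser (and the attacker) controls both the file name and the declared type; only the bytes on disk are under the server's control. The accepted set is deliberately a short allowlist, which is the same stance Gallery takes by permitting pictures only.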

June 11, 2003

Configuring CPAN - Jun 11, 2003

The Comprehensive Perl Archive Network (CPAN) is a freely available collection of reusable perl code building blocks. What this means to webmasters is that a number of prewritten scripts are available to use to build the scripts you need without having to write every last line of code yourself. (If you don't even know what perl is, stop reading this and go find out.)

CPAN is also the name of a perl module you can download from the archive. Usually when you first set up perl, you will also set up the CPAN module, and subsequently you can use that module to download other modules from the archive.

To start CPAN in interactive mode from the command line you type:


perl -MCPAN -e shell


The first time you enter the CPAN shell you will be asked a series of configuration questions: the location of various programs on your computer, and then you are presented with a list of mirror sites from which you can choose the one(s) nearest to you.

Once you have configured CPAN you can see your configuration by typing :


o conf


This will show you all the current settings for CPAN, and if you ever need to reconfigure the initial values you set, you can do:


o conf init


There are a whole series of configuration variables you can set, and the one that got me thinking about this article is the history file. For some time the CPAN shell has had readline capabilities, which means that you can get a history of the commands you have used in a session. (Among other things that this means.)

However, the last time I upgraded CPAN, when I exited it told me that I had not specified a history file so none was written. This made me think about reading the man pages ('man CPAN', not 'man cpan') to see what other variables are in the configuration.


o conf histfile ~/.cpan/histfilename
o conf histsize 200
o conf commit


This specifies that I want a file named histfilename to be created and kept to 200 lines, and the final command writes the new settings to the CPAN configuration file. Now when I exit from CPAN and come back in, I can use command-line history to see what commands I executed the last time I used the interface.

July 15, 2003

More on Shrike - Jul 15, 2003

So I finally got around to an install of RH9. There was a glitch at the end of the first disk and the install died. When I rebooted, I had enough of an install complete that it booted and most services started. I had half a mind to see what would happen if I launched KDE.

Fortunately it was the half that doesn't stay focused on one thing for long, and I rebooted to the installation.

The install started again, but once I made all the basic selections (keyboard, mouse, time zone, etc) and the package selection (um, just upgrade whatever you recognize and leave the rest alone) I was able to upgrade the only redhat installation left on my hard disk, the one that just failed.

And it worked. The install skipped to where it died, installed the rest of the RPMS and everything came back fine.

Except Apache. Sometime between 7.2 and 9 RedHat updated the world's most popular web server from 1.3.27 to 2.0.40 and that played hell with the mod_perl application I am working on here. I got Apache upgraded and running and then it turns out my handler needs upgrading too.

For most users this shouldn't present as much of an issue, as I think relatively few people write their own mod_perl handlers. And those that do are probably more aware of these kinds of changes than I was.

July 27, 2003

In case you were on Mars... - Jul 27, 2003

This week both Cisco and Microsoft announced what amount to network-crippling vulnerabilities, and the availability of fixes for them. You should have reviewed all your Cisco devices running IOS to apply a workaround or to update the IOS image on your routers, switches and other Cisco gear. If you have an outside vendor who is responsible for performing this work, you should contact them to make sure your network has been protected.

Most Windows machines have a feature called "Automatic Update", which shows a little globe icon by the clock on your desktop when your machine needs updates. This week the globe was there a lot.

If you're still running impending demise of 98.)

The vendors have released the fix, and both of them have home page links to articles and information about the issues. I have written about this before, and I will again.

You've been warned.

The Cisco advisory can be found at their web site, and has been updated several times.

The Microsoft Advisory has been updated at the security site, and the original advisory can be found from the update page.

I noticed that Microsoft thanks LSD, the security professionals who informed them of the issue and helped to develop the fix.

(Note on Aug 4: Since I wrote this Microsoft has sent two different mailings to me urging me to apply this update. I think they are trying really hard to get the word out. Maybe there's a message in this fact.)

August 29, 2003

Tarpits - Aug 29, 2003

As of version 1.2.7a the netfilter firewall tool iptables has had a built-in target called TARPIT, but the first I had heard of it was the other day on Security Focus, in an article by Tony Bautts. The TARPIT target is an offshoot of the LaBrea project. LaBrea is the brainchild of Tom Liston, and you can read about it at HackBusters.net and at its new official site at Sourceforge.net. What the TARPIT target does is slow the spread of infection, presumably so we have more time to react to outbreaks.

The idea is that when an offending scan comes in we accept the connection and then set it up in such a way that the attacker can't close the connection for 12 to 24 minutes.

We know that the msblaster.exe attack was targeting port 135 to spread. So on interfaces and addresses where we don't expect port 135 traffic we accept the traffic and hang the attacking computer up.

The iptables command would look something like:

iptables -A INPUT -p tcp --dport 135 -j TARPIT

If you run RedHat you'll need to pick up an updated iptables rpm over at gnumonks (www.gnumonks.org), and while you're there, you may want to check out the matching ulogd rpm for packet logging features.

Please don't deploy this in a production environment until you have tested it out first. This could cause some big problems for you if you accidentally misconfigure it. You've been warned, now have fun in the tarpits.
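As an added example, not from the original post nor from the LaBrea or netfilter projects, the following shell function builds the rule above in a form that is easier to review before it goes anywhere near production: it confines the rule to one interface (the text's "interfaces and addresses where we don't expect port 135 traffic"), puts a rate-limited LOG rule in front of the TARPIT so the people responding to the outbreak can actually see the scans, and defaults to a dry run that only prints the iptables commands. The interface name eth0, the IPT variable and the log prefix are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a small, reviewable
# TARPIT rule set for a port this interface should never serve.
# IPT defaults to 'echo', so the rules are printed rather than loaded.  Run
# with IPT=iptables as root, on a kernel carrying the TARPIT patch, to apply.
IPT=${IPT:-echo}

# tarpit_rules IFACE PORT [LOG_PREFIX] -> emits (or applies) two INPUT rules:
# a throttled LOG of new connection attempts, then the TARPIT itself.
tarpit_rules() {
    iface="$1" port="$2" prefix="${3:-TARPIT-$2}"
    # Refuse anything that is not a plausible TCP port before touching the firewall.
    case "$port" in
        ''|*[!0-9]*) echo "tarpit_rules: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "tarpit_rules: port $port out of range" >&2
        return 1
    fi
    # 1) Log new connections, rate limited so a worm cannot flood syslog.
    $IPT -A INPUT -i "$iface" -p tcp --syn --dport "$port" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix "
    # 2) Hold the attacker's connection open instead of refusing it.
    $IPT -A INPUT -i "$iface" -p tcp --dport "$port" -j TARPIT
}

# Dry run for the msblaster case discussed above: prints the two rules.
tarpit_rules eth0 135
```

Review the printed output first; only then re-run with IPT=iptables. Keeping the LOG rule is what turns a tarpit from a curiosity into something useful for incident response, because it tells you which internal hosts are infected and scanning.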


October 15, 2003

Better write this down - Oct 15, 2003

Every once in a while, for some reason, CPAN fails to work. I get these insane directory names and the whole install fails. I was installing Crypt::OpenPGP, which is written by Ben Trott, the same guy who writes Movable Type (the software used to publish Advisor Bits), and this happened to me.

Hey Ben, that's a lot of prerequisites!

I had to install Digest-MD2 the old way in order to get the OpenPGP to work. It took me long enough to remember that I thought it was worth writing here so I can look it up in the future. (Good use #107 for Advisor Bits!)


Here are the generic instructions for installing Perl modules when CPAN is fussed up, for those of you lucky enough to have always used CPAN:

1) Download the file:

wget ftp://ftp.someserver.com/some/long/path/To/YourModule-1.01.tar.gz

2) unpack the stuff

tar -xvzf YourModule-1.01.tar.gz

3) change into the directory

cd YourModule-1.01/

4) Configure the module for compilation and installation

perl Makefile.PL

If you need to install anything first, you will find out now.

5) Make the module and test it before installation

make
make test

6) Install the module if everything worked to this point

make install

7) You're done.
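The same six steps as one shell function, added here as an example (not from the original post): it downloads into a scratch directory rather than wherever you happen to be standing, stops at the first step that fails, and never runs make install unless make test passed. The URL and module name are the placeholders used above, not a real distribution.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-6 above as one function
# with explicit error handling.  The URL below is a placeholder.

# dist_dir NAME.tar.gz -> the directory the tarball unpacks into.
# Works on a bare file name or a full URL (Foo-Bar-1.01.tar.gz -> Foo-Bar-1.01).
dist_dir() {
    n=${1##*/}                     # strip any path or URL prefix
    printf '%s\n' "${n%.tar.gz}"   # strip the .tar.gz suffix
}

# install_perl_module URL -> download, unpack, configure, build, test, install.
# Each step is chained with && so a failure anywhere aborts before 'make install'.
install_perl_module() {
    url="$1"
    tarball=${url##*/}
    case "$tarball" in
        *.tar.gz) ;;
        *) echo "expected a .tar.gz distribution, got: $tarball" >&2; return 1 ;;
    esac
    work=$(mktemp -d) || return 1
    if (
        cd "$work" &&
        wget -q "$url" &&                    # 1) download the file
        tar -xzf "$tarball" &&               # 2) unpack it
        cd "$(dist_dir "$tarball")" &&       # 3) change into the directory
        perl Makefile.PL &&                  # 4) configure; missing prerequisites show up here
        make &&                              # 5) build ...
        make test &&                         #    ... and test before touching the system
        make install                         # 6) install only if everything above passed
    ); then
        status=0
    else
        status=$?
        echo "install of $tarball failed; nothing was installed" >&2
    fi
    rm -rf "$work"                           # 7) done; the scratch directory goes away
    return $status
}

# Usage, as a user allowed to write to perl's library directory (typically root):
#   install_perl_module ftp://ftp.someserver.com/some/long/path/To/YourModule-1.01.tar.gz
```

Running the build in a throw-away directory also means a tarball that unpacks into an unexpected directory name (the "insane directory names" mentioned above) fails at step 3 instead of leaving debris next to your other work.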

November 2, 2003

CSS only rollover - Nov 2, 2003

In the continuing quest for standards compliance and clean code, a "rollover" that doesn't require client-side JavaScript is not only as cool as the cat's pajamas, but it does some things a lot better too.

For instance, Dreamweaver has been known to miss the "OnMouseOver" images when moving files and adjusting links. (Forget about using wget, it does not interpret JavaScript so it never gets all the images.)

This idea is lifted straight from the master, Eric Meyer. He has a complete explanation of the technique at the O'Reilly Network.

Internet Explorer (version 6 point whatever is current today) kind of flashes the images when changing them a bit, but the effect is not too bad. Opera 7 handles the hover event smoothly. You can see my sketch of this idea at http://www.chathamselfstorage.com/rates.html

January 3, 2004

Sneak Preview this Weekend - Jan 3, 2004

I am putting the finishing touches on the JSW4.NET main company site. This is only the third redesign of the JSW4.NET site since it was founded in 1999. There are a few things to polish up and the form script still has to be written. Undoubtedly, I need to run the spelling checker on several pages that I missed.

The CSS on this site is designed very carefully so that the main body of the text is always at the top of the page (code-wise), and special care has been taken to make the CSS nice for print media. I changed the visibility attribute of the element that has all the navigation stuff to "hidden", and although that caused it to not print, the space that would have been taken by the element usually caused an extra page to print.


The solution was to change the display attribute to "none". I was more familiar with the use of the display attribute to control whether an element was inline or a block; it can also be set to several other values.

January 9, 2004

Watching the master at work - Jan 9, 2004

There are a lot of Linux Engineers out there with more experience than me. I always read their posts when I get in trouble, and some times it helps me out. I was really close last night when one of the few guys I actually know who certifiably "Knows his sh*t waaay better than me" showed up.

My problem was I had half of a mirror set (Linux software RAID1) and the other half had gone south during a reboot. The half I had wouldn't boot. Murphy's law explicitly states that when I have part of a mirror set fail, the bootstrap will never be on the drive that survives. Murphy is one of the reasons I was surprised to see Dan L.

Given that I now have a reconstructed and booted system, I thought I would record the steps I took, so that if someone else encounters the same situation it may be of use to them.

The box all this was set up on is an entry-level Intel server board, with integrated IDE controller and dual 80GB IDE drives. The RAID was set up as part of the installation process of RedHat 7.3, and I use GRUB as the bootloader.

To repair the RAID, I was using a RedHat install disk and booting to Linux Rescue. You can get a tiny Linux booted up to mount partitions and try to fix systems using this option. Debian has something like this too on their install CD.

I managed to partition the new drive exactly the same as the old drive. I should also mention that when the drive failed I initially tried some totally desperate switching of slave to master and cable swapping to get the other good drive to boot. No dice. Somehow at the end of this whole story when I finally booted and got everything running, it was OK that the drive on the second IDE channel had migrated to the primary IDE channel, and that the jumper setting had been changed. I really have to like an OS that can stand up to my hardware skills.

Once Dan became involved things started to come together. The first thing he noted was that none of the partitions were marked as bootable. Using fdisk, he made the partition which contained the kernel images (i.e. /boot) bootable. I am going to have to do more reading about this bootable partition thing; I have not used this in the past. On the other hand one of my most stable boxes has the swap partition on each drive marked as bootable. Making the /boot partition bootable makes a lot more sense to me. YMMV, this is a whole other topic.

In RH73 fdisk the option to mark a partition as bootable is "a". I am told I should look into cfdisk; in fact the man page for fdisk says to choose cfdisk over fdisk.

Once the disk was set up, he mounted the root partition from the drive that was good, and performed a chroot to the temporarily mounted root partition. This enabled him to edit the raidtab to mark the new disk as "failed" so that once the operating system saw it the kernel wouldn't accidentally reconstruct the wrong (i.e., blank) half of the mirror. That looks something like this for each md device:

raiddev /dev/md0
raid-level 1
nr-raid-disks 2
chunk-size 64k
persistent-superblock 1
nr-spare-disks 0
device /dev/hda2
raid-disk 0
device /dev/hdd2
raid-disk 1
failed-disk 1

Dan also suggested we disconnect the new drive to be doubly sure there were no accidental reconstructions. Good plan.

Since I use GRUB, it is already installed. One of the very cool things about GRUB is that it has a tiny shell which allows you to set up the boot environment and also to install the bootloader. Once you're in the shell you can tell grub to install a bootstrap using a command something like this, where "hd0" is the master drive on the primary IDE channel:

grub> install (hd0)

And sure enough, the darn thing booted to grub and from there the system came up. The RAID barely complained about running in degraded mode because of the drive that we had disconnected and marked failed in the raidtab. It came up again when we reconnected the device too. Dan was hungry and I was tired, so we decided to call it a night after the box came up and the services were all running again.

Besides which, I couldn't very well ask him for the help I needed to figure out how to reconstruct the arrays after everything else he had done. Fortunately the NEW documentation for NEW raidtools (2.4 kernel and above) is very good and it worked.

To reconstruct the array use the raidhotadd command:

raidhotadd /dev/md0 /dev/hdd2

It doesn't look like anything is happening, but you can check your /proc/mdstat to see what's going on. Array reconstruction took a few minutes for small partitions and more than an hour for a 60GB partition. Reconstruction occurs in the background, so load on the server may affect this time. The drives can remain mounted and active while reconstruction occurs.

[root@cp root]# cat /proc/mdstat
Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 hdd9[0] hda9[1]
104320 blocks [2/2] [UU]
md6 : active raid1 hdd8[0] hda8[1]
66565184 blocks [2/2] [UU]
md3 : active raid1 hdd7[0] hda7[1]
3076352 blocks [2/2] [UU]
md1 : active raid1 hdd6[0] hda6[1]
513984 blocks [2/2] [UU]
md5 : active raid1 hdd5[0] hda5[1]
6144704 blocks [2/2] [UU]
md4 : active raid1 hdd3[0] hda3[1]
104320 blocks [2/2] [UU]
md0 : active raid1 hdd2[0] hda2[1]
722816 blocks [2/2] [UU]
unused devices: <none>

I think since I manually marked the disk failed I am going to have to manually remove the failed entry from the raidtab, but I am going to deal with that when I am on-site.

I have been in this same situation three times in 5 years, and this is the first time I actually got reconstructed arrays working cleanly. I don't really want to confess to the lengths I have gone to in order to fix this issue, but I guess I already have.
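As an added example (mine, not part of the original post and not any project's code), here is a small POSIX shell script that turns the /proc/mdstat check from the steps above into something that can run from cron: it reports every array whose member map shows a missing disk (a "_" where a "U" should be) and the progress of any reconstruction in flight. It assumes the mdstat layout of the listing above; the sample file is constructed to show one healthy array, one rebuilding after a hot add, and one still running on a single disk.

```shell
#!/bin/sh
# Added example, not code from the original post: inspect a file in the
# /proc/mdstat format for degraded RAID1 arrays and rebuild progress.
# A status line such as "104320 blocks [2/2] [UU]" ends with a member map;
# a "_" in the map means that slot of the mirror is missing.

# Print the name of every array whose member map contains "_".
# Usage: degraded_arrays /proc/mdstat
degraded_arrays() {
    awk '
        /^md[0-9]+ *:/ { name = $1 }        # remember the array on this line
        /blocks/ && /\[[U_]+\]/ {           # its status line carries the map
            if ($NF ~ /_/) print name
        }
    ' "$1"
}

# Print "mdN percent" for each array with a resync or recovery running
# (the progress line the kernel shows while a raidhotadd reconstruction
# is working in the background).
rebuild_progress() {
    awk '
        /^md[0-9]+ *:/ { name = $1 }
        /(resync|recovery) *=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) { print name, $i; break }
        }
    ' "$1"
}

# Constructed sample in the format of the post's listing: md6 is healthy,
# md3 is rebuilding after a hot add, md0 is still running on one disk.
SAMPLE_MDSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_MDSTAT"' EXIT
cat > "$SAMPLE_MDSTAT" <<'EOF'
Personalities : [raid1]
read_ahead 1024 sectors
md6 : active raid1 hdd8[0] hda8[1]
      66565184 blocks [2/2] [UU]
md3 : active raid1 hdd7[2] hda7[1]
      3076352 blocks [2/1] [_U]
      [==>..................]  recovery = 12.5% (384544/3076352) finish=1.2min speed=38454K/sec
md0 : active raid1 hda2[1]
      722816 blocks [2/1] [_U]
unused devices: <none>
EOF

# Stand-alone run: report on the sample (point both at /proc/mdstat on a real host).
echo "degraded: $(degraded_arrays "$SAMPLE_MDSTAT" | tr '\n' ' ')"
echo "rebuilding: $(rebuild_progress "$SAMPLE_MDSTAT")"
```

On a live host, a non-empty result from degraded_arrays /proc/mdstat is the signal that a mirror is quietly running on one disk, which is exactly the condition the post describes the kernel tolerating without much complaint; a rebuilding array shows up in both reports until the recovery finishes.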

January 16, 2004

Common Gateway Interface (CGI) - Jan 16, 2004

What is CGI-BIN?

It's a term that gets thrown about all the time in "web circles". CGI, CGI-BIN and Common Gateway Interface all generally refer to an environment where users "run" a program on a server, using a web browser on a client computer to submit input. The program may store the data or look up information based on the data; the possibilities are being expanded all the time. Whatever the program does with the input data, it typically also returns some information or confirmation (output) to the user's browser.

CGI-BIN is usually a directory on a server that is set up with special permissions. These permissions include allowing Internet users to run, or execute, the programs. On some web servers, any file with the extension ".cgi" can run without regard to what directory the script file is located in.
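As an added example (mine, not the post's and not any web server's own code), here is a minimal CGI program in POSIX sh that shows the three pieces the paragraphs above describe: the server hands the browser's input to the program in the QUERY_STRING environment variable, the program decodes it, and it writes headers plus a body back for the browser. The parameter name "name" and the greeting are assumed for illustration. The point worth noticing is that the untrusted input is taken apart with parameter expansion and printf alone (never eval, never a second shell) and is HTML-escaped before it goes back out, since a CGI program runs with the web server's permissions and echoes user input by design.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal CGI program.
# The web server passes the browser's input in QUERY_STRING (for GET) and
# reads the response, headers then a blank line then the body, from stdout.

# Decode one URL-encoded value: '+' becomes a space and %XX becomes the
# byte XX. Only parameter expansion and printf touch the untrusted input;
# it is never passed to eval or to another shell. (A %0A, decoded to a
# newline, is dropped by the command substitution; fine for a form field.)
urldecode() {
    s=$(printf '%s' "$1" | tr '+' ' ')
    out=''
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}
                out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
                s=${s#???} ;;
            *)
                out="$out${s%"${s#?}"}"
                s=${s#?} ;;
        esac
    done
    printf '%s' "$out"
}

# Print the decoded value of parameter $2 from query string $1, e.g.
# query_param 'name=J%20Smith&size=10x10' size -> 10x10. Returns 1 if absent.
query_param() {
    rest=$1
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        case $pair in
            "$2="*) urldecode "${pair#*=}"; return 0 ;;
        esac
        [ "$rest" = "$pair" ] && break     # no more '&' separators
        rest=${rest#*&}
    done
    return 1
}

# Escape a value for inclusion in HTML so the browser shows it rather
# than interpreting it.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Only produce a response when a web server invoked us (it sets
# GATEWAY_INTERFACE); otherwise the functions above can be used on their own.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    name=$(query_param "${QUERY_STRING:-}" name) || name='(none given)'
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><body><p>Hello, %s.</p></body></html>\n' "$(html_escape "$name")"
fi
```

Placed in cgi-bin with execute permission, a request for the script with ?name=J%20Smith appended returns a page greeting "J Smith"; a request carrying markup in the value gets it back as text, not as tags.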

The University of Kansas Academic Computing Center has a fairly detailed description of CGI and HTML forms.

There is a CGI standard defined here. NCSA was the first widely available web server, and so in the early days of the Internet, other web server software such as Netscape conformed more or less to these standards.

That document is also mentioned on the W3C site's own comprehensive listing of information related to the various technical implementations of CGI, the Common Gateway Interface.

March 30, 2004

GIMP turns 2.0 - Mar 30, 2004

The GNU Image Manipulation Program (GIMP) version 2.0 was released on the 23rd of this month. The GIMP is a freely distributed OpenSource program that does exactly what its title says. It is most frequently compared to the commercial program, PhotoShop, which is made by Adobe.

The GIMP is available in a number of languages and for a variety of platforms, including Windows, OSX and Linux. If you want to get a copy for yourself, follow the links on the GIMP for Windows page.

April 8, 2004

Apparently hell has frozen over - Apr 8, 2004

A friend of mine who is an editor by profession called me this morning to ask what a DS1 is. She also mentioned an article on eWeek that tipped us to this:
http://sourceforge.net/projects/wix/ is Microsoft's first open source project. (No kidding.)

The author, Steven Vaughan-Nichols, sees it as a page from the Evil Empire's playbook described in the Halloween documents.

April 10, 2004

The envelope please - Apr 10, 2004

One of the issues that will have to be overcome before Linux can become the desktop Operating System of choice is the real and perceived lack of applications. There are simply more applications out there for Windows. That is why it is a "real" lack.

Advocates such as the Open Source Directory would like to overcome this somewhat unfounded perception. They publish a comprehensive listing of Open Source software that is available, and not just for Linux. As mentioned here in AdvisorBits, there is Open Source software in the Windows world too. This "Editors Choice Awards of 2003" article is a bit old, but when I found it, it made me look at a few applications I hadn't known about. (I am also proud to be a user of many of the applications mentioned, including Movable Type.)

I was confused at first, because I am also familiar with the http://dmoz.org/ Open Directory Project. These sites do not seem to be directly related.

One software project that caught my eye was the Open Office project. I am going to start evaluating Open Office as an alternative to many components of MS Office. It's time to upgrade my business PCs, and cost is a factor. The evaluation will center on interoperability with MS-Office 2000 files, and usability. How much training will be required to make the transition? We'll find out and let you know.

June 18, 2004

There ought to be a law - Jun 18, 2004

Today's Internet Storm Center Handler's Diary tells a story that would be funny if I didn't know it to be sadly true in many cases. See "Mailbag: How to tell your consultant is a fraud."

August 5, 2004

Thanks, Mark - Aug 5, 2004

I confess, my first PC was a MacPlus. (The original MacPlus if you're old enough to know there was more than one model year.) So I have always been in essence a drag and drop guy. Over the years I picked up a little DOS, and now I use a lot of Linux. I work on a command prompt more than almost everyone I know.

The real truth is that the GUI background has softened me and made me pretty much a poser compared to the guys who really know how to use a *NIX shell. I learn what I need because I look things up and for some unknown reason I understand man pages. (And computer software manuals, and I know how to Google.)

I was looking for some syntax examples so I could reboot rk Sobels' new book, which also just happens to have the answer to all the even-numbered questions in the book. It even conveniently included an example that had everything but the exact time I wanted.

So here's how it looks:


[root@colin root]# at 0600 tomorrow
warning: commands will be executed using (in order) a) $SHELL b) login shell c) /bin/sh
at> shutdown -r now
at> <EOT>
job 1 at 2004-08-06 06:00
[root@colin root]#


If you want to see what that will setup (not for the weak of heart) you could do:

[root@colin root]# at -c 1


A note: the <EOT> is caused by typing a Ctrl-d, and the number "1" in the second command is whatever job number you wish to see listed.

August 15, 2004

Wireless intrusion tools - Aug 15, 2004

I've used Ethereal for some years now. This software was updated the other day; if you have an older copy you might want to update for new features. If you use Ethereal, you know that it is an Open Source network protocol analyzer that runs under Linux, Unix and Windows.

Developers and security professionals may use a protocol analyzer to capture packets on the network and look inside the traffic to troubleshoot network problems or even to look for signs of intrusions. Network Chemistry has a similar product that uses parts of Ethereal and provides additional functionality. Their "Packetizer" software, which makes use of the Open Source philosophy of cooperation, is licensed under the GNU license, and the source code is freely available. Packetizer is a protocol analyzer that is specifically designed to look at wireless LAN packets. The Packetizer is part of a larger suite of security products that Network Chemistry offers.

I thought the site and the product merit mention as an example of how a commercial organization can contribute to and benefit from the Open Source community.

If you're running wireless, for heaven's sake, please run some kind of IDS too. If you don't know about these 2 tools you should look into them and also do penetration testing on the wireless segments of your LAN.

August 27, 2004

Fun with XP SP2 and NMAP - Aug 27, 2004

Nmap Hackers: Windows XP SP2: Nmap Fix and Further Information contains a useful explanation from the author and a clearly marked rant.

Fyodor has released a version of NMAP that provides a workaround for the fact that Microsoft has removed access to RAW tcp sockets in XP Service Pack 2. He's also given a critique of Microsoft's policy which has effectively broken the useful systems and network administration software he wrote, NMAP. One of the footnotes led me to a detailed explanation of the changes posted on the Microsoft site. As I read over the list of changes at Microsoft it occurs to me that the same people who have problems with their computing networks because of misconfigured host based firewalls will probably be more than a little affected by the changes to Microsoft's strategy here.

I think that well configured and maintained XP machines in small business networks will benefit from some of the features in SP2. If you support XP hosts, be prepared for problems, and plan to spend time dealing with these issues over the next few months.

August 30, 2004

Splitting nerd hairs - Aug 30, 2004

Sometimes I write these posts and I wonder if my clients understand the stuff I write about, and sometimes I wonder if it hasn't just become one of those ranting (or rambling) nerd blogs even though I really try hard not to rant. And then, as if to cheer me up, Google points me to a whole other realm of nerdly wonder, namely Eric Smith's blog about all things SPAM.

spamblogging - A discussion of all things spam. Stopping, tracking, responding, and more.

I was looking for info on how to use SPF on Microsoft Exchange, and more general info about the feelings in the mail administrator community about whether the latest anti SPAM trend is going to fix things or not. I got a lot of good information and two great quotes from spamblogging.

Who's to say what's wrong and what is right? All I know is that SPF/Sender ID sure isn't going to stop spam, and it sure isn't going to make my life all that different. But if it can help cut back on spoofing and even reduce spamming only a bit - then I'm down with it.

And even though he over generalizes and calls RMS an Open Source talking head, I think this line by Eric Smith in a post titled "Big Surprise: RMS favors OSS over that of Microsoft", is rather amusing and almost certainly on target:

All in all, it is a bunch of nerd egos making cracking sounds as they butt into each other, trying to split hairs over things that don't necessarily even apply.

August 31, 2004

Nice looking Groupware - Aug 31, 2004

Just got back from a test drive of Dicole MimerDesk. It's a web-based groupware software project that has a nice list of useful features. It is an OSI project that I heard about on the CGI:Application list.

Dicole Groupwork and Collaborative Learning Environment

September 2, 2004

Gimp Lomo Effect - Sep 2, 2004

My friend Jesse is a genius with Photoshop. He can take just about any photo and make it look good; I oughta know because he's helped me out of a design jam a couple of times. But me, I can't afford those professional kinds of tools when my primary use will be to shrink my photos of flowers from my garden. When I mentioned the GIMP to Jesse, he kind of mumbled some things I don't quite remember as if to imply there's stuff that Photoshop can do that GIMP can't.

One of the features he likes about his tool was some ability to store procedures and repeat them. I found out there's a thing in GIMP called script-fu which is an implementation of the Scheme programming language. I don't think this ability to write our own Scheme scripts to manipulate images is much use to me or Jesse, but the ability to plug in other people's scripts sure is. I have been working through some of the tutorials at the GIMP web site and the various plug-ins are mentioned in some of the tutorials.

LOMOed shot of dog in mist

And I found out there's a script-fu to apply lomo effects. (Although the script didn't work because it was for an older version of GIMP, I found a reference to this set of instructions that allows me to create my own lomo effect: Thijs van der Vossen · Faking Lomo.) Do I like it?

Which brings me back to Jesse, because I had never heard of this until he mentioned it on his own blog at http://plasticmind.com/weblog/. Lomo is a Russian optics company that makes cameras which take pictures that have their own unique quality of color and light.

September 9, 2004

Firewalls Up Mr. Scott! - Sep 9, 2004

James Doohan, aka Chief Engineer Montgomery Scott got his star on the Hollywood walk recently in case you missed it. I haven't watched StarTrek in some time, but if I tuned in StarGenX or whatever the most recent version is, I would expect the latest Captain Whatshisname to be saying things like "Firewalls Up, Mr. Scott".

Microsoft's Number 1 of three steps to protecting your PC is Use an Internet Firewall. I don't always agree with Microsoft, but these days you really should have some kind of firewall between you and the Internet.

Firewalls come in hardware and software varieties. I tend to favor a hardware firewall for several reasons, although host based software firewalls have their advantages too.

A hardware firewall router for broadband will generally also provide several switch ports so you can also network several computers with the same piece of equipment. It's been my experience that once these are set up correctly there's less chance the average end-user will try to reconfigure it, and correspondingly less risk of leaving holes open.

Personal, or software based firewalls are nice because they are so easy to update. If an exploit is released, users these days seem to feel comfortable downloading applications and following instructions, so a software based firewall may be easier to maintain.

Ideally, end users would understand the intricacies of packet filtering and IP routing, and they could maintain a mixed environment of hardware AND software based firewalls for the extra protection this kind of layered approach offers. However in my experience, a single firewall at the perimeter of these stub networks is likely to be the most uniform and fairly foolproof way to offer an acceptable trade between usability and security.

I've just seen too many turned off host based firewalls to really trust my clients' network security to them. I've also seen installations of host based firewall software that were so restrictive that they couldn't update themselves; and VPN connections dead as a doornail.

If you have an office LAN you should talk to your consultant or integrator. They will be able to tell you what kind of firewall you have now, and if it has been reviewed and updated recently. (If you have a consultant or an integrator, and you don't have any firewall protecting your LAN from the Internet, you may have a larger problem.)

SOHO hardware firewalls start at around $50, and they're pretty small so you can even take them with you on the road. If you can get someone to configure it for you once, chances are good you'll never have to mess with it again.

In the end, whatever firewall that users will actually put up and maintain between them and the Internet is the firewall that's best.

A couple of postscript notes here:

1) Microsoft's three steps leave out a very important one too, use strong passwords.

2) Remember that wireless thingies can be hacked from a distance of 2000 feet; perimeter firewalls don't even begin to address that hole. (Why would someone break into your firewall, if they can just hack away at your wireless LAN on the other side until they get in?)

3) Firewalls actually come in more than two flavors, there also are three technical categories: packet filtering; proxy based; stateful packet inspection.

September 12, 2004

XP Service Pack 2 - Sep 12, 2004

In case there was any doubt about the advice in the article about Service Pack 2, "Fun with XP SP2 and NMAP", I think users should apply the patch if they can. (Unless of course someone else is responsible for the machine, such as a network administrator.)

Users may have heard security experts claim that XP SP2 has vulnerabilities. This may be true, but so are these facts:

1) Some of the vulnerabilities existed in previous versions of Windows XP and simply remain unaddressed.

2) Security is about layers, and this service pack implements some new layers; the net effect is a good thing.

3) A lot of the stuff the experts are speaking about is pretty esoteric stuff, requiring certain conditions to pre-exist and also requiring the user to be more or less a zombie. Larry Seltzer had a good quote about this on the BugTraq list.

Where do we draw the line on this social engineering stuff? If I send an e-mail to someone telling them to flush their iPod down the crapper does that mean the iPod is vulnerable to a toilet attack?

So, to summarize: YES, apply Service Pack 2 on Windows XP machines that you are responsible for. NO, do not flush your iPod.

Related reading: "A Feast of Egos", by Tim Mullen of Security Focus

October 13, 2004

First Post from Firefox - Oct 13, 2004

Firefox is the newest browser from Netscape's Mozilla project; get yours here. I am posting from this new browser today because all of my links and bookmarks imported fine from IE. In fact, I barely notice the difference in the way this new free browser renders my MT interface.

Mozilla is an Open Source project, so support of it at AdvisorBits should come as no surprise. Another thing I like is that Firefox claims to be more secure because it doesn't run ActiveX controls. Instinctively this appeals to me as a user, although I am also a fan of some applications where I think I will need ActiveX controls.

If Firefox is the default browser it forces the user to choose to use IE in those instances where the ActiveX controls are trusted, and so it makes the user think about security.

Users who are conscious of security are good things in my book.