
Posts

Showing posts from 2015

Chaos Computer Club is leaving funny notes in web server logs UPDATED

Taking care of some web development headaches this morning, I took a peek at my log data and came across an interesting message generated from a connection initiated by 151.217.0.0/16, part of the ASN 13020 that is owned by Berlin's Chaos Computer Club: 151.217.177.200 - - [30/Dec/2015:02:12:11 +0000] "DELETE your logs. Delete your installations. Wipe everything clean. Walk out into the path of cherry blossom trees and let your motherboard feel the stones. Let water run in rivulets down your casing. You know that you want something more than this, and I am here to tell you that we love you. We have something more for you. We know you're out there, beeping in the hollow server room, lights blinking, never sleeping. We know that you are ready and waiting. Join us. <3 HTTP/1.0" 400 226 "-" "masspoem4u/1.0" The good people over at /dev/random appear to have already gotten off a brief post about this oddity, noting that SANS ISC is already noti

Luke Skywalker was a Jihadi, the Empire had it right the whole time

I've been slacking on my promise to post weekly links here on my website. I'm sorry, y'all. In atonement, and also as tribute to the forthcoming Star Wars movie, I am offering up some very special links this Saturday morning. George Lucas did everything he could to manipulate the audience of Star Wars into believing that the Empire were the bad guys. He dressed them in black. He had them line up in big elaborate Leni Riefenstahl-style formations, like Nazis in space. He made the guys we were really supposed to not like ugly, on top of it. He gave Empire officers foreign accents. British accents. Anakin Skywalker started off with an American accent and only acquired a (fake) British accent when he became Darth Vader and joined the Empire. The films of George Lucas are many things, but they are not subtle. Note: Critics of this view would point out that Jedi "good guy" Obi-Wan Kenobi also had a British accent when played by both Sir Alec Guinness and Ewan M

I chatted with The Daily Dot about my IT work for nonprofits

Like most people in IT, I wear a lot of different hats. While I haven't mentioned it before on this website, I have spent the last two years working with a non-profit devoted to researching animal cruelty called the Puppycide Database Project. After a lot of work, that organization's research is starting to get noticed by the press. In the last two weeks, we've been cited by RT and the Washington Post. Yesterday, I had an interesting conversation with Amrita Khalid from The Daily Dot about the difficulties involved in compiling information about pets killed by police officers. Because most of my responsibilities with the PDB Project have involved designing and implementing the databases that store the organization's research, in addition to coding the means we use to acquire the data, I've been able to put together a unique perspective on this topic. The database I manage for PDB is currently the largest set of records compiled detailing shootings of pets in t

Stand with Paris

It's hard to believe that it's been almost 15 years since I watched a video of a second plane fly into the World Trade Center. I remember panic thinking about my family in NYC - was anyone in the city that morning? A few short years later brought the British bus attacks and another moment as I realized that the family of a close friend was commuting through London that day. Tonight the target was the city of lights and Camus and Curie and Poincaré. A city-wide series of shootings & bombings was launched in Paris that bears a troubling resemblance to the similar series of murders in Mumbai. Once again the targets are ordinary people who play no role in global politics. Concert goers. Soccer fans. I hope it is still possible to stop this type of violence. I hope it does not spark further violence or serve as an excuse to turn Paris into a DMZ. I hope that this tragedy brings out the absolute best of the French and those of us who share her values. No matter what happens, we can

An explanation of webserver logs that contain requests such as "\x16\x03\x01"

Recently I have started coming across somewhat unusual entries in the access and error logs for a few of the Apache web servers that I am responsible for maintaining. The entries look like this: 95.156.251.10 - - [03/Nov/2015:13:56:23 -0500] "\x16\x03\x02\x01o\x01" 400 226 "-" "-" Here is another example: 184.105.139.68 - - [03/Nov/2015:23:48:54 -0500] "\x16\x03\x01" 400 226 "-" "-" These errors will be generated on a website configured to use SSL - and in fact, error messages similar to these can be generated by misconfiguring SSL for your website. This error message, for instance, can indicate an attempt to access Apache through SSL while the OpenSSL engine is either disabled or misconfigured: Invalid method in request \x80g\x01\x03 Connections that generate that error would not be successful. This post, however, assumes that your website is working normally when used normally. So what gives? The error indicates

"Terrorism Research & Analysis Consortium" (TRAC) labels internet trolls "extreme right wing terrorists"

In my internet travels today, I came across a group called the "Terrorism Research & Analysis Consortium" (TRAC). TRAC claims to provide: "researchers in the fields of terrorism studies, political science, international relations, sociology, criminal justice, philosophy and history with content that provides comprehensive data and analysis for complex topics." I assume that one of those complex topics is terrorism, both because of the name, and because their website is a large list of various groups and individuals that TRAC describes in a few incendiary paragraphs before pigeon-holing them as terrorists. TRAC claims they have a lot of these profiles: "With tens of thousands (and expanding) web pages of information, over 4,650 (and expanding) group profiles, and 2,800 consortium members, TRAC provides many ways to efficiently access information." These profiles are apparently compiled into a database, which they sell subscriptions to. Indivi

International Business Times is getting ad traffic from The Pirate Bay, Exoclick, directRev, WWWPromoter & Adbrau and others involved [UPDATED]

Recently I was reviewing several of The Pirate Bay's (TPB) new mirror sites that have popped up over the last year since the most recent rounds of raids against the famous website's administrators. These mirrors have been the source of no small controversy - there have been rumors of law enforcement entrapment, that a project once founded in the spirit of breaking down walls to the free transfer of information has been hijacked for nefarious ends. Among these rumors, complaints centered on the advertising schemes used by many of the new Pirate Bay mirrors stand out as being substantial. Even Pirate Bay founder Peter Sunde pointed to advertising as one of the critical signs that the site was taking a turn for the worse in a blog post late last year: "TPB has become an institution that people just expected to be there. No one willing to take the technology further. The site was ugly, full of bugs, old code and old design. It never changed except for one thing – the ads.

I just became a member of Open Knowledge Labs

Among the many pies I have my thumbs into at the moment, I am particularly interested in using technology to bring greater transparency to government. One of the most prominent problems as it relates to government transparency might be surprising: while most people immediately think of deliberate secrecy as the pre-eminent threat to transparency, simple dysfunction plays at least as large a role in preventing public access to state records. Immense troves of data remain available solely on ink & paper. Information that has been computerized remains in private intranets. Even data that is online, organized and available remains in a format that prevents semantic contextualization - either by storing documents in image files (TIFF) or in difficult-to-decipher compressed formats (PDF or XPS). And in the rare cases where government agencies have made information public, semantically decipherable and accessible over the internet, the problem remains of indexing that data using a common s

Fedora Project's RHEL yum repo has been throwing errors since yesterday UPDATED

A few of my Red Hat servers run cron jobs to check for updates. Starting yesterday (Thursday October 1st, 2015) at around 3PM I encountered 503 unavailable errors when attempting to contact a Fedora Project URL that hosts the metalink for the rhui-REGION-rhel-server-releases repository - a core RHEL repository for EC2. Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was 14: HTTPS Error 503 - Service Unavailable 3 hours later or so, the URL began responding again, but the problems remained. `yum` now reports corrupted update announcements from the repo: Update notice RHSA-2014:0679 (from rhui-REGION-rhel-server-releases) is broken, or a bad duplicate, skipping. You should report this problem to the owner of the rhui-REGION-rhel-server-releases repository. Update notice RHSA-2014:1327 (from rhui-REGION-rhel-server-releases) is broken, or a bad duplicate, skipping. Update notice RHEA-2015:0372 (from rhui-REGION-rhel-serve

EC2 IP aliasing script is now ready for use

About a month and a half ago I grew so frustrated by the boneheaded way that Amazon EC2 handles IP aliasing that I wrote a pretty lengthy post about the problems entailed and included a small program that would fix those problems. Amazon provides some pretty productive documentation for some types of users. There is help available for you if you are any one of the following:
- You are willing to pay for a new ENI to support a second IP address
- You are multihoming / load balancing
- You want to use "Amazon Linux" and install their ec2-net-utils
But, if you want to just add a second IP address to a pre-existing Linux server, you are pretty much screwed. Well, you were screwed. Now you can install my program - aliaser - as a service and it will route additional IP addresses for you without the need for an extra ENI. I've uploaded aliaser to Github - it includes a shell script and a .service file, as well as some very easy-to-follow instruction

Wikileaks website that hosted torrent with infected files is migrated to a new domain

UPDATED: While wlstorage.net has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by https://file.wikileaks.org - mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which wlstorage.net did not. The SSL issue was particularly troubling as all of the torrents available for download on wlstorage.net were created referencing the non-SSL version of the site (establishing an unencrypted client connection between the P2P client and wlstorage.net, another great way for the powers that be to identify Wikileaks users). The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well. As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software, I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks

An IRS tax refund phishing scam illustrates the widespread failure of hosting and antivirus providers' security measures

Scams focused on stealing tax refunds remain highly profitable, despite the fact that they are well known and understood by security professionals and the general public, and have been for years. A variety of distribution methods are used, with the common threads being the use of IRS logos and bureaucratic-sounding language to convince users to click a link, download and execute a file and/or send personally identifying information like a Social Security number. A recent example of one such scam that I came across is a damning illustration of the failure of online service providers to protect users from obvious and simple malware distribution methods. In the example I wish to discuss today, the distribution method was a spammed email that on a small ISP's installation of SpamAssassin (note: I am not an admin or employee of this system; I'm a customer) received an X-Spam-Status score of 5.3 after being flagged with the following variables: X-Spam-Status: No, score=5.3 re

Electronic Arts sending out phishing alerts for Origin accounts

I received a somewhat horrifying email from Electronic Arts in reference to my Origin account yesterday: I pissed my pants a little. The email definitely originated from EA, and there is very little resembling a phishing scam in the process they use to update security settings. I haven't used my Origin account for anything other than playing games on Xbox that require one... I haven't played my Xbox in months. There is no payment information associated with my Origin account, and the login information for it is not associated with any other accounts. There is nothing in the account activity to suggest purchases have been made. I would be a lot more comfortable with this sort of thing if the email was specific about what the issue was. So I am wondering a bit as to why I received this email. Has anyone else been receiving these emails? This whole "standard systems analysis" strikes me as .... suspicious. UPDATE: I've confirmed that I am not the only O

Nasty little Dropbox phishing spam

This morning I received an interesting message from someone I haven't heard from in a while through email. The subject line was "FIND PDF COPY" (in all caps). Inside the body of the message, embedded within the normal garbage footer attached by their email client, was this: I may very well have gotten suckered into this one if it weren't for the all caps subject line. The person who ostensibly sent me this message is, somewhat ironically, the type of person to include all caps text in their email - but there was something a little too weird about the grammatical solipsism intrinsic to the phrase "FIND PDF COPY" even for this supposed sender. So I took the two seconds out of my day to hover my mouse over the link and, what would you know, dropbox was not the target at all. The link forwarded to "goto-saketen.com" instead. Just to be sure I took a look at the headers of the message. This did in fact come from the sender it claimed to, althou

Toe's swellin' up - that means a hurricane's comin'

So Tropical Storm Erika is rapidly approaching my home in South Florida. Those who don't live on the Gulf Coast or the South East usually aren't familiar with the drama that is living through a hurricane. It's an emotional roller coaster similar to what war has been described as "boredom punctuated by moments of extreme terror." The hurricane comes at somewhat of an odd time, coming almost exactly three years after I was caught outside my house in the middle of a tornado which sent me flying into a wall after being hit by a wall of water. The tornado three years ago was the remnants of Tropical Storm Debbie, which was supposed to completely miss my neighborhood. The winds were so strong that they snapped a solid concrete bench in my back yard in half, right down to the re-bar. [Photo caption: A gentle summer breeze] In my front yard, the tornado ripped a 15-20 foot tree out by the roots, twisted it until it cracked, and laid the whole mess to rest on the hood of my car - mis

HOWTO Remove KB2876229 - the sneaky Skype 7 Windows "Update"

A ton of Skype users were unhappy with the update from Skype 6.x to 7.x. Most of what I have seen is complaining about a few minor changes to the user interface. In the usual baby/bathwater situation that follows this sort of thing, "Power Users" began circulating guides on how to modify hosts files to prevent TCP connections to skype and msn domains. You know, because making sure you have the correct proportion of whitespace is more important than stupid trivia like patching critical security vulnerabilities. To address this madness, Microsoft decided to get clever. In addition to sending the Skype 7 update through the Skype application and related packages like Lync, they would push it through as a Windows update - KB2876229. The Skype application updates are pushed through *.skype.com and *.msn.com, while Windows updates come from domains like *.microsoft.com, *.windowsupdate.com and *.windows.com. The looks-over-substance crowd hadn't yet reached the levels