Email Changes

Ran across a site where if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say I am a blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than the victim means the compromised account gets altered without the real owner ever being asked. Strong security would prevent the change unless the owner of victim@outlook.com confirms it.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

Still scary. The blackhat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It prevents support phone calls: if users no longer have control of the old email account, they can simply change it to another address they do control.
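The two flows compared below are an added example, not code from the site described above. The weak handler mails the only confirmation to the new address, which is what lets the phished account be rewired; the hardened handler asks the current owner first and only then verifies the new mailbox. The account names, addresses, token length and one-hour expiry are assumptions made for the example.

```python
"""Email-address change: weak flow (new address confirms) vs. owner-approved flow.

Added example, not code from any real site. The user store, the mail outbox
and the addresses are constructed here so the module runs offline.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    email: str
    pending: Optional[dict] = None   # state of an in-progress address change


@dataclass
class AccountService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # (to, subject, token)
    ttl_seconds: int = 3600          # assumed lifetime of a change request

    # --- the behaviour criticised above -------------------------------------
    def weak_change_email(self, username: str, new_email: str) -> None:
        """Only the NEW address is asked to confirm; the current owner is never told."""
        token = secrets.token_urlsafe(16)
        self.accounts[username].pending = {"new_email": new_email, "token": token}
        self.outbox.append((new_email, "Confirm your new address", token))

    def weak_confirm(self, username: str, token: str) -> bool:
        acct = self.accounts[username]
        if acct.pending and secrets.compare_digest(acct.pending["token"], token):
            acct.email = acct.pending["new_email"]
            acct.pending = None
            return True
        return False

    # --- owner-approved flow -------------------------------------------------
    def request_email_change(self, username: str, new_email: str) -> None:
        """Step 1: mail an approval token to the CURRENT address only."""
        acct = self.accounts[username]
        acct.pending = {
            "new_email": new_email,
            "old_token": secrets.token_urlsafe(16),
            "new_token": secrets.token_urlsafe(16),
            "old_approved": False,
            "expires": time.time() + self.ttl_seconds,
        }
        self.outbox.append((acct.email, "Approve change of your address", acct.pending["old_token"]))

    def approve_from_old_address(self, username: str, token: str) -> bool:
        """Step 2: the current owner approves; only now is the new address contacted."""
        p = self.accounts[username].pending
        if not p or time.time() > p["expires"] or not secrets.compare_digest(p["old_token"], token):
            return False
        p["old_approved"] = True
        self.outbox.append((p["new_email"], "Verify your new address", p["new_token"]))
        return True

    def verify_new_address(self, username: str, token: str) -> bool:
        """Step 3: prove the new mailbox is reachable, then commit the change."""
        acct = self.accounts[username]
        p = acct.pending
        if not p or not p["old_approved"] or time.time() > p["expires"]:
            return False
        if not secrets.compare_digest(p["new_token"], token):
            return False
        acct.email = p["new_email"]
        acct.pending = None
        return True


def attack_scenario() -> Tuple[str, str]:
    """Attacker with a phished password tries both flows; returns the resulting addresses."""
    victim, attacker = "victim@outlook.com", "blackhatalias@gmail.com"

    weak = AccountService({"user1": Account("user1", victim)})
    weak.weak_change_email("user1", attacker)
    token = next(t for to, _, t in weak.outbox if to == attacker)  # attacker reads own mail
    weak.weak_confirm("user1", token)

    strong = AccountService({"user1": Account("user1", victim)})
    strong.request_email_change("user1", attacker)
    # Nothing addressed to the attacker exists yet, so there is no token to replay.
    assert [t for to, _, t in strong.outbox if to == attacker] == []
    strong.verify_new_address("user1", "guess")   # rejected: owner never approved
    return weak.accounts["user1"].email, strong.accounts["user1"].email


def legitimate_change() -> str:
    """The real owner walks the hardened flow end to end."""
    svc = AccountService({"user1": Account("user1", "victim@outlook.com")})
    svc.request_email_change("user1", "new@example.org")
    old_token = next(t for to, _, t in svc.outbox if to == "victim@outlook.com")
    svc.approve_from_old_address("user1", old_token)
    new_token = next(t for to, _, t in svc.outbox if to == "new@example.org")
    svc.verify_new_address("user1", new_token)
    return svc.accounts["user1"].email


if __name__ == "__main__":
    print(attack_scenario())      # ('blackhatalias@gmail.com', 'victim@outlook.com')
    print(legitimate_change())    # new@example.org
```

The cost of the hardened flow is exactly the support case the paragraph above mentions: a user who has lost the old mailbox cannot self-serve and has to go through a recovery process instead. The expiry on the pending request keeps a forgotten approval mail from being usable weeks later.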

Of course, the site in question also does not have Two Factor Authentication. But then it is just a support forum, so the ramifications of losing the account are impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.

Just Get Rid of Java

Apparently there are security flaws in the current version of Java that allow malicious software to be installed through web browsers without the user knowing. The known attacks using this flaw work on Windows, OSX, and Linux. According to Reuters:

Java was responsible for 50 percent of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky. That was followed by Adobe Reader, which was involved in 28 percent of all incidents. Microsoft Windows and Internet Explorer were involved in about 3 percent of incidents, according to the survey.

The Department of Homeland Security recently said computer users should disable Java. At first this seems odd. The vulnerability in question is only in Java 7. So why not go back to Java 6? Well, Java 6 has vulnerabilities too, which is why DHS and others have recommended getting to 7. Also, starting in 7, the automatic upgrades are more aggressive. So going backwards is probably not a great idea. (It just happens I had to go backwards to get a tool I needed to work and forgot to go forward again.)

Also, for a similar situation back in August the recommendation was to make the browser prompt before allowing Java to run. The strategy now is to stop Java entirely. Apple has removed the Java browser plugins. That could work too. Except for bad, bad software like ours (sorry, sarcasm if you could not tell) which makes use of a few applets. In the last week I have gotten a request to add another applet.

A fix to Java 7’s vulnerabilities should be available in a couple of days.

Trayvon

At around 16-17 years old I did not have a car. So I rode my bike or walked anywhere I wanted to go. Store managers sometimes searched my backpack or my person only to find I had not in fact shoplifted anything. Loss control or security guards would follow me around the store. Neighborhood watch people kicked me out. Police interrogated me about what I had been doing and intended to do. I was well prepared for this pattern of distrust about who I am because my father raised me to understand it could happen, not just with “the talk” but with ongoing reminders to think about how others perceive me. He wanted me not to get upset because my anger would play into their hands, proving I am dangerous like they assumed. Also, just obeying commands to get out of the situation could prevent things from escalating out of control. (Interestingly, work’s security expert gave the same obey advice for when police are looking for a suspect.)

Every time it was upsetting. Even today, almost two decades later, in the back of my head I know that I have to avoid behaviors that will draw suspicion because I am likely guilty until proven innocent. It is better to go into a store wearing a dress shirt or polo with slacks than shorts and a tee shirt. If I take my phone out of my pocket, then it stays out until I am at the cashier, where putting something in my pocket is normal. And while I may think of wearing a basketball jersey so TSA thinks I am black and not potentially Arabic, never, ever, ever wear a hoodie because that slides me in the direction of appearing to be a criminal.

This is why I feel sad Trayvon Martin’s family lost him because a self-appointed neighborhood watch character armed with a gun decided to follow, then chase, then ambush this 17 year old kid in a hoodie armed with Skittles and tea. Nothing can fully repair this.

Zimmerman, Trayvon’s killer, said on the 911 call Martin was acting guilty of something. This was also the stated reason the store managers, security guards, neighborhood watch, and police stopped me at Trayvon’s age. Who isn’t when creepy people follow them around?

The whole thing smacks of Jean Charles de Menezes in 2005 London. A guy leaves his apartment. Guys follow him onto a train. He tries to run from them, only they turn out to be police who shoot him. His crime was both living in an apartment building under surveillance and attempting to resist people who did not look like police but were.

Resist? Get shot. Run? Get shot. Do whatever the people with the guns say and maybe live to tell a lawyer.

Last weekend, a female friend described how she would not be willing to just obey commands. As a big black guy, I have to worry about keeping people from worrying about me attacking them. If provoked, then they are going to put me down, lethally or non-lethally. My female friend has to worry about rape, but she also does not present the physical threat I do. We have two completely different perspectives. But I think we understand each other’s.

DDoS of Social Media

Twitter, Facebook, LiveJournal and other sites all admitted to suffering from a DDoS attack. The purpose of a Denial-of-Service (DoS) attack against a web site is to flood it with so much traffic the site becomes unusable. A Distributed DoS (DDoS) is where many other computers are coordinated into launching the attack, so no single source has to send enough traffic to stand out on its own.
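The distinction matters for detection, so here is an added example (not from the original post) that runs the two checks a web operator would over an access log: a per-source rate limit that catches a single flooding host, and an aggregate check that catches a distributed flood where every individual source stays under the per-source limit. The log lines are constructed in Common Log Format using documentation address ranges, and the window and thresholds are assumptions to be tuned against real traffic.

```python
"""Flag single-source and distributed floods in a web access log.

Added example, not code from the original post. Log lines, addresses and
thresholds are constructed; tune window_s / limits against real baselines.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Common Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req, int(status)


def detect_floods(lines: List[str], window_s: int = 10, per_ip_limit: int = 50,
                  total_limit: int = 200, min_sources: int = 20) -> Dict[str, object]:
    """Slide a window over the log; report hosts over per_ip_limit and any
    moment the window holds more than total_limit requests from many sources."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    window: deque = deque()          # (timestamp, ip) inside the current window
    per_ip: Counter = Counter()      # live request count per source in the window
    single: Dict[str, int] = {}      # ip -> peak requests seen within one window
    distributed: List[dict] = []
    in_ddos = False
    for ip, ts, _req, _status in events:
        window.append((ts, ip))
        per_ip[ip] += 1
        while (ts - window[0][0]).total_seconds() > window_s:
            _old_ts, old_ip = window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if per_ip[ip] > per_ip_limit:               # one host doing the flooding
            single[ip] = max(single.get(ip, 0), per_ip[ip])
        ddos_now = len(window) > total_limit and len(per_ip) >= min_sources
        if ddos_now and not in_ddos:                # record the moment the aggregate trips
            distributed.append({"at": ts.isoformat(), "requests": len(window),
                                "sources": len(per_ip)})
        in_ddos = ddos_now
    return {"single_source": single, "distributed": distributed}


def sample_log() -> List[str]:
    """Constructed lines: three ordinary visitors, one host sending 120 requests in
    about four seconds, then 100 hosts sending three requests each in three seconds."""
    base = datetime(2009, 8, 6, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, offset: int, path: str = "/home") -> str:
        stamp = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = [line(f"10.0.0.{i}", t) for i in (1, 2, 3) for t in range(0, 50, 10)]
    lines += [line("198.51.100.7", 60 + i // 30) for i in range(120)]
    lines += [line(f"203.0.113.{k}", 100 + j) for k in range(1, 101) for j in range(3)]
    return lines


if __name__ == "__main__":
    report = detect_floods(sample_log())
    print(report["single_source"])   # {'198.51.100.7': 120}
    print(report["distributed"])     # one alert at 12:01:42 with 201 requests from 100 sources
```

The single-source check would have caught the 120-request burst on its own, but it says nothing about the 100-host flood, where each address makes only three requests; only the aggregate view sees that. In practice the aggregate alarm also fires on legitimate spikes like the inauguration traffic mentioned below, which is why the baseline matters more than the code.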

All three of the above mentioned sites have had recent issues keeping up with growing usage. The USA inauguration and the Iran demonstrations spiked traffic so much the sites seemed like they were suffering from a DoS. Already at the edge, an attack tipped the barely coping social media sites over it. Some users abandon them for less popular (and so more stable) sites. Those who stick around suffer from learned helplessness.

Causing all this hullabaloo over a single user seems odd to me. I don’t speak Russian, so I don’t know if this guy from Georgia (the country) deserved it. Also, it is almost the one year anniversary of Russia invading Georgia. During the invasion, DDoS attacks disabled Georgian web sites. So maybe this is to show Georgia the Russians are still capable of causing problems? This is why security evangelists want us to be able to deal with threats.

Various computer viruses over the years have turned millions of computers into zombies for botnets. So… if you are upset about your favorite social media site getting taken down, then maybe you should act on ensuring your computer and others in your social network have not been enlisted into a botnet?

Comment Spam Resumes

Have spammers figured out how to pick reCAPTCHA’s lock? All of a sudden I am getting hundreds of spam comments blocked by Akismet. When I added reCAPTCHA, it dropped to a few a month. Now 409 in a week.

Guess this is why layers of security are good.

UPDATE: Scanned through for false positives. The first word of many of them was a Xanth character: Bink, Chameleon, Dolph, Iris, Smash, Goldy, Grundy, Cherie, Chester, Roogna, Imbri.

LMS Security

This morning there was a flurry of effort to locate an article called “Hacking WebCT.” My coworker was able to locate it. We were disappointed.

The main points of the article were:

  1. Lazy administrators make compromising user accounts easy.
  2. Lazy instructors make getting questions for assessments easy.

These apply to any LMS. So, here is some advice to counter the issues raised in this article.


Accounts

Default passwords are the bane of any system. Make users change them. (Yes, this increases support tickets.) This usually comes about because the administrators did not integrate the LMS authentication with LDAP, Kerberos, or CAS, which allows for central management of accounts. Central management means fewer accounts are likely to sit around with easily guessed, initially imposed credentials.

Linking many services together also raises the exposure should one account be compromised. Enforce decently strong passwords. Passwords that are too strong and changed too frequently will encourage users to employ means of remembering them which defeat the point. Passwords should never be just birthdays.

Not sure what advice to provide about the potential of a student installing a keylogger on a computer in a classroom?
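The two account weaknesses the article relies on, untouched default passwords and birthday passwords, are both checkable. The script below is an added example, not from the article or from any LMS: it rejects both at password-set time and audits an existing account export for them offline by trying only those guesses against the stored hashes. The convention that the import seeded each password with the student id, the hashing scheme and the sample users are assumptions made here.

```python
"""Find untouched default passwords and birthday passwords in an LMS account export.

Added example, not from the "Hacking WebCT" article or any LMS. Sample users,
the student-id default convention and the PBKDF2 storage format are constructed.
"""
import hashlib
import hmac
import os
from datetime import date
from typing import Dict, List, Set

PBKDF2_ROUNDS = 50_000   # assumed storage scheme; real systems vary


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def birthday_variants(dob: date) -> Set[str]:
    """Common ways a birthday gets typed as a password."""
    y, m, d = dob.year, dob.month, dob.day
    yy = y % 100
    return {
        f"{y}{m:02d}{d:02d}", f"{m:02d}{d:02d}{y}", f"{d:02d}{m:02d}{y}",
        f"{m:02d}{d:02d}{yy:02d}", f"{d:02d}{m:02d}{yy:02d}", f"{m}{d}{y}",
        f"{m:02d}-{d:02d}-{y}", f"{y}-{m:02d}-{d:02d}",
    }


def weak_reasons(student_id: str, dob: date, candidate: str) -> List[str]:
    """Policy check when a user sets a password: why the candidate is refused."""
    reasons = []
    if candidate == student_id:
        reasons.append("equals the initial default (student id)")
    if candidate in birthday_variants(dob):
        reasons.append("is the user's birthday")
    if len(candidate) < 10:
        reasons.append("shorter than 10 characters")
    return reasons


def audit(accounts: List[dict]) -> Dict[str, List[str]]:
    """Offline audit of stored hashes using only the default and birthday guesses.
    Cheap because each account gets at most nine guesses, not a dictionary run."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        salt, digest = acct["salt"], acct["digest"]
        reasons = []
        if hmac.compare_digest(hash_pw(acct["student_id"], salt), digest):
            reasons.append("default password unchanged")
        if any(hmac.compare_digest(hash_pw(g, salt), digest)
               for g in sorted(birthday_variants(acct["dob"]))):
            reasons.append("birthday-based password")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def sample_accounts() -> List[dict]:
    """Constructed export: one untouched default, one birthday, one decent password."""
    rows = [("jdoe", "900123456", date(1991, 4, 15), "900123456"),
            ("asmith", "900654321", date(1990, 11, 2), "11021990"),
            ("bkim", "900777888", date(1992, 7, 30), "correct-horse-battery")]
    out = []
    for user, sid, dob, pw in rows:
        salt = os.urandom(16)
        out.append({"username": user, "student_id": sid, "dob": dob,
                    "salt": salt, "digest": hash_pw(pw, salt)})
    return out


if __name__ == "__main__":
    print(audit(sample_accounts()))
    # {'jdoe': ['default password unchanged'], 'asmith': ['birthday-based password']}
```

Running the audit against the real store needs whatever verify routine the LMS actually uses in place of `hash_pw`; the point is that the guess list is tiny, so this is a routine check rather than a cracking exercise, and an account that trips it should be forced through a password reset.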


Assessment Cheating

A long availability period (like a week) gives enterprising students the opportunity to exploit the password issues above to see and research questions in advance. A quiz with a short availability period, like an hour, means less time to log into the other account, record the questions, research them, then go back into the proper account and take the assessment.

Instructors should use custom questions. Students can obtain the questions provided by publishers in ePacks or with textbooks from previous students, from the same textbooks the instructor received, or even from web sites which sell the information.

High stakes testing ensures students are looking to cheat. When the value of the questions is high, these methods, which are easier than knowing the material, ensure a war between students and instructors over cheating. Of course, lowering the value of the questions increases the workload of the instructor.
🙁

Recovering Pictures

William borrowed my camera to go on his honeymoon. He also lost the photos with a poorly timed crash & drive reformat. So he wants to borrow the card and recover the data. Thankfully I have not used the camera since he returned it despite thinking I should.

Luckily I ran across “A Computer Repair Utility Kit You Can Run From a Thumb Drive.”

I didn’t like the setup of Photorec as it runs through the command line. Navigating the tree was confusing at best. It did recover 1,166 photos / 3.62GB for me.

Not trusting a single method, I also tried Recuva. That worked a little better. It reported 1,395 files found. However, 177 were unrecoverable. Getting 1,218 pictures / 3.78GB back was 52 / 160MB better than Photorec. Though many of the “recovered” pictures just say: Invalid Image. Maybe they really are Raw?

While trying to use Restoration, it crashed the first time. Not sure why. It was fine the next time, though it only found 4 photos.

Filename: Photorec doesn’t restore files with anything like the original name. Recuva and Restoration do.

Meta Data: OSes and image editors know about the EXIF data in pictures. All the Photorec pictures have date taken. Most of the Recuva pictures do. Guess I could see if only 52 pictures are missing the EXIF? That might explain why Photorec lost some of them.

All in all, it was a fun experiment. I am now curious how these stack up against the proprietary software. Why pay $40 when these are better?
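Two of the open questions above (are the “Invalid Image” files really raw files, and how many recovered pictures lack EXIF) can be answered without an image library. The script below is an added example, not part of the original post or of any of the three tools: it classifies each recovered file by its magic bytes, walks the JPEG marker segments to see whether an Exif APP1 block survived, and notes files carved short of the end-of-image marker. The sample byte strings are constructed stand-ins for recovered files, not real photos.

```python
"""Triage recovered image files by magic bytes and JPEG segment structure.

Added example, not from the original post or from PhotoRec/Recuva/Restoration.
Sample files below are constructed byte strings, not real photos.
"""
import struct
from pathlib import Path
from typing import Dict, List

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1


def walk_jpeg(data: bytes) -> dict:
    """Walk marker segments up to SOS; report an Exif APP1 segment and truncation."""
    has_exif, pos = False, 2                      # skip the SOI marker
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or marker == SOS or length < 2:
            break                                 # entropy-coded data starts at SOS
        payload = data[pos + 4:pos + 2 + length]
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            has_exif = True
        pos += 2 + length
    # A carved file that does not end with EOI was cut short by the recovery tool.
    return {"has_exif": has_exif, "truncated": data[-2:] != b"\xff\xd9"}


def classify(data: bytes) -> dict:
    """Return {'kind', 'has_exif', 'truncated'} for one file's bytes."""
    info = {"kind": "unknown", "has_exif": False, "truncated": False}
    if data[:8] == b"\x89PNG\r\n\x1a\x0a":
        info["kind"] = "png"
    elif data[:4] in (b"II*\x00", b"MM\x00*"):
        # TIFF container used by NEF/DNG/ARW raws; Canon CR2 adds 'CR' at offset 8.
        info["kind"] = "cr2" if data[8:10] == b"CR" else "tiff-raw"
    elif data[:3] == b"\xff\xd8\xff":
        info["kind"] = "jpeg"
        info.update(walk_jpeg(data))
    return info


def triage(files: Dict[str, bytes]) -> Dict[str, list]:
    """Summarise a {name: bytes} mapping the way a recovery review would."""
    summary: Dict[str, list] = {"jpeg_with_exif": [], "jpeg_no_exif": [],
                                "truncated": [], "not_jpeg": []}
    for name, data in sorted(files.items()):
        info = classify(data)
        if info["kind"] != "jpeg":
            summary["not_jpeg"].append((name, info["kind"]))   # "Invalid Image" candidates
            continue
        bucket = "jpeg_with_exif" if info["has_exif"] else "jpeg_no_exif"
        summary[bucket].append(name)
        if info["truncated"]:
            summary["truncated"].append(name)
    return summary


def triage_directory(folder: str) -> Dict[str, list]:
    """Run triage over every file a recovery tool wrote into a folder."""
    return triage({p.name: p.read_bytes() for p in Path(folder).iterdir() if p.is_file()})


def sample_files() -> Dict[str, bytes]:
    """Constructed stand-ins for recovered files (not real photos)."""
    exif_app1 = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_app1) + 2) + exif_app1
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return {
        "IMG_0001.JPG": b"\xff\xd8" + app1 + sos + b"\xff\xd9",   # JPEG with Exif
        "IMG_0002.JPG": b"\xff\xd8" + app0 + sos + b"\xff\xd9",   # JPEG, JFIF only
        "IMG_0003.JPG": b"\xff\xd8" + app1 + sos,                 # carved short, no EOI
        "IMG_0004.JPG": b"II*\x00\x10\x00\x00\x00CR\x02\x00",     # misnamed CR2 raw
        "IMG_0005.JPG": b"\x00" * 16,                             # not an image at all
    }


if __name__ == "__main__":
    for bucket, names in triage(sample_files()).items():
        print(bucket, names)
```

Pointing `triage_directory` at the PhotoRec and Recuva output folders gives the EXIF count directly, and the `not_jpeg` bucket separates files that are raw images with a .JPG extension from files that are simply garbage.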

Blackboard Learn Password Changes

Normally when presenting the opportunity to change a password, a user is required to provide the current password in addition to the new one. It ensures the one changing the password already knows it.

According to Olaf Ritman, Blackboard Academic Suite 6, 7, 8 and Learn 9 ignore asking for the current password. Can anyone with access to one of these confirm?

We run Blackboard Vista 3 and 8. Neither have this particular issue. Since our product is the end of the line and Learn is the future, I pay a little more attention to what is happening on the other side of the academic house.

Any thoughts on the scale of this as a security risk? Olaf makes the point any user leaving the browser logged into the site could have their password changed.
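To make the scale of the risk concrete, here is an added example, not Blackboard code, that models the behaviour Olaf describes beside the usual handler. The weak handler trusts nothing but the session cookie, so whoever reaches an unattended logged-in browser can set a new password without knowing the old one; the hardened handler re-authenticates with the current password and then drops every other session for that user. The session store, PBKDF2 parameters and user names are constructed for the example.

```python
"""Password change with and without re-authentication.

Added example, not Blackboard code. User store, hashing parameters and names
are constructed here so the module runs stand-alone.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed; pick per your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    def __init__(self) -> None:
        self.creds: Dict[str, Tuple[bytes, bytes]] = {}
        self.sessions: Dict[str, str] = {}   # session id -> username

    def register(self, user: str, password: str) -> None:
        self.creds[user] = hash_password(password)

    def login(self, user: str, password: str) -> Optional[str]:
        if user in self.creds and verify_password(self.creds[user], password):
            sid = secrets.token_urlsafe(24)
            self.sessions[sid] = user
            return sid
        return None

    def weak_change_password(self, sid: str, new_password: str) -> bool:
        """The reported behaviour: only the session cookie authorises the change."""
        user = self.sessions.get(sid)
        if user is None:
            return False
        self.creds[user] = hash_password(new_password)
        return True

    def change_password(self, sid: str, current: str, new_password: str) -> bool:
        """Re-authenticate with the current password, then drop every other session."""
        user = self.sessions.get(sid)
        if user is None or not verify_password(self.creds[user], current):
            return False
        if len(new_password) < 12 or new_password == current:
            return False
        self.creds[user] = hash_password(new_password)
        # Anyone else riding a cookie for this user is logged out by the change.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user or s == sid}
        return True


def unattended_browser_scenario() -> Tuple[bool, bool, bool]:
    """A bystander reaches a logged-in browser without knowing the password.
    Returns (weak flow succeeded, hardened flow refused, owner can still log in)."""
    store = UserStore()
    store.register("student", "original-passphrase-1")
    sid = store.login("student", "original-passphrase-1")      # owner walked away
    weak_ok = store.weak_change_password(sid, "attacker-chosen-pw")
    store.register("student", "original-passphrase-1")         # reset, same open session
    refused = not store.change_password(sid, "wrong-guess", "attacker-chosen-pw")
    owner_ok = store.login("student", "original-passphrase-1") is not None
    return weak_ok, refused, owner_ok


def legitimate_change_scenario() -> Tuple[bool, bool, bool]:
    """The owner changes the password properly; a session left open in a lab dies with it."""
    store = UserStore()
    store.register("student", "original-passphrase-1")
    lab_sid = store.login("student", "original-passphrase-1")
    home_sid = store.login("student", "original-passphrase-1")
    changed = store.change_password(home_sid, "original-passphrase-1", "new-longer-passphrase-2")
    return changed, lab_sid not in store.sessions, home_sid in store.sessions


if __name__ == "__main__":
    print(unattended_browser_scenario())   # (True, True, True)
    print(legitimate_change_scenario())    # (True, True, True)
```

Invalidating the other sessions is the second half of the fix: without it, the bystander in the lab keeps their cookie even after the owner notices and changes the password from home.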

Recap of Vista Stuff

It has been a hectic week. A recap…

Java certificate fix – Yesterday, August 23rd, the certificate distributed in various Java applets expired. The community discovered the issue and informed Blackboard, who put out a fix for the more current products on August 15th. Many customers are leery of having such little lead time to test, verify, and install a fix. Well, Vista 3.0.7.17 was also reported to have the problem, but Blackboard didn’t provide a fix until the 20th, after I got my TSM to verify on the 18th that it really still is a problem. (The corrected 3.0.7.17.8 version was provided August 21st. Why is explained in the next paragraph.)

The fix for Vista 3 required us to be on 3.0.7.17.8 (hotfix 8, which we had not yet applied), had references to the “webctapp” directory (in Vista 3 it is “applications”), and distributed a webct.sh script to add updateWar which didn’t work with Vista 3. FAIL. Thankfully we have modified War files in the past, so adding the updates was more work but was accomplished before Blackboard provided a corrected version.

To see the Java certificates in Windows: Control Panel > Java > Security > Certificates. The Blackboard ones are verified by Thawte (the Certificate Authority). The old one is issued to Blackboard. The new one is issued to dc.blackboard.com.

Vista 3.0.7.17.8 – This hotfix was released a couple of weeks ago. However, since the priority has been the migration to Vista 8, this was on hold. The previous problem made us step up and throw this into production. The testers went to heroic efforts to get this and the certificate fix tested. Testing was mixed.

  1. Losing the session cookie because of Office 2007 in Internet Explorer. Happened less often post fix, but still happens in some cases.
  2. Autosignon MAC2. The mode to allow the insecure MAC works, giving the one school using it time to update their portal to use MAC2. Originally the plan was to let them work out MAC2 in test.

Slammed by our users…

  1. systemIntegrationApi.dowebct – The school using the autosignon wanted to have the correct consortiaId to create the MAC. Some time back in January they started calling this any time users tried to log in because a handful (guess was ~12) had had their username changed, so the autosignon failed. Yes, they sent us 25,000 requests in a busy day (about 20% of the queues were working on these during the day) to handle a potential 12 problems in a term. FAIL.
  2. pmSelfRegister.dowebt – One of the clusters started to have issues. Two nodes went bad. I looked at the WebLogic console and found all of the failing nodes had no free spots in the queues. 90% of the queues were working on these. Much of this is because the requests were hanging around for at least 4800 seconds (an hour is 3600 seconds). At about 6000 seconds the cluster recovered when the queues cleared. I think the queues cleared because I changed a couple of settings to false:
    • Allow users to register themselves as a Student in a section = false
    • Allow users to register themselves as an Auditor in a section = false

    As I recall, we only had about 22 queue spots open (out of 308) across the whole cluster. We got lucky.

Pointless

So I wanted to open a support ticket. However, in thinking about what I can ask the company to do, arrayed against what they are willing to offer for support, I realized… I am not going to get a resolution for the ticket.

  1. It is functioning as designed.
  2. They are just going to tell us the workarounds we have already implemented.

So, what is the point? Other than distracting employees of the company with something they are never going to solve, I get no benefit. I just get to be the passive-aggressive, CYAer, paper pusher who gets to point at the fact I opened a pointless support ticket to justify my employment.

Yes, the problem could trigger a cascade of events which would result in the failure of services for about 3,000 active users. We stood at the brink twice yesterday and the day before. Because we DBAs are responsive, we saved it. The next time we will do the same.

The company is not going to release another patch for the product unless forced to do so (aka glaring security hole). So even if we could convince them of a bug, then no resolution would be provided in this version. I’ll have to replicate to see if the same problem exists in a newer version they do adequately support. If so, then I would have justification in opening a ticket.

Now… how do I identify an 8GB section archive…