<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[Cheap Hack]]></title>
    <link>http://securityratty.com/feed/3b54f5f57e5ddf012846d26b98248453</link>
    <description></description>
    <pubDate>Wed, 03 Sep 2008 05:10:29 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Hacking Your VoIP Box From The Net]]></title>
      <link>http://securityratty.com/article/ddef0bbead6572419deccb8cf4914ce6</link>
      <guid>http://securityratty.com/article/ddef0bbead6572419deccb8cf4914ce6</guid>
      <description><![CDATA[Do you do penetration testing of your own network? Is it comprehensive enough? Read this recent blog from McAfee's Avert Labs and you may wonder. An Avert analyst, reading about vulnerabilities in the...]]></description>
      <content:encoded><![CDATA[Do you do penetration testing of your own network? Is it comprehensive enough? Read <a href="http://www.avertlabs.com/research/blog/index.php/2008/09/29/the-lack-of-attention-in-voip-devices/">this recent blog from McAfee's Avert Labs</a> and you may wonder.

An Avert analyst, reading about vulnerabilities in the Cisco IP phone model 7960, then used Google to try to find publicly accessible 7960 phones. He found "almost 10" (does that mean 9? awkward turn of phrase). One of them had the vulnerable firmware version. The vulnerability was that the phone's web interface reveals a lot of sensitive network information, so the company that holds that phone has a vulnerable network.

What was revealed by the phone? "...the IP addresses of the TFTP server/router/DNS server/DHCP server/Cisco Call Manager, as well as some application links, internal device configuration, and debugging information. If there are any exploitable vulnerabilities in one of these linked servers, attackers could use this information to stage further attacks."

There's always more to test for, and mistakes in device configuration can have dire consequences.
]]></content:encoded>
      <pubDate>Sat, 04 Oct 2008 13:06:04 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive network information">sensitive network information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/device configuration">device configuration</category>
      <category domain="http://securityratty.com/tag/internal device configuration">internal device configuration</category>
      <category domain="http://securityratty.com/tag/phone model">phone model</category>
      <category domain="http://securityratty.com/tag/phone">phone</category>
      <category domain="http://securityratty.com/tag/exploitable vulnerabilities">exploitable vulnerabilities</category>
      <category domain="http://securityratty.com/tag/vulnerable network">vulnerable network</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/sIcbcZ5FSGQ/hacking_your_voip_box_from_the_net.html">Hacking Your VoIP Box From The Net</source>
    </item>
    <item>
      <title><![CDATA[Gambling Domains Seized by Kentucky]]></title>
      <link>http://securityratty.com/article/b2a12ce3b79bb2383d563ad1918217f7</link>
      <guid>http://securityratty.com/article/b2a12ce3b79bb2383d563ad1918217f7</guid>
      <description><![CDATA[From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It...]]></description>
      <content:encoded><![CDATA[From reports, it appears that Kentucky Governor Steve Beshear has attempted to seize 141 gambling-related domain names under a state law that allows for seizure of items used for illegal gambling. It appears that the seizure order (<a href="http://www.thedomains.com/wp-content/order-of-seizure-of-domain-names.pdf">click here for a copy of the initial order</a>) was signed by a circuit judge, but <a href="http://www.thedomains.com/2008/09/26/kentucky-hearing-update/">later reports indicate that the judge is holding further hearings and seeking further arguments</a>. A hearing will be held Oct. 7, <a href="http://www.thedomains.com/2008/09/26/kentucky-hearing-update/">according to TheDomains</a>.

See page 4 of the seizure order for a complete list of the 141 domains. Here are some of them:
<ul><li>123bingo.com</li>
	<li>777dragon.com</li>
	<li>indiancasino.com</li>
	<li>jackpotcity.com</li>
	<li>powerbet.com</li>
	<li>crazypoker.com</li>
	<li>vegaslucky.com</li></ul>

That sort of thing.

According to DomainNameNews, <a href="http://www.domainnamenews.com/up-to-the-minute/kentucks-seizes-141-gambling-domain-names/2413">several of the domains are for popular sites</a>, including PokerStars.com, FullTiltPoker.com, BodogLife.com, GoldenPalace.com, Bet21.com, DoylesRoom.com and IndianCasino.com. It also reports that <a href="http://www.domainnamenews.com/up-to-the-minute/ica-responds-to-kentucky-seizure-of-gambling-domains/2584">at least one registrar (Enom) has transferred domains pursuant to the order</a>, including one whose registrant died of a heart attack this summer.

The seizure order says that the domains are to be transferred by any registrar to a plaintiff's account at that registrar (the plaintiff being the Commonwealth of Kentucky), but that the domain names' configuration will be otherwise unchanged. This means that any gambling sites run on those domains or, for that matter, anything else on those domains, such as PPC ads, would remain functional.

All things considered, this seems like simple-minded grandstanding without any good law behind it. The Constitution vests Congress with power to regulate interstate commerce, which the domain name market clearly is. In fact, these businesses are truly international. And it's a safe bet that none of the gambling companies or registrars operates in Kentucky, perhaps not even any of the domain name holders. That the state argues that residents of Kentucky engage in illegal gambling doesn't give the state jurisdiction. The Internet Commerce Association, a domainer lobby, <a href="http://www.domainnamenews.com/up-to-the-minute/ica-responds-to-kentucky-seizure-of-gambling-domains/2584">has weighed in on the matter in opposition to the state's move</a>.
]]></content:encoded>
      <pubDate>Sun, 28 Sep 2008 03:32:49 +0000</pubDate>
      <category domain="http://securityratty.com/tag/domains">domains</category>
      <category domain="http://securityratty.com/tag/kentucky">kentucky</category>
      <category domain="http://securityratty.com/tag/domains pursuant">domains pursuant</category>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/domain names">domain names</category>
      <category domain="http://securityratty.com/tag/kentucky engage">kentucky engage</category>
      <category domain="http://securityratty.com/tag/internet commerce association">internet commerce association</category>
      <category domain="http://securityratty.com/tag/seizure">seizure</category>
      <category domain="http://securityratty.com/tag/commerce">commerce</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/x8jm5xd8NoU/gambling_domains_seized_by_kentucky.html">Gambling Domains Seized by Kentucky</source>
    </item>
    <item>
      <title><![CDATA[Enhanced Domain Protection Services Emerge]]></title>
      <link>http://securityratty.com/article/7acf5055cb56782b95c8c264468b8373</link>
      <guid>http://securityratty.com/article/7acf5055cb56782b95c8c264468b8373</guid>
      <description><![CDATA[Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged. Yesterday, Domain Name...]]></description>
      <content:encoded><![CDATA[Registrars are beginning to offer new services to protect against domain name loss. Are they worth it? Well, they're worth something, but maybe not all the money being charged.

Yesterday, Domain Name Wire revealed that <a href="http://domainnamewire.com/2008/09/23/godaddy-files-patent-for-domain-name-hijack-protection/">GoDaddy has filed for a patent for "Domain Name Hijack Protection."</a> The basic idea of the service is that domain name transfer-out requests are automatically ignored. The customer gets a notice that the request was received and ignored. The user then has the option of turning off the service, and must supply photo ID in order to do it. Comments on the Domain Name Wire article say it's an intentionally cumbersome process, which certainly works out well for GoDaddy, but I'm not so sure I'd call this innovative.

This application may be related to <a href="https://www.godaddy.com/gdshop/protect/landing.asp?ci=9004">GoDaddy's Protected Registration service</a>, which similarly protects against casual transfers, a service they call Deadbolt Transfer Protection. In order to perform a transfer, more thorough verification procedures are required, probably involving genuine human beings.

GoDaddy also claims to protect the domain in case of billing problems, such as "credit card expiration, failed billing or outdated contact information." If your domain expires and cannot be renewed because the credit card expired or for some other such reason, the domain will be placed in "invalid, protected status" for up to one year. In other words, it will be taken off-line, but not made available for anyone else to register. If you've parked it you may not notice, but if you're using the domain you will, because it won't work anymore. At this point you can go back to GoDaddy and make things right. All this costs $24.99 a year, which is a lot of money compared to the base registration. You'd be much better off with a standard domain lock and just being responsible about your domains and reading the e-mail GoDaddy sends you.

And thanks to <a href="http://www.domainnamenews.com/registrars/moniker-launches-domainmaxlock/2452">DomainNameNews for reporting</a> that Moniker, a registrar aimed at higher-volume domain name owners, has launched <a href="http://www.moniker.com/maxlock/">their DomainMaxLock service</a>.

DomainMaxLock, like GoDaddy's Deadbolt, makes you provide more stringent identification for transfers. According to the company you must:
<UL>
<LI>Provide a government I.D. number for verification of your identity.</LI>
<LI>Set up custom security questions and answers, further safeguarding your domain assets.</LI>
<LI>Provide special verification instructions and artifacts to ensure that your unique business or ownership interests are protected.</LI>
<LI>When you request that your domains be unlocked, our security team works directly with you to verify all of the above off-line - further eliminating risks of doing business in an online world!</LI>
</UL>
It's essentially an admission of the failure of automated services with respect to security. The idea is we can trust humans in person, not software. The service costs $34.95 per domain per year for a limited time, but the cost will increase later to $59.99.

These verification services are similar in many ways to those performed by CAs (certificate authorities). Since GoDaddy is also one of those, it's likely they can get better utilization out of that staff by offering such services.
]]></content:encoded>
      <pubDate>Wed, 24 Sep 2008 04:23:16 +0000</pubDate>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/standard domain lock">standard domain lock</category>
      <category domain="http://securityratty.com/tag/higher-volume domain">higher-volume domain</category>
      <category domain="http://securityratty.com/tag/domain assets">domain assets</category>
      <category domain="http://securityratty.com/tag/domain expires">domain expires</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/domainmaxlock service">domainmaxlock service</category>
      <category domain="http://securityratty.com/tag/godaddy">godaddy</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/8Vacprz_ezY/enhanced_domain_protection_services_emerge.html">Enhanced Domain Protection Services Emerge</source>
    </item>
    <item>
      <title><![CDATA[Office 2003 SP2 Approaching End of Life]]></title>
      <link>http://securityratty.com/article/708e156f8cf7fd44904fefa01aa79593</link>
      <guid>http://securityratty.com/article/708e156f8cf7fd44904fefa01aa79593</guid>
      <description><![CDATA[The Microsoft Office Sustained Engineering blog reports that support for Service Pack 2 for Office 2003 is coming to a close. Microsoft's support lifecycle policy for service packs states that they...]]></description>
      <content:encoded><![CDATA[<a href="http://blogs.technet.com/office_sustained_engineering/archive/2008/09/22/upcoming-end-of-support-for-office-2003-service-pack-2-sp2.aspx">The Microsoft Office Sustained Engineering blog reports that support for Service Pack 2 for Office 2003 is coming to a close. </a>

<a href="http://support.microsoft.com/?LN=en-us&scid=gp%3B%5Bln%5D%3Blifecycle&x=14&y=8#Service%20Pack%20Support">Microsoft's support lifecycle policy for service packs</a> states that they get one year of support after a successor service pack is released. It's been about a year since Service Pack 3 for Office 2003 was released, and Microsoft is recommending&#8212;strongly&#8212;that all users upgrade. The policy also states that security updates are continued into the next Patch Tuesday, so there may still be patches for Office 2003 SP2 in the October Patch Tuesday.
]]></content:encoded>
      <pubDate>Mon, 22 Sep 2008 16:45:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/office">office</category>
      <category domain="http://securityratty.com/tag/microsoft office">microsoft office</category>
      <category domain="http://securityratty.com/tag/successor service pack">successor service pack</category>
      <category domain="http://securityratty.com/tag/service pack">service pack</category>
      <category domain="http://securityratty.com/tag/support lifecycle policy">support lifecycle policy</category>
      <category domain="http://securityratty.com/tag/policy">policy</category>
      <category domain="http://securityratty.com/tag/support">support</category>
      <category domain="http://securityratty.com/tag/october patch tuesday">october patch tuesday</category>
      <category domain="http://securityratty.com/tag/patch tuesday">patch tuesday</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/X1h8jl24YRo/office_2003_sp2_approaching_end_of_life.html">Office 2003 SP2 Approaching End of Life</source>
    </item>
    <item>
      <title><![CDATA[Dell System with Useless Memory]]></title>
      <link>http://securityratty.com/article/61974cbdd2ec9059cb511964767ab701</link>
      <guid>http://securityratty.com/article/61974cbdd2ec9059cb511964767ab701</guid>
      <description><![CDATA[In my e-mail this morning was a flier from Costco . I have to go buy some stuff there this morning, so I read it and noticed a Dell desktop computer among the items. Note that the Costco links above...]]></description>
      <content:encoded><![CDATA[In my e-mail this morning was <a href="http://click.online.costco.com/dm?id=172AAC0B8C772EF26473AE9104579909">a flier from Costco</a>. I have to go buy some stuff there this morning, so I read it and noticed <a href="http://www.costco.com/Browse/Product.aspx?Prodid=11188958&cm_mmc=BCEmail_341-_-BANNER-_-3-_-Dell518">a Dell desktop computer</a> among the items.

Note that the Costco links above probably have a short lifetime, so if you're reading this weeks after the posting date (9/20/2008), they won't work.

What immediately struck me about the newsletter was that it said that the system had 4GB of RAM. As I discussed in <a href="http://www.eweek.com/c/a/Security/When-Windows-Goes-All-64Bit/?kc=MPOP">my recent column on when Windows goes all 64-bit</a>, in 32-bit versions of Windows at most 3.1GB to 3.5GB of RAM are usable, probably more like the 3.1 number. You need 64-bit Windows to use all of the memory. Was Costco selling a Win64 system?

Nope, the ad says it has "Microsoft® Windows® Vista Home Premium 32-bit." 

Beware of this sort of thing. It's not a lot of wasted money, but it's still a waste. I suspect it will become more of an issue over time as vendors try, as they always do, to beef up computers and run up against this wall.
]]></content:encoded>
      <pubDate>Sat, 20 Sep 2008 03:03:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/64-bit">64-bit</category>
      <category domain="http://securityratty.com/tag/64-bit windows">64-bit windows</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <category domain="http://securityratty.com/tag/costco links">costco links</category>
      <category domain="http://securityratty.com/tag/costco">costco</category>
      <category domain="http://securityratty.com/tag/dell desktop computer">dell desktop computer</category>
      <category domain="http://securityratty.com/tag/win64 system">win64 system</category>
      <category domain="http://securityratty.com/tag/32-bit versions">32-bit versions</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/TXvq0jKWjCM/dell_system_with_useless_memory.html">Dell System with Useless Memory</source>
    </item>
    <item>
      <title><![CDATA[U.S. Olympic Committee Trying to Take Chicago2016.com Away from Grad Student]]></title>
      <link>http://securityratty.com/article/5ad23aec12e5ec6dbbea9825fd10d587</link>
      <guid>http://securityratty.com/article/5ad23aec12e5ec6dbbea9825fd10d587</guid>
      <description><![CDATA[In 2004 graduate student Stephen Frayne Jr. bought the domain name Chicago2016.com. Now the U.S. Olympic committee and the Chicago group organizing an Olympic bid for that year want it from him. They...]]></description>
      <content:encoded><![CDATA[In 2004 graduate student Stephen Frayne Jr. bought the domain name <A href="http://www.chicago2016.com" rel=nofollow target="_blank">Chicago2016.com.</A> Now <a href="http://www.chicagotribune.com/business/chi-thu-chicago2016-dotcom-battlsep18,0,6898818.story" target="_blank">the U.S. Olympic committee and the Chicago group organizing an Olympic bid for that year want it from him.</a> They have filed through arbitration processes to have the domain turned over.

The committee is currently using <a href="http://chicago2016.org/" target="_blank">chicago2016.org</a> as its domain, but that's not good enough. "We certainly see Chicago2016.com as the logical default domain for our site, and we believe having someone else control it is misleading for people seeking information about Chicago's bid," said Patrick Sandusky, a spokesperson for Chicago 2016. The Chicago Tribune article on this story describes "Chicago 2016" as "a moniker protected by trademark." I did a trademark search and there are several with that string in them, none of which were filed before 2006.

Frayne launched the site to be, he claims, a forum for public discussion of Chicago's bid. He also owns Tokyo2016, another city bidding for that Olympiad, and is also being pursued for that domain.

My own opinion: There are no trademarks in "Chicago 2016" that the committee can reasonably claim ownership of. Obviously it just hasn't offered Frayne enough money for the domain yet.

<a href="http://www.domainnamenews.com/up-to-the-minute/us-olympic-committee-trying-to-take-chicago2016com-away-from-grad-student/2360" target="_blank">Hat tip to DomainNameNews.</a>
]]></content:encoded>
      <pubDate>Fri, 19 Sep 2008 15:03:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/chicago tribune article">chicago tribune article</category>
      <category domain="http://securityratty.com/tag/chicago">chicago</category>
      <category domain="http://securityratty.com/tag/committee">committee</category>
      <category domain="http://securityratty.com/tag/olympic committee">olympic committee</category>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/logical default domain">logical default domain</category>
      <category domain="http://securityratty.com/tag/chicago2016">chicago2016</category>
      <category domain="http://securityratty.com/tag/bid">bid</category>
      <category domain="http://securityratty.com/tag/olympic bid">olympic bid</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/r9FwDKGAoqE/us_olympic_committee_trying_to_take_chicago2016com_away_from_grad_student.html">U.S. Olympic Committee Trying to Take Chicago2016.com Away from Grad Student</source>
    </item>
    <item>
      <title><![CDATA[More Details on McAfee's Artemis]]></title>
      <link>http://securityratty.com/article/3ef62fbfbd2bb374f1c20b9b41dc0c41</link>
      <guid>http://securityratty.com/article/3ef62fbfbd2bb374f1c20b9b41dc0c41</guid>
      <description><![CDATA[I spoke with McAfee recently, following my column about its Artemis technology . I learned a few things. Artemis kicks in when the local anti-virus scanner sees, through behavioral methods, if the...]]></description>
      <content:encoded><![CDATA[I spoke with McAfee recently, following <a href="http://www.eweek.com/c/a/Security/McAfee-Putting-Malware-Signatures-in-the-Cloud/">my column about its Artemis technology</a>. I learned a few things.

Artemis kicks in when the local anti-virus scanner determines, through behavioral methods, that a file is suspicious. Then it sends a fingerprint of the file up to the Artemis servers for further analysis.

I had assumed that this fingerprint was a hash of some kind, but that was a simplistic assumption. The fingerprint includes characteristics of the file, including the ones that the scanner used to determine that the file was suspicious: Is it packed? Using certain packers in particular? Is it compressed (not the same thing)? Is it a certain size? In case I was unclear before, none of this involves signatures in the conventional sense.

It occurs to me that this could lower false-positives, compared with conventional behavioral analysis, because it subjects suspicious threats to more extensive analysis in the cloud. It all depends on how aggressive McAfee is at that stage.

Another thought I had is that since Artemis kicks in as a result of behavioral analysis, the threat has already hit the system by the time Artemis is invoked. Presumably the process is asynchronous and Artemis could return its analysis some time after the submission. If this is the case, there could be a while during which malware is running rampant on your system.
]]></content:encoded>
      <pubDate>Fri, 19 Sep 2008 07:25:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/artemis">artemis</category>
      <category domain="http://securityratty.com/tag/analysis">analysis</category>
      <category domain="http://securityratty.com/tag/conventional behavioral analysis">conventional behavioral analysis</category>
      <category domain="http://securityratty.com/tag/artemis servers">artemis servers</category>
      <category domain="http://securityratty.com/tag/artemis kicks">artemis kicks</category>
      <category domain="http://securityratty.com/tag/extensive analysis">extensive analysis</category>
      <category domain="http://securityratty.com/tag/behavioral analysis">behavioral analysis</category>
      <category domain="http://securityratty.com/tag/artemis technology">artemis technology</category>
      <category domain="http://securityratty.com/tag/fingerprint">fingerprint</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/VyuqqR5FRAs/more_details_on_mcafees_artemis.html">More Details on McAfee's Artemis</source>
    </item>
    <item>
      <title><![CDATA[Merged Banks' Names Already Cyber-squatted]]></title>
      <link>http://securityratty.com/article/2e490f1861f13ae3554a91a0487bf943</link>
      <guid>http://securityratty.com/article/2e490f1861f13ae3554a91a0487bf943</guid>
      <description><![CDATA[Domain name speculators are already buying up names of recently merged banks , according to the BBC. In fact, names are being bought even in the speculation of sales. Earlier this week, as Lehman...]]></description>
      <content:encoded><![CDATA[<a href="http://news.bbc.co.uk/2/hi/technology/7621647.stm">Domain name speculators are already buying up names of recently merged banks</a>, according to the BBC.

In fact, names are being bought even in the speculation of sales. Earlier this week, as Lehman Brothers was failing and rumors circulated as to who might buy them, the names barclayslehman.com, hsbclehman.com, hsbclehmanbrothers.com and bofalehman.com were all reserved. The buyers are in the Netherlands and New York City, and one domain is registered anonymously.

The same phenomenon is occurring in the U.K., where speculation surrounding the merger of Lloyds TSB with HBOS led someone to buy lloydstsbhbos.com and hboslloydstsb.com.

Some of these domains include a notice that they are for sale. The person who bought bankofamericamerrilllynch.com went further, including a link to an eBay auction where the domain is for sale with a $1,500 reserve. About two days into the auction, no bids have been made. People who reserve domain names with clear trademarks in them routinely lose them in arbitration cases brought, under <a href="http://www.icann.org/en/udrp/#udrp">ICANN's Uniform Domain Name Dispute Resolution Policy</a>, by the trademark holders.
]]></content:encoded>
      <pubDate>Fri, 19 Sep 2008 06:08:38 +0000</pubDate>
      <category domain="http://securityratty.com/tag/names">names</category>
      <category domain="http://securityratty.com/tag/reserve domain names">reserve domain names</category>
      <category domain="http://securityratty.com/tag/domain">domain</category>
      <category domain="http://securityratty.com/tag/uniform domain">uniform domain</category>
      <category domain="http://securityratty.com/tag/reserve">reserve</category>
      <category domain="http://securityratty.com/tag/names barclayslehman">names barclayslehman</category>
      <category domain="http://securityratty.com/tag/dispute resolution policy">dispute resolution policy</category>
      <category domain="http://securityratty.com/tag/auction">auction</category>
      <category domain="http://securityratty.com/tag/ebay auction">ebay auction</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/HSwU0TmTLAk/merged_banks_names_already_cybersquatted.html">Merged Banks' Names Already Cyber-squatted</source>
    </item>
    <item>
      <title><![CDATA[Don't Mix MX And CNAME Records]]></title>
      <link>http://securityratty.com/article/004725fe5a13e6eeac176518aa1a62ec</link>
      <guid>http://securityratty.com/article/004725fe5a13e6eeac176518aa1a62ec</guid>
      <description><![CDATA[An ambiguity in RFC 2821 , which defines how email should be delivered, causes problems for some users, according to Ferris Research. In their first blog on the subject they relate a story of someone...]]></description>
      <content:encoded><![CDATA[An ambiguity in <A class=external href="http://www.faqs.org/rfcs/rfc2821.html" target=_blank>RFC 2821</A>, which defines how email should be delivered, causes problems for some users, according to Ferris Research.

In <a href="http://www.ferris.com/2008/09/07/beware-using-cname-and-mx-at-the-same-time/">their first blog on the subject</a> they relate a story of someone (names are expunged to protect the innocent from embarrassment) who decided to configure his DNS with both an MX record (which advertises the mail server) and a CNAME record defining where the web server was. More specifically, the CNAME defined "the-domain-in-question.com." to be "www.the-domain-in-question.com", the IP address of which was defined in a separate A record. After this, Mr. Anonymous's e-mail wasn't consistently reaching the mail server anymore. Some external servers were no longer finding the mail server.

The problem turns out to be that when a server has a CNAME record, some sending mail servers will attempt to connect to that and not to the server pointed to by the MX record. So in the example, the outside mail was being sent to the web server, which of course didn't respond to it.

<a href="http://www.ferris.com/2008/09/08/why-you-shouldnt-mix-cname-and-mx/">The problem, says Ferris, is in an ambiguity in RFC 2821.</a> They have a point. The SMTP standard seems to <i>recommend</i> against mixing CNAME and MX records, but it doesn't prohibit it, and it's unclear on how the server should behave when it finds both.

Bottom line: Don't mix them.
]]></content:encoded>
      <pubDate>Wed, 10 Sep 2008 04:59:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mail">mail</category>
      <category domain="http://securityratty.com/tag/mail server anymore">mail server anymore</category>
      <category domain="http://securityratty.com/tag/mail servers">mail servers</category>
      <category domain="http://securityratty.com/tag/e-mail">e-mail</category>
      <category domain="http://securityratty.com/tag/mail server">mail server</category>
      <category domain="http://securityratty.com/tag/server">server</category>
      <category domain="http://securityratty.com/tag/cname">cname</category>
      <category domain="http://securityratty.com/tag/web server">web server</category>
      <category domain="http://securityratty.com/tag/record">record</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/ntgwYENutcQ/dont_mix_mx_and_cname_records.html">Don't Mix MX And CNAME Records</source>
    </item>
    <item>
      <title><![CDATA[Chrome, Safari And Self-Signed Certificates]]></title>
      <link>http://securityratty.com/article/21c07c2ffc76dd0bcffce90d5ab15846</link>
      <guid>http://securityratty.com/article/21c07c2ffc76dd0bcffce90d5ab15846</guid>
      <description><![CDATA[I ran a column a couple weeks back about browsers and how they handle unsigned certificates. How does Chrome handle them? For that matter, how does Safari handle them, since I forgot to include it in...]]></description>
      <content:encoded><![CDATA[I ran a column a couple weeks back about <a href="http://www.eweek.com/c/a/Security/The-Untrustworthiness-of-SelfSigned-Certificates/">browsers and how they handle unsigned certificates</a>.

How does Chrome handle them? For that matter, how does Safari handle them, since I forgot to include it in that column?

Chrome, at first, is much like IE7; it puts up an impossible-to-miss warning but lets you continue past it:

<img alt="chrome-ssl-error.jpg" src="http://blogs.eweek.com/cheap_hack/chrome-ssl-error.jpg" width="567" height="726" />

Then if you do continue, like Firefox, it keeps a warning present in the address bar. Neat.

<img alt="chrome-address-error.jpg" src="http://blogs.eweek.com/cheap_hack/chrome-address-error.jpg" width="220" height="62" />

Safari is much like IE7: It pops up a warning dialog box:

<img alt="safari.JPG" src="http://blogs.eweek.com/cheap_hack/safari.JPG" width="461" height="186" />

But when you choose Continue it continues with no visible indicator that anything is different.
<p><a href="http://feedads.googleadservices.com/~a/_z0nr5C9AO58xcjpr24ZlPLiekI/a"><img src="http://feedads.googleadservices.com/~a/_z0nr5C9AO58xcjpr24ZlPLiekI/i" border="0" ismap="true"></img></a></p><img src="http://feedproxy.google.com/~r/RSS/cheap_hack/~4/8Yo7pdDzb9g" height="1" width="1"/>]]></content:encoded>
      <pubDate>Wed, 03 Sep 2008 05:10:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/safari">safari</category>
      <category domain="http://securityratty.com/tag/chrome">chrome</category>
      <category domain="http://securityratty.com/tag/chrome handle">chrome handle</category>
      <category domain="http://securityratty.com/tag/handle">handle</category>
      <category domain="http://securityratty.com/tag/choose continue">choose continue</category>
      <category domain="http://securityratty.com/tag/continue">continue</category>
      <category domain="http://securityratty.com/tag/safari handle">safari handle</category>
      <category domain="http://securityratty.com/tag/continue past">continue past</category>
      <category domain="http://securityratty.com/tag/address bar">address bar</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/8Yo7pdDzb9g/chrome_safari_and_seltsigned_certificates.html">Chrome, Safari And Self-Signed Certificates</source>
    </item>
  </channel>
</rss>
