Spam Counter - 2008 August: 1,521

Penis pills and Paris Hilton (declared a national historic monument). Breaks a five month downward trend, alas.

Please Provide a Credit Card Number to Enroll for this Free Offer.

One fascinating comment on this Register story:

Good ol' Tiscali
By Anonymous Coward
In the days of dial up I once signed up with Tiscali as they were offering a free month's trial and being a student I needed to save as much money as possible. As they wanted card details that they were saying that they were only going to start debiting after my free month and I didn't want to risk forgetting to cancel, I entered 4111 1111 1111 1111 as the card number, which is a commonly used test number that validates using the card checking algorithm. This worked and allowed me to sign up for my free month.
Surprisingly (or not) my internet access continued into month 2 .....

Reminds me of the days when Mrs U was driven mad by La Redoute accepting orders with credit card numbers that didn't even pass the checksum test. Surely it won't work anywhere any more....

China Stole the Productivity Revolution

It's hardly possible to avoid writing about China today. Even if it has little to do with security. So I'm going to write about three-packs of knickers for EUR 3, or mobile phones for EUR 10.

Everyone can see that the Chinese cities are getting rich. There are still plenty of people living squalid lives with little money, but the gloss is there and, more to the point, there are more and more hard-working middle-class people. Today, it's the cities and the coasts, but if they can hold on to the currency, the banks and the economy, it'll be the whole country soon enough.

Now the point about hard-working middle-class people is that they don't stitch supermarket knickers or assemble disposable mobile phones. They're too expensive. So we have to ask, once the opulence has worked its way into China, where are our panties are going to come from then? (and theirs too, of course.) Bangladesh/Nepal/Burma just doesn't have the slack to take up the produce of three hundred million pairs of willing hands. India is on its own way already, and Africa is disorganised and thinly populated.

I see the answer to this question taking us back to, ooh, 1978 -- the Year of the Micro. Back then, the unions were huge, offshore manufacturing was inconceivable and the promise of cheap micro-processors was in the robot factories that would provide a life of leisure and customised goods for all.

Well, it didn't work out that way. No. Hey! it's thirty years later -- 2008 -- the future in anybody's language -- and

• If I want a suit, I can't walk into a shop and be measured up by a machine which will cut it, make it and post it to me.
• Mrs U had to buy a Toyota instead of a Nissan because the seats are too long for her thighs and there's no opportunity to get it changed.
• Children's toys are hand-assembled -- and that's not snap-together either. There are dozens of screws -- easy to design, simple to tool, but needing a lot of work to asemble.

How crap is that? What went wrong?

Offshore manufacturing is the answer. There's no point in tooling up with fancy kit if the competition can have it made by hand for less. For a huge range of goods, manufacturing has gone backwards these last thirty years -- those screws in the toys weren't there when I was young. The products are cheaper, more varied, generally better assembled but totally uncustomised and insusceptible to automation.

So my guess is this. When the supply of cheap labour dries up, we're finally going to get the automatic factory revolution. Only, it'll be thirty years better. It'll be lead by the Chinese, because they're the ones with the problem and it's going to suit their convenience not ours. But I feel that I'm within five years of getting my machine-measured suit. It's going to be more expensive than the one stitched in a Fujiian sweatshop. But at least it'll fit.

Time for Tubby Bye-Bye, Meestair Bond

Well, the NMAAJS Daughter has been on Club Penguin for a month or so, and she's been enrolled as a secret agent. You get a tool to move around the site more easily, a range of mission games, a secret tunnel from the sports shop to the surveillance HQ and some fine clothing options like a bow tie and a tuxedo. (Why on earth would a penguin -- the world's most sophisticated bird -- need a dinner jacket?)

But the real meat is in the handbook. You have to report mean penguins and the ones who use bad words, so some harried moderator in Tucson or wherever can review the log and decide on an appropriate action.

Little do they know that the NMAAJSD has essentially no chance of spotting bad language -- we were watching two potty-mouthed puffins F Uing and F U 2ing and she had no idea what it meant. And this is the child who, on her fifth birthday, addressed the author of her being in these terms: "Just fuck off, Daddy."

Still, you have to give them credit. They're at least trying to make it fun to be a snitch, and that puts them a little ahead of the Staasi.

Air Defence Chicken

Mrs U has persuaded the broody hen to hatch eight chicks -- four of our eggs and four (of six) from a Black Rock breeder (I keep wanting to say Northern Rock....) and the time has come to let them out for a little air in an improvised run of their own.

Magpies and kestrels are an obvious worry, but it seems that hen is ahead of us. Mrs U thought the was looking a little odd one day, as the chicks cheeped and pecked in the long grass around her. She was carrying her head strangely -- almost as if she was watching the sky. Which she was. There was a single black speck circling in the skies. And the air-defence chicken led her mixed brood indoors.

Spam Counter - 2008July: 1,207

Nearly all penis pills, or visit and get pwned.

Naming Risks

Jerome Kerviel seems to be on the edge of getting a risk named after him. This is not the sort of distinction that will make his mummy proud, but it is a distinction nonetheless. About the only other named risk I can think of immortalises the otherwise obscure Herstatt Bank closed by regulators in 1974 before it had paid out on its forwards settling that day.
Kerviel's activities are set out in the Mission Green report, and if you were following the story at the time, it's interesting to see how wrong the initial spin was: He wasn't stealing passwords, he wasn't modifying control spreadsheets. He was exploiting his back office knowledge, but at a higher level: he knew how to use cancellations and corrections -- all the points where control can't be watertight because trading isn't -- to get his positions off the records, and he'd been doing it for some time. (It was only right at the end that he started to fake forwarded email -- nothing complicated, just editing a real forwarded email.) So this gives us a useful term: Kerviel risk is exploitable vulnerabilities -- uncompleted cycles of review and follow-up -- in a control system. A short name for a rather complicated concept, so maybe it'll stick.
No this definition means that Kerviel's name is not correct for authentication-abused-to-approve-fraudulent-actions risk. But Jagmeet Channa has come along just in time to help us out. He stole a couple of passwords to approve his multi-million pound transfers to his accomplices in N. Africa and Manchester.
The problem is figuring out what risk we're naming here. Channa's not talking so we can't tell if it's:

• Password stealing? -- he certainly did, but maybe that's not the point
• Inserted Insider?
• Coerced Insider?
• Criminal Mastermind who recruited outside help?

I'm going with the authentication, for the present. Channa Role Risk.....
And what makes this a security story? Well, the investigation started by interviewing the colleagues whose passwords Channa used. Don't fancy being in an interview like that? Then guard your password.

The Visitor

If you care to watch out, the light evenings expose one of our regular visitors -- a barn owl cruises the paddocks a little after nine. It looks like a ghost, a big white bird flapping hard so as to fly slowly but totally silent. In the three years it's been coming, I've never seen it stoop but I suppose these summer visits must pay off.

In the winter, when I'm walking across the fields well before dawn, I hear owls calling in the dark, but I can't tell what sort, or whether they're hunting or socialising. Sometimes they sound like they have a warning for me.

Fargo

Everyone raves about Fargo but I never saw it until last night. It is funny, and the premise of this very ordinary copper rolling up a complex, ugly situation almost without any difficulty is attractive.

For me, the best bit in the film is the shot where we see the William Macy character pull up in front of his father-in-law's body. By now, he's so depraved and so far out of his depth, that it takes him just a second to pop up the boot of his car....

Club Penguin Without Being Mad

Club Penguin is an MMPORG a bit like Second Life. Except that you can't use bad language. And your avatar is a Penguin. And it's owned by Disney. This is right up the Not-Mad-At-All-Just-Stubborn Daughter's street and for her ninth birthday treat she was subscribed.
So that's lovely except that the browser applet wouldn't connect.
Now by rights I ought to go off on a LUA rant here about the daftness of software for children that has to be admin to run. Except that CP is fine as an ordinary user and in fact I had an inkling what was wrong as soon as I saw the message.
So I went off searching and found this support page. Take a look at point four.

4. If none of these things work, you should call your Internet Service Provider (ISP). That is the company that you pay to connect to the Internet. They might be using a firewall that is blocking the ports that lead to Club Penguin. When you call them, tell them to open up these ports for TCP traffic, inbound and outbound: 3724, 6112, 6113, and 9875.

That's right, you have to open the ports, inbound and outbound without any limitation by address! "Sure I've got a hardware firewall, except that if you scan these ports you can reach a closed source server written by security numbskulls running on my daughter's PC..."
Long faces all round in the U household.
But it's actually OK. All it really seems to need is those ports open outbound, and it runs fine, with the NMAAJSD playing the mini games to her heart's content.
And that's the reply I expected to get when I opened the reply to my support enquiry. I'd asked for the server server addresses so I could limit the inbound traffic. What I got was a different list of ports (843, 9875, 6112, 3724, 6113 and 9339) with no reference to my questions about direction or limitation. This is software that's intended to be safe for children.
Nice try Walt. But Mad Aggy's happy, and that's what matters.

ProxySG Appliance Event 3E0003

Here are some messages you don't want to see:

• 2008-06-24 10:13:30+01:00BST "Virus warning! The ICAP service 'proxyav' detected 'Mal/Badsrc-C' while accessing http://news.bbc.co.uk/sport1/hi/golf/default.stm.

• 2008-05-27 14:47:23+01:00BST "Virus warning! The ICAP service 'proxyav' detected 'Mal/Badsrc-A' while accessing http://www.citrix.com/English/ps2/segments/v/vertical.asp?contentID=1415."

I don't know what Mal/Badsrc-[AC] are -- Sophos are vague -- but I don't want to see them on Citrix.com and the BBC. If this is a sign that the malware distributors are moving up from the loweapline.com and the nla.co.uk, we may possibly all be in big trouble.

Spam Counter - 2008 June: 1,379

A lot of clothes and watches. Somebody is running some excellent UK bank phishing -- caught one of our senior managers.

Auran Trainz 2006 without being an Administrator

It's not hard. As an admin:

1. Install in the normal way. Get it working with the graphics settings etc. DirectX 9 works for me, and OpenGL doesn't.
2. Run these commands as an admin:

   
   C:
   cd \Program Files\Auran
   cacls * /T /G Users:F
   

3. Run Regedit and navigate to HKLM\Software\Auran. Right-click on Auran and select Permissions.
4. Select Users and check the box marked full control

Done! Any user can run and save settings.

Grepping the IE cache

I had to do an investigation the other week. I'm not an investigator and so naturally I screwed up. Here's what I learned.

Complaint was that some abusive hotmail-sent mail had arrived quoting the outside address of our firewall. After a bit of to-ing and fro-ing, I was allowed to see the headers, and that told me a good deal:

• Hotmail does indeed quote an originating IP in the header. Who knew?

• The earliest relay in a hotmail relay list is a name like bay99fd.bay99.hotmail.msn.com. Any hotmail user knows that the bay appears in the URL on the hotmail home page and throughout the user interface. And for any particular account, that bay number is fixed.

• Timezones were going to be a problem. We were in local DST, the victim's mail infrastructure was in their DST and four hours behind, his MUA was working in another zone still and a lot of the Hotmail infrastructure is on Pacific time. Still, given headers, I could convert everything to UTC easily enough.

OK. Time to see if we can knock this out in a single step and get back to proper work. The Log appliance appliance has been gathering proxy logs all year. We're a pretty relaxed site and I've not been asked to report on usage of a named site before, so I have to code up a report with wildcards for client IP, domain-name and the page name. A bit of experimenting gives me a report of access to that Hotmail bay.

Now this is the first place a real investigator would have done it differently: First step should have been a summary report of all the users of the bay over the last three months. That might have been enough to get HR off my back. As it was, I spent a week dipping in and out of the proxy logs data to look at alternatives as the mails emerged from the complaining firm.

That initial set of headers fingered a single user. I could only see two users of the bay, and at the right time only one of them was active. And guess what? Within the two-minute precision of the log upload batch, he used pages on the bay called "compose" and "premail". A bit of experimenting with my own hotmail showed that that is the characteristic signature of sending Hotmail.

This is the second point I did the wrong thing. I've got a budget for investigations and I should have used it. For UKL 1,000 + expenses and VAT, Kroll Ontrack (it used to be Vogon) will send midnight engineer to take a swearable image of a workstation hard disk, leaving you with a handy USB disk copy for your own investigation and the user none the wiser. I was focussed on our local, more rough and ready process, which was a bit too public for HR. It wasn't a total screw-up though. I'd only looked at proxy logs through a read only interface -- I knew enough not to touch the workstation, and so the purity of its evidential status was preserved, even though the Internet cache timeout was ebbing away.

Part of the delay was at the far end. HR can't and won't do anything on a complaint like this without the offending text, and the complainer was a bit coy. HR's reason is good: it might not be offensive in our context. Still, I thought it was a bit silly -- the headers showed that the hotmail address was obviously a real name, and not the name of our user, and he is, or was, a regulated person.

In the middle of that argument, I got a second set of headers for a much more recent mail. Same accounts, same bay, same user matches.

It all went a bit off course at that point. What I got next were not proper headers with that incriminating source IP and lovely times plainly referred to UTC. It was the nesting of headers in the body of a reply/forward dialogue, and the "on" times there are converted into the time of whoever received the mail. By that time, I was so focussed on matching the time to activity on the proxies that I set to work trying to infer the timezone of each recipient and reconstruct the offenders side of the dialogue. A proper investigator would have realised that this exercise was difficult enough to make uncertain results, and insisted on headers or nothing. As it was, I made mistakes and spent a lot of time wondering how the original mail could have been sent when our target definitely was busy and wasn't on Hotmail. I went as far as trying to rope in the other user of the bay as an accomplice -- that didn't work either. Looking at the times again, I can se my mistake: It wasn't five PM, but seven, and the mail was sent from home.

I'm not privy to the discussion that went on in the business. It's called reputational risk and I guess we were asking the board to trade a reputational compromise with a non-customer against possibly losing an expensively-hired fund manager and telling his customers that their money had been in the hands of a stupid person with weak morals. Glad I don't have to make that choice, but they did the right thing and I was told off to get the dirt.

The Kroll visit was simplicity itself, mainly because I didn't have to stay up all night -- the HR guy did that!

Lunchtime next day I got an urgent package with a 40GB USB hard disk which mounted first time on my non-build laptop. That was another mistake -- if I'd used a Linux laptop, or a regedit fix, I could have controlled the mount to be read only. It didn't really matter as the forensic copy is on Kroll's servers -- the supplied disk is just a playpen. The idea is that you hunt around any way you like, but any defence witnesses or advisers can still work with a guaranteed untouched copy.

This is important -- a lesson I learnt long ago. Never give in to the temptation to take a quick look at a workstation via the admin shares or however. Unless you are collecting them automatically, don't even look at the event logs. Right at the beginning of any question, figure out -- ask -- if there's any possibility that anyone will be held to account for what you uncover. Consider whether (for example) you could work from restores, or with a reporting tool. Tell your interlocutor that if it's possibly going to get as far as swearing evidence, you are less likely to be overturned if you work throughout with a trained investigator.

If you really have no choice, make sure you get a crytographically secure hash of each and every file you access. Make it clear in your notes that you obtained the hash before looking at the file. Print the hash out, note the time it was obtained, sign it and date it. Make sure that the file you keep will generate the hash you print. That way you can swear that it was that way when you found it.

However. I had a scratch copy of a workstation disk and I could do what I liked. There are tools for this sort of thing and I ain't got aught of 'em. Not necessary at my level. You can download an excellent Windows grep from the FSF and anything else is overkill. Remember to put the GNUWin32\bin directory in the path.

With the disk mounted, you'll find the IE cache is at (name changed to incriminate the innocent)

\Documents and Settings\umacf24\Local Settings\Temporary Internet Files\Content.IE5

Make your way there in the command line and issue a carefully chosen grep:

grep -irl madeupname@hotmail.com *

will search for the address in all the cached files in that directory. That matters because hotmail puts the logged on account on every page, so you can see right away whether the user has actually been active on that account -- the one thing the proxy logs can't give you. Those options mean: -i case insensitive, -l list the matching files (as the content isn't much use, as text) and -r recurses down the directories.

I was surprised to find that the IE cache went back a lot further than I expected. It looks as the the "retain for n days" setting only takes effect if space is tight -- this man's cache went back months.

Now the beauty of the IE cache compared to Firefox is that there's no complicated database format. The files cached are the files downloaded. Names are modified, and there's a directory structure to avoid having one huge folder, but the pages can be displayed in the browser. I have an account which doesn't have Internet access, so using that account, I just started IE and browsed to the appropriate files. It was one of my happier moments to see a hotmail folder listing -- looking a bit dodgy, admittedly -- listing times and subjects of the complained-of emails. Access to compose pages actually gave me content of mails which the complaining party had been relectant to reveal. I gather that the colour prints of those pages were particularly unsettling when the confrontation occurred.

I can't write a story like this without a few lessons.

• Serious investigation would have been overkill. We didn't need deleted files, we didn't need to to search for concealled media or executable content. It was just those emails

• Think. Of course he was doing it from home.

• Ask for what you need. I needed headers.

• Don't be afraid to search a PC. I've bought an imaging machine so we can do our own. I could have got those unarguable Hotmail reconstructions much earlier and saved a lot of time.

• You want to keep proxy logs for ever. The depth of context is invaluable when you need to do a lot of learning about what your users get up to.

• Remember that users can't protect themselves. Using gmail over SSL would have made this offence effectively uninvestigatable without bugging his PC. But who knows that?

Good luck to you

Spam Counter - 2008 May: 1,701

Penis pills, with a sprinkling of fake watches.