Thursday, November 29, 2007

How to practice safe computing

For the home user out there without an IT department or computer science degree it is unfortunate that the software industry has put such a buggy, generally insecure, high-maintenance headache of a machine on the market they call a computer.

But, you can't do much about that (except lobby for liabilty for software security).  And it's the holiday season when the spammers and scammers come out of the woodwork.  I've already seen a huge spike in spam activity.  Here's what you should do to protect yourself.

[Note that I have written these as positive statements of what you _should_ do because research has shown that when you try to tell people about a myth or anything, they often remember the words of the bad examples but forget that the example was incorrect so they end up being trained to believe a falsehood on accident.  So, staying all positive should help your brain help you to remember how to practice safe computing.]

General security practices:
  1. Know that You are a target!  Yes, there are people who want to break into your computer for all kinds of reasons.  They may not care about stealing your high-school term paper, but they would love to either steal your passwords, credit card numbers, or even just add your computer to their network of others that are used to send spam, host malicious websites, and attack other systems on the Internet.  Your CPU cycles are valuable on the black market!
  2. Run Windows Update and install patches regularly!  New patches come out about every first Tuesday of the month for Windows so make sure you keep up!
  3. Upgrade your browser!  Internet Explorer 7 or Firefox 2.x are much, much, much more secure than the old Explorer was.  You can avoid lots of attacks with this simple change and get better active protection while surfing the Internet.
  4. Do not surf the Internet on a Windows XP or Windows 2000 computer as an Administrator!  This makes it way too easy for bad software to be installed that can ruin your day.  Create yourself an Administrator account that you can use for installing software, printers/hardware, and patches.  For everything else day-to-day, use an account that is only in the Users group.  Ask a geek for help setting this up!  It is simple but can really tighten your security.
    1. Also, when you have friends come over to use your computer, create a separate account for MyGuests that is only a lowly User so you don't let them screw up your computer or infect it with viruses.  Who knows what they will change or install (or whether they even know what they did...)
  5. Make sure all the rest of the software you have installed is also patched.  Run the update managers included in each package, such as iTunes, Firefox, and Acrobat Reader.  A ton of security holes are in these programs so keep them patched to -- Microsoft sure won't patch them for you!  A good program to use for this is the free Secunia Personal Software Inspector (PSI)
  6. Run a decent anti-virus, anti-spyware, and firewall program.  Oh, and be sure that your virus signatures are up-to-date!!
    1. I recommend AVG Freeware for the budget-conscious or Kaspersky or F-Secure for those wishing to purchase solid vendor packages.  I wouldn't let my worst enemy use McAfee and Norton is oft a resource hog.
  7. Do use different passwords for financial and shopping sites than you might use for your email, myspace, recipe site, etc.
    1. If someone steals your email password, you don't want them to also be able to get into your Quicken or online banking site!
  8. Use a free and secure password manager program such as KeePass to keep track of your passwords and other sensitive data and help you fill in online forms!
    1. You have no excuse for using bad passwords because these programs can help you use stronger passwords that you don't need to remember -- or even type in yourself! 
  9. Be very careful when accessing financial sites or shopping sites from computers at a hotel, library, school -- and especially at your relatives or friend's houses.  If you can, wait until you can use a trusted computer.  You wouldn't drink an unmarked cup of mystery liquid you just found next to a stop sign, and you should reserve similar caution when using an unmarked computer you just don't know is secure or not.
    1. If you must do something risky from a public computer (like at an Internet cafe in France...) then change your password right away when you return home!
  10. Check your credit reports from all three credit bureaus every year For Free!  But only use this site Annualcreditreport.com since it is the official one organized by the FTC to get you your reports that you are guaranteed by US law.
Shopping tips:
  1. Use reputable websites if at all possible when making online purchases.  Deal with the amazons and bestbuys of the Internet and be wary of some vendor you've never heard of.  When in doubt, ask someone to help you check an offer or website out for you!!  If it sounds too good to be true, it probably is.
  2. Check your credit card and bank account statements often, especially during the holiday season.  Use the power of online websites to stay up-to-the-minute and catch unauthorized charges early to minimize your losses.  Federal law allows banks to not cover fraudulent charges if you don't report them in a timely manner!  You are normally only liable for $50 maximum if you report it promptly.  Although these days, I recommend getting a $0 liability credit card and then you don't have to worry at all.  But you don't really need to fret so much anyhow since you aren't really liable for much.  And the risks of using checks these days far outweigh many other online risks.
  3. I recommend against using Debit cards online just because the laws protecting consumers are VERY different for those and your banks DO NOT have to honor any maximum liability caps (though most do).  You should only use them if you could handle the worst case event of all of your money in your checking (and if you have overdraft--your savings) being siphoned out and want to deal with the hassle of dealing with some shmo in the fraud/risk department of your bank begging to get provisional credit back so you can buy groceries or beanie-babies or what-have-you.  I've had my debit card stolen and it can be a real P.I.T.A.  It would be much nicer if it was someone else's money that got stolen...like your bank's.
Email tips:
  1. Spammers and scammers love it when you forward chain emails because they know they can trick you into doing their dirty work for them and spread their lies and filth.  Stop these dead in their tracks and just delete them when you receive them.  Do not forward them, even though your friend Susie sent it to you.  You don't need to send that chain email around "just in case" you might get bad luck from not continuing the chain.  You may be giving your friends bad luck if you happen to send something malicious...
  2. If you must send something out to a large swath of people, check the veracity of the claims at Snopes before doing so.  It only takes a second.  And Snopes should be easy to remember.  There is so much misinformation on the Internet and you are part of the problem if you keep sending it around.
  3. Ignore any email claiming to be from a (Bank, paypal, ebay, amazon, etc.) and needing you to "verify your identity" or similar.  Those are all scams.  All of them.  I'm serious.  And the ones that aren't are from companies that you absolutely should not be doing business with anyway because they obviously do not know or care how to protect your security.
For the Advanced Placement members of the class:
  1. Use the excellent secure-deletion program Eraser to shred files securely from your computer.  The basic Trash can does not remove all traces of your data, just like throwing it in the trash is not as good as in a cross-cut shredder.
  2. Question sites that require you to provide personal information to get something, even software downloads.  Often there is nothing preventing you from putting in bogus information.  You can also try the website BugMeNot for lots of free logins and passwords to sites that require you to register so you can avoid proliferating your name, address, etc..
  3. Opt-out of junk mail at home, and opt-out of telemarketing.  Also call 1-888-5-OPTOUT (888-567-8688) to tell all three credit bureaus to not sell your info for pre-approved credit applications.  It works.  You will get tons less junk mail that you have to shred.
Other resources:


Monday, November 26, 2007

SONY compromised?

I noticed that one of the throw-away email addresses I registered years ago for sony style product registration and accessories is now receiving spam.  Was sony compromised or did they have an insider sell their addresses?  Who knows...  I know that I didn't give it out to anyone...



Sunday, November 25, 2007

Postfix + DSPAM 3.8.0 + Ubuntu

I have been wrestling with my dspam configuration on Ubuntu for quite some time and think I finally got it set up the optimal way. It took building a custom modern dspam package myself, with the help of a kind soul who built a custom package for Debian etch.

I get tens of thousands of spam messages to my personal accounts each month. And there are many more going to other users at my domain. It has been getting worse recently. This primarily caused me to take more drastic action and implement realtime blackhole lists to block spam from even entering my mail system. It is absolutely stunning to see how much spam gets blocked vs. how much gets in now. I haven't calculated the stats but on a cursory look at my logs, it is well over 70% that is being dropped on the floor now.

I was having a really bad issue with dspam 3.6.8 that comes with Ubuntu. Turns out this is a very old version of dspam. 3.8.0 has been out for well before the current 7.10 release yet it is only now being looked at for inclusion in 8.04 in April 2008. Ugh. Part of the problem is that upstream Debian hasn't upgraded yet in any of their repositories -- even unstable. Reference: https://bugs.launchpad.net/ubuntu/ source/dspam/ bug/160139

Alas, I set about building my own. I found a great resource at http://packages.kirya.net/debian/pool/main/d/dspam/ that had binary builds for debian etch and the source packages. Rather than wrestle with redoing the work of applying 3.6.8 patches to 3.8.0, I started with this and it actually builds everything cleanly on Ubuntu 7.04 just fine.

First thing is to make sure you have all of the prerequisites for building packages and building dspam. dspam requires at least mysql, postgres, ldap, zlib and other libraries to build, as well as automake and other build tools.

sudo apt-get install build-essential
sudo apt-get build-dep dspam
Obtain the source code and debian patch:
wget http://packages.kirya.net/debian/pool/main/d/dspam/dspam_3.8.0-1.1etch1.diff.gz
wget http://packages.kirya.net/debian/pool/main/d/dspam/dspam_3.8.0.orig.tar.gz
Unpack everything and apply the patch
tar xvzf dspam_3.8.0.orig.tar.gz
gunzip dspam_3.8.0-1.1etch1.diff.gz
cd dspam-3.8.0
patch -p1 < ../dspam_3.8.0-1.1etch1.diff
Now, build everything, including the .deb packages to install. You can skip this and do debian/rules install (as root) if you want to install without packages after compiling.
chmod 755 debian/rules
fakeroot debian/rules binary
Now, install the new packages. Note there is a new dependency on a base libdspam7 package for any of the driver packages. I use mysql by the way.
cd ..
sudo dpkg -i libdspam7-drv-mysql_3.8.0-1.1etch1_i386.deb \
libdspam7_3.8.0-1.1etch1_i386.deb \
dspam_3.8.0-1.1etch1_i386.deb \
dspam-webfrontend_3.8.0-1.1etch1_all.deb \
dspam-doc_3.8.0-1.1etch1_all.deb
There were some changes in the config file from 3.6.8 to 3.8.0 so I would suggest starting with the new config file and integrating your customizations. This worked the best for me, although I did forget a few settings here and there so diff is your friend. That's all it took to get upgraded. My final working DSPAM postfix configuration went through some modifications as well. I originally had DSPAM integrated as a content_filter, but that runs dspam for all incoming _and outgoing_ messages. I didn't think this would be a problem at first, but after seeing it in action it became confusing for end users. What can happen in this configuration is dspam can tag the message subject with your SPAM tag when _the recipient_ (which is often a mailing list) has dspam run on it, but then dspam is run again for each individual recipient upon delivery so can end up deciding that the message is not spam, but the subject is left alone. Thus, users receive a message tagged as spam that isn't, according to their dspam decision. I instead set up using this general guideline, which is excellent: http://gentoo-wiki.com/HOWTO_Spam_Filtering_with_DSPAM_and_Postfix I don't use ClamAV though so that's the major difference. I've seen so many security notices sent to Bugtraq that I'm not sure the cure is better than the disease... I wanted system-wide spam and notspam retraining aliases though, so I included another transport filter in my configuration to handle those special users first before dspam got to them:
smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/dspam_retrain_aliases,
permit_mynetworks,
reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/dspam_incoming_filter,
....
permit
Then, in the dspam_retrain_aliases file I have:
[email protected]                  FILTER dspam-fp:innocent
[email protected] FILTER dspam-add:spam
These trigger the following filters in /etc/postfix/master.cf. Note: you need to set up these subdomains in DNS first! You could probably do something like this without subdomains but that's how I and others have gotten it to work.
# only allow local network to post to these entries
dspam-add unix - n n - - pipe
flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user [email protected] --class=spam --source=error
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=192.168.1.0/24

# only allow local network to post to these entries
dspam-fp unix - n n - - pipe
flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user [email protected] --class=innocent --source=error
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=192.168.1.0/24
I also added in some header_checks to reject emails with foreign character sets in them to block additional spams. I've been getting a ton of greek spam and other mid-east charsets it seems.
# Using this to block lots of non-US character set emails
header_checks = regexp:/etc/postfix/header_checks
And I combined several regexes from various Internet sources in there:
/^Subject:.*=\?big5\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*big5/ REJECT No foreign character sets, please.
/^Subject:.*=\?euc-kr\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*euc-kr/ REJECT No foreign character sets, please.
/^Subject:.*=\?gb2312\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*gb2312/ REJECT No foreign character sets, please.
/^Subject:.*=\?iso-.*-jp\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*iso-.*-jp/ REJECT No foreign character sets, please.
/^Subject:.*=\?koi8\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*koi8-r/ REJECT No foreign character sets, please.
/^Subject:.*=\?ks_c_5601-1987\?/ REJECT No foreign character sets, please.
/^Content-Type:.*charset=.*ks_c_5601-1987/ REJECT No foreign character sets, please.
# headers with 8 special characters... spam
/[^[:print:]]{8}/ REJECT Special chars in header a no-no.
Hope this summary helps someone...

Update: Fixed the build-dep installation command above. Copy/paste error...

Monday, November 19, 2007

Coolest new find: Wifimug.org

What a great find!  "A Guide to Seattle's Free Wireless Coffee Shops"  They even have them categorized by neighborhood and even ones that are open late (it is annoying how much stuff in Seattle seems to close early...)

The beauty of wikis keeps popping up all over the place.  I was just marvelling at how much data there is on the OWASP wiki and how easy it was to share new information.  Now, if there was only a PC interface to your brain so you could actually consume all that data being generated...

Home Page: Coffee and Wireless in Seattle
Seattle is rich in good, independent coffee shops that offer free, or mostly free wireless access. This wiki is intended to be a guide to the best places in the city to huddle over a table with your laptop, a cup of something hot, maybe a pastry, and get online.


Saturday, November 10, 2007

smbfs is deprecated

Wow, I haven't been paying close enough attention.  Fortunately the problems with smbfs were bothersome enough for me to do some research and find that it is no longer maintained and that cifs is much more stable.  Most of the arguments are directly mappable between the two so migrating is a cinch.

If you are getting any of these kinds of errors, especially after hitting the file share really hard -- even with reads -- then consider switching.

[167285.988223] smb_lookup: find //.Trash-core failed, error=-5
[167296.124968] smb_add_request: request [ea3c5100, mid=53572] timed out!
[167315.978636] smb_add_request: request [ea3c5200, mid=53573] timed out!

Joey Stanford :: Resolution to Mounting Samba Shares - Don’t use smbfs