Only a matter of time.

Earlier on, I commented on my august university’s use of a single password for all things. Crack that and you can:

  1. reset grades
  2. redirect salary and payments
  3. raid bank accounts
  4. access grant funds
  5. access and/or corrupt personal information
  6. redirect phone lines and email
  7. and probably a few other things as well.

Thus while “secure” because the password meets various “industry standards”, it becomes a single point of failure and a worthwhile target.

Well, I just received my first GSU-specific phishing attempt. Please return your username and password with this email (reply address is not at GSU). I must admit it was not a very professional attempt (hint: the user name is the first part of our email address (everything before the ‘@’) and the directory is publicly searchable – you wouldn’t get an ‘A’ in my security class), but at least it shows the scammers are awake.

Written by Rob in: security |

Yup, It’s Cache Poisoning, but Distributed Cache Poisoning

My email “phishing hole” received what looked like a bog-standard phishing email. Nominally from Chase bank, requesting that I update my information. Nothing particularly interesting – standard tricks like using a font with the background color to hide a bunch of random tripe so that Bayesian filters won’t flag them – and the usual redirect at an <a href=”someip”> Chase Online Form </a> where someip is chosen to look realistic. In this case it was “”

As usual, I collected information about the site to use as an example for my class, and then things got more interesting. The end of the web call went “OnlineForm.aspx?chase_id=89”, and I attempted to get the file OnlineForm.aspx. No luck, just a 404 file not found. It turns out that OnlineForm.aspx is the directory where the files are stored and the ?chase_id= term just kicks the web browser into that directory, where it returns index.html. This is a cool trick to make automated website slurping fail, and perhaps preserve the lifetime of the site.

These people seem to know a thing or two, although the HTML and PHP on the site is not exactly high quality. In fact I’ve seen it before.

Nonetheless, I then went to see who the abuse line is, because I don’t like ISPs that register obvious scam addresses and I suspect that the UK’s serious fraud units don’t either (the FBI certainly doesn’t). So a quick pass by whois was in order.

Whois proceeded to tell me that this domain cannot be a registered uk domain because “the domain name contains too many parts”. So how was an IP address associated with an invalid domain name?

Obviously the DNS cache was poisoned. This is neat – not only does the cache actually have a corrupted address resolution, but because the name is illegal it cannot be resolved by a call to normal nameservers.  It will reside until there is a timeout or total flush of the DNS cache.

Digging further with dig, I find a list of five answers (I didn’t ask for more) which resolve to various places. The first address is a cable modem in Canada. The next is a cable modem in Korea, and the last ones are various cable modems in the good ol’ USA.

It is highly unlikely that a Korean-Canadian-American conspiracy is at the root of this. Much more likely is that these five, among many others, home machines have been compromised and are acting as relay stations. The cache poisoning is used to distribute the relay stations so that any one of them can be removed from the net without compromising the entire system. A constant message refers to one of many relay machines, thus defeating simple blocking and further backtracking (at least at the level a professor can get to).
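The dig check above can be scripted so the “one name, many unrelated cable modems” pattern is caught automatically. This is an added example, not Rob’s own script; the answer section is constructed from RFC 5737 documentation addresses and the name is a placeholder.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed dig answer section (placeholder name, documentation-range addresses).
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
chase-update.example.   300  IN  A  192.0.2.17
chase-update.example.   300  IN  A  198.51.100.44
chase-update.example.   300  IN  A  203.0.113.9
chase-update.example.   300  IN  A  203.0.113.210
chase-update.example.   300  IN  A  198.51.100.7
"""

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(dig_output):
    """Return (name, ttl, ip) tuples for the A records in dig's answer section."""
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), ip_address(m.group(3))))
    return records


def relay_indicators(records, min_hosts=3, min_networks=3):
    """Summarise how scattered a name's answers are.

    Several addresses in unrelated /24s (a stand-in for unrelated consumer
    ISPs) is the signature of a relay pool rather than one hosting provider.
    """
    ips = {ip for _, _, ip in records}
    nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    ttls = [ttl for _, ttl, _ in records]
    return {
        "addresses": len(ips),
        "networks": len(nets),
        "min_ttl": min(ttls) if ttls else None,
        "looks_distributed": len(ips) >= min_hosts and len(nets) >= min_networks,
    }


if __name__ == "__main__":
    print(relay_indicators(parse_a_records(SAMPLE_DIG_ANSWER)))
```

Feed it the output of `dig +noall +answer <name>` to run it on a live answer.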

Written by Rob in: security |

More overlaps between my worlds

Pete Lane at the Philmont Forum has a neat how-to about building a good crew. I won’t steal his thunder, but most of the points are really good basic management and apply in a laboratory context with graduate students. I especially like the point that “Good crews spend quality time together before their trek.” I know from long and sometimes bitter experience in the lab that interpersonal relations can make or break the productivity of a group. This poses a bit of a dilemma for my crew (well really my son’s crew – I’m just an adult along for the ride). I think it would be good to have a social get together, but how do we pull it off without upsetting the other crew from his troop?

Otherwise I’m trying a little quantification for the trip. I’ve been weighing everything and seeing how it adds up. Did you know BSA zipoffs weigh 120g more than REI lightweight ones, or lithium AA cells are about 2/3 the weight of alkaline ones? Depending on where I draw the line and what I use for a tent I can go from about 15 lbs to 18 lbs for base weight and meet all the Philmont guidelines (although I may be shaving the temperature rating (35F) on the sleeping bag for Mt. Phillips – just have to wear my polypros). I’ll post the list when it’s a bit more settled, but I really like the “gram-weenie” approach to planning.

Written by Rob in: backpacking,laboratory practice |

Yet Another Trail Map

One more trail map from a Philmont practice hike. 4.6 miles on more or less level ground by the Chattahoochee river at the Jones Bridge river park. Lots of poison ivy, and lots of pawpaws. So we’ll have to revisit in the late summer to see if the deer leave any fruit. According to Dan R., who is organizing the crew, these parks are the result of a rafting competition organized by a professor at Ga. Tech in the 1970s to raise awareness of the river resources before it was all built over.

jones bridge hike

Written by Rob in: backpacking,outdoors,trail map |

More on Phishing.

I was ranting yesterday a bit about domain names. It’s much more likely that the phishermen were using DNS cache poisoning. The IP address/name association has vanished today and whois never actually returned an owner. (I didn’t try all the directories but would have gotten somewhere with what I did.) Thinking about it from a security viewpoint, cache poisoning has some real advantages for the attacker.

First, backtracking to and then blacklisting the real site is difficult. Looking at my wget output suggests that there was a relay location in the way. So it would be possible, if you were fast, to find the first post in the relay, but it would take an alert security person to find the last post in the relay. Most of the blacklist approaches would only censor the first location in the relay.

Second is a software engineering advantage. You don’t have to re-write the email and webpages with new names. After all there are only so many realistic variations of that you can have. The scam setup can be kept constant and the cache attack used to insert new names just before the initial emails are sent out. The phishermen did not cache poison the main site and its common pseudonyms, both because this would be an immediate sign of trouble, and because the cache values for that would be refreshed rapidly due to their common usage. (Imagine trying to insert for – nearly every machine would have a local value and would try to resolve the difference in IP names, thus defeating the attack.) Unregistered and unpopular names would last longer in the cache.

Third, you could sell the phishing scheme as an application if you use cache poisoning. This may be just barely on the legal side of the business. (“Officer, I didn’t know that the mugger was going to use my baseball bat to threaten people – I thought he wanted to play ‘alley ball’.”) Anyway – it would be cleaner money than immediately scamming someone and thus harder to trap and catch.

Written by Rob in: security |

Phishing Trip

Just a short one showing how to analyze a phishing expedition that arrived in my email inbox.

It claimed to be from and baldly stated that my account had been used for something awful (an unauthorized transaction). Ok, maybe it’s possible, but not likely as I don’t have an active account with them.

A quick examination of the email header shows it is mailed with “The Bat!” from a forged email address. This is not the way PayPal sends email, so it’s clearly a phishing attempt. We could stop here, but it’s worth a bit further examination.

Buried in the email is:

Please confirm account information by clicking here <A href=””target=”_self”


This is disgusting. It is clearly a hired DNS entry that is only for scamming. Their DNS host should know better – it’s morally (and probably legally) the same as if I lent my baseball bat to a person I knew wanted to go out mugging.

Nonetheless we use wget to retrieve the page. It’s clearly copied from a PayPal site – including the copyright and do-not-use-for-any-other-purpose notice. Most of the links within it take you to the legitimate website. Except, a) it’s being logged on and b) one little entry to logon.php. logon.php is your “bog-standard” form handling PHP page which gets the information from you and sends it to the bad guys. It is also derived from a PayPal page, but much more highly modified and probably less realistic than the first.

There are a couple of generic security issues that can be seen from this.

  1. Layers of trust – the earliest pages in the sequence are the most carefully crafted to look like PayPal pages. Once “the mug” has been lured in then the degree of realism is less critical.
  2. Many false clues. Throughout the pages there are links to legitimate images and websites. If you depended on an HTML-only web email client you could not see which were real and which weren’t.
  3. Complicit commercial support for the scam. They registered a site that looks legitimate. Since PayPal itself uses other domain names ( for example), this can be hard to detect. Having registered domain names for a criminal activity is very disturbing.
  4. While I’m ranting about legitimate domain name registration, it’s also possible that the phishermen are using DNS bombing to force resolution of their domain name. This is a neat trick where you publish the DNS address:name pair and then the local cache of domain names uses your value rather than querying further. It has the advantage, for them, that the real address resolution disappears after a while and tracing back can be tricky.

My personal choice about these, outside of ignoring them (which I highly recommend), is to use a more “primitive” email client like pine. I get asked all the time why I don’t receive email with outlook or thunderbird or … . Now you know.
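The same header-and-links walk-through, scripted, for the times a “primitive” client is not at hand. This is an added example rather than Rob’s own analysis: the message is constructed (forged From, different Reply-To, “The Bat!” mailer, mostly genuine links plus one logon.php), with the bogus host on the reserved .example TLD.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the one from the inbox); bogus host uses .example.
RAW_MAIL = """\
From: PayPal Service <service@paypal.com>
Reply-To: verify@mail-handler.example
X-Mailer: The Bat!
Content-Type: text/html; charset=us-ascii

<html><body><p>Please confirm account information by
<a href="http://secure-paypal-login.example/logon.php">clicking here</a>.</p>
<p><a href="https://www.paypal.com/help">Help</a> |
<a href="https://www.paypal.com/privacy">Privacy</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Gather every <a href> so the real and fake links can be told apart."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self.hrefs += [v for k, v in attrs if k.lower() == "href" and v]


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyse(raw, claimed_domain):
    """Report the header and link clues the post walks through."""
    msg = message_from_string(raw, policy=default)
    from_host = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_host = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    off_domain = [h for h in links.hrefs
                  if not in_domain((urlparse(h).hostname or "").lower(), claimed_domain)]
    return {
        "mailer": str(msg["X-Mailer"]),          # "The Bat!" is not how PayPal mails
        "from_matches_claim": in_domain(from_host, claimed_domain),  # forged, so it does
        "reply_to_differs": bool(reply_host) and reply_host != from_host,
        "links": len(links.hrefs),
        "off_domain_links": off_domain,          # the one link that actually matters
    }
```

Run `analyse(open("msg.eml").read(), "paypal.com")` on a saved message; the off-domain list is where the form really posts.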

Written by Rob in: security |

How the small pack worked.

This weekend I had a chance to try my Gossamer Gear Mariposa Plus on a real trip. The troop 77 Philmont crew did an overnight trip on the Pinhoti trail just west of Dalton. Some of the trail guide literature about parking near the north end of our planned itinerary is a bit misleading, so we ended up doing an “in and out” rather than an end to end shuttle. Still it was enough to get a good idea of how the pack performs.

map of the trail

With the pack and a new light-weight bag (REI’s version of the Mountain Hardwear Lamina 32) I was able to bring my base weight to about 15 lbs (tent, alcohol stove and water filter included and with about 3/4 the clothes needed for Philmont). I loaded the pack up to about 35 lbs with a white gas stove, heavier pot, gas bottle, food and water to simulate the type of load I’d have on that trip. There was no difficulty in fitting it all in, and I had room to spare to include more if needed.
pack in front of tent
35 lbs is about the upper limit for this pack. The load was mostly transferred to my hips, but I could feel it in my shoulders. It was still fine for the stroll.

Notes – on performance in more or less random order

  • The mesh outer pockets handle a lot of gear including: tent, fuel bottle, pack cover, sanitary trowel, water filter, GPS, water and poncho.
  • The light-weight fabric is not very waterproof, so even with a pack cover it is important to use water-tight packing methods (we had a heavy rain in the morning).
  • The straps on the top are great for holding on rain gear.
  • The pockets on the straps can be cushioned with socks, but are not rain proof and I think the pads may be more comfortable.
  • Using the sleeping pad as part of the frame works, but the pad may get a little damp when it rains.
  • You can pack the pack inside a tarptent and then pack the tent on the pack.

Will I use it for Philmont?

I’m not yet sure about this. If it were just me with my share of crew gear and food – yes. The pack is comfortable at the maximum expected loads (carrying extra water for a dry camp, just after a food pickup). However, as adult leader I don’t have full control of my load. If one of the boys is struggling, I have to be able to handle extra things. My other pack will do that. It’s a close decision.

As an aside – I think I’m going with “sissy sticks”. I used one while walking Saturday and then for the last part of Sunday. It made quite a difference – not because my arms were pulling me along, but because the pole would take some of the weight while stepping and allow my legs to rest for a bit. In essence, I was using a rest step walk at a much faster pace than I could without the sticks.

5/9/2008 postscript: There is an interesting website that may make a difference in my thinking. Apparently the ultra-light heretics are making their way even into this bastion of classical backpacking.

Written by Rob in: backpacking,outdoors,trail map |

It’s (almost) CASP season again

It’s almost the start of CASP (comparative assessment of structure prediction) 8 and as usual my group is participating. This is a bit quixotic, because there are some large high-powered groups that will dominate, but it is always interesting and fun.

This year we’re doing something different. I built a server using what is our current best practices. It was so easy, that I built two – one which is a conventional alignment to model server and one which builds many fragments and assembles them. We may not even enter the manual competition. But that’s not what this post is about.

The thing is we’re building a server, and letting untrusted – indeed untrustworthy – users use our machine. How do we keep them from trashing it?

The problem is that the web server is run by the user apache – who has just enough privilege to open a web page and socket – but does not have and should not have any more. If we make apache strong enough to invoke user-area commands then we make the apache daemon strong enough to clobber the machine. Opening directory privileges to allow apache to invoke user-area commands allows a malicious script (in principle) to do a number of very nasty things. But if we leave it as a lame user then we can’t do any serious work.

block diagram of the server

We solved this with XMLrpc. The web server components present a form to the user. The user’s input is sanitized and checked for validity. The sanitized input is written to an XML file which describes the kind of modeling to be done – but does not give any of the commands used to perform that task. This XML file is then passed using XMLrpc to the local host ( which is inaccessible to the outside) and after further sanity checks the server actually builds a model. Eventually the server finishes and returns an email with model information.
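The essential part of that design is that the worker side re-checks a description of the job against an allow-list and never receives a command. Added example, not the group’s server code: it assumes a job is a struct with `method`, `sequence` and `email` fields, that the worker runs under its own unprivileged account, and that it listens only on 127.0.0.1.

```python
import re
from xmlrpc.server import SimpleXMLRPCServer

# Assumed job vocabulary: the worker knows these two modeling methods and nothing else.
ALLOWED_METHODS = {"alignment", "fragments"}
AA_RE = re.compile(r"^[ACDEFGHIKLMNPQRSTVWY]{20,2000}$")   # one-letter amino-acid codes
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_job(spec):
    """Allow-list check: the result says *what* to model, never how (no command text)."""
    if not isinstance(spec, dict):
        raise ValueError("job must be a struct")
    method = str(spec.get("method", ""))
    seq = re.sub(r"\s+", "", str(spec.get("sequence", ""))).upper()
    email = str(spec.get("email", "")).strip()
    if method not in ALLOWED_METHODS:
        raise ValueError("unknown modeling method")
    if not AA_RE.match(seq):
        raise ValueError("sequence is not a plain amino-acid string")
    if not EMAIL_RE.match(email):
        raise ValueError("bad reply address")
    return {"method": method, "sequence": seq, "email": email}


QUEUE = []   # stand-in for the real job queue


def submit(spec):
    """Worker-side entry point: re-validate even though the web tier already did."""
    job = validate_job(spec)
    QUEUE.append(job)
    return len(QUEUE)


def make_server(port=8008):
    """Bind to the loopback address only; the web tier is the only intended client."""
    srv = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    srv.register_function(submit, "submit")
    return srv


if __name__ == "__main__":
    make_server().serve_forever()
```

The web tier, running as apache, would call `xmlrpc.client.ServerProxy("http://127.0.0.1:8008").submit(spec)` after its own sanitizing pass; a hostile `method` such as `"alignment; rm -rf /"` is rejected on the worker side as well.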

Which looks something like:
a picture of a molecule

My students made heavy weather about all this, but it really takes about a week to get all the parts together (working part-time and reading the documentation for the first time as you go). In testing the main server has run about 150 jobs (well, we’re not swissmodel) and returns similar quality models to what we get by hand.

One of the neat side effects of automation is that we can now explore more rigorous algorithms (after all it’s only CPU time) and support collaborative or cooperative research with minimal human effort.
