Deerfield Hosting, Inc.

High Performance Web Hosting


Dealing With Extortion Spam

April 1, 2019 by dennis

This morning we had a common help ticket request. A customer had received an email telling him to pay up or his secrets would be revealed. The secrets concerned his sexual behavior. He was disgusted and wanted to never get such an email again. I don’t blame him.

The email was almost certainly a shot in the dark, hoping to hit someone unwary. This is what they do. Since few of us have the resources of Jeff Bezos to deal with extortion attempts, we will have to find a more practical way to deal with them than counter-attack.

Following is my response to this customer:

Other than throwing the email away, what did you want to do about it? If you have no reason to believe that the email is anything other than spam, there is nothing more to be done about it.

What the criminals do is send thousands of emails like the one you quoted. Perhaps 1 in 5,000 believe it and send them money. That keeps them sending more.

Email was not designed to run on the Internet. It was designed to be used in a single hospital. There was no thought given to potential abuse because everyone knew everyone else. Bad behavior would result in a person being regarded as a misfit and might even get the person fired. From there, email spread to universities. It was found to be a very useful collaboration tool. It was a collegial environment where misuse would result in ostracism, just as in hospitals.

Universities would sync with each other over phone lines nightly using a protocol called UUCP. With some modification, that evolved into the US defense department network called ARPANET. Eventually, that evolved into the Internet. In 1994 – 1995 the Internet became widely available and was flooded by people who had no concept of how things work and no concept of acceptable use. What it had been until then was lost.

Email is a holdover from those early days.

Many attempts have been made to replace it with systems which include control over who can use what email address, who can contact whom, validity verification and more. All have failed. The way email works is too entrenched to be altered in any meaningful way. People dislike change and disruption.

We throw away or refuse more than 95% of the email coming to our mail servers. We can’t get that number to 100% without accidentally discarding wanted emails.

The only remedy is to understand that email is flawed. Don’t waste time hoping for it to be something else. Throw the spam away and forget it. It doesn’t deserve more than one second of your time.

Filed Under: Email

Anti Virus Software

February 7, 2017 by dennis

A dirty little secret – Antivirus software is nearly useless.

You haven’t heard this before because there is no money to be made telling people not to buy stuff. Also, the big powerful companies who sell AV software may come down on companies who say this. Speaking up could cause public relations problems.

There is essentially no evidence that antivirus software makes you safer and growing evidence that it makes you less safe. Yes, scans sometimes find viruses old enough to be in a database. The problem is, they never find new ones. It’s trivial for a criminal to modify virus code slightly, recompile it and release it again into the wild. It will have a new signature and anti-virus scans won’t see it. The better scanners are capable of considering signatures based on fragments, but this is not reliable.

It is becoming more clear that antivirus software makes you less secure. If you want technical details, take a look at some of Google’s Project Zero findings, or at how it can make your browser less secure. Basically, this is because anti-virus software runs with escalated privileges and injects itself into running software. If you are skeptical, run a search for “antivirus software vulnerabilities”, or check out the vulnerabilities database directly. You will find hundreds of entries.

Marketing material for AV software sometimes implies that it will work in ways which are impossible. The statements made to sell it are not flat out lies, but close. Windows has antivirus built in for free, Windows Defender. Since it’s free, the little bit of good it might do is worth the price. The virus signature database it uses has been shown to lag slightly behind the others, but the difference is so small that it’s irrelevant. None of them manage the impossible task of staying totally up to date.

Having AV software running on your computer may make you feel safe, like it’s watching out for you. That is a false sense of security and that’s dangerous. No software is capable of stepping in as needed to keep you out of trouble. It won’t stop you from doing something unsafe and it’s unlikely that it will notice when you have.

There is no way around it. You need to have a basic understanding of security to keep yourself safe online. It’s about the same as driving a car safely. It’s easy, but you will run off the road if you don’t pay attention. Keep the software you are running up to date. Keep the operating system on your computer up to date. Never open attachments you are not expecting. Never go to web sites you are warned away from. Use decent passwords. If you are unsure you know enough, here is a page which talks about how to stay safe at length.

If you uninstall your AV software you will not only be more secure, you will probably find that everything runs faster.

Filed Under: Web Site Security

The sky is falling!

February 7, 2017 by dennis

First two pages of the 1840 children’s illustrated book: The Remarkable Story of Chicken Little, who sounded the alarm for all to hear.

If you are running Windows 7 or worse yet Windows XP – You need to upgrade!

In the last few days we have had several incidents where customers have lost their web sites and identities by ignoring security warnings. You wouldn’t leave your car running in a busy place. You wouldn’t wander around with your eyes closed on a busy highway. Why would you leave your wallet open on the desk by running outdated software?

The retort I have heard is, “I’ve been running that for years. I don’t believe that it suddenly became insecure.” – This is true! It didn’t suddenly become insecure. It always was insecure. What changed is that criminals learned how to take advantage of it.

And no. I am not Chicken Little. But the sky will fall on you if you pay no attention to security. Sooner or later. Usually sooner. It’s a fact.

If you can’t afford the (yes, ridiculous) price of Windows software, run Linux. It’s FREE. Most people don’t need to run anything which requires Windows. The vast majority of the Internet runs on open source software like Linux not because it’s free, but because it’s better. It is virtually always more secure due to its development history.

Filed Under: Web Site Security

A Denial of Service Attack

October 22, 2016 by dennis

Online Security

On Friday, October 21 an exceptionally large attack was launched which affected a huge number of sites on the Internet. Some prominent sites were affected including PayPal, Amazon, NetFlix and Twitter. No sites we host were affected, although some sites using PayPal as a payment gateway did have some trouble.

To get some sense of the scope of the attack, you can take a look at downdetector.com and Threat Post. This incident has yet again pointed out that security on the Internet is a mess.

You may have unwittingly participated!

As is usual with slightly technical information, the news media reports of the incident were roughly 75% factually inaccurate. It is exactly the general ignorance of security which enables this kind of attack, so this is unfortunate. It’s not difficult to understand what happened and how you may have participated. If you are among those people who often use the acronyms, DR, TL, get a clue. Didn’t Read; Too Long isn’t a reasonable attitude in this case. If the Internet is to continue to be useful, we all need to take some responsibility for it. That’s just how it works.

How the Attack Works

When your computer (or phone, or any Internet-capable device) wants to connect to a web site or other service on the Internet, the first step is to get the numerical address of the service. It gets the address by using what is called DNS, the Domain Name Service, and it is basically a 3 step process. There is a centralized repository which exists for the purpose of translating domain names (paypal.com, netflix.com, amazon.com, etc.) into numerical addresses. The first step is to query the repository for a list of servers which have the wanted address. In step 2, your device sends the domain name to one of those servers and gets back the numerical address (called the IP address). The last step is using that address to connect to the service.

In many cases, the news media reported that web sites and services were hacked or were not functioning. This is sloppy reporting and is not correct. Sites and services were not even attacked. What was attacked was DNS service. This means for example that while NetFlix was up and running with no trouble, a lot of people couldn’t find out where to connect to it. They couldn’t get the address using the DNS system.

As I write this, a very large DNS service provider, dyn.com, continues to be under attack. For many sites a quick fix was put in place: adding DNS service from other providers. The DNS system is very resilient. When your machine can’t get an answer from one DNS server, it will try the next and the next until it either gets an answer or the list of servers to try runs out. By extending their DNS server lists, many sites and services were able to quickly restore availability. But that isn’t the end of the problem.
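The three-step lookup and the “try the next server” fallback described above, as an added example that is not part of the original post. It is an offline simulation: the registry, the name servers, the address 192.0.2.10 and the flooded servers are all constructed sample data, and no real DNS traffic is sent. It shows why a site whose servers were fine could still be unreachable by name, and why listing a second provider’s servers restored it.

```python
"""
Added example (not from the original post): an offline simulation of the
three-step DNS lookup and of the resolver falling through a list of name
servers when some of them cannot answer. All names, addresses and the
'flooded' set are constructed for the demonstration.
"""
from dataclasses import dataclass, field

# Step 1 data: the "repository" maps a domain to the servers that know its address.
# Constructed sample records, not real ones.
REGISTRY_NS = {
    "example-streaming.test": ["ns1.provider-a.test", "ns2.provider-a.test"],
}

# Step 2 data: what each authoritative name server would answer for the domain.
AUTHORITATIVE = {
    "ns1.provider-a.test": {"example-streaming.test": "192.0.2.10"},
    "ns2.provider-a.test": {"example-streaming.test": "192.0.2.10"},
    "ns1.provider-b.test": {"example-streaming.test": "192.0.2.10"},
}


@dataclass
class Resolver:
    # Name servers currently too flooded to answer (this simulates the DDoS).
    unreachable: set = field(default_factory=set)
    queries_sent: int = 0

    def ask(self, server, domain):
        """Step 2: one query to one authoritative server; None means it timed out."""
        self.queries_sent += 1
        if server in self.unreachable:
            return None  # no answer: the server is drowning in attack traffic
        return AUTHORITATIVE.get(server, {}).get(domain)

    def resolve(self, domain):
        """Steps 1 and 2: fetch the server list, then try each until one answers."""
        for server in REGISTRY_NS.get(domain, []):
            ip = self.ask(server, domain)
            if ip is not None:
                return ip
        return None  # every server failed: the user cannot find the site


def connect(resolver, domain):
    """Step 3: use the address to connect, or report why that is impossible."""
    ip = resolver.resolve(domain)
    if ip is None:
        return f"cannot reach {domain}: no DNS answer after {resolver.queries_sent} queries"
    return f"connected to {domain} at {ip}"


def add_secondary_provider(domain, extra_servers):
    """The quick fix from the post: extend the domain's server list with another provider."""
    REGISTRY_NS[domain].extend(extra_servers)


if __name__ == "__main__":
    domain = "example-streaming.test"
    # A normal day: the first server answers.
    print(connect(Resolver(), domain))
    # During the attack: provider A is flooded; the site is up but nobody can find it.
    flooded = {"ns1.provider-a.test", "ns2.provider-a.test"}
    print(connect(Resolver(unreachable=flooded), domain))
    # Mitigation: list provider B as well; the resolver falls through to it.
    add_secondary_provider(domain, ["ns1.provider-b.test"])
    print(connect(Resolver(unreachable=flooded), domain))
```

The design point is that the resolver never needs to know which provider is under attack: it simply keeps walking the list, so the defence is to make sure the list contains servers in more than one place.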

The attack is a distributed denial of service attack. Essentially, the service provider is flooded with so many requests for service that it can’t answer them all quickly enough. The usual way to deal with attacks like this is to identify the source as an attacker and then ignore any further connection attempts from that address. The problem is volume. Each connection attempt has to be read at least to the point where the source address is found and that address compared to a list of addresses to ignore. This takes resources. As the list of blocked addresses gets longer, the time it takes to check it also gets longer. For technical reasons, when you double the size of the list, the time it takes to do a lookup more than doubles. The increase is at best logarithmic.
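The cost of checking each source address against the block list, as an added example that is not from the original post. It builds a constructed block list of addresses in 10.0.0.0/8 and counts how many comparisons it takes to decide that an address is not on the list, once with a front-to-back scan and once with a binary search over the sorted list, so the growth of the lookup cost with list size can be seen directly.

```python
"""
Added example (not from the original post): how the work needed to check one
source address against a block list grows with the size of that list. The
block list is constructed sample data in 10.0.0.0/8; the probe address
192.0.2.1 (a documentation address) is chosen so that it is never on the list,
which is the worst case for a scan.
"""
import ipaddress
import random


def make_blocklist(n, seed=1):
    """Constructed block list: n distinct addresses from 10.0.0.0/8, kept sorted."""
    rng = random.Random(seed)
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    return sorted(rng.sample(range(base, base + (1 << 24)), n))


def linear_blocked(blocklist, addr):
    """Scan front to back. Returns (blocked?, comparisons made)."""
    comparisons = 0
    for entry in blocklist:
        comparisons += 1
        if entry == addr:
            return True, comparisons
    return False, comparisons


def bisect_blocked(sorted_blocklist, addr):
    """Binary search on the sorted list. Comparisons grow with log2 of the size."""
    lo, hi, comparisons = 0, len(sorted_blocklist), 0
    while lo < hi:
        mid = (lo + hi) // 2
        comparisons += 1
        if sorted_blocklist[mid] == addr:
            return True, comparisons
        if sorted_blocklist[mid] < addr:
            lo = mid + 1
        else:
            hi = mid
    return False, comparisons


def worst_case(n):
    """Comparisons needed to reject an address that is not on a list of size n."""
    blocklist = make_blocklist(n)
    probe = int(ipaddress.IPv4Address("192.0.2.1"))  # never in 10/8, so always a miss
    _, linear = linear_blocked(blocklist, probe)
    _, binary = bisect_blocked(blocklist, probe)
    return linear, binary


if __name__ == "__main__":
    for size in (1000, 2000, 4000, 8000):
        linear, binary = worst_case(size)
        print(f"list size {size:>5}: linear scan {linear:>5} comparisons, "
              f"binary search {binary:>2} comparisons")
```

Doubling the list doubles the scan cost but adds only about one comparison to the binary search, which is why a filter that has to make this decision for every incoming packet keeps its block list in a sorted or hashed structure rather than a flat list. Even so, every packet still has to be read far enough to find its source address, so a large enough flood exhausts the filter no matter how the list is organised.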

In a DDOS attack, resource availability at the service provider is usually the biggest problem, but it can get worse. As it was in this case, the volume can be so great that there is not enough space on the wire (bandwidth) for all the data coming in. There isn’t enough left to use for answers. The service is hosed.

This attack is being perpetrated by what is called a bot net. The participating devices are running malware called Mirai. A bot net is a collection of compromised computers being controlled remotely and acting in concert. By some estimates, more than a million devices are compromised in this way. This is the distributed part of the attack. By instructing potentially tens of thousands of devices to do DNS requests at the same time and to keep doing them, huge amounts of traffic can be generated.

Who is Behind the Attack

No one knows who is controlling the botnet(s) doing this attack. Some news reports are quoting “authoritative” sources who are giving definitive answers. It doesn’t take a great depth of technical understanding to see that there can’t be a general definitive answer. Anyone who says otherwise is unequivocally wrong. There are sometimes some clues and the dumbest botnet operators get caught. The smarter ones use a chain of compromised computers to issue their orders. You would have to solve every compromise in the chain to lead back to someone. That’s nearly impossible.

Some people have been making the case that attacks like this are state sponsored. That may well be part of a larger picture. Bloomberg has some theories and a bit more analysis, although the article contains some misinformation.

Some security people such as Brian Krebs believe that this problem is just getting started.  If you can’t pull up that link, the likely reason is that it is currently under attack.

The outlook for stopping this activity in the short run is bleak. There are simply too many vulnerable devices and the compromise is too easy to pull off. Your local service provider is probably failing to do their part. At Deerfield Hosting we have long had countermeasures in place. We often speak with customers who have, unfortunately, been affected by them.

If you have a vulnerable device (such as a router or a security camera from Best Buy), complain to the vendor and manufacturer. If you have a device which still has the factory password and you can change it, change it! The Internet is a peer to peer network. That means almost no matter where you think you are, you are everywhere. So are the criminals. They will find it.

It wouldn’t be out of line to complain about the sloppy reporting. Service providers (like Time Warner and Comcast) generally make no effort to block outbound attack traffic, inform customers that they are compromised or help their customers avoid getting compromised in the first place. They should be doing these things. They can afford it. It’s cheap. It wouldn’t be out of line to complain to them that they are not.

The problems are endemic to the entire Internet and need to be addressed broadly. That means all of us.

Expecting someone else to keep us safe is not realistic. It’s no different than not leaving the keys in your car when you’re out shopping. It’s common sense.

Filed Under: The Slightly Technical, Web Site Security

Privacy on the Internet

September 29, 2016 by dennis

Normally I try to avoid warnings which you might call alarmist. People tend to get numb to them so it’s best to save them for special occasions. This is one of those occasions. Actually it’s not so much an occasion as a sudden realization that it’s time to speak up.

The Problem

There has been a steady erosion of privacy on the Internet over the last 5 years. Most people I’ve asked have shrugged it off as not important. When pressed, I get responses like, “Oh wow! I didn’t know that. That’s creepy”. Most people seem to have no idea what’s happening, how it works and how it affects them.

When I went looking for graphics for this post, I clicked on the little “i” next to the URL in the address bar. Cookies: 17 from this site, 45 from other sites. Try that a few times. You’ll be surprised. That 45 from other sites? It is bits of marketable information: where you’ve been, what you’ve looked at, what you’ve clicked on. It’s for sale.

Every tiny little bit of improvement in targeting translates into reduced cost per sale. The reason is that conversion rates are almost always low. For example, you might be selling widgets by paying 25 cents every time someone clicks on an ad and goes to your site. If 1% of those people buy your widget, it costs $25 per sale. But what if you could buy better targeted clicks for 35 cents and 4% buy your widget? Now your cost per sale is $8.75. The companies selling information about you are making serious money by doing so. Very serious money. It’s not just Google either.

Should You Care?

Those 45 cookies told a bunch of other companies when and where I was and what I was doing. I have no idea where it went and what it will be used for. My ability to manage my identity was taken away. This happens all the time. Bit by bit, you get revealed and exposed. So much information spills out that a fine grained portrait of you gets created and you have no control over what it looks like.

That’s just the marketing side, the growing ability to herd the sheep toward the most expensive pastures. Try doing a search for “mining big data”. The potential for abuse is gigantic. Information is power. What gets revealed about us and the conclusions drawn from it are going to shape the future. Do we really want to passively give the future away to the highest bidder?

Do you care? This is avoidable. Stopping the leaks takes some effort. Is it worth it? Does it matter? I’d really like to hear what you think!

Filed Under: Web Site Security

Email Forwarding Problems

January 6, 2016 by dennis

Many people like to use forwarders so that they only have 1 email account to check.  Sometimes problems occur with this.

Unfortunately, forwarding to gmail accounts is problematic. Forwarding to yahoo.com is even worse. The 2 things which commonly go wrong are gmail deciding forwarded mail is spam and deleting it, and gmail throttling sending rates.

The cause of the problem is people complaining in their gmail account about spam which has been forwarded to them. We do fairly well at stopping spam, easily 98%, and that is as good as anyone, including gmail. But when several or many people mark the remaining spam as what it is, gmail regards the likelihood of mail coming from our servers being spam as much higher. That is, they reason that because spam just came from our server, the probability that the next incoming emails are also spam is much higher. That’s incorrect in this situation, but you can see why it might seem to make sense. When their system reaches a probability high enough, they start throttling and even discarding emails. They discard emails when other characteristics of a particular email also suggest that it’s spam.

I have sent emails to them several times asking what might be done about the problem. The only response I have gotten is being referred to their bulk mail guidelines. Not applicable and quite pointless. This is not an unusual problem. They ought to account for it, but they don’t.

There are a couple of things you can do. One is to stop using gmail directly by setting up a forwarder:

https://support.google.com/mail/answer/10957?hl=en

You would then check the account which you set up as the forwarding target instead of gmail.

The remaining things you can do are to use an email client instead of web mail and set it up so that it checks multiple accounts or simply check several places.

Filed Under: Uncategorized

Copyright © 2023 · Deerfield Hosting