Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

Interestingly, 1990-2000 are all in the top 50, and 1980-1989 are all in the top 100. I would interpret this occurrence as a subset of users that set their passcodes to the year of their birth or graduation.

Today I needed to generate 1350 passwords. My favorite tool generates them 50 at a time. What is an IT guy to do? The first thing is to start Googling around. After a brief search I came across a linux utility called makepasswd. After a few command line entries and some brief cleanup in a text editor I was ready to go!

To Install makepasswd (in Ubuntu):

sudo apt-get install makepasswd

To generate the passwords:

makepasswd --chars 8 --count 1350 | cat >> /path/to/file/passwords.txt

The end result is a quick and dirty file of passwords ready to be handed out. These may not be the most secure but they are certainly several orders of magnitude more secure than if I let my folks pick their own. I think I’ll dump the website generator from now on. I have an easy to use and powerful Linux utility right at my fingertips!

There’s nothing better than a dose of high octane stress to kick off a week just right.  I came in this morning to find out that no one could connect to the server anymore.  Our office was flooded with calls wondering what was wrong with the e-mail server.  In the past people could have clicked past the expiration error and kept on trucking.  I quickly renewed the certificate, downloaded and installed it.  Then the real problem started.  All of our clients could now access the server but they were getting trust errors.  Turns out the new Thawte certificates need to have an intermediate CA certificate installed.

Thawte uses Intermediate CAs to enhance the security of SSL and Code Signing certificates. Installing the correct Intermediate CAs or CA bundle for the certificate being used is absolutely essential to ensure that users don’t see certificate errors when visiting a website or running software secured with a Thawte certificate.

I didn’t know about this since it had changed in the last year.  After running it by their technical support (they give great chat by the way) I was pointed to an article discussing the issue.  Turns out this new requirement was implemented on June 27th, 2010.  I downloaded the required certificate and added the following line to ssl.conf:

SSLCACertificateFile /usr/local/ssl/crt/cabundle.crt

One quick Apache restart and all is well.  Now it’s noon on Monday.  Time to get the week started!

Beware the security devils!

This is the graphic that you now see when you are visiting a website with a valid certificate that is loading page elements that are not encrypted.  It’s not a terrible thing security wise but nevertheless, beware the red skull of security!  Even though I know it is going to generate support calls I still love it.  Well done Google!

56FE71501A1C 1695 Fri Jul 30 08:32:19 noreply@nowhere.com
(host hrndva-smtpin02.mail.rr.com[71.74.56.244] refused to talk to me: 421 4.7.1 - Connection refused - - Too many concurrent connections from source IP)

Due to Roadrunner’s rather draconian inbound rate limit policy, we receive this bounce error almost constantly. A fairly large number of the e-mail that is sent out over our servers is headed for Roadrunner’s system. Given that much of the traffic is generated from local church mailing lists, a delay of a few hours usually isn’t that big of a deal. At least, it hasn’t been up until this week. Once I got in this morning however, I saw that we had almost 5,000 messages in the queue with the same error. Alarm bells went off and the IT Office shifted into DEFCON 1.

Searching through the 5,000 messages quickly showed me that there was one sender who was doing most of the work. Grepping through /var/log/maillog quickly showed me which server the traffic was coming from. Once I had this information handy I shut down the main gateway server to stop the bleeding until I could figure out what was going on. I headed over to the server in question and started searching through those logs as well.

Turns out that there was an old Squirrelmail plugin that the spammer was using to generate plain text spam messages internally. Specifically these were nigerian phishing scheme messages. Since they are plain text, coming to and from legitimate addresses and were constantly changing, they were very difficult for our spam filters to stop. Once I updated the plugins, cleaned out all of the mail queues in question and restarted the affected services we were back in action.

The only problem remaining was to convince my fellow e-mail administrators that we were no longer sending spam. All of the major ISP’s use different filtering systems, real time blacklists (RBL’s) and their own internal policies. This meant visiting each ISP listed in the queue as a bounced message and reporting to them individually that the issue was resolved.

Along the way I noticed that there were two agencies that many of the ISP’s use as a clearing house for online e-mail system reputation. You can sign up your organization and they will independently verify that you are not a spammer. Once you are on their list, the ISP’s that subscribe to their services can verify that you are a legitmate sender. It amounts to a shake down more or less. You have to pay to play. Given the importance of our e-mail systems I decided to go ahead and sign us up. If you need to do the same with your mail servers then visit these companies:

• E-mailReg.org – This service charges $20 for one year of service. After verifying domain ownership they say it will take several days.
• ReturnPath.net – This is the big service that a lot of the major ISP’s use. They charge for their service based on how big your organization is. We received the non-profit discount and paid $200 for the application fee with no monthly fee. This system will take several weeks to verify. You really should sign up for this service when times are good.

All is well now. The spam flow has been stopped and all of our queues are cleaned out. All we can do now is wait on Roadrunner’s rate limits to time out and allow us to resume sending messages.

Affected browsers: Google Chrome, Mozilla Firefox, Internet Explorer and Safari.  All are running the latest patches as of this writing.

Steps to remediate for Windows XP users:

1. Start – Run
2. Run the program “cmd” for the command line
3. Enter “ipconfig /flushdns” and hit Enter
4. Restart the browser

Steps to remediate for Windows Vista/7 users:

1. Start – All Programs – Accessories
2. Right click on command prompt and select Run As Administrator
3. Enter “ipconfig /flushdns” and hit Enter
4. Restart the browser

I have seen some small issues with Ubuntu and Mac laptops.  We resolved those by dumping the browser cache, restarting the network connections and restarting the browser.  I will post an update as I learn more.

Update: June 10th @ 5:24 PM

I’ve done a good bit of googling and found out that the issue is most likely linked to our brand spanking new Linksys WRT320N wireless router (relevant threads can be found here and here).  Apparently that entire family of routers has trouble with DNS requests.  I didn’t see a sticker on the box when I bought it that said something along the lines of “I suck at DNS.”  Who knew?  I updated the firmware at our dinner break.  We’ll see how it goes from here.

Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They’re not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

Here’s the real kicker:

Probably the most controversial language begins in Section 201, which permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.” The White House is supposed to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. (“Cyber” is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)

Now we see the true purpose of this bill.  The government wants to know what is on our computer networks.  Imagine the possibilities for a moment.  Let’s say there is another (God forbid) terrorist attack.  The government already has the power to ground all air travel.  Now they can pull the plug on the internet as well.  What better way to suppress dissent could their be?  The government already effectively controls the majority of the mass media.  Oh wait, this is for our safety.  There I go being paranoid again…

The DDoS problem is a whale of a different color, however. All you people who I’ve warned over and over again to install or update your security software, everyone who can’t stop visiting HotSexyLibrarians.com or downloading music and movies from Igotyourfiles.com, and all those noobs who insist on opening every single e-mail attachment they get—you did this. You and your zombie PCs are to blame.

Many of the news reports I read yesterday used the phrase “denial of service attack” and then the acronym “DDoS.” So, what’s the extra “D” mean? Turns out it stands for “distributed,” which, in this case, means the attack does not originate from one place. Instead, it comes from millions of places. Put simply, a denial of service attack is not come from one big server somewhere in Russia, China, or North Korea that attacks a commercial enterprise’s servers here in the U.S. or elsewhere in the world. If it was, companies could find it easier to block, or at least stop, the attacks when they begin. A DDoS is different. Yes, it’s coordinated, but the coordination is spread across thousands, if not millions, of PCs around the world.

Yes, that’s right.  It’s all our fault.  All of us that are operating infected computers.  Please be sure to update your software and run a strong antivirus program.  There will always be someone out there writing malware, attempting to trick us into installing it.  It’s up to us, however, to make sure that we have fully patched and protected computers.  Let’s hope Twitter comes back soon.  Be sure to take this offline time to patch your computer(s)!