Friday, July 30, 2004
SysAdmin Appreciation Day
Did you feel appreciated today? I
sort of did. I got chocolate
(thanks David et al), and people generally left me alone. Apart from that
it was business as usual in the zoo.
I had a weird no-advance-notice visit by some people from Uni Lesotho. They came to find out how Rhodes' IT division worked -- how we
handled support issues, what software we used, etc. It was sort of
interesting to find out something about other institutions too. It would
have been more interesting if I wasn't in the middle of upgrading a web
server at the time.
It was probably appropriate that at about 3pm I cut 110-odd people off the
network. They're the ones still vulnerable to the LSASS-exploiting viruses
that are doing the rounds, and they'd had three days' warning of their
imminent disconnection. We started getting e-mails within ten minutes
promising that machines had now been patched -- "please reconnect me, I need
to work over the weekend". They're still sitting in the ticketing queue ... I
guess there is a bit of BOFH lurking in me somewhere. There are public labs
they can use.
True to form, we knocked off a bit early, as we do every month, and headed
down to the local pub to have a few beers and talk shop. The usual crowd
were there and we had a reasonably interesting discussion about the state of
wireless in Grahamstown. I guess a cold one was a fitting end to sysadmin
appreciation day :)
posted by guy at: 19:17 SAST | path: /general
Tuesday, July 27, 2004
eTV, eBay and News24.
As I mentioned in an earlier post, I sent e-mail to eTV about the eBay
hacking article that both they and News24 carried yesterday. My e-mail to
them was as follows:
Date: Mon, 26 Jul 2004 20:26:05 +0200
From: Guy Antony Halse
To: info(at)etv.co.za
Subject: ebay hacking article
Hi
After listening to your news article this evening discussing the hacking of
e-Bay's credit card database, I decided to do some basic investigation of my
own.
I find it strange that the only website carrying any form of coverage of
this is news24.com. All the normal sources of IT-related news have no
mention of it at all (theregister.com, itweb.co.za, slashdot.org, etc). Not
only that, no other major wire service carries information about it. Nor
does Google's syndication service (news.google.com) carry any further
sources.
Some other inconsistencies piqued my interest. For a start, e-Bay is an
auctions company. They simply facilitate payments between two parties -
they don't handle money (apart from facilitation fees) as such. As far as I
remember, they hive credit card transactions off to paypal.com, so it seems
odd that they'd keep records of credit card details themselves.
Your article mentioned http://www.419legal.org/. It seems odd that a site
purporting to be part of the SAPS would be hosted on a .org domain rather
than a .org.za or .gov.za domain. Looking at ownership information for that
domain
(http://reports.internic.net/cgi/whois?whois_nic=419legal.org&type=domain)
we find:
Registrant ID:GODA-05739656
Registrant Name:D. Squire
Registrant Organization:E-Payments
Registrant Street1:6 Wrenford Place
Registrant Street2:Hillary
Registrant City:Durban
Registrant State/Province:Kwa Zulu Natal
Registrant Postal Code:4096
Registrant Country:ZA
Registrant Phone:+27.7646957
Registrant Email:support@e-payments.co.za
Now there are a few interesting things I notice about this. Firstly, the
South African Post Office's website (www.sapo.co.za) does not know anything
about the postcode 4096. The postcode for Hillary is 4094. In the same
way, the phone number "+27.7646957" does not correspond to the standard
10-digit (or 9 digit + international prefix) format of South African phone
numbers.
Of further interest is that this supposedly South African site is hosted in
the United States rather than in South Africa. The hosting company's
generic web site can be seen at http://69.93.250.100/
Visiting the 419legal.org web site, we discover that in order to search
the database we need to enter a credit card number (as opposed to a name or
some other identifying feature, such as surname + last four digits). In
other words one has to reveal one's credit card number in order to "check"
it.
So my question is this: How sure are you of your sources for this story or
are you being unwittingly used to further fraud?
- Guy
--
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse(at)ru.ac.za Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer *** J.A.P.H
Well as I hadn't had a reply by the end of tonight's 6.15 news bulletin, I
gave them a call ...
For the record, the number eTV give
after their news bulletin is 021-481-4700. It appears this number
corresponds to their customer care number (unsurprisingly) and you have to
jump through a few hoops to get to someone who might actually be in a
position to do anything useful. After sitting on hold for a few minutes and
being passed through four people, I eventually got hold of someone who
answered to the title of news editor.
It appears that mine wasn't the only e-mail they got last night. They
realised from the number of concerned messages that something might be amiss,
and so they've spent most of today researching things. I'm told that
they've managed to get a statement from the police about what's going on,
and they're going to carry a partial retraction of the story this evening on
the 7pm news bulletin -- the news editor wouldn't give me details on the
phone about what the story would entail, but mentioned that they were as
concerned as I was about the possibility of people being inadvertently
defrauded. So now we watch and wait I guess ...
Well that was disappointing. eTV did
indeed carry the story in tonight's broadcast, fifth from the top. They
said that ebay denied they'd been hacked
and that their database was "virtually impossible" to hack. The article
also mentioned that Jo'burg Commercial Branch had distanced itself from Mr
Visser and that they were "still in the process of investigating Mr Visser's
evidence." The intimation was that Mr Visser had spoken out of turn and
without consulting his superiors.
What they didn't do was tell people not to type their credit card numbers
into 419legal.org. Instead they carried a full-screen shot of the
419legal.org site, including the big header that says "419legal.org" on it.
So while they didn't directly tell people to go there this time, they
certainly pointed people in the right direction. The number of
inconsistencies in the way the page is set up wasn't even mentioned.
Update: 2004-08-01.23h08
Okay I've been bad and I haven't posted the update to this. eTV did
eventually get back to me, late on Friday afternoon. Their e-mail says
"With regards to your query below, we would just like to confirm that our
news department are in the process of investigating this particular story."
and not much else. That said, their Thursday night news bulletin did cover
the issue of 419legal.org being a phishing attempt and they finally got
around to telling people not to use 419legal.org to check their credit
card numbers. They instead suggested an e-mail address, this time on the
saps.gov.za domain. Less secure perhaps, but certainly more trustworthy.
posted by guy at: 18:13 SAST | path: /issues
eBay hacked ... or really?
Last night, Russell and I had a lively debate on #rucus about whether News24's
article on eBay being hacked was legitimate or not.
It seems that this discussion has become a lot larger than our little
network and I've been asked to publish some comments I made on our local
'varsity discussion forum in a more public place. So here we go:
Posted by guy: Jul 27 2004, 12:02 PM
There are lots of inconsistencies with this. My gut feel is that it
is a scam and that eTV and News24 have cleverly been tricked into furthering
malicious goals.
For example, why is "Johannesburg Commercial Branch" hosting
information on .com and .org domains when they have a perfectly good
.gov.za domain? Take a look at http://www.saps.gov.za/divstat/commercial/ and http://www.commercialbranch.com/ and tell me which you
trust more? Why is 419legal.org or commercialbranch.com not mentioned on http://www.saps.gov.za/crimeprev/nig.htm#nig
Also have a look at the registration information for those domains and notice
they're registered to someone in Durban (odd for Jo'burg), that both
the post code and the telephone number are almost, but not
quite, right, etc. Why is it not registered in the SAPS's name, or why
hasn't it been changed to be? Why were the domains registered
through a US-based registrar when we have several perfectly good
registrars in South Africa?
The 419legal.org site is hosted by a generic hosting company in the USA, yet the rest of the
SAPS's site is hosted on the government's own netblock in South Africa. Add to
that the fact that they thank RealXchange.co.za for hosting -- yet
RealXchange.co.za is hosted on a completely different network in the
UK.
Then realise that every one of the logos and pictures you
see on 419legal.org can be found on other web sites (for example, the
Jo'burg commercial branch's logo is on the saps.gov.za site, the
RealXchange face is on their web site, etc).
The final straw is that they ask you to enter your credit card number in
order to check it. There is no way in hell that's good Internet
practice. They could have asked for your surname and last four digits, or
something similarly unique. They purport it to be a "secure"
site, but notice how they don't have their own SSL certificate. Instead
they piggy-back off someone else's (www2.securesiteserver.co.uk). Why is
that? I suspect it is because they couldn't provide the necessary
certificate of incorporation, etc. required by all commercial SSL vendors.
It has scam written all
over it in big letters.
There is more to this than meets the eye. Last night eTV carried it as headline news. I
e-mailed them straight after their 8pm news bulletin to point out the
inconsistencies we'd worked out by that point (we've found more since) and as
yet I've had no reply from them. I was going to phone them but
unfortunately they don't have a contact number for their news desk on their
website. They broadcast it at the end of
every news bulletin, so I'll call after the 6.15 one -- I'll probably post
more on this later. (And I did.)
Update: 2004/07/28.11h07
It appears that this might be worse than we originally thought. Instead of
being the sort of scam that we suspected, it looks like this might actually
be sort of semi-legitimate. Neil
hinted at this earlier
today, and subsequent events seem to be bearing out that notion. I'm
still trying to reconcile the idea that so many simple mistakes
could have been made in the setting up of a legitimate site.
I've got nothing against the idea of hosting this sort of information
online, I'd just prefer it was done properly. If this is indeed legitimate
(and we're still waiting to find that out), it'd be nice if some of the
inconsistencies Russell and I noticed
were cleaned up, and, more importantly, if the whole idea of searching a
credit card database was revised. Imagine a stolen credit card database
being stolen again, or people illegitimately using the details therein to
commit further fraud. If it is a project of the Jo'burg Commercial
Branch, I'd like to see someone at the SAPS take responsibility for its proper
running. I'd also like proper, traceable contact details to be available on
the site.
Anyway, News24 have carried another
article on the saga. It claims that a police statement is forthcoming,
something we're all waiting with bated breath to read.
Update: 2004-08-01.23h14
It appears the whole ebay hacking saga is almost solved. Yay! IOL carried a
story
today that just about says it all. I'm just glad we're getting to the
bottom of this and that, for once, people (read "the popular media") seem to
be taking issues of Internet security seriously.
posted by guy at: 18:01 SAST | path: /issues
Monday, July 26, 2004
Sasser Worm hits Rhodes
Yesterday evening Rhodes detected the first Sasser infection on
its network, almost three months after the rest of the world had already
dealt with this problem.
Sometime in May, when Sasser was first detected by the anti-virus vendors,
we sent out e-mail to several mailing lists covering all staff and residence
network users informing them of the problems Sasser could cause, and how to
patch their machines against it. We didn't actually get infected with the
rest of the world because the University's border firewalls and e-mail virus
scanners, etc managed to prevent the infection from getting inside our
network.
We all knew it was a matter of time however ...
Well the inevitable happened, in perhaps the most predictable way. Last
night saw the return of all the students after their July vacation. As
people moved back into the residences, they plugged their computers back in.
It just took one fool (who happened to live in Cullen Bowles) to bring the
infection from their home network and plug it straight into Rhodes'
network. Bloody Idiot!
Hmmm, it seems we have Korgo
as well. *sigh*
posted by guy at: 15:01 SAST | path: /systems
Wednesday, July 21, 2004
802.1x Supplicant Clients
I'm contemplating deploying 802.1x on our wireless network and am trying to
decide whether to use EAP-MD5, EAP-TLS, EAP-TTLS or EAP-PEAP for authentication.
Ideally I'd like to use PEAP because it is the most flexible. However I
need to know that it'll work on all operating systems. So off I go hunting
for PEAP-capable supplicants for all the major operating systems in use here
...
Microsoft Windows XP:
Built-in client does PEAP with MSCHAPv2, TLS or MD5-Challenge.
Microsoft Windows 2000:
Service Pack 4 includes an 802.1x Authentication Client. This can be installed on machines running SP3. Does PEAP with MSCHAPv2 or TLS. There is a document available on getting 802.1x to work.
Microsoft Windows ME:
Who knows? Does anyone use ME? Certain vendors (like Intel) provide supplicants with their drivers. They may or may not support PEAP.
Microsoft Windows 98:
If you're a premier or alliance organisation, you can get a Microsoft client. We're not, but the CS dept might be. Other
Microsoft Pocket PC 2002:
Pocket PC 2002 & 2003 have an M$-supplied supplicant (which must do PEAP), but it may not be installed by all OEM vendors. Check with your vendor or look on the web.
Linux:
Xsupplicant supports PEAP with MSCHAPv2. O'Reilly have an article about this.
Other Unices:
Xsupplicant is in the process of being ported to FreeBSD. Commercial clients are available for Solaris.
Mac OS-X:
OS X 10.3.x "Panther" has built-in support for 802.1x, including PEAP+MSCHAPv2 support.
See also http://www.missl.cs.umd.edu/Projects/wireless/8021x/.
And then there is the AEGIS client that
does PEAP+MSCHAPv2 (and TTLS, MD5, etc.) on just about anything (Windows XP,
2000, NT, 98, ME, Pocket PC 2002, CE.Net, Mac OS-X, Palm Tungsten, Solaris
8, Linux). If you have money to burn.
Perhaps I need to look at TTLS ... All the above support TTLS, and there are
more authentication methods available.
A free TTLS client for 2000/XP is available from Alfa & Ariss. Xsupplicant will handle
the Linux/BSD world.
I guess it'll be a combination of the two. And damn those 98 users.
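As an added example (not from the original post), here is what the PEAP-or-TTLS choice looks like in a wpa_supplicant configuration, the Linux/BSD supplicant that later took over from Xsupplicant, with a PEAP/MSCHAPv2 profile beside a TTLS/PAP one. The SSID, identities, CA file and RADIUS hostname are assumptions; the part worth copying is that both tunnelled methods are only as safe as the server-certificate check, so `ca_cert` and `domain_suffix_match` are what keep a user's MSCHAPv2 or PAP credentials from being handed to any access point that merely announces the right SSID.

```conf
# wpa_supplicant.conf (added example; SSID, identities, paths are assumed)
ctrl_interface=/var/run/wpa_supplicant

# Profile 1: PEAPv0 with MSCHAPv2 inside the TLS tunnel. This is the
# combination the Windows XP/2000, Panther and Xsupplicant clients share.
network={
    ssid="ru-wireless"                      # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity travels in the clear; keep the real username out of it.
    anonymous_identity="anonymous@ru.ac.za"
    identity="g04h1234@ru.ac.za"            # assumed inner identity
    password="CHANGE-ME"                    # placeholder
    # Server-certificate validation. Without these two lines the client
    # completes the inner MSCHAPv2 exchange with whatever RADIUS server
    # answers, so a rogue AP with the same SSID gets a crackable hash.
    ca_cert="/etc/ssl/certs/ru-radius-ca.pem"
    domain_suffix_match="radius.ru.ac.za"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    priority=2
}

# Profile 2: EAP-TTLS with PAP inside the tunnel, for backends that hold
# only hashed passwords and cannot do MSCHAPv2 (the "more authentication
# methods" point above). PAP sends the cleartext password inside the
# tunnel, so the certificate checks matter even more here.
network={
    ssid="ru-wireless"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@ru.ac.za"
    identity="g04h1234@ru.ac.za"
    password="CHANGE-ME"                    # placeholder
    ca_cert="/etc/ssl/certs/ru-radius-ca.pem"
    domain_suffix_match="radius.ru.ac.za"
    phase2="auth=PAP"
    priority=1
}
```

With both profiles present the supplicant tries the higher-priority PEAP profile first and falls back to TTLS, which is the "combination of the two" outcome in practice.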
posted by guy at: 22:12 SAST | path: /systems
Monday, July 19, 2004
Our 8600 will do IPv6
While John Stevens was in the USA, he went to a Nortel Networks conference in Los
Angeles. One of the useful things that came out of this conference was that
John managed to put me in touch with some of the R&D people at Nortel.
See more ...
posted by guy at: 11:05 SAST | path: /systems
Thursday, July 15, 2004
Looking for networking kit?
Just a quickie for people who aren't aware of http://www.netsale.co.za/. They're
dealers in second-hand networking kit.
Rhodes has bought a couple of PortMaster
3s, a DSLAM and some SDSL routers from them this year, and
have found them to be both reliable and efficient. YMMV of course :)
posted by guy at: 15:14 SAST | path: /general
Tuesday, July 13, 2004
Powercuts suck
We had a town-wide powercut for about forty minutes today :(
We had the electricians in our machine room at the time installing some new
emergency lights, and so got to test one of them within minutes of it having
been installed.
Unfortunately power cuts always mean work. In today's one, two machines
suffered badly. The first was our voicemail server, the second was the software library machine. Both had
serious disk objections to the power failure.
While the power was out, we noticed another little orange light on the mail
server. We've lost a second disk in the raid array in two weeks. I'm not
sure why, but I suspect this is bad(tm).
Anyway, all this got me thinking about how much we're dependent on power
these days, and how a relatively small power outage creates a
disproportionate number of problems, particularly for the computer side of
things.
When did the world become this dependent on the flow of electrons? When did
the flow of electrons become more important than the flow of water? Or is
it? We need water to make electricity and electricity to get water to us.
It is a sort of cycle, kind of like the carbon cycle or water cycle. What do we
call it? The hydroelectric cycle or something :)
Maybe I only become philosophical about things like this when I can't have
coffee because there is no hot water ...
posted by guy at: 16:44 SAST | path: /general
More on an Internet Exchange for Grahamstown
Today has seen two useful developments on the GINX front.
See more ...
posted by guy at: 16:36 SAST | path: /systems
Thursday, July 08, 2004
More on GINX
I spent a large part of today creating a website and a proposal for a
peering policy for my GINX idea. You can see/read/whatever http://ginx.ru.ac.za/ for more info.
posted by guy at: 18:15 SAST | path: /general
Wednesday, July 07, 2004
One of those weeks
This last week or so has been one of those weeks. It seems as if everyone
but me was away, so I was left in the role of secretary, postman, milkman,
etc in addition to the sorts of things I normally do. What do I normally
do?
See more ...
posted by guy at: 15:21 SAST | path: /general
Thursday, July 01, 2004
Novell iManager
I've been playing around with iManager on our new Novell 6.5 box for a bit,
and am starting to come to the conclusion that Novell has the right sort of
idea.
We've had a bit of a biased opinion against Novell here at Rhodes for a
while. The Novell 4.1 boxes we were running as our NDS directory didn't
quite cut it any more, and there was slowly increasing pressure to do
something about it. Some camps outside the IT division were strongly in
favour of our switching to a Microsoft Active Directory model, something
which was fortunately resisted.
See more ...
posted by guy at: 08:22 SAST | path: /systems
