SECURITY Technology

Twitter and the NYT: what is DNS?

On Tuesday of this week, Twitter, the New York Times, Huffington Post and a raft of other websites suddenly found their traffic getting rerouted to servers in Russia and Syria. The rerouting was due to a successful hack by a group calling themselves the Syrian Electronic Army, a name that brings to mind proto-Goth synth bands of the 80’s. Service was restored to most sites quickly enough, but you may be wondering: what the hell even happened?

I’ve covered the ins-and-outs of DNS in the past in the context of a particularly-vicious malware attack a little over a year ago. But now seems like as good a time as any to recap, since after all, most of the media is too busy primping and preening over the importance or lack thereof in the New York Times to inform you.

DNS stands for Domain Name Service, and in short, it’s sort of an address book for the Internet. The pretty alphanumeric domain names we all know and love, like, or, are not the addresses computers recognize. Computers navigate the web by using large numbers assigned to each other computer, often notated by four numbers separated by dots, like

Someone, somewhere needs to map all those domain names to their numbers, and that’s where DNS comes in.

What happened in the case of Twitter and so forth is that the SEA hacked into the Australian company that carries the official registration of those domain names. By changing the number associated with the domain name, they ensured that anyone looking up those addresses would get the wrong information.

Most people probably never saw any disruption at all. That’s because most ISPs carry their own copies of DNS records, refreshing that data only periodically. In the short term, this was always a pretty low-level threat. But the point was probably more to cause disruption and panic than to do any real damage.
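The caching effect described above, worked through as an added example (not part of the original post): a toy model of ISP resolvers that each refresh their copy of a record once per TTL, plus the baseline comparison a monitoring job would run from several vantage points. The addresses, TTL, hijack window and resolver names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder data: documentation-range addresses, invented timings.
GOOD_IP = "192.0.2.10"              # address the domain owner published
ROGUE_IP = "203.0.113.66"           # address inserted at the registrar
TTL_HOURS = 24                      # how long a resolver may reuse a cached answer
HIJACK_START, HIJACK_END = 10, 16   # record is wrong during hours [10, 16)
SIM_HOURS = 48


def authoritative_answer(hour: int) -> str:
    """What the registry hands out at a given hour."""
    return ROGUE_IP if HIJACK_START <= hour < HIJACK_END else GOOD_IP


@dataclass
class CachingResolver:
    """An ISP resolver that only re-asks upstream when its cached copy expires."""
    name: str
    first_query_hour: int
    cached_ip: Optional[str] = None
    expires_at: int = -1

    def resolve(self, hour: int) -> str:
        if self.cached_ip is None or hour >= self.expires_at:
            self.cached_ip = authoritative_answer(hour)
            self.expires_at = hour + TTL_HOURS
        return self.cached_ip


def simulate(hours: int = SIM_HOURS):
    """Query every resolver hourly; return (rogue_hours, final_answers)."""
    # One resolver per refresh phase, so refresh times are spread over the TTL.
    resolvers = [CachingResolver(f"isp-{p:02d}", p) for p in range(TTL_HOURS)]
    rogue_hours = {r.name: [] for r in resolvers}
    final = {}
    for hour in range(hours):
        for r in resolvers:
            if hour < r.first_query_hour:
                continue
            final[r.name] = r.resolve(hour)
            if final[r.name] == ROGUE_IP:
                rogue_hours[r.name].append(hour)
    return rogue_hours, final


def summarize(rogue_hours: dict) -> dict:
    """How many resolvers were poisoned, and how long the bad answer lingered."""
    affected = {n: hrs for n, hrs in rogue_hours.items() if hrs}
    last_bad = max(h for hrs in affected.values() for h in hrs)
    return {
        "affected_resolvers": sorted(affected),
        "affected_fraction": len(affected) / len(rogue_hours),
        "last_hour_rogue_served": last_bad,
        "hours_stale_after_fix": last_bad - HIJACK_END + 1,
    }


def drift_alerts(observed: dict, baseline: set) -> list:
    """Monitoring check: resolvers whose answer is outside the pinned baseline."""
    return sorted(name for name, ip in observed.items() if ip not in baseline)


if __name__ == "__main__":
    rogue, _ = simulate()
    print(summarize(rogue))
    # Hour 36 is 20 hours after the record was corrected at the source.
    print(drift_alerts(simulate(37)[1], {GOOD_IP}))
```

Only the resolvers that happened to refresh during the six-hour window pick up the bad record, but each of them keeps serving it for a full TTL, so a check against the authoritative source alone would report the incident as over while some users are still being misdirected.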


Five good reasons to stay (legitimately) anonymous on the Internet

With dreary regularity, we hear news reports of outrage and shock over anonymous people on the Internet doing something we object to as a society. Recently, the big flap was over anonymous commenters on YouTube spewing racist screeds over a Cheerios commercial featuring a mixed-race family.

It will come as a shock to no one who regularly visits YouTube that the comments section is and has always been a cesspool. A cesspool, by the way, not at all unlike the comment sections of most media websites. Regardless of this, when it happens to a cereal box, we apparently need to comment on it in mainstream media.

The reaction of many has been to take out their frustrations on anonymous commenters. As the theory goes, the anonymous would not be free to spit out vitriol if their names were attached to their online identities. Never minding, of course, that Mohammed Hussein of Iraq is as anonymous to Tom Belknap of Rochester, NY as is FuzzyBunnyFeet2012. Really: what is in a name in a community of millions of online users stretched over an entire globe?

But before we consider “real names” to be a foregone solution to the problem, let’s first consider the benefits of anonymity online. Here are five perfectly good, legitimate reasons to keep your identity a secret online.

5. Don’t waterboard me, bro!

So. You’ve got questions about terrorism. Whom shall you ask?

While many of us have bland English names and white skin, for the majority of the planet, asking these questions with our names public and avatars personalized might raise suspicions on the Internet that we’d rather not colour the responses.

Yes, you’ll get hateful and predictable accusations. But even well-meaning people may temper their answers to avoid offending a culture you might not even belong to.

I honestly might never have thought of this one had I not searched Quora for questions about anonymity. One of the first questions that came up was exactly this. “Is it normal to want to ask questions about terrorism anonymously?”

4. Don’t hate me because I’m beautiful

In line with the next most obvious biases you might want to avoid in cyberspace, gender and sexuality biases are always a concern. You might either wish not to let the general public know your sex or sexuality, or you just don’t want your name attached to a question.

I mean sure: you’re proud of your duck-face avatar with the cleavage hanging out. But that doesn’t mean you need to show off all the time, right?

3. Social agreement

Depending on the circumstances and your point of view, this can be both a positive and a negative of social anonymity. A study done at the University of Amsterdam and published to the Sage Journals shows that anonymous groups take on the agreed-upon traits of the group much more readily than groups of named individuals.

It’s all a part of what is known as the Social Identity of Deindividualized Effects (SIDE). The study found that when groups were anonymous, users conformed to the agreed-upon behavior, even if they were introduced into the system much later.

The result is a double-edged sword: on one hand, groups formed around civil discussion are likely to remain that way. Medical help sites tend to be this way. But comment sections like YouTube can get nasty if the agreed-upon behavior is generally nasty. Nevertheless the potential for more productive collaboration – like that in Open Source community projects like WordPress or others – does not just exist: it is well-documented.

2. Your creative selves

The old-school Internet users know, even if our modern community tends to forget: you can be whatever you’d like to be on the Internet. Does that seem fake? Artificial? Vain?

Of course! And nobody needs to know but you. Go ahead and create an account, play a role. Creativity with identity isn’t a bad thing, in fact, it was super-popular in the Renaissance. Of course, so was medical blood-letting. It’s not a perfect example…

1. The Internet is forever.

Regardless of which of these reasons you might choose to keep your identity private, one thing I’m sure we must all know by now is: the Internet is forever. Whatever question you ask or opinion you share, there it is, more or less forever.

It’s worth stopping a moment when you choose to express yourself and wonder whether this is really a thought you’ll be OK with surfacing twenty or thirty years in the future, because the potential is there. God help me if the unfettered praise of my 12-yo self for Rick Springfield were still on the Internet. I’d never get a job.

So, before we get too cavalier in our desire to remove the trolls from our midst, remember that you sometimes have to defend what is wrong in order to defend what is right.

Politics Technology

PRISM: it’s not “just meta data”

Briefly, I wanted to touch on the President’s comments about the PRISM program that the FBI and NSA are using to monitor traffic on telephone and Internet networks. I am increasingly disappointed by President Obama’s cavalier attitude toward the program and the public’s objections to it. But in particular, I am disappointed in the way that he and others obfuscate around an important point.

Obama Dismisses ‘Hype’ Over NSA Reports: ‘Nobody Is Listening To Your Telephone Calls’

“When it comes to telephone calls, nobody is listening to your telephone calls. That’s not what this program’s about,” Obama said.

It’s just “meta data,” he and others want you to think. What’s really important about your phone calls is what you said, right? And nobody’s listening to that.

But keep in mind: if you’re not plotting a terrorist attack, the content of your phone conversations is probably completely banal horseshit in the first place. Not even really important enough, in most cases, for you to remember. It is not the valuable part.

Who you call and when – to say nothing of what you uploaded to YouTube, when you tweeted, etc – is far more important most of the time than what you said. That may be different for terrorists, but remember: the government says it’s not listening.


TrendLabs report shows phishing scams blossomed this holiday season.

Tis the season, after all. The season of giving. The season of sharing. The season of buying with PayPal. The season to hurriedly check one’s email and click on links without thinking.

Or so it would seem according to anti-virus software maker TrendMicro. According to their research, phishing, black hole exploits and electronic pilfering of all kinds spiked during the 2012 Christmas season. And color me shocked! PayPal gets the hands-down biggest number of exploits. Including mobile:

Mobile users, unfortunately, are not exempted from this swath of online threats. [click for link] is an example of a spoofed PayPal for Mobile site that users should be wary of. Because mobile users will typically not see the whole URL, users may readily think that they visited the legitimate website.

It is easy to blame PayPal for the persistent problem of bank security online and it is certainly true that they’ve had their lackadaisical response to security issues in the past. But at this point, PayPal represents one of only a handful of high-profile payment gateways that can be used to dupe users.


RIT’s information security program trains students to catch a data thief

RIT’s percentage of students who receive full-time jobs after graduation is currently 95%. The college hopes to keep this number high as the world continues to advance technologically. This is the reason for the recent creation of the Department of Computing Security. This department looks to improve cyber security by combining the efforts of faculty and students from a wide range of fields, such as computer science, software engineering and information sciences and technologies departments.

The students and staff are experts in their fields, making a well-rounded, assorted security program. Between the creation of this department and the changes made to the college’s security-oriented degrees, RIT graduates are educated to better fit the criteria that modern employers have.

The nation as a whole depends on skills that involve strengthening cyber security. The United States relies heavily on technology for military and economic uses especially. Other countries are becoming increasingly technologically based as well, creating more potential threats to the U.S.

In the recent past there have been reports declaring that telecommunication equipment companies in China are a potential threat. This can increase China’s sabotage abilities to the point where they can render our military equipment useless and block forms of communication during a national crisis or war.

We are moving into an age where cyber security is becoming increasingly more important. RIT is working to make sure that the nation is equipped with intelligent individuals who can protect the public in the case of threats from other countries through technology.

Sylvia Perez-Hardy, chair of the Department of Computing Security, stated, “The interdisciplinary members of the faculty enrich the curriculum by addressing security-related issues that exist within their disciplines in order to offer the strongest, most diverse security degree in the country.”

Rochester Technology

RIT to get new data center security, paid security gigs for students

McAfee’s generosity has landed it in a sweet position with Rochester Institute of Technology for many years to come. The company donated $2.3 million in security hardware and software to RIT in an effort to enhance information security and research programs on campus. The generous donation will be used towards the establishment of a new data center located in Institute Hall as well as the McAfee Interlock Lab which will be launched in RIT’s B. Thomas Golisano College of Computing and Information Sciences.

These data centers will be available to the entire RIT community. The energy-efficient labs will provide the latest in processing and storage, high-speed networking, and server management. The McAfee Interlock Lab will also provide opportunities for students to perform research and learn more about endpoint, server, and mobile security.

One way McAfee is benefiting from this great partnership is the opportunity to showcase its world-class security solutions in a higher learning environment. As a security provider to one of the top computing and information technology universities in the country, McAfee will certainly get recognition from the media as well as other higher learning institutes. McAfee can also expect new recruits from RIT’s graduating classes within the College of Computing and Information Sciences. What better than to hire individuals who already have experience with the latest technology McAfee has to offer?

The main point of this collaboration is that McAfee will certainly provide more than just increased information security for RIT students. Ultimately, cooperative experiences will be available for students within the College of Computing and Information Sciences. These paid positions would include working on RIT’s information security and performing tasks in the data center itself—while working as McAfee employees.

In an interview with Buffalo news Channel 7, Mike Goffin, a 4th year Information Security student, discusses job opportunities in the field.

“I’ve already gotten several offers,” said Goffin. “There are always companies out there that don’t even know if they need security. It’s just really great to get the word out there so companies start to realize that they need to take it up a step. RIT is really providing those students to those companies.”

According to Goffin, the job market in the field of information security is growing and will continue to grow with better and newer technology that becomes available.

Through this brilliant partnership, both sides are sure to reap the benefits. RIT will improve its network security and have the tools to teach more effectively. By providing the opportunity and the technology, McAfee has established for itself a bounty of skilled and well-informed individuals who will be able to apply their knowledge of McAfee products and software their first day on the job.


An open vector? Notification emails are an invitation to malware.

Do you use email notifications on your various social networks to keep yourself abreast of things? New followers on Twitter? Comments on your Facebook pages or pictures? Sophos has recently announced that they’ve discovered at least one new malware threat that exploits just this kind of traffic:

“Be wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph,” Sophos’ senior technology consultant, Graham Cluley said in a blog post today.

“SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients’ computers with malware.”

Cluley highlighted how to spot the malicious email notifications by a tell-tale sign, as Facebook is misspelled as “Faceboook”, with three “o”s.

The misspelling of the name is probably a means to get around your anti-spam software.
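The misspelling that slips past an exact-match filter is also what a similarity check catches. The detection sketch below is an added example, not code from the original post or from Sophos; the brand list, field names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands whose notification emails this mailbox normally receives.
BRANDS = ("facebook", "twitter", "paypal")

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "tagged": 'From: "Faceboook" <notification@mail.example>\n'
              "Subject: You were tagged in a photo\n\nSee the photo.",
    "clean": 'From: "Facebook" <notification@facebookmail.example>\n'
             "Subject: You have a new friend request\n\nHello.",
    "payment": 'From: "Service" <service@paypa1.example>\n'
               "Subject: Confirm your account\n\nPlease confirm.",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def squeeze(word: str) -> str:
    """Collapse repeated letters, so 'faceboook' and 'facebook' compare equal."""
    return re.sub(r"(.)\1+", r"\1", word)


def lookalikes(text: str) -> list:
    """Tokens that resemble a brand name without being that name exactly."""
    hits = []
    for token in re.findall(r"[a-z0-9]+", text.lower()):
        for brand in BRANDS:
            if token == brand:
                continue  # the correctly spelled name is not a lookalike
            if squeeze(token) == squeeze(brand) or edit_distance(token, brand) <= 1:
                hits.append((token, brand))
    return hits


def scan(raw_message: str) -> list:
    """Return (field, token, brand) for each lookalike in the sender or subject."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg["From"] or "")
    fields = {
        "from-name": display_name,
        "from-domain": address.rpartition("@")[2],
        "subject": msg["Subject"] or "",
    }
    return [(field, token, brand)
            for field, text in fields.items()
            for token, brand in lookalikes(text)]


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan(raw))
```

A one-character tolerance also matches ordinary words that sit close to a brand name, so a hit like this is better used as one signal in a spam score than as a block rule on its own.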

But the real concern is this: whenever you start blending potential vectors for malware – email plus Facebook, for example – you’re doubling the chances of chaos reigning. That either email or Facebook are vectors for viruses is a given. Putting the two together is a recipe for disaster.

Neither is Twitter immune from this same vector. I’ve been in the habit of using emails to notify me of new followers and direct messages for a while, but I’ve begun to rethink that habit. You only need a reasonably well-fashioned phishing email with a link to follow a person to hook a dupe. And I have to admit that, as careful as I’ve always been with security, this has been a blind spot that I’ve taken for granted.

But then, Twitter’s “notification system” is basically non-existent, isn’t it? You can be notified of incoming DM’s if you’re on the web version, but clients including Twitter’s own TweetDeck have to wait in line to be informed of DM’s. Half the reason I have email notifications turned on is specifically because TweetDeck makes a legitimate direct message conversation a near impossibility.

If DM traffic were given a more instantaneous, priority access to the API, it would go much farther towards ending email notifications. For me, anyway, and I suspect I am not alone. In fact, a separate section in the API dedicated to *just* notifications of the type normally sent via email would be great. Currently, the only notification system in place is for tracking other users’ activities.

While it is far from a flawless plan, social networking sites would do well to consider ways of making sure email notifications are entirely unnecessary: find a way to make communicating with the platform entirely internal.

SECURITY Technology

DNS Changer malware: what you need to know

You may have heard about yet another new virus threat that’s making headlines today. As many news outlets have been reporting – with greater and greater urgency – there is a new form of “malware” that’s been loose for some time, but is about to make a much bigger impact on a lot of people’s lives. Basically, if you’ve got it, you’re not going to be able to get on the Internet after July 9th. Because the FBI is shutting things down.

Since a lot of the reporting I’ve seen locally has been… well, terrible… I thought I’d give you a quick run-down of what exactly is going on. Let’s start with the question on everybody’s mind:


The “DNS Changer” pest has been “in the wild,” meaning actively making its way through public networks and computers, for quite a while under various names. Its purpose was basically to redirect users trying to get on the Internet to bogus websites so that its creators could collect click-through ad revenue. The FBI and officials in Estonia arrested the perpetrators a while ago, but realized they had a big problem: if they shut down the servers that the malware was pointing to, everybody with the malware would get cut off from the web. The solution was to leave the servers running, but instead of pointing to the baddies, the FBI redirected traffic right back to where it was supposed to go in the first place.

All well and good, but there’s still a ton of computers – estimates are in the half-million neighborhood – with that virus, and the FBI can’t keep those servers running forever. Well, July 9th is the cut off date, so if you’ve got this little beastie running on your box, you better do something fast.

Malware? Is that like a virus?

Yeah, sorta.

The only real difference between most viruses and most malware – and to be clear, these terms border on slang, so the definitions tend to be somewhat fluid – is that viruses generally pose as some legitimate bit of software or data and infect silently. Malware generally attempts to cover itself with the veneer of legitimacy by talking you into voluntarily installing the software. Many veteran PC users will remember all those “start-up applications” that ran their PCs into the ground years ago. Stupid crap you thought you were being smart by installing. And by the way, it’s pronounced “male-ware,” not “mall-wear,” damnit. Think “malevolent” or “malignant.”

Regardless of the definition or how you got it, the point is: it sucks.

What is DNS and why did it change?

Ah, DNS, our old friend! Cornerstone to the Internet and so effective, most people don’t ever hear the term. This is especially clear when watching and reading local news on the subject, sadly.

DNS means Domain Name Service, and essentially, it’s the phone book of the Internet. Every domain name, such as and, refers to a computer or a network out there on the Internet. But which one? Well, your computer doesn’t know the answer to that, so it relies on DNS servers to provide that information.

When you tell your computer to go to, it actually asks one of these servers where is, the server responds with the correct address, and away you go. Typically, your computer would use DNS servers provided by your Internet Service Provider (Time Warner, Frontier, etc), but it doesn’t have to: you can manually set a different set of DNS servers to contact if you wanted to for some reason.

What the DNS Changer did was exactly this: it changed the server that your computer points to from a legitimate one to an illegitimate one. Those illegitimate DNS servers pointed you – not to the Google you know and love, but to bogus servers that look just like Google. You know all those ads on Google’s search pages? People pay money for you to click on them. But with the DNS Changer servers pointing you to bogus sites, all the money that would normally be collected by Google was instead collected by the owners of those servers. With half a million computers still infected, even after anti-virus software has been removing it for months, they must have made a lot of money.

And you can clearly see the long-term problem facing the FBI: if your computer is referring to the wrong “phone book” and that phone book goes away, where do you find all your beloved websites? You don’t. The solution was to just make the DNS servers report correct data, instead of the bogus stuff while people had an opportunity to fix their systems. And again: the FBI will be turning these servers off completely on July 9th.

Awesome. Now what?

Now you need to find out if you’ve got the DNS kruft and if so, get rid of it. If you’re not on a Windows computer, you’re probably safe. If you are:

  1. Run your antivirus software! I trust you have some, yes? Make sure it has been recently updated as well.
  2. Failing that, there is a website, , that will run a quick, software-free scan for you.
  3. has a resource page that will give you more information.
  4. Finally, many ISP’s including Time Warner are providing their own support. As a last resort, you might try calling them.
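Because the malware works by changing which DNS servers the machine points to, the same check can be done by hand: list the configured DNS servers and compare them with the ones you expect. The script below is an added example, not a tool from this post or from the FBI; it parses `ipconfig /all` output and flags servers inside a rogue range. The range, the expected-resolver list and the sample output are constructed placeholders, and the real rogue ranges have to come from the advisory you are working from.

```python
import ipaddress
import re

# PLACEHOLDER range (documentation address space), not a real indicator.
ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: the resolver this network is supposed to use (home router / ISP).
EXPECTED = {ipaddress.ip_address("192.168.1.1")}

# Constructed sample of `ipconfig /all` output.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
"""

# "   Key . . . . : value" lines; the dotted filler always precedes the colon.
KEY_VALUE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]+: ?(?P<value>.*)$")


def _as_ip(text: str):
    """Parse an address, dropping an IPv6 zone suffix such as %1; None if not an IP."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(text: str) -> dict:
    """Return {adapter name: [ip, ...]} from `ipconfig /all` output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            in_dns = False
            continue
        if not line[0].isspace():
            # Unindented line: an adapter header ends with a colon.
            header = line.rstrip()
            current = header[:-1] if header.endswith(":") else None
            in_dns = False
            continue
        addr = _as_ip(line)
        if in_dns and addr is not None and current:
            adapters.setdefault(current, []).append(addr)  # continuation line
            continue
        match = KEY_VALUE.match(line)
        in_dns = bool(match) and match["key"].strip() == "DNS Servers"
        if in_dns and current:
            first = _as_ip(match["value"])
            if first is not None:
                adapters.setdefault(current, []).append(first)
    return adapters


def audit(adapters: dict) -> list:
    """Classify every configured resolver as ROGUE, UNEXPECTED or ok."""
    findings = []
    for adapter, servers in adapters.items():
        for ip in servers:
            if any(ip in net for net in ROGUE_RANGES):
                verdict = "ROGUE"
            elif ip not in EXPECTED:
                verdict = "UNEXPECTED"
            else:
                verdict = "ok"
            findings.append((adapter, str(ip), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dns_servers(SAMPLE_IPCONFIG)):
        print(*finding, sep=" | ")
```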

Boilerplate preaching

I know you’ve heard this all before. But if you’ve got this little nasty, that is because you didn’t heed the advice. And hey: we all screw up from time to time. So… once more, this time with feeling:

Never install software unless you were planning on it. If something on the Internet tells you to install software in order to view content or improve your PC, that’s a red flag. Before installing anything from the Internet, you might first want to Google search the name of the application. If it even smells slightly off, there’s a blog post, a forum thread, or something else to wave you off. Most legitimate software that drives content on the Internet is going to be either pre-installed or easily-recognizable: Flash, Acrobat, maybe QuickTime.

And for the love of god, people, use your anti-virus! Keep it up to date, make sure you run scans once in a while – most anti-virus software actually allows you to schedule all this to run without you. But that doesn’t mean you shouldn’t check in from time to time.

Rochester Technology

Game theory: how RIT students beat some of IT security’s best minds.

On March 9th, an RIT team traveled to Franklin, Massachusetts to compete in the annual Northeast Collegiate Cyber Defense Competition. The competition tests students on their ability to protect and prevent computers and networks from being susceptible to hackers or viruses floating over the Internet. Without protection, a company’s private information could be stolen and released, or its network could be destroyed.

Upon arrival to the event, all 12 teams participating in the regional competition had their cell phones, cameras, USB drives and all other electronics taken away for the weekend. Each group of 8 was put in a room with 8 desktop computers, a router switch and a printer network for a total of 20 hours over the three-day weekend. Their mission was to hypothetically replace a previous IT team of a small company and make sure that their client, a blog site, was constantly up and running and safe from attacks by the “Red Team.” The “Red Team” was made up of a group of professionals who were assigned to break into the system and networks of the fake companies that the students were required to protect.

“The first fifteen minutes are critical because everything is wide open with no security in place,” 4th year Applied Network Systems Administration student Jeremy Pollard said. “Getting those first couple of actions to muscle memory is crucial.”

The RIT team set up triggers and alarms to monitor the network traffic, logging the information as website viewers or as someone trying to hack into the account. They used firewalls to protect the inbound and outbound traffic and were required to defend all outward facing nodes, storage, the website, emails and the network printer.

“In addition to securing the company’s current infrastructure,” 4th year Information Security and Computer Forensics student Neil Zimmerman explained, “we were required to build upon it by implementing new technologies, and to write policies to ensure future safety.”

For each attack that got through their system the team lost points. In order to gain these points back the team would need to complete an “instant response report” which explained what happened and how they fixed it.

The team believes they had a leg up on the competition because their teammate, 4th year Information Security and Forensics major Griffith Chaffee, competed on last year’s winning team. The team also believes this because they were taught how to configure systems and networks in school, as opposed to other teams who only knew how to program.

“We had experience from extensive lab work and co-ops,” Pollard said. “Other teams didn’t have any job experience,” Zimmerman agreed.

Although beating teams like Harvard University in the Northeast regional competition was a “nice feeling,” returning member Chaffee says the team still has a lot to prepare for.

“The computers outnumber you,” Chaffee said. “There are 12-16 computers so you really have to manage resources. Also, the red team is much, much better. The best in the business.”

So until the National round in April, the RIT team will be spending their free time practicing and learning things that they aren’t too familiar with. The team has also ordered new equipment to study and will practice having teammates take over for each other if one should become too overwhelmed.

“We are all from various backgrounds so we divide up work really well,” Zimmerman said.

They will be competing for the national title in Texas against nine other regional winners, including Texas A&M University, Air Force Academy, UNC Charlotte and last year’s winner, University of Washington.


Don’t let your computer feel as miserable as you do this Valentine’s Day

I never understood the overwhelming hatred of Valentine’s Day. Sure, I’m in a happy, healthy, loving relationship, which makes me a prime target for scorn today, as well as completely discredits anything I could possibly have to say about the holiday in general. Still, even during my single years, I never cared. Maybe I just grew up looking at the day differently than most. You don’t need a “lover” per se, you just need love, and I love a lot of things. Besides, it gave me an excuse to round up a bunch of my friends to get drunk and watch bad horror flicks – two of my favorite hobbies! Not to mention, um, it’s just a day.

Still, I’d like to think I’m compassionate and recognize I am very much in the minority with those feelings. Starting as early as a week ago, social media sites were beginning to overflow with dread of the impending day. Guys planning to drink whiskey in silence, girls planning to stay in bed with 4 pints of ice cream, and the incessant overuse of the words “cliché”, “Hallmark”, and “singles awareness”.

Okay, I get it. February 14th sucks big time. But does anything bad actually happen on Valentine’s Day that merits the preparation of the Apocalypse? Kind of. I don’t know about going that far, but historically, the day does have some messed up roots, most notably the 1939 Saint Valentine’s Day Massacre in Chicago and most recently, malware attack warnings in our humble little abode of Rochester.

That’s right. As if this day weren’t already annoying enough for the majority of the population, now we have to be cautious of what we do and don’t click on in our social networks! (Which, by the way, you should be doing anyway, but I know it’s a rough day, so I’ll save the lecture.) Yesterday, Aware Bear Computer Repair in Pittsford warned consumers to be apprehensive of Valentine’s Day themed links, messages, and videos already circulating Facebook and Twitter. Andre Alves, Rochester native, as well as owner and founder of Aware Bear, stated:

“An apparently harmless message spreads in email messages with subjects like ‘I Love You So Much,’ ‘Inside My Heart’ or ‘You in My Dreams.’ The text of the email includes a link to a website that downloads the malicious code. The page is very simple and looks like a romantic greeting card with a large pink heart. Once it infects a computer, the worm sends out a large amount of emails, creating a heavy load on networks and slowing down computers.”

That’s just one of the social media viruses Aware Bear has faced this Valentine’s season, and apparently, there are many. Chances are, if you’re a V-Day hater, you won’t be likely to click on anything holiday-centric today, anyway. However, for those of you who either have a honey bunny or just simply don’t care, take the normal precautions you’d approach your online interactive decision-making with and double it.

Happy Valentine’s Day, All. Don’t worry, we’re already halfway through it until next year.


Apple sets about securing the mobile wallet future.

The site has an exhaustive discussion of what it says is a new Apple patent for security systems. H/T Schneier on Security

Here’s the problem: people don’t like passwords much. In fact, they hate them. Having to remember passwords for every stupid website is tedious, plus having to remember all those passwords for your job. But with the era of mobile phones you wave at the checkout counter to pay your shopping bill, the need to secure your little sidekick is more urgent than ever.

Beyond that, there is the trouble of setting a password for a device and then forgetting it. If you forget your password at work, a bored and modestly irritated tech support guy can usually be torn away from his Angry Birds game long enough to reset it. If you forget the password of your favourite website, they all have means of resetting passwords via email.

But a password set on your mobile phone doesn’t have any means of resetting. That makes setting a phone password a bit dangerous, and as a result, most people don’t bother to do anything of the kind.

Apple’s solution is basically the idea of a charging station or other commonly-used accessory that holds a password recovery system embedded on it. A mobile device that is stolen in the field without this password reset system would be effectively disabled.

There are a lot of questions surrounding this type of system. Like: what happens if you lose or damage the charging station? And do people really want to go back to buying expensive charging stations when we’ve only just entered the world of plug type standards? Finally, the article makes the point that passwords are a big hassle. Agreed. But what about adding another device to your life – one that requires its own configuration at the time of purchase – makes handling passwords any easier or more likely?

Apple Invents an Ingenious Security System for the iWallet Era – Patently Apple.


All Social Nets is local: friending on #Facebook is a very provincial affair

Remember when you were told that there was this thing, called the Internet, that allows you to speak to anyone, anywhere in the world any time you like? Remember wondering what it would be like to have friends in China, which would surely happen, because of course, it was possible?

I’ll bet you’re still wondering that. Unless of course you already had friends in exotic locations.

Because as Nielsen reports today, despite the global reach of the Internet, Facebook users are extremely provincial when it comes to their choice of friends. Rather than the uber-national conclave envisioned decades ago, it turns out that when faced with genuinely social relationships online, we all trend to what we’ve always done in the past: stick to what we know.

82% of respondents to the Nielsen poll said that pre-existing meat-based relationships are the primary motivator for friending on Facebook. And of course, friend-of-a-friend relationships also play a big part in finding new friends online, just as they do in reality.

None of this is terribly surprising: trust is a big part of building friendships and it’s hard to imagine building genuine trust in the absence of at least some connection between you and whatever total stranger is on the other end of the cable. And the social nature of the modern web actually makes trust more important, not less.

For the rest of Nielsen’s revelations, have a look at their press release below:

Friends & Frenemies: Why We Add and Remove Facebook Friends | Nielsen Wire.