Tuesday, January 18, 2011
So the first thing I did was go to their website based on the email address. Oops! Just a standard Windows Live template - STRIKE ONE!
Next I did a whois on the domain, the name matched the name on the fax but - STRIKE TWO!! - the domain was registered just yesterday and domain privacy is enabled. Now I'm curious.
So I went to Google maps and put in the address and did a street view. Turns out it is a residential street with older one story inexpensive small ranch houses - STRIKE THREE!!!
Next I went to the State of Washington business lookup database and found there is no legal business registered by that name - STRIKE FOUR!!!! (anybody from the state of WA listening?)
Just for good measure I did some additional Google searches and found out this person has registered 104 domains - STRIKE FIVE!!!!!
The fax wanted availability of items, pricing, method of payment and contact person (name, phone...) - this gives the phisher a name and possibly an email for their database, if they are a phisher. They wanted the quote faxed back, which confirms for them that the original fax number (mine) was good, and possibly gives them a new fax number as part of the faxed-back quote.
What are they doing? Good question. Are they looking for additional contact info to build or verify their sucker list of fax numbers, email addresses, names and phone numbers? Who knows?
Phishing or fishy? Definitely fishy if nothing else.
Friday, January 14, 2011
I spent a good deal of time this week looking for a better solution. I looked at storing the registration information in a common area, but that presents its own problems. I found a suggestion on a forum that made sense and worked: create the registry key in HKLM with read/write permissions for the EVERYONE group during installation. Why during installation? Because when an installer is run, it runs at higher privileges (administrator) than a normal user has.
So I have now modified the methods used to create the HKLM key during running of the installer so that the key has read/write privileges. This has been tested on all versions of Windows that NetScanTools Pro v10 supports: 7 down through 2000, also on Server 2003 and 2008. Now any privilege level user should be able to complete the registration process without a problem. You still need admin privs to install the software - I can't change that.
Along the way I learned a bit about SIDs, ACEs, ACLs and security descriptors, and how to apply them to registry keys using SetSecurityDescriptorDacl, RegCreateKeyEx and RegSetKeySecurity. Complicated.
The installer for NetScanTools Pro v10.98.1 was modified to include this change and published on Jan 13, 2011 at 3:53pm Pacific Time.
Tuesday, January 11, 2011
The SNMP engine was upgraded to v5.5. The complete effects of this are unknown, but may help out some mappings due to different SNMP implementations. I've been using this version of the SNMP engine for several months in the development of NetScanTools Pro v11.
The SQLite DLL was upgraded to 3.7.4. SQLite is arguably the most widely distributed non-client/server database engine. It's in your iPhone, Firefox and more.
Other changes were also important but less recognizable. We had one user who had problems with the Switch Port Mapper hanging up. Together we found that it was a corrupted snmp.tmp file. This new version deletes that file automatically when you exit the software and also deletes the html report .tmp file.
Another user had a strange problem a couple of weeks ago, and it was what accelerated this release. Someone at his university had a Mac with a dynamically updated DNS name of "John's MAC" (with the double quotes). First of all, DNS names are not supposed to contain single quotes or spaces - it is a violation of the DNS RFCs - why the DNS server accepts them I have no idea. When our software tried to execute the SQL command with that extra quote, it failed, because single quotes delimit strings in SQL. So now our software removes single and double quotes returned by DNS.
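As an added example (not the Switch Port Mapping Tool's own code), here is the failure described above reproduced against SQLite in Python, beside the parameter-binding approach, which stores the name unchanged instead of stripping quotes; the table layout and the MAC/IP values are made up for the example.

```python
import sqlite3

# Constructed sample: a reverse-DNS answer of the kind the post describes.
HOSTNAME_WITH_QUOTES = '"John\'s MAC"'

def open_db():
    """In-memory table standing in for the tool's host database (layout is made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (mac TEXT PRIMARY KEY, ip TEXT, dns_name TEXT)")
    return conn

def insert_by_concatenation(conn, mac, ip, dns_name):
    """Fragile: the DNS name becomes part of the SQL text, so the single quote in
    John's closes the string literal early and SQLite rejects the statement."""
    sql = "INSERT INTO hosts VALUES ('%s', '%s', '%s')" % (mac, ip, dns_name)
    conn.execute(sql)

def insert_with_parameters(conn, mac, ip, dns_name):
    """Robust: the value is bound separately from the statement text, so quotes,
    spaces or anything else DNS hands back are stored verbatim."""
    conn.execute("INSERT INTO hosts VALUES (?, ?, ?)", (mac, ip, dns_name))

def lookup(conn, mac):
    """Return the stored DNS name for a MAC address, or None."""
    row = conn.execute("SELECT dns_name FROM hosts WHERE mac = ?", (mac,)).fetchone()
    return row[0] if row else None

def demo():
    """Return (concatenation_failed, name_stored_by_binding) for the quoted hostname."""
    conn = open_db()
    failed = False
    try:
        insert_by_concatenation(conn, "00:11:22:33:44:55", "192.0.2.20", HOSTNAME_WITH_QUOTES)
    except sqlite3.OperationalError:
        failed = True  # the parse error the post's user ran into
    insert_with_parameters(conn, "00:11:22:33:44:66", "192.0.2.21", HOSTNAME_WITH_QUOTES)
    return failed, lookup(conn, "00:11:22:33:44:66")

if __name__ == "__main__":
    print(demo())
```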
The final important change was to the way VLANs were handled. The change corrected the VLAN results shown when you map a Cisco Small Business SF 300-08 switch. Previously, 'extra' VLANs such as VLAN 0, which doesn't exist, were listed.
In case you are wondering, the Managed Switch Port Mapping Tool is Windows compatible software used to discover MAC and IPv4 addresses of devices connected to an SNMP managed network switch. If any of this interests you, please visit http://www.switchportmapper.com/ or http://www.netscantools.com/spmapmain.html
Thursday, January 6, 2011
The methodology of shortened URLs is fairly straightforward. When you access the shortened URL, the shortened URL provider's web server sends back an HTTP 301 Moved Permanently message with the new location URL. You can clearly see it in the two examples below - I used NetScanTools Pro's URL Capture to grab the text. Your web browser will not show these hidden headers, and it will act on them before you have a chance to think about the final target URL. That's why I used the tool in NetScanTools Pro - it grabs only the text and does not accept anything else like scripts or images.
This first methodology used by tinyurl.com is the simplest. It only sends back the 301 redirect message.
Starting Timestamp: 01/06/11 22:06:18
Input URL: http://tinyurl.com/37dnopw
Web server IPv4 address: 188.8.131.52
***###Received Web Page text begins after this line###***
HTTP/1.0 301 Moved Permanently
X-tiny: cache 0.00097513198852539
Date: Fri, 07 Jan 2011 06:05:40 GMT
The next methodology, used by the bit.ly URL shortening service, is a bit more involved. Not only does it send back the HTTP 301 Moved message, it also provides a web page with the redirected target link embedded, just in case the web browser does not follow the 301.
Starting Timestamp: 01/06/11 22:06:40
Input URL: http://bit.ly/i9TxQY
Web server IPv4 address: 184.108.40.206
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
...web page omitted...
There are plugins for Firefox and other browsers which do that first step of contacting the URL shortening server, then present the final target to you - and it's your decision whether to continue. I have shown the mechanism and how to use our software to see it. This text-only URL capture tool is not only in NetScanTools Pro, it is also in NetScanTools LE (law enforcement).
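An added example, not NetScanTools code: a small Python routine that reads a capture in the layout shown above and reports the status code, the Location header and any link in a fallback page, without fetching anything, so the target can be judged before a browser would act on it. The sample capture, its Location value, the link and the host names are constructed, since the captures above are cut off before the Location line.

```python
import re
from html.parser import HTMLParser

# Marker that separates the tool's bookkeeping lines from the captured response.
CAPTURE_MARKER = "***###Received Web Page text begins after this line###***"

# Constructed capture in the same layout as the ones above; the Location value,
# the link and the host names are made up.
SAMPLE_CAPTURE = """Starting Timestamp: 01/06/11 22:06:40
Input URL: http://short.example/abc123
Web server IPv4 address: 192.0.2.10
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Content-Type: text/html; charset=utf-8
Location: http://www.example.com/landing

<html><body><a href="http://www.example.com/landing">moved here</a></body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in a fallback page body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def inspect_capture(capture_text):
    """Return (status, location, body_links) from raw capture text, fetching nothing."""
    _, _, response = capture_text.partition(CAPTURE_MARKER)
    response = response.lstrip("\r\n")
    parts = re.split(r"\r?\n\r?\n", response, maxsplit=1)  # blank line ends the headers
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    lines = head.splitlines()
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    status = int(match.group(1)) if match else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    collector = _LinkCollector()
    collector.feed(body)
    return status, headers.get("location"), collector.links

def is_redirect(status):
    """True for the redirect codes a browser would act on before showing anything."""
    return status in (301, 302, 303, 307, 308)
```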
This release was posted around noon today and it includes the following changes:
-Notes field can now accept much more information than in previous versions.
-Packet Capture now parses Spanning Tree Protocol and HP switch protocol, and makes sure WinPcap uses the interface IPv4 address in the event that IPv6 is also enabled on the computer.
-Updated left panel control icon images.
-Updated dates to 2011.
-Updated SQLite DLL to version 3.7.4.
-Updated database files.
Wednesday, January 5, 2011
NetScanTools Pro 10 only writes to one specific portion of HKLM, and it only does that when you complete your registration (Validate and Save) or if you change your Maintenance Plan expiration date or Email Address using About/Edit Maintenance Plan. If you try that on Windows 7 64-bit with normal administrator or user privs, you get an error that it cannot write to the registry. It does not write to HKLM in the normal course of program operation; those registry writes go to HKEY_CURRENT_USER (HKCU).
The next release 10.98.2 will address this by giving a much more descriptive message explaining that in order to complete the task, you have to exit and restart with 'run as administrator'. It will also have some other changes to address some things we recently learned about the SNMP toolset.
We are working on 10.98.2 and should have it done shortly.