Two phishing¹ attempts made it through the work spam filter earlier this month, and they show the creativity of bad guys as they try to get access to your machine. The attempts at social engineering were interesting enough I thought I’d describe them here. We’re getting pretty close the line where we can’t tell a legitimate e-mail from ones with nasty side effects.

The Fake Bounced Message

Screenshot of a fake bounced e-mail message.

Received: from cyber.net.pk (124.72.91.188) by mail.lyrasis.org (10.10.10.2) with Microsoft SMTP Server id 8.1.436.0; Sun, 16 Oct 2011 06:48:44 -0400

The payload is in the ‘document.zip’ file. I downloaded it without opening it, and uploaded it to the Microsoft Malware Protection Center. It told me that it was a version of Mydoom — an old e-mail worm that installs a backdoor on your computer. Mydoom is listed on Wikipedia as dating from early 2004, so maybe this isn’t all new — but this is the first one I’ve seen leak through the e-mail firewall in quite some time.

Fake Scanner-to-Email Message

Screenshot of a fake e-mail message from a networked scanner.

In short — be careful out there everyone, and if you see something suspicious or unexpected, ask someone about it. (Oh, and keep your anti-virus and internet security software updated!)

Footnotes

1. I think these would be classified as spear phishing as defined by Webopedia: “A type of phishing attack that focuses on a single user or department within an organization, addressed from someone within the company in a position of trust and requesting information such as login IDs and passwords. Spear phishing scams will often appear to be from a company’s own human resources or technical support divisions and may ask employees to update their username and passwords. Once hackers get this data they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can thieve data.”

This morning the World Wide Web Consortium (W3C) announced the publication of the final report of the Library Linked Data Incubator Group. The abstract is reproduced below.

The mission of the W3C Library Linked Data Incubator Group, chartered from May 2010 through August 2011, has been “to help increase global interoperability of library data on the Web, by bringing together people involved in Semantic Web activities — focusing on Linked Data — in the library community and beyond, building on existing initiatives, and identifying collaboration tracks for the future.” In Linked Data, data is expressed using standards such as Resource Description Framework (RDF), which specifies relationships between things, and Uniform Resource Identifiers (URIs, or “Web addresses”). This final report of the Incubator Group examines how Semantic Web standards and Linked Data principles can be used to make the valuable information assets that library create and curate — resources such as bibliographic data, authorities, and concept schemes — more visible and re-usable outside of their original library context on the wider Web.

The Incubator Group began by eliciting reports on relevant activities from parties ranging from small, independent projects to national library initiatives (see the separate report, Library Linked Data Incubator Group: Use Cases). These use cases provided the starting point for the work summarized in the report: an analysis of the benefits of library Linked Data, a discussion of current issues with regard to traditional library data, existing library Linked Data initiatives, and legal rights over library data; and recommendations for next steps. The report also summarizes the results of a survey of current Linked Data technologies and an inventory of library Linked Data resources available today (see also the more detailed report, Library Linked Data Incubator Group: Datasets, Value Vocabularies, and Metadata Element Sets).

Key recommendations of the report are:

• That library leaders identify sets of data as possible candidates for early exposure as Linked Data and foster a discussion about Open Data and rights;
• That library standards bodies increase library participation in Semantic Web standardization, develop library data standards that are compatible with Linked Data, and disseminate best-practice design patterns tailored to library Linked Data;
• That data and systems designers design enhanced user services based on Linked Data capabilities, create URIs for the items in library datasets, develop policies for managing RDF vocabularies and their URIs, and express library data by re-using or mapping to existing Linked Data vocabularies;
• That librarians and archivists preserve Linked Data element sets and value vocabularies and apply library experience in curation and long-term preservation to Linked Data datasets.

I’m so happy to have been a part of the creation of this report. I think it is an important stake in the ground that documents where we are now and where we could be going with connecting library data to a wider world. There was such a huge interest in linked data at the American Library Association meeting this past summer in New Orleans that it was hard to keep track of all of the programs.

The question now becomes, “what next?” The W3C has a new type of work effort called Community Groups where work could continue, and there was some discussion on the Library Linked Data Incubator Group discussion list about continuing work as a community group. (To date, I don’t think anyone has stepped up to lead it.) Or is this something that IFLA or JSC could take on?

Last week I saw a post on the IETF Announcement List seeking feedback on the possible formation of a “Reputation Services” working group. That posting has more information, but the basic abstract is posted below. Now I will admit up front that I tend to see the world through librarian-colored glasses, but creating a mechanism that helps uses make a “meaningful choice about the handling of content requires an assessment of its safety or ‘trustworthiness’” sounds like something librarians should be involved with.

In the open Internet, making a meaningful choice about the handling of content requires an assessment of its safety or “trustworthiness”. This is based on a trust metric for the owner (identity) of an identifier associated with the content, to distinguish (likely) good actors from bad actors. The generic term for such information is “reputation”. This working group will develop mechanisms for reputation reporting by independent services. One mechanism will be for a basic assessment of trustworthiness. Another will provide a range of attribute/value data that is used as input to such an assessment. Each service determines the attributes it reports.

Various mechanisms have been developed for associating a verified identifier with email content, such as with SPF (RFC4408) and DKIM (RFC4871). An existing reputation query mechanism is Vouch-by-Reference (RFC5518). It provides a simple Boolean response concerning a domain name used for email. The current working group effort will expand upon this, to support additional applications — such as Web pages and hosts — and a wider range of reporting information.

The announcement points to five IETF internet standard drafts, the first of which is an overarching document: A Model for Reputation Interchange. In that document there are these statements:

It could also be useful in rating the security of web sites, the quality of service of an Internet Service Provider (ISP) or Application Service Provider (ASP), the customer satisfaction levels at e-commerce sites, and even things unrelated to Internet protocols, such as rating plumbers, hotels, or books. Just as human beings traditionally rely on the recommendations of trusted parties in the physical world, so too they can be expected to make use of such reputation information in a variety of applications on the Internet.

What do other people think? Could libraries serve as independent rating bureaus for content? That seems to be possible in this sort of framework. The deadline for comments on whether the IETF should form a working group is October 4th, which is roughly 24 hours after I post this message. If the working group is formed, though, I wonder if libraries should play a part in the development of the standard. I haven’t worked in the IETF process before, so I’d especially be interested in hearing the perspectives of any library technologists that work within the IETF.

I was doing some maintenance on the Amazon EC2 instance that underpins DLTJ and in the process managed to mess up the .ssh/authorized_keys file. (Specifically, I changed the permissions so it was group- and world-readable, which causes `sshd` to not allow users to log in using those private keys.) Unfortunately, there is only one user on this server, so effectively I just locked myself out of the box.

$ ssh -i .ssh/EC2-dltj.pem me@dltj.org
Identity added: .ssh/EC2-dltj.pem (.ssh/EC2-dltj.pem)
Permission denied (publickey).

After browsing the Amazon support forums I managed to puzzle this one out. Since I didn’t see this exact solution written up anywhere, I’m posting it here hoping that someone else will find it useful. And since you are reading this, you know that they worked.

Solution Overview

1. Stop the target EC2 instance (i-target).
2. Note the location of and unmount its root filesystem, and detach its EBS volume (vol-rootfs) from the target instance (i-target).
3. Attach the volume (vol-rootfs) on another EC2 instance (i-scratch) and mount the filesystem.
4. Change the file permissions (or whatever needs to be done).
5. Unmount the filesystem and detach the volume (vol-rootfs) from the other EC2 instance (i-scratch).
6. Attach the volume (vol-rootfs) to the target EC2 instance (i-target) and start it.

Assuming you’ve got all of the environment variables set up with the appropriate AWS credentials, these are the commands:

Stop the Target Instance

$ ec2-stop-instances i-target

Detach Root EBS Volume

$ ec2-describe-instances i-instance
INSTANCE	i-instance	ami-xxxxxxxx	ec2-[your-IP].compute-1.amazonaws.com	[...lots of other stuff....]
BLOCKDEVICE	/dev/sdh    vol-datafs      2011-07-12T01:37:21.000Z
BLOCKDEVICE	/dev/sda1   vol-rootfs      2011-07-12T01:37:21.000Z

In this case we need to remember /dev/sda1. (Note that we can ignore the vol-datafs — on my instance it is where the database and other data is stored. If you don’t know which volume is your root volume, you might be facing some trial and error in the steps below until you find it.) Now we detach it:

$ ec2-detach-volume vol-rootfs

Attach Volume Elsewhere

$ ec2-attach-volume vol-rootfs --instance i-scratch -d /dev/sdf

Now log into i-scratch and mount the volume.

$ mount /dev/sdf /mnt

Make Changes

$ chmod 600 /mnt/home/me/.ssh/authorized_keys

Unmount/Detach from i-Scratch

$ umount /mnt

Detatch from the scratch server.

$ ec2-detach-volume vol-rootfs

Reattach the Volume and Start the Server

$ ec2-attach-volume vol-rootfs --instance i-target -d /dev/sda1
$ ec2-start-instances i-target

After the instance starts, you should be able to log in. If not, go through the steps again and read the syslog files in /var/log to figure out what is going on.

The W3C Library Linked Data (LLD) Incubator Group invites librarians, publishers, linked data researchers, and other interested parties to review and comment on drafts of reports to be published later this year. The LLD group has been chartered from May 2010 through August 2011 to prepare a series of reports on the existing and potential use of Linked Data technology for publishing library data. The group is currently preparing:

• A report describing Benefits of LLD, an Overview of Existing Vocabularies and Data Sets, Relevant Technologies, Implementation Challenges, and Recommendations
• A survey report of use cases describing existing projects
• A survey report of Vocabularies and Datasets

Submitting Comments

The incubator group invites comments in one of two ways. Feedback can be posted as comments to individual sections on a dedicated blog. Comments can also be sent by e-mail to public-lld@w3.org using descriptive subject lines such as:

    Subject: [COMMENTS] "Benefits" - section on "Benefits to Developers"

Comments sent this way are archived in the public mailing list.

Comments will be especially welcome in the four weeks from 24 June through 22 July. Reviewers should note that as with Wikipedia, the text may be revised and corrected by its editors in response to comments at any time, but that earlier versions of a document may be viewed by clicking on the History tab.

It is anticipated that the three reports will be published in final form by 31 August.

Wandering into public or semi-public wireless networks makes me nervous because I know how my network traffic can be easily watched, and because I’m a geek with control issues I’m even more nervous when using devices that I can’t get to the insides of (like phones and tablets). One way to tamp down my concerns is to use a Virtual Private Network (VPN) to tunnel the device’s network connection through the public wireless network to a trusted end-point, but most of those options require a subscription to a VPN service or a VPN installed in a corporate network. I thought about using one of the open source VPN implementations with an Amazon EC2 instance, but it isn’t possible with the EC2 network configuration judging from the comments on the Amazon Web Services support forums. (Besides, installing one of the open source VPN software implementations looks far from turnkey.) Just before I lost hope, though, I saw a reference to using the open source DD-WRT consumer router firmware to do this. After plugging away at it for an hour or so, I made it work with my home router, a AT&T U-verse internet connection, and iOS devices. It wasn’t easy, so I’m documenting the steps here in case I need to set this up again.

Prerequisites

DD-WRT comes with support for a point-to-point-tunneling-protocol (PPTP) server. I know PPTP has some inherent security risks. At this point I’m just aiming to be harder for someone passively listening on the public wireless network to eavesdrop on my connections. I’m not doing anything ultra-sensitive that I need advanced encryption; I just don’t want to make it easy to watch what my devices are doing.

Setting up the AT&T U-verse Residential Gateway

1. Connect to the web interface of the residential gateway, select the Settings tab followed by the Firewall tab then the Applications, Pinholes and DMZ tab.
2. This screen has two steps: 1) Select a computer; then 2) Edit firewall settings for this computer. Click on the link to “Choose” the DIR-825 router (by name).
3. In the second step choose the “Add a new user-defined application” link. Use “PPTP” for the Application Profile Name.
4. Select “TCP” and put “1723″ in the From text box, under Application Type select PPTP virtual private network server and leave the rest of the boxes blank for the defaults; click on Add to List.
5. Repeat everything in the last step except choose UDP in place of TCP.
6. Click on the Back button to return to the Allow device application traffic to pass through firewall screen.
7. Select the Allow individual application(s) radio button, click on the User-defined applications list, pick “PPTP” from the Application List, and click on Add.
8. Click Save.

The U-verse residential gateway will now pass everything inbound on ports 1723/TCP and 1723/UDP to the D-Link router. You’re done with the residential gateway setup now.

Setting up the PPTP Service on DD-WRT

1. Log onto the DD-WRT web interface, select the Services tab then the VPN tab.
2. Enable PPTP Server, Broadcast support, and Force MPPE Encryption.
3. Put in the WAN IP (listed in the upper right corner of the web page) in the Server IP box. (Some instructions I have seen said that this can be left blank and the firmware will automatically pick it up. That didn’t work for me.)
4. For Client IPs, put in a range of LAN-side IPs that aren’t being used by the DHCP server. In my case I’m using “192.168.68.200-210″.
5. Put in one or more CHAP-Secrets. These are the username and passwords used on the PPTP client to connect to this server, and they follow a weird form: username-space-asterisk-space-password-space-asterisk. For example:

   username * password *

6. Leave Radius disabled.
7. At the bottom of the screen, pick Apply Settings.

The second step is the startup script:

1. Select the Administration tab then the Commands tab.
2. Put this in the Commands text box, then select Save Startup:

   #!/bin/sh
   sed -i -e 's/mppe .*/mppe required,stateless/' /tmp/pptpd/options.pptpd
   echo "nopcomp" >> /tmp/pptpd/options.pptpd
   echo "noaccomp" >> /tmp/pptpd/options.pptpd
   kill `ps | grep pptp | cut -d ' ' -f 1`
   pptpd -c /tmp/pptpd/pptpd.conf -o /tmp/pptpd/options.pptpd

3. Go to the Management subtab of Administration and at the bottom select Reboot Router.

This script comes from the PPTP Server Configuration page. The bulk of it is from the iOS 4.3 heading with the addition of the sed line to force encryption.

Configuring the iOS Device

iOS PPTP VPN Configuration

1. In the Settings app, choose General then Network then VPN.
2. Select Add VPN Configuration…
3. At the top choose PPTP and give this configuration a descriptive label.
4. For Server put in the IP address of your U-verse residential gateway. (Setting up something like Dynamic DNS with DD-WRT is left as an exercise to the reader.)
5. For Account put in the username field from the CHAP-Secrets text box above.
6. Leave RSA SecurID off and put in the password field from the CHAP-Secrets text box.
7. Under Encryption Level select Maximum.
8. Select Save in the upper right hand corner.

Now when you connect to a public network, before starting any applications that will access the internet, go into the Settings app and near the top will be a choice to turn on the VPN. Give it about five or six seconds to make the connection, and you’ll then see a blue VPN icon in the status bar at the top next to the WiFi icon.

Acknowledgements

[Update on 10-Jun-2011: The answer to the question of the title is "not really" -- see the update at the bottom of this post and the comments for more information.]

Yesterday Google, Microsoft Bing, and Yahoo! announced a project to promote machine-readable markup for structured data on web pages.

Many sites are generated from structured data, which is often stored in databases. When this data is formatted into HTML, it becomes very difficult to recover the original structured data. Many applications, especially search engines, can benefit greatly from direct access to this structured data. On-page markup enables search engines to understand the information on web pages and provide richer search results in order to make it easier for users to find relevant information on the web. Markup can also enable new tools and applications that make use of the structure.

- schema.org – Home

The problem is, I think, that the markup they describe on there site generates invalid HTML. Did they really do this?

Take this example from the Event description page:

< !DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Test</title>
</head>
<body>
<div itemscope itemtype="http://schema.org/Event">
  <a itemprop="url" href="nba-miami-philidelphia-game3.html">
  NBA Eastern Conference First Round Playoff Tickets:
  Miami Heat at Philadelphia 76ers - Game 3 (Home Game 1)
  </a>
 
  <time itemprop="startDate" datetime="2011-04-21T20:00">
    Thu, 04/21/11
    8:00 p.m.
  </time>
 
  <div itemprop="location" itemscope itemtype="http://schema.org/Place">
    <a itemprop="url" href="wells-fargo-center.html">
    Wells Fargo Center
    </a>
    <div itemprop="address" itemscope itemtype="http://schema.org/PostalAddress">
      <span itemprop="addressLocality">Philadelphia</span>,
      <span itemprop="addressRegion">PA</span>
    </div>
  </div>
 
  <div itemprop="offers" itemscope itemtype="http://schema.org/AggregateOffer">
    Priced from: <span itemprop="lowPrice">$35</span>
    <span itemprop="offerCount">1,938</span> tickets left
  </div>
</div>
</body>
</html>

The problem is in the first <div> line and the attribute ‘itemscope’ that has no value associated with it. If you copy-and-paste that markup into the W3 validator (using the “Validate by Direct Input” option and manually removing the space between the less-than sign and the exclamation point in the first line), it comes back with:

Line 7, Column 16: required character (found i) (expected =)

A bare attribute may be valid in some forms of HTML, but it certainly isn’t valid XML, and I think that will cause all sorts of problems down the line. Does anyone else see this as an issue?

Update

One of the great things about the Shibboleth inter-institution single sign-on software package is the ability for the Identity Provider to limit how much a Service Provider knows about a user’s request for service. (Not familiar with those capitalized terms? Read on for definitions.) But with this capability comes great flexibility, and with the flexibility can come lots of management overhead. So I was intrigued to see the announcement for an online webinar from the InCommon Shibboleth Federation with the title “The Challenges of User Consent” covering the issues of managing who gets access to what information about users.

From the webinar description:

Are you starting to see more requests from SPs seeking user attributes? Would you like to explore methods that would simplify the attribute release process?  You aren’t alone. Campuses are seeking a scalable approach to managing attribute release that will minimize admin involvement and allow users to access sites like those that support collaborative work and want such attributes as EPPN, name, and email.

Automating the user consent procedure, combined with metadata-driven attribute release, provides an approach that greatly simplifies this process for all parties, and allows users to reach sites without delay.

Join us for a discussion and demonstration from Brown University and the University of Southern California.

Host/Moderator: Tom Barton, University of Chicago and InCommon Technical Advisory Comittee

Presenters:
Steven Carmody, Brown University and InCommon TAC
Russ Beall, University of Southern California>

Lots more abbreviations and technical terms there, so here is a short primer:

Service Provider (SP)

A web server protected by Shibboleth that a user wants to access.

Identity Provider (IdP)

A web server that can authenticate a user (determine who the user is, typically with username/password) and store User Attributes.

User Attributes

Data about a user, including name, email address, affiliation status (student, employee, faculty, etc.), eduPersonPrincipalName, and TargetedIDs.

eduPersonPrincipalName (EPPN)

A string in the form of user@domain that uniquely identifies the user at an Identity Provider. (InCommon technical definition)

TargetedID

An opaque string stored/generated by the Identity Provider that is unique to each user and Service Provider pair. Passed as a User Attribute between the Identity Provider and the Service Provider, it can facilitate long-term user sessions at the Service Provider without revealing the identity of the user.

This is all stuff that as librarians we should be concerned about. Arguably, a Service Provider should only have enough information to satisfy the demands of a license agreement, and in most cases those demands can be satisfied with an assertion that a user is of a proper affiliation with a library (e.g. “patron” or “student” or “employee” or simply “member”). It is baked into the Shibboleth trust model that the Service Provider will honor the User Attributes presented by the Identity Provider.

What makes the announcement of this webinar interesting is that Service Providers seem to be asking for the non-opaque eduPersonPrincipalName attribute. I’ve long thought that TargetedID — an opaque/random string shared between the Identity Provider and Service Provider — is a much better answer to enabling privacy for functions like marked-item-lists, relevance ranking based on user search history, and other services that are unique to an individual. Because TargetedID doesn’t give away the person’s identity yet is guaranteed by the IdP to be unique to one person at one SP, it is ideal for situations when the SP doesn’t really need to know exactly who is making the request. (Sure, if a user coming to an SP with a TargetedID then gives the SP his/her name or e-mail address, then that person is no longer anonymous but that was a choice the user made.)

So I’m planning on tuning in next Wednesday to get caugh up on what is happening with User Attributes in Shibboleth-land. If you care about this kind of stuff, perhaps you can join me, too.

Thanks to everyone for participating in the first Code4Lib Virtual Lightning Talks on Friday. In particular, my gratitude goes out to Ed Corrado, Luciano Ramalho, Michael Appleby, and Jay Luker being the first presenters to try this scheme for connecting library technologists. My apologies also to those who couldn’t connect, in particular to Elias Tzoc Caniz who had signed up but found himself locked out by a simultaneous user count in the presentation system. Recordings of the presentation audio and screen capture video are now up in the Internet Archive.

Lessons Learned

Second, some comments I got were about cranky Java applets and applications. LYRASIS has two conference tools at its disposal — Java-based Centra and Flash-based Acrobat Connect — and I chose Centra because running Flash on LINUX is an issue. Maybe this will need to be revisited (or maybe there is another Java-based conference system that can do better).

Third, since we were not limited by space and other timing constraints, can the five-minutes-per-presenter limit be relaxed? I have mixed feelings about this; I think defined time limits promote better presentations, but the four presentations this first go-around went to the end of the five minute time limit and there was no opportunity for questions or audience interaction.

On the whole, it seemed like a positive experience from my perspective and from that of the feedback I’ve received so far. I’m going to start a conversation thread in Code4LibCon (where all of the Code4Lib meeting planning discussion takes place) to see if it is worthwhile to do again and to identify what should be done differently. If you are interested, please consider joining and contributing to the discussion. Or e-mail me privately and I’ll reflect your comments into the group discussion.

Footnotes

1. “In addition to the continuous maintenance of the standard described above, a comprehensive review of a database standard at regular intervals may be necessary which is organized in accordance with the rules in the ISO/IEC Directives and the ISO Supplement for the systematic review process.” Procedure for the development and maintenance of standards in database format. Annex ST of the ISO supplement to the ISO/IEC Directives.