Are you paranoid yet? Are you worried that the secret you shared anonymously might come right back to you? Or wondering why advertisements seem to follow you around from web page to web page? Or just creeped out by internet-enabled services tracking your every move? Or angry that mobile carriers made it very easy for anyone to track every page you visited from your smartphone? Or maybe you will simply give up any personal information for a delicious cookie? (Are you paranoid now?)
Someone out there on the internet is repeatedly hitting this blog’s /xmlrpc.php service, probably looking to enumerate the user accounts on the blog as a precursor to a password scan (as described in Huge increase in WordPress xmlrpc.php POST requests at Sysadmins of the North). My access logs look like this:
220.127.116.11 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 18.104.22.168 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 22.214.171.124 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 126.96.36.199 - - [04/Sep/2014:02:18:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 188.8.131.52 - - [04/Sep/2014:02:18:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 184.108.40.206 - - [04/Sep/2014:02:18:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 220.127.116.11 - - [04/Sep/2014:02:18:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 18.104.22.168 - - [04/Sep/2014:02:18:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
By itself, this is just annoying — but the real problem is that the PHP stack is getting invoked each time to deal with the request, and at several requests per second from different hosts this was putting quite a load on the server. I decided to fix the problem with a slight variation from what is suggested in the Sysadmins of the North blog post. This addition to the .htaccess file at the root level of my WordPress instance rejects the connection attempt at the Apache level rather than the PHP level:
Two weeks in a row! This week’s DLTJ Thursday Threads looks at how Twitter changed its timeline functionality to include things that it thinks you’ll find interesting. Next, for the academic libraries in the audience, is a report from the New Media Consortium on trends and technologies that will libraries will likely encounter in the next five years. Lastly, news about research into how USB devices can spread malware in ways we can’t detect.
Welcome to the revival of DLTJ Thursday Threads. With the summer over and the feeling of renewal towards this blog and its topics, I’m happy to be back sharing tidbits of technology that I hope you will find interesting. Today’s set of threads covers the gnarly security issues behind the bright-and-shiny chip-on-payment card systems being rolled out by banks and retailers in the U.S., a list of resources for checking things that you read about online, and a heads-up on changes to how your phone will work in the near future.
It is a security/privacy edition of DLTJ Thursday Threads this week. First a link to a 3-page PDF that talks about the use of password managers to keep all of your internet passwords unique and strong. Next a story about how the W3C standards body is looking at standardizing digital rights management for browser content. And finally, a story about a site that one personal data broker put up that gives you a glimpse of what they know about you.
Two phishing1 attempts made it through the work spam filter earlier this month, and they show the creativity of bad guys as they try to get access to your machine. The attempts at social engineering were interesting enough I thought I’d describe them here. We’re getting pretty close the line where we can’t tell a legitimate e-mail from ones with nasty side effects.
The Fake Bounced Message
This message has the appearance of being a bounced e-mail from a server called ‘cyber.net.pk’.
Part experimental, part disruption, and part heads-up in this week’s edition of DLTJ Thursday Threads. The first story is a proof-of-concept demonstration of a way to browse an “infinite” bookshelf of virtual items. Next is the announcement of how a content producer (Pearson) is trying to disrupt a deeply embedded technology company (Blackboard) by giving away a learning management system in the cloud. Last, a list of what researchers think will be the most prevalent computer security problems next year.
Wandering into public or semi-public wireless networks makes me nervous because I know how my network traffic can be easily watched, and because I’m a geek with control issues I’m even more nervous when using devices that I can’t get to the insides of (like phones and tablets). One way to tamp down my concerns is to use a Virtual Private Network (VPN) to tunnel the device’s network connection through the public wireless network to a trusted end-point, but most of those options require a subscription to a VPN service or a VPN installed in a corporate network. I thought about using one of the open source VPN implementations with an Amazon EC2 instance, but it isn’t possible with the EC2 network configuration judging from the comments on the Amazon Web Services support forums. (Besides, installing one of the open source VPN software implementations looks far from turnkey.) Just before I lost hope, though, I saw a reference to using the open source DD-WRT consumer router firmware to do this. After plugging away at it for an hour or so, I made it work with my home router, a AT&T U-verse internet connection, and iOS devices. It wasn’t easy, so I’m documenting the steps here in case I need to set this up again.
“How much effort do you want to spend securing your computer systems? Well, how much do you not want to be in front of a reporter’s microphone if a security breach happens?” I don’t remember the exact words, but that quote strongly resembles something I said to a boss at a previous job. Securing systems is unglamorous detail work. One slip-up plus one persistent (or lucky) attacker means years of dedicated efforts are all for naught as personal information is inadvertently released. See, for example, what happened recently with Sony Online Entertainment’s recent troubles.
Two entries on big data lead this week’s edition of DLTJ Thursday Threads. The first is at the grandest scale possible: a calculation of the amount of information in the world. Add up all the digital memory (in cell phones, computers, and other devices) and analog media (for instance, paper) and it goes to a very big number. The authors try to put it in perspective, which for me brought home how insignificant my line of work can be. (All of our information is still less than 1% of what is encoded in the human DNA?) The second “big data” entry describes an effort to make sense of huge amounts of data in the National Archives through the use of visualization tools. Rounding out this week is a warning to those who run public computers — be on the look-out for key loggers that can be used to steal information from users.