
Defensive Computing

September 10, 2008 10:17 PM PDT

Be skeptical or be a victim

by Michael Horowitz

On the Internet people lie to you all the time. Back in April, I wrote that the most important aspect of Defensive Computing may very well be skepticism.

For the second time in the last few days, I received a phony e-mail message purporting to be from the package delivery company UPS. A skeptical person would have deleted the message, and good thing too, because odds are that anti-malware software on a Windows* computer would not have protected the trusting or inexperienced user who believed the scam.

The first thing to be skeptical of is the From address. Never trust the From address in an e-mail message; it is easily forged. Digging into the e-mail headers showed that the message, shown below, actually came from a computer at IP address 121.139.93.144.

Civilians (meaning someone not involved in law enforcement) cannot reliably trace an IP address to a city, let alone an exact address. However, tracing it to a country is, I believe, reliable: the message came from Korea.**


Subject: Problems with delivery

Unfortunately we were not able to deliver postal package you sent on September the 1st in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office

Thank you for your attention!
Your United Postal Service
http://www.ups.com


The attached file, ups_invoice.zip contained a single file, ups_invoice.exe.

The interesting thing here is the constant struggle of anti-malware companies to keep up with the latest malicious software.

I sent the EXE file to Virus Total and they had already seen it. Of the 36 anti-malware products they scanned it with, only 14 (39 percent) correctly flagged ups_invoice.exe as something to avoid. Among the free anti-malware programs, Avira's AntiVir correctly flagged it as bad, but Avast and AVG did not. McAfee missed it, as did NOD32, Panda, PC Tools, Sunbelt and Trend Micro.

Yes, this message was amateurish and a number of things give it away as phony. However, the next one may not be so obvious and anti-malware software will always be imperfect. Thus, skepticism may be your best defense.

Update September 12, 2008: Two more of these came today. Neither even bothered hiding the EXE file inside a zip file. I sent one of them to VirusTotal and, again, they had seen it before, this time about 20 hours prior to my uploading it. Initially, 17 out of 37 anti-malware products (46%) detected it as suspicious. When I requested VirusTotal to scan it again, 17 out of 36 products (47%) detected it as malicious. Beats me what happened to that missing anti-malware product.

*As is the norm, Mac and Linux users would have been protected as the malicious software was Windows based.
**The message initially passed through an e-mail server run by servage.net, which was probably innocent in all this.

See a summary of all my Defensive Computing postings.

May 3, 2008 3:47 PM PDT

Can you trust the Wall Street Journal's domains?

by Michael Horowitz

Last week I wrote that skepticism may be the most important thing you bring with you when dealing with the Internet. A few days later in the Wall Street Journal, Walter Mossberg said basically the same thing - "...the most insidious Internet security problems today rely on human gullibility, not tricky software."

His article, How to Avoid Cons That Can Lead to Identity Theft, included this advice "Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of."

The problem with this advice is twofold. First, the From address of an email message is very easily forged. You may get a scam message that seems like it came from a company you know, but really didn't. Also, identifying a company you know has its own issues.

Suppose, for example, you got an email message about a really cheap price for a subscription to the Wall Street Journal. The phony From address could well be subscriptions@wsj.com. Suppose too, that the scam sent you to the www.wsj.biz web site.

Many people know that the online version of the Wall Street Journal is wsj.com. But, wsj.biz has nothing at all to do with the newspaper or with Dow Jones. It belongs to Marc Gaines and the web page that currently displays is a temporary one that GoDaddy provides for their customers. The point being, Mr. Gaines can do whatever he likes with that website, including tricking people into thinking it offers cheap subscriptions to the newspaper. What better way to learn personal information such as name, address, phone number and credit card number? Perfect for identity theft.

Just because a famous company owns the .com domain, it implies nothing at all about other domains.

In the case of the Wall Street Journal, Dow Jones owns wsj.net and wsj.us. However, wsj.info belongs to Seth Wilkof who is looking to sell it. Wsj.org is also a scam-in-waiting. Today, it is a temporary default web page, but it belongs to someone named Natalia Skuridina.

Even someone who doesn't know that wsj.com is the Wall Street Journal, certainly knows the organization behind wallstreetjournal.com. That's easy. But what about wallstreetjournal.net? And wallstreetjournal.org? They both belong to Dow Jones, but, that's where the good news ends.

It is not clear who owns wallstreetjournal.info, but Dow Jones definitely does not own wallstreetjournal.us or wallstreetjournal.biz.

You can see who registered a domain by doing a WHOIS lookup at the website of any registrar. For example, at Network Solutions, go to networksolutions.com/whois and at Register.com go to register.com/whois.rcmx.
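The check a mail filter (or a careful reader) can make before trusting a link follows from the wsj.biz example: reduce the link's host name to its registrable domain and compare it with the domains the company is known to control. The Python below is an added example, not code from the original post; the allow-list is constructed from the domains this post says Dow Jones owns, and the "last two labels" shortcut is a simplifying assumption that ignores multi-label suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Allow-list constructed from the domains this post says Dow Jones controls.
# A real deployment would maintain its own list per brand.
TRUSTED_DOMAINS = {
    "wsj.com", "wsj.net", "wsj.us",
    "wallstreetjournal.com", "wallstreetjournal.net", "wallstreetjournal.org",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. www.wsj.com -> wsj.com.
    Simplification (assumption): ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify where a link really goes, judged by its host name only.

    'trusted'   - registrable domain is on the allow-list (www.wsj.com)
    'lookalike' - same brand label under another TLD (wsj.biz), or a trusted
                  domain used as a sub-domain of something else (wsj.com.example.net)
    'unknown'   - none of the above; treat as untrusted
    'no-host'   - the URL has no host part at all
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    brand_labels = {d.split(".")[0] for d in trusted}
    if reg.split(".")[0] in brand_labels:
        return "lookalike"
    # A trusted name buried inside a longer host: ".wsj.com." inside ".wsj.com.example.net."
    if any(f".{d}." in f".{host}." for d in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("http://www.wsj.com/subscribe", "https://www.wsj.biz/cheap-offer",
              "http://wsj.com.example.net/login", "http://example.org/"):
        print(f"{u:40} {classify_link(u)}")
```

Only "trusted" is a reason to relax; both "lookalike" and "unknown" deserve the WHOIS lookup described in the paragraph above before anything is typed into the site.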

I focused on the Wall Street Journal, only because Walter Mossberg writes for the paper. The concept though, applies universally. I get bitten by it myself. Two websites that I visit are www.speakeasy.net and www.witopia.net. I don't, however, visit them often enough to train my fingers to type .net instead of .com. Neither company owns the .com version of their domain name.


March 20, 2008 2:00 PM PDT

An introduction to vishing

by Michael Horowitz

This introduction to vishing is offered in the hope that being aware of it makes you less likely to fall for a vishing based scam.

Vishing is short for voice phishing. Voice refers to the fact that the scam is perpetrated over the phone. Phishing is a scam designed to "criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity..." according to Wikipedia.

As people get less trusting (deservedly so) of email, the bad guys hope victims put more faith in phone numbers.

A recent article by Brian Krebs at WashingtonPost.com, The Anatomy of a Vishing Scam, describes a particular scam in detail and offers an education by example. In the case Brian describes, the initial contact with the victim was by text messaging to a cellphone, but it could just as well have been via email or instant messaging.

The crucial point is that just because someone or something says that a phone number belongs to a bank or credit union doesn't make it true.

In the old days, tracing a phone number to its true owner was no big deal. But now, according to Brian "the voice mail systems involved in these sorts of scams usually are run off of free or low-cost Internet-based phone networks that are difficult to trace and shut down."

The story is likely to be that something bad has happened to your bank account, or is about to happen to it, and unless you call the phone number immediately you can kiss your money good-bye. The scammer hopes the story will scare you to the point that you don't even consider the validity of the phone number.

Call your bank or credit union, but call the number in the phone book or on your statements. If it's a scam, they should appreciate the heads up. They may not, but they should.


December 19, 2007 10:02 AM PST

More about OpenDNS, including adult site filtering

by Michael Horowitz

My previous posting was an introduction to both DNS and OpenDNS. Here, I offer a brief review of the features and services offered by OpenDNS.

First though, let's consider what happens when DNS breaks. As noted previously, the DNS system translates computer names into IP addresses. So if it breaks, it may seem that your Internet connection is broken when in fact, it's fully functional. That is, from your ISP's perspective everything can be working fine, all the lights on your modem and router* can be normal, but still, you can't get to any Web sites without DNS being alive and well.

To see if DNS is the problem, try to access a few Web sites by their underlying IP address. Here are some to try:

CNET.com       http://216.239.122.51
chow.com       http://216.239.116.39
google.com     http://64.233.167.99
opendns status http://208.67.219.60

Speed and reliability

OpenDNS claims to be fast. I don't doubt this is true, but this is probably not reason enough to switch. For one, it may or may not be faster than the DNS servers you now use. And even if it is faster, the speed boost may not be noticeable (it wasn't to me). Still, it's not hard to find people who claim the Internet runs faster after switching to OpenDNS [here and here].

You can get a feel for the speed at SiteUptime, which offers a free Quick Check that can be used to compare the speed of OpenDNS with your current DNS servers. The OpenDNS DNS servers are 208.67.222.222 and 208.67.220.220. Its Getting Started page shows you how to determine your current DNS servers for many operating systems.

Take all these IP addresses to SiteUptime, choose the city closest to you, choose "DNS 53" in the drop-down menu, and enter an IP address in the "HostName or URL" box. When I tried this, the two OpenDNS servers responded in 0.010 and 0.009 second, whereas my ISP's DNS servers responded in 0.025 and 0.027 second. Your mileage will vary.

Unlike speed, reliability may well be a reason, in and of itself, to switch. OpenDNS operates servers in five physical locations, two on the East Coast of the U.S., two on the West Coast, and one in London. This is likely a much more robust setup than that offered by your ISP. It also accounts, in part, for its speed claims--it responds to queries from the location closest to you.

Phishing

Phishing protection is perhaps the most defensive computing reason to use OpenDNS. Heck, anything that helps prevent ID theft is a plus.

Of course, the latest versions of Firefox and Internet Explorer also include phishing protection. There should be no conflict between the protection from your browser and from OpenDNS.

Neither Mozilla nor Microsoft say where their phishing data (the list of known bad Web sites) comes from. In typical corporate-speak, Microsoft says it comes from "several industry partners." OpenDNS gets its list of phishing Web sites from PhishTank, a sister company it describes as "...a collaborative clearing house for data and information about phishing on the Internet." Anyone can report suspected phishing Web sites to PhishTank. And you've got to love the name.

Typos

Another type of intelligence added to the DNS name -> IP address translation involves typing mistakes. OpenDNS fixes a handful of common mistakes and sends you to the place you probably wanted to go in the first place. For example, typing www.javatester.og (missing r) will take you to javatester.org. So, too, will wwww.javatester.org (four leading w's) take you to my JavaTester Web site.

Five w's at the front is too much, though; that OpenDNS considers an error. But the error page wisely asks if you meant to go to javatester.org. OpenDNS users can get to CNET using either cnet.cmo or cnet.comm. Not earth-shattering, but all in all, a nice feature to have.
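To make the typo handling concrete, here is an added Python model of the behaviour just described. It is my illustration, not OpenDNS's code: the KNOWN_DOMAINS set and the TLD_TYPOS table are constructed for the example and stand in for whatever data the real resolver consults.

```python
import re

# Constructed stand-ins for the resolver's own data: names it knows exist, and
# the handful of spelling slips it is willing to correct silently.
KNOWN_DOMAINS = {"javatester.org", "cnet.com"}
TLD_TYPOS = {"og": "org", "ogr": "org", "cmo": "com", "comm": "com", "ocm": "com", "con": "com"}


def resolve_with_typo_fix(host: str, known=KNOWN_DOMAINS) -> tuple:
    """Model of the typo handling described above.

    Returns (status, host):
      'exact' - the name was fine as typed
      'fixed' - a recognised slip was corrected and the corrected name is returned
      'error' - nothing to correct automatically; the returned name is the
                'did you mean...' suggestion (or the input, if there is none)
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ("error", host)
    fixed = list(labels)
    silent = True
    # Leading 'w' runs: four w's are treated as 'www'; five or more are too far off
    # to fix silently, so the bare domain becomes a suggestion instead.
    if re.fullmatch(r"w{4}", fixed[0]):
        fixed[0] = "www"
    elif re.fullmatch(r"w{5,}", fixed[0]):
        fixed = fixed[1:]
        silent = False
    # Common mangled top-level domains: cnet.cmo, cnet.comm, javatester.og
    if fixed[-1] in TLD_TYPOS:
        fixed[-1] = TLD_TYPOS[fixed[-1]]
    candidate = ".".join(fixed)
    if ".".join(fixed[-2:]) not in known:
        return ("error", host)                  # cannot vouch for the corrected name
    if candidate == host:
        return ("exact", host)
    return ("fixed" if silent else "error", candidate)


if __name__ == "__main__":
    for name in ("www.javatester.og", "wwww.javatester.org", "wwwww.javatester.org",
                 "cnet.cmo", "cnet.comm", "www.cnet.com", "cnet.xyz"):
        print(f"{name:22} -> {resolve_with_typo_fix(name)}")
```

The important design choice is the final check against known names: a resolver that rewrote any unknown name into something plausible would be a way to misdirect users, so a correction is only offered when the result is a name the service can vouch for.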

Site blocking

If you sign up for an account at OpenDNS, then it can block Web sites for you. At home, this could be used to keep children from playing online games while they are supposed to be doing their homework. In a corporate setting, it can be used to prevent access to Webmail as a way of encouraging employees to use the corporate e-mail system. OpenDNS is able to, for example, block Yahoo e-mail (mail.yahoo.com), while still allowing access to the rest of Yahoo.

The bad news here is that I can't see how this blocking can be enforced. A knowledgeable computer user can simply change the DNS servers used by the operating system.

If you're dealing with children though, the "adult" Web site blocking might be very handy, and it's free. OpenDNS has partnered with the iGuard team at St. Bernard Software to provide it with a list of "adult" Web sites it claims is updated daily. How good is this list? Test it for yourself at opendns.com/support/adult/. If it blocks a Web site by mistake, you can override it using a white-listing feature.

Setting it up

The instructions for enabling OpenDNS on its site are pretty good, but they are click-here-type-this instructions and not defensively oriented.

One thing I would add to the instructions is to make a note of your current DNS servers so that, if need be, you can revert back to them. Also, if you have multiple computers on a LAN and want to kick the tires on OpenDNS before fully converting, then change only one computer to use the service.

Finally, you may think you have converted an entire network to OpenDNS, but all the ducks may not be in a row. Normally, computers on a LAN are assigned their DNS servers at the same time they are assigned an IP address, using a protocol called DHCP. Thus, the standard way to convert all machines to OpenDNS is by modifying the DHCP server software. In non-techie terms, this means making a configuration change to the router. However, it is possible for a computer to always use certain DNS servers regardless of DHCP. So after modifying the router, I suggest restarting each computer and verifying that it is, in fact, using OpenDNS.

Use OpenDNS

Its start page will tell you if OpenDNS is being used or not, as will its buttons page.

Making money

All the services described so far are free, as are a couple I skipped over. So how does OpenDNS make money? Quoting its Knowledge Base:

"OpenDNS makes money by offering clearly labeled advertisements alongside organic search results when the domain entered is not valid and not a typo we can fix. OpenDNS will provide additional services on top of its enhanced DNS service, and some of them may cost money. Speedy, reliable DNS will always be free."

Time will tell how profitable this is, if at all. The founder, David Ulevitch, claimed the company was "nearly profitable" back in July.

Wrapping up

OpenDNS is a service worth paying for. My hope is that ISPs will pay for it and brag about it as a way to obtain or retain customers. This would be a win for the ISP, which no longer needs to be bothered doing its own DNS, a win for their customers and a win for OpenDNS. The only loser would be the bad guys.

If you take the OpenDNS plunge, you're not alone. Its home page shows how many name -> IP address translations it is doing per second. The last few days it has varied between 37,000 and 46,000. Multiplied out, this comes out to more than 3 billion requests a day. Five months ago, it was handling only 1.4 billion requests a day.

Even if you don't use OpenDNS now, it can come in handy as an emergency fallback, should something go wrong with your current DNS servers.

* I wrote The blinking lights on a router are talking to you back in July.


December 15, 2007 8:54 PM PST

OpenDNS provides added safety for free

by Michael Horowitz

OpenDNS is a free online service that offers an extra layer of safety on the Internet. Technically, the service is DNS resolution, which I'll explain below. The main defensive computing advantage it provides is protection from bad Web sites, most importantly from phishing scams. ID theft is, to me at least, the worst thing that can happen to a computer user, so any extra protection helps. You also get some flexibility in deciding which other types of Web sites should be restricted.

You don't have to register to use the service, and there is no software to download or install. All that's involved is a change to the networking configuration of either your computer or your router. This is a one-time change--OpenDNS requires no ongoing care and feeding. Should you ever want to stop using the service, simply reverse the configuration change. I've used it for quite a while and fail to see a downside.

What is DNS resolution?

This topic can be a bit technical, but some background is required to understand where OpenDNS fits and how it can provide the services it does. I'll be as brief as possible.

Every computer on the Internet is assigned a unique number. Americans can think of it as a Social Security number for their computer. When two computers talk to each other on the Internet, they address each other using this number, which we nerds call an IP address. You can see the IP address of the computer you're reading this blog posting with by visiting www.ipchicken.com, whatismyip.com, whatismyipaddress.com, www.myipaddress.com or other similar Web sites.

Technically, an IP address is a 32-bit binary number (a bit is a binary digit). For example, when going to www.cnet.com, under the covers, your computer is talking to a CNET machine at this IP address: 11011000111011110111101000110011

For simplicity's sake, an IP address is written in decimal rather than binary. To make it especially simple, clumps of eight bits are converted to decimal and the four clumps are separated by periods. Thus, the standard way of representing the above IP address is 216.239.122.51 (without a dot/period at the end).


As proof, enter this IP address in the address bar of your Web browser as shown above. You will end up at cnet.com.*

Just as people have both names and phone numbers, computers on the Internet have both names (www.cnet.com) and IP addresses (216.239.122.51). DNS resolution can be thought of as a telephone book. It is the process of converting the name of a computer to its IP address.

DNS (Domain Name System) is a huge distributed system that functions amazingly well, especially considering the initial design predates the Internet as we now know it by many years.

When your computer goes to www.cnet.com (or any other Web site) it first obtains the IP address by making a translation request to a computer called a DNS server. The translation (technically DNS resolution) happens so quickly and transparently you are not aware of it.

DNS is a core service provided by every ISP which runs a pair of computers called DNS servers (at least a pair, maybe more). When you first connect to the Internet, you are assigned a pair of DNS servers. Should one fail, your computer automatically tries to use the other one. Windows Vista, XP and 2000 users can see this by entering the command "ipconfig /all" at a command prompt. Sample XP output from this command is shown below.

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Mobile...
Physical Address. . . . . . . . . : 10-12-24-D1-DE-C0
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.111.1
DHCP Server . . . . . . . . . . . : 192.168.111.1
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM
Lease Expires . . . . . . . . . . : Sunday, December 16, 2007 2AM
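The earlier posting's advice to restart each machine and verify that it really is using OpenDNS, because a computer can be pinned to particular DNS servers regardless of what DHCP hands out, can be turned into a small check over exactly this kind of output. The Python below is an added example, not code from the original post or from OpenDNS; the SAMPLE_IPCONFIG text is constructed in the style of the excerpt above, with one adapter that took OpenDNS from DHCP and a second, hand-configured adapter that still points at the router.

```python
import re

# The two OpenDNS resolvers named in the post.
OPENDNS_SERVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample in the style of the "ipconfig /all" excerpt above: one adapter
# picked up OpenDNS from DHCP, the other has a hand-configured DNS server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix .. : mydomain2
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.111.111
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220

Lease Obtained. . . . . . . . . . : Saturday, December 15, 2007 2PM

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix .. :
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.111.112
DNS Servers . . . . . . . . . . . : 192.168.111.1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_dns_servers(text: str) -> dict:
    """Map each adapter name to the list of DNS servers ipconfig reports for it."""
    adapters = {}
    current = None
    in_dns_block = False
    for line in text.splitlines():
        # Adapter headings are unindented, end with ':' and carry no dotted leaders.
        if line and not line[0].isspace() and line.rstrip().endswith(":") and " ." not in line:
            current = line.rstrip()[:-1].strip()
            adapters[current] = []
            in_dns_block = False
            continue
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + r")?", line)
        if m and current is not None:
            if m.group(1):
                adapters[current].append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            # Additional servers continue on indented lines holding only an address.
            cont = re.fullmatch(r"\s+(" + IPV4 + r")\s*", line)
            if cont:
                adapters[current].append(cont.group(1))
                continue
            in_dns_block = False
    return adapters


def check_opendns(adapters: dict, expected=OPENDNS_SERVERS) -> dict:
    """True for an adapter only if it has DNS servers and every one is an OpenDNS server."""
    return {name: bool(servers) and set(servers) <= expected
            for name, servers in adapters.items()}


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for adapter, ok in check_opendns(found).items():
        print(f"{adapter}: {'OpenDNS' if ok else 'NOT OpenDNS'} {found[adapter]}")
```

On a real machine you would pipe `ipconfig /all` into the parser; the point of checking every adapter separately is the one made in the earlier posting, that a laptop's wired, dial-up and wireless connections each carry their own DNS settings.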

As the name implies, OpenDNS runs their own DNS servers. To use their service, you change the TCP/IP networking software on your computer to point to their DNS servers instead of those from your ISP. OpenDNS provides excellent instructions for doing this.

Why OpenDNS?

Running DNS servers is not a trivial thing--there are many configuration options that need to be understood and correctly set up. In addition, speed and redundancy are critical issues. A cable TV company or a telephone company may not have the in-house expertise to do this well. OpenDNS is a specialist. Consider that the first reason to use them.

Hopefully, because they are specialists, their DNS servers will be more resistant to attack by the bad guys.

Nothing is worse than a compromised DNS server.

I don't say this lightly. If your computer is talking to a compromised DNS server, you can enter "www.citibank.com" (for example) into the address bar of your Web browser and not end up at Citibank's Web site, but instead be looking at a phony imitation Web site. Kiss your identity goodbye.

In addition to infrastructure, OpenDNS adds intelligence to the translation process that was not part of the original design of the DNS system. That intelligence, such as preventing you from accessing known bad Web sites, is the big selling point (if a free service can have a selling point). Next time, I'll go into more detail on the various types of protection offered by OpenDNS.

Let me end by pointing out that OpenDNS protection applies to your Internet connection. Any program that accesses computers by name will be protected, whether it be a Web browser, e-mail program, instant-messaging program, FTP or whatever. I mention this for a couple reasons.

First, malicious e-mail messages sometimes include links based on an IP address (e.g., http://1.2.3.4) rather than the name of the computer. Since referencing a computer by IP address does not involve DNS, you always have to be on the lookout for this, as the link is bound to be bad news.

Also, if you have multiple ways of connecting to the Internet on your computer, then you'll have to make the necessary TCP/IP configuration changes for each connection. For example, laptop users interested in OpenDNS should change the wired Ethernet, modem dial-up, and wireless Wi-Fi connection. The same heads-up applies to anyone using one of the wireless data services from a cell phone company.

To be continued...


Update. December 17, 2007: According to this article in the New York Times, OpenDNS was started with "... a $2 million investment from Halsey M. Minor, the former chief executive at CNET.com." I was not aware of this when writing this posting.



*It's actually more complicated than this. For example, multiple Web sites can share a single IP address, one computer can have multiple IP addresses and, in a LAN environment where multiple computers share a single high-speed Internet connection, only the router has an IP address on the Internet. The other computers have IP addresses, but these are IP addresses that have been set aside for internal use only, they are never used on the Internet.


November 11, 2007 1:41 PM PST

Is that e-mail message legit? How a computer nerd analyzes it

by Michael Horowitz

My clients often ask my opinion on whether an e-mail message is legitimate or not. The message below, asking for credit card information and claiming to come from Register.com, was a doozy, and a lot can be learned from analyzing it.

First, it addressed my client, who is a Register.com customer, by name and was sent to an e-mail address associated with a domain registered there. Both my client's name and e-mail address are publicly available. The message did not contain anything private such as an account number at Register.com.

[ LOGO HERE ]

We wanted to remind you that the credit card listed in your account is due to expire soon. Please take a moment to update your account information to prevent any lapse in your domain name registration or services.

Updating your credit card information is easy. Simply call 1.877.731.4442* today and our Web Consultants will be happy to help you.

We can assure you that your credit card information is safe with us. We're PCI compliant and maintain the highest security standards in the industry. Please call us today so that we can help you secure your services with Register.com.

As always, we thank you for your continued business.

Sincerely,
Sandy Ross
Director, Customer Service
* If calling outside the U.S. and Canada, please dial +1 902.749.5919

I left out the Register.com logo because I'm not sure of the copyright issues involved.
The logo looked legit, more on that later.

My gut reaction was that the message is a scam because:

  1. The domain name registration referred to in the message does not expire for two years
  2. The credit card on file does not expire for six months
  3. There is only a phone number


A company that registers domains for a living certainly can handle a simple thing like updating a credit card number on its Web site. I would expect a legitimate message to also include instructions for logging in to your account to update the credit card and a link, perhaps to this page, for doing so.

Voice phishing

Plus, this message fits a known pattern of scams that started appearing last year. In April 2006, Joris Evers of CNET News.com wrote:

"In a new twist on phishing, fraudsters are sending out e-mails that attempt to trick people into sharing personal information over the phone...the spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it...As a precaution, people should not dial phone numbers received in an e-mail message..."

The bad guys are hoping that a phone number won't raise the mental red flags that a link such as http://1.2.3.4 does. And, thanks to the latest versions of Internet Explorer and Firefox, even nontechnical computer users now have some measure of antiphishing protection.

This scheme goes by the names voice phishing, VoIP phishing and vishing. Voice over IP (VoIP) is included because the phone numbers use this technology rather than normal landlines. In part, this is because VoIP is cheaper; it may also be harder to track down the real owner of a VoIP phone number.

In his Security Fix column at WashingtonPost.com, Brian Krebs wrote in March of this year about an instance of voice phishing and warned "Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number..."

From who?

Many people make judgments about an e-mail message based on the from address. This is a big mistake. You can not trust the from address of an e-mail message. It is a trivial thing to forge. That's why I didn't bother to include it in the example.

I wrote about this before, but when even the aforementioned Brian Krebs gets this wrong, it needs to be stressed. A couple of days ago, an otherwise excellent posting of his about fake FTC e-mail messages, included this:

"If a message comes from someone you don't know, delete it. If it appears to have been sent from a friend or family member, reply to the message and ask for confirmation that the sender indeed meant for you to view that e-mail attachment."

You should treat all e-mail messages as if you don't know the true sender. Because, without evaluating the hidden headers, you don't. Repeat after me:

You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.
You can not trust the FROM address of an e-mail message.

Verifying the phone number

Checking the legitimacy of the phone numbers proved inconclusive.

At the home page of Register.com, clicking on Customer Support leads to the link for the Contact Us page, which lists eight different phone numbers. The e-mail message had two phone numbers, a toll-free 877 number and one in area code 902. Neither of these numbers appears on the Contact Us page.

A reasonable person would stop here and conclude the message is fake. But I continue.

A Web search on the toll-free number turned up some references to it in discussions about Register.com. On the other hand, the references were as far from official as can be; they were just made in passing by individuals griping about the company.

The search also turned up a link to this page at the Register.com Web site that does list the phone number.

So, it's legit? Maybe not. There is no date on this Web page, so it may be old. Register.com may have changed its phone number. And, if it is legit, why is it not on the main Contact Us page?

Techie stuff

These mixed signals led me to look under the covers, to examine the underlying header and source code of the e-mail message. Thunderbird, my preferred e-mail program, shows the source code with View -> Message Source.

The source code shows the true destination of the links in the message. Below is the source code for a link in the fine print at the bottom of the message.

To unsubscribe from Register.com marketing emails, please click
<a href="http://link.register.com/us/DWX065/8Z/ISNCO/QF7J4T/
YW5uZUBkZXByZXNzaW9uZmFsbG91dC5vcmc=/">
<font color="#000000">here</font></a>.

This link does go to Register.com. But that means nothing. It is not at all unusual for a scam e-mail message to include legitimate links. The only one that matters however, is the one the victim is directed to click on. In this particular case, all the links are irrelevant to determining the legitimacy of the message.

E-mail messages don't travel directly from the sender to the recipient. The header provides a bread crumb trail of the path taken by the message. It also offers clues to the real origin. Below is an excerpt from the header of this message.

Received: from [127.0.0.1] ([local])
  by bm1-11.ed10.com (envelope-from <DWX065-ISNCO-QF7J4T-H@register.bounce.ed10.net>)
    ...
Message-Id: <31795-740-DWX065-ISNCO-QF7J4T-H@e-dialog.com>

In one place it seems that the message was from e-dialog.com, in another it seems to have originated from a computer named register.bounce.ed10.net and passed through an e-mail server at bm1-11.ed10.com. Three different domains, and none of them Register.com.
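The header analysis done here, and the one in the September 2008 UPS posting above that traced a message to 121.139.93.144 via a relay at servage.net, can be mechanised. The Python below is an added example, not code from either post: it walks the Received: chain oldest-hop-first, picks out the address each server actually saw, collects the domains of the servers that handled the message, and asks whether the claimed From: domain appears anywhere in that path. The RAW_MESSAGE is constructed; its address literals are the ones the posts cite, while the host names, envelope sender, Message-Id and date are made up.

```python
import email
import re
from email.utils import parseaddr

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed message, modelled on the header fragments quoted in this post and on
# the UPS message in the September 2008 post above. Host names, the envelope sender,
# the Message-Id and the date are made up; the address literals are the ones cited.
RAW_MESSAGE = """\
Received: from mail.servage.net (mail.servage.net [203.0.113.5])
    by mx.recipient.example with ESMTP
    for <victim@recipient.example>; Wed, 10 Sep 2008 21:05:11 -0700
Received: from [121.139.93.144] (unknown [121.139.93.144])
    by mail.servage.net (envelope-from <bounce@mail.servage.net>)
    ; Wed, 10 Sep 2008 21:05:09 -0700
Message-Id: <constructed-0001@mail.servage.net>
From: "United Parcel Service" <tracking@ups.com>
To: victim@recipient.example
Subject: Problems with delivery

Please print out the invoice copy attached and collect the package at our office
"""


def parse_received(value: str) -> dict:
    """Pull the 'from' host, the 'by' host and the first bracketed IPv4 literal out of
    one Received: header. The literal is what the receiving server saw on the wire;
    the 'from' name is whatever the sending side claimed."""
    value = " ".join(value.split())                        # unfold continuation lines
    from_m = re.search(r"(?<![\w-])from\s+(\S+)", value)   # skip 'envelope-from'
    by_m = re.search(r"(?<![\w-])by\s+(\S+)", value)
    ip_m = re.search(r"\[(" + IPV4 + r")\]", value)
    return {"from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "ip": ip_m.group(1) if ip_m else None}


def received_chain(msg) -> list:
    """Hops oldest-first. Each server prepends its own Received: line, so the
    last such header in the message is the first hop."""
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def origin_ip(msg):
    """Address of the first non-loopback hop: the machine that handed the message to
    the first mail server. Only the lines added by servers you trust are reliable;
    anything below them could have been written by the sender."""
    for hop in received_chain(msg):
        if hop["ip"] and not hop["ip"].startswith("127."):
            return hop["ip"]
    return None


def base_domain(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def relay_domains(msg) -> set:
    """Domains of the mail servers that actually handled the message."""
    found = set()
    for hop in received_chain(msg):
        for key in ("from", "by"):
            host = hop[key]
            if host and not host.startswith("["):          # skip bare address literals
                found.add(base_domain(host))
    return found


def from_domain(msg) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return base_domain(addr.split("@")[-1]) if "@" in addr else ""


def from_address_corroborated(msg) -> bool:
    """Does the claimed From: domain show up anywhere in the delivery path?
    False is the usual result for a forged From: header."""
    return from_domain(msg) in relay_domains(msg)


def load(raw: str):
    return email.message_from_string(raw)


if __name__ == "__main__":
    msg = load(RAW_MESSAGE)
    print("claimed From:", from_domain(msg))
    print("servers in the path:", sorted(relay_domains(msg)))
    print("first hop address:", origin_ip(msg))
    print("From: corroborated by the path?", from_address_corroborated(msg))
```

A negative answer from from_address_corroborated is not proof of fraud (legitimate bulk mail is often sent through a third party, as the e-Dialog case in this post shows), but it is exactly the signal that should stop anyone from judging a message by its From address.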

Then too, there's that legitimate-looking logo mentioned earlier. The source code shows that it came from ed4.net. You can see it for yourself here.

Four different domains have their fingers in this message. Ugh.

Since the logo definitely came from ed4.net, I decided to focus on that. Its Web site belongs to e-Dialog. Public information about domain names is available from a system called WHOIS. A check of the WHOIS information for ed4.net at Network Solutions shows that the domain belongs to:
  e-Dialog
  131 Hartwell Ave.
  Lexington, MA 02421

This lends some credibility because it's neither hidden nor a post office box. I didn't bother checking if there really is such a company at that address. The domain ed4.net was first registered in 2000, which also lends it some credibility. Often the domain names used in scams are newly registered.

The underlying IP address for a Web site can be determined with a simple Ping command. In Windows, open a command prompt window and type "Ping www.ed4.net." Ping showed that the Web site resides at a computer whose IP address is 64.28.75.199.

Then, I plug this into www.ip-adress.com, which shows the physical location of an IP address. The Ed4.net Web site is in Waltham, Mass., and is registered to e-Dialog. Very legit looking.

But who or what is e-Dialog? Its site says it does e-mail marketing and its list of clients includes Register.com.

Finally, I check the return e-mail address, which is at custhelp.com. Who is custhelp.com? Names like this are often used in fraudulent e-mail messages. If the message legitimately came from e-Dialog, then why don't they handle the replies?

Needless to say, I go to www.custhelp.com to see if it's on the level. But there is no Web site with that name. Instead, I get redirected to www.rightnow.com. So, who is RightNow? They do "Customer Experience Software & Management: IVR, CRM, Sales Lead & Incident Management".

I give up.

Beats me if this message is legit. If it is, however, Register.com is making a big mistake by not displaying either of the two phone numbers in the message on its Contact Us page. Could they be that clueless? Either way, I wouldn't call the phone number. No need to take the risk.


Update November 13, 2007: According to Register.com this message is legit. Quoting them: "This email you received is in fact legitament. This email is generated and sent to you when your credit card information on your account is near or has passed expiring."


October 28, 2007 4:36 PM PDT

Test your e-mail program

by Michael Horowitz
  • 3 comments

My last posting, Defending against a phishing e-mail message, described a JavaScript trick bad guys use to make a link appear to go one place when it really goes somewhere else.

So that you can test whether your e-mail program (or Webmail system) falls for this type of forgery, I created a test e-mail message.

To receive my test e-mail message, send an e-mail to:

testmyemailprogram@michaelhorowitz.com


It does not matter what, if anything, is in the subject or the body of your message.

The test e-mail message contains a link that appears to go to CNET, but really goes to my personal Web site. When you move the mouse over the test link, you should see my personal Web site in the status bar. If, however, you see the silly message below, then your e-mail program is vulnerable to manipulation with JavaScript.


Hope you pass the test.

October 27, 2007 3:40 PM PDT

Defending against a phishing e-mail message

by Michael Horowitz
  • 2 comments

I previously made the case that Windows users should use Thunderbird for e-mail. When I got a fraudulent e-mail message on Saturday claiming to come from PayPal, Thunderbird offered two lines of defense.

The first was the big warning that the message might be a scam. Indeed it was.


The body of the message was a pretty standard phishing scam, with the usual typos and the true destination of the link hidden.

Please Update Your Account
Dear valued PayPal member:
It has come to out attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online services.
However, failure to update your records will result in account suspension. Please update your records on or before Nov 02, 2007.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your PayPal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-run


Thunderbird's second line of defense was not falling prey to the common practice of using hidden JavaScript code to hide the real destination of a link embedded in the message. In the screen shot below you see that the blue link appears to go to a secure PayPal login page.


This, however, is not the real destination of the link. When the mouse hovers over this link, Thunderbird shows the true destination in the status bar (shown above), a page at mardur.net. Some other e-mail programs reinforce the scam by showing the phony destination in the status bar. They willingly obey hidden JavaScript code. In this case, the code was:

<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>

The formula, so to speak, for the above trickery is this:

<a onmouseover="window.status='phony-destination';return true"
   onmouseout="window.status=''"
   href="real-link-destination">phony-destination</a>

The phony link destination is displayed initially. When the mouse is moved over the link, the "onmouseover" code is executed to modify the status line and make it show the phony link destination. When the mouse moves off the link, the "onmouseout" code resets the status line to not show anything.
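The trick above, and the self-test described in the "Test your e-mail program" posting, both come down to the same two tells: a mouse handler that writes to window.status, and link text that names one host while the href goes to another. Here is an added example, not code from the original posts, that scans an HTML message body for both. The sample body is constructed; it contains the phishing anchor quoted above (with its quoting repaired) and one placeholder help-page link for comparison.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the phishing anchor quoted in the post (with its
# quoting repaired) plus one ordinary link for comparison. The help-page link
# is a placeholder, not something from the original message.
SAMPLE_HTML = """\
<p>To update your PayPal records click on the following link:
<a onmouseover="window.status='https://www.paypal.com/cgi-bin/webscr?cmd=_login-run';return true"
   onmouseout="window.status=''" target="_blank"
   href="http://www.mardur.net/clickable/paypal-secure/costumers/connexion/login/index.html">
https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">our help pages</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect every <a> with its href, its visible text, and whether a
    mouse event handler on it touches window.status."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag != 'a':
            return
        attr_map = {name: (value or '') for name, value in attrs}
        self._open = {
            'href': attr_map.get('href', ''),
            'text': '',
            'status_script': any(
                name.startswith('onmouse') and 'window.status' in value
                for name, value in attr_map.items()
            ),
        }

    def handle_data(self, data):
        if self._open is not None:
            self._open['text'] += data

    def handle_endtag(self, tag):
        if tag == 'a' and self._open is not None:
            self.links.append(self._open)
            self._open = None


def host_of(text):
    """Hostname of a string that looks like an absolute URL, else None."""
    text = text.strip()
    if '://' not in text:
        return None
    return (urlparse(text).hostname or '').lower() or None


def audit_links(html):
    """Return one finding per link; 'reasons' is empty for links that look honest."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        real = host_of(link['href'])     # where a click actually goes
        shown = host_of(link['text'])    # what the reader is shown, if it is a URL
        reasons = []
        if link['status_script']:
            reasons.append('mouse handler rewrites window.status')
        if shown and real and shown != real:
            reasons.append(f'link text shows {shown} but href goes to {real}')
        findings.append({'href': link['href'], 'text': link['text'].strip(),
                         'real_host': real, 'shown_host': shown, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in audit_links(SAMPLE_HTML):
        flag = 'SUSPICIOUS' if finding['reasons'] else 'ok'
        print(f"{flag:10} {finding['real_host']}  {'; '.join(finding['reasons'])}")
```

Modern browsers and mail clients no longer let a script write to the status bar, so the first check mostly catches old-style messages like this one; the second check, visible host versus href host, is the one that keeps mattering, and it is exactly what Thunderbird's status bar let the author see by hand.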

FROM WHERE?


Everyone using e-mail needs to be aware that the FROM address of an e-mail message is easily forged. Very, very easily. To see where it really came from requires looking at the normally hidden header of the message. In this case, the header showed that it originated from HostGator.com. Specifically, it showed:

Received:
from innovas by gator133.hostgator.com with local (Exim 4.68)
  (envelope-from <innovas@gator133.hostgator.com>)

The header also shows the originating IP address. This particular message came from a computer with an IP address of 74.52.58.242. According to dnsstuff.com the machine is in Dallas, Texas, and owned by The Planet. In this case, not very helpful information.
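Both this header and the Register.com one earlier on the page were read the same way: walk the Received lines back to the first hop, note the IP address there, and list every domain that has its fingers in the message (From, Reply-To, Message-Id, the hosts in each Received line) to see whether the claimed sender appears anywhere in the delivery path. Here is an added example, not code from the original posts, that does that reading mechanically. The sample message is constructed: the Received line and the 74.52.58.242 address echo the fragments quoted in this post, while the recipient, From, Reply-To and Message-Id values are placeholders.

```python
import email
import re

# Constructed sample message. It is loosely modelled on the header fragments
# quoted in the post (the gator133.hostgator.com Received line and the
# 74.52.58.242 address); the recipient, From, Reply-To and Message-Id values
# are placeholders, not data from any real message.
SAMPLE = """\
Received: from gator133.hostgator.com ([74.52.58.242])
    by mx.recipient.example with ESMTP id 1Im3xZ-0001;
    Sat, 27 Oct 2007 09:12:44 -0700
Received: from innovas by gator133.hostgator.com with local (Exim 4.68)
    (envelope-from <innovas@gator133.hostgator.com>)
From: "PayPal" <service@paypal.com>
Reply-To: support@replies.custhelp.example
Message-Id: <20071027091244.1234@gator133.hostgator.com>
Subject: Please Update Your Account

Dear valued PayPal member: ...
"""

IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
ADDR_DOMAIN_RE = re.compile(r'@([A-Za-z0-9.-]+)')


def registrable(host):
    """Crude owning-domain heuristic: keep the last two labels, so
    register.bounce.ed10.net -> ed10.net. This is a simplification (it is
    wrong for suffixes such as co.uk) but it matches the post's reasoning."""
    labels = host.lower().strip('.').split('.')
    if len(labels) < 2:
        return None
    return '.'.join(labels[-2:])


def parse_received(value):
    """Pull the 'from' host, 'by' host, envelope sender and any IPv4
    addresses out of one Received header value."""
    value = ' '.join(value.split())  # unfold continuation lines
    hop = {'from': None, 'by': None, 'envelope_from': None, 'ips': []}
    m = re.match(r'from\s+(\S+)', value)
    if m:
        hop['from'] = m.group(1)
    m = re.search(r'\bby\s+(\S+)', value)
    if m:
        hop['by'] = m.group(1)
    m = re.search(r'envelope-from\s+<?([^\s>]+)', value)
    if m:
        hop['envelope_from'] = m.group(1)
    hop['ips'] = IP_RE.findall(value)
    return hop


def analyze(raw):
    """Return the originating IP (earliest Received hop that names one) and a
    map of owning domain -> where in the headers it appeared."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all('Received', [])]

    # Each relay prepends its own Received line, so the LAST one is the first hop.
    origin_ip = None
    for hop in reversed(hops):
        if hop['ips']:
            origin_ip = hop['ips'][0]
            break

    domains = {}

    def note(label, host):
        dom = registrable(host) if host else None
        if dom:
            domains.setdefault(dom, []).append(label)

    for i, hop in enumerate(hops):
        note(f'Received[{i}] from', hop['from'])
        note(f'Received[{i}] by', hop['by'])
        if hop['envelope_from'] and '@' in hop['envelope_from']:
            note(f'Received[{i}] envelope-from', hop['envelope_from'].split('@', 1)[1])

    for header in ('From', 'Reply-To', 'Return-Path', 'Message-Id'):
        value = msg.get(header)
        if value:
            m = ADDR_DOMAIN_RE.search(value)
            if m:
                note(header, m.group(1))

    path_domains = {d for d, where in domains.items()
                    if any(w.startswith('Received') for w in where)}
    from_domain = next((d for d, where in domains.items() if 'From' in where), None)
    return {
        'origin_ip': origin_ip,
        'domains': domains,
        'from_domain': from_domain,
        'from_seen_in_path': from_domain in path_domains,
    }


if __name__ == '__main__':
    result = analyze(SAMPLE)
    print('originating IP:', result['origin_ip'])
    for dom, where in sorted(result['domains'].items()):
        print(f'{dom:20} {", ".join(where)}')
    print('From domain seen in delivery path:', result['from_seen_in_path'])
```

The domain map is the mechanical version of "four different domains have their fingers in this message": a From domain that never shows up in any Received line is the same warning sign the author spotted by eye. Which organisation owns the originating IP still has to come from WHOIS or a geolocation service, as in the post.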

WHO GETS THE MONEY?


Unlike the FROM address and the link, the ultimate Web page destination is reliable. In this case the true destination was unusually obvious--a page at mardur.net. Who is mardur.net? There are two things about a domain that can be traced--the Web site and the domain name.

Based on the publicly available DNS servers for mardur.net, it's obvious the Web site is hosted at HostGator. Only HostGator knows who is paying for the account.

The public contact information for the domain mardur.net is

David Hayter (kgoodsoft@gmail.com)
+1.45443344
Fax: +1.565434534
South Street
Loave Sowna
Colombo, P 4543343
LK

I know of no way to verify this information. However, the domain was registered by NameCheap.com and they would know who paid for it. At times good Web sites get hijacked by the bad guys for these phishing scams, so we can't assume that David Hayter is a bad guy. It's a safe bet, however, that neither he nor mardur.net is PayPal.

Be careful out there.


Update. October 28, 2007: See my next posting Test your email program for more on this.

About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
