The DNS Changer: End of the Internet–or not

There has been a lot of talk in the news about this DNS Changer worm, and how it will cause people to lose their internet connection on Monday. I wanted to take a moment to clear some things up, as the news basically points you to the FBI’s site (and their information). The link to their information is here.

So, here we go…

  1. Originally, an estimated 14 million computers were infected with this malware. Through the FBI and ISPs sending out warnings, that number has decreased dramatically. Right now, in the US, it’s estimated that only 70,000 devices are infected. (Worldwide stats are available from the FBI.) This is why they’re shutting down the servers.

  2. The FBI set up its own DNS servers at the “rogue” IP addresses, because with so many infected computers it would have been catastrophic to shut the servers down cold. Imagine waking up to find that over 14 MILLION people had suddenly lost internet access.

  3. Basically what’s happening is this: DNS is like calling directory assistance to get someone’s phone number. Your browser does this when it doesn’t know the address (think phone number) of a website. The malware changed those “directory assistance” numbers to its own set. So it’s as if you were calling a special number for directory assistance, and they gave you whatever numbers they wanted you to dial (not necessarily the number of the person you were trying to call). Or they gave you a number that would charge your phone bill on their behalf (like using a phone card to call).

In DNS terms, when you typed in a site name your browser could be sent to an ad site, a porn site, or something else. If you did a search, the results could be swapped for links to malicious sites (where you could be infected with other malware), or the ads on a legitimate site could be replaced with their own (since your browser had to get the ads from somewhere). It was hinted that the malware would also capture your passwords, but I haven’t seen anything openly saying that. Either way, anyone infected with any malware will want to change their passwords after cleaning their computer.

** Another common analogy for DNS is like sending a letter through the Post Office, but to be honest, I’m not sure how this would play out in that scenario.

How do you know if you’re infected with the worm?

The easiest way to check your computer is to visit this site and follow their steps. They have a page which will tell you (via a green or red background on a picture) whether you’re infected. One drawback: if your ISP intercepts or rewrites DNS traffic, that page can report you as clean even though your settings still point at the rogue servers. The manual check below looks at the settings themselves, so it doesn’t have that problem.

As for what to check on your computer, here’s what to do:

For Windows Users:

  1. Click the Start orb, and type cmd in the bottom box (where it says “Search”).
  2. Click on Command Prompt (or cmd) in the results at the top.

** These instructions are mainly for Windows Vista/7 users. In older versions of Windows, it would be the Start button, then Run…, and type cmd. In all versions of Windows you can also press the Windows key and the R key at the same time, and type cmd in the “Run…” box that pops up.

  3. Type in ipconfig /all (or copy and paste from this post) and hit Enter.

You’re going to get a lot of information on the screen. What you’re looking for will say something like this:

Local Area Connection (Ethernet)
IP Address: 192.168.x.x (could be something like
Subnet Mask:
Default Gateway: 192.168.x.1 or 192.168.x.254 (whatever the IP Address from your modem or router is)
DNS Servers:

*** Those DNS Servers entries are what you’re looking for ***

What the linked page says to do is compare each DNS server address against the table one group of digits (one octet) at a time: look at the first group; if it’s in the table, look at the second; if that’s in the table, look at the third, and so on. If at ANY point you find a group that is not listed in their table, you can stop; that server is not one of the rogue ones, even if it differs by a single number. What the comparison is really establishing is whether the whole address falls between the first and last address of one of the ranges in the table, so if you’re unsure about a server, check it that way.

Here is the table that they are referring to.

Rogue DNS Servers (six address ranges, each listed as a start address through an end address)

If your DNS Servers are the same as your “Default Gateway” up above, then you need to log into your modem and check them from it. If you have just a modem, then you’ll probably want to call your ISP for help with this. Unless of course, you’ve logged into it enough times that you know what to do. If you have a separate router (like a Linksys, Cisco, or Netgear router for example) that your computer is plugged into, you should be able to go to their site and get information on how to log in. The steps here are general (as the pages and passwords are different for each router).

  1. In your browser, type in the IP address of your Default Gateway and hit Enter.
  2. On the screen that comes up, type in the username and password for your router. (NOTE: if you haven’t changed these from the defaults (usually admin for both), YOU NEED TO DO THAT!)
  3. You will be presented with the setup screens for your router. Look for the DNS information screens (check your Status screens first; if the DNS entries aren’t there, or are the rogue entries, then look for where to configure them).
  4. If your DNS entries are the rogue entries from the table, change them back to “good” ones (or follow whatever steps are needed to have your ISP provide them automatically). Personally, I recommend using public DNS servers (OpenDNS or Google Public DNS, for example), but it’s your decision whether to use your ISP’s or not.

Apply the changes, and restart your computers after the modem/router restarts. You should be all set for Monday.

For Linux users, check your /etc/resolv.conf file to see whether it lists the rogue DNS servers, or check your network connection settings (or the router/modem). If resolv.conf only points at 127.0.0.1, a local caching resolver (such as dnsmasq) sits in front of the real servers, so check that resolver’s upstream configuration instead.
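As an added example that is not part of the original post, here is a small script that does the comparison described above for both the Windows ipconfig /all output and a Linux /etc/resolv.conf, matching each whole address against the table’s ranges rather than going octet by octet. The rogue ranges in it are placeholders from the RFC 5737 documentation address space (substitute the ranges from the FBI’s table before relying on it), and the two sample outputs are constructed, not captured from a real machine.

```python
# Added example (not from the original post): compare configured DNS servers
# against a table of rogue address ranges, for both "ipconfig /all" output on
# Windows and /etc/resolv.conf on Linux. The ranges in ROGUE_RANGES are
# PLACEHOLDERS from the RFC 5737 documentation space; substitute the ranges
# from the FBI's table before relying on the result.
import ipaddress
import re

# Placeholder ranges, written the way the table lists them: first address
# "through" last address. Replace with the real table.
ROGUE_RANGES = [
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.127"),
    ("203.0.113.16", "203.0.113.31"),
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def build_networks(ranges):
    """Turn (first, last) pairs into network objects so membership is one lookup."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_rogue(address, networks):
    """True when the whole address lies inside any rogue range.

    This is what the octet-by-octet comparison in the post approximates:
    checking groups of digits one at a time only works when the ranges happen
    to line up with the groups, so compare the complete address instead.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def dns_servers_from_ipconfig(text):
    """Collect DNS server addresses from `ipconfig /all` output.

    The first server sits on the "DNS Servers" line; any further servers follow
    on continuation lines that contain nothing but an address. Only IPv4
    servers are collected, which is all the rogue table covers.
    """
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            servers += re.findall(IPV4, line)
            continue
        if in_dns:
            m = re.fullmatch(r"\s*" + IPV4 + r"\s*", line)
            if m:
                servers.append(m.group(1))
                continue
            in_dns = False
    return servers


def dns_servers_from_resolv_conf(text):
    """Collect 'nameserver' entries from /etc/resolv.conf (comments ignored)."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+" + IPV4, line)
        if m:
            servers.append(m.group(1))
    return servers


def report(servers, networks):
    """Map each configured server to True (rogue) or False (not in the table)."""
    return {s: is_rogue(s, networks) for s in servers}


# Constructed sample outputs; not captured from a real machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       192.168.1.1
"""

SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 203.0.113.20
nameserver 198.51.100.200
"""

if __name__ == "__main__":
    nets = build_networks(ROGUE_RANGES)
    for label, servers in (("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
                           ("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF))):
        for server, rogue in report(servers, nets).items():
            print(f"{label}: {server} -> {'ROGUE' if rogue else 'ok'}")
```

To use it on a real machine, paste the output of ipconfig /all (or the contents of /etc/resolv.conf) in place of the sample text. A server that shows as ROGUE in the router’s DHCP-supplied settings means the router, not just the PC, needs fixing.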

And for Mac users, you’ll want to check the instructions from the FBI’s website link.

If your computer is/was infected, you need to take steps to clean it. The link I provided above for detecting whether you’re infected has links to tools for cleaning your computer. After running these tools and making sure your computer is clean, you most definitely want to change ALL of your passwords. This goes without saying for any malware that’s on your computer (not just this one).

Good luck, and I’ll see you on Monday (hopefully).

Have a great day:)

Cyber Security Tip ST06-002: Debunking Some Common Myths (This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).)

These are some of the common myths that still float around today. The tip was created in 2006. Along with the five myths that Ms. McDowell wrote about, I would add a couple more.

Myth: I only check my email and surf Facebook. I don’t surf porn sites or download music/videos, so I don’t need to protect myself. Truth: It’s not so much where you surf as how well the people/organizations that built the websites protected them from hacking. Facebook, for example, has malware floating around in the form of videos, games, and other applications. Even law enforcement agencies have been hacked, because they didn’t protect against some of the more common attacks.

So, you may be surfing to sites that should be safe, yet they may have malware installed on them without the owners’ knowledge.

Myth: I don’t run Windows, so I don’t need to protect my computer. Truth: Flashback, anyone? It’s not only the operating system that you have to worry about. The latest malware to hit Apple’s Mac OS X arrived through Java. That’s because Apple doesn’t update Java at the same time as Oracle. People running Linux, Windows, Solaris, and other operating systems weren’t affected, for two reasons: 1. it was designed for OS X, and 2. Oracle had already patched the Java flaw months before this attack started. Apple simply sat on the update and didn’t provide it immediately.

The point is, no one is 100% safe from attacks, regardless of what operating system you run. That’s not to say some aren’t a lot less likely to be attacked. Just that it can happen, so you need to take precautions. And the idea of “I won’t use an antivirus because it’s a waste of CPU cycles” is bull. Computers are fast enough now that the CPU cycles used are negligible. And if you’re running applications/games that are that CPU intensive, that’s an issue for the developer of the application/game, NOT the antivirus developer or you.

Have a great day:)

A "Health Certificate" for the Internet? Hmmm…..

A few days ago, a Microsoft employee (in their Trustworthy Computing division) posted a blog entry discussing the need for a “health certificate” to allow computers on the Internet. In order to be considered “healthy”, your computer must have all available updates (I’m assuming security updates here), updated antivirus, an updated firewall, and be virus free.

On the surface it sounds good (and in some other levels also). But, there are some considerations that need to be made.

First, what if your operating system doesn’t have (and isn’t easily susceptible to) viruses? I’m looking at Mac OS, Linux, and other unix variants here. Will there be a provision that states only Windows computers require antivirus software? And if, at some point, the other OS’es find the need for antivirus software, will the provision be put in for them?

Secondly, the idea is that unhealthy computers will be completely blocked from the Internet. So, pray tell, how will they block the computer? Will they do it by MAC address (the “Physical Address” of the network card)? Or will they block it at the modem level? This presents two problems: if the computer has multiple NICs (wired and wireless, for example), it can still get on the Internet for a brief time. Also, how will the user get the updates needed to earn their “health certificate”?

Thirdly, what exactly would the “health certificate” be? Will it be like a Digital Certificate? Will it be like the Windows Activation? How will they prevent people from forging their certificates or stealing others?

Fourth, how will this keep me from screwing up my facebook with those stupid lolzvideo viruses that are floating around? (I don’t click those, but I know a lot of people who do) After all, no antivirus protects you from that. And I would imagine that for the average person, that is the biggest hassle. They don’t realize the other dangers, because they don’t play in the big park. They go to their email and surf facebook and youtube.

The Health Certificate is a good theory. If someone actually decides to implement it, it needs to be an independent party with NO interests in any operating system or security software. Because if you have an interest in a product that the health certificate affects, you’re inherently going to shift the balance in favor of your interests. In other words, Microsoft has a good idea, but they shouldn’t have anything to do with implementing it.

One telling thing about this is that between 1 and 10 million Windows PCs are involved with botnets. The number of Macs, Linux PCs/servers, and other devices that run non-Windows code is closer to zero. That may change if malware authors figure out a way to hack through OS X or Linux. But the point is that right now, it’s more than likely a Microsoft product that is causing the problems.

All of this being said, I think the health certificates are a decent idea. And after skimming through the actual white-paper on the subject, it raises some good points that aren’t being covered in the media.

Personally I think that the “Health Certificates” should contain the following information:

1. All MAC Addresses in the computer (this should be the ONLY identifiable information)
2. Operating System information (Windows/Linux/OS/etc and version including build where appropriate).
3. A check to see if all required security updates are installed properly.
4. If the Operating System requires a firewall and antivirus, whether these are present, turned on, and updated completely.

The “Health Certificate” should be generated on the fly. This will ensure that the most current information is presented. Tools like Belarc Advisor already generate the information that I suggest (and could easily be incorporated into the Health Certificate program).

Let me know what you think of the Health Certificate ideas. Read the white-papers on the Microsoft site, and do a little research into the idea. Let me know what you’d like to see in one (if they’re implemented).

Have a great day:)

US Fails in CyberAttack Simulation

Yesterday, former government officials participated in a cyber-security exercise called Operation CyberShockwave, a test of how well the US Government would handle a cyber-attack. The results? We failed miserably. There’s more work that needs to be done.

The scenario: an application that people downloaded to their smartphones for “March Madness” was actually malware. In “July, 2011” (the simulated event date), the attacker activates the malware and the phones stop working. At some point during this, IEDs are detonated, taking out parts of the power grid on the Eastern Seaboard.

Between Power Grid failures, the Electronic Trading Commission being taken down, and the Internet (and smartphones) being taken down, it’s a mess.  So, how did our “Government” do?  They figured out that the server hosting the malware was in Russia, and possibly that the developer was from Sudan.  That’s about as far as we know.

What does all of this mean? Well, if you’re Amish, not much.  But for the rest of us, it means that our Government (and the Private Sector—that’s YOU AND ME, folks) need to come up with a comprehensive plan for dealing with these attacks.  There needs to be a clear-cut determination for when the attack begins (and the Government should start acting) and when it ends (and they should stop).  And there needs to be a clear-cut determination as to whether the Government needs to step in at all.

Some issues that were raised in the simulation are these: 

  1. We know the malware is being hosted on a server in a foreign country. Can we have that Government shut the server down?  If so, do we have to reciprocate if they’re being attacked by malware on a US server?
  2. Should the Department Of Defense take the lead in combating the attack?  If so, how do they coordinate with the Private Sector (who is obviously taking their own steps to combat it and discover the source)?
  3. Would this be an instance where President Obama’s plan to take control of the cyber networks should be implemented? If so, how long should they maintain control?  Should they work with the Private Sector, or basically push them aside?  Will the Public be notified of this and kept up to speed on what’s going on (or will they be kept in the dark “for their own good.”)?

This is not an issue of whether or not we could actually combat the attack.  It’s my belief that amongst the 300 million people in this country, someone (or some group) would be able to find the source.  They may even be able to shut it down.  The issue is whether the Government would work with the Private Sector (and the public in general) to combat this.  And how would the Government mobilize on their end?

So for the Government, you have some work ahead of you.  One thing to take into consideration is that we have some of the brightest “Hackers” living in our country.  We also have experts in the Private Sector and in the Educational Sector, who could prove extremely valuable in an attack.  One issue that you’ll face is some of these people will not like (nor want) to work with you.  They’re distrustful of you, and would be afraid that after the attack is finished, you’ll turn your “eye” to them.  So, you need to work on that problem as well.

The clock is ticking. And the world is watching (or at least the “online world”). And as much as I hate saying it, the majority of Americans aren’t informed enough to avoid the precursors of such an attack. So, it’s up to you to make sure we’re protected.

Have a great day:)

Too Good to be True—Probably Is

This post came to me because I noticed something interesting in my Junk mail.  A spam mail for Walmart (supposedly, but most likely not) that had “We want YOU: Walmart Workers 75/h Now.”  I don’t think Walmart pays their salaried people (except maybe at the Corporate offices) $75/h.  So, I thought “Why would they send this out, with such an outrageous salary listed?”  Then it occurred to me that someone clicked on it.  The old adage of “If they keep doing it, then obviously someone is falling for it.”

In these hard economic times, it’s easy to fall victim to something like that.  The hope for a payday or windfall tempts everyone.  In fact, just the hope for steady income tempts everyone (myself included).  The problem is the actual companies are not hiring like this (by sending out unsolicited e-mails).  And they definitely are not offering tons of money per hour. 

The point to this post is this.  If it sounds too good to be true (or sounds like it’s way more than you’d expect someone to make at the company) then it probably is.  It’s more than likely a scam.  They definitely will want your personal information, and maybe will want money.  Either way, you’re taking a chance that they aren’t going to steal your identity or rob you/kidnap you/kill you.  So, be careful.

If you are looking for work, check out the Regional Help Wanted site, Monster, CareerBuilder, or Yahoo HotJobs. You can also try looking on Twitter, but the same rule applies. Some of the jobs there are too good to be true.

Have a great day:)

A Few Words about Fake Antivirus and Fake AntiSpyware (aka Rogue AV and Rogue AntiSpyware) Programs

A few minutes ago, I was reading an article about how one of the Rogue Antivirus programs is offering “Live Technical Support” as a way to con-vince people that it’s a legitimate program (the dash is meant to emphasize the fact that they are conning the users).  At one point in the article they mentioned how the Rogue Antivirus programs are still making a dent, because people are getting pop-ups that say your computer is infected (so they download the “fix”).

It boils down to one simple mentality.  If you are NOT (I repeat NOT NOT NOT) on a site that is related to Internet Security, antivirus programs, antispyware programs, or firewalls, then it’s a scam.  If you ARE on one of those sites and the product is not sold/offered by the company who’s site you’re on (or endorsed in the text of the articles or company’s links), then it’s a scam. 

Legitimate companies are not going to resort to placing pop-ups on other websites to promote their product.  They don’t need to.  If they’re legitimate, then chances are you’ll hear about them from magazines, blogs, recommendations from other websites, or word of mouth.  If they’re new to the game, then they will submit their product to sites for review.  They will get the word out—without having to “CON”vince you that you need it.

In short, we need to all get the word out to the average users.  “IF you are not LOOKING for information on Antivirus, Internet Security, Antispyware, or Firewalls; and a pop-up or Instant Message suddenly appears offering you these things, DO NOT ACCEPT THE OFFER!!!!! IT IS A SCAM.”

Please help spread the word.  It’s our responsibility to help the people who aren’t familiar with these scams to avoid being victims of them.

Have a great day:)

Grandma endures wrongful ISP piracy suspension


Luckily for Cathi Paradiso, she was able to prove that the illegal downloading was not her doing. Unfortunately, she fell victim to something that a lot of broadband users are unaware of: other people using their home networks for illegal purposes.

Cathi has a Qwest DSL modem. Either she had wireless devices at one time, or wireless was enabled for some other reason. The wireless network WAS NOT SECURED, and people were using her modem as a gateway. Some of them were downloading movies and television shows. Her DSL was suspended because of this illegal downloading.

The article goes into the argument about whether ISP’s should be the Copyright Cops or not.  I’m going in a different approach—although I do have an opinion on that issue.  I’m looking at what YOU need to do to make sure that you’re not a victim (or make sure that the “Copyright Cops” have no reason to look at you).

If you do not have any wireless computers connected to your network, shut off the wireless on all routers, switches, and modems.  In the settings screen (one of them should be labeled Wireless or something similar), you should have the option to “Enable” or “Disable” wireless access.  Disable it.

If you do have wireless computers, make sure you’re using WPA or WPA2 (preferred) for your wireless security, not WEP, which can be cracked in minutes. When you enable this, you’ll create a passphrase (NOT A PASSWORD) like “My very elderly mother just said Uh No Problem.” (this is a mnemonic for the planets back when Pluto was still counted as one). You want to make it something that people can’t guess easily. So don’t make it your favorite quote, a phrase that you blog about, or (now that it has been published here) this example. Make it something only you, and maybe your immediate family, will remember.

I recommend OpenDNS for your DNS needs. Your ISP will automatically supply you with their DNS servers, but OpenDNS lets you filter (read: block) sites by category, so you can block movie, music, and file-sharing sites. OpenDNS applies your filtering policy to every query that arrives from your public IP address, so someone on your network who points at OpenDNS themselves still gets your policy, not their own. It only works, though, if the person jumping onto your network doesn’t specify a different DNS server; if your router can block outbound DNS (port 53) to anything other than OpenDNS, that closes the gap.

Make sure that your router, modem, and OpenDNS passwords are strong.  It should be a minimum of 8 characters, contain Upper- and lower-case letters, numbers, and/or symbols.  And it should not be something that you blog or talk about (no pet names or anniversaries).  In fact, it needs to be fairly random—not really a word at all.

These tips won’t guarantee that you’ll never fall victim to copyright thieves (or the ISP or entertainment industry), but they will go a long ways towards protecting you.  So, please take the time to learn how to secure and set up your equipment, and make sure you do it.

Have a great day:)

Google Joins the IE-6 Must Die Campaign

ComputerWorld is reporting that starting on March 1, 2010, Google Docs and Google Sites will no longer support Internet Explorer 6.  Considering that IE6 is 9 years old, it’s not surprising.  There have been two versions of Internet Explorer in the past 9 years, alongside offerings from Mozilla, Apple, and even Google themselves.  Corporations have NO excuses for not updating their applications and services to support the later versions of Internet Explorer (or the alternative browsers). 

If you are a web developer, I strongly urge you to drop support for Internet Explorer 6 on your sites. Redirect the visitor to a page that says something to the effect of "The browser that you are currently using is old, outdated, and insecure. Here are some links to the latest browsers which are supported on this site." In fact, I would suggest following Google’s lead and dropping support for Firefox 2.x, Safari 2.x, Chrome 3.x, and earlier browsers as well.

Here are some links for coding the version detection into your websites. The first page is geared mainly toward showing older browsers the page in an optimized format. You can easily modify the code to redirect the user to another page that recommends they upgrade (instead of (ie5up), you could use (! ie7up)). The code on the second site parses the browser’s identification string for the version number. You can modify their example inside the "You are using…" box to create your redirection (if browser < IE7, Firefox 3, or Chrome 4, then redirect here). That script does not detect Safari, due to how Apple formats its browser identification string, but you could probably add it fairly easily: you just need the internal WebKit version number of Safari 4, which is 528.18 or greater. It’s 530.17 on Mac, 530.17 on Windows (4.0.1), but 528.18 on the iPhone, so I would use the lower value, because no Mac or Windows "version" contains that number.

Personally, I prefer the second route to the first one. I may include it in my blog at some point (redirecting people to this post or another page). However, the first page does discuss >= or, in your case, < (use gte for >= and lt for < in your if statements).
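As an added example that is not part of the original post or the pages it links to, here is the same version check done on the server side in Python, so the redirect happens before any page is served: it parses the User-Agent header for Internet Explorer, Firefox, Chrome, and Safari (using Safari’s Version token when present, and otherwise falling back to the 528.18 WebKit build discussed above), and sends anything below the cut-offs suggested here to an upgrade page. The User-Agent strings and the UPGRADE_URL path are constructed for the example. One caveat: the User-Agent is supplied by the client and trivially spoofed or hidden, so this is a courtesy redirect, not a security control.

```python
# Added example (not from the original post or the linked pages): a server-side
# version gate for the "drop old browsers" redirect. The UA strings below are
# constructed samples and UPGRADE_URL is an assumed path.
import re

UPGRADE_URL = "/upgrade-your-browser.html"
# Cut-offs from the post: redirect anything older than these major versions.
MINIMUM_MAJOR = {"ie": 7, "firefox": 3, "chrome": 4, "safari": 4}


def parse_browser(ua):
    """Return (name, major_version) from a User-Agent string, or ("unknown", None).

    Order matters: every Chrome UA also carries a "Safari/" token, and every
    Safari UA carries "AppleWebKit/", so Chrome is tested before Safari.
    """
    m = re.search(r"MSIE (\d+)\.", ua)
    if m:
        return "ie", int(m.group(1))
    m = re.search(r"Firefox/(\d+)\.", ua)
    if m:
        return "firefox", int(m.group(1))
    m = re.search(r"Chrome/(\d+)\.", ua)
    if m:
        return "chrome", int(m.group(1))
    if "Safari/" in ua:
        m = re.search(r"Version/(\d+)\.", ua)  # Safari 3+ states its version here
        if m:
            return "safari", int(m.group(1))
        # No Version token: fall back to the WebKit build, as the post suggests.
        # Safari 4 ships WebKit 528.18 or later (the post's iPhone value).
        m = re.search(r"AppleWebKit/(\d+)\.(\d+)", ua)
        if m:
            build = (int(m.group(1)), int(m.group(2)))
            return "safari", 4 if build >= (528, 18) else 3
    return "unknown", None


def redirect_target(ua, minimums=MINIMUM_MAJOR):
    """URL to redirect to, or None. Unknown browsers are never redirected."""
    name, major = parse_browser(ua)
    if major is None or name not in minimums:
        return None
    return UPGRADE_URL if major < minimums[name] else None


def wsgi_gate(app):
    """WSGI middleware: answer outdated browsers with a 302 to the upgrade page.

    The upgrade page itself is exempt so the redirect cannot loop.
    """
    def wrapped(environ, start_response):
        target = redirect_target(environ.get("HTTP_USER_AGENT", ""))
        if target is not None and environ.get("PATH_INFO") != target:
            start_response("302 Found", [("Location", target)])
            return [b""]
        return app(environ, start_response)
    return wrapped


# Constructed User-Agent strings in the formats these browsers used.
SAMPLE_UAS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20",
    "chrome4": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5",
    "safari4": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
    "safari3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(f"{label:9s} {parse_browser(ua)} -> {redirect_target(ua)}")
```

Wrap any WSGI application with wsgi_gate to apply the check site-wide; browsers the parser does not recognise (search-engine crawlers, command-line tools) are passed through untouched rather than redirected.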

Have a great day, and if you’re using one of these older browsers, then you may want to switch things up.


Microsoft Releases Out of Band Update for Internet Explorer

If you haven’t heard this already, there was an incident where Google and about 20 other companies were hacked last month.  It allegedly is tied into the Chinese Government.  Because of this, a few things have taken place.

Google is threatening to pull their Search engine out of China (at the very least they are threatening to stop censoring search results at the request of the Government) and they threatened to delay the release of their new phone in China.

People were throwing blame around at different companies and different applications for this hack. It turned out that the attack went through Internet Explorer 6.x, using a vulnerability that had not been publicly disclosed (a zero-day).

Microsoft is reported to be releasing an out-of-band update today for this vulnerability.  They also recommend the following steps to mitigate it:

  • If you are running Internet Explorer 6, it’s time to upgrade. 
  • Regardless of whether you are planning on upgrading, you should set your Internet Zone to “High”
  • Internet Explorer 7 and 8 users (on Vista or Windows 7) should enable “Protected Mode”.
  • All users should enable Data Execution Prevention (DEP) on their computers. DEP stops the processor from running code out of memory regions marked as data (non-executable), which is where many exploits place their code.
  • You should be running in non-Administrative accounts (or have UAC enabled) to restrict the rights of an infected user.  This is something that everyone has been preaching since the dawn of Windows XP.

There are people who are trying to tweak this vulnerability to work in Internet Explorer 7 and 8 on Vista and Windows 7.  One of the people claims that DEP won’t mitigate this, if the application doesn’t “opt-in” to it.  I’m not sure if he is referring to Internet Explorer (which you will opt-in by enabling DEP) or the malicious code.  Also I’ve read that some systems (namely netbooks and older CPU’s) do not have “Hardware DEP”, so enabling it doesn’t actually work. ***I can’t verify this***

So, what should you do???

First and foremost, you need to get the updates. This is regardless of whether you use Internet Explorer or not. It’s better safe than sorry, especially since some programs embed Internet Explorer’s rendering engine and use it no matter which browser you’ve set as your default.

This is a good time to try out Firefox with the No-Script addon and also Google Chrome.  I would even suggest Apple Safari, but I haven’t used it very much to know what it’s limitations are.

Some people would say this is the time to remove Windows, and switch to another Operating System (namely Linux) or buy a Macintosh.  While I love Linux, I don’t think that is the best solution in this case (although I would encourage people to try a Live CD out).  And I definitely cannot recommend spending $1,000+ on a new computer—just to get a Macintosh.

The short end of the stick is this.  Update your computer after 10:00 am PST today.  I would recommend an alternative browser.  However, since this potentially affects Outlook, Outlook Express, Windows Mail, Windows Live Mail, and anything else that uses Internet Explorer, you NEED to update the computer.

On a side note, Microsoft is also releasing an advisory about a kernel vulnerability. This one is local: the attacker already needs to be able to run code on your computer, so it can’t be triggered from the Internet on its own. It remains to be seen if they will have a patch for this today or not.

Have a great day:)

Video: Stealing identities on the street is easy | Graham Cluley’s blog

Video: Stealing identities on the street is easy | Graham Cluley’s blog

I saw this on Twitter yesterday, along with a recommendation to retweet it.  I posted it to my facebook also because I have friends on there who have lots of information listed as public.

I was amazed in watching the video, just how many people were willing to give out their personal information.  And it makes me wonder if they asked for Social Security Numbers (or the equivalent in the United Kingdom), would the people have given it too?

Either way, the most important point from the video is near the end—when they ask people “What is Identity Theft?” and most of them realize that the very information they gave out (Full name, Date of Birth, e-mail address) is enough to make them a victim… 

So now I ask you…  How many of you have this information public on your facebook, twitter, or myspace account?

Have a great day:)