Afraid of the wrong thing and how to know

Everyone needs to know about Snopes.com.

A woman I used to work with contacted me via Facebook messenger a few days ago. She was passing along a warning regarding a video containing a virus that formats your phone. The video was called “Dance of the Pope” and the notification included the suggestion to forward “to as many as you can”.

I hadn’t heard of this virus so did some searching right away before sending any warnings. As some of you may know, this is a hoax. Snopes reported it as such a few years ago. And a little more searching turned up .uk websites with articles dated this year that reported the hoax.

I thanked my friend for the warning and let her know that what I had found identified the message as a hoax. I also let her know about using the Snopes website to check for hoaxes and provided her with the link as well as links to some of the .uk articles I had found.

The unfortunate truth is people carry devices they know they depend on; losing one to a hoax, or to real malware, means pain or even economic loss. What too few people know is where to get accurate information about risks and how to respond. Unfortunately, as far as I know, there’s only Snopes. And unfortunately, not enough people know about it.

If you read this, pass it on. Use Snopes to check for hoaxes.

Of course, malware writers are smart, and always devising new ways to infect systems. One day it may be true that “Dance of the Pope” is weaponized so that opening it does cause damage.

When that day comes the usual guidance of don’t open things you aren’t expecting will need to be a mantra everyone follows. And there will be an even greater need to know where and how to get reliable information to protect your digital life.

More phishing…

There’s more than one way to hook a fish.

Let’s say you’ve become comfortable in your ability to recognize phishing email. You’re able to spot the strange “From” address hidden behind the reassuring “Billing Department” or “Customer Service” label that’s been applied. And even if that looks like it might be legit, you know how to hover over links in the email and recognize that a link which claims to come from Amazon should have amazon.com/ as the last part of the web address before that very first single forward slash, “/”.

A business web address should always be https://businessname.com/maybemore or https://www.businessname.com/maybemore or https://businessname.org/maybemore and so on. The critical part of the address that tells you where the link will take you is between the paired // and the very first single /.
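The host check described above, written out as an added example (not from the original post) using the built-in URL parser found in any modern browser or Node; the sample links are constructed and the domains other than amazon.com are placeholders.

```javascript
// Return the host part of a link (what sits between "//" and the first single "/"),
// or null when the link is not a parseable http(s) URL.
function hostOf(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not a well-formed absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null; // mailto:, javascript:, data: and friends never lead to a website
  }
  return url.hostname.toLowerCase(); // user:pass@, :port, path and query are all stripped
}

// True only when the host is the expected domain itself or a subdomain of it.
// "amazon.com.something.example" and "secure-amazon.com" both fail this test.
function linkBelongsTo(href, expectedDomain) {
  const host = hostOf(href);
  if (host === null) return false;
  const domain = expectedDomain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Constructed sample links (not taken from any real message) with the tell in each one.
const SAMPLE_LINKS = [
  "https://www.amazon.com/gp/css/order-history",       // genuine: host ends in amazon.com
  "https://smile.amazon.com:443/ref=nav_logo",         // genuine: a port number changes nothing
  "https://amazon.com.account-verify.example/login",   // look-alike: host is account-verify.example
  "https://amazon.com@account-verify.example/login",   // "amazon.com" here is a username, not the host
  "http://account-verify.example/amazon.com/signin",   // amazon.com after the first "/" is only a path
  "javascript:alert('x')",                             // not a website at all
];

// Produce a verdict per link so a list of hovered links can be reviewed at once.
function triage(links, expectedDomain) {
  return links.map((href) => ({
    href,
    host: hostOf(href),
    ok: linkBelongsTo(href, expectedDomain),
  }));
}

for (const r of triage(SAMPLE_LINKS, "amazon.com")) {
  console.log((r.ok ? "OK      " : "SUSPECT ") + "host=" + (r.host || "(none)") + "  " + r.href);
}
```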

What do you do when everything looks legit? The “From:” doesn’t look strange, the subject isn’t alarming.

The message itself doesn’t try to make you panic. You can see the full email address and it looks legit. There’s no business website listed in the message but the part of the email address after the @ looks legit. And if you put the part after the @ into your web browser it does go to a legit website, in this case “equitybrands.com”.

Stop right now! There’s no contact info provided in the message. No corporate website identified. No contact phone or email provided. And there’s no info what this is about. Did you buy something and there’s a payment issue, forget to return something, detail about a pending refund…? There’s just nothing except a big blue “View File” button.

In case you can’t resist taking a peek at the “Payment doc.excel” file I did it for you.

It isn’t a regular Excel file, because the last part of a regular Excel file name would be .xls or .xlsx. Sorry, but you do need to know that. Ignoring all this, I clicked the “View File” button. It got me to the screen below.

If you haven’t gotten suspicious yet, you should turn and run now.

There’s no identifying information for the company.

Why are you being asked for your email? It came to your email. Why is it asking for that now?

What password do you need to enter? Since your email is asked for it seems like a reasonable password would be your email password. Don’t!! Your email password is to get into YOUR email. Nobody else needs that.

Then there’s a conflicting statement at the bottom of this web page. See just below the “Submit” button? It says “Never submit passwords through Google Forms.” That’s because this phishing message is bringing you to a Google Form to collect your email and password. The criminal can’t prevent Google from showing you that warning on a Google Form but they’re hoping you won’t see it or will ignore it.

In summary, even if everything looks legit, if you’re asked to enter your email and password somewhere and you got there by clicking a link in an email DON’T DO IT!

Email and password are for you to get into your accounts. Don’t give them up at a website you got to by an email link.

Always go to the website your usual way and login. Then check your account to see if anything is needed.

If it isn’t a website you remember having an account at do not, do not, do not provide credentials to login. Call the business and ask what’s up!

Coronavirus and work from home :-/

Communication and planning make a world of difference.

The office I work from is in Manhattan, NYC. Up until yesterday we were going into the office for work. About 5pm an email was sent to all staff that they should begin work from home the next day. Not much other guidance except — work from home.

My primary function is to connect to remote point-of-sale systems and poll their transactions if the routine automated polling from the night before isn’t successful. Depending on the day there are a few handfuls of locations to poll. I’m not currently doing a lot of end user support because there’s another person who has that as their primary role.

The work from home email went out about an hour before we closed for the day. I installed the needed remote host on my work pc so I could get to my internal resources and informed our acting CIO (small shop but the IT department head is referred to as CIO) it had been done. My credential on LogMeIn enables me to download the host associated with our account but, once the host is installed, the CIO or another person needs to add it to the list of hosts before I can actually make a remote connection.

When I let the CIO know what I had done his reply was, “What email?”! He hadn’t even been informed before the work at home email was sent to everyone that it was going to happen. And this for a change that would cause a significant number of people to contact IT and ask how they would be able to continue working. I would have been astounded except that I have now seen too many instances of poor to no internal communication which led to ad hoc responses to many needs and inconsistent implementation of solutions.

I was fortunate to be IT director for a number of years at a business that was very proactive about communication and planning. (The business, sadly, was shut down by the parent and I haven’t succeeded in finding a similar role since.) As director I oversaw and participated in creation of policy and procedure for nearly every significant business operation that IT was part of or could have an impact on. The idea that a course of action would be taken that could require significant response from IT, or any department, to support it without consulting those departments prior to making the announcement would be unthinkable. How else to ensure some degree of readiness?

Who could’ve foreseen coronavirus? Depending on the sources you read, several organizations and people have been advocating for more resources to study potential risk and impact from zoonotic diseases for years. If you haven’t seen it I highly recommend the following article / interview, The Man Who Saw the Pandemic Coming – Issue 83: Intelligence – Nautilus. Even though the specific virus couldn’t have been foreseen, the effects of such an infectious disease and the actions needed to counter it have been foreseen.

After 9/11 many companies did make efforts to be prepared for disaster. Those efforts either never were taken or have been forgotten by my current employer.

I do very much yearn to be part of a forward thinking, proactive organization once again.

Fake news!

Be informed, not misinformed.

Fake news has been a problem since the Internet (before actually, but much easier to recognize then). With the rise of social media it has become a serious problem that is influencing large numbers of people with false and misleading information.

With a presidential election in the offing and intelligence services currently warning about active foreign interference, now would seem a good time to brush up on identifying fake news. Prevent oneself from going off half-cocked on someone or making a choice based on a false story.

I found an NPR article, With An Election On The Horizon, Older Adults Get Help Spotting Fake News, and training about the problem.

And although the article’s title includes the words “Older Adults” the lessons are for everyone. There are many adults who need to be able to recognize and acknowledge fake news. Not only “Older Adults”.

Definitely good resources to be familiar with and to share. Please spread far and wide.

JavaScript and modular pages

An easy example of simplified page maintenance.

I have written about a website I maintain, the Senior Computer Learning Center. It was built from scratch when I knew absolutely nothing about coding webpages, and had no understanding at all of how to use libraries or a CMS to style and customize pages.

One thing I realized right away, even on a simple site, it would be useful to build the navigation menu once and reuse it on each page. Less coding per page and a single place to edit the menu for changes.

With my first ever attempts at coding a simple web page I couldn’t find out how to load external elements into the page if they didn’t have a tag like <img>.

Now I’ve done it, learned how to load a document node from an external file. Understanding the jQuery selector, $(), and how to pass an object to a function solved the problem.

Trying to solve the problem of maintaining the menu in one place and using it on multiple pages I searched and searched but couldn’t find examples that helped. I was trying to add a predefined menu to any <body> I wanted by loading it from a file.

After a lot of reading and trial and error I ended up with an external JavaScript file, custom.js. Currently it contains only one function. It adds DOM elements to the page so the menu is built dynamically when the page is loaded. Same menu on each page and only one place to maintain it. Much better maintainability.

Below is the HTML for the menu, which used to be in each of the seven pages of the SCLC site, embedded in an html() function that adds a node to the document.

// custom.js, loaded by every page after jQuery. target is a jQuery-wrapped
// element; html() replaces its contents with the shared menu markup.
function myMenu(target) {
    target.html('<h2>Winter 2019<br>Spring 2020</h2> \
                   <a href="index.html">Home</a> \
                   <a href="announcements.html">Announcements</a> \
                   <a href="schedule_changes.html">Schedule Changes</a> \
                   <a href="course_desc.html">Course Descriptions</a> \
                   <a href="schedules.html">Schedules</a> \
                   <a href="calendar.html">Calendar</a> \
                   <a href="enrollment.html">Enrollment Information</a>');
}

Now each of the seven pages uses a short <script> to get the menu when loading. Nothing to change when the menu changes.

<nav id="mainMenu">
     <script>myMenu($("nav#mainMenu"));</script>
</nav>

Modify the html() in myMenu() and all pages display the updated menu when refreshed.
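The same one-place menu, as an added example that is not the SCLC site’s own code: the links come from a data array, link text is escaped before it is put into markup, every href is checked to be a plain local page, and the current page is marked. In the post’s setup the call would become target.html(renderMenu(MENU_ITEMS, location.pathname, MENU_HEADING)); the item list below reuses the post’s page names.

```javascript
// Menu data: edit this list and every page picks up the change on its next load.
const MENU_HEADING = ["Winter 2019", "Spring 2020"];
const MENU_ITEMS = [
  { href: "index.html", text: "Home" },
  { href: "announcements.html", text: "Announcements" },
  { href: "schedule_changes.html", text: "Schedule Changes" },
  { href: "course_desc.html", text: "Course Descriptions" },
  { href: "schedules.html", text: "Schedules" },
  { href: "calendar.html", text: "Calendar" },
  { href: "enrollment.html", text: "Enrollment Information" },
];

// Escape the five characters that matter inside HTML text and attribute values,
// so a menu label can never turn into markup or script.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only a bare local page name such as "schedules.html"; anything with a
// scheme, a "//", a ".." or a query string is refused rather than rendered.
function isSafePageHref(href) {
  return /^[A-Za-z0-9_-]+\.html$/.test(href);
}

// Build the menu markup. currentPath is the browser's location.pathname; the
// matching link gets aria-current="page" so it can be styled as active.
function renderMenu(items, currentPath, heading) {
  const current = (currentPath || "").split("/").pop() || "index.html";
  const parts = ["<h2>" + heading.map(escapeHtml).join("<br>") + "</h2>"];
  for (const item of items) {
    if (!isSafePageHref(item.href)) {
      throw new Error("menu item rejected, not a local page: " + item.href);
    }
    const mark = item.href === current ? ' aria-current="page"' : "";
    parts.push('<a href="' + escapeHtml(item.href) + '"' + mark + ">" + escapeHtml(item.text) + "</a>");
  }
  return parts.join("\n");
}

console.log(renderMenu(MENU_ITEMS, "/schedules.html", MENU_HEADING));
```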

Plenty more to do to the SCLC site to make it more maintainable and more useful for end users. Using a common routine on multiple pages is just one of the first steps.

Chasing my tail and finding something new to learn

Experience and keeping notes help limit chasing your tail.

In my last post, Help people get the job done, I wrote about disappointment with how a change was made in the end user’s environment at my office. The change required they do something different to accommodate a purely technical change in systems. Once connected their work was no different than it had been.

That we didn’t build in the logic to connect them to the new resource and make it transparent for the user seemed to me like a failure on our part. IT should use its skills to simplify the user experience so people can focus on the work they do: make the computers work for people rather than the other way around.

I made some changes to personal websites to demonstrate redirection could be used to point at the correct work websites. It was meant to illustrate the analog idea that one work website could be pointed at the other. Going to my websites, train.boba.org and sclc.boba.org, immediately sent a browser to the intended work website. Success!

After demonstrating the capability I disabled it so my URLs go to their originally intended websites.

So where’s chasing my tail come in?

While experimenting with the redirect I modified the boba.org configuration. For a while it wasn’t possible to get to that site at all. Then, depending on the URL, the browser got to it or to andrewboba.com. Putting boba.org in the browser’s address bar ended up at andrewboba.com, but not correctly displayed. Putting http://boba.org went to the correct site but didn’t rewrite the link as secure, https://.

To stop being distracted by that issue and continue testing the redirect I disabled the boba.org website.

Worked more with the redirect over a few days. Got to the point I felt I understood it well and tried boba.org again.

It wouldn’t come up no matter what I tried. Everything went to a proper display of andrewboba.com.

I increased the logging level. I created a log specifically for boba.org (it didn’t show up which was my first clue). Not seeing the log I went through other site configurations to see how their custom logs were set up. They appeared to be the same.

Finally I decided to try boba.org without a secure connection. I wasn’t sure of the name of the .conf file for secure connections and decided to look in Apache’s ../sites-enabled directory to see if there were separate .conf files for https connections.

And guess what I found? There are separate .confs for https, yes. There were no .confs of any kind for boba.org! Then it hit me. There had been no log files for boba.org because there were no ../sites-enabled .conf files for boba.org.

And then I finally remembered I had disabled the site myself to focus on the redirect. Chasing my tail because I’m very new at Apache webserver administration. I disabled a feature to focus on making something happen then forgot the change I made when I resolved the first challenge.

Better notes, and more experience, would have helped me remember sooner.

And I also found something new to learn. While boba.org was disabled, andrewboba.com was being displayed. I would prefer “not found” or something similar to show up rather than a different website on the server.

New challenge. Figure out how to serve a desired site/page not available message when a site on this server is down.

One of the reasons I like information technology. Always something new to learn at every turn.

Help people get the job done

IT’s job is supposed to be making things easier for users.

Users have been using a single URL for access to all their web applications and now the backend for just one is moved to another server to avoid end of life? If you’re where I am now users are sent a new URL and told to use it if that application is needed.

It is accessed via Citrix, and I don’t understand Citrix architecture well, I have to say. However, the users of this app apparently don’t use any other app via Citrix.

In the meeting about the change I wondered out loud whether users could just be redirected? No need to learn a new URL, no need to know when or if to use it. Just send the apps’ users to the new URL when they attempt to use the app.

The response was, “no, can’t do that”, “don’t have wild card certificates”, “can’t install existing certificates on other servers”, “can’t change DNS”, “can’t send people from the old site to the new site”, and so on…

My reasoning was to simplify the user experience. Why make people learn something new if there’s a way to get them to the new webapp without learning a new URL? As a technologist I feel VERY strongly my job and the job of others like me is to enable people to do their work and not force them to understand or learn technology that is not relevant to that.

Back to the objections. A DNS name can have its network address updated periodically. This very website has a dynamic address and can still be found by name even after an address change. The server is running a job to monitor the public address and update DNS when it changes. Automatic. Hands off.

No certificate changes required. If siteA and siteB are continuing to operate as siteA and siteB and each has their own valid certificate then no change in certificate needed. When someone browses to the site the browser requests a secure connection. The trustworthiness of the connection is determined by information the site provides and certificate authorities the browser trusts. No need to move certificates anywhere. Even if there were that can be done without renewing certificates.

Sending people from one site to another, in its simplest (as far as I know) form, only requires a Redirect. For websiteA and websiteB, if visitors to websiteA should actually be going to websiteB, tell websiteA’s webserver to redirect browsers to websiteB. When somebody browses to websiteA the webserver sends a message back to the user’s web browser which says you need to ask for websiteB instead. Then the browser does just that and ends up at websiteB even if it’s on a different server in a different country.

I actually set up Redirect on this server to test my understanding and be certain it would work the way I thought. It did. Visiting one of my webhosts on this server automatically directed me to workAppA and visiting another webhost went automatically to workAppB.

In doing the reading to get Redirect set up I learned it could be as granular as by user or program on an Apache server. I suppose it’s possible Citrix doesn’t have a way to support that. But I don’t believe it. I know Citrix apps can be secured by login so userA and userB don’t see all the same apps. I’ve written PowerShell to report what security groups are associated with which published apps on a Citrix server.

In this case telling end users YOU HAVE TO LEARN SOMETHING NEW to keep doing your job the same way strikes me as IT not doing its job!

Phishing, some examples

A guide to spotting email that is meant to deceive you.

Recently I received a number of phishing emails and shared some with family and friends so they could see examples and hopefully avoid any they might get.

After doing that I decided it would be good to share here too. And I went a bit further and made some (admittedly crude) videos to spotlight some of the indicators that an email is phishing.

The videos are posted on YouTube and I’ve embedded them here.

These were my first attempts at creating videos with effects and titles. Please try not to be critical of the production quality and instead focus on the information provided. You’ll find it useful if you do.

For those of you who might look and say, “They’re too tiny. I can’t see anything.”, after starting the video click in the lower right hand corner of the video window. It will enlarge the video.

This one was meant to get the victim to open an attachment. I may make a post and video of what happens if the attachment is opened. For the time being know that the video has tips to help identify it as phishing so we know better than to try to open the attachment.

This one claims there’s a problem with your Apple ID and has links that connect with a counterfeit Apple website. If you were to click the links and complete the forms you’d be giving away your Apple ID login information. Again there are titles and effects to help identify the tells that make it apparent this isn’t from Apple.

Technical support

Technical support. Not quite “Vanilla Sky” level stuff but still thought provoking.

I provide some limited technical support on Apache OpenOffice and LibreOffice forums.

Why not Microsoft Office? Because that’s what I do at work. At home I use, and have used for many years, LibreOffice and OpenOffice. Why? Because they save me money, the support forums are generally more congenial and providing support lets me give back a bit for the value I get.

One of the things I really enjoy about providing support is seeing all the ways people are using software to do things they need to do. Things I would never have conceived of. It is a real eye opener to get a handle on someone else’s requirement. And then very gratifying to help someone meet their need.

One of the recent support requests was for a bowling league score sheet kept in Apache OpenOffice. The requestor wished to have the latest match value always be shown in a particular cell. The league has 32 weeks in its season and for each week the bowler’s score is entered for each of three games. The game total and average are calculated and displayed for each week.

The latest week’s match value always needs to show in a particular cell. The method being used was to update the cell manually each time a new week’s scores were entered.

I came up with a solution, posted it. Then, as I often do, rethought the whole idea. What I realized was the way I designed the solution it would always show the value for the 36th week, the last week of the season, rather than the most recently entered week! Not good.

After some deeper inspection I recognized this happened because the formula to show the score for the latest week actually just checked to see if there was anything in the referenced cell. And it counted a formula in the cell as something, even if the formula displayed nothing.

This needed to be fixed! I couldn’t provide a solution that didn’t work.

After some thinking I realized a formula to show the latest value needed to recognize whether the formula on each row displaying the value was showing a numeric value, a blank “”, or a label “DNB”. DNB, Did Not Bowl, was a label indicating the bowler hadn’t bowled that week.

Again, the season is 36 weeks. Scores are entered week by week. This meant the rows showing score and average were always followed by rows showing nothing. Even though cells in the rows contained formulas, the formula result was “” for each week after the latest one entered.

My original formula was detecting a formula in a cell as something. I needed to come up with a formula that could identify the row before the first row with formula result “”. Finally an idea struck. I could use a function that counted the rows where the formula result is “”. A blank. These are always the weeks of the season that are not yet played. The season is 36 weeks. Subtract the number of blank rows from 36 and that’s the last row with a score. Problem solved!

That formula is…

=INDEX($Sheet1.G6:G41,36-COUNTBLANK($G$6:$G$41),1)

With that part of the problem solved I saw that some formulas I hadn’t touched were returning #VALUE! errors. These were formulas that calculated total pins week by week. These errors were happening because of changes I’d made to the formulas to sum the pins for each week and to produce the pin average for each week.

My fixes created the problem so I was determined to resolve it.

I created what I call a “dynamic formula”. A formula that changes based on where it is in the sheet or what it reads from a value elsewhere in the sheet. It didn’t work. It has been some time since I created such a formula in OpenOffice or LibreOffice.

There’s quite a bit of compatible functionality between Microsoft Office, LibreOffice and OpenOffice. For the most part spreadsheets created in one work in the other without modification. For the most part.

As it turned out, I was creating the “dynamic formula” as if writing it in Excel. Dynamic formulas are one of the things that are a bit different between the Microsoft and OpenOffice/LibreOffice spreadsheets. Once I recognized that, I was on the way to developing a solution.

The below dynamic formula, “the solution”, totals values in a column beginning at a specific row and continuing to the row the formula is in.

=IF(ISNUMBER(I6),DSUM($G$5:INDIRECT(CONCATENATE("$G",ROW())),1,$BB$5:$BB$6),"")

The formula needs to calculate a sum from a fixed starting row to whatever row the formula happens to be in. And in the case of the bowling league it needs to do that for thirty-six rows. If the formula couldn’t tell which row it was in and sum from the first row to the formula’s row then thirty-six different formulas would need to be entered. One for each row.

Entering the same formula in thirty-six rows is much easier in my opinion. And easier to maintain and easier to modify.

By tackling this person’s question I:

  • Helped solve a problem
  • Familiarized (again) with the difference between Calc and Excel dynamic formulas
  • Learned about a process, a “functional requirement”, I wasn’t familiar with and provided a way to support it

For me, this was a win all around. What could be better than the warm glow of finding the solution to a previously unknown use case?

Certified Information Systems Security Professional, CISSP

Security. Human factors are always important.

I hold a CISSP certification. Information security is something I’ve found intriguing since I first started my technology career. One of the first user trainings I developed was around the time of the “I love you” malware that struck via a deceptive email attachment. And to this day email continues to be a vector for compromising systems. Or actually I should say, email account holders continue to be a vector for attacking systems.

My office at the time of “I love you” wasn’t struck by it but we would have been except for our mail system. Everyone in the business, about 160 people at the time, had gotten the system security training. And a special alert had gone out after the training warning of “I love you”. By and large the people in the company were well educated professionals with uncommonly high expectations around privacy and confidentiality. Our work was providing counseling and permanency for youth and families involved with various states’ child and family services departments.

What I mean to say is the staff of the organization all understood and practiced privacy and confidentiality and so were an interested and engaged audience for the security training.

With the above as background, this is the story of “I love you” in my office.

One day the Executive Director’s Administrative Assistant called me and said, “Alan, I think I’ve done something I shouldn’t have.” She explained she had gotten an email from the building’s manager with an “I love you” attachment. The man was someone she dealt with often and was on good terms with. She was married and was a bit upset by getting an email with such a bold attachment. She was also intrigued wondering why he would send it to her and what message might be inside.

She didn’t delete the email immediately but kept it and wondered what message it might contain. Finally she opened the email and attempted to open the attachment. Nothing happened.

Our mail system was Lotus Notes client and server. The malware relied on Visual Basic Scripting in Microsoft Outlook and so was unable to propagate in our environment.

This is a case where a knowledgeable person with a commitment to privacy and confidentiality and who had gotten security training as well as read the follow up warnings about “I love you” nearly caused a security incident because of curiosity! The only reason there was no incident was because of a technical feature of our environment.

She realized something was wrong when there was no message to see. And then she relied on her training, called me, and confessed to maybe doing something wrong.

This is a lesson that’s stayed with me. You can have good people and good training but good technical measures are still needed to back them up. People will occasionally do things they suspect might not be in their best interest because of some other overriding impulse, like curiosity.

And this brings me to something else, earning CPE (Continuing Professional Education) credits to keep my CISSP current. I generally enjoy the briefings and learn many interesting things while earning CPEs. However I do struggle sometimes because it is difficult at times to find CPE courses that are not too strongly vendor centric. My preference is for training that is less about the knobs and switches of a particular technology and more about the ideas behind threats and countermeasures.

I was really pleased to get a mailing from (ISC)2 the other day. It introduced courses, free for members, that provide training and CPEs. Much of the training looks to be very relevant to my interests and I’m very excited to get started!

Courses like:

  • Techniques for Malware Analysis
  • Web Application Penetration Testing
  • Gaining Support for Your Security Program
  • Introduction to NIST Cybersecurity Framework

…and others are all about topics that I expect to be quite enjoyable.

I also will be producing another post with some examples of phishing attacks I’ve received. Some that were quite good and nearly motivated me to reveal credentials.