Showing posts with label internet. Show all posts

Wednesday, August 21, 2013

security state

what with all the stuff in the news lately about the State spying on the internet in all sorts of deeper-than-expected ways, i thought this was interesting:

my institute was recently eaten by Mass Eye and Ear Infirmary, MEEI, a hospital. rather than fully digest us, MEEI dissolved parts of our organization and replaced with their own, so really it's more like the ant that is infected by a fluke that effectively replaces or overrides parts of her brain, or the caterpillar whose internal processes are slowly displaced by wasp larvae. i think the ant example is better.

anyways, as a part of this absorption, our computer network was transferred to the control of the MEEI network, and they are insane about security. it's as though we're at los alamos. everything is supposedly super secure. patient privacy, etc etc. as a part of this transfer of authority, every computer in the institute was infected intentionally with a suite of spyware that allows the MEEI IT people to control or observe all of our data flow. in theory. our internet is filtered, our emails are filtered (unless we take simple steps to avoid the filtering), all access to local computers is supposedly filtered. it's irritating in the all-encompassing authority they take on, at the same time that it's ridiculous how easy and convenient and necessary it is to get around everything they try to do.

one set of spyware is called "DeviceLock". you can always see it running in the background, under processes named DLservice.exe, DLtray.exe, etc. this is a program for, supposedly, ensuring that external storage devices must be encoded or they can't be used with institute systems. but i've discovered additional functions, which are mentioned in that link. there's a process running in the background, "DLSkypePlugin.exe". what does it do? who knows! let's ask DeviceLock:

""Skype" control supports blocking, allowing, auditing, shadowing and content analysis of outgoing instant messages and files as well as auditing, alerting, shadowing and content analysis (for contingent shadowing) for incoming instant messages and files. Also, supports blocking, allowing, alerting and auditing of incoming and outgoing audio/video calls;"

where does a hospital IT department get the authority to do something like this? can someone explain to me, please?

on a final note, while most of the IT spyware can't easily be disabled - i, the virtual owner of this computer, don't have the "authority" - the DL programs can be terminated without any special privileges. an oversight, i'm sure.

Wednesday, March 20, 2013

update march '13

nothing in particular to write about here, just an update on current events:

work
1. blur adapt paper is back in review; i want this one to be over.
2. classification spectrum paper nearing completion; i really like this one.
other work in progress (paper with SM et al, they seem receptive to my suggestions).
3. still need to discuss new experiment with CPT, putting that off; boss suggests writing up a paper on it to figure out which data needs replication the most.
4. started low-level talks with potential collaborators on the migraine-mapping stuff.
5. haven't applied for new jobs yet, NECO seems unlikely to respond.

other
6. reading a new book, "history of tennessee" by James Phelan, written in the 1880's (it's not tacitus, but it's free). he has a habit, sometimes interesting sometimes irritating, of making close analogies between seemingly asymmetric historical events, usually tennessee vs. england, and is fixated on 'anglo saxons'. interesting going at any rate--
7. on piano, mainly trying to master chopin's "minute waltz" over the past few weeks, if i can play it straight through in 2.5 minutes i'll be happy; also on music, greatly enjoying a 2 year old album of french electropop; the songs 'civilization' and 'ohio' are great background when you're daydreaming about the colonization of america.
8. this paper on a rogue study using a research botnet to scan pretty much the entire internet is one of the most interesting things i've seen in a while. there's an awesome .gif figure in there, basically showing the earth's rotation in the average number of pingable public IP addresses plotted across the globe.
9. way too much time wasted on reddit, which i only just discovered lucky for me, and playing MH2.
10. i have a horrible, horrible urge to write a longer historical narrative centered around the life of Gideon Morgan. trying my best to resist...

Thursday, July 26, 2012

cloud

Hey! Internet post!

I still do not have a "smart phone" (the quotes there represent my fingers doing the quote gesture as I say "smart phone"). So, you might think that I am behind on the internet times.

But no! If you think this you are wrong. I use three computers (home, office, and lab), and they are all linked together. They share a Dropbox, which has basically replaced FTP in my daily file-shuffling. From what I hear, once MEEI has finished eating SERI, they're going to do away with our FTP server anyways, so that's fine. My computers also are all equipped with Logmein, so I can use any of them from anywhere, so long as they remain connected. Effectively, all three computers can be used as one.

Those are both pretty basic, though. The thing I'm excited about is SVN: version control. D* just taught me about this last week, and I'm already using it to manage my manuscripts. You create a repository to store files for a project, and it contains all versions of the project over time, as you make changes. It is amazing.

Sophisticated users, e.g. software developers, will give SVN its own server so it can be accessed from multiple locations by different users. What I'm doing is leaving the repositories on Dropbox; so, wherever I am, so long as the files are synchronized (i.e. as long as the internet is working between the two relevant computers), I can always get to the current version of my files. This is great. I don't have to worry about whether I'm moving the right ones, or which were the most recent versions (on which computer) after a long pause in a project - the most recent versions are all contained in the central Dropbox location, and I don't have to think about it. I'm sure there's a pitfall there.

The Dropbox is backed up on the lab and office computers, but I haven't set up a backup on my laptop yet. Need to do that. Anyways, I feel this is a great advance in organization. We'll see what my files look like after a few years of this. Next big modeling project should definitely take advantage of this system!

Thursday, June 07, 2012

zimbra

internet post!

So, earlier today, I got an email from the "Security Operations Lead" at NASA Ames, saying that a whole batch of people's passwords and account names had been accessed. I had an account there for a meeting I went to earlier this month; coincidentally, immediately after attending that meeting, I noticed that one of my peripheral email accounts had been accessed, and at the time I blamed it on the hotel.

Just now, I get an email from something called Zimbra, informing me that:
You requested your Email Account  on June 7, 2012 at 11:02 PM CS to be deactivated and deleted from a location in with this IP number; 201.130.47.33.
2. Click on  (https://secure.zimbra.com/verifyf?intl=us&.partner= cancelrequest) to cancel this request; else your email account will be deactivated and deleted within 24 hours
The sender's address was "bankofcard@yahoo.com". Yeah. Zimbra is apparently some sort of open source email server software for Linux machines. So this doesn't have anything to do with Zimbra.

The IP address leads to a machine in Mexico, with the URL niie2e.nextel.com.mx. This machine seems to have all ports open, i.e. it's either a totally open proxy server, or some sort of disguise for something else.

That URL to 'secure.zimbra.com' was actually an alias in the email (no I did not click on it, I am not stupid), for "http://www.contactme.com/4fcf723e2e22a2000103d1b6". From their website I can't tell what the hell contactme is, but it looks like their site was probably co-opted. I wonder what's there...

Anyways, the relationship to the NASA thing is just coincidental timing, but makes me a bit paranoid.

*edit 6-19-12*
Got called down to the network office this morning to change my password; apparently the NASA thing had gotten distributed to everyone whose ids were leaked. The admin forwarded to me the info he'd gotten through the Harvard IT director, and based on that I found this:


http://pastebin.com/nSJ9Nn9Z

who knows how long that link will stay alive. anyways, it's a list of the email addresses, but no passwords, for everyone that attended that workshop.

the header on the document:

[HACKED] NASA.GOV - AMES RESEARCH CENTER - By ZYKLON B
 ...
Join me on twitter : https://twitter.com/#!/bzyklon

Author : ZYKLON B
Target : NASA Ames Research Center - Ocular Imaging Laboratory (ace.arc.nasa.gov)
Reason : Curiosity, Challenge.

IS THE TARGET COMPROMISED ? YES.
Note : NASA Glenn research center already hacked 5-6 weeks ago.

anyways, that's interesting. you look down the document, and there we all are! yeah, hackers have twitter accounts!

Wednesday, December 07, 2011

MIT VPN

Just when I've lost interest in the internet, I get the following random email on my Gmail account (found it in the Junk folder):

Dear Outlook client, Notification ID: KG932J
==========================================
- Please reconfigure your Microsoft Outlook information again .
- Click on the link below to setup .
http://outlook-mail-setup.gert54d.from-ks.com/index.php?id=KG932J
==========================================
Microsoft Outlook 2012 .

Obviously this is a phishing thing. What's interesting is that the url refers to an IP address at MIT. The address is no longer active as far as I can tell, but it seems to have belonged to the MIT VPN network, because other addresses on the same /24 block are attached to vpn-ip.mit.edu urls.

So, my guess is that someone set up a site on the MIT VPN to direct their phishing business. That's all I've got.

Oh, coincidentally, just yesterday I was reading about VPNs, wondering about a convenient way to get past the China firewall from the inside. Seeing that MIT has a VPN makes me wonder if Harvard has one, and if I can use it...

Thursday, September 01, 2011

1k/mo

Got over 1000 page views for the month of august, basically because last week was HUGE for my classic comedic dialogues and self-indulgent essays. No no no, really, it was MS-WBT server. Observe:
Yeah, I don't know what's going on. Whatever it is that causes people to google "MS-WBT server", and wind up here for a few seconds, got a little worse last week - visits increased by something like 30%. Google is weird, the internet is weird, MS-WBT server is weird.

Going to Nashville tonight!

Thursday, April 14, 2011

lorica-in

Here's a mystery which I don't have time now to investigate, but I want to remember it for later.

Matlab has a constant open connection with.. itself.. through ports 4079 and 4080. All I can find is that 4080 is associated with something called "lorica", and 4079 with "SANtools". SANtools is some sort of general utility for disc access, network storage.. I don't know what. It's familiar, I've encountered SANtools somewhere before, but can't remember. I have no idea what "lorica" could be.

Later.

Tuesday, March 29, 2011

TeliaSonera

For the first time in a while, saw an outgoing packet that I didn't recognize.

It was a TCP packet sent to 213.155.157.32. This seems to be part of the telia.net domain, though this address doesn't actually have a domain name. Telia is a Swedish ISP that extends throughout Europe. Hostsearch says the address is maintained by Akamai, which is based here in Cambridge MA, but that it's located in London - so this is an Akamai International host, accessed through the Telia network. The packet was sent by one of those generic svchost.exe processes, and I didn't notice it in time to see if netstat could have told me anything else.

The host has open http ports - my packet was sent to port 80, so maybe it was an attempt at opening an http session. Maybe some Microsoft component was checking for an update - I've noticed before that Microsoft updates are often hosted on Akamai servers - but it's weird that it tried with a single packet and gave up. Other option (more likely maybe) is that it was a long delayed "close connection" packet, from a website I had opened much earlier - the web browser had been closed for a while, though I don't remember how long it had been.

The packet was sent from port 22095. This doesn't appear to be associated with anything interesting...

Oh well, this was pretty boring.

Wednesday, October 13, 2010

Audio

Ok, here's something slightly interesting. It has to do with Skype - the only traffic I can see here that isn't building business, or something I'm doing (webpages, ftp, updates, etc.) is Skype, so I guess that's what I live with until I go figure out something new.

Anyways, I've mentioned before about how my Skype account seems to use port 34268 to advertise its existence - UDP packets go in and out through that port, and sometimes a link gets established with one of the associated addresses, and a conversation starts - i.e. my computer gets used as a relay in the Skype network. Sometimes I see the UDP packets go out, looking for another node, and nothing comes back - they go out a few more times, and give up.

So, what I noticed is that tonight, my computer is sending RTP packets, which I haven't seen before, rather than UDP packets. RTP is apparently used for transferring video and audio, especially with VOIP applications. So, Skype is looking for someone accepting video/audio streams, trying to establish an RTP network? I have no idea.

Each of those RTP messages was reciprocated with a UDP response, by the way. Nothing else followed, however - there's a single conversation going on through Skype, leisurely exchanging TCP packets every few dozen seconds, so I would assume this is a text conversation - but it's a one-sided conversation, since my computer is communicating only with one other address! If I were relaying a conversation, I should see connections with two other hosts, not one. Maybe some sort of routing table content is being transferred, updated, etc., very slowly?

That's all I've got.

Sunday, October 03, 2010

Private networks are boring

Just as the title says. Since moving into this new apartment, I've been viewing the internet only from within private networks, at home or in the lab. It's very boring. Here, as there, I see absolutely nothing but the browsing traffic and attendance updates between the hosts and the server. Nothing from outside, ever.

I haven't done anything, learned anything internet-wise, since moving here. This is the reason.

Before, when I had that public Comcast address, it was like living on the street, and all the random scans and searches that passed by every other minute were like other street people, bumping around and looking for somebody to take advantage of, or just exploring as I was doing, scanning this or that node, looking for something interesting.

The private network is like living in... an apartment building, or a suburban neighborhood, where all you ever see are your neighbors, and all they're ever doing is routine, everyday, necessary things, which aren't interesting at all except in that they're being done and that they're done every day, routinely - routine has a quality all its own, but it's not much fun to watch.

I need to figure out how to watch traffic from other hosts. It's time to expand my abilities.

Sunday, May 16, 2010

China 222 part 3

not much going on - watched a couple of scans, but haven't studied much. saw the same 222.45.112.59 scan, on ports 8085, 9415, 3246, 9090, and 8090. it probably spins around every few hours, from what others have said on ipillion.com. got a single hit from 222.169.118.106, another chinese location, on a single port. this one actually had a domain name: 106.118.169.222.broad.bc.jl.dynamic.163data.com.cn.

read a bit about routing a few days ago, and got a bit of a sense for it, but not really - but then, Jason gave me a great piece of information that I hadn't gleaned yet from my browsing: routers and other computers broadcast their addresses and routing information across the networks. this is how routing tables get their information. i'm still not totally clear on it, but i'll figure it out.

Jason also suggested i get around to learning how to use linux, and install at least a virtual version of it to use, since that's what real internet people do. i may do that, if only for the fun of it.

but anyways, nothing much learned lately. slow week.

Wednesday, May 12, 2010

China 222 part 2

And, got scanned again by 222.45.112.59, on ports 8085, 2479, and 8090.

DNS server

ok, just got home, thought i'd look at the monitor.

nothing much going on, except i see two reciprocated queries to an address i recognize as something that comes up often as a comcast address - both packets were DNS packets, which as i take it are a type of UDP packet, or maybe not. anyways, i guessed that the address must be a DNS server. since i usually am not using the web browser when i look at the monitor, i wouldn't have noticed this before.

so, i google it and sure enough, 68.87.71.230 is the primary comcast DNS server for massachusetts.

now, one of the queries was for the institute FTP server, which i used to get a file. the other was for tools.google.com, which i do not like, because i did not know google was running something in the background on my computer. the address was then contacted and some packets were traded, a couple were HTTP messages saying "update". i'm going to find out what it is, and kill it. (could be Chrome which i have installed but don't use. i don't have any google plugins or anything for firefox. Chrome must go.)

Sunday, May 09, 2010

not much 2

ok, this is interesting. another packet from ircu.krypt.com. the host at that address has just about all of its ports open. i haven't seen that before. is this some sort of lure?

*edit*
not a lure - i think it's an open proxy. all those open ports are so that other hosts can use it as a proxy for whatever service they want. i can't find any resource that actually confirms this (and i think that having all ports open doesn't necessarily mean it's an open proxy), but i think that's what it is.

always something new to learn...

not much

just observed a sweep from IP 66.186.59.50, "ircu.krypt.com", looking into port 1137. a bit of news suggests this is a vulnerability search. the signal is coming from an IRC line, port 6667. they must be looking at IRC logs and sweeping those addresses, since i've actually been on IRC in the last couple of weeks (and last night).

another thing, i also saw (for the first time) some nonreciprocated requests for port 34268 while skype was turned off. looking for a relay? i scanned the source and it doesn't actually seem to be a skype host, though maybe i waited too long, after they had turned it off. instead, they actually had unfiltered, closed ports 5800/5900, which are used for remote desktop viewing. also, no clue as to the OS, so i don't know what it actually is. another user? something else? it's another comcast host, presumably another user, but who knows?

i'll check it out again later.

Saturday, May 01, 2010

local network

i mentioned earlier that i had tried the traceroute scan on the institute's local network. i had, but it was so dense that trying to look at the graph caused nmap to die. i did it again today, but carefully collapsed the densest nodes, so i could see the 'backbone' of the network. what i saw was interesting, and implies that my thinking was kind of mistaken.

i had been thinking that i would be looking at the institute network - that the institute must have set up a local 192.168 network within the Harvard system, and that by scanning that prefix (up to 192.168.36.255, which was where addresses seemed to stop existing) i would get back a picture of the institute network. instead, i saw that the scan went out into the Harvard 128.103 network, then back into the local network. I think this may have been scanning into systems outside of the Institute, and except for the hosts themselves (on the other side of the Harvard nodes) i got back no IP info, so couldn't see the structure. what i could see was that hosts with names on my side of the Harvard nodes all were associated explicitly with the institute (having the institute initials in the hostname), while those on the other side did not.

but, from institute out, i could see that there's a single way out of the institute network, connecting to two nodes both named something like 'core' (i don't have the scan here at home to look at). one of these led into many, many other private network hosts along those blind pathways, and so did the other, along with leading to the node that exits the system into NOX, or level3, or wherever the localhost is pointing.

so, point is, a traceroute to another address with the same prefix as the localhost may not traverse only other hosts with the same prefix. i had assumed that the 192.168 network was somehow self contained, that any hosts i saw within it must be linked through other 192.168 hosts. apparently this isn't necessarily how it works. i have more to learn.

(actually, i had noticed this last week, in scanning my comcast prefix - i found other systems separated from me by large interchanges with different prefixes (but prefixes common to other interchanges), but themselves having the same prefix as mine. i didn't understand it at the time, but forgot about it. this bugged me more, probably because of the 'private network' label attached to 192.168.)

Wednesday, April 28, 2010

traceroute scanning

something that's lots of fun to do is to scan a network with a traceroute command. what you get back is a (relatively) complete picture of the network connecting all the hosts with the specified prefix. depending on where you point it, it can be very, very big.

like i mentioned earlier, i know which node it is that stands between me and several routers that connect to different parts of the Boston internet. one of those routers goes to NOX, and another one to other residential (i think) comcast accounts. if i point the traceroute scan at a comcast node that's relatively nearby, and that contains the same IP prefix as mine (20 bits is reasonable and doesn't give back 65 thousand possible hosts), i get back a nice, complex picture of a network extending from here and across Boston, and across MA to CT, VT, and the MA-NY border.

i tried the same thing on the private 192.168 network at the institute, and got back something similar, and actually much denser (which makes sense, all hosts within the network have the same prefix, so i could get them all in one big shot, but the comcast network was relatively sparser, and seemed to have same-prefix hosts separated by nodes with different prefixes, which i don't understand...). since it's a single institution, it's organized differently - there are nodes for different users, but mainly the network divisions are more functional, with databases in one place, outgoing servers in another, administrative here, labs there. the comcast network looked much more regional, with a Hartford node, others (i get all these new englandy names confused, they all sound like Westly or Chestford or something like that).

ok, need to step back now and get more acquainted with the specifics rather than just playing with these toys...

Tuesday, April 27, 2010

network scanning

okay, so i know how to use CIDR notation now. knowing this, i can get a network scan to work; you specify a prefix, and look for hosts on that network. last night i did this for a while on a couple of targets (jingping's insightbb network, and an AOL network around Cincinnati that i found through another connected skype user), and found that i could recognize a computer using skype by the ports it had open - all hosts i had looked at which i knew were running skype had open TCP ports on 80 and 443. so, when i saw a couple of hosts with those open ports, i guessed it must be skype, and confirmed it with more intensive, specific scans.
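As an added example (not the blog's own code, and nothing to do with nmap itself), the Python below uses the standard-library ipaddress module to show exactly what a prefix length covers, and then checks a list of traceroute hops against the local prefix. That second part is the surprise described in the "local network" post above: a trace to a host with the same prefix can leave the prefix through other routers and come back in. The hop addresses are constructed for illustration, not taken from a real trace.

```python
"""Summarise a CIDR prefix and classify traceroute hops as inside or outside
it. Added example, not the blog's own code; SAMPLE_HOPS is constructed."""
import ipaddress


def describe_prefix(cidr):
    """Network, broadcast and address count for a prefix such as 10.1.2.3/20.
    strict=False lets a host address stand in for its network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "addresses": net.num_addresses,
    }


def classify_hops(local_cidr, hops):
    """Label each hop 'inside' the local prefix, 'outside' (public space),
    or 'private, other block' for RFC 1918 space that is not the local block."""
    net = ipaddress.ip_network(local_cidr, strict=False)
    labelled = []
    for hop in hops:
        addr = ipaddress.ip_address(hop)
        if addr in net:
            labelled.append((hop, "inside"))
        elif addr.is_private:
            labelled.append((hop, "private, other block"))
        else:
            labelled.append((hop, "outside"))
    return labelled


def leaves_prefix(local_cidr, hops):
    """True if a trace to a same-prefix host passes through any hop that is
    not inside the local prefix."""
    return any(label != "inside" for _, label in classify_hops(local_cidr, hops))


# Constructed hops: a trace from a 192.168.36.x host to another 192.168 host
# that goes out through a campus 128.103 router and back in, with one hop
# in a different private block along the way.
SAMPLE_HOPS = ["192.168.36.1", "128.103.0.1", "10.0.5.1", "128.103.1.9", "192.168.12.40"]

if __name__ == "__main__":
    for cidr in ("192.168.36.10/16", "192.168.36.10/20"):
        print(cidr, describe_prefix(cidr))
    for hop, label in classify_hops("192.168.36.10/16", SAMPLE_HOPS):
        print(f"{hop:16} {label}")
    print("trace leaves the prefix:", leaves_prefix("192.168.36.10/16", SAMPLE_HOPS))
```

A /16 covers 65536 addresses and a /20 covers 4096, which is the difference the traceroute post is getting at when it says 20 bits "doesn't give back 65 thousand possible hosts". The classification is a useful sanity check on any trace inside 192.168 space: the private label is a local convention, not a guarantee that the path stays local.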

i also looked at my own network. given what i know, i was the only visible skype user. there was another machine which nmap guessed was a VOIP router, which is kind of interesting.

so, looking at networks is interesting. you can see all the hosts at once, get quick summaries of just what type of host they might be and what they're doing, and all of this with a couple of simple tools and some ability to recognize states (which the tools are of course better than me at doing).

also, from my office, i can see that my home network is linked by a single router to a different node than i see from home, one of the NOX comcast nodes (i can't remember what it is from home, but it isn't NOX, which is what ties together all these new england university networks). so, that router has access to several dozen hosts including my computer, and also to several higher comcast nodes, through which it can send traffic off in various directions. in other words, i think that that router is the single bottleneck for traffic from my home computer - i'm one hop from the open internet.

Monday, April 26, 2010

portscan

just got my first portscan result.

it's another address in boston, using skype. it's also a comcast address, and the first 16 bits are the same as my address. the prefix of the server above it says 'needham'. i guess it's strange that it's such a similar location to mine, and i suppose i could be looking into some sort of mirror that i don't understand, but i do think it's a real, other user, somewhere here in town.

nmap saw that its http ports (80 and 443) were open, and decided that they were being used by the Skype service. i can also see that port 2265 is open, the same port from which i'm receiving packets from this computer.

the other open port (2222) is associated with a website administration program, or with who knows what else.

nmap also claims with some confidence that the computer is a pocket PC running some version of windows XP.

still, i have no idea why this computer is reflecting messages through my computer. and i still haven't figured out why there's always an explicit connection through skype with another computer - other than jingping, this is the only skype connection at the moment, so it is *the other* connection. now i'll see if it shows up again...

Saturday, April 24, 2010

nmap 1

got a program called nmap, using the windows gui.

i can't really get a port scan to work on another computer. i tried to get jingping to turn off her firewall, but she said it was already off - i guess norton does its own firewall.

still, nmap has other neat functions. you can get it to do traceroute for you, along with other things, and it will hold on to all the data for you. as you do this, it creates a graphic plot of all the addresses you've been querying. if you're doing traceroutes, it plots ip paths, which is fantastic. here's what i did:

still working off the mysteries of Skype, i ran the network monitor for a few minutes, and got a list of those UDP conversations through port 34368. most of these just consist of my computer sending out a single datagram to some other address, with which i may or may not be also involved in a TCP session. a few ms later, i get a UDP back from the target. there were about 15 of these over a 5 minute period. i plugged them all into the nmap and tracerouted them (had to do this one by one, i'm going to have to get a little more sophisticated), and got back a neat plot showing how all these connections are related to me. these other IP addresses were all over the world, China, NZ, Japan, Russia, France, all over. maybe those are the supernodes, and i'm just registering with them by sending a datagram?

the plot is interesting in itself:


you can't read them but the ip address of every node along the route is listed. the maps are dynamic; you can highlight a node and all its children (those further down the route away from the center), change the center node, rotate, etc.

like i said, most of those UDP exchanges were just 2 packets, one out and one response. there were two other things that happened. one was, I sent 2 UDP packets and got back 1 RTP packet, which i think is actually a UDP packet carrying audio/video information. there wasn't anything else associated with that address, though, so i can't guess what that was about.

the other interesting thing was an instance where i sent 3 UDP packets to a certain address, with no response. i actually guessed the reason: they were being sent to jingping's laptop on campus, on the UofL wireless network, where it hasn't actually been connected since early friday evening: i sent those UDP packets after midnight, more than 7 hours after she had disconnected.

why did this happen? one thing is, i may have left Skype running on the computer in my office, and during the day that was a connection to her laptop on the campus wireless network. or, i may have turned it off - sometimes i forget, usually i don't, but i don't usually remember if i remembered, only if i forgot (strange how that works). at any rate, for some reason, my computer, being connected with my Skype account, thought to check to see if that UofL address was still on, despite the fact that the account it had been associated with was now associated with another IP address. this doesn't make a lot of sense to me. some sort of cleanup work on Skype's part?

mysteries, mysteries.