The View from Landmark

Trends and issues in personal computing from Bud Stolker, a long-time PC consultant. The View from Landmark features tips and techniques to make time spent with your computer more productive and rewarding, commentary on new personal computer policies and trends, plain-English explanations of new hardware, software, and network designs and their relevance to you, and answers to common questions. There may be personal material interspersed if Bud believes it is of general interest.

Tuesday, September 21, 2004

Up in flames; down on the Web

Two of our six Web sites were down yesterday. They are hosted by two different companies in Baltimore. The power grid in that area hadn't failed since 1982, but an explosion and underground fire in downtown Baltimore Monday morning caused the grid to fail. Power was cut to approximately 50 city blocks. City Hall was without power. 2400 city and state employees took the day off. The traffic light system went out. And several Internet providers, including AT&T and Qwest, were left without power.

The problem manifested itself in interesting ways. We could surf the Web using Verizon DSL but could not use any of the features of our landmark.org site (now used primarily for testing, maintenance, and privileged features for some clients). We could get to the Postini Web site, but couldn't log into our spam filter. We could send email but couldn't receive it.

So an underground fire 50 miles away created problems for our Web sites -- and thousands of others.

Our primary Web host's data center has a dual power feed from the so-called "redundant grid with three power generators", with a transfer switch between the two feeds. But when the grid itself failed, the additional power feed could not operate. The data center is installing yet another generator to deal with the highly unlikely event of another grid failure.

In a perfect world this kind of problem would not happen. Makes you kind of wonder just where our soft spots are, how many there are, and how we can protect ourselves from random events and purposeful attacks. In the worst case, if the servers had all fried or all of Baltimore had burned down, we could have moved our Web sites to a different host. We would have been down for 24-48 hours, but our Web sites would survive. At least we were backed up.

More information on the Baltimore fire: http://wbal.com/stories/templates/news.asp?articleid=22926


Wednesday, September 15, 2004

Steganography: new spam/scam technique

Look up steganography and you'll find that it's one of the fundamental branches of cryptology, the study of techniques that can be used to conceal information. Literally steganography means "covered writing", from the Greek words steganos (covered) and graptos (writing).

Now this process is being used to elude spam filters.

The trick, according to a recent eWeek article (http://www.eweek.com/article2/0,1759,1644840,00.asp), is to take all of the text and images that would normally constitute a spam message and embed them in one large image that looks like a collection of text and graphics. The resulting single-image message provides virtually no keywords or other information to a spam filter and thus passes through uncensored.

Most spam filters check for key words (Xanax, Valium, Viagra) or text strings ("free offer", "degrees for sale") to identify spam. That's why so many common words are misspelled: to slip through the keyword filters. And that's why you'll often see meaningless text strings in spam (<qua erskine phony condensible aida sporadic*); they reduce the "spam score" of the message. But if the entire message is one large graphic, the context is unreadable by simple filters.

Below is an example of a steganographic scam. The Amazon logo, text, and hyperlink are all part of one image. Don't worry; the link doesn't work. The message may look a bit out of place here against a darker background, but if you received it as an email message, you could be forgiven for not noticing that the message is a large graphic.


[image of a steganographic message: a fake Amazon email rendered as a single graphic]

Click anywhere on the original message and it takes you not to Amazon, but to this obfuscated, percent-encoded address: http://www.amazon.com%6Cexec%6C%6F%62%69%64%6F%73%6C%61%6D%61%62%6F%74@%32%30%33%2E%32%32%39%2E%32%31%32%2E%31%34%35:%32%35%35%32/%69%6E%64%65%78%2E%68%74%6D. The "www.amazon.com" text sits before the @ sign, so a browser treats it as a user name rather than as the host; the real host follows the @ and is hidden by percent-encoding. The address decodes to a server hosted by Korea Telecom at 206 Jungja-dong, Bundang-gu, Sungnam City, Gyunggi-do, Korea, 463-711. Point to the link and look at the browser status bar to see the actual address.
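As an added illustration (not part of the original post), the following Python decodes that link component by component, the way a browser does, to separate the decoy text in front of the @ from the host that is actually contacted. It uses only the standard library; the URL string is the one quoted above, and the "suspicious" heuristics are my own assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# The obfuscated link quoted in the post above (the post says it no longer works).
SCAM_LINK = ("http://www.amazon.com%6Cexec%6C%6F%62%69%64%6F%73%6C%61%6D%61%62%6F%74"
             "@%32%30%33%2E%32%32%39%2E%32%31%32%2E%31%34%35:%32%35%35%32"
             "/%69%6E%64%65%78%2E%68%74%6D")


def reveal_link(url):
    """Report where a percent-encoded link really points.

    The authority part is split on the last '@' before anything is decoded, as a
    browser would do, so text in front of the '@' is userinfo (a decoy), not the
    host. Decoding only after splitting means an encoded '@' or ':' inside the
    decoy cannot change which part is taken as the host.
    """
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")   # assumption: no bracketed IPv6 hosts
    real_host = unquote(host).lower()
    try:
        ipaddress.ip_address(real_host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    port_text = unquote(port)
    return {
        "decoy": unquote(userinfo),    # what the reader is meant to see
        "host": real_host,             # what the browser actually connects to
        "port": int(port_text) if port_text.isdigit() else None,
        "path": unquote(parts.path),
        # Heuristics (assumed): userinfo in a mail link, a bare IP host, or a
        # percent-encoded authority are rare in legitimate mail.
        "suspicious": bool(userinfo) or host_is_ip or "%" in parts.netloc,
    }


if __name__ == "__main__":
    for url in (SCAM_LINK, "http://www.amazon.com/exec/obidos/"):
        info = reveal_link(url)
        print(f"{'SUSPICIOUS' if info['suspicious'] else 'ok':10} host={info['host']} "
              f"port={info['port']} decoy={info['decoy']!r}")
```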

These scam artists are looking for your credit card number and pin, and any other information they can get. Korea Telecom may have pulled the plug on this particular scam -- as of this writing the link doesn't work.

Other apparently nonsensical messages embedded in the source code of this message: "I advise you without any ega you can't miss it Are you sure? in 1825 That's lovely . . . in 1860 You might put Forget it! 253 No thanks 1 in 1946 292 going to Will you . . . ."

Amazon indeed!

Another way filters can identify spam (or a scam) is by comparing an image against known "bad" images. But it's a simple matter to randomize a few bits in the graphic, thereby altering the file's checksum.
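To show why a raw checksum is a brittle blocklist key and what a filter can do instead, here is an added example (not from the post) on a constructed 8x8 grayscale image: toggling a few low bits changes the SHA-256 digest but leaves a simple average hash, a basic perceptual hash, unchanged. The image, the `average_hash` routine and the distance threshold are my own construction, not a real spam sample or a production filter.

```python
import hashlib
import random

# Constructed 8x8 grayscale image (pixel values 0-255): a bright block on a dark
# background, standing in for a known spam graphic. Not a real sample.
SPAM_IMAGE = [[200 if 2 <= r <= 5 and 2 <= c <= 5 else 30 for c in range(8)]
              for r in range(8)]


def exact_hash(img):
    """Checksum of the raw pixels: changing any single bit yields a new digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def average_hash(img):
    """Minimal perceptual hash: one bit per pixel, 1 if brighter than the mean.
    Small value changes do not move pixels across the mean, so the hash holds."""
    pixels = [p for row in img for p in row]
    mean = sum(pixels) / len(pixels)
    return "".join("1" if p > mean else "0" for p in pixels)


def randomize_low_bits(img, count, seed=0):
    """The trick described in the post: toggle the low bit of `count` distinct pixels."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for idx in rng.sample(range(64), count):
        out[idx // 8][idx % 8] ^= 1
    return out


def matches_blocklist(img, known, max_distance=4):
    """Compare a message's image against known-bad perceptual hashes, allowing a
    few differing bits so that light tampering still matches."""
    h = average_hash(img)
    return any(sum(a != b for a, b in zip(h, k)) <= max_distance for k in known)


if __name__ == "__main__":
    tweaked = randomize_low_bits(SPAM_IMAGE, 5)
    print("sha256 equal:", exact_hash(tweaked) == exact_hash(SPAM_IMAGE))      # False
    print("ahash equal: ", average_hash(tweaked) == average_hash(SPAM_IMAGE))  # True
    print("blocked:     ", matches_blocklist(tweaked, [average_hash(SPAM_IMAGE)]))  # True
```

Resizing or re-rendering the graphic would move more pixels than a few bit flips, so a perceptual hash narrows the trivial evasion described above rather than closing it.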

Conclusion: A steganographic message may have a lot more content than meets the eye. Spam may have a scam lurking beneath the apparent message. Either our filters will have to get smarter, or we will.




*random text string culled from today's collection of spam. Here's a longer version, also from today's email:

predominate ossifies antiquarians cordage eme percolate tallymen outpresses leached arachnophagous. aspartyl prealarm neostriatum stalklet regulatively sparged slapdash glaucophanite vaugnerite. apyrases weighted spelled eroses tantawy sodioplatinic zoonomia. eupneic programer lenticula preallow dundee claustrophobe psychopompos gauntries lifo cordage. ciboule priapean blennymenitis stiff! nesses mastectomy sunset inbreathe sabine semioblivious seafarers. dwellers shellacked tractlet ataman smockings unamalgamated cresswort quillaia. geodesical sabine preilluminate halakah nonundulatory superorganize marketeers. apometabolous orthograph tutory palatines blackguard zoosporocyst. scrawler slopeness misunderstander stereognostic rhyming. subserrate contravention myelodiastasis illicitly volplane promote besprinkling extrapelvic eyedropperful. governs esophagectomy palaeography mussuk hemapophyseal. rubidiums muzjiks videlicet lakist misunderstander cytost unmixable reata. steadfastness glamoury pantywaist balden autosign. findal ataman undisinherited skirl bandsmen pickford condemnate sparged. uluhi tannings mesmerizes prisonlike amusively khazens pst eschalots. cacuminous buttocker etatist bullcomber mirv esoterism yappiness. rave gaynesses derival letting smockings despotat nonimmunities malocclusion yens ultramodernist. animists diabolarch docking mussuk coto! neaster yens.