Facebook Servers Pinging Home Users?

I’ve been playing around with Splunk lately, and one thing I’ve noticed is that I am getting a lot of pings from a certain range of IPs. I block inbound ping at my firewall, but this was so persistent I got a little curious. Here’s the log excerpt that piqued my interest:

Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside

That’s the trimmed output, but you can see a bigger set of logs if you’re interested.

So just who are these persistent pingers?

whois 69.171.228.232
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.171.228.232"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.228.232?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
OriginAS:       AS32934
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-08-05
Updated:        2010-10-15
Ref:            http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  domain@facebook.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  domain@facebook.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

whois 69.63.186.228
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.63.186.228"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.63.186.228?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.63.176.0 - 69.63.191.255
CIDR:           69.63.176.0/20
OriginAS:       AS32934
NetName:        TFBNET2
NetHandle:      NET-69-63-176-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
Comment:        Contact abuse@facebook.com with issues.
RegDate:        2007-02-07
Updated:        2010-07-08
Ref:            http://whois.arin.net/rest/net/NET-69-63-176-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  noc@fb.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc@fb.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RTechHandle: OPERA82-ARIN
RTechName:   Operations
RTechPhone:  +1-650-543-4800
RTechEmail:  noc@fb.com
RTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RAbuseHandle: OPERA82-ARIN
RAbuseName:   Operations
RAbusePhone:  +1-650-543-4800
RAbuseEmail:  noc@fb.com
RAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

RNOCHandle: OPERA82-ARIN
RNOCName:   Operations
RNOCPhone:  +1-650-543-4800
RNOCEmail:  noc@fb.com
RNOCRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

As you can see, both ranges are owned by Facebook. So the question of the day… Why is Facebook ping scanning me?!? Get your guesses in now, because I’m going to email their abuse address and see what they say. 😉
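One way to do the same triage without eyeballing Splunk: parse the ASA 313001 “Denied ICMP” lines, count echo requests per source, and attribute each source to the netblocks the whois answers returned. This is an added example, not from the original post; the sample log is constructed from the lines above plus one unattributed TEST-NET address and one unrelated ASA message, and the netblock names are copied from the whois output.

```python
"""Parse Cisco ASA %ASA-3-313001 'Denied ICMP' events, group them by
source address and attribute each source to a known netblock."""
import re
import ipaddress
from collections import defaultdict

# Netblocks copied from the two ARIN whois answers quoted in the post.
KNOWN_NETBLOCKS = {
    ipaddress.ip_network("69.171.224.0/19"): "TFBNET3 (Facebook, Inc., AS32934)",
    ipaddress.ip_network("69.63.176.0/20"): "TFBNET2 (Facebook, Inc., AS32934)",
}

# Message ID 313001 is "Denied ICMP type=X, code=Y from A on interface I".
DENIED_ICMP = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)$"
)

# Constructed sample: the seven lines from the post, one echo request from a
# TEST-NET address (192.0.2.0/24) that matches no known netblock, and one
# unrelated connection-built message that the parser must skip.
SAMPLE_LOG = """\
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:17 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 22:02:16 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.186.228 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:05 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:55:04 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.171.228.232 on interface outside
Jan 23 2012 21:45:58 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 69.63.179.30 on interface outside
Jan 23 2012 21:40:00 brt-fw-01 : %ASA-3-313001: Denied ICMP type=8, code=0 from 192.0.2.10 on interface outside
Jan 23 2012 21:39:00 brt-fw-01 : %ASA-6-302013: Built inbound TCP connection 1 for outside:192.0.2.10/40001 (192.0.2.10/40001) to inside:10.0.0.5/80 (10.0.0.5/80)
"""


def parse_denied_icmp(text):
    """Return one dict per 313001 line; every other syslog line is skipped."""
    events = []
    for line in text.splitlines():
        m = DENIED_ICMP.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["type"] = int(ev["type"])
        ev["code"] = int(ev["code"])
        events.append(ev)
    return events


def attribute(src):
    """Map a source IP to a known netblock name, or 'unattributed'."""
    addr = ipaddress.ip_address(src)
    for net, name in KNOWN_NETBLOCKS.items():
        if addr in net:
            return name
    return "unattributed"


def summarize_echo_requests(text):
    """Count ICMP echo requests (type 8) per netblock and list distinct sources."""
    summary = defaultdict(lambda: {"events": 0, "sources": set()})
    for ev in parse_denied_icmp(text):
        if ev["type"] != 8:  # only echo requests, i.e. actual pings
            continue
        bucket = summary[attribute(ev["src"])]
        bucket["events"] += 1
        bucket["sources"].add(ev["src"])
    return {k: {"events": v["events"], "sources": sorted(v["sources"])}
            for k, v in summary.items()}


if __name__ == "__main__":
    for name, info in summarize_echo_requests(SAMPLE_LOG).items():
        print(f"{name}: {info['events']} echo requests from {', '.join(info['sources'])}")
```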

EU – No to X-Ray Scanners

For those who don’t know, the European Union has much stronger safety and privacy laws than the US. The EU just announced their new official policy for the deployment of airport scanners. Two key quotes:

It is still for each Member State or airport to decide whether or not to deploy security scanners, but these new rules ensure that where this new technology is used it will be covered by EU wide standards on detection capability as well as strict safeguards to protect health and fundamental rights.

In order not to risk jeopardising citizens’ health and safety, only security scanners which do not use X-ray technology are added to the list of authorised methods for passenger screening at EU airports.

If only TSA would accept that dosing people with X-rays and taking nude pictures of them isn’t actually necessary for security! Hopefully the new EU regulations will spur Congress to pass similar laws that protect the health and privacy of Americans. As Scientific American reports, the TSA is planning on deploying over 1800 scanners in airports across the country. Write your Representative and Senators now to encourage them to follow the EU’s lead in protecting citizens!

Anti-Vaccine? Cool, Let’s Get Infected!

I’ve written before about the sometimes outrageous actions of folks opposed to vaccines. And now from Tennessee comes another story of anti-vaccine craziness. A few folks there have gotten the bright idea that instead of exposing their children to a weakened-virus chicken pox vaccine, it would be more natural to expose their kids to pox-laden spit from other kids they find on the Internet.

I hate to rain on their parade, but this is completely insane! If I came up to some parent and asked them “Hey, would you willingly let your kids put a biological fluid into their mouth if you saw someone offering to ship it to you on Craigslist?” I have to imagine they would say “NO!” (and probably call the cops on me). But as soon as you frame it as “do anything for the children!”, people’s brains turn off and crazy shit starts happening.

“Even in the best circumstances, exposing your children to a potentially serious or even fatal disease which is virtually, completely preventable by a really safe vaccine is inexcusable. Not even talking about the other accidental risks from shipping, other infections,” said the Tennessee Health Department’s Epidemiologist, Dr. Tim Jones.

Yeah, that’s a good point, Doctor. Not to mention the fact that shipping biological contaminants across state lines is kinda against federal law. Remember how popular the anthrax mailer was? Guess what Pox-Mom, you’re doing the same thing — I know, I know, it’s for the children. But you’re still breaking the law.

I hope it doesn’t happen in this case, but people can die of chicken pox (certainly not common, thank goodness). I would feel like a real ass if I mailed some parent a lolli-pox and then their kid (or their kid’s classmate) died of it. So good luck out there folks – maybe take some time out this holiday season to remember that just because something is “organic” and “natural” doesn’t mean it’s “safer” and “better”…

Complexities of Protecting Information

I love movies where a complex string of innocent circumstances finally draws together into a dramatic finale. Sometimes, life is like that too…

The German publication Spiegel has an article about the series of unfortunate events (to borrow a phrase) that eventually resulted in the leaking of WikiLeaks’ trove of US diplomatic cables. Reading over it, it’s striking how each event was just one more step down the primrose path to destruction. For those of us not involved, it’s a dramatic example of how hard it is to avoid unintended consequences while trying to keep information safe and secure. For the unlucky few who are named in the cables, this is a much more dangerous development.

TSA: Like burglar alarms?

Bear with me on this one…

Among the many thoughts I’ve been having on the TSA’s controversial backscatter “strip search” scanners are some musings based in game theory. Let’s look at the “players” in the security game:

  • TSA: Chartered with securing air travel. Strongly motivated to avoid the possibility of blame being assigned to them when a terrorist event occurs.
  • Politicians: Want to be re-elected. Subject to the whims of the polls; right now that means being “tough on terrorists”. Current controversies may swing some politicians away from the “security at any cost” mindset.
  • Pilots/Crew: Concerned with balancing security against their own personal well being and effectiveness as employees.
  • Flyers: Want to be safe, but there are threshold costs for security which won’t be acceptable. Where those thresholds are is subject to some debate.
  • Non-flying public: Insulated from any costs (economic, political, mental, social, etc.) of flying security measures. Hard to uniformly classify motivation as a single group.
  • Terrorists: Want to disrupt American lifestyle sufficiently to achieve their goal (remove US from Middle East/undermine support for Israel/support Sharia law in homeland/influence domestic US politics and laws towards Islam/whatever).

Some interesting features of the game:

One thing that clearly strikes me is that the interests of TSA do not align with the interests of the Pilots/Crew or the Flyers. TSA has no interest in assuming a “compromise” or “balanced” security policy. TSA only wants one thing from both groups – unquestioning compliance. I think this conjecture from the game bears out in the reported demeanor of TSA in real life.

Non-flying public is numerically larger than the flying public. Politicians are influenced by these two groups, but because the Non-flying Public doesn’t bear any direct costs of security, it is natural for the Politicians to under-value the cost imposed on the Flyers group. The Politicians exert influence on the TSA. So the combination of the TSA having no incentive to decrease costs of security and the Politicians under-valuing costs of security implies that the feedback loop that should limit and control security policy to a reasonable level is actually weak and likely to result in over-costly security policy.

In the “mini-game” of a Terrorist attack, it’s not necessary for the attack to succeed in order for it to benefit the goals of the Terrorists. This means that it’s actually possible for a failed terror attack to be viewed as “positive outcome” to both the TSA and the Terrorists. The TSA because they can claim success and justification for their security measures. The Terrorists can as well, as long as the attack foments alarmist media and political coverage and results in increased fear.

Another striking feature of our “game” is that Terrorists and TSA are not diametrically opposed to each other. It’s possible for TSA and Terrorists to both “win” (or at least, both not lose) assuming the Terrorists can find a way to disrupt America that doesn’t depend on attacking the airline industry. Here at last is the feature of the game that inspires my title! Economics and game theory say that a burglary alarm doesn’t necessarily prevent all burglaries, it only has to prevent burglaries against the homeowner who pays for it. If it causes burglaries to shift to adjacent homes, there is a benefit to the alarmed homeowner, but a consequent loss to the neighbors. TSA is, in effect, like a burglar alarm – it encourages Terrorists to attack other targets. As long as the targets aren’t aviation related, TSA “wins” their part of the game. Of course, the problem is that the actions TSA takes to win are not necessarily the best for the public at large.

Just a few quick concrete examples of why this feature of the game should be so worrisome:

  • Security spending is limited to a finite budget. Ideally we should optimize our security budget over all policies and activities to result in the best security possible. Or, in the terms of our game, we should optimize our security spending so the Terrorists get as low a score as possible in the game. TSA (and all other single-scoped security agencies) are not motivated to do that. They are motivated to increase their security budget as greedily as possible in order to maximize their chances of securing their sector in the game, regardless of how cost-effective any given policy is.
  • Shifting behavior and secondary effects may impose costs higher than the Terrorists. For example, driving is much more dangerous than flying. Every time someone decides to drive instead of fly a long distance, we are increasing the number of deaths and injuries suffered on the roads. Since the death and injury rate from Terrorists is so very low, it doesn’t take many additional deaths to negate the benefits of enhancing aviation security.

The secondary health losses are one of the big controversies over the backscatter x-ray searches, and are also a perfect example of the second point. Even though the health risk is likely minuscule from a single scan, if the scanners are widely used on a significant percentage of fliers, the minuscule health impacts accumulate into being more damaging than the Terrorists. Since terror attacks are such a highly improbable event, even scanners that sound very very safe in the context of a single scan could easily accumulate a negative impact that outweighs any benefit to stopping Terrorists.

I’d love to see a more detailed analysis of this game, but from just my cursory knowledge of game theory it’s obvious to me that the flying public must 1) become very vocal about the costs of the TSA policies and 2) gain support from the non-flying public. Only then can we muster enough influence on Politicians to push through and influence the TSA.

If you agree, I encourage you to write or call Congress, talk to your friends and family about why you disagree with TSA policies, and, if you’re flying, opt out of the invasive body scanners. You’ll be subjected to an invasive “enhanced pat-down” as a result. I would encourage you to complain to your Congressional representatives as well as the ACLU if you feel that the TSA policy is inappropriate.

If you’re interested in a huge collection of links related to the TSA policy situation, please check out this post from Bruce Schneier: TSA Backscatter X-ray Backlash.

Rant: Who watches the watchers?

Computer security can be an arcane subject, especially for the “uninitiated” who don’t know what phrases like “risk mitigation”, “threat profile”, and “single-loss-expectancy” are talking about. But a lot of computer security boils down to fundamental ideas about trust and security that we’re used to in the real world. This week at work I was handed a very frustrating example of these fundamentals.

In security jargon, we talk about “controls” – especially “technical controls” vs. “procedural controls”. Let me break that down into plain English for you. Procedural control basically means “we told someone not to do a bad thing, and we trust that they’ll listen to us.” Technical control means “we don’t have to trust someone, because the system won’t do the bad thing even if the person wants to.” In the security world, technical controls are almost always preferable, since they allow your organization to take someone’s trustworthiness out of the equation.

A simple real life example of these two types of controls are locks on doors. In some situations, for example college roommates who grew up together, locking doors isn’t necessary because the people involved are trustworthy. But in another situation, the exterior door on your apartment, you can’t trust the other people and you demand a reasonable lock to secure your living space. And in further extremes, like protecting weapons or biological agents, the people involved are trustworthy but the possible damages are so high that strong locks and other controls (guards, video cameras, fences, etc.) are required.

As you can see from the examples, just because the people involved are trustworthy doesn’t mean systems with lax controls are adequate. If the risk of damage is large, prudence demands that we design a system that “watches the watchers” so to speak.

The example from work wasn’t nearly as dangerous as biological agents. But it was all the more frustrating because I had pointed out the ease with which the operations team could implement better controls on their patching process just a few days ago. Then yesterday it came up that the swing shift operators had installed software patches on the wrong boxes – an error facilitated by the lack of technical control and the attitude from the operations leader that the problem was “reminding the swing shift guys they shouldn’t patch those machines.”

No, the problem is you aren’t even willing to learn from your mistakes and implement new controls even after you’ve been burned once…

The Corruption of Security Culture by Twitter

So, one of the big attack modes in computer security these days is “phishing”. Phishing is when someone induces a victim to disclose a username & password (or other important identity information) using something that appears to be a valid website. For example, someone might set up a fake Bank of America website, then email that link to thousands of people asking them to log in and confirm their account. Even if only 1% of the recipients fall for the trick, the attacker gets access to hundreds or thousands of bank accounts.

One of the most important countermeasures to this attack is user education. Organizations have spent lots of money trying to educate users that they should never disclose their password to another site. Things as simple as never opening links from an email and verifying the “SSL Lock” icon on your browser are cornerstones to this process. But more importantly, users should never give their password to a site with the wrong URL. In our example above, if the link in the email goes to http://bankofamerica.com@geocities.com/~spammer/fake_login.html, the goal of user education is to get the user to stop and say “Hey, that doesn’t look right….” In fact, social media pioneer MySpace spent a lot of time and effort combating these exact types of attacks through user education efforts on their login screens and banners.

That brings us to Twitter. There appears to be a whole universe of Twitter related tools and websites that ask you to use your Twitter username and password to access their services. This is a bad idea! First, in the specific instance, we are building up a huge body of websites with access to our Twitter accounts – a break in at any of them could result in massive compromise of Twitter accounts, regardless of Twitter’s policies and security controls.

But more importantly, Twitter’s importance to the “youngins” means that we’re now raising a whole new generation of Internet users that are 1) vulnerable to exploitation because of their age and now 2) trained by prior experience that sharing their username/password with other sites is a good idea. Now, I’m not one of those people that will do anything “for the children”, but this is still a scary prospect.

And before you pooh-pooh me, how many of you out there are using the same username and password for a lot of your social media sites, email accounts, Amazon, Etsy, etc.? I’d be shocked if most kids have strong passwords let alone separate passwords for all the different sites they use on a daily basis. So these phishing vulnerabilities are only going to be more important as time goes on. And the really scary thing – even if you and your kids are smart enough to avoid these pitfalls, the vulnerability has what we call a “network effect”. Even if YOU aren’t vulnerable, someone you’re connected to probably is. And that can be just as bad. Think your 13 year old would never talk to strangers online? What about when his friend’s account is compromised and some stranger is using that friend’s Facebook or Twitter to talk to your 13 year old? Still feel safe? Think you would know better even if your 13 year old wouldn’t? What if your best friend sent you a Facebook message to let you know that the party tomorrow is cancelled? How paranoid are you willing to be….?

What can be done? Well, for starters, Twitter should implement an API Key approach to programmatic sharing like the one used by Flickr (or some other well engineered security mechanism for sharing access). Then they need to lead the charge in educating users not to share their passwords with a site that doesn’t end in “twitter.com”. And parents, don’t forget to spend some time with your kids – and not just explaining this stuff!
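To make the “wrong URL” lesson concrete, here is how a browser actually reads the bankofamerica.com@geocities.com link from above, and a correct version of the “ends in twitter.com” rule. This is an added example, not code from the post; the URL and the twitter.com rule come from the text, the function names and the HTTPS check are my additions.

```python
"""Show which host a deceptive login URL really points at, and check that a
password form belongs to the expected site (or one of its subdomains)."""
from urllib.parse import urlsplit

# The phishing link quoted in the post.
PHISH = "http://bankofamerica.com@geocities.com/~spammer/fake_login.html"


def real_host(url):
    """Hostname the browser will connect to. Everything before '@' in the
    authority is userinfo, not the host; that is what the trick relies on."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def belongs_to(url, site):
    """True only if the host is `site` itself or a subdomain of it.
    A plain str.endswith(site) would also accept 'nottwitter.com'."""
    host = real_host(url)
    return host == site or host.endswith("." + site)


def check_login_url(url, site):
    """Return a list of reasons not to type a password into this URL
    (empty list means it passed the checks)."""
    parts = urlsplit(url)
    warnings = []
    if parts.username is not None:
        # urlsplit exposes the 'bankofamerica.com' part as the username
        warnings.append(f"userinfo '{parts.username}' in URL hides the real host")
    if parts.scheme != "https":
        warnings.append("not HTTPS, so there is no SSL lock to verify")
    if not belongs_to(url, site):
        warnings.append(f"host '{real_host(url)}' is not {site} or a subdomain of it")
    return warnings


if __name__ == "__main__":
    print("real host:", real_host(PHISH))
    for w in check_login_url(PHISH, "bankofamerica.com"):
        print(" -", w)
    print("twitter subdomain ok:", belongs_to("https://api.twitter.com/oauth", "twitter.com"))
    print("lookalike rejected:", not belongs_to("https://nottwitter.com/login", "twitter.com"))
```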

S/MIME Gotcha

I recently re-enabled S/MIME signing in my Outlook client. (S/MIME is a way to place a digital signature on an email message so the recipients can verify the sender.) When I tested sending mails back and forth to myself through my various clients, I had no problem. However, when I started sending email to other recipients, they all had issues opening the mail – most with the error message “Your digital ID name could not be found by the underlying security system.”
This error is normally associated with difficulty opening encrypted mail. Since I wasn’t using encryption, I couldn’t fathom why this was happening. Many Google searches and Microsoft Knowledge Base articles later, I still hadn’t found a solution. I finally had an “Ah-hah!” moment and found the problem. So, in the hope that someone will be spared some of my pain, here’s my problem and solution.
I configured Outlook 2007 to use SHA512 for the signature algorithm. Unfortunately, this is not as widely supported as one might hope. Even on another Outlook 2007 installation at work, SHA512 couldn’t be opened. Changing the signature algorithm back to SHA1 let everyone start seeing my emails again.
The “Your digital ID name could not be found by the underlying security system” error message is grossly misleading in this case! The system should really be reporting something like “The security system does not support the algorithm used to sign this message.” I don’t normally bash Microsoft, but in this case… you dropped the ball guys! Since SHA1 has started to show some signs of weakness, I’m hopeful that SHA512 will be more widely supported in the future. But until then, keep your S/MIME certificates set to SHA1 and AES256!

Windows Security for Dummies

I occasionally get called up to fix someone’s computer after it’s befallen the evils of the Internet. Fortunately my immediate family has become relatively computer savvy over the years, so this is less of a problem now. (Although now Mom stumps me with more complex problems that I have no idea how to fix.) In the interest of possibly helping some newbies out there, I’m gonna list some tips for keeping the baddies out of your computer. There are plenty of lists like this on the net already. I’m not claiming this one is better or more complete – just that it’s mine. 🙂 If you’re on a Mac, you’re on your own. If you use Linux, you’ve already declared your independence. This is for the people out there who are stuck on Windows and want it to “Just Work” – not the avid user who argues about vi vs. emacs.

  1. Get a Recent Version of the Operating System (OS). I know it’s expensive, but if you’re running anything other than Windows 2000, XP or Vista, suck it up and buy a new version of the OS. Windows 98 may run fine on your PC, but it has no security. Just give up and move into the modern era. If your PC won’t run at least Windows 2000, then you can hope and pray or you can go buy a newer computer.
  2. Get an Antivirus Scanner. Do you ride in a car without using your seatbelt? Do you own a computer without an antivirus program? Either way you’re being stupid and may have to pay the consequences some day. Sorry, but time to face reality. There are free antivirus scanners out there, so no excuses. Just buckle up, already.
  3. Get an Anti-Malware Tool. Malware (aka spyware) is the latest threat. Anti-malware tools are not as common as antivirus programs, but you should get one. There are at least three major ones available – Ad Aware, Spybot – Search & Destroy!, and Microsoft’s Windows Defender. I personally use Windows Defender, but anti-malware tools are like condoms – it’s more important that you use one than it is to argue about the best brand.
  4. Run Automatic Updates. You may have heard that automatic patching is a bad idea. If you have a test environment to download and validate patches before using them on your production machines, please do. But if you don’t, suck it up and enable Automatic Updates.
  5. Use Old School Email. Email used to be plain text. Then someone figured out you could send HTML and it would be pretty. Then hackers figured out you could send HTML and fuck up someone’s life. Keep it old school, use plain text email. Set your mail program to send plain text. Set it to open all mail as plain text. This will stop almost every email security attack out there.
  6. Run as a Limited User. Running as a Limited User prevents a virus or malware from completely ruining your computer (most of the time, at least). Check out this article from Microsoft for details on how to set it up.
  7. Turn On Windows Firewall. Like Automatic Updates, just suck it up and do it.
  8. Stop Clicking on Everything. A whole lot of attacks on computers rely on the user (that’s you!) actively doing something to start the attack. So stop opening the spam emails offering you better mortgage rates or a bigger penis. And stop visiting every website you can get your hands on. Curiosity can kill your computer just as surely as it can kill a cat.
  9. Spend 15 Minutes on Education. There’s plenty of places where you can learn a little bit about security so this whole thing isn’t so mystifying. If nothing else, check out Microsoft’s Security page and learn something new.

Well, there you go. I’ll probably add more to this page over time, but those tips should get you started.