Got Hacked?

Green Lock (via Flickr)

The talk around Twitter right now is the phishing scam via Direct Message, as reported by many including Read Write Web, Mashable, and Chris Pirillo.  The victims include the Twitter accounts of Barack Obama, Fox News, Britney Spears, and Rick Sanchez of CNN.   Getting their Twitter account hacked is a potential public relations nightmare.  The bait was a simple message directing recipients to a fake Twitter login page, where they entered their Twitter passwords.  Unsuspecting users went ahead and entered their information.  A similar trick has been done in e-mail for the longest time using pages that looked like eBay, PayPal, or a banking site.

I get similar complaints with the websites that I maintain.  What can server administrators do to figure out who’s behind these attacks?   Here are the steps I take:

  1. Ask the business or customer when the suspected hack happened.  Find out the exact date and time, if possible.
  2. Comb through the web server logs to find the IP addresses of the hackers using the date and time range reported by the user.  For example, in Apache HTTPD, the file is normally called “access_log”.
  3. Most hackers try multiple times, in quick succession.   In this case, running the web logs through an analyzer like Webalizer or Awstats will reveal the IP address with the most hits within a specified time range.
  4. Find out who the IP belongs to using tools like dig or nslookup.
  5. Report the offending IP address to the Internet Service Provider (ISP) as indicated by the lookup tool.  It can be done via email to postmaster@<isp.name> or abuse@<isp.name>.
  6. Depending on the severity, a fax or a phone call to the ISP may be required.  This is usually done when the hacking continues and there’s no indication of the ISP intervention to stop it.
  7. Start using the web server’s IP filtering features to blacklist the offending IPs.  For example, in Apache it can be done via the Deny directive for the document root in httpd.conf or an .htaccess file.
  8. For known hackers’ IP addresses, make it permanent by blacklisting them at the firewall or router level.
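Steps 2, 3 and 7 above can be done without a separate analyzer. The script below is an added example (not code from the original post): it parses Apache “common” format access_log lines, counts hits per IP inside the reported time window (optionally only for a given path, such as the login page), ranks the IPs, and emits the Apache 2.2-style Order/Allow/Deny block for an .htaccess file. The log lines, the IP addresses and the time window are constructed sample data, not real traffic; the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "common" log format (documentation IP
# ranges, not real traffic). One address hammers the login page repeatedly
# inside a short window; the others are normal visitors.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2009:14:02:11 -0800] "POST /login.php HTTP/1.1" 401 512
198.51.100.23 - - [10/Jan/2009:14:02:30 -0800] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2009:14:02:33 -0800] "POST /login.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Jan/2009:14:02:35 -0800] "POST /login.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Jan/2009:14:02:36 -0800] "POST /login.php HTTP/1.1" 200 1024
192.0.2.55 - - [10/Jan/2009:15:30:00 -0800] "POST /login.php HTTP/1.1" 401 512
this line is garbage and must be skipped by the parser
"""

# Apache common log format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Apache's default timestamp layout, e.g. 10/Jan/2009:14:02:11 -0800
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),  # tz-aware
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def window(start_str, end_str):
    """Build the (start, end) window from timestamps in Apache's own format,
    so the range the user reported can be typed in as it appears in the log."""
    return (datetime.strptime(start_str, TS_FORMAT),
            datetime.strptime(end_str, TS_FORMAT))


def hits_in_window(lines, start, end, path_filter=None):
    """Count hits per client IP between start and end (inclusive).
    If path_filter is given, only requests whose request line contains it
    (e.g. "/login.php") are counted."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines, don't crash
        if not (start <= rec["time"] <= end):
            continue
        if path_filter and path_filter not in rec["request"]:
            continue
        counts[rec["ip"]] += 1
    return counts


def suspicious_ips(counts, threshold):
    """IPs with at least `threshold` hits, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def htaccess_deny_block(ips):
    """Apache 2.2 (mod_authz_host) .htaccess fragment: allow everyone except
    the listed IPs. On Apache 2.4 the equivalent is Require all granted plus
    Require not ip <addr> inside <RequireAll>."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    start, end = window("10/Jan/2009:14:00:00 -0800", "10/Jan/2009:14:10:00 -0800")
    counts = hits_in_window(SAMPLE_ACCESS_LOG.splitlines(), start, end,
                            path_filter="/login.php")
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} hits")
    print(htaccess_deny_block(suspicious_ips(counts, threshold=3)))
```

The threshold is deliberately a parameter: a handful of failed logins from one address is normal user behaviour, so pick it from the actual traffic in the window rather than hard-coding it. Run the reverse lookup (step 4) on the resulting list before reporting or blocking, since shared proxies and NAT gateways also produce many hits from one address.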

Users do get complacent with their username and password.  They type passwords anywhere (or even share them with others!) without thinking twice.  With more and more sites requiring a login, it’s easy to forget to check the legitimacy of the page presented in the web browser.  Proactively, web applications need to be modified to prevent login hacking, for example by:

  • Using Secure Sockets Layer (SSL).  Most phishing sites will not bother with SSL because of the cost involved.  If logins are not done securely, users need to be extra careful.
  • Using OpenID, the open-standard user login.  A site needs to be registered with OpenID to be able to use this service.  This removes the guesswork about whether the site is legitimate.

Hopefully the word is out for both users and web developers, to do whatever is required to secure login passwords.

Image Credit: Ashenzil

Business Use for Twitter

I’ve been using Twitter for a while now, and I’ve used it mainly to connect with friends, bloggers, and geeks alike. Although it’s not ubiquitous, it is slowly becoming more and more popular among celebrities, scholars, politicians, and journalists. As more people start to spotlight Twitter, it’s inevitable that the marketplace is also starting to take advantage of it. Businesses are starting to pay attention to it. There are successful companies on Twitter, such as Zappos, Southwest Airlines, and Comcast. However, since Twitter is such a new medium, most companies don’t know where or how to start.

I have maintained marketing web sites for more than 11 years. I learned the process a company must follow to succeed in marketing its product on the Internet. Twitter’s approach to product marketing is fundamentally similar to web site promotion, with a few unique differences:

Preparation

  1. Have management or executive-level approval. It will serve as insurance, or due diligence if you will, in case something goes wrong and the finger-pointing starts.
  2. Form a social media committee. Choose the right people to handle Twitter updates. If possible, choose folks who understand Internet social media.
  3. Set an engagement policy. Everyone must be clear on what information to share with the public, and when.
  4. Have a direct lifeline to the support teams, both technical and business, to escalate difficult questions. These questions need not be handled on Twitter, but can be taken offline via phone or e-mail.

Execution

  1. Create a professional-looking Twitter profile. Update the Twitter profile’s background picture to include company logos or brand images.
  2. Twitter updates (or tweets) must contain only useful information. Tweets must have value. A good example is OC Register’s @ocreggie. They hand-pick the articles posted on Twitter. The human attention to detail is important.
  3. Start slow, and do not rush into getting thousands of followers right away. Followers will come when they see the company’s updates are important to them.

The above are steps in the right direction for a business to adopt Twitter as its new communication and customer service tool. There are other suggestions on how companies can succeed with Twitter. There are also questions to ask about whether Twitter is right for corporations.  Either way, when a business takes Twitter seriously, it will reap the benefits and work out the disadvantages. As long as it focuses on providing creative and valuable information, using Twitter is going to feel natural and easy.

Solid State Storage

Toshiba 512 GB Solid State Drives

Storage technology has come a long way.  Back in the 90s, I used to install 20 MB hard drives that cost hundreds of dollars and weighed a ton.  Now hard drives are so cheap, and capacity has broken the terabyte barrier!   The next step in storage technology is solid state drives, using flash memory chips.   Toshiba announced a 512 GB Solid State Drive (SSD) for notebook computers, game consoles, and other home electronics.  It’s definitely good for lightweight Internet notebook computers, or netbooks.  Mass production is slated for April-June 2009.

Solid State Drives are good for IT support in many ways:

  1. No moving parts.  It means better reliability: less prone to crashes due to shock or mishandling.
  2. Replacement is safe and easy: just unplug and play.  I suspect it may require the device to be turned off first before removing it.  Otherwise, a device with SSDs will need mechanisms to handle hot swapping, either by doing a graceful stand-by or by showing a friendly warning screen.
  3. Low energy consumption means low heat.  Heat causes many problems in notebook computer circuitry, ranging from fan failures to circuit board overheating.  Less heat means fewer problems with the overall electronic unit.
  4. Quiet operation.  Fewer people will complain about the noise. 🙂

Trying to beat Toshiba to the market is Intel’s version of SSDs.  It looks like they’re releasing a smaller-capacity 160 GB version, also slated for release in 2009.  Competition is good, because for the technology to gain mass adoption it needs to come down in price.  First releases will not be cheap, so business use will be the initial target market.  As a consumer, in this difficult economic climate, I’ll be hard pressed to buy one for home use if it’s not below $200.  I’m comparing it to a regular 2.5″ notebook hard drive, selling around $60 for 320 GB capacity.

My hope is for the use of SSDs in smartphones.  I’m dreaming of an all-in-one “computer phone” with plenty of storage capacity.  The next few years will see exciting developments in portable electronics.