Email and Forum Questions
Profiles in IT: Rob Glaser
Infrastructure Controls Vulnerable to Hacking
Website of the Week: Shodan
Broadband Advertising Assessed for Accuracy
Archives Appoints Wikipedian in Residence
DHS develops software security tools
RIM unveils BlackBerry 7 OS phones
AT&T tightens up password security
SpaceX Set Launch to International Space Station
Email from Ellen: Dear Tech Talk, How can I tell who owns a particular website? Thanks Ellen
Tech Talk Responds: Domain name ownership is contained in the whois database. A good place to look up this data is www.domaintools.com. Just enter the domain name and all registry information is provided. Frequently an owner will pay a third party (usually their ISP) to be the public point of contact.
Email from Ralph: Dear Dr. Shurtz. My router’s not accepting my password. How do I reset it? Thanks Ralph
Tech Talk Responds: I’ll assume you mean your router’s administrative password – the password you need in order to make changes to your router’s configuration.
The specific answer will depend on the manufacturer and model of your specific router, but the good news is that it’s almost always very easy to do.
Most of the time, if you visit http://192.168.1.1 or http://192.168.0.1 (the default address for your router), you will see a login screen. Try all your possible passwords. If that fails, you will have to reset your router to factory defaults.
You will have to know the default password. You can get this by downloading the user manual from the web. It is usually something like admin/admin. But it is different for each manufacturer.
The reset button should be on the back of the router, or in a small hole in the back. Press the reset button for 30 seconds and let the router reboot. Then enter the default user name and password.
That’s important to realize: when you reset to factory defaults, you’re resetting everything. If there were other customizations made to the router’s configuration besides just setting a new password, you’ll need to re-enter those configuration settings after you’ve successfully logged in.
Now you will have to reconfigure the security. First, change the password to something secure. Second, enable encryption (WEP, WPA, WPA2).
Email from Dominic: Dear Tech Talk, I have two iPads at home and would like to keep them synchronized. I only have one iTunes account and don’t want to get another one. What are my options? Thanks Dominic
Tech Talk Responds: You are in luck. iTunes allows you to sync two devices to one iTunes account. When you download an application to one, it automatically downloads to the other device. And you only pay for the app once. It is very convenient.
Email from Alicia: Dear Dr. Shurtz. I have been posting items to Wikipedia and someone else keeps posting to my article anonymously. Their posting only shows their IP address and not their name. Is there a way to find who owns that IP address? Thanks Alicia
Tech Talk Responds: You can use the lookup tool from the American Registry for Internet Numbers (ARIN). The web address is: http://whois.arin.net/
Email from Tung: Dear Tech Talk. I added someone as a friend by mistake. How can I remove them from my Facebook account? I cannot find a link on my page to do this action. Love the show. Thanks, Tung
Tech Talk Responds: Go to their page. The link is not on your page. On the left bottom of their page below their contacts, you should see a link named Unfriend. Click on this link and confirm. They are not notified that you have unfriended them.
Profiles in IT: Rob Glaser
Rob Glaser is founder and CEO of RealNetworks which produces RealAudio, RealVideo, and RealPlayer.
Rob Glaser was born January 16, 1962 in New York City.
His father had a printing company, sparking his interest in journalism and media.
Glaser’s mother was a psychiatric social worker who helped set up a center for disadvantaged children, instilling in her son a sense of social responsibility.
While growing up, he loved to listen to the radio and to music.
His summer camp counselor was working at his college radio station. After the camp was over the counselor invited him over to the station.
That experience prompted him to start a radio station while still in high school.
Glaser attended Yale, earning a BA and MA in Economics and a BS in computer science.
At Yale University he set up his second radio station and became one of the editors of the Yale Daily News.
After Yale, in 1983, he joined Microsoft. He managed the MS Word team, then went on to become VP of multimedia and consumer systems.
In 1993, he left Microsoft after having become a millionaire to start new ventures.
He felt that the Internet could be used to deliver a multimedia experience.
In 1995, he founded Progressive Networks. The original goal of the company was to provide a distribution channel for politically progressive content.
It evolved into a technology venture to leverage the Internet as an alternative distribution medium for audio broadcasts.
Progressive Networks became RealNetworks in September 1997.
RealNetworks went on to launch the first streaming video technology in 1997.
According to some accounts, by 2000, more than 85% of streaming content on the Internet was in the Real format.
Glaser, while Chief Executive of RealNetworks, clashed repeatedly with Tony Fadell, godfather of the iPhone and iPod, who then left the company after 5 weeks and went on to create those products for Apple.
In August 2003, RealNetworks acquired Listen.com’s Rhapsody music service, and renamed it RealRhapsody. It offers streaming music downloads for a monthly fee.
Despite this success, problems arose because his business model depended upon the sale of servers. Microsoft and Apple were giving those products away.
As MS and Apple servers became more capable, Real’s server sales eroded.
Also, a new open sound format, MP3, gradually replaced RealNetworks’ format.
On April 6, 2010, Rhapsody was spun off from RealNetworks.
Glaser was a leading backer of Al Gore’s Air America Radio, loaning at least $9.8 million according to its bankruptcy filing.
Since June 2010, Glaser has been a partner at the global venture firm Accel Partners, focusing on digital media technology, social media, and mobile service investments.
Glaser’s net worth was estimated to be $490M as of 2010.
Infrastructure Controls Vulnerable to Hacking
The Black Hat Conference was held in Las Vegas this week.
Engineers from Red Tiger Security and FusionX presented a paper about SCADA vulnerabilities.
SCADA systems are used to run power plants and other critical infrastructure.
SCADA stands for Supervisory Control and Data Acquisition.
Many lack critical security precautions to guard against hackers.
Some even are listed in simple Google searches by using search terms associated with a Programmable Logic Controller which is embedded in a control device.
Most SCADA protocols do not use encryption or authentication, and they don’t have access control built into them or the device itself.
This means that when a PLC has a Web server and is connected to the Internet, anyone who can discover the Internet Protocol address can send commands to the device and the commands will be performed.
To know exactly what to search for on the Internet, the researchers bought a PLC with an embedded Web server that had an identifying string of characters associated with the hardware and then typed that information into Google.
While SCADA security has been an issue for decades, as legacy systems have been connected to the Internet and remote technologies have emerged.
The Stuxnet worm spreads via holes in Windows but specifically targets Siemens SCADA systems and uses other sophisticated methods.
Experts theorize that Stuxnet was designed to sabotage Iran’s nuclear development program.
It’s likely that a nation-state was behind the development of Stuxnet, and that it took several years to develop and a full-time team of operators to develop and control, according to Parker.
Despite the fears sparked by Stuxnet–the first malware known to target SCADA
While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general.
Website of the Week: Shodan
Shodan is a web service that scans the entire Internet for specific services (HTTP, HTTPS, Telnet, SMTP, SSH and FTP). It can be used to find SCADA devices, web cams, or any device connected to the Internet that responds to a ping.
If it finds an IP that responds to an initial search, it proceeds to grab a banner that contains information about the service. Finally, the IP gets correlated with other sources of data, such as geographic location, to complete the picture.
To cloak a computer from Shodan, systems should simply refrain from responding to either the first crawl or subsequent connection attempts by configuring their firewall to block unknown sources from connecting.
John C. Matherly launched Shodan and immediately people started finding systems.
They ranged from a cyclotron at the Lawrence Berkeley National Laboratories to infrastructure-level network switches and water treatment facilities.
A quick search for openly accessible Cisco switches returns almost 7,000 results.
Shodan is just scratching the surface of unprotected or misconfigured SCADA devices.
Since it mostly looks for computers running a web server, it misses any device that relies on a custom daemon operating on a different port.
That doesn’t mean that such systems are undiscoverable. It just means that Shodan isn’t looking for them.
The good news is that a few simple security precautions would prevent the problems.
Such measures include the use of strong passwords, removing default user accounts, setting up a VPN for remote access, properly configuring the firewall and having emergency response procedures in place, constantly testing network security and monitoring for file system changes.
Operators should use Shodan to check whether their systems have been indexed.
Finally, there’s an API for Shodan that lets system administrators periodically check whether any of their machines are publicly accessible.
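One way an operator could run that periodic check, shown as an added example rather than code from the show or from Shodan: it looks up each of your own addresses through Shodan's host lookup endpoint and reports any indexed port that is not on an allow list. The watch list of control-system ports, the allow list, and the sample records (documentation addresses) are assumptions constructed for the example; a real run needs your own Shodan API key.

```python
import json
import urllib.error
import urllib.request

# Ports commonly used by industrial-control and remote-admin services.
# This watch list is an assumption for the example; adjust it to your site.
SENSITIVE_PORTS = {23: "Telnet", 102: "Siemens S7", 502: "Modbus", 20000: "DNP3"}

def fetch_host(ip, api_key):
    """Return Shodan's record for ip, or None if Shodan has not indexed it."""
    url = f"https://api.shodan.io/shodan/host/{ip}?key={api_key}"
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # Shodan has no information for this address
            return None
        raise

def audit(records, allowed_ports):
    """Compare Shodan records with the ports each host is meant to expose.

    records: {ip: host record dict, or None when not indexed}
    allowed_ports: {ip: set of ports that are intentionally public}
    Returns a sorted list of (ip, port, reason) findings.
    """
    findings = []
    for ip, rec in records.items():
        if rec is None:
            continue  # not indexed: nothing visible to report
        for port in rec.get("ports", []):
            if port in SENSITIVE_PORTS:
                reason = f"{SENSITIVE_PORTS[port]} visible from the Internet"
                findings.append((ip, port, reason))
            elif port not in allowed_ports.get(ip, set()):
                findings.append((ip, port, "indexed but not on the allow list"))
    return sorted(findings)

# Constructed sample records, shaped like the API's replies.
SAMPLE = {
    "192.0.2.10": {"ip_str": "192.0.2.10", "ports": [443, 502]},
    "192.0.2.11": {"ip_str": "192.0.2.11", "ports": [80, 8080]},
    "192.0.2.12": None,
}
ALLOWED = {"192.0.2.10": {443}, "192.0.2.11": {80}}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(*finding, sep="\t")
```

For live use, build the records with `{ip: fetch_host(ip, key) for ip in my_ips}` and run the audit from a scheduled job so that a newly indexed port raises a finding.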
Broadband Advertising Assessed for Accuracy
A new FCC report indicates that the average speeds ISPs give their customers are about 80 to 90 percent of what they advertise.
The FCC has found that actual sustained download speeds are much closer to the speeds advertised by ISPs than was the case in early 2009.
Sustained speeds refer to speeds averaged over a period of several seconds, and the FCC used this measure because broadband Internet access service is "bursty" in nature, meaning there are some periods where it’s faster than others, due to network congestion.
Various factors impact download speeds, and performance varies significantly by technology and provider, the FCC said.
Overall, fiber-based services were faster, cable services came next, and DSL-based services were the slowest of the three.
On average, during peak periods, fiber-to-the home services such as Verizon’s FiOS, delivered 114 percent of advertised download speeds — meaning the average delivered speed was actually faster than advertised.
The average for cable-based services was 93 percent of advertised rates, and DSL-based services averaged 82 percent.
The FCC study looked at services from 13 of the largest broadband services in the U.S. Together, these companies account for roughly 86 percent of all U.S. wireline broadband connections.
The findings in the FCC report were for performance during peak consumer usage hours of 7 p.m. to 11 p.m. local time during weekdays, because this is when performance degrades the most, the report states.
Archives Appoints Wikipedian in Residence
The National Archives and Records Administration has picked its first Wikipedian in Residence.
The new position is designed to serve as a liaison between the archives and the volunteer editors of the free, online encyclopedia.
Archives officials say their new Wikipedian, Dominic McDevitt-Parks, will help them collaborate with users and editors of the site to make the government’s permanent record holdings available through Wikipedia, rather than just through the Archives’ own site.
DHS develops software security tools
The Department of Homeland Security is deploying new tools it hopes will help government agencies and private businesses do a better job of making sure their software is secure.
The Common Weakness Scoring System and the Common Weakness Risk Analysis Framework are both intended to let IT organizations set secure software priorities.
Instead of trying to tackle every known vulnerability, agencies and businesses will be able to narrow down their biggest risks, and eliminate them before they’re exploited.
RIM unveils BlackBerry 7 OS phones
RIM released BlackBerry 7 OS running on the Torch 9860 and Bold 9900.
BlackBerry’s trying to hold on to the corporate market, with a consumer-friendly makeover for BlackBerry 6 OS phones such as the Torch 9800.
The new Torch 9860 and Bold 9900 will initially be exclusive to Optus, to go on sale in September. They feature a 1.2 GHz processor and a new interface powered by Liquid Graphics, an improved Webkit browser and optimised HTML5 performance.
RIM has been quick to push BlackBerry 7 OS’ touch-friendliness and improved social networking integration such as updating the Facebook for BlackBerry app to tighten integration with BlackBerry Messenger.
Probably too little too late to stem the Android and iPhone takeover.
AT&T tightens up password security
AT&T is stepping up the protection of its customers’ voice messages amid mounting security concerns raised by the phone hacking incidents in the U.K.
AT&T changed its policy today so that a password is the default setting for its cell phone voice mail boxes.
New phones will automatically have the settings changed, and beginning early next year, existing customers who upgrade their phones will also see the change.
AT&T customers can currently access their voice messages without entering a password, a practice standard in the industry.
But the vulnerability was exposed after the News of the World scandal erupted, as details emerged of journalists who used cloning techniques to mimic another person’s phone and access their voice messages.
The scandal has extended to the U.S., with allegations that the families of the victims from the September 11 terrorist attacks had their voice messages hacked.
The privacy concerns also hit the wireless carriers, which have long been lax on their policies regarding passwords on voice mails, all in the name of convenience for the consumer.
Hackers, however, can use a caller ID spoofing service to place a call using the same number as the intended victim, allowing them to easily access their voice messages.
This method of breaking into a person’s cell phone mail box has been around for years, and the service has some legitimate commercial uses.
Verizon is the only carrier that mandates a password protection on its customers’ voice mail. The other carriers allow people to directly access their messages, though they strongly suggest using a password.
Sprint, meanwhile, also requires customers to set up a password, but allows customers to disable it after listening to a warning, according to a representative.
Likewise, AT&T said it would still give the option to not use a password, saying it still
SpaceX Set Launch to International Space Station
Space Exploration Technologies (SpaceX), run by Tesla Motors chief executive and PayPal co-founder Elon Musk, is looking at a November launch for its second private space flight to the International Space Station.
It’s one of the first of several launches for the company as part of a 12-flight cargo mission to supply the International Space Station now that the U.S. space shuttle program has ended.
SpaceX secured $1.6 billion in funding to run the mission.
NASA is currently discussing developing an in-line, disposable space vehicle that would put between 70 and 130 tons of cargo into orbit.
Those rockets are primarily planned for exploration beyond low-Earth orbit.
But there’s plenty of room for a company to handle cargo missions and sub-orbital travel.
There’s also room for companies that specialize in space tourism, like Virgin Galactic.
That company sells tickets for flights in sub-orbital paths above the Earth for around $200,000, while there are companies in Russia that sell tickets for orbital flights for around $65 million each.
SpaceX is one of two companies NASA has contracted to fly cargo missions to the International Space Station now that the shuttle program has ended. NASA has also contracted Orbital Sciences to launch cargo missions to the space station.
SpaceX has raised $500 million from investors and $300 million in funding from NASA. The company was the first to send a private space capsule into orbit and bring it back to Earth in December.