Tuesday, August 1, 2006

WebCT Impact 2006 Conference Presentation

We are one of the first few universities to have migrated from WebCT CE4 to CE6/Vista4 as soon as the product was released. Together, we presented "Lessons Learned: Migrating From CE4 To CE6/Vista4" at the WebCT Impact 2006 Conference. Here are the slides from our university:



Wednesday, May 3, 2006

Signs That Your Machine May Be Compromised

Here are some of the signs to look for which may indicate that your machine has been compromised.
  • Your web site is being defaced, or has JavaScript inserted that sends users to another site.
  • Your machine is listening on some new or unknown ports.
  • The logs suddenly become much larger than they usually are.
  • The logs are not logging anything.
  • Disk space utilization of your machine suddenly increases.
  • Network utilization of your machine suddenly increases.
  • Your machine runs unusually slowly.
  • Someone reports that your machine is attacking theirs, spamming, hosting copyrighted movies, etc.
  • A Google search for "viagra site:yourwebsite.com" (or another such keyword) comes back positive, but you did not post those pages there.
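Three of the signs above can be checked mechanically: a page serving injected off-site JavaScript, new listening ports, and a log that has stopped or exploded. This is an added example, not code from the original post; the HTML, port sets, log sizes and host names (example.edu, evil.invalid) are constructed sample data.

```python
"""Checks for three of the compromise signs listed above. Added example;
the HTML, port lists and log sizes are constructed, not from a real host."""
import re
from urllib.parse import urlparse

# <script src=...> or <iframe src=...>, attribute order independent.
SCRIPT_SRC = re.compile(r"<(?:script|iframe)[^>]*\ssrc\s*=\s*['\"]([^'\"]+)", re.I)

def offsite_scripts(html: str, own_hosts: set) -> list:
    """Return src URLs of <script>/<iframe> tags pointing off your own hosts.
    A defacement that 'sends users to another site' usually looks like this."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname          # None for relative URLs
        if host and host.lower() not in own_hosts:
            found.append(src)
    return found

def new_ports(baseline_ports: set, current_ports: set) -> list:
    """Ports listening now that were not in the approved baseline."""
    return sorted(current_ports - baseline_ports)

def log_anomaly(base_bytes: int, cur_bytes: int, factor: float = 5.0) -> str:
    """'stalled' if the log stopped growing since the baseline was taken,
    'exploded' if it grew more than factor times, else 'normal'."""
    if cur_bytes <= base_bytes:
        return "stalled"
    if cur_bytes > base_bytes * factor:
        return "exploded"
    return "normal"

# Constructed sample page: one relative script, one own-host script, one injected.
PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.edu/js/menu.js"></script>
<script src="http://evil.invalid/x.js"></script>
</head><body>hello</body></html>"""
OWN_HOSTS = {"www.example.edu"}

if __name__ == "__main__":
    print("off-site scripts:", offsite_scripts(PAGE, OWN_HOSTS))
    print("new ports:", new_ports({22, 80, 443}, {22, 80, 443, 6667}))
    print("access_log:", log_anomaly(1_000_000, 9_000_000))
```

On a real host, feed `offsite_scripts` the HTML your server actually returns (fetched from outside, since some defacements only show to external visitors) and build the port baseline from a known-clean `netstat -an`.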

Monday, May 1, 2006

Virtual World, Real Money - Her Second Life is Good!

The front page of the current issue (May 1, 2006) of Business Week caught my attention.



It talks about a Chinese entrepreneur who is making real money out of the Second Life virtual world. The entire article can be found here:
http://www.businessweek.com/magazine/content/06_18/b3982001.htm

This virtual reality thing is not just a game anymore. There is land up for auction, with bidding starting at USD1000. There are all kinds of products being sold inside the virtual world. There is even currency fluctuation (Linden dollar to USD).

And you wonder... why would someone pay over a thousand dollars for some pixels on a computer screen?

The days of the one-way internet are gone. This generation and the next don't just log on and read something. They want to engage in doing something. The games, tools or web applications (whatever you want to call them) allow them to do so. They empower people, engaging them, enabling them, allowing them to be creative and to interact. Just like the Wikipedians, the "players" are all very passionate about what they are doing. And the value of the application is the community.

Sunday, November 20, 2005

WSUWiki Initial Log Analysis Result - Month of November 2005

I'm running a log analysis tool called Awstats against the logs of some of our applications.

I downloaded the result into Excel and did a little massaging of the data. Basically, I separated all the "action=" URLs from the page URLs. Among all "action=" pages, I added the counts of "action=edit" and "action=submit" together, since both are generated by the process of editing (Edit, Preview, Save). Among all individual pages, I added /index.php and /index.php/Main_Page together, since they are basically the same page.

Here is the top 10 most viewed Pages-URL:

Pages-URL                                          Viewed  Entry  Exit
Main_Page                                            1447    442   246
Chinese_Calendar_2006                                 622    405   122
Cultural_Politics_of_Sport:_Annotated_Bibliography    301    104    42
Fix_Outlook_2003_Phonebook_Issue                      236    170    51
Chinese_Calendar_2005                                 197    125    43
Special:Search                                        120      4    16
Category:CES_308_RKing                                 98      3     0
User:Krussell07/CES_308                                91      3     0
Category:CoursePagelist                                89      1     0
History_Of_Sport                                       83      2     4

Noticing that both Chinese Calendars are high on the list, I was pleasantly surprised.

But then, as I looked more... I was even more surprised. I have only promoted the URL of the AAPI page to the Asian groups, and that was over a month ago. Being too caught up in my main duty, I admit I haven't done much since then.
Yet the two Chinese Calendars (linked from the AAPI page) are on the top 10 most visited list, while the AAPI page itself is not.
They have very high "Entry" counts. Apparently, once people found those calendar pages, they bookmarked them.
The 2006 version has a much higher "Viewed" count than the 2005 version. (Due to student groups planning events and gatherings for next year... e.g. looking up when Chinese New Year is, maybe?)

Among the top 5, the "Entry" counts are several times higher than the "Exit" counts. This implies that once people visit a page (and find it useful), they also wander off, looking at what else could be interesting to them on the site.

Finally, I added up the "Viewed" counts of all individual pages. I found that in this month of November, so far there are 6865 views and 967 edits. There are 7 times more views than edits.

Ok, maybe I should exclude "/index.php/Main_Page" in the numbers.
This gives 5418 views and 967 edits. Still over 5 times more views than edits.

People are visiting (and re-visiting) pages for "reference". They generally poke around further on the site if the information on some particular page is useful to them. Information here flows in one direction only.

Among all the 967 edits, there are 789 counts of clicking the edit button, and 178 actual submits. (Submit includes both preview and save; this is just the way the URL is presented to the server.) Intuitively, I would have thought there should be more submits than edits, since people may only click edit once on a page but preview many times before they save their work. The log analysis result shows that this is not the case. There are 4 times more people clicking on edit than actually saving their work.

Could it be due to the wiki (text editor) hard to use for end-user?
What can we do to encourage more contributions?
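The massaging described in this post (split "action=" requests from page views, fold action=edit and action=submit into one edits figure, merge /index.php with /index.php/Main_Page) can be replayed directly over raw web-server log lines instead of an Awstats export. This is an added example, not the original analysis; the log lines are constructed MediaWiki-style requests, not real WSUWiki traffic.

```python
"""Aggregate MediaWiki requests the way the post describes. Added example;
the SAMPLE_LOG lines are constructed, not real WSUWiki traffic."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote

# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url: str):
    """('action', name) for an action= URL, else ('page', title) for a view."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    action = query.get("action", [None])[0]
    title = query.get("title", [None])[0]
    if action:
        return ("action", action)
    path = unquote(parts.path)
    # /index.php and /index.php/Main_Page are the same page: count them together.
    if path in ("/index.php", "/index.php/Main_Page") or title == "Main_Page":
        return ("page", "Main_Page")
    if path.startswith("/index.php/"):
        return ("page", path[len("/index.php/"):])
    return ("page", title or path)

def summarize(log_lines):
    """Count page views and actions; 'edits' = action=edit + action=submit."""
    pages, actions = Counter(), Counter()
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue                      # malformed line, skip it
        kind, name = classify(m.group(1))
        (pages if kind == "page" else actions)[name] += 1
    edits = actions["edit"] + actions["submit"]
    return {"pages": pages, "actions": actions,
            "views": sum(pages.values()), "edits": edits}

# Constructed sample log lines (only the request field matters here).
SAMPLE_LOG = [
    '10.0.0.1 - - [20/Nov/2005:10:00:00 -0800] "GET /index.php/Main_Page HTTP/1.1" 200 512',
    '10.0.0.1 - - [20/Nov/2005:10:00:05 -0800] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.2 - - [20/Nov/2005:10:01:00 -0800] "GET /index.php/Chinese_Calendar_2006 HTTP/1.1" 200 900',
    '10.0.0.2 - - [20/Nov/2005:10:02:00 -0800] "GET /index.php?title=Chinese_Calendar_2006&action=edit HTTP/1.1" 200 900',
    '10.0.0.2 - - [20/Nov/2005:10:03:00 -0800] "POST /index.php?title=Chinese_Calendar_2006&action=submit HTTP/1.1" 302 0',
    '10.0.0.3 - - [20/Nov/2005:10:04:00 -0800] "GET /index.php?title=Chinese_Calendar_2006&action=history HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["pages"].most_common(10), "views:", s["views"], "edits:", s["edits"])
```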

Saturday, November 12, 2005

List of CDs with the Evil Sony BMG Rootkit

Details on which CDs, and how to identify them can be found on the Electronic Frontier Foundation's web site:
http://www.eff.org/deeplinks/archives/004144.php

After over a week of furor surrounding this issue, Sony BMG has finally said that they will stop manufacturing CDs with the rootkit.
http://blog.sonymusic.com/sonybmg/archives/xcp.html

But does Sony want you to uninstall the rootkit? Read Mark Russinovich's (Sysinternals) blog:
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Monday, June 13, 2005

Using Active Directory Group Policy to Make hosts File Read Only

According to SANS NewsBites, Nov 4, 2004, "New Phishing Tactic is Stealthy":
MessageLabs has reported seeing what could become a new twist in phishing scams. These emails contain a script that, once the email is opened, rewrites the hosts file to automatically redirect users to phishing sites when they attempt to visit legitimate banking sites.
The article advised protecting against this particular kind of attack by disabling Windows Scripting Host. However, if your users are technical people who need it for their day-to-day work, you don't have that luxury.

But you can change the hosts file to read only and enforce it via Group Policy. Here is how:
  • In Group Policy Management Console, create a new group policy.
  • Go to Computer Configuration | Windows Settings | Security Settings | File System.
  • Add the file:
    %SystemRoot%\system32\drivers\etc\hosts
  • Change the permissions of the file to:
    Type   Name                      Permission
    Allow  BUILTIN\Administrators    Read
    Allow  NT AUTHORITY\SYSTEM       Read
    Allow  BUILTIN\Users             Read
  • Save and link this group policy to the desired OU accordingly.
Don't forget to enable security policy enforcement. Best practice is to define this as your baseline policy.
  • In Group Policy Management Console again, create a new baseline group policy (or click on your baseline group policy if you already have one).
  • Go to Computer Configuration | Administrative Templates | System | Group Policy.
  • Click on Security policy processing.
  • Choose the Enabled radio button, and check "Process even if the Group Policy objects have not changed".
  • Save and link it to the desired OU accordingly.
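The read-only ACL above stops the rewrite; it does not tell you whether a hosts file was already tampered with before the policy landed. The audit below flags mappings for watched domains that resolve anywhere but loopback. This is an added example, not from the original post; the hosts content is constructed, and the watch-list names (examplebank.com, examplebank.test) are placeholders for your own banks and login portals.

```python
"""Audit a hosts file for the phishing rewrite described above. Added example;
SAMPLE_HOSTS and the WATCH domains are constructed placeholders."""
import ipaddress

def parse_hosts(text: str):
    """Yield (line_no, ip, [names]) for each active mapping; comments stripped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield no, fields[0], fields[1:]

def suspicious_entries(text: str, watch_domains: set):
    """Flag mappings of a watched domain (or any subdomain of it) to a
    non-loopback address, plus lines whose address does not parse at all."""
    flagged = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((no, ip, names, "unparsable address"))
            continue
        for name in names:
            n = name.lower().rstrip(".")
            watched = any(n == d or n.endswith("." + d) for d in watch_domains)
            if watched and not addr.is_loopback:
                flagged.append((no, ip, names, f"{n} redirected to {ip}"))
                break                     # one finding per line is enough
    return flagged

# Constructed sample hosts file: line 3 is the kind of entry the script injects
# (192.0.2.0/24 is the documentation range, standing in for the phishing host).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
192.0.2.55      www.examplebank.com examplebank.com   # injected by script
127.0.0.1       www.examplebank.test
"""
WATCH = {"examplebank.com", "examplebank.test"}

if __name__ == "__main__":
    for no, ip, names, why in suspicious_entries(SAMPLE_HOSTS, WATCH):
        print(f"line {no}: {why}")
```

On a domain member, read `%SystemRoot%\system32\drivers\etc\hosts` into `text` and run this from a scheduled task or login script; a non-empty result means the file changed before the read-only policy took effect.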

Tuesday, May 10, 2005

Using Active Directory Group Policy to Protect Against SYN Flood DoS Attack

I have been seeing waves of SYN flood denial of service attacks against our applications every so often. During an attack, a huge volume of TCP SYN packets is sent to our web application until it exhausts all the resources on the corresponding server. It is pretty annoying because it affects the experience of our other, legitimate users of the applications.

Our firewalls could keep track of the number of connections from a single source, and if that exceeds a certain threshold, they could deny further connection attempts. This does a pretty good job so far. But I am a little concerned about the growing number of those attacks, and eventually a distributed denial of service one.

It turns out that on Windows 2000/2003 Server there are several registry settings that one can use to harden the TCP/IP stack, e.g. SynAttackProtect. By setting this registry value to 1, the server times out all half-open connections more quickly during a SYN attack (as determined by several thresholds), and is able to recover the resources sooner to serve legitimate users.

I want to enable it on all our servers. Can Active Directory Group Policy help? Yes! Here is how:
  • Create a custom Administrative Template as follows:

    ; Custom ADM template: exposes the SynAttackProtect registry value as a policy
    CLASS MACHINE
    CATEGORY "Network"
    CATEGORY "TCP/IP Hardening"
    POLICY "SynAttackProtect"
    ; For CLASS MACHINE the key is relative to HKEY_LOCAL_MACHINE
    KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    EXPLAIN "This registry value causes Transmission Control Protocol (TCP) to adjust the retransmission of SYN-ACKs, so that connection responses time out more quickly during a SYN attack (a type of denial of service attack). Set SynAttackProtect to Disabled (0, the default) for typical protection against SYN attacks. Set SynAttackProtect to Enabled (1) for better protection: connection responses then time out more quickly if the system detects that a SYN attack is in progress. Refer to Microsoft KB 324270 for more information."
    VALUENAME "SynAttackProtect"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY
    END CATEGORY

  • Save the file as SynAttackProtect.adm.
  • In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
  • Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this SynAttackProtect.adm custom administrative template.
  • Now, under Administrative Template | Network, a TCP/IP Hardening category will appear.
  • Under this TCP/IP Hardening category, double-click on SynAttackProtect and change the status to Enabled.
  • Close the Group Policy Editor to finish.
  • Link this group policy to the right OU to apply onto all the servers under it. (always do it on test servers first!)
  • Within 90 minutes (default time for Active Directory Group Policy refresh), the servers will have the new registry setting.
  • You still have to reboot the servers to make the registry change effective.
One thing you have to know is that this kind of group policy "tattoos" the registry: the setting will not be changed back to its original value if you later remove the group policy. To undo the change, you have to explicitly set this group policy's SynAttackProtect setting to Disabled.

Refer to Microsoft KB 324270 article for complete detail on how to harden the TCP/IP stack against denial of service attacks in Windows Server 2003.
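The symptom this post describes, half-open connections piling up on a service port, is visible in `netstat -an` output as SYN_RECEIVED entries, and the per-source count is what our firewall rule thresholds on. The script below pulls both numbers out of such output. This is an added example, not from the original post; the netstat lines are constructed (10.1.2.3, 198.51.100.7, 203.0.113.x are placeholder addresses), and the thresholds are assumptions to tune for your own servers.

```python
"""Count half-open TCP connections from 'netstat -an' text. Added example;
build_sample() constructs placeholder output, not real traffic."""
import re
from collections import Counter

# One line of Windows 'netstat -an' (Linux netstat/ss print SYN_RECV instead).
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(SYN_RECEIVED|SYN_RECV)\s*$", re.M)

def half_open(netstat_text: str):
    """Return (per_local_port, per_remote_ip) Counters of half-open connections."""
    per_port, per_src = Counter(), Counter()
    for _local_ip, lport, remote_ip, _rport, _state in LINE.findall(netstat_text):
        per_port[int(lport)] += 1
        per_src[remote_ip] += 1
    return per_port, per_src

def syn_flood_report(netstat_text: str, port_threshold=100, src_threshold=20):
    """Ports with more than port_threshold half-open connections look flooded;
    sources above src_threshold are candidates for the firewall's per-source
    block. Spoofed or distributed floods keep every per-source count low,
    which is why the stack-level timeout (SynAttackProtect) still matters."""
    per_port, per_src = half_open(netstat_text)
    flooded_ports = sorted(p for p, n in per_port.items() if n > port_threshold)
    noisy_sources = sorted(s for s, n in per_src.items() if n > src_threshold)
    return {"half_open_total": sum(per_port.values()),
            "flooded_ports": flooded_ports, "noisy_sources": noisy_sources}

def build_sample(n_flood=150, n_spoofed=30):
    """Constructed netstat output: n_flood half-open on :80 from one source,
    n_spoofed from distinct documentation-range addresses, one healthy :443."""
    rows = [f"  TCP    10.1.2.3:80     198.51.100.7:{40000 + i}   SYN_RECEIVED"
            for i in range(n_flood)]
    rows += [f"  TCP    10.1.2.3:80     203.0.113.{i + 1}:5000   SYN_RECEIVED"
             for i in range(n_spoofed)]
    rows.append("  TCP    10.1.2.3:443    192.0.2.9:51000        ESTABLISHED")
    return "\n".join(rows)

if __name__ == "__main__":
    print(syn_flood_report(build_sample()))
```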