
Monday, December 31, 2007

Stolen BUSINESS Identity: An alarming trend

An eye-opening article by Scott Campbell in the latest issue (December 2007) of VARBusiness magazine, available online at Stolen Business Identity: Could It Happen To You?, talks about stealing the identities of business leaders for monetary gain. I do not think this is a fresh phenomenon, but an article raising this issue is certainly welcome to increase awareness.

Doug Green, executive vice president of CCT Technologies, doing business as ComputerLand of Silicon Valley, said he first heard of the alleged scam when a San Diego-based solution provider, Ricoh Business Solutions, called him to inquire about a RFP for 860 Hewlett-Packard (NYSE:HPQ) inkjet cartridges and 300 Intel (NSDQ:INTC) processors supposedly sent from ComputerLand of Silicon Valley. But Green said he only buys from authorized distributors and had never placed the order.

Upon further investigation, Green discovered that someone had built a Web site that closely resembled his company's own real Web site. It lists the correct street address, but the phone number and e-mail address are not associated with the real ComputerLand of Silicon Valley, he said. "It looks sophisticated for a three-day turnaround from the time we found out about it," Green said.

A call to the phone number listed on the fake Web site was automatically forwarded to a voice mailbox for "Doug Green."

The fake Web site was registered on Sept. 4 and lists a Doug Green in Kentwood, Mich., as the administrator. A man who answered the Michigan phone number listed said he had never heard of Doug Green or ComputerLand of Silicon Valley. He said the phone number was his personal cell number and that the only Web site he had ever registered was for a youth soccer program in Grand Rapids, Mich.

This is really dangerous not only from a business perspective but also from an individual perspective (referring to the Michigan individual whose mobile number was compromised in a scam). I do not think it was difficult for the fraudsters to obtain the mobile number of the MI individual.

Scott McNealy, of Sun Microsystems fame, had publicly opined:
The chief executive officer of Sun Microsystems said Monday that consumer privacy issues are a "red herring."

"You have zero privacy anyway," Scott McNealy told a group of reporters and analysts Monday night at an event to launch his company's new Jini technology.

"Get over it."

If a technological business leader makes such an open alarming statement about individual privacy, it certainly is a DANGEROUS road ahead for mankind. :(

While consumers are protected when their identities are stolen for the wrong reasons, a business owner/operator does not have the same privileges as highlighted in "What happens if your business identity is stolen?"
Business identity-theft complaints have been growing steadily since November, says Jay Foley, executive director of the not-for-profit Identity Theft Resource Center in San Diego. Often, they are from mom-and-pop businesses starting to conduct business on the Internet.
"They get ugly," Foley said. "The business has to fight off people who want to collect for these accounts."
Little reliable data on business identity theft exist, experts say, due to the different ways it is reported. Banks find it difficult to tell whether a small business problem is fraud, or related to the company going out of business. Police categorize it as "fraud" rather than "identity theft." The federal identity theft criminal definition does not cover businesses.
Fraudsters, though, easily can get business information through secretary of state offices and the D&B Business Directory.

Sen. Patrick Leahy has introduced a bill in the Senate called the "Identity Theft Enforcement and Restitution Act of 2007". A discussion of this bill is provided here: "Identity stolen? Senators want thieves to pay for your troubles". The latest I have heard about this bill is that it has passed the US Senate and is awaiting a decision in the US Congress. A great thing about this bill is that citizens who spend time restoring their post-identity-theft lives to the pre-identity-theft state can be entitled to monetary restitution from the offenders.

While we are on the topic, it certainly is a very welcome sign to hear Greg Garcia, US Cyber-Security Czar welcoming US citizens, residents and visitors to work with DHS to counter cyber-crime.
it's critical for everyone to take cyberrisks seriously, in hopes of meeting his department's ultimate goal: making the United States "the most dangerous place in the real world for cybercriminals to do business."

Thank you, Mr. Garcia, for this.

Friday, December 28, 2007

Tip 14: Disable Tomcat/JBossWeb Connectors

The configuration file is server.xml, which lives under the conf directory for Tomcat and under deploy/jboss-web.deployer for JBossWeb in JBoss 4.2.0.

You will see multiple connector definitions, one per protocol: 8080 for HTTP, 8009 for AJP and 8443 for HTTPS. To disable any of these, comment out the connector element for the relevant port. Every connector you leave live is an open listener, so keep only the ones you actually need.

When should you disable connectors?
- If Tomcat/JBoss is not fronted by Apache or another native web server (via mod_jk), there is no need for the AJP connector. So disable the 8009 connector by commenting it out.
- If you do not care for HTTPS and just want to serve HTTP, keep the 8443 connector commented out.

Tip 13: Ensure Just Https works on Tomcat

There may be cases where you want to disable the HTTP 8080 port and enable only the HTTPS (8443) port in Tomcat.

For that to happen, make sure you *uncomment* the 8443 connector in server.xml on Tomcat 6/JBoss 4.2 (and comment out the 8080 connector as described in Tip 14).
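A quick way to verify Tips 13 and 14 after editing is to parse server.xml and list what is still live, since a commented-out connector never reaches the DOM. This is an added example, not code from the post or from Tomcat; the server.xml content is constructed, with 8080 left on, 8009 commented out and 8443 uncommented.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Audits a Tomcat/JBossWeb server.xml: commented-out Connector elements never
// reach the DOM, so every Connector the parser still sees is a live listener.
public class ConnectorAudit {
    // Constructed sample: 8080 live, 8009 (AJP) commented out, 8443 (HTTPS) live.
    static final String SERVER_XML =
        "<Server port=\"8005\" shutdown=\"SHUTDOWN\">\n"
      + "  <Service name=\"Catalina\">\n"
      + "    <Connector port=\"8080\" protocol=\"HTTP/1.1\" redirectPort=\"8443\"/>\n"
      + "    <!-- <Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\"/> -->\n"
      + "    <Connector port=\"8443\" protocol=\"HTTP/1.1\" SSLEnabled=\"true\"\n"
      + "               scheme=\"https\" secure=\"true\" sslProtocol=\"TLS\"/>\n"
      + "  </Service>\n"
      + "</Server>\n";

    // One finding per live connector. frontedByApache: is mod_jk in front of this node?
    static List<String> audit(String xml, boolean frontedByApache) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // server.xml needs no DOCTYPE; refusing one rules out entity-expansion tricks
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList connectors = doc.getElementsByTagName("Connector");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            String port = c.getAttribute("port");
            boolean ajp = c.getAttribute("protocol").startsWith("AJP");
            boolean tls = "true".equalsIgnoreCase(c.getAttribute("SSLEnabled"));
            if (ajp && !frontedByApache) {
                findings.add(port + ": AJP live with no mod_jk front end, comment it out");
            } else if (!ajp && !tls) {
                findings.add(port + ": plain HTTP live, comment it out for an HTTPS-only node");
            } else {
                findings.add(port + ": " + (ajp ? "AJP" : "HTTPS") + " live, as expected");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String f : audit(SERVER_XML, false)) System.out.println(f);
    }
}
```

Point audit() at the real file contents and pass frontedByApache=true only on nodes that actually sit behind mod_jk.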

Tuesday, December 18, 2007

Orkut Scrap Virus

Orkut Scrapbook is another easy target for viruses and phishing scams. I did see some Portuguese/Spanish content scraps from my friends in my scrapbook and likewise they received the scraps from me.

But the comforting factor is that Google has disabled the scrapbook until they clean up all the scraps from the Orkut system. Good job, Google.

Doing a Google search on Orkut viruses, I did see a bunch of posts from 2006 pointing to a virus spreading scraps with a YouTube link. When users clicked on the link, it asked folks to download stuff which was a backdoor to trojans.

While you are reading this blog post, I STRONGLY suggest that you read the following cyber security tip from US-CERT:
Avoiding Social Engineering and Phishing Attacks

Existing Identity Systems

Just another view of the disjointed identity world. Convergence is still a long way off.

With the enterprise landscape getting more complex, we need neither specifications/standards that solve ONLY one thing nor a lack of interest in converging.

Now, I clearly understand what Kim Cameron means by an "Identity Meta System".

Jeff Hodges: New Technical White Paper (SAML vs OpenID)

Although in the draft stage, the following white paper is certainly a good step in understanding the key differences between OpenID and SAML.

Technical Comparison: OpenID and SAML

Sunday, December 16, 2007

SAML and JBoss

UPDATE (Dec 09):

The following content is outdated:

I know that there are many JBoss users hoping to see SAML v2.0 support in JBossAS. We will get there once OpenSAML v2.0 development by Internet2 middleware reaches some stable milestone. What I like about OpenSAML is that it provides a library to build components that are SAML-aware. A nice thing is that v2 will contain bindings like HTTP Redirect, HTTP POST etc. that we can reuse.

Well, I am just thinking that there is broad expectation of SAML2 support in JBoss. Why don't you tell me by leaving a comment?

UPDATE (Feb 09): Use the Identity Community Platform

UPDATE (Oct 08): We are working on a common identity project at JBoss. As part of this project, we will provide you Identity Management as well as Federated Identity stack (SAML etc).

Keep Kids Safe On the Internet

With the growing usage of the internet around the world, it is a fact that the population of young kids getting online is on the rise. With cheaper computers and a wider broadband footprint, the days are gone when a parent could ignore kids getting computer savvy. There are hordes of toys imitating regular computers available for kids around age 2 and above. Hence it is natural for kids to progress to a regular computer as they grow. Now, the first thing that they will learn would be to use the browser. Then comes registration for chat rooms (where the dangers abound).

As they learn to search for stuff, they may use Google to search for their favorite shows, characters etc. This is where the search engines need to take leadership in providing a safe searching environment for kids. There is mention of Google SafeSearch, but I could not locate it.

Some resources:
1. Internet Safety Education
2. Keeping Internet Kids Safe (KIKS)
3. NetSafeKids
4. FBI: Parent's Guide to Internet Safety
5. CyberSmart! School Program
6. Ready Kids

Most important of all, kids need to be guarded from online predators: To Catch a Predator

Online Social Networking Sites such as MySpace are increasingly becoming dangerous traps for growing kids. Here is an instance of cyber-bullying that went FATALLY wrong. Frontier justice in an online world?

Technologists and regulators have to make adequate efforts at making the Internet safe for kids. But the responsibility of the parents is critical. In the end, it is the kids of the parents that are vulnerable.

Tuesday, December 11, 2007

Disable Tomcat Caching Principal

Tomcat caches the Principal (GenericPrincipal) in the Catalina request object. If you want to disable this, so that every request goes through authentication and authorization (which gives you the ability to refresh roles within a session), you can do the following:

<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator" cache="false" />
</Context>

Place this in a context.xml in META-INF of your war file on standalone Tomcat, or in WEB-INF on JBoss.

The above works for FORM authentication (the cache attribute belongs to the authenticator valve, so the FormAuthenticator is the element carrying it).

Remember that performance will suffer, since every request now re-runs the realm lookup.

JACC EJBMethodPermission rant

The EJBMethodPermission has a constructor that takes the method signature as an array.

I am referring to:

public EJBMethodPermission(String EJBName,
String methodName,
String methodInterface,
String[] methodParams)

Creates a new EJBMethodPermission with name corresponding to the EJBName and actions composed from methodName, methodInterface, and methodParams.

EJBName - The string representation of the name of the EJB as it appears in the corresponding ejb-name element in the deployment descriptor.

methodName - A string that may be used to indicate the method of the EJB to which the permission pertains. A value of null or "" indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of method name.

methodInterface - A string that may be used to specify the EJB interface to which the permission pertains. A value of null or "", indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of the interface they occur on.

methodParams - An array of strings that may be used to specify (by typeNames) the parameter signature of the target methods. The order of the typeNames in methodParams array must match the order of occurrence of the corresponding parameters in the method signature of the target method(s). Each typeName in the methodParams array must contain the canonical form of the corresponding parameter's typeName as defined by the getActions method. An empty methodParams array is used to represent a method signature with no arguments. A value of null indicates that the permission pertains to all methods that match the other parameters of the permission specification without consideration of method signature.


Now, if methodParams is an empty array, it indicates a method with zero arguments, whereas if it is null, it indicates all overloaded method signatures. This is a subtle aspect that can go horribly wrong for container vendors (if not given due attention :) ): conflating the two either grants every overload when only the no-argument one was meant, or denies overloads that the deployment descriptor intended to cover.
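The difference is visible in the canonical actions string and in implies(), which is what a container's policy provider ultimately asks. This is an added example, not code from the post; AccountBean and its withdraw() overloads are constructed, and the javax.security.jacc API jar (shipped with JBoss AS and other Java EE containers) must be on the classpath.

```java
import javax.security.jacc.EJBMethodPermission;

// Demonstrates the methodParams subtlety: an empty array pins the permission to
// the zero-argument overload, while null leaves the signature unconstrained.
public class MethodParamsDemo {
    static final String EJB = "AccountBean";   // constructed ejb-name
    static final String IFACE = "Remote";      // method interface type

    // Permissions a container derives from two overloads of withdraw()
    // on the Remote interface of the constructed AccountBean.
    static final EJBMethodPermission WITHDRAW_NO_ARGS =
        new EJBMethodPermission(EJB, "withdraw", IFACE, new String[0]);
    static final EJBMethodPermission WITHDRAW_AMOUNT =
        new EJBMethodPermission(EJB, "withdraw", IFACE,
                                new String[] {"java.math.BigDecimal"});

    // Empty array: names the zero-argument signature only.
    static EJBMethodPermission grantEmptyParams() {
        return new EJBMethodPermission(EJB, "withdraw", IFACE, new String[0]);
    }

    // null: ignores the signature, so every overload is covered.
    static EJBMethodPermission grantNullParams() {
        return new EJBMethodPermission(EJB, "withdraw", IFACE, null);
    }

    public static void main(String[] args) {
        EJBMethodPermission empty = grantEmptyParams();
        EJBMethodPermission any = grantNullParams();
        // Actions strings differ: per the JACC grammar the empty-array form ends in a
        // comma followed by the empty parameter list; the null form stops at the interface.
        System.out.println("empty array actions: " + empty.getActions());
        System.out.println("null actions:        " + any.getActions());
        // implies() is what the policy provider evaluates; only the null form
        // covers the BigDecimal overload.
        System.out.println("empty implies withdraw():           " + empty.implies(WITHDRAW_NO_ARGS));
        System.out.println("empty implies withdraw(BigDecimal): " + empty.implies(WITHDRAW_AMOUNT));
        System.out.println("null implies withdraw():            " + any.implies(WITHDRAW_NO_ARGS));
        System.out.println("null implies withdraw(BigDecimal):  " + any.implies(WITHDRAW_AMOUNT));
    }
}
```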

Monday, December 10, 2007

Open Source Directory Servers

Reading the eWeek article "It's the Directory, Stupid" got me thinking.

From a commercial scale perspective, Active Directory has done quite well. The author mentions that Red Hat/Fedora has not really pushed the Directory Server into the enterprise. I am not going to comment on that, but I would like to say that the FreeIPA initiative is certainly an excellent platform for enterprise customers to handle Identity, Policy and Audit requirements in a heterogeneous infrastructure. The proponents of the FreeIPA program told me that there are customers who have deployed an Active Directory based infrastructure and would like Linux to interoperate with it.

Coming over to efforts on Java based Open Source Directory Servers, the prominent DS at the moment with a rich feature set is the Apache Directory Server. On the other hand, Sun's Open Source Java Directory Server, OpenDS, has had some bumps along the road recently.

Many SMB infrastructures may be running on OpenLDAP, but I have to agree that when it comes to scalability at the enterprise level, it has fallen short (as mentioned in the eWeek article).