Categories
Admin Consumer Interest Consumer Tech Firewall Home Computing Linux Scams Security Spam Web Site Technologies

Types of Cyberattacks and other terms from the world of cyber security

Intro

It’s convenient to name drop different types of cyber attacks at a party. I often struggle to name more than a few. I will try to maintain a running list of them.

But I find you cannot speak about cybersecurity unless you also have a basic understanding of information technology so I am including some of those terms as well.

As I write this I am painfully aware that you could simply ask ChatGPT to generate a list of all relevant terms in cybersecurity along with their definitions – at least I think you could – and come up with a much better and more complete list. But I refuse to go that route. These are terms I have personally come across so they have special significance for me personally. In other words, this list has been organically grown. For instance I plowed through a report by a major vendor specializing in reviewing other vendor’s offerings and it’s just incredible just how dense with jargon and acronyms each paragragh is: a motherlode of state-of-the-art tech jargon.

AiTM (Adversary in the Middle)
Baitortion

I guess an attack which has a bait such as a plum job offer combined with some kind of extortion? The usage was not 100% clear.

BYOVD (Bring Your Own Vulnerable Driver)
Clickfix infection chain

Upon visiting compromised websites, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal to fix an issue.

Collision attack

I.e., against the MD5 hash algorithm as done in the Blast RADIUS exploit.

Credential Stuffing Attack

I.e., password re-use. Takes advantage of users re-using passwords for different applications. Nearly three of four consumers re-use password this way. Source: F5. Date: 3/2024

Data Wiper
Authentication Bypass

See for instance CVE-2024-0012

Email bombing

A threat actor might flood a victom with spam then offer “assistance” to fix it.

Evasion

Malicious software built to avoid detection by standard security tools.

Password spraying

A type of attack in which the threat actor tries the same password with multiple accounts, until one combination works. 

Port Scan
Host Sweep
Supply Chain attack
Social Engineering
Hacking
Hacktivist

I suppose that would be an activitst who uses hacking to further their agenda.

Living off the land
Data Breach
Keylogger
Darknet
Captcha
Click farms
Jackpotting

This is one of my favorite terms. Imagine crooks implanted malware into an ATM and were able to convince it to dispense all its available cash to them on the spot! something like this actually happened. Scary.

Overlay Attack

Example: When you open a banking app on your phone, malware loads an HTML phishing page that’s designed to look just like that particular app and the malware’s page is overlaid on top.

Payment fraud attack

In a recent example, the victim experienced “multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.”

Skimmer
XSS (Cross site Scripting)
bot
Anti-bot, bot defense
Mitigation
SOC
Selenium (Se) or headless browser
Obfuscation
PII, Personally Identifiable Information
api service
Reverse proxy
Inline
endpoint, e.g., login, checkout
scraping
Layer 7
DDOS
Carpet bombing DDOS attack

Many sources hitting many targets within the same subnet. See:

https://www.a10networks.com/blog/carpet-bombing-attacks-highlight-the-need-for-intelligent-and-automated-ddos-protection/#:~:text=Carpet-bombing%20attacks%20are%20not,entire%20CIDR%20or%20multiple%20ASNs.

SYN flood
DOS
Visibility
Automation
Token
Post
JavaScript
Replay
Browser Fingerprint
OS
Browser
GDPR
PCI DSS
AICPA Trust Services
Grandparent scam

A social engineering attack where scammers target grandparents by pretending to be a grandchild in a bind.

GUI
(JavaScript) Injection
Command Injection
Hotfix
SDK
URL
GET|POST Request
Method
RegEx
Virtual Server
TLS
Clear text
RCA
SD-WAN
PoV
PoC
X-Forwarded-For
Client/server
Threat Intelligence
Carding attack
Source code
CEO Fraud
Phishing
Vishing

(Voice Phishing) A form of cyber-attack where scammers use phone calls to trick individuals into revealing sensitive information or performing certain actions.

Business email compromise (BEC)
Deepfake
Threat Intelligence
Social engineering
Cybercriminal
SIM box
Command and control (C2)
Typo squatting
Voice squatting

A technique similar to typo squatting, where Alexa and Google Home devices can be tricked into opening attacker-owned apps instead of legitimate ones.

North-South
East-West
Exfiltrate
Malware
Infostealer
Obfuscation
Antivirus
Payload
Sandbox
Control flow obfuscation
Buffer overflow
Use after free
Indicators of Compromise
AMSI (Windows Antimalware Scan Interface)
Polymorphic behavior
WebDAV
Protocol handler
Firewall
Security Service Edge (SSE)
Secure Access Service Edge (SASE)
Zero Trust

Zero Trust is a security model that assumes that all users, devices, and applications are inherently untrustworthy and must be verified before being granted access to any resources or data.

Zero Trust Network Access (ZTNA)
ZTA (Zero Trust Architecture)
Zero Trust Edge (ZTE)
Secure Web Gateway (SWG)
Cloud Access Security Broker (CASB)
Remote Browser Isolation (RBI)
Content Disarm and Reconstruction (CDR)
Firewall as a service
Egress address
Data residency
Data Loss Prevention (DLP)
Magic Quadrant
Managed Service Provider (MSP)
0-day or Zero day
User Experience (UX)
Watermark
DevOps
Multitenant
MSSP
Remote Access Trojan (RAT)
SOGU

2024. A remote access trojan.

IoC (Indicators of Compromise)
Object Linking and Embedding
(Powershell) dropper
Backdoor
Data Bouncing

A technique for data exfiltration that uses external, trusted web hosts to carry out DNS resolution for you

TTP (Tactics, Techniques and Procedures)
Infostealer
Shoulder surfing
Ransomware
Pig butchering

This is particularly disturbing to me because there is a human element, a foreign component, crypto currency, probably a type of slave trade, etc. See the Bloomberg Businessweek story about this.

Forensic analysis
Sitting Ducks

An entirely preventable DNS hijack exploit. See https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/

Attack vector
Attack surface
Economic espionage
Gap analysis
AAL (Authentication Assurance Level)
IAL (Identity Assurance Level)
CSPM (Cloud Security Posture Management)
Trust level
Network perimeter
DMZ (Demilitarized zone)
Defense in depth
Lateral movement
Access policy
Micro segmentation
Least privilege
Privilege Escalation (PE)
Breach
Intrusion
Insider threat
Cache poisoning

I know it as DNS cache poisoning. If an attacker manages to fill the DNS resolver’s cache with records that have been altered or “poisoned.”

Verify explicitly
Network-based attack
Adaptive response
Telemetry
Analytics
Consuming entity
Behavior analysis
Authentication
Authorization
Real-time
Lifecycle management
Flat network
Inherent trust
Cloud native
Integrity
Confidentiality
Data encryption
EDR (Endpoint Detection and Response)
BSOD (Blue Screen of Death)

Everyone’s favorite Windows error!

BSI (Bundesamt für Sicherheit in der Informationstechnik)

German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)

ICS (Industrial Control System)
Reverse shell

A text-based interfaces that allow for remote server control.

Crypto Miner
RCE (Remote Code Execution)
Threat Actor
APT (Advanced Persistent Threat)
Compromise
Vulnerability
Bug
Worm
Remote Access VPN (RAVPN)
XDR (Extended Detection and Response)
SIEM (Security Information and Event Management)
User Entity Behavior Analytics (UEBA)
Path traversal vulnerability

An attacker can leverage path traversal sequences like “../” within a request to a vulnerable endpoint which ultimately allows access to sensitive files like /etc/shadow.

Tombstoning
Post-exploit persistence technique
Volumetric DDoS
MFA bomb

Bombard a user with notifications until they finally accept one.

Use-after-free (UAF)

use-after-free vulnerability occurs when programmers do not manage dynamic memory allocation and deallocation properly in their programs.

Cold boot attack

A cold boot attack focuses on RAM and the fact that it is readable for a short while after a power cycle.

Random Prefix Attack

A type of DNS attack. https://developers.cloudflare.com/dns/dns-firewall/random-prefix-attacks/

Famous named attacks

Agent Tesla
Cloudbleed
Heartbleed
log4j
Morris Worm

Explanations of exploits

https://blog.sonicwall.com/en-us/2024/06/critical-path-traversal-vulnerability-in-check-point-security-gateways-cve-2024-24919-2/

Famous attackers

APT29 (Cozy Bear)

A Russia-nexus threat actor often in the news

Volt Typhoon

2024. A China-nexus threat actor

Cybersecurity Terminology

Blast Radius

One of those annoying terms borrowed from the military that only marketing people like to throw around. It means what you think it might mean.

Blue Team – see Red Team
BSI (The German Federal Office for Information Security)
DLS (Data Leak Sites)

Sites where you can see who has had their data stolen.

Red Team

 In a red team/blue team exercise, the red team is made up of offensive security experts who try to attack an organization’s cybersecurity defenses.

SNORT (Probably stands for something)

An open source rule-matching engine to scan network traffic and serve as an IDS.

IT terminology

2FA (2 Factor Authentication)
802.1x
ACL (Access Control List)
AD (Active Directory)
ADO (Azue DevOps)
AFK (Away From Keyboard)
AGI (Artificial General Intelligence)

AGI is the theory and development of computer systems that can act rationally.

AIOps

Applying AI to IT operations.

ANN (Artificial Neural Network)
Ansible

I would call it an open source orchestrator.

anti-aliasing

When you smooth out color in neighboring pixels.

anycast
Anydesk

A popular remote management software.

apache

A formerly popular open source web server which became bloated with features.

APM (Application Performance Management)
ARIN
ARM

A processor architecture from ARM Corporation, as opposed to, e.g., x86. Raspberry Pis use ARM. I think Androids do as well.

ARP (Address Resolution Protocol)
ASCII

An early attempt at representing alpha-numeric characters in binary. Was very english-focussed.

ASN (Autonomous System Number)

Each AS is assigned an autonomous system number, for use in Border Gateway Protocol routing

ASN.1 (Abstract Syntax Notation One)

A standard interface description language (IDL) for defining data structures that can be serialized and deserialized in a cross-platform way.

ASPA (Autonomous System Provider Authorization)

An add-on to RPKI that allows an ASN to create a record that lists which ASNs can be providers for that ASN. The concepts are “customer” (an ASN) and “providers” (a list of ASNs). This is used to do hop by hop checking of AS paths.

ASR (Aggregation Services Router)

A high-end Interent router offered by Cisco for business customers.

AV (anti-virus)
AWS (Amazon Web Services)
Azure AD
BGP (Border Gateway Protocol)
BIND (Berkeley Internet Name Daemon)

An open source implementation of DNS, found on many flavors of linux.

BOM (Bill of Material)
Boot start

A flag for a driver in Windows that tells it to always start on boot.

bootp

A predecessor protocol to DHCP.

broadcast
Browser
BYOD (Bring Your Own Device)

I.e., when employees are permitted to use their personal smartphone to conduct company business.

BYOL (Bring Your Own License)

F5 permits this approach to licensing one of their cloud appliances.

CA (Certificate Authority)
Callback

A routine designed to be called when someone else’s code is executing. At least that’s how I understand it.

CDR (Call Detail Record)

Metadata for a phone call.

CDN (Content Distribution Network)
CDP (Cisco Discovery Protocol)

This protocol allows devices connected to switch ports to learn what switch and which switch port they are connected to. It is a layer 2 protocol.

CDSS (Cloud Delivered Security Services)

Only used in Palo Alto Networks land.

CGN (Carrier Grade NAT)

The address space 100.64.0.0/10 is handled specially by ISPs for CGN. RFC 6598

CHAP
Chatbot

A computer program that simulates human conversation with and end user.

CI (Configuration Item)
CI/CD

An ITIL term referring to the object upon which changes are made.

CISA (Cybersecurity and Infrastructure Security Agency)
CISO (Chief Information Security Officer)
Cleartext

Format where no encryption has been applied.

CMDB (Configuration Management Database)
CMO (Current Mode of Operations)
CNN (Congruential Neural Network)
Computer Vision

A field of AI that leverages machine learning and neutral networks to enable machines to identify and understand visual information such as images and videos.

Copilot

Microsoft’s AI built into their productivity software. Sorry, no more Clippy.

Courrier

A well-known fixed-width font.

CPE (Customer Premise Equipment)
CSR (Certificate Signing Request)
CUPS (Common Unix Printing Systems)
Customer Edge (CE)
CVE

CVEs, or Common Vulnerabilities and Exposures, are a maintained list of vulnerabilities and exploits in computer systems. These exploits can affect anything, from phones to PCs to servers or software.  Once a vulnerability is made public, it’s given a name in the format CVE–. There are also scoring systems for CVEs, like the CVSS (Common Vulnerability Scoring System), which assigns a score based on a series of categories, such as how easy the vulnerability is to exploit, whether any prior access or authentication is required, as well as the impact the exploit could have.

CVSS (Common Vulnerability Scoring System)

Part of CVE lingo.

DAST (Dynamic Application Security Testing)
Data at rest
Data in motion
Data Plane

A physical security appliance separates data traffic from its management traffic, which transits the managemenbt plane.

Data Remanence

The residual representation of data that remains even after attempting to erase or initialize RAM.

DDI (DNS, DHCP and IP address management)
Debian Linux

A nice distro which I prefer. It is free and open source. Its packages are relatively uptodate.

Deep Learning

A subset of machine learningthat focus on using deep neural networks with multiple layers to model complex patterns in data.

Deepfake

A manipulated video or other digital representation produced by sophisticated machine-learning techniquies that yield seemingly realistic, but fabricated images and sounds.

DHCP (Dynamic Host Control Protocol)
Distributed Cloud

A Gartner term for a SaaS service which runs over multiple cloud environments.

DLL
DLP (Data Loss Prevention)
DNAT (Destination NAT)
DNS (Domain Name System)
DNSSEC (Domain Name System Security Extensions)
DOA (Dead on Arrival)

Usage: That equipment arrived DOA!

Docker
DoH (DNS over HTTPS)
Domain
DRM (Digital Rights Management)
DVI (DeVice Independent file)

See LaTEX entry.

EAP
East-West

Data movement with a data center, I believe, as oppose to North-South.

EBITDA (Earnings Before Interest, Taxes, Depreciation and Amortization)

Hey, an IT person needs to know some business terminology!

Eduroam
Enhanced Factory Reset (EFR)
Entra

From Microsoft. The new name for Azure AD

EU AI Act
EULA (End User Licnese Agreement)
Exact Data Matching (EDM)
FAQ (Frequently Asked Questions)
Fedora Linux

Free and open source linux. New features are introduced here before migrating into Redhat Linux

FEX (Fabric Extender)
FIFO (First in, First Out)
FIPS (Federal Information Processing Standard)

Government security practices. Best to avoid if possible.

FMO (Future Mode of Operation)

As opposed to CMO.

FN (False Negative)
Forensics
Fortran

An ancient procedural programming language popular in the scientific and engineering communities from decades ago.

FOSS (Free and Open Source Software)
FP (False Positive)
freeBSD

A Unix variant which still exists today.

Fritz!Box

A popular home router in Germany.

GA (General Availability)
Gartner Group

A well-regarded research firm which reviews software and SaaS products. They decide which vendors are in the Magic Quadrant.

GBIC

A type of fiber optic transceiver that converts electric signals to optical signals.

GCP (Google Cloud Provider)
GDPR (General Data Protection Regulation)

An EU directive to achieve data privacy.

Generative AI

AI which can create new human-quality content, including text, images, audio or video.

GMP (Good Manufacturing Practice)

FDA lingo that implies their rules are being followed.

GMT – see UTC
GRE
GSLB (global Server Load Balancing)
GUI (Graphical User Interface)
HA (High Availability)
Hallucination

When an LLM perceives patterns that are non-existent creating nonsensical or inaccurate outputs.

Hands and Eyes

When you don’t have physical access to a server, you need someone who does to be this for you.

HIBP (Have I Been Pwned)

https://haveibeenpwned.com/

HIP (Host Information Profile)

Only used in the world of Palo Alto Networks.

HLD (High Level Design)
HPC (High Performance Computing)
HSM (Hardware Security Module)
HTML (HyperText Markup Language)

I started with version 0.9!

Hypervisor
IaaS (Infrastructure as a Service)

E.g., brining up a VM on AWS.

IANA (Internet Assigned Numbers Authority)
ICANN (Internet Corporation for Assigned Numbers and Names)
ICS
IDE (Integrated Development Environment)
IdP (Identity Provider)
IDS (Intrusion Detection System)
ILEC (Incumbent Local Exchange Carrier)
Incident Response Team

Variations include: Computer emergency Response team, Security incident Response Team, etc.

IPAM (IP Address Management)
IPI (IP Intelligence)

At least in the world of F5 this means IP Intelligence, i.e., the reputation of a given IP address.

IPS (Intrusion Prevention System)
IPSEC
IPv6 (Internet Protocol version 6)
iRule

F5 specific lingo for programmable control over load-balancing and routing decisions. Uses the TCL language.

ISC (Internet Software Consortium)

A body which maintains an open source reference implementation for DNS (BIND) and DHCP.

ISO 9001
ISP (Internet Service Provider)
ITIL (IT Infrastructure Library)
JSON (JavaScript Object Notation)

Pronounced JAY-son. A popluar format for data exchange. Sort of human-friendly. Example: {“hi”:”there”,”subnets_ignore”:[“10/8″,”192.168/16”]}

Kanban

Agile way of tracking progress on tasks and brief meetings.

Kernel mode
Kerning

Adjusting the spacing between letters in a proportional font.

KEV (Known Exploited vulnerabilities)

CISA maintains this catalog.

K8s (Kubernetes)

Open source system for automating deployment, scaling, and management of containerized applications

KVM (Kernel Virtual Module)
L2TP (Layer 2 Tunneling Protocol)
L3, L4, L7 (Layer 3, Layer 4, Layer 7)

Refers to ISO 7-layer traffic model.

LACP (Link Access Control Protocol)
LAMP (Linux Apache MySQL and PHP)

An application stack which gives a server needed software to do “interesting things.”

LaTEX

A markup language based on TEX I used to use to write a scientific paper. I think it gets transformed into a DVI, and then into a postscript file.

LEC (Local Exchange Carrier)
Link
Linux
LLD (Low Level Design)
LLD (Low Level Discovery)

A command-line browser for unix systems.

LLDP (Link layer Discovery Protocol)

See also CDP

An open source OS similar to Unix.

LLM (Large Langiuage Model)
lynx

A command-line browser for linux systems.

MAC (Media Access Control) Address

Layer 2 address of a device, e.g., fa-2f-36-b4-8c-f5

Machine Learning

A subfield of AI that deals with creating systems that can learn from data and improve their performance without explicit programming.

Magic Quadrant

Gartner’s term for vendors who exceed in both vision and ability to execute.

Management Plane

See Data Plane.

Mandiant
MD5 (Message Digest 5)
MDM (Mobile Device Management)

Management software used to administer smartphones and tablets.

MFA (Multi Factor Authentication)
MITRE ATT&CK
Modbus protocol
MS-CHAPv2
MSS (Maximum Segment Size)

Set by a TCP option in the beginning of the communcation.

MTTI (Mean Time To Identification)

Probably only Cisco uses this acronym e.g., in their ThousandEyes product.

MTTR (Mean Time To Resolution)
MTU (Maximum transmission unit)

Often 1500 bytes.

multicast
NAESAD (North American Energy Software Assurance Database)
Named pipes

I read it’s a Windows thing. huh. Hardly. It’s been on unix systems long before it was a twinkle in the eye of Bill gates. It acts like a pipe (|) except you give it a name in the filesystem and so it is a special file type. It’s used for inter-process communication.

NAT (Network Address Translation)
NDA (Non-Disclosure Agreement)
.NET
Netflow

Think of it like a call detail record for IP communications. Metadata for a communications stream.

NGFW (Next Generation FireWall)

Palo Alto Networks describes their firewalls this way.

NGINX

A web server that is superioir to apache for most applications.

NLP (Natural Language Processing)

A branch of AI that uses machine learning to enable computers to understand, interpret, and respond to human language.

NOC (Network Operations Center)
North-South

Data movement from/to the data center. Also see East-West.

NSA (National Security Agency)
NTLM

Relies on a three-way handshake between the client and server to authenticate a user.

OAuth bearer token

A security token with the property that any party in possession of the token (a “bearer“) can use the token in any way that any other party in possession of it can.

OCR (Optical Character Recognition)
Offensive Security – see Red Team
OKRs (Objectives and Key Results)

HR lingo.

OpenRoaming
openssl

A common open source implementation of SSL/TLS.

OS (Operating System)
OSFP (Open Shortest Path First)
OSS (Open Source Software)
OT (Operational Technology)
ova

The image filetype for a virtual host.

Overlay

See underlay.

OWASP (Open Worldwide Application Security Project)

An online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security.

PAP
Patch
PaaS (Platform as a Service)
PBR (Policy Based Routing)
PCI (Payment Card International?)

A standard which seeks to define security practices around the handling of credit cards.

PDF (Portable Document File)
PDU (Protocol Data Unit)
PE (Provider Edge)

Telecom lingo so cisco uses this term a lot.

PEM (Privacy Enhanced Mail)

The format certificates are normally stored in.

PHP (Probably stands for something)

A scripting language often used to program back-end web servers.

PII (Personally Identifiable Information)
PKCS (Public Key Cryptography Standard)
PKI (Public Key Infrastructure)
Plain Text

A human-readable format, i.e., no encyrption and not a binary file.

PLC (programmable logic controller)
PM (Product Manager)

Could also be Project Manager but for me it usually means Product Manager.

PO (Purchase Order)
POC (Point of Contact)
POC (Proof of Concept)
Port Channel
Portable Executable (PE)
POTS (Plain Old Telephone Service)

Voice-grade telephone service employing analog signal transmission over copper 

POV (Proof of Value)
Private Cloud
Prompt Engineering

The practice of crafting effective prompts that elicit high-quality answers from generative AI tools.

PS (PostScript)

A file type I used to use. It is a vector-oriented language, stack-based, which tells the printer how to move its ink pens around the page. Before there was PDF, there was postscript.

PS (PowerShell)

A versatile scripting language developed by Microsoft and available on all Windows computers.

PTO (Paid Time Off)
Purple Team

Purple teams combine red team and blue team functions. See Red Team.

PyPi (Python Package Index)
Python

A popular programming language, not the snake.

QSFP (Quad Small Form factor Pluggable)

A newer kind of SFP.

Rack Unit
RADIUS
RAG (Retrieval Augmented Generation)

A method to train LLMs.

Ray

An open-source unified compute framework used by the likes of OpenAI, Uber, and Amazon which simplifies the scaling of AI and Python workloads, including everything from reinforcement learning and deep learning to tuning and model serving.

RBAC (Role-Based Access Control)
RDP (Remote Desktop Protocol)
Recursive

A function which calls itself.

Redhat Linux

A commercialized version of Fedora whose packages are always dated, usually by years.

Redirect
Remediation

Addressing a security flaw.

Remote Desktop Licensing (RDL) services

Often deployed on Windows severs with Remote Desktop Services deployed.

Retrieval-Augmented Generation (RAG)
Reverse Engineer

To figure out the basic building blocks or code by first observing behavior of a system.

Reverse Proxy

A TCP gateway which terminates a tcp connection and maintains a separate tcp connection to a back-end server.

RFC (Request for Comment)
RFI (Requst for Information)
RFO (Reason for Outage)
RFP (Request for Proposal)
RFQ (Request for Quote)
RIPE
RIR (Regional Internet Registry)
RMA (Return Merchandise Authorization)

You hear this a lot when It guys need to get a replacement for failed equipment.

RMM (ReMote Management)
ROA (Route Origin Authorization)
ROCE (Return on Capital Employed)

Hey, an IT person has to know a few business terms!

Route 53

In AWS-land, an intellugent DNS service, i.e., geoDNS +.

RPC (Remote Procedure Call)
RPKI (Resource Public key Infrastructure)

Provides a way to connect Internet number resource information to a trust anchor.

RPi (Raspberry Pi)

A popular small, inexpensive server aimed at the educational crowd.

RPZ (Response Policy Zone)

A concept in DNS for either a DNS firewall or way to overwrite DNS responses.

RR (Resource Record)
RSA

Asymmetric encryption standard named after its creators, Ron Rivest, Adi Shamir and Leonard Adleman.

RTFM (Read The “flippin'” Manual)
SaaS (Software as a Service)
SAML
SANS

Private outfit in the US which specializes in information security and cybersecurity training.

Sans-Serif

A font type which does not have the fancy rounded blobs at the tips of the letter, such as Helvetica.

SASE (Secure Access Service Edge)
SCADA
Scale sets

In cloud, a service which automates the build-up or tear-down of VMs behind a load balancer.

SDWAN (Software defined WAN)
SEO (Search Engine Optimization)
SFP (Small Form factor Pluggable)

A type of optic transceiver that converts electric signals to optical signals.

SGML (Standard Generalized Markup Language)

If you ask the French they proudly point to this as the predeccesor to the more widely known HTML.

SFTP (Secure file Transfer Protocol)
SHA (Secure Hash Algorithm)
SIEM (Security Information and Event Management)
SRE (Site Reliability Engineer)
SMP (Symmetric Multi Processing)
SMTP (Secure Mail Transfer Protocol)
SNAT (Source NAT)
SNI (Server Name Indication or similar, I think)

When multiple HTTP[S web sites whare a single IP this technology can be used to identify which certificate to send to a requester.

SNMP (Simple Network Management Protocol)

All security appliances support this protocol which permits system monitoring.

Spoofing

When a source IP address is faked.

SSH
SSL (Secure Socket Layer)
SOC (System on a Chip)

I believe the RPi is described to be this.

SOC (Security Operations Center)
Solaris

A Unix variant possibly still available. Offered by Oracle and formerly Sun Microsystems Corporation.

SSL (Secure Sockets Layer)
SSL labs

A Qualys (so you know it has to be good quality) service where you can test a web site’s SSL certificate.

SSO (Single Sign On)
Steal with Pride

To unashamedly build on someone else’s work.

SVI (Switch virtual Interface)

A layer 3 on-switch routing between vlans on that switch. It’s a Cisco thing.

TAC (Technical Account or something?)
TAM (Technical Account Manager)

Another Cisco term.

Cisco uses this term a lot.

TCP (Transport Control Protocol)
TeamViewer

A remote management tool.

Telnet
Terraform
The epoch

The first moment of January 1st, 1970

TI (Threat Intelligence)
TLP (Traffic Light Protocol)
TLS (Transport Layer Security)
Tooltip

An element of a graphical user interface in the form of a box of text that appears when a cursor is made to hover over an item; normally used to explain the function of the item.

TPM (Trusted Platform Module)

TPM, a Microsoft security feature required by Windows 11, is a dedicated chip designed to provide “hardware-level security services for your device,” keeping your private information and credentials safe from unauthorized users. 

TSF (Tech Support File)

Palo Alto Networks-specific lingo for a dump file they require for a firewall support case.

Ubuntu Linux

A commercialized implementation of Debian Linux from Canonical.

UC (Unified Communications)

Cisco likes this term.

udev rules

udev rules in Linux are used to manage device nodes in the /dev directory. Those nodes are created and removed every time a user connects or disconnects a device.

UI5

SAP’s UI for HTML 5.

Ultrix

A Unix variant which ran on DEC workstations.

Underlay

SD Wan terminology for the underlying network. As opposed to overlay.

Unit testing
UPS (Uninterruptible Power Supply)
URL
Use case
UTC (Universal Time Coordinated)

What used to be called GMT.

UTF-8

Common representation of common language characters. I think of it as a successor to ASCII.

Validated

In FDA parlance, an adjective used to describe a system which follows FDA controls.

VDI

A virtual desktop offered by Citrix.

VLAN
VM (Virtual Machine)
VMWare

Will Broadcom destroy this company the way they did to Bluecoat/Symantec?

VNC (Virtual Networking Computer)

VNC is a software used to remotely control a computer.

VPC (Virtual Private Cloud)
vPC (Virtual Port Channel)

A virtual port channel (vPC) allows links that are physically connected to two different Cisco FEXes to appear as a single port channel by a third device.

VPG (Virtual Port Group)

A Cisco-ism.

VPN – Virtual Private Network
VRF

A logically separated network when using MPLS.

WAF (Web Application Firewall)
Webhook
Website
Wiki

A less formal and usually more collaborative approach to documentation, the prime example being Wikipedia.

Windows PE or Win PE

A small OS for repairing or restoring Windows systems.

WWW (World Wide Web)
x86

A type of processor architecture. Found in most Windows PCs.

XHR (XMLHttpRequest)

I.e., ajax.

XML (eXtensible Markup Language)

Common file format for data exchange, but not too human-friendly.

YAML
YARA
Zabbix

An open source infrastructure monitoring system.

Categories
Scams Spam

Latest spear phishing: your password plus extortion

Intro
Three users that I know at a certain company have all received spear phishing emails worded very much like this one:

Spear Phishing shows you your password and extorts you

The details
I don’t really have many more details. One user described it to me as follows. He got this email at work. It displayed to him a password which he uses for some of his personal accounts and maybe for a few work-related logins. He said the wording was very similar to the one I showed in the above screenshot.

This one comes from IP 40.92.6.45, which is a legitimate Microsoft-owned IP. So it has an air of legitimacy to traditoinal spam filters.

I htikn all the users are reluctant to pursue the normal methods o reporting phishing, which involve sending the entire email to some unknown group of analysts because the email does in fatc contain a legitimate password of theirs. This makes it that much harder for an incident repsonse team to kick into gear and start a detailed analysis.

I mentioned three users – those are just the ones brought to my attention, and I’m not even in the business any more. So by extrapolation, this has probably occurred to many more users at just this one company. It’s disturbing…

November update
Another one came in to a different user. I have the text of this one and have only changed the recipient information.

From: [email protected] <[email protected]>
Sent: Thursday, November 29, 2018 11:55 AM
To: Dr J <[email protected]>
Subject: [email protected] has been hacked! Change your password immediately!
 
Hello!
 
I have very bad news for you.                                                                                                                                 03/08/2018 - on this day I hacked your OS and got full access to your account [email protected] On this day your account [email protected] has password: drj1234
 
So, you can change the password, yes.. But my malware intercepts it every time.
 
How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
 
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
 
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
 
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
 
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
 
I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $709 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!
 
Pay ONLY in Bitcoins!
My BTC wallet: 1FgfdebSqbXRciP2DXKJyqPSffX3Sx57RF
 
You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy
 
For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.
 
After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".
 
I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.
 
P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
 This is the word of honor hacker
 
I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.
 
Do not hold evil! I just do my job.
Good luck.

Conclusion
A new disturbing type of spear phishing campaign is presented. The email presents an actual password (no hint as to how the hacker obtained it) and then tries to extort the user for quite a bit of money to avoid reputation-damaging disclosures to their close associates.

References and related
This is a useful site, albeit a little frightening, that shows you the many sites that have leaked your Email address due to a data breach: https://haveibeenpwned.com/

Categories
Admin Internet Mail Scams

The latest trend – Google search engine spam

Intro
I’ve been seeing an uptick in brief spams which provide links to a very legitimate site: the Google search engine!

The details
I’ve been getting a lot – several per day – that look like this one:

From: [email protected]
To: [email protected]
Subject: Legal drugs forum
 
Legalize!!! Read about strongest legal drugs in the world, and buy it online: https://www.google.com/url?q=http%3A%2F%2F%77%77%77.le%67a%6C%69z%65r%2EDRJinfo%2F&sa=D&usg=AFQjCNG0coaOvXJMkOn0nEMvP-dl11XKnQ
 
Attention: MDMB(N)-BZ-F is not allowed now!

Here’s another example which appears to be a different spam campaign using the same technique which I received several weeks after initially posting this article:

From: [email protected]
Subject: Turn your bedroom into paradise of satisfaction
 
https://www.google.com/url?q=http%3A%2F%2F%73lip.h%65al%69DRJn%67%73%65%63%75re%65%73hop.%65%75%2F&sa=D&usg=AFQjCNFeP_XevUiXV-m-DtxAJVi3SMRtVQ

I’ve changed the links slightly so no one gets in trouble by actually following it.

The link is changed each time and so is the sender.

How to report this?
I have been reporting these to Google directly on their page to Report malicious software, https://www.google.com/safebrowsing/report_badware/.

I have reported five to then of these and have never received a response from Google. It seems the best we can hope for is that Google engineers are sufficiently annoyed by my reports that they begin to agree hey there’s a problem here and maybe people will think less of us if we continue to do nothing.

Why this is particularly devastating
Because the malware link uses this combination:

– https (which encrypts everything)
– a very legitimate web site, www.google.com
– malware

It is very tricky to defeat. Many URL filters, e.g., those used on explicit proxies, cannot peer into https traffic and so have to make a single judgment for a whole site, even one as complicated as www.google.com. Either it is all good, or it is all bad. Who would have the courage to categorize Google as a source of malware and hence block all users from it?

So these perpetrators have engaged in what amounts to link laundering. Some of the URI is encoded in hex, I suppose to help avoid detection and create many valid patterns that are hard for Google to stamp out.

This started over a month ago and is stronger than ever today, so we know at press time Google, in spite of all its advanced technology, does not have a handle on it.

If you see something similar I suggest to report it directly to Google. They may need a little more motivation than I can single-handedly provide them.

Conclusion
Link laundering is now an avenue to sneak spam through. It uses links that point to the Google search engine itself. It seems to have eluded them or been under their radar in spite of many reports. Let’s hope the bad guys don’t have the upper hand permanently.

Appendix
If you are interested in how the URL looks decoded I figured there would be decoders available on the Internet and indeed there are. For instance at http://meyerweb.com/eric/tools/dencoder/

So the URL mentioned above decodes as (again just slightly obfuscated to not make good people do bad things by mistake:

https://www.google.com/url?q=http://www.legalizerDRJ.info/&sa=D&usg=AFQjCNG0coaOvXJMkOn0nEMvP-dl11XKnQ

References
enom-originated spam is discussed here.

Categories
DNS Scams

What if someone approaches you offering a domain?

Intro
As a domain owner you will sooner or later get an unsolicited email like the following one I received March 28th:

Hello,
 
We are promoting the sale of the domain name johnstechtalk.com that is being returned back to the open market very soon.
You own a very similar domain and we wanted to give you a first chance to secure johnstechtalk.com. If this offer is of any 
interest to you, the link below will lead you to our website where you can leave an early offer:
 
http://baselane.net/acquire/c00bsn1ub/J8jIGPiguH
 
Alternatively you can simply reply to this e-mail with your offer and we will manually process your order.
 
Here are a few quick notes about the offer:
-You are leaving an offer for full ownership and control over the domain. 
-You do not have to use our hosting or any other service, you are bidding only for the domain.
-This is a single transaction, no hidden surprises. 
-We will not give away your personal information to anybody.
-You will not need a new website or hosting you can easily redirect your existing website to point to this one.
-Our technical team stands at your disposal for any transfer/redirect issue you may have.
 
Thank you for considering our domain name service!
Please feel free to call us any time we would be really happy to hear from you!
 
Kind regards,
Domain Team

The thing is, this is not complete spam. After all, it is kind of interesting to pick up a shorter domain.

But is this a legitimate business proposition? What can we do to check it? Read on…

The details
The first reaction is “forget it.” Then you think about it and think, hmm, it might be nice to have that domain, too. It’s shorter than my current one and yet very similar, thus potentially enhancing my “brand.”

To check it out without tipping your hat use Whois. I use Network Solutions Whois.

Doesn’t the offer above make it sound like they have control over the domain and are offering you a piece of it? Quite often that’s not at all the case. For them to control the domain to the point where they are selling it would require an upfront investment. So instead what they do in many cases I have encountered is to try to prey on your ignorance.

When I received their offer the Whois lookup showed the domain to be in status

RedemptionPeriod

Form what I have read the redemption period should last 75 days. Its a time when the original owner can reclaim the domain without any penalties. No one else can register it.

If they actually owned the domain and were trying to auction it off, it would have had the standard Lock Status of

clientTransferProhibited

or

clientDeleteProhibited

Furthermore, domains being auctioned usually have special nameservers like these:

Nameservers:
  ns2.sedoparking.com
  ns1.sedoparking.com

Sedo is a legitimate auction site for domains.

johnstechtalk.com, having entered the redemption period, will become up for grabs unless the owner reclaims it.

If I had expressed interest in it I’m sure they would have obtained it, just like I could for myself, at the end of the redemption period and then sold it to me at a highly inflated price.

Not wanting to encourage such unsavory behaviour I made no reply to the offer and checked the status almost every day.

New status – it’s looking good

Last week sometime it entered a new status:

pendingDelete

I think this status persists for three days or so (I forget). Then, when that period is over it shows up as available. I bought it using my GoDaddy account for $9.99 last night – actually $11.00 because there’s an ICANN fee of $0.18 and I rounded up for charity.

And this is not the only domain I have bought this way. I bought vmanswer.com because I was annoyed by the number of unsolicited offers to “buy” it! That purpose was achieved…

But I am watching another domain that was offered to me and really did go to the auction house Sedo, where it is currently sitting (which means no one else is all that interested). I am curious to see what happens when it expires later this year.

Save the labor
How could I have avoided the trouble of those daily whois lookups? Well, on my Linux server there is the ever-handy whois, as in

$ whois johnstechtalk.com

But sometimes it gives fairly complete information and for other domains not so much. It depends on the registrar. For GoDaddy domains you get next to no information:

[Querying whois.verisign-grs.com]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]

I suspect it is a measure GoDaddy takes to avoid programmatic use of WhoIs. Because if it answered with complete information it would be easy for a modest scripter like me to write a program that runs all kinds of queries, which of course would mostly be used by the scammers I suppose. In particular since I wasn’t seeing the domain Lock Status from command-line whois I didn’t bother to write an program to automate my daily query. Otherwise I probably would have.

What about cybersquatters?
In the case mentioned above there is no trademark at stake. Often there is. what should you do if you receive an offer to sell you a domain name which is based on one of your own trademarks? I get lots of those as well. My approach is, of course, to not be extorted. So at first I was ignoring such solicitations. If I want to really go after the domain, I will sic my legal team on them and invoke UDRP (ICANN’s Uniform Domain Dispute Resolution Policy). UDRP comes down heavily in favor of the trademark holder.

But lately I wanted to do something more. Since this is illicit activity at the end of the day, I look at where the email comes from. Often a Gmail account is used. I gather the headers of the message and file a formal complaint with Google’s Gmail abuse form, which I hope leads to their account being shut down. I want to at least inconvenience them without wasting too much of my own resources. Well, I don’t actually know that it works, but it makes me feel better in any case 🙂 .

This is the Gmail abuse page. Yahoo and MSN also have similar forms.

Conclusion
Unsolicited, sound-similar domains is one of the many scams rampant on the Internet. But with the background I’ve provided hopefully you’ll be better at separating the scams from the genuine domain owners seeking to do business through auctions or private sales.

Interested in reading about other scams? Try Spam and Scams – What to Expect When You Start a Blog

Categories
Scams

Spam and Scams – What to Expect When You Start a Blog

In my case – not much! It appears that despite providing top-notch content the only “readers” are those trying to profit from me. To use the word “scam” may be a bit strong, but any outfit that demands money upfront to supposedly help you make money is highly suspect in my playbook.

So I’ve heard from Tina. It goes like this:
Admin – I’ve checked out http://drjohnstechtalk.com/blog/2011/06/grep-is-slow-as-a-snail-in-sles-11/ and I really like your writing style like in your post Grep is Slow as a Snail in SLES 11 | Dr John’s Tech Talk. I am looking for blog authors who would like to write articles as either a full time job or part time job (for some extra money). I think your writing style would work very well. You receive pay per article, anywhere from $5 to $50 per article depending on the topic, article length, etc… If interested you can find more information at www.onlinehomewriter.net.

Please do me a favor and do not follow that link. It redirects you secure.signup-way.com, some strange-looking URL that McAfee categorizes as Malicious Sites, High Risk. So I don’t think I’ll be going there.

Then there’s Tony:
Blog Admin – If your blog isn’t bringing in as much money as you would like it to check out my site www.QuickCashBlogging.com. We show blog owners how to maximize their blogs earnings potential. Tony

McAfee verdict: Spam site, medium risk. That’s just great.

The McAfee URL checker I use is http://www.trustedsource.org/en/feedback/url.

Clearly these people have program trolling the Internet for new domains and new blogs, trying to squeeze some $$ from them. Unfortunately I’m not sure any person who could benefit from the information has read my blogs. So I feel I am making negative progress – instead of elevating the level of discourse on the Internet helping it to be used for more spam and scams.

I just feel bad for humanity. Is this the best we can do? A well-meaning person embarks on a quixotic journey to provide better technical information on some topics, and the average response from my fellow human beings is to try to take advantage of a hopefully vulnerable and naive newbie? I am literally concerned for us as a race.

August 16th Update
The spam and scam started as a trickle. Now it’s raining spam in my inbox. I continue to be disappointed. In email the ratio of spam to “ham” may be about five to one, so not knowing any better you could expect a similar ratio with WordPress blogs. Not so! Of my fifty comments, not counting the ones from myself, the legit comments number about two-and-half, more like a twenty to one ratio. I will probably use a WordPress plugin to cut them off, but since I started on this public service mission, here are some more scams.

This one is spam as it was posted to my Sample page:
HTC is a well known name in the smartphone segment. The company has come up with smartphones boasting of exquisite features and HTC EVO 4G is one of the most potent… It came from an address ending in @mail.ru . One of many hats is as spam fighter. Let me tell you you see an a sender address mail.ru and you’re talking pure spam. The IP resolves to Latvia, however, and that fact hardly inspires confidence either.

To my post WordPress, Apache2, Permalinks and mod_rewrite under Ubuntu I got a comment The Best Way To Fix Acid Reflux. Now that’s a closely related topic!

Another one claims to help if I’m looking for information about babies (very relevant for a tech blog. yeah, right!).

Very many fall into the generic flattery category. Like this one:
Hey There. I found your blog using msn. This is a very well written article. I will be sure to bookmark it and come back to read more of your useful information. Thanks for the post. I’ll definitely return.

Or this:
I agree with your Gnu Parallel Really Helps With Zcat | Dr John's Tech Talk, great post.

I had to investigate those a little bit as I almost fell for one the first time. Then you realize that it’s so generic – except for the one where he obviously just pasted in the title of my post programatically – that it could be used for any blog post.

An equally popular scam are the SEO scams – Search Engine Optimization. I think the point of those scams is to shake a little money from you for supposed help to improve your blog’s ranking in the search engines.

Returning to the flattery scams, how do I know for sure this isn’t real, genuine flattery of my wonderful posts? I’ll tell you. There are a couple unambiguous clues and another strong hint.

Let’s start with the strong hint. Since I haven’t told anyone about my blog, pretty much the only way someone’s going to find it who has legitimate interest in its content is through Google or another search engine. So, in the web server access log, where I am recording the HTTP_REFERER (what URL the browser visited just before hitting my blog post), I should expect to see one of the search engines. I should not see some random web site mentioned because there is simply no good reason for browser controlled by a human being to go from someone else’s web site directly to my web site. And yet that is precisely what I am seeing. I would give examples but it would only serve to promote their web sites, so i will refrain from even an example.

But even more damning is to examine how long the poster has spent on my site. A human being has to read the post, contemplate its meaning, then type in a comment to finally post, right? It could rarely be done in under a minute. WordPress tells me the IP of the poster of the comment. I take that IP and search for it in the access log using grep. I am seeing that these comments are being made in one second after the web page was first downloaded. One second. It is not humanly possible. But for a program, piece of cake.

Here’s a real example (some of this may be cut off, depending on your browser):

109.169.61.16 - - [12/Aug/2011:06:31:51 -0400] "GET /blog/2011/06/gnu-parallel-really-helps-with-zcat/ HTTP/1.0" 200 22757 "http://blahblah.net/invest/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
109.169.61.16 - - [12/Aug/2011:06:31:51 -0400] "GET /blog/ HTTP/1.0" 301 340 "http://blahblah.net/invest/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2"
109.169.61.16 - - [12/Aug/2011:06:31:51 -0400] "POST /blog/wp-comments-post.php HTTP/1.0" 302 902 "http://drjohnstechtalk.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
109.169.61.16 - - [12/Aug/2011:06:31:52 -0400] "GET /blog/ HTTP/1.0" 200 110806 "http://blahblah.net/invest/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2"

Also this example illustrates the other damning evidence of lack of human involvement in the comment. A real browser run by a real human being has to pull in a lot of objects to display a single WordPress page. You’ve got stylesheets, external javascript pages and even the image at the top. They should all be requested, and be recorded in the access log. But a programmatically controlled browser needs far less! It needs the HTML of the blog page, and then the page it POSTS the comment to. Perhaps a third page after the POST to show it the POST was successful or not. And that’s exactly what I’ve seen in all the spam/scam comments I’ve checked out by hand, not just the flattery scams. They are all using the absolute minimum page accesses and that simply screams non-human access! I am, unfortunately, not really so special as they would have me believe! And the SEO scams are just annoying advertising. Most of the rest is what I’d call link laundering, where they’re using the legitimacy of my site to try to get links to their shady sites included, by trickery, carelessness or any means. And some are just using it as pure spam to my inbox since that’s where the comments go for review and they don’t even care if I approve their spam for public viewing or not.

Possible Explanation
My hypothesis is that there are specially constructed advanced searches in Google you can do to find new WordPress blogs. You can download the results and programatically loop through them and attempt to post your spam and scams. It’s pretty easy to program a browser like curl using PERL to post to a WordPress blog. Even I could do it! And that low barrier to entry jibes with the level of professionalism I perceive in these scams, which is to say, pretty low, like something I would cook up by my lonesome! Misspellings, poor English, blatant calls-to-action are par for the course, as well as source IPs from remote regions of the world that have no possible interest in my arcane technical postings.

Now you could argue that a real browser could have cached some of those objects and so upon a return visit it might only access a minimum set of objects and hence look a bit like a program. To that I say that it is rarely the case that all objects get cached. And even if they did, you still have to take time to type in your comment, right? No one can do that in a second. The access lines above span the time from 6:31:51 to 6:31:52!!

The Final solution
I think I’ve made my point about the spam. I have followed Ryan’s advice and activated a plugin called Akismet. Their site looks fairly professional – like they know what they are doing. An API key is required to activate the plugin, but that is available for free for personal blogs. I’ll append to this blog whether or not it works!

Feb 28th update
600 spam comments later, 20 in the last few hours alone, I am sooo tired of rotten apples abusing the leave a comment feature, even though I am protected from approving the comments, it is still filling up my database. So I have taken an additional step today and implemented a Captcha plugin. This supposedly requires some human intelligence to answer a simple math problem before the post is allowed. I’ll post here about how well it is or isn’t working.

September update
Well, the captcha plugin has stopped virtually all spam, except one random comment. A user wishing to post a comment has to solve a very simple math/language problem. I recommend this approach. I suppose eventually the scammers will catch up with this defense, but in the meantime I am now enjoying peace and tranquility in my seldom-visited but formerly frequently spammed blog!