- Entries : Category [ security ]
- Stuff mildly related to security and privacy.
04 February 2005
Is Proxy on Mac OS X Server really an open proxy by default?
Looking at log files may be indecent
Just had a look at an installed Mac OS X Server log file somewhere. Went to switch off the web proxy immediately. There were tons of requests from clients all around the world to GET all kinds of stuff ("GET http://www.yahoo.com HTTP/1.1" in the log). A quick search through Apple's Documentation, Discussion Board, Knowledge Base, & the Web in general did not reveal any information about how the proxy might be restricted to local subnet users only. So off it went.
04 February 2005
More open proxy fun
Some people make money with that
Looks like the open proxy was used by some people professionally; one of them (clickingagent.com) has a funky website, at least if you're into the SPAM humour mindset. "...is a HUGE help for fooling the sponsors", wow! The "cheating on sponsors" program is only $100. And they have software to search for open proxies for only $35. Plus the cost of ending up for an infinity or two in hell after you die, because you are cheating others.
10 March 2005
So, What Is That Thing Called a "Certificate"?
Abstract concepts
Yesterday a friendly lady from accounting asked me what this invoice really is. It said "SSL Certificate". Is it some kind of software? One could argue in some way that it is (as opposed to hardware), but really it isn't an executable software program.
A certificate is some kind of security device. But security devices are abstract concepts, hard to explain in 2 minutes. If you know the answer you could explain that the certificate is there to enable encrypted SSL connections to our webserver. But that can be had even with a self-signed certificate.
So we could say it is there to assure our customers that our site really belongs to our company. But given the procedure of getting the certificate, I would say that all it proves is that our site is our site. The proof for the certification company was that they sent mail to an "official" address (like hostmaster@ or webmaster@) and that their automatic confirmation system called a number I'd given them on a web form. Any number, does not have to match any company records.
In the end what it does is that the funny error message about "something with 'not secure' and 'a certificate' is wrong" goes away for our customers. I should have told her that the money was for debugging.
01 April 2005
Trash Diving Revisited
No need to break in
Look what I found on the street yesterday: A see-through garbage bag labelled "securicleaning", filled with printouts and printed stuff. Now this poses some questions: Is this a company that promises to dispose of your sensitive office trash in a secure way? Do they boast about their security checked staff?
Either way, the word "secure" is a lie on that bag. Heck, you would not even have to rip open that bag to get at the contents. I did not look too closely, but even if the bag did not contain letters the breach of cover would be bad. Let's just hope that this company has a shredder and their employees do not put anything remotely sensitive in that bag. But a seasoned Social Engineer could make use of even remotely company related material. Conclusion: The reference to "secure" must be a joke from the side of the cleaning company.
10 April 2005
Security On Monday
National security is the first thing next week
Monday morning first thing I will go to a one day event "Γενικές αρχές εθνικής στρατηγικής για το απόρρητο και την ασφάλεια δικτύων και πληροφοριών" phew. "General principles of national strategy for the secrecy and security of networks and information". A couple of ministers, university professors and security guys will give speeches. Let's see how it will be like. Link should be at http://www.adae.gr but at the time of writing the site is not reachable. So let's hope the best for national security.
11 April 2005
sec congress 1
Message from coffee break
First batch of speakers heard. Was late but still heard a minister read down his bullet list. Then some more interesting uni profs. They were asking for example why still so few uni programs for sec in IT exist. Also heard that Internet access might still be as low as 7% in Greece. Diomedis Spinelli gave a speech on Open Source, some good points to reach the audience of suits and ties in a country in the grip of the big M$ monopoly.
12 April 2005
Sum Up Of Security Strategy Conference
Taking part in the democratic process, pushing Open Source and privacy
I had thought about mobile blogging more of the conference, but it got too tiresome with
the tiny mobile phone keyboard. Here are some notes and thoughts though. Overall the day
was a surprisingly good experience. Don't expect too much to come out of it, politicians
are going to turn it their way anyway. Read on...
My last report had ended with Diomedes Spinelli talking on Open Source. Thinking back I
believe he could have put more fire on it. But Open Source crept in on a couple of other
occasions. After all security is today one of the big reasons for Open Source.
After the coffee break was the second batch of speakers, talking more about the
involvement of users, providers, banks, and consumers. Despoina Polemi, a female
professor from the Uni of Piraeus started with some security related projects that involved
digital signatures, encryption, smart cards and the like to do for example digital
prescriptions in the health industry (my words). Then there was a guy from the Bank of
Greece who gave a very interesting speech. He basically lined out the list of rules the
Bank of Greece has handed to Greek banks a couple of weeks ago. These involve all kinds of
security related matters in respect to computer security. They demand from internet
banking now two levels of authentication, not just username/password any more, but some
kind of smartcard, strike list, whatever. Very good, given that for example Alpha Bank
currently uses only username/password and restricts the password to 8 characters.
I won't list each and every speaker, just some that left a strong impression. Stelios
Maistros from the Greek CERT talked about their work,
some statistics and went so far as to even mention Bruce Schneier and his book "Beyond Fear".
Coincidentally I'm just rereading that book, I think it is definitely the book for these
suits to read. But I don't think the suits will actually go so far and pick up a
book and really go and gulp, ...read it. Speakers from the Greek Internet Users
Union talked about digital signatures that are required by some organizations but can be
obtained only through American companies. They and the guy from the Workers Union pointed
out problems with privacy in modern technology.
After a hefty good lunch (thanks go to the Greek Democracy for inviting me in) we went in
for the 3rd session. Talks about Security, Trust and Development. Standing out was George
Epitideios from the Greek Internet Professionals Union. Not only was his style of talk
interesting, with lots of lively examples and involvement of the audience, but he also gave
good information and advice around the question of security problems and public image.
Another talk was about why companies hesitate to sell products online and why consumers
hesitate to shop.
After we had heard all the talks, three smaller rooms awaited us, where we would discuss
and work on the three topics of the day (1: Globalisation and the Greek outlook - more a
strategy thing. 2: Consumers, Privacy, Banks, Providers. 3: Security, Trust and
Development.) I chose to go into room 2, as some points in the banking talks had raised my
interest.
In the workgroup I was only listening at first. There were representatives of banks,
internet and communications providers, user groups, uni people. Quite often someone would
talk up: "We as the xy want that abc happens." The Greek democratic process at work. The
paper from the Bank of Greece was thought to be sufficient. I spoke up that I had
missed one question in there though: When something really goes wrong (and something always
does), who will pay? The bank or the customer? It's not so long ago that the banks denied
any claims from customers who had been victims of small cameras and spoofed card readers
on ATMs on the basis that their systems are totally safe. So the question of liability got
into the paper.
Later I also gave my opinions about digital signatures (which have a terrible way
of breaking down on citizens when they are issued and managed by government, just imagine
having to defend against someone abusing your "official ID digital signature"), which was
one of the big points of the user groups and some providers' representatives. The telco
people were mainly worried about the chaos around privacy questions: On one hand privacy
laws dictate that they erase customer trace data, on the other hand law enforcement
obliges them to keep that stuff around. Now what to answer to customers who want their
records erased? We also got the demand for open standards into our list, for government
projects and banking interfaces.
All workgroups summed up their findings in the big room at the end.
Most notable at this point was that Open Source and open standards
had come up on all the three topics. Few attendees had remained
till the end, but for me it was worth it. At the end I want to
mention what the guy from one of the telcos told me though. He did
not expect anything to come out of it. Politicians do what they
want, and then there is still the EU. We Swiss have a bit of a
different expectation about democracy. So let's see and hope for the
best. Personally it was a fun day.
19 April 2005
Who Is Behind the Greek National Security Organisation?
Is it the CIA? Is it the NSA? Is it the Germans? The French? Or the Japanese?
For a long time people were worrying who is actually behind the Greek National Security organisation. I can't tell you just now, but the answer can be found on the streets of Athens. Obviously, whoever it is, their phone number starts with "522".
I noticed this abandoned van on the street behind a building of some army school (!). Since I was there at night (don't ask), I had to come back to snatch some pictures during day time. This I did in spite of the scary signs "No Photos!" around the building. Civil disobedience must prevail in the face of the military industrial complex, even if it comes (drives?) in the form of a Mitsubishi van.
18 May 2005
Burning Down the Telcos
Could I get the rackmount option on this?
This is a burned down telco installation box, outside some university in
Athens. I don't know who burned it down (it wasn't me, honestly). And I
don't know why it's always me "finding" this sort of objects, seems like
other people just walk by and look away. Anyway, this thing triggers
some thoughts in me. First of all, what exactly is it? Why was it burned
down? And is there any security to protect against such incidents? ...
Look away!
If you don't see it, it may not really have happened. As I walk in
the streets of this city, I see not only the nice new buildings,
streets and public transport. I also see the fucked up old buildings,
abandoned and reeking of piss and garbage. Looking away does not
make it go away. Some people are obviously upset, even upset enough
to burn something down on occasion. Most likely young people,
anarchists, communists, whatever. These are just guesses. I am not
judging if they have a reason to be upset, they might as well be
bored rich people's children on some lame revolt. But a burned down
telco box does not fit in with the European Council's plan for the
development of the Mediterranean member states I guess.
Why burn it?
Athens became much more nice, clean and polished. At least in some
parts. Don't look at the other, dark side of town. Some
people drive Mercedes now, some people have to live on 160 Euro
retirement money. We have immigrants now from Bangladesh, China, Africa,
wherever. Developments like complete neighbourhoods populated
by foreigners (not tourists) are new and alien to Greeks, who had lived
in some isolation since they always were an immigrant exporter, not an
immigration destination. The move
to a new European society leaves the country with some conflicts.
Rising prices and internationalization also lead to the famous "new"
poverty. Conflicts lead to aggression.
If I personally had burned it, I would state a much different reason.
Something much more basic: Hey, give me decent communication without
costing an arm and a leg. First of all, give me ADSL without having to
go through burning hoops. Tear down telco monopolies, burn down telco
installations, or so. Not that I think it would change anything. I'm not a
luddite, by a long way. I think the main result of that burned down box
was some poor guys left without telephone and a small rise in the
utility costs of OTE (the Greek state telco).
What is it?
I don't really know what it exactly is. Or rather was before it
was burned down. It looks like a telco installation. It had a UPS
(upright in the left compartment). There are some other rackmount form
factor boxes in the right compartment. And lots of small cables below,
which leads me to guess telco. Cables are too thin to be utility
electricity. Burning down happened a while ago, so there is some garbage
in there too.
Security
How could one avoid such an event? Of course it would be possible to
build a stronger box. Put a better lock on it, thicker steel around it.
But then someone lighting that stronger box up with a couple of molotov
cocktails would make that moot.
You can't really place these installations under guard, given that they
have to be all over town (they are). Better lighting on the street would
probably not help, same as surveillance cameras. Why? Because very
likely the box was not burned down on a quiet night, but in a
demonstration or riot situation.
So what gives? These installations are really just protected by an
old mechanism. The one that also protects people walking on the
streets and mail lying on the doorstep of an apartment building.
It's just our human reliance on the general good behaviour of other
humans. Normally people don't go around burning each other's equipment.
We don't steal each other's mail, break windows on random cars parked
outside our houses. The more stable and just a society is, the
better this mechanism works. You might get more immediate security
for the box in a police state, but I doubt it. Oppressive systems usually
end up producing lots of conflicts. There might be more quiet
while oppression works, but in the end it just pops up all together.
25 May 2005
Bot Attack
Referrer spam without referrer?
Starting from yesterday I am having lots of accesses by what appears to
be a bot or spider. At first when I found my stats file inflating
certain pages views, I had expected to have been hit by referrer spam.
But there is no referrer. Only the blog part of my site is being
targeted, the same URLs are hit again and again, sometimes more than
200-300 times. The browser ID string is always "Mozilla/4.76 [en] (Win98; U)"...
Originating IPs seem to be all over the place, from places as far away
as China and Germany.
I have now blocked access to this from Apache's httpd.conf, returning
403, in order to save some bandwidth and retain sane access statistics.
The attacks remain.
The browser ID string is always the same, it seems to be one that has
been often used as an example in perl and web spidering books. I have
not had a legitimate page request with this browser id string in the
last 4 months (that I could overview from log files). So I do not expect
that there is a legitimate userbase being denied access.
Here is a small sample from the access_log file:
213.162.50.228 - - [25/May/2005:16:28:47 +0200] "GET /blogs/ch-athens/30 HTTP/1.1" 403 299 "-" "Mozilla/4.76 [en] (Win98; U)"
219.95.111.181 - - [25/May/2005:16:30:40 +0200] "GET /blogs/ch-athens/65 HTTP/1.0" 403 287 "-" "Mozilla/4.76 [en] (Win98; U)"
213.162.50.228 - - [25/May/2005:16:40:04 +0200] "GET /blogs/ch-athens/107 HTTP/1.1" 403 300 "-" "Mozilla/4.76 [en] (Win98; U)"
213.162.50.228 - - [25/May/2005:16:40:12 +0200] "GET /blogs/ch-athens/104 HTTP/1.1" 403 300 "-" "Mozilla/4.76 [en] (Win98; U)"
So: Has anyone seen this before? Is it targeting weblogs in general? Is
it targeting COREBlog? Or just me? Any comments on this?
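The pattern described in this post (one fixed browser ID string, never a referrer, several source IPs) can be checked mechanically. The following is an added Python example, not part of the original post: it parses Apache combined-format lines, using the four log lines quoted above plus one constructed normal request for contrast. The function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "request" status size "referrer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

BOT_UA = "Mozilla/4.76 [en] (Win98; U)"

SAMPLE = [
    # The four lines quoted in the post, one entry per line.
    '213.162.50.228 - - [25/May/2005:16:28:47 +0200] "GET /blogs/ch-athens/30 HTTP/1.1" 403 299 "-" "Mozilla/4.76 [en] (Win98; U)"',
    '219.95.111.181 - - [25/May/2005:16:30:40 +0200] "GET /blogs/ch-athens/65 HTTP/1.0" 403 287 "-" "Mozilla/4.76 [en] (Win98; U)"',
    '213.162.50.228 - - [25/May/2005:16:40:04 +0200] "GET /blogs/ch-athens/107 HTTP/1.1" 403 300 "-" "Mozilla/4.76 [en] (Win98; U)"',
    '213.162.50.228 - - [25/May/2005:16:40:12 +0200] "GET /blogs/ch-athens/104 HTTP/1.1" 403 300 "-" "Mozilla/4.76 [en] (Win98; U)"',
    # Constructed contrast line: an ordinary visitor arriving with a referrer.
    '192.0.2.10 - - [25/May/2005:16:41:00 +0200] "GET /blogs/ch-athens/107 HTTP/1.1" 200 5120 "http://example.org/links" "Mozilla/5.0 (constructed sample)"',
]


def summarize(lines):
    """Group requests by user agent: hit count, referrer-less hits, source IPs, URLs."""
    stats = defaultdict(
        lambda: {"hits": 0, "no_referrer": 0, "ips": set(), "urls": set()}
    )
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["agent"]]
        s["hits"] += 1
        if m["referrer"] in ("", "-"):
            s["no_referrer"] += 1
        s["ips"].add(m["ip"])
        s["urls"].add(m["url"])
    return stats


def flag_agents(lines, min_hits=3, min_ips=2):
    """Agents that never send a referrer, hit repeatedly, and come from several IPs."""
    flagged = []
    for agent, s in summarize(lines).items():
        if (
            s["hits"] >= min_hits
            and s["no_referrer"] == s["hits"]
            and len(s["ips"]) >= min_ips
        ):
            flagged.append(agent)
    return sorted(flagged)


if __name__ == "__main__":
    for agent in flag_agents(SAMPLE):
        s = summarize(SAMPLE)[agent]
        print(f"{agent}: {s['hits']} hits from {len(s['ips'])} IPs, no referrer")
```

Run against a full access_log, the same summary also shows whether any request with that agent string ever carried a referrer, which is the check behind the statement that no legitimate users are being blocked.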
22 September 2005
Video Club Identification
...and the movie "The Jacket"
Raided the local Video Club
yesterday evening with still-flatmate and the gf [1]. They have a very lax
system for identification. Basically all you need is some customer's name
and phone number (no, it won't work with my name :-).
It seems some accounts (the newer ones?) also have an
identification code. But more interesting: There is a poster on the
counter that promotes a special setting on your account. With the
special setting they will ask you for a valid ID (ID card, passport,
driver's license) each and every time you borrow a movie. You probably must be as paranoid as me to let them bug you like that. But it seems that at this video club you can decide on a
wide range of security vs. convenience.
[1] If you care: We saw The
Jacket which was much more interesting than I had expected. I did
not have any problems to "get" the whole "timetravel" thing. The movie
has a philosophy (if you can call it that) of balancing life with a
predefined fate and being able to change your life in a more than
usually accepted way (in this case by going through time). The word
"time travel" just does not fit this, for me it was more like going to
the future as a ghost. Also it was nice to see Kris Kristofferson again.
11 November 2005
Attempted Abuse of Comment Notification Mails
Watch out for old spammer tricks
A while ago I received a bunch of comment notification mails. What
happened? My blog is pretty quiet in respect to comments, only every
now and then one comes in. Now I saw ten of them on the same Thursday
morning. Did I finally become famous? I doubted it and even at first
glance I noted the signs of someone mischievous working for the SPAM
industry. It was an attempt to abuse the comment notification feature of COREBlog.
Let's take a closer look at those notification mails...
The lowly SPAM troll tried to find a hole in a simply made mailto
form. Assume our mailto form was constructed to assemble a mail to the
administrator, filling in some header values from the form input. This
could look like this:
To: weblogadmin@myserver
From: entered@fromtheform
Subject: Entered from the form
Text of mail as entered from the form...
Obviously there would be a few more headers and a bit more stuff around
it. Now imagine we entered into our form in the "from" field something like
entered@fromtheform
bcc: testmail@throwawayaccount
(Note the line break!) Then the mail would turn out something like this:
To: weblogadmin@myserver
From: entered@fromtheform
bcc: testmail@throwawayaccount
Subject: Entered from the form
Text of mail as entered from the form...
and since the SPAM crook would have managed to add an additional bcc:-header,
... it gets sent to "testmail@throwawayaccount" too, which is what
the guy who is trying to send out SPAM wants (who probably has
self-esteem equivalent in size and quality to mouse droppings).
As we will see from the live examples, the mail address used is
probably some throwaway account for testing. Later while actually mass
abusing any mailto forms found, there would be hundreds of addresses
added.
This only works if the mailto script is very primitive, and after
many years with mailto forms on the Web, one would assume no such
primitive scripts remain. To avoid such exploits, a mailto script should
at least:
- Not use any form-entered value in mail headers
- Check for proper input (e.g. valid mail addresses), especially if
it can't be avoided to use user input in header fields somewhere
- Have a programmer who RTFM, which in this respect means to look up
security on web applications and input checking.
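The injection described above and the first two checks from the list, as an added Python example (not COREBlog's code and not from the original post): `naive_build` pastes form values into the header block, while `safe_build` uses fixed headers and puts all user input into the body. The function names and the strict address pattern are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

ADMIN = "weblogadmin@myserver"         # addresses taken from the post's samples
DEFAULT_FROM = "defaultfrom@myserver"

# Assumption: a deliberately strict pattern for one bare address.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# The "from" field input described in the post (note the line break).
INJECTED_FROM = "entered@fromtheform\nbcc: testmail@throwawayaccount"


def naive_build(form_from, form_subject, form_text):
    """Primitive mailto script: form values land directly in the headers."""
    return (
        f"To: {ADMIN}\n"
        f"From: {form_from}\n"
        f"Subject: {form_subject}\n"
        "\n"
        f"{form_text}\n"
    )


def header_names(raw):
    """Header names a mail system sees when it parses the raw message."""
    return [k.lower() for k in Parser().parsestr(raw, headersonly=True).keys()]


def valid_address(value):
    """True only for a single address without control characters."""
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        return False
    return _ADDR.fullmatch(value) is not None


def one_line(value):
    """Collapse CR/LF so a value always stays on one line."""
    return re.sub(r"[\r\n]+", " ", value)


def safe_build(form_from, form_title, form_text):
    """Hardened builder: headers are constants, user input goes into the body."""
    msg = EmailMessage()
    msg["To"] = ADMIN
    msg["From"] = DEFAULT_FROM
    msg["Subject"] = "A comment added!"
    if valid_address(form_from):
        author = form_from
    else:
        author = "(rejected: not a valid address)"
    msg.set_content(
        f"Author : {author}\n"
        f"Title : {one_line(form_title)}\n"
        f"Body:\n{form_text}\n"
    )
    return msg


def header_api_rejects(value):
    """EmailMessage refuses header values that contain CR or LF."""
    msg = EmailMessage()
    try:
        msg["Subject"] = value
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    naive = naive_build(INJECTED_FROM, "Entered from the form", "Text")
    safe = safe_build(INJECTED_FROM, "Entered from the form", "Text")
    print("naive headers:", header_names(naive))
    print("safe headers: ", header_names(safe.as_string()))
    print("header API rejects line break:", header_api_rejects(INJECTED_FROM))
```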
COREBlog's comment notification works fine in this regard, as we will see
shortly in the examples the little turd of a SPAMmer provided us with.
I left out most of the headers, since they are not interesting to the
job at hand. I obscured only my own mail addresses, not the ones that
were obviously used by the SPAMmer. Wherever you see something like
123@betabugch, this was entered by the SPAMmer's abuse tool, and in
proper shape; I removed the dot to spare my mail server the bots who
could pick up that fake address.
There were 10 mails within 14 seconds. Not such a bad
performance for my old server and a sign that this is likely an
automated tool, not just some kid playing around. I marked the field
that is trying to overflow in each example. Let's see what we got:
To: weblogadmin@myserver
Subject: A comment added!
From: defaultfrom@myserver
Date: Wed, 02 Nov 2005 21:43:41 +0100
Author : r4287@betabugch
Title : r4287@betabugch
URL : glance
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: was only for
bcc: battsl1005@aol.com
04b101426afa6a8b952bc3b6f05b55f3
.
EntryID / Moderate :
https://www.
Body:
r4287@betabugch
In our very first example the sucker is trying to find the most
foolish of mailto scripts, those piping their input straight into
sendmail. Not only does it set content-type and MIME headers, it also
sets the subject (likely important for the lowly lifeforms known as
SPAMmers). Then with a blank line it introduces the body of the mail and
it even finishes the input to the mail server with a dot on a line by
itself.
To: weblogadmin@myserver
Subject: A comment added!
From: defaultfrom@myserver
Author : dhriven643@betabugch
Title : dhriven643@betabugch
URL : dhriven643@betabugch
EntryID / Moderate :
https://www.
Body:
dhriven643@betabugch
This one left me more curious. There is nothing obvious being done,
and when the spammer hopes to abuse some scripts which send a copy to the
author (mail address entered into the form's "from" field), then he will
not find out, as he is using a fake address. Maybe he tried to find out
if the comment form per se can be abused. Another possibility would be
that he got me here and I did not even notice. But I also did not see a
successful abuse from my mail server logs. And then, successful abuse
of the form would likely have led to a slew of SPAM being sent out,
showing up as at least some more comment notification mails.
To: weblogadmin@myserver
Subject: A comment added!
From: defaultfrom@myserver
Author : where
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: down
bcc: battsl1005@aol.com
f875e032d33080b905834e914991bfc1
.
Title : avenue8900@betabugch
URL : avenue8900@betabugch
EntryID / Moderate :
https://www.
Body:
avenue8900@betabugch
Same as the first one above, he cycles through the various
fields, trying to find one that might have ended up in the mail headers.
The "URL" field above was not a likely candidate, but the abuser who
made this did not mind going a bit further, just in case. It's not his
server resources he is wasting after all.
To: weblogadmin@myserver
Subject: A comment added!
From: defaultfrom@myserver
Author : beautiful
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: at a melancholy
bcc: onemoreaddress@hotpop.com
02ddfe636ffee50072a6dd9af55fda78
.
Title : city7843@betabugch
URL : city7843@betabugch
EntryID / Moderate :
https://www.
Body:
city7843@betabugch
This one is not a new development (they are all the same, and I left
out something of a repeat of number 2), but it is educational in respect
of the address used: "onemoreaddress". And the last one (I left out some
more, not to bore you):
To: weblogadmin@myserver
Subject: A comment added!
From: defaultfrom@myserver
Date: Wed, 02 Nov 2005 21:43:55 +0100
Author : park6237@betabugch
Title : park6237@betabugch
URL : tates
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: passage, they had only not yet discovered the right place
bcc: onemoreaddress@hotpop.com
7a94a23b892267b782670953138358cf
.
EntryID / Moderate :
https://www.
Body:
park6237@betabugch
I skipped most of the others, all alike. The last one here is one
more try in the same effect. Not sure what the repetition is for. The
timestamps reveal that the mails came in just 14 seconds from first to
last.
The body that the spammer is attempting to send is likely some
encoded value which refers back to which page/form allowed the abuse.
I'll investigate a bit further when I have time. Ideas and hints
appreciated! Here are all 8 of them (each on one line):
09 January 2006
Swiss Secret Service and CIA Prisons
Ups, it's in the news now
Everybody in Switzerland knows that the Swiss have a secret service. But we don't expect it to do much more than spy on this country's own citizens and hunt for ghosts of "communists". This morning it turns out they were able to intercept a fax that seems to prove the illegal and secret CIA prisons in eastern Europe (read at the NZZ in German and English). The ministry of defense refuses to comment on the matter since the document is classified as "secret" (but does not deny anything either).
Other parts of "official" Switzerland are boiling up: Possibly transports of prisoners by the Americans may have violated Switzerland's neutrality and there is even the general attorney investigating because it may be that someone had illegally worked for a foreign nation. The matter also moves forward investigations for the European Council. Overall I feel proud of this being brought forward by the Swiss papers (even by something as despicable as the "Sonntags-Blick" tabloid). I wish the authorities the courage to stay tough through this. Maybe the neutrality and diplomatic integrity of Switzerland lives up to its name for once.
12 January 2006
Breaking the Seal
...and this tells us what?
Downstairs from my office there is an insurance company. Or was, since last week I walked up the stairs and noticed a strange white band with wax on their door. I asked someone in our office and indeed the insurance company has been shut down, presumably by the state attorney. Mind you, it's an insurance company, not just an agency. I don't know the full story (so I won't give names), but it seems they were one of the insurance companies that just never paid up. They seem to have gotten a few warnings and now it's shut up. Their offices have indeed been sealed shut. My point though is a different one: This morning I came in and one of the seals was broken... now what?
What does that mean? Did someone enter the office without permission? With permission, but not replacing the seal? Did someone in walking by rip off the seal? Or did it just fall off? And even if it came off by accident, someone could have gone in and destroyed records. How is anyone to know these answers, the seal is just an on/off kind of thing. It's still there or it isn't. The state attorney should really be able to deduce some information from the seal. But what exactly would the breaking of the seal mean to him (or her)? Finding out if someone from that company went in and altered or destroyed records is not going to be easy.
All in all I think sealing off the offices is a necessary step, but it works just as long as the seal is still on. In that case it proves (to some degree) that the records inside the offices were not tampered with. But the moment the seal is broken a lot of possibilities are open.
01 February 2006
The Line Is Up
Yes, ADSL at home
Yes, everything worked. The technician from Vivodi came around at the
specified time. He was delighted to find my two flatmate-grrls there.
The installation seemed to have gone fine. I was already looking out to
get a wireless kit or some other means to get the net to my room. But
then I came home and discovered that the ADSL modem is also a router and
wireless access point. Nice.
Even nicer was the setup of the wireless: It was wide open. At least
there was a password on the admin account, but the network was open and
unencrypted, and the built in firewall was off. So as a first measure
I set up that stuff a bit, WEP 128, MAC address registration, and
the firewall will at least deter the lazier script kiddies. Anything
important will have to be encrypted anyway to go over the line. At least
my paranoia is well developed enough that I use PGP/GPG daily, have the
firewall on my personal machine on and use encrypted protocols for
everything I can. It would be cool to have a Soekris with OpenBSD to
secure the wireless, but that is currently out of reach.
Oh, and the technician was really happy to have my flatmates around,
he gave them his phone number and reminded them to call him if they have
questions. "Any questions! Just call me!" Yeah, sure :-)
02 February 2006
Phone Tapping Scandal in Greece
Hello Mr. President
From before the 2004 Olympics, until March 2005, about 100 mobile
phone numbers of politicians (amongst them also the prime minister)
and official offices have been tapped by unknowns. One number under
"surveillance" seems to have belonged also to the American embassy.
In March 2005 the installation was discovered by an audit (or
a check up) from Ericsson technicians, and the officials were informed.
Not until today though, was the public and ADAE ("Hellenic Authority for
the Information and Communication Security and Privacy") informed. The
mobile phones were tapped by stealth software in the providers
systems...
From what I can understand from an article on the news site in.gr (article in Greek)
about the technical details, stealth software was hidden in the parts of the
system for conference calls of the provider Vodafone. The phone calls
in question were "conference called" to 14 mobile phones with prepaid
cards, stationed in the area of Ilissia (which coincidentally is around
the American embassy). There they seem to have been recorded.
The usual shoving of responsibility (article in Greek) is happening now: The former
government vs. the current government. Vodafone informed the officials
right away (at least they claim), after "shutting down" the illegal
software in question. Some politicians say that investigations were
hindered because that software was removed.
To my eyes, the information
that obviously has been induced shows that some data for an
investigation has been kept (we know: a list of people being spied upon,
duration of that observation, places where the "receiver" phones were
hidden, the "receivers" being prepaid phones). I don't believe those
communications engineers were not making copies or at least dumps of
the illegal software used.
No information was given about the suspects who performed the
surveillance.
Update: Some English language reports:
Hellenic Radio has a news bulletin, a shorter piece by the "Athens News Agency", Reuters (all in English). Duh, had misspelled Vodaphone -> Vodafone is correct.
See also: Vodafone Public Relations in the Phone Tapping Storm
See also: telnetd root Backdoor in Vodafone's Ericsson Systems?