betabug... Sascha Welter


Entries : Category [ security ]
Stuff mildly related to security and privacy.

02 April 2007

PGP encryption and other modern paranoias

PGP seminar with betabug

If up to now you haven't trusted email for security reasons...

From April 22nd on you can relax.

HelMUG is organizing:

on April 22nd 2007 at 13:00 at Dasein cafe, Solomou 12, Exarcheia, the first themed seminar: "PGP encryption and other modern paranoias". Presented by Sascha Welter (betabug).

Please register at papakiteliatziar.gr/PGPSeminarAnnouncement!


Posted by betabug at 19:37 | Comments (0) | Trackbacks (0)
17 April 2007

Underground

A book about "hackers" from the old times

A few days back I had discovered over at adamo's site a link to the online version of the book "Underground". I downloaded the book (of course choosing the plain text version - update: the old link led to a scam site) and started reading. It kept me hooked for a few days of intensive reading. The book recounts the days of old, when teenagers dialed their modems into BBSs and later learned to "hack" (which in this context means breaking into other people's computers). I enjoyed the book and it ignited some good thoughts...


Part of the reading reminded me of when I started out with home computers (even though most of the book is set slightly later), and some of the people seem a bit familiar. Mind that I've never been into that scene myself.

At the time when I was reading the book, I was heavily into real hacking, meaning I was programming and fixing bugs in Zwiki code. While *that* meaning of "hacking" is a perfectly respectable activity, the intensity and concentration on the task is similar. Following hot on the scent of some bug through various layers of code seemed very similar to the description of the kids going through various layers of security in host systems and networks.

Another note in the book rang a bell: next Sunday I will be giving my PGP talk. The book is full of examples where the "hackers" broke into computers and the very first thing they did was to read the system administrator's mail: looking for mentions of break-ins or break-in attempts, looking for passwords and information to get into other systems. Had those system administrators used PGP for their mail, the kids breaking in would have had much more trouble (provided, of course, that the private key and its passphrase weren't lying around on the same compromised host). The one example where encryption was used to protect a file posed a major problem to the intruders -- even though it was the very low-grade "crypt" encryption program.

Posted by betabug at 20:51 | Comments (2) | Trackbacks (0)
26 April 2007

Speaking of "Underground"...

Hello Nortelnetworks! Nice to hear from you...

While I was doing some logspotting yesterday I discovered a couple of accesses that came from hosts that looked a lot like open proxies or a botnet or something. Someone was likely abusing them for scraping mail addresses off web sites. One of them rang a "Bell": I had seen the name "NorTel" in the book "Underground" (see this post). Even though the IP didn't have a reverse DNS entry, the "whois" showed it belonging to "Bell-Northern Research" aka "Nortel Networks". In the book, the "hacker" kids find a way into one of Nortel's telephone exchanges and later into their company network. So maybe one of the researchers set up a test server and forgot to lock it down? ...and now some "hackers" got into it?...


It looked more like "spammers" to me then. Looking at the senderbase report for the IP I noticed quite a bit of activity there:

   Report on IP address: 47.234.Χ.ΥΖ
   Volume Statistics for this IP
                Magnitude Vol Change vs. Average
   Last day     3.2       23830%
   Last 30 days 1.4       363%
   Average      0.7
(This is for today; yesterday the increase in outgoing mail was "only" 18618%.) I fired off a mail to their abuse@ address and to hostmaster@, because that's what the "whois" says. The abuse@ address bounced, telling me that I should use @nortel.com instead of @nortelnetworks.com -- maybe they should update their ARIN / whois contact info?

Of course I haven't heard back from hostmaster@ today either. I'll fire off a second mail today, this time to the "other" abuse@ address. Maybe I should tell them that they have a "hacker" in their network, maybe that would wake them up?

Posted by betabug at 09:31 | Comments (0) | Trackbacks (0)
06 May 2007

Do We Want Pirate Good Privacy?

Or, as adamo says: People get hacked, not machines

Just as adamo writes about the mistake (to put it diplomatically) of downloading "a binary crack of unknown origin from the Internet" while trying to run a secure system, I get a mail from someone who was at my PGP seminar. The man didn't find a suitable PGP program for his PC (the seminar was aimed first and foremost at Macintosh). And what did he do?


He downloaded the "commercial" PGP from some torrent on the pirate bay. That seems especially "wrong" to me (again speaking diplomatically), because even if he prefers the "commercial" PGP over the "free" GPG, he could have downloaded it for "noncommercial", personal use, free of charge and legally. The download page says it's a "trial", but when you read carefully you understand that it does *not* stop working.

For something as sensitive (and let's not be too paranoid here) as the encryption of personal messages, where a program comes from matters to us a great deal.

Posted by betabug at 18:43 | Comments (0) | Trackbacks (0)
18 June 2007

Your Papers!

A surreal scene overviewed

On my Sunday evening walk along the coast between Falliron and Kalamaki I came across a surreal scene. It was evening, the sun was just setting behind Piraeus in a burst of orange and pink light. The promenade was full of families with little children taking a walk, and people who had spent the day swimming and sunbathing at the beach and were now heading home. I passed by a couple of men from (judging by what I could grasp from their talk) Romania, who had been at the beach. They were walking towards the Kalamaki tram station. Suddenly a policeman popped up in the middle of the flow of people...


He wasn't the traffic cop variety, rather he was wearing the dark blue paramilitary uniform like the "antiterrorist" police or the ones protecting official offices wear. He wasn't wearing a cap, nor sporting a big gun, but he had a big nightstick on his side. The policeman addressed the first man with raised voice: "Your papers!" The guy replied: "My papers?" "Yes," said the policeman even louder, "your papers! Papers!" I had quickened my steps, in order not to be pulled into this spectacular display of state power. But then, a little onwards, I stood as if waiting for the tram while I casually looked at what would happen.

The interesting thing was that there was just this one policeman. Sometimes one sees things that are just wrong, like a car flying along on three wheels. Seeing a lone policeman is such a thing; they come in pairs, as every child knows. This single policeman was arguing with the Romanians, who were pointing to the beach (and I guess explaining that they wouldn't carry their papers on them while going for a swim, risking their papers getting ruined or stolen). What I was wondering was what the policeman was going to do now. He couldn't possibly arrest three people, being alone in a crowd with families and little children. And then explain to his superiors that the three guys in swimming trunks didn't produce papers. Which they might or might not possess; no way to find out except to arrest them and keep them in jail till someone fetches their papers, right?

The talk went on for just a short while, when the policeman suddenly passed by the guys and hurriedly marched on towards Falliron, as if he was chasing something. Now I couldn't make heads or tails of that. Usually when a policeman finds out he can't get a handle on you, he gives you a stern look and "lets you get away with it this time". In this case he could have given them a talk about their duty to produce their papers at any time. In the end I wondered if this was a real policeman or someone trying to play the part; it was pretty creepy.

Posted by betabug at 16:38 | Comments (0) | Trackbacks (0)
15 July 2007

Is there anyone who cares about the SSH worm?

Bye bye...

Please excuse the rant... everybody talks about Windoze malware, but is there anybody at all interested in the tons of Unix boxes that carry the SSH worm around? (Everybody knows which one I'm talking about, the one that closes every couple of login attempts with "Bye bye".) My authlog looks like a playground for careless Unix owners. I'm getting tons of connection attempts from places like universities, companies, providers, from about everywhere. By now I have of course blocked most of the world based on IP ranges, but still there are a lot of attempts.

So, what is it really? Are there so many clueless Unix admins around who use (or reuse) simple passwords? Are there Linux distros around with default passwords? What's really happening?

I know that I'm using pretty tough passwords, but all the connection attempts are annoying and a waste of bandwidth. Before I closed most of the IP space, I had 10000s of login attempts from some hosts and up to a hundred or so hosts with 1000s of attempts every day. The proper course of action, writing to the abuse account of the network range, is just not viable (and of course totally useless for e.g. Korean IPs). I just can't imagine any of these people caring about their rooted machines. So is the Unix world just happy to look down on the Windoze world, assuming that *nix worms are a thing of the past, while ignoring the daily filth in our own world?

Update: Here is some analysis of what the attackers try to do. It doesn't address the underlying problem of why they are so successful.
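To put a number on what the authlog shows, here is a small parser, added as an example and not part of the original post, that pulls the failed password attempts out of OpenSSH's syslog lines, counts them per source address and lists the account names being guessed. The log lines, host name and addresses are constructed; the pf table name is an assumption, as is pf itself.

```python
"""Pick SSH password-guessing sources out of an OpenSSH auth log.

Added example, not code from the original post. The log lines below are
constructed to look like OpenSSH's "Failed password" / "Invalid user"
messages; the host name, IPs and user names are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of an OpenSSH auth log (syslog format, made-up hosts/IPs).
SAMPLE_AUTHLOG = """\
Jul 15 20:01:02 hagbard sshd[9120]: Invalid user admin from 203.0.113.5
Jul 15 20:01:02 hagbard sshd[9120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 15 20:01:05 hagbard sshd[9122]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jul 15 20:01:08 hagbard sshd[9124]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 15 20:01:11 hagbard sshd[9126]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jul 15 20:03:40 hagbard sshd[9130]: Failed password for invalid user guest from 198.51.100.77 port 4022 ssh2
Jul 15 20:03:44 hagbard sshd[9132]: Failed password for root from 198.51.100.77 port 4030 ssh2
Jul 15 20:10:00 hagbard sshd[9140]: Failed password for betabug from 192.0.2.10 port 60000 ssh2
Jul 15 20:10:04 hagbard sshd[9140]: Accepted publickey for betabug from 192.0.2.10 port 60000 ssh2
"""

# "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)

def failed_logins(log_text):
    """Yield (ip, user, is_invalid_user) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))

def brute_force_sources(log_text, threshold=3):
    """Return {ip: [users tried, in order]} for IPs with at least `threshold` failures."""
    tried = defaultdict(list)
    for ip, user, _ in failed_logins(log_text):
        tried[ip].append(user)
    return {ip: users for ip, users in tried.items() if len(users) >= threshold}

def guessed_usernames(log_text):
    """Count the account names the attackers try (the 'default passwords?' question)."""
    return Counter(user for _, user, _ in failed_logins(log_text))

def pf_table_lines(sources, table="sshbrute"):
    """Render offenders as pfctl commands for a pf table (assumption: pf is the firewall)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(sources)]

if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_AUTHLOG)
    for ip, users in offenders.items():
        print(f"{ip}: {len(users)} failures, users tried: {', '.join(users)}")
    print(guessed_usernames(SAMPLE_AUTHLOG).most_common(3))
    print("\n".join(pf_table_lines(offenders)))
```

The usernames counted by guessed_usernames are the interesting part of the rant: a list dominated by root, admin, test and the like means the worm gets in by guessing passwords of weak or default accounts. The setting that makes this whole class of traffic harmless is PasswordAuthentication no in sshd_config, keys only; the block list then only saves bandwidth and log noise.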


Posted by betabug at 22:17 | Comments (2) | Trackbacks (0)
24 September 2007

Tired and Buying a Smoke Detector

Beep beep

This morning at about 6:20 someone rang the bell on our apartment door. Repeatedly. I turned over in sweet slumber and cursed the lusers. They kept on and started knocking too. I got up and had a look, wondering whether it was safe to open the door in the middle of the night (not knowing the time yet). Moving over to the hallway I noticed what was wrong, as I looked over to the kitchen: smoke was coming out from under the kitchen door...


I opened the apartment door and let a concerned neighbor in. He informed me that something was wrong, with smoke coming out of our kitchen. There was another guy, a young man in what could have been a fireman's or coastguard uniform (I guess he lives in the building and was about to go to work). We went to the kitchen and they warned me: "Be careful with the door!" I was not awake enough to really check if the door was hot, but opening it revealed just a lot of smoke, and a pot with some food on the stove, left there by my flatmate. Not the first time.

The pot was taken out on the balcony (by the young guy in the uniform), the oven switched off, and all doors and windows opened. I tried to get back to sleep, but the smell of smoke made that impossible. The smoke wasn't too nice for my throat, which is again pretty bad this year with another catarrh. I'm buying a smoke detector alarm this afternoon.

Posted by betabug at 15:27 | Comments (0) | Trackbacks (0)
27 October 2007

Smoke Detector in Place

It's about time

Maybe someone might remember the story Tired and Buying a Smoke Detector in which I was woken up by neighbors who noticed smoke coming out of our apartment. I resolved to buy a smoke detector. Some days ago I finally (!) put it up. Promptly I was asked by my new flatmate what this thing was, so I had to explain the story. Hope we'll never need this thing. But I'm all for doing security stuff in the sense that you'll hopefully never need it; kind of Swiss of me there.

When I was roaming Europe in an old 2CV, I had all sorts of spare parts with me. The stuff that broke was never what you had in spare parts with you. So more spare parts in the car. Did I mention I got a smoke detector now?

Placement of the smoke detector was a bit of a riddle. I first thought it goes into the kitchen, but the docs say that's a big "no". Cooking fumes will clog the detector and cooking smoke may trigger false alarms. OK, so it goes into the hallway, central point of the place. More checkpoints: Minimum distance from walls, place central on ceiling, highest point, but not when roof is going up, ... etc. etc. Well, all that stuff can't work here. Our ceilings are really high, there is a horizontal structure crossing it (so the highest point is not in the flow of the smoke, kind of like the "roof is going up" situation), the hallway is not very wide (distance from wall...). In the end it went on the horizontal structure. Hope that does the trick if it ever has to.

Also, as for buying the smoke detector... I had looked at a few electricians' shops in the neighborhood. They did not have anything so fancy. I'd have to go to the center, around Athinas street. Which I didn't, because Eleni was at that time flying over from Germany. She happened to pass by a big electronics store there and picked up a smoke detector for something like 6 Euro. I must admit it was the cheap way out of hunting it down and learning where these devices are sold in Athens. But at some point lazy was good enough.


Posted by betabug at 21:23 | Comments (0) | Trackbacks (0)
06 April 2008

Google Mailservers used for Dictionary Attack

Looks like there is trouble

The last few days I noticed a nice, big dictionary attack targeting my lowly mail server. It's not the first time and I'm not the only target of this; it looks like Tor has seen it too. What is interesting about the attack is that it's abusing a lot of google servers...


Here are some sending mail servers spotted in my logs:

relay=wx-out-0506.google.com [66.249.82.227]
relay=fg-out-1718.google.com [72.14.220.158]
relay=wf-out-1314.google.com [209.85.200.174]
relay=py-out-1112.google.com [64.233.166.177]
...

Of course there aren't only google servers abused in the attack, but there are so many of them, that I spotted them immediately in the logs.

Makes me wonder if nobody at super-hightech google noticed this. Searching around on the web I didn't find anything regarding the attacks at first, until I noticed a comment on this (only slightly related) post about google mailservers being blacklisted at the New York Times, saying that apparently the captcha test for creating gmail accounts has been broken. According to that comment, it might well be that those accounts are now being put to use by the spammers.

The dictionary attack didn't "get through" on my server of course - I didn't notice a single mail being delivered from it. But that is not such a big relief; the ugly thing with dictionary attacks is that even if they don't get through, we lose. Every mail that doesn't get through allows them to strike one address off their space of possible addresses. They are also abusing our server resources, but with the mail server set up to deny mails right at the SMTP prompt, without generating bounces, that's not hurting so much.
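The "deny right at the SMTP prompt" point is easier to see with the exchange written out. The following is an added example, not the post's own mail server setup: a toy SMTP receiver that answers 550 at RCPT TO for unknown users and hangs up after a few of them, and a scripted attacker that walks a name list against it. Domain, mailbox names, reply texts, relay name and the limit are all assumptions.

```python
"""A minimal SMTP receiver that rejects unknown recipients at RCPT TO time.

Added example, not the post's own server configuration. It models "deny mails
right at the SMTP prompt, without generating bounces": the server says 550 for
unknown users and never accepts them, so there is nothing to bounce later.
The domain, user names and reply texts are assumed; the attacker session is
constructed.
"""

KNOWN_USERS = {"betabug", "postmaster"}    # assumption: the local mailbox list
LOCAL_DOMAIN = "example.org"               # assumption

class DictionaryResistantSmtpd:
    """One SMTP session; `max_unknown_rcpts` mimics a per-session hard error limit."""

    def __init__(self, max_unknown_rcpts=3):
        self.max_unknown_rcpts = max_unknown_rcpts
        self.unknown_rcpts = 0
        self.accepted = []      # recipients we agreed to take mail for
        self.closed = False

    def handle(self, line):
        """Return the server's reply line for one client command line."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.closed:
            return "421 4.7.0 too many errors, closing connection"
        if verb in ("HELO", "EHLO"):
            return f"250 {LOCAL_DOMAIN} Hello"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if ":" not in arg:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            address = arg.split(":", 1)[1].strip("<> ")
            user, _, domain = address.partition("@")
            if domain == LOCAL_DOMAIN and user in KNOWN_USERS:
                self.accepted.append(address)
                return "250 2.1.5 Ok"
            # Reject now instead of accepting and bouncing later: no backscatter.
            self.unknown_rcpts += 1
            if self.unknown_rcpts >= self.max_unknown_rcpts:
                self.closed = True
                return "421 4.7.0 too many unknown recipients, closing connection"
            return "550 5.1.1 Recipient address rejected: User unknown"
        if verb == "DATA":
            if not self.accepted:
                return "554 5.5.1 Error: no valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

def run_session(server, client_lines):
    """Feed a scripted client at the server; return [(client line, reply), ...]."""
    return [(line, server.handle(line)) for line in client_lines]

def dictionary_attack(server, guesses):
    """Model the attacker: one RCPT per guess; return the names that got a 250."""
    hits = []
    server.handle("EHLO wx-out.example.net")           # constructed relay name
    server.handle("MAIL FROM:<spammer@example.net>")   # forged envelope sender
    for name in guesses:
        reply = server.handle(f"RCPT TO:<{name}@{LOCAL_DOMAIN}>")
        if reply.startswith("250"):
            hits.append(name)
        elif reply.startswith("421"):
            break      # server hung up; the rest of the list stays untested
    return hits

if __name__ == "__main__":
    for line, reply in run_session(DictionaryResistantSmtpd(),
                                   ["EHLO wx-out.example.net", "MAIL FROM:<spammer@example.net>",
                                    "RCPT TO:<info@example.org>", "RCPT TO:<betabug@example.org>",
                                    "DATA"]):
        print(f"C: {line}\nS: {reply}")
    print(dictionary_attack(DictionaryResistantSmtpd(),
                            ["info", "sales", "betabug", "john", "mary", "postmaster"]))
```

Two things to take from running it: without a limit, every 550 tells the attacker exactly one address that does not exist and every 250 one that does, which is the "we lose anyway" of the post; and since nothing is accepted for later delivery, there is no bounce to send back to whatever forged envelope sender the relay used. The per-session hard limit is the extra a practitioner would add (Postfix's smtpd_hard_error_limit does this), since it forces the attacker to reconnect and spread the list over many sessions.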

Posted by betabug at 10:03 | Comments (0) | Trackbacks (1)
01 March 2010

Faking it on someone's tumblr blog

Push it baby, push it real good

tumblr is a blogging service that is well known for its ease of use: basically you can send posts to your personal (and secret) tumblr mail address and they will appear on your blog. Cool. My COREblog has a similar "moblog" feature, but I have to give some specially formatted information to make the post work - and to make it authenticate, I have to include a password (which is sent in cleartext, so no real security there). This morning my friend saad and I wondered about the security of tumblr's offering: given that someone got hold of your posting address, how good are they at weeding out faked posts?


The answer: don't let anybody know your blog's secret tumblr email address. Being geeks and security minded, we wanted to try this out. Saad gave me his secret address and told me the address he usually posts from. Not information you find randomly on the web, but information you could spot from 2 minutes of access to a cow-orker's computer during lunch break.

Saad had said that:

according to what I've read, they use some header combination in your email to "try to tell" that [it] is you

so I was expecting not to get away too easily with this. What I tried first was to go through my mails and find an old message from saad. I copied the headers to a text file. I then munged them, changing dates and times of the "Received" header lines and cutting them off at a point where one could (in theory, assuming theories ran in funny mail circles) assume that a mail from his provider had been routed through my server to tumblr's mail server.

I prepared the complete message in the text file, minus the envelope sender (that one is given to the SMTP server in MAIL FROM, not in the headers). Then I opened a telnet connection to port 25 (smtp) on my own server and manually sent the message to the secret posting address.

My first attempt failed miserably. It turned out that I had made a very stupid mistake... during copy-and-pasting, no less. The copied headers had extra spaces at the end of lines, which generated an extra line break in there, resulting in non-functioning headers. tumblr didn't post that, but didn't give saad a notice of a failed post attempt either.

I gave it a second try, cleaning things up. Still no luck, but still no notice to saad either. So I went and gave it another try, just a wild shot: I simply sent a mail from my normal mail client (mutt), from one of my normal mail addresses, to the blog mail address. Nothing happened... at first. A couple of hours later though, saad informed me that I had managed to post to his blog.

Long conclusion: maybe I had done something really wrong (hey, I don't fake mail headers all day long), or probably all the advanced header checking in tumblr does work... but in the end it is futile, since any valid message to the proper address will get through anyway.
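To see what went wrong with the pasted headers, and why header checking is futile, here is an added example, not the message I sent and not tumblr's code: it builds a message with a From: header of the sender's choosing, runs an assumed "trust the From: header" check against it, and then shows what Python's email parser makes of a header line that got broken by a stray line break. Addresses and host names are constructed.

```python
"""Forge a mail-to-blog post and see why From-header checks don't help.

Added example, not the post's own message and not tumblr's checking logic.
The addresses, host names and header values are constructed; the "naive"
check is an assumed model of a service that trusts the From: header, not a
description of what tumblr actually does.
"""
import email
from email import policy

VICTIM_POSTING_ADDR = "saad@example.com"              # constructed: address the owner posts from
SECRET_BLOG_ADDR = "x7k2p9q@post.example-tumblr.net"  # constructed: the "secret" posting address

def build_post(from_addr, subject, body, received=()):
    """Build a raw RFC 5322 message. Every header here is chosen by whoever sends it."""
    lines = [f"Received: {r}" for r in received]
    lines += [f"From: {from_addr}", f"To: {SECRET_BLOG_ADDR}", f"Subject: {subject}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body + "\r\n"

def naive_sender_check(raw, trusted_addr):
    """Assumed model: accept the post if From: matches the owner's usual address."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg["From"] is not None and msg["From"].addresses[0].addr_spec == trusted_addr

def header_problems(raw):
    """Report whether a pasted message's header block survived intact.

    Returns (defect names, body). A header line broken by a bare line break
    (no leading whitespace on the continuation) is not a folded header: the
    parser stops the header block there and the rest, remaining headers
    included, silently becomes body text.
    """
    msg = email.message_from_string(raw)   # compat32 policy records defects instead of raising
    return [type(d).__name__ for d in msg.defects], msg.get_payload()

if __name__ == "__main__":
    forged = build_post(VICTIM_POSTING_ADDR, "Hello from nobody", "Push it real good",
                        received=["from mail.example.com by mx.example-tumblr.net; "
                                  "Mon, 1 Mar 2010 10:00:00 +0000"])
    print(naive_sender_check(forged, VICTIM_POSTING_ADDR))   # the forged From: passes
    broken = forged.replace("Subject: Hello from nobody", "Subject: Hello\r\nthere world")
    print(header_problems(broken))                           # defect listed, headers in body
```

The naive check passes for the forged message because From: is just text the sender writes, and a Received: chain is equally free text. The broken variant shows the copy-and-paste failure: a continuation line that does not start with whitespace is not a folded header, so the parser ends the header block there and everything after it, including the remaining headers, lands in the body.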

Funny enough, since saad's blog is set up to post to twitter and facebook too, I generated my first ever tweet and my first ever facebook message, along with the memorable post to saad's tumblr blog. In the meantime saad has of course removed the post in question, since it wasn't written by him.

Posted by betabug at 14:24 | Comments (1) | Trackbacks (0)
12 March 2010

World Day Against Internet Censorship

Say something...

Today, courtesy of Reporters Sans Frontières, we have the "World Day Against Internet Censorship" (my own translation). The internet gives us, among other things, the possibility to express facts and opinions in a more open and free way than we did before. Some people don't like that at all. With all kinds of excuses they try to cut off the speech of those who don't express the opinion of whatever "ministry of truth" they have.

I'll use the opportunity to mention blogme.gr here... remember it? We don't need to go far for such examples. One Liarkopoulos and his "friends" the "cyber-cops" are enough to show us "our place".


Posted by betabug at 14:49 | Comments (1) | Trackbacks (0)
07 October 2010

crypto cult programming

To the tune of "cargo cult programming"

crypto cult programming /n./ The belief that if you throw enough crypto babble at your code, put in enough hashes, rounds of encryption, bits of keys, you will end up with secure code. Somewhere along the lines of cargo cult programming (link to the jargon file).

I was sitting here, thinking about one project idea that seems to have stalled due to some inherent trust problem in a client-client relationship. Then I read the post Putting Unique Codes on Objects to Detect Counterfeiting from Bruce Schneier. Hey, I said to myself, maybe something like that could do the trick. But yeah... no trust is no trust, no matter if you make it cryptographically twiddleable.

Which reminded me of a flash game that one company I worked for back in .ch had made. Some people were cheating on the high scores. We thought long and hard about how to encrypt stuff, sign stuff, crypto up stuff... but as long as everything is on the client's computer, really "secure" is not going to be an option; it's still going to be crypto cult programming.
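What crypto cult programming looks like in the high-score case, as an added example that is not the Flash game's code: the client signs the score with an HMAC key that necessarily ships inside the client, so a cheater who has pulled the key out signs any score they like and the server's verification passes. The key, names, scores and the toy server-side rule set are constructed.

```python
"""Why signing game scores on the client is crypto cult programming.

Added example, not the Flash game from the post. It models "sign the score
with a secret key embedded in the client": because the key ships with the
client, the cheater signs whatever score they like and the server cannot tell
the difference. Key, player names, scores and the toy rule set are constructed.
"""
import hmac
import hashlib

# The key must be inside the client to sign there; assume the cheater has read
# it out (decompiled SWF, memory dump, debugger).
EMBEDDED_CLIENT_KEY = b"constructed-key-shipped-inside-the-client"

def client_sign_score(player, score, key=EMBEDDED_CLIENT_KEY):
    """What the legitimate client does after a game: produce (player, score, tag)."""
    msg = f"{player}:{score}".encode()
    return player, score, hmac.new(key, msg, hashlib.sha256).hexdigest()

def server_verify_score(submission, key=EMBEDDED_CLIENT_KEY):
    """What the server can check: that the tag matches the embedded key. Nothing more."""
    player, score, tag = submission
    expected = hmac.new(key, f"{player}:{score}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

def cheater_forge_score(player, wanted_score):
    """The cheater runs the same code with the same key; the server cannot tell."""
    return client_sign_score(player, wanted_score, key=EMBEDDED_CLIENT_KEY)

def server_authoritative_score(moves):
    """The only way out: the server validates the game itself and computes the score.

    Constructed toy rule set: a move is valid if it is an integer in 0..3 and
    each valid move is worth 10 points; the client never gets to state a total.
    """
    return sum(10 for m in moves if isinstance(m, int) and 0 <= m < 4)

if __name__ == "__main__":
    honest = client_sign_score("saad", 120)
    forged = cheater_forge_score("mallory", 999_999)
    print(server_verify_score(honest), server_verify_score(forged))   # both verify
    print(server_authoritative_score([1, 3, 0, 2, 99, "x"]))            # 40
```

The signature does catch a tampered transport (a score changed after signing fails verification), which is all it can do; it says nothing about whether the score was earned. The server_authoritative_score function sketches the only real answer: the server validates the moves and computes the score itself, and the client never gets to state a total.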


Posted by betabug at 09:35 | Comments (0) | Trackbacks (0)
09 December 2010

Dear Postfinance...

The things one learns

... evolution showed us quite a while ago that without a backbone it is hard to defend yourself against primates.

Being the victim of (nota bene probably illegal) DDoS attacks is certainly not nice. Having to leave your own customers standing outside even less so. If only you had shown a little bit of backbone. Surely you couldn't know it would turn out this way (probably nobody could have known), but that you were voluntarily running into a PR disaster even without the DDoS attacks, that should have been clear to you already.


Posted by betabug at 15:54 | Comments (0) | Trackbacks (0)
14 March 2012

Freedom of speech

At hackerspace.gr

I'm at hackerspace.gr right now, listening to a talk, "... from a series of presentations on the topic of freedom of speech and the protection of communications on the Internet" (see here).

So far we're talking about cryptography, probably to get to topics like PGP. That is, something I know fairly well. He's doing it quite well; I think beginners will grasp the subject too.

Let's see what we'll hear next...


Posted by betabug at 18:44 | Comments (0) | Trackbacks (0)
13 April 2012

CTF coming up at hackerspace.gr

April 21

Yesterday evening I went to the hackfest10 at the hackerspace. There were only two lightning talks, but very good ones. First we learned about the "green hack" window gardens that are being built at a window in the backside room of the hackerspace. The plan is to grow some strawberries there.

The other talk was about the upcoming 24h Capture The Flag competition on April 21st 2012. Lots of preparations went into this, there are some tickets to be won and fun to be had. Unfortunately I won't be there, for two simple reasons: First, I'll likely be out of town and second, I have no clue whatsoever in these things :-)


Posted by betabug at 18:16 | Comments (0) | Trackbacks (0)
31 May 2012

SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys

Book review: An introduction to using SSH

Some weeks ago, undeadly.org published an announcement for the book "SSH Mastery" by Michael W. Lucas. The book isn't expensive and I was in the mood, so I bought it at smashwords. (At smashwords I was able to get it both as PDF for reading on the 'puter and as epub for the ebook reader. No DRM either, very reasonable.)

Now, this book probably came a few years too late for me. If you aren't using the ins and outs of ssh yet, if you feel confused by all this stuff ssh does, this is the book for you. It covers OpenSSH and PuTTY. There's a lot of practical info in there. But then the author clearly says what the book is not:

This book is not intended to be a comprehensive SSH tome.

Too bad, since that would be really nice to have! So for myself I haven't found much new stuff in there. Well, there were some details that I tended to forget and got a good reminder of. Also I had never really played much with X forwarding. I'd like to play around more with X forwarding just for the cool factor, but right now I don't have any setup where I could use it.

The description of how to do an ssh-based VPN gave me much more confidence to try it myself one day... if opening an ssh login for root didn't freak me out (even with all the restrictions that you are dutifully guided to set up).

I found one big mistake in the book, it says:

Also note that all IP address bindings must be chosen before opening
your SSH session. You cannot add port forwarding to a live SSH
session, or change the IP addresses bound during a session.

Indeed we can: we use ssh escapes to do exactly this, at least for sessions with a pty. Type newline + ~C and you'll get an ssh> prompt where you can add port forwardings with the usual -L, -R and -D syntax and cancel them again with -KL, -KR and -KD.

In general, escape sequences are missing from the book. This is a pity, since even a beginner might find ~. useful to kill a stuck ssh session (~? lists all of them). Apart from these few points I can really recommend the book!


Posted by betabug at 23:25 | Comments (0) | Trackbacks (0)