Roachys Weblog » Security

E-Darwin award winner?

Paul Morgan-Roach — Mon, 22 Sep 2008 09:28:26 +0000

To qualify for a Darwin Award, you need to do something achieving suicidal levels of stupidity, thus rendering an abrubt end to your gene pool…..

It would appear that David Kernell has just achieved that with his “hack” of Sarah Palin’s private Yahoo mail account.

The following article is well worth a read, as it shows that when carrying out a stupid stunt, that level of stupidity is made infinitely less (or more) impressive by broadcasting your act of stupidity and creating a paper trail back to you leaving incriminating evidence of your stupid act…

http://www.tgdaily.com/html_tmp/content-view-39405-108.html

To throw into the mix the potential death of the career of said offenders father makes this possibly the MOST ridiculous act of self-sabotage I have heard of this year…

http://blog.wired.com/27bstroke6/2008/09/fbi-raid-apartm.html

Out of the frying pan…..

Paul Morgan-Roach — Thu, 11 Sep 2008 08:18:02 +0000

Following my scathing comments about Ubuntu and the Debian OpenSSL flaw and my subsequent migration to Fedora…(http://technicalmumblings.wordpress.com/2008/05/23/goodbye-ubuntu/), I was a little concerned when I read the following:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

This kind of begs the question, which is the lesser of the 2 evils here? A security breach can occur on any platform and across many platforms…..mistakes do happen. The real trick is how these breaches and vulnerabilities are actually dealt with. To Debian’s credit, it dealt with protecting the users as a first priority, whereas in this case Fedora/Red Hat’s first priority appears to have been covering it’s own arse, with the users put at risk being the second priority. Maybe this is the difference between the 2 vendors outlook and corporate responsibilities….

There’s an interesting discussion on Slashdot here:

http://linux.slashdot.org/article.pl?sid=08/09/10/029231

Google vs. Cuil as a Password cracker

Paul Morgan-Roach — Thu, 31 Jul 2008 14:54:23 +0000

Well, Google is effectively an amazingly powerful data gatherer and indexing tool – check out this article on how Google can be used to check for previously indexed MD5 hashes:

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/

I thought I’d put Cuil to the test, to see whether they can offer the same “service”….given their bold claims about their number of indexed pages

Step 1 – think of a password – for the sake of this test I’ll choose the weak password, gringo

Step 2 – hash the password (if you’re lazy, like me, this can be done here)

Step 3 – Google it!

Step 4 – Cuil it!

First DNS Hijacks reported

Paul Morgan-Roach — Tue, 29 Jul 2008 07:34:55 +0000

It looks like following Dan Kaminsky’s exploit being made public the first attacks have been reported on DNS servers:

http://www.techcentral.ie/article.aspx?id=12375

I can’t believe that there are many people out there who haven’t yet patched their DNS servers……but it’s worth checking on the Doxpara site (http://www.doxpara.com/)

…that is, of course unless you’re DNS has been hijacked and you are being sent to a spoofed doxpara site

Still bad news for those running Mac DNS servers as Apple still haven’t released a patch, although apparently the Bind team have stated that the BSD version of the patch can be ported….

Further info here:

http://xforce.iss.net/xforce/xfdb/35575

Insecure email

Paul Morgan-Roach — Mon, 14 Apr 2008 12:30:31 +0000

Working for a number of clients, it’s surprising how many people assume that an email sent is secure by default. The number of people (including e-commerce providers) who feel comfortable sending (and requesting) credit card information via email is quite shocking…

It’s worth clarifying that sending an email is the digital equivalent of sending a postcard….anyone, on any number of the hops between the sender and the recipient, could read the contents of that email with relative ease, in the same way that if you sent a postcard, anyone en route between the sender and the recipient who handles that card could read the contents. Worse yet, there are methods of spoofing (pretending to be) the recipient mail server – causing all emails that are destined for the recipient to be captured then forwarded on without the recipient even knowing that this has happened….

There are methods of securing email, however – one of these is worth noting as a free solution – GNUPG http://www.gnupg.org/ and it is worth considering if you need to send any information that you feel is sensitive. GNUPG can be used for digital signing of emails (proving that the email is really from you) and also for the encryption of emails using a private key pair.

There are resources on the use of GNUPG on the site, and it can be used on a variety of platforms (Windows, Linux, Mac) etc.

SSH Port Forwarding again….

Paul Morgan-Roach — Tue, 18 Mar 2008 08:53:00 +0000

Another cool article on SSH port forwarding:

http://www.cmready.com/polyoperable/?p=7

theres more info on using SSH to proxy outbound connections here:

http://www.debuntu.org/2006/04/08/22-ssh-and-port-forwarding-or-how-to-get-through-a-firewall

and on creating transparent socks proxys and reverse tunnels here:

http://www.linuxlogin.com/linux/admin/sshtunnels.php

Breaking Firewalls with OpenSSH and Putty

Paul Morgan-Roach — Thu, 06 Mar 2008 14:36:13 +0000

Just found this interesting article

http://souptonuts.sourceforge.net/sshtips.htm

IPtables in Ubuntu Gutsy

Paul Morgan-Roach — Fri, 29 Feb 2008 23:02:44 +0000

Ok, well I’ve just had my first unpleasant surprise with Ubuntu Gutsy. Just checked my IPtables rules as i’m at home effectively outside my firewall just testing my security, and it seems that by default, the ruleset is set to allow all traffic…..I’m pretty shocked….. when stacked side by side with Fedora, which i’ve been using at work, which is downright agressive about security from the word go. Ubuntu by it’s very nature is aimed at making Linux more accessible, and from reading the Ubuntu forums the majority of new users wouldn’t even consider checking…

I appreciate that most people seem to think that a firewall is unnecessary on a Linux box, as no daemons are running on a default install – but suppose (as I do) you then install an SSH server, and you want Windows machines on your network to access files….and a plethora of other bits and pieces – eventually you end up with loads of holes. I’d rather find out an application doesn’t work until I open corresponding ports than have data visible from the public internet…

My untouched IPtables config looked like this:

roachy@roachy-laptop:~$ sudo iptables –list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Then after modification (yes I cheated and used Firestarter!)

roachy@roachy-laptop:~$ sudo iptables –list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp — 192.168.2.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp — 192.168.2.1 anywhere
ACCEPT 0 — anywhere anywhere
ACCEPT icmp — anywhere anywhere limit: avg 10/sec burst 5
DROP 0 — anywhere 255.255.255.255
DROP 0 — anywhere 192.168.2.255
DROP 0 — BASE-ADDRESS.MCAST.NET/8 anywhere
DROP 0 — anywhere 224.0.0.0/8
DROP 0 — 255.255.255.255 anywhere
DROP 0 — anywhere 0.0.0.0
DROP 0 — anywhere anywhere state INVALID
LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
INBOUND 0 — anywhere anywhere
LOG_FILTER 0 — anywhere anywhere
LOG 0 — anywhere anywhere LOG level info prefix `Unknown Input’

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp — anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER 0 — anywhere anywhere
LOG 0 — anywhere anywhere LOG level info prefix `Unknown Forward’

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp — 192.168.2.11 192.168.2.1 tcp dpt:domain
ACCEPT udp — 192.168.2.11 192.168.2.1 udp dpt:domain
ACCEPT 0 — anywhere anywhere
DROP 0 — 224.0.0.0/8 anywhere
DROP 0 — anywhere BASE-ADDRESS.MCAST.NET/8
DROP 0 — 255.255.255.255 anywhere
DROP 0 — anywhere 0.0.0.0
DROP 0 — anywhere anywhere state INVALID
OUTBOUND 0 — anywhere anywhere
LOG_FILTER 0 — anywhere anywhere
LOG 0 — anywhere anywhere LOG level info prefix `Unknown Output’

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp — anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp — anywhere anywhere state RELATED,ESTABLISHED
LSI 0 — anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER 0 — anywhere anywhere
LOG tcp — anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound ‘
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp — anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound ‘
DROP tcp — anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp — anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound ‘
DROP icmp — anywhere anywhere icmp echo-request
LOG 0 — anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound ‘
DROP 0 — anywhere anywhere

Chain LSO (1 references)
target prot opt source destination
LOG_FILTER 0 — anywhere anywhere
LOG 0 — anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound ‘
REJECT 0 — anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp — anywhere anywhere
ACCEPT tcp — anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp — anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp — 192.168.2.11 anywhere tcp dpt:www
ACCEPT udp — 192.168.2.11 anywhere udp dpt:www
ACCEPT tcp — 192.168.2.11 anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp — 192.168.2.11 anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp — 192.168.2.11 anywhere tcp dpt:microsoft-ds
ACCEPT udp — 192.168.2.11 anywhere udp dpt:microsoft-ds
ACCEPT tcp — 192.168.2.11 anywhere tcp dpt:https
ACCEPT udp — 192.168.2.11 anywhere udp dpt:https
LSO 0 — anywhere anywhere

Quite a significant difference…..

How to test for Open Mail Relays

Paul Morgan-Roach — Mon, 18 Feb 2008 16:41:33 +0000

Previously I knew how to test for traditional Open Relays on mail servers – but was looking for some more extensive testing and stumbled across this site:

http://www.dsbl.org/relay-methods

Among the list is methods of testing against double bounce and webmail relaying….

In addition to this the base-64 encoding and decoding tool can be used to test SMTP Auth on servers:

http://legacy.dillfrog.com/tools/base-64_encode/

Very useful