Dan Q

Tag: security

The Worst Server Infection I’ve Ever Seen

With my day job at SmartData I’ve recently been doing some work for a client, transporting their data from the Microsoft SQL Server that back-ends their desktop application and converting it to a different schema on a different database for a new, web-based application. Because there’s quite a lot of data, the schema are quite different, and the data needs to be converted in a “smart” way: I’ve written a program to help with the task.

My program takes data from our client’s old server and moves it to their new server, making several alterations along the way.

Unfortunately, it’s  a slow process to move all of the data over. So, to test my program as I continue to develop it, I thought it might be useful if I could take a copy of the “live” database to somewhere more local (like my computer). This would remove the overhead of going through the Internet each time, and reduce the run time of the program significantly – an important consideration during its ongoing development.

Unfortunately, a quirk in the way that Microsoft SQL Server works is that the backup file I can make (ready to restore onto my computer) doesn’t appear on my computer, but appears on the old server. And I don’t have a means to get files off  the old server. Or do I? I have a username and password: I wonder if there are any other services running on the server to which I might have access. To find out, I use a program called Nmap to try to get a picture of what services are running on the server.

The results of running Nmap on the server. That’s a lot of open ports…

And that’s when I realised that something might be wrong. For those of you who aren’t inclined toward understanding the ins and outs of network security, the screenshot above should be considered to be more than a little alarming. There’s pretty obvious and clear signs that this computer is infected with Trinoo, NetBus, Back Orifice, and quite probably other malware. It’s almost certainly being used as part of denial of service attacks against other computers, and could well be stealing confidential information from our client’s server and the other computers on their network.

How have things gotten so out of control? I’m not sure. I’ve never seen such a rampant runaway set of infections on a server system before. Computers belonging to individuals, especially individuals inclined to installing BonziBuddy, Smiley Central/Cursor Mania, and so on, are often littered with malware, but one would hope that a server administrator might have a little more wisdom than to let unauthorised code run on a server for which they were responsible. At the very least, a Windows-based, Internet-accessible server ought to be running a strict firewall and antivirus software (virtually all antivirus software would have detected all three of the infections I’ve named above).

Just about  anybody can get onto the ‘net, these days, and I can just about forgive a regular Jo who says says, “I don’t know anything about computers; I just want to play FarmVille.” It’s disappointing when they end up inadvertently helping to send email advertising “$oft C1ALIS tabs” to the rest of us, and it’s upsetting when they get their credit card details stolen by a Nigerian, but it’s not so much their fault as the fault of the complexities they’re expected to understand in order to protect their new computer. But when somebody’s running a service (as our client is paying for, from a third-party company who’s “managing” their server for them), I’d really expect better.

The Bit for the “Regular Jo”

And if you are a “regular Jo” on a Windows PC and you care enough to want to check that you’re part of the solution and not part  of the problem, then you might be interested in a variety of free, trusted:

  • Anti-virus software (essential)
  • Adware/spyware removal tools (useful if you routinely install crap downloaded from the web), and
  • Firewall software (essential if you connect “directly” to the Internet, rather than via a “router”, or if you’re ever on networks on which you can’t trust the other network users – e.g. free wi-fi access points, shared Internet connections in student houses, etc.)

Edit: And don’t forget to regularly install your Windows Updates. Thanks to Gareth for the reminder that regular Jos should be encouraged to do this, too.

× ×

Article posted at UTC on .

2 comments

SuperGenPass In MicroB On The Nokia N900/Maemo

In the unlikely event that I’m not the only person who uses SuperGenPass to manage my passwords and MicroB on Maemo on my Nokia N900, here’s a few tips that I thought I’d share (they’re also valid on the N800 and N810 and “hacker edition” N770s, too, I expect):

  • You don’t have a Bookmarks Toolbar (where would you put it on a 3½ inch screen?), so once you’ve customised your SuperGenPass bookmarklet, you’ll need to click-and-hold on the generated link, and then select “Add bookmark” to save it to your bookmarks).
  • Use it as normal: either fill your master password into the form and click your Bookmarks menu and select the bookmarklet, or select the bookmarklet and give it your master password. Don’t forget when using complex forms or changing passwords that Maemo provides a full clipboard so you can copy/paste passwords around where the need arises (thankfully quite rarely).
  • If you’re irritated by the “You have requested an encrypted page that contains some unencrypted information” warnings that you see when logging into SSL-secured websites (and the fact that unlike desktop Firefox, you can’t turn it off from the settings), here’s how you disable it:
    • Enter the web address – about:config
    • Agree to the warning page, if you’re presented with one
    • Type “security.warn_viewing_mixed” into the search box, or browse the properties list for that option
    • Select it by clicking on it, and tap the Enter key to toggle it from true to false.
  • I don’t yet know the reason for the fleeting “Maximum number of characters reached” message, but it doesn’t seem to impact on functionality of SuperGenPass. Does anybody else know what it’s about or how it can be suppressed?

Article posted at UTC on .

No comments

HttpOnly Session Cookies using ActiveRecordStore in Rails 2.2

If you’re using CookieStore to manage sessions in your Ruby on Rails application, Rails 2.2 provides the great feature that you’re now able to use HTTPOnly cookies. These are a great benefit because, for compatible web browsers, they dramatically reduce the risk of a Cross Site Scripting (XSS) attack being able to be used to hijack your users’ sessions, which is particularly important on sites displaying user-generated content. You simply have to adjust your environment.rb file with something like:

config.action_controller.session = {
:session_key => ‘_session_id’,
:session_http_only => true,
:secret      => ‘your-secret’
}
config.action_controller.session_store = :cookie_store

Unfortunately, the Rails developers didn’t see fit to extend HTTPOnly cookies to those of us using ActiveRecordStore, where the XSS risk is still just as real. To fill this gap, I’ve produced a very simple and only slightly-hackish plugin which overrides the functionality of Rails’ CGI::Cookie to force all cookies produced by Rails to be HTTPOnly, regardless of the session store being used.

To use it, download this file and extract it into your application’s vendor/plugins directory, and restart your application server. You can test that it’s working using Tamper Data, FireCookie, or whatever your favourite cookie sniffing tool is.

Article posted at UTC on .

1 comment

SSL Client Certificate Authentication In Ruby On Rails

I’ve been playing with using client-side SSL certificates (installed into your web browser) as a means to authenticate against a Ruby on Rails-powered application. This subject is geeky and of limited interest even to the people who read this blog (with the possible exception of Ruth, who may find herself doing exactly this as part of her Masters dissertation), so rather than write about it all here, I’ve written a howto/article: SSL Client Certificate Authentication In Ruby On Rails. If you’re at all interested in the topic, you’re welcome to have a read and give me any feedback.

Article posted at UTC on .

2 comments

LiveJournal Needs To Tighten Security

Hmm… as part of my ongoing work with Abnib v3.0, I’ve noticed a couple of interesting little quirks in the way that LiveJournal handles security for “friends only” and “private” posts. In fact, I’m pretty sure I’ve found a way to – for any given user – produce a list of the times, dates, and URLs of all posts made by anybody – even ones to which I don’t have access. Not terribly disturbing news, as I still can’t get access to the content of the posts or even the comments to them, but it’s an “opening” – a “way in” – which could potentially lead to a full-blown exploit.

For example, I can tell you that there is a post on Andy’s blog that I’m not allowed to read, that he wrote on the 17th of Januaryat about quarter past four in the afternoon (I hope you don’t mind me using you as my “guinea pig”, Andy – you’re the first person I came to who had a “recent” private post).

The numbers near the end of LiveJournal post URLs are supposed to be semi-random to prevent people from just “guessing” their way to posts, but it turns out this isn’t necessary. I’ve e-mailed LiveJournal to try to explain their flaw to them, but as I can’t be arsed to debug it myself (hey: not my weblog at risk, here), I don’t know yet how much of a priority they’ll make it.

Ho hum.

Edit: Further investigations have revealed that I can easily get the title (but not the content or the comments) of any LiveJournal post, including protected ones. For obvious reasons, I’ve now stopped using my friends’ weblogs as testbeds, and I’ve set up a couple of “play” accounts to try things out with. I wonder if I can get the content of posts? That’d be an interesting challenge.

Article posted at UTC on .

5 comments

scan.co.uk

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Ruth wrote:

We are in the process of ordering a new computer. Most of the bits are coming from Scan. Now, their range is lovely, and their postage policy is reasonably sensible, but they have a dumb policy on debit cards.

If you pay with a debit card (instead of a credit card), you can only have the goods delivered to your registered home address. Now, that might seem ok, because where else are you going to want stuff delivered, right? Wrong. You might want thehardware delivered to your place of work because you’re never home during the day. It might be something your buying for a technologically inept relative and you might want it to go to their home, not yours.

Or, like me, you might be a lazy student who uses their mother’s address in far-off North Yorkshire as their home address so they don’t have to change it twice a year.

Things like this which penalise people who don’t use credit cards make me cross. If anyone knows otherwise, please say, but to me it seems that it’s all just a big conspiracy by the banks to make us all use a really, really inferior product.

Anyway. Out of a desire not to have the computer bits go to Yorkshire, we’ve given the money to Dan who’ll be placing the prder with his credit card and getting it sent to our new house in PJM.
—-
On the subject of the post, my mother called me last night to ask for my new address so she could re-direct some letters from the university. So the items in question will have travelled from the campus to PJM (that is, over the road) via North Yorkshire. How very, very silly.

Anyhoo folks, I’ve got to go to work. Oh yeah, and house-warming party tonight, number 72 PJM. Punch and cake provided; if you want anything else, bring it with you.

Forcing people to have deliveries sent to their registered address cuts down on card fraud, which is moderately freqent at mail order computer hardware stores on account of the high value, discreetness, and availability of the goods. It’s not possible to accurately perform such checks on credit cards, but it’s easy to with debit cards.

Many banks give special dispensation on their student accounts; allowing them to – for example – submit two addresses which they will automatically switch between throughout the year – or allow two registered addresses to function for card checks (while still delivering the statements to one). Ask your bank if they can do this, and, if they can’t, write a letter to inform them that there are banks that can. If you’re not willing to let your feet do the talking, there’s no way to let these large organisations listen to you.

There’s no reason not to own a credit card unless you feel you cannot trust yourself to do so – or the banks won’t give you one! For many such cards, there is no interest if you pay them off immediately each month (which can be automated thanks to wonderful schemes like Direct Debit): this increases the flexibility of your purchasing power (particularly when purchasing from overseas) without costing you a penny. On a side note, owning one that you only ever use in this fashion increases your credit rating (which is checked when buying a contract mobile phone, getting a mortgage, applying for credit on a car, or whatever). Just for examples’ sake; if you owned an unused credit card, you could have ordered these computer parts and – odds are – immediately transferred the money from the bank account to the card, thereby giving you the bits sooner.

All of that said, I think I’ve quite aptly (and almost entirely) undermined the sense in preventing expensive goods being delivered only to the registered cardholder’s address, because as we’ve just seen there’s always a way to circumvent such checks by routing the money other ways: this leaves a longer paper-trail (banks and credit companies are, by law, required to keep better records for longer than companies that happen to process card transactions), but is otherwise a sensible way to commit fraud without triggering the little alarm bells that debit cards have hanging from them. So yeah; perhaps Scan should be a little less draconian.

Now Chip-And-PIN in the UK: there’s a flawed, insecure, badly-implemented system.

 

Reply posted at UTC on .

1 comment

OpenID For WordPress

Update: 12th October 2007 – this project is to be considered abandoned. Please see How To Set Up OpenID For WordPress Comments instead. Thanks for the support and for your interest in OpenID.

THIS IS ALL HORRIBLY OUT OF DATE. THE DOWNLOAD LINKS DON’T WORK, I KNOW. GET OVER IT. More seriously now, I am working on a new version of this that actually works as a WordPress 2.0.x plugin. It’s very nice, but it’s not finished. Watch this space. In the meantime, why not take a look at OpenID Comments For WordPress (which is based on my preliminary work, here). Thanks for all the attention, guys.

As promised, I’m releasing the first usable version (v0.4) of my WordPress OpenID plugin tool. It’s very, very messy and a little buggy. Plus, installing it requires that you hack a few PHP files… use at your own risk. You’ll need a WordPress v1.5 weblog. Download this package and decompress it to your WordPress directory. It will create an openid_icons directory, a file called openid.php (the main codebase), and a file called openidform.php (the form that appears on your blog). Edit openid.php and substitute your own weblog URL in at the appropriate places (near the top). Link in the login form wherever you like. I’ve done so in my theme’s “sidebar.php” file, with the following code: <?php include (TEMPLATEPATH . '/openidform.php'); ?> In your main index.php, add a line to include the openid.php file. This will allow logins and logouts to be processed. Something like this: <?php require_once('openid.php'); ?> In wp-comments-post.php (the comments processor), substitute the following code in under “// If the user is logged in”: // If the user is logged in get_currentuserinfo(); if ( $user_ID ) { $comment_author = addslashes($user_identity); $comment_author_email = addslashes($user_email); $comment_author_url = addslashes($user_url); } elseif ($_SESSION['sess_openid_auth_code'] != "") { $comment_author = addslashes($_SESSION['sess_openid_auth_code']); $comment_author_email = "openid@example.com"; $comment_author_url = addslashes($_SESSION['sess_openid_auth']); } else { if ( get_option('comment_registration') ) die( __('Sorry, you must be logged in to post a comment.') ); } Notice the extra section, relying upon $_SESSION[‘sess_openid_auth_code’]. That’s the magic bit. And it should ‘just work’. Let me know if it doesn’t; I’ll be improving the codebase over the coming weeks and I’d like to include your suggestions. If you need any help setting it up, I can probably help with that too, or even with adapting the code to work with other applications (than WordPress). Features so far:

  • Authenticate OpenID users
  • Easily authenticate OpenID users from particular servers, including members of LiveJournal, DeadJournal, and Level9
  • Authenticated OpenID users can post comments

Features to come:

  • Cookie-based “remember me”
  • Ability to authenticate WordPress users (e.g. the weblog owner) by an OpenID
  • “Friends Only” protected posts, which can only be read by certain authenticated users
  • AJAX-powered log-in (to save users from having their browsers redirected excessively, and because it can be made to look swish), where supported

If you want to help code, just drop me a message.

More Geeky Fun – Hack Security Cameras

This was one of my most-popular articles in 2005. If you enjoyed it, you might also enjoy:

Here’s a giggle – somebody’s found a cleverly crafted Google search string that will reveal the (unprotected) web interfaces of a particular kind of Panasonic web-capable security camera. Just point a web browser at http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=inurl%3A%22ViewerFrame%3FMode%3D%22, then select one of the cameras (you might have to try a few before you get a working one). If you get a motorised one, you can even remotely control it! Here’s some I found earlier:

Update 17th August 2011: fixed broken link to Panasonic website!

Article posted at UTC on .

14 comments

Security Through Obscurity Reaches A New Low

PowerPizza! It’s a laptop bag that looks like a pizza box! No longer do you have to worry about your attractive laptop being an easy target for thieves – who’d want to steal a pizza box?

Fucking crazy. But I love it.

Note posted at UTC on .

3 comments

Internet Explorer Exploit Of The Day

There’s yet another killer Internet Explorer bug out there, which is manifesting itself in the form of a new trojan, Phel.A. This one only affects Windows PCs updated with SP2 (the supposedly ‘safe’ people) and works by confusing the ‘trusted’ and ‘untrusted’ zones.

I always find reports like this interesting, so I’ve written an exploit of my own. If you’re still using Microsoft Internet Explorer, and you’d like to see why you shouldn’t be:

  1. Click here to look at a web page I’ve set up [update: link long-dead]. It looks kinda boring, I know, but – if you’re using Internet Explorer, it will slyly put a tiny application in your Startup group.
  2. Next time you log into Windows, the tiny application will download and install a bigger application.
  3. Next time after this that you log into Windows, the bigger application will run, and tell you why you shouldn’t be using Internet Explorer.

The information on how to use this exploit is easily available on the web. Before long, we’ll be seeing another wave of web sites that can install software on ant Internet Explorer users’ computer.

If you’re still using Internet Explorer, take a look at BrowseHappy.

Article posted at UTC on .

4 comments

A Selection Of News Items From Around The World

[this post has been partially damaged during a server failure on Sunday 11th July 2004, and it has been possible to recover only a part of it]

[more of this post was recovered on Friday 24 November 2017]

Here’s some stuff I found interesting this weekend:

Swedish health workers, in an effort to stem the growing cases of chlamydia among young people, have launched a ‘condom ambulance [BBC News]. If you find yourself ‘caught short’ in Sweden, just give them a bell and they’ll rush around to your house with a pack-of-three, for the equivelent cost of about £4.

Chinese researchers have used a carbon nanotube [Wikipedia] as a filament in a new, experimental light bulb [The Register]. This bulb emits more light and works at a lower threshold than tungsten at the same voltage, and was still functioning fine after being switched on and off 5000 times. The future of lighting?

And finally, researchers from Hebrew University in Israel may have found a solution to the problems associated with passwords. As it stands, ‘secure’ passwords are hard to remember, and often find themselves written down, whereas insecure ones can be cracker. Plus, for real security, passwords should be …

 

Article posted at UTC on .

No comments

Reply #13106

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Sian wrote:

People are funny. I get to look at the accounts of people who have signed up for Children First newsletter updates, and their passwords make me laugh. The number of people who’s password question is just their password is scary.
I also worry for the person who put their password question as ‘opposite of goodbye’.
Guess the password guys! Yes, it’s Hello!
Password Question: Mums Name. Password: Councillor (What?? The cruelty!)
Password Question: favourite game. Password: Boggle (yay!)
Password Question: Fish. Password: Dolphin (…?)

Most popular theme is pets name, so I’m glad pets have a purpose in this day and age. Another popular theme is the Magic Roundabout which worries me somewhat.

Anyways, I’m sure this is against some sort of rule but I found it funny.

The passwords should be one-way encrypted. Your system is insecure. This is evident by the fact that you can read everybody’s passwords. =o)

 

Reply posted at UTC on .

No comments