April 2011 – Frank Leonhardt's Blog

Infosec Europe 2011 – worrying trend

Every Infosec (the Information Security show in London) seems to have have a theme. It’s not planned, it just happens. Last year it was encrypted USB sticks; in 2009 it was firewalls. 2011 was the year of standards.

As usual there were plenty of security related companies touting for business. Most of them claimed to do everything from penetration testing to anti-virus. But the trend seemed to be related to security standards instead of the usual technological silver bullets. Some of the companies were touting their own standards, others offering courses so you could get a piece of paper to comply with a standard, and yet others provided people (with aforementioned paper) to tick boxes for you to prove that you met the standard.

This is bad news. Security has nothing to do with standards; proving security has nothing to do with ticking boxes. Security is moving towards an industry reminiscent of Total Quality Assurance in the1990’s.

One thing I heard a lot was “There is a shortage of 20,000 people in IT security” and the response appears to be to dumb-down enough such that you can put someone on a training course to qualify them as a box-ticker. The people hiring “professionals” such as this won’t care – they’ll have a set of ticked boxes and a certificate that proves that any security breach was “not their fault” as they met the relevant standard.

Let’s hope the industry returns to actual security in 2012 – I’ll might even find merit in the technological fixes.

6-April-1130-March-16

Google Phishing Tackle

In the old days you really needed to be a bit technology-savvy to implement a good phishing scam. You need a way of sending out emails, a web site for them to link back to that wouldn’t be blacklisted and couldn’t be traced, plus the ability to create an HTML form to capture and record the results.

Bank phishing scam form created using Google Apps — Creating a phishing scam form with Google Apps is so easy

These inconvenient barriers to entry have been swept away by Google Apps.

A few days back I received a phishing scam email pointing to a form hosted by Google. Within a couple of minutes of its arrival an abuse report was filed with the Google Apps team. You’d might expect them to deal with such matters, but this still hadn’t been actioned two days later.

If you want to have a go, the process is simple. Get a Gmail account, go to Google Docs and select “Create New…Form” from on the left. You can set up a data capture form for anything you like in seconds, and call back later to see what people have entered.

Such a service is simply dangerous, and Google doesn’t appear to be taking this at all seriously. Given their “natural language technology” it shouldn’t be hard for them to spot anything looking like a phishing form so, I decided to see how easy it was and tried something blatant. This is the result:

No problem! Last time I checked the form was still there, although I haven’t asked strangers to fill it in.

5-April-1129-August-11

Fetchmail, Sendmail and oversized emails

There’s a tendency for lusers to try to email anything these days. If you though a few Gig of outgoing mail queue was enough you haven’t come across the luser who decided to email the contents of a CD (uncompressed) to all her friends. Quite what they’d have made of their iPhone trying to download it I’ll never know.

Sendmail has a method for limiting emails to a sensible size. As a reminder, inside host.example.com.mc you need to add:

# The following sets the maximum message to 5Mb - otherwise it's infinite define(`confMAX_MESSAGE_SIZE', `5242880')

Then run “make” and “make install” and “make restart”. This will generate the sendmail.cf (and any hashmaps) before restarting. The bit you always forget when changing .mc files is the “make install”. This is all for FreeBSD – Linux types, please do it your own way.

So this is great – anyone sending an over-sized email is bounced from their server, and local users submitting email will be similarly clipped into the world of sane and sensible (if you regard something as large as 5Mb as sensible for an email).

But I came across one interesting issue recently and it could happen to you, too, if you’re using fetchmail.

For those who haven’t come across it before, fetchmail pulls emails from a POP3 box and delivers them to local users – dropping them into your local MTA by default. This is reasonable, as everything then goes through the spam filtering, procmail and anything else you have defined. It’s really useful for legacy situations where someone’s ended up with a POP3 box somewhere and you need to integrate it with the rest of their mail.

Fetchmail does plenty more besides, and has a config file to match the functionality. Presumably as a reaction against the complexity of the sendmail.cf syntax, this one tries to operate in plain English. I’ve never quite figured out the full syntax, but it’s designed to be “flexible” and figure out what you’re trying to say. Personally I don’t think it succeeds in being any more friendly then sendmail.cf in spite of being on the other end of the spectrum.

Anyway, the fun comes when fetchmail downloads an over-sized email from the POP3 box and delivers it locally via Sendmail. Sendmail will reject it, and send a bounce back to the original sender. So far, so good but f Sendmail is running as a cron job every five minutes, the luser gets a bounce back every five minutes because the outsized mail is stuck in the POP3 box. Opps! It may serve them right, but they shouldn’t be allowed to suffer for too long.

Fortunately one of fetchmail’s many options allows you to control the maximum download size, if you could figure out the syntax. It’s available as a command-line option –l , but if you prefer to keep things in the .fetchmailrc file (the best plan) you’ll need to proceed as per the following example. They keywords are “limit” and “limitflush”.

local-postmster-account is the login for your local postmaster – undelivered emails go there.
pop3.isp.co.uk – mail server with the POP3 box
users-domain.co.uk – Domain name who’s email ends up in POP3 box above
pop3-username, pop3-password – what you use to log into the POP3 box
Tom, Dick and Harry are local mailboxes, with tom being the default. set postmaster local-postmster-account poll pop3.isp.co.uk proto pop3 aka users-domain.co.uk no envelope no dns: user "pop3-username", with password "pop3-password", limit 5242368 limitflush to dick "dick@users-domain.co.uk " = dick "richard@users-domain.co.uk " = dick harry "harry@users-domain.co.uk " = harry tom "tom@users-domain.co.uk" = tom "*@ users-domain.co.uk " = tom
here

This isn’t intended as a tutorial in writing .fetchmailrc files – only an example of the use of limit and limitflush.

So what’s going on? The limit keyword must be part of the poll statement, and is followed by the size (in bytes) of the maximum email to be retrieved. In the example it’s 512 bytes less than the 5Mb used in Sendmail (I feel I need a bit of slack on a boundary condition; it may be okay if they’re identical but I why push your luck?)

Please read the fetchmail documentation for full details (although it’s light on examples). With just the “limit” keyword in use, over-sized mails will be left I the POP3 box. The following “limitflush” keyword will silently delete over-sized emails so they don’t bother you again. You may not want to do this! If you don’t, someone will have to retrieve or delete the emails form the POP3 box manually.

Note that putting a limit on the download will prevent the bounce messages going to the original sender as it won’t get as far as sendmail.

4-April-1113-January-12

Billing problems 1899.com

1899 and 18866 are two apparently linked low-cost telecoms companies. They’re so-named because that’s the prefix used to route through them.

Now some time ago I started using their services and wrote a couple of articles recommending them, with the proviso that you shouldn’t expect any kind of customer service. The company appears to be based in Switzerland and they don’t want to talk to anyone. But they’re legit. The only thing I said back then was to pay by credit card and get consumer protection. If you don’t mind this, they do deliver. Or did deliver.

After many years I had to change my credit card number, so I filled in the billing change for both companies. 1899 took no notice, and after several months tried to bill the old card – and was rejected. I made sure they had the right one, and told them to try again, but they wouldn’t. When I eventually got through to someone apparently from 1899 they said it was their policy not to try a card a second time and asked me to send the money using an international transfer, after which they’d start billing the card again. I don’t think so. This could have been anyone’s bank account, and if genuine it’s a very strange way to do business – as well as costing me £20 for the transfer. Apart from which, they weren’t trying to charge the old card again – it was a new number. That’s the point!

Their terms of business say you need to pay by credit card – no problem, they can charge the card.

They didn’t.

I wrote back saying charge the card, or if you really don’t want to, you can have cash. This is an offer to pay using legal tender – if they refused they won’t have a leg to stand on if they want the money any other way. I assumed they’d see sense.

They didn’t.

This went back and forth. I made it clear – charge the card (recommended), take the cash or I’ll see you in court. It’d be interesting to meet these guys if they went for one of the last two options.

It’s over a year now. I still owe them for the calls, and haven’t heard anything about it. It’s annoying that I owe them money. The service doesn’t work any more (unsurprisingly). I can manage without it. 18866 still works (that half of the company is using the correct card).

So do I still recommend 1899 and 18866? Well I suppose I do, but as I said in my original articles, it’s fine when it works but don’t expect any sane or sensible customer service if it doesn’t.