Christmas Hackers 2010

The 2010/2011 cybercrime season has been one of the most prolific I remember. There have been the usual script-kiddie attacks, wasting bandwidth. These largely consist of morons trying to guess passwords using an automated script, and they’re doomed to failure because no serious UNIX administrator would have left guessable passwords on proper accounts. And besides, they’re guessing system account names you only find on Windows or Linux.

What seems to be a bigger feature this year is compromised “web developer” software written in PHP. This is set up by designers, not systems people, and they really don’t understand security – hence they’re a soft target.

This year it appears that phpMyAdmin has been hit hard. The vulnerability seems to be caused by poor installation (leaving the configuration pages up after use) combined with running an old, weak version of the code whose flaw was actually fixed a year ago. When I looked I found several copies of the old version, still active, dating from the time when the web designer had initially commissioned the site.

The criminals appear to be using a mechanism that’s slightly different from the original exploit documentation, but it is fairly obvious to any programmer looking at the setup.php script. It allows arbitrary uploads to any directory that Apache has write access to.

The nature of the attacks has also been interesting. I’ve seen scripts dropping .htaccess files into all likely directories, redirecting accesses elsewhere using the mod_rewrite mechanism. This appears to be intended as a simple DoS attack by overloading target servers (homelandsecurity.gov and fbi.gov being favourite targets).
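If you suspect this has happened to a server you look after, the quickest way to find the dropped files is to look for every .htaccess under the document root whose RewriteRule or Redirect points at an absolute URL on some other host. The script below is an added example written for this post, not anything from the attackers’ kit or from phpMyAdmin; the directory tree it builds and the .example hostnames in it are constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example: find .htaccess files that send visitors off to another host.
# The sample tree built by make_sample_tree is constructed for this demo;
# the hostnames in it are placeholders (.example is a reserved domain).

# find_redirecting_htaccess WEBROOT
# Prints "path<TAB>lineno:directive" for every .htaccess under WEBROOT whose
# RewriteRule, Redirect, RedirectMatch or RedirectPermanent target is an
# absolute http(s) URL, which a legitimately placed file rarely needs.
find_redirecting_htaccess() {
    webroot=$1
    find "$webroot" -name .htaccess -type f 2>/dev/null | while read -r f; do
        grep -nE '^[[:space:]]*(RewriteRule|Redirect(Match)?|RedirectPermanent)[[:space:]].*https?://' "$f" |
        while IFS= read -r line; do
            printf '%s\t%s\n' "$f" "$line"
        done
    done
}

# count_redirecting_htaccess WEBROOT -> number of flagged directive lines
count_redirecting_htaccess() {
    find_redirecting_htaccess "$1" | wc -l | tr -d ' '
}

# --- constructed sample document root -----------------------------------
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/blog/wp-content" "$root/phpMyAdmin"
    # a legitimate file: it only switches directory listings off
    printf 'Options -Indexes\n' > "$root/images/.htaccess"
    # a dropped file: every request is bounced to an external host
    cat > "$root/blog/wp-content/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*
RewriteRule ^(.*)$ http://redirect-target.example/$1 [R=302,L]
EOF
    # another dropped file, using mod_alias instead of mod_rewrite
    printf 'Redirect 302 / http://another-target.example/\n' > "$root/phpMyAdmin/.htaccess"
    echo "$root"
}

SAMPLE=$(make_sample_tree)
find_redirecting_htaccess "$SAMPLE"      # lists the two dropped files, not images/
```

Run it against the real document root rather than the sample tree, and follow up each hit by checking the file’s mtime and owner against when the site was last legitimately changed.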

That this is the work of script kiddies there is no doubt. They’ve left botnet scripts written in perl and python all over the place on honeypot machines. Needless to say this makes them really easy to decode and trace, and you can probably guess which part of the world they seem to be controlled from.

My advice to users of phpMyAdmin (a web-based front end for administering MySQL) is to learn how to use SQL properly from the command line. If you can’t do that (or your hosting company won’t let you, which is a problem with low-cost web hosts), at least secure it properly. Upgrade to the latest version, keep it upgraded and remove it from the server when not in use. If you don’t want to remove it, at least drop a .htaccess file in the directory to disable it, or make it password protected.
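For the “drop a .htaccess file in the directory” option, here is an added example of the two files I’d actually write; it is my own illustration, not part of phpMyAdmin or of anything quoted above. It assumes Apache (2.2 or 2.4) with AllowOverride permitting AuthConfig and Limit directives in that directory, and the /etc/apache2/pma.htpasswd path is a placeholder for wherever you keep the credentials file (it must be outside the document root).

```shell
#!/bin/sh
# Added example: disable or password-protect a phpMyAdmin directory with .htaccess.
# Assumes Apache with AllowOverride AuthConfig Limit for the directory.
# All paths are placeholders; the directory used at the bottom is constructed.

# Mode 1: nobody can reach it. Use this whenever phpMyAdmin is not in use.
# Both the Apache 2.4 (Require) and 2.2 (Order/Deny) forms are written;
# mod_authz_core only exists on 2.4, so IfModule picks the right one.
write_deny_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# phpMyAdmin is disabled. Replace this file with the password-protected
# variant only while it is actually being used, then put it back.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Mode 2: HTTP Basic authentication in front of it. Create the credentials
# file outside the document root first, e.g.
#     htpasswd -c /etc/apache2/pma.htpasswd admin
# and serve phpMyAdmin over HTTPS only, or the password travels in clear.
write_auth_htaccess() {
    dir=$1; passwdfile=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "phpMyAdmin"
AuthUserFile $passwdfile
Require valid-user
EOF
}

# htaccess_mode DIR -> deny | auth | open, by reading what is in place.
# Handy in a nightly check so a "temporarily" opened phpMyAdmin gets noticed.
htaccess_mode() {
    f=$1/.htaccess
    if [ ! -f "$f" ]; then echo open
    elif grep -qE '^[[:space:]]*(Require all denied|Deny from all)' "$f"; then echo deny
    elif grep -q '^Require valid-user' "$f"; then echo auth
    else echo open
    fi
}

PMA=$(mktemp -d)                      # stands in for e.g. /var/www/phpMyAdmin
echo "fresh directory: $(htaccess_mode "$PMA")"
write_deny_htaccess "$PMA"
echo "after deny:      $(htaccess_mode "$PMA")"
write_auth_htaccess "$PMA" /etc/apache2/pma.htpasswd
echo "after auth:      $(htaccess_mode "$PMA")"
```

The password-protected form still leaves phpMyAdmin itself reachable to anyone who guesses or sniffs the credentials, so it is the lesser option; the deny file costs nothing and is what should be in place between uses.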

chkrootkit finds bindshell infected on port 465

The current version of chkrootkit will throw up a warning that bindshell is INFECTED on port 465 in some circumstances when there is nothing to worry about. What it’s actually doing (in case you can’t read shell scripts, and why should you when there’s a perfectly good ‘C’ compiler available) is running netstat and filtering the output looking for listening ports that shouldn’t be in use. Port 465 is SMTP over SSL, and in my opinion should very definitely be used, but it is normally disabled by default.

As to whether this should worry you depends on whether you’re using secure SMTP, probably with sendmail. If you set up the server you should know this. If someone else set it up and you’re not too familiar with sendmail, the tell-tale line in the .mc file is DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl. Note the ‘s’ on the end of smtp.

Assuming you are using SMTPS, you can easily stop chkrootkit from printing an error (or returning an error code) simply by modifying the bindshell() subroutine to remove 465 from the list of ports to check. It’s on line 269 on the current, 0.49, version of the script.
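Rather than patching a number out of chkrootkit every time it is upgraded, you can do the same check yourself and derive the exclusion from the sendmail configuration. The script below is an added illustration written for this post, not chkrootkit’s own bindshell() routine: it applies the same idea (netstat output, a list of ports a bindshell is known to use, and a list of ports you have a reason to expect) but its SUSPECT_PORTS list is a small constructed subset, not chkrootkit’s real one, and the netstat lines and sendmail.mc fragment are constructed sample input.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: a bindshell-style port check whose
# exclusions come from sendmail.mc instead of from editing the checker.
# SUSPECT_PORTS is a constructed illustrative subset, not chkrootkit's list.
SUSPECT_PORTS="114 465 1524 31337 60001"

# bindshell_check EXCLUDE_PORTS < netstat-output
# Reads `netstat -an`-style lines; BSD "*.465" and Linux "0.0.0.0:465"
# local-address forms both work. Prints each LISTEN socket whose port is in
# SUSPECT_PORTS and not in EXCLUDE_PORTS; exit status 1 if any were printed.
bindshell_check() {
    exclude=$1
    awk -v suspect="$SUSPECT_PORTS" -v exclude="$exclude" '
        BEGIN {
            n = split(suspect, s, " "); for (i = 1; i <= n; i++) S[s[i]] = 1
            n = split(exclude, e, " "); for (i = 1; i <= n; i++) S[e[i]] = 0
        }
        $NF == "LISTEN" {
            port = $4; sub(/.*[.:]/, "", port)      # text after the last . or :
            if (port in S && S[port]) { print "INFECTED (PORTS: " port ")"; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# smtps_enabled SENDMAIL_MC -> true if an (uncommented) daemon is declared on Port=smtps
smtps_enabled() {
    grep -qE '^[[:space:]]*DAEMON_OPTIONS\(.*Port=smtps' "$1"
}

# port_exclusions SENDMAIL_MC -> the ports this box legitimately listens on
port_exclusions() {
    if smtps_enabled "$1"; then echo 465; fi
}

# run_check SENDMAIL_MC < netstat-output
run_check() { bindshell_check "$(port_exclusions "$1")"; }

# --- constructed sample input ------------------------------------------
NETSTAT_SAMPLE='tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.465                  *.*                    LISTEN
tcp4       0      0 *.31337                *.*                    LISTEN
tcp4       0      0 192.0.2.10.22          198.51.100.7.51324     ESTABLISHED'

MC=$(mktemp)                         # stands in for /etc/mail/sendmail.mc
cat > "$MC" <<'EOF'
dnl constructed fragment of a sendmail.mc with SMTPS switched on
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF

# 465 is explained by the .mc, so only the real oddity (31337) is reported
printf '%s\n' "$NETSTAT_SAMPLE" | run_check "$MC" || echo "(suspicious listener present)"
```

On a live box replace the sample with `netstat -an | run_check /etc/mail/sendmail.mc`; a listener on a port that neither the mail configuration nor you can account for is what actually deserves a look, whatever the tool is called.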

I’m not so convinced that chkrootkit is any substitute for an experienced operator, but it’s out there, people use it and it’s better than nothing.

FBI hacks every VPN on the planet

Can VPN’s be trusted?

I got wind of an interesting rumour yesterday, passed to me by a fairly trustworthy source. I don’t normally comment on rumours until I’ve had a chance to check the facts for myself, but this looks like it’s going to spread.

Basically, the FBI paid certain developers working on the OpenBSD IPsec stack and asked for back-doors or key-leaking mechanisms to be added. This occurred in 2000/2001. Allegedly.

The code in question is open source and is likely to have been incorporated in various forms in a lot of systems, including VPN and secure networking infrastructure.

Whilst I have names of the developers in question and the development company concerned, it wouldn’t be fair to mention them publicly, at least until such code is found. If you’re using the IPsec stack in anything, you might want to take a good look at the code, just in case.

However, if the code has been there for nearly ten years in open source software, how come no one has noticed it before?

Prince Charles’ attackers lucky to be alive

At about quarter past eight this morning, on Radio 4’s Today programme, the head of the Metropolitan Police (Sir Paul Stephenson) remarked that the protection officers in Prince Charles’ car had “shown restraint” last night when the Prince and his wife were attacked by anarchists. The presenter (Sarah Montague, I think) picked up on this, and asked what he meant by “restraint”, sensing he might be implying that the armed officers might have shot some of the rioters. He declined to spell it out. So, in spite of it being obvious, I will.

The bodyguards to the heir to the throne (and, come to that, the Prime Minister and various other establishment VIPs) are there for one purpose – to protect him from those that would do him harm. They’re carrying guns, not pea-shooters. So, faced with a situation where a bunch of enthusiastic republicans are smashing through the window of his car and shouting that they wished to kill the occupants, what are SO14 officers going to do? Well, if the rioters were a credible threat, get out of the car, or get off their bikes, and shoot them before they get a chance to kill or injure their intended victim. They’d already broken a window – if they’d got any further into the car I’d have said they were a credible threat.

Sarah Montague, and the rioters, need to grow up.

WikiYawn

So, Wikileaks has dumped a whole load of US diplomatic dispatches on the web. What fun. What interesting titbits can be gleaned?

Well, it seems like some US diplomats think Robert Mugabe, Kim Jong-il and Mahmoud Ahmadinejad are all bad news. Fancy that. Who’d have thought it? Another diplomat thinks Prince Andrew was rather forthright on a trade mission – calling the abortive fraud investigation a waste of time. What did this diplomat expect? Kissing babies and collecting flowers?

Apparently a lot of people in the Middle East don’t trust the Iranians’ nuclear programme and want something done about it. No kidding!

This isn’t news. There’s no conspiracy theory being confirmed. This is all an exercise in the art of the obvious. It might have been interesting to learn that South Korea and China weren’t preparing for a change of regime in the North, but no, they’re on the case.

With no juicy conspiracy being reported, one might wonder what all the fuss has been about. So here’s a conspiracy theory about the conspiracy theory: the news media are reporting all this non-news to distract attention from some really interesting stuff buried in the 250,000 documents released. Perhaps, but given that (apparently) two and a half million American government employees have access to this stuff anyway, if there was anything really new to be found it’d be out in the open anyway.

Error 0x8002007 installing Security Essentials

Good one this! If you’re trying to install Microsoft Security Essentials and it crashes out with Error 0x8002007, clicking on the Help link doesn’t really help.

If you read the TechNet blurb it relates to the Windows Update service not working, and if you believe this you’re going to waste a lot of time trying to repair it. I did. But the solution was really simple.

If you’re using Windows XP the Microsoft site will give you the Vista/Windows 7 version by default! Hunt around for the Windows XP 32-bit version, download that and it’ll probably work. Just don’t click the “Download Now” button because it doesn’t check which one you need – or give you the choice.

Some genius programmers at Microsoft didn’t bother to check the Windows version number as soon as you start the installer. I wonder why not.

The one you get by default is:

mssefullinstall-x86fre-en-us-vista-win7

The one you probably want is:

mssefullinstall-x86fre-en-us-xp

The Church vs the Establishment

The Bishop of Willesden, Pete Broadbent, has said the marriage of our future King (and his future boss) and Kate Middleton would “last about seven years”. He went on:
“We need a party in Calais for all good republicans who can’t stand the nauseating tosh that surrounds this event.”

I always thought the church took marriage seriously, but apparently not.

His employers, the Church of England, have said he was acting as an “individual”. ‘sfunny, I thought he was a bishop.

He’s since apologised. So that’s all right.

On the same day, the Bishop of Manchester, Nigel McCulloch, has complained to Ofcom that News Corporation’s full takeover of Sky “might lead to a harmful concentration of media power”.

I wonder – is he an individual or a bishop?

But Rupert Murdoch is confident that the takeover will not damage competition. So that’s all right.


Google is innocent (ish)

So Google’s streetview cars have been driving around harvesting people’s email passwords have they? Well this is probably true. Let’s sue/fine/regulate them!

Actually, let’s not. They haven’t done anything wrong. What Google’s surveying vehicles did was record the wireless Ethernet radio activity as they went along, to get an idea of where the WIFI hotspots are. This is a really useful thing for someone to have done – there’s no other way to find out what’s really where than by doing a ground-level survey.

In order to determine what kind of service they’re receiving you need to record a bit of the traffic for analysis. If it’s a private service, this traffic will be encrypted so it really doesn’t matter a jot – they’d be mostly recording gibberish. If it’s an open, public service they’d get the clear text of whatever happened to be transmitted at the time if the lusers weren’t using application-layer encryption. If some technological dunderhead decides to do a radio broadcast of his unencrypted passwords, Google (and anyone else in the vicinity) will end up receiving that too.

Look at it another way – if someone wrote their password on a big sign and stuck it in the front of their house, anyone walking down the road couldn’t help but capture it. Are the pedestrians doing something wrong, or is the owner of the house an idiot?

It’s no good the idiots bleating on about Google. That won’t give them brains. It might, however, give them some of Google’s money and this could be the real motive.

The Information Commissioner, Christopher Graham, has come up with some surprising statements about Google. But on review, they’re only surprising to someone who understands the technical issues here. Does this mean Graham is a technological klutz? It’s one theory – at times it seems like everyone the government appoints to deal with technology requires this as a qualification. However I think it’s far more likely a case of bowing to media/political pressure on the subject and wishing to be seen to be doing something about it.

Then, last Friday, Google signed an undertaking with the Information Commissioner’s Office to train their staff that they mustn’t do naughty things (just in case they were ever tempted). In return for this the ICO promises to leave them alone. Read it for yourself – it’s only three pages long.

http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/google_inc_undertaking.ashx

What’s sad about the whole affair is that the ICO is, first and foremost, a political/media driven entity even if there are some level heads at work behind the scenes. But what a waste of time and money…

Crude Awakening plans to block oil refineries

So who are they? Part of the international Climate Action Justice network, but the group currently blocking the Coryton refinery are probably just an affiliated bunch.

[Image: Crude Awakening Coryton Demo]

This idea is nothing new – people have been organising high-profile protests against oil dependency for some time. But what is “oil dependency”? Basically, it’s the tendency of politicians to favour the oil industry against all common sense.

One obvious example of this is the motor industry, which enjoys protected status in order to furnish votes. Look what happened when the economy crashed in 2008 – subsidies to the motor industry to “protect jobs”. If Gordon Brown and friends were simply interested in finding employment for redundant motor industry workers they’d have spent the money on building something useful, like cycle lanes or wind turbines. But no – bail out the motor industry as people like cars, and hope no one notices how hypocritical this sounds from a New Labour twittering on about the environment while using it as an excuse to raise taxes.

Other high-profile groups involved in this kind of thing are Plane Stupid and Climate Camp, although this lot are clearly more confrontational about it. If you want the other extreme there’s the World Naked Bike Ride. These are all groups who have woken up to what “Oil Dependency” really means – pollution, congestion, war, greenhouse gasses and political dodgy dealing to secure supply. Would certain countries get away with what they’re doing if they didn’t hold the off-button for the oil supply?

As yet, however, none of these are a political force to be reckoned with. Blocking an oil refinery will get the issue in the news, if they handle things properly, but will David Cameron sit up and take notice?

So good luck to Terri Orchard and her merry bunch (not all-women as reported in the press). From what I understand, Coryton is only the first refinery on the list, and they’re planning to cover a lot more if they can. If this proves correct, I’ll be glad I ride a bike.

Oliver Drage makes mockery out of RIPA

Oliver Drage, suspected trader in child pornography, has just been sent down for refusing to disclose the password he’d used to encrypt his PC. This is an offence under RIPA (the Regulation of Investigatory Powers Act 2000). So if you’ve got something dodgy on your computer, you’ll get locked up whether or not the cops can decrypt it (or you’ve lost the password).

A spokesman for Lancashire police was pleased: “Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.”

Really. Drage is going to gaol for sixteen weeks (read “two months”). How long would he have been locked up for if he’d given them the password so they could decrypt whatever it’s alleged he was hiding? Five years? Ten years? Lock up and throw away the key?

This is not what I call “taking it seriously”.

The penalties under RIPA for not disclosing passwords are far lower than the likely sentence, assuming someone’s been up to anything of interest to the authorities in this way. They don’t take it seriously at all.