Security – Page 6 – Frank Leonhardt's Blog

How to stop Samba users deleting their home directory and email

UNIX permissions can send you around the twist sometimes. You can set them up to do anything, not. Here’s a good case in point…

Imagine you have Samba set up to provide users with a home directory. This is a useful feature; if you log in to the server with the name “fred” you (and only you) will see a network share called “fred”, which contains the files in your UNIX/Linux home directory. This is great for knowledgeable computer types, but is it such a great idea for normal lusers? If you’re running IMAP email it’s going to expose your mail directory, .forward and a load of other files that Windoze users might delete on a whim, and really screw things up.

Is there a Samba option to share home directories but to leave certain subdirectories alone? No. Can you just change the ownership and permissions of the critical files to root and deny write access? No! (Because mail systems require such files to be owned by their user for security reasons). Can you use permission bits or even an ACL? Possibly, but you’ll go insane trying.

A bit of lateral thinking is called for here. Let’s start with the standard section in smb.conf for creating automatic shares for home directories:

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

The “homes” section is special – the name “homes” is reserved to make it so. Basically it auto-creates a share with a name matching the user when someone logs in, so that they can get to their home directory.

First off, you could make it non-writable (i.e. set writable = no). Not much use to use luser, but it does the job of stopping them deleting anything. If read-only access is good enough, it’s an option.

The next idea, if you want it to be useful, is to use the directive “hide dot files” in the definition. This basically returns files beginning in a ‘.’ as “hidden” to Windoze users, hiding the UNIX user configuration files and other stuff you don’t want deleted. Unfortunately the “mail” directory, containing all your loverly IMAP folders is still available for wonton destruction, but you can hide this too by renaming it .mail. All you then need to do is tell your mail server to use the new name. For example, in dovecot.conf, uncomment and edit the line thus:

mail_location = mbox:~/.mail/:INBOX=/var/mail/%u

(Note the ‘.’ added at the front of ~/mail/)

You then have to rename each of the user’s “mail” folders to “.mail”, restart dovecot and the job is done.

Except when you have lusers who have turned on the “Show Hidden Files” option in Windoze, of course. A surprising number seem to think this is a good idea. You could decide that hidden files allows advanced users control of their mail and configuration, and anyone messing with a hidden file can presumably be trusted to know what you’re doing. You could even mess with Windoze policies to stop them doing this (ha!). Or you may take the view that all lusers and dangerous and if there is a way to mess things up, they’ll find it and do it. In this case, here’s Plan B.

The trick is to know that the default path to shares in [homes] is ‘~’, but you can actually override this! For example:

[homes]
    path = /usr/data/flubnutz
    ...

This maps users’ home directories in a single directory called ‘flubnutz’. This is not that useful, and I haven’t even bothered to try it myself. When it becomes interesting is when you can add a macro to the path name. %S is a good one to use because it’s the name as the user who has logged in (the service name). %u, likewise. You can then do stuff like:

[homes]
     path = /usr/samba-files/%S
     ....

This stores the user’s home directory files in a completely different location, in a directory matching their name. If you prefer to keep the user’s account files together (like a sensible UNIX admin) you can use:

[homes]
     comment = Home Directories
     path = /usr/home/%S/samba-files
     browseable = no
     writable = yes<

As you can imagine, this stores their Windows home directory files in a sub-directory to their home directory; one which they can’t escape from. You have to create “~/samba-files” and give them ownership of it for this to work. If you don’t want to use the explicit path, %h/samba-files should do instead.

I’ve written a few scripts to create directories and set permissions, which I might add to this if anyone expresses an interest.

18-November-1517-March-17

Governments’ hacking fantasies

It’s silly season again.

Yesterday George Osborne warned that Islamists were tooling up and planning deadly cyber-attacks against the UK, targeting critical systems like ATC and hospitals, as he announced government spending on countermeasures would double from about £200M to £400M a year. Mr Osborne shown a rather tenuous grasp of technology in the past, and I fear he’s been watching too many Hollywood movies when forming his current opinion.

I know a bit about ATC, and the chances of a jihadi disrupting NAS over the internet are slight. Damaging aviation is much easier by more direct means.

Likewise, while I have little time for the design of NHS computers systems, even they’d be hard to seriously disrupt. So difficult that it really wouldn’t be worth the bother. If you want to knock out a hospital, blow up the generators and electricity feed – it’s obvious. About the only systemic damage you could do remotely would be to mess up central databases, but these seem to get messed up regularly anyway, and the world goes on.

But this seems positively sane and sensible compared to today’s report from the “US-China Economic and Security Review Commission”. They’re all exercised about those nasty Chinese guys pinching trade secrets by hacking in to US companies and their government agencies. I’m sceptical about the idea that the Chinese government is behind this, and the Commission has weakened the credibility of their claims with their suggested response to the activity:

Yes folks, their suggestion is that Americans hack in to the Chinese systems and steal back or delete the stolen data. How exactly does one steal back data? And do they really think it’s possible to locate, identify and delete stolen data found in a foreign country. Deleting all copies of data from a local system is hard enough, and if the IT department knows its stuff, it’s impossible as it won’t all be on-line.

Whilst there’s plenty of evidence that people in China, and possibly the military, are engaged in cyber-espionage, this idea reads like the plot of another Hollywood movie of the type George Osborne seems to have been watching. Everyone in the security world knows that the majority of criminal activity on the Internet actually comes from…. the USA. This doesn’t mean the US government is behind it – by the sound of the advice they’re getting, they wouldn’t know how.

People like me have been saying that cyber-crime is (going to be) a big problem for many years now, and I welcome governments waking up and taking it seriously at last. The private sector has done spectacularly badly, as the money is in the superficial stuff, and real security gets in the way of profits. It’s just a shame that governments have woken up and are groping groggily around in the dark.

24-October-1517-November-16

TalkTalk Ransom Demand

So, the head of TalkTalk (Dido Harding) has received a ransom demand following the latest hack? From a bunch of Islamist gangsters? I don’t think so. Okay, she probably received an email extortion attempt. Several in fact. It’d be form for Islamist gangsters to have a go, amongst the usual suspects. But the idea that whoever is behind the attacks also sent the ransom demand does not sound like the normal MO. It smells wrong to me. Extortion attempts of this kind generally follow a demonstration that the criminals can disrupt a web site, not after a long-term outage.

I get the vibes that TalkTalk doesn’t know what happened, and take everything they say with a pinch of salt. The only certainty is that their web site was toppled. Data theft, or script kiddies? I suspect the latter, actually. They floated the possibility of widespread data theft, which is very responsible of them until it’s figured out what exactly happened. This is a possibility in any attack.

Meanwhile, people are now questioning whether the stolen data (if there was any) was encrypted, and if not, why not. On a live system, data can’t be encrypted. Think about it! This is allegedly a hack of a live system, so the criminals would have access to the same data that he live system would.

This whole story has been hyped up way beyond the facts. No one (including TalkTalk) wants to suggest it may be overblown for fear of being branded irresponsible by a technically illiterate news media and opportunistic politicians. But it smells all wrong to me. How much more embarrassing if it was was actually script kiddies getting lucky, rather than the APT being hinted at.

23-October-1523-October-15

No talk from TalkTalk

Charles Dunston’s budget ISP TalkTalk has been hacked again. Yawn. This time it’s big news on TV; the headline story in fact. Their website has been KOed for a couple of days, but it’s back online with a front page showing a different news agenda. They get their feed from AOL (also part of the Carphone Warehouse family), who probably just missed the kerfuffle; there’s no celebrity connection after all. Not yet, anyway.

If you’re a TalkTalk retail customer (or possibly a business customer – who knows how their systems interrelate and what data’s been pilfered), and you’ve used the same password with TalkTalk as any other sites, change your password on those sites NOW. The popular media is full of speculation as to what’s been compromised but they’re not mentioning passwords, presumably because TalkTalk will have told them that any passwords would have been encrypted. But if the criminals have got hold of the hashes, which is likely, it’s only a matter of time before they crack them.

How worried should customers of other ISPs be? Pretty worried, as on the serious side of the business they’re known as Opal Telecom, a significant LLU operator providing the link between the last time and the data centre for a large number of Broadband providers.

I can, of course, only speculate as to why this keeps happening to them. One reason might be related to several conversations I’ve had with people from ISPs TalkTalk has taken over along the way. Apparently they really don’t like hard stuff like UNIX/Linux, and within months of a takeover they force a switch to Microsoft before making all the UNIX people redundant. Any fool can use Microsoft – low levels of technical understanding are required, meaning cheap engineers and lower costs. But do their Microsofties actually know what they’re doing? I dare say that some of them do, and some of them don’t. But the bar for a point-and-click Microsoft house going to be lower.

23-October-1522-September-16

The spammed malware attack continues, but Microsoft SE has been getting it wrong

Kudos to Microsoft Security Essentials for picking up the nasty attachment being pumped out like crazy by the clean-skin botnet recently, while most of the other scanners failed to detect it. However, it was wrong about the identity of the malware. It’s not Peals.F!plock, as I originally reported with skepticism. It’s now detected as a variation of something known as Troj/DocDl-YU (to use the name give by Sophos). Read about it here:

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DocDl-YU/detailed-analysis.aspx

This uses Microsoft’s Office macro language to download further malware from the Internet and install it on the victim’s PC, so if anyone activates it there’ll be more than just this Trojan downloader to worry about. As it’s a Microsoft Word document, people tend to open it. If the government really wants to spend money telling the public how to avoid falling victim to cybercrime, they should start by warning about sending documents by email, instead of the current nonsense. Microsoft might get the hump, though, and as I understand it, they’re acting as advisors.

If people have macros disabled on Word, they’re probably okay as long as they don’t get tricked in to enabling them. I’m not hopeful in this regard.

Meanwhile, those behind it are changing the message tweaking the payload to avoid detection – quite successfully! The latest incarnation reads:

From: UUSCOTLAND@example.com

Subject: Water Services Invoice

Good Morning,

I hope you are well.

Please find attached the water services invoice summary for the billing period of 22 September 2015 to 22 October 2015.

If you would like any more help, or information, please contact me on 0345 #######. Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to help you. Alternatively you can email me at UUSCOTLAND@example.com

Kind regards

Melissa

Melissa Lears

Billing Specialist

Business Retail

United Utilities Scotland

T: 0345 ####### (#####)

They appear to be updating it every morning at around 0800Z. Let’s see what we get tomorrow.

19-October-1520-October-15

New botnet spammed malware – Peals.F!plock

This is a big one, coming from hitherto unlisted botnet addresses – and it’s coming right now. I’m cross referencing the blacklisted addresses now to see if I can see who’s had an expansion lately. Spamassassin isn’t that great at picking it up, with about 10% getting straight through and about 90% failing to reach five points.

It’s a Microsoft Word document, apparently containing controversial malware Peals.F!plock. Little is known about this, other than Security Essentials flagging it but others say it’s a false positive. Well someone’s gone to a lot of trouble to sent it a “false positive”.

The messages all claim to come from “Stephanie Greaves”, sgreaves at btros.co.uk, with a fixed subject of COS007202, which is unusual. You’d have thought that if you’re using a clean botnet you’d randomise things a bit. This is a genuine domain name (with no SPF – come on guys!) and for all I know, Stephanie Greaves is the name of a genuine victim. Their MX is a virtual server and they’re probably wondering why it’s been heavily loaded since 9am.

Whoever’s doing this has a pretty comprehensive spamming list, containing nearly all of my honeypots.

Update:

This same malware is now being sent out claiming to be from customerservices@ocado.com with the subject “Your receipt for today’s Ocado delivery”, and an HTML message looking like an Ocado receipt (as far as I can tell – I shop for my own groceries!) Again, Ocado doesn’t seem to have SPF set up.

The message text is:

HERE’S YOUR RECEIPT

Hello

Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.

Your order doesn’t have any substitutions, everything’s there.

See you later,

Paul

The fake bombardier one reads:

Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
cid:image002.jpg@01D01077.BAC48BA0
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD

Update: 20-Oct-15 11:22

The malware spam now looks like this:

From: Shaun Buzzard <shaunb@hubbardproducts.com>
To: <to_addr}}>  <-- Note error
Subject: Order

Hi ,

Please find attached order.

Kind regards.

Shaun Buzzard

6-October-156-October-15

Safe Harbour Agreement on Data Sharing with Uncle Sam ruled unlawful

Photo Source: Court of Justice of the European Union — Causing trouble – Court of Justice of the European Union

The long awaited ruling about whether the Safe Harbour agreement allowing free transfer of data concerning European citizens to the USA is valid under European Law has just been published. And it’s a doozie.

Basically a Safe Harbour agreement (note the use of the indefinite article here) means that you won’t be sent down the river for doing something that might otherwise be illegal. The specific Safe Harbour agreement in this case (2000/520/EC) says it’s okay for European data controllers to send whatever they like to the American’s because Uncle Sam is a good friend. This would otherwise be a no-no because you’d be giving up control over information that would otherwise be protected by European privacy laws.

This situation is currently being misrepresented in the popular press as being about Facebook (social media being their favourite subject after themselves); it’s not. It’s about all data. The case was brought by Austrian civil rights campaigner, Max Schrems in the Irish courts to test the legality of Facebook doing just this, as a high-profile example. A lot of American companies like to base their data centres in Dublin because, up until now, the Irish courts have been quite relaxed about what goes in compared with certain other European governments. (And lets not forget the tax breaks, and that Dublin is a nice place to be).

Hanging over this is the shadow of Edward Snowden (yet again), raising public awareness and anxiety over government access to PII. The fact that this PII is already in the hands of the likes of Facebook, Amazon, Microsoft, Google and Twitter with the full knowledge of the subjects doesn’t seem to matter – it’s the principle of the thing!

Anyway, the ruling basically says that the initial ruling is incompatible with European Law, and we can’t trust the Yankees to look after it without further safeguards. Where this leaves American companies with European data centres remains to be seen.

5-October-1522-October-15

Edward Snowden says smartphones can be taken over by text message

The most incredible revelation has just appeared on the BBC News web site. Apparently Edward Snowdon has revealed in a Panorama interview that smartphones can be taken over by sending them an SMS.

“The former intelligence contractor told the BBC’s Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners’ knowledge.” it begins. It continues with “Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in.”

That’s pretty specific, and as I said, incredible. For anyone with a shaky knowledge for the English language, “incredible” means difficult or impossible to believe. If it were true, then one of the following must also be true:

All the handset makers in the world would have to pre-install a wedge to intercept SMS traffic before the OS got to the hardware.
Apple would have to be in on it; and there would have to be something hidden in the publicly available Android source code that no one had noticed.
All the hardware used in smartphones would have the ability to intercept SMS and implement a hypervisor to manipulate the OS in way I can’t even comprehend (and with the chip maker’s collusion.

None of the above strikes me as very likely, so if there is any truth in it, what could it be?

The obvious answer is that GCHQ and the NSA have some dodgy Apps which, if you install them and give them permission, could do things on receipt of a SMS. Not such a big deal – criminals are doing this and I’d be surprised if governments weren’t in on that game too. He could also be referring to known exploits in some phone OSs that could be used to compromise its security. But the BBC quote is clear that this is something “new”, and applies to all, or at least the majority of smartphones. It does not say “some handsets”; the implication is clearly that all handsets can be pwned by the spooks whenever they want. I’ve kept the text of the original article, as I suspect they’ll be needing to change it!

It could also be that Mr Snowden is being grossly mis-represented in a case of sloppy journalism, or in a deliberate attempt to hype the forthcoming Panorama program. The term “encrypted text message” rings an alarm bell here; no one who knew anything about the subject would have used the word “encrypted” to refer to a specially crafted or encoded message.

Or it could be that the publicity-seeking Mr Snowdon has sold some credulous hacks a fairy story and they’ve lapped it up.

5-October-155-October-15

Malware sent in .ace format

This one made me look twice. I’m intercepting a lot of malware spreading attempts with text that starts out thus:

Dear Sir or madam
 Hi
 I'm milad and our company called UTIACHEM CO. located in Tehran-Iran.
 Following a telephone conversation with my colleague.
 I was going to send me your request.
 We have an inquiry from your products as attached file,please check.
 Please answer each request.
 Please certificate and an analysis and data sheet product send it to us.

They’re notable because they contain a pair of files of similar length (454K) which have names ending in .jpg.ace. It took me a while to figure this out; they’re compressed using a program called WinAce, a proprietary (paid for) German program from the late 1990’s. The only people likely to have a copy of this will likely be running Windows 98 – or so I thought. The company is still going, much to my surprise, and there are Linux and Mac versions too – although not UNIX, BSD, Android, Apple OS or anything else you’d need if you wanted to compete as a cross-platform archive format. There is, however, a DLL for unpacking that may be used in other people’s products, so perhaps decoders are more prevalent than might first appear.

I wonder how many they’ll have to spam out before they find someone (a) with an ACE decoder; and (b) dumb enough to use it?

Incidentally, most of these spams trace back to Mandril (aka Mailchimp), and are probably uploaded there by someone abusing an IOMart account (from Nottingham). In other words, zero abuse enforcement, based on previous attempts to contact them.

5-October-157-October-15

iZettle is now contactless on Android

Update 6th October 2015:

What a difference a day makes! Yesterday I was trying to get iZettle 3.0.0 working on my Android 5.0 handset and failing miserably. Today, it’s all working just fine. The difference? Three things:

Don’t have the handset and the reader too close together. Bluetooth was interfering with the WiFi. They’re on the same frequency, and Bluetooth doesn’t really play nice with 802.11n. While the Internet connection was being blocked by the reader, the App became unstable on loading.
Either turn on the reader before you start the App, or afterwards. I’m not completely sure of the timing, but there seems to be a bad spot if they’re both starting up together where they fail to sync and both go funky deux. The photographs following the review show what I mean!
When you turn on the reader, wait for the “Please wait….” to disappear before you considering it to be “on”. i.e. don’t start the App while it’s in that state, and don’t do anything to try to use it if the App is already running.

If you follow the rules above, everything else works like a charm. And like all rules, there are exceptions when it might work anyway.

Review

iZettle is a Swedish company, founded in 2010, offering a complete mobile card payment system for small businesses with Terms of Business and charges that should make the bankers blush. The deal is that they charge a straight ~1.5%-3% dependent on volume, with no minimum transaction fee. You can buy a reader from them, or if your volumes are high enough, they’ll give you a free Chip and Pin reader that connects to some smartphone/tablet hardware (iPhones and a few Android devices) using the microphone/speaker. My advice on the free reader is “don’t be cheap – pay for the bluetooth one”.

Today iZettle released its all-new Android App, version 3.0.0, which allows it to work with the Card Reader Pro Contactless . When I say “released”, it appeared in the Google Play store without fanfare; not even a press release. Apple fanbois have been able to use contactless cards (and Apple Pray) for some time now, but the Android App has always lagged behind; odd, as 90% of smartphones run Android. Perhaps iZettle really likes Objective ‘C’?

The good news, apart from contactless support, is that the new Android App is much cleaner and nicer to use than the old one. On startup, it goes straight in to the screen where all you need do is enter the amount and optional description and add it to a cart (you can’t charge it immediately, for some reason). If you have pre-set items you can access them in grid or list from by swiping left; tapping an item adds it to the cart.

70D_04547c

To take a payment just tap on the cart icon. You get a chance to add a percentage or set value discount and when you’re done it just connects to the card reader and does the business. One very welcome feature is that the display on the reader now shows the amount being charged.

There are other good features lying about in the software. For example, a battery status indication is available in settings. But the main feature of 3.0 is its ease of use.

Teething problems connecting notwithstanding, there are a few possible improvements that spring to mind. It would be handy to be able to enter a number and select “Charge” immediately without going through the cart first. This may be a bug – before you enter an amount the there is a large button marked “Charge” that changes to “Add Item” (to the cart) as soon as you enter something. Also, there are pre-set discount rates of 5%, 10% and 15% and the ability to enter any percentage manually, but you can’t edit the pre-sets. More seriously, you can’t edit the VAT rate table or enter a manual rate. It has 0%, 5% and 20%, which are the current rates in the UK, but they’re going to change. It also makes no differentiation between Zero-rate an Exempt, which does matter for proper accounting.

But these are minor quibbles. iZettle 3.0 is a big improvement on the rather clunky 2.5 and I’ve no doubt the teething troubles with the connection will be fixed. In the mean time, just leave the reader enough time to warm up.

In view of the problems I did have, a means of rolling back updates is needed. iZettle says that they can’t do this at the moment, but given the difficulty of testing Apps – especially Android ones – on the wide range of hardware and OS versions out there, relying on a compatibility list is a bad idea tactically. There’s a danger that people will seek to download older versions of the App if they encounter problems, and a bit of research this morning turned up a few .apk files on the Internet that had definitely been tampered with. I’m trying to persuade iZettle to implement a rollback option but no luck yet.

Rogues gallery: iZettle 3.0.0 going mad yesterday. See update above.

If you get the timing wrong or something interferes with the Internet connection (e.g. it’s masked by bluetooth) you could be in for a world of pain.

70d_04521

Whenever I try to make a charge it either says that an “Unexpected error occurred – try again”, or it crashes out.

70D_04543

This is before it even gets to the “insert card” part. And it’s really flaky when it comes to keeping bluetooth contact with the reader.
70D_04533 70D_04542

It randomly freezes, in the case of the above while it was moving between screens – it appears to be when its thinking about bluetooth connections.

It even manages to crash the reader itself!

70D_04540

For what it’s worth, I’m using Android 5.0, and it worked just fine (albeit Chip and Pin) on the old version of the App.

Fortunately I don’t process a lot of payments, so can live without it but others may be having a really bad day as a result.