Security Woes

Crackers are always on the lookout for new chances to access your accounts, whether you’re a private, regular internet user or a multinational corporation like Sony, which recently fell victim to several attacks affecting its flagship console, the PS3, and its PlayStation Network.

It began when the PS3 private keys, which sign all data transactions and operations, became public. I won’t digress here; you can find a lot of info on Google, just look for GeoHot / Sony. The latest attack on the PSN has caused a week of downtime by the time I’m writing this, and only today has Sony come forth with a press release on this issue, as well as a FAQ, saying that their entire PSN user base got their data compromised, including credit card data.

I’m yet to believe that Sony hasn’t released the full extent of the information about the attack, so for now there are three crucial steps that PSN users should follow:


  • If you’re using the PSN password in any other service / account, change it. Change it everywhere. You are probably using the same email address you used on the compromised PSN account.
  • Change the password of the email address you used on your PSN account.
  • Change your credit card number, or cancel the card and get a new one. If you can’t do this, be on the lookout for strange credit card transactions and never, ever, release the confirmation code to anyone. Sony states that the cc confirmation code wasn’t stored on their database.

Read the FAQ, they have more info there, but follow these three steps and, when the PSN is up again, change your password to something unique, not used on any other account / service, and remove your credit card number from the account.


Still on Security

With the advent of social networking and connected services, we’ve witnessed a lot of centralized authentication methods. It’s now usual for us to access services that use other sites’ accounts to authenticate, like “Login with Facebook” or “Authorize on Twitter”.

This can be very useful because you don’t have to memorize a ton of different passwords but, if your Facebook, Twitter or Google account gets compromised, all the services using that “third-party” authentication will be compromised as well… so what to do?


  • Use strong passwords. Having a password like your birth date is not secure. Using your pet’s name, or your girlfriend’s, mom’s, dad’s or favorite actor’s name, is not secure. Any dictionary word is not secure. Use random stuff with numbers, symbols, uppercase and lowercase, like “1M4ecur3!?”
  • Use a password manager like 1Password for Mac or KeePass Password Safe for PC. Not only will you have an encrypted and organized password safe, but these apps can also generate random passwords.
  • Always use HTTPS when possible. This will encrypt your traffic to these sites. Twitter, Google, Facebook, all of them have HTTPS options; you just have to go to your account settings and turn it on. Facebook can even warn you by email and SMS when other devices access your account. Google has a 2-Step Authorization process for your account, using verification codes and an app for your mobile device that works like a token, giving you real-time generated verification codes.
  • Don’t use free Wi-Fi. Sure, it’s cool to use a free hotspot, but you never know who’s listening. People using free Wi-Fi are exposed to viruses and password sniffing. This can happen on your neighbor’s unprotected Wi-Fi or even your school’s network.
  • The usual crap: use a secure OS. Mac OS X and Linux are secure by nature. If you must use Windows, turn on the system’s firewall and get another one, as well as an antivirus. Make sure they’re always updated.
  • Don’t trust your passwords to anyone.

Remember, even with all these precautions you’re never totally safe.


Still on Squid integration with Active Directory

I wrote a post a few months ago explaining briefly how to integrate a Squid proxy with Microsoft Active Directory.

While with Windows XP and Vista the single sign-on works flawlessly, with Windows 7 it needs a little tweak.

You’ll need to change a GPO on your AD:

Computer configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Find “Network Security: LAN MANAGER Authentication Level”
Set it to “Send LM & NTLM – use NTLMv2 session security if negotiated”

This happens because Squid uses NTLMv2 after version 2.6, but it is negotiated NTLMv2 rather than straight NTLMv2 (dunno why). Windows 7 refuses to negotiate by default and accepts only NTLMv2.

You might come across other issues in some apps, like having to authenticate manually; Dropbox is one example, but there may be others.

As usual, do this at your own risk!

LAN IPs on Mail.app Email Headers

Dear Apple,

please explain why my computer’s LAN IP address (added so it isn’t mistaken for the router’s IP) is showing in the headers of the emails I send with Mail.app.

Thanks!

Below, in red, my computer’s private LAN IP address. In green, my router’s public/WAN IP address, which is “normally” included in most email headers.

Return-Path: <rsaramago@gmail.com>
Received: from ?XX.XX.XX.XX? (pa6-XX-XX-XXX-XXX.netvisao.pt [XX.XX.XXX.XXX])
 by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-1-623152288
From: Ricardo Saramago <rsaramago@gmail.com>
To: Testy McTest <test@test.pt>
X-Mailer: Apple Mail (2.1077)

Update: I’ve clarified some descriptions above after some user comments; I realized that it wasn’t clear which IPs I was referring to.

It seems that this is common on most email clients, except for Outlook. This “issue” caught my attention when I was looking at the headers of a mail I sent from Mail.app in response to a mail from Outlook, and they were indeed different in this aspect.

The client computer’s local IP address and the router’s / firewall’s / modem’s / whatever public IP address are added by the SMTP server to the envelope’s “Received” line, which it probably gets from the EHLO.

Still, this isn’t secure, as it allows malicious attackers to map a victim’s network very easily.

Can someone explain this to me?
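To see what the “Received” line actually exposes, here is an added example (not part of the original post) that unfolds a Received header, separates the name the client announced in EHLO from the address the server really saw, and flags the EHLO argument when it is an RFC 1918 address. The sample header is constructed in the shape of the one above, with placeholder addresses: 192.168.1.23 for the client’s LAN address and 198.51.100.7 (documentation range) standing in for the router’s public IP.

```python
import ipaddress
import re

# Constructed Received header (same shape as the one quoted in the post,
# placeholder addresses). Gmail renders the EHLO literal as ?a.b.c.d?, other
# MTAs keep the [a.b.c.d] brackets; both forms are handled below.
SAMPLE_RECEIVED = (
    "Received: from [192.168.1.23] (pa6-198-51-100-7.example.net [198.51.100.7])\n"
    "\tby mx.example.com with ESMTPS id 7sm502355eyb.8\n"
    "\t(version=TLSv1/SSLv3 cipher=RC4-MD5);\n"
    "\tFri, 13 Nov 2009 01:07:08 -0800 (PST)"
)

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<ehlo>\S+)"                         # name the client sent in EHLO
    r"(?:\s*\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?",   # what the server observed
    re.I,
)


def unfold(header):
    """Join RFC 5322 continuation lines (newline + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header):
    """Split a Received header into EHLO name, reverse DNS and connecting IP."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        return None
    return {"ehlo": m["ehlo"], "rdns": m["rdns"], "ip": m["ip"]}


def literal_ip(token):
    """Return an address object if token is an IP literal ([1.2.3.4] or ?1.2.3.4?), else None."""
    try:
        return ipaddress.ip_address(token.strip("[]?"))
    except ValueError:
        return None


def leaked_private_address(header):
    """Return the private address disclosed through EHLO, or None if there is none."""
    parsed = parse_received(header)
    if not parsed:
        return None
    addr = literal_ip(parsed["ehlo"])
    if addr is not None and addr.is_private:
        return str(addr)
    return None


if __name__ == "__main__":
    info = parse_received(SAMPLE_RECEIVED)
    print("connecting IP seen by server:", info["ip"])
    print("private address leaked via EHLO:", leaked_private_address(SAMPLE_RECEIVED))
```

The receiving server has no way to learn the client’s LAN address on its own; it is the client that volunteers it as the EHLO argument, which is why the check looks only at that token and treats the bracketed address as the trustworthy one.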

# Visit type: Spider – Google AdSense
# IP: 66.249.71.107
# Hostname: crawl-66-249-71-107.googlebot.com
# Url Requested: /blog/category/computer-stuff/security/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E
# User Agent: Mediapartners-Google

Why is the GoogleBot requesting a URL from my blog with what looks like an SQL Injection attack?
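Whatever the crawler’s reason for replaying that URL, the request itself is worth triaging from the server logs. The following is an added example, not code from the original post: it scans combined-format access log lines for the `DECLARE @…` / `CAST(0x…)` pattern seen above and decodes the hex literal so you can read what was being attempted. The log lines are constructed; the first one replays the request quoted in the post (with its hex blob, truncated exactly as it appears there), the second is ordinary crawler traffic.

```python
import re
from urllib.parse import unquote

# The hex literal quoted in the post, re-joined across the wrapped lines.
PAGE_HEX = (
    "4445434C4152"
    "45204054207661726368617228323535292C404320766172636861722834"
    "30303029204445434C415245205461626C655F437572736F722043555253"
    "4F5220464F522073656C65637420612E6E616D652C622E"
)

# Constructed access-log lines in combined log format.
SAMPLE_LOG = [
    '66.249.71.107 - - [13/Nov/2009:01:07:08 -0800] "GET /blog/category/computer-stuff/security'
    f'/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x{PAGE_HEX} HTTP/1.1" 200 5120 "-" "Mediapartners-Google"',
    '66.249.71.107 - - [13/Nov/2009:01:09:12 -0800] "GET /blog/feed/ HTTP/1.1" 200 8120 "-" "Mediapartners-Google"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators matched against the URL-decoded request path.
INDICATORS = [
    ("declare", re.compile(r"declare\s+@\w+", re.I)),       # T-SQL variable declaration
    ("cast_hex", re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I)),  # hex-encoded statement
    ("exec", re.compile(r"\bexec\s*\(", re.I)),               # dynamic execution
]


def decode_hex_literal(decoded_path):
    """Decode the first 0x... literal in the path to text; None if there is none."""
    m = re.search(r"0x([0-9a-fA-F]+)", decoded_path)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) % 2:          # log line cut mid-byte: drop the dangling nibble
        digits = digits[:-1]
    return bytes.fromhex(digits).decode("latin-1")


def triage(lines):
    """Return one record per log line that carries an injection indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"])
        names = [name for name, rx in INDICATORS if rx.search(decoded)]
        if names:
            hits.append({
                "ip": m["ip"],
                "user_agent": m["ua"],
                "indicators": names,
                "decoded_payload": decode_hex_literal(decoded),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["user_agent"], hit["indicators"])
        print("  payload:", hit["decoded_payload"])
```

The decoded text shows a T-SQL cursor being declared over a system catalog, which is why the requesting IP and user agent matter less than whether the application ever passed that query string to a database. A user agent string is also no proof of who sent the request; the reverse-DNS name in the log entry above is the stronger hint, and the usual way a real crawler ends up sending such a URL is by following a link that already contained it.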

Little Snitch 2.0 Beta 6

Little Snitch is a Mac OS X app that runs in the background and hooks into the kernel. As the name indicates, Little Snitch warns you when an application tries to make a network connection, asking you to decide whether to allow it, deny it, or add a permanent rule for that specific app for future connections.

A good amount of information on the connection being made is presented to the user, and in version 2 (still in beta), besides the improved network filtering, a visual Network Monitor has been implemented, giving the user real-time access to the connections as well as some send / receive icons like Zone Labs’ ZoneAlarm. The configuration interface has undergone some changes and is now more functional and user-friendly than the previous version.

[tags]Little Snitch, Security, Networking, Mac OS X[/tags]

WordPress 2.1.1 compromised

Looks like WordPress 2.1.1 has a security flaw that allows remote PHP execution.

Upgrading to version 2.1.2 is recommended.

[tags]Wordpress, Blog, Security, Exploit[/tags]

Jack?

I’m getting a few hits from someone with this user agent: JACK-O`-LANTERN/1.1

I’ve googled it and found nothing… Does anyone know who’s using this?

[tags]JACK-O`-LANTERN, User Agent, Browser, Search Engine, Crawlers[/tags]

Phishing Alert – CGD

This is a P.F.P.P. – Post For Portuguese People, please excuse 😉

Between yesterday and today most Portuguese people must have received in their mailboxes yet another phishing attempt, this time targeting customers of Caixa Geral de Depósitos.

Although very badly written (you can tell the Portuguese is “Brazilianized”), the e-mail contains links to a site with a design similar to CGD’s home banking sites, and those links go as far as being “disguised”:

<a href="http://cgdonline.net/GrupoCGD.php" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><span lang="EN-US">https://caixaebanking.cgd.pt<wbr>/servlet/icbApp/</span></a>

As you may have noticed, cgdonline.net has nothing to do with www.cgd.pt. Doing a WHOIS on the domain we see:

DOMAIN
Domain Name : cgdonline.net (CGDONL2-BMN-DOM)
Registrar : BookMyName
Whois Server : whois.bookmyname.com
Referral URL : https://www.bookmyname.com

Registrant / Admin Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Billing Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Technical Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Domain servers :
ns1.mikalow.com (NMC160-BMN-HST)

ns2.mikalow.com (NMC161-BMN-HST)

Created on 07/12/2006 22:02:53
Updated on 07/20/2006 17:16:33
Expires on 07/12/2007 18:02:53

This data is probably fake and it isn’t worth digging any further here. Apart from that, the e-mail is sent from 80.178.119.187.adsl.012.net.il, which shouldn’t be of much use either, since there is no shortage of mail servers out there wide open to the world.

Thunderbird classifies this e-mail as an “Internet Scam”, which already helps the more enlightened users 😉

Once again, be careful with e-mails; even something this badly done catches a lot of less informed and unprepared people.

Thanks to Sérgio for providing the e-mail in question… the one I received had already been deleted.

[tags]Phishing, Caixa Geral de Depósitos, CGD, Hacking[/tags]

More on Numbers Stations

The Shortwave And The Calling

[tags]Numbers Stations, Spys, Ciphers, The Conet Project[/tags]

The Numbers Stations



My last post was a little challenge: a ciphered message with a URL inside. All you had to do was convert the binary code, reverse the text and decode the string with the ROT-13 cipher. You would then get
http://www.homelandstupidity.us/2006/06/16/cryptanalysis-of-phone-numbers-stations/ (as Bruno did very well).
Besides the little challenge, the point of that post was the encoded link. I’ve been following this story on Homeland Stupidity and it has been very interesting to read about the main theme the whole thing is reminiscent of: Numbers Stations.

I’m not going to explain what a Numbers Station is, you can check the Wikipedia link above; I would just like to leave you with one of the most interesting projects I came across – The Conet Project.

The Conet Project gathers on 4 CDs a comprehensive collection of Numbers Stations recordings which, by the way, are spooky as hell. Although you can buy the CDs, the publisher allows downloading the CDs as .mp3 as well as the booklet as .pdf.

30 31 30 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 31 30 30 31 30 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 31 30 30 31 31 20 30 30 31 30 30 30 30 30 20 30 31 31 30 31 31 31 31 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 30 31 30 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 30 31 31 31 30 31 31 20 30 30 31 30 31 30 30 31
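The decoding chain from the previous post (binary to text, reverse, ROT-13) and the hex line just above are both layered encodings of plain ASCII. As an added example that is not part of the original post, the code below implements the chain in both directions, so you can check the round trip against the Homeland Stupidity URL, and adds a second decoder for the hex line, which is hex of ASCII digits: every byte is a ‘0’, a ‘1’ or a space, so peeling the hex layer yields binary text and peeling that yields the message.

```python
import codecs

# The hex line from the post, copied verbatim and wrapped for readability.
PAGE_HEX = (
    "30 31 30 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 "
    "30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 31 30 30 31 30 20 "
    "30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 "
    "30 30 31 30 30 30 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 31 30 30 31 31 20 "
    "30 30 31 30 30 30 30 30 20 30 31 31 30 31 31 31 31 20 30 31 31 31 30 31 30 31 20 "
    "30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 "
    "30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 30 31 30 20 "
    "30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 30 31 31 31 30 31 31 20 "
    "30 30 31 30 31 30 30 31"
)


def hex_to_text(hex_bytes):
    """Decode a space-separated list of hex byte values as ASCII."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("ascii")


def binary_to_text(binary_text):
    """Decode space-separated 8-bit groups ('01010100 01101000 ...') to a string."""
    return "".join(chr(int(group, 2)) for group in binary_text.split())


def text_to_binary(text):
    """Inverse of binary_to_text: one zero-padded 8-bit group per character."""
    return " ".join(format(ord(c), "08b") for c in text)


def rot13(text):
    """ROT-13 is its own inverse, so one function serves both directions."""
    return codecs.encode(text, "rot_13")


def decode_challenge(binary_text):
    """The chain from the post: binary -> text, reverse the text, ROT-13 the result."""
    return rot13(binary_to_text(binary_text)[::-1])


def encode_challenge(plaintext):
    """Build a puzzle in the same format: ROT-13, reverse, then write out as binary."""
    return text_to_binary(rot13(plaintext)[::-1])


def decode_page_puzzle():
    """The hex line above wraps binary text: strip the hex layer, then the binary layer."""
    return binary_to_text(hex_to_text(PAGE_HEX))


if __name__ == "__main__":
    url = "http://www.homelandstupidity.us/2006/06/16/cryptanalysis-of-phone-numbers-stations/"
    puzzle = encode_challenge(url)
    print(puzzle[:60] + "...")
    print(decode_challenge(puzzle) == url)
    print(decode_page_puzzle())
```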

[tags]Numbers Stations, Spys, Ciphers, The Conet Project[/tags]