Archive for the 'Security' Category

LAN IPs on Mail.app Email Headers

Dear Apple,

please explain why my computer's LAN IP address (my computer's, to be clear, not the router's) is showing up in the headers of the emails I send with Mail.app.

Thanks!

Below, the first address in the Received line (the one between question marks) is my computer's private LAN IP address. The one in square brackets is my router's public/WAN IP address, which it is "normal" to find in most email headers.

Return-Path: <rsaramago@gmail.com>
Received: from ?XX.XX.XX.XX? (pa6-XX-XX-XXX-XXX.netvisao.pt [XX.XX.XXX.XXX])
 by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07
 (version=TLSv1/SSLv3 cipher=RC4-MD5);
 Fri, 13 Nov 2009 01:07:08 -0800 (PST)
Subject: Teste
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary=Apple-Mail-1-623152288
From: Ricardo Saramago <rsaramago@gmail.com>
To: Testy McTest <test@test.pt>
X-Mailer: Apple Mail (2.1077)

Update: I've clarified some descriptions above after some user comments; I realized it wasn't clear which IPs I was referring to.

It seems that this is common to most email clients, except for Outlook. This "issue" caught my attention when I was looking at the headers of a mail I sent from Mail.app in reply to a mail from Outlook, and they were indeed different in this respect.

Both addresses are written into the "Received:" header (a header, not the envelope) by the receiving SMTP server, here mx.google.com. The first one is whatever name the client announced in its EHLO/HELO: Mail.app uses its own local IP address as that name, so the private LAN address ends up on the line (Gmail shows such address literals between question marks). The second one, in square brackets, is the address the TCP connection actually came from, which behind NAT is the router's / firewall's / modem's public IP.

Still, this is an information leak: every recipient learns which private range (10.x, 172.16-31.x or 192.168.x) the sender's machine sits in and one live host in it, which makes it easier for an attacker to map the victim's network.

Can someone explain this to me?
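To make the leak described above easy to spot in bulk, here is an added example (my own code, not part of the original post or of Apple's software) that parses a Received: header into the EHLO name, reverse DNS and connecting IP, and flags any private address it finds. The sample header is constructed from the one quoted above: the redacted XX fields are replaced by a 192.168.x.x address and the placeholder public address 1.2.3.4.

```python
import ipaddress
import re

# Constructed sample modelled on the header quoted in the post: the redacted
# XX fields are replaced with a private address and a placeholder public one.
SAMPLE_RECEIVED = (
    "Received: from ?192.168.1.23? (pa6-XX-XX-XXX-XXX.netvisao.pt [1.2.3.4])\n"
    " by mx.google.com with ESMTPS id 7sm502355eyb.8.2009.11.13.01.07.07\n"
    " (version=TLSv1/SSLv3 cipher=RC4-MD5);\n"
    " Fri, 13 Nov 2009 01:07:08 -0800 (PST)"
)

# "from <EHLO name> (<reverse DNS> [<connecting IP>])" as most MTAs write it;
# the reverse-DNS part is optional because some write "(unknown [ip])" or "([ip])".
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<ehlo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s*)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_received(header):
    """Split a Received: header into the EHLO name, reverse DNS and connecting IP."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Received: header")
    return {"ehlo": m.group("ehlo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def as_ip(token):
    """Turn '?192.168.1.23?', '[10.0.0.5]' or '[IPv6:fe80::1]' into an address;
    return None when the token is a hostname rather than an address literal."""
    t = token.strip("?[]")
    if t.lower().startswith("ipv6:"):
        t = t[5:]
    try:
        return ipaddress.ip_address(t)
    except ValueError:
        return None


def leaked_private_ips(header):
    """(field, address) pairs for every private/non-routable address the header exposes."""
    fields = parse_received(header)
    leaks = []
    for key in ("ehlo", "ip"):
        addr = as_ip(fields[key]) if fields[key] else None
        if addr is not None and addr.is_private:
            leaks.append((key, str(addr)))
    return leaks


if __name__ == "__main__":
    print(parse_received(SAMPLE_RECEIVED))
    print(leaked_private_ips(SAMPLE_RECEIVED))
```

On the sample this reports the EHLO field as the leaking one; a mail that only carries the router's public address in the brackets reports nothing. Run it over the Received: headers of a mailbox to see which clients and MTAs in your environment expose internal addressing.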

# Visit type: Spider – Google AdSense
# IP: 66.249.71.107
# Hostname: crawl-66-249-71-107.googlebot.com
# Url Requested: /blog/category/computer-stuff/security/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E
# User Agent: Mediapartners-Google

Why is the GoogleBot requesting a URL from my blog with what looks like an SQL Injection attack?
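Whatever brought Googlebot to that URL, the payload itself is readable: the hex inside CAST(0x...) is just ASCII. The following is an added example (my own code, not from the original post) that URL-decodes a requested path, decodes that hex to show the T-SQL it was trying to have executed, and gives a simple two-marker test for flagging such requests in logs. The request path is the one from the log entry above, joined back onto one line; it was already cut off in the log, so the decoded SQL is truncated too.

```python
import re
from urllib.parse import unquote

# The request path from the log entry quoted above (joined onto one line; the
# end of the payload was already missing from the log).
REQUESTED_URL = (
    "/blog/category/computer-stuff/security/?;DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x4445434C4152"
    "45204054207661726368617228323535292C404320766172636861722834"
    "30303029204445434C415245205461626C655F437572736F722043555253"
    "4F5220464F522073656C65637420612E6E616D652C622E"
)

HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)

# Fingerprints of the hex-encoded T-SQL mass-injection pattern; two or more
# in one request is a probe, whatever the rest of the URL looks like.
SQLI_MARKERS = ("DECLARE ", "CAST(0X", "EXEC(", "SET @")


def decode_hex_payload(url):
    """URL-decode the request, find CAST(0x...) and decode the hex to text.
    A truncated log line can leave an odd number of hex digits; the dangling
    nibble is dropped rather than raising."""
    decoded = unquote(url)
    m = HEX_CAST_RE.search(decoded)
    if not m:
        return None
    h = m.group(1)
    if len(h) % 2:
        h = h[:-1]
    return bytes.fromhex(h).decode("latin-1")


def is_sqli_probe(url):
    """True when at least two of the T-SQL markers appear in the decoded request."""
    decoded = unquote(url).upper()
    return sum(marker in decoded for marker in SQLI_MARKERS) >= 2


if __name__ == "__main__":
    print(is_sqli_probe(REQUESTED_URL))
    print(decode_hex_payload(REQUESTED_URL))
```

Decoding the quoted request yields a DECLARE of two varchar variables and a cursor over sysobjects/syscolumns, cut off mid-statement: the generic pattern of the automated mass SQL injection attacks against ASP/MSSQL sites that were common at the time. A WordPress/MySQL blog is not a valid target for it, which is one reason such hits are usually noise from blind scanning or from crawlers following links that were injected elsewhere; still, log them, because the decoded payload tells you exactly what was attempted.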

Little Snitch 2.0 Beta 6

Little Snitch is a Mac OS X app that runs in the background and hooks into the kernel. As the name indicates, Little Snitch warns you when an application tries to make a network connection and asks you to decide whether to allow it, deny it, or add a permanent rule covering that specific app's future connections.

A good amount of information on the connection being made is presented to the user, and version 2 (still in beta), besides improved network filtering, adds a visual Network Monitor that gives real-time access to the connections, as well as send/receive icons like those in Zone Labs' ZoneAlarm. The configuration interface has been reworked and is now more functional and user friendly than in the previous version.

[tags]Little Snitch, Security, Networking, Mac OS X[/tags]

Wordpress 2.1.1 compromised

Looks like WordPress 2.1.1 has a security hole that allows remote PHP code execution.

Upgrade to version 2.1.2 is recommended.

[tags]Wordpress, Blog, Security, Exploit[/tags]

Jack?

I’m getting a few hits from someone with this user agent: JACK-O`-LANTERN/1.1

I've googled it and found nothing… Does anyone know who's using this?

[tags]JACK-O`-LANTERN, User Agent, Browser, Search Engine, Crawlers[/tags]

Phishing Alert – CGD

This is a P.F.P.P. – Post For Portuguese People, please excuse ;)

Between yesterday and today most Portuguese people will have received in their inboxes yet another phishing attempt, this time aimed at Caixa Geral de Depósitos customers.

Although very badly written (the Portuguese is noticeably "Brazilianised"), the e-mail contains links to a site whose design resembles CGD's home banking sites, and the links go as far as being "disguised":

<a href="http://cgdonline.net/GrupoCGD.php" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><span lang="EN-US">https://caixaebanking.cgd.pt<wbr>/servlet/icbApp/</span></a>

As you may have noticed, cgdonline.net has nothing to do with www.cgd.pt. A WHOIS on the domain shows:

DOMAIN
Domain Name : cgdonline.net (CGDONL2-BMN-DOM)
Registrar : BookMyName
Whois Server : whois.bookmyname.com
Referral URL : https://www.bookmyname.com

Registrant / Admin Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Billing Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Technical Contact :
PERSON
Sophie CLARK (CLARK5-BMN-PE)

14 Griffin Road

02038 Franklin
UNITED STATES
phone : 508-520-0086
fax :
e-mail : *************@yahoo.com

Domain servers :
ns1.mikalow.com (NMC160-BMN-HST)

ns2.mikalow.com (NMC161-BMN-HST)

Created on 07/12/2006 22:02:53
Updated on 07/20/2006 17:16:33
Expires on 07/12/2007 18:02:53

These details are probably fake and not worth digging into any further. As for the rest, the e-mail is sent from 80.178.119.187.adsl.012.net.il, which probably isn't of much use either, since there is no shortage of mail servers wide open to the world.

Thunderbird classifies this e-mail as "Internet Scam", which already helps the more enlightened users ;)

Once again, be careful with e-mails; even one as badly done as this catches a lot of less informed and unwary people.

Thanks to Sérgio for providing the e-mail in question… the one I received had already been deleted.

[tags]Phishing, Caixa Geral de Depósitos, CGD, Hacking[/tags]

More on Numbers Stations

The Shortwave And The Calling

[tags]Numbers Stations, Spys, Ciphers, The Conet Project[/tags]

The Numbers Stations


My last post was a little challenge: a ciphered message with a URL inside. All you had to do was convert the binary code to text, reverse the text and decode the string with the ROT-13 cipher. You would then get
http://www.homelandstupidity.us/2006/06/16/cryptanalysis-of-phone-numbers-stations/ (as Bruno did very well).
Besides the little challenge, the point of that post was the encoded link. I've been following this story on Homeland Stupidity, and it has been very interesting to read about the main theme the whole thing revolves around: Numbers Stations.

I'm not going to explain what a Numbers Station is (you can check the Wikipedia link above); I would just like to leave you with one of the most interesting projects I came across: The Conet Project.

The Conet Project gathers on 4 CDs a comprehensive collection of Numbers Stations recordings, which, by the way, are spooky as hell. Although you can buy the CDs, the label allows the CDs to be downloaded as .mp3 files, along with the booklet as a .pdf.

30 31 30 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 31 30 30 31 30 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 31 30 30 31 31 20 30 30 31 30 30 30 30 30 20 30 31 31 30 31 31 31 31 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 30 31 30 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 30 31 31 31 30 31 31 20 30 30 31 30 31 30 30 31
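As an added example (my own code, not from the original post), here is a decoder for the two layers used in these challenges: the hex-to-binary-to-ASCII chain for the string above, and the binary, reverse, ROT-13 pipeline described for the previous post, with an encoder for the latter so the pipeline can be checked round-trip. The only input it ships with is the hex string above, copied from the post; the URL used in the round-trip is the Homeland Stupidity one quoted above.

```python
import codecs

# The hex string from the post above (each byte is an ASCII '0', '1' or space).
CHALLENGE_HEX = (
    "30 31 30 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 "
    "30 30 31 30 30 30 30 30 20 "
    "30 31 31 31 30 31 30 30 20 30 31 31 31 30 30 31 30 20 30 31 31 31 30 31 30 31 20 "
    "30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 "
    "30 30 31 30 30 30 30 30 20 "
    "30 31 31 30 31 30 30 31 20 30 31 31 31 30 30 31 31 20 "
    "30 30 31 30 30 30 30 30 20 "
    "30 31 31 30 31 31 31 31 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 31 30 30 20 "
    "30 30 31 30 30 30 30 30 20 "
    "30 31 31 31 30 31 30 30 20 30 31 31 30 31 30 30 30 20 30 31 31 30 30 31 30 31 20 "
    "30 31 31 31 30 30 31 30 20 30 31 31 30 30 31 30 31 20 "
    "30 30 31 30 30 30 30 30 20 "
    "30 30 31 31 31 30 31 31 20 30 30 31 30 31 30 30 31"
)

# URL from the post, used only to round-trip the previous challenge's pipeline.
PREVIOUS_URL = "http://www.homelandstupidity.us/2006/06/16/cryptanalysis-of-phone-numbers-stations/"


def hex_to_text(hex_str):
    """'48 69' -> 'Hi': space-separated hex bytes to ASCII."""
    return bytes.fromhex(hex_str.replace(" ", "")).decode("ascii")


def bits_to_text(bit_str):
    """'01001000 01101001' -> 'Hi': space-separated 8-bit groups to characters."""
    return "".join(chr(int(group, 2)) for group in bit_str.split())


def text_to_bits(text):
    """Inverse of bits_to_text."""
    return " ".join(format(ord(c), "08b") for c in text)


def rot13(text):
    return codecs.decode(text, "rot_13")


def solve_previous_challenge(bit_str):
    """The pipeline described in the post: binary -> text, reverse, ROT-13."""
    return rot13(bits_to_text(bit_str)[::-1])


def make_challenge(text):
    """Encoder for solve_previous_challenge: ROT-13, reverse, text -> binary."""
    return text_to_bits(rot13(text)[::-1])


def solve_this_post(hex_str):
    """This post's string is one layer deeper: hex -> '0'/'1' text -> binary -> text."""
    return bits_to_text(hex_to_text(hex_str))


if __name__ == "__main__":
    print(solve_this_post(CHALLENGE_HEX))
    print(solve_previous_challenge(make_challenge(PREVIOUS_URL)) == PREVIOUS_URL)
```

Note that ROT-13 is its own inverse and only touches letters, so digits and punctuation in a URL pass through unchanged; that is what makes the decoded link recognisable even before the last step.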

[tags]Numbers Stations, Spys, Ciphers, The Conet Project[/tags]

Root password in Ubuntu 5.10

It has been reported here that the file /var/log/installer/cdebconf/questions.dat contains the full installation log, and that included in it, in clear text, are the default user and root passwords created during the install. Can anyone check this out and see if it works? I'm running Dapper and the bug seems to be gone.

[tags]Ubuntu, root password, bug, exploit[/tags]

Nyxem.E

Following the news on the F-Secure site, I've noticed that the Nyxem.E worm has been ranked as a Level 2 Alert (meaning it is only one level below the highest alert level). This guy is spreading like mad all over the world, from the USA to Australia. The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising.

'Nyxem.E' is a mass-mailing worm that also tries to spread through remote shares. It tries to disable security-related and file-sharing software, and it destroys files of certain types. It is similar to 'Email-Worm.Win32.VB.bi', which was found a few days ago.

The worm's destructive payload is activated on the third day of every month and replaces the content of the user's files with the text string "DATA Error [47 0F 94 93 F4 K5]". The affected file types include DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

You can get more info on Nyxem.E here.

[tags]Nyxem.E, virus, trojan, worm, DATA Error [47 0F 94 93 F4 K5][/tags]