Categories
Security & Compliance

How not to do key management

Clearly, the motel management forgot to configure all the locks and keys as they are still in their default state. It makes you wonder about other places with similar setups.

Categories
Internet, Unix en security

Implementing RFC 2142 for beginners

I stumbled on a phishing site for a Dutch-bank in my junk-folder and for once I decided to have closer look to see if the filter was working correctly. Is was, but after reviewing the phishing site I saw two things and it was time to act.

The first one was the hosting service. It was a free hosting service so no defacing or whatever. That makes live very convenient for hosting a phishing site that looks pretty safe. The seconds was the use of a free hosting service for submit and collect forms. The funny part is btw, that the seconds appears to very if a certain tag is in the referral page, but doesn’t check if it really shows up. So to eliminate the inclusion in the webpage, the have added then after the closing HTML-tag. Maybe using XPath was a better design choice over just search for a certain string to enable the service.

As the form was asking for all kind of funny details to do perfect phishing I decide to report this to all involved parties. The site being phished, Rabobank in this case, the hoster T15.org and Formbuddy for processing phishing data. After so checking and didn’t found enough leads on alternative mail-addresses to report this I decide to use RFC 2142 reserved mail-addresses and the following happend.

<abuse@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@formbuddy.com>: host ASPMX.L.GOOGLE.com[74.125.79.27] said: 550-5.1.1
The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient’s email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596
d15si7088885eei.16 (in reply to RCPT TO command)

The one that worries me the most is that a bank appears to have no working mail-addresses as described in Section 4 of RFC 2142. Those are basically key for contacting parties in case of emergencies or trouble. The abuse-reject was already noticed by someone last year, but I really wonder how a /16 network can ignore this. Also since there is no abuse-c entry know for there /16.

Update 2012-01-06: The nice guys at T15.org have taken the website down within a few hours after reporting.

Categories
Internet, Unix en security

Chaining CNAMEs en GRC

Mijnheer Gibson heeft weer wat leuks en ook iets ook heel onverstandigs online staan. Een changing CNAME met veel schakels, heel veel schakels, heel heel heel veel schakels. En er blijken voldoende thuisrouters niet tegen te kunnen zoals ook bij Security.nl naar voren kwam. Ook komt hier gelijk wat anders naars naar voren.

Maar eerst over het probleem zelf en ja het is een probleem. Het is misschien ook wel iets waar Bert Hubert van PowerDNS naar hinten tijdens Hacking at Random. Er zitten nog veel fouten in de resolvers die moeten worden opgelost en dit bleek ook tijdens een test in Zweden met DNSSEC waarbij veel thuisrouters omvielen terwijl ze hoorden te blijven werken. Het onderstaande dus met zorg gebruiken.

$ dig vu4juskpieril.dns.grc.com.

< <>> DiG 9.6.1-P2 < <>> vu4juskpieril.dns.grc.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER< <- opcode: QUERY, status: SERVFAIL, id: 14245
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vu4juskpieril.dns.grc.com. IN A

;; ANSWER SECTION:
vu4juskpieril.dns.grc.com. 59 IN CNAME 1gmwga5hrrwca.dns.grc.com.
1gmwga5hrrwca.dns.grc.com. 59 IN CNAME wyxhcj5oe4pnj.dns.grc.com.
wyxhcj5oe4pnj.dns.grc.com. 59 IN CNAME 4t3bqsavrixij.dns.grc.com.
4t3bqsavrixij.dns.grc.com. 59 IN CNAME dhykkk0tjnzwd.dns.grc.com.
dhykkk0tjnzwd.dns.grc.com. 59 IN CNAME w2zci5lhiezqe.dns.grc.com.
w2zci5lhiezqe.dns.grc.com. 59 IN CNAME aupbutbnfy1jn.dns.grc.com.
aupbutbnfy1jn.dns.grc.com. 59 IN CNAME tfriugiykoa5f.dns.grc.com.
tfriugiykoa5f.dns.grc.com. 59 IN CNAME bjdvr3qbhor5e.dns.grc.com.
bjdvr3qbhor5e.dns.grc.com. 59 IN CNAME m0iyvioma2ywe.dns.grc.com.

;; Query time: 2597 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Sun Dec 20 11:27:02 2009
;; MSG SIZE rcvd: 295

Er wordt een vraag uitgezet bij resolver en deze moet bijna oneindig bezig blijven om met een antwoord te komen. Of de resolver blijft “eeuwig” bezig, of stopt met werken door een gebrek aan geheugen bv, of omdat het niet op te lossen en geeft een timeout, of geeft alleen het eerst antwoord. Voorlopig lijken BIND en PowerDNS goed te werken en ook de firmware voor routers van AVM aka Fritz!Box.

Als je mensen wilt pesten dan is de bekende 1×1 pixel image in je e-mail, webpagina, etc wel een aardige optie. Zeker omdat dan ineens veel software alles moet gaan werken zoals virusscanner, spamfilters, contentfilters, etc, etc. Hier ligt ook een groot probleem en waarom ik geen voorstander ben van dit soort toepassingen. Het maakt het probleem eigenlijk veel groter dan het eigenlijk is, want vaak zijn die applicaties even slecht geschreven of maken gebruik van dezelfde bibliotheken als normale applicaties.

Categories
Privacy & veiligheid

Going with portableapps.com

I tried, I tried hard, I couldn’t handle it. Microsoft Internet Explorer 6 without a proper Javascript-engine is a real nightmare, but officially I have to deal with it at a customer site. I could install Firefox in my homedir and use some of my limited storage space, but I would still break company policy. On the other side not having access to my sources like some Wiki’s, webmail, Safari Online, etc would stop me from doing my job basicly.

But it appears there is a solution if you can access a thumbdrive as in my case. Most thumbdrives has U3 which allows you to run software of your thumbdrive, but there is maybe an even easier solution. Most open source applications that have a Win32-port can be packaged to run of a thumbdrive. The most famous packaging sites for this is PortableApps.com.

Officially I don’t install any software on a machine and I don’t break any company policies. I doubt how long it would take before CD-drives and USB-connectors are closed again due to dataloss or stolen data. But then again, they could also offer a proper browser. It is also good to know there are companies with even stranger policies and solutions. Security should be about enabling people not trying to stop them as they will work around the issue sooner or later to get things done.