The Blog of Harald

(No, not retinal scans :)

After upgrading the home server today, I was looking through the logs, and noticed several simultaneous username/password guessing scripts probing the machine, connecting via SSH. Fortunately the machine that actually serves incoming SSH connections is a virtual machine, locked down with few packages installed and (relatively) good passwords. I still feel dirty, though.

I’m going to have to install a good portknocking package, I think. In the meantime, I’ve locked down the home server to only accept incoming SSH from a small number of machines. I should have done this long ago (both persephone and penelope already have this), but custom firewall rules with DD-WRT are hard, and so I punted.

This also means I’m probably going to have to replace my crappy Linksys running DD-WRT with a full-blown Linux box so that I can create a proper firewall. I really wonder sometimes if this whole “Internet” thing is worth the trouble.

I saw a story recently about a musician who took out an ad in a magazine to sell CDs, and ended up only receiving four orders. I don’t want to quote the whole thing, so the original is worth reading (“and if only one percent of those people…”:http://gapingvoid.com/2009/09/28/and-if-only-one-percent-of-those-people/).

In particular, the punch-line struck me as interesting in the context of SPAM and 419 scams and similar issues:

bq. He forgot there was a number lower than one percent.

Why do SPAM and email scams work? because there is a number lower than one percent, and because sending millions of e-mails is virtually free. Taking my recent “work on a cruise ship” scam e-mail, we have to remember that if only 100 people are sucked in, that’s still $32,000 revenue for the scammer…

I just received unsolicited email offering jobs on a cruise ship; all I have to do is send a bunch of personal data and $320 for processing. They say all unplaced applicants will have their money refunded… Do you believe them?

Apparently there are many secret cables buried in and around Washington, DC. The “call before you dig” guys don’t know about them, so if you dig one up, guys in suits driving black SUVs arrive. Which of course creates a social engineering attack:

bq. So if I want to stop a construction project in the DC area, all I need to do is drive up in a black SUV, wear a suit and sunglasses, and refuse to identify myself.

“Secret Government Communications Cables Buried Around Washington, DC”:http://www.schneier.com/blog/archives/2009/06/secret_govermen.html

Schneier on Security: Fear of Aerial Images

Yet another “refuse to be terrorized” article from Bruce Schneier, this time about satellite images in online mapping services…

bq. “It struck me that a person in a tent halfway around the world could target an attack like that with a laptop computer,” said Anderson, a Republican legislator who represents San Diego’s East County. Anderson said he doesn’t want to limit technology, but added, “There’s got to be some common sense.”

The usual rebuttal applies:

bq. Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. I haven’t seen it talked about yet, but the Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water, and breathed the air. Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are — by and large — small and pedestrian and the bad uses are rare and spectacular. And while terrorism turns society’s very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response — just as we would if we banned cars because bank robbers used them too.

(the last quote is from http://www.schneier.com/blog/archives/2009/01/helping_the_ter.html).

Yet another example of the premise that if you want to understand the world around you, look for the incentives…

Schneier on Security: Perverse Security Incentives

bq. Incentives explain much that is perplexing about security trade-offs. Why does King County, Washington, require one form of ID to get a concealed-carry permit, but two forms of ID to pay for the permit by check? Making a mistake on a gun permit is an abstract problem, but a bad check actually costs some department money.

bq. In the decades before 9/11, why did the airlines fight every security measure except the photo-ID check? Increased security annoys their customers, but the photo-ID check solved a security problem of a different kind: the resale of nonrefundable tickets. So the airlines were on board for that one.

And so on…

“The World’s Biggest Diamond Heist”:http://www.wired.com/politics/law/magazine/17-04/ff_diamonds

These guys managed to blow through many layers of hi-tech security with careful planning and some low-tech tricks, and one huge security gaff: the “unduplicatable” key for the vault was hung on the wall in a storeroom next door.

My favorite bit, I think, was how they disabled a magnetic sensor on the vault door, that would detect the door being opened; they brought a piece of aluminum covered in double-sided tape, stuck it over the sensor pieces, unscrewed the pieces from the vault door and door frame, and swung them out of the way. The sensor was never triggered because the two pieces remained in contact…

The article is a bit long, but it’s worth reading both for how they got through all of the security, and the one stupid mistake they made that led to them all getting caught…

Who would have thought that a threat to children would be exaggerated by parents, teachers, and the media? “Not I,” he said sarcastically…

I’m not sure how long this link will last, so check it out:

“Internet threat to minors overblown: study”:http://www.theglobeandmail.com/servlet/story/RTGAM.20090114.wgtminors0114/BNStory/Technology/?page=rss&id=RTGAM.20090114.wgtminors0114

bq. The report, released on Wednesday, suggests that the biggest threats to children’s safety online may come from other children, and that their own behaviour could contribute to the trouble they encounter.

bq. “The risks minors face online are complex and multifaceted and are in most cases not significantly different than those they face offline,

bq. They said bullying and harassment, especially by peers, are the most frequent problem minors face both online and elsewhere.

As an aside, I’m particularly amused by the “fairness in reporting” content later in the article. The CEO of a company that _sells software_ to protect minors says that “more needs to be done”. I’m sure everyone agrees that he’s hopelessly biased, but modern journalistic standards require that both sides of a dispute be covered equally, regardless of the distribution of supporters to nay-sayers or the inherent bias of either parties.

Granted, my excerpts are probably biased too, so go read the article yourself. :)

Take a new computer and install Windows XP. Connect it to the Internet to download service packs and other patches. Before you have finished downloading and installing, your computer will have been hacked. There are so many automated probes running that you’re almost 100% sure to be infected by one of them. Researchers do this all the time with honeypots, to find out what payloads are currently in the wild.

I had installed a new Windows 2003 Server, had finished downloading and installing SP2, and was in the middle of downloading and installing the 51 patches released since, when IT Security hacked into the server and shut it down (disabling TCP/IP and the boot, of course)…

*sigh.

And what a way to come back to work it was!

Over the holidays, IT security used the Windows RPC flaw to “break in” to all of my Windows servers. The payload disabled TCP/IP in the registry, and modified the boot.ini to disable system startup. I spent today manually booting servers one by one and re-enabling TCP/IP, so that I could download and install the required patches. I am extremely glad that I have remote consoles on all of my servers, or I would have had to make the long trek out to Mississauga to fix everything!

The important servers are back up, but I probably have another day of this before everything’s back to normal. Ugh…

One of my computers managed to get itself infected with that evil Trojan that keeps popping up the “Warning! Your Computer May Be Infected!” window, to convince you to download and install more nefariously evil software.

I’ve spent the last hour cleaning it with various utilities; they’re starting to report “0 infections” now.

*sigh.

I’m surprised this announcement took so long:

*IBM to Bail Out HP Security Software Customers*

read it at “yahoo”:http://biz.yahoo.com/iw/081001/0439046.html or “marketwire”:http://www.marketwire.com/press-release/Ibm-NYSE-IBM-905733.html.

The Weakest Link

I thought I had posted this photo a long time ago, but I can’t find it now, so here it is again. (It came up on Fairly Oddparents this morning).

I first saw this on “Bruce Scheier’s security weblog”:http://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html.

(As it turns out, I had uploaded it to Gallery, but still never linked it here. Must have been distracted. Damned kids, get off my lawn! :-)

(See “Debian Security Advisory 1571”:http://www.debian.org/security/2008/dsa-1571 and “SSLkeys”:http://wiki.debian.org/SSLkeys)

This seems appropriate somehow:

!http://imgs.xkcd.com/comics/random_number.png!:http://www.xkcd.com/221/

Today I finally learned how to solve the NFS UID problem on Ubuntu.

You see, NFS normally does it’s permissions by numeric UID. If the UIDs on two different machines don’t match, then NFS permission checking doesn’t work; you don’t get access to your own files, and you might get access to somebody else’s files instead!

Ubuntu, of course, has no standard UIDs, not even for system services. So my four ubuntu boxes here each have different username <> UID maps.

Enter the ugidd package, which is an RPC daemon that runs on the client. The NFS server calls this daemon when a mount request comes in, and dynamically builds a UID map between the server and the client, based on the string usernames. As a side effect, it also seems to map userids that are not assigned on the client to ‘nobody’. In this way, the nfs server can map UIDs between systems, without the administrator (that’s me!) maintaining static map files.

The one downside is that this feature requires the user-space NFS server instead of the kernel nfs server, so performance suffers a bit. I have CPU to spare, though!

Now I can use NFS between my MythTV boxes :-)

An analysis of a large collection of passwords gathered in a Myspace phishing attack reveals that passwords are getting better, although:

bq. We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?

Schneier on Security: Real-World Passwords

Schneier on Security: Tracking People by their Sneakers

Researchers at the University of Washington have demonstrated a surveillance system that automatically tracks people through the Nike iPod Sport Kit.

feint and attack; move and countermove. The escalation is constant.

Steel armor meant the end of bows and crossbows. Firearms that could punch through armour made it useless as a defense, since armor only made the soldier slow and uncoordinated; a sitting duck. A close formation of infantry firing volleys by the numbers was unstoppable, until the devasation of the machine gun spelled their demise. Kevlar armor influenced the development of armor-piercing rounds (which, incidentally, are *less* deadly because they tend to go through their targets).

Technology is no different:

* Many modern computer viruses and trojans are capable of automatically disabling anti-virus software.

* Carjackings are on the rise, not because criminals necessarily like violent crime, but because with modern auto security systems it’s the only way to steal the car.

* In Denmark, criminals are breaking into stores and ransacking them; not because they like trashing stores, but because they can install ATM card-skimming hardware while everyone is distracted.

* In the Netherlands, they’re less subtle; they simply blow up the ATM and scoop the cash as it flutters down. (Kind of reminds me of the back-hoe technique of driving up and scooping the ATM out of the wall :).

Plus ca change, plus le meme chose.

I went to log on to my Group RRSP provider’s website today Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.

When I logged in, I was informed that my password had expired, and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures, your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company so care greatly about liability, so there you go.

Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occured to me:

* My password expires regularly. The problem is, I don’t login regularly (who moves RRSP funds around that often, anyway?).
* Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.)

And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question, my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send my either my new password or a temporary, expires soon password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.

Does anyone else see a false sense of security here?

The irony is that I spent the rest of today fighting with our own password reset implementation :-).

Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…

It figures. After doing a bunch of work to move my backup mailserver to a “virtual server”:http://blog.cfrq.net/chk/archives/2006/01/29/power-and-virtualisation/, it worked fine for about 10 days, and then suddenly I was seeing no incoming email in the logs. This is a sign of a problem; even when the primary server is working, spammers are always connecting to the backup (in the hopes of getting past filters).

Much testing has determined that rogers is now blocking inbound SMTP on my portion of the network (something they’ve apparently been rolling out for over a year now). The best laid plans of mice and men, and all that…