Movable Type security problem with Draft entries

I’m astonished that this has not been fixed yet, given the huge problems lately with Movable Type and comment spam.

Joe Grossberg: MT Post Status Vulnerability

This explains why I’ve been getting comment notifications for old posts, even though I’m running an automatic “close comments after 2 weeks” script.

Proving once again that open source developers are not any better at security than everyone else :-)

posted at 10:29 am on Wednesday, April 07, 2004 in Security | Comments Off on Movable Type security problem with Draft entries

Debugging the VPN

So the first time I fired up the VPN client, the rules on the firewall allowed the ISAKMP negotiation, but not the ESP data. I fixed that and tried again. This time, the firewall no longer rejects packets, but doesn’t pass them through, either. Debugging ensues. Debugging is made extra challenging by the fact that the VPN client disallows split tunnelling, thus killing the SSH session to the firewall each time it is started. Lots of running tcpdump in the background is required.

Eventually I gave up and ate supper.

I tried again after supper. The VPN comes up perfectly; the spiffy intranet portal appears. Apparently something previously cached has been un-cached. However, the connection only lasts about 5 minutes, then dies. Debugging does not follow; it’s time to play Euchre.

The next evening arrives. I fire up tcpdumps and a script to monitor /proc/net/ip_conntrack, under the assumption that connection tracking isn’t working properly (leading to the 5 minute timeout). I start the VPN client. Everything works; no session timeouts, no firewall issues. Hours of rapturous intranet browsing follow. I also play with using SSH through the VPN, out the corporate firewall, and back to the home firewall :-).
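The monitoring step described above (watching /proc/net/ip_conntrack to see whether the tunnel’s two flows, ISAKMP on udp/500 and ESP as IP protocol 50, are being tracked and how close each entry is to expiring) is easy to script. The following is an added example, not the author’s script: it parses the 2.4-era ip_conntrack text format and reports the entries that matter to the tunnel. The sample dump, the VPN gateway 198.51.100.7, the client 192.168.1.20 and the 60-second warning threshold are all constructed for the example.

```python
import os
import re

# Assumed address of the corporate VPN gateway (constructed for this example).
VPN_GATEWAY = "198.51.100.7"

# Constructed sample in the style of a 2.4-kernel /proc/net/ip_conntrack dump;
# not captured from the author's firewall.  ESP has no helper, so it shows up
# as "unknown 50".
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.1 sport=1022 dport=22 src=192.168.1.1 dst=192.168.1.20 sport=22 dport=1022 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=198.51.100.7 sport=500 dport=500 src=198.51.100.7 dst=192.168.1.20 sport=500 dport=500 [ASSURED] use=1
unknown  50 287 src=192.168.1.20 dst=198.51.100.7 src=198.51.100.7 dst=192.168.1.20 use=1
udp      17 170 src=192.168.1.20 dst=192.168.1.1 sport=1025 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1025 use=1
"""

# Each entry starts with: protocol name, protocol number, seconds until expiry.
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")


def parse_conntrack(text):
    """Return one dict per entry: protocol, timeout, original-direction tuple, flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        # The first src=/dst=/sport=/dport= run is the original direction; the
        # second run is the expected reply and is ignored here.
        orig = {}
        for key, value in re.findall(r"(\w+)=(\S+)", rest):
            if key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = value
        entries.append({
            "proto": int(m.group("proto")),
            "timeout": int(m.group("timeout")),
            "src": orig.get("src"), "dst": orig.get("dst"),
            "sport": orig.get("sport"), "dport": orig.get("dport"),
            "unreplied": "[UNREPLIED]" in rest,   # gateway never answered
            "assured": "[ASSURED]" in rest,       # traffic seen both ways
        })
    return entries


def tunnel_state(entries, gateway):
    """Pick out the flows a plain IPsec tunnel needs: ISAKMP (udp/500) and ESP (proto 50)."""
    with_gw = [e for e in entries if gateway in (e["src"], e["dst"])]
    return {
        "isakmp": [e for e in with_gw if e["proto"] == 17 and e["dport"] == "500"],
        "esp": [e for e in with_gw if e["proto"] == 50],
    }


def diagnose(text, gateway, warn_below=60):
    """Human-readable findings about the tunnel's conntrack entries (empty = healthy)."""
    state = tunnel_state(parse_conntrack(text), gateway)
    findings = []
    if not state["isakmp"]:
        findings.append("no ISAKMP (udp/500) entry for gateway: negotiation traffic is not being tracked")
    if not state["esp"]:
        findings.append("no ESP (proto 50) entry for gateway: data packets are not passing the firewall")
    for kind in ("isakmp", "esp"):
        for e in state[kind]:
            if e["unreplied"]:
                findings.append(f"{kind} entry is UNREPLIED: gateway never answered")
            if e["timeout"] < warn_below:
                findings.append(f"{kind} entry expires in {e['timeout']}s: idle timeout may drop the tunnel")
    return findings


if __name__ == "__main__":
    path = "/proc/net/ip_conntrack"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONNTRACK
    for finding in diagnose(text, VPN_GATEWAY) or ["tunnel entries look healthy"]:
        print(finding)
```

Run it in a loop (`watch` or a `while sleep 5` shell loop) while the VPN client is up; an ESP entry whose timeout keeps resetting to its starting value is being refreshed by traffic, while one that counts steadily down toward zero is what a dropped-after-five-minutes tunnel would look like from the firewall’s side.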

While I’m happy that everything’s working, I could live without the whole “attempt to debug problems that later mysteriously vanish” thing…

posted at 3:06 pm on Saturday, November 22, 2003 in Security | Comments Off on Debugging the VPN

webserver traffic

I have a webserver at home that has two purposes:

# serve my start.html page to the various computers around the home network
# serve a Java SSH client for remote access when I am travelling

otherwise, it’s empty; there’s an index.html that redirects visitors to “www.cfrq.net”:http://www.cfrq.net/.

So in the spirit of “joy”:http://www.cleverhack.com/blog/ I offer one week’s worth of log entries:

bc. 64.210.196.197 - - [05/Oct/2003:08:00:28 -0400] "GET /robots.txt HTTP/1.0" 404 1044 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Girafabot; girafabot at girafa dot com; http://www.girafa.com)"
64.210.196.197 - - [05/Oct/2003:08:00:30 -0400] "GET / HTTP/1.0" 200 346 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Girafabot; girafabot at girafa dot com; http://www.girafa.com)"
202.62.124.246 - - [05/Oct/2003:08:57:23 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
195.199.113.93 - - [05/Oct/2003:09:11:20 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 1040 "-" "-"
217.235.215.221 - - [05/Oct/2003:13:26:02 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
4.65.206.189 - - [06/Oct/2003:03:52:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 1040 "-" "-"
130.39.12.96 - - [06/Oct/2003:09:36:03 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
129.16.97.149 - - [06/Oct/2003:10:07:45 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
202.63.163.46 - - [06/Oct/2003:16:26:29 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
218.103.70.82 - - [07/Oct/2003:05:04:48 -0400] "GET / HTTP/1.1" 400 298 "-" "-"
62.94.18.69 - - [07/Oct/2003:07:35:18 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
64.68.82.169 - - [07/Oct/2003:08:51:01 -0400] "GET /robots.txt HTTP/1.0" 404 1044 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.68.82.169 - - [07/Oct/2003:08:51:12 -0400] "GET / HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
211.38.42.212 - - [07/Oct/2003:11:06:28 -0400] "GET / HTTP/1.1" 400 298 "-" "-"
80.50.49.231 - - [07/Oct/2003:16:09:35 -0400] "GET /sumthin HTTP/1.0" 404 1040 "-" "-"
211.233.37.239 - - [07/Oct/2003:19:40:15 -0400] "GET / HTTP/1.1" 400 298 "-" "-"
64.68.82.38 - - [08/Oct/2003:06:19:30 -0400] "GET / HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.216.223.109 - - [09/Oct/2003:01:03:38 -0400] "POST http://64.216.223.109:25/ HTTP/1.1" 200 346 "-" "-"
67.97.3.89 - - [09/Oct/2003:12:21:16 -0400] "GET /sumthin HTTP/1.0" 404 1040 "-" "-"
64.68.82.167 - - [10/Oct/2003:10:43:21 -0400] "GET /robots.txt HTTP/1.0" 404 1044 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
64.68.82.167 - - [10/Oct/2003:10:43:28 -0400] "GET / HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
206.98.253.78 - - [10/Oct/2003:20:43:37 -0400] "GET /sumthin HTTP/1.0" 404 1040 "-" "-"
213.206.74.231 - - [10/Oct/2003:23:29:19 -0400] "GET / HTTP/1.0" 200 346 "-" "-"
64.81.53.154 - - [11/Oct/2003:08:43:44 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
66.77.73.44 - - [11/Oct/2003:17:32:30 -0400] "GET /robots.txt HTTP/1.0" 404 1044 "-" "FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://fast.no/support/crawler.asp)"
12.247.47.7 - - [11/Oct/2003:19:11:29 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 964 "-" "-"

A little bit of search engine spider traffic, and a bunch of hack attempts. “Fascinating”, as Spock would say…

The “/sumthin fetch”:http://www.webmasterworld.com/forum11/2100.htm is apparently from a couple of trojans looking for 404 pages, because they often identify the webserver (and its weaknesses). “nsiislog.dll”:http://securityresponse.symantec.com/avcenter/security/Content/8035.html is a known buffer overflow. The POST to port 25 is a spammer looking for an open proxy, and the CONNECT 1.3.3.7:1337 is apparently a newer version of the same scanner (looking for the 405 error on the CONNECT, presumably).

As mentioned before, I run scripts that search my logs for common hack attempts and blacklist (or RBL) the source. Now I’ve got some new patterns to search for.
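A log-scanning script of the kind described above, written as an added example rather than the author’s own, looks like this: it parses Apache combined-format lines, names the probe each request matches (the nsiislog.dll overflow, the double-encoded cmd.exe traversal, the /sumthin 404 fingerprint, and the POST-to-port-25 / CONNECT open-proxy checks), and produces the list of source addresses a firewall deny rule would be written for. The sample lines are constructed in the shape of the entries above, and the probe names are this example’s own labels.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not the post's own
# file); the request shapes mirror the probes seen in the week of logs above.
SAMPLE_LOG = """\
64.210.196.197 - - [05/Oct/2003:08:00:28 -0400] "GET /robots.txt HTTP/1.0" 404 1044 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Girafabot)"
202.62.124.246 - - [05/Oct/2003:08:57:23 -0400] "GET /scripts/nsiislog.dll" 404 1040 "-" "-"
195.199.113.93 - - [05/Oct/2003:09:11:20 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 1040 "-" "-"
64.68.82.169 - - [07/Oct/2003:08:51:12 -0400] "GET / HTTP/1.0" 304 0 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
80.50.49.231 - - [07/Oct/2003:16:09:35 -0400] "GET /sumthin HTTP/1.0" 404 1040 "-" "-"
64.216.223.109 - - [09/Oct/2003:01:03:38 -0400] "POST http://64.216.223.109:25/ HTTP/1.1" 200 346 "-" "-"
12.247.47.7 - - [11/Oct/2003:19:11:29 -0400] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 964 "-" "-"
this line is not a log entry
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "agent".
# The request field is matched loosely because several probes omit the HTTP version.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (ip, method, target, status), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    if len(parts) < 2:
        return None
    return m.group("ip"), parts[0].upper(), parts[1], int(m.group("status"))


def classify(method, target):
    """Name the probe a request matches, or None when it looks like ordinary traffic."""
    # Decode twice so a double-encoded backslash ("%255c") is seen as "\".
    decoded = unquote(unquote(target)).lower()
    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        return "open-proxy-probe"      # relay check: CONNECT, or a request for another host
    if "nsiislog.dll" in decoded:
        return "nsiislog-overflow"     # the known IIS buffer overflow mentioned above
    if "cmd.exe" in decoded or "../" in decoded or "..\\" in decoded:
        return "cmd-traversal"         # directory traversal aimed at the Windows shell
    if decoded == "/sumthin":
        return "sumthin-probe"         # 404-page fingerprinting
    return None


def scan(log_text):
    """Map each source address to the set of probe names it triggered."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, target, _status = parsed
        kind = classify(method, target)
        if kind:
            hits.setdefault(ip, set()).add(kind)
    return hits


def blocklist(log_text):
    """Offending addresses in numeric order, ready for a firewall deny list."""
    return sorted(scan(log_text), key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip, kinds in sorted(scan(SAMPLE_LOG).items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(ip, ", ".join(sorted(kinds)))
```

The spider lines deliberately match nothing: the point of matching specific request shapes rather than “any 404” is that Googlebot fetching a missing robots.txt must never end up on the blacklist. Feed real log lines in on stdin or from a file in place of `SAMPLE_LOG` and the only lines that reach `blocklist` are the ones that would have been blocked by hand anyway.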

Coming on Monday: “automated comment spam blacklists”:http://www.jayallen.org/journey/2003/10/mtblacklist_monday_hell_or_high_water …

posted at 7:23 pm on Saturday, October 11, 2003 in Security | Comments Off on webserver traffic

Coventry Cathedral

Here’s an entry covering two of my favourite topics!

Today Sensity posted Coventry Cathedral. I love his photography! I don’t remember how I tripped over his photoblog; if I recall correctly, it was right around the time he built a new studio in the attic. Anyway, I’ve been reading (viewing?) it ever since.

“Coventry” is one of the classic stories of information warfare. To maintain secrecy, the Germans used a complicated machine called Enigma to encrypt their radio communications. They believed (with good reason) that Enigma was unbreakable. By the later part of 1940, the Allies _had_ cracked the code, thanks to the work of brilliant cryptologists at Bletchley Park. It is easy to argue that this project (codename Ultra) won us the war; it’s amazing what you can do when you know the enemy’s plans in advance.

Back to Coventry. On the night of November 14/15, 1940, German bombers substantially destroyed the city center of Coventry, including the 14th century cathedral. 545 civilians were killed; 4,865 were injured. The city’s infrastructure (buildings, gas mains, transit) was destroyed.

Thanks to Ultra, Churchill knew that the raid was coming, some say as early as November 12th. However, if the Allies had _acted_ on this knowledge, the Germans would have known that Enigma was broken, and changed their codes. In order to protect the secret of Ultra, Command chose not to defend Coventry. Many lives were lost, and a city destroyed.

It’s a good story, but it’s not true. The reality is both mundane and more plausible. The Allies knew a raid was coming, but they didn’t know exactly when, and had four different potential targets. The Germans used radio beams to guide the bombers to their targets; it was only shortly before the raid that the RAF determined that the beams intersected over Coventry. Jammers were sent out to disrupt the radio signals, but their equipment was incorrectly set. RAF fighters sent to intercept the bombers downed only _one_ plane (out of over 500). Some believe that this last point is what led to the myth; claiming that Coventry was destroyed to protect Ultra is better than admitting that the RAF completely failed to stop (or even slow down) the attack.

Still, the lesson is a valuable one. Intercepting enemy communication (encrypted or not) is only part of the problem; the other part is hiding your interceptions from the enemy. If your opponent discovers that an important plan has been intercepted, he’s going to change that plan (or worse, start deliberately feeding you false information).

posted at 12:09 am on Monday, September 29, 2003 in Random Thoughts, Security | Comments Off on Coventry Cathedral

PKI vs. KISS

“Jon Udell writes”:http://weblog.infoworld.com/udell/2003/09/28.html#a809 about a new “edge” security technology:

bq. CoreStreet has just signed a deal with Swedish locksmith Assa Abloy that will enable doors to enforce highly granular card access policies without wired (or wireless) connections. When an employee swipes a card at the main entrance, it’s refreshed with a daily set of proofs. The door need only check that the proof binds a resource (itself) to an identity (the employee) at a certain time (today).

bq. CoreStreet’s president, Phil Libin, sketches another interesting scenario. Suppose an employee needs a proof to access her own laptop but can’t contact the network. Since proofs are minimally just 20 bytes, it’s feasible to convey one in a phone call.

This sounds like exactly the style of problem that PKI was supposed to solve, but utterly failed to do. I find this somewhat ironic in the aftermath of “Baltimore’s demise”:http://www.guardian.co.uk/business/story/0,3604,1047749,00.html.
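The property the quoted piece describes, a door with no network connection that checks a 20-byte proof binding itself to an employee for one particular day, can be built from a one-way hash chain. The following is an added illustration of that construction and nothing more: it is not CoreStreet’s or Assa Abloy’s code, and the post does not describe their actual protocol, so the wiring (an `Issuer` that holds chain seeds and releases one chain element per day, a `Door` that stores only the chain’s public anchor), the 365-day chain length and the use of SHA-1 to get 20-byte proofs are all this example’s assumptions.

```python
import hashlib
import hmac
import secrets

CHAIN_DAYS = 365   # assumed validity period: one proof per day for a year


def h(data):
    # 20-byte digest, matching the "minimally just 20 bytes" figure quoted above;
    # a design done today would pick SHA-256 and accept 32-byte proofs.
    return hashlib.sha1(data).digest()


def hash_chain(value, steps):
    """Apply h() `steps` times (steps == 0 returns the input unchanged)."""
    for _ in range(steps):
        value = h(value)
    return value


class Issuer:
    """Back-office server: keeps one secret chain seed per (employee, door) pair
    and releases the day's element of each chain.  In the quoted scenario these
    are the proofs the card picks up at the main entrance (assumed wiring)."""

    def __init__(self, days=CHAIN_DAYS):
        self.days = days
        self.seeds = {}

    def enrol(self, employee, door):
        """Start a chain for (employee, door); returns the anchor the door must store."""
        seed = secrets.token_bytes(20)
        self.seeds[(employee, door)] = seed
        return hash_chain(seed, self.days)

    def daily_proof(self, employee, door, day):
        """The chain element `day` steps short of the anchor, for day 1..days."""
        if not 1 <= day <= self.days:
            raise ValueError("day outside the chain's validity")
        seed = self.seeds[(employee, door)]      # KeyError: no such access right
        return hash_chain(seed, self.days - day)

    def revoke(self, employee, door):
        """Revocation is silence: tomorrow's proof is never issued, so the
        door needs no update and no connection."""
        self.seeds.pop((employee, door), None)


class Door:
    """Offline lock: stores anchors and trusts only its own clock for `day`."""

    def __init__(self):
        self.anchors = {}     # employee -> anchor of that employee's chain for this door

    def install_anchor(self, employee, anchor):
        self.anchors[employee] = anchor

    def check(self, employee, day, proof):
        """True iff hashing `proof` `day` more times lands exactly on the anchor."""
        anchor = self.anchors.get(employee)
        if anchor is None or len(proof) != 20:
            return False
        return hmac.compare_digest(hash_chain(proof, day), anchor)


if __name__ == "__main__":
    issuer, door = Issuer(days=30), Door()
    door.install_anchor("alice", issuer.enrol("alice", "server-room"))
    proof = issuer.daily_proof("alice", "server-room", 7)
    print("day 7 proof as hex:", proof.hex())          # 40 characters: readable over the phone
    print("accepted on day 7:", door.check("alice", 7, proof))
    print("accepted on day 8:", door.check("alice", 8, proof))
```

Two properties make this fit the offline door. A proof for day N yields, by hashing, the proofs for every earlier day, but those are all expired, and the one-way function stops anyone turning today’s proof into tomorrow’s; and a lost card costs the issuer nothing more than not issuing the next element. What the door must still get right is the integrity of its stored anchors (installed at provisioning, or signed by the issuer) and a clock it can trust, since the day index is the only thing binding the proof to “today”.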

The full story is available at “Infoworld”:http://www.infoworld.com/article/03/09/26/38OPstrategic_1.html.

posted at 6:11 pm on Sunday, September 28, 2003 in Security | Comments Off on PKI vs. KISS

The Myth of ROI

An internal news clipping service led to a Google search, and I eventually found the original article “Information Security ROI: Not Every Expense Is an Investment”:http://www.metagroup.com/cgi-bin/inetcgi/jsp/displayArticle.do?oid=41867 by Tom Scholtz of “the META Group”:http://www.metagroup.com/.

bq. “Organizations should not consider every expense to be an investment,” adds META Group analyst Chris Byrnes. “Many security expenditures are completely valid and necessary and even legally required, but they are not investments that will produce a quantifiable return. In many instances, ‘What is the return on investment?’ is simply the wrong question to ask.”

This is true of many more things than Information Security, or even IT. Money is not always the right measure; sometimes it’s completely misleading (this is particularly true of environmental issues, but that’s a separate rant).

I’m glad to see someone “official” saying this for a change…

(The META Group article was originally published on 17 July 2003; why is it making the news in September?)

posted at 9:55 am on Friday, September 19, 2003 in Links, Security | Comments Off on The Myth of ROI

Identity Theft

The ideas in “David Brin”:http://www.davidbrin.com/’s “Transparent Society”:http://www.davidbrin.com/privacyarticles.html are interesting. On the other hand, “This article on identity theft”:http://www.pbs.org/cringely/pulpit/pulpit20030911.html is a major reason why I am a privacy advocate.

posted at 12:43 pm on Friday, September 12, 2003 in Current Events, Security | Comments Off on Identity Theft

Brazen Computer Theft

Proving that you can do _anything_ simply by looking official, a couple of thieves “stole two mainframe computers”:http://www.smh.com.au/articles/2003/09/04/1062548967124.html from Sydney International Airport.

bq. They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider which regularly sends people to work on computers after normal office hours.

bq. After supplying false names and signatures, they were given access to the top-security mainframe room. They knew the room’s location and no directions were needed.

bq. Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building.

posted at 4:11 pm on Friday, September 05, 2003 in Security | Comments Off on Brazen Computer Theft

People Still Don’t ‘Get’ Passwords

“blog.org”:http://blog.org/archives/cat_security_and_encryption.html#000745 → “The Register”:http://www.theregister.co.uk/content/55/30324.html :

bq. Nine in ten (90 per cent) of office workers at London’s Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

bq. Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password.

bq. If they initially refused they were asked which category their password fell into and then asked a further question to find out the password.

bq. A further 15 percent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied.

bq. The most common password was “password” (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

We put a lot of time and effort into getting the security right in our software. It’s nice to know that all that effort isn’t going to waste; people are forced to give away their passwords in order to compromise the system :-)

(That’s sar- I say, that’s sarcasm, boy.)

posted at 9:08 am on Friday, May 23, 2003 in Security | Comments Off on People Still Don’t ‘Get’ Passwords

The Cost of Lost Passwords

According to an article in silicon.com titled IT Helpdesks suffering user password hell (login as guest and search for the article):

Up to 80 per cent of calls received by helpdesk staff are from end users who’ve forgotten their passwords – and with each support call costing organisations around £15, the problem is not as trivial as it may sound.

Yes, it’s a UK study. The study goes on to conclude that what’s required is a fast system for resetting passwords. I maintain that what’s required is better authentication techniques, such as smart-card based keypairs. Sadly, while we’ve had the technology commercially available for more than a decade, we still can’t get vendors to use it.

posted at 9:18 am on Thursday, January 16, 2003 in Security | Comments Off on The Cost of Lost Passwords