The hacker’s tale…

I’m sitting at the computer, busily working away on a couple of projects, and then there’s a drop in throughput to the network… sites won’t load, and now – even one of the local servers won’t respond. Network bandwidth use is up like crazy; and then it drops.

Time to check a couple of logs. I use an Intrusion Detection System of my own design, and it’s caught a problem, and shut down a port on the switch to prevent further damage. I log into the Linux box from the hardwire console, run lastlog, and there it is – one account has been accessed from 188.24.238.197 – uh huh. I don’t think that is from the college, or any local ISP, and a quick check with ARIN says this block belongs to RIPE (uh oh) – and RIPE says it’s from Romania.

Oh dear. We have a hacker.

First things first. This system is disconnected from the outside world (and it was never connected to the inner network); so let’s make a copy for analysis… done. Now let’s look at the image, and see if we can figure out what happened. Hmm… seems the original account holder decided to change his password to “l234” – oh joy. How do I know this? From a logfile, showing all the login attempts, by an automated scanner (from Kiev). The scanner was able to fool the guard-shack software by operating in slow-motion; testing a new combination at a pseudo-random interval of 15-100 seconds apart. It’s been working on this since mid-March… but only on this one account. And – this system is generally hidden from view. How did it know to come here?

Turns out, the account holder advertised he had a new account on a new system and was learning Linux and posted messages about this in several forums… gee, thanks, guy.

Time to clean it up. The IDS is on a separate system, and when it noticed unusual traffic, simply contacted the switch and shut down the offending port, and then sent a few messages about what it did to the usual suspects. By turning down the switchport, the hacker lost connectivity immediately and was unable to execute the usual cleanups. Now I have a history file to peruse, and see what happened.
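The slow-motion guessing described above is exactly what a burst-based lockout misses: a rule that counts failures inside a short window never sees more than a few at a time, while a rule that counts over a long window catches the same traffic easily. The following is an added Python illustration, not code from this post and not the author’s IDS. It builds a constructed sshd-style log (hostname, account names, addresses and the 198.51.100.7 / 192.0.2.44 sources are all made up, as are the two thresholds) and runs one sliding-window failure counter under a 40-second burst rule and a 24-hour rule.

```python
import random
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line format used in the constructed sample below.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
TS_FORMAT = "%b %d %H:%M:%S"


def make_sample_log():
    """Return a constructed sshd-style log (not taken from the original post).

    A guesser at a constructed address tries 'bob' 30 times at pseudo-random
    15-100 second intervals; 'alice' mistypes her password twice, then logs in.
    """
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    lines = []
    t = datetime(1900, 3, 15, 2, 0, 0)  # strptime without a year also yields 1900
    for i in range(30):
        lines.append(f"{t.strftime(TS_FORMAT)} smallman sshd[{1200 + i}]: Failed password "
                     f"for bob from 198.51.100.7 port {40000 + i} ssh2")
        t += timedelta(seconds=rng.randint(15, 100))
    t0 = datetime(1900, 3, 15, 2, 10, 0)
    for i, offset in enumerate((0, 3)):
        ta = t0 + timedelta(seconds=offset)
        lines.append(f"{ta.strftime(TS_FORMAT)} smallman sshd[1300]: Failed password "
                     f"for alice from 192.0.2.44 port 5110{i} ssh2")
    ta = t0 + timedelta(seconds=9)
    lines.append(f"{ta.strftime(TS_FORMAT)} smallman sshd[1300]: Accepted password "
                 f"for alice from 192.0.2.44 port 51102 ssh2")
    lines.sort(key=lambda line: line[:15])  # chronological, like a real log
    return lines


def flag_failures(lines, window, threshold):
    """Return {user: time_first_flagged} for every user with at least
    `threshold` failed logins inside a sliding `window`.

    Lines that are not failures (accepted logins, other daemons) are skipped.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["user"]]
        q.append(t)
        while t - q[0] > window:  # discard failures older than the window
            q.popleft()
        if len(q) >= threshold and m["user"] not in flagged:
            flagged[m["user"]] = t
    return flagged


# A burst rule of the "guard-shack" kind: 4 failures within 40 seconds.
BURST_RULE = (timedelta(seconds=40), 4)
# A long-window rule: 20 failures within 24 hours, however spread out.
SLOW_RULE = (timedelta(hours=24), 20)


def compare_rules(lines=None):
    """Return (users flagged by the burst rule, users flagged by the slow rule)."""
    lines = make_sample_log() if lines is None else lines
    return (sorted(flag_failures(lines, *BURST_RULE)),
            sorted(flag_failures(lines, *SLOW_RULE)))


if __name__ == "__main__":
    burst, slow = compare_rules()
    print("burst rule flagged:", burst)  # []
    print("slow rule flagged: ", slow)   # ['bob']
```

With gaps of at least 15 seconds, four of the guesser’s attempts can never fit in a 40-second window, so the burst rule stays silent for the whole run; the 24-hour rule fires on the twentieth failure against the same account. Alice’s two typos trip neither rule, which is the point of counting per account over a long window rather than reacting to any short flurry.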

Three hours pass… and it’s clean. I have a system image preserved for posterity (or at least for the rest of the month), and an improved password policy in place on the system. I thought I had one in place, but a routine update overwrote the file with defaults – I see the update I used was replaced in the repository shortly after I used it; put that one down to bad luck, and add the affected files to the comparator cron job.

Live and learn. Back to electron mining.

…and for the account holder who created the vulnerability? His account and one other (also advertised on WoW forums) have been obliterated. I hope he didn’t use his clever password elsewhere…


Hacking HTTP via GET; part the first.

For the past couple of days the big hack-of-the-month is the Citigroup credit-card data disclosure. Reading today in the NY Times, I was struck by this description:

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

source: “Thieves Found Citigroup Site an Easy Entry” NYTimes June 14 2011

Read that methodology again. They had a program insert the account numbers into the browser address bar and retrieve account settings. This is not, to my mind, rocket science.

Let’s go look at some web addresses. Here’s one from Amazon:

http://www.amazon.com/Hardware-Systems-Implementation-Computing-Works/dp/0070053960/ref=sr_1_4?ie=UTF8&qid=1308152624&sr=8-4

Here is one from the National Weather Service:

http://forecast.weather.gov/product.php?site=NWS&issuedby=PHI&product=PNS&format=CI&version=1&glossary=0

And finally, here are several from the Roseberry Homestead:

http://www.roseberryhomestead.org/?p=224
http://www.roseberryhomestead.org/?p=2
http://www.roseberryhomestead.org/?p=523

Peruse the above links carefully. You should note something in common: the parameters being passed along to the websites. In each case, the website receives parameters from the user – the indicator being the “?” separator. For Amazon, it’s quite involved. The NWS is a bit easier to read, and for Roseberry, it’s a simple “p=” followed by a number.

Let’s “hack” Roseberry. Open a new browser (ctrl-n works). Now copy one of the Roseberry links and paste it into your new browser window – but change the number to 228. Thus your “hacked” link should read as this:

http://www.roseberryhomestead.org/?p=228

and then load this page. Compare its content to the page link you originally copied. Different content – it is a different page.

But why stop there? Let’s try “hacking” the National Weather Service. This one is a bit harder since you need to change one or more items in the URL; but it’s still readily doable. You do have to know a bit about how the NWS is organized, but it’s not like they hide this stuff.

Take the original URL above, copy and paste it into your browser, but then use the arrow keys or mouse, and replace the letters “PHI” with “MHX” – and then load the resulting page. Now go back and change “MHX” to “EAX” and “PNS” to “FLS”, and load the result. What you should get is the Flood Statement issued by the Kansas City weather office. What we’ve been changing is the issuing office value (PHI, MHX, RAH, EAX, OAX, etc) and the product type (PNS, FLS, AFD, etc).

Congratulations. You are now versed in the Citigroup hacking method, at least as described in most press accounts. Note how hard this was, and then go back and read that NY Times quote again.

This “vulnerability” is part of the original HTTP specification – it’s called the GET method. In the second part, I’ll, er, get into what methods are and why the GET exists, and how things could be done for better protection of valuable data.
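The second part promises to look at how data behind such parameters could be better protected, and the core of it fits in a few lines. Below is an added Python example, not code from this post or from any of the sites named in it. It parses the query string of URLs like those above with the standard library, then contrasts a handler that trusts an `acct=` parameter with one that checks the parameter against what the authenticated session is allowed to see. The account store, the session table, the `bank.example` host and the `acct` parameter name are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed account store: what a banking-style handler would fetch by id.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 120},
    "1003": {"owner": "carol", "balance": 98000},
}

# Constructed session table: the account ids each logged-in session may read.
SESSIONS = {
    "sess-alice": {"user": "alice", "accounts": {"1001"}},
    "sess-bob": {"user": "bob", "accounts": {"1002"}},
}


def query_param(url, name):
    """Return the first value of `name` from the URL's query string, or None.

    This is the '?p=228' / 'issuedby=PHI' part of the URLs above: everything
    after the '?' is text the client typed, so none of it can be trusted.
    """
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def lookup_vulnerable(session_id, url):
    """'Before': the caller is authenticated, but gets whatever acct= names.

    Authentication proves who is asking; it says nothing about whether that
    caller may read the record it asked for, so changing the number in the
    address bar walks through every account.
    """
    if session_id not in SESSIONS:
        return None
    return ACCOUNTS.get(query_param(url, "acct"))


def lookup_hardened(session_id, url):
    """'After': the requested id must belong to the authenticated session."""
    session = SESSIONS.get(session_id)
    acct = query_param(url, "acct")
    if session is None or acct not in session["accounts"]:
        # Deny; repeated denials from one session are a strong alerting signal.
        return None
    return ACCOUNTS.get(acct)


def lookup_by_session(session_id):
    """Alternative: select private records from server-side session state.

    Public content (a weather product, a blog post number) can stay in the
    query string; private data need not be addressable by a client-chosen id.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return []
    return [ACCOUNTS[a] for a in sorted(session["accounts"])]


def denied_requests(session_id, urls):
    """Count requests the hardened handler refused: a simple detection input."""
    return sum(1 for u in urls
               if query_param(u, "acct") is not None
               and lookup_hardened(session_id, u) is None)


if __name__ == "__main__":
    own = "https://bank.example/account?acct=1001"
    other = "https://bank.example/account?acct=1002"
    print("vulnerable, foreign id:", lookup_vulnerable("sess-alice", other))  # bob's record
    print("hardened,   foreign id:", lookup_hardened("sess-alice", other))    # None
    print("hardened,   own id:    ", lookup_hardened("sess-alice", own))      # alice's record
    print("denied:", denied_requests("sess-alice", [own, other]))            # 1
```

The query-string parsing is identical in both handlers; the only difference is the one membership test in `lookup_hardened`. That is why the press description of the Citigroup method sounds so slight: the URL format is doing exactly what GET was designed to do, and the missing piece is an authorization check on the server, not anything clever in the browser.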

ps – all links quoted herein are working as of time of authorship.

A technical note about hosting…

I provide a lot of hosting support for my students. It’s best to learn on real-world systems, not XAMPP or other self-contained simulators. Thus I’ve registered a domain, set up GoogleApps for email and wiki-like services; and configured a linux-based host for the class.

This doesn’t have to cost a lot. The “SmallMan” server was built new for a budget of $325. It consists of: Intel 510DMO (dualcore 1.6 GHz Atom cpu), 4GB RAM, 500GB disk drive, dual-network addon card, an extra fan, an ITX case and P/S, and a DVDROM drive. It hosts three VMs, providing 23 webhosts, two email servers, various other support services… and draws a whopping 25 watts under heavy load.

Unless I look at it I can’t tell it’s running.

Time to move…

It will be moving day soon. Not for me, but for students wanting to take their accomplishments forward.

Since January, I’ve been teaching a course in Web Architecture. In practice this has left students with a number of websites, in various states of completion/construction/disrepair and so on. Most will have a customized WordPress install, and a Drupal 7 system.

For the time being, the course is hosted mostly on my little in-house server. By the end of the calendar year, students will have to move off this server.

But where to go?

There are generally three possibilities: host it yourself, pay for hosting, or take it down.

Host it yourself works only IF (big IF) you have: 1) requisite knowledge to install and configure a web hosting environment; 2) a computer to do this on; and 3) appropriate rights for hosting from your service provider. While my class teaches the first component, the others are beyond my control.

I think most will opt for paid hosting; or take it down. It’s too bad the college doesn’t provide hosting support for student projects.

Passwords and Accounts

I’m beginning to be overwhelmed.

A few weeks ago, I lost a USB-key (or flash-drive) with a copy of my master Firefox profile on it. The master profile has all the passwords on it. Think about that for a minute. ALL THE PASSWORDS. In one place.

Ouch.

After a rather frantic day changing the passwords on 227 different accounts, and struggling with a new password regimen, it became clear: I need a way to manage passwords. I probably also need better passwords, or at least more of them.

In the process, I also found which sites had rather poor password policies, and I’ve made a list of places to re-assess. In this day and age, password policies of “all numeric” or “only eight characters” or “upper-lower case only no numbers” are absurd. I’ve already decided to change vendors in some instances, due to absurdist password policies.

I still have to figure how to manage the passwords. There are several commercial solutions, as well as some open-source, but they almost all suffer from one or more drawbacks. I guess I’ll end up making a compromise, somewhere.

The first problem is with the hardware solutions – you have to carry it around with you, it needs batteries, it only stores a small group of passwords, what if I lose it? I don’t think I’m going to use a dedicated hardware unit.

The software solutions, well, I think I’ll have to go with one of them, but for an alternate path, I’m also beginning to use OpenID. I have accounts on several of the providers, but after having poked around a bit, I think I’ll end up using the Google-based provider most often. In order for this to work, of course, you have to have a Google Profile – and thus a new webpage was birthed.

Along the way I’m also going to finally take the plunge into the smartphone pool – StupidPhone™ is starting to wear out, and it’s about time I stepped forward from the trailing edge of technology. Whichever password manager I pick needs to run on an Android-based phone.

Growing tired of Facebook…

I think I’m about to reach the end of the line on Facebook… not totally, I’ll keep a few people on the list, but I’m realizing it is:

1) a colossal waste of time; 2) riddled with bugs and viruses; and 3) not a particularly viable medium for discourse.

This will get updated some over the next few days, but I’m about to trim the facebook “friends” list from its current 145 to perhaps a third of that number. Among other things, facebook is reminding me why I haven’t bothered to return to Burlington NC for well over 20 years.

Would the Internet exist without US Government sponsorship?

Yet another post based on the muse of Facebook…

I gotta ask, how subsidized is the “internet”? Would this thing be able to operate on a free-market, in your opinion (I would assume yes, as it has massive profits available to it), but, could the start-up of the internet have been possible without subsidization? Not sure how clear my question is. (a Facebook Friend)

My response:

As it is right now, there are no subsidies involved… it’s self-supporting based on domain registration fees and general good-will of the various commercial suppliers involved. To the extent the US Govt is involved at present, it is as a major consumer of bandwidth, and as a content supplier.

Starting out… The Internet (TCP/IP) protocol suite displaced X.25, which was available commercially from the late 1970s (I had an account from May 1978 onwards via Tymnet). X.25 is based on virtual circuits and is closer in conception to telephone switching than to the current Internet.

In X.25 networks, you connected to a single destination, and relied on that destination to provide your content and services. This was the original function of services such as CompuServe, Delphi, Prodigy and AOL. By 1993 the X.25-based services were handling around 20 million subscribers compared to TCP/IP having perhaps 500,000 users. It’s for this reason Windows 95 did not handle TCP/IP very gracefully; there was a good business argument to be made against the whole Internet “fad.”

In ’93 or ’94 the US Govt started to transition out of running the “Internet” – and opened it up to commercial users. Since TCP/IP ran on damn near anything (X.25 required special switches and lots of infrastructure by comparison) and had no messy royalties and such, it began to catch on quite quickly.