Hypo Tirol – Repeat after me: HTTP is bad, HTTPS is good

January 24, 2015

As I know many friends which are Hypo Tirol banking customers and are using the mobile banking app – and my wife is on a business trip and its dark outside – I took a short look at the mobile banking app for Android. And “Oh my God” the same mistakes banks made 10 years ago with online banking are made again.

I downloaded the app and launched it … I got to following

app_mobile

So what does Wireshark tell me after the I started the app?

app_http

Yes, there is some (most part) HTTP … so lets open the URL on my PC.

firefox_http

so the whole starting GUI of the banking app is transferred from the server via HTTP.

Attack vector

An attacker can use this to change the content to his liking and as the URL is not shown in the app it could be anything. An idea would be a site that looks like the banking site. The link “Mobile Banking” goes to the HTTPS URL

https://mbp.banking.co.at/appl/mbp/login.html?resource=002

The attacker just can copy and paste the pages and change the links, so it looks identical for the user ;-). So the only question remains – how an attacker can change the content:

  • The DNS servers return the IP address of the attacker for mobile.hypotirol.com
    • there are many know worms that change the DNS server settings of consumer internet routers
    • DNS poisoning attacks … seen in the wild for banking attacks
  • A Man in the Middle attack on a public Wifi, but the first two are much easier and can be exploited remotely.

Fix

Use HTTPS everywhere – no HTTP. And check the certificates.

The insecurity of the online version of the Tiroler Tageszeitung

January 17, 2015

This is the first post in over a month, why? As always I was at the Chaos Communication Congress in Hamburg and as I came back there was finally snow –> so I went ski mountaineering. Anyway here is new post, as today its raining so let’s write a post. ;-)

This post is about the lack of security awareness at the major tyrolian news paper Tiroler Tageszeitung (in short TT). So lets start why I believe that is true. To be more accurate what I found within 5minutes of looking – it took much longer to write this post.

The subscriber area

When you access http://user.tt.com/ you get following Login prompt.

tt_login

But look above ….

tt_nohttps

Yes, this site is not HTTPS protected. This is generally not a good idea as an attacker is able to change the URL the passwords are sent to after pressing the login button. But Ok, in 2011 that was not that bad, bad but not that bad. Why I talk about 2011 I’ll tell you later.

So lets enter our mail address and password and click the login button. What request is send?

tt_fail

Yeap!

  1. It is HTTP and not HTTPS? In 2014 using HTTP for login? That was even in 2011 bad.
  2. They are using HTTP GET with the password as parameter. I can’t believe it. Why? GET parameters are logged on web servers and even worse on proxy servers.  Newer, Newer summit passwords with GET, use POST and use HTTPS!

So  reading the online TT while waiting for something in a public WiFi network (which is most likely unencrypted)  is not a good idea. How many TT users are reusing their password (the email address is a given) ? How may users a potentially affected?

At least I’m able to answer the second question.  There is the Österreichische Auflagenkontrolle (ÖAK) … which counts how many copies of a given print media are sold.

tt_abos

Thats from 2012, the ones from 2013 are sightly smaller but not that formated that nicely for showing a screenshot here. So over 80.000 affected users. The state of Tirol has about 720.038 citizens according to Wikipedia. So over 10% of the population is affected.

The server side

While looking at the get request I found something else interesting.  At least the user.tt.com server seems to be running Debian Lenny.

tt_lenny

Why is that important? Let’s go to the Debian Wiki and have a look.

lenny_eol

Yes, you read that correctly. No security updates since 2012 and it I believe nobody installs a system with a operation system that is old-stable, the server install and setup must be at least be from 2010.  So lets take a look what vulnerabilities be could possible find for Apache 2.2 and PHP 5.2.6 patched the last time in 2012.  Let’s have a look at PHP first and followed by Apache. Apache is better than PHP, but for PHP there are some pretty high rated vulnerabilities, one even with the highest rating. Basically you can get everything from the box if you want. When I took a look which JavaScript made the HTTP GET request with the password I found following.

tt_jquery

jQuery 1.7.2 that sounds old …. a look at the release notes tells 21.3.2012, not new but only a medium vulnerability … attacking PHP is easier.

Basically we could own the user.tt.com server easily, but whats about the other servers. Are they better? What is obvious from the start that the servers for the main site are different ones and they are using Varnish as is an HTTP accelerator and the learned to hight the Apache version in the HTTP header.

tt_varnish

A short look in the Whois shows that the user.tt.com seems to be hosted by the TT itself and the frontend server for www.tt.com by the APA guys. It seems that they are filtering the bad stuff from the backend TT servers. As I didn’t want to dig deeper than whas possible in 5 minutes I stopped here … Just one thing I found which is not security related: tt.com is heavy using Google services for example Google Analytics.

tt_googleanalytics

The option _anonymizeIp() is missing here to not violate the Austrian data protections law and you need to post a information for your visitors (could not find one on tt.com) and make a opt-out possible.

So much for my 5 minutes analytics of the Tiroler Tageszeitungs homepage. ;-)

Start securing your debit cards and why you should do it

July 18, 2014

Many people got new debit cards (called “Bankomatkarte in Austria) from the various bankings institutes in the last months and years. Many cards are PayPass enabled for wireless money transactions. PayPass is based on NFC, which is also integrated in some of the modern smart phones. The default setting is that five 25 Euro transactions can be done without entering a PIN. So a possible damage can be up to 125 Euro. You’ll verify if your debit card supports that standard by checking it has PayPass printed on it.

paypass

Picture: Maestro PayPass

But I’ve seen some cards with only this symbol (at least on the front side):

paypass2

Anyway in therapy the card needs to be within 10cm of the reader and therefore an attack is not that easy. But already at Defcon 20 in 2012 Eddie Lee presented the possible of a NFCProxy which allows to misuse a card. The attack setup looks like this:

nfcproxy

Picture: Eddie Lee @ Defcon 20

So this allows following attack vector. You’re standing in a crow or in a line and have your debit card in your back pocket. One of the attacker stands behind you …. and the other  can be e.g. hundred meters away (only limited by the delay and reach of the network connection). They will be able to get your money with much less risk than with pocket picketing. And to make it even better – you can download the App for Android as an .apk file, ready to install and use, from Sourceforge.

So now you know of the problem, what can you to mitigate that problem?

  1. If you don’t need that feature at all, try to talk to your bank to disable that function. Some will do it for free, others will charge you. Some banks allow to you to choose if you want one with or without at renewal of your card.
  2. You basically like the feature, but you would like to have more control over it – thats also possible:
    1. Search for RFID/NFC blocking sleeves for credit card or payment cards
    2. You can get also wallets with RFID/NFC blocking feature … but currently they look not that great .. at least the ones I found

 

 

Communication analysis of the Avalanche Tirol App – Part 2

February 16, 2014

Originally I only wanted to look at the traffic to check why it took so long on my mobile, but than I found some bad security implementations.

1. The web service is password protected, but the password which is the same for all copies of the app is send in the clear

Just look at the request which is send via HTTP (not HTTPS) to the server. Take the string and to a base64 decoding and you get: client:xxxxxx  – oh thats user name and password and its the same for any copy of the app.

lawine_basic_auth

2. We collect private data and don’t tell our users for what

The app asks following question “Um in den vollen Genuss der Vorzüge dieser App zu kommen, können Sie sich bei uns registrieren. Wollen Sie das jetzt tun? / To get the full use of the app you can register. Do you want to register now?” at every launch until you say yes.

lawine_userdata

But for what feature do you need to register? What happens with the data you provide? There is nothing in the legal notice of the app. I’m also missing the DVR number from the Austrian Data Protection Authority. Also a quick search in the database didn’t show anything. Is it possible they forgot it?

3. We don’t care about private data which is given to us

The private data you’re asks at every launch until you provide it, is send in the clear through the Internet. A SSL certificate was too expensive?

lawine_privatedata

4. We are generating incremented client IDs to make it easy to guess the IDs of other users

At the first launch of the app on a mobile, the app requests an unique ID from the server which is not something random and not guessable. No its just a incremented integer  (can’t be the primary key of the database table?), at least my tests showed this … the value got only bigger and not that much bigger, every time.

lawine_client_registration

And as the image at point 3 shows that everything someone needs to change the user data on the server for an other user is this number, a small script which starts from 1 up to the 20.000 would be something nice …… the question is what else can you do with this ID? Should I dig deeper?

5. We’re using an old version of Apache Tomcat

The web service tells everyone who wants to know it, that its running on an Apache Tomcat/6.0.35. There are 7.0 and 8.0 releases out already, but the current patch release of 6.0 is 6.0.39 released 31 January 2014. But its worse than that, 6.0.35 was released on 5 Dec 2011 and replaced on the 19 Oct 2012 with 6.0.36. Someone not patching for over 2 years? No can’t be, the app is not that old. So an old version was installed in the first place?

ps: If you’re working with Ubuntu 12.04 LTS package … Tomcat is in universe not main … no official security patches.

This are my results after looking at the app for a short period of time … needed to do other stuff in between ;-)

Communication analysis of the Avalanche Tirol App – Part 1

For some time now a mobile app for Andriod phones and iPhones is advertized which is called the official app of Tirol’s Avalanche Warning Service and Tiroler Tageszeitung (Tirol Daily Newspaper), so I installed it on my Android phone some days ago. Yesterday I went on a ski-tour (ski mountaineering) and on the way in the car I tried to update the daily avalanche report but it took really long and failed in the end. I thought that can’t be possible be, as the homepage of the Tyrol’s Avalanche Warning Service worked without any problems and was fast.

So when I was home again I  took a closer look the traffic the app sends and receives from the Internet … as I wanted to know why it was so slow.  I installed the app on my test mobile and traced the traffic it produced on my router while it launched the first time.  I was a little bit shocked when I look at the size of the trace – it was 18Mbyte big. Ok this makes it quite clear why it took so long on my mobile ;-)  –> So part of the post series will be getting the size of the communication down , so I opened the trace in Wireshark and took at look at it. First I checked where the traffic was coming from.

lawine_traffic

So my focus was one the 188.40.84.141 which was the IP address of tirol.lawine-app.com and it is hosted by a German provider called Hetzner (you can rent “cheap” servers there).  As I opened the TCP stream I saw at once a misconfiguration. The client supports gzip but the server does not send gzipped.

lawine_gzip

Just for getting the value how much it would save without any other tuning I gzipped the  trace file and I got from 18.5Mbyte to 16.8Mbyte – 10% saved.  Than I extracted all downloaded files.  jpg files with 11Mbyte and png files with 4,3Mbyte … so it seems that saving there will help the most. Looking at the biggest pictures leaded to the realization that the jpg images where saved in the lowest compress mode. e.g. 2014-02-10_0730_schneeabs.jpg

  • 206462 Bytes: orginal image
  • 194822 Bytes: gimp with 90% quality  (10% saving)
  • 116875 Bytes: gimp with 70% quality (40% saving)

Some questions also arose:

  • Some information like the legend are always the same … why not download it only once and reuse until the legend gets update?
  • Some big parts of the pictures are only text, why not sent the text and let the app render it?
  • The other question is why are the jgep files 771 x 566 and the png files 410×238 showing the same map of Tirol? Downsizing would save 60% of  the Size (with the same compression level)
  • Why are some maps done in PNG anyway? e.g. 2014-02-10_0730_regionallevel_colour_pm.png has 134103 Bytes, saving it as jpeg in gimp with 90% quality leads to 75015 Bytes (45% saving)

So I tried to calculate the savings without minimizing the information that are transferred – just the representation and it leads to over 60% .. so instead of 18Mbyte we would only need to transfer 7Mbyte. If the default setting would be changed to 3 days instead of 7, it would go even further down, as I guess most people look only on the last 3, if even that. So it could come down to 3-4 Mbyte … that would be Ok, so please optimize your software!

I only wanted to make one post about this app, but then I found, while looking at the traffic, some security and privacy concerns I need to look into a bit closer …. so expect a part 2.

 

Bootable antivirus rescue CDs

January 19, 2014

There seams to be a virus wave here in Austria and Germany, don’t really know why but somehow many people click on the links and download the malware. Maybe its because the mail is a faked invoice from some well known (mobile) telecommunication providers and are written in good German – normally spam like this written in broken German. And it seams that the mail passed anti spam systems as I got the some mails on the cooperate account and at home .. normally I don’t get spam mails for month.

Anyway, while I was driving home today it was even in the local radio news .. one of the top items there. And when I was home a relative, which is not that close by called me and asked be how to get ride off that virus. He got infected as initially his anti virus didn’t detected it. I recommend him following link from Raymond. Its a comprehensive list of 26 bootable antivirus rescue CDs for offline scanning. I recommend him to use at least two of the following from the list.

  • Bitdefender Rescue CD
  • Kaspersky Rescue Disk
  • F-Secure Rescue CD
  • Windows Defender Offline

So if you get asked the same from your relative you don’t need to search further. ;-)

OeBB Railjet WiFi second, even bigger security problem

November 5, 2013

Yesterday I wrote about the the information leak at the Railjet Wifi. Today I’m traveling back to Tirol again with a Railjet and I found something other disturbing. I believe its even more problematic as it concerns the mail system. I used a openssl client to check various SSL and TLS connections to my servers, and when I called following:

$ openssl s_client -connect smtp.xxx.at:25 -starttls smtp

I got something I didn’t expect:

CONNECTED(00000003)
didn't found starttls in server response, try anyway...

Hey, my server does not support STARTTLS? I’m sure it does. I did a SSH to a server of mine and checked typed the same command and got my server certificate complete with chain. So something is not right here. I switched to Wireshark (which is running all the time … Ok, I launched it ;-) ) and looked at the traffic:

server: 220 profinet.at SurgeSMTP (Version 6.3c2-2) http://surgemail.com
client: EHLO openssl.client.net
server: 250-profinet.at. Hello openssl.client.net (194.112.182.213)
server: 250-AUTH LOGIN PLAIN
server: 250-ETRN
server: 250-X-ID 5043455352563431333833323030373135
server: 250-SIZE 50000000
server: 250 HELP
client: STARTTLS
server: 500 Sorry SSL/TLS not allowed from (194.112.182.213)

Hey? Thats not my mail server. Its not my IP address and its sure not the mail server software I use. WTF?

Someone is intercepting my SMTP traffic and if my mail clients would use the default setting (use TLS if possible) I would now send my login data (which is for most people the same as for fetching mails) in the clear over an unprotected WiFi. Block port 25 if you have fear of spammers, but don’t force unencrypted traffic over a open wifi.

Anyway whats that profinet.at stuff …. can’t be profi as in professionals. The Whois tells following:

Domaininhaber:
Organisationsname:       OeBB Telekom Service GmbH
Strasse:         Bruenner Strasse 20
PLZ:     1210
Stadt:   Wien
Land:    AT

Ok, thats the OeBB by itself. Real experts. ;-)

So keep an eye on your SMTP/IMAP configuration and make sure you’re forcing TLS/SSL otherwise someone in the same train is seeing your data.

Information Leak due OEBB Railjet WiFi

November 4, 2013

Today I traveled with the OEBB Railjet which provides a free WiFi. As the journey took some hours I had time to look at my networks traces and found something. After the captive portal with the Terms of Services was acknowledged, a page with some infos is shown. One of the infos is the original URL the user requested. If the users clicks on the link a separate tab opens with the page. The problem is that the URL the browser was given to access this info page has following format:

http://10.20.43.1:4990/www/portal/index.html?res=notyet&uamip=10.20.43.1&uamport=3990&challenge=7e623f476a0cd811b414ad6aa9cfce13&called=00-C0-3A-9D-55-E8&mac=xx-xx-xx-xx-xx-xx&ip=10.20.43.33&nasid=nas01&sessionid=5277d1c60000000b&userurl=http%3a%2f%2fwww.orf.at%2f

Which is sent as referrer to the original requested page if you click onto the link. As you see this referrer contains the full MAC address of the requesting device. Normally the MAC address is only visible via Layer 2 but with the information leak in my case www.orf.at knows my MAC address and if I have already gotten a cookie, they could add now my MAC to the list of know IDs. Ok, I guess the ORF doesn’t do that, but others might.

A solution would be simple for the OEBB, but until then don’t click on this link – type the URL again.

Howto force scheduled DSL reconnects on Mikrotik routers

November 10, 2012

In my last blog post I have shown how to connect to a PPPoA provider with a Mikrotik router and get the public IP address on the router. I also mentioned that my provider has the bad habit of disconnecting every 8h. As thats not exactly 8h, it tends to wander, but I want at least always the same times. This blog post shows you how to do that if you want the same.

What the script basically does is to force a reconnect at a given time once a day. First we need to make sure that we’ve the correct time on the router. The simplest way to do that is following line:

/system ntp client set enabled=yes mode=unicast primary-ntp=91.189.94.4

But you can only use an IP address there, if you want DNS names take a look hat this script. Also verify that you’ve configured the correct time zone with this command:

/system clock set time-zone-name=Europe/Vienna

Verify the current time with

[admin@MikroTik] > /system clock print
time: 20:56:44
date: nov/04/2012
time-zone-name: Europe/Vienna
gmt-offset: +01:00
dst-active: no

Now we need to write the script, which we to in 2 steps. First we create the script ….

/system script add name=scriptForcedDslReconnect source=""

… than we open it in the editor and add the actual code

[admin@MikroTik] > /system script edit 0
value-name: source

After this you get an editor and just copy and paste following lines:

/interface pptp-client set [find name="pptpDslInternet"] disabled=yes
/interface pptp-client set [find name="pptpDslInternet"] disabled=no
/log info message="pptpDslInternet forced reconnect. Done!"

and press CRTL-O. You can now check if all is correct with (everything should be colored in the script)

/system script print

Now we only need to add it to the scheduler

/system scheduler add name=schedularForcedDslReconnect start-time=00:40:00 interval=24h on-event=scriptForcedDslReconnect

And we’re done, it will disconnect always at 00:40, 8:40, 16:40 … as we wanted.

Howto use a Mikrotik as router for a PPPoA DSL Internet connection

November 4, 2012

I live in Austria and the biggest Internet provider is A1 Telekom Austria and they use PPPoA and not PPPoE. I’ve searched through out the Internet to find some documentation on how to configure a Mikrotik router for this. I wanted to have the public IP address on the Mikrotik and not on the provider router/modem. I did not find any documentation. But as I got it working I’ll provide such a documentation now. ;-)

1. The Basics

PPPoA is the abbreviation for PPP over ATM or some say PPP over AAL5 and it is used to encapsulate PPP into ATM cells to get into the Internet via ADSL connections. The more commonly used standard in this space is PPPoE (PPP over Ethernet), but which has somewhat more overhead as you need also to encapsulate the Ethernet header too.

There are now two possibilities:

The first is that the provider modem/router handles everything and you get only a private IP address behind the router, and the router masquerade the private IP addresses. This is normally the default as it works for 95% of the customers but your PC or own router does not get a public IP address. You need to use port forwarding if you want to provide services which are reachable from the Internet. And something which I specially need. You don’t get a event when you get disconnected and assigned a new IP address. A1 Telekom Austria has the bad habit to disconnect you every 8 hours … 3 times a day. As I want to have the disconnects always at the same time I need my own router to time it once a day, so it gets reseted to my desired reconnect times.

The second way it to get somehow the public IP address on the PC or router. In this case your need a provider modem/router with a PPPoA-to-PPTP-Relays. Take a look at the picture I took from the German Wikipedia(CC-BY-SA-3.0, Author Sonos):

 

The computer (or Mikrotik router) thinks it establishes a PPTP tunnel with the modem, but instead the modem encapsulates the packets and send them on via ATM to the provider backbone. So the computer or Miktrotik router does not need to be able to talk PPPoA it is enough if it is able to talk PPTP, the rest is handled by the modem.

2. Requirements

But of course there are some requirements:

  • The provider modem needs to be able to make a PPPoA-to-PPTP-Relays and which is important you need to be able to configure it, as some provider firmwares restrict that.
  • You need to know the username and password which is used for the ppp authentication
  • And for the sake of completeness – you need a Mikrotik router ;-)

3. Provider modem / router

My provider gave me a Thomson Speedtouch TG585 v7 modem/router. The firmware  is old (8.2.1.5) and branded but I was able to upload a new configuration via the web interface.

And as it works stable I did not see a reason to upgrade. I found in the Internet a INI file, which configured the router to PPPoA-to-PPTP-Relays mode. Three important notes:

  • If you search the Internet for a configuration file … look for “single user” or “single user mode” (SU), the masquerade mode is called “multi user mode” (MU)
  • It is also possible to configure the single user mode via telnet, there are some howto’s out there. The specific ones for Austria are of course in German.
  • The version numbering is quite broken. The A1 Telekom Austria branded firmwares are often higher (e.g. 8.6.9.0) than the newer generic firmwares (e.g 8.2.6.5_AA).

After configuring the router as PPPoA-to-PPTP-Relays it has the IP address 10.0.0.138/24 for my setup.

4. Mikrotik PPP configuration

So now to the Mikrotik configuration … we start with resetting the configuration with no defaults.

/system reset-configuration no-defaults=yes

Then we rename the first interface and add a transit network IP address

/interface ethernet set 0 name=ether1vlanTransitModem
/ip address add address=10.0.0.1/24 interface=ether1vlanTransitModem

And now we only need to configure the PPTP

/ppp profile add change-tcp-mss=yes name=pppProfileDslInternet use-compression=no use-encryption=no use-vj-compression=no
/interface pptp-client add add-default-route=yes connect-to=10.0.0.138 disabled=no name=pptpDslInternet password=YourPassword profile=pppProfileDslInternet user=YourUsername

this configuration should lead after connecting the ether1 with the modem to following log entries:

[admin@MikroTik] > /log/print
00:29:03 pptp,ppp,info pptpDslInternet: initializing...
00:29:03 pptp,ppp,info pptpDslInternet: dialing...
00:29:05 pptp,ppp,info pptpDslInternet: authenticated
00:29:05 pptp,ppp,info pptpDslInternet: connected

you should see the IP address too:

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADS  0.0.0.0/0                         xxx.xxx.xxx.xxx            1
1 ADC  10.0.0.0/24        10.0.0.1        ether1vlanTrans...        0
2 ADC  xxx.xxx.xxx.xxx/32   yyy.yyy.yyy.yyy   pptpDslInternet           0

But if you try to ping something you’ll get

[admin@MikroTik] > ping 8.8.8.8
HOST                                     SIZE TTL TIME  STATUS
8.8.8.8                                                 timeout
8.8.8.8                                                 timeout
sent=2 received=0 packet-loss=100%

whats the problem? the router uses the wrong source IP address, try following (the xxx.xxx.xxx.xxx is the IP address from /ip route print (entry 2) )

[admin@MikroTik] > /ping src-address=xxx.xxx.xxx.xxx 8.8.8.8
HOST                                     SIZE TTL TIME  STATUS
8.8.8.8                                    56  46 37ms
8.8.8.8                                    56  46 36ms
8.8.8.8                                    56  46 37ms
8.8.8.8                                    56  46 37ms
8.8.8.8                                    56  46 37ms
8.8.8.8                                    56  46 37ms
sent=6 received=6 packet-loss=0% min-rtt=36ms avg-rtt=36ms max-rtt=37ms

Now the Internet connection is working, we just need to make it usable ….

 5. Mikrotik on the way to be usable

The first thing we need is a masquerade rule that we use the correct IP address into the Internet, following does the trick.

/ip firewall nat add action=masquerade chain=srcnat out-interface=pptpDslInternet

But we want also a client to test it … so here is the configuration I use for the clients (without explanation as it is not the topic of this Howto)

/interface ethernet set 2 name=ether3vlanClients
/ip address add address=10.23.23.1/24 interface=ether3vlanClients


/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static add address=10.23.23.1 name=router.int


/ip pool add name=poolClients ranges=10.23.23.20-10.23.23.250
/ip dhcp-server add address-pool=poolClients authoritative=yes disabled=no interface=ether3vlanClients name=dhcpClients
/ip dhcp-server network add address=10.23.23.0/24 dns-server=10.23.23.1 domain=int gateway=10.23.23.1

Connect a client behind it, set it to DHCP and everything should work. I hope this Howto demystifies PPPoA and Mirkotik.

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 76 queries. 0.271 seconds.