How to mark mails as read/seen at delivery with the courier maildrop filter?

January 30, 2008

There is no clean way to do this, but I stilled needed to do it so I wrote this hack. Use it at your own risk. I’m using it for the spam mails I get, which have been marked by spam assassin. This mails should be delivered into the Junk folder and be marked as read so only new ham messages are counted/shown if I open my mailbox.

Download the markasseen.py script to /usr/local/sbin/ and set the executable flag. Now you only need to write following into the wished ~/.mailfilter file:


# filter spam mails and mark them as read
if ((/^X-Spam-Flag:.*YES/))
{
  cc "./Maildir/.Junk/."
  JUNK=`/usr/local/sbin/markAsSeen.py "./Maildir/.Junk/."`
  exit
}

Important: This script is only safe to use if all messages in a given folder should be marked as read!!

If you’ve a better way to mark messages as read on delivery tell me!

A1 UMTS card under Linux – just works

January 27, 2008

I got my hand onto an A1 UMTS PC-CARD and I did some research on how to use it with Linux. At first just plug the card into your Notebook and look at the logfile (/var/log/syslog on Debian based distributions). On a Kubuntu Feisty and newer Kubuntu versions and Debian Etch it is supported as /dev/USBtty0. This worked for all Huwai based cards I got my hands on, also the USB versions.

You have now 2 possibilities:

The first is to use the official Linux drivers from Vodafone which work also for A1. Just go to http://www.vodafonebetavine.net/web/linux_drivers/

The advantage of the official closed source program is that it ships with a special program which shows you how good the reception is and if it’s using GPRS or UMTS – but it is closed source and maybe not available for your hardware and/or software platform. And specially it is an GUI application you may want the UMTS internet access for a display less router. The following describes how I did it on an Debian Etch based router.

First you need to install the pppd


# apt-get install ppp

Than you create following files with the shown content:


# cat > /etc/ppp/peers/a1
hide-password
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/a1"
debug
/dev/ttyUSB0
115200
defaultroute
noipdefault
user "[email protected]"
remotename a1
ipparam a1
replacedefaultroute
usepeerdns


# cat > /etc/ppp/pap-secrets
"[email protected]" a1 "www"


# cat > /etc/chatscripts/a1
# ispauth PAP
# abortstring
ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL
TONE' ABORT 'NO ANSWER' ABORT DELAYED
# modeminit
'' ATZ
'' AT+CGDCONT=1,"IP","A1.net"
# ispnumber
OK-AT-OK "ATDT*99***1#"
# ispconnect
CONNECT \d\c
# prelogin
# ispname
# isppassword
# postlogin

Now download this perl script and change the PIN code (line 11) to the one of your card. Don’t forget to set the executable flag. Now you can go online with


# ./setpin.pl
# pon a1

The setpin.pl script needs to be called once each time you inserted your UMTS card. This setup is mostly identical for the other Austrian UMTS provides as they sell the same Huwai cards A1 does, just some Init commands are different. It is easy to find the correct ones for your provider with Google.

Script for dialing from within Kontact (Kaddressbook) on an Asterisk server

January 23, 2008

I have a VOIP phone connected to an Asterisk Server (a Vlines appliance in this case) and I wanted to make just one click onto a phone number in my Kontact to dial this number. So I needed to write a script which tells the Asterisk server to ring my phone and when I pick it up – Asterisk should than dial the number clicked in Kontact. This I did some time ago and I thought this script maybe help also others – so here it is!

Download the attached script and copy it to /usr/local/sbin/ and set the executable flag. Go in Kontact to Contacts and there in the Menu to “Settings|Configure Address Book …” and enter in this dialog in the edit field for “General|Script-Hooks|Phone” following

/usr/local/sbin/dialAsterisk.py %N

Now you only need to change the configuration of the script to your setup. The area and country code entries are used to remove these prefixes from an address book number. All non digits are removed with the execption of “+” witch is translated to “00”.

yourNumber = "sip/YOUR_EXTENTION"
user = "YOUR_USER"
password = "YOUR_PASSWORD"
context = user # may differ, if so specify
callerid = "Kontact"


asteriskHost = "ASTERISK_SERVER_IP"
asteriskPort = 5038
asteriskAreaCode = "0512"
asteriskCountryCode = "0043"
asteriskCombinedCode = asteriskCountryCode + asteriskAreaCode[1:]

Download it here: dialAsterisk.py

Active attacks on home routers underway

Only last week I posted about the UPnP attack vector on home routers and now Symantec is reporting active attacks on Mexican internet users. The purpose of this attack is to manipulate the DNS settings of the router so the user is directed to the phishing site for a popular Mexican bank. As there is no change on the computer itself, security software will have a hard time to detect such attacks. Sure the SSL certificate the fake site will provide is most likely faked, but most users just click Ok anyway. But my guess would be anyway that the phishing site is just plain HTTP.

But this is not the only attack vector even if a password is set for the router (not counting the default password). If a router allows the user to authenticate himself via a cookie, than an attacker needs only to provide an URL which includes the commands for the router. Sure the attacker needs to know the router which is used by the user, but thats not that complicated as you might think. For example in Austria an attack would be best done against Alcatel SpeedTouch router (configured to multi user mode) which used by the Telekom Austria since the start of DSL in Austria. And to make it worse, there is no password defined by default, so we don’t need a cookie attack at all.
It is therefore important to change the default password and to make sure the router requires a password each time you start your browser. It is also a good idea to restart your browser after you authenticated yourself against the router and before you surf through the internet.

You ask yourself how to attacker knows the IP address of the router? Thats easy – following possibilities exist:

  • just try 192.168.0.1 (or what is default setting for the router, which should be attacked)
  • get the IP address of the computer, and replace the last number of it with an one. (java script?)
  • use a applet (flash, java, ….) to get the default gateway or DNS server IP address – you’ve your router

The first one is the easiest one, but also the easiest to defeat. Just change the network to a new C-Class network out for 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8. eg. 10.133.122.0/24. So lets change to following mantra a little bit. Recommended steps for setting up your home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change the subnet of your router
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….

I’ve changed the subnets of my routers for years, just because the 192.168.0.0/24 stuff didn’t look cool – so be cool and change yours too.

First public version of autoSyncPodder online

January 20, 2008

autoSyncPodder Logo

I’ve just published the first version of autoSyncPodder, which is a software to automatically download podcasts and sync them with your mp3/ogg player – everything without user interaction. The project is licensed under the GPL (v2 or later)!

I’ve have the software running on my media center server which is running 24/7. The download part of the autoSyncPodder is called by cron once a day (in the night). I own a mp3/ogg player (Trekstor Vibez) which works by just coping the files onto it, no rehashing needed. The syncing is started as soon as I plug the player into a USB port. If a file gets deleted on the player the file will get deleted at the next sync on the computer too. After a successful synchronization the software will generate a beep if the user it is running under has the permissions for it.

Take a look at the autoSyncPodder Page.

ICQ / AOL is testing encryption – by adopting XMPP [Update]

January 18, 2008

Florian Jensen beaks the news about AOL adopting the Jabber protocol XMPP – at least on a test server. This is a good move for the interoperability of instant messaging service but also a good one for security and for me.

The ICQ traffic goes unencrypted over the network and I know of special programs which sniff the traffic for pop3, smtp, icq, …. communications and log the login data into a log file (good on routers 😉 ). So you don’t need someone to understand the Oscar protocol, any script kiddie can use these tools . This is the reason I don’t use ICQ except on networks I trust. You’ll ask yourself why I use ICQ (with Kopete as client) at all? Too many friends which I know for a long time (when ICQ was the only instant messaging system – you know the time before it was bought by AOL 😉 ) are still using ICQ. I’ve also a Jabber account and some of my friends have switched to Jabber or are using both as I do, but most use ICQ as their only IM system for > 10 years.

As XMPP is a “good” internet protocol the usage of TLS / SSL encryption is common throughout clients and servers. If AOL is really switching to XMPP it would really increase the security, so lets hope that this is the first step. Even if they are keeping their protocol and only allow XMPP Servers to send messages to their clients it would help me. I just would stop using my ICQ ID and switch completely to my Jabber ID, which than can communicate to my ICQ buddies.

Update: As Edwin Aoki from AOL pointed out in his comment you’re save if you’re using the original AOL clients. Sorry for not making that clear. The problem is only that I don’t know anyone who is using the original clients, even the friends who are using Windows are running alternative clients.

Proof that UPnP on home routers is bad

January 14, 2008

I said it for years it is a bad idea to enable UPnP on systems that protects your local network and/or PC from the internet. With UPnP any program on you PC is able to open “firewall” ports on your home router without requiring a user interaction. UPnP may has its purpose at streaming media within a secure network, which I’m not totally convinced anyway, but letting any malicious or bad written program open your PC/network for the whole internet is plain stupid. Ok, this is all known for years – why now this post?

Some folks at GNU Citizen have created a flash swf file capable of opening open ports into your network simply by visiting an malicious URL. This is done via the UPnP functionality common home routers provide. As flash is installed on the majority of personal computers this is a significant attack vector, specially since a “flash ad” can be inserted quite easily into trusted websites or by hacking such a website.

As this is not a new thread I can just repeat my normal statement when it comes to setting up a home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….

Bruce Schneier is wrong about unencrypted WLAN!

January 12, 2008

Bruce is right with many statements but his last one (Steal This Wi-Fi) is just populist and tries to provoke people. People with an understanding in this topic will see that and take it the right way, but not the ones who have a default setup of a access point / router running at home. They heard in the media that they have an insecure setup at home, and hopefully thought about changing that – but now a security expert tells them that’s not needed. He is simplifying the whole topic and is forgetting some important points.

Most users which have an unencrypted WLAN also have insecure PC at home. What is easier for them to do? Make a Windows System secure besides activating the automatic updates or login onto his router and change the password and configure the WLAN to be encrypted with 20 char long password?
Sure this still leaves the attack vector via malicious websites and emails but it is a start and a drive by attack is now much more complicated. Would a security computer help? Sure, but is it realistic?

Bruce also writes about his dear neighbors, which may need his internet access. Some thoughts about this. Not all neighbors are your friends, just talk to your friends – ask them if all there neighbors are their friends? If you like your neighbors, why not make an encrypted WLAN and tell them the password and share the costs of the internet connection with them. That helps all – except the ISP 😉

But lets look more at his technical points. He says that he is as secure at his unencrypted WLAN at home as at a public hotspot. Public access points normally allow no direct communication between clients. In infrastructure mode all traffic even between 2 clients need to be relayed by the access point and in a public access point setup it just makes no sense to activate this feature. Due the limited address space with IPv4 almost all public access points will provide only local IP addresses which are then masqueraded to one global IP address. Due to this facts it is possible to sniff the packet from and to the clients it is not possible initiate a direct communication to a client.
But still I would not do my e-banking via a public hotspot. Sure I trust my notebook and the CAs I’ve installed and I think the current version of SSL is secure. But still I would not do it. Call me paranoid, but it is different to do something like this at home or at a public hotspot.

I believe in layered security. Bruce writes in this commentary that one layer of security is enough (the one of his PCs). I can’t believe that he really means that. If you want to provide yourself with plausible deny ability then use 2 separate WLANs. One that is unencrypted and provides only access to the internet and one thats encrypted with WPA and at least a 20 char long password, as a passive dictionary attack is possible on WPA . Within this network you and your family can work within a first line of defense. That is a similar setup as FON provides, which he mentions in his commentary. So why should someone like Bruce use the unencrypted network for himself?

Besides these technical points someone needs to look also at the legal ones. He writes about the situation in the US, which is quite different from the laws in Europe. e.g. a German court ruled that the owner of a WLAN is required to make and keep it secure (german)
And I won’t talk about the problems you get into if the police raids your home, even if they don’t find something and to the gossip this leads in your village.

PPTP DSL Linux mini howto

I live in Austria and the only broad band Internet connection (not including the UMTS stuff) I can get is from the Telekom Austria and it is PPTP based and I’m using AON as Provider. I often hear from new guys in the LUGT (Linux User Group Tirol) that it is hard to set it up with Linux. It is not! I will explain here how to setup a PPTP tunnel to an Alcatel Speed Touch Ethernet modem on a Debian based distribution.

First we need to install some packages:


# apt-get install ppp pptp-linux

Than we need to set following IP on the network interface which is connected to the modem:


10.0.0.1/255.255.255.0

after this is done following should work:


ping 10.0.0.138

If not check if the LED for the LAN connection on the modem is on and that you’ve configured your interface correctly with “ifconfig”. It is now possible to use something like knet oder kppp to make the tunnel but I describe here the manual way for an small Linux server/router). Create a file
/etc/ppp/peers/aon with following content:


user your_long_aon_number (e.g. 49373880000)
noipdefault
defaultroute
hide-password
connect /bin/true
noauth
persist
debug

And /etc/ppp/pap-secrets with following:


49373880000 aon secret_password

Replace the number above with our own. If you’ve done this you just need to type following to make the connection:


# pptp 10.0.0.138 call aon

As this connection should be persistent we need to add a fail save script which monitors the pppd daemon. With this reconnect script, which I have running for > 5 years, I never had problems even if the tunnel stalled it was discovered and the tunnel reestablished. The content of the /usr/local/sbin/reconnect script is:


#!/bin/bash
/usr/bin/killall pppd 1>/dev/null 2>/dev/null
/bin/sleep 3
/usr/bin/killall pptp 1>/dev/null 2>/dev/null
/bin/sleep 3
/usr/bin/killall -9 pppd 1>/dev/null 2>/dev/null
/usr/bin/killall -9 pptp 1>/dev/null 2>/dev/null
/bin/rm /var/run/pptp/10.0.0.138 1>/dev/null 2>/dev/null
/bin/sleep 2
/usr/sbin/pptp 10.0.0.138 call aon

and in the crontab I’ve:


# m h dom mon dow command
0,30 * * * * ping -c 2 195.58.160.194 > /dev/null || ping -c 2 195.58.161.122
> /dev/null || /usr/local/sbin/reconnect

DMZ on SOHO routers is a joke!

January 10, 2008

If I talk to people with a DSL router/NAT they sometimes tell me they have placed a PC or gaming console into a DMZ (Demilitarized zone) and now they are secure. If I hear something like this I am at the brink of crying. Why?

First let’s take a look at how this routers are making their version of a DMZ. You specify the IP address of the device which should be in the DMZ. Basically that’s it. This IP address is from the same subnet as your other internal devices, which should be protected from the systems in the DMZ. But this is not the case in this scenario! Why? The device in the DMZ can communicate without filtering by a firewall to the devices in the internal network – which is the same anyway. In theory it would be possible by a filtering bridge (Layer2) but at the SOHO routers I checked it’s just an internal switch. As their version of DMZ cannot protect your internal network from your DMZ devices if they get compromised, you are in the false impression of being secure.

How to make a secure DMZ setup with a SOHO router?

I recommend to install openwrt onto your router if you’re fit enough with Linux. You can then specify (at least at the Linksys WRT54GL routers I always buy/recommend) which VLAN should be untagged on which switch port (the Linksys has an internal 6 port switch – 1 for the CPU, 1 for the uplink and 4 for devices). After you’ve specified the VLANs you can configure separate subnets for the internal network and the DMZ. After that configure the firewall rules so that only the internal network can initiate connections to the DMZ but not the other way round.

The problem with this setup is that it requires a lot more knowledge than the wrong version above, and the described solution therefore is not passable for the majority of the users. Anyway this post should show the users of such a DMZ at least the design flaws in their DMZ. And maybe, just maybe, some SOHO DSL router manufacture will create a real DMZ feature.
This is my first blog entry in the IT security segment, so please tell me what you think about it. Thx.

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 25 queries. 0.066 seconds.