Govware: New name for a special kind of Malware

February 9, 2008

In the last weeks and months I have increasingly been hearing the new word Govware, which is a special kind of Malware. I thought this would be interesting and informative for some of my readers, which is why you are reading this post now ;-). But first things first: what is Malware? Wikipedia defines it this way:

Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Govware is Malware which is used by governmental entities to extract information from computers without the knowledge of the user. Govware is a portmanteau of the words “government” and “software”. In Germany Govware is often called “Bundestrojaner”, but the term which is “winning” in the security sector seems to be Govware. I think that this name comes more from Europe than from the US, but it is easy and logical, so I think it will stick on both sides of the Atlantic.

One is a coincidence, two are suspicious but three or even four are no coincidence!

February 6, 2008

What am I talking about? About the four underwater cables in the Middle East and India which stopped working. On 30.1.2008 the underwater cables “Fiber-Optic Link Around the Globe (FLAG)” and “SEA-ME-WE 4” were cut off the coast of Egypt. At first everyone was talking about ships which possibly cut the cables, but now the Egyptian ministry of telecommunication went public with the information that there were no ships in that area within 12 hours.

On 1.2.2008 the Indian telecommunication company Reliance Communications reported an error with its cable Falcon off the coast of the Emirates. And last weekend there was another incident with an underwater cable of Qatar Telecom (Qtel) between the islands Haloul and Das, but this time it seems at least to be a power supply problem.

Anyway, the underwater cables are quite unstable these days .....

Now why am I posting this? It should show you that the internet can be attacked physically. Most people think the Internet was made to survive a nuclear war and that it is not possible to damage it to a large degree. Even if this is a myth, it had some truth in the past, but now everything is driven by the need to be economical. This leads to the point that the backbone of the internet is provided by only a few physical connections / organizations.

But this also leads me to think that these 4 incidents were not related ..... or better, not coordinated, as an attacker could do better, or it was a lame attacker. Still, it should show us that the internet is not that hard a target even for guys who don’t know anything about computers. You only need to know which lines run where and find the spots you need to hit at the same time to cripple the internet in a region.

It should therefore be in the strategic interest of most countries to increase the number of physical connections and organizations handling the internet backbone. But I’m aware that this is not that easy; at least the number of organizations and connections should not go down further. With every merger of backbone providers some manager will look at 2 cables going from A to B and remove one as it is more economical. With this attitude we are on the way to a non-fault-tolerant internet on which our whole economy builds. I can’t think of a better target to damage a modern economy.

Backup of Appliances: Login and Download

February 5, 2008

I sometimes have the problem that I want to back up a device which has only a web interface (e.g. an appliance). Most of them provide a possibility for this: after a successful login you only need to click the backup link/button in the browser to get a file with the backup. So why am I writing a whole post about this topic?

It is because I don’t want to do it myself, I want it done automatically every night, and now it is not that trivial anymore. Why would I want a backup every night? You say I could just make a backup every time I change something. I don’t think that this is a good idea, besides that I’m too lazy for this.

I normally use cURL for this task, which I will illustrate with a backup script for a Vlines appliance (an Asterisk server appliance). Take a look at the source:


#!/bin/bash
# Nightly backup of a Vlines appliance: log in, fetch the config, log out.
url=https://xxx.xxx.xxx.xxx
# a private temporary file instead of a fixed, predictable name in /tmp
cookieFile=$(mktemp /tmp/vlines_cookie.XXXXXX)
configFile=accessvoip.vlines
#-----------
# log in; the session cookie the appliance sets is written to the cookie jar.
# -s -S: no progress meter, errors are still reported; -o /dev/null: discard the login page
curl -s -S -o /dev/null -d "username=XXX&passwort=XXXX" -c "$cookieFile" "$url/index.php"
# fetch the backup with the session cookie; fixed file name so rsnapshot can compare runs
curl -s -S -b "$cookieFile" "$url/save.php" > "$configFile"
# end the session on the appliance and remove the cookie jar
curl -s -S -o /dev/null -b "$cookieFile" "$url/logout.php"
rm -f "$cookieFile"

As you see, it is really easy. cURL has the ability to store cookies, which this appliance uses to keep the user session, and the login credentials are provided as parameters to the server. After a successful login we just fetch the backup file and log out.

As you see I use a fixed filename for storage. This is because this script is called by rsnapshot, which compares the output of the script with the last run and provides hardlink-based snapshots. rsnapshot also sends me a mail if anything within the script produced output (= indicating an error).
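One thing the cURL version cannot tell is whether the login actually worked: an appliance that rejects the credentials usually answers the backup URL with its HTML login page and HTTP 200, so rsnapshot would happily snapshot that page as the "backup" and nobody gets a mail. The following is an added example (not the script from this post and not Vlines code) doing the same login / download / logout with a Python cookie jar and refusing to write the file if what came back looks like HTML. The URL, the form field names and the file name are the placeholders from the script above; the size threshold and the HTML test are my assumptions about what a real config blob looks like.

```python
#!/usr/bin/env python3
"""Added example: cookie-based login, backup download and a sanity check
on the result, written so that a failed login produces output and a
non-zero exit (which is what makes rsnapshot send a mail)."""
import http.cookiejar
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://xxx.xxx.xxx.xxx"                  # placeholder, as in the post
LOGIN_FORM = {"username": "XXX", "passwort": "XXXX"}  # placeholder credentials
CONFIG_FILE = "accessvoip.vlines"


def backup_looks_valid(data: bytes, min_size: int = 64) -> bool:
    """Return True unless the payload is empty, tiny, or an HTML document.

    Assumption: the appliance's real backup is a config blob, never an HTML
    page, so an HTML prefix means the session was not valid (login failed or
    the session expired) and we got the login page instead.
    """
    if len(data) < min_size:
        return False
    head = data.lstrip()[:256].lower()
    return not (head.startswith(b"<!doctype html") or head.startswith(b"<html"))


def fetch_backup(base_url: str = BASE_URL, form: dict = LOGIN_FORM) -> bytes:
    """Log in (POST), fetch the backup (GET) and log out, all in one cookie session."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    body = urllib.parse.urlencode(form).encode()
    with opener.open(base_url + "/index.php", data=body, timeout=30) as resp:
        resp.read()  # discard the login page; the session cookie is now in the jar
    with opener.open(base_url + "/save.php", timeout=60) as resp:
        data = resp.read()
    with opener.open(base_url + "/logout.php", timeout=30) as resp:
        resp.read()
    return data


def main() -> int:
    data = fetch_backup()
    if not backup_looks_valid(data):
        # any output or non-zero exit makes rsnapshot mail us, which is what we want
        print("backup rejected: empty or HTML returned instead of a config", file=sys.stderr)
        return 1
    with open(CONFIG_FILE, "wb") as f:
        f.write(data)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Call it from rsnapshot exactly like the shell script; the only visible difference is that a bad login now leaves the previous good snapshot untouched instead of overwriting it with a login page.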

This script should be easy to adapt to your device/appliance, like an access point, router, environment monitor, .... Have fun and be secure.

ovpnCNcheck — an OpenVPN tls-verify script

February 2, 2008

If you run an OpenVPN server you may have asked yourself how you can decide which clients can connect even if they were signed by the same CA. A common case arises if you provide more than one OpenVPN server but not all clients should be able to connect to every one. Sure, it would be possible to use a separate CA for each server, but that would not be flexible. The clients would need more than one certificate/key pair, and if you want to enable/disable access to a certain server for a client you need to generate/revoke the client certificate. Not a good idea!

I’ve therefore written two scripts which solve this problem. These scripts check if the peer is in the allowed user list by checking the CN (common name) of the X.509 certificate against a provided text file. For example in OpenVPN, you could use the directive:

tls-verify "/usr/local/sbin/ovpnCNcheck.py /etc/openvpn/userlist.txt"

This would cause the connection to be dropped unless the client common name is within userlist.txt. The bash script just checks if a common name is in one of the lines (one CN per line) and the python version parses the provided regular expressions. In this case every line should hold one regular expression, which can also be just one common name (don’t forget to escape characters like .?^()[]\ with a \). Empty lines or ones which start with a # are ignored. The bash version also works on an “out of the box” OpenWRT installation.
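For readers who want to see how such a tls-verify script fits together, here is an added example in the same spirit; it is not the ovpncncheck.py linked below. OpenVPN appends two arguments to whatever command is given to tls-verify, the certificate depth and the X.509 subject, so with the directive above argv is [script, userlist, depth, subject], and exit status 0 accepts the certificate while anything else rejects it. The script name cncheck.py and the regex that pulls the CN out of both subject formats OpenVPN has used (slash-separated and comma-separated) are my assumptions.

```python
#!/usr/bin/env python3
"""Added example of an OpenVPN tls-verify script: accept the client only
if the CN of its certificate matches one of the regular expressions in
the user list (one per line, # comments and blank lines ignored)."""
import re
import sys


def load_patterns(text: str) -> list:
    """One regular expression per line; blank lines and # comments are skipped."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def common_name(subject: str):
    """Extract the CN from '/C=AT/O=Example/CN=alice' as well as from
    'C=AT, O=Example, CN=alice'; returns None if the subject has no CN."""
    m = re.search(r"(?:^|[/,]\s*)CN=([^/,]+)", subject)
    return m.group(1).strip() if m else None


def is_allowed(depth: int, subject: str, patterns: list) -> bool:
    """Only the leaf certificate (depth 0) is checked against the list.
    Intermediate and root certificates (depth > 0) were already validated
    by the normal chain check, so they are passed through unchanged."""
    if depth > 0:
        return True
    cn = common_name(subject)
    if cn is None:
        return False
    # fullmatch, so the pattern 'alice' does not also accept 'alice-evil'
    return any(p.fullmatch(cn) for p in patterns)


def main(argv) -> int:
    if len(argv) != 4:
        print("usage: cncheck.py USERLIST DEPTH SUBJECT", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        patterns = load_patterns(f.read())
    return 0 if is_allowed(int(argv[2]), argv[3], patterns) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The fullmatch is the part worth copying: a plain search would let the user list entry "alice" also admit a certificate issued to "alice-evil", and the depth check keeps the CA certificate itself from having to appear in the list.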

Python version: ovpncncheck.py
Bash version: ovpncncheck.sh

Hope it helps you!

How to mark mails as read/seen at delivery with the courier maildrop filter?

January 30, 2008

There is no clean way to do this, but I still needed to do it, so I wrote this hack. Use it at your own risk. I’m using it for the spam mails I get, which have been marked by SpamAssassin. These mails should be delivered into the Junk folder and be marked as read so only new ham messages are counted/shown when I open my mailbox.

Download the markasseen.py script to /usr/local/sbin/ and set the executable flag. Now you only need to write the following into the desired ~/.mailfilter file:


# filter spam mails and mark them as read
if ((/^X-Spam-Flag:.*YES/))
{
  # deliver a copy into the Junk folder first ...
  cc "./Maildir/.Junk/."
  # ... then let the script mark everything in that folder as seen
  JUNK=`/usr/local/sbin/markAsSeen.py "./Maildir/.Junk/."`
  # stop here, so the message does not also end up in the inbox
  exit
}

Important: This script is only safe to use if all messages in a given folder should be marked as read!!
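To make clear why that warning holds, here is an added example of what such a script has to do (it is not the markasseen.py linked above, just my own implementation of the same idea). In the Maildir format an unread message sits in new/ with a bare file name; it counts as read once it lives in cur/ with the info suffix ":2," followed by flags in ASCII order, "S" being Seen. Because new/ does not record which message was just delivered, the script can only move all of them, which is exactly why it must never run on a folder where unread mail matters. The folder argument follows the mailfilter line above; the helper names are mine, and demo_on_temp_maildir builds a constructed Maildir in a temporary directory so the code can be tried without touching real mail.

```python
#!/usr/bin/env python3
"""Added example: mark every message in a Maildir folder as read by
moving it from new/ to cur/ with the Seen flag."""
import os
import sys
import tempfile


def seen_name(filename: str) -> str:
    """Return the cur/ file name carrying the S flag.
    'id' -> 'id:2,S'; 'id:2,' -> 'id:2,S'; 'id:2,RS' stays unchanged."""
    base, sep, flags = filename.partition(":2,")
    if not sep:
        return base + ":2,S"
    if "S" in flags:
        return filename
    return base + ":2," + "".join(sorted(flags + "S"))


def mark_all_seen(maildir: str) -> list:
    """Move every message from new/ to cur/ with the Seen flag and return the
    new paths. This touches ALL unread messages in the folder, which is the
    caveat from the post: only use it on folders like Junk."""
    new_dir = os.path.join(maildir, "new")
    cur_dir = os.path.join(maildir, "cur")
    moved = []
    for name in os.listdir(new_dir):
        src = os.path.join(new_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(cur_dir, seen_name(name))
        os.rename(src, dst)  # same filesystem, so the move is atomic
        moved.append(dst)
    return moved


def demo_on_temp_maildir() -> dict:
    """Build a constructed Maildir with two unread messages in a temp dir,
    run mark_all_seen on it and return the resulting new/ and cur/ listings."""
    root = tempfile.mkdtemp(prefix="maildir-demo-")
    for sub in ("new", "cur", "tmp"):
        os.mkdir(os.path.join(root, sub))
    for name in ("1201700000.M1P2.host", "1201700001.M3P4.host:2,"):
        with open(os.path.join(root, "new", name), "w") as f:
            f.write("Subject: constructed sample\n\nbody\n")
    mark_all_seen(root)
    return {"new": sorted(os.listdir(os.path.join(root, "new"))),
            "cur": sorted(os.listdir(os.path.join(root, "cur")))}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Maildir/.Junk/")
    for path in mark_all_seen(target):
        print(path)
```

Since maildrop's cc has already delivered the copy by the time the backtick command runs, the just-delivered spam is in new/ and gets moved along with everything else that was still unread there.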

If you have a better way to mark messages as read on delivery, tell me!

A1 UMTS card under Linux – just works

January 27, 2008

I got my hands on an A1 UMTS PC-CARD and did some research on how to use it with Linux. At first just plug the card into your notebook and look at the logfile (/var/log/syslog on Debian based distributions). On Kubuntu Feisty and newer Kubuntu versions and on Debian Etch it shows up as /dev/ttyUSB0. This worked for all Huawei based cards I got my hands on, also the USB versions.

You have now 2 possibilities:

The first is to use the official Linux drivers from Vodafone, which also work for A1. Just go to http://www.vodafonebetavine.net/web/linux_drivers/

The advantage of the official closed source program is that it ships with a special program which shows you how good the reception is and if it’s using GPRS or UMTS, but it is closed source and maybe not available for your hardware and/or software platform. And especially since it is a GUI application, it is of no use if you want the UMTS internet access for a display-less router. The following describes how I did it on a Debian Etch based router.

First you need to install pppd:


# apt-get install ppp

Then you create the following files with the shown content:


# cat > /etc/ppp/peers/a1
hide-password
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/a1"
debug
/dev/ttyUSB0
115200
defaultroute
noipdefault
user "[email protected]"
remotename a1
ipparam a1
replacedefaultroute
usepeerdns


# cat > /etc/ppp/pap-secrets
"[email protected]" a1 "www"


# cat > /etc/chatscripts/a1
# ispauth PAP
# abortstring
ABORT BUSY ABORT 'NO CARRIER' ABORT VOICE ABORT 'NO DIALTONE' ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT DELAYED
# modeminit
'' ATZ
'' AT+CGDCONT=1,"IP","A1.net"
# ispnumber
OK-AT-OK "ATDT*99***1#"
# ispconnect
CONNECT \d\c
# prelogin
# ispname
# isppassword
# postlogin

Now download this perl script and change the PIN code (line 11) to the one of your card. Don’t forget to set the executable flag. Now you can go online with:


# ./setpin.pl
# pon a1

The setpin.pl script needs to be called once each time you insert your UMTS card. This setup is mostly identical for the other Austrian UMTS providers as they sell the same Huawei cards A1 does, just some init commands are different. It is easy to find the correct ones for your provider with Google.

Script for dialing from within Kontact (Kaddressbook) on an Asterisk server

January 23, 2008

I have a VOIP phone connected to an Asterisk server (a Vlines appliance in this case) and I wanted to just click a phone number in my Kontact to dial it. So I needed to write a script which tells the Asterisk server to ring my phone and, when I pick it up, Asterisk should then dial the number clicked in Kontact. I did this some time ago and thought this script may also help others, so here it is!

Download the attached script, copy it to /usr/local/sbin/ and set the executable flag. In Kontact go to Contacts and there in the menu to “Settings|Configure Address Book ...”, and in this dialog enter the following in the edit field for “General|Script-Hooks|Phone”:

/usr/local/sbin/dialAsterisk.py %N

Now you only need to change the configuration of the script to your setup. The area and country code entries are used to remove these prefixes from an address book number. All non-digits are removed, with the exception of “+”, which is translated to “00”.

yourNumber = "sip/YOUR_EXTENSION"
user = "YOUR_USER"
password = "YOUR_PASSWORD"
context = user # may differ, if so specify
callerid = "Kontact"

asteriskHost = "ASTERISK_SERVER_IP"
asteriskPort = 5038
asteriskAreaCode = "0512"
asteriskCountryCode = "0043"
asteriskCombinedCode = asteriskCountryCode + asteriskAreaCode[1:]
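To show what the configuration above feeds into, here is an added example (my own code, not the dialAsterisk.py linked below) of the two pieces such a click-to-dial script consists of: the number normalisation described above, and the exchange with the Asterisk Manager Interface on port 5038, a Login action followed by an Originate that rings our own phone first and connects it to the clicked number once we pick up. The configuration values are the post's placeholders; the action text follows the AMI protocol as documented by Asterisk, "Async: true" (so the script does not block until the call is answered) and the helper names are my choices, and how to treat a number with our country code but a foreign area code is my assumption (it is left unchanged).

```python
#!/usr/bin/env python3
"""Added example: normalise an address book number and originate the call
through the Asterisk Manager Interface (AMI)."""
import socket
import sys

yourNumber = "sip/YOUR_EXTENSION"
user = "YOUR_USER"
password = "YOUR_PASSWORD"
context = user
callerid = "Kontact"
asteriskHost = "ASTERISK_SERVER_IP"
asteriskPort = 5038
asteriskAreaCode = "0512"
asteriskCountryCode = "0043"
asteriskCombinedCode = asteriskCountryCode + asteriskAreaCode[1:]  # "0043512"


def normalize_number(raw: str, area: str = asteriskAreaCode,
                     country: str = asteriskCountryCode) -> str:
    """Keep digits and '+', turn '+' into '00', then strip our own
    country+area prefix or bare area prefix so the call is dialled locally."""
    number = "".join(ch for ch in raw if ch.isdigit() or ch == "+")
    number = number.replace("+", "00")
    combined = country + area[1:]
    if number.startswith(combined):
        return number[len(combined):]
    if number.startswith(area):
        return number[len(area):]
    return number


def ami_action(action: str, **fields) -> bytes:
    """Encode one AMI action: 'Key: value' lines separated by CRLF and
    terminated by an empty line."""
    lines = ["Action: " + action] + [f"{k}: {v}" for k, v in fields.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def originate_action(number: str, action_id: str = "kontact-1") -> bytes:
    """Ring our own phone (Channel); when it is answered Asterisk dials
    `number` in `context` at priority 1, so the far end only rings after
    we picked up. Async makes Asterisk answer immediately."""
    return ami_action("Originate", Channel=yourNumber, Exten=number, Context=context,
                      Priority=1, CallerID=callerid, Async="true", ActionID=action_id)


def dial(raw_number: str, host: str = asteriskHost, port: int = asteriskPort) -> str:
    """Send Login, Originate and Logoff over TCP and return the replies as text."""
    number = normalize_number(raw_number)
    with socket.create_connection((host, port), timeout=10) as s:
        chunks = [s.recv(1024)]  # banner: "Asterisk Call Manager/x.y"
        s.sendall(ami_action("Login", Username=user, Secret=password))
        s.sendall(originate_action(number))
        s.sendall(ami_action("Logoff"))
        s.settimeout(5)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(dial(sys.argv[1]))
```

Kontact passes the number as %N, so the script's only argument is whatever is in the address book; everything the PBX sees is the cleaned-up version returned by normalize_number.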

Download it here: dialAsterisk.py

Active attacks on home routers underway

Only last week I posted about the UPnP attack vector on home routers and now Symantec is reporting active attacks on Mexican internet users. The purpose of this attack is to manipulate the DNS settings of the router so the user is directed to a phishing site for a popular Mexican bank. As there is no change on the computer itself, security software will have a hard time detecting such attacks. Sure, the SSL certificate the fake site provides is most likely faked, but most users just click OK anyway. But my guess would be that the phishing site is just plain HTTP anyway.

But this is not the only attack vector, even if a password is set for the router (not counting the default password). If a router allows the user to authenticate via a cookie, then an attacker only needs to provide a URL which includes the commands for the router. Sure, the attacker needs to know which router the user has, but that’s not as complicated as you might think. For example in Austria an attack would best be done against the Alcatel SpeedTouch router (configured in multi user mode), which has been used by Telekom Austria since the start of DSL in Austria. And to make it worse, there is no password defined by default, so no cookie attack is needed at all.
It is therefore important to change the default password and to make sure the router requires a password each time you start your browser. It is also a good idea to restart your browser after you have authenticated yourself to the router and before you surf the internet.

You ask yourself how the attacker knows the IP address of the router? That’s easy, the following possibilities exist:

  • just try 192.168.0.1 (or whatever the default setting is for the router which should be attacked)
  • get the IP address of the computer and replace its last number with a one (JavaScript?)
  • use an applet (Flash, Java, ....) to get the default gateway or DNS server IP address, and you have your router

The first one is the easiest, but also the easiest to defeat. Just change the network to a new class C network out of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8, e.g. 10.133.122.0/24. So let’s change the following mantra a little bit. Recommended steps for setting up your home router:

  • Unbox
  • Throw the disk away
  • Plug in your machine, Turn on the router and navigate to the Web-GUI
  • Turn off UPNP
  • Change the subnet of your router
  • Change default name and password, set WPA-PSK
  • Check that remote management is disabled
  • ….

I’ve changed the subnets of my routers for years, just because the 192.168.0.0/24 stuff didn’t look cool, so be cool and change yours too.

First public version of autoSyncPodder online

January 20, 2008


I’ve just published the first version of autoSyncPodder, which is software to automatically download podcasts and sync them with your mp3/ogg player, everything without user interaction. The project is licensed under the GPL (v2 or later)!

I have the software running on my media center server, which runs 24/7. The download part of autoSyncPodder is called by cron once a day (at night). I own an mp3/ogg player (Trekstor Vibez) which works by just copying the files onto it, no rehashing needed. Syncing starts as soon as I plug the player into a USB port. If a file gets deleted on the player, the file will get deleted on the computer at the next sync too. After a successful synchronization the software will generate a beep if the user it is running under has the permissions for it.

Take a look at the autoSyncPodder Page.

ICQ / AOL is testing encryption – by adopting XMPP [Update]

January 18, 2008

Florian Jensen breaks the news about AOL adopting the Jabber protocol XMPP, at least on a test server. This is a good move for the interoperability of instant messaging services, but also a good one for security and for me.

ICQ traffic goes unencrypted over the network, and I know of special programs which sniff the traffic for pop3, smtp, icq, .... communications and log the login data into a log file (good on routers 😉 ). So you don’t need someone who understands the Oscar protocol, any script kiddie can use these tools. This is the reason I don’t use ICQ except on networks I trust. You’ll ask yourself why I use ICQ (with Kopete as client) at all? Too many friends whom I have known for a long time (since ICQ was the only instant messaging system, you know, the time before it was bought by AOL 😉 ) are still using ICQ. I also have a Jabber account and some of my friends have switched to Jabber or are using both as I do, but most have used ICQ as their only IM system for > 10 years.

As XMPP is a “good” internet protocol, the usage of TLS / SSL encryption is common throughout clients and servers. If AOL is really switching to XMPP it would really increase the security, so let’s hope that this is the first step. Even if they keep their protocol and only allow XMPP servers to send messages to their clients, it would help me. I would just stop using my ICQ ID and switch completely to my Jabber ID, which could then communicate with my ICQ buddies.

Update: As Edwin Aoki from AOL pointed out in his comment, you’re safe if you’re using the original AOL clients. Sorry for not making that clear. The problem is only that I don’t know anyone who is using the original clients; even the friends who are using Windows are running alternative clients.
