Category Archives: Security

Posts relating to security, both computer and physical

Carry your PIN number in your wallet

I have a confession to make.  I have been carrying the PINs for my credit cards in my wallet for the last five years!

In my wallet I have a slip of paper right next to each of my cards that looks like this…

A B C D E F G H I
6 9 2 1 6 2 4 0 1
J K L M N O P Q R
8 7 9 1 7 2 3 2 4
S T U V W X Y Z
7 7 2 8 1 7 2 0

… I can remember a four-letter word more easily than four random digits, and I have challenged many people to guess my PIN from it.  e.g. if the four-letter word was MOVE then the PIN would be 1286, and if it was CHIP then the PIN would be 2013.

In cryptographic terms this is a lossy, one-way mapping rather than encryption: several letters share each digit, so you cannot get back from the four digits to the word, only to the set of words that produce them.  That property would make it a terrible way to protect data on the internet, but for something as small as four digits it works quite well.  Four digits only give (10^4 =) 10000 combinations at the best of times, although there are things that can be done to try and narrow that down.

If we take a standard dictionary file (/usr/dict/words) there are 1778 four-letter words that could be used. Based on the example matrix above that equates to 907 different PINs. While that is still too many to guess at random, we are a long way down from the original 10000 possibilities, and because many words collide on the same digits the distribution is not flat: a thief with the usual three attempts before the card locks should try the PINs with the most words behind them first. I’ll let you decide if that is an acceptable risk.

It’s worth noting that while most people would probably use a four-letter dictionary word, there’s nothing stopping you using things like “A DOG” or “I RUN”, or even a passphrase: “Am I Nicely Secure?” = AINS.
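The table above as a working script, added here as an example (it is not from the original post). It turns the letter grid into a tr(1) translation set, maps words and passphrase initials to PINs, and counts how many distinct PINs a word list yields, which is how the 907 figure can be reproduced against your own dictionary. The word list in the script is constructed for the demo; MOVE, DOVE and WOVE are chosen because they collide on 1286.

```shell
#!/bin/sh
# Added example, not from the original post: the letter-to-digit grid above
# written out A..Z as one string so tr(1) can use it as a translation set.
PIN_TABLE='69216240187917232477281720'

# Keep letters only, upper-case them, then translate each letter to its digit.
letters_to_pin() {
    printf '%s' "$1" | tr -cd 'A-Za-z' | tr 'a-z' 'A-Z' | tr 'A-Z' "$PIN_TABLE"
}

# Passphrase variant: the initial of each word ("Am I Nicely Secure?" -> AINS).
phrase_to_pin() {
    initials=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) printf "%s", substr($i, 1, 1) }')
    letters_to_pin "$initials"
}

# How many distinct PINs does a word list give?  Reads words on stdin, keeps the
# four-letter ones, maps each one and counts the unique results.  Feed it
# /usr/share/dict/words (or /usr/dict/words) to get the figure for your table.
count_distinct_pins() {
    grep -E '^[A-Za-z]{4}$' | tr 'a-z' 'A-Z' | tr 'A-Z' "$PIN_TABLE" | sort -u | wc -l | tr -d ' '
}

# Constructed word list for the demo: MOVE, DOVE and WOVE all collide on 1286,
# CHIP/chip give 2013, SHIP gives 7013 and ABCDE is dropped for being too long.
sample_words() {
    printf '%s\n' MOVE DOVE WOVE CHIP chip SHIP ABCDE
}

letters_to_pin MOVE; echo                  # 1286
letters_to_pin 'A DOG'; echo               # 6124
phrase_to_pin 'Am I Nicely Secure?'; echo  # 6177
sample_words | count_distinct_pins         # 3 distinct PINs from 6 words
```

Running `count_distinct_pins < /usr/share/dict/words` gives the collision count for your own grid; the words that pile up on one PIN are exactly the ones a thief should try first.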

What are your views? Foolish or clever? Are there any other wallet tricks that people know?

Can you really delete a tweet?

The lovely James Firth has just announced that he will “delete all my old tweets, and only keep the last month or so”.  I think he is being foolish as I don’t believe it’s possible to delete things off the interwebs.  As such I decided to find out which of us was right!

The Test

  1. Post a tweet (Done 20th Sept 2010).
  2. Wait for it to be picked up by search engines and search tools.
  3. Delete the tweet (Done 25th Oct 2010).
  4. Wait to see how long it takes for the tweet to be deleted from these sites.

The Tweet

This is the tweet I will be deleting…

http://twitter.com/dogsbodyorg/status/25050638391

I’m embedding it with the Blackbird Pie WordPress plugin.  It will be interesting to see if it goes from here too!

The Results

The results so far are below and will be updated as the test goes on.  Add me on Twitter or subscribe to my RSS to find out! 😉

  • Google – Deleted but took over 2 months.
  • Google Realtime – Deleted in less than 24 hours.
  • Bing – The tweet never appeared in their search.  Can’t test.
  • Yahoo! – Deleted but took over 2 months.
  • TweetMeme – The tweet never appeared in their search.  Can’t test.
  • Twitpic – Not much you can do if someone takes a picture of the tweet.
  • Retweet – There is nothing you can do if someone has already retweeted you.
  • Embedded with Blackbird Pie – Not deleted from this site.
  • topsy.com – Still appearing in the Topsy index as of 28 Feb 2011.
  • flavors.me – Still appearing in embedded sites as of 28 Feb 2011.

If you have written something newsworthy that someone else has blogged about or discussed then no, that content can obviously be copied and quoted without issue.  And while tweets about your breakfast may be deleted by large sites such as Google and Yahoo, there are plenty more that do not honour Twitter’s deletion protocols.

In short, I wouldn’t bother deleting things off the Internet.  All you are doing is making work for yourself.

Any other sites? Suggest them in the comments.

The Firehose

This is not a new test.  Until recently deleted tweets weren’t removed from Twitter’s official search, resulting in services such as Tweleted.  With more and more sites drinking from the Twitter firehose (Twitter’s name for having a live feed of public status updates) it will become harder and harder to stop tweets from being archived, which is why I think it’s important to test this every once in a while.

Interestingly Twitter have blurred the line of firehose access with the launch of their new streaming service as a lot of companies that want to drink from the firehose only actually want a subset of the data.  e.g. TweetMeme only needs to index tweets with a URL in them. The Streaming API help has this to say about deleted tweets…

Streams may also contain status deletion notices. Clients are urged to honor deletion requests and discard deleted statuses immediately. At times, status deletion messages may arrive before the status. Even in this case, the late arriving status should be deleted from your backing store.

… urge != must.  It’s not in their T&Cs either that I can see.
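What honouring a deletion notice actually means for a consumer, as an added example (not Twitter’s code and not from the original post). The awkward case is the one the API notes call out: the deletion notice can arrive before the status it refers to, so a consumer that only deletes what it has already stored will keep the late-arriving copy forever. The fix is to keep a tombstone for every deleted id and check it on every insert. The event format here is constructed for the demo (one event per line) rather than Twitter’s JSON.

```shell
#!/bin/sh
# Added example, not Twitter's code.  Constructed line-oriented event format,
# one event per line (the real stream is JSON):
#   status <id> <text...>   a public status
#   delete <id>             a deletion notice for that status id
# Deletion notices are honoured immediately AND remembered as tombstones, so a
# status that turns up after its own deletion notice is dropped, not stored.
process_stream() {
    awk '
        $1 == "delete" {
            tomb[$2] = 1            # remember the id even if the status never arrived
            delete store[$2]        # and purge it if it did
            next
        }
        $1 == "status" {
            if ($2 in tomb) next    # late arrival of an already-deleted status
            text = $0
            sub(/^status [^ ]+ /, "", text)
            store[$2] = text
            next
        }
        END {
            for (id in store) print id "\t" store[id]
        }
    ' | sort
}

# Constructed stream: status 2 is deleted before it arrives, status 1 after.
sample_stream() {
    printf '%s\n' \
        'status 1 first tweet' \
        'delete 2' \
        'status 2 this one was deleted before it got here' \
        'status 3 still here' \
        'delete 1'
}

sample_stream | process_stream      # only status 3 survives
```

A consumer that skips the tombstone step passes the ordinary case (delete after status) and silently fails the out-of-order one, which is exactly how a deleted tweet ends up living on in a third-party index.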

I believe there are at least tens of full firehose users and hundreds of streaming users if not hundreds and thousands respectively.  Either way, the number is only going up!

Oh and we aren’t just talking websites and services here. The US Library of Congress has access to every public tweet ever written 😉

P.S.

  • I started creating a list of Twitter Firehose users as I don’t believe any such list exists.  Feel free to update and add to it, it’s public 🙂
  • I have been told to “play nice”, this is not a personal attack on James at all who is a top bloke, this is just an open debate and test.

Securing Majordomo

Did you know that by default majordomo will give a list of all the addresses on your mailing list to anyone who asks for it with the ‘who’ command?

I have written a script that will tidy up majordomo config files as follows…

  • Only shows lists you are subscribed to with the ‘lists’ command
  • Does not allow anyone to use the ‘who’ command to get addresses
  • Doesn’t allow anyone to use the ‘which’ command to get addresses

This can either be run once or added to /etc/cron.daily so that any new lists created are forced to the correct settings.

Simply download the file, change the directory path at the top of the file if required and execute. Download Here.
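The post’s own script is only available as a download, so here is an added example that does the same three things to each list config; it is not the author’s script. It assumes the Majordomo 1.94 config keywords `who_access`, `which_access` and `noadvertise`, and a lists directory of /usr/local/majordomo/lists, which you should change to match your install. The `noadvertise` block hides the list from any requester the regexp matches; my reading of the Majordomo config documentation is that subscribers still see lists they are on, which is what the first bullet above describes, so check that on your version before relying on it.

```shell
#!/bin/sh
# Added example, not the original post's script.  Forces the three settings
# described above onto every list config.  Path is an assumption; adjust it.
MAJORDOMO_LISTS=${MAJORDOMO_LISTS:-/usr/local/majordomo/lists}

# Set one "key = value" line, replacing an existing key or appending it if absent.
# The file is rewritten in place with cat so its owner and mode are preserved
# (Majordomo expects its config files to stay owned by the majordomo user).
set_key() {
    cfg=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    if grep -q "^${key}[[:space:]]*=" "$cfg"; then
        sed "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp" && printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

harden_config() {
    cfg=$1
    set_key "$cfg" who_access closed     # nobody can dump the subscriber list
    set_key "$cfg" which_access closed   # nobody can look up which lists an address is on
    # A noadvertise regexp matching every address hides the list from 'lists'
    # for everyone it matches; assumption: subscribers still see their own lists.
    if ! grep -q '^noadvertise' "$cfg"; then
        printf 'noadvertise << END\n/.*/\nEND\n' >> "$cfg"
    fi
}

# Run over every list; safe to repeat, so it can live in /etc/cron.daily.
harden_all() {
    for cfg in "$MAJORDOMO_LISTS"/*.config; do
        [ -f "$cfg" ] && harden_config "$cfg"
    done
}
```

Call `harden_all` from a cron.daily script so that any list created through the web interface is brought back to these settings within a day; each function is idempotent, so running it twice changes nothing the second time.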

Black boxes in cars

I would love to know the percentage of cars in the UK that have these things!?  The scary thing to me isn’t that cars have them but that people are driving around in cars and don’t know they have them.  I may be wrong but I would imagine that it would help prevent accidents if you knew that your car could prove your driving… saying that, I can see that that may not be a selling point!

Investigators found a palm-sized tattle-tale under Michael J. Wilson’s hood in an effort to show a jury that the Arnold man should go to jail for the crash that killed his pregnant wife and another driver.

The device is called an event data recorder, or EDR. Some call it a “black box” because its function is similar to that of an aircraft’s flight data recorder. An estimated 64 percent of all model year 2005 vehicles driven in North America have one, according to the National Highway Traffic Safety Administration.

Full Story

Bluetooth security and advertising

I was watching BBC’s Click programme today, which had a piece on how technology is being used in advertising to make billboards stand out [1]. The bit that got my interest was using Bluetooth to connect to passing mobiles; this interview sums it up well. If the Bluetooth device address of a mobile phone can be picked up by a poster as you walk past, and all these posters are networked together, then how long before the information is sold to tracking agencies?

We already have mobile phone tracking sites that let you find out where in the country a phone is logged on (to quite a good resolution, too). While most of these sites require some form of authentication with the phone for public use, the information is obviously there for phone company employees and the people behind these sites; who knows who has access to it.

The other security concern is the vulnerabilities of the phones themselves. Apparently, for Coldplay’s latest album, posters in London were offering to upload a free MP3 track from the album to Bluetooth phones passing by. Nearly all first-generation phones that support Bluetooth are hackable, with new vulnerabilities being discovered all the time, and Bluetooth can already be used to control a vulnerable phone, for example to make it call a premium-rate number without the owner knowing. If I were to use Internet Explorer as a browser I could pick up spyware just by visiting a web page; now people will be infecting their phones by playing malicious MP3s that they have downloaded for free from rogue posters. Neither of these techniques is new, but in this ever more mobile age the transport methods are changing, and the speed at which these changes are implemented is getting faster.

Checking for Rootkits

In the same vein as my last post, here is a page on installing chkrootkit and Rootkit Hunter on CentOS / BlueQuartz.

A rootkit is software an intruder installs after breaking in to keep privileged access and hide their presence, typically by replacing system binaries such as ps, ls and netstat or patching the kernel so that the normal tools no longer show the intruder’s files, processes and connections. It is commonly dropped by hackers/crackers/script kiddies on a system they have already compromised, so a clean result from a rootkit checker is evidence about what happened after a break-in, not a substitute for patching. There are many rootkit checkers; we are going to install two of the most common, which are both free and open source.  Some people prefer one over the other. I say, why not use both!

chkrootkit

The website is http://www.chkrootkit.org/ and the following is based on v0.47

# Pick a location
cd /usr/local
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
rm chkrootkit.tar.gz
# Fix the permissions
chown -R root:root chkrootkit-0.47
cd chkrootkit-0.47
make sense
# A quick tidy up
mkdir docs src
mv *.c Makefile src
mv READM* chkrootkit.lsm ACKNOWLEDGMENTS COPYRIGHT docs
./chkrootkit -q > good.output 2>&1
# CHECK THE good.output FILE IS OK AND HAS A KNOWN GOOD OUTPUT
touch current.output
touch /etc/cron.daily/chkrootkit
chmod 755 /etc/cron.daily/chkrootkit
vi /etc/cron.daily/chkrootkit
# Place the following text in the file...

#!/bin/sh
SERVER=`hostname`
cd /usr/local/chkrootkit-0.47 || exit 1
rm -f current.output
./chkrootkit -q > current.output 2>&1
DIFF=`/usr/bin/diff current.output good.output`
ERRO=`/bin/cat current.output`
# Only mail when the output has changed from the known-good baseline.
if [ "$DIFF" != "" ]
then
/usr/lib/sendmail -t << EOF
To: root
Subject: ${SERVER}: Chkrootkit Output

====> A diff between current and good output is:
$DIFF
====> The current output is:
$ERRO
EOF
fi

Rootkit Hunter

The website is http://www.rootkit.nl/projects/rootkit_hunter.html (the project has since moved to http://rkhunter.sourceforge.net/) and the following is based on v1.2.8

# Use a working directory where you can execute code
cd /home/.tmp
wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
tar zxvf rkhunter-1.2.8.tar.gz
cd rkhunter
./installer.sh
cd ..
rm -r rkhunter rkhunter-1.2.8.tar.gz
# Rootkit Hunter does however complain about the user root-admin.
# As far as I can tell there is no need for this user on BQ so I remove it.
userdel root-admin
touch /etc/cron.daily/rkhunter
chmod 755 /etc/cron.daily/rkhunter
vi /etc/cron.daily/rkhunter
# Place the following text in the file...

#!/bin/sh
SERVER=`hostname`
OUTPUT=`/usr/local/bin/rkhunter --versioncheck`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --update`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi
OUTPUT=`/usr/local/bin/rkhunter --cronjob --report-warnings-only`
EXITCODE=$?
if [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Rootkit Hunter Output" root
fi

I hope this is of help to people.

Things to do to a blank BlueQuartz install

After just rebuilding a BlueQuartz box I thought I would copy my install notes. This is an entirely personal list of things that I do to a vanilla install of CentOS/BlueQuartz.  I thought it may be useful to other people.

Contents

  • Change root passwords
  • Secure SSH
  • Apache Obscurity
  • Install ImageMagick
  • PHP upload settings
  • Add Mime Types
  • yum checker
  • Setup floppy drive
  • Majordomo logfile

Change root password

BQ initially has no password set on the MySQL root account, and the system root password is set the same as the admin user’s. Both should be changed, to something different from each other!

  • Change the MySQL root password with `/usr/bin/mysqladmin --user=root password NEW_PASSWORD` (note that the new password ends up in your shell history, so clear that afterwards)
  • Change the system root password with `passwd`

Secure SSH

SSH is obviously better than telnet, but did you know that SSH protocol version 1 has had known cryptographic weaknesses for quite some time (its CRC-32 integrity check, for one, is exploitable)? I lock all my boxes down to only use protocol 2 and haven’t had any come back on compatibility issues.

  • Modify `/etc/ssh/sshd_config` to set `Protocol 2`
  • Run `/etc/rc.d/init.d/sshd reload`

Apache Obscurity

Yes, this is security through obscurity, but everything helps. The following will remove the “signature” at the bottom of pages generated by Apache and will also report the web server as just “Apache” instead of the full version number and OS. It fixes nothing, but it stops version scanners picking you out of a crowd for free.

  • Modify (and add if necessary) the following lines in `/etc/httpd/conf/httpd.conf` & `/etc/admserv/conf/httpd.conf`
ServerSignature Off
ServerTokens Prod
  • Run `/etc/rc.d/init.d/httpd reload`
  • Run `/etc/rc.d/init.d/admserv reload`

Install ImageMagick

A must for most hosting nowadays.  Simply run `yum install ImageMagick ImageMagick-perl` as root.

PHP upload settings

In this new broadband age people are uploading pictures and such to their sites, so I change the PHP upload defaults.  Change these lines in /etc/php.ini (or your own php.ini) and run `/etc/rc.d/init.d/httpd reload`.  Keep post_max_size larger than upload_max_filesize, as below, or the whole POST is rejected before PHP ever sees the file.

post_max_size = 20M
upload_max_filesize = 10M

Add Mime Types

There seem to be some common mime types missing from the default install.  Add the following to `/etc/mime.types` and run `/etc/rc.d/init.d/httpd reload`

application/x-ms-wmz wmz
application/x-ms-wmd wmd
audio/x-ms-wax wax
audio/x-ms-wma wma
image/x-icon ico
text/csv csv
video/x-ms-asf asf asx
video/x-ms-wm wm
video/x-ms-wmv wmv
video/x-ms-wmx wmx
video/x-ms-wvx wvx

yum checker

Now I love the Nuonce/Solarspeed automatic yum installer however I like to install patches on systems when I am there, that way if there are any problems I can fix them straight away.  I have this little script that mails me when there are packages to install.

  • touch /etc/cron.daily/yum-check
  • chmod 755 /etc/cron.daily/yum-check
  • vi /etc/cron.daily/yum-check
#!/bin/sh
SERVER=`hostname`
OUTPUT=`/usr/bin/yum check-update 2>&1`
EXITCODE=$?
# yum check-update exits 0 when nothing is pending, 100 when updates are
# available and 1 on error, so say which it was in the subject line.
if [ ${EXITCODE} = 100 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Yum Updater - updates available" root
elif [ ${EXITCODE} != 0 ]
then
echo "${OUTPUT}" | /bin/mail -s "${SERVER}: Yum Updater - check failed (exit ${EXITCODE})" root
fi

Setup floppy drive

If your system has a floppy disc drive you won’t be able to use it until you run `floppy --createrc > /etc/floppy`

Majordomo logfile

I know it’s silly but I like all my log files to be in one place….

  • cd /var/log/mail
  • ln -s /usr/local/majordomo/log majordomo

I hope this is of use to people

The Conscience of a Hacker

This was taken from Phrack Volume One, Issue 7, Phile 3 of 10. It is a poem by a hacker who was arrested back in 1986; funny how it still seems appropriate so many years on. Incidentally, bits of this file made it into the movie “Hackers” (I sense Emmanuel Goldstein’s influence there!!) I know it’s kinda sad but in some ways I like this, if nothing else because it’s a nice bit of poetry. Anyway, here it is in its original format:

The Conscience of a Hacker

by

+++The Mentor+++

Written on January 8, 1986


Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

Damn kids. They’re all alike.

But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world…

Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

Damn underachiever. They’re all alike.

I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

Damn kid. Probably copied it. They’re all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…

Or feels threatened by me…

Or thinks I’m a smart ass…

Or doesn’t like teaching and shouldn’t be here…

Damn kid. All he does is play games. They’re all alike.

And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found.

“This is it… this is where I belong…”

I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

Damn kid. Tying up the phone line again. They’re all alike…

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

+++The Mentor+++