Pulling My Digital Pants Back Up

A recent Ars Technica article on ASUSGATE pointed to this blog and named me as a blogger who was caught with his digital pants down. I wanted to capture some of my incident response procedures now that some time has passed and my stress levels are back to normal. As noted in the article the first thing I did was shut down all non-necessary services such as FTP and Samba. Luckily for me I never liked the idea of AiCloud so that service was already off. Next I ran a port scan on my external IP address from a server outside of my home network to make sure that no ports were left open. My goal was to ensure that literally 0 ports were open to the outside world and my router didn’t respond to uninitiated packet sessions. I ran an nmap scan that checked ports 1-65534 and found a port in the very high ephemeral range (something like 32000) and dug back through the ASUS interfaces until I found the culprit. Apparently I had forgotten to turn off the VPN pass through option from my time working at Akamai. I ran the scan again focusing only on the port that was found in the previous scan and it was off.
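The "literally 0 ports open" check above can be automated by scanning from outside with nmap’s grepable output and parsing it. This is an added example in Ruby, not code from the original post; the scan output below is a constructed sample (documentation address 203.0.113.5) standing in for a real `nmap -Pn -p 1-65535 -oG -` run.

```ruby
# Parse nmap grepable (-oG) output and return [port, protocol, service] for
# every port reported as open. Each "Host:" line carries tab-separated fields;
# the "Ports:" field lists entries as port/state/protocol/owner/service/rpcinfo/version/.
def open_ports(grepable_output)
  grepable_output.each_line.flat_map do |line|
    next [] unless line.start_with?('Host:') && line.include?("\tPorts:")
    ports_field = line.chomp.split("\t").find { |f| f.start_with?('Ports:') }
    ports_field.delete_prefix('Ports:').split(',').map do |entry|
      port, state, proto, _owner, service = entry.strip.split('/')
      [port.to_i, proto, service] if state == 'open'
    end.compact
  end
end

# True when the external scan found nothing open, which was the goal of the post.
def quiet?(grepable_output)
  open_ports(grepable_output).empty?
end

# Constructed sample: what the first scan looked like, with the forgotten
# VPN pass-through port answering and everything else filtered or closed.
BEFORE = <<~NMAP
  # Nmap scan initiated (constructed sample) as: nmap -Pn -p 1-65535 -oG - 203.0.113.5
  Host: 203.0.113.5 ()\tStatus: Up
  Host: 203.0.113.5 ()\tPorts: 21/closed/tcp//ftp///, 32000/open/tcp//unknown///\tIgnored State: filtered (65533)
  # Nmap done (constructed sample)
NMAP

# Constructed sample: the follow-up scan of just that port after it was disabled.
AFTER = <<~NMAP
  # Nmap scan initiated (constructed sample) as: nmap -Pn -p 32000 -oG - 203.0.113.5
  Host: 203.0.113.5 ()\tStatus: Up
  Host: 203.0.113.5 ()\tPorts: 32000/filtered/tcp//unknown///
  # Nmap done (constructed sample)
NMAP

if __FILE__ == $PROGRAM_NAME
  puts "before: open ports #{open_ports(BEFORE).inspect}"
  puts "after:  quiet? #{quiet?(AFTER)}"
end
```

Feed real output in with `nmap -Pn -p 1-65535 -oG - <your external IP> | ruby -r./this_file -e 'exit(quiet?(STDIN.read) ? 0 : 1)'` from a host outside your network; a non-zero exit means something is still listening.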

I’m still concerned that I have a known IP address though. At the very least anyone who doesn’t like me could send a DDoS (or just a DoS with a strong enough connection) and make sure I don’t see the internet for a while. From the research I’ve done cable companies like Comcast dole out IP addresses using DHCP but the leases can be for years. The only time they change them is when the MAC address changes so my next step is to disconnect my ASUS and connect a laptop running a liveCD directly to the cable modem in hopes of getting a new IP address.

When ASUS contacted me they sent notes on the best practices they were announcing to existing customers and details of a beta patch that was rolling out. What I didn’t see was that the FTP service would explicitly not be open on the WAN interface and require authorization from the user to open up their files to the internet. Those victims that put a username/password on their FTP should not use default credentials like “admin/admin” since they are well known and, as stated above, the IP address of the router probably hasn’t changed.

Lastly I want to nitpick on the editor’s choice of describing my folly as being “caught with my pants down”. I think this was a great way to spice up the story but the analogy doesn’t work that well. I didn’t expose anything that I would be ashamed of. The image of my pants being down is that my genitals are exposed, and that’s something I don’t show in public, so a more apt analogy would be that my digital fly was down. Anyone in the world could get a peek into my digital pants, and it’s certainly embarrassing, but since I don’t walk around “commando style”[1] I was covered underneath that undone zipper.

[1] Military commandos who operate in the jungle often do not wear underwear because of the health issues associated with increased moisture and lack of air flow. http://en.wikipedia.org/wiki/Going_comma…

So This Is What Getting Pwned Is Like

EDIT: NullFluid points out that they aren’t the group that performed the intrusive scan but are only hosting the text file. [0]

There was a definite sense of dread when I started reading the txt file [1] disclosing a massive flaw in Asus routers. I’ve had an RT model ASUS for nearly two years now and recently hooked up a giant USB hard drive to it so I could stream movies from my Blu-ray player. But I thought there was no way I was affected since I went through the settings for the FTP service and disabled all outside access. I did leave the FTP security set to anonymous because I thought anyone not logged into my WPA2 protected wifi couldn’t even see the service.

Out of curiosity I entered ‘ftp://[my external ip address]’ into my browser and sat wide eyed when I saw the contents of my media server show up. I reasoned it must be because I’m already inside the network (which doesn’t even make sense really) but panic was starting to set in. So I pulled out my phone and turned off the wifi connection and tried it there. Now I was worried.

I started downloading the torrent of directory listings and quickly turned the FTP service off. I checked the pastebin with all the IP addresses that had the dir listing bug [2] and there was my IP address. Worry was now turning to fear. After the torrent finished I looked for my IP address and found that it was under ‘partial listings’.

There’s no point in my denying that I got pwned because in the file listings are things like ‘OLIVER_DAY_GMAIL_COM_201401052241083414.pdf’ which is a copy of a boarding pass I downloaded. I’d started pushing stuff from my Downloads folder onto the media drive for convenience sake. I’m not worried about what’s on that drive however I’m terrified by the idea that someone replaced a file with some malware and then I opened it assuming I was safe.

I’m also going through memories of flaky wifi in the last month plus some weird issues with the drive itself and wondering if it was due to others accessing my drive at the same time I was. It’s a really sickening feeling although I got off pretty lucky. In my life I’ve had friends who were pwned by rival hackers and had entire mail spools dumped, financial information leaked, etc. All I lost was a directory listing and some face.

Going through the file listings of other IP addresses I see insanely personal items like whole backups of laptops, family photos, porn collections, and tax documents. Anyone that has the list of IP addresses can potentially download any of those files. I wrote some python to walk through the list of IP addresses and check to see if logging in anonymously is still possible. I’m not bothering to look at anything just see if ftp.login() works and recording the statistics. The numbers are not reassuring. The code is also on pastebin for those who want to run it and help report the numbers. [3]

While I’m not entirely opposed to the idea of full disclosure I’m not sure I agree with Brothers Grim, et al’s dump of vulnerable IP addresses. Even though this act caused me to discover the vulnerability in my own hardware I’m not okay with the idea that they took a snapshot of my FTP directory and made that part of the torrent. What was the point in that? It would have been just as effective to list the IP address and I would have reacted and benefited the same. All they’ve done is made certain people way bigger targets because the listing shows movies, or music, or porn, or very very personal files. If Brothers Grim, et al are going to poke into everyone’s drives anyway why not leave a note in the root of the FTP directory warning the user of the vulnerability? That’s the biggest problem I have with their approach: they told the world but they didn’t tell the victims. Fine, I’ve patched my Asus router and now question whether I should keep it at all. I agree it was a very poor decision on Asus’s part to make those default settings the way they were and I doubt I’ll turn the FTP service back on anytime soon. But including full directory listings of all these victims is on you, Brothers Grim, et al. It was a mistake on your part and you should apologize to us all.

[0] The text file lists the following as the crew that performed the scan: The Brothers Grim, Chuck Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor, Duke Igthorn
[1] http://nullfluid.com/asusgate.txt
[2] http://pastebin.com/ASfYTWgw
[3] http://pastebin.com/fpB7U1gb http://pastebin.com/HWLASXaY http://pastebin.com/zunt8jeu

Wireless Mic Research

During Source Boston I became fascinated by the idea of using SDR to listen in on wireless mics. It occurred to me that corporate meetings in hotels with lots of sensitive information are probably vulnerable to that type of eavesdropping. I looked into encrypted wireless mics but they are very expensive and I can’t imagine a lot of people outside of the Fortune 10, military, and some parts of the government can afford them.
My first find was a page of wireless mics that were in the 700 MHz range and now banned by the FCC for intruding upon emergency communications. [1] @0xabad1dea pointed out rather quickly this wasn’t the list I thought it was. But I had also scraped together another list from product pages I’d browsed the previous evening.

G1 Band 470-530 MHz
H4 Band 518-578 MHz
J5 Band 578-638 MHz
L3 Band 638-698 MHz

Once I get a better grasp of GnuRadio I can probably cobble together a wireless mic scanner for the next conference I visit. Or maybe just hang around hotel lobbies and look for stray conversations.

[1] http://www.fcc.gov/encyclopedia/wireless…

Repercussions of bad German laws on security research

This month I’m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007 I got an explanation from security researcher Stefan Esser explaining why he no longer feels comfortable publishing results to the Internet.

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

since Friday 10th, August 2007 a new and very troubling law is enforced in Germany.

It is no longer legal to create and/or distribute so called hacking tools in Germany. This includes port scanners like nmap, security scanners like nessus or simple proof of concept exploits like the MOPB exploits. They are now illegal because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespresident would stop this insane law with a last minute veto, but now it is official and our government has rendered Germany more or less defenseless against the threats from outside Germany.

Unfortunately our government has been deaf to the warnings from lots of experts that tried to explain how important these so called hacking tools are not only for the current generation of security consultants to do their daily job, but also how important they are for the education of the next generation of researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Yours,
Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated, not destroyed. Yet the German law is likely driving people away from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow up on this but so far the results look grim.

Project EquillibRIAA

For the last few years I’ve talked quietly of a project to connect artists with the victims of lawsuits in the name of their bands. After the verdict handed down by the latest case of Sony vs. Tenenbaum I think it is time to put this plan to action. I’ve emailed Joel and received a list of the bands he was sued for and what I’d like to do is draw national attention to the public interfaces these bands have set up for themselves.

I’ve created a public document which contains a list of the bands and any Twitter, Myspace, Facebook, or other public forums the bands have set up for themselves. I could use help tracking down some of the missing links in this list. In some cases the bands no longer exist but members of the original band still live on in other bands or on their own.

To be clear the purpose of this project is not to harass these musicians. It is to remove the wedge of the RIAA from artists and their fans and ask them to communicate. The one question I’d like to see the artists answer is “Do you support the actions the RIAA has taken on behalf of your band in destroying the life of Joel Tenenbaum?”

Joel is being fined $22,500 for each of the 30 songs that he downloaded from KaZaa. His total fine is $675,000 for an activity that a majority of the Internet users in this country have and still participate in. This isn’t to say that we should advocate copyright infringement but that we shouldn’t agree with the penalties associated with infringement.

This project is still being assembled and I would appreciate any feedback and help the FC community can muster. I’d like to coordinate a massive feedback storm requesting comment via Twitter, Myspace, etc so these artists can’t escape without saying something. Anything. What we need is dialog from musicians about what is happening to their fans.

The working spreadsheet of bands and their online identities is here:
 http://spreadsheets.google.com/ccc?key=0…

If you would like access to edit the spreadsheet please email me (oliver.day@gmail) and I will add you to the access list.

Friendless at Facebook

I finally met someone whose privacy settings were as high as mine. If Facebook has a privacy setting I have it pushed to the highest possible value. The end result is that I’m practically a ghost on the popular social media website. You won’t find me using search functionality and I have absolutely no public footprint. Last night I decided to friend some of the researchers working with myself and Prof Bambauer on an academic paper about shielding security researchers due out this fall.
The two of us appeared to be unable to “friend” each other because of our high privacy settings. I wasn’t really sure how to proceed. We tried messaging each other a few more times in an effort to prove to Facebook our intentions but to no avail. One of us would have to sacrifice a bit of our privacy in order to allow for this seemingly obvious functionality.

Since I initiated I went ahead and dropped my guard a bit and allowed anyone from the Harvard network to see me (thankfully she is an alum!) Of course now that we are friends the curtains have been drawn again around my profile but this is definitely one of the more interesting experiences I’ve had with Facebook.

While I’m glad they offer me so many privacy settings they really need to think about this particular edge case where two privacy loving individuals happen to want to friend each other.

Personal Disclosure Update

I’ve decided to step down from the Advisory Board of the SourceBoston conference. I still think that it is a fantastic project but I have been so busy with academic projects and class work that I couldn’t give them enough time.

I’m also not going to be a regular columnist at SecurityFocus after this month. This was more a decision on their part than mine however I am not going to fight it. I could use the extra time to focus on two very exciting academic papers I have lined up for this year.

Storing IP Addresses in MySQL with ruby/rails

A recent project has me thinking about the storage of IP addresses in MySQL. The natural tendency is to store them as text. My first attempt stored the address as char(16) with a normal index to help speed searches against it. After some reading about high performance MySQL techniques I was reminded that IP addresses in dotted quad form are the least efficient representation. Instead of storing a string of characters I could instead convert the dotted quad into a 32 bit integer.

The magic of converting it is pretty easy to find online; however if you are using ruby simply require the IPAddr class that ships with Ruby’s standard library (the ipaddr gem).

>> require 'ipaddr'
=> true
>> ip = IPAddr.new('255.255.255.255')
=> #<IPAddr: IPv4:255.255.255.255/255.255.255.255>
>> puts ip.to_i
4294967295
=> nil

Reversing the process isn’t quite as easy and the documentation fails to mention this possibility. A little digging online will unearth the additional address-family parameter that is needed (without it, IPAddr cannot tell a 32 bit IPv4 value from an IPv6 one):

>> ipnum = 4294967295
=> 4294967295
>> ip = IPAddr.new(ipnum, Socket::AF_INET).to_s
=> "255.255.255.255"

When I first tried to store this in MySQL I ran into another problem. In my haste I created the column ip_num as an int(11). The code I ran didn’t raise an exception and converted all the ip addresses in the database. However when I viewed the results a large number of ip addresses came back as 127.255.255.255. This ip address converts to 2147483647 as an integer, and every value above it had been silently clamped down to that maximum.

If this number looks familiar it is because it is exactly half of the value of 255.255.255.255. It is also the limit of a signed integer: “The signed range is -2147483648 to 2147483647”.

Ensure that you create an unsigned int column for ip addresses so that it can hold the max value of 4294967295 (the unsigned range is 0 to 4294967295).

Internet Mob Justice Tracks Down Cat Abuser

avenge me

EDIT: If you are visiting this post from Encyclopedia Dramatica your PC may be infected by a drive by download. I captured this pic from a vmware image infected from that site

Denizens of 4Chan’s /b/ spent the better part of yesterday coordinating a search for the identity of a teenager who was stupid enough to upload video of himself abusing a cat to Youtube. Dubbed “Operation Dustyce” anonymous agents gathered in #catraid2 on the EFNet irc network and scoured Facebook and other websites matching photos to portions of the video which showed the interior of the house.

An anonymous person then set up www.kenny-glenn.com with details about the abuser and his immediate family including physical addresses and phone numbers. Local news station KSWO is covering the story and has recently reported that Kenny Glenn was arrested then released to his parents.

A post to a Facebook group supporting the abused cat, “Dusty”, states Oklahoma laws can punish animal cruelty of this magnitude with a felony offense:

Oklahoma Statutes, Title 21, Chapter 67
Section 1685: Acts of Cruelty to Animals

Any person who shall willfully or maliciously overdrive, overload, torture, destroy or kill, or cruelly beat or injure, maim or mutilate, any animal in subjugation or captivity, … shall be guilty of a felony and shall be punished by imprisonment in the State Penitentiary not exceeding five (5) years, or by imprisonment in the county jail not exceeding one (1) year, or by a fine not exceeding Five Hundred Dollars ($500.00). Any officer finding an animal so maltreated or abused shall cause the same to be taken care of, and the charges therefor shall be a lien upon such animal, to be collected thereon as upon a pledge or a lien.

It is difficult to predict the outcome of the court in matters like this however the online community is easier to predict. The outrage of the community is inversely proportional to the punishment he receives by the State. That is to say, if he is only fined $500 and given a “slap on the wrist” the same mob that tracked him down will demand justice in other ways. Should he register an account with any service they will be there to “out” his past actions. Kenny Glenn, and all those around him, will be haunted by his cruelty for a long time by any means the community can muster. Hate mail, prank phone calls, and possibly even visits in person are not out of the question.

One thing is for sure. Dusty will be avenged.

Youtomb gets blogging

Youtomb has had a blog for quite some time but it was never linked to the front page for technical reasons. Well no more! Expect a lot more posts from the team now that we are linked to the front of our research project.