Posts Tagged security

What do I do if my account’s been hacked?

A friend of mine recently asked me via Facebook what he should do if someone he didn’t know and wasn’t friends with on Facebook was able to access private information in his and his wife’s Facebook and email (and presumably other) accounts. Since this is a fairly common concern and question, I figured I’d post my response below. Enjoy!

Most likely they have your password (which they might have gotten from a virus, trojan, back-door worm, or something else).

While anti-virus is great (at this point I feel obliged to mention my employer, McAfee), one area that is constantly overlooked is malicious Facebook apps. I just got through telling my wife not to install apps on FB unless she absolutely had to (which means something you will use, and use constantly). I used to be bad about installing all the poll and quiz applications on Facebook I came across, until I went back through my installed apps one day and noticed that many of them weren’t even named the same thing they were named when I installed them.

So if you are worried that someone has hacked your online accounts the best thing to do is to immediately change all of your passwords. Make sure you use a strong password too (that goes for your wife as well as you).

Also, I highly recommend going through your Facebook applications and uninstalling anything you don’t use as they could be used to harvest your information. Not that you should remove them all (I love Mafia Wars) but if you were to read what a developer has access to you’d certainly think long and hard about each application you install ;-)

Finally (for the super-paranoid), if you are using a wireless router you should certainly be using some form of wireless encryption (hopefully not WEP, because it is vulnerable to attacks). Otherwise all of your information is being transmitted in the clear and can be captured with minimal effort.

It’s possible that this person might be getting your personal information another way (via ESP perhaps? :-P ) but I think the most likely culprit is your computer/network security.

There’s more that you can do to harden your systems against attack, but these are the most often used avenues of attack. If your adversary is a hacker let me know and I’ll continue listing things you can do to make your systems secure.

Good luck!

Next, we’ll look into some security products and practices that can help you secure your systems.


Governments calling citizens to ditch Internet Explorer

Google was recently hit by an exploit McAfee has named “Aurora”. This exploit involves all versions of Internet Explorer (though version 6 is getting most of the attention), which has prompted the governments of France and Germany to warn their citizens not to use Internet Explorer at all.

Microsoft initially tried to claim that this exploit was trivial but has since issued an out-of-cycle emergency patch for all versions of Internet Explorer.

Looks like now is the perfect time to switch to a better browser such as Chrome or Firefox.

Here’s a video detailing how this hack works in action in case you are like me and interested in the juicy technical details:


Passwords revisited

An analysis of 32 million leaked passwords provided some interesting insights into the password selection practices of users. Among the key findings are:

  • The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
  • Recommendations for users and administrators for choosing strong passwords.

Also, here are the top 10 most commonly used passwords they found:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

I’ve said it before: the first step in computer security is having a strong password policy.


Password policy: Creating and remembering strong passwords

Passwords are often the weakest part of any security system, partly because we don’t take the time to make them strong enough, we don’t change them very often, or we use the same one all over the place.

Strong passwords, which include a combination of upper and lowercase letters, numbers, and punctuation and are not based on a dictionary word, are often not very easy to remember. And if it’s not easy to remember, chances are we’ll either end up writing it down (bad idea!) or we’ll choose a simpler password. Additionally, since we are often faced with a myriad of sites which all require separate accounts (and passwords), using a different password for each site tends to fall by the wayside in favor of convenience.

It doesn’t have to be like this.

Here’s a technique I’ve found helpful for creating strong, easy-to-remember passwords. It involves coming up with a unique method of transforming a simple word into a strong password using a few simple rules. The beauty of this system is that, unlike a strong password generator, the passwords you come up with using a system like this are easy to remember and can be unique to each site you use them with.

Here are a few other strong-password-generating ideas:

No matter what you choose to use to help you generate strong passwords, it’s always a good idea to check your password’s strength to gauge how hard it would be for an attacker to guess it.
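As an added example (not code from the original posts), here is a small Python checker that turns the leaked-password findings from the previous post and the “check your password’s strength” advice above into code: it flags the leaked top-10 list, short passwords, too few character classes, passwords built on a dictionary word, and runs of consecutive digits or letters or of adjacent keyboard keys. The wordlists are constructed stand-ins for a real dictionary and a real leaked-password file, and the thresholds (12 characters, three character classes, runs of four) are assumptions, not numbers from the posts.

```python
import re
import string

# Constructed lists standing in for a real leaked-password file and a real
# dictionary; the first set is the (lowercased) top 10 from the analysis above.
TOP_LEAKED = {"123456", "12345", "123456789", "password", "iloveyou",
              "princess", "rockyou", "1234567", "12345678", "abc123"}
DICTIONARY = {"monkey", "dragon", "welcome", "summer", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12   # assumed policy minimum
RUN = 4           # length of a sequence or keyboard run that gets flagged


def has_sequence(pw, n=RUN):
    """True if any n-character window is consecutive code points, e.g. 1234, abcd, dcba."""
    for i in range(len(pw) - n + 1):
        w = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_run(pw, n=RUN):
    """True if pw contains n adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            chunk = row[i:i + n]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw):
    """Return the list of policy failures for pw; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if low in TOP_LEAKED:
        problems.append("is one of the most common leaked passwords")
    # Strip digits and punctuation so 'Password1!' is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", low)
    if core and (core in DICTIONARY or core in TOP_LEAKED):
        problems.append("is based on a dictionary word")
    if has_sequence(pw) or has_keyboard_run(pw):
        problems.append("contains a run of consecutive characters or adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "asdfgh", "c0rrect-H0rse-b4ttery!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The dictionary check strips everything but letters first, because appending a digit and a punctuation mark to a dictionary word is the most common way people satisfy a character-class rule without actually gaining any strength.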


Hacking your router for effective internet monitoring

The Why: Preamble

Working in the information technology sector, one of the most common questions I get asked by parents is about monitoring the internet access of their children.[1]

Most parents want to know what their children are doing online, but they also recognize that most off-the-shelf products are just as easy to disable or circumvent (or are far more restrictive and bloated than they want) as they are to install or operate. And sadly, enterprise solutions that capture and control network traffic at the most basic level (making circumvention next to impossible) are still very expensive and therefore out of reach for the average family.

What I needed was a cheap and hackable router that I could modify to send captured URLs to a central source for storage and processing.

The What: WRT54G

After studying my options I remembered reading a lot about the Linksys WRT54G-series routers, how they were originally based on a heavily modified version of Linux, and how Linksys made headlines when it lost a court case regarding the GPLed code it used in the router’s firmware.

So I did a little digging.

What I found was a whole router-hacking subculture built around the WRT54G. While much of the initial fervor seems to have subsided (many of the packages show a last update around 2007), the documentation is still valid for the most part. The most popular projects providing custom firmware are OpenWrt and DD-WRT. While OpenWrt is the original, I found DD-WRT to be a lot more polished and (as we’ll see later) configurable without much headache.

It’s important to note here that the WRT54G has many variants, and it’s easy to fall into the trap of thinking that any old WRT54G will do; a little diligence and study of the differences between the hardware revisions will certainly save you time and money.

After buying a few different routers, bricking one (a Buffalo AirStation WHR-HP-54G[2]) and a false start with a newer WRT54G v7 (anyone need a highly configurable, albeit not-very-hackable, router?), I discovered that the best router for hacking is the WRT54GL (which was designed by Linksys to allow for user modifications).

The How: URLSnarf and custom shell scripts

Space on a router is very limited. On the WRT54GL model I eventually ended up using, I had 4 MB of flash to work with.

The first order of business was to find a package that could monitor all of the network connections (wired and wireless) on the router and capture requested URLs. For this task I discovered that URLSnarf, part of the dsniff OpenWrt package, worked quite well.

To install packages I used DD-WRT’s firmware modification kit which allowed me to simply add the scripts and packages I wanted without having to recompile everything.

Next I needed to transform the captured URL into a URLencoded string in order to send it to my monitoring service via a simple wget request. Initially I tried using several variations of user-generated Python and PHP packages but they both took up far more space than I could afford so, instead, I searched for a pure command-line based solution.

After some more digging I found a handy sed substitution script that worked like a charm. The script worked in two parts, the first one being the substitution script (/usr/bin/urlencode.sed):

# Percent-encode one log line per input line. The % rule must come first,
# otherwise the % signs introduced by later rules would be encoded again.
s/%/%25/g
s/ /%20/g
s/!/%21/g
s/"/%22/g
s/#/%23/g
s/\$/%24/g
s/&/%26/g
s/'/%27/g
s/(/%28/g
s/)/%29/g
s/\*/%2a/g
s/+/%2b/g
s/,/%2c/g
s/-/%2d/g
s/\./%2e/g
s/\//%2f/g
s/:/%3a/g
s/;/%3b/g
s/</%3c/g
s/>/%3e/g
s/?/%3f/g
s/@/%40/g
s/\[/%5b/g
s/\\/%5c/g
s/\]/%5d/g
s/\^/%5e/g
s/_/%5f/g
s/`/%60/g
s/{/%7b/g
s/|/%7c/g
s/}/%7d/g
s/~/%7e/g
s/	/%09/g

and the command line to use it:

sed -f urlencode.sed

To tie it all together, we can pass captured URLs to it via pipes from the command-line with:

urlsnarf | sed -f urlencode.sed

At this point, the only missing link in the capture chain is a script that continually reads lines from standard input and sends the URL-encoded capture data to our storage application (described in the next part). For this task I used the following script (/usr/bin/urlmon.sh):

#!/bin/sh
# Read one percent-encoded log line at a time from stdin and hand it to the
# collector together with the router's hostname and a Unix timestamp.
HOSTNAME=`hostname`
while read -r url; do
    DATE=`date +%s`
    wget -q -O- "http://myapp.appspot.com/log?l=$url&h=$HOSTNAME&t=$DATE"
done

exit 0

Finally, we need to have the router start listening for URLs as soon as it is booted. In a Linux environment this is generally done by init scripts. Since our router has limited capabilities, we don’t need to write a full init script. Here is the slimmed down init script I used (/etc/init.d/S50urlmon):

#!/bin/sh
# Sniff requested URLs, drop the router's own admin UI and the collector itself
# (urlsnarf's -v inverts the match, so lines matching the pattern are skipped),
# then percent-encode each line and forward it.
/usr/sbin/urlsnarf -v "(192\.168\.1\.1|myapp\.appspot\.com)" | sed -f /usr/bin/urlencode.sed | /usr/bin/urlmon.sh

The Where: Google App Engine

I’ve been itching to try out Google’s App Engine for a while now and this project seemed to be a great fit since I didn’t know how much data to expect and I needed my receiving/processing/display application to be highly available and scalable. Especially if this works well enough that others might want to use it.

Since my initial phase is merely to capture the URLs requested from devices behind the router, and since the capture process should be as efficient and lean as possible (I don’t want the router to take very long logging a URL when its primary job is to retrieve that URL for the requester), I decided to make a simple Java servlet which takes the URLencoded log line generated by URLSnarf.

Google App Engine uses Java Data Objects enhanced by DataNucleus to store data in Google’s massive cluster. Here is the annotated JDO (LogLine.java) I used to store the captured URL:

import javax.jdo.annotations.IdGeneratorStrategy;
import javax.jdo.annotations.IdentityType;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.Persistent;
import javax.jdo.annotations.PrimaryKey;

@PersistenceCapable(identityType = IdentityType.APPLICATION)
public class LogLine {
	@PrimaryKey
	@Persistent(valueStrategy = IdGeneratorStrategy.IDENTITY)
	private Long id;

	@Persistent
	private String host;

	@Persistent
	private Long time;

	@Persistent
	private String line;

	public void setId(Long id) {
		this.id = id;
	}

	public Long getId() {
		return id;
	}

	public void setLine(String line) {
		this.line = line;
	}

	public String getLine() {
		return line;
	}

	public String getHost() {
		return host;
	}

	public void setHost(String host) {
		this.host = host;
	}

	public Long getTime() {
		return time;
	}

	public void setTime(Long time) {
		this.time = time;
	}
}

And here is the servlet that processes the GET request (containing the captured URL in Apache Common Log Format):

import java.io.IOException;

import javax.jdo.PersistenceManager;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.werxltd.webmon.data.LogLine;

public class Log extends HttpServlet {
	private static final long serialVersionUID = 3;

	public void doGet(HttpServletRequest req, HttpServletResponse resp)
			throws IOException {
		resp.setContentType("text/plain");

		// The servlet container has already percent-decoded the query
		// parameters; decoding "l" again would turn every '+' into a space.
		String logStr = req.getParameter("l");
		String host = req.getParameter("h");
		String time = req.getParameter("t");
		if (logStr == null || host == null || time == null) {
			resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
			resp.getWriter().println("FAIL");
			return;
		}

		// PMF is the application's PersistenceManagerFactory singleton
		// (the usual App Engine JDO helper class).
		PersistenceManager pm = PMF.get().getPersistenceManager();
		try {
			LogLine logline = new LogLine();
			logline.setLine(logStr);
			logline.setHost(host);
			logline.setTime(Long.parseLong(time));
			pm.makePersistent(logline);
			resp.getWriter().println("OK");
		} catch (Exception e) {
			e.printStackTrace();
			resp.getWriter().println("FAIL");
		} finally {
			pm.close(); // always release the PersistenceManager
		}
	}
}
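Added example, not part of the original project: a Python model of the receiving side that shows what the capture chain above produces and what the servlet should check before storing anything. It parses the Common Log Format line urlsnarf emits, applies the same router-UI/collector exclusion the init script applies with urlsnarf -v, rejects missing parameters, unknown router hostnames, stale timestamps and overlong lines, and requires an HMAC over the three fields under a shared secret so that an unauthenticated GET cannot forge or flood entries. That signature (the s parameter and SHARED_KEY) is an assumption added here; the post has no such mechanism, and the router script would also have to compute it, which is not shown. The hostname wrt54gl and the sample log line are constructed for the example.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret (assumption): it would live on the router and in
# the App Engine app's configuration, never in source or in the query string.
SHARED_KEY = b"example-only-replace-with-a-long-random-secret"

# Router hostnames allowed to report (constructed); anything else is dropped.
ALLOWED_HOSTS = {"wrt54gl"}

# Same exclusions the init script applies with urlsnarf -v: the router's admin
# UI and the collector itself, so the logger never records its own traffic.
EXCLUDE = re.compile(r"(192\.168\.1\.1|myapp\.appspot\.com)", re.IGNORECASE)

# urlsnarf writes Common Log Format with the full URL in the request line.
CLF = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)" - - '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

MAX_LINE = 4096   # cap on what one entry may store
MAX_SKEW = 300    # seconds the router's clock may differ from the collector's


def parse_clf(line):
    """Split one urlsnarf line into fields, or return None if it is malformed."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def sign(host, t, line):
    """HMAC over the three fields; a GET made without the key cannot forge an entry."""
    msg = "\x1f".join((host, str(t), line)).encode("utf-8")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_query(host, t, line):
    """Query string the router side would send: urlmon.sh's l/h/t plus the signature s."""
    return urlencode({"l": line, "h": host, "t": str(t), "s": sign(host, t, line)})


def validate_log_request(query, now=None):
    """Return ("ok", fields) or ("reject", reason) for one /log request.

    The servlet container has already percent-decoded each parameter, which is
    why the line is not decoded a second time here: that would turn every
    literal '+' in a URL into a space.
    """
    now = time.time() if now is None else now
    params = parse_qs(query, keep_blank_values=True)
    try:
        host, line, sig = params["h"][0], params["l"][0], params["s"][0]
        t = int(params["t"][0])
    except (KeyError, ValueError):
        return "reject", "missing or malformed parameter"
    if host not in ALLOWED_HOSTS:
        return "reject", "unknown router hostname"
    if abs(now - t) > MAX_SKEW:
        return "reject", "timestamp outside the accepted window"
    if len(line) > MAX_LINE:
        return "reject", "line too long"
    if not hmac.compare_digest(sig, sign(host, t, line)):
        return "reject", "bad signature"
    fields = parse_clf(line)
    if fields is None:
        return "reject", "not a urlsnarf log line"
    if EXCLUDE.search(fields["url"]):
        return "reject", "excluded host"
    return "ok", fields


# Constructed sample of what urlsnarf prints for one request from a LAN client.
SAMPLE = ('192.168.1.23 - - [25/Jan/2010:20:15:03 -0600] '
          '"GET http://www.example.com/index.html HTTP/1.1" - - "-" "Mozilla/5.0"')

if __name__ == "__main__":
    q = build_query("wrt54gl", 1264472103, SAMPLE)
    print(validate_log_request(q, now=1264472110))
    print(validate_log_request(q.replace("192.168.1.23", "10.0.0.9"), now=1264472110))
```

The checks run cheapest-first and the signature is compared with hmac.compare_digest so that a forged request is rejected in constant time before any datastore work happens; the hostname allowlist and the time window are what keep a leaked URL from being replayed or used to fill the datastore with junk.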

The future

This project is still in its early stages. There is no real way to view the captured data just yet, though I plan on incorporating Polliwog, and the router software hasn’t been tested as much as I would like. I’m also leery of any security holes I may have introduced.

So if you have any suggestions or would like to know more, feel free to leave a comment below!

[1] Most actually ask about “controlling what their kids see online”, but I generally argue for an observe-only approach, as it helps open lines of communication with your child, whereas silently blocking “bad” sites will only start a silent war that will frustrate you once they do find a suitable workaround, such as a proxy.
[2] I might have had better luck had I seen this helpful guide. Oh well, this gives me a future project in figuring out how to de-brick my WHR-HP-54G.