GSM Networks allow attacks to determine your location without your knowledge

• Researchers at the University of Minnesota have found a way that an attacker using open source software could locate your cell phone to within 1 square kilometer
• The GSM Protocol attempts to mask the identity of individual devices by using temporary IDs, however it is possible to map the phone number to these temporary IDs
• The attack works by placing repeated PSTN phone calls to the mobile number, but disconnecting before the first ring on the handset (~4 seconds)
• This causes the cell towers in the area where the networks believe the user to be to broadcast ‘paging’ requests to the target handset’s temporarily or immutable ID
• By listening in on the radio frequency for this broadcast, the attacker can determine if the target is in range of one of the cell towers near them. A few repeated calls allow the attacker to isolate which temporary ID corresponds to the mobile device they are placing the aborted calls to
• In a large area services by many towers, an attacker can determine if the target is within approximately 100 square kilometers
• This attack could be used by oppressive governments to determine if a person is present at a protest or other gathering without relying on support from the telco, to determine is a victim is away from home before attempting a robbery, or even to locate a high profile individual for stalking or assassination
• Research Paper

Feedback:

Q: (Traci) My webhost has been added to an RBL and now emails sent from my domain and from my website cannot be received by some people, can you explain what an RBL is and why it is blocking my email. (Dreamhost servers blocked by Trend Micro RBL )[https://www.dreamhoststatus.com/2012/02/14/mailservers-on-trend-micro-rbl-working-on-removal-from-list/]

A: An RBL or Real Time Blacklist is a list of IP addresses or domain names that the maintainer of the list feels should be blocked from sending emails. There are many different RBLs which different criteria from inclusion and removal from their lists. Most RBLs operate based on DNS due to its light weight and extremely low latency.

So, when an ISP, say, comcast, receives new email directed to one of its customers, it will check details of that email against a number of RBLs they comcast subscribes to. It checks the sending IP, any links included in the email, etc. If one or more of these RBLs returns a positive result, the email may be flagged as spam, or rejected entirely.

Different RBLs cover different problems, Spamhaus.org has lists that cover spam, Trojaned PCs and Open Proxies, Dynamic IP ranges, Spam Domains (sites that spam links to), and compromised servers. Spamcop.net bases its RBL on emails they intercept at honeypot addresses, and sampling the emails that users pay $30/year to have their email filtered via spamcop.net.

One of the most common ways for a webhost to get added to an RBL is when one or most customers run insecure CGI or PHP scripts that send email. When that happens, and attacker can cause your site to send email, or install a script that sends email. Sending large amounts of spam from the web host’s servers will cause it to be listed in the RBLs until the webhost resolves the issue. Many RBLs are automated, where they will add an IP when it is detected as a source of spam, and remove it once it has stopped sending spam for 24 hours. The other common cause of listing in an RBL is hosting sites that are the target of the spam messages (rather than the source). When a web application such as wordpress is compromised, the attacker may be able to install their own site in a subdirectory, using your hosting to host the link that send out in their spam messages. The target of the spam could be a page directing the user to buy something, a phishing site designed to look like paypal or a bank, or even malware, hosting the executable or javascript that the unsuspecting user will run. This last example is similar to the exploit we saw with cryptome last week, if other websites on the internet were infected and made to load a javascript file from a domain hosted at your host, then anti-virus vendors such as Trend Micro may add your webhost to their block list.

In the past, there have been a number of legal battles against RBLs where senders have tried to prosecute the RBL for blocking their communications, however, in the end, it is up the individuals ISPs to decide which RBLs to use and how to interpret the results returned by the RBL.

Email Blacklist Check – See if your server is blacklisted

War Story:

Another in our continuing series of War Stories submitted by the other other Alan (Irish_Darkshadow)

*
This incident took place in mid-April 1999 about two months into my technical support career with the US Thinkpad desk. Despite my rocky start I had managed to establish a reputation for myself as an agent who liked to tackle the more difficult calls. In addition, I had also managed to avoid having a single customer “escalate” on me. That is where a user demands a superior or someone who knows more about their issue to take over the call. That all changed with a single call.

I arrived to work that day for my 16:30 to 01:30 shift and settled in to take my first call. It was a relatively easy one where the user had picked up their laptop from a servicer and was having boot problems. It turned out to be a simple case of the servicer having left a driver disk in the floppy drive. Top to bottom the call took about 13 minutes including typing up the documention for it in our ticketing system. I sat in Avail on my phone for the next few minutes before my next call arrived.

Once I managed to get the initial greeting script out I was slammed with a guy screaming down the line about wanting to speak to a manager. I was resigned at this point to losing my “no escalation” record but I still needed to follow procedure and determine what grievance had the user so irate before putting a team lead or manager on the line with him. It took me a few mins to calm him down enough and to vent sufficiently for me to start gathering some information. It turned out that he had returned his laptop to IBM on three separate occasions in the first nine weeks he had owned it for various compatibility issues with 3rd party devices he had purchased. I could see his point of view perfectly in wanting an escalation and I placed him on hold to go look for someone in authority to help the guy out.

My team leader (TL) at the time was easily located and once I had explained the situation he decided to delegate the matter to his assistant team leader (ATL). I took her to my desk where she started speaking with the user and I strolled back to my TL to get some ribbing for my first customer escalation. Normally when a TL or ATL takes over a call it results in the user being placated in some manner or else the customer gets transferred to Customer Relations to be dealt with appropriately. Either way, once an agent handed off a call like that they simply waited for a resolution before taking the next call. No such luck this time. The ATL walked up to where I was standing and started to explain the situation to the TL and how the user had returned the machine three times with no faults found but he still could not get his 3rd party devices to work. Nothing too new there but then she dropped the bombshell that she had promised the user that I would troubleshoot the hardware issues for him immediately! This was unheard of, the customer had four devices that I had no familiarity with and this ATL had just thrown me under the frickin’ bus. I looked at the TL for some sanity to be brought to the situation but he had to acknowledge that the ATL had committed a course of action to the customer and I was going to have to pay for her generosity. Back to my desk I went whilst cursing the ATL, her lineage and any future offspring…..but in a harmless way

Once I was back on the call with the user I started to gather some details on exactly what I was dealing with. The user had a Thinkpad 560 which is termed a “single spindle” machine in that it only had a hard drive within the chassis and no floppy or optical devices. The external floppy drive was attachable via an IBM proprietary connector and the machine was a Pentium 120 with 32mb RAM, a 2.1 Gb HDD and an IrDA 1.0 header.

Now that I had some idea of the core hardware I ventured into the realm of 3rd party peripherals that the user was struggling with. He had a backpack cdrom (parallel port optical drive), a PCMCIA modem, a PCMCIA network card and a HP printer that he wanted to connect to via Infrared. I knew I was screwed at that point but figured I couldn’t really make the problem worse since none of the hardware operational anyway.

I began working with the backpack cdrom which was attached to the printer port. Windows 95 v2.1 was not detecting any new hardware once the drive was switched on. I tried the usual places like device manager for clues but all I could determine was that the parallel port appeared to be operational. I put the cdrom to the side and started working on the two PCMCIA cards. Despite the user having the proprietary CardMagic software installed that acted as a crutch to Windows 95 plug & play (*pray) neither card was detected and a pattern was beginning to emerge. The IR printer suffered from the same lack of detection and so I asked the user if he had any other device that we could attach to the laptop just to see if Windows was detecting anything at all. He connected up the external floppy drive and instantly it was detected and accessible in Windows Explorer. SHIT!!! My instincts were telling me that the OS was corrupted in some way and a reload was imminent and I hated having to do that to any user.

I sent an IM to the Team Leader to let him know that I was going to have to do a reload and he told me to stay on the call with the customer until the reload was complete and then resume working on the 3rd party hardware. As I was preparing the user for the reload I had a sudden realisation of how bad the situation really was. A single spindle machine comes with a specific reload solution where a user starts up Windows for the first time and they get prompted to insert floppy disks onto which the reload disk images will be “burned”. At first the customer didn’t recall any such prompt and I began to get a sinking feeling that I would need to have this laptop shipped to IBM for the 4th time just for a reload and then once it was returned to him, I would need to pick up with troubleshooting the 3rd party hardware. The user had a Eureka moment and told me that he believed that he had a shoe box with the floppy disks that had been in his office closet since the day he made them. He managed to locate the shoe box and the 37 floppy disks inside. 26 of those were the base OS and 11 were for the application layer.

I reckoned that the reload was going to take about two hours to complete which presented me with another challenge due to the team leader telling me to stay on the phone through to completion. One of the rules was that there should not be any dead silences during a tech support call so I was going to have to find a way to get this guy talking for the two hours in between me asking him about what was on the screen and how many disks he had left to go through. This was gonna be fun!

For the two hours of the reload, as the customer went through his 37 disks, I managed to lure him into topics like his job and prior computer experience and pretty much anything else I could come up with to keep things flowing. I was trying to hit on a topic that would allow for lots of conversation with minimal input from my side. It turned out that he was a Judge in NYC who handled criminal cases. The only common ground there is that I could explain to him that I loved My Cousin Vinny which I figured would not go down very well. Eventually he mentioned that his son was at soccer practice and he needed to arrange someone else to pick him up while we reloaded the laptop. That was my angle, I started talking to the guy about every possible soccer item that came to mind and the rest of the reload flew by without incident. I got him to go into the BIOS and I set up the the parallel port and PCMCIA slots before dealing with Windows.

Once the operating system was back on there and up and running I got him to attach the backpack cdrom and I heard the detection sound over the phone. That meant I had at least found one issue and corrected it. Device manager showed the cdrom with an exclamation mark and it looked to me like this thing needed to be installed from a DOS perspective before it would work in Windows. He had a driver disk for the cdrom which I was able to get running in DOS mode so that it added the driver to the config.sys file and called it from the autoexec.bat file. A quick reboot later and the cdrom was usable from within Windows 95. Problem #2 solved. Time for the PCMCIA fun and games.

I decided to go with setting up the modem first as it would be easiest to test. Upon insertion the card was instantly detected and I was able to talk him through configuring it in the CardMagic application. He hooked it up to his fax line and was able to connect to his ISP at a staggering, no, blistering 28.8kbps! Either way, problem #3 solved.

The network card was up next and once more upon insertion it was detected and was able to find a driver on the backpack cdrom drive. There was no network near the user that I could test with but I was able to talk him through some ping tests and winipcfg.exe tests that implied the TCP/IP stack was operational and the bindings to the card were good. So we agreed to call that problem #4 solved. I felt that I was in the home stretch now and when I looked at the clock I realised that the call was coming up on three and a half hours already. Now it was time to get the printer operational.

The printer was able to print a self test page from the buttons on it and so it appeared to be working from a hardware perspective. I got the user to test it using the parallel port by removing the backpack cdrom and that was also successful. The problem came when trying to get the IR link to the printer to work. No matter what configuration I tried I just could not get a connection between the IrDA header on the laptop and that on the HP printer. The customer refused to believe that it was the printer and was adamant that the IrDA header on the Thinkpad was at fault. I was completely stuck for a way to prove otherwise. At some point during that desperation to come up with a troubleshooting idea after nearly four hours of work I hit upon an idea that made sense…at least to me. I asked the user to confirm what COM port the IrDA was configured as and then I had him connect to that COM port via the Hyperterminal application. My next request was a weird one, I asked him to get a remote from a TV or a VCR for me. He rummaged around for a while and then found one for some small TV he had in his office that was barely used. I asked him to point it at the IrDA header on the laptop and keep pressing random buttons on it while watching the hyperterminal window. He said that gibberish symbols came up in the window whenever he pressed a button on the remote. EUREKA! I had solved problem #5 by proving that the issue was with the IR port on the printer and not the one on the laptop. He agreed with my conclusion and he asked me if I would set up the printer on the parallel port so that he could just hook up a cable if he needed to. As we were going through the steps of hooking up the backpack to install the driver he told me that he got a blue and then a black screen. The text said “registry not found”. Apparently he had decided to pull out the PCMCIA cards while the LPT printer driver was installing and it had thrashed Windows.

My first attempt at a solution was a reboot into safe mode but that failed with the same error and I was only able to get the system to reboot into DOS mode. From there I backed up the existing registry files and restored the user.da0 and system.dao clean registry files. When he booted back into Windows, we were back where things started….no hardware was detected once attached. EPIC USER FAIL!!!
With just over four hours on the timer, the whole procedure had to be done all over again. I asked the user if I could put him on hold and he agreed. Firstly I dealt with my bladder and then I went to the TL and told him what was happening and the sadistic bastard told me to go back with the user and see it through to completion. Fucker.

I got back onto the call and we started going through the whole process all over again from the ground up with one caveat – don’t do anything with the computer unless I authorised it. During the two hour reload portion of the call I got him to give me his AOL email address and I sent him a copy of a tool from the Microsoft site called E.R.U. (emergency recovery utility). This time around once we had managed to get all of the hardware and software to where it needed to be and we had done enough tests to convince us both that everything was operational. At that point I ran the ERU application and made him store that recovery set in his shoe box of floppy disks. We exchanged pleasanties and parted ways. I checked the timer and 8 hrs 38 minutes had passed.

On an average day I would deal with twenty to twenty five calls in a single shift. On this day I managed a grand total of two calls with 1 pee break and no food as I hadn’t taken any of my breaks. However, I was able to leave the office two hours earlier than expected. That didn’t really help with my complete burnout after that long of a call but at least I had a new record for the longest tech support call in the history of the call center and that record still stands today as far as I know.

Try to get a 8hr plus support call in a current day call center. Aside from the focus on 7 minutes per call I doubt you will find the will and dedication to send a customer away satisfied with the experience.

And I never even got a medal but if I ever get into nefarious matters in NYC, I will be calling in a favour from a certain Judge I know there.

Round Up:

• SSDs have a ‘bleak’ future, researchers say
• Government Pressures Twitter to Hand Over Keys to Occupy Wall Street Protester’s Location Data Without a Warrant
• Dutch government rejects ACTA as a Human Rights Violation
• Anonymous accuses NSA of fear-mongering
• NSA declassifies rejected proposals for a cryptography system submitted by Dr. John Nash (A Beautiful Mind) in the 1950s
• Obama unveils Consumer Privacy Bill of Rights
• EU court rules that hosting companies cannot be force to run anti-piracy filters as it violates privacy of the users and hinders the right to freedom of information
• Australian police spying on web and phone usage without warrants
• [Hall of Shame] Exposed: YouPorn passwords in all their plain-text glory

The post Email Constipation | TechSNAP 46 first appeared on Jupiter Broadcasting.

Breaking

New York Times subscriber list may have been compromised

• This story was first reported minutes before the recording of this episode of TechSNAP, so further information and verification were not possible
• An email was sent to users asking them to reconsider cancelling their home delivery subscription
• The email seems to have been targeted at anyone with a NYTimes.com accounts, not just current home delivery subscribers
• Some people who received the message say that the NYTimes was the only 3rd party that had their email address
• The email appears to have a correct DKIM signature, meaning it was signed with the private key of the email.newyorktimes.com domain
• The email was sent via Epsilon Interactive, a mass emailing company that has previously been compromised
• NYTimes First Responses: Blog.NYTimes.com Twitter
• Email Headers
• It is unclear if the email was the result of the compromise of Epsilon’s servers (and the NYTimes private key), or was accidentally sent to all subscribers instead of the intended subset

WiFi Protected Setup (WPS) flaw exposes millions of devices to trivial attack

• WPS was created to allow users to more easily setup secure wireless networks
• WPS uses either an 8 digit PIN number, or a ‘push to connect’ button on both the AP and Client device
• This security vulnerability specifically targets the 8 digit PIN number
• The 8 digit PIN results in a key space of 10^8 (100 million) keys
• However, the last digit in the PIN is actually a checksum, used to detect typographic errors
• The attack described below exploits a flaw in WPS where the attacker is able to determine by the response from a failed attempt, that the first 4 digits of the PIN matched
• This combined with the last digit being a checksum, effectively narrows the key space of possible PINs to 10^4 + 10^3 (11,000) keys
• Even this key space should be enough to keep attackers out, however it was discovered that many devices do not implement any type of failed login banning, making brute force attacks much easier and faster
• It was also observed that rapid brute force attempts also seemed to have a Denial of Service effect on the targeted AP, exhausting its processor time responding to the authentication requests
• Affected vendors include: Belkin, Buffalo, D-Link, LinkSys, NetGear, TP-Link and ZyXel
• As of yet, there have been no new firmware offerings to resolve this issue
• DD-WRT does not support WPS so is not vulnerable
• To work around the problem, you can disable WPS on your AP, or if it is supported, set a long lockout time for failed attempts
• Technical Details
• Vulnerability Announcement

GSM Phones vulnerable to hijacking

• Security researcher Karsten Nohl, known for his research into exploiting GSM to tap/eavesdrop on mobile phone calls, is set to present new research that he says allows an attacker to impersonate your phone, making calls and sending text messages to expensive premium services operated by the attacker
• Such attacks are commonly executed against corporate land line PBX systems, breaking in to systems and then placing expensive per-minute calls, collecting large sums of money, and then disappearing before the victim gets their next phone bill and notices the problem
• In the days of dialup, computer viruses that cause your computer to much similar expensive phone calls in the middle of the night were also fairly common
• The vulnerability only effects the older 2G GMS network, however most all phones still support GMS as a fallback when newer 3G networks are not available
• “We can do it to hundreds of thousands of phones in a short time frame,” Nohl told Reuters
• Security Research Labs (the company Nohl works for) runs a website where they rank the various mobile providers based on their ease of Impersonation, Interception and Tracking
• “None of the networks protects users very well,” Nohl said.
• SRLabs plans to release data collection software, allowing users to participate in data collection to grow the improve the database
• SRLabs research is focused in Europe and did not review any North American telcos

Anonymous claims responsibility for compromise of StratFor website, releases customer information via pastebin

• The website of US security think tank Strategic Forecasting Inc (Stratfor) was compromised by attackers under the banner of the Anonymous movement
• Other members of Anonymous stated that the attack was not an official operation, and that because Stratfor is a media source, they are protected by freedom of the press, a highly valued principle in the Anonymous movement
• The pastebin posts are only flagged as #antisec and #lulzxmas, and may have been falsely attributed to anonymous by the media
• Stratfor has suspended the operation of its website and email
• The attackers have obtained the credit card details, password, and addresses of 4000 of Startfor private clients
• The attackers claimed to have stolen 200GB of data, including emails and research
• The goal of the #lulzxmas campaign was apparently to make 1 million dollars in donations to charities using stolen credit cards
• Other twitter posts claim the total number of stolen credit cards was in excess of 90,000. Of these, two lists containing 3956 items and 13,191 items respectively, have been published
• The data is said to include the CVV values for the credit cards, it is against the PCI-DSS standard to store the CVV value specifically for this reason, so that when a database is compromised, the CVV value is NOT disclosed, so that online stores that use the CVV value can still prevent fraud
• It also appears that the users’ passwords were stored in plain text. The data that was released via pastebin had the passwords MD5 hashed, but even if that is how they were stored in the database, that is insufficient protection
• Most of these funds will likely be charged back, actually costing the charities money
• Stratfor describes itself as a provider of strategic intelligence for business, economic, security and geopolitical affairs
• Stratfor’s said that they were working with law enforcement to attempt to apprehend the attackers
• “Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me,” wrote Mr. Friedman (Chief Executive of Startfor) in an email to clients
• “Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications,”
• Purported Client List
• Client Details

Round Up:

• Apple fined $1.2 Million in Italy for making customers pay for support that should have been under warranty
• Siemens publicly admits to security vulnerabilities after US Department of Homeland Security issued an advisory warning all critical infrastructure operators to ensure their Siemens systems are not reachable from the Internet. Siemens expectsing to release the first security update/fix late next month
• pfSense 2.0.1 release now available!
• How hackers gave Subway a $3 million lesson in point-of-sale security
• Update: China Denies Responsibility, claims they are under same attacks
• Merry Christmas from the FreeBSD Security Team
• Fjord cooled data center in Norway, worlds greenest data center?
• Chinese Software Developers’ Forum hacked, 6 million plain text user credentials posted online Analysis of most used passwords

The post Unsafe Wifi | TechSNAP 38 first appeared on Jupiter Broadcasting.