
Wednesday 28 September 2016

Excursion to Ealing

I was out geocaching today. I drove into London, parked, then biked around Ealing. I visited the Elstree Studio, where so many of the movies I like were made.

Not many caches done today; some were too difficult for me to find, and then I had a blowout on my back tire. Not a puncture - the valve got sheared off.

Lunch was a couple of hot sausages from a Polish lady in a tiny kiosk.

Double trojan

Subject: There has been a change to your parcel delivery

I get a lot of email about parcels. I'd guess that a lot of people on the internet receive a lot of parcels, so an email about "your parcel" stands a good chance of not being ignored. The interesting thing about this one is that it came with two files.

encryption_key.zip
tracking_encrypted0928.doc

The explanation in the email was "The new privacy policy. All personal information is encrypted in attached document.".

Neat idea. Except that the encryption_key.zip file contained a javascript program, obfuscated, and I can't be bothered to reverse engineer it, oops, I mean stare at it until I understand it, but it references "http://worinmena.com/l.exe" which I'm guessing gets downloaded and does something unpleasant.

I sent encryption_key.zip to Virustotal, and no product flagged it. I also tried tracking_encrypted0928.doc, which was first submitted about an hour before I received it, and 4/55 products flag it as malware.


Monday 26 September 2016

Pix log analysis

I've been logging all the Pix messages to the system log on a server, and I told that server to keep the Pix messages in a separate file. Today, I had a look at that file.

There were a third of a million messages, and that's just two days' worth. So I wrote a program.

#!/usr/bin/perl
# Analyse pixlog: count the common kinds of Pix message and print only the
# lines that match none of the patterns, so those can be read by hand.
use strict;
use warnings;

my %n;    # counters, keyed by category name

open(my $pixlog, '<', '/var/log/pixlog') or die "cannot open /var/log/pixlog: $!";
while (<$pixlog>) {
  if (/exceeds configured limit/) {$n{bigdns}++; next}
  # \b after a port number so that /23 does not also swallow /230, /2300 etc.
  if (/outside:outside-interface\/23\b/) {$n{outsidetelnet}++; next}
  if (/outside:outside-interface\/2323\b/) {$n{outsidetelnet}++; next}
  if (/outside:outside-interface\//) {$n{outsideother}++; next}
  if (/\/23 by access-group "outside_access_in"/) {$n{telnet}++; next}
  if (/\/2323 by access-group "outside_access_in"/) {$n{telnet}++; next}
  # high ports: \d+ rather than \d* so $1 is never an empty string in the comparison
  if (/Deny tcp .*outside.*outside.*\/(\d+)/ and $1 > 1023) {$n{denyootcpgt1024}++; next}
  if (/Deny udp .*outside.*outside.*\/(\d+)/ and $1 > 1023) {$n{denyooudpgt1024}++; next}
  if (/Deny tcp .*outside.*dmz.*\/(\d+)/ and $1 > 1023) {$n{denyodtcpgt1024}++; next}
  if (/Deny udp .*outside.*dmz.*\/(\d+)/ and $1 > 1023) {$n{denyodudpgt1024}++; next}
  if (/Deny tcp .*outside.*inside.*\/(\d+)/ and $1 > 1023) {$n{denyoitcpgt1024}++; next}
  if (/Deny udp .*outside.*inside.*\/(\d+)/ and $1 > 1023) {$n{denyoiudpgt1024}++; next}
  if (/Deny.*outside.*outside:212\.58\.55\.(\d+)/ and $1 > 224) {$n{nosuchserver}++; next}

  if (/Deny.*outside.*(outside|dmz|inside).*\/445\b/) {$n{samba}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/111\b/) {$n{rpc}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/13[789]\b/) {$n{samba}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/587\b/) {$n{port587}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/22\b/) {$n{ssh}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(343|433|995|500|444|161|1000|8[123456789]|123|17|19|523|520|456|623|417|135|389|990)\b/) {$n{ports}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(21|69)\b/) {$n{ftp}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/53\b/) {$n{dns}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/25\b/) {$n{email}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(143|110)\b/) {$n{imap}++; next}
  if (/Deny.*outside.*(outside|dmz|inside).*\/(80|443)\b/) {$n{http}++; next}
  if (/Invalid destination for ICMP error message/) {$n{invalidicmpdest}++; next}
  if (/dst outside:global-out/) {$n{globalout}++; next}

  if (/regular translation creation failed for icmp src dmz:nsint1-2/) {$n{regnsint1}++; next}
  if (/regular translation creation failed for icmp src dmz/) {$n{regdmz}++; next}
  if (/Deny IP due to Land Attack from up-works-out to up-works-out/) {$n{land}++; next}
  if (/Denied ICMP type=0, from laddr/) {$n{icmp0}++; next}
  if (/Denied ICMP type=3, code=3/) {$n{icmp3}++; next}
  if (/No translation group found for udp src dmz:sadii.*53/) {$n{notrans}++; next}
  if (/Deny icmp src dmz:\d/) {$n{icmpfromd}++; next}
  if (/Deny tcp src dmz:\d/) {$n{tcpfromd}++; next}
  if (/Deny udp src dmz:\d/) {$n{udpfromd}++; next}
  if (/212\.58\.55\.192\b/) {$n{accessto192}++; next}
  if (/reason: MSS exceeded/) {$n{mssexceeded}++; next}
  $n{other}++;
  print $_;    # anything unrecognised is printed for reading by hand
}
close $pixlog;

# Categories that never matched print as 0 rather than as a blank.
$n{$_} //= 0 for qw(bigdns telnet outsidetelnet outsideother
  denyooudpgt1024 denyootcpgt1024 denyodudpgt1024 denyodtcpgt1024
  denyoiudpgt1024 denyoitcpgt1024 nosuchserver samba port587 ssh ports ftp
  http dns rpc invalidicmpdest globalout icmp0 icmp3 email imap regnsint1
  regdmz land notrans icmpfromd tcpfromd udpfromd accessto192 mssexceeded other);

print "bigdns = $n{bigdns}  telnet = $n{telnet} outsidetelnet = $n{outsidetelnet}  outsideother = $n{outsideother}\n";
print "deny-oo-udpgt1024 = $n{denyooudpgt1024}  deny-oo-tcpgt1024 = $n{denyootcpgt1024}\n";
print "deny-od-udpgt1024 = $n{denyodudpgt1024}  deny-od-tcpgt1024 = $n{denyodtcpgt1024}\n";
print "deny-oi-udpgt1024 = $n{denyoiudpgt1024}  deny-oi-tcpgt1024 = $n{denyoitcpgt1024}\n";
print "nosuchserver = $n{nosuchserver} samba = $n{samba} port587 = $n{port587} ssh = $n{ssh} ports = $n{ports} ftp = $n{ftp} http = $n{http} dns = $n{dns} rpc = $n{rpc}\n";
print "invalidicmpdest = $n{invalidicmpdest} global-out = $n{globalout} icmp0 = $n{icmp0}  icmp3 = $n{icmp3} email = $n{email} imap = $n{imap}\n";
print "regular translation nsint1 = $n{regnsint1}  regular translation dmz = $n{regdmz} land = $n{land}\n";
print "notrans = $n{notrans} icmp, tcp, udp from d = $n{icmpfromd}, $n{tcpfromd}, $n{udpfromd} accessto192 = $n{accessto192}  mssexceeded = $n{mssexceeded}\n";
print "other = $n{other}\n";
exit;


That program eliminated the commonest logs. For example, more than half of the logs are telling me about an attempt to telnet to one of my servers. Which is not going to happen, but they wouldn't be doing it unless it works sometimes, so there must be a lot of unsecured things on the internet that you can telnet to. I'd guess that a lot of them are light bulbs or other stupid things that the vendor likes to claim "you can control it with your smartphone" and hasn't bothered with any silly security stuff. I mean, if your light bulb gets hacked, so what? Well, "so what" is that it can be used as part of a botnet, sending out spam or doing DDoS (distributed denial of service) attacks.
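As an added example (in Python, and not the author's script above), here is the same sorting done by parsing the Deny messages rather than matching whole lines: it pulls out protocol, interfaces, addresses and ports, buckets by destination port the way the Perl does, and also keeps a per-source count so a flood from one address stands out. The log lines are constructed to the shape of Pix message 106023 as rsyslog writes it to /var/log/pixlog; the host name xantl and the addresses are sample values.

```python
import re
from collections import Counter

# Constructed sample lines in the shape rsyslog writes to /var/log/pixlog
# (syslog timestamp and host, then the Pix message). The addresses are from
# the documentation ranges; nothing here is a real log.
SAMPLE_LOG = """\
Sep 26 10:01:02 xantl %PIX-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.0.2.10/23 by access-group "outside_access_in" [0x0, 0x0]
Sep 26 10:01:03 xantl %PIX-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.10/2323 by access-group "outside_access_in" [0x0, 0x0]
Sep 26 10:01:05 xantl %PIX-4-106023: Deny tcp src outside:198.51.100.9/40000 dst dmz:192.0.2.20/22 by access-group "outside_access_in" [0x0, 0x0]
Sep 26 10:01:06 xantl %PIX-4-106023: Deny udp src outside:198.51.100.9/40001 dst inside:192.0.2.10/5353 by access-group "outside_access_in" [0x0, 0x0]
Sep 26 10:01:07 xantl %PIX-4-106023: Deny tcp src outside:198.51.100.9/40002 dst inside:192.0.2.10/445 by access-group "outside_access_in" [0x0, 0x0]
Sep 26 10:01:08 xantl %PIX-3-305006: regular translation creation failed for icmp src dmz:192.0.2.20 dst outside:203.0.113.1 (type 8, code 0)
"""

# Fields of a 106023 "Deny" message: protocol, source interface/address/port,
# destination interface/address/port. ICMP lines carry no port.
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>tcp|udp|icmp) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
)

# The same buckets the Perl script keeps, by destination port.
PORT_BUCKETS = {
    'telnet': {23, 2323},
    'ssh': {22},
    'samba': {445, 137, 138, 139},
    'rpc': {111},
    'ftp': {21, 69},
    'dns': {53},
    'email': {25},
    'port587': {587},
    'imap': {143, 110},
    'http': {80, 443},
}


def parse_deny(line):
    """Return the fields of a 106023 Deny message as a dict, or None."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def bucket(rec):
    """Name the category a parsed deny record falls into."""
    if rec['src_if'] != 'outside':
        return 'from-' + rec['src_if']          # e.g. something in the dmz talking out
    if rec['dport'] is None:
        return 'icmp' if rec['proto'] == 'icmp' else 'other'
    port = int(rec['dport'])
    for name, ports in PORT_BUCKETS.items():
        if port in ports:
            return name
    if port > 1023:
        return '{}-highport-{}'.format(rec['proto'], rec['dst_if'])
    return 'other'


def summarise(text):
    """Count lines per bucket and per source address; return the unbucketed lines."""
    counts, by_source, leftovers = Counter(), Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_deny(line)
        name = bucket(rec) if rec else 'other'
        counts[name] += 1
        if rec:
            by_source[rec['src']] += 1
        if name == 'other':
            leftovers.append(line)       # the lines worth reading by hand
    return counts, by_source, leftovers


if __name__ == '__main__':
    counts, by_source, leftovers = summarise(SAMPLE_LOG)
    for name, n in counts.most_common():
        print('{:24} {}'.format(name, n))
    print('busiest sources:', by_source.most_common(3))
    print('lines to read by hand:')
    for line in leftovers:
        print('  ' + line)
```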

Anyway.

It got the 1/3 million logs down to under 1000, and I could actually check those, and in doing so, I did find some minor misconfigurations of my network.

- some of my servers were using the wrong place to get their daily time check
- some of my servers were being advertised as mail servers, but the firewall wasn't allowing inbound email - that's because it will *all* be spam, I'll explain why later
- one of the rules in my firewall was in the wrong place, after the "deny everything else" rule, and, obviously, there's no point in having a rule after that. So I moved the rule to where it should have been.

So, minor stuff (if there had been anything major, I'd have noticed it before). But it's nice to have everything hunky-dory.

Now, about that spam.

If you do "dig mx drsolly.com" then you'll see in the answer section:

drsolly.com.        3600    IN    MX    5 ns2.drsolly.com.
drsolly.com.        3600    IN    MX    2 ns1.drsolly.com.

Or you might see:

drsolly.com.        3600    IN    MX    2 ns1.drsolly.com.
drsolly.com.        3600    IN    MX    5 ns2.drsolly.com.

What a mail sender is supposed to do is choose the lowest-numbered server (in this case, ns1.drsolly.com) and send the mail there. If that server isn't responding, then you go to the next one up, in this case ns2.drsolly.com. And you can have any number of these. Google has five.

But spammers don't care about the ranking, they just send the spam to the first on the list. So, if you have a list of ten mail servers, everything that goes to the ones that aren't the lowest numbered one, is spam!

Isn't that handy?

So for most of my email, I run a dozen mail servers. Anything that isn't sent to the first two, is 100% spam. It's a nice way to sort it out. And, of course, most of those servers can be fictitious.
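An added example (not the author's code) of both sides of that trick in Python: the order a standards-following sender is meant to try the MX hosts, the "first on the list" behaviour the post attributes to spammers, and a receiver-side check that treats anything delivered to a non-primary MX as spam. The example.com records, the host names and the two decoys are constructed for the example; n_real is how many real servers sit at the front of the list (two in the post's setup).

```python
import random
import re

# Constructed answer section in the layout dig prints. example.com, the host
# names and the preferences are made up; decoy3/decoy4 stand for the
# fictitious servers the post describes. A decoy is listed first on purpose,
# since dig returns the records in varying order.
DIG_MX_ANSWER = """\
example.com.        3600    IN    MX    10 decoy3.example.com.
example.com.        3600    IN    MX    5 mx2.example.com.
example.com.        3600    IN    MX    2 mx1.example.com.
example.com.        3600    IN    MX    10 decoy4.example.com.
"""

MX_RE = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$')


def parse_mx(answer):
    """MX answer lines -> list of (preference, host), in the order printed."""
    records = []
    for line in answer.splitlines():
        m = MX_RE.match(line)
        if m:
            records.append((int(m['pref']), m['host'].rstrip('.')))
    return records


def rfc_delivery_order(records, seed=None):
    """Order a well-behaved sender tries the hosts: lowest preference first,
    hosts that share a preference in random order (RFC 5321 section 5.1)."""
    rng = random.Random(seed)
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def naive_first_listed(records):
    """What the post says spammers do: take the first host in the list as
    returned, whatever its preference."""
    return records[0][1]


def legitimate_mx(records, n_real):
    """The n_real lowest-preference hosts: the only ones real mail should reach."""
    return {host for _, host in sorted(records)[:n_real]}


def classify_delivery(records, received_by, n_real):
    """'ok' if the message arrived at a real MX, 'spam' if it arrived at a decoy."""
    legit = legitimate_mx(records, n_real)
    return 'ok' if received_by.rstrip('.') in legit else 'spam'


if __name__ == '__main__':
    recs = parse_mx(DIG_MX_ANSWER)
    print('proper order :', rfc_delivery_order(recs))
    print('spammer picks:', naive_first_listed(recs))
    for host in ('mx1.example.com', 'mx2.example.com', 'decoy3.example.com'):
        print(host, '->', classify_delivery(recs, host, n_real=2))
```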

Sunday 25 September 2016

I get offers

These are from the last eight hours, to just one of my email addresses..






DEAR SIR/MADAM,

MY NAME IS THOMAS MANU, THE DIRECTOR OF OPERATIONS
AT THE GHANA NATIONAL PETROLEUM CORPORATION. I APPRECIATE THIS CHANCE TO
COMMUNICATE WITH YOU TO MOVE MY INVESTMENT FORWARD AS I VALUE YOUR
EXPERTISE IN THE PROCESS. IN MY QUEST TO ESTABLISH A VIABLE INVESTMENT, MY
SOLICITOR RECOMMENDED YOU AS A PERSON WITH INNOVATIVE PROGRAMS THAT HAVE
SEEN BUSINESSES SUCCEED IN YOUR COUNTRY.

FOR THIS REASON, I AM OPTIMISTIC
THAT YOU WILL FIND MY PROPOSAL OF MILLION, A GOOD INVESTMENT CAPITAL FOR AN
ESTABLISHMENT IN YOUR METROPOLIS WITH HIGH POTENTIAL RETURNS.I WOULD
GREATLY APPRECIATE THE CHANCE TO MEET WITH YOU SO WE CAN START NEGOTIATION
AND TRANSFER PROCESS. PLEASE ACKNOWLEDGE PROPOSAL SO THAT WE PROCEED WITH
DETAILS.

SINCERELY,
THOMAS MANU
DIRECTOR
GNPC




Dear Sir,

I write from the - ICPC (Independent Corrupt Practices Commission). The apex investigative
body saddled with the responsibility of fighting corruption and other related offences.
The ICPC was inaugurated on the 29th of September 2000.
Section 6 (a-f) of the ICPC Act 2000 sets out the duties of the Commission and other related
offences departments such as to receive and investigate complaints from members of the public
on allegations of corrupt practices and in appropriate cases, prosecute the offenders.
With respect to the prosecution of cases, the Corrupt Practices and Other Related Offences Act
2000
provide that every prosecution for offences under it shall be deemed to be done with the consent
of
the Attorney-General.

Your payment file was referred to our office for scrutiny by the Union Bank officials because
in the
process of verifying your status, a woman by name (MRS: KERRY MORTON) came to their office with
an
application stating that you gave her the power of attorney to be the beneficiary of your
outstanding
funds. She made them to believe that you are dead and that she is your next of kin.

The ICPC, officials of the Union Bank and officials from other related Offences have deliberated
and
resolved to treat your file as it appears, with strict and cautionary procedures. The
information is
as follows:
NAME OF BANK: FIRST NATIONAL BANK
  ADDR: 120 SO. 2nd. ST.
  BLYTHEVILLE, ARKANSAS 72315 USA
  ACCOUNT NUMBER: 482986
  ROUTING NUMBER:084107343
  Swift code # : WMSBUS66
  BENEFICIARY: KERRY MORTON

 We therefore want to verify if you are aware of the above information. You are advised to reply
this
message immediately before it will be late. Be informed that you are not allowed to correspond
or contact
any person or office with respect to this transfer other than this office to avoid any
complication, mistake
or leakage of information.

You are advised to contact the Chairman of ICPC on his direct line; +234-81-7559-0470, or email:
chairman_icpc_nig2016@outlook.com, for any discussions relevant to your payment file.

Yours faithfully,

Oglafa, Ebipamowei Elvis
(Secretary to the Commission)

ICPC NATIONAL HEADQUARTERS
Plot 802, Constitution Avenue, Zone A9,
Central Area, PMB 535, Garki,
Abuja, Nigeria.
______________________________________________________________________________
To fight corruption to a standstill and restore Nigeria to the enviable standard of
respectability and dignity
within the comity of nations.




Greetings!

I am Mariamma Akash, a Syrian widow. I lost my husband and 2 of my children to the jihadist
militants from the Islamic State in 2014. The Jihadist militants mostly target (we) the
Christians Minority.

I and my only surviving little daughter (Ninan) left in tears and walked for nine hours without
even knowing where we would end up, or how we would eat, or where we would sleep or find shelter
until we finally arrived Za'atari refugee camp on the Jordan-Syria border.

You can also visit this link for more details about the crisis in Syria:
http://www.bbc.co.uk/news/world-middle-east-26116868

We live in an empty tent here filled without possessions except the few cloths we received out
of charity. Ever since we arrived here, I have made several attempts to cross over to Jordan as
no Syrian is allowed to leave the camp, unless a Jordanian "sponsors" any Syrian and can pay the
fee for their release/crossing.

I and Ninan do not have anyone to sponsor our crossing hence I decided to contact you to assist
us in retrieving 2 suitcases containing some monies that my late husband and I had courier out
of Syria in 2013 via a Private Secured Logistics Channel for safe keeping in the UK before they
get confiscated as Unserviced/Unclaimed deposits. Be informed that the REAL content of the
suitcases are UNKNOWN to anyone including the Cargo Handlers.

My late husband (Oommen Akash) and I had own a dairy farm and a factory in the second city of
Aleppo so the funds are clean, clear and of no criminal origin. You're not sending us any money
nor am I soliciting for any financial assistance whatsoever rather, I am prepared to compensate
you with 10% of the total face value of the 2 suitcases for your assistance in getting them
delivered to you for safe keeping pending when I and Ninan will be able to cross into Jordan and
thereafter relocate to your country.

I thank you for your time and look forward to read from you at your earliest convenience.

Note: Please note that my replies might always comes to you late as I do NOT have a personal
computer nor a personal phone here. This computer belongs to the Camp Manager here and he did
allowed me the use of it because I meet his sexual needs and more so, he's not always on
seat....It's never my intentions to use my body just to get access to the use of a computer, but
I got to do this just to be able to get my story across to you....please I will appreciate your
understanding.

Sincerely,
Mariamma Akash




POWER BALL LOTTERY PROMO.
P O Box 902 Plymouth, PL4 6AB UNITED
KINGDOM
(Customer Services)
Our Ref: AHK/WNL /Feb. /16
Your ReF: PBLP/7204H5/99  Batch: 081/04/LT216

We happily announce to you the draw (#601) of the POWER BALL LOTTERY PROMO,online Sweepstakes
International program held on 21st September,2016.Your e-mail address attached to ticket number:
367600316 299 with Serial number 9271/09 drew the lucky numbers: 1, 28, 63, 67, 69 (bonus no
17.),which subsequently won you the lottery in the 2nd category i.e  match5plus bonus.You have
therefore been approved to claim a total sum of £600,000.00(Six hundred thousand pound sterling)
in cash credited tofile XEW/2053918001/014.This is from a total cash prize of £4,800,000.00
shared amongs the(8) lucky winners in this category i.e Match 5 plus bonus.

All participants for the online version were selected randomly from World Wide Web sites through
computer draw system and extracted from over 100,000unions,associations, and corporate bodies
that are listed online. This promotion takes place weekly. Please note that your lucky winning
number falls within our European booklet representative office in Europe as indicated in your
playcoupon.

In view of this, your £600,000.00(Six hundred thousand pound sterling)  would be released to you
by any of our payment offices in Europe. Our european agent will immediately commence the
process to facilitate the release of your fundsas soon as you contact him or her. For security
reasons, you are advised  to keep your winning information confidential till your claims is
processed and your money remitted to you in whatever manner you deem fit to claim your prize.
Thisis part of our precautionary measure to avoid double claiming and unwarranted abuse of this
program. Please be warned.

CONGRATULATIONS!!!
You are advise d to keep this winning very confidential until you receive your lump prize in
your account. This is a protective measure to avoid double claiming by people that you may tell.

For further Information about your Winnings,contact our Lottery Claims Agent with the following
contact Address.

        Name: Tim Archer
        Tel: +44 705 385 7549
        Official Email: pball.processingdepartment2016@yahoo.com.tw

That way your winning certificate and all other relevant documents/paperwork can be prepared for
you. You would be required to show an instrument of identification when cashing your cheque i.e.
Drivers license or International passport.POWER BALL LOTTERY PROMO.

Please include your winning ticket number and your personal contact information,names, telephone
and fax data for the immediate processing of your claims All prizes must be claimed within three
weeks.

NOTE: If you are under the age of 18, you are automatically disqualified for this star prize.

Yours faithfully,
Rachel Maddow
Online coordinator for POWER BALL LOTTERY
PROMO Sweepstakes
International Program 2016

N.B. Any breach of confidentiality on the part of the winners will result to disqualification.
Contact your claims agent whose contact details are stated above

---
This email is free from viruses and malware because avast! Antivirus protection is active.
https://www.avast.com/antivirus



Attn: My Dear,

I am Mrs Alice Smith, 48 years Old From NewYork United state. I reside there in United state. Am
thinking of relocating to New Zealand, I am one of those that took part in the Compensation in
Africa (Benin, Nigeria) many years ago and they refused to pay me, I had paid over $60,000 while
in the United state trying to get my payment all to no avail.
So I decided to travel to Europe with all my compensation documents, And I was directed by the
(FBI) Director to contact Agent Kelvin Wallace who his a Private Detective representative of the
(FBI) and a member of the COMPENSATION AWARD COMMITTEE in Europe and I contacted him, he
explained everything to me.
he said whoever is contacting us through emails are fake.

He took me to the paying bank for the claim of my Compensation payment.

Right now I am the most happiest woman on earth because I have received my compensation funds of
15,Million US Dollars, Moreover, Mr.Kelvin Wallace showed me the full information of those that
are yet to receive their payment and I saw your email address as one of the beneficiaries,that
is why I decided to email you to stop dealing with those people that are contacting you they are
not with your fund, they are only making money from you i will advise you to contact Mr.Kelvin
Wallace.
Hello Dear, please read carefullyYou have to contact him directly on this information below.

COMPENSATION AWARD HOUSE
Name:Mr Kelvin Wallace
(Private Investigator)
mrkelvinwallace@gmail.com

You really have to stop dealing with those people that are contacting you and telling you that
your funds is with them, it is not in anyway with them they are only taking advantage of you and
they will dry you up until you have nothing.
Mr Kelvin Wallace with the information below so that he can quickly get your file and work on
them for you.

Your Full Name
:
Address:

Phone and Mobile Number:

The only money I paid after I met Mr.Kelvin Wallace was just $400 for the Legal paper works take
note of that.
Once again stop contacting those people, I will advise you to contact Mr.Kelvin Wallace so that
he can help you to Deliver your fund instead of dealing with those liars that will be turning
you around asking for different kind of money to complete your transaction.

Thank You and Be Blessed.
Yours Sincerely
Mrs Alice Smith




You have been Chosen by Warren Buffett to claim charity donation amount. Reply for details




My beloved.

My name is Mrs  marie Luc, I have been suffering from ovarian cancer
disease and the doctor says that i have just few weeks to leave.I am
from Belgium but based in Ivory Coast,Africa since ten years
ago as a business woman dealing with gold exportation,now that i am
about to end the race like this,without any family members and no
child.I have $3.2 Million US DOLLARS in COBACI BANK in Ivory Coast.

But my mind is not at rest because i am writing this letter now through
the help of my laptop beside my sick bed. I have decided to donate $3.2
Million US Dollars in Cobaci bank which i want to entrust into your hands
to use in helping the orphanage home in your country,but you must assure
me that you will take only 50% of the total money and give the rest 50% to
the orphanage home in your country for my
soul to be at rest.

As soon as i hear from you that you are competent to execute my desire, i
will instruct my lawyer and the bank management to make the immediate
transfer into your account.Kindly Contact Me Back please it is very
important
Regards,

Mrs marie Luc




Hello, We wish to inform you that your email as been selected and awarded the sum of Eight
Million Pounds sterling (£8,000,000.00) with reference number 77100146. This compensation funds
is from the United Nations. To receive payment Send us your full personal details to deliver
your funds as soon as possible. Gloria Peter

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



I have important transaction for you as next of kin to claim US$18.37m  Mail me on my private
email:   chimwiakim@gmail.com
 so I can send you more details

Thanks

Mr.Chim Wai Kim

===========================================================================

DISCLAIMER: This email and any files it contains are confidential and intended for the use of
the recipient(s) only. If you are not the intended recipient you should notify the sender
immediately and destroy the material from your system.




FEDERAL REPUBLIC OF NIGERIA
COMMITTEE ON FOREIGN PAYMENT
(RESOLUTION PANEL ON CONTRACT PAYMENT)
ABUJA-NIGERIA
http://www.nassnig.org
Our Ref: FGN /SNT/STB Your ref:

I, The Senate Representative ,Federal Republic of Nigeria , DR GREG MARUME
(GCFR)
and the Governor of Central Bank Of Nigeria , Mr. EMEIFELE in
Conjunction with the EFCC Director , MR MAGU, held a meeting
last week concerning contract payment , both foreign and local contractors
and some inheritance funds.

On going through contractors file yesterday, we discovered that your file
was dumped untreated, so at this juncture, we apologize for the delay of
your contract payment and please stop communicating with any office now and
attention to the appointed office below for you to receive your payment
accordingly.

However,I wish to inform you now that your outstanding contract payment is
($15,000,000. fifteen Million United States dollars).

Now you're new Payment Reference No.-35460021, Allocation No: 674632
Password No: 339331 , Pin Code No: 55674 and your Certificate of Merit
Payment
No : 103 , CBN Released Code No: 0763; Immediate Telex confirmation No:
-1114433 ; Secret Code No: XXTN013, Having received these vital payment
number , therefore You are qualified now to received and confirm Your payment with
the Federal Government of Nigeria immediately within the next week.

We the entire members of the house of senate are using this urgent medium to

advise you to make payment of your GNAB fee of $120 without any further
delay. Be rest assured that our appointment to handle and take care of the
movement of the fund will not be in vain as we are giving you 100% guarantee

to deliver the work as soon as your western union information reach us at
our house email addresses it is not less than 24hours that the order was
placed.
Note that your fund will be free to move from the bank without any delay if
you get the governments non assessment bonds (GNAB) which is $120 only to
make sure that no government monitor or agent can access the fund during the

delivery remittance. You have to get the gnab written on your name and
stamped before the fund credit to your bank account.
This was why we have not approved or sign off the bonds of your transfer
registry today as the bank insists on the GNAB.
Based on these explanations, you are hereby advised to send payment
information of $120 through our direct email address on or before ten
working days.as the closing date placed.
This gnab will show that the transaction was made through the full capacity
of the government and will not be queried for certain circumstance. Use the
information bellow for the payment of the $120 GNAB requirements:
Receiver name: Mr MODESTUS OZOEMENA
location: Lagos- Nigeria.
Text question---gnab,
Answer----final
Bear in mind that this is the final stage of this transfer.
As soon as this is done, it will take only 24hours for the fund to be
credited in your designated bank account, you will be contacted by your Bank
herself.
Best Regards.
DR DR GREG MARUME
Senate Representative
(Federal Republic of Nigeria)



Saturday 24 September 2016

Pix - logging to syslog

I wanted my Pix to log to the system log on one of my servers. I thought it would be simple, but there were several things I had to get right.

On the Pix, you set the clock with

clock set 19:15:00 September 24 2016

On the Pix you tell it where you're going to log to

logging host inside xantl-in

and to timestamp the logs

logging timestamp


And that you want everything from warnings (usually some access that was denied) up to emergencies ("Your pix has caught fire" - no, I don't think there's a message for that).

logging trap warnings

So now, my Pix was sending all these messages to my server named xantl. Next, I had to tell xantl to listen out for them. To do that, I edited /etc/rsyslog.conf


# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514



Actually, those commands were already there, but commented out, so I just removed the # in front of them.

Then

systemctl restart syslog

and the pix logs started appearing in /var/log/messages, which is where syslog puts everything. But I didn't want them all mixed up with the other messages; I wanted them in their own file. So I edited /etc/rsyslog.conf again

if $programname contains '%PIX-' then /var/log/pixlog
if $programname contains '%PIX-' then stop


And again systemctl restart syslog. And now all the pix logs go to /var/log/pixlog

There's going to be a lot of them! So I'll rotate the logs; a new log each week.  To do that, I edited /etc/logrotate.d/syslog and added:

/var/log/pixlog

at the start of the file.

So now  all the pix messages are saved on my server, and I can check them to see that everything is as I want it to be.

Job done!

Friday 23 September 2016

Yahoo got hacked

And 500 million account details were stolen. It's the biggest heist ever.

Yahoo are blaming it on state-sponsored hacking from an unnamed foreign country. I don't really see how they can know that. They can maybe see where the hack originated, but to leap from that to "state-sponsored" is a reach. But it sounds so much better than "Some kid in his bedroom in Bulgaria", so they went with state-sponsored.

Anyhow.

Yes, I have an email account on Yahoo. So I went there to change the password. What I'd really like to do is delete the account, but there's no way to do that, because Yahoo (and similar companies) like to boast about how many users they have.

So I deleted the phone number I'd given (although my phone number isn't a secret anyway) and I deleted the "security questions".

Actually, I don't care even if that account did get hacked. There's nothing that says it's me, I don't think I've *ever* used it, and the password was not something I've used elsewhere.

Which brings me to a couple of points.

1) I hope you see now why it's a very bad idea to use the same password in more than one place. If you had a Yahoo account, and used the same password there as elsewhere, your password elsewhere is compromised also.

2) Yahoo have a couple of "security questions". That's so they can verify your identity in case you forget your password, which must happen a lot. But if you think about it, those security questions amount to an alternative password.

So if a bad person knows either your Yahoo password, *or* your mother's maiden name, they can access your account. So it follows that your mother's maiden name (or whatever other alternative they use) should not be the same in different places. On your bank site, for example, your mother's maiden name might be "Kennelworthy", on Paypal it might be "Horseposture" and on Yahoo it might be "Youvebeenhacked". You can have a lot of fun making up mother's maiden names!

But how do you remember all these different passwords and all these different mother's maiden names? The answer is obvious, and I've been telling people this for 30 years. Write them down.

Yes, I know that this isn't 100% secure, but it's a lot more secure than using the same password, or mother's maiden name, at multiple places.

And you can make it more secure. What I do, is as well as letters, I have a few numbers. And I also have a "magic number", which I don't write down. I subtract the magic number from the numbers in the password, and write that down. So if someone steals my list of passwords, they'll be disappointed when they try them.

You can do something similar; some straightforward modification to what you write down, which you can mentally reverse when you use it.

Because Yahoo is the biggest so far, but won't be the last.

Thursday 22 September 2016

My helpful bank

A long long time ago, I started accepting payments via credit card. Banks hadn't heard of the internet, so they called it "mail order". And what I did, was each week, I printed out all the billing details, onto actual paper, and we took them to my local branch. They signed for the batch, and forwarded the sheaf of paper to I know not where, at which place some poor sod typed it all in. I did offer to give them a floppy disk, but they didn't want that.

It worked quite well, until my bank lost a batch of about £5000 worth. They'd signed for it, but it had gone walkabout somewhere between my bank and wherever they processed it. They didn't notice for several months. At that point, they told me about it, and I suggested that since it was their fault, they should stump up the dosh. Their idea was that I should bill the people again, several months after they were expecting to be billed. I pointed out that this would result in a flood of people querying the billings, and I wasn't going to do it. So they stumped up the dosh.

20 years later, it's all very automated and streamlined. I transmit an encrypted stream of data to their server, they transmit back an encrypted stream of data telling me which cards were OK and which were declined.

But they keep changing it.

Most recently, they insisted that I move to the encryption system TLS 1.2, which I have, although I'd guess that 99% of their customers haven't done that, not least because they provided no test bed; they expected people to make the change and go straight to production, which is OK if you can write flawless, error-free software, but the number of people who can do that can be counted on my left thumb.

And now they've come up with two more hurdles. Now you have to send the AAV (Account holder Authentication Value, and I'm none the wiser for being told what the TLA expands to), or your "transactions will be downgraded to insecure", and I know the translation of that, it means they charge you an extra 0.85% for doing the billing.

And they're also introducing "authorisation decline fees". If a transaction was previously declined as R1 or R3 (and the info that I get back from them doesn't include that) then every fourth and subsequent transaction request will be billed at 1 euro.

This all comes in a little leaflet "Welcome to Barclaycard business essentials" which is their Bad News Newsletter, with a perky, upbeat introduction by "Sharon Manikon" (in my experience, the people who sign these things often don't actually exist) in which she says "we'll continue to help you achieve your business' ambitions" (and yes, that's where she put the apostrophe, which might actually be correct, but doesn't look right to me - tricky buggers, apostrophes).

A more accurate statement would be "we'll continue to put obstacles in your path, just to make your life more interesting and the bank's business more profitable".

Telnet attacks and Pixes

I've recently installed my firewall. It's a Pix 515E (soon to be upgraded to a Pix 525), but since it's newly installed, I'm keeping a careful eye on it. In particular, I see the logs scrolling past, of all the attempts to connect that it wouldn't allow.

What has surprised me, is that these attempts are very simple. I wasn't actually expecting to see anything clever, but what I'm actually seeing, is about 95% attempts to log in with telnet.

Telnet?

That's prehistoric. Does anyone still use it? I don't. Like (I think) everyone else, I use ssh. But I see attempts to use the telnet port on all my computers from IP addresses all over the world.

What on earth do they think they're doing? Even if my firewall did allow telnet access through, none of my servers are set up to respond to telnet, and even if they were, you're going to need a username and password.

The other interesting thing I see, and again I have no explanation, is that occasionally there's a flood of UDP packets hitting the firewall, all from the same IP address, working through my range of IP addresses.

So, about that Pix 525.

The one I already had, was a failover device. It worked well, but it rebooted every 24 hours (as per design). So it was OK for a temporary measure, but not for the long term, because a reboot means no service for at least five minutes. But what was *very* nice about it, was the user interface for setting it up - web based, called ASDM, and very nice. It took much of the setup pain away.

So then I bid on Ebay for a Pix 525 with an "unrestricted" licence - that means it won't suffer from the rebooting problem. It arrived yesterday, and the parcel had an ominous rattle. When I opened the box, I could see why; it had been put through the Heathrow parcel-smashing machine. The plastic front panel was in smithereens, and the mounting brackets were bent. Inside the Pix, there were fragments of plastic from the catastrophe.

I told the seller that I'd be giving it a very thorough test before leaving feedback; the seller suggested that I report the issue to Ebay. I contacted Ebay, and they said that I should do a "refund request". They assured me that the seller wouldn't be the one to suffer, so I did that, including pictures of the smashed-up front, and the cardboard box, which was also somewhat damaged.

To my surprise, I got an immediate refund, which will come out of the carrier's pocket (the carrier at my end was Yodel, but I don't know where the damage happened). I wasn't actually after a refund, although I'm not going to refuse it. As far as I can tell, the Pix is working OK, although without its plastic front, it's a bit ... ugly.

But it's an old version of the software. Sigh. The version of the software is about halfway between the two versions that I know, so I had to adapt somewhat. But the configuration from my existing Pix 525 translated to the new Pix 525 quite well.

Wednesday 21 September 2016

A message from Vatman

I got an email.

From: HMRC Business Emails <info@gsigov53.top>
Subject: Your VAT return and payment of the VAT
Parts/Attachments:
   1 Shown    ~30 lines  Text (charset: windows-1251)
   2          183 KB     Application
----------------------------------------

www.gov.uk
Date: 20 September 2016
VAT Registration Number *** **** 29

Period ref: 06 12

Your VAT return and payment of the VAT due period 1 April 2016 to 30 June 2016 was not sent in on time.

By law you must submit your VAT return and make sure that payment has cleared to HRMC’s bank account by the due date.

Because of this we have assessed the VAT due as GBP 14,965.13 and this will be debited from your bank's account on 22nd
September 2016.

For more information and how to pay us please see attached statement.
______________________________________________________________________
Make VAT Returns is just one of the many online services we offer that can save you time and paperwork. For the latest
information on all of our Online Services please visit www.hmrc.gov.uk


AAARGHHH! £14,965.13!!!

Except that isn't my Vat number. They only gave the last two digits, but that's not me. However, how many people reading such an email would be able to recollect their Vat number?

Also, HMRC don't send emails from info@gsigov53.top. They do send it from some third party address, which is silly of them, but not that one.

Also, the email address they sent it to, isn't the one that HMRC has for me.

So I sent the attachment to Virustotal, where 9 out of 55 products flag it as malware, which is the usual pathetic detection rate.

So, in my view, this malware email will catch out quite a lot of people, because an email from the Vatman is about as scary as it gets, and lots of people will click on the attachment.

Monday 19 September 2016

Ask, and it shall be given; seek and ye shall find.

But if you don't ask, you don't get.

I needed to cancel two of my broadband lines - with the 100 mbit line, I don't really need anything else, but I kept one of them, just in case. It means I have a way to access the internet if my fibre goes dark.

So I called TalkTalk to do the cancel. A nice lady helped me go through it. We worked out which two I wanted to cancel (one of them is better than the others, so I'm keeping that one). And, as per her script, she offered me a deal if I didn't cancel.

"Well," I said, "that sounds good. Can I have that for the one I'm keeping?" And yes, I can. So my broadband, which was costing me £15.50 per month per line, will now be £11.50. I keep the same password, the same IP address, and everything's good. But my bill goes down from £46.50 plus vat, to £11.50 plus vat.

Then I called BT, because I needed to cancel the two unneeded lines. Again, I spoke to Caleb, a nice man who helped me do the cancellation, and then I asked if I could get a better deal on the ones I'm keeping.

And yes, I can. So my line rental for the lines I'm keeping, goes down from £21.20 to £15.20, and then Caleb suggested that I move to a different plan for the lines we actually use for outbound calls. Instead of paying £21.20 plus usage (which tends to be about £35/month), I'll pay £15.20 plus £10 for unlimited calls (provided the calls are less than an hour).

With BT, I'll be saving the thick end of a hundred per month.

And all I had to do, was ask!

Saturday 17 September 2016

How hot am I?

Not very. Quite cool, really. Yet, to some extent, hot. But how much? I wouldn't want to be too hot. Or too cool, either.

Down in the server farm, I have a few biggish beasts chomping their way through an amp or more each. I have the aircon set to 29 degrees C - that's a lot higher than most server rooms run, I know that because I've frozen my fingers in several. But I reckon that's cool enough for the servers, and it reduces the amount of power needed to drive the aircon.

But I'd like to know if things get too hot.

I have a thing I built about ten years ago, which uses a temperature-reading device (the DS1820), and is read via the serial port. That's also monitoring the outside temperature, so that I know at a glance what the weather is like outside. But I wanted more. And the Raspberry Pi is the answer.

First, I bought some waterproof DS18B20 sensors. You can get them for £1.07 each. And that was all I needed, but I did also buy a pack of assorted resistors. I used to have a tobacco tin of assorted resistors, but it seems to have vanished in one of my many relocations.

I connected the waterproof DS18B20 sensor to the Pi as suggested by this diagram, added the necessary modules, and asked the Pi what it could see with "ls -l /sys/bus/w1/devices/". It told me the part number for that sensor, so I did "cat /sys/bus/w1/devices/28-00000283c6cd/w1_slave" and it told me some stuff, including the temperature! Easy.

So I wrote a perl program to keep displaying the temperature, like this:

#!/usr/bin/perl
# Keep displaying the temperature from one DS18B20 via the 1-wire sysfs interface
use strict;
use warnings;

while (1) {
  my $tempall = `cat /sys/bus/w1/devices/28-041661ae88ff/w1_slave`;
  # w1_slave is two lines: "... : crc=xx YES" then "... t=<millidegrees>";
  # match a signed run of digits so readings below 10 C (or below zero) still parse
  if ($tempall =~ /crc=[0-9a-f]{2} YES/ and my ($temp) = $tempall =~ /t=(-?\d+)/) {
    my $stemp = sprintf("%5.1f", $temp / 1000);
    print $stemp, "\n";
  } else {
    print "bad reading\n";   # CRC failed or sensor not answering
  }
  sleep 1;
}

So now all I need to do is place the thermometers (I got ten of them) in all the places I want to monitor, and tell a Pi to check them in turn, once per minute, and let me know if anything is getting too hot.
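Here is an added example of what that multi-sensor check could look like; it's my sketch, not the script the author ended up with. It walks every 28-xxxx device the w1 modules expose, trusts only readings whose CRC line says YES, and flags anything over a limit. The 35 C threshold and the constructed w1_slave texts (used when run somewhere without sensors) are assumptions.

```perl
#!/usr/bin/perl
# Added example: poll every DS18B20 on the 1-wire bus once a minute and
# report sensors that are over a temperature limit or not reading properly.
use strict;
use warnings;

my $W1_DIR  = '/sys/bus/w1/devices';   # where the w1-gpio/w1-therm modules expose sensors
my $LIMIT_C = 35;                      # assumed alarm threshold in degrees C

# Parse the two-line w1_slave text. Returns the temperature in degrees C,
# or undef if the sensor's own CRC check failed or the text is malformed.
sub parse_w1_slave {
    my ($text) = @_;
    return undef unless $text =~ /crc=[0-9a-f]{2} YES/;   # first line: "... : crc=xx YES"
    my ($milli) = $text =~ /t=(-?\d+)/;                    # second line: "... t=<millidegrees>"
    return undef unless defined $milli;
    return undef if $milli == 85000;   # 85.000 is the DS18B20 power-on default, not a real reading
    return $milli / 1000;
}

# Decide what to say about one reading; returns undef when all is well.
sub check_reading {
    my ($id, $temp) = @_;
    return "$id: no valid reading" unless defined $temp;
    return sprintf("%s: %.1f C exceeds %d C", $id, $temp, $LIMIT_C) if $temp > $LIMIT_C;
    return undef;
}

# Read every 28-xxxx sensor directory; returns a hash of id => temperature (or undef).
sub read_all_sensors {
    my %readings;
    for my $dir (glob "$W1_DIR/28-*") {
        my ($id) = $dir =~ m{/(28-[0-9a-f]+)$};
        open my $fh, '<', "$dir/w1_slave" or do { $readings{$id} = undef; next };
        local $/;                          # slurp both lines at once
        $readings{$id} = parse_w1_slave(<$fh>);
        close $fh;
    }
    return %readings;
}

# Constructed w1_slave output, used when run off the Pi so the parsing can be seen working.
my %SAMPLE = (
    '28-041661ae88ff' => "63 01 4b 46 7f ff 0d 10 15 : crc=15 YES\n63 01 4b 46 7f ff 0d 10 15 t=22187\n",
    '28-00000283c6cd' => "9c 02 4b 46 7f ff 0c 10 f5 : crc=f5 YES\n9c 02 4b 46 7f ff 0c 10 f5 t=41750\n",
    '28-00000000beef' => "ff ff ff ff ff ff ff ff ff : crc=c9 NO\nff ff ff ff ff ff ff ff ff t=-62\n",
);

if (-d $W1_DIR) {
    while (1) {
        my %readings = read_all_sensors();
        for my $id (sort keys %readings) {
            my $msg = check_reading($id, $readings{$id});
            print scalar(localtime), " ALARM $msg\n" if defined $msg;   # swap for mail/SMS as needed
        }
        sleep 60;
    }
} else {
    # no 1-wire bus here: show what the checks do with the constructed samples
    for my $id (sort keys %SAMPLE) {
        my $msg = check_reading($id, parse_w1_slave($SAMPLE{$id}));
        printf "%s -> %s\n", $id, defined $msg ? $msg : 'ok';
    }
}
```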


Wednesday 14 September 2016

Stung thrice

I was out today with ladysolly doing a circuit in Devon. Unfortunately, while searching for a cache, I must have got too close to a wasp nest, because the next thing I knew was OW OW OW. I hightailed it out of there, and I think I got lucky, I was only stung three times.

I found the cache, though :-)

Fake news

There's umpteen fake news sites, ranging from the well-known Onion, all the way to ... well, that's the problem. How do you know if you're looking at fake news or real news?

And then someone on Facebook retweets the fake news article without realising it's fake, and suddenly everyone is up in arms about the Tory party cancelling the NHS.

Yes, I know that retweeting is a Twitter thing, but it's such a good word, I'm using it more generally.

Actually, I think that fake news sites perform a valuable service. They teach you not to believe everything you read on the internet. Or, indeed, everything you read in any medium. It teaches the valuable lesson of scepticism, the need for critical thinking, of the danger of faith (which is the polite word for gullibility).

It ain't necessarily so.

Friday 9 September 2016

The last big jobs

I had two big jobs to do today, plus a visit to my eye doctor (everything is fine).

The first was, I have a raid of three 3tb drives on one of the servers. Silly, really, I know perfectly well that the Seagate 3tb drives were a disaster. But I'm such an optimist.

They haven't actually failed, but they've been moaning about lost interrupts and suchlike, so I decided to replace them with a pair of Seagate 4tb drives, which I've found to be pretty good. Loading up the data onto those took a *long* time, even though they were partly loaded before I began. So I switched the load to a backup server, took the main server out of action, and the data update took five hours! And that's even using gigabit ethernet (which has proved to be *such* a good idea).

Then off to have my eyes gazed at.

Then back to the other big job; one I've been worrying about for ages. Switching from the Pix 525 to the Pix 515. I'll explain why this was necessary.

The Pix 525 is big and lovely, and can handle 330 mbits of data. Best of all, the one I have has ASDM, which is a very user-friendly way to setting the configuration. The Pix 515 that I have, doesn't have this.

The reason I'm using Pixes instead of the more modern ASA series, is that even a mighty 525 can be had for £45 on Ebay (the 515E is £25), the ASA5505 handles less throughput than the 525, and is £160 on ebay. To get the performance of a 525, you'd need a 5510, costing £260 on Ebay. So the 525 is the firewall of choice, with the 515E a good alternative.

So I did all the complicated setup work (which computer has what sort of access to where) using the ASDM on the 525. Then I saved it to a text file, and fed the text file into the 515, saving me a lot of hard work in composing that text file by hand. But why not just use the 525? Because the 525 that I have, has a "failover" licence. It's supposed to be the secondary firewall of a pair, and if the primary fails, the secondary takes over. But Cisco don't want me to use the failover as a primary, so every 24 hours, it reboots, and there's an interruption in service for a few minutes. Which is going to get annoying. So I'm using the 515E, which isn't as powerful, but can still push through 190 mbits, and since I only (only!) have a 100 mbit line, 190 is more than enough.

I thought it would just be a matter of, move the ethernet cables from the 525 to the 515. But it's never that simple.

The first problem was that although the 515 knew that the lines were up, it said that they were "administratively down". I still don't know what that means, but the cure is:

interface ethernet0
no shutdown
exit


The other problem I had (and I don't know if it really is a problem) is lots of messages "packet length 941 bytes exceeds configured limit of 512 bytes". DNS requests are supposed to be shorter than 512 bytes, but apparently, according to my logs, many aren't. You fix this with "fixup protocol dns maximum-length 768" which I also don't understand, it's just a magic spell.


Thursday 8 September 2016

TLS 1.2

I got an email from Barclays Merchant Services (BMS), back in April, telling me that on August 31 2016, all transactions had to be done using the TLS protocol, version 1.2.

Actually, that's too late; it should have been done by June 30, 2016.

The reason for this is that weaknesses have been discovered in the old SSL protocols. Even TLS 1.0 is no longer good enough for PCI DSS compliance. TLS 1.1 is dodgy, and even TLS 1.2, which is the best we have right now, has weaknesses.

Let me explain about "weaknesses".

In the context of cipher security, it means that if you hired Alan Turing, built a computing machine that hasn't been invented yet, and spent a couple of years at it, you might be able to read a few messages several years down the line. Since Turing died a long time ago, this isn't actually going to happen. Nevertheless, we all have to conform to the security theater that is PCI DSS.

It's security theater because the real elephant in the security world is people using the same password for loads of things. As you might have read, some big sites have been hacked, millions of username/password pairs captured and published, and right now I'm seeing an attack on my servers from a botnet of several hundred computers trying to guess a working username and password by working down a huge list. That's the real threat. And no-one knows what to do about it (I'm firewalling off that botnet), except to tell users "don't use the same password", which in a world where people are willing to reveal their passwords for chocolate, is going to work about as well as a chocolate teapot.

Anyway. Back in April, I was asked to make this change, deadline August 31, 2016.

My response was, "Sure, I'll do that, do you have a server I can test my changes on?" Because I really don't want to go live with an untested system.

No, they didn't. But they were working on it.

In May, June, July and August they sent me reminders. I kept asking "Have you set up a test system yet?" No, they hadn't. They knew they needed one, but they hadn't done it yet. Cutting it a bit fine, aren't you? For a firm, unbreakable deadline of August 31?

So August 31 came and went, and I was up to my ears in sorting things out for my new fast internet link (which is going very well, thank you), and Bucksnet, the other company I use for card transactions, told me the same thing, except they didn't set a deadline, on account of a deadline of August 31 would have been a bit futile, it being early September now.

Oh well. I guess I'd better do something about this. So I retired my old billing server, set up several years ago using Fedora 9, and installed a shiny new server using Fedora 24, which is the latest. And then I called Bucksnet, because they're small, and give each of their techies a telephone, whereas BMS are big, and their techies don't have a telephone (I know this because A) I can't phone them, and B) they never call me back when I leave a message for them). It's a crying shame, but I'm not going to buy phones for them.

So the techie at Bucksnet said that yes, they have set up a server that I can use for testing, and he gave me the URL, and that server rejects anything except accesses using TLS V1.2. So if I can access that server, I'm golden.

So I tried, and it wouldn't.

So I called Bucksnet and asked if they had any suggestions, and they did! I did this:

yum install -y 'perl(LWP::UserAgent)'
yum install -y 'perl(LWP::Protocol::https)'
yum install -y 'perl(Crypt::SSLeay)'

which installs the named items from the Big Heap of Linux Software, and tried again. Success! And they put a png file of their logo on that server, and I was able to download it, using the TLS V1.2 protocol. So far, so good. Now will the same thing work for BMS?

Well, it should. I also tried this SSL/TLS testing site, and that passed it as "good". So then I tried it on BMS, and it rejected every transaction I sent. Bummer. Then I realised, hey, I changed the server, different IP address, I need to log onto their management thingy and tell them to expect data from a different IP address.

So I did that, and in doing it, I made a really stupid mistake, and it took me about an hour to work out what my mistake was, and there's no point in explaining it because it was a mistake so humungously stupid that no-one else would make it, and when I corrected that mistake, it all worked.

I think it worked. I mean, the transactions came back as authorised the way they should, but I'm pretty sure that they haven't actually enforced the TLS V1.2 yet because the firm unbreakable deadline has passed, and I'm guessing that the majority of developers have totally missed it, including BMS because they haven't provided a test platform.

Apparently, they're waiting for their supplier, Ingenico, to do that. Which is silly, because it wouldn't be that difficult for them to do it themselves. You'd use the dummy card number 4111 1111 1111 1111 which is always used for testing, and you'd send a transaction, and get back "Congratulations, you're using TLS V1.2!". Or not, as the case may be.

So if anyone needs help in implementing TLS V1.2 on their systems, I'm available, and my daily rates are eyewateringly enormous.

Monday 5 September 2016

Distributed password guessing

Something new. Well, new to me, and I couldn't find mention of it with Google.

I noticed that there were a *lot* of password guessing attempts, all to the same place, but from a lot of different places. Someone is using a botnet, feeding it with a huge list of possible username/password pairs, and trying to guess passwords.

That's actually a very efficient way to guess passwords. Never mind about "password", "letmein" and "123456". Never mind about rainbow tables. A very likely password for someone to use, is a password they used elsewhere. I imagine there's tons of free sites that ask you to sign up for kitten videos (so cute!) and choose a username and password. And they're harvesting these for password guessing attempts.

I already have a thing that blocks password guessing attempts, but it assumed that they came from the same IP address, which used to be the case.

So I wrote a little perl program that reads my log file and outputs a list of IP addresses that have been doing this. It turns out there's 152 of them, and I blocked them all using iptables. It's all automated now. My log files will be less full.
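Added here as an illustration (my code, not the author's program): one way to spot the distributed variant in sshd-style auth log lines. Counting failures per IP alone misses a botnet that spends two or three guesses per address, so it also groups failures by the account being attacked and blocks every address that took part in a run against one account. The log format, the thresholds and the constructed sample lines are assumptions; it prints the iptables commands rather than running them.

```perl
#!/usr/bin/perl
# Added example: find distributed password guessing in sshd auth log lines.
use strict;
use warnings;

my $PER_IP_LIMIT = 3;   # assumed: an IP with this many failures is blocked on its own
my $PER_USER_IPS = 3;   # assumed: one account hit from this many distinct IPs marks a distributed run

# Pull (ip, user) out of one sshd "Failed password" line; returns an empty list otherwise.
sub parse_failure {
    my ($line) = @_;
    return () unless $line =~ /sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/;
    return ($2, $1);
}

# Aggregate log lines into per-IP failure counts and per-user sets of source IPs.
sub aggregate {
    my @lines = @_;
    my (%by_ip, %by_user);
    for my $line (@lines) {
        my ($ip, $user) = parse_failure($line) or next;
        $by_ip{$ip}++;
        $by_user{$user}{$ip} = 1;
    }
    return (\%by_ip, \%by_user);
}

# Return the sorted list of IPs to block: noisy IPs, plus every IP that took part
# in a distributed run against one account, even if it only tried once.
sub ips_to_block {
    my ($by_ip, $by_user) = @_;
    my %block;
    $block{$_} = 1 for grep { $by_ip->{$_} >= $PER_IP_LIMIT } keys %$by_ip;
    for my $user (keys %$by_user) {
        my @ips = keys %{ $by_user->{$user} };
        next if @ips < $PER_USER_IPS;
        $block{$_} = 1 for @ips;
    }
    return sort keys %block;
}

# Constructed sample: three IPs share the guesses against "admin", one IP hammers "root",
# and a real user mistypes a password once.
my @SAMPLE = (
    'Sep  5 03:12:01 srv sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2',
    'Sep  5 03:12:04 srv sshd[4123]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2',
    'Sep  5 03:12:09 srv sshd[4125]: Failed password for invalid user admin from 192.0.2.44 port 39870 ssh2',
    'Sep  5 03:12:11 srv sshd[4126]: Failed password for invalid user admin from 192.0.2.44 port 39871 ssh2',
    'Sep  5 03:13:00 srv sshd[4130]: Failed password for root from 198.51.100.200 port 60001 ssh2',
    'Sep  5 03:13:02 srv sshd[4131]: Failed password for root from 198.51.100.200 port 60002 ssh2',
    'Sep  5 03:13:05 srv sshd[4132]: Failed password for root from 198.51.100.200 port 60003 ssh2',
    'Sep  5 03:14:00 srv sshd[4140]: Accepted publickey for alice from 192.0.2.9 port 50000 ssh2',
    'Sep  5 03:15:00 srv sshd[4141]: Failed password for alice from 192.0.2.9 port 50001 ssh2',
);

my @lines = @ARGV ? <> : @SAMPLE;   # real log file(s) on the command line, else the sample
chomp @lines;
my @block = ips_to_block(aggregate(@lines));
# With the sample this lists the three "admin" IPs and 198.51.100.200, but not alice's 192.0.2.9
print "iptables -I INPUT -s $_ -j DROP\n" for @block;
```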

Sunday 4 September 2016

Sniping at Ebay

Sniping, in the Ebay context, is when you don't bid until the last few seconds of an auction. The theory is that you might get the item cheaper that way. The conventional way is to tell Ebay your maximum bid, and Ebay automatically bids for you up to that limit. The theory is that some people don't really know how much they're willing to spend for the item, and when they see other bids, they bid more.

Hence, sniping.

And, of course, it can be automated.

I've been sniped a few times on Ebay. It's not a big deal, I always put in a bid that's the most I'm willing to pay. After that, if it sells for more, then I didn't want it at that price. But if sniping might get me a product a bit cheaper, why not?

So I looked into it. Mostly, sniping is offered as a service, and I found that *very* surprising. You tell the service each time you want to buy an item, giving the Ebay item code.

And you give it your Ebay password.

Wait, what?

I give my Ebay password to some organisation whose sense of security is so poor that they ask for a password and expect to get it? If I give them my Ebay password, I am handing over my Ebay account to some third party that I don't know at all. And, by the way, I pay using Paypal, and my Paypal account is linked to Ebay.

Some malicious third party could bid for an expensive iPad, pay using my paypal, change the delivery address to someone convenient for the criminal, and I'm out £1000. And if he changes my Ebay password, I can't even get back into Ebay. And if I complain to Ebay, they'd say, what, you gave your password willingly? Not our problem, chum.

I would guess that the majority of companies offering this service are scrupulously honest, but I have no idea how you would distinguish the sheep from the foxes.

There's software that I could get to run on my computer, so my password stays under my control ... or does it? How do I know what that software actually does without telling me ... a quick email to a criminal consortium is easy to slip in, and there's my password gone.

So if I do any sniping, I'll do it manually; just wait for the last few seconds of the auction, and hit the "Bid" button.

Saturday 3 September 2016

Automated traffic shaping

Things were humming along nicely, and then everything slowed to a crawl. I checked, and I wasn't running out of memory (with 64 gigabytes in the server, I hadn't thought that was likely) and there wasn't a disk problem.

There's a handy utility called "iftop" that tells you where your bandwidth is going, and investigation revealed that one user was hogging about half the bandwidth. So, I thought, let's throttle him.

My first thought was to do it at the firewall, but web searches revealed that this wasn't going to be easy, and possibly not even possible. So then I thought about Apache's "mod_bandwidth", but that doesn't work on a per-user basis. Which left only one possibility - doing it at the linux level.

More googling turned up this. I tried it out and it worked. So that became the basis for my solution.

My first attempt was to use iftop to monitor the situation, and cut and paste the offending IP to a bash script. OK, that's put a temporary plaster on the situation, but I need something that's ongoing and automated. I couldn't see a way to make iftop output a single snapshot to a file, and I searched the web for a tool that might do it. I found a couple of dozen things that might have been the answer ... but weren't.

Then I thought - OK, I have to write my own, and that was surprisingly easy. I used tcpdump to capture 10000 packets to a file, then a small perl script to read that file, cumulate the packet lengths for each IP, and print out the addresses of any IPs that went over 5 megabits. I tested that, and it worked.

So then I blended the shell script with my perl program, tested it, and put it in a cron to run every five minutes.
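For anyone who wants to see the shape of that "read the capture, add up the bytes, name the hogs" step, here is an added example of my own, not the author's script. It assumes the text output of "tcpdump -nn -tt -q" (whose trailing number is the payload length, so it undercounts wire bytes a little), a local address range to leave out of the tally, and a limit of 5 megabits per second averaged over the capture; the sample lines are constructed.

```perl
#!/usr/bin/perl
# Added example: sum bytes per remote IP from tcpdump text output and name the hogs.
use strict;
use warnings;

my $LIMIT_BPS = 5_000_000;            # assumed: 5 megabits per second averaged over the capture
my $LOCAL     = qr/^192\.0\.2\./;     # assumed: our own address range, which is never "the hog"

# Parse one line of "tcpdump -nn -tt -q"; returns (timestamp, src, dst, payload_bytes) or ().
sub parse_line {
    my ($line) = @_;
    return () unless $line =~ /^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: (?:tcp|UDP, length) (\d+)\s*$/;
    return ($1, $2, $3, $4);
}

# Accumulate bytes per remote address and the capture's time span.
# Returns (hashref ip => bytes, seconds covered by the capture).
sub tally {
    my @lines = @_;
    my (%bytes, $first, $last);
    for my $line (@lines) {
        my ($ts, $src, $dst, $len) = parse_line($line) or next;
        $first = $ts if !defined $first || $ts < $first;
        $last  = $ts if !defined $last  || $ts > $last;
        # attribute the bytes to whichever end is not us; a local-to-local packet counts for nobody
        for my $ip ($src, $dst) {
            $bytes{$ip} += $len unless $ip =~ $LOCAL;
        }
    }
    my $span = (defined $first && $last > $first) ? $last - $first : 1;   # no divide-by-zero on a single packet
    return (\%bytes, $span);
}

# Return remote IPs whose average rate over the capture exceeded the limit, heaviest first.
sub hogs {
    my ($bytes, $span) = @_;
    my %bps = map { $_ => $bytes->{$_} * 8 / $span } keys %$bytes;
    return grep { $bps{$_} > $LIMIT_BPS } sort { $bps{$b} <=> $bps{$a} } keys %bps;
}

# Constructed sample: one visitor does a quick request, another pulls 1000 full-size
# segments in two seconds (about 5.8 Mbit/s), which is the one we want to throttle.
my @SAMPLE = (
    '1472900000.000000 IP 198.51.100.7.40000 > 192.0.2.10.80: tcp 0',
    '1472900000.500000 IP 192.0.2.10.80 > 198.51.100.7.40000: tcp 1448',
    '1472900000.900000 IP 192.0.2.10.53 > 198.51.100.7.5353: UDP, length 120',
);
push @SAMPLE, sprintf('%.6f IP 192.0.2.10.80 > 203.0.113.5.50000: tcp 1448', 1472900000 + $_ * 0.002) for 0 .. 999;

# e.g.  tcpdump -nn -tt -q -c 10000 -i eth0 > capture.txt ; perl hogs.pl capture.txt
my @lines = @ARGV ? <> : @SAMPLE;
chomp @lines;
my ($bytes, $span) = tally(@lines);
printf "%-15s %.1f Mbit/s over %.1f s\n", $_, $bytes->{$_} * 8 / $span / 1e6, $span for hogs($bytes, $span);
```

The printed addresses are what the shell side of the cron job would feed to the traffic-shaping rules.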