…and around it goes

April 21, 2009

SMS can be malicious

Filed under: Privacy — steve @ 10:54 pm

A subscriber brought RexSpy to my attention after reading here that I took the plunge into a smartphone.  This, of course, sent me off on a fact-finding journey through Google.  There seems to be some trepidation about validating this threat.  It may just be a company (SecurStar) trying to drum up business for its product.  In fact, little has been heard of it since it was announced, and I cannot even find the supposedly free removal tool offered by SecurStar anymore.  However, it did make me wonder about the safety of what I had thought were plain text messages.

It appears that a newer version of SMS allows embedded content, and because of that SMS messages are not all that secure.  So even if RexSpy was just a marketing ploy, it is apparently possible for an invisible SMS message to execute things on the phone, change settings, and potentially copy info while the phone shows nothing happening (apparently all newer smartphones are vulnerable).  Granted, there are limitations and it’s not easy, but it is possible.

This led me to delve into my Blackberry for some type of solution.  It turns out that its firewall (Settings->Security->Firewall) gives you the ability to block SMS, MMS, PIN, and more for: all, all but address book contacts, and all but address book and special addresses (I need to find out what the special addresses means).  Of note, blocked items are simply lost, so if you accidentally block something you want there is no recovering it; still, I suppose that strict settings here would help mitigate an SMS attack.  I set mine to just address book.

Smartphones, while useful, are still relatively new and as such are probably not going to be trustworthy from a security standpoint for a while; I’d use them with that understanding.  Do a battery pull in any really secure environment you need to be in (or leave your phone behind), and any remote access done from the phone should have a secondary access control that is out of band from the phone, like SecurID, or else use a one-time password design.  Also favor certificates for internal authentication, so that you are never typing reusable passwords on the phone.  That way, even if the phone is lost or compromised, it is less likely to lead to a network compromise.

PS: SMS isn’t your only threat.  Don’t forget that your phone is a mobile workstation and as such is vulnerable to Bluetooth attacks, WiFi attacks (if it has WiFi), application vulnerabilities, and viruses/trojans.

Further information on securing your blackberry.

More on the Blackberry firewall.

Phone web sessions hijacked via SMS.

Youtube video showing SMS hotspot attack.

The OQO is back in play

Filed under: Personal — steve @ 6:34 pm

A rough weekend hardware-wise has me now using the OQO as a desktop.  I’ve never used it this way before.  Once I tried connecting it to my KVM, but the resolution was only 800 x 480 and on a 22″ wide monitor that was horrendous.  This time I connected it directly to the monitor and I guess this allowed it to detect the monitor because it snapped into 1680 x 1050 without issue.  I then plugged in all my USB drives and peripherals and I was good to go (I’m a USB nut and went USB everything, my desktop was basically just a cpu, ram, video, and an OS drive).  Turns out the OQO, while certainly no power house, is surprisingly usable as a desktop machine.

I shouldn’t be surprised, it is what the OQO is designed to do, to use it as a desktop machine that you can take with you and stick in your pocket.  I just never used it as a desktop until forced.  I may stay with it for a while.  It may be no gaming machine, but my desktop is strictly work anyway (ok, I may occasionally watch hulu too), and for that it is fine.  I can only assume that the OQO didn’t like being confined to mothballs except for weekend trips and so it offed my desktop while I was sleeping.  I’ll have to watch it more carefully.

April 19, 2009

More abuse of powers

Filed under: Personal, Privacy — steve @ 1:23 am

I was reading the latest accusation against the NSA for overstepping its legal bounds on truthout.org (article).  It’s interesting, but really nothing new or unexpected.  History has taught us all that powers given will be abused if they can be.  I’ve noticed (and I’m sure many others have as well) that most often that abuse will be by the entity controlling those powers for its own protection and preservation.  Granted, the NSA doesn’t yet appear to be at that stage (NSA folks are probably laughing at this comment), but could it become this type of monster?

Well, we originally had checks and balances to guard against the creation of a self-protecting powerful entity, at risk of self-preservation becoming its main goal.  By removing oversight we are creating just such a potential monster and then playing Russian roulette with it.  Which political entity will be in power when it’s finally all powerful, after passing through administration after administration that removed checks and balances?  Think of the influence on the democratic process such an entity could exert.  Stop allowing oversight to be removed now and put more in place.

After all, you have nothing to fear from oversight if you have nothing to hide.

April 18, 2009

Tor vs Privacy Service

Filed under: Cotse Related, Privacy — steve @ 5:43 pm

I frequently receive questions similar to the following:

“I came across this link (http://cryptogon.com/?p=877), and was wondering if you folks were aware of this type of activity; also, can your Proxy/Tunnel service help to mitigate my exposure.”

Some questions also mention Tor and ask which is better protection.  I recently answered another of these and thought the (now slightly edited) answer was a good entry for this blog.

The answer:

No proxy service can guarantee to hide you from governments or guarantee flawless anonymity; there are too many areas of potential compromise in every one of them.  The closest to anonymity out there is Tor, due to its design, but because it still has to be as real time as possible to be functional it is subject to traffic analysis (an entity who sees both sides can time your packets going in and match them to packets coming out by factoring in the delay it takes to pass through.  In an overly simplistic analogy: cars maintaining the same steady speed enter a tunnel staggered; you know that they will slow down in the tunnel and by how much, so you can calculate when each one of those cars will exit that tunnel even if they change lanes inside).

One must also assume a large number of hostile exits with Tor (a researcher recently set up Tor exit nodes and published captured passwords and usernames (PDF); I have to believe that he’s not the only one who ever thought of this).  Yet even given these pitfalls, Tor is still the closest you can get to anonymity because of its decentralized approach and onion encryption.  That makes it the best protection from an entity who can only see the exit, which is most.  Unfortunately, given the nature of its setup (untrusted and potentially hostile end users running servers), it’s going to be slow and you should probably never use it to log into bank accounts, etc.  Even though many of those are encrypted end to end, you place yourself at a greater risk of man-in-the-middle attacks.  Your safest bet with those types of accounts is direct access; you lose little, as theoretically they already have your personal information.

Paid services and single hop proxies are even more vulnerable to traffic analysis because they are more centralized, strive for as little delay as possible (speed is everything to them), and pass through fewer hops.  It’s much easier to match the packets going in to those coming out (the faster the proxy, the easier the traffic analysis).  Like Tor, they require you to trust that the service you are using is not capturing your logins and passwords or compromising you itself (i.e. maliciously acting as a man-in-the-middle); most well known paid services can be trusted in this respect (I would not easily trust free single hop proxies; I have to wonder what they get in return for the cost).  Where paid services really fall behind Tor is back tracing from an entity that can only see the exit.  Tor is going to provide you with better anonymity there.

Both Tor and paid services/single hop proxies can protect you from the unwashed masses as well as snooping ISPs.  Both can also provide you ways of accessing data you might not otherwise be able to access.  Tor will provide you with better anonymity than a paid service/single hop proxy will for an entity that only sees the exit, at the cost of speed.  But neither can protect you from a government that wants to get you.  To be honest, they likely wouldn’t even need traffic analysis in either case.  Their preferred mode of intercept for proxy users appears to be to trojan their machine via a vulnerability in the browser software and/or plugins, or through email or messaging client vulnerabilities (see: http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html).

It all means that if you want to hide from a government focused on catching you, it’s going to take a lot more than just a proxy.

April 17, 2009

Recent reports about CIPAV illustrate a point

Filed under: Cotse Related, Privacy — steve @ 4:18 pm

For those unaware of CIPAV, you can get details here and here.  It’s really not a new concept but it does bring up a point I’d like to make again for the novices.  If the FBI can do it, malicious people or oppressive governments can do it too (and actually have been for some time).

It’s extremely important that you choose the software you use carefully and that you stay current with patches.  Many of your favorite applications have had serious vulnerabilities in the past and may so again in the future.  Only you can protect yourself from what is allowed to run on your machine.

Things running on your machine are your greatest risk.  They can get any information that is available to them and send it anywhere, negating any proxy or VPN, even Tor.  There is nothing automated that will secure everything for you and keep it all updated properly.  You will need to learn about your system and its configuration, pay attention to what runs on it, watch for reported vulnerabilities, and patch them.

Each system is different so I won’t try to go into details, but favor peer reviewed open source to closed source whenever possible and get it from jurisdictions that have no issues with how you intend to use it (helps minimize prospect of source tampering).  In other words, don’t download from any entity software you may be using to report abuses by that entity (this should be common sense).

Those of you in serious situations should lose the “cool things” on the net, like video, flash, java, and other plugins, or at least run something that makes them unavailable to untrusted sites.  Participation in Facebook, Myspace, and other large social networks should probably be avoided where possible in favor of a blog you fully control (users may request our web hosting, which allows even a novice to easily install and run things like this blog).

Try to remain as text based as possible on the Net.  Run antispyware, antitrojan, and antivirus software and frequently scan.  Don’t open unknown attachments and don’t follow unknown links sent by mail or message.  Don’t leave your computer on or able to be woken up when you are not at it.  And as always, stay up to date with security patches (not enough of you do this).

Google and ask what you do not know and investigate anomalies.  Everything mentioned is especially important for those of you reporting on abuses or accessing forbidden information from behind a wall of information blackout.

April 15, 2009

I ditched the OQO

Filed under: Personal, Privacy — steve @ 11:46 pm

Well, not completely, but my love affair with it has faded.  It fits my needs for a lightly packed weekend trip and it is something I’ll keep for that and for using as a car computer, but I stopped carrying it daily.  Even given its pocketable size, it’s a tad large to be in your pocket all the time.

In spite of this I was still considering upgrading to the new model for more RAM and the better video performance, but their customer support has fallen through the floor.  Given the unreliability of these machines, that is a huge issue, a showstopper for me.  I won’t be upgrading because of it.  Personally, I think OQO is faltering as a company.  I believe they are trying to find an exit with a buyer now.

What do I use daily now?  Well, I’m trying out a Blackberry Curve 8330 (Verizon had a two for $49 deal when I re-upped and that fit perfectly with my tightwad side…although they did soak me an additional $30 a month for the unlimited net for it).  I’ve never been one for “smart phones”; to me a phone was just to make calls and use as a modem.  I didn’t even use the contacts list in my last phone.  As for Blackberry in particular, I’d always thought that Blackberries were just glorified phones with a PIM, address book, SMS, and perhaps some limited Internet via their proxy.  I didn’t know they can now do what they do.

So far I am impressed.  I have a SSH client to manage servers with in an emergency (screen is a tad small for any real work on it, but it’s ok for emergency troubleshooting and even managing accounts), I have my e-mail (although I refuse to use Blackberry’s push service and instead use LogicMail, the privacy side of me does not want someone in the middle), I have my real time server monitoring alerts, and I have my web access, in fact I have full net access.  That is all I really need when out daily.

It also has some things that I do not really need, but I like them.  Pandora is something I use a lot.  It’s Internet radio and my first foray into it.  I just plug the phone into the line in jack on my truck then start Pandora and I’m good to go, it even pauses the music if the phone rings.  Slacker is another internet radio app I installed and like.  No need for a Sirius subscription anymore (I think as phone networks and Internet radio progress that it means the death of satellite radio, unless they morph or merge).  I also find myself using Viigo a lot for RSS feeds.

BTW: If you are using a smartphone and Opera Mini, please be aware that everything goes through a proxy in Norway and that it operates as a man in the middle for SSL.  Obviously this is not good from a security or privacy standpoint.  Don’t use Opera Mini for anything like online banking, Paypal, etc. where you really want end to end encryption.

So I have only had the Blackberry for a couple of weeks now which means it is too early to find out if it has staying power, but I do expect it does, at least for a while.  Now I have to WAP enable Cotse somehow as LogicMail, though functional, is very basic. Either that or it’s time to learn to code in Java and write my own mail app for it, which I am considering.

April 14, 2009

What do your e-mail headers give away about you?

Filed under: Privacy — steve @ 3:02 am

We all already know about our IP address and what it can give away about us (I am assuming, perhaps incorrectly, that readers are privacy and security minded).  I want to talk about other, perhaps lesser known, risks to your privacy and security that you’ll find in your e-mail headers.  These range from giving away personal and local information to providing an attacker with the keys to your computer.

Let’s start with personal information.  Most of you probably use a mail service that hides your IP address, but does it hide/change your message ID?  The message ID is generated by your mail client and may contain information about you, your general location, and/or your machine.  For example, some versions of Microsoft Outlook encode your machine’s IP address into the message ID.  We’ll look at a sample:

Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>

You may notice that between the @ and the first $ (moving from right to left, i.e. reading the bytes in reverse order) we have c0a80001, that is hex: c0 = 192, a8 = 168, 00 = 0, and 01 = 1, or 192.168.0.1.  Also notice it gives the machine name, billsbarn.  Why give out any unnecessary information?

In the above example it is the IP address of the internal LAN, which gives away information on its own, but it could be an externally accessible IP in some situations.  Outlook isn’t alone in this; other clients do it too, be it in hex, octal, decimal, or another base.  It’s not only encoded IP addresses we can find in message IDs: we can often find machine names, ISP names, POP account names, and local dates and times, giving away your timezone (in some cases this may matter).  These are often not even encoded.

Besides the message ID, mail clients have been known to stick all sorts of potentially personal information into the mail headers: the organization you belong to or company you work for, who originally forwarded the message you are quoting, and even your fax and/or phone number.  Mail clients are notorious for strewing personal and potentially damaging information throughout the mail headers.

Perhaps the stupidest idea I have ever seen from a security standpoint: most mail clients stamp into the mail headers the software you are using and its version number.  And every one of them has suffered serious vulnerabilities at one time or another, vulnerabilities that allow an attacker to remotely execute code on your machine, potentially giving him access to your computer and all the personal information about you it contains.  The keys to the castle, game over.

As always, you should keep up on patches, but in the event a vulnerability exists which you are unaware of, you may very well be telling your attacker how to gain access to your machine just by sending him an e-mail, either directly, via a mail list, or in a web mailing list archive (ever search Google for older vulnerable user agent strings?  You find them all the time in current mail lists, and for some of them all it would take to compromise the machine is to send the person a properly crafted e-mail).

Unfortunately your options are limited in correcting this as many clients simply do not give you the ability to change or remove these headers.  If you are good with a hex editor you may be able to change or zero out these headers in some clients.  Or you can research clients and what they place in headers and pick one that adds the least or that gives you the most control.  Or you can subscribe to a mail service that gives you the ability to add, remove, or change your mail headers.  Coincidentally, I happen to run one of those and if you are already a subscriber, you’re covered.
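To check what your own outgoing mail gives away, here is an added example (not from the post) that decodes the Outlook-style Message-ID shown above and lists the other identifying headers in a message.  The sample headers other than that Message-ID are constructed, and the header names checked are the usual ones (X-Mailer, User-Agent, Organization, X-Originating-IP).

```python
import re
from email import message_from_string
from ipaddress import IPv4Address

# Constructed sample; only the Message-ID line is the one from the post.
SAMPLE_HEADERS = """From: bill@example.com
To: steve@example.net
Subject: test
Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>
X-Mailer: ExampleMailer 1.2.3
Organization: Bills Barn Supply

body
"""

# Outlook-style ID: 12 hex chars $ 8 hex chars $ 8 hex chars @ machine name
OUTLOOK_MSGID = re.compile(
    r"^<([0-9a-f]{12})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>]+)>$", re.I)


def decode_outlook_msgid(msgid):
    """Return (ip, hostname) if msgid follows the Outlook pattern, else None.

    The third $-separated field holds the IPv4 address in reversed byte
    order: 0100a8c0 -> bytes c0 a8 00 01 -> 192.168.0.1.
    """
    m = OUTLOOK_MSGID.match(msgid.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(3))[::-1]   # undo the right-to-left ordering
    return str(IPv4Address(raw)), m.group(4)


def audit_headers(raw_message):
    """Collect the headers that identify the sender's machine or software."""
    msg = message_from_string(raw_message)
    findings = {}
    mid = msg.get("Message-ID", "")
    decoded = decode_outlook_msgid(mid)
    if decoded:
        findings["lan_ip"], findings["hostname"] = decoded
    elif "@" in mid:
        # Non-Outlook IDs still usually carry the generating host after the @
        findings["msgid_domain"] = mid.rsplit("@", 1)[1].rstrip(">")
    for header in ("X-Mailer", "User-Agent", "Organization", "X-Originating-IP"):
        if msg.get(header):
            findings[header] = msg[header]   # software/version or org disclosed
    return findings


if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of a message you sent (the "view source" of the message) to see which of these your own client stamps in.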

April 12, 2009

Fighting Zombies…and other things

Filed under: Personal, Cotse Related — steve @ 11:07 pm

I’ve been fighting spam zombies most of the winter.  We are currently hosting over 25,000 mail domains.  Some of these domains come from hosts that simply could not handle the volume of zombies and backscatter, or just dumped it all on the end user, some being hit with 30k backscatter bounces an hour.  Others are our own domains, some of which spammers seem to love.  All of them need some protection where turning off the catchall just won’t do; that’s where my milter comes into play.

This milter was started when sendmail first started featuring milters (we’ve been seeing zombies hit us hard for years and without the protection it would be nearly impossible to offer our service).  Since then it has evolved quite a bit.   The idea behind it is to dynamically identify infected end user machines spewing spam and block those while allowing all validly sent mail, including valid mail servers spewing spam, to still get through (the milter, anyway, then it’s user filters that will block).

It accomplishes this by evaluating a number of items: the HELO, the host and the number of other related hosts that hit us and were identified as a zombie (i.e. how many other 123-123-123-123.example.coms have attacked), how it hit the server (i.e. slamming, number of concurrent attempted deliveries, etc.), the number of unknown users it attempted to mail, the spamtraps of ours it hit, and more.  Using all of these variables it creates a profile and matches against it.

At first it just dynamically managed a blocklist.  This got cumbersome fast as we grew.  The blocklist had to move to a db and I had to learn to be a better and more efficient programmer.  It now utilizes a few databases, incorporates dynamic blocking, backscatter protection per account or domain, and more.  It also creates a profile of valid mail servers and matches against those as well so that they don’t get caught even if they match the rest of the zombie profile (i.e. the server got infected).  The target is only zombies.  We’ve slowed on the number of zombies added, but still pump in a fair amount of new ones every day.  I do expect this to slow again, but I’ve zeroed the dynamic db a couple of times, both to redesign it and to test its autolearning as I tweaked, so it’s still a rather large amount.

Perhaps one day I’ll write a web interface to the db.  Its contents paint a very interesting map of infected end user machines, or spam zombies.  I’ve also been able to identify individual botnets by things as simple as the way they HELO (type server40.welcometelecom.ru into Google and see what I mean; you’ll see it show up as the HELO for a lot of spam with hostnames around the globe).  Others are slightly more complex, being fed a list of HELO values along with the standard list of from addresses to use, or using the machine name, but they form a pattern in other ways over time and become identifiable as well.

My mind is already running with ways to query this data and provide live statistics (number of zombies per botnet, domain, etc) that can be drilled down all the way to the list of machines and date last seen.  Unfortunately that is side work, which takes a back seat to the day to day running of the service so I have no idea when, or really even if, it will end up searchable like that.  Right now I have perl scripts that do it and I use the results to further tweak the milter.
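As an added illustration of the profiling described above (this is not the milter’s own code), here is a toy scorer over constructed session summaries using the signals the post lists: the HELO, related hosts from the same dynamic pool, concurrency, unknown recipients and spamtrap hits, with hosts matching a valid-server profile exempted.  The weights, threshold, hostnames and the fixed KNOWN_SERVERS set are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed SMTP session summaries (hypothetical hosts, not real traffic).
SESSIONS = [
    {"ip": "203.0.113.5", "ptr": "203-0-113-5.dyn.example.com",
     "helo": "server40.bogus.example", "concurrent": 8,
     "unknown_rcpts": 12, "spamtrap_hits": 2},
    {"ip": "203.0.113.9", "ptr": "203-0-113-9.dyn.example.com",
     "helo": "server40.bogus.example", "concurrent": 1,
     "unknown_rcpts": 5, "spamtrap_hits": 0},
    {"ip": "198.51.100.20", "ptr": "mail.partner.example",
     "helo": "mail.partner.example", "concurrent": 6,
     "unknown_rcpts": 7, "spamtrap_hits": 1},
    {"ip": "192.0.2.77", "ptr": "smtp.small.example",
     "helo": "smtp.small.example", "concurrent": 1,
     "unknown_rcpts": 0, "spamtrap_hits": 0},
]

# Stand-in for the valid-mail-server profile: hosts with a history of
# accepted mail and a HELO matching their reverse DNS.  Learned from
# history in practice; fixed here for the example.
KNOWN_SERVERS = {"mail.partner.example"}

ZOMBIE_THRESHOLD = 6   # assumed cut-off


def host_pattern(ptr):
    """Collapse digit runs so hosts from one dynamic pool share a key:
    203-0-113-5.dyn.example.com -> N-N-N-N.dyn.example.com"""
    return re.sub(r"\d+", "N", ptr.lower()) if ptr else "unresolved"


def zombie_score(s, siblings_flagged):
    """Weighted profile match; the weights are illustrative only."""
    score = 0
    if s["helo"].lower() != s["ptr"].lower():
        score += 2                               # HELO does not match the host
    if s["concurrent"] >= 5:
        score += 2                               # slamming the server
    score += min(s["unknown_rcpts"], 10) // 2    # unknown users, capped at 5
    score += 3 * s["spamtrap_hits"]              # spamtrap hits weigh heavily
    score += 2 * min(siblings_flagged, 3)        # pool-mates already flagged
    return score


def classify(sessions):
    """Return {ip: 'server' | 'zombie' | 'ok'}.  Order matters: earlier
    zombie verdicts raise the score of later hosts from the same pool."""
    flagged = defaultdict(int)
    verdicts = {}
    for s in sessions:
        if s["ptr"].lower() in KNOWN_SERVERS:
            verdicts[s["ip"]] = "server"         # exempt even if it looks infected
            continue
        pat = host_pattern(s["ptr"])
        if zombie_score(s, flagged[pat]) >= ZOMBIE_THRESHOLD:
            verdicts[s["ip"]] = "zombie"
            flagged[pat] += 1
        else:
            verdicts[s["ip"]] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(SESSIONS).items():
        print(ip, verdict)
```

The second host in the sample only crosses the threshold because a pool-mate was already flagged; on its own it would be scored “ok”, which is the related-hosts effect the post describes.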

BTW: Greylisting is dead.  I declare so now.  Nearly all zombies I have identified return, even after getting 550 returns to their delivery attempts (I’d say all but don’t yet have positive proof of all, but I do have positive proof that those which return within a typical greylist period are well above 90%.  What I don’t know is if they are resending or sending a new blast).  So those 4xx errors you greylisters return will also have the same zombie return.  If you are greylisting you are likely now accomplishing little but delaying your mail.

Other Battles:

Been battling a rather serious (but not fatally serious) health issue this winter (stomach/bowel).  It’s had me bedridden a lot.  This put a delay in some new features that were planned (they are still planned, just delayed).  I did get a chance to improve a number of backbone things.  Added bandwidth and server power to the mail network, further improved automatic failover (finally addressing the issue of “what if Verizon comes and rips out all the copper to the building again?”), redesigned our DNS, and fixed a number of bugs, but nothing that can really be identified by users as “hey, here’s something new”.
