security

You are currently browsing articles tagged security.

My company, Talia, provides hosted Voice-over-IP (VoIP) services to our customers. A typical use is a software-based PBX such as Asterisk on our virtual machine hosting cluster (or as the kids say, our “cloud”). We use the same for our own corporate PBX.

In the past month, we’ve experienced two fraudulent attacks costing a few hundred USD each. We have measures to detect and prevent such things, but that’s not what I want to talk about. I want to talk about how these attacks occurred.

Read the rest of this entry »

Tags: ,

In another post, I talked about running Wireshark and other sniffing programs as an unprivileged user. You can do the same with Nmap, but it’s a little more tricky.

WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall roules and interface configuration, or exploit vulnerabilities including on localhost. It’s possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.

Read the rest of this entry »

Tags: , ,

The Wireshark team has long warned us not to run Wireshark as root. However, since Wireshark 1.4 (between Ubuntu 10.04 and 12.04), they’ve raised the stakes. Wireshark no longer loads all its plugins and protocol dissectors when run by root, and it displays warning messages on the CLI and the GUI:

Read the rest of this entry »

Tags: , ,

Sniffing on a switch

I’m an IP network engineer. When something goes wrong, the first thing I do is sniff packets. Got a SIP phone that won’t register? Forget reading logs; sniff 5060/udp and read the SIP chatter directly. A customer complains that “Yahoo chat doesn’t work”? Sniff 5050/tcp and look for TCP hangups, login failures, or ICMP “port unreachable” messages.

Sniffing is easy when you have access to the intermediate router, but that isn’t always the case. What if you’re just another PC on the same switch? That’s impossible, right?

Read the rest of this entry »

Tags: , ,

One of the awesome features of the last several Ubuntu releases is support for ecryptfs, an encrypted filesystem. At Talia we depend heavily on GPG, OTR, SSH keys and other forms of encryption and secure identification. Loss of those keys and other confidential data to laptop theft, corporate espionage, or the US Customs Service is a big concern for us. This week I secured my laptop, as a prototype of our new corporate laptop setup. Here is how I did it.

Read the rest of this entry »

Tags: , , ,

Firefox has a very annoying “feature” – it remembers any HTTP authentication tokens for as long as Firefox remains open. Any by “open”, I mean “the browser is running”, not “the tab/window is open”.

Why is this bad? For several reasons. Read the rest of this entry »

Tags: ,

In the last 3 weeks our company mail servers have been slammed with a massive increase in spam relay attempts. Logs showed many failures like so.

Jul 12 14:15:26 mailserver.example.com postfix/smtpd[19885]: NOQUEUE: reject: RCPT from 206.12.0.10.in-addr.arpa[10.0.12.206]: 554 5.7.1 <symons@yahoo.co.uk>: Relay access denied; from=<yyjaqveh@lpsb.com> to=<symons@yahoo.co.uk> proto=ESMTP helo=<206.12.0.10.in-addr.arpa>

IP addresses have been obscured to protect the guilty (or ignorant, as this is certainly a botnet). Unfortunately, a large number of the IP addresses in question belonged to my own satellite customers. Mail servers for our other domains were almost entirely unaffected. Which tells me that some bastard has written a botnet spam client that looks up its own public IP, finds the reverse DNS entry, looks up the MX record of the corresponding domain, and then attempts to relay mail through that server. This is particularly mean, as it will encourage your own ISP to shut you down.

Read the rest of this entry »

Tags: ,