I’ve temporarily fixed the SSL cert on tolaris.com by rolling back to an older still-valid cert that lacks some DNS names I don’t really need. In the next few months, I intend to upgrade this server and then configure Let’s Encrypt. I’ve had enough of manually dealing with SSL certs.
You are currently browsing articles tagged security.
Thanks to everyone who warned me that my SSL certificate is broken. I’ll find a new issuer soon.
This happened because Google and Mozilla have distrusted my SSL issuer, StartSSL, for very good reasons. I was unaware of this action – StartSSL apparently took no effort to warn its customers – until the warning appeared in recent releases of their browsers.
Shame on you, Wosign and StartSSL.
My company, Talia, provides hosted Voice-over-IP (VoIP) services to our customers. A typical use is a software-based PBX such as Asterisk on our virtual machine hosting cluster (or as the kids say, our “cloud”). We use the same for our own corporate PBX.
In the past month, we’ve experienced two fraudulent attacks costing a few hundred USD each. We have measures to detect and prevent such things, but that’s not what I want to talk about. I want to talk about how these attacks occurred.
WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall roules and interface configuration, or exploit vulnerabilities including on localhost. It’s possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.
The Wireshark team has long warned us not to run Wireshark as root. However, since Wireshark 1.4 (between Ubuntu 10.04 and 12.04), they’ve raised the stakes. Wireshark no longer loads all its plugins and protocol dissectors when run by root, and it displays warning messages on the CLI and the GUI:
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
Running as user "root" and group "root". This could be dangerous.
I’m an IP network engineer. When something goes wrong, the first thing I do is sniff packets. Got a SIP phone that won’t register? Forget reading logs; sniff 5060/udp and read the SIP chatter directly. A customer complains that “Yahoo chat doesn’t work”? Sniff 5050/tcp and look for TCP hangups, login failures, or ICMP “port unreachable” messages.
Sniffing is easy when you have access to the intermediate router, but that isn’t always the case. What if you’re just another PC on the same switch? That’s impossible, right?
One of the awesome features of the last several Ubuntu releases is support for ecryptfs, an encrypted filesystem. At Talia we depend heavily on GPG, OTR, SSH keys and other forms of encryption and secure identification. Loss of those keys and other confidential data to laptop theft, corporate espionage, or the US Customs Service is a big concern for us. This week I secured my laptop, as a prototype of our new corporate laptop setup. Here is how I did it.
Firefox has a very annoying “feature” – it remembers any HTTP authentication tokens for as long as Firefox remains open. Any by “open”, I mean “the browser is running”, not “the tab/window is open”.
Why is this bad? For several reasons. Read the rest of this entry »
In the last 3 weeks our company mail servers have been slammed with a massive increase in spam relay attempts. Logs showed many failures like so.
Jul 12 14:15:26 mailserver.example.com postfix/smtpd: NOQUEUE: reject: RCPT from 184.108.40.206.in-addr.arpa[10.0.12.206]: 554 5.7.1 <email@example.com>: Relay access denied; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<220.127.116.11.in-addr.arpa>
IP addresses have been obscured to protect the guilty (or ignorant, as this is certainly a botnet). Unfortunately, a large number of the IP addresses in question belonged to my own satellite customers. Mail servers for our other domains were almost entirely unaffected. Which tells me that some bastard has written a botnet spam client that looks up its own public IP, finds the reverse DNS entry, looks up the MX record of the corresponding domain, and then attempts to relay mail through that server. This is particularly mean, as it will encourage your own ISP to shut you down.