Category Archives: Security

Insecure self-updates via plain HTTP

2014-03-11 Ralf Bergs Leave a comment

Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain HTTP so that attackers can modify downloads and thereby introduce malicious code.

Immediately I got in touch with the manufacturer of the application, and only 9 hours later they came back to me with the below response:

Right now <unnamed product> download server supports only HTTP and not HTTPS, so we don't have any immediate solution to offer. However we are keeping notes of this concern and we will address it.

Is this not simply unbelievable?!

Remember we’re not talking about someone who does this for a hobby, who may not have the money or time or even knowledge to implement SSL on their server. But we’re talking about one of the largest IT companies in the world… 🙁

I will now wait for a while, and if they haven’t fixed the issue by then I will disclose it on my blog anyway to put pressure on them… But maybe they do it intentionally in order to aid the NSA?! :-/

Computers, Mac, Security

iTunes app downloads are unsafe…

2014-02-28 Ralf Bergs 1 Comment

I recently bought Little Snitch because it was on sale, and just found something strange…

I launched iTunes to download an app that’s currently available for free (ok, so I am a cheapskate… ;-)), and when the actual download was about to start Little Snitch asked for confirmation to allow iTunes to connect to phobos.apple.com on port 80, meaning that the download is not protected by SSL…

IMHO this is a big security risk since it allows attackers to manipulate your download and replace the original app by another one (e. g. one that contains malicious code).

I can’t see any reason why Apple would intentionally not protect downloads by SSL — it just seems to be very bad, careless design… 🙁

What do you think?

Security

Nagios check for Avira AntiVirus definitions

2013-10-13 Ralf Bergs Leave a comment

I wrapped up a quick script to check whether my Avira AntiVirus definitions are current. Since it might be useful to other people I thought I’d just publish it here:

#!/bin/bash

YOUNGEST_FILE=$(ls -tr /usr/lib/AntiVir/guard/*.vdf|tail -1)

WARN=$1
CRIT=$2
WARN=$((${WARN:=3} * 86400))
CRIT=$((${CRIT:=7} * 86400))

function age() {
   local filename=$1
   local changed=`stat -c %Y "$filename"`
   local now=`date +%s`
   local elapsed

   let elapsed=now-changed
   echo $elapsed
}

FILEAGE=$(age "${YOUNGEST_FILE}")

if [ $FILEAGE -gt $CRIT ]; then
    echo "CRITICAL - Youngest file is $FILEAGE sec old"
    exit 2
elif [ $FILEAGE -gt $WARN ]; then
    echo "WARNING - Youngest file is $FILEAGE sec old"
    exit 1
else
    echo "OK - Youngest file is $FILEAGE sec old"
fi

The default (if you don’t supply any command-line parms) is to warn if the youngest of all virus definition files is older than 3 days, and a critical alert will be triggered if it is older than 7 days. If you supply only one parm it will change the number of days until a warning is triggered, and if you also supply the second parm it will also change the days for a critical alert.

I hope this is useful for someone!

Security

Enabling Forward Secrecy in Apache

2013-07-27 Ralf Bergs 20 Comments

I tried to follow the instructions given in this article by Ivan Ristic, but somehow it seems not to be working, or the test at https://www.ssllabs.com/ssltest/ might be broken… 🙁

Unfortunately I can’t seem to comment on Ivan’s article (I even registered just to reply), so I created this blog post, hoping that my trackback will work…

This is what I have in Apache:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

According to the output of openssl ciphers this should enable the following cipher suites (filtered by only those that contain ECDHE):

ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1

As far as I can tell this should include the below cipher suites which supposedly enable forward secrecy:

    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Unfortunately the above SSL test shows the following when running towards my Apache:

Forward Secrecy 	No

Does anyone know what that means? Is the test just broken, or am I misunderstanding anything?

Security

PayPal-Sicherheitsschlüssel

2013-04-20 Ralf Bergs 19 Comments

Gestern wollte ich während eines Bestellvorgangs mit PayPal bezahlen als ich feststellte, dass mein PayPay-Sicherheitsschlüssel nicht mehr funktionierte. Egal wie oft ich den Knopf zur Anzeige eines Sicherheitscodes drückte, das Display blieb ohne Funktion, das Gerät war wie “tot”.

Es handelt sich bei meinem Modell noch um den ursprünglichen Schlüssel (und nicht den neuen im Kreditkartenformat), der eine gewisse Ähnlichkeit mit den ersten RSA SecurID-Tokens hat:

Das Teil war jetzt über sechs Jahre alt, daher ging ich davon aus, dass schlicht und einfach die Batterie leer war. Da ich nicht riskieren wollte dass mein Bestellvorgang wegen Inaktivität abgebrochen wurde, wollte ich den Schlüssel möglichst schnell “reparieren”. Continue reading PayPal-Sicherheitsschlüssel →

Security

Data Privacy issue: Your Android phone might leak your IMEI…

2012-10-20 Ralf Bergs Leave a comment

Just played around with a new home router and noticed that my HTC Desire S Android phone sends the following hostname when requesting an IP address with DHCP in a wireless network:

Android_3567080XXXXXXXX

Why is this is a problem? Because the trailing part of that hostname is your IMEI, which is a unique number identifying your device. It’s normally only seen on radio-network level, so can normally be considered “private” (because your operator can’t disclose it to anyone).

The IMEI also contains a component called “TAC” (type allocation code) which identified the exact handset model you have.

So if you regularly visit Internet cafes or the like, these guys know how often and when you are there.

Please let me know whether you consider this a problem or not — I do think it is one.

Computers, Debian, Linux, Security

Integrate “AVG Anti-Virus Free Edition” into Exim with ExiScan patch

2012-08-19 Ralf Bergs Leave a comment

If you would like to integrate “AVG Anti-Virus Free Edition” into Exim, using the ExiScan patch, this is actually quite easy.

Just insert the following fragment into your Exim config:

  # Reject virus infected messages.
  # Add message to implicit X-ACL-Warn: header
  warn  message         = This message contains malware ($malware_name)
        set acl_m0      = cmdline:\
                          /usr/bin/avgscan --arc %s; echo -e \N"\navg_retval $?"\N:\
                          avg_retval 5:\
                          \NVirus identified *(.*)$\N
        malware         = *
        log_message     = This message contains malware (avg:$malware_name)

Let me know if this works for you — I hacked this up quite quickly, but it seems to do its job…

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ralf's Blog

Category Archives: Security

Insecure self-updates via plain HTTP

iTunes app downloads are unsafe…

Nagios check for Avira AntiVirus definitions

Enabling Forward Secrecy in Apache

PayPal-Sicherheitsschlüssel

Data Privacy issue: Your Android phone might leak your IMEI…

Integrate “AVG Anti-Virus Free Edition” into Exim with ExiScan patch

Just another WordPress weblog