security

Block attacker IP addresses, four ways

If you run WordPress you’ve seen these in your web server logs:

132.232.46.230 - - [29/Oct/2020:13:58:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:44 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:48 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:52 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:55 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"
132.232.46.230 - - [29/Oct/2020:13:58:58 -0500] "POST /xmlrpc.php HTTP/1.1" 200 259 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)" "-"

Fucken scanners just slamming xmlrpc.php looking for a way in. When this happens CPU usage just goes through the roof for as long as the scan lasts and it could be five minutes, could be six hours, could be all week; before it ends. The gods help you if you’re paying by CPU usage.

So you have to block access to the file. You could just block all access to XML-RPC but doing this will prevent the WP mobile app from working.

We’ll just block that specific IP address but we need to be quick about it; just do a quick one liner on the terminal before the OS just topples over and becomes completely unresponsive or worse.

iptables

This should work for any Linux distribution that has iptables out of the box which is basically all of them.

# iptables -I INPUT -s 132.232.46.230 -j DROP
  • -I: Insert the rule as the first rule to be applied in the INPUT chain. You could use -A (append) but the sooner we get rid of that traffic the less work the CPU has to do.
  • -s: Source address, in this case 132.232.46.230, which belongs to Tencent.
  • -j: jump to the DROP target. If you use the REJECT target you’re just creating more work for the CPU.

Documentation here but the Ubuntu how-to is far more useful in getting people started.

pf

As it is part of both FreeBSD and OpenBSD base installations it should be enabled in /etc/rc.conf but from reading the (almost useless) documentation and looking around the web You need to fuck around with pf.conf first, then you can manipulate the table. This is the first result on the web when you search for “pf block ip address”. So no one-liner that can save your life.

Edit /etc/pf.conf and add

table <badhosts> persist
block on fxp0 from <badhosts> to any
  • Create table named badhosts, and set it to be persistent in kernel memory
  • Block, on interface fxp0 (you’ll want to change this), traffic from rules in the badhosts table to any destination.

Once you have this you can manipulate the table from the command line with pfctl

# pfctl -t badhosts -T add 132.232.46.230
  • -t means pfctl will manipulate the badhosts table
  • -T will show statistics
  • add address 132.232.46.230 to the table

Fucken hell FreeBSD documentation is the fucken worst. Dryer than Melania Trump’s libido. Now, reading through the OpenBSD pf documentation it looks like you can do

# pfctl -t badhosts -T add 203.0.113.0/24

Which will create the badhosts table automatically without having to fuck around with /etc/pf.conf. Don’t know if this will work on FreeBSD though.

ipfw

It is part of the FreeBSD base installation so it does depend on ipfw being enabled in /etc/rc.conf but it looks like you can go

# ipfw add deny all from 132.232.46.230 to any
  • Add rule denying any and all fraffic from 132.232.46.230 to any destination

At least these rules are succint and easy to read. Whomever wrote the documentation seemed to pay more attention to usage at least.

Still, fuck FreeBSD.

Windows

Super easy now that PowerShell is built into Windows itself:

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Block traffic from 132.232.46.230" -Direction Inbound -LocalPort Any -Protocol Any - Action Block -RemoteAddress 132.232.46.230
  • -DisplayName: The human-readable name of the firewall rule
  • -Direction: Can be Outbound or Inbound. We want Inbound obviously.
  • -LocalPort: Going with any ports because fuck crackers.
  • -Protocol: Same, block all port
  • -Action: Block traffic
  • -RemoteAddress: Specifying only 132.232.46.230

The documentation for the commandlet is super nice. No, I’m not typing ‘cmdlet’.

The old way involved so, so manny clicks. PowerShell makes it easy.


Now all of the previous bits of code cease to have any effect after a system reboot so if you want the rules to be permanent… don’t. Blackhats will just scan from different hosts and different networks so blocking an IP address permanently is just unproductive.

A better solution is to use fail2ban:

There is also CrowdSec but I haven’t personally used them.

This post came to be cos I spent 30+ minutes trying to figure out how to block traffic on a FreeBSD host and their documentation is just… inscrutable. Should you ask for help in their forums you’ll just get told to RTFM.

You end up going in circles, consuming yourself in rage and frustration which does not feel nice. Rage-posting is where it’sat.

Block attacker IP addresses, four ways Read More »

I want a drink and it’s not even 0700 yet

On this here blog I use a few things to help secure everything down and avoid issues, namely, nginx location blocks disallowing access to resources, fail2ban tracking nginx logs to prevent people hammering server or trying to do improper things, and the “Limit Login Attempts” WP plugin.

A combination of all these broke access with the wordpress mobile app. Ended up having to disable the wordpress fail2ban jail and altering some of the nginx directives.

This is going to be a pain in the ass to debug cos the wordpress app doesn’t have any kind of proper error messaging, urgh.

I want a drink and it’s not even 0700 yet Read More »

“you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both.”

Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away.

Source: Latacora – The PGP Problem

I knew PGP was bad and had avoided it cos I knew of its eldritch complexity of integration but I didn’t know about the rest.

Figures that Thunderbird is planning on integrating it as a built-in function.

They should probably use something else, methinks.

“you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both.” Read More »

Locked out? Good luck

Let’s build and configure a minimal SSH bastion host (jump box) from scratch, using Ubuntu 20.04 LTS.

Source: DIY SSH Bastion Host

This is all well and good except for the bit where the author is clearly invested in using the cloud (i.e. other people’s computers) to run your own infrastructure.

What happens when google locks you out? Or when amazon decides to do the same. Same concern goes for Azure, or any other cloud provider.

Good luck fixing any of that without having to tear down a lot of your own work just to be able to be useful again. I get it, from a developer point of view setting it like this means it’s easy to plug into projects, but from a sysadmin point of view it means you’re going to shoot yourself in the foot sooner rather than later, specially if you missed a little onfiguration detail that lets your server wide open for takeover.

Locked out? Good luck Read More »

TikTok Security: An Opinionated Explainer

There is a post on reddit was written by someone who claims they reverse-engineered the app that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that conform the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of course, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name and of the cellular network, wifi network, and MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, how it moves within the LAN. This also means the WAN IP address revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting](https://en.wikipedia.org/wiki/Rooting_(Android). Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tables now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc, and you as an user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a of of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information but that’s because they control both the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you add what the app does (again, suck up as much information about the user and their devices) with what the company is doing (actively avoiding answering questions of its practices) it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.

TikTok Security: An Opinionated Explainer Read More »

Bleh

A new sign of the digital apocalypse is the new Equifax breach. I’m not sure if I’m affected but the company is certainly not making any effort whatsoever to help anyone out. The other two credit bureaus, Experian and TransUnion are probably savoring this and will keep doing so until they get hit.

So for the cleanup, there’s this post written by someone with experience in the matter. Not a lawyer, but knows enough to help one on the way.

And just like techdirt say… it will get worse.

The default of your credit identity starting from now on is “stolen”.

Bleh Read More »

This is really scary stuff

Source: The Short Life of a Vulnerable DVR Connected to the Internet – SANS Internet Storm Center

I’ve set up DVRs and the UX/UI on most of them is appalling, along with the entire setup and configuration process. Then to find out the moment you connect them to your network they just become another attack vector, one that cannot be easily closed off.

These are pretty pricey devices that I believe can be replaced with a Raspberry Pi to obtain more flexibility and better recording quality. It’s just the software that’s needed.

This is really scary stuff Read More »

Failing to choose your new password

So Evernote got cracked into and they’re having everyone reset their passwords. It works well, except when it doesn’t:

Screenshot - 03022013 - 11:40:51 PM

They’re telling me I can use letters and numbers and punctuation characters but then I enter a nice complex passphrase (not password!) and I just get that little error message. No help mouseovers, no links to a FAQ or blog post.

Then I entered a passphrase with all space characters removed soyouendupwithsomethinglikethis and it worked. Got account access back. It could be helpful to tell people they cannot use spaces at all, specially after punctuation characters.

Evernote is doing many things right, but password resetting is not one of them.

Failing to choose your new password Read More »

Oh, Skype…

For the past two years or thereabouts, every time I’ve attempted to change my password in Skype I’m greeted with the following error:

Skype character error

No matter what OS, browser, or client I use, I still get it.

If memory serves (and I might be mistaken) Skype itself suggested you use special characters like !, @, #, $, %, ^, &, *, (, ), _, etc, to make your passwords more complex and help increase the security of your account. They wanted you to use the sort of password that is bloody hard to remember and easy for a computer to steal or crack or for another human to guess.

My guess is at some point (probably after being acquired by Microsoft), they updated their password code to disallow such characters. Which means I am now screwed as their systems literally don’t know what to do with my current password.

Maybe at some point I’ll be able to change my password, but with the migration from Live Messenger to Skype, it’s unlikely.

Oh, before I forget. If you want to use a password, it’ll have to be less than 20 characters in length. You know, for teh future lulz.

Oh, Skype… Read More »