DigiNotar, a Dutch provider of SSL certificates, has been hacked, and hacked well and good. The hackers then created rogue SSL certificates, which can be used to impersonate actual, well-known websites, like google.com.

The total number of compromised domains is now an amazing 531 (yes, five hundred thirty-one). That includes Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, WordPress, the CIA, Mossad, MI6, and others. The Dutch government also said it couldn’t guarantee the security of its own government sites.

What to do about it

There’s something built into the secure certificates system which is supposed to mitigate the harm done in situations like this: certificate revocation. When a certificate authority (an issuer of SSL certificates) finds out that its certs have been compromised, it can issue a revocation notice.

Browsers are supposed to check for such notices before using a certificate. (In Google Chrome, there’s an option “Check for revocations”.) Theoretically, all should be fine, since DigiNotar has revoked the certificate.

But browser distributors have also done some updates of their own so that users of the latest browser versions will get a warning if they try to visit a site signed with a DigiNotar certificate.

So be sure you’re using the latest browser version.

Resources

Slashdot
Net Security
Nine News
Wikipedia has a good overview

Related posts:

1. Google Releases Skipfish Automatic Website Security Scanning Tool
2. Google Chrome Browser Third Place Behind Internet Explorer and Firefox
3. TechCrunch Blog Gets Hacked Again & WordPress Security

It can be installed either locally or on your webserver.

The easiest place to install Skipfish is on Linux, so I’ll go over installing it on Ubuntu.

Requirements for Skipfish

You need the following software installed in order to install Skipfish:

• GNU C Compiler
• GNU Make
• GNU C Library (including development headers)
• zlib (including development headers)
• OpenSSL (including development headers)
• libidn (including development headers)

The first three are installed by default on Ubuntu. In case they’re not install them with this command in a terminal:

sudo apt-get install gcc make libc6 libc6-dev

To install the last three requirements, enter this command:

sudo apt-get install libssl-dev zlib1g-dev libidn11

Building Skipfish

Download Skipfish

Download the latest version of Skipfish from here:
http://code.google.com/p/skipfish/downloads/list

The current version (as of this writing) was 1.27b [LINK].

Save the file someplace, and then either right-click on it in the file manager and choose “Extract here“.

Or go to the directory where you saved it and enter this:

tar xzf skipfish-1.27b.tgz

Setting Paths

You may or may not need this step, but this will set the paths for header files and library files:

export CFLAGS="-I/usr/include/"
export LDFLAGS="-L/usr/lib/ssl/engines -L/usr/lib/ -L/usr/lib/ssl/"

Compiling Skipfish

Next, compile Skipfish. Enter the directory that was extracted earlier, and use “make” to start the build process:

cd skipfish
nice make

Note: nice prevents make from monopolizing your system’s CPU.

Here’s the result:

cc -L/usr/lib/ssl/engines -L/usr/lib/ -L/usr/lib/ssl/ -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -I/usr/include/ -D_FORTIFY_SOURCE=0 \
	      http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz
 
See dictionaries/README-FIRST to pick a dictionary for the tool.
 
Having problems with your scans? Be sure to visit:
http://code.google.com/p/skipfish/wiki/KnownIssues

After you do this, there should be an executable file named “skipfish” in the current directory. If not, or if there was an error, you probably are missing a requirement or a path is incorrectly specified.

Using Skipfish

This is just a basic introduction.

In the “skipfish” directory, enter these commands:

touch dictionaries/empty.wl
ln -s dictionaries/empty.wl skipfish.wl
mkdir ../out
./skipfish -o ../out/ http://example.com

This creates a blank wordlist file, and an output directory, and then launches Skipfish to scan the specified webserver. (Replace example.com with your webserver address. Make sure you have permission to scan that address.)

Hit Ctrl+c to stop the scan.

Then view the result with Firefox (not Safari or Chrome):

firefox ../out/index.html

I’ll have a separate post on using Skipfish, along with screenshots.

Resources

Google Skipfish
Skipfish FAQ

Related posts:

1. Google Releases Skipfish Automatic Website Security Scanning Tool
2. How to Install Google Chromium on Ubuntu
3. Creating a Database in MySQL with MySQL Query Browser on Ubuntu Linux

About Skipfish

Skipfish is implemented as a program that you run locally (from your personal computer) or on the same server as a website or WordPress or other blog. It saves output in a directory you specify in HTML format (sample below).

If you’re wondering why Google would release a security scanner for free, Google has in interest in a secure and non-exploited Internet. If, every time you go online, your computer is hacked, you’re less likely to go online. The less you go online, the less Google searches you do, the less ads you click on, and the less money Google gets.

Skipfish is similar to other security scanning programs like Nikto and Nessus. But it also has some advantages such as:

• High Performance. You can run 500+ requests per second over the Internet, 2000+ requests over a LAN, and 7000+ requests on the same server as a website.
• Ease of Use. Skipfish is flexible and it handles weird URL schemes and even comes up with automatically generated password guesses based on site content.
• Fine security checks. Skipfish detects subtle problems like cross-site scripting, but it also identifies and avoids false positives.

Major security holes that Skipfish finds include

• Server-side SQL injection (including blind vectors, numerical parameters).
• Explicit SQL-like syntax in GET or POST parameters.
• Server-side shell command injection (including blind vectors).
• Server-side XML / XPath injection (including blind vectors).
• Format string vulnerabilities.
• Integer overflow vulnerabilities.

And there are other minor problems that it finds as well.

Running Skipfish

Skipfish is written in C, and you probably need to compile it before you run it. I’ll have another blog post later on preparing and running Skipfish.

Skipfish is hosted at Google Code here: http://code.google.com/p/skipfish/

Related posts:

1. How to Install Google Skipfish on Ubuntu Linux
2. Google Buys Picnik, a Free Online Photo Editing Website
3. Google Releases Its Nexus One Phone, But It’s Not an iPhone Killer

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123
11. Nicole
12. Daniel
13. babygirl
14. monkey
15. Jessica
16. Lovely
17. michael
18. Ashley
19. 654321
20. Qwerty

The passwords were taken from Imperva’s analysis of 32 million user accounts in the Rockyou.com data breach.

Half of the users used names, dictionary or slang words, or consecutive keyboard keys, which are, of course, easily brute-forced. I guess it makes sense to people in that “who would ever guess that I’m using my wife’s/daughter’s/friend’s name as a password”, but there are only so many common names in English, so it’s easy to test them one after another to see if they work.

It’s always better to use a totally nonsensical and random password. Also, you should use a different password for every site where you have an account. I’ll blog later on how to keep all of these passwords straight and not mix them up.

Resources

Tech News Blog article on passwords
Imperva passwords report

Related posts:

1. RedHat Relents on Fedora Software Installation Policy
2. Earthquake in Taiwan to Increase LCD Prices
3. Cadmus Helps You Avoid Social Media Overload

As you may or may not know, Digitivity.org is hosted on Dreamhost. Anyway, they used to boot the operating system (which in Dreamhost’s case is Debian etch 4.0) from the network to allow for centralized configuration.

Now, they’re moving to local OS’s, which requires rebooting their servers. This means a few minutes of downtime per website as the OS reboots.

This mirrors the way that Dreamhost used to have NFS (network file system)-based home directories, but now has local directories, which increase performance.

Server Reboot

They gave advance notice of the reboots at Dreamhoststatus.com.

Unfortunately, it caught me a little off-guard. I had just finished editing and publishing a WordPress post, and when I went to the Tracewatch statistics module, it gave a PHP error. When I refreshed the page, PHP wasn’t even there!

I logged in to the server without a password through SSH, but it didn’t work since it wanted a password. This, to me, indicated that the public key file had been deleted. So I logged in using a password. I was floored when I didn’t see my own files, but rather the operating system files:

me@server:/$ ls
MegaSAS.log  cdrom  dev   etc	  lib	 lost+found  opt   sbin     sys  var
bin	     core   dh	  home	  lib32  media	     proc  selinux  tmp
boot	     data   emul  initrd  lib64  mnt	     root  srv	    usr

I put in a request to Dreamhost support, but by the time they got back to me 10 minutes or so later, the reboot had already completed, and everything was OK.

Note: the original shell I was logged in to didn’t reflect the changed files. I logged in to another shell to see my files again. This is a feature of Unix/Linux operating systems.

Although I was afraid for a few minutes the site was gone, in retospect, even if I were administrating my own server, I’d have to reboot it as well occasionally.

Dreamhost Backup

Dreamhost, of course, has a backup system, and you can request old files back through Support. There’s also a hidden .snapshot directory that contains a snapshot of your files as they were before. Finally, you can download your entire account backup to your local computer in a single file from the Panel.

Dreamhost Problems Custom Status RSS

One thing you can do to keep on top of status changes at Dreamhost is to put a custom RSS feed of just the things that affect the servers you’re on into your RSS feed reader.

I have this feed along with my FeedBurner custom status feed in a folder called Alerts:

Dreamhost Custom Status Feed in RSS Reader

It’s possible other hosts like 1&1 or Hostgator also have custom RSS status feeds, but I don’t know for certain. FeedBurner does, so you should grab that.

Dreamhost Custom Status RSS Location

To get the address for your particular server, go to the Support section of the Dreamhost Panel, which is at this address:

https://panel.dreamhost.com/index.cgi?tree=support.msg

The RSS address is with the orange RSS icon:

Dreamhost Custom Status Feed in Dreamhost Support

Related posts:

1. Check If Your Blog Is Working with ismyblogworking.com
2. What Is RSS? An Introduction to Feeds and RSS Feed Readers
3. Does RSS Kill Your Productivity and Make You Insane?

The problem is, it’s insecure.

The system is properly called 3-D Secure (3DS) but it’s called Verified by Visa and MasterCard SecureCode by the two card corporations.

Here are some of the problems found by Cambridge researchers Professor Ross Anderson and Steven Murdoch:

• 3DS is shown in an “inline frame” or IFRAME HTML element. The problem with that is that the content for that frame is coming from a different website than the merchants, and it’s hard for users to verify its authenticity because you can’t see the URL it’s coming from.
• The system allows setting of a password directly on a merchant site with activation during shopping (ADS). Your identity is confirmed with a piece of information like birth date, which is commonly available.
• That also means the password can be reset with birth date or other commonly available information.
• It’s also vulnerable to phishing attempts.

Since users have to agree to be responsible for use of the card if they participate in Verified by Visa, banks are less likely to do chargebacks, and are more likely to put blame on the user if there is fraud.

My comments

I had been sort of suspicious of how well these systems worked, but thanks to these Cambridge professors, now we know. In fact, there’s probably no other way we’d know because the terms of these programs actually prohibit you from reverse-engineering or tinkering with the 3DS system in any way.

Moral: Don’t think your card is impenetrable just because your banks says so.

I think it’s good to have a separate, low-limit card for general Internet transactions.

Resources

PCWorld article
Register article
Cambridge University paper
Financial Cryptography and Data Security Conference
http://en.wikipedia.org/wiki/3-D_Secure
http://www.visa.com/verifiedbyvisa/

Related posts:

1. Google Releases Skipfish Automatic Website Security Scanning Tool
2. How to Install Google Skipfish on Ubuntu Linux
3. How to Install Java on Windows

It’s unclear who exactly it was that did the hacking, or how they did it.

Here’s how the Register (the UK technology site) showed the defaced TechCrunch site:

Techcrunch Hacked

Even the BBC is covering the story.

TechCrunch on WordPress

Since TechCrunch runs on WordPress, it obviously heightens security issues for WordPress bloggers. There are a few basic precautions you can take so you’re not a complete sitting duck for crackers.

Security on WordPress

1. Make sure only your user can read your files

It sounds sort of silly. After all, why would any other user be able to read your files on your webserver? Actually, guess again. On most shared hosting servers like Dreamhost, which is what most blogs use until they really become big, users other than yourself can actually read your files given the default setup.

For most files, this isn’t too much of a problem, but you might be surprised to know that many PHP-based applications (including WordPress) set your configuration file to be “world-readable” (i.e. other users can read it).

I’ll be posting in detail on this topic later, but for now, I’ll just say that you can reset permissions to prevent other users from viewing your files by logging into your webserver’s shell and executing the following command:

chmod -R o-r *

The above chmod command changes the permissions of all files (*) recursively (-R) to prevent others (o) from reading (r) files.

2. Make sure you have the latest version of WordPress

At least make sure you’re running no lower than WordPress 2.9. WordPress 2.7 and 2.8 had some nasty loopholes that crackers were taking advantage of to create hidden user accounts on WordPress installations.

Recent versions of WordPress allow you to upgrade right inside the web interface so there’s no excuse not to upgrade.

But be sure you have a backup before doing so.

3. Back up your WordPress installation

If you do get hacked, it’ll be handy to have a backup from which you can restore your site. You should back up both your database and your WordPress files and uploads.

Again, I’ll go into detail about this later, but for now:

Backing up the WordPress Database

There are webhost-specific ways of doing this. There’s also a shell command that’ll let you back up a database. But the easiest way for the uniniated might be using the WP-DB-Backup plugin.

Install it, and you can backup WordPress within the WordPress admin interface.

Backing up WordPress Files

WordPress files include the PHP and other files within the WordPress application when you first installed it. It also includes plugins you’ve installed and photos you’ve uploaded, as well as your themes.

An easy way to back up WordPress files within the admin interface is the WordPress Backup plugin.

Otherwise, the way you back up files differs from webhost to webhost. Some webhosts, like Dreamhost, offer the ability to backup all your files in a single shot from their control panel. If yours doesn’t, log in with FTP and download all the files in your user account to your computer.

Of course, this means you’ll be downloading thousands of files. It’s better to create a single ZIP file, and download that single (large) file. I’ll be covering how to do that later.

Resources

TechCrunch hacking

http://www.techcrunch.com/2010/01/26/techcrunch-hacked/
http://www.theregister.co.uk/2010/01/27/techcrunch_hacked_again/
http://www.loudable.com/techcrunch-is-hacked-and-up-now.html
http://news.bbc.co.uk/2/hi/technology/8480467.stm
http://pinoytutorial.com/techtorial/techcrunch-hacked-january-25/

WordPress backup

WP-DB-Backup
WordPress Backup plugin

Related posts:

1. How to Serve Your WordPress Blog from the Root Directory If It’s Installed in a Subdirectory
2. Installing the cbnet Ping Optimizer Plugin for WordPress
3. Updating Your WordPress Blog Too Frequently: Avoiding Getting Banned from Ping Services

Trying to prevent Windows from shutting down immediately

One of the methods that’s worked for other people trying to avoid the shutdown caused by Sasser is to quickly type shutdown -a in a command window:

shutdown -a

The -a means abort.

But I never had enough time to open a command prompt to enter the command. Part of the reason for that might be the inordinate amount of time that my installation of Windows (which is the original manufacturer’s installation) takes to fully load, including all autorun programs and services.

So I went back to the Linux Live USB, and added a Windows batch file with the command already typed out, along with running the programs which would fix Sasser:

shutdown -a
c:\sassgui.com
c:\sasssfx.exe

So all I had to do was open up an Explorer window and type a.cmd in the location bar. (I kept the name intentionally short, “a.cmd” being easier to type than “stop-shutdown-fix-sasser.cmd”.)

The shutdown sequence was just too fast, though. So I had to find another way besides logging into the existing Windows installation.

Extracting Windows system files

That meant booting from Linux.

Complicating the situation was that the fact that the computer on which I have a CD/DVD burner was the infected one.  Unfortunately, I  didn’t have a Linux CD available, so plan B was booting off a USB flash device, of which I luckily had one with Linux installed (Ubunutu 8.10 Hardy Heron). This version of Ubuntu includes read/write drivers for the NTFS filesystem, which means that I can modify files on the Windows installation while in Linux.

My first line of attack was to replace the files (svchost.exe, rundll.exe, etc.) which are said to be affected by Sasser. I had a copy of the Windows XP installation files on the infected computer’s hard disk, so I wanted to copy those over to the Windows system directory (after making backups of the current system files).

It’s not quite that simple, though. The files on a Windows install disk (or directory) are saved in the so-called Microsoft cabinet format. Microsoft provides utilities for de-compressing such files, but, of course, they only run on Windows.

Thoughtfully, someone has created a program called cabextract to do just that on Linux systems. cabextract version 1.2-3 is included in the Ubuntu 9.10 (Karmic Koala) Universe repository.

After extracting the files, I saved them to the Windows directory and rebooted.  It didn’t work though. The Sasser infection was quite deep, and just changing a few files didn’t work.

Ultimate Boot CD

Next try: the Ultimate Boot CD, a huge collection of various and sundry programs for doing surgery on your computer. I burned a copy of the Ultimate Boot CD, but while that has a few anti-virus options, some are woefully outdated, and others simply didn’t run. Basically, the Ultimate Boot CD is geared toward fixing or diagnosing any number of many different problems you might have that can’t be done while booted in the main operating system, including repartitioning, fixing the MBR, fixing registry, resetting passwords, etc.

Ultimate BootCD: Initial Menu

As such it has a complicated interface and long list of programs and options on startup. But it’s not very good or easy for virus removal. Download the Ultimate Boot CD here.

Kaspersky AntiVirus Rescue CD

Next, I tried the Kaspersky AntiVirus Rescue CD 2008 (kav_rescue_2008.iso). This is a lot easier to run than the Ultimate Boot CD. Kaspersky just loads automatically and you’re presented with a graphical Linux environment in which to run a scan. Kaspersky also provides a command shell in case you want to move files around or ssh into a remote computer. And there’s a file manager.

Kaspersky Rescue CD: Scanner, File Manager, and Shell

I started the scan, and let it run overnight, but it was still nowhere near finished the next morning. Kaspersky is too slow. It tells you how many files it’s processed, and the time it’s taken so far. Based on that, it was taking about a second per file, which would basically mean it would never finish.

So I cancelled out in favor of another option.

BitDefender Rescue CD 2009

After that, I tried Bit Defender Rescue CD 2009 (BitDefenderRescueCD_v2.0.0_3_08_2009.iso). This, like Kaspersky, also provides a graphical Linux environment and a command shell. But it also provides a lot more. You get Firefox, mail programs, network scanners, backup and partition imaging, text editors, a rootkit checker, even a picture viewer. So, if this is your only computer, at least you can surf the web and check e-mail while BitDefender works.

BitDefender Rescue CD: Initial Screen

Unlike Kaspersky, BitDefender works on many tens of files per second, which one would expect of a C-based program. I don’t know what was wrong with Kaspersky. Anyway, it finished scanning in less than a day. Instead of just deleting all infected files, I manually specified which ones to delete and which ones to leave alone.

Rebooting to Windows

After the BitDefender cleaning, I was at least able to boot to Windows. Since I had lost the Task Manager and Command Shell, I decompressed the following files from the Windows installation files to the Windows directory:

• taskmgr.exe (the Task Manager)
• taskmgrw.chm (help file for Task Manager)
• cmd.exe (Command Shell)
• command.com (old Command Shell)
• msconfig.exe
• msiexec.exe (installer runner)
• appwiz.cpl (Add/Remove Applications Control Panel Wizard)
• regedit.exe (Registry Editor)
• rundll32.exe (DLL function executor)
• taskkill.exe

I still wasn’t quite confident that all remnants of all viruses had been removed. In fact, I still couldn’t reach microsoft.com, which indicated that a virus was still present.

McAfee Stinger

I downloaded a free tool that McAfee provides called Stinger. It doesn’t do constant scanning of files as they are downloaded, but it can scan existing files on a hard disk.

It found a Conficker file which it deleted:

C:\WINDOWS\system32\vkaxt.dll
Found the W32/Conficker.worm.gen.a virus !!!
C:\WINDOWS\system32\vkaxt.dll has been deleted.

But it also found a bad svchost.exe, which it couldn’t delete:

C:\WINDOWS\System32\svchost.exe
Found the W32/Conficker!mem trojan !!!
C:\WINDOWS\System32\svchost.exe could not be repaired.

Windows XP Service Pack 2

So I re-installed Windows XP Service Pack 2. I also applied a Hot Fix (WindowsXP-KB958644-x86-ENU.exe) which is meant to prevent vulnerabilities leading to Conficker contamination. After a reboot, I could finally access microsoft.com. I thought I was OK, but after a while, I lost microsoft.com access again!

Conciller.exe

After some more research, I discovered that Conficker actually patches into system files in such a way as to re-emerge later even after a Service Pack install.

The files are packed and encrypted on the hard disk, and are only unpacked while running. The Communication Systems work group at the Institute of Computer Science at the University of Bonn has created a scanner called conciller.exe which scans every running process for Conficker and removes it without disturbing the original process. Direct download here.

When I ran it, I actually got a few hits, which means Conficker was still active. Only after disinfecting memory with conciller.exe, and then re-installing the Service Pack and the Hot Fix, was I finally able to rid the computer of the Conficker mess.

Postscript

While I was finally able to clean the computer, it came at the loss of many days of non-productivity and frustration. I decided I’d had enough of Windows, and didn’t particularly care to get on the buggy and non-compatible bandwagon called Windows Vista. So I resolved to start researching the suitability of Ubuntu as a replacement for my main operating environment. I’ll post updates on that in other blog posts.

Related posts:

1. My Windows XP Gets Virus Infected
2. Latest Windows XP Update Crashes Computers
3. What’s Good Podcast about Why Macs Are Better Than PCs

What they say in their paper is that normally it’s been assumed that executable code is fundamentally distinguishable from benign files. But given an hour or so on today’s computers, code can be fashioned which, viewed as text, would read as simple English prose.

The reason for this ambiguity is that, underneath it all, the English letters also have binary representations for their ASCII codes.  If the right sequence of characters is assembled, the resulting text will be executable 32-bit Intel architecture machine langauge.

Granted getting a system to execute such a file would be another matter. But that could probably be handled by any one of a number of other exploits.  After all, if security is thought of as being in layers, then attacks are in layers, too.

By the way, what’s meant by “shellcode” isn’t Bash Shell scripts or MS-DOS Shell batch files. It’s a term used by security researches to refer to the very first part of an exploit.

Read the paper here. The discussion on Slashdot is here. The story is being discussed on Remote Exploit Forums and createbacklinks.info.

Related posts:

1. Rogue Blogs Using Google to Offer Malware and Bogus Antiviruses
2. Google Chrome Browser Third Place Behind Internet Explorer and Firefox
3. Google Releases Skipfish Automatic Website Security Scanning Tool

Basically, he said that, instead of asking for the root password every time the user wants to do something out of the ordinary, it’s better to define what users can do what, and let them do it. Teaching users to enter their root password all the time just sets them up to give the root password to a possibly malicious program.

This had been discussed as part of an overall framework for PolicyKit (a granular permissions system for Linux), along with a GUI for setting what users and groups can do what. What happened in Fedore 12 was the the maintainer (Richard Hughes) went ahead and made the policy change allowing for user software installation without the GUI being ready.

So now RedHat has decided to make the user enter the root password when installing software in this release. In future releases, the other PolicyKit elements will be present, thereby allowing some changes in the software installation policy.

This is actually a balanced approach, and I think this’ll actually be better for both security and user experience in future Fedora (and other Linux) distributions.

Related posts:

1. RedHat’s Fedora 12 Lets Users Install Software Without Root with PolicyKit
2. How to Serve Your WordPress Blog from the Root Directory If It’s Installed in a Subdirectory
3. Install Free Software on Mac OS/X with Darwin Ports