Feb 05 2010

It hit my mailbox today – the decision to put the entire letter in a jpg file probably got it past gmail’s spam filters… but sheez, this is absolutely terrible… terribly perfect as a rip-off that is…

Get this:
1) Firstly, the spelling and grammar are actually almost acceptably good!
2) It puts a whole new spin on the usual “God bless you for your help” and other religious crud in the “help me collect my dead husband’s fortunes” 419s by pretending to be from a Christian in Saudi who had converted (along with the dead hubby) from Islam.
3) It then goes on to state that the purpose of the money for her is to use it for charity! To build things like cancer research centers!
4) The “I have cancer” bit is a nice (if rather fucked up) twist…

Sheez… I can just see a million fundamentalists falling for this one… Here is the letter as I received it.
Please if you get this – IT IS NOT REAL. These scammers have in the past committed fraud, theft, kidnapping and even more violent crimes than that against people who respond. Do not fall for it.

Oh, and whichever scammer came up with this one… you know, “Sister Mary Jones” is really not a very believable name for a lady who was born to a Muslim family in Saudi Arabia!

419 Scam

Sep 23 2009

This post is based on personal experience that led to a fairly major outage for me recently. I won’t share any specific details, but I will explain the issue so others can be warned. The automountd in question was running on an older version of HP-UX, so I suppose it’s possible that newer Linux systems have some kind of protection built in, but since the flaw is fundamentally part of how automount works, I doubt it.

Imagine you have an NFS share that contains a lot of directories, and various clients will only access some of them. One popular setup here is to set the master share as an automount, hooked into the subdirectories. Let’s say you set this up on /shared_files.

Now when a user tries to enter /shared_files/documents, for example, the automounter will send a mount request to the NFS server, mount the documents directory directly, and the user transparently gains access… sounds perfect, right?

Here’s the flaw… what happens if the user tries to access a directory which doesn’t exist in the share ? Say /shared_files/garbage … well a mount request gets sent, the server rejects it – and the user gets a file-not-found.

That’s all well and good right?

But now… what if I do this:

# each lookup of a nonexistent name makes automountd send a mount request
while /bin/true ; do
    ls /shared_files/$RANDOM
done

See what happens now: an instant denial of service attack on the NFS server. Normally, NFS is fairly safe from DoS attacks, as it’s usually not used online and generally one inside the company would need root access to issue a mount request – but this can be done by any user, and worse, on any server he has access to (so it could be distributed). And just to add the cherry on top, similar scenarios could just as easily spring from stupidity or a buggy program/script – there isn’t even any need for malice…

This problem isn’t limited to NFS; you’d have the exact same issue if you were using CODA or practically any other network file system. Essentially automount, when used on an “in the directory” level, is a disaster waiting to happen: it’s a daemon that executes a root-privileged command when triggered by actions a non-privileged user can perform… inherently this is very dangerous.

It is for this reason that I am piece-by-piece ridding my network of automount-based setups, and switching to rather just mounting the /shared_files equivalents using fstab directly (besides which, one on-boot mount request is so much less overhead than hundreds of on-access requests).
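From the NFS server's side, the loop above shows up as a burst of refused mount requests for many distinct paths from a single client. The following added example (not part of the original post) flags that pattern; the log format is an assumption modelled on Linux rpc.mountd syslog lines, and the host names, addresses, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape, modelled on Linux rpc.mountd syslog output; adjust the
# pattern to whatever your NFS server actually writes.
REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ rpc\.mountd\[\d+\]: "
    r"refused mount request from (?P<client>\S+) for (?P<path>\S+)"
)

def find_mount_storms(lines, window=timedelta(seconds=10), threshold=20, year=2009):
    """Return {client: peak} for clients whose refused requests for distinct
    paths inside any sliding `window` reach `threshold`."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, path)
    peaks = {}
    for line in lines:
        m = REFUSED.match(line)
        if not m:
            continue  # successful mounts and unrelated lines are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["client"]]
        q.append((ts, m["path"]))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop requests that fell out of the window
        distinct = len({path for _, path in q})
        if distinct >= threshold:
            peaks[m["client"]] = max(peaks.get(m["client"], 0), distinct)
    return peaks

def sample_log():
    """Constructed sample: one client probing 40 random names, one user typo."""
    base = datetime(2009, 9, 23, 14, 0, 0)
    fmt = "{:%b %d %H:%M:%S} nfs01 rpc.mountd[812]: {}"
    lines = [
        fmt.format(base + timedelta(seconds=i // 4),
                   f"refused mount request from 10.0.0.7 for "
                   f"/shared_files/{1000 + 37 * i} (/): not exported")
        for i in range(40)
    ]
    lines.append(fmt.format(base, "authenticated mount request from 10.0.0.9:901 "
                                  "for /shared_files/documents (/shared_files/documents)"))
    lines.append(fmt.format(base, "refused mount request from 10.0.0.9 "
                                  "for /shared_files/garbage (/): not exported"))
    return lines

if __name__ == "__main__":
    print(find_mount_storms(sample_log()))
```

Counting distinct paths rather than raw requests keeps a user who retries one mistyped directory from being flagged alongside a client walking random names.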

Apr 29 2009

Man, just when I thought I’d seen it all, 419-scammers seem to have caught on to the fact that most spam filters now simply destroy their mail without people even seeing it, thus preventing them from ever reaching potential gullible victims. They found a way around it, elegant and scary in its simplicity.
I just received an SMS that read: “Please contact Doctor Kelvin agentdrkelv@gmail.com for your prize of 7500000 pounds”. The number, a +44, is the correct country code for the UK (I had it wrong earlier, corrected now) – don’t be fooled by this.

Yep, the classic lotto prize 419, in an SMS – the interesting thing is that they obviously realized short messages like an SMS are not sufficient to pull a full scam, so they just put the bait there, then lure you to mail them – if you do, of course, it’s business as usual for one of the most effective criminal syndicate systems we’ve faced.

This shows a classic problem with security systems – technology convergence. In the beginning they kept beating spam filters by simply spamming better. Now that this is becoming hard, as we are getting good at picking up the consistent messages they need, they are targeting you through a completely unfiltered technology, and thus leading you into the conversation. Almost no spam filter in the world will pick a message as spam if it’s a reply to one you sent.

It’s very wrong, but it’s very clever. So this post is a warning to those who read it. I am sure I wasn’t targeted for the SMS. These people almost certainly invested in bulk SMS packages and are SMS’ing large numbers of people in bulk at overseas rates. A much more expensive proposition than mass mailing, but they must believe the payoff is worth it. So when you get your 419 SMS – ignore it, or contact the cops; whatever you do – don’t mail the address in it.

Dec 31 2008

Security experts do not limit themselves to computers, they look at any complex security system and constantly look for ways it can be broken, then they publish the methods they find – and hopefully somebody else can then make the system better.

The lesson was learned after World War 2 when Turing cracked the ENIGMA machine’s crypto system and proved that keeping your security secret was a bad idea – because anybody can design a system he cannot beat, nobody can design one that a smarter person couldn’t beat. Make the details public, and let everybody try to break it – if nobody can – that is a secure system.

I’m not a professional security expert (as in, I don’t do it for a living, but I am trained in the field) – but I do have that mindset, I look into every system I encounter – trying to see how it could be beaten. Of course, I won’t use what I learn – but following the advice of Bruce Schneier, I do publish it. Schneier (who really is an expert, his books are considered the canonical works on computer security and crypto at universities) has also said that security is a field where talented amateurs rule. Well I hope I fall into the latter category anyway.
The post thus far was to explain my intentions in writing this. I do not want people to take weapons onto planes, I want the people whose job it is to stop them doing so to know the weakness I’ve spotted (of course, being a fairly regular traveler did help).

Now this method won’t let you take a gun onto a plane, but as 9/11 proved when nobody has any weapons – a simple weapon is all you need – and the weapon I could get onto a plane isn’t all that simple either. In fact, airplanes take special care to prevent giving it to you inadvertently (but they haven’t noticed how easy it is to get one on).
It is: a broken bottle.
Airplanes only serve drinks from plastic bottles to prevent the drinks cart from providing people with a potential weapon (or just a dangerous accident in turbulence) but until recently you could just walk onto a plane with a wine or liquor bottle which would be waved through security. When I went to France a few years back, I bought several bottles of genuine champagne in the champagne region, since taking pressurized champagne bottles into a low pressure cargo hold would be… stupid, I took them as hand luggage. These days that won’t work since the liquid rule would stop you taking those bottles through security.
But the liquid rule is meant to stop you bringing fuels for bombs – not bottles, and it’s easy to get around it.

Practically every airport in the world has shops in the departure lounges – on the other side of security. Most of them include liquor stores, you can buy a few bottles of whiskey there and walk onto the plane carrying a weapon that has prevailed in a million barfights – and when nobody else is armed – it’s all you need.

We’re just plain lucky no hijacker has figured that one out yet – but it gets worse, with enough ingenuity and basic knowledge of chemistry, bringing a bomb on board could use the same exploit. Now usually a bomb maker buys professional equipment including long range detonators or timers – so he can give himself the best possible chance of getting out of the way. If, however, your intention is to blow up a plane – chances are you are a suicide bomber – and you don’t really care about safety – just success.

Those same airport liquor stores will sell you alcohol, which by itself is a powerful accellerant. You don’t need a big bomb to blow up a plane, you just need one big enough to rupture the hull (or better yet – burn/blow the windows out) explosive decompression will do the rest.

But diluted alcohol is a very difficult thing to make a bomb with, it’s nice for boosting your braai fire, but it takes skill to make get it in the kind of compressed state where you have a shot at making it explode -and you need a lot of it. Luckily for our would-be plane-bomber right next to the liquor store is usually a beauty store, where you can buy haircare products (most of which contain much better accelerants than liquor) and even a whole collection of things in aerosol cans, we all know that aerosal cans contain flammable gas – heck we’ve all seen movie characters using them with a simple open flame to make a small flame thrower. What we often forget is that they can be much more dangerous than that. One quick and simple bomb, buy a dosen aerosol products, go to the lavatory, put them on a shelf, take one out and use it’s flamethrower capability to heat the others up – chances are they’ll explode within a minute or two. True you’ll trigger the smoke detector but taking down a door takes time – with a few small extra steps – you can ensure the success of your bomb – and that’s without any chemistry. Imagine what a skilled bombmaker could do with the huge selection of chemicals you can buy right in the lounge and walk onto a plane with ? I’m not even a gifted amateur in the field (I always sucked at chemistry) and I could come up with one that should pack enough punch to blow a hole through the hull.

In short, what is the point of having long queues to check us and our luggage for potentially dangerous stuff – if we then sell them to you on the other side to carry-on to your hearts content ? The only tricky bit is getting a source for an open flame – they usually don’t sell detonators in airport shops (at least, not the airports I’ve visited). Making a detonator is not that hard but it’s a tricky business and you will almost certainly need to do it beforehand and somehow disguise it (again quite doable) but it ups the risk and using a nice detonator for a made-on-the-spot bomb seems silly. You generally couldn’t take a cigarette lighter onto a plane, they show up on the metal scanners, but matches do not. I have in the past inadvertently walked onto airplanes with matches in my pocket that nobody ever saw. To make double sure, you could keep a box in your shoes – they are usually so small it’s not even uncomfortable and they won’t get flagged by security.

We tend to think that the way you beat complex security systems (like airport security) is by using complex and unforeseen technologies like carbon-fibre guns. In reality history has shown that this hardly ever happens – carbon-fibre guns do exist, but so far we cannot make carbon-fibre bullets and even when we can, they are hard to find, extremely expensive to buy and very hard to hide (guns have a very distinct shape).

Instead, almost every single hijacking or airplane bombing has not used some unforeseen high-tech weapon, they used low-tech weapons combined with a bit of ingenuity to get them on board – because when nobody else is armed, a simple weapon is all you need. That is the essence of my exploit – a way to get low-tech but powerful weaponry onto a plane by simply utilizing a flaw in the system. After you go through all that enormous security… you can walk into a shop, arm yourself to the teeth and walk onto the plane without ever being checked again.