Sunday, June 26, 2011

Almost filled the HD... AGAIN

It never ceases to amaze me that Internet Explorer 8.0, the browser I am using now, takes ~10 seconds to connect to my home page, about:blank. This is but one of the many reasons I seldom use it, not the least of which being its dismal security record.

Today Debian dropped 64 updates on me, and while I was installing them I noticed the /var partition was at 95%. As luck would have it, my IP address changed during my last hardware emergency and I had hard-coded the address in the cron job that did the Proxy Project backups.

This is not the first time this has happened.
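Since the same thing has bitten twice, here is the shape of a cron job that would have complained instead of quietly letting /var fill up. This is an added example of mine, not the blog's actual backup job: it looks the target up by name on every run rather than baking in an address, refuses to start when the source filesystem is already nearly full, and exits non-zero so cron mails the error. The hostname, share, mount point, credentials file and paths are assumptions, and the ping flags are the Linux (iputils) ones.

```shell
#!/bin/sh
# Added example: a backup job that checks its preconditions instead of
# silently failing when a hard-coded IP goes stale.  Hostname, share,
# credentials file and paths are assumptions, not the blog's real setup.
set -eu

BACKUP_SRC="${BACKUP_SRC:-/var/backups/proxy-project}"
BACKUP_HOST="${BACKUP_HOST:-nas.home.lan}"      # a name, re-resolved every run, never a literal IP
BACKUP_SHARE="${BACKUP_SHARE:-//$BACKUP_HOST/backups}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/backup}"
MAX_USED_PCT="${MAX_USED_PCT:-90}"

# used_pct PATH -> percentage of the filesystem holding PATH that is in use
used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# above_threshold PCT LIMIT -> true when PCT is strictly greater than LIMIT
above_threshold() {
    [ "$1" -gt "$2" ]
}

# resolves NAME -> true if NAME resolves via /etc/hosts or DNS
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# reachable HOST -> true if one ICMP echo comes back within 2 seconds (Linux ping)
reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

main() {
    pct=$(used_pct "$BACKUP_SRC")
    if above_threshold "$pct" "$MAX_USED_PCT"; then
        echo "backup: $BACKUP_SRC filesystem at ${pct}% (limit ${MAX_USED_PCT}%)" >&2
        exit 2
    fi
    if ! resolves "$BACKUP_HOST"; then
        echo "backup: cannot resolve $BACKUP_HOST" >&2
        exit 3
    fi
    if ! reachable "$BACKUP_HOST"; then
        echo "backup: $BACKUP_HOST does not answer" >&2
        exit 4
    fi
    mkdir -p "$MOUNT_POINT"
    # the credentials file keeps the share password out of ps(1) and the crontab
    mount -t cifs "$BACKUP_SHARE" "$MOUNT_POINT" -o credentials=/root/.smbcredentials
    trap 'umount "$MOUNT_POINT"' EXIT
    # move, not copy: rsync deletes only the source files it confirmed transferred
    rsync -a --remove-source-files "$BACKUP_SRC"/ "$MOUNT_POINT"/proxy-project/
    echo "backup: done, $(used_pct "$BACKUP_SRC")% used on $BACKUP_SRC"
}

# Only do the real work when invoked with "run"; sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Install it as something like `/usr/local/sbin/proxy-backup.sh`, and in root's crontab set `MAILTO=root` above the entry (`17 3 * * * /usr/local/sbin/proxy-backup.sh run`); cron mails anything written to stderr, so a stale name, a dead host or a nearly full partition shows up in the mailbox instead of in `df` months later.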

So now I'm moving all those backups and I'm getting stunning performance copying the files.


It has taken me years to get this kind of SMB/CIFS performance out of Linux. Maybe it's just my choice of NICs. I've been using RealTek NICs forever and this box has an AMD. Maybe it's the 64bit platform. The last AMD64 based system I had—before it died—was similarly perky.

It's probably time to upgrade to a gigabit network. That way, even crappy performance is better than 100 megabit.

Saturday, June 11, 2011

Amazon EC2 Proxies

Back on Proxy Obsession, before I was so ignominiously bounced from GoDaddy, I mentioned an Irish proxy that was stable and fast. The IP belonged to Amazon Web Services, having a hostname ending in amazonaws.com.

I didn't think much about it at the time, other than to mention it, but it appears there are lots of folks putting up "private"—or so they believe—proxies on Amazon's "Elastic Compute Cloud" (a.k.a "EC2") service.

Well, surprise, they're not private and the proxy listers have been hunting and posting them for a long time, if my database is any indication.

I have them going back to 2008, when the list started, but there's been a lot of growth in this segment since 2010.

They're all either in Dublin or Seattle (with one outlier in Singapore), so that in itself is a dead giveaway. But GeoIP can't locate them all, so you really have to go by a reverse DNS lookup to tell for sure.
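The reverse-DNS test is easy to automate. The script below is an added example of mine, not code from the blog's scraper: it recognises Amazon's EC2 PTR naming, pulls the region label out of the name, and tags the address with the same cross (†) the list uses. Because a PTR record is whatever the address owner chooses to publish, it also checks that the dashed address embedded in the name is the address being looked up, and flags the ones that don't line up. The sample records at the bottom are constructed for the example; the real input would be `dig -x` output for each proxy.

```shell
#!/bin/sh
# Added example: tag proxies whose reverse DNS puts them on EC2.
# The sample records in sample_records are constructed, not from the blog's database.
set -eu

# ptr_of IP -> the PTR name for IP without the trailing dot, or empty (live DNS)
ptr_of() {
    dig +short -x "$1" 2>/dev/null | sed 's/\.$//' | head -n 1
}

# is_ec2_ptr NAME -> true if NAME is in Amazon's EC2 reverse-DNS namespace
is_ec2_ptr() {
    case "$1" in
        ec2-*.amazonaws.com) return 0 ;;
        *)                   return 1 ;;
    esac
}

# ec2_region NAME -> the region label embedded in an EC2 PTR name:
#   ec2-1-2-3-4.compute-1.amazonaws.com         -> us-east-1 (the legacy label)
#   ec2-1-2-3-4.eu-west-1.compute.amazonaws.com -> eu-west-1
ec2_region() {
    _rest=${1#ec2-*.}          # drop "ec2-<dashed address>."
    _label=${_rest%%.*}        # first label after that
    case "$_label" in
        compute-1) echo us-east-1 ;;
        *)         echo "$_label" ;;
    esac
}

# ptr_matches_ip NAME IP -> true if the dashed address in NAME is IP
ptr_matches_ip() {
    _dashed=${1#ec2-}
    _dashed=${_dashed%%.*}
    [ "$_dashed" = "$(echo "$2" | sed 's/\./-/g')" ]
}

# classify IP NAME -> "IP <region> †" for EC2, "IP <region> †?" when the
# name claims EC2 but encodes a different address, "IP -" otherwise
classify() {
    _ip=$1; _ptr=$2
    if is_ec2_ptr "$_ptr"; then
        if ptr_matches_ip "$_ptr" "$_ip"; then
            echo "$_ip $(ec2_region "$_ptr") †"
        else
            echo "$_ip $(ec2_region "$_ptr") †?"
        fi
    else
        echo "$_ip -"
    fi
}

# tag_list: reads "IP PTR" lines on stdin and classifies each one
tag_list() {
    while read -r _ip _ptr; do
        [ -n "$_ip" ] || continue
        classify "$_ip" "${_ptr:--}"
    done
}

# constructed sample: three EC2 names, one non-EC2 host, one EC2 name that
# does not encode the address it was returned for
sample_records() {
    cat <<'EOF'
46.137.0.1 ec2-46-137-0-1.eu-west-1.compute.amazonaws.com
50.16.0.1 ec2-50-16-0-1.compute-1.amazonaws.com
175.41.0.1 ec2-175-41-0-1.ap-southeast-1.compute.amazonaws.com
60.200.0.1 60-200-0-1.dynamic.example.net
10.0.0.1 ec2-10-0-0-2.eu-west-1.compute.amazonaws.com
EOF
}

sample_records | tag_list
```

For the live list, feed it `ip "$(ptr_of "$ip")"` pairs. A matching dashed name is still only a claim; the forward lookup (`dig +short` on the PTR name) should come back with the same address before the cross goes on the list.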

Here's a small sample of the DNS names I have collected...


Now, I have no idea whether these folks are violating Amazon's Terms of Service by doing this, and I really don't care whether they are or not, but there is all kinds of "HOWTO" information published on the Web on setting up a free EC2 proxy. Try this search, for example.

In fact the only reason I mention it now is Amazon's role in the recent SONY attack. Take for instance this Bloomberg report...
For three pennies an hour, hackers can rent Amazon.com Inc’s servers to wage cyber attacks such as the one that crippled Sony Corp’s PlayStation Network and led to the second-largest online data breach in U.S. history.  A hacker used Amazon’s Elastic Computer Cloud, or EC2, service to attack Sony’s online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers...
So... there you have it.

With that in mind, I am now marking the IP address of EC2 proxies with a cross (†) on the proxy list. There aren't a lot of them, but they're in there.

Don't use them if you don't want to attract attention to yourself.

TCP 9415 Report for May 2011

Since my disclosure of the Chinese proxy issue back in April, I've been keeping an eye on the number of port 9415 proxies that pop up in the various lists I scrape every day.

This is how the numbers shook out for May 2011...


The month's total was up by ~16,000 proxies compared to April 2011, but the TCP 9415 percentage was down by 16 points.  April saw a 50/50 split between 9415 proxies and all others.

Comparing just the count of 9415 proxies, the numbers show a 20% drop from April.  China still has the biggest problem, but Taiwan, Hong Kong, Singapore, and Macau all managed to drop 30-50% by raw count.

I like to think I did that, but only time will tell.

Friday, June 10, 2011

Corporative Nets Attack


WTF is that supposed to mean?

My best professional guess is "something lost in translation".

(Yes, I did it for the Google search result.)

You get five points if you know where it came from.

Thursday, June 09, 2011

End of the SOCKS Bubble?


Let me say right up front that I haven't run the numbers in depth yet, but it looks like the SOCKS boom is BUSTED in proxyland.

At this point in time, glancing over The List you'll see a few on the traditional SOCKS port (1080) and those mysterious port 27977 proxies. Just last month there were pages and pages and pages of port-hopping SOCKS4 proxies.

Where are they now? Did someone take down a botnet?

I haven't heard anything on that particular front since Microsoft & Rustock back in March, but SONY, RSA, PBS, et al. have been hogging all the security news with their issues with LulzSec. You'd think after all that crap anyone who downed a botnet would be beating their drum pretty loud by now.

The daily numbers are pretty much the same. Every day I get 2500-5000 new proxies scraping the usual suspects. As usual, over half of them are Chinese, on port 9415.

I'm not all that sorry to see them go. Despite their usefulness for non-Web traffic, I have always preferred the plain old http (CERN) proxies, although lately I've been using a Glype proxy here and there (with NoScript & Ad Block to kill the ads they try to shove down your throat) just because they're easy to use and generally dependable.

Maybe they'll return, but I have a feeling they're gone for now.

Tuesday, June 07, 2011

Happy World IPv6 Day!

About two minutes into it and everything is going fine.

I had one surprise: my vintage 2005 wireless access point, which makes no claims about IPv6 support, compatibility, etc.

I was confused at first to find it worked flawlessly with IPv6, but when I gave the issue a few brain cells, it dawned on me that it's a switch.

That's Layer 2 shit! IPv6 is Layer 3, so it's all good. I mean, you could drag out that old 10 megabit hub you bought in 1994 and it would do IPv6.

duh.

I'm sure someone, somewhere is even doing '6 on Token Ring.

Sunday, June 05, 2011

Belated BT5 LiveDVD Review

When Backtrack5 came out, Blogger was down, which probably aggravated a lot of security blogtards because they wanted to get their two cents out to the masses as soon as possible.

I was one of them, but I didn't really have anything to say except I was glad that BT5 finally included JFS support.

Maybe "glad" is the wrong word. It was more like "no longer pissed off".

I mean—for fuck's sake—why have a shitload of disk forensics software that you can't use? And if it's too bloated to fit on a CD in the first place, what's the harm in bloating it a teensy bit more with a friggin' JFS kernel module? I mean Jeebus, I had to download a goddamned kiddie distro (Linux Mint) to get JFS support.

Suffice to say, I am now a bigger fan of BTx than I was a couple of months ago. And since it does IPv6 so well on my network, I will be using it all day long come World IPv6 Day.

But I still have my issues.

Their motto is "The quieter you become, the more you will be able to hear."

I have a corollary to that: "The more invisible you become, the more you will be able to see."

Hinky's First Rule of Invisibility: Lose the hacker desktop.

I know it makes you feel like a L337 HAX0R, but anyone with an IQ of over 65 shoulder surfing you knows you're up to no good. And smarter people will start having paranoid delusions. Underneath all that cruft is a plain vanilla Ubuntu desktop. Use it. The best way to do that is after booting the DVD, change root's password, add a non-root account (I use "notroot") to the admin group, do "su notroot", then run startx.

If you're doing wireless, you should be able to fire up Wicd and get connected. I have noticed that in some environments you may have to fire up "dhclient wlan0" in a terminal to get an IPv4 address.

Why not run as root? Aside from the getting the plain desktop by default, you're going to run Chromium, which refuses to run as root. Open a terminal and enter "sudo apt-get install chromium-browser". After it's set up, open Chromium and install a better-looking theme. "Dolce&Gabanna" looks good with the default Ubuntu brownishness, as does "Desktop". Next, install Ad Block Plus for Chrome, because no one likes ads.

Sure, BT5 comes stock with NoScript, but you're booting from a DVD, so who cares if you get hacked? While you have Chromium open, check your IPv6 connectivity just for laffs.

Since your "notroot" account is in the "admin" group, you can sudo anything without entering a password. That means "notroot" buys you a plain-looking desktop, not a privilege boundary: anything running as that account can become root just as easily as you can. A lot of the tools from the Backtrack menu will automatically bump you to root, some won't. For the most part, running as "notroot" isn't too restrictive.

At this point I generally install mc (Midnight Commander) and my favorite non-vi editor jed, mostly because I've been running both for the last fifteen years and I can't live without them.

And of course, I need obfuscated-openssh if I want to "phone home" over ssh. You have to build it (BT5 already has build-essential, but it needs libssl-dev to compile). Get a USB drive and build it there and you'll have it next time you need it. If you're going to be hopping between 32- and 64-bit versions of BT5, build the 32-bit version since it works fine on both platforms.
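The whole "notroot" routine above, from the account through the packages to the obfuscated-openssh build on the USB stick, as one script. This is an added example of mine, not from the post or the BackTrack project: the account name, the admin group, the USB mount point and the location of the obfuscated-openssh source tree are assumptions, and the build assumes the tree already has its `configure` script (a git checkout needs `autoreconf` first). It only does anything when run as root from the live DVD console with `sh bt5-notroot.sh run`; sourcing it just defines the functions.

```shell
#!/bin/sh
# Added example, not from the post or the BackTrack project: the
# "lose the hacker desktop" setup as one script.  Run as root from the
# BT5 live DVD console with:  sh bt5-notroot.sh run
# Account name, admin group, USB mount point and the obfuscated-openssh
# source location are assumptions.
set -eu

USER_NAME="${USER_NAME:-notroot}"
ADMIN_GROUP="${ADMIN_GROUP:-admin}"          # passwordless sudo on BT5, so no privilege boundary
USB_DIR="${USB_DIR:-/media/usb}"             # survives reboots, unlike the live filesystem
OBFSSH_SRC="${OBFSSH_SRC:-$USB_DIR/obfuscated-openssh}"   # unpacked source tree with configure present

# user_exists NAME / group_exists NAME -> true if the account or group is known
user_exists()  { id "$1" >/dev/null 2>&1; }
group_exists() { grep -q "^$1:" /etc/group 2>/dev/null; }

# is_root -> true when the effective uid is 0
is_root() { [ "$(id -u)" -eq 0 ]; }

# bits_for_arch ARCH -> 32, 64 or unknown for a uname -m string; the post
# recommends the 32-bit build because it runs on both BT5 flavours
bits_for_arch() {
    case "$1" in
        x86_64|amd64) echo 64 ;;
        i?86)         echo 32 ;;
        *)            echo unknown ;;
    esac
}

setup_account() {
    is_root || { echo "run this as root from the live DVD" >&2; return 1; }
    group_exists "$ADMIN_GROUP" || { echo "no group $ADMIN_GROUP in /etc/group" >&2; return 1; }
    if ! user_exists "$USER_NAME"; then
        useradd -m -s /bin/bash -G "$ADMIN_GROUP" "$USER_NAME"
    fi
    echo "new password for root (the live DVD default is public knowledge):"
    passwd root
    echo "password for $USER_NAME:"
    passwd "$USER_NAME"
}

install_packages() {
    apt-get update
    # Chromium will not start as root, hence the unprivileged account;
    # libssl-dev is the one thing obfuscated-openssh needs beyond build-essential
    apt-get install -y chromium-browser mc jed libssl-dev
}

build_obfssh() {
    [ -x "$OBFSSH_SRC/configure" ] || { echo "no configure script in $OBFSSH_SRC (autoreconf first?)" >&2; return 1; }
    bits=$(bits_for_arch "$(uname -m)")
    [ "$bits" = 32 ] || echo "note: building on a ${bits}-bit kernel; a 32-bit build would run on both" >&2
    ( cd "$OBFSSH_SRC" && ./configure --prefix="$USB_DIR/obfssh" && make && make install )
    echo "binaries in $USB_DIR/obfssh/bin; put that on PATH next boot"
}

# Only do the work when invoked with "run"; sourcing the file just defines the functions.
case "${1:-}" in
    run) setup_account
         install_packages
         build_obfssh
         echo "next: su - $USER_NAME && startx   (dhclient wlan0 if Wicd does not get an address)" ;;
esac
```

Nothing here is persisted except what lands on the USB stick, which is the point of booting from a DVD: the account and the packages are gone at the next reboot, the obfuscated-openssh build is not.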

If you're into wireless hacking, get yourself an Alfa USB card (based on the Realtek RTL8187 chipset) and check out Vivek Ramachandran's megaprimer on SecurityTube. Lots of excellent information on wireless hacking with BT5 for newb and expert alike.

As a LiveDVD, I highly recommend BT5, but I doubt if I would ever install it as a desktop or notebook OS. It is an excellent tool that I would have used—instead of Linux Mint—to rescue my JFS drives back in March.

Saturday, June 04, 2011

Gunz, Lulz, and InfraGard

Being an 80s vintage hacker, I have often claimed that I don't own a hat... black, white, gray, or otherwise, although it might be proper to refer to me as a "tinfoil hat hacker" at times.

I'm just not that into hats. Or people who wear hats, metaphorical or physical.

But lately, in the people-who-wear-hats security universe, a battle is going on between the white hats and the black hats, and the black hats are winning.

As usual.

Of course, I'm referring to LulzSec vs. Everyone Else. One of their most recent targets has been InfraGard, an association of Security Tards Professionals I have had very little contact with in the last ten years.

In fact, my exposure to them has been very brief. I went to one of the first public meetings of the local chapter just to see what it was about. This was somewhere in the 2001-2003 time frame. The Guest of Honor was an alleged "FBI Agent" who never showed a badge and left a HotMail address.

Yeah, riiiight. Some credentials you got there, Mulder.

The only other thing I remember about that meeting was leaving, unimpressed. I never planned to join. It was just curiosity.

But somehow, I got on their mailing list. In almost every meeting announcement, there was usually something about going out to a shooting range afterwards to kill imaginary hackers. And sometimes the emails were only about getting together at a shooting range, to the point that InfraGard was more about guns than anything else.

Don't believe that? Try this Google search. I'm not making it up.

Then, at various Travelling Security Dog & Pony Shows in the area, I ran across the InfraGard "principals" as either participants or sponsors. The chit-chat from these clowns before or after the show was always "my new gun this" or "my new gun that" ad nauseam.

By this time—around 2005—I was firmly convinced InfraGard was just another Gun Club that had nothing to do with security (except for killing people, which I will admit is a valid security strategy, but not the only one and not among those I was personally or professionally interested in).

So I have to admit to no small amount of schadenfreude over LulzSec's recent pwnage of the Atlanta InfraGard chapter.

There's more to security than guns, fellas.

But you know that... now.

Has Google Been Shitting Itself Lately?



I just used that search box over on the right to look for references to RaLink wireless adapters here. Nothing came up. Then I did your standard Google-Fu against the site and got 13 hits, going back to 2007.

WTF?

I have also been having issues with Google Maps since early April, the latest being the inability to save street intersections to the M/S 2011 Map. Any plain old street number will work, but it hangs on intersections. I've tested it with every browser I run (and I run a lot of different browsers) with the same result. I can work around that, so it's not a big deal.

But it is annoying.

Another annoying Maps issue is the display during editing. If you move a marker from page 2 to page 1, the markers are all over the place. Luckily it only happens during editing.

And then there's Google Update. I kept getting an "Update server not available" error, so I finally re-installed it.

The last time I bitched about Google, my machine died a horrible death (long story, lots of blog fodder there), so I'm somewhat hesitant to put the blame elsewhere.

If you've had any issues, drop me a line.