Category Archives: Security

More Hacking Without The Slashing

It seems that earlier this week (8/5/2012 – 8/11/2012) the network, and I am sure some servers, at Blizzard, the game company most notably behind World of Warcraft, got hacked. A list of games that are either played or accessible online is at the end of this post for your reference, to help you determine whether this company is behind a game that you play or like.

At this time, Blizzard “security experts” and law enforcement are investigating what happened. They are working to find out how someone managed to get into parts of Blizzard’s network where they didn’t belong, and also what information might have been lifted before the nefarious access could be cut off. So far, Blizzard claims that there is no evidence that any financial information such as credit cards, billing addresses, or real names was compromised. Their work is far from over, but they have found nothing to suggest that these pieces of information have been accessed.

The only information that they can confirm was illegally accessed is a list of email addresses for global Battle.net users outside of China. Players on North American servers (which include players from North America, Latin America, Australia, New Zealand, and Southeast Asia) also had the answers to their personal security questions accessed, and information about Dial-in and Mobile Authenticators was taken too. However, based on what Blizzard currently knows, this information alone is not enough for anyone to gain access to players’ Battle.net accounts.

It appears too that some encrypted passwords were taken as well; however, Blizzard is confident that its encryption methods and use of SRP (Secure Remote Password protocol) to protect these passwords will make it extremely difficult to extract the actual passwords themselves. They do recommend that all Battle.net users change their passwords for good measure, and if the same password is or was used anywhere else, for any other service, they recommend changing that password also.
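The paragraph above leans on SRP without saying what it actually buys you. The following is an added example, not code from the post or from Blizzard, that walks through a minimal SRP-6a exchange: the server stores only a salt and a verifier, the client proves it knows the password without ever sending it, and a copied verifier cannot be used to log in as the user. What a leaked verifier still permits is offline password guessing against the salt, which is exactly why the change-your-password advice stands. The 127-bit group, the account name and the passwords are constructed for the demo; real deployments use the RFC 5054 groups and a vetted library.

```python
# Added example, not from the post or from Blizzard: a minimal SRP-6a round trip
# showing what an SRP server stores (a salt and a verifier, never the password)
# and why a copied verifier still cannot be used to log in as the user.
# The 127-bit group below is a constructed toy so the arithmetic stays readable;
# real deployments use the RFC 5054 groups (1024 bits and up) and a vetted library.
import hashlib
import secrets

N = 2**127 - 1   # toy prime modulus (constructed; far too small for real use)
g = 2            # toy generator


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Fixed-width encoding (PAD in RFC 5054) so hash inputs are unambiguous."""
    return n.to_bytes((N.bit_length() + 7) // 8, "big")


# SRP-6a multiplier: binds the exchange to this particular (N, g).
k = H(pad(N), pad(g))


def private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ':' P)). This is the only place the password is used."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str) -> dict:
    """What the server keeps: identity, salt and verifier v = g^x mod N."""
    salt = secrets.token_bytes(16)
    x = private_key(salt, username, password)
    return {"I": username, "s": salt, "v": pow(g, x, N)}


def authenticate(record: dict, username: str, password: str) -> tuple:
    """Run both sides of the SRP exchange; return (client_key, server_key)."""
    # Client: ephemeral private a, public A = g^a.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: ephemeral private b, public B = k*v + g^b (mixes in the verifier).
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    # Both sides abort on a zero public value (RFC 5054 safety check).
    if A % N == 0 or B % N == 0:
        raise ValueError("public value is zero mod N; abort the exchange")
    # Scrambling parameter u, computed identically on both sides.
    u = H(pad(A), pad(B))
    # Client: needs the password (through x) but never transmits it.
    x = private_key(record["s"], username, password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: needs only the stored verifier v, never x or the password.
    s_server = pow((A * pow(record["v"], u, N)) % N, b, N)
    return hashlib.sha256(pad(s_client)).digest(), hashlib.sha256(pad(s_server)).digest()


def login_succeeds(record: dict, username: str, password: str) -> bool:
    """True only if the client knew the password the verifier was derived from."""
    client_key, server_key = authenticate(record, username, password)
    return secrets.compare_digest(client_key, server_key)


if __name__ == "__main__":
    # Constructed demo account; nothing here is a real credential.
    rec = enroll("player@example.com", "correct horse battery staple")
    print("server stores:", sorted(rec))   # ['I', 's', 'v']: no password, no password hash
    print("right password:", login_succeeds(rec, "player@example.com", "correct horse battery staple"))
    print("wrong password:", login_succeeds(rec, "player@example.com", "Tr0ub4dor&3"))
```

Note that `authenticate` runs both parties in one function purely for readability; in a real protocol A travels client to server, B and the salt travel back, and only the hashed proofs of the shared key cross the wire afterward.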

All in all, this is a bad way to end the week for Blizzard. I expect that a great effort will go into finding whoever did this, catching them, and using them as a bright and shiny example of not messing around with Blizzard. Just my 2cp worth.

*Notes: Other games that Blizzard is known for and currently supports include World of Warcraft, Diablo II, Diablo III, StarCraft II and more; these are the most relevant and Internet-connected of them.

SPAM ALERT!

Like everyone else I get a ton of SPAM in my inbox, even with all of the SPAM-fighting tools I can find and use.  Usually, as a last line of defense, I use a product called Mailwasher to catch anything that gets past server filters, but we’ll talk about Mailwasher later.  This post is the first of many, I am sure, where I alert folks to some especially crafty pieces of mail that get through, look legit, but carry dangerous payloads.  These messages carry viruses or are phishing attacks (where people try to trick you into giving them information like usernames and passwords), so I thought I would start posting about the ones that I see.  I get people and customers asking me about these emails, what they are and whether they are real, so I thought some of my readers might have the same questions.

So, here we go with the first two:

  1. Look out for emails that appear to be from PayPal.  They will look like they came from a valid PayPal address and will have a subject saying something like “You sent a payment”, and in the body of the message they will tell you that you sent a payment of X number of dollars (it varies between emails but is usually anywhere from a hundred to thousands of dollars).  It will then have links to click on to supposedly get information about the payment.  This is where they spring the trap, when you click on the links.  Most likely you will be sent to a fake PayPal login page, and when you log in you will get some kind of error or redirect, but most importantly, they now have your PayPal username and password; think about that!  So be on the lookout: if you haven’t sent any payments, or don’t even use PayPal, don’t fall for these emails.  Just delete them, and if you feel the need to check your PayPal account, go to PayPal directly by typing in the address yourself so you know you are going to the right place.
  2. Next, we have an email carrying a virus payload called DROPPER.  Your anti-virus software (you ARE using AV, aren’t you???) should catch it, but just in case I’ll post the common headers below.  Keep in mind that they might look slightly different, such as a different case number, but they should be similar.  Keep in mind too: when have you had any contact with the Better Business Bureau?  If you haven’t, which is likely, then that ought to be the first red flag with these emails!  Here are the subject and from address as I have seen them:
    1. From: Better Business Bureau (info@bbb.org)
    2. Subject: BBB assistance Re: Case # 27368244

Remember, the case number may vary, and as always, keep a keen eye on your email and remember that if it looks suspicious, it probably is!
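Both lures above have tells that a filter can check mechanically: links that lead somewhere other than the sender’s own domain, a subject that matches the BBB case-number pattern with any number in it, and a “Re:” on a message that is not actually a reply to anything. The following is an added example, not code from the post or from Mailwasher, that screens constructed sample messages for those tells. The sender allow-list and the `.example` hostnames are made up for illustration; only the BBB From and Subject values come from the post.

```python
# Added example, not from the post: a small screening pass for the two lures described
# above, run over constructed sample messages. The sender allow-list and the .example
# hostnames are made up for illustration; only the BBB From/Subject values are from the post.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which link domains we expect from a given sender domain (constructed allow-list).
EXPECTED_LINK_DOMAINS = {"paypal.com": {"paypal.com"}}

# Item 2's subject with the case number wildcarded, since the post says it varies.
BBB_CASE_SUBJECT = re.compile(r"^BBB assistance Re: Case # \d+$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for n, v in attrs if n == "href" and v)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; crude, but enough for these samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def screen(raw_message: str) -> list:
    """Return the reasons a message looks like one of the lures (empty list = none found)."""
    msg = message_from_string(raw_message)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # Item 1: links that lead somewhere other than the sender's own domain.
    expected = EXPECTED_LINK_DOMAINS.get(from_domain)
    if expected and not msg.is_multipart():
        charset = msg.get_content_charset() or "utf-8"
        body = (msg.get_payload(decode=True) or b"").decode(charset, "replace")
        extractor = LinkExtractor()
        extractor.feed(body)
        for link in extractor.links:
            host = urlparse(link).hostname or ""
            if registered_domain(host) not in expected:
                reasons.append(f"link to {host} in mail claiming to be from {from_domain}")

    # Item 2: the BBB case-number subject line.
    subject = msg.get("Subject", "").strip()
    if BBB_CASE_SUBJECT.match(subject):
        reasons.append("subject matches the BBB case-number lure")

    # A 'Re:' that is not a reply to anything you sent (no threading headers at all).
    if re.search(r"\bRe:", subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("'Re:' subject with no In-Reply-To/References header")
    return reasons


# Constructed samples. Bodies and addresses are made up; the BBB From and Subject
# are the values quoted in the post.
PAYPAL_LURE = """From: "PayPal" <service@paypal.com>
To: you@example.net
Subject: You sent a payment
Content-Type: text/html; charset="utf-8"

<html><body><p>You sent a payment of $1,487.00.</p>
<p><a href="http://paypal.com.account-verify.example/login">View the details of this transaction</a></p>
</body></html>
"""

PAYPAL_LEGIT = """From: "PayPal" <service@paypal.com>
To: you@example.net
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.paypal.com/myaccount/activity">Log in to see this transaction</a></p></body></html>
"""

BBB_DROPPER = """From: Better Business Bureau <info@bbb.org>
To: you@example.net
Subject: BBB assistance Re: Case # 27368244
Content-Type: text/plain

Please review the attached complaint.
"""

if __name__ == "__main__":
    for name, sample in [("PayPal lure", PAYPAL_LURE), ("PayPal legit", PAYPAL_LEGIT), ("BBB", BBB_DROPPER)]:
        print(f"{name}: {screen(sample) or ['nothing flagged']}")
```

The link check is the durable one: a lure can change its subject and dollar amount at will, but it has to send you somewhere it controls, and that hostname will not be the sender’s domain. The regex for the BBB subject is deliberately loose about the number for the reason the post gives.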

Navicat SSH Tunnel Error – 2013 Lost connection to MySQL server

This post is for anyone out there running any Navicat database tools.  The company, PremiumSoft, that makes the line of Navicat tools is probably best known for their incredible database administration tool, Navicat.  That’s where I first found them.  They make a database admin tool that can connect to MySQL, MS SQL Server, Oracle, SQLite and everything in between.  Aside from being able to connect to just about anything that stores data, once connected you can do so many cool things with your databases in the name of database administration that it would take me a week to create a post for it all.  Besides, this post isn’t a commercial for Navicat, but I did have to share just how good this product is.  Believe me, it is amazing, and now they have this really wicked data modeling tool that works hand in hand with the database admin tool.  You need to see it to believe it.  Check out their site [link]; they have very good demos and lots of information about the products.

My apologies, I digress.  The main purpose of my post was to inform people already using Navicat or any of the other PremiumSoft products about a problem I ran into and a way to fix it.  I am using the software with MySQL databases primarily, but I believe the principle of the fix will apply to any database and server out there, especially on Linux.

Now, one of the really cool things about the database admin and data modeling tools is that they can connect to your database via an SSH (Secure Shell, port 22) tunnel, instead of the normal default and usually plain-text method.  For example, by default, when you connect to a MySQL server, the username and password you give to the server are sent in plain text, so anyone can read them.  Any command you type on that database console is also sent in plain text, so anyone can read it.  Think about the new user you just created for your new web hosting customer.  What if their database username and password fell into the wrong hands?  It might be bad, it might not; it might be localized to just that one customer/user, which would be bad enough, but suppose they found an exploit and got root on your server.  Now they have all of your data.  Even if you don’t have any data that is secret, the hassle alone, not to mention explaining all of this to your customer(s), makes this a really bad day.

This isn’t usually a big concern if you are running the database on the same server as the web server (which is common practice in many hosting scenarios), and if your database tools, like the MySQL command line tools, are on the server too.  But what if you want to connect to the database from, say, your PC, as you would with a database admin tool like Navicat?  You certainly don’t want all of the data that you will be sending back and forth to be in plain text, right?  Well, now you don’t have to leave it in plain text!  You can set up the connection in Navicat to connect to the Secure Shell server, which means you have an encrypted connection and not plain text.  Then you can use the SSH tunnel that was created to connect to the database server itself.  What this means is that the SSH server redirects your communications to the database server locally, so no one can see them, just as if you were sitting at the server itself.

I’ll run through it again real quick; see if this makes sense.  The connection between your PC and the server running the database is now encrypted and secure from prying eyes because, instead of connecting to the database server directly, you are connecting to the Secure Shell server.  It is the Secure Shell server that takes your communication and hands it off to the database server internally, so it’s safe from anyone watching outside.  It’s really cool, and just another reason I love the Navicat product so much.  Not to mention Linux as well!

The problem that I found was this: when I created the link to the SSH server in order to talk to the MySQL server, it wouldn’t connect.  I would get the connection to the SSH server, but when it then tried to talk to the database server, the database server kicked it out as if no connection could be made.  I tried connecting locally from the Linux console, thinking that maybe I had killed some MySQL process that listens for connections, but it was working fine.  I tried again and again but it just didn’t work.  The error I was getting from Navicat was this:

2013 – Lost connection to MySQL server at ‘reading initial communication packet’, system error: 0

I did some digging and found a basic setting to check.  This didn’t fix the problem, but I thought I would share it here since it has to be set in order for the tunnel to work:

  1. In the sshd config file (/etc/ssh/sshd_config) make sure that AllowTcpForwarding is enabled, because the default is disabled in most cases.

What I finally found to be causing the problem was TCP_WRAPPERS.  Naturally, in my hosts.allow file I had the IP address of my PC in there so that I could connect to the server, so at first it seemed odd that this was my problem.  However, when you think about it, it makes sense.  The connection that is coming to the MySQL server originates not from my PC but from the SSH server itself.  That’s right: my connection stops at the SSH server, and then the SSH server sends the data to the database server.  This is a simplified view of things, but it should serve to illustrate what’s going on.  Therefore, the simple fix was to add mysqld: localhost or mysqld: 127.0.0.1 to the hosts.allow file in order to allow the traffic to go through TCP_WRAPPERS to the MySQL server.  I read more about this once I worked it out, and I saw some “technicians” offering the solution of adding mysqld: ALL to their hosts.allow file.  Egads! I said!  Technically that would work, but damn, don’t open it up to allow everyone into your databases!!!  Just add localhost or 127.0.0.1 and you will be fine, and you will keep out the other riff-raff.  I hope this helps some of you out there, enjoy!
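The two settings above (AllowTcpForwarding in sshd_config, and a hosts.allow rule that admits the loopback address to mysqld) are easy to check before pointing a tunnel at a server, and the difference between the weak `mysqld: ALL` and the proper `mysqld: 127.0.0.1, localhost` is worth catching mechanically. The following is an added example, not code from the post, from Navicat or from OpenSSH: it audits the two files and prints the plain `ssh -L` command that does the same thing Navicat does under the hood. The functions take file contents as text so they can run here against constructed samples; on a real host you would read /etc/ssh/sshd_config and /etc/hosts.allow. One caveat about the sshd check: when the keyword is absent, stock OpenSSH defaults AllowTcpForwarding to yes, though hardened templates often set it to no, so the check treats an absent keyword as enabled. The 203.0.113.x addresses and the `db.example.com` host are made up.

```python
# Added example, not from the post: checks for the two settings the post names before
# pointing a Navicat (or plain ssh -L) tunnel at a server. Functions take the file
# contents as text so they run here against constructed samples; on a real host read
# /etc/ssh/sshd_config and /etc/hosts.allow. Addresses are from the 203.0.113.0/24
# documentation range and are made up.
import re

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def tcp_forwarding_enabled(sshd_config: str) -> bool:
    """sshd uses the first occurrence of a keyword. Absent means stock OpenSSH's
    default of yes; 'local' also suffices for a client-side -L tunnel."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "allowtcpforwarding" and len(parts) == 2:
            return parts[1].strip().lower() in ("yes", "all", "local")
    return True


def mysqld_wrapper_clients(hosts_allow: str):
    """Client list of the first hosts.allow rule whose daemon list covers mysqld,
    or None if no rule does (then hosts.deny decides, commonly 'ALL: ALL')."""
    for raw in hosts_allow.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        if not {"mysqld", "ALL"} & set(re.split(r"[,\s]+", daemons.strip())):
            continue
        # Next field boundary is a colon outside [...] so bracketed IPv6 survives.
        clients = re.split(r":(?![^\[]*\])", rest, maxsplit=1)[0]
        return [c for c in re.split(r"[,\s]+", clients.strip()) if c]
    return None


def audit(sshd_config: str, hosts_allow: str) -> list:
    """Findings to fix before expecting the tunnel to work, and to work safely."""
    findings = []
    if not tcp_forwarding_enabled(sshd_config):
        findings.append("AllowTcpForwarding is off in sshd_config; the tunnel cannot be built")
    clients = mysqld_wrapper_clients(hosts_allow)
    if clients is not None and "ALL" in clients:
        findings.append("hosts.allow admits ALL clients to mysqld; restrict it to 127.0.0.1/localhost")
    elif clients is None or not LOOPBACK & set(clients):
        findings.append("hosts.allow has no mysqld rule for 127.0.0.1/localhost; tunnelled "
                        "connections arrive from the server itself and will be refused")
    return findings


def tunnel_command(ssh_user: str, ssh_host: str, local_port: int = 3307) -> list:
    """The manual equivalent of Navicat's tunnel: forward a local port to MySQL on the
    server's own loopback. This is why mysqld (and TCP wrappers) see 127.0.0.1."""
    return ["ssh", "-N", "-L", f"{local_port}:127.0.0.1:3306", f"{ssh_user}@{ssh_host}"]


# Constructed samples.
SSHD_OK = "Port 22\nAllowTcpForwarding yes\n"
SSHD_NO_FORWARD = "Port 22\nAllowTcpForwarding no\n"
HOSTS_ALLOW_PC_ONLY = "sshd: 203.0.113.10\nmysqld: 203.0.113.10\n"        # the post's starting point
HOSTS_ALLOW_OPEN = "sshd: 203.0.113.10\nmysqld: ALL\n"                     # the "technicians'" fix
HOSTS_ALLOW_FIXED = "sshd: 203.0.113.10\nmysqld: 127.0.0.1, localhost\n"   # the post's fix

if __name__ == "__main__":
    for name, text in [("PC only", HOSTS_ALLOW_PC_ONLY), ("ALL", HOSTS_ALLOW_OPEN), ("loopback", HOSTS_ALLOW_FIXED)]:
        print(f"{name}: {audit(SSHD_OK, text) or ['ok']}")
    print(" ".join(tunnel_command("dbadmin", "db.example.com")))
```

The same origin logic applies one layer up, inside MySQL itself: because the tunnelled connection reaches mysqld from 127.0.0.1, the account you connect with must be granted for 'localhost' or '127.0.0.1', not only for your PC’s address, or MySQL will refuse it after TCP wrappers let it through.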

Review: Ghost In The Wires

This post is a little bit different than normal, but I think it still applies overall to the scope that I am going for here.  I just finished reading a really cool book called Ghost in the Wires, written by Kevin Mitnick and William L. Simon with a foreword by Steve Wozniak.  Sounds like a thrill ride already, doesn’t it?

I am sure I don’t have to tell anyone reading this blog who Kevin Mitnick is, but just in case, he’s a well-known (in geek circles at least) hacker/social engineer who spent years breaking into corporate systems all over the U.S.  Some of the systems he gained access to belonged to Motorola, Sun Microsystems, Novell, and more.  By the time he was caught and arrested the final time in Raleigh, N.C., in 1995, he was the most wanted computer criminal in the United States.

This book basically tells his story from early in life up to when he got arrested in 1995.  He talks about his exploits, his hacks, the people he hacked with and, most entertaining of all, how he managed to pull off all this crazy stuff.

So, if you are looking for an informative book, as well as one that is funny and entertaining as heck, look no further.  The audio book is good, with a great reader, and the hardcover and Kindle editions are great too.  I advise you to check one of them out; this book was great!

Check it out at Amazon now: Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker … Or if you’d rather get it for your Kindle, click HERE for the Kindle version!

New Advisory Pages!

Whoah!  We have been busy, busy over here setting up a bunch of new advisory pages.  Just in case you are wondering, we take an RSS feed and set it up to display on a page.  So, you can click on that page link and get the latest information from that RSS feed right there on the page here at Solarum dot com.  We have many of the major feeds that IT folk would be interested in, from Microsoft and Cisco security advisories to Linux and UNIX as well.  We even include feeds from NIST, US Cert, OSVDB and more so we can keep an eye on apps and everything else too.  Not to mention that we add feeds any time we can, and especially when we find good information to share.  Enough talking, why don’t you go check them out, they are in the middle column near the top, all the information you need!  If you know of a feed that we should carry, please let us know so we can add it!!

New Firefox Addon Found, Fixes Drudge Report Refresh Roil

I am a news junkie, I love to read the news from many sources and (try to) keep up with what is going on in the world.  One of the sites I frequent a lot is the Drudge Report, and anyone who has been there will know that (to me anyway) one really annoying thing about that site is the constant page refreshing.  Maybe this is done in an attempt to load more banner ads or something, but it gets on my nerves when I keep losing my place as I am reading articles.

So, in my attempt to find an easy way to stop the Drudge Report website from refreshing every second or so (OK, maybe not EVERY second), I came across a nifty little plugin for Firefox that allows you to blacklist websites and thus stop them from running scripts.  In this case that also meant that Drudge no longer refreshes while I am reading the news.  It’s a lot like the NoScript plugin that we have talked about before, except that instead of deny all and permit by exception, this one is the other way around.  Everything is whitelisted by default and you blacklist the sites on which you don’t want scripts to run.  It works great for me, and I have found it to be quite useful.  I have added it to the Must Have Firefox Extensions page in the Library; go check it out and, while you are there, see what other ones we talk about.  Enjoy!