
Archive for the ‘Linux’ Category

Transferring contacts from your Palm to your Droid

January 21st, 2010, by chad

I thought I’d write this up so others don’t have to search all over for it. I have recently switched from a Palm Treo 700P to a Motorola Droid. Verizon employees couldn’t figure out how to move my contacts from the Palm to the Droid, but I did and thought I’d share. Here’s how to do it.

You have a couple of options – either have the Verizon people do it (which didn’t work in my case), set up a GMail account and export all of your contacts there (why give Google access to all of that info?), OR you can export all of your own contacts from your Palm Desktop application into the Droid itself without the middleman. Be sure to follow these steps in the order in which they are written.

- Sync your Palm to make sure all of your contact information is up to date
- Open the Palm Desktop application
- Go to the Contacts section, click on Edit -> Select All
- Once all contacts are highlighted, click on File -> Export -> Export as VCard
- Connect the Droid to your computer
- When prompted on your Droid, select Notifications -> USB -> Mount
- Your Droid should show up as a new drive on your PC at this point
- Copy the VCard file (should end in “vcf”) that you exported to the Droid “drive”
- Unmount and then disconnect the Droid from your PC (important)
- Open Contacts on your Droid and choose Import/Export from the options on the menu
- Choose to Import from SD Card
- After importing, go to Contacts and choose Display Options from the menu
- Expand your gmail account menu and check everything that has “System Group:” by it. In my case, for example, it was “System Group: My Contacts”, “System Group: Friends”, “System Group: Family”, “System Group: Business”
- Done

The export to vCard will bring your numbers, emails, and addresses for each contact, in addition to notes you may have written about each contact. The only issue I had is that it didn’t like to import all of the pictures from the Palm so I had to edit the VCard file slightly by hand. Other than that, smooth as silk. I’ll also be posting this to my own web site along with a full review soon…

UPDATE: Just another bit of information – you can export contacts in VCard format from a variety of email applications including Outlook and Evolution. The whole process basically works the same way whether using Windows, Linux, or a Mac.
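The one snag mentioned above was the embedded pictures, which had to be edited out of the vCard file by hand. As an added example (not part of the original post), here is a small Python script that does that edit automatically: it removes every PHOTO property together with its folded base64 continuation lines, leaves all other properties untouched, and counts the contacts before and after so nothing is silently lost. The sample vCard data inside it is constructed; the file names are placeholders.

```python
"""Strip embedded PHOTO properties from a vCard export (added example)."""
import re
import sys
from typing import List

# Constructed sample: two contacts as a Palm Desktop-style export. The first
# carries an inline base64 photo folded over continuation lines (vCard 2.1
# style, terminated by a blank line); the second references a photo by URI.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:2.1
N:Doe;Jane
FN:Jane Doe
TEL;CELL:555-0100
EMAIL:jane@example.com
PHOTO;ENCODING=BASE64;TYPE=JPEG:
 /9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
 Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh

NOTE:Met at the Grand Rapids user group
END:VCARD
BEGIN:VCARD
VERSION:3.0
N:Roe;Richard
FN:Richard Roe
TEL;TYPE=WORK:555-0199
PHOTO;VALUE=URI:http://photos.example.com/roe.jpg
END:VCARD
"""

# A PHOTO property line, optionally prefixed by a vCard group ("item1.PHOTO:").
PHOTO_RE = re.compile(r"(?i)^(?:[\w-]+\.)?PHOTO[;:]")


def strip_photos(vcf_text: str) -> str:
    """Return the vCard text with every PHOTO property (and its folded
    continuation lines) removed; all other properties are kept verbatim."""
    out: List[str] = []
    skipping = False
    for line in vcf_text.splitlines():
        if skipping:
            # Folded lines start with a space or tab; vCard 2.1 additionally
            # terminates an inline base64 blob with one empty line.
            if line.startswith((" ", "\t")) or line == "":
                continue
            skipping = False
        if PHOTO_RE.match(line):
            skipping = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def count_contacts(vcf_text: str) -> int:
    """Number of BEGIN:VCARD records, used to confirm nothing was lost."""
    return sum(1 for line in vcf_text.splitlines() if line.strip().upper() == "BEGIN:VCARD")


if __name__ == "__main__":
    # Usage: python strip_vcard_photos.py export.vcf cleaned.vcf  (file names are placeholders)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_VCF
    cleaned = strip_photos(text)
    if len(sys.argv) == 3:
        # vCard wants CRLF line endings; newline="\r\n" rewrites "\n" on output
        with open(sys.argv[2], "w", encoding="utf-8", newline="\r\n") as fh:
            fh.write(cleaned)
    print(f"{count_contacts(text)} contacts in, {count_contacts(cleaned)} contacts out")
```

Run it on the exported file before copying the result to the phone; if the "in" and "out" counts differ, the export is damaged and should be redone rather than imported.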

Flaws with the Federal Do Not Call list

August 20th, 2008, by chad

This is a bit of a rant, but some may find it quite practical. Why is this limited to just telemarketers? Debt collectors, campaigners, and non-profits need to be included.

For about a year I kept getting hammered by an automated call only leaving a number to call back. A Google search turned up the number belonged to a collection agency in Chicago. They were hammering stale cases and my new number from a move just happened to be one of the numbers they had. I even had it happen after I moved since my number was associated with the address of the house I USED to live in two years ago. The call was for the owner who lived there before me!

I called them and told them to put me on their DNC list. They informed me that they were exempt as they were not telemarketers. I have had the same thing happen to me many times and to friends and family as well. Here is the 411 for you:

1) They ARE exempt from all telemarketing laws. Everyone likes to bring that up on the phone, but they are actually right.

2) So what now? They are still not exempt from basic laws governing harassment. You could deal with your phone company or talk to a supervisor of the debt collection agency and threaten a lawsuit if they keep calling you, or you could just go to…

3) Deal with them under the Fair Debt Collection Practices Act. They MUST inform you of their mailing address and the appropriate department. Send them a typed letter explaining that you are not the person they keep asking for and that you have no knowledge of this person or of any debts this person has. Demand that all communications to that number cease immediately or you will seek remedies under the FDCPA.

Believe it or not, this works every time under the FDCPA. The reason why is that 99.9% of the people complain on the phone, where the debt collection agency is not liable. Hardly anyone ever writes a letter. Write the letter; it will stop. If it does not, you have a $5,000 insta-claim in a small claims court of your choice.

People are absolutely wrong about somebody deserving to be harassed by debt collectors. Nobody EVER deserves to be harassed under any circumstances. That is why there are large awards in civil court cases for collection agencies with too much “zeal”.

I had clearly indicated I was not the party they were looking for (do I or my name even sound like “Susan”?). Any calls that occur after this are, by definition, harassment. Now this harassment is not necessarily fully written out under the aforementioned FDCPA, but it does not have to be. This is no different than any other person or company repeatedly calling a random person after being asked to stop.

As you can see from the FDCPA, even IF the debt collection agency is calling the right person there are still rules governing their ability to call them after being asked to stop. You might want to look at:

Causing a telephone to ring or engaging any person in telephone conversation repeatedly or continuously with intent to annoy, abuse, or harass any person at the called number.

Except as provided in section 804, the placement of telephone calls without meaningful disclosure of the caller’s identity.

Furthermore, at any time a person may send a letter to the collection agency asking that all telephone communications cease. Afterwards, the collection agency may only send letters to the person updating them on any actions being taken towards the debt.

CEASING COMMUNICATION. If a consumer notifies a debt collector in writing that the consumer refuses to pay a debt or that the consumer wishes the debt collector to cease further communication with the consumer, the debt collector shall not communicate further with the consumer with respect to such debt, except– (1) to advise the consumer that the debt collector’s further efforts are being terminated; (2) to notify the consumer that the debt collector or creditor may invoke specified remedies which are ordinarily invoked by such debt collector or creditor; or (3) where applicable, to notify the consumer that the debt collector or creditor intends to invoke a specified remedy.

If all else fails, fix it yourself with Asterisk. Numbers not on the whitelist are dumped into a recorded phone-tree maze with endless loops of meaningless choices and no way out except to hang up. It would be even better with a plugin that could try and string them on for a while without actually divulging any meaningful information by responding at pauses with phrases like “that sounds interesting”, “uh-huh”, and “I’m not sure”. The goal being to waste as much of the telemarketer’s time as possible on a dead end call (i.e. no sale) before they hang up in frustration.

Categories: Linux, Phone, Software

Verizon releases corporate security breach report

June 11th, 2008, by chad

Verizon Business has released a report that touches on what they found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches. These breaches include three of the five largest breaches ever reported. Here are a few of the items they discovered:

  • 87% of corporate data breaches could have been prevented if reasonable security measures had been in place (duh!).
  • Less than 25 percent of attacks took advantage of a known or unknown vulnerability.
  • Asian attacks (mainly China and Vietnam) are usually application exploits that are used for data compromise.
  • Most defacements originate out of the Middle East.

There’s also some very good information in the article regarding how to protect your network and data. I would strongly encourage any network/system administrator to, at the very least, browse this part of the report.

Why virus scanners are useless

May 20th, 2008, by chad

It’s been a long time since I’ve used a virus scanner at home, and I’ll tell you why:

1. Well, I’ve been using Linux since 1998. However, let’s put that aside as this still applies to before I completely converted to using strictly Linux in 2002.

2. It eats up system resources like you wouldn’t believe. Thanks, but I’d rather put my processor to better use – something other than doubling the processor power it takes to open a spreadsheet. FreeAVG seems to be the only decent anti-virus solution for Windows that doesn’t kill the processor usage by default.

3. They can only find known viruses. Maybe being “protected” from tens of thousands of viruses comforts you, but I’m worried about the few no one knows about yet, and AV software provides no protection against those.

4. They are only partially successful in removing viruses. How many times have you seen “Delete Failed! click here for more info”? I saw it a few times too many. I SHOULD NEVER EVER SEE THIS MESSAGE! This is a design failure.

5. AV software is not effective as a means of prevention. Virii come in two flavors, trojans and worms. Trojan – idiot user clicked on BrittneySpearsNaked.jpg.pif.bat.js.exe; AV cannot prevent this. Worm – Windows security issue; AV cannot prevent this. This is an over-simplification, and may not be 100% technically accurate, but you get the picture.

6. If AV software can’t prevent infection, and if it sometimes can’t even remove the infection, what good is it again? It’s good for Symantec, it’s good for McAfee, and it’s good for IT professionals who get to say “it’s not my fault, I did everything I could to prevent it” the next time a Code Red happens.

Categories: Antivirus, E-mail, Internet, Linux, Software, Windows

ICMP connectionless transmissions

April 22nd, 2008, by chad

As most people in networking know, ICMP and UDP transmissions are connectionless. However, not everyone quite understands what that means. Basically, if you send a ping request to another computer, you can spoof the address you’re sending from to make it look like it’s coming from somewhere else and the reply will actually go to the spoofed address. In this video, I will demonstrate spoofing ICMP packets to another computer on Davenport University’s network and across the internet making the packets appear to come from somewhere else. Keep in mind, this isn’t specific just to Davenport’s LAN – I could send these packets to any computer on the internet (as long as they accepted ICMP and/or UDP packets) and would get the same results.

This does have potential for abuse. A person could set up multiple machines to send large ICMP packets to another machine and they’d have a hard time figuring out where the packets are coming from in their firewall logs. In turn, this could potentially create a Denial of Service situation and would be fairly untraceable. I’ve heard this called a DRDoS attack (Distributed Reflective Denial of Service), spoof attack, and a ping flood before. Yes, it’s a spoof and ping flood, but with that twist of being less traceable.

I experimented at Davenport University with my laptop and a Davenport workstation. I was able to spoof packets from a machine within the Davenport network that appeared to be in Grand Rapids, Michigan called “grgw”. This is a server I had found in another experiment that also appeared to be running an SSH server. Fun stuff. I apologize for the bad video quality and “shakiness” – that’s what I get for trying to type with one hand and shoot video with the other ;)

Solution: Block ICMP packets at your firewall or router from the internet. Ping requests aren’t necessary if, for example, you know of a service that’s always running and that you could connect to as confirmation that the host is up.

Materials used: Spoofer – Compaq Presario laptop (2135US), spoofee – HP Compaq DC7600C with Ghostwall firewall (to prevent a required reboot on a Windows machine), Kodak Digital Camera (C743).
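The post notes that the target of a spoofed flood has a hard time making sense of its firewall logs. As an added example that is not part of the original post, the following Python script reads iptables LOG lines from the WAN interface and flags the two shapes described above: a burst of echo replies this host never asked for (the reflection case, where the logged sources are the reflectors rather than the origin) and an echo-request flood from one source. The log lines, the interface name, the logging rule and the thresholds are all constructed or assumed.

```python
"""Flag ICMP floods and unsolicited echo-reply reflection in iptables LOG output (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed log lines from an assumed rule such as
#   iptables -A INPUT -i eth0 -p icmp -j LOG --log-prefix "icmp: "
# placed after the conntrack ESTABLISHED,RELATED accept, so replies to pings
# this host actually sent never reach it and anything logged as TYPE=0 is unsolicited.
SAMPLE_LOG = """\
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1500 TTL=54 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.6 DST=198.51.100.10 LEN=1500 TTL=52 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=1500 TTL=49 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.10 LEN=1500 TTL=57 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=1500 TTL=61 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: icmp: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.10 LEN=1500 TTL=50 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Apr 22 14:03:11 gw kernel: tcp: IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.10 LEN=60 TTL=55 PROTO=TCP SPT=51234 DPT=22 SYN
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 TTL=58 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 TTL=58 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=2
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 TTL=58 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=3
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 TTL=58 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=4
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=84 TTL=58 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=5
Apr 22 14:03:12 gw kernel: icmp: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s.*?\bSRC=(\S+)\s+DST=(\S+)\s+LEN=(\d+)"
    r".*?\bPROTO=ICMP\b.*?\bTYPE=(\d+)"
)


class IcmpEvent(NamedTuple):
    second: int     # seconds since midnight, from the syslog timestamp
    src: str
    dst: str
    icmp_type: int
    length: int


def parse_icmp_events(lines: Iterable[str]) -> List[IcmpEvent]:
    """Keep only ICMP LOG lines; TCP/UDP entries and unrelated kernel messages are skipped."""
    events: List[IcmpEvent] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hh, mm, ss, src, dst, length, itype = m.groups()
        events.append(IcmpEvent(int(hh) * 3600 + int(mm) * 60 + int(ss), src, dst, int(itype), int(length)))
    return events


def detect(events: Iterable[IcmpEvent], threshold: int = 5) -> Dict[str, List[dict]]:
    """Per-second findings. 'reflection': unsolicited echo replies, typically from many
    distinct sources that are themselves only reflecting a spoofed request, so the
    logged SRC addresses do not identify the origin. 'request_flood': echo requests
    from one source at or above the threshold."""
    replies_per_sec: Dict[int, List[str]] = defaultdict(list)
    requests_per_sec_src: Counter = Counter()
    for ev in events:
        if ev.icmp_type == ECHO_REPLY:
            replies_per_sec[ev.second].append(ev.src)
        elif ev.icmp_type == ECHO_REQUEST:
            requests_per_sec_src[(ev.second, ev.src)] += 1

    findings: Dict[str, List[dict]] = {"reflection": [], "request_flood": []}
    for sec, srcs in sorted(replies_per_sec.items()):
        if len(srcs) >= threshold:
            findings["reflection"].append(
                {"second": sec, "packets": len(srcs), "distinct_sources": len(set(srcs))})
    for (sec, src), n in sorted(requests_per_sec_src.items()):
        if n >= threshold:
            findings["request_flood"].append({"second": sec, "src": src, "packets": n})
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_icmp_events(SAMPLE_LOG.splitlines())).items():
        for hit in hits:
            print(kind, hit)
```

The reflection finding is only meaningful if the LOG rule sits behind the stateful accept; otherwise every reply to your own pings would count as unsolicited. Note also that in the reflection case the sources listed are victims too, which is exactly why the post calls the attack hard to trace.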

Categories: DoS, Internet, Linux, Network

Enter John the Ripper

April 22nd, 2008, by chad

In a previous experiment, I had used Google to find shadow files on unix-based machines. The shadow file is located in the /etc/ directory on a unix-based machine and stores user passwords in encrypted form and should not be viewable by anyone other than the root user (“administrator” is the Windows version of “root” in *nix). There really is not much of a demonstration here other than what can be done to these files if they’re readable by others. Enter John the Ripper:

blackworldnews.com took 8 hours, 47 minutes, and 31 seconds to crack the blackworldnews account.

I fired up John on three of my workstations on April 11th and started each of them working on a single shadow file with multiple user accounts on each. The first two accounts on fishbonesgroup.com and the first three accounts on letrasticas.org were cracked in about 1 second (literally). Currently, John is still running on all three systems on each of the three shadow files. Here is the progress by date:

April 13th, 2008
April 14th, 2008
April 17th, 2008
April 22nd, 2008

As you can see, citizensusa.org must have a really good password policy, as not a single one of the passwords on the five accounts has been successfully cracked.

Solution: Properly configure your Linux machine – specifically the web server (Apache most likely). Make sure your organization has a sensible password policy.

Materials: An internet connection with access to Google.com, three Linux computers (older Dell models, < 1 GHz clock speed).

Categories: Internet, Linux, Software

Davenport University security

April 22nd, 2008, by chad

I meant to go back and follow up a little more, but for now I’ll post my findings so far. Honestly, Davenport has their act together for the most part – I only discovered very minor things that are easy fixes and do not pose an immediate security threat.

Back on March 12th, I needed to use the library for a short while. I used the map command to see what I’m already connected to for the heck of it. Afterwards, I started playing around in My Network Places – specifically the Novell Connections. First I played around with a share called Midland_4x, but nothing was too interesting there. Of course another one of the first things I had to check out was the part that said “STAFF” :P Still nothing interesting really.

I played around in the tree a little longer and finally found something that caught my eye – something that appeared to be a unix-based server with SSH. It used the default port (22), but ended up being either down or filtered by the firewall. Then I found another server that looked like it was for grad students that had somebody’s resume on it. The whole directory appeared to be world readable/writable. Two other things I’ll have to check out later are a front page to their Novell Open Enterprise Server (Novell and SUSE – good stuff!) and what appeared to be an open source project page. Nice :) I wasn’t sure what to make of their BMC Service Desk Express page or the APC InfrastruXure Manager page. Looks like I’ll have to do some more research on those when I get some time.

One thing that should probably be addressed is Apache being installed and running on several Novell servers. As you can see from the screenshot, the default index page is still up, which tells me that the administrators may not know Apache is running. As we are taught in several classes, unused services should never be running. /etc/init.d/apache2 stop :)

About a week later I went back to look for anything else that might catch my eye. I found what I was looking for in the “Documents and Settings” folder. If you surf to C:\Documents and Settings\, you’ll find the names of everyone who has logged into the computer. You’re also able to poke around in their folders, which show information such as downloaded programs, personal files saved to “My Documents”, and their “Favorites” amongst other things. While it could take forever to look for anything of interest in all of those folders at the library, all you have to do is output the tree command to a text file for later viewing. In defense of Davenport, they’re not the only ones who have this issue – Delta College does as well. They allow viewing of cookies and recent documents, which could reveal some information about the users or their online identities including hotmail, student email addresses, projects they are working on (assuming that’s a project), facebook identity, and more.

Overall, I was pretty happy with what I discovered…which wasn’t a lot ;)

Delta College miscellaneous security issues in a nutshell

April 20th, 2008, by chad

I previously discussed Delta College’s Linux email vulnerabilities, so I thought I’d discuss other vulnerabilities from the past as well. I have been frustrated with the responses I have received from Delta regarding security since back in 2003. The responses from all but one person have been “well, it’s our server and we’ll configure it how we want to”. Hey, I completely understand except for one tiny little detail – your server has MY PERSONAL INFORMATION attached to it as well as THOUSANDS of other students’ personal information. That and you’re a publicly funded school, so you should probably take the proper measures to make sure your students’ information is adequately protected. On the bright side, that, to me, means that they don’t mind the information I find being posted publicly.

eLearning is a wonderful tool that allows students the flexibility of not having specific class hours. It allows students that work during the day the ability to work on a class in the evening if a regular classroom setting isn’t available in the evening. It’s very similar, though not as functional, to the Blackboard Academic Suite. I had emailed the eLearning manager about a year and a half ago regarding potential security risks that could affect all students using the eLearning web site. The more “minor” risk of the two is the ability to use any HTML tag in a post. This should be restricted to using only the following tags: bold, italicize, underline, a href (links), and the rest should be stripped – PERIOD.

A more major flaw is that students are/were able to post using their teacher’s name. This is not done by changing the font colors, but is actually a flaw in the eLearning software itself. Again, it could easily be fixed if they blocked HTML tags except for the few I’ve suggested. As of this posting, I’m unsure if the flaw still exists as I haven’t had an online class at Delta in a couple of years.

Everything looks very secure as far as changing your password at Delta. SSL login and 3 pieces of “personal” information make it difficult for someone to brute force their way in to be able to change your password. I went over this recently.

Delta’s strongest links are webmail, MyDelta, and their signup page. This isn’t because they’re using specific server software or a specific OS – that’s irrelevant in the overall security. The reason they’re strong points in Delta’s network from a client standpoint is that they implement SSL for encrypted logins. More recently, after analyzing some packets while a friend logged in to their eLearning account, I found that logins are encrypted even though the front page is not (normally) using SSL unless the address is altered to use SSL (https vs. http).

One of Delta’s weakest links would have been Educator (eLearning) because the login was not encrypted. You used to be able to sniff passwords from fellow students or even your teachers. A certain teacher showed up in another class I used to take to check Educator before he went to his other class each day. I was able to capture his login name and password in clear text because eLearning did not implement SSL at the time. This was dangerous since students could alter their grades or other students’ grades if they were to log in as the teacher. It is also dangerous because Delta’s idea of security is sharing the same password across all Delta resources, both encrypted and unencrypted. Hence, if you sniff the password from the unencrypted sessions, the encrypted sessions mean nothing.

Another weak link is their Red Hat Enterprise Linux server – telnetting to xserver is unencrypted and leaves the door wide open for login/password interception. This had been discussed once before. This could easily be fixed by implementing OpenSSH (they used to have it running) and using a good, solid SSH client rather than NetTerm, which is currently installed. When I had downloaded and installed NetTerm years ago, by default it used to have an FTP server built in that was on when installed and allowed anonymous login sessions. That’s not a good position to put students in regarding the security of their own machines.

When I had notified Delta about xserver’s issues, I was blown off and then disallowed access once the semester was completed and have not been able to log on using my account since. This was not a standard operating procedure at Delta as all of my fellow students still had access to xserver after the class was finished and on into the next school year. Most of the issues raised were not fixed until sometime during the summer of 2005 – well over a year after being told about the issues in the first place.

Unfortunately, xserver still remains insecure.

Delta has definitely shown more of a reactive stance than a proactive stance when it comes to security. If the solution to a security issue is simple, it can be tested fairly simply, and implemented in a fairly short amount of time. In fact, in the case of the SSH installation on xserver, it already *was* installed, then Delta removed it. Why they would do such a thing is beyond me.

Since Delta College is now offering a degree in Information Security and Technology, they’re losing credibility in my eyes. If Delta can’t secure their own network with some good security measures, how can they be considered a credible institution for this new program? Are they ready for possible identity theft because students have social security numbers, phone numbers, addresses, and credit card numbers associated with their Delta ID?

I guess the most offensive part of this whole situation is that when I approached Delta faculty about these security issues, one particular faculty member responded in an almost threatening manner and never bothered to fix some of the most serious misconfigurations until 14-16 months later. Yes, that’s over a year, and the remaining misconfigurations that threaten the security of the server still exist. That’s right – their way of fixing the problem is to remove the problem – me. Unfortunately for them, I know other students that attend Delta College and allow me to look around at xserver every so often under their account (and supervision – I insist upon it.).

Anyway, since telling the faculty does nothing more than single me out, I decided to present this information in a presentation to two classes I previously had and here.

Solutions: What Delta College can do to remedy these situations would actually be fairly simple:

For eLearning:

*Set up a whitelist of HTML tags that users can post with. Reference www.slashdot.org for an example of the correct way of doing this. Slashdot’s code is open source and is freely available – it’s known as “Slashcode”.

*A link could redirect to a cloned page such as the “session has expired – please enter login/password” set up to steal passwords.

*A student could “embed src” an offsite page within Delta’s eLearning area to make it appear to be a part of eLearning. This could then be changed after the malicious activity is complete.

*The links at the bottom of the page could be hidden and malicious links could replace the legit links, by changing the font colour (a font color="white" tag) or by wrapping them in a hidden <!-- comment --> tag.
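The whitelist the post asks for is small enough to write with the standard library. As an added example (not from the original post, eLearning, or Slashcode), the following Python sanitizer keeps only b, i, u and a, allows only http, https and mailto links, drops comments, script/style content and every other tag and attribute, and closes whatever the author left open. The test strings inside it are constructed and cover the font-colour, hidden-comment, embed and link cases listed above.

```python
"""Whitelist-based HTML sanitizer for user posts (added example)."""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "a"}          # the four tags the post proposes
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}        # their text is code, never shown


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted tags; everything else is reduced to escaped text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []
        self._drop_depth = 0

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # font, embed, iframe, img ...: tag dropped, inner text still flows
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if urlparse(href).scheme.lower() not in ALLOWED_LINK_SCHEMES:
                return  # javascript:, data:, vbscript: and schemeless links are not links
            self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">')
        else:
            self.out.append(f"<{tag}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if tag in self.open_tags:
            # close everything opened after it so the output stays well nested
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data: str) -> None:
        if not self._drop_depth:
            self.out.append(escape(data))   # re-escape: convert_charrefs decoded entities

    def handle_comment(self, data: str) -> None:
        pass  # <!-- ... --> blocks (used to hide content) are discarded entirely

    def result(self) -> str:
        while self.open_tags:               # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html_text: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(html_text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    for sample in ('<font color="white">hidden</font> <!-- secret --> text',
                   '<a href="javascript:alert(1)">click</a>',
                   '<embed src="http://evil.example/fake">Posted by Teacher'):
        print(repr(sanitize(sample)))
```

Because the parser decodes entities before the handlers see them, an `&#106;avascript:` href is recognised and dropped just like the plain spelling, and all text is re-escaped on the way out so nothing the author typed is ever emitted as markup.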

For xserver (Linux server):

*Install SSH on their Red Hat server (xserver) by logging in as root and issuing the command “urpmi openssh-server” or installing it via Red Hat’s GUI interface for package management. For Debian distros it would be a simple “apt-get install openssh-server” to install OpenSSH. When installed, it would automagically be available for all users.

*Require students to use the SSH client from SSH Communications (freeware) for xserver connections as well as FTP transfers. This would be better than requiring both NetTerm (used to be very insecure) and WS_FTP to be installed. One application to cover both functions and the login is now encrypted.

*Test and upgrade patches to their Redhat server – try any patch. The last time I had created a VNC session on their server (yet another issue…), not a single patch had been issued to xserver since the initial OS installation.

*To remove the ability for running X-specific binaries (xchat, gftp, vncserver), all they’d have to do is create a user group like “student” and allow them only to access/execute the files that are required to teach the CST-126 and CST-133 classes. Either that or just uninstall unnecessary programs using Redhat’s GUI package management system (up2date, yum, or whatever).

For FTP:

*Last I knew, alpha.delta.edu was a Windows machine running IIS and the FTP server associated with Windows Server. Either find a way to enable secure file transmissions to this server, or install the software and/or operating system that allows this type of transfer to occur.

Materials: An internet connection and in some cases, physical access to a Delta College computer.

Delta College password security

April 16th, 2008, by chad

Having been a former student of Delta College, as with any student, I was given a user name and password that was used for access to several services. These include network shares, email access, class registration through MyDelta, Educator (like Blackboard), FTP, and access to the Linux server amongst other things. So if I were a student and wanted to make sure that my password is secure, where would I start? Learn about the process and then find the weakest links of course!

First, as a new student you’re asked to go through the signup process, but when clicking through, you’re taken to the policy page first. Funny thing is that the page can be bypassed by just going directly to the sign up page instead. So yeah, legally, the policy is shaky ground since it can be bypassed during sign up. You enter all of your personal information in and you now have access with a single login and single password for all services.

So if someone wanted to hijack my account, what would they do? What plan of action would one take to steal my info? Well, if you click on the link that you lost your login name, you get directed to this page and are given this prompt. The same prompt is given if you click on the link that you want to update or change your password. Since nobody else should really know my SSN or Delta ID, and might only be able to figure out my birthday, it would make compromising my account more difficult. In essence, Delta is implementing defense in depth. However, who needs a Delta ID when your login name is…your name. If your electronic account was created before Fall of 2002, your login name was your first initial, middle initial, and your last name. For example, John Q. Student would be jqstudent. After 2002, it’s simply your first name and last name (johnstudent). So hijacking your account via a “lost password” feature is too time consuming or too difficult. There has to be an easier way, right?

What about brute forcing the password with something like Brutus that does web-based password cracking? Probably not practical since Delta has a somewhat decent password policy in place and it would take forever to brute force the password this way. So that’s out of the question.

What about shoulder surfing at the library? Not really a bad idea, but it could be noticeable by the victim. This method is definitely feasible, but could cause bodily harm or get you kicked out of the library. Then you would likely be watched closely during future visits.

What about services that could be exploited in some way or another? Maybe sniffing the password? Well, webmail is performed via SSL, so that makes things difficult. MyDelta also uses SSL when you’re logging in, as does Educator…finally, about a year or so after I made the suggestion to Educator staff. You’re not likely going to sniff anything while you’re logging in either. However, there are two services that are performed in clear text – FTP and telnet. These two services are only really used in a handful of classes, so you would have to devise a plan on how/where to sniff this traffic.

Telnet is used only for the Linux class (CST-126), but it’s also available online. Since their Linux server has a compiler installed, you could attempt to compile a sniffer from the command line, but that would likely be under your own account.

FTP is used mainly for uploading web pages in the CST-110, CST-133, and CST-210 classes. I’m not sure why you’d need to do that since the directory you upload to is world readable/writable by everyone, but that’s another post ;) So one could sit in a CST-133 class during the web site creation tutorial week, flood the router with false MAC addresses, and sniff the passwords as people log in. The other option is to sit in one of the wireless hotspots and hope someone logs in and needs access to the telnet or FTP server. You might be waiting a while for that one…

Worst case scenario was a few years ago when you could log onto the Linux server and grab the /etc/shadow file, which held encrypted passwords for the entire student body. I’m not sure exactly how this happened as the /etc/shadow file is normally only viewable by root, but it was likely because of a misconfiguration or fat-fingered mistake such as “chmod 777 /etc/shadow”. In a nutshell, if you could copy this file to a flash drive, you could take it home, run John the Ripper on the file, and have some accounts to play with.
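Both this paragraph and the earlier “Enter John the Ripper” post come down to the same two administrator checks: is the shadow file readable by anyone but root, and are the hashes in it the kind John chews through in a second? As an added example that is not from the original posts, the following Python audit judges the file’s owner and mode bits (what a “chmod 777 /etc/shadow” looks like) and classifies each entry’s hash algorithm, flagging empty password fields and legacy DES or md5crypt hashes. The shadow entries inside it are constructed placeholders, not real credentials.

```python
"""Audit /etc/shadow: file permissions and password-hash strength (added example)."""
import os
import stat
from typing import Dict, List

# crypt(3) hash identifiers. Anything with no "$id$" prefix is traditional DES crypt
# (13 characters, 8 significant password characters, 12-bit salt): the format John
# the Ripper tears through fastest. md5crypt is the next weakest still seen in the wild.
STRONG_HASHES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                 "$7$": "scrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$2a$": "bcrypt"}
WEAK_HASHES = {"$1$": "md5crypt"}

# Constructed shadow entries (salts and hashes are placeholders, not real credentials).
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashplaceholderhashplaceholderhashplaceholderhash:17000:0:99999:7:::
alice:$1$saltsalt$placeholderhashplacehold:17000:0:99999:7:::
bob:abJnggxhB/yWI:17000:0:99999:7:::
carol::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
sshd:!:17000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Name the algorithm behind a shadow password field."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in STRONG_HASHES.items():
        if field.startswith(prefix):
            return name
    for prefix, name in WEAK_HASHES.items():
        if field.startswith(prefix):
            return name
    if field.startswith("$"):
        return "unknown-crypt"
    return "descrypt"


def audit_shadow_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per account whose entry would not survive a leaked shadow file."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:            # a shadow entry has nine colon-separated fields
            findings.append({"line": lineno, "user": fields[0], "issue": "malformed entry"})
            continue
        user, pw_field = fields[0], fields[1]
        algo = classify_hash(pw_field)
        if algo == "empty":
            findings.append({"line": lineno, "user": user,
                             "issue": "empty password field: login without a password"})
        elif algo in ("descrypt", "md5crypt"):
            findings.append({"line": lineno, "user": user,
                             "issue": f"weak hash ({algo}); force a password change so it is rehashed"})
    return findings


def perm_issues(mode: int, uid: int, path: str) -> List[str]:
    """Judge stat-style mode bits and owner: the file should be root-owned and readable
    by nobody but root (or the shadow group), never writable by the group or others."""
    issues: List[str] = []
    if uid != 0:
        issues.append(f"{path} is owned by uid {uid}, not root")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        issues.append(f"{path} is world-accessible (mode {stat.filemode(mode)})")
    if mode & stat.S_IWGRP:
        issues.append(f"{path} is group-writable (mode {stat.filemode(mode)})")
    return issues


def audit_shadow_file(path: str = "/etc/shadow") -> Dict[str, object]:
    """Run both checks against a real file (reading /etc/shadow itself needs root)."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = audit_shadow_text(fh.read())
    return {"permissions": perm_issues(st.st_mode, st.st_uid, path), "accounts": entries}


if __name__ == "__main__":
    for finding in audit_shadow_text(SAMPLE_SHADOW):
        print(finding)
    print(perm_issues(0o100644, 0, "/etc/shadow"))   # what a "chmod 644" (or 777) leaves behind
```

Run `audit_shadow_file()` as root on a real system; the permission findings are the part the web-server misconfiguration in the earlier post turns into a public download, and the hash findings tell you which accounts to force through a password change so they pick up the stronger algorithm.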

Anyway, the point is that if you are able to obtain a student’s password, you have full access to that student’s account. This includes access to all of the resources available that are specific to that student as well as the ability to add and drop courses they are currently enrolled in or signed up for. That would help if you’re having a hard time getting into a class because it’s full, eh? ;)

Disclaimer: Just as any post I make, I do not condone or encourage any malicious activity. I post the information I do to give people a little nudge in the right direction and take security a little more seriously. After all, there’s a lot of people’s trust in your hands and it’s your responsibility to keep the bad guys from breaking that trust. As usual, I have to rip on Collegis/SunGard because they’re the ones that handle Delta College’s IT sources including security. Unfortunately, they can’t seem to nail down the security part.

Materials: Access to a Delta College workstation and an Ubuntu Linux live CD.

Simulated Distributed Denial of Service attack

April 11th, 2008, by chad

For those that aren’t familiar with Distributed Denial of Service (DDoS) attacks, they can be very detrimental to network and system performance. They’re generally used for nefarious purposes including spam, blackmail, and extortion of mid-size and large companies. The reason for this is because it would be quite embarrassing for a company to have their systems unavailable because of crackers. It could also be detrimental to businesses requiring online transactions and communications to stay afloat. Because of this, many people in control of the botnets can get away with fleecing companies for thousands of dollars as a “cost of protection/prevention”.

One way for a botnet to come into existence is through a worm – either a mass-mailing worm or a worm that takes advantage of a software/operating system exploit. Sometimes no user interaction is required for a host to become infected and contribute unwillingly to a botnet army full of zombie computers. “Storm” is one well-known example of how large and powerful a botnet can become, at around 200,000 infected computers. More recently a botnet named Kraken has emerged that is reported to consist of over 400,000 infected machines and is undetectable by the majority of anti-virus scanners because of the obfuscation techniques Kraken uses. There are also reports that the worm has been spotted on computers in 50 of the Fortune 500 companies.

One way these botnets communicate centrally is through IRC channels. Personally, I have seen botnets on a few occasions, and it fascinated me how easily they are managed and controlled: everything from patching the code of the software used to gain control of the host in the first place, to launching attacks on web sites and IRC servers, to complete removal of the software, all done remotely with a few commands.

The following videos are simulated environments I created showing the effects of a botnet on both a client and a server connected to an IRC server. Please keep in mind that there are only ~650-700 bots in this simulation versus a few hundred thousand in the previously mentioned botnets Storm and Kraken.

DDoS as seen from the client side:

DDoS as seen from the server side:

Solution: Honestly, there’s not a whole lot one can do if a botnet is large enough. Your biggest concern would be saturation of bandwidth. If you have a T1 line, it could take as little as a couple dozen zombies on broadband to take your connection down, preventing others from using your services.

Materials: Client – Compaq Presario laptop (2135US), Server – older Dell 1000mhz machine, Kodak Digital Camera (C743), assistance from Rebecca.

Categories: DoS, Internet, Linux, Network, Software, Windows

Back at Delta College…again

April 10th, 2008 chad No comments

So here I am writing this post from Delta College’s library. I started playing on the Windows network again, but I honestly prefer Linux and the only operating systems they have available in the library are Windows and MacOSX. I brought my handy dandy Ubuntu Linux bootable CD so that I could work in a more familiar (and comfortable) environment. The machines they have are actually quite nice – Dell Optiplex GX520.

Unfortunately, I had a hard time booting the CD, only because the boot order didn’t allow booting from CD; you had to boot from CD “manually”. Rather than entering the BIOS by hitting the usual suspects such as the Delete key, Escape key, F8, etc., Dell gives you a boot menu by pressing either F12 or Ctrl+Alt+F8 during boot. After obtaining that piece of knowledge, I was on my way.

There’s nothing really new to report other than they still haven’t fixed the permissions issue on the STUDENT share. Even the main page for the STUDENTS server is writable along with every other file. Thanks once again to Collegis/SunGard for their prompt action. Talk about lax security and lazy admins – it’s really quite sickening that a simple, but potentially damaging permissions issue can’t get resolved quickly. So I left a message this time although it will likely still continue to get ignored.

Anyway, I booted up Ubuntu 7.10 and then started looking around on the network again. Honestly, I really couldn’t think of much more to do so I figured I’d run a network scan with nmap. I started with just scanning 10.101.7.0/24, but it seemed to be too quick and I had more time to waste. I stepped it up to 10.101.0.0/16 :) Much better – I found a few more machines with more interesting services. I also found the lone Linux machine ;)

Anyway, for those interested, here are the results of the 10.101.0.0/16 scan in normal format, in XML format (prettier), and in grepable format.
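The grepable (-oG) format mentioned above is the one an administrator gets from an authorized inventory scan of their own network, and its real value is comparing what is exposed against what is supposed to be. The parser below is an added example, not part of the original post. The scan lines in SAMPLE_GNMAP are constructed for this example (they are not the post’s results), and the allow-list of expected services is an assumption you would replace with your own.

```python
import re
from collections import namedtuple

# Constructed sample of nmap's grepable (-oG) output; not the scan from the post.
# Each Ports entry is port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = """\
# Nmap 4.53 scan initiated (constructed sample for this example)
Host: 10.101.7.10 ()\tStatus: Up
Host: 10.101.7.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
Host: 10.101.7.11 ()\tStatus: Up
Host: 10.101.7.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (998)
Host: 10.101.7.12 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

Port = namedtuple("Port", "port proto state service version")
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname": str, "status": str, "ports": [Port]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and the trailer line
        fields = line.split("\t")         # tab-separated "Key: value" fields
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": "unknown", "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) < 7:
                        continue          # malformed entry; skip rather than guess
                    entry["ports"].append(
                        Port(int(parts[0]), parts[2], parts[1], parts[4], parts[6]))
    return hosts


def open_ports(hosts):
    """Reduce the inventory to hosts that have at least one open port."""
    result = {}
    for ip, h in hosts.items():
        opened = [p for p in h["ports"] if p.state == "open"]
        if opened:
            result[ip] = opened
    return result


def unexpected_exposure(hosts, allowed_services):
    """Return {ip: ["port/proto service", ...]} for open services outside the allow-list."""
    report = {}
    for ip, ports in open_ports(hosts).items():
        bad = [f"{p.port}/{p.proto} {p.service}" for p in ports if p.service not in allowed_services]
        if bad:
            report[ip] = bad
    return report


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    # Assumed policy: only SSH and HTTP are meant to be reachable on this segment.
    for ip, services in unexpected_exposure(inventory, {"ssh", "http"}).items():
        print(ip, "exposes", ", ".join(services))
```

Feed it the -oG file from a scheduled scan and diff the unexpected_exposure output between runs; a host that newly shows up with file sharing or remote desktop open is the kind of change worth a ticket.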

Materials: Ubuntu 7.10 live CD, Motorola Razr camera phone.

Google hacking – is your network vulnerable?

April 9th, 2008 chad No comments

Google hacking has been talked about on several other web sites before, but most people just don’t think about the implications of not securing their services. Often the attitude of “it could never happen to me” takes precedence over an admin taking proper security precautions. After performing some simple Google searches, you too can gain access to everything from database information, personal emails, and even some free mp3s.

First, let’s start off with a simple database search and password search. These two simple searches can reveal configuration information about databases, including login and password combinations. For example, nv-happydays.com showed three downloadable files, including two password.inc files and a WS_FTP log that revealed other sites. Luckily, none of the sites related to nv-happydays.com allowed direct database connections.

If a database is connected to the internet and not properly protected, anyone can run a database query on (for example) port 3306 for a MySQL database server and find even more, and potentially sensitive, information. You should NEVER be able to publicly read a database configuration file – you should only see something similar to this. Otherwise, you have set yourself up to have many, many files viewable by the world for potentially nefarious purposes.

blackworldnews.com was not so lucky about other files. These included their mysql.sql file, their inbox file (mostly spam just like everyone else), and their shadow file which was loaded into and proved to be crackable by John the Ripper in a fairly short amount of time. 8 hours, 47 minutes, and 31 seconds to be exact.

Another unlucky Googled site was wealdendun.com. Their mysql.sql file as well as their shadow file were found, and again, could be cracked by John in a very short amount of time just like blackworldnews.com.

Another search that turned up some interesting information was searching for backups. I found an educational institution that used BlackBoard (just like Davenport) had their backup files publicly readable. Also readable were usage statistics and more detailed usage statistics. No, not the most exciting stuff in the world, but I would think that these items should probably be limited to system administrators and not the whole world.

Solution: Fairly simple. At the very least, add the extension .php to any files that have .inc as an extension. Examples include, but are not limited to, “password.inc”, “database.inc”, “configuration.inc”, or any other *.inc file. They would then become “password.inc.php”, “database.inc.php”, “configuration.inc.php”, or *.inc.php respectively. Every *.inc file I have run across contains code that starts with <? and ends with ?>. This is typically how PHP code starts, but most browsers don’t go simply off of the code they see; they go off of the extension when processing files. If the extension were *.php, anything between the <? and ?> would be hidden even if one tried to view the source of the file.

Another solution is to add a blank index.html file to directories that don’t already have an index file of some sort. Apache can also be configured not to allow directory listings so these files are not viewable by search engines in the first place. To do this, add the text “Options -Indexes” (without quotes) to a .htaccess file. Google it if you’re not familiar with htaccess files.

However, if the files have already been exposed to search engines, they’ve most likely been crawled. In this case, you NEED to take the previous measures to remove access to your files and then IMMEDIATELY change your passwords.
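The checks in the solution above (raw *.inc files in the document root, directories with no index file, and a missing “Options -Indexes”) can be run against your own site before a search engine does it for you. The audit script below is an added example and not from the original post. It builds a throwaway document root that reproduces the mistakes described (a password.inc with a <?php ... ?> body, an SQL dump, no index files, no .htaccess), audits it, and reports; the list of suffixes it treats as sensitive is an assumption drawn from the file types mentioned in the post.

```python
import os
import shutil
import tempfile

# File suffixes the post found exposed through search engines: PHP includes, SQL
# dumps, backups and FTP client logs.  Assumed list for this example; extend it.
SENSITIVE_SUFFIXES = (".inc", ".sql", ".bak", ".log")
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def listing_disabled(docroot):
    """True if the document root's .htaccess contains an 'Options -Indexes' line."""
    path = os.path.join(docroot, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            words = line.split()
            if words and words[0].lower() == "options":
                if "-indexes" in [w.lower() for w in words[1:]]:
                    return True
    return False


def audit_docroot(docroot):
    """Return sorted (kind, relative-path) findings for a web document root."""
    findings = []
    if not listing_disabled(docroot):
        findings.append(("listing-enabled", "."))
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        # A directory with no index file is served as a listing when Indexes is on.
        if not any(name.lower() in INDEX_NAMES for name in filenames):
            findings.append(("no-index", rel))
        for name in filenames:
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                findings.append(("sensitive-file", os.path.normpath(os.path.join(rel, name))))
    return sorted(findings)


def build_sample_docroot(base, with_htaccess=False):
    """Create a constructed document root reproducing the post's mistakes."""
    os.makedirs(os.path.join(base, "includes"))
    os.makedirs(os.path.join(base, "backups"))
    files = {
        "index.html": "<html><body>hello</body></html>\n",
        # A raw .inc file: Apache serves it as text, so the <?php ... ?> body is exposed.
        "includes/password.inc": "<?php $db_user = 'app'; $db_pass = 'constructed-secret'; ?>\n",
        "backups/site.sql": "-- constructed dump\nCREATE TABLE users (id INT);\n",
    }
    if with_htaccess:
        # The fix from the post plus a deny rule for the sensitive suffixes
        # (Apache 2.4 syntax; 2.2 would use "Deny from all").
        files[".htaccess"] = (
            "Options -Indexes\n"
            '<FilesMatch "\\.(inc|sql|bak|log)$">\n'
            "    Require all denied\n"
            "</FilesMatch>\n"
        )
    for rel, body in files.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo(with_htaccess=False):
    """Audit a temporary sample docroot and return its findings."""
    base = tempfile.mkdtemp(prefix="docroot-audit-")
    try:
        build_sample_docroot(base, with_htaccess)
        return audit_docroot(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:16} {path}")
```

Point audit_docroot at a real document root to get the same report for your own site; the .htaccess written by the with_htaccess option only removes the listing finding, so the renamed or denied files still have to be dealt with, and passwords already crawled still have to be changed.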

Materials: A web browser and some free time.

Categories: Database, DoS, E-mail, Internet, Linux, Network, Windows

Ubuntu Linux eye candy – Compiz and 3ddesktop

April 9th, 2008 chad No comments

As most people I know are aware, I am a Linux fan. It runs on older hardware better, the open source software and operating system just run better, it has several solid server software applications, and well…it’s free. Linux is very widely used in a server environment, but it’s starting to make waves on the desktop. People seem to be going crazy over Vista’s “eye candy” – transparent menus, window minimization animation, etc. Linux has had transparent menus available as long as I have been using Linux – around 1998 or so, so I’m not so sure what all the fuss is about. However, MacOS came up with some pretty cool eye candy itself when MacOSX came out. A while later, Compiz was released and is now standard with the Ubuntu Linux distribution installation. There are a lot of other videos available, but the point of this video is to show that you don’t even need high-end hardware and video cards to play with the eye candy that is available for Linux (unlike Vista for example).

Below is a video I took playing with Compiz and 3ddesktop with a lower-than-average-performance Compaq laptop. Enjoy!

Materials: Compaq Laptop (2135US) with an upgrade from 256mb of RAM to 1gb of RAM, Kodak Digital Camera (C743).

Categories: Linux, Software, Weird stuff

Delta College Linux server email security

March 18th, 2008 chad No comments

Years ago I made Delta aware of several vulnerabilities I found on their Linux server (xserver.delta.edu). One happened to be the email server and its insecure setup. You can google the commands used to send an email by telnetting to a mail server fairly easily. Back in 2005 or so, you could telnet into the xserver mail server from anywhere – on their network or at home. You could then send an email to any recipient on xserver. This sounds fairly innocent at first, but you could create a batch script to spam every user account on xserver if you desired, with pretty good anonymity since you didn’t have to have a user account on the server.

Fast forward to today and the only difference is that you have to be using one of Delta’s IP addresses instead of any other public IP address. That’s it. Good job, guys. The workaround is simple – bring in your own computer and plug your cat5 cable into any one of their network ports. DHCP does the rest for you and you’re free to start sending mail again. You don’t need to be an “expert” to know that stopping spam isn’t just about having a spam filter such as SpamAssassin in place, it’s also about making sure your mail server is properly configured.
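The point of the two paragraphs above is that a source-IP check is not a mail policy: anything plugged into a campus port gets a campus address. The following is an added example, not from the original post or from Delta’s server, showing the difference as an SMTP RCPT TO policy function. The ip_only_policy models the restriction the post describes; SubmissionPolicy is a hardened alternative that requires authentication to relay off-site and rate-limits unauthenticated local delivery per client address. The domain, network and limits are assumed values.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values standing in for the post's xserver; not taken from the original.
LOCAL_DOMAINS = {"xserver.example.edu"}
CAMPUS_NETS = [ipaddress.ip_network("10.101.0.0/16")]  # the network the post scans
MAX_UNAUTH_RCPTS = 20   # recipients an unauthenticated client may address per window
WINDOW_SECONDS = 60


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def on_campus(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CAMPUS_NETS)


def ip_only_policy(ts, client_ip, authenticated, rcpt):
    """The post's 'fix': any campus address may send to any xserver user.
    A DHCP lease from any wall jack satisfies this, so it stops nothing."""
    if on_campus(client_ip):
        return "250 2.1.5 Recipient OK"
    return "554 5.7.1 Relay access denied"


class SubmissionPolicy:
    """Hardened policy: relaying off-site requires authentication, and unauthenticated
    delivery to local users is rate-limited per client address in a sliding window."""

    def __init__(self, max_unauth=MAX_UNAUTH_RCPTS, window=WINDOW_SECONDS):
        self.max_unauth = max_unauth
        self.window = window
        self.recent = defaultdict(deque)   # client_ip -> timestamps of accepted RCPTs

    def decide(self, ts, client_ip, authenticated, rcpt):
        if _domain(rcpt) not in LOCAL_DOMAINS and not authenticated:
            return "554 5.7.1 Relay access denied"
        if authenticated:
            return "250 2.1.5 Recipient OK"      # authenticated users are accountable
        q = self.recent[client_ip]
        while q and ts - q[0] >= self.window:    # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_unauth:
            return "450 4.7.1 Too many recipients from your address, try again later"
        q.append(ts)
        return "250 2.1.5 Recipient OK"


def simulate(policy_fn, count=50, client_ip="10.101.7.10"):
    """Feed a constructed burst of RCPT TO commands from one unauthenticated campus
    client (one per second) and return how many the policy accepts."""
    accepted = 0
    for i in range(count):
        reply = policy_fn(float(i), client_ip, False, f"user{i}@xserver.example.edu")
        if reply.startswith("250"):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("ip-only policy accepted:", simulate(ip_only_policy))
    print("hardened policy accepted:", simulate(SubmissionPolicy().decide))
```

The burst of 50 recipients from one unauthenticated campus address goes straight through the IP-only check, while the hardened policy accepts the first 20 in the window and defers the rest with a 4xx; real MTAs expose the same two knobs (SMTP AUTH for submission, per-client recipient rate limits), which is the configuration the post says is missing.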

Materials: Any computer on Delta College’s network.

Categories: E-mail, Linux, Network

Installing DD-WRT on a Linksys WRT54g router

March 7th, 2008 chad No comments

Back in November I purchased two Linksys WRT54g routers from Best Buy as they were having a sale. When you purchased the router for $50, you got a $15 gift card. So the router essentially cost $35, which is cheaper than most wireless network cards. The best part is, dd-wrt allows a Linksys WRT54g router to act as a client bridge. What this means is rather than spend ~$150 on a Linksys wireless bridge, you can make the WRT54g act as a bridge for less than half the price (and more functionality I might add).

Below is a video showing how to install dd-wrt on a Linksys WRT54g router. Enjoy!

Materials: Firmware from dd-wrt.com for WRT54g router, Linksys WRT54g router, Compaq Presario laptop (2135US), Kodak Digital Camera (C743).

Creative Commons License

Categories: Hardware, Linux, Network, Wireless