Category Archives: Privacy

A few (convenient) dockerfiles

I just put on my GitHub a few Dockerfiles for the containers that I frequently use to get some quick work done or to temporarily share some data.

Here they are:

I used to use VirtualBox guests, but maintaining them was a hassle (updates, snapshots, disk defragmentation and shrinking, etc.).

It makes perfect sense to use Docker just for that, and on top of that it consumes far fewer resources. Starting with disk usage: all these containers along with their images stay below 1 GB!

The fact that I am using Btrfs as the underlying storage driver is not for nothing: compression is extremely efficient on images!

Note that my Dockerfiles have nothing special, you can actually find others on the Internet (and I was inspired by some).

There are a few differences, however:

  • I care a lot about security, so at the very least I try not to run Web services as root, even inside a container. Root in the container is the same UID 0 as on the host unless user namespaces are in use, so dropping privileges keeps the damage from a compromised service as small as possible.
  • I like simple things, so I tried to keep everything straightforward and simplified some stuff.
  • I don’t like to waste disk space. So when I find Dockerfiles based on Ubuntu, Debian Wheezy, Debian Jessie, Fedora, etc., I try to unify all of them under Debian “stable” (so, as of today, Jessie). Why bother with useless base images? I chose a versatile and common server distribution and I am trying to stick with it.

While I was playing, I had two things bothering me:

  • No quota support: for a Samba sharing guest that I have, I would have liked to implement quotas from within the container. There is no support for that at the moment, and the global limitation by container is not nice (and once you choose a big size, you can’t go backward for existing containers…). I have a dedicated partition for Docker, so, while not perfect, it is okay for now.
  • The devicemapper storage driver totally sucks at this time: free space is never reclaimed after you delete images or containers! So the more you use Docker, the more your partition gets full.
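
To make the non-root point concrete, here is an added example of mine, not one of the Dockerfiles from the repository above: two constructed Dockerfiles for a small static file server, one that would run as root and one that drops to an unprivileged account, plus a small checker that reports the effective USER of the final build stage. The image tag, user name, port and served directory are assumptions.

```python
"""Check that a Dockerfile's final stage does not run the service as root.

Added example, not from the repository this post describes. Both Dockerfile
texts are constructed; the image tag, user name, port and served directory
are assumptions.
"""

# Constructed: a careless image. No USER line, so the server runs as UID 0,
# which is the host's UID 0 unless user namespaces are enabled.
DOCKERFILE_ROOT = """\
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends python3
WORKDIR /srv/share
EXPOSE 8080
CMD ["python3", "-m", "http.server", "8080"]
"""

# Constructed: same server, but a system account is created and USER switches
# to it before CMD; the port stays above 1024 so no capability is needed.
DOCKERFILE_NONROOT = """\
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends python3 \\
 && useradd --system --no-create-home --shell /usr/sbin/nologin share \\
 && mkdir -p /srv/share && chown share:share /srv/share
WORKDIR /srv/share
USER share
EXPOSE 8080
CMD ["python3", "-m", "http.server", "8080"]
"""


def instructions(text):
    """Yield (INSTRUCTION, arguments), joining backslash line continuations
    and skipping blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if not stripped or stripped.startswith("#"):
            continue
        inst, _, args = stripped.partition(" ")
        yield inst.upper(), args.strip()


def final_user(text):
    """Effective USER at the end of the last build stage, or None if never set.

    A new FROM starts a new stage; it inherits the base image's USER, which a
    text-only parser cannot see, so the safe assumption is root (None)."""
    user = None
    for inst, args in instructions(text):
        if inst == "FROM":
            user = None
        elif inst == "USER":
            user = args.split(":")[0]   # "name:group" or "uid:gid" forms
    return user


def runs_as_root(text):
    """True when the container's main process would start as root."""
    user = final_user(text)
    return user is None or user in ("root", "0")


if __name__ == "__main__":
    for label, df in (("root image", DOCKERFILE_ROOT),
                      ("non-root image", DOCKERFILE_NONROOT)):
        print(f"{label}: USER={final_user(df)!r}, runs as root: {runs_as_root(df)}")
```

The checker only looks at the text, so a base image that already sets a USER is reported as root; that is the conservative choice, and the fix is the same either way: add an explicit USER before CMD.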

A relative got hacked for scamming activities

One of my relatives got hacked.

After a phone conversation with him, I realized that his computer had been hacked a few days earlier. He told me that he saw the mouse moving by itself, but what happened next was not clear to him. Anyway, he did not feel the urge to call me immediately. Needless to say, his computer knowledge is limited.
I immediately started to investigate.

How the computer was hacked

The computer is running Ubuntu. I suspected a vulnerability, but I soon realized that it was much simpler than that: by mistake, a VNC session had been left open!

x11vnc with no authentication and no logging… Damn!

What the attacker did

What he tried first was to create a user to maintain access. But the scammer was probably low-tech and soon gave up.

Here is the sequence from the shell history:

261 adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M xxxcx
262 useradd -d /home/xxxcx -m nokia00
263 passwd xxxcx

Command #261 failed because of improper syntax: on Debian/Ubuntu, adduser is a wrapper script with entirely different options, and the flags he used belong to useradd. Note what he was trying to do: create a second UID 0 (root) account named xxxcx, with no home directory (-o allows a duplicate UID, -M skips creating the home directory).

He probably did not realize his mistake, but this time tried useradd with fewer options in command #262, creating a home directory and a user named nokia00… Why not. Alas, the command cannot work as a standard user!

Then, command #263: passwd xxxcx targets the account that command #261 failed to create, and even for an existing account an unprivileged user can only change their own password, after supplying the current one…

And that’s it. Pretty lame, isn’t it? He quickly got discouraged and switched to using Firefox exclusively.
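
The persistence attempt above is cheap to check for afterwards. As an added example (not from the original post), this Python script scans a constructed /etc/passwd excerpt for extra UID 0 accounts, which is exactly what a working `useradd -u 0 -o` would leave behind, and pulls account-management commands out of a constructed shell history in the numbered `history` format shown above. The account names and history contents are invented for the demonstration.

```python
"""Post-incident check for account-based persistence on a Linux host.

Added example, not part of the original post. PASSWD and HISTORY are
constructed samples; the extra uid-0 account 'xxxcx' is what the attacker's
command #261 would have produced had the syntax been right.
"""
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
xxxcx:x:0:0::/nonexistent:/bin/bash
"""

# Numbered as printed by `history`; a raw ~/.bash_history has no numbers,
# and the parser below accepts both forms.
HISTORY = """\
  259  ls
  260  cd /tmp
  261  adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M xxxcx
  262  useradd -d /home/xxxcx -m nokia00
  263  passwd xxxcx
  264  firefox &
"""

# Commands that create or alter accounts and deserve a look in any history.
ACCOUNT_CMDS = ("adduser", "useradd", "usermod", "passwd", "chpasswd", "vipw")


def uid_zero_accounts(passwd_text):
    """Names of every account with UID 0 other than 'root'.

    The -o flag of useradd permits duplicate UIDs, so a second uid-0 entry is
    a classic and easily missed backdoor."""
    extra = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def requests_uid_zero(cmd):
    """True when a command asks for UID 0 via -u 0, --uid 0 or --uid=0."""
    return re.search(r"(?:^|\s)(?:-u|--uid)[\s=]+0(?:\s|$)", cmd) is not None


def suspicious_history(history_text, commands=ACCOUNT_CMDS):
    """(number_or_None, command, asks_for_uid_zero) for account-related entries."""
    hits = []
    for line in history_text.splitlines():
        m = re.match(r"\s*(?:(\d+)\s+)?(.*\S)\s*$", line)
        if not m:
            continue
        number = int(m.group(1)) if m.group(1) else None
        cmd = m.group(2)
        words = cmd.split()
        if words and words[0] == "sudo":      # look past a sudo prefix
            words = words[1:]
        if words and words[0] in commands:
            hits.append((number, cmd, requests_uid_zero(cmd)))
    return hits


if __name__ == "__main__":
    print("extra uid-0 accounts:", uid_zero_accounts(PASSWD))
    for number, cmd, uid0 in suspicious_history(HISTORY):
        flag = "  <-- asks for UID 0" if uid0 else ""
        print(f"{number}: {cmd}{flag}")
```

On a live system the same two checks are `awk -F: '$3 == 0' /etc/passwd` and a grep of every user's shell history; remember that the history is written when the shell exits, so a still-open attacker session may not have flushed it yet.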

On-line shopping

With help from forensicswiki.org, I copied the full Firefox profile to my computer and started to analyze it with the SQLite Manager extension.

Sorry, but I will be hiding private info and sensitive data that could be used in a legal action.

I got most of the info from the files cookies.sqlite and places.sqlite.

cookies.sqlite: a lot of info: email and billing info used by the attacker

places.sqlite: attacker’s browsing history, with interesting purchase references in GET parameters

The guy didn’t lose time; he knew precisely what he wanted and what to do.

  1. He first visited two websites to geolocate the computer: ip2location.com and ip-tracker.org. You may think that it is a strange first move, but I will come back to that later, as I have a theory.
  2. Now that he knew which country he was in (country XXX), he started doing online shopping.

It is interesting that his online shopping was all linked to web hosting:

  • templates from dreamtemplates.com
  • a .net domain name (part of the name, however, was localized to match the victim’s country).
  • hosting at netfirms.com and mg1host.com

Note that the criminal used an online payment platform that I had never heard of before: 2checkout.com, aka 2co.com.

Unfortunately, by the time I investigated, all the session cookies had expired, so I could not log in to the criminal’s accounts.

Yet, it still held valuable info. The most interesting find was a cookie from dreamtemplates.com, which contained all the billing info used by the attacker:

  • the attacker’s Gmail address (probably compromised or a throwaway)
  • the name and address used for billing, which looked real…

Also, GET parameters in URLs were very interesting.

In some of them, you can infer the amount of the purchase. He bought stuff for at least $500 in total, and that is without counting purchases I cannot infer from the URLs, so the real figure is probably considerably higher.

But, even better, some had order IDs. Hey, wait! Let’s have a look at the 2co website:

2co order review = order number + email

Hmmm… we have the email address and the order number… bingo!

Now we have all the information about the credit card holder, certainly the biggest victim in this mess.
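
To reproduce the cookie and history triage without the SQLite Manager extension, here is an added example (not the author's workflow) using Python's sqlite3 module against a constructed in-memory database that mimics a subset of Firefox's moz_cookies and moz_places columns. The hosts, cookie values, order numbers and timestamps are invented. On a real profile you would open copies of cookies.sqlite and places.sqlite (together with their -wal files, if present) taken while Firefox is closed, since the live files are locked.

```python
"""Triage of Firefox cookies.sqlite / places.sqlite with the sqlite3 module.

Added example, not the original author's tooling. The database built here is
a constructed stand-in using a subset of Firefox's real column names
(moz_cookies.expiry is in seconds since the epoch, moz_places.last_visit_date
in microseconds). All hosts, values and timestamps are invented.
"""
import sqlite3
from urllib.parse import parse_qs, unquote, urlsplit

# Query-string keys worth surfacing from a browsing history (assumed list).
INTERESTING_KEYS = ("order", "order_id", "orderid", "order_number",
                    "invoice", "total", "amount", "email")


def build_sample_profile():
    """Build an in-memory profile with invented hosts, values and timestamps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (
            id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT,
            path TEXT, expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER);
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
    """)
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, lastAccessed, isSecure)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            # billing cookie: long-lived, still valid at investigation time
            ("billing_email", "someone%40example.com", ".shop.example", "/",
             1_400_000_000, 1_390_000_000_000_000, 1),
            # session cookie: short-lived, already expired
            ("session", "abc123", ".pay.example", "/",
             1_390_000_600, 1_390_000_000_000_000, 1),
            ("lang", "en", ".news.example", "/",
             2_000_000_000, 1_380_000_000_000_000, 0),
        ])
    conn.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date)"
        " VALUES (?, ?, ?, ?)",
        [
            ("https://geoip.example/", "Where am I", 1, 1_389_999_000_000_000),
            ("https://shop.example/checkout/complete?order_id=AB-9981&total=149.00",
             "Thank you", 1, 1_389_999_500_000_000),
            ("https://pay.example/order_review?order_number=12345678&email=someone%40example.com",
             "Order review", 2, 1_390_000_000_000_000),
            ("https://shop.example/", "Shop", 3, 1_390_000_100_000_000),
        ])
    conn.commit()
    return conn


def cookies(conn, now):
    """Every cookie with host, decoded value and whether it had expired at `now` (seconds)."""
    rows = conn.execute(
        "SELECT host, name, value, expiry FROM moz_cookies ORDER BY host, name")
    return [{"host": h, "name": n, "value": unquote(v), "expired": e < now}
            for h, n, v, e in rows]


def history_params(conn, keys=INTERESTING_KEYS):
    """(host, {key: value}) for visited URLs carrying interesting GET parameters,
    in visit order, with percent-encoding decoded."""
    out = []
    query = "SELECT url FROM moz_places WHERE url LIKE '%?%' ORDER BY last_visit_date"
    for (url,) in conn.execute(query):
        parts = urlsplit(url)
        found = {k: v[0] for k, v in parse_qs(parts.query).items()
                 if k.lower() in keys}
        if found:
            out.append((parts.netloc, found))
    return out


if __name__ == "__main__":
    db = build_sample_profile()
    for c in cookies(db, now=1_395_000_000):
        print(c)
    for host, params in history_params(db):
        print(host, params)
```

An expired cookie is useless for logging in but still evidence: its name, host and decoded value survive in the file until Firefox purges it, which is what made the dreamtemplates.com billing data recoverable here.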

Conclusion

That’s it for now. We are still in the process of handing the info over to the police and alerting the victim.

Here are a few thoughts by the way:

  • Logging, always logging! It is a pity that we know literally nothing about the scammer’s source IP address. All his actions were performed from within a VNC session, which left no trace. (x11vnc can require a password, via -storepasswd and -rfbauth, can write a log file with -o, and with -localhost will not listen on the network at all; none of that was set.) He may have come through a proxy, but who knows… I still have a little hope that, under a legal request, my relative’s Internet provider will be able to provide some logs.
  • Nowadays, it is still difficult to report such a case to the police and to help the victim. The local police are at a loss and do not really know what to do. The cyber section is slow to answer, probably drowning in requests (mostly spam?).
  • Not everyone has a computer specialist among friends or relatives. It must be a terrible experience to have the police come to you over a fraud you did not commit yourself. Few people, even sometimes among IT professionals, understand that.
  • The criminal seemed low-tech, but very organized at the same time.
    Here is my theory: he has a precise goal and does not lose time.
    He follows a process: geolocate the victim (or pick a target country) and select stolen financial data from his database accordingly.
    Then he purchases items from a list of things he needs or has been asked for.
    Finally, if he cannot find a way to maintain access within seconds, he leaves. Mission accomplished: this scammer is probably doing this full time, as a professional activity. Lame but efficient for the crime industry.
  • The credit card info came with private info: real name and address. We all know that, but it is always shocking to think how easily it can be obtained: compromised computer, hacked online shop or database, dishonest employee (e.g. at a hotel), etc.
  • The websites will probably be used for more scamming and illegal activities. I am going to monitor the domain I found for a while.

Stay tuned for updates.

Disk wiping : Myth broken

There are many urban legends in the industry. I did believe in one of them: “wiping a disk to properly prevent data recovery requires random writes and several passes”.

At least until I found this very instructive article, “Disk Wiping – One pass is enough“. Don’t miss the second part, which clarifies some points and gives more details.

In short, after one pass every bit of the disk is zero, and there is simply no way to find out what the previous value was. Even the best tools out there cannot do it.

Then there is the theory of physically recovering each bit with a magnetic force microscope. It has always come with a high error rate, and with modern high-density disks it is even less reliable. Given any real-world data length, the errors on the recovered bits make it impossible to rebuild usable data. There is no realistic chance of such a technique recovering a file.

So, in the future, I will not only save time by doing one pass, but I will replace:

$ dd if=/dev/urandom of=/dev/sda

with

$ dd if=/dev/zero of=/dev/sda

Note that formatting only resets the partition table (or writes a fresh filesystem header); in no way does it clear every bit of the disk. Two caveats apply: read the device back afterwards and confirm that every byte really is zero, and remember that this reasoning is about magnetic disks. On an SSD, writes through the block device do not reach cells the controller has remapped or keeps as spare, so use the drive’s own secure-erase command (ATA Secure Erase) instead of dd.
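
To see the difference between “formatting” and a one-pass zero wipe, and to check the result the way a practitioner should, here is an added example (not from the article): a constructed disk image file stands in for /dev/sda, a fake partition table occupies sector 0, and a marker string stands in for a file. Zeroing only the first sector leaves the marker recoverable; one pass of zeros over the whole image removes it, and a read-back pass confirms every byte is zero. The image size, marker and chunk size are assumptions.

```python
"""Formatting vs. one-pass zero wipe, demonstrated on a file-backed image.

Added example, not from the article. The image, the fake partition table and
the marker string are all constructed; the chunk size mirrors `dd bs=1M`.
"""
import os
import tempfile

SECTOR = 512
BS = 1024 * 1024  # 1 MiB chunks, like dd bs=1M


def make_image(path, size, marker):
    """Constructed 'disk': sparse zeros, a fake partition table in sector 0,
    and a recognisable payload halfway in (our stand-in for a file)."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(0)
        f.write(b"FAKE-PARTITION-TABLE".ljust(SECTOR, b"\0"))
        f.seek(size // 2)
        f.write(marker)


def zero_range(path, offset, length, bs=BS):
    """Overwrite [offset, offset + length) with zeros in bs-sized writes,
    which is what one pass of `dd if=/dev/zero` does for the whole device."""
    with open(path, "r+b") as f:
        f.seek(offset)
        left = length
        while left > 0:
            n = min(bs, left)
            f.write(b"\0" * n)
            left -= n
        f.flush()
        os.fsync(f.fileno())


def contains(path, marker, bs=BS):
    """Scan for marker, keeping an overlap so a match across chunk edges is seen."""
    overlap = len(marker) - 1
    with open(path, "rb") as f:
        tail = b""
        while True:
            chunk = f.read(bs)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def all_zero(path, bs=BS):
    """Read-back verification after a wipe: every byte must be zero."""
    zeros = b"\0" * bs
    with open(path, "rb") as f:
        while True:
            chunk = f.read(bs)
            if not chunk:
                return True
            if chunk != zeros[:len(chunk)]:
                return False


def demo(size=4 * 1024 * 1024):
    """Return (marker survives 'format', marker survives full wipe, image all zero)."""
    marker = b"SECRET-CONTRACT.pdf"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_image(path, size, marker)
        zero_range(path, 0, SECTOR)       # "format": only the partition table goes
        after_format = contains(path, marker)
        zero_range(path, 0, size)         # one full pass of zeros
        after_wipe = contains(path, marker)
        return after_format, after_wipe, all_zero(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    survived_format, survived_wipe, verified = demo()
    print(f"after format: data present = {survived_format}")
    print(f"after one zero pass: data present = {survived_wipe}, all zero = {verified}")
```

On a real device the read-back step is `cmp /dev/zero /dev/sda`, which reports the first differing byte or, on a successful wipe, only an EOF on /dev/sda.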

Books review

I just finished reading two electronic books I bought from O’reilly. Here is a short review on them.

Hacking: the next generation

The purpose of this book is to give readers an overview of the most common attacks nowadays. It covers all fields: social engineering, web attacks, networking, etc.
It was easy to read: the authors get straight to the point and their sentences are clear.

I especially appreciated their state of the art on XSS and CSRF attacks. It is certainly the best I have read so far, well illustrated with exciting real-world case studies.

On the other hand, I quickly skimmed the networking chapters (both wired and wireless). They were too basic and showed nothing new, but maybe that is because I specialize in those fields.

Anyway, overall, I strongly recommend this book. It is worth your money if you want to know more about web attacks or to get a good overview of modern threats.

Beautiful Security

This is a collection of essays by some of the best security experts and hackers.

Well, I won’t beat around the bush: I was quite disappointed by this book. The whole lacks coherence, and after a while you start wondering what it is trying to demonstrate. In the end, there is a cruel lack of connection between the essays, which makes it all appear very confusing.

It also sometimes lacks technical references, and the writing style is too verbose, too literary for a technical book to be attractive.

There are, however, some good essays, like the one about PGP (by Philip Zimmermann himself, no less). It is hard to find good and complete documentation on it, and this essay is definitely a good one, which I will probably read again when the need arises.

But I wouldn’t recommend this book for that one short piece alone. Lack of cohesion, too much literature and not enough technical substance actually bored me, though that’s just my personal taste.

Deleteyouraccount.com to easily get rid of social networking

Deleteyouraccount.com is a very convenient website if you are considering deleting your account from one of those social networking sites that are everywhere now. Of course, they all do their best to make it difficult, hiding the option and trying to discourage you. Here Deleteyouraccount comes to help.

I will still take a few days to think it over, but I am seriously considering deleting my LinkedIn account. I once got invited to it and got trapped.

My private data are certainly useful to LinkedIn, but all this has been totally useless to me so far. One of the things I really hate is that it tends to inflate the number of contacts artificially even though the relationships are not sincere.

I have a number of “contacts” that I barely know or keep in touch with, whereas I don’t need LinkedIn to communicate with the people I truly appreciate.

Less social networking, more human relationships, more freedom, more privacy: sounds good.

bugmenot.com

I just discovered the BugMeNot service today.

It offers a database of community-shared logins for websites that require a free registration.

It is usually annoying to have to register on such a website just to download a freeware or read an article, and it often leads people to choose weak or throwaway logins.

They even provide a Firefox extension. Thanks to this great website, you are probably going to save a lot of time. Obviously, these logins are public: never type into one of them a password you use anywhere else.