Tag Archives: Security

VPN Security Issue Can Reveal True IP

I use a Virtual Private Network (VPN) on a regular basis.  There are many reasons to do so.  It helps keep my true IP address concealed; all my internet traffic appears encrypted to the ISP.   If I need to use Wi-Fi at a coffee shop, I can do so without fear that the owner of the access point could be snooping on me.  Some internet content is also geographically restricted, and my VPN provides me a choice of where I want my internet traffic to originate from.

As it turns out, a wee bit of Javascript magic will convince a web browser to reveal the originating IP.  While I’m connected to my VPN (through their provided applet, but this also works with other connection methods), here is what Google reports as my IP address:

my IP address

When I visit a site that is using some STUN Javascript:

myIPSTUN

Yes, that 50.*.*.* IP address is mine.  As noted by that demo above, the request will not show up in dev consoles and privacy-related browser extensions will not block it either (aside from NoScript, which blocks all Javascript).  You can read more about this security problem.

But there is good news.  This problem does not affect any web browsers in OS X.  It appears to only impact Windows machines, and only the Firefox and Chrome browsers.  Of course, we want all browsers to be secure, so how to fix this?

If you’re on Windows and using Firefox, type “about:config” in the address bar, and set “media.peerconnection.enabled” to False.

If you’re on Windows and using Chrome, type “chrome://flags/” in the address bar and check “Disable WebRTC device enumeration.”

The superior way to fix this is to force all traffic to go through your VPN, but my skills with Windows Firewall are a bit lacking.  If you control your own physical firewall, you probably already have a good idea on how to force web traffic to go over port 1194 (OpenVPN) during VPN sessions.  Properly implemented, that should also plug this data leak.

I advise anyone who cares about privacy who is using Windows to take the above steps to fix the problem.  There are lots of people out there who want to track you so they can spy on you and sell you things.  Why make it easy for them?

ThreatPost also has more on this.

Email and the Petraeus Affair

To be honest, I haven’t been following the Petraeus affair saga with a whole lot of interest. ISure, it’s interesting to some, but I would rather not separate the wheat from the chaff in terms of reporting. I simply don’t trust many news outlets to get the details right, and so I’d rather not get wrapped up in the nitty-gritty.

But I saw an interesting question on twitter – how exactly DOES the FBI go about reading people’s email? And, by extension – how do *I* go about reading others’ email? Well, the cold reality is that I’m not really interested in reading your email. I sometimes have to do it (as part of my job) and believe me, it’s boring, and I think most people who work in IT feel the same way.

The first thing to remember is that if the FBI wants to read any email of yours that is beyond six months old, it’s easy! A federal prosecutor needs to approve a subpoena, and that’s it. No, I did not substitute “prosecutor” for “judge” – it’s really a federal prosecutor. It’s kinda like having your own prescription pad and writing out what you want, without the hassle of going to the doctor!

Second, if you’re accessing your email from behind a corporate firewall, you may already be subject to monitoring! At many large organizations, all traffic may be filtered through a web proxy – these are often used for filtering content (like blocking Facebook at work), and can also be leveraged to perform Man-In-The-Middle attacks on other sites you visit, including your personal email or bank information.

See, normally when you go to your webmail or banking site and enter your credentials, you’re “safe” because the certificate presented by the site is also on a list of “approved” Trusted Certificate Issuers. While this is inherently insecure for many reasons (Google arbitrarily chooses whom to trust if you’re using Google Chrome, for example), the system can easily be manipulated by corporate IT departments by simply adding their own certificate to your browser’s Trusted Certificates list. This enables anyone with this certificate who is sitting between you and Gmail (for example) to decrypt information travelling between your computer and the email server.

Well I was going to write more, but I’m kinda busy today. Suffice to say, only check email on a device you can control and whose entry point to the internet is a gateway that you trust. But there’s not too much you can do about a subpoena (short of running your own mail server)…

Schneier on Becoming a Security Expert

Bruce Scheneier has a good post up on his blog on how to break into the computer security industry (phrasing intentional). It’s nothing too earth-shattering, but a good, short reminder of how easy it is to pick up on the many different aspects of computer security. I agree with Mr. Schneier that the biggest asset that a security expert should possess is an attacker’s mindset – this means always poking and prodding at things to figure out how they work, and coming up with ways to make them work better. Certain types of people enjoy learning about new things all the time, and these people are a very valuable resource in the security industry.

There are plenty of free online resources available for self-starter types – if not for those resources I certainly would not be in the position I am in today. I do find it mildly amusing that the second comment down on Bruce’s post is a poster complaining about the relationship between certifications and experience; technical fields are a meritocracy, and it’s easy to contribute. While I’m sure for those who have a degree it’s a nice leg up, but infosec is about “what have you done for me lately?” not necessarily demonstrating what you’ve done several years ago. You need to prove that you’re on top of the latest technology, and it’s easier than ever to demonstrate that.

LinkedIn Password Hashes Leaked

Approximately 6.5 million hashed passwords were leaked online, apparently taken from the social media company LinkedIn. The hash list that I initially took a look at had many (around half) of the hashes starting with the value “00000” – it seems this value replaced the first five chars for passwords that had already been cracked (presumably so new cracking machines/techniques would not have to redouble their efforts). I was able to test this theory by converting some common passwords (such as “password” and “secret”) to SHA-1, then searching for their SHA-1 string – I had no results. I was, however, able to find results after I substituted “00000” for the first five characters of the hash, indicating that this theory is at least possibly on the right track.

I few days ago I read an interesting blog post on how to use Twitter to generate wordlists, so I used the script to build a list using about 7 or 8 keywords, which provided me with 3500 words in total. I used John the Ripper to convert those hash values to the values in the leaked list, and sure enough, I got one hit! In the interest of responsibility, I won’t disclose what the word was, only that it was not an English dictionary word – to me, this only validates the use of Twitter as a good potential wordlist ally – it’s always up-to-date with slang, and it’s easy to quickly generate a list based on a foreign word or idea.

It’s important to remember that the leaked list provides about 6 million hashes and there are about 120 million people registered with LinkedIn. This could mean that this is either a partial release, or that many people are using passwords that are the same.

Also, I’d like to point out the shortsightedness of the following blog post issued by LinkedIn:

Our security team continues to investigate this morning’s reports of stolen passwords. At this time, we’re still unable to confirm that any security breach has occurred.

Innocent enough, right? They specifically mention that they have not confirmed anything related to the breach, yet the rest of the post is filled with password-creation tips, implying that maybe now is a good time to change your password. Nothing could be further from the truth – if this attacker has persistent access, there is nothing to stop this attacker from dumping the hash values again and get re-cracking. And what better sample set to learn about password-changing habits than a bunch of users who all changed their passwords in response to a breach?

Then, an hour later (I’m using twitter timestamps since LinkedIn doesn’t use timestamps on their posts), another blog post:

It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

Okay, so they’ve implemented salting! Hurray! Unfortunately, they have not told us the cause of the breach or whether the attacker may have persistent access. We can only assume that the attacker can now only dump salted hashes instead of unsalted ones. So get ready to change that password again when LinkedIn reveals more…