Implementing RFC 2142 for beginners

I stumbled on a phishing site for a Dutch bank in my junk folder and for once I decided to have a closer look to see if the filter was working correctly. It was, but after reviewing the phishing site I saw two things and it was time to act.

The first one was the hosting service. It was a free hosting service, so no defaced site or anything like that. That makes life very convenient for hosting a phishing site that looks pretty safe. The second was the use of a free form service for submitting and collecting form data. The funny part, by the way, is that the second one appears to verify that a certain tag is present in the referring page, but doesn’t check whether it is actually displayed. So to hide it on the web page, they have added the tag after the closing HTML tag. Maybe using XPath would have been a better design choice than just searching for a certain string to enable the service.

As the form was asking for all kinds of details needed for perfect phishing, I decided to report this to all parties involved: the site being phished, Rabobank in this case, the hoster T15.org and Formbuddy for processing the phished data. After some checking I didn’t find enough leads on alternative mail addresses to report this to, so I decided to use the RFC 2142 reserved mail addresses and the following happened.

<abuse@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@formbuddy.com>: host ASPMX.L.GOOGLE.com[74.125.79.27] said: 550-5.1.1
The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient’s email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596
d15si7088885eei.16 (in reply to RCPT TO command)

The one that worries me the most is that a bank appears to have no working mail addresses as described in Section 4 of RFC 2142. Those are basically key for contacting parties in case of emergencies or trouble. The abuse reject was already noticed by someone last year, but I really wonder how a /16 network can ignore this, especially since there is no abuse-c entry known for their /16.

Update 2012-01-06: The nice guys at T15.org have taken the website down within a few hours of reporting.
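A small check that turns a bounce report like the one above into a per-domain list of missing RFC 2142 role mailboxes, so that an operator can audit their own domains before an incident makes it urgent. This is an added example and not code from the post; the bounce format it parses is the Postfix-style "<recipient>: host NAME[IP] said: REPLY" paragraphs quoted above, the role-name set is taken from RFC 2142 (abuse, noc and security from Section 4; postmaster, hostmaster and webmaster from the other sections), and the sample input is the post’s own three bounces.

```python
import re
from dataclasses import dataclass

# Mailbox names reserved by RFC 2142: Section 4 (network operations) gives
# abuse, noc and security; postmaster, hostmaster and webmaster come from
# the other sections. Which ones you require is a local policy decision.
RFC2142_ROLES = {"abuse", "noc", "security", "postmaster", "hostmaster", "webmaster"}

# One Postfix-style bounce paragraph: "<rcpt>: host NAME[IP] said: REPLY".
ENTRY_RE = re.compile(
    r"<(?P<recipient>[^>]+)>:\s+host\s+(?P<host>\S+?)\[(?P<ip>[^\]]+)\]\s+said:\s+(?P<reply>.*)",
    re.DOTALL,
)
# Leading SMTP reply code plus enhanced status code; the "#" prefix and the
# "550-" continuation form both occur in the bounces quoted in the post.
STATUS_RE = re.compile(r"^(?P<code>\d{3})[ -]#?(?P<enhanced>\d\.\d+\.\d+)")


@dataclass
class Rejection:
    recipient: str
    host: str
    ip: str
    code: int
    enhanced: str
    text: str


def parse_bounce(report: str) -> list[Rejection]:
    """Split a bounce report into one Rejection per recipient paragraph."""
    found = []
    for paragraph in re.split(r"\n\s*\n", report.strip()):
        m = ENTRY_RE.match(paragraph.strip())
        if not m:
            continue  # not a per-recipient diagnostic; skip it
        reply = " ".join(m.group("reply").split())  # unfold the wrapped reply
        s = STATUS_RE.match(reply)
        if not s:
            continue  # no SMTP code to classify; skip rather than guess
        found.append(Rejection(
            recipient=m.group("recipient"),
            host=m.group("host"),
            ip=m.group("ip"),
            code=int(s.group("code")),
            enhanced=s.group("enhanced"),
            text=reply[s.end():].strip(),
        ))
    return found


def rejected_roles(rejections: list[Rejection]) -> dict[str, list[str]]:
    """Map each domain to the RFC 2142 role mailboxes that were permanently rejected (5xx)."""
    out: dict[str, set[str]] = {}
    for r in rejections:
        if not 500 <= r.code <= 599:
            continue  # 4xx is temporary; only a permanent reject means the mailbox is gone
        local, _, domain = r.recipient.rpartition("@")
        if local.lower() in RFC2142_ROLES:
            out.setdefault(domain.lower(), set()).add(local.lower())
    return {domain: sorted(roles) for domain, roles in out.items()}


# The three bounce paragraphs from the post, used as sample input.
SAMPLE_BOUNCE = """\
<abuse@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@rabobank.nl>: host mail01.rabobank.nl[145.72.107.42] said: 550 #5.1.0
Address rejected. (in reply to RCPT TO command)

<security@formbuddy.com>: host ASPMX.L.GOOGLE.com[74.125.79.27] said: 550-5.1.1
The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596
d15si7088885eei.16 (in reply to RCPT TO command)
"""

if __name__ == "__main__":
    for domain, roles in rejected_roles(parse_bounce(SAMPLE_BOUNCE)).items():
        print(f"{domain}: no working mailbox for {', '.join(roles)}")
```

Run against the sample it reports both abuse and security missing for rabobank.nl and security missing for formbuddy.com. Only 5xx replies count: a 4xx greylisting or deferral says nothing about whether the mailbox exists, which is why the temporary codes are skipped.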

Faulty RSS-feeds

Taking a look at some logs from an RSS collector, two things raised my eyebrows. The first is how many feeds are being served by FeedBurner instead of directly by the website itself. The part that worries me is that a lot of those feeds are also about security, privacy and compliance. I think a lot of those people have something to think about in 2012.

The other thing that worries me even more is something I discussed with WordPress developers a couple of years ago, and I know others who have done the same with other projects. A lot of projects learned to do input validation, but most of them still need to learn to do output validation. The parser I currently use luckily appears to be very strict and drops a feed when it doesn’t parse correctly. Here comes the funny part: other parsers, like the one from Google Reader, seem to be more forgiving.

When I search for “libxml exploit” on Google Search I get 1.220.000 results back. I didn’t start searching for the parsers currently in use, but this doesn’t look very promising. With the current hash issues in mind, how could this be used as an attack vector? Keep in mind that a lot of sites use FeedBurner to take the load off their site. And yes, FeedBurner doesn’t really clean things up, if I may believe my current logs. So the recipe looks like a good one to misuse: a high-profile WordPress-based website with FeedBurner enabled, and watch the fireworks.

So maybe it is a good idea for 2012 to see if the parser I’m currently using is up to standard. This can become nasty very quickly if things go wrong. Maybe also a note to others: output validation matters just as much as input validation. The JavaScript alert is still a funny one to deploy on websites.
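To make the input-versus-output validation point concrete, here is an added example (not code from the post or from any of the projects mentioned) that builds the same RSS item twice: once by string concatenation, where a post title carrying markup lands in the feed as markup, and once through an XML serializer, which escapes it as text. Alongside it is a strict consumer that drops a malformed feed, like the collector described above, and a check that lists any non-RSS elements a forgiving consumer would render. The item link, the sample title and the RSS element allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Elements an RSS 2.0 feed is expected to contain; anything else in the tree
# is markup that leaked in from content (constructed allow-list for the example).
RSS_TAGS = {"rss", "channel", "title", "link", "description", "item"}

# Constructed: a post title as an author could have typed it.
UNTRUSTED_TITLE = "Patch notes <script>alert(1)</script> & more"


def build_feed_naive(item_title: str, item_link: str) -> str:
    """Input was validated upstream, output is not: plain string concatenation."""
    return (
        '<rss version="2.0"><channel><title>Example feed</title>'
        f"<item><title>{item_title}</title><link>{item_link}</link></item>"
        "</channel></rss>"
    )


def build_feed(item_title: str, item_link: str) -> str:
    """Output validation: the serializer escapes <, > and & in text nodes."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Example feed"
    item = ET.SubElement(channel, "item")
    ET.SubElement(item, "title").text = item_title
    ET.SubElement(item, "link").text = item_link
    return ET.tostring(rss, encoding="unicode")


def parse_feed_strict(xml_text: str):
    """Strict parse like the collector in the post: None for a malformed feed,
    otherwise the list of item titles (text only; child markup is ignored)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [item.findtext("title") for item in root.iter("item")]


def foreign_elements(xml_text: str) -> list[str]:
    """Tags in a well-formed feed that are not RSS: what a forgiving consumer
    would render as markup instead of text."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if el.tag not in RSS_TAGS})


if __name__ == "__main__":
    link = "http://example.invalid/post"  # constructed
    print("naive feed parses as:", parse_feed_strict(build_feed_naive(UNTRUSTED_TITLE, link)))
    print("escaped feed parses as:", parse_feed_strict(build_feed(UNTRUSTED_TITLE, link)))
```

With the sample title the naive feed is not even well-formed XML (the bare ampersand), so the strict consumer drops the whole feed; drop the ampersand and it parses fine, but the script element now sits inside the tree and the item title is truncated to the text before it. The serializer-built feed round-trips the title unchanged and contains no foreign elements, which is the output validation the paragraph above asks for.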

Another company switching to XMPP

Back in 1996 ICQ saw its first light and instant messaging was born; it took Microsoft until 1999 to launch MSN Messenger. Two proprietary protocols for instant messaging with closed specifications. A third protocol was started in 1998 under the name Jabber, which was renamed XMPP a few years later. For a long time it was labeled as “only for geeks” or “something for Linux users”.

This all changed in 2005 when Google launched Google Talk, which was based on XMPP, and in 2006 also allowed server-to-server communication so Google Talk users could communicate with users outside the Google network. Other services like audio and video were added in the years after. This forced others to rethink their ideas about their instant messaging networks, and Facebook Chat followed the same strategy as Google Talk. Shortly after, in 2008, AOL started experimenting with ICQ over XMPP.

The last big bastion was Live Messenger from Microsoft, but recently it was announced that Microsoft too has started to offer an XMPP API to its instant messaging network, meaning people with an XMPP client can use the Microsoft instant messaging network without any additional software. Telepathy developers from Freedesktop.org jumped in directly and are trying to get it into GNOME 3.4, together with better Facebook support like there is now for Google in GNOME Online Accounts. With this, the only question that remains is whether Microsoft, for example, will also allow server-to-server communication like Google does.

Now that we are slowly moving towards a unified communications standard, which companies such as Cisco are pushing for, we also see a simplification and reduction of the standards in use. Hopefully Debian can drop all packages that depend on the old Messenger protocol in the release after Wheezy. Hopefully Microsoft will also jump on the bandwagon for standardized calendar and contacts support, but time will tell. For now it is a plus one for open and free standards.

Usenet, goodbye and thanks for all the fish

After being a Usenet junkie for a long time, the time came that I switched from being a regular poster to a lurker. I still followed a lot of groups for many years until I realised that for at least 12 to 18 months I had only been syncing my news spool without any reading. After catching up on some groups I saw that I wasn’t the only one. A lot of groups in the nl-tree are just empty or mostly abandoned, or they contain mostly spam. Other trees like the comp-tree have more posters, but also a lot more spam, and I mean really a lot more.

I still think Usenet is a good platform and that it has served its purpose. Due to its openness as a platform it also led to a lot of people abusing it, and it is unforgiving. Another thing is that companies like Microsoft, but also XS4ALL, are switching to privately hosted forums where they can control the posters and the content. This leaves certain mailing lists for me to follow, but even that number has been reduced as most of them have the Eternal September feeling. So thanks everyone for all the time and discussions on Usenet, and hopefully we meet again.

Debian Wheezy and GNOME 3.2

The migration of GNOME toward version 3.0 in Debian earlier this year wasn’t very successful in the beginning, but a lot of bugs were solved during the summer. GNOME 3.0 made it into Wheezy around the release of 3.2, and maybe for the better. Now, only a few months after the release of GNOME 3.2, almost all packages have been uploaded to experimental or unstable, and most of them have even already migrated to testing.

But what does GNOME 3.2 bring? A lot of people are unhappy, and some of their points are valid and need to be fixed; whether others are true is open to discussion. One thing that changed in 3.2 is how GNOME interacts with your address book and your instant messaging accounts. Connections to instant messaging networks are automatically started when you log in. This is also reflected in the search screen: when you type in a friend’s name you directly see his connection status.

GNOME Online Accounts is another example of making things simpler for the user. Currently it only works for Google, but I really hope the current proposals for querying the right SRV records in DNS are also going to be part of GNOME in a future release. For now GNOME Online Accounts sets up multiple Google services like Mail, Calendar, Chat, Documents and Contacts with a single authentication token. The different services don’t have to maintain and store the credentials in GNOME Keyring, or still in their own way. Hopefully a solution will come for Liferea, which still stores the user’s password in plain text in the configuration file.

Other third-party applications like Simple Scan, Shotwell and Deja-Dup are slowly making their way into becoming part of GNOME. I can’t wait to see what is going to happen with the GNOME 3.4 release, as both Epiphany and Evolution are going to have some major work done to them: a switch to WebKit 2 and an end to the use of GtkHTML in Evolution. Hopefully after this Epiphany can replace Firefox completely on my desktop.

It is good to see the progress GNOME is making in becoming an interface for cloud services by simplifying the configuration for users, but also by separating data from applications more and more. I can’t wait to see how GNOME Documents is going to evolve, but two other things that are still open are a good solution for RSS feeds and for chat logs, as Empathy is still storing them on disk and isn’t able to use logs stored by Google, for example.

In the end I’m happy with GNOME 3.2 in Debian Testing right now, and Debian on my workstation is back to its weekly testing upgrade schedule as most parts are working. I even think that I will continue to do this during the 3.4 release, as most of the GNOME dust has settled. Maybe I will make an exception for both AbiWord and Gnumeric when they switch to GTK3 and hopefully also get better OpenDocument support.