Browsing: Uncategorized

Nice feature/bug in Check Point NAT

It seems that I have stumbled upon a interesting Check Point firewall NAT behavior. Namely the firewall does something that it is not ordered to do, it translates the source IP to a different one than in the policy.

Had a static inbound NAT rule where the source address of the client was supposed to be faked to another static address. What happened was that yes the policy installed fine. Yes the client IP address was changed and hidden from the service. But it was changed to an incorrect address. The rule stated that the client IP address be changed to for example 172.16.2.10, but what it was translated to was 172.16.2.100. And the new address did not exist anywhere in the policy database.

And after upgrading that particular management server to R80.20 it refused to compile the policy with that NAT rule in place. Fortunately recreating the NAT rule removed the issue.

The error in the FWM debug logs was for that issue:
“Invalid Object in Source of Address Translation Rule 57. The range size of Original and Translated columns must be the same.”

The interesting thing is, that it was fixed simply by deleting the rule and just re-adding it. And yes it was a 1 address to 1 address translation, not a network to 1 address.

{ Add a Comment }

WhatsApp used to interact with ATMs in Brazil

Happened upon a interesting article today – https://www.zdnet.com/article/banco-do-brasil-launches-cash-withdrawals-via-whatsapp/. As URL already states they are enabling users to withdraw cash from ATM’s via WhatsApp.

Basically what they say is that, the user needs to add a chatbot to their contact list and ask it for money. Then the chatbot gives them a “key” that is valid for a day. Although the service has a 80$ transaction limit, it still feels like a bad idea to me. I can already feel the new “malware wave” coming that tries to exploit this thing on the phones.

When thinking about this service, I really would love to see the analysis they made to say this is a really secure thing to do. How is this channel secured? How are they protecting people against “theft via malware”? I feel like I need to do some research in to that.

{ Add a Comment }

Malware campaigns are going even after the smaller “markets”

Yesterday I happened to read a warning by the Estonian police, that there is a new malware campaign. The fact that there is a malware campaign going on is not news to anyone. But what actually caught my attention was the translation quality on the phishing sites.

The warning had a screenshot of a site spreading malware was the classic your computer is infected with a virus scam, but for smart phones. Sites like that have been used for a long time. But the quality of translation has been really bad for those sites. This time the message had quite good quality and a lot of people might actually fall for it.

The message there basically stated that the user had visited a site containing malware or porn and might be infected with a virus. It also contained a threat that your ISP will block your internet access. They have scripted the ISP part, so that they try to get the ISP name from your IP address.

Besides the rise of quality of the phishing text and translation based on the localization info, a lot of the phishing sites have also moved on to using HTTPS. Malware sites have started using certificates that are accepted by web browsers making them a bit harder to detect by unsuspecting users.

It is the first time in years I felt like doing a refresher to my parents on recognizing malicious sites.

{ Add a Comment }

E-mail spam, a way to sway policy makers decisions

Although politicians and law-making is not something I usually would write about, it is something I just found interesting.

I think by now everyone who has an e-mail address has come in to contact with spam e-mails. Usually they are sent to sell you something or do some phishing. But as it turns out sending spam e-mails can also make politicians vote in certain ways.

A few days ago, I happened to hear a old recording of a radio show that had multiple politicians as guests. And Indrek Tarand an Estonian representative at the EU was one of them. When the topic of the new “EU copyright bill” came up, he did something that I wasn’t expecting. He completely baffled me with his reasoning behind his decision.

Namely, he said he voted for the bill, because the people who are against the bill supposedly used AI to send spam to him to try make him vote against it. And voting for the new law was his way of reacting to the hundreds of e-mails he got.

So as it turns out, you don’t need to spend a lot of money to lobby a politician in to voting some way. Just try and press the right buttons by sending them spam e-mails. They might just vote your way just because you spammed them not to do it.

{ Add a Comment }

What’s up with all the bad passwords out there

A bit over a week ago the list of the worst passwords of the year (2018) was released by SplashData. You can review it yourself at https://www.teamsid.com/100-worst-passwords-top-50/.

After having a look at it I found myself amazed at the people’s choices of password. It just baffles me that people are still using passwords like “password” or “1234” as their password and when websites require longer passwords they just keep counting up the numbers instead of “1234” its now “12345678..”.

Do people still actually think that their passwords don’t matter? That no one will guess their username and password? By now almost everybody must have heard of the constant take overs of peoples social media accounts through simple password guessing. If not that, then people surely must have already come in contact with some one trying to log in to their account at some point – warnings at Gmail or similar services. Surely that should make people think.

In order for a password to resist simple brute force attacks it doesn’t have to be too complicated and something that is hard to remember like “x1Ds$!abFrdc?”. You can just your favorite quote from somewhere, which would be very easy to remember and much more secure than the ones on the list. To be a bit on the safer side you can add something to the beginning or ending of it. That would just be a precaution against some attackers that actually do some research on you. So that it wouldn’t happen that an attacker sees that The Simpsons is your favorite TV-show and would guess that your password is “Eatmyshorts!”

{ Add a Comment }

F5 BigIP health checks mark host resource down although it’s up

A couple of times I have happened to run across a strange issue on some F5 Big-IP LTM clusters where one of the node’s marks some resources as down although they are actually up. Which can cause quite a lot of confusion and trouble.

At least in the cases that I have seen TMM seems to start interpreting the output of health checks backwards for some hosts. In the logs you can see that the health check returned the host is up and that host was marked as down.  I have had it happen a couple of times with the 11.x series LTM software and it has also happened with the 12.x versions even with the latest patch levels. But I have not seen it happen with the 13.x version(yet).

So in order to get around the issue I have usually just restarted the TMM process on the affected device and all has gone back to normal after it.

Basically to restart the TMM just log in to the device using SSH and issue the following command:

tmsh restart /sys tmm

Beware that restarting the TMM will cause the device to stop processing traffic. So, in case you are having the issue on a device processing the traffic and are running a Big-IP cluster just do a fail-over first if you already haven’t done it.

Like with many other issues the phrase “have you tried turning it off and on again” comes to mind and saves the day.

{ Add a Comment }

Safer SSH key usage on Windows than just using Putty pageant

This is the first a follow up post describing a work around on Windows to the issue described in my previous post describing the issue with SSH keys being re-usable by anyone with privileged access on the SSH server. (Read more). Basically the workaround is to use KeePass and it’s plugin called KeeAgent instead of using putty’s pageant to present the SSH key to Putty.

Pre-requisites

  • Putty installed on your computer
  • A SSH private key in Putty format(.ppk) and the public key set on the SSH server authorized keys file.

Getting Ready

As mentioned previously we will be using the password manager called KeePass and it’s plugin called KeeAgent to store and present the SSH private key to putty. So lets get started.

  1. KeePass can be found at  https://keepass.info/ you need to download version 2.xx (current version is 2.38) and install it.
  2. Install KeeAgent plugin which can be found at https://lechnology.com/software/keeagent/, download it and unzip the file called KeeAgent.plgx to KeePass plugins dir (C:\Program Files (x86)\KeePass Password Safe 2\Plugins)
  3. Start KeePass

Using KeePass and KeeAgent for handling the SSH keys

  1. Create new password database and set the password you want.
  2. Add a new password entry to the password database to do that in the menu go to “Edit -> Add New Entry” or just press the new entry button.
  3. Whilst creating the new password entry set the password in the entry to be the same as it is on your .ppk file
  4. Go to the Advanced tab and in the Attachments section attach your .ppk file
  5. Go to the KeeAgent tab, tick the box allowing KeeAgent to use this entry. After that tick the box “use confirm constraint”.  Set the private key location to attachment and select the previously attached file. If the password has been set correctly and the attachment is a valid .ppk file it should show public key info below.
  6. Next navigate in the menu to Tools -> KeeAgent and click on it. In the window that opened click on “Add..” , select “From KeePass..” and select the previously imported key. Verify that the require confirmation box is ticked and click ok.
  7. Now open up Putty and try connecting to some SSH server where your key should work.

If all is working as it is supposed to the following prompt should pop up asking for permission on the private key usage every time it is being accessed by a new session:

KeeAgent-Prompt

The prompt will show the hostname where the key is being accessed and the key description (name and fingerprint).

{ 2 Comments }

SSH key based authentication secure and convenient or is it?

SSH key based authentication secure and convenient or is it? Well that seems really obvious that it is secure and convenient no passwords to be guessed and changed all the time, or that can be guessed logging on to servers much faster. But when done improperly it isn’t that safe and secure as it would seem.

The issue

When logging on to SSH servers using authentication agent forwarding for convenience so you could jump hosts using the same key. See nothing wrong with it?  Still seems all good and  secure? Well not that secure any more, as soon as convenience of the authentication agent forwarding comes to play a little issue arrises that a lot of people do not think about. Namely the key you used to authenticate to the server is now accessible to others on the server, not in the sense that they could copy it, but they can use it to authenticate to other servers where your key would be valid and that are accessible from that server. Although it requires escalated privileges to get access to it, it is still a problem. So where is this key located? It goes to the /tmp/ folder. As the following is an example from my test machine:

huxx@lnx:~# ls -la /tmp/

total 10

drwxrwxrwt 10 root     root     3072 Feb  1 01:00 .

drwxr-xr-x 23 root     root     4096 Jun  2  2015 ..

drwx------  2 huxx     huxx     1024 Feb  1 00:36 ssh-DhNiAzWTEV
huxx@lnx:~# ls -la /tmp/ssh-DhNiAzWTEV

total 4

drwx------  2 huxx huxx 1024 Feb  1 00:36 .

drwxrwxrwt 10 root root 3072 Feb  1 01:01 ..

srwxr-xr-x  1 huxx huxx    0 Feb  1 00:36 agent.18922

Is there a solution for it?

So is there a solution for the afore mentioned issue? Well luckily  Yes there is. There are SSH key agents out there that actually ask for your permission first before allowing access to the private key. For Windows one such solution would be to use the KeeAgent plugin for the password manager called KeePass it allows to set a password/confirmation to be prompted for every time someone/something tries to access the private key. The same combination will also work on macOS with a bit of work by porting the Windows application using mono for Mac and adding ssh-askpass script to the system. The exact solutions will be shown in followup posts to come.

Edit:
Solution for Windows users described here: https://www.huxxit.com/index.php/2018/02/02/safer-ssh-key-usage-windows-just-using-putty-pageant/

{ Add a Comment }

Hello Internet!

Hello Internet, this is Huxx “signing on”. As it seems You have somehow stumbled upon My little website where I will start writing about IT related Tips’n’Tricks that I have found useful and also about other things that I am interested in.

{ Add a Comment }