Monthly Archives: June 2015

Government of Mauritius website allows weak security




A few days ago, Sruti mentioned on the Mauritius Internet Users mailing list that she had problems resetting her password on the Mauritius Government website.

Out of curiosity, I decided to check whether the login works correctly. While doing so, I made an interesting observation: the TLS connection offered by the website is weak in terms of security!

While observing the SSL connection from my smartphone, I came across weak encryption offered by m.govmu.org, the mobile version of the Government of Mauritius website. Stunned by this discovery, I also checked the PC version of the government website and noticed that it offers the same weak encryption:

SSL handshake has read 2749 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
...
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5

The govmu.org website allows RC4-MD5, which is considered weak encryption according to RFC7464. The document, which is now a standard on the Internet, recommends the removal of RC4 as an encryption mechanism because of the practical attacks demonstrated against it.
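As an added example (not part of the original post), here is a small C check that pulls the negotiated cipher suite out of openssl s_client output like the excerpt above and flags the components that make it unacceptable today (RC4, MD5-based MACs, NULL and export suites). The sample output string is constructed to mirror the excerpt; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: the lines openssl s_client prints after a
 * handshake, mirroring the excerpt captured from govmu.org. */
static const char sample_output[] =
    "SSL handshake has read 2749 bytes and written 362 bytes\n"
    "---\n"
    "New, TLSv1/SSLv3, Cipher is RC4-MD5\n"
    "SSL-Session:\n"
    "    Protocol  : TLSv1\n"
    "    Cipher    : RC4-MD5\n";

/* Copy the suite name following the first "Cipher is " into buf.
 * Returns 1 on success, 0 if the output contains no such line. */
int negotiated_cipher(const char *output, char *buf, size_t buflen)
{
    const char *p = strstr(output, "Cipher is ");
    if (p == NULL || buflen == 0)
        return 0;
    p += strlen("Cipher is ");
    size_t n = 0;
    while (p[n] != '\0' && !isspace((unsigned char)p[n]) && n + 1 < buflen) {
        buf[n] = p[n];
        n++;
    }
    buf[n] = '\0';
    return n > 0;
}

/* Weak components of an OpenSSL cipher-suite name: RC4 is prohibited
 * for TLS, MD5 as a MAC is obsolete, NULL gives no encryption at all,
 * and EXP marks the deliberately weakened export-grade suites. */
int cipher_is_weak(const char *cipher)
{
    static const char *bad[] = { "RC4", "MD5", "NULL", "EXP", NULL };
    for (int i = 0; bad[i] != NULL; i++)
        if (strstr(cipher, bad[i]) != NULL)
            return 1;
    return 0;
}

/* 1 = weak suite negotiated, 0 = acceptable, -1 = no cipher line found. */
int check_s_client_output(const char *output)
{
    char suite[64];
    if (!negotiated_cipher(output, suite, sizeof suite))
        return -1;
    return cipher_is_weak(suite);
}

int main(void)
{
    char suite[64];
    if (negotiated_cipher(sample_output, suite, sizeof suite))
        printf("negotiated %s: %s\n", suite,
               cipher_is_weak(suite) ? "WEAK" : "acceptable");
    return 0;
}
```

Pipe the real output of openssl s_client into this check instead of the constructed sample to audit a server of your own.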

Implications for Mauritian Citizens

As things stand, it is possible to intercept and decrypt sensitive information that a user sends to the Mauritius Government website. Under certain circumstances a practical attack can be set up. This is all the more dangerous as more and more people use Wi-Fi, which magnifies the problem.



--Logan

23:59:60, the cyberisland and the leap second that we forgot



The US is busy planning for the leap second transition


Please see my previous blog post if you are not familiar with the leap second issue.


The US has a "Best Practices" document (URL: http://www.gps.gov/news/2015/05/leap-second/2015-best-practices-for-leap-second.pdf) published by the Department of Homeland Security. I'm going to quote a few sections from it: "Sponsored by the National Cybersecurity and Communications Integration Center in coordination with the United States Naval Observatory, National Institute of Standards and Technology, the USCG Navigation Center, and the National Coordination Office for Space-Based Positioning, Navigation and Timing. This product is intended to assist federal, state, local, and private sector organizations with preparations for the 30-June 2015 Leap Second event."

Below the introductory part of the document is a list of well-detailed steps to prepare for the leap second transition that will occur on the 30th of June.

Meanwhile in Mauritius

I immediately went looking for the same information for Mauritius. My first choice was the Mauritius Standards Bureau. The relevant pages show nothing about time (URL: http://msb.intnet.mu/).

My second choice was therefore CERT-MU, the Mauritian counterpart for cybersecurity, where I expected to find a "Best Practices" document for the leap second. Result of the search on the CERT-MU website: zero.

At this point I started wondering what could be impacted by the leap second in Mauritius. Website crashes were reported when previous leap seconds were added. Quote from a website: "Sites such as Reddit, Gawker, LinkedIn, Foursquare and Yelp crashed after a 'leap second' was added to the universal clock in order to keep up with the Earth's rotation." So a few critical websites might crash. This matters to everyday users.

Other problems ?

Wikipedia says that older versions of Motorola Oncore VP, UT, GT, and M12 GPS receivers had a software bug that would cause a single timestamp to be off by a day if no leap second was scheduled for 256 weeks. Many companies rely on GPS for their operations: car fleets, car drivers, boats, and people with smartphones. The Amadeus airline reservation system was also disrupted for more than two hours, which affects plane flights.

Conclusion

Important information such as the leap second transition should have been available on the CERT-MU website, so that people and organisations can better prepare themselves and avoid disruptive problems across the Mauritian infrastructure.

Havoc on the 30th of June

Big news: the Earth is not rotating uniformly!

Planet Earth does not rotate uniformly. There are some subtle changes that affect its rotation. Those subtle changes affect the reference clocks that are used to keep time accurate on your computer, your smartphone, and the servers at Google, Yahoo!, Facebook, and Instagram. If you think that time is not important, have a look at your Facebook posts and see the timestamp attached to each of them. Time is used everywhere on the Internet :)

A Leap second

To account for those subtle changes in rotation, the leap second was introduced: a second is inserted each time those subtle changes accumulate. However, that insertion can cause issues on systems such as GPS. Some systems might not be able to handle the additional second and crash or become overloaded. The next leap second will occur on the 30th of June at midnight.

Keep your time in sync

The solution consists of running an NTP client on your servers and keeping them correctly synchronised with a reliable time source, such as pool.ntp.org. So please make sure that your servers are properly configured with NTP :)



--Logan

Top websites visited by Mauritius and the compromised cyberisland


Alexa top 10 Websites visited by Mauritians


Alexa is a very useful web statistics tool. The problem in Mauritius is that we do not have many statistics. I was expecting Facebook, Yahoo, and YouTube. One site (ask.com) immediately drew my attention, and I knew that something was very wrong in Mauritius!



Ask.com or how a lot of computers are compromised in the Cyberisland


The Ask toolbar is generally found on computers that have been compromised, and it is installed surreptitiously. In 10th place we have ask.com, which is malware that infects a lot of browsers. I saw it on a few laptops belonging to my co-workers and friends. However, I never imagined that it was so widespread in Mauritius! Widespread enough that it is the 10th most visited website on the island! ask.com is typically accessed via a browser toolbar that generates bad search results and is notoriously hard to remove completely.

The Ask toolbar slows down the computers on which it is installed. It is very difficult to remove completely. Computers that have the Ask toolbar installed are very likely to contain other malware. Those computers tend to slow down entire corporate networks due to excessive traffic. Microsoft rates it as high in terms of security severity: Microsoft Advisory. I went to check with CERT-MU, which in its own terms is the "... Mauritian Computer Emergency Response Team (CERT-MU), a division of the National Computer Board (NCB), Mauritius, to educate and enhance the awareness of the general public on the technological and social issues facing internet users, particularly on the dangers of getting online." I found nothing concerning the Ask toolbar.



Using Linux or BSD as your slave for repetitive editing

Generating URI on blogsum

Blogsum is a minimalist and secure CMS which I use. The only problem so far is generating the blog post URL. Generally, the title is a long string of text such as "Using Linux or BSD as your slave". However, I cannot use this directly as a URL. One way would be to use JavaScript or any decent client-side language to generate it. What output would I expect? Something like "Using-Linux-or-BSD-as-your-slave". That's a pain to generate manually: I have to copy-paste the title and replace every space with a '-'. However, there is another way if you're using Linux or BSD.

The power of sed

Some people tend to jump to fully fledged programming languages like Perl or Python. To me, it's like using a car to travel 5 metres down the road. The same group of people would probably use Google to look up thousands of ways to do the editing. There's a way to do it in a single line of fairly readable code, using sed. sed is a tiny piece of software available on all BSD and Linux systems. It stands for "Stream Editor", and it can be used to do a lot of complex tasks.

sed has an easy-to-remember usage pattern for this kind of task that you can type in your terminal:

echo "Using Linux or BSD as your slave for repetitive editing" | sed 's/ /-/g'

The output is: Using-Linux-or-BSD-as-your-slave-for-repetitive-editing

Analysing the command we just typed

echo just prints whatever you give it: echo "XXX" prints XXX on the terminal. By running echo "XXX XXX" and adding a '|' (a pipe), we take that "XXX XXX" and send it on for further processing. In this case, we send it to sed.

sed takes the input "XXX XXX" and applies an operation. In this case, the s means substitute. Now, what do we want to substitute? We want to replace the space character with "-". We use the / followed by " " to tell sed what to look for. Then, what character do we want to use instead? The "-". We type '/', then '-', and another / to terminate the expression. What does the 'g' stand for? By default sed replaces only the first occurrence of a space on each line with "-". We need to do it for all instances of the space, so we use g for "global" replacement. That's it, we're done: Linux or BSD just did the grunt work for you :)



(Please don't hesitate to leave your comments :))
--Logan


Karbonn Sparkle V & Android One

Android One

Android One is a label that targets emerging markets. It specifies the minimum hardware requirements that a smartphone must meet to be supported by Google for 2 years. This is one of the major opportunities for us in Mauritius. Some of you may think that it's too good to be true, but it exists, as I got myself an Android One phone!

Karbonn Sparkle V

I bought an Android One certified phone from the Indian manufacturer Karbonn. Mine is the Karbonn Sparkle V. When I got it, it was still on Android 4.4. As soon as I configured the Wi-Fi, it offered to update to Android 5.0. Many high-end phones are still shipping with Android 4.4 today without any update to Android 5.0.


  • Display size: 4.5 inches
  • CPU: Quad-core 1.3 GHz Cortex-A7
  • Internal memory : 2GB
  • GPU: Mali-400MP2
  • RAM: 1GB
  • Camera (back): 5 MP, 2592 × 1944 pixels, autofocus, LED flash
  • Camera (front): 2MP
  • GSM: 2G, 3G, 4G



User experience

Last night, I updated to Android 5.1.1. UX-wise, the phone is very responsive and snappy. My only complaint would be the lack of internal storage space; I think that 4GB would have been better. Another version of the Sparkle is currently brewing, and I hope that Google bumps the hardware specs for the next Android One label. The price is very competitive: Rs 5700-5900 depending on where you buy it. Overall, I'm very happy with my purchase, and I definitely plan to buy another Android One phone at the end of this year.


Android One firmware


It is worth pointing out that Google offers 2 years of firmware update support. This is fantastic, as I get the equivalent of a Google Nexus phone at a much more reasonable price. This is the major win for Android One phones. Unlike manufacturers that tend to ignore firmware updates after 6 months, Google makes a smart move here.




--Logan

Android One camera issue

Android One camera freeze


While attending a wedding today, I wanted to use my camera to record videos. When I switched to video mode, the application froze. Android reported that it was not able to connect to the camera.

Dark Powers of Linux to the rescue

Since Android runs a Linux kernel, I knew from experience that this was very likely a device driver module. Of course, since I did not have full access to the Android kernel message log, that was based on my instinct :)

I still wanted to record the speeches about the responsibilities of marriage from the gentleman who took the time to lecture the newly wed couple. So I knew that I had to find a way to reset the camera. My idea was that, since I had switched to video mode before it froze, it probably remained in that state. I quickly killed the application and reloaded it. Unsurprisingly, it started directly in recording mode. I just had to press record, and that did the trick.

My theory is that switching back and forth between video and photo mode causes the driver to hang in the Android kernel. Since my phone is supported by Google, I sent them a report from the phone itself, including how to reproduce it :)

Google Android One rocks

Thanks to the support from Google, I can send bug reports to them, as the phone is supported for 2 years. Compared with other phone manufacturers, this is much better in my humble opinion.



--Logan

Improving NTP security against overflows

Saving the world ... on time !


The Network time protocol is a standard which is used to keep our computer's time accurate. The science involved in keeping clocks ticking on computers is far more complex than most people would assume.

As a comparison: the number of lines of code in the University of Delaware NTP implementation, which is the most widely deployed NTP software, is slightly less than that of the Internet Software Consortium's BIND. I will spare us the details of the hair-pulling mathematics involved :)

Security record of Delaware NTP

I do not want to criticise the work of the past NTP developers. I am merely looking at the list of past vulnerabilities:

  • Buffer overflow in crypto_recv()
  • Buffer overflow in ctl_putdata()
  • Buffer overflow in configure()

So what is a buffer overflow? Let's use a picture to illustrate this:

[image: buffer_overflow]

As we can see here, the attacker keeps putting more sugar in the pan until it literally overflows. In computers, you can do the same thing: you can supply more input than the storage location can accept, and the excess spills over into the adjacent storage location. There is one difference, however: if you are smart, you can use the overflowing "sugar" to take control of the remote computer! This is one of the classic ways to crack into a remote computer such as an NTP server, a Mac OS X laptop, or even a Windows laptop. For geeks: you can put some "magic" in the overflowing sugar that executes "/bin/bash", and you can then run whatever you want on the NTP service.

Defeating overflows

I have extended the NTP memory allocator (the manager in charge of allocating storage space in live memory) with an additional function that checks for overflows arising under one particular condition, namely multiplication. As I said previously, a lot of NTP involves complex mathematical calculations that can lead to vulnerabilities. This defeats an entire class of buffer overflows in NTP. Given the large number of products that use the University of Delaware NTP software, this is a significant step towards improving Internet security at large!

To put it in simpler terms: we prevent the attacker from overflowing the pan with sugar. We have detectors in place that signal to the chef that something went wrong in the kitchen.
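To show the class of check described above in code, here is an added example of my own (it is not the author's NTP patch, and the function names are mine): when an allocation size is computed as count × element size, the product can wrap around, malloc then returns a buffer far smaller than the caller expects, and the later copy overflows it. The hardened allocator refuses the request instead of letting the multiplication wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Returns 1 if nmemb * size would exceed SIZE_MAX, i.e. the product
 * would wrap and the resulting buffer would be far too small. */
int mul_overflows(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* The unsafe pattern: unsigned multiplication wraps silently, so a
 * huge element count can yield a request for almost no bytes. */
size_t unchecked_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;   /* wraps modulo SIZE_MAX + 1 */
}

/* Hardened allocator: detect the wrap and signal it to the caller
 * (the "detector in the kitchen") instead of handing back a tiny buffer. */
void *checked_alloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        fprintf(stderr, "refusing %zu x %zu bytes: size multiplication overflows\n",
                nmemb, size);
        return NULL;
    }
    return malloc(nmemb * size);
}

int main(void)
{
    /* Constructed input: four elements of this count wrap exactly to 0. */
    size_t n = SIZE_MAX / 4 + 1;
    printf("unchecked: %zu elements of 4 bytes -> %zu bytes requested\n",
           n, unchecked_bytes(n, 4));
    void *p = checked_alloc(n, 4);
    printf("checked: %s\n", p == NULL ? "refused" : "allocated");
    free(p);
    return 0;
}
```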

List of products using University of Delaware NTP software

I have attempted to list a few well-known products which use the University of Delaware NTP software. This is by no means exhaustive:

  • Various Cisco products.
  • RedHat/CentOS Linux.
  • Ubuntu Linux.
  • Apple Macbooks.
  • And many others


--Logan