bill’s blog

Just another WordPress weblog


SMTP servers, like most UNIX services, can be accessed using the command line. It’s not always the prettiest way of doing things, but very often for basic testing it’s all that is needed. I was recently having problems with my ISP… U-verse! My mail wasn’t getting through their firewall. I was positive that port 25 was being blocked on their side… though they assured me it wasn’t. Sending emails and waiting for them to return from the Internet can be a painstaking process. Additionally it doesn’t give you a whole lot of information on the state of the connection (only that the email got to you or it didn’t)! Using telnet to access your SMTP server provides a lot more information back to the systems administrator! So how is this done?

The first thing you do is open a telnet client and open a connection to the host on port 25:

bill@endeavour:~$ telnet mail.randomdog.net 25
Trying 10.0.1.15...
Connected to mail.randomdog.net.
Escape character is '^]'.
220 mail.randomdog.net ESMTP Postfix

This really just opens the connection… now it’s time to start talking to the server. Next you need to let the server know who it’s talking to. The HELO or EHLO (extended SMTP) command accomplishes this.

HELO endeavour.randomdog.net
250 mail.randomdog.net

The 250 is the status response code from the server. In this case 250 means that the requested mail action is okay and has been completed. A complete listing of status responses can be found at:

http://www.greenend.org.uk/rjk/2000/05/21/smtp-replies.html

or you can download a copy I grabbed from AnswersThatWork.

Next up… Let’s start writing an email. The SMTP command to do this is:

MAIL FROM: will@randomdog.net
250 2.1.0 Ok

Then we need to tell the server which account we want the email to be delivered to.

RCPT TO: bill@randomdog.net
250 2.1.5 Ok

Next let’s start composing our email. To begin with we must send the DATA command.

DATA
354 End data with <CR><LF>.<CR><LF>

While not exactly SMTP commands, one could use the following header fields:

Subject:
Cc:
Reply-To:

to send some header information. I’m going to set up a subject line.

subject:Telnet SMTP Commands

After setting up the header info… I can begin to type my email.

This is a demo of using telnet to send emails directly from an SMTP server.

To tell the mail server that you have completed the message, enter a single “.” on a line on its own.

.
250 2.0.0 Ok: queued as 4A8D7C4B2CE

The server responded back that it accepted the message and has queued it for delivery.

Finally we’re going to want to close the connection nice and neatly… So we would issue the QUIT command.

QUIT
221 2.0.0 bye
Connection closed by foreign host.

NOTE: One could simplify the testing a bit after opening a connection with the server by issuing the VRFY command. This command is used to verify that an account is a valid user on that server.

VRFY bill
252 2.0.0 bill

The 252 status response means that the user account appears to be valid but could not be verified.
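The whole dialogue above, HELO through QUIT with the optional VRFY probe, as an added example that is not part of the original post: a small Python client that sends each command, reads the (possibly multi-line) reply and checks the status code at every step, the way you check it by eye in the telnet session. So that it runs offline it talks to an in-process stand-in server that answers with the replies quoted above; the hostname, addresses and queue ID are therefore the post’s values, not those of a live mail server.

```python
import re
import socket
import threading

# Replies scripted from the telnet session in the post, served by an in-process
# stand-in for mail.randomdog.net (a constructed mock, not a real mail host).
SCRIPTED_REPLIES = {
    "GREETING": "220 mail.randomdog.net ESMTP Postfix",
    "HELO": "250 mail.randomdog.net",
    "VRFY": "252 2.0.0 bill",
    "MAIL": "250 2.1.0 Ok",
    "RCPT": "250 2.1.5 Ok",
    "DATA": "354 End data with <CR><LF>.<CR><LF>",
    ".": "250 2.0.0 Ok: queued as 4A8D7C4B2CE",
    "QUIT": "221 2.0.0 bye",
}
ENHANCED_STATUS = re.compile(r"\d\.\d{1,3}\.\d{1,3}")


def parse_reply(line):
    """Split one reply line into (3-digit code, enhanced status or None, text)."""
    code, rest = int(line[:3]), line[4:].strip()
    first, _, tail = rest.partition(" ")
    return (code, first, tail) if ENHANCED_STATUS.fullmatch(first) else (code, None, rest)


def dot_stuff(line):
    """RFC 5321 4.5.2: double a leading '.' so a body line is never read as end-of-data."""
    return "." + line if line.startswith(".") else line


class SmtpSession:
    """Client side of the post's dialogue: send a command, read its reply, record the code."""

    def __init__(self, sock):
        self.sock, self.rfile, self.transcript = sock, sock.makefile("rb"), []

    def read_reply(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
            if len(lines[-1]) < 4 or lines[-1][3] != "-":  # "250-" means more lines follow
                return parse_reply(lines[-1])[0], lines

    def command(self, text, expected, label=None):
        self.sock.sendall((text + "\r\n").encode("ascii"))
        code, lines = self.read_reply()
        self.transcript.append((label or text.split(" ", 1)[0], code))
        if code not in expected:
            raise RuntimeError(f"expected {expected}, got {lines[-1]!r}")
        return code, lines

    def send_message(self, helo_name, sender, recipient, subject, body, verify=False):
        self.transcript.append(("GREETING", self.read_reply()[0]))  # 220 banner on connect
        self.command(f"HELO {helo_name}", {250})
        if verify:                                  # optional VRFY probe: 250 or 252
            self.command(f"VRFY {recipient.split('@')[0]}", {250, 252})
        self.command(f"MAIL FROM:<{sender}>", {250})
        self.command(f"RCPT TO:<{recipient}>", {250})
        self.command("DATA", {354})
        payload = [f"Subject: {subject}", ""] + [dot_stuff(l) for l in body.splitlines()]
        self.command("\r\n".join(payload) + "\r\n.", {250}, label=".")  # lone '.' ends it
        self.command("QUIT", {221})
        return self.transcript


def scripted_server(sock):
    """Stand-in server: answers each verb from the script, swallows the body up to '.'."""
    rfile, in_data = sock.makefile("rb"), False
    sock.sendall((SCRIPTED_REPLIES["GREETING"] + "\r\n").encode("ascii"))
    for raw in rfile:
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
                sock.sendall((SCRIPTED_REPLIES["."] + "\r\n").encode("ascii"))
            continue
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()  # "MAIL FROM:<..>" -> MAIL
        reply = SCRIPTED_REPLIES.get(verb, "502 5.5.2 Error: command not recognized")
        sock.sendall((reply + "\r\n").encode("ascii"))
        in_data = verb == "DATA"
        if verb == "QUIT":
            break
    sock.close()


def run_demo():
    """Run the whole exchange against the stand-in server; returns [(step, code), ...]."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=scripted_server, args=(server,), daemon=True)
    worker.start()
    try:
        return SmtpSession(client).send_message(
            "endeavour.randomdog.net", "will@randomdog.net", "bill@randomdog.net",
            "Telnet SMTP Commands", "This is a demo of using telnet to send "
            "emails directly from an SMTP server.", verify=True)
    finally:
        client.close()
        worker.join(timeout=5)
```

Calling run_demo() returns the transcript, one (step, code) pair per line of the telnet session. To talk to a real server, replace the socketpair with socket.create_connection((host, 25)) and hand that socket to SmtpSession; the dot-stuffing and the bare-dot terminator are exactly what the 354 prompt asks for. One caveat on VRFY: because it lets anyone who can reach port 25 probe for account names, many sites turn it off (Postfix does so with disable_vrfy_command = yes and then answers 502), so a 252 only means the server declined to confirm, not that the account exists.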

and you’re serious about your Internet service with Static IPs don’t do it!

Software applications are complicated things. Developers need to think about what the application is supposed to do… then write code to make it happen. They need to anticipate how the end-user is going to use the application and how the application could be misused. Trying to understand all possible scenarios is nearly impossible, and added to that, large monolithic applications may have many different coders working on them at any given time. This leads to situations where defects (or bugs) creep into applications. It is these bugs that hackers look to exploit! Very often it is in the form of a buffer overflow attack that leads to the compromising of an application and, depending on the crash… to root access to the box.

I have always said that with the iPhone’s popularity exploits will come… and they have! Apple has tried very hard to lock down the iPhone so that it can’t be used on other carriers’ networks and so applications can only be loaded via the iTunes Music Store. Apple has in many ways crippled its own phone. Apple said that the original iPhone 2G couldn’t capture video… It can! It said that it couldn’t be used to tether a laptop to the Internet… It can! Why? Because AT&T wanted to prevent their network from collapsing under the load of this Smartphone. Additionally, it didn’t want to lose the revenue stream by cannibalizing its mobile broadband market. Many people saw this as an unfair business practice and sought to find ways of breaking these locks to allow unrestricted access to the phone.

Jailbreaking is a process that allows iPad, iPhone and iPod Touch users to run third-party unsigned code on their devices by unlocking the operating system and allowing the user root access (Wikipedia.org, 2010). Jailbreaking the phone takes advantage of unpatched security holes within iOS. The jailbreaking of iPhones has been a cat and mouse game between hackers and Apple. Apple patches the phone and the hackers set off looking for new vulnerabilities to exploit. Apple recently released iOS 4, which set the ball in motion once again to find a new exploit to unlock the phones. The jailbreak that worked against iOS 4 was particularly problematic in that it exploited a vulnerability in the displaying of PDFs on the devices. These specially crafted PDFs could be sitting out on the Internet and when the Safari browser tries to display the PDF… a buffer overflow condition happens and the phone is then “rooted.”

The vulnerability is caused by a flaw in the FreeType font engine… which is called upon when displaying a PDF with embedded fonts. A full description of the bug can be found by googling CVE-2010-1797. Apple’s information regarding the flaw can be found in its update info at http://support.apple.com/kb/HT4291

CVE-ID: CVE-2010-1797
FreeType

Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later,
iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.
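What “a stack buffer overflow in the handling of CFF opcodes” fixed by “improved bounds checking” looks like in practice, as an added illustration that is neither FreeType’s nor Apple’s code: a toy decoder for the Type 2 charstring operand encoding used inside CFF fonts. The number encoding (bytes 32 to 254 plus the 28 and 255 prefixes) and the 48-entry argument-stack limit come from Adobe Technical Note #5177; everything else, including treating every operator as clearing the stack, is a simplification made for this example, and the glyph bytes are constructed. The line that matters is the length check before the write into the fixed-size stack: a glyph program that pushes more than 48 operands would otherwise write past the end of the array, which in a C implementation is the stack corruption the advisory describes. Python lists are bounds-checked anyway, so here the check’s job is to turn a crash into a clean rejection of the font.

```python
MAX_OPERANDS = 48   # Type 2 charstring argument-stack limit (Adobe TN #5177)


class CharstringError(ValueError):
    """Raised for any malformed glyph program; the caller rejects the font."""


def need(data, i, n):
    """Refuse to read past the end of the charstring (truncated operand)."""
    if i + n > len(data):
        raise CharstringError(f"truncated operand at offset {i}")


def decode_operand(data, i):
    """Decode one Type 2 number starting at data[i]; returns (value, next_index)."""
    b0 = data[i]
    if 32 <= b0 <= 246:                       # one-byte integer, -107..107
        return b0 - 139, i + 1
    if 247 <= b0 <= 250:                      # two-byte positive, 108..1131
        need(data, i, 2)
        return (b0 - 247) * 256 + data[i + 1] + 108, i + 2
    if 251 <= b0 <= 254:                      # two-byte negative, -1131..-108
        need(data, i, 2)
        return -(b0 - 251) * 256 - data[i + 1] - 108, i + 2
    if b0 == 28:                              # 16-bit signed integer
        need(data, i, 3)
        return int.from_bytes(data[i + 1:i + 3], "big", signed=True), i + 3
    if b0 == 255:                             # 16.16 fixed-point
        need(data, i, 5)
        return int.from_bytes(data[i + 1:i + 5], "big", signed=True) / 65536, i + 5
    raise CharstringError(f"byte {b0} at offset {i} is not an operand")


def scan_charstring(data):
    """Walk a glyph program, pushing operands onto a fixed-size stack and handing
    the stack to each operator. Returns [(operator, operands), ...].
    Simplification: every operator clears the stack."""
    stack = [0] * MAX_OPERANDS    # fixed-size buffer, standing in for a C array
    top, ops, i = 0, [], 0
    while i < len(data):
        b0 = data[i]
        if b0 == 28 or b0 >= 32:              # operand byte
            value, i = decode_operand(data, i)
            if top >= MAX_OPERANDS:           # the bounds check the fix adds
                raise CharstringError(f"operand stack overflow at offset {i}")
            stack[top] = value                # safe: top < MAX_OPERANDS
            top += 1
        else:                                 # operator: 0..31 except 28; 12 = escape
            if b0 == 12:
                need(data, i, 2)
                op, i = ("escape", data[i + 1]), i + 2
            else:
                op, i = b0, i + 1
            ops.append((op, stack[:top]))
            top = 0
    return ops


def is_well_formed(data):
    """True if the charstring parses within limits, False if it must be rejected."""
    try:
        scan_charstring(data)
        return True
    except CharstringError:
        return False


# Constructed glyph fragment (not from any real font):
# "10 20 rmoveto" (operator 21) followed by "108 hlineto" (operator 6)
SAMPLE_GLYPH = bytes([139 + 10, 139 + 20, 21, 247, 0, 6])
# Constructed oversize program: 49 operands before the first operator
OVERSIZED_GLYPH = bytes([139] * 49 + [21])
```

scan_charstring(SAMPLE_GLYPH) yields the two operators with their operands; is_well_formed(OVERSIZED_GLYPH) is False because the 49th push is refused before it touches the array, whereas the same 48 operands parse cleanly. The same pattern, a fixed buffer plus a count compared against its capacity before every write, is the general shape of the bounds checking the advisory credits the fix with.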

It is so easy to exploit this vulnerability, in fact, that individuals have taken to jailbreaking iPhones in many Apple stores. They merely visit the website JailbreakMe.com and leave a trail of jailbroken iPhones in their wake! In an effort to thwart the jailbreaking of phones in their stores, Apple had to set up a DNS forward for the site until they had a patch for the vulnerability. Apple released a fix for the FreeType 2 CFF font stack corruption vulnerability on August 11th (one of the fastest turnaround times for an iOS patch).

Jailbreaking one’s iPhone will void Apple’s product warranty though it is a simple task to restore the phone to a factory “new” default.

NOTE: You need to remember to restore a jailbroken phone before bringing it to an Apple store for repair.

The Library of Congress is required to revise Digital Millennium Copyright Act (DMCA) rules every 3 years. On July 26th, 2010, it issued its update to the DMCA and made it legal for iPhone owners to jailbreak their phones. Corynne McSherry, a senior staff attorney for the Electronic Frontier Foundation (a San Francisco-based privacy-rights group), had this to say about the ruling.

“Now people can go ahead and fix their phones and jailbreak them so they can run all sorts of different applications,” “They can make full use of the phone they bought without some kind of legal liability hanging over their head. (Bloomberg.com, 2010)”

It should be noted that the Electronic Frontier Foundation is the advocacy group that petitioned the Library of Congress for this ruling.

Resources:

Shields, T. & Satariano, A., (2010, Jul 26th), ‘Jailbreaking’ of IPhones to Add Apps Backed by U.S., Retrieved on August 13th, 2010 from http://www.bloomberg.com/news/2010-07-26/apple-iphone-users-have-u-s-blessing-to-jailbreak-add-own-applications.html

Various, (2010, August 13th), iOS Jailbreaking, Retrieved on August 13th, 2010 from http://en.wikipedia.org/wiki/IOS_jailbreaking

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security.

I wanted to take a moment to thank all the men and women that place themselves in harm’s way to protect myself and family… You are the backbone of freedom and liberty! Thank you!

Bandwidth theft is a topic that we hear about all the time but one that we rarely associate with theft. Anyone that lives in a big city knows… They can get free Internet anywhere! The key word here is FREE. Just because you can get onto the Internet doesn’t mean it’s free for you to use. Someone is paying for the access, and unless you are explicitly informed that it is free, most times it’s not and you are stealing from that individual.

WOW… that’s a heavy way to start the day but it’s true: just because some fool leaves the keys in the car doesn’t mean it’s yours for the taking. Let’s take a look at this scenario for a second… most people are NOT computer savvy! That’s why we have the jobs we have. Consumer-marketed wireless devices are made so that the user can just plug and play. That’s unfortunate. My question is why can’t manufacturers devise some kind of wizard that walks you through setting up a secure wireless network. Cisco’s Linksys line does… with its Secure Easy Setup utility, but the wizard doesn’t run on all platforms (noticeably lacking are MacOS, Linux and BeOS). That’s understandable. They make up a small percentage of the marketplace (combined they don’t even come close to Microsoft’s domination). And some may say that it’s not our responsibility to provide secure networks by default. True! BUT why not get the ISPs on the hook for the dime on this. Think of all that lost revenue!

Regardless… There are other forms of bandwidth theft. This includes individuals that set up hosting services on another individual’s data line without their permission. Those of us in IT do it all the time. “Oh, I need to learn how to implement Apache (insert your favorite service application).” We spend weeks setting it up… we upload our content… but fail to tear it down when the learning is done. Instead we invite our friends and family to visit the site. “Hey look at what I did!” Next thing you know the company is footing the bill for both the hosting environment and the line that it’s attached to! Now some may say what’s the big deal? Well, very often the site/host goes untouched after the initial setup. Patches aren’t applied nor are virus definitions updated. Pretty benign until the box is compromised! Then depending on the breach it could be used to bring a network to its knees. The box could be used as a jumping point to other boxes on the protected network OR turned into a node in a botnet! It could be used to store illegal data such as pirated mpegs or mp3s.

Peer-2-Peer applications… Let’s face it, these can be used for legitimate purposes but ultimately they are not (think about Napster). They are used by individuals to share files with users that do not have the legal right to use said files. Aside from the copyright issues that are being violated, this activity could cause potential problems for the owners of the network line that are allowing these things to happen (think accessory to the crime). Additionally, the applications can demand a huge amount of bandwidth to support the traffic. Peer-2-Peer clients effectively turn your machine into a file server. On top of that you are allowing ANYONE access to the box. Now there’s a big problem! Any open port is a door by which a cracker can have access to a machine.

SO… where does that leave us? 1st and foremost, in a corporate environment, strong Internet/Appropriate usage policies are a must! Enforcement of the policy needs to happen. No one will adhere to the policy if they know there aren’t any consequences! Unfortunately people need to be sacrificed to prove the company means business. In a home network, secure your wireless networks! Don’t leave them open for the world to have at it. Remember… it’s not just your network line that is exposed… it’s your entire network. Next, monitor your network! Check the system logs of your access point. Set up the firewall (something is better than nothing). Set up email alerts. Set up a syslog server. In its basic form, if a syslog server can alert you to certain events it now becomes an Intrusion Detection System (both host based as well as network based). WHY? Because you are grabbing the logs from all devices (think computers as well as firewalls and access points). It may not be real-time alerting but at least you’ll know when someone tried to do something not quite right. Tools like Splunk are more than syslog servers. They can provide statistical data that can be used to baseline your network. Splunk can be “programmed” to alert you when it sees certain conditions. It can track failed login attempts. Depending on what you’re logging on your host it can look for file access records. It can notify you of port scans based on the logs from your firewall. One thing to keep in mind with Splunk is that it is not a true IDS but it can certainly provide some of the functionality.
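The kind of alert the paragraph has in mind, as an added example that is not from the original post or from any product it mentions: a small Python rule run over syslog lines as a central syslog server would collect them from an SSH host. It parses the BSD syslog line format, picks out sshd “Failed password” events, and raises an alert when one source address fails more than a threshold number of times inside a sliding window, which is the “failed login attempts” check the post credits to Splunk, done by hand. The log lines, hostname, addresses and the 2009 year (BSD syslog timestamps carry no year) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in BSD syslog format, as an sshd host would forward
# them to a central syslog server. Addresses are documentation ranges; nothing
# here is a real log.
SAMPLE_LOG = """\
Apr  8 10:15:01 endeavour sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr  8 10:15:03 endeavour sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr  8 10:15:04 endeavour sshd[2235]: Accepted publickey for bill from 192.0.2.10 port 40112 ssh2
Apr  8 10:15:06 endeavour sshd[2238]: Failed password for root from 203.0.113.5 port 51251 ssh2
Apr  8 10:15:09 endeavour sshd[2240]: Failed password for root from 203.0.113.5 port 51260 ssh2
Apr  8 10:15:12 endeavour sshd[2242]: Failed password for root from 203.0.113.5 port 51266 ssh2
Apr  8 10:20:40 endeavour sshd[2301]: Failed password for bill from 192.0.2.10 port 40200 ssh2
Apr  8 10:31:00 endeavour sshd[2390]: Failed password for root from 203.0.113.5 port 51900 ssh2
"""
LOG_YEAR = 2009   # assumed: the timestamp format has no year field

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_syslog_line(line, year=LOG_YEAR):
    """Split a BSD syslog line into its fields; returns None for anything else."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=year)
    return rec


def failed_login(rec):
    """(user, source address) if rec is an sshd failed-password event, else None."""
    if rec is None or rec["prog"] != "sshd":
        return None
    m = FAILED_LOGIN.search(rec["msg"])
    return (m["user"], m["src"]) if m else None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per source address. Returns one
    alert dict per burst that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, user) in window
    alerts = []
    for line in lines:
        rec = parse_syslog_line(line)
        hit = failed_login(rec)
        if hit is None:
            continue
        user, src = hit
        q = recent[src]
        q.append((rec["ts"], user))
        while q and rec["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": src,
                "count": len(q),
                "first": q[0][0],
                "last": rec["ts"],
                "users": sorted({u for _, u in q}),
            })
            q.clear()               # one alert per burst; a new burst re-alerts
    return alerts


def format_alert(a):
    """One-line summary suitable for the email alert the post suggests."""
    return (f"ALERT {a['src']}: {a['count']} failed logins between "
            f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} (users: {', '.join(a['users'])})")


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

On the sample above, 203.0.113.5 fails five times in eleven seconds and produces one alert naming both accounts it tried; the single failure from 192.0.2.10 and the lone retry at 10:31 stay below the threshold. The two regular expressions are the part to extend: a firewall’s dropped-packet lines or an access point’s association log get the same sliding-window treatment with a different event matcher.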

Soldiers must be treated in the first instance with humanity, but kept under control by means of iron discipline.
- Sun Tzu, The Art of War, chapter 9 paragraph 43

I voted for George W. Bush. I was an idealist! 9/11 set the US on its ear. We were fighting the wrong that was done to us but then it stopped. Don’t get me wrong, I will always support our troops wherever they may be fighting, but I no longer believe we were sent to Iraq to rout out terrorism, or WMDs, or to save a people from a tyrannical ruler! We went there for other reasons but that’s not the point! Let’s take a moment to compare Sun Tzu’s The Art of War to that of President Bush. The Art of War is accepted as a masterpiece on strategy and often referenced by generals and theorists throughout history (McNeilly, 2001).

All warfare is based on deception!
- Sun Tzu, The Art of War, chapter 1 paragraph 18

This is probably the most famous line in the entire book and has been heavily quoted throughout the ages! Sun Tzu meant this in terms of one force trying to hide the reality of their strength and strategy! Unfortunately, President Bush used it against the people of the United States. We were deceived as a nation as to the exact threat posed by Iraq! We were led into a war under the guise of imminent danger! Saddam Hussein had weapons of mass destruction and we needed to stop the deployment of these weapons. Problem is there were no weapons.

Moving on…

Again, if the campaign is protracted, the resources of the State will not be equal to the strain.
- Sun Tzu, The Art of War, chapter 2 paragraph 3

I could have used…

There is no instance of a country having benefited from prolonged warfare.
- Sun Tzu, The Art of War, chapter 2 paragraph 18

But the first paragraph seems more appropriate today! The second engagement with Iraq has gone on for more than 6 years (it started March 20, 2003) at a current cost of $12.5 billion per month! In today’s economic climate, that money could have gone to better use at home! Now there are many that will say President Bush couldn’t have known about the housing collapse! Oh yes he did! It was coming for a long time and when it did President Bush got to wipe his hands clean and go back to the ranch… “Yee Haw, dodged that bullet!” Any way you look at it, today’s cost is $150 billion per year minimum. Think we can use that to better our lives here in the US? Especially now. I do!

When he keeps aloof and tries to provoke a battle, he is anxious for the other side to advance.
- Sun Tzu, The Art of War, chapter 9 paragraph 19

This is where President Bush used the mask of WMD to advance on Iraq. Many Chinese scholars have read this to mean that the general is anxious to dislodge their adversary from a strong position. Aloof? Why? Because we the American people would not see through the weak arguments, or perhaps the strong position that Iraq holds is buried beneath the desert! I don’t know? Could be!

Resources:

McNeilly, Mark R. (2001), Sun Tzu and the Art of Modern Warfare, Oxford University Press, ISBN 0195133404.

The date April 8, 2009 is one that should have never come. It has been reported that ‘cyberspies’ have gained access to the US power grid and could take control at any time. Seems to me that this could have been avoided. Why? Because the United States has known this could happen since as early as June 1997! During the second week of June, the NSA (National Security Agency) sponsored a cyber-warfare exercise called Operation: Eligible Receiver. The objective of the exercise was for the NSA “RED Team” to take control of the computer systems of the US Pacific Command. The NSA was successful at compromising their ‘primary’ objective and additionally was able to compromise various systems controlling the US power grid. Lastly, they were able to compromise the systems controlling the 911 emergency call network. The scary thing about Operation: Eligible Receiver was that the vectors of attack were not overly complicated. The attackers were able to use the following:

• DOS (Denial of Services) attacks
• Email spoofing
• Brute-force/dictionary password cracks
• Mis-configured services
• Social engineering attacks

The lessons learned from the exercise showed serious problems with defending critical information systems and infrastructures, on which the DoD (and the nation) depend (Janczewski, et al., 2008). If that were not enough to draw some attention to the serious nature of the problem, in February of 1998, computers within the Navy, Marine Corps, and Air Force came under real attack. Solar Sunrise (as the attack came to be known) exploited a well-known vulnerability in the Solaris operating system and was believed to have originated from the Middle East.

As part of the Wall Street Journal’s online presence, polls are taken of readers for reader reactions to major articles. The poll for April 8th was, “How worried are you that a cyber attack could damage U.S. infrastructure?”

[Image: Wall Street Journal reader poll results]
Source: Wall Street Journal Online.

Incredibly, 940 votes were cast indicating that the voters were not very worried about an attack against our electric infrastructure here in the US. How can you not be! The sad thing is that the companies that maintain these systems were not the ones that discovered the compromise! The discovery was made by U.S. intelligence agencies. NERC (the North American Electric Reliability Corporation) is an international, independent, self-regulatory, not-for-profit organization whose mission is to ensure the reliability of the bulk power system in North America (nerc.com, 2009). Part of the organization’s role in fulfilling its mission is the publication of compliance standards to help minimize the risk of cyber-attacks. NERC Standard CIP–002–1 deals with the identification of critical assets within the bulk Electrical Delivery Systems. Just yesterday, Michael Assante, Vice President and Chief Security Officer for NERC, released a memo urging members to take a “fresh comprehensive look” at the evaluation of their Critical Assets. The memo was prompted in part by the results of a recent survey that suggests that certain qualifying assets may not have been identified as “Critical” (Assante, 2009). It seems as though many suppliers are not identifying critical components in the delivery system, leaving them exposed to these types of cyber-attacks.

SO why are we dealing with this today? …Because these systems are not government resources. These systems are private networks. Congress approved $17 billion in funding to protect government networks. The bill did not disclose which systems/networks would benefit from the funding however a senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage (Gorman, 2009).

Now some may say this is the stuff of science fiction but let’s take a look:

Worcester Airport, Massachusetts, 1997 – A hacker was able to gain access to the communication system there, disabling the radio transmitter that activated the runway approach lights.

Arizona, 1998 – A 12 year-old gains access to the SCADA systems controlling Roosevelt Dam (though this has been disputed).

Queensland Australia, 2000 – Vitek Boden hacks into the Maroochy Shire Wastewater System and releases raw sewage into the parks, rivers and grounds surrounding the Hyatt Regency hotel.

Titan Rain, Nov. 14, 2004 – Chinese hackers compromised computers at U.S. Army Information Systems Engineering Command in Fort Huachuca, Ariz., the Defense Information Systems Agency in Arlington, Va. and the U.S. Army Space and Strategic Defense installation in Huntsville, Ala (zdnet.com, 2005).

Estonia, 2007 – A distributed denial of service attack was launched against the websites of the Estonian parliament and the national bank.

San Francisco, California, 2008 – Terry Childs is accused of tampering with the city’s email system and locking network administrators out of the city’s FiberWAN network. Childs gained access to the root password on the city’s routers and could effectively turn off the city’s network.

This is not the first time a power grid has been the object of a hacker’s attack. CIA analyst Tom Donahue told utility engineers at a conference last year that in other countries, hackers had broken into electric utilities and demanded payments before disrupting power – in one case turning off the lights in multiple cities (ap.org, 2009). In the case of the recent discovery the SCADA (Supervisory Control And Data Acquisition) systems were said to be compromised. SCADA is a standardized and open solution that is used in the operations of many industrial control systems. Systems that use SCADA processes include:

• Electrical distribution facilities
• Drinking water distribution centers
• Sewer treatment plants
• Oil and gas pipelines systems
• Nuclear power plants
• Airports

Protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cyber-security review, which is to be completed next week. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more (Gorman, 2009).

OK we’ve lived through blackouts before… the government will fix this BUT… The point is the government has known about this for years and yet it happened. The Cybersecurity Act of 2009 gives the President of the United States the authority to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network (section 18, paragraph 2). Now, the United States Government controls vast amounts of the Internet… definitely critical infrastructure! BUT… where does that end? For certain any of the above-mentioned SCADA systems, but how about systems in hospitals? Or how about financial systems? A little over-reaching? Perhaps! BUT maybe we should look at fixing the systems, not pulling the plug!

BTW, the systems that were compromised are said to have been ‘purged’ of all installed malware.

Resources:

Assante, M., (2009, April 7), Critical Cyber Asset Identification, Retrieved on April 8th, 2009 from http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf

Espiner, T., (Nov 23, 2005), Security experts lift lid on Chinese hack attacks, Retrieved on April 8th, 2009 from http://news.zdnet.com/2100-1009_22-145763.html

Gorman, S., (2009, April 8), Electricity Grid in U.S. Penetrated By Spies, Retrieved on April 8th, 2009 from http://online.wsj.com/article/SB123914805204099085.html

Janczewski, L., & Colarik, A., (2008), Cyber Warfare and Cyber Terrorism, IGI Global, Hershey PA

Robertson, J., & Sullivan, E., (2009, April 8), Spies compromised US electric grid, Retrieved on April 8th, 2009 from http://hosted.ap.org/dynamic/stories/T/TEC_ELECTRIC_GRID_HACKING?SITE=AZPHG&SECTION=HOME&TEMPLATE=DEFAULT

Unknown, (2009), North American Electric Reliability Corporation, Retrieved on April 8th, 2009 from http://www.nerc.com/page.php?cid=1|7|10

Various, (2009, April 9), (POLL) How worried are you that a cyber attack could damage U.S. infrastructure?, Retrieved on April 9th, 2009 from http://forums.wsj.com/viewtopic.php?t=5653