More Interesting Titbits From the Google of Information Security

Sourced from cryptome, with the input data filtered for things related to Malaysia and Kuala Lumpur. This information could be a gift for Malaysia's 50th Golden Anniversary of Independence... which looks bleak with all those superficial lights and sounds. Happy Merdeka Day!

A sends, 30 August 2007:
Please note the following, current as of 2105hrs GMT 30Aug2007:
TIME Telecommunications Sdn Bhd [NSA-affiliated IP range] Kuala Lumpur MY 211.24.0.0 - 211.25.255.255 ns2.time.net.my [203.121.16.120] ns1.time.net.my [203.121.16.85]
JARING Communications Sdn Bhd [NSA-affiliated IP range] Kuala Lumpur MY 202.190.0.0 - 202.190.255.255 ns6.jaring.my [192.228.128.16] ns5.jaring.my [61.6.38.139]
Looks like Maxis is still clean. And DiGi is not on the list... yet.
Some popular companies also on the list:
Google [NSA-affiliated IP ranges] Mountain View CA US 64.233.160.0 - 64.233.191.255 66.102.0.0 - 66.102.15.255 66.249.64.0 - 66.249.95.255 72.14.192.0 - 72.14.255.255 209.85.128.0 - 209.85.255.255 216.239.32.0 - 216.239.63.255 ns3.google.com [216.239.36.10] ns4.google.com [216.239.38.10] ns1.google.com [216.239.32.10] ns2.google.com [216.239.34.10]
Yahoo [NSA-affiliated IP ranges] Sunnyvale CA US 69.147.64.0 - 69.147.127.255 216.155.192.0 - 216.155.207.255 ns4.yahoo.com [68.142.196.63] ns2.yahoo.com [68.142.255.16] ns5.yahoo.com [216.109.116.17] ns1.yahoo.com [66.218.71.63] ns3.yahoo.com [217.12.4.104]
AltaVista Company [NSA-affiliated IP range] Sunnyvale CA US 216.39.48.0 - 216.39.63.255 ns4.yahoo.com [68.142.196.63] ns2.yahoo.com [68.142.255.16] ns5.yahoo.com [216.109.116.17] ns1.yahoo.com [66.218.71.63] ns3.yahoo.com [217.12.4.104]
Amazon.com, Inc. [NSA-affiliated IP range] Seattle WA US 72.44.32.0 - 72.44.63.255 pdns3.ultradns.org [199.7.68.1] pdns1.ultradns.net [204.74.108.1] pdns2.ultradns.net [204.74.109.1]
Among many others listed. Source here.
Labels: more NSA affiliated IP from cryptome
posted by zarxcky @ 8/31/2007 12:45:00 AM
Interesting Titbits from the Google of Information Security
Sourced from cryptome and filtered for things related to Malaysia & K.L.
Update! (17th August 07, 12:21 pm)
Latest updated NSA-affiliated resources listed below, as of 16Aug07 at 1600hrs GMT.
Many new NSA-controlled/affiliated IP ranges are listed under previously disclosed IP block assignees.
TMNET [NSA-affiliated IP ranges] Kuala Lumpur MY 124.82.0.0 - 124.82.255.255 219.95.128.0 - 219.95.255.255 ns2.tm.net.my [202.188.1.8] ns3.tm.net.my [202.188.0.184] ns1.tm.net.my [202.188.0.183]
Source here.
Latest updated NSA-affiliated resources listed below, as of 10Aug07 at 1630hrs GMT.
Many new NSA-controlled/affiliated IP ranges are listed under previously disclosed IP block assignees.
Telekom Malaysia Berhad [NSA-affiliated IP ranges] Kuala Lumpur MY 60.48.0.0 - 60.54.255.255 218.111.0.0 - 218.111.255.255 ns2.tm.net.my [202.188.1.8] ns3.tm.net.my [202.188.0.184] ns1.tm.net.my [202.188.0.183]
Source here.
311 Names on the Three Lists of MI6 Officers (including 35 duplicates above), filtered to only those who were posted to Malaysia, with their years of service included.

Cortland Lucas Fransella: dob 1948; 73 Hong Kong, 80 Kuala Lumpur, 82 Santiago, 91 Rome, 95 London.*
Nigel Norman Inkster: dob 1952; 76 Kuala Lumpur, 79 Bangkok, 83 Peking, 85 Buenos Aires, 92 Athens, 94 Hong Kong, 98 London.
Anthony John Godwin Insall: dob 1949; 75 Lagos, 82 Hong Kong, 85 Peking, 92 Kuala Lumpur, 99 Oslo, 04 London.
John Jenkins: dob 1955; 83 Abu Dhabi, 89 Kuala Lumpur, 95 Kuwait, 99 Rangoon, 03 Jerusalem (CG).*
Richard Peter Moore: dob 1963; 90 Ankara, 91 Istanbul, 95 Islamabad, 01 Kuala Lumpur (Cllr).*
Note: Perhaps this is the one and only Richard Peter Moore playing golf at the Royal Selangor Golf Club, holding membership number #M9021-0. Among those involved with the A/B/C Medal - 7th February 2004 Strokeplay Net is Tunku Naquiyuddin Ibni Tuanku Ja'afar.
Colin Andrew Munro: dob 1946; 71 Bonn, 73 Kuala Lumpur, 81 Bucharest, 87 East Berlin, 90 Frankfurt, 97 Zagreb, 01 Mostar, 03 Vienna (OSCE, Head of UK Delegation).*
Note: A picture and profile of Colin Andrew Munro can be seen in the Yahoo cache. Somehow the British Embassy in Vienna has deleted his entry from their website.
Simon Graham Page: dob 1961; 83 Kuala Lumpur, 88 Dublin, 92 New Delhi, 98 Riyadh, 01 London. (* 1 Sec, Bahrain, 05)
Patrick Gilmer Topping: dob 1959; 90 Kuala Lumpur, 94 Washington, 05 Canberra (Cllr).*
Kenneth Mark Williams: 76 Kuala Lumpur, 79 Bridgetown, 88 Harare, 94 Delhi; dob 1944.
Peter Gilruth Wood: dob 1953; 84 Taiwan, 86 Peking, 95 Kuala Lumpur, 02 Peking (Cllr).*
Source here.
Labels: MI6 agents in Malaysia Telekom NSA affiliate IP information security
posted by zarxcky @ 8/15/2007 03:25:00 PM
DNS Rebinding Exploit And How I Fix The JavaScript Vulnerabilities
image source: http://www.neatorama.com/2005/10/22/the-cuban-computer/

Reading about DNS rebinding attacks on Slashdot made my curiosity arise, and those grey cells urged me to find out more, since several web and mail servers under my own supervision are working fine now and I of course don't want anything bad to happen to my babies in the future. Query dancing on ChaCha reveals lots of info on how DNS rebinding attacks work, which can be seen here and here... and here too. People can download the white paper describing the attack in detail. But the easiest explanation can be found at Christian Matthias' blog. Basically, this attack works around DNS pinning (the "anti-DNS pinning" attack) to steal information. In short, "When someone requests a Web site such as www.example.com, the browser needs to perform a DNS lookup on that domain to get the associated numerical address (IP) of the server that hosts the Web site in question. In the next step, the browser sends a query to that IP that moreover contains the domain, a specific Web page and other variables to be able to ultimately retrieve the requested data." More information and examples can be found at Mr Matthias' blog.

Although the concept looks simple, the attacker will have a hard time implementing it. As said by Mike Malone, "Though the concept is fairly simple, we agreed that it would be difficult to perform this sort of attack in practice. An attacker would need to have intimate knowledge of the victim's internal network, or rely on Flash or other web technologies to perform a network scan. Moreover, an attack would end as soon as the victim closed their web browser". In short, get secure or your preferred unsecured browser will betray you silently.

Enough with devouring explanations; curiosity then moved me on to this site here at jumperz.com to check whether I can run the exploit on my servers, and also on this host, using the said exploit.
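To make the rebinding step concrete from the defender's side, here is an added example (not code from the original post, from LocalRodeo or from jumperz.net) of the resolver-side check that LocalRodeo/dnswall-style tools apply: an answer that maps a public name to a loopback or private address is dropped, while names under a trusted internal suffix may still resolve internally. The names, addresses and the .lan/.local suffixes are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Ranges a name from the public Internet should never resolve to in a browser:
# loopback, RFC 1918, link-local, "this network", and their IPv6 counterparts.
FORBIDDEN = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

@dataclass
class Answer:
    name: str      # queried host name
    address: str   # A/AAAA record returned
    ttl: int       # rebinding answers typically carry a very low TTL

def is_internal(address: str) -> bool:
    """True if the address lies in any forbidden (non-public) range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in FORBIDDEN)   # v4/v6 mismatch is simply False

def filter_answers(answers, internal_suffixes=(".local", ".lan")):
    """Split answers into (accepted, rejected).

    A public name resolving to an internal address is the rebinding signature
    and is rejected; names under a trusted internal zone are left alone."""
    accepted, rejected = [], []
    for a in answers:
        trusted_zone = a.name.rstrip(".").endswith(internal_suffixes)
        if is_internal(a.address) and not trusted_zone:
            rejected.append(a)
        else:
            accepted.append(a)
    return accepted, rejected

# Constructed sample: the first answer is the attacker host's real (public,
# documentation-range) address; the next two are the rebinds to the victim's
# loopback and LAN mail server; the rest are legitimate lookups, including a
# two-address round-robin answer, which this check does not disturb.
SAMPLE = [
    Answer("1186491925437.jumperz.net", "203.0.113.10", 0),
    Answer("1186491925437.jumperz.net", "127.0.0.1", 0),
    Answer("1186491925437.jumperz.net", "192.168.24.219", 0),
    Answer("intranet.lan", "192.168.1.5", 300),
    Answer("www.example.com", "198.51.100.7", 3600),
    Answer("www.example.com", "198.51.100.8", 3600),
]

if __name__ == "__main__":
    ok, bad = filter_answers(SAMPLE)
    for a in bad:
        print(f"dropped {a.name} -> {a.address} (ttl {a.ttl})")
```

Because legitimate round-robin answers point at public addresses, this address-based rule is not confused by them; it only catches the rebind to an internal host.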
This site will send data from your private IP to www.jumperz.net to demonstrate how easy it is to steal information using the anti-DNS pinning attack. For the moment, I only target localhost, a web server and a mail server under my own supervision. Entering 127.0.0.1 into the box reveals a failed attempt, as shown below:
http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1
Please wait for 120 seconds. f1() ERROR: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIXMLHttpRequest.send]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1 :: f2 :: line 50" data: no] ERROR: ERROR: 0

(This differs from the result of visiting the DNS rebinding site, which shows the "We have detected that your browser is vulnerable to efficient DNS rebinding attacks" message.) Exploiting the mail server also shows a failed attempt, due to the HTTPS redirection:
http://1286451923437.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.24.219
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href="https://mail.gov.my/"><b>https://mail.gov.my/</b></a></blockquote></p>
</body></html>
And the most interesting result comes from my web server, a successful attempt(?): the demo page came back with the HTML of my client's website (its title, menus and RSS links), fetched via:
http://1184918537.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.35.208
So the question now is, how am I gonna fix it? More from Mike: "Nevertheless, a vulnerability clearly exists, and it could be difficult to resolve. Many web sites rely on round robin DNS configurations for load distribution. Since round robin configurations may legitimately return different IP addresses for the same host name, distinguishing malicious DNS rebinding attacks from round robin configurations will be difficult, if not impossible to do." Does that mean my web server is in deep shit?

Several choices can be found by searching the Vah Vah Vah networks. Disabling JavaScript would be a pain in the ass. The NoScript Firefox extension can help, if not a lot then a little. Another extension that some people recommend is the LocalRodeo extension, which can reduce the chances of some browsers being exploited for the time being, while waiting for other, better finalized solutions. Changing the current DNS nameserver to OpenDNS can help too, but obviously not for this kind of problem. Restricting external access to port 80 by means of a firewall is also a good precaution. But then, as far as I know no one ever surfs the Internet using a browser installed on the targeted web server, which makes the exploit much harder to pull off. Will that make my web server secure? Continue in the next part, cos it's 04:20 a.m. Time to sleep. Need to build a printer and file server (Samba) + some print charging software (GPL of course!) tomorrow, as part of a charity project for an elementary school that I am working on in my free time.

Update! (15th August, 15:19 pm): www.jumperz.net has released an intrusion prevention tool for HTTP/HTTPS. More information can be found here.
You will need JDK 1.4. I don't have time to test it yet, but soon enough maybe.
Labels: DNS Rebinding Exploits How to fix
posted by zarxcky @ 8/07/2007 04:15:00 AM
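The server-side fix the post above is looking for, as an added example that is not the post's code nor jumperz.net's: the rebinding page reaches the web server with the attacker's own name (1184918537.jumperz.net in the test above) in the Host header, so a server that refuses every request whose Host is not one of its own names never hands the site content back, whatever the victim's browser has cached in DNS. Shown here as WSGI middleware; the allowed host names are placeholders, not the author's real site.

```python
# Host-header allow-list as WSGI middleware (added illustration).
# Placeholder names; substitute the names the site is really served under.
ALLOWED_HOSTS = {"www.example.gov.my", "example.gov.my"}

def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this site.

    Lower-cases, strips a trailing dot and a :port suffix; rejects missing,
    empty, IPv6-literal and foreign hosts (a bare IPv4 literal simply fails
    the set lookup)."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):          # "[::1]:8080" style literal, never a site name
        return False
    host = host.split(":", 1)[0].rstrip(".")
    return host in allowed

def host_guard(app, allowed=ALLOWED_HOSTS):
    """Wrap a WSGI app: answer 400 before the real app runs when Host is foreign."""
    def wrapped(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), allowed):
            body = b"Bad Request: unrecognised Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped

def site(environ, start_response):
    """Stand-in for the client site that the rebinding demo fetched."""
    body = b"<html><head><title>My Client Website</title></head></html>\n"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]

def run_request(app, host_header):
    """Drive a WSGI app with a constructed GET / and return (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "SERVER_NAME": "localhost", "SERVER_PORT": "80"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    body = b"".join(app(environ, start_response))
    return captured["status"], body

guarded = host_guard(site)

if __name__ == "__main__":
    for h in ["www.example.gov.my", "1184918537.jumperz.net", None]:
        print(h, "->", run_request(guarded, h)[0])
```

On Apache the same effect comes from making the first (default) VirtualHost one that only returns an error, so requests with an unknown Host never reach the real site's VirtualHost.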
About Me
Name: zarxcky
Home: Malaysia
About Me: I am a crazy person living in this crazy world, where a lot of crazy people (crazier than me) are living as well. Either this crazy world or the crazy people make me a crazy man, or the reverse. Don't believe me? Just look at the pic.