Christopher Kunz

I’m currently at eScience 2009 in Oxford. I’ll present my paper on Friday and try to keep loose track of things via my twitter timeline. Follow me if you want, my paper’s abstract is below.

Design and Implementation of a Grid Proxy Auditing Infrastructure

Christopher Kunz, Christian Szongott, Jan Wiebelitz, Christian Grimm
Regional Computing Center for Lower Saxony
Gottfried Wilhelm Leibniz Universitaet
Hannover, Germany
{kunz,szongott,wiebelitz,grimm}@rvs.uni-hannover.de

Abstract

Single sign-on and delegation of rights are key requirements
for modern Grid infrastructures. These requirements
are usually facilitated by X.509 und Private-Key Infrastructures
(PKI) and proxy certificates. Proxy certificates, however,
can be obtained and abused by a malicious third party.
There is currently no method for end users to detect such
abuse.
We have designed a solution that enables a thorough auditing
of Grid proxy usage in Globus-based Grids and
implemented a service that accepts auditing information
via a web service interface and saves them to a back-end
database. We introduce modifications to the Grid Security
Infrastructure that allow sending audit trails from within
Globus components if the user desires to track credential usage.
A web-based front-end shows all logged information.
With our approach, expert users can now closely monitor
how their credentials are used after job submission. This
will help build trust in Grid infrastructures and delegated
authentication and authorization.

I have a little story from an administrator’s life for you today.

Today at around 1pm CEST, our mail cluster started behaving very odd. Although SMTP ports were open, establishing a connection to the initial server greeting took around 30 seconds on each of the 8 nodes.

Long delays normally indicate DNS problems, so I checked if the resolvers were b0rked. Both were working fine and DNS lookups on the command line on each of the mail servers were blazing fast. Ho-humm... stracing the qmail-smtpd processes showed that my assumption was correct - the delays were definitely caused by DNS lookups to our resolverss being slow. Just to be on the safe side and to rule out firewall or routing issues between our networks, I used the OpenDNS resolvers on one node - nothing changed.

My next guess was: Maybe a RBL shut down?! We are only filtering against XBL and the iX blacklist and both were up - I tried anyway. Still, SMTP was slow on every mail server.

We are using qmail with rblsmtpd, so I could quickly disable the rblsmtpd service altogether. Suddenly, the connection speed was up to past standards again. So it had to do with rblsmtpd, but with none of the RBLs it is filtering against. Weird.

I went to the resolvers and checked which queries were actually performed during a smtp connection initiation - and to my astonishment, I saw that queries to resolve 1.2.3.4.rbl.maps.vix.com were used during each connection initiation. I googled a bit and read that the long defunct MAPS RBL was the fallback blacklist that was used by rblsmtpd when no other RBLs were specified in the configuration.
However, I had two blacklists in the config - yet rblsmtpd tried to look up at the MAPS RBL, too.

It seems someone disabled the nameservers for the vix.com zone, so I took the liberty of telling my resolvers to serve it to all clients - empty, of course. Now, everything is back to normal. It cost me about two hours to solve that problem.

I rarely get spam that’s really weird, but this (probably a filter evasion or mal-training attempt) is really... WTF?!

Mon May 04 17:29:27 2009: Request 78291 was acted upon.
Transaction: Ticket created by lamb.helene@google-mailing.com
Queue: [de-punkt]info
Subject: ein kleines blaues Ma:dchen aufgeschnallt.
Owner: Nobody
Requestors: lamb.helene@google-mailing.com
Status: new


Dann darfst du gehn nach der Hallig.
Die Luft geht fremd und rein.
Bernhard Suphan. Neudruck, Hildesheim
dann begann das grosse Massensterben.
Es war einmal ein Mann,
dass er nicht, ihr letzter Hort noch, geht:
verbreitet haben.
eines deutschen Sa:ngers
Der wackre Schwabe forcht’ sich nit,
Und seine Glocken klangen


I regularly receive comments to this and other blogs that are made to look legitimate, mostly by giving some very obvioius comment about how interesting the entry is or whatever. All of these comments contain URLs that lead to seemingly random unrelated web pages.

I regard these comments as spam!
If you want to buy links on my blog, you can’t. You will most definitely not get any backlinks by making senseless comments, either. The only way to receive reliable, permanent backlinks from this site is contributing something that is interesting for me - either by pingback or trackback or by making a comment that actually makes sense. Or by being my friend.

So, please stay off my blog’s comment page unless you genuinely have something to contribute.

(EDIT:) And for those who are not smart enough to read HTML source - all comment links are rel=“nofollow”.

While doing some research for my upcoming PhD project, I went through some of the articles on Paul Graham’s web site. He is the person who first suggested using bayesian networks for spam detection and thus is responsible for one of the major breakthroughs in spam fighting - one that we still use with much success today.

For “fighting back” at spam, he also suggested “Filters that Fight Back”, i.e. filters that automatically retrieve spamvertised URLs in order to increase resource consumption on spammers’ infrastructures. Even from its original 2003 perspective, this approach seems a bit flawed to me since I can’t imagine a way to avoid “joe jobs” hitting innocent targets and other collateral. Essentially, what he is proposing is dDoS, with all the fallout. For instance, spammers regularly use (and did use in the past) sites like blogspot.com, live.com and hacked forums to advertise their v|4gr4 and consorts. Although from a very orthodox point of view, this abuse makes Microsoft (and whoever owns blogspot) spam hosters, they are essentially as much victims of such behavior as the spam recipients.

However, my actual point is a different one. When Paul wrote the article, spam bot nets like Storm, Kraken et al. didn’t exist in the form that exists today. Nowadays, if your spam filtering host (or your actual MUA) retrieves a spamvertised URL, it does a HTTP GET to an owned client machine whose owneder does not even know about that. Thus, the owner (i.e., the “spam hoster”) becomes your target. By slowing down their network connection, you make him a victim of the spam that his own machine sent.

Now comes the question: Isn’t this still a legitimate approach? Could mass retrieval of botnet-advertised spam web sites still make a difference? In our days of flat-fee internet access, the offender (i.e. the person with the hacked+spamming client machine) does not have monetary losses by massed HTTP requests to their web server. But their upstream ISP will have. Would the additional traffic caused by massively downloading spamvertised web sites be sufficient to make ISPs cry wolf and cut off offending end users? After all, they don’t give a rat’s ass about the outgoing SMTP traffic, and most hardly care about incoming complaints.

Even if dial-up ISPs are not willing to cut off offenders, would the affected end users notice a difference? Would their net connection become so slow that they’d start to investigate? I would imagine that as soon as your machine is a botnet slave, your QoS goes to the dumps anyway, but then I never was one of these slaves so I don’t have any firsthand knowledge.

What do you think? Is this a valid approach? Is it a legitimate one? Is it a feasible one? And: Will it make any difference?

It is not usually my custom to comment negatively or nitpick on other people's articles in magazines, especially not in magazines I have written for. This time however, I really must raise my voice to point out a couple of (well, actually a lot of) issues in an article about SQL injection in the current (October/November) issue of the german "PHP Magazin". I stumbled upon this when Pelle Boese of Mobile SEO fame told me about it.

As a couple of you should still remember, I wrote for that magazine until about one and a half years ago. I stopped writing for a couple of reasons. First and foremost, my shift towards Grid computing, my master's thesis and work took too much time. However, the, let's say, lean editorial process always kinda weirded me out. Mostly, manuscripts were printed as written, with no editorial changes at all. This is very trusting, but sometimes leads to fuck-ups like the one below.

I got a weird mail to one of my more rarely-used, but very old mail addresses that prompted me to reset my password for a site I never heard of (AFAICR). Is this a weird method of phishing (the site looks more or less legitimate) or am I getting old?

Das hier schlug heute morgen in der mailbox webmaster ätt de-punkt.de auf. Die übliche langweilige Headeranalyse sparen wir uns mal, kommt eh’ aus einem Botnet (in diesem Fall aus dem schönen Argentinien... hm, Steak!). Interessant ist eigentlich nur der Inhalt:

To: <xxx@de-punkt.de>
Subject: Achtung, bitte Logindaten und Passwort bereithalten

Subject: ACHTUNG, gemeiner VIRUS. Dringend diese Datei auf Ihrem Webserver
einbinden
===============================

Sehr geehrte Damen und Herren,
im Moment werden Millionen Webserver von Viren befallen.
Bitte binden Sie unbedingt den Anhang zum Schutz auf Ihrer Webseite
in folgendes Verzeichnis ein:
www.de-punkt.de/robots.txt
Die Robots-Datei erstellen Sie mir Ihrem Editor:
__________________________________________
User-agent: *
Disallow: /
____________________________________________
Diese speichern Sie als robots.txt und binden Sie in Ihrem Hauptverzeichnis
ein.


Nur so ist sicher, dass kein Schaden entsteht indem Sie dem Virus
verbieten, Ihre Webseite zu besuchen.
Bitte beeilen Sie sich, da an diesem Wochenende mit einem erheblichen
Angriff zu rechnen ist.

Noch Fragen?

Internet-Security-Team
Meisenweg 11

47441 Moers

0900-8XXXXX2

Offenbar möchte da jemand, daß de-punkt.de seinen PR6 abgibt, indem wir einfach allen Bots den Zutritt zu unserer Website verwehren - denn nichts anderes steht in der “angehängten” robots.txt. Interessanter Ansatz des Social Engineering, stellen sich eigentlich nur zwei Fragen:

1. Wer fällt bitte auf so etwas rein?

2. Wer hat diese Mail noch bekommen?

Zu 2: Offenbar so einige, es gibt bereits diverse Blog- und Newseinträge, wenn man “Internet Security Team Moers” googled, so etwa hier, hier und hier.

Die Zeiten der mit dem Handlexikon Mandarin-Deutsch übersetzten Bedienungsanleitungen (Videorekorder, Hardware etc.) sind zum Glück vorbei, denn wir haben ja jetzt Babelfish! Naja, jetzt... so etwa seit 1997. Der gemeine Nigeriaspammer gießt daraus dann lustige Mails wie diese:

---

---

Allen Lesern wünsche ich noch einen ergänzten des Tages.

For a couple of months, I have been receiving mail abuse reports via the AOL feedback loop that I cannot comprehend. They look like this (only relevant headers):

Return-Path: 

Received: from rly-me06.mx.aol.com (rly-me06.mail.aol.com [172.20.83.40])

by air-me10.mail.aol.com (v119.9) with ESMTP id 

MAILINME102-9be46e123c31c7; Fri, 07 Sep 2007 06:11:28 -0400

Received: from www-3.de-punkt.de (142.128-254.74.4.62.in-addr.arpa [62.4.74.142])

by rly-me06.mx.aol.com (v119.9) with ESMTP id MAILRELAYINME062-9be46e123c31c7;

Fri, 07 Sep 2007 06:11:16 -0400

Received: (qmail 19457 invoked by uid 17658); Sat, 08 Sep 2007 16:06:15 +0200 (CEST)

Message-Id: <20070908160615.19457.qmail@servergf.www-3.de-punkt.de>

X-AOL-IP: 62.4.74.142

X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo : 

X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from : 

I have checked the host in question (it is one of our hosting servers) for the most obvious stuff like rootkits, weird PHP backdoors and processes that do not belong there - all to no avail. As the abuse reports did not cease (like they sometimes do) automatically, I have taken some more measures to ensure no mails leave the system without me noticing:

1. The postfix server on the machine only delivers mail via a smarthost that is separately monitored.
2. PHP is advised to only relay mail via postfix (sendmail wrapper).
3. All outgoing SMTP connections that do not go to the predefined smarthost are being logged and dropped:

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

LOG        tcp  --  anywhere            !mail-3.de-punkt.de  

	state NEW tcp dpt:smtp LOG level warning 

DROP       tcp  --  anywhere            !mail-3.de-punkt.de  

	state NEW tcp dpt:smtp 

LOG        tcp  --  anywhere             anywhere            

	state NEW tcp dpt:submission LOG level warning 

I cannot see any log entries, however there are still abuse reports (also for rather recently sent mails).
Anyone got an idea where to look? I am not sure if there’s a way to actually forge the headers since the Received-Path looks pretty authentic.

Oh joy... I just received a spam mail with a PDF attachment. And guess what it contained? Yeah, penny stock advertising made up like a professional corporate flyer. The botnet owners seem to start the next wave in their fight against spam filters. Headers look like this:

X-Spam-Status: No, hits=0.5 required=5.0 

tests=BAYES_50,HTML_40_50, HTML_MESSAGE autolearn=ham version=3.1.7

Bruce Schneier schreibt in seinem Blog über eine Sicherheitslücke in Bluetooth, die nicht in der Theorie, sondern ganz praktisch in kürzester Zeit exploited werden kann und die Bluetooth-PIN (die zum Pairing zweier Geräte notwendig ist) innerhalb von wenigen Sekunden herausbekommen kann.

Er beruft sich auf ein Paper von den Israelis Shaked und Wool, das unlängst veröffentlicht wurde.

Ein netter Herr auf einer Mailingliste hat in seinen Mailformularen mit Botspam zu kämpfen und möchte das unterbinden. Da man ja allerorten diese lustigen Bildchen mit den verdrehten Buchstaben sieht, dachte er sich “mache ich sowas auch mal”.

Allerdings steht nicht unbedingt zu vermuten, daß er mit der von ihm getroffenen Maßnahme das Spamaufkommen drastisch reduzieren wird.

So, da Spam Assassin scheinbar nicht willens ist, alle Nigeria-Scams wegzufiltern, dachte ich mir, ich mache was Unterhaltsames daraus. Spambaiting gibt’s schon (z.B. bei 419eater.com), also werde ich in diesem Posting alle mir angebotenen Beträge aufsummieren und mal sehen, was das in einem Monat ergibt.

Im extended Entry stehen die Daten mit der mir angebotenen Summe, also der genaue prozentuale Anteil. Die aufgeführten Mails sind teilweise als Spam markiert, teilweise als False Negative “durchgekommen” und von mir aus dem Junkfolder gefischt worden. Ich vermute, wenn ich keinen Spamfilter hätte, wäre das Monatsergebnis problemlos an einem Tag zu erreichen...

Sehr geehrte Damen und Herren :

Kaufen Sie guenstige Naturstein ein ? Einen großen flachen, zwei mit Spitzen und ein Päckchen Kiesel.
Sind Sie zufrieden mit Ihre Lieferanten ? Fühlen Sie die Qualität, das ist Handarbeit!
Oder moechten Sie eine neue Geschaeftpartner finden ? Komm Brian, sonst haben sie ihn gesteinigt, bevor wir da sind.
Haben Sie diese drei Fragen auch ueberlegt ,dass es in China realiseren ? Mutter, findest Du, ich habe eine große Nase?