Monthly Archives: May 2008

[MacOS] Switcher’s Hints 1001: Unpack .mpkg and .pkg

2 Replies

There is nothing special about unpacking an .mpkg or .pkg installer – in terminal mode you see they are just directories. Just right click on them and select “show archive contents”…

Later on 7-zip will help you with unpacking the contained archives inside of those .mpkg and .pkg files…

If that helped you well, consider clicking our sponsor (non offensive Google Adsense) to help maintaining this project free for all of you…

Sponsor:

[Linux] Severe SSH security issues in Debian

3 Replies

I. Abstract

It has been found by Luciano Bello that the Debian OpenSSL package has a severe security bug since 2006. By removing some lines of code from the md_rand.c source code that originally caused the memory check tool Valgrind to alert (see original Debian discussion here) the box of pandorra has been opened and the flaw been introduced.

By removing that specific part of the OpenSSL code, effectively the random seed function has been crippled, and eventually the only random value remaining was the current process ID. Since on linux only a maximum no of 32,768 process IDs exist, the worth of this pseudo random number generator (PRNG) is heavily limited.

Update: a set of instructions has been added under IV. How to fix/repair your server (click here).This shows the steps to a secure server with new SSH server side keys.

Update II: a new fix has been released as of May, 16th (4.3p2-9etch2). You should therefore apply step IV. again to upgrade your SSH package to the recent version.

II. Impact

As a summary based on infos from metasploit.com.

  • Debian based distributions are affected aswell (i.e. Ubuntu, Kubuntu, Xubuntu, Edubuntu, Gobuntu etc. pp)
  • SSL and SSH keys generated between 09/2006 and 05/2008 are vulerable to brute force attacks
  • SSL certificates need recreation and signed again by Certificate Authority
  • Certificate Authority keys need to be regenerated and revoked.
  • SSH public key authentication on other distributions than Debian may be affected aswell when keys have been generated on Debian systems
  • SSH servers using host keys generated on Debian are vulnerably to man-in-the-middle attacks

III. Testing for weakness and vulerability

Debian released a program for testing the vulnerability of keys. Download it here (see OpenPGP signature). You may do the following. Log into your server as root and do:

  • server$ wget -c http://security.debian.org/project/extra/dowkd/dowkd.pl.gz
  • server$ gunzip dowk.pl.gz
  • server$ chmod 700 dowk.pl
  • server$ ./dowkd.pl host 127.0.0.1
    (checks your local SSH host keys)
  • server$ ./dowkd.pl user
    (checks all users available on your system)

Vulnerabilities will be reported. Nonetheless we recommend to apply step IV. How to fix/repair your server (click here).

Before reading on: if this article helps you, please click our non-offensive sponsor (Google-Adsense) and help us maintaining this project free. Thanks…


IV. How to fix/repair your server

Log into your server as root and perform the following steps:

  • server$ apt-get update
  • server$ apt-get upgrade
  • server$ apt-get dist-upgrade

The OpenSSH and OpenSSL packages will be updated then. You will be asked a couple of questions concerning your server configuration. It should be fairly self explaining.

The server side SSH keys (known_host keys on your local machine) will be regenerated. If you still don’t trust your server, you can check your new host keys for vulnerability by entering this:

  • server$ ssh-vulnkey
    (the response should be Not blacklisted)
  • server$ ./dowkd.pl user
    (if this reports weak keys read on)

Login as user whose keys have been recognized as weak and do the following:

  • server$ ssh-keygen -t dsa -b 1024
    (provide passphrase!)

You should be done now.

V. Tools

H.D. Moore of metasploit.com already prepared Debian toys and rainbow tables (pre-generated keys) for all possible 32,768 PIDs with up to 4096 bits in keysize that may be used for testing the brute force vulnerability of your systems.

VI. Links:

» debian.org: Security Advisory DSA-1571-1 openssl
» debian.org: Security Advisory DSA-1576-1 openssh
» debian.org: Vulnerability test tool… (OpenPGP signature)…
» metasploit.com: OpenSSL Rainbow Tables

[Linux] Upload and Download via SSH terminal

3 Replies

I. Abstract

Sometimes we experience the situation we need to upload or download something and there is no ftp installed yet. The following article provides information about uploading (push’ing) or downloading (pull’ing) via SSH using the terminal only.

II. Push commands (Upload to server)

  • client$ ssh remote_address cat <localfile ">" remote_file
  • client$ ssh remote_address cat <localfile - ">" remote_file
  • client$ ssh remote_address cat <local_file "|" dd of=remote_file
  • client$ ssh remote_address cat - <local_file "|" dd of=remote_file
  • client$ cat local_file | ssh remote_address cat ">" remote_file
  • client$ cat local_file | ssh remote_address cat - ">" remote_file
  • client$ dd if=local_file | ssh remote_address dd of=remote_file

III. Pull commands (Download from server)

  • client$ ssh remote_address cat remote_file > local_file
  • client$ ssh remote_address cat "<" remote_file >local_file
  • client$ ssh remote_address dd if=remote_file | dd of=local_file

If that helped you well, consider clicking our sponsor (non offensive Google Adsense) to help maintaining this project free for all of you…

IV. Final words
We hope we could be of service and those commands helped you a bit. In case you found what you were looking for, you may consider our sponsors. They really got the coolest offers and allow us to run this site. Thanks.

[Linux] Securing a Debian server by Enabling passwordless Login

1 Reply

I. Abstract

All of us know, there are lots of bad guys out there just trying to brute force our ssh ports. The following article provides information about the first steps to be performed when setting up a new webserver running Debian Etch.

For security reasons we recommend applying these how to’s before proceeding

  • Mandatory: How to secure your Debian server by updating the buggy openSSH Debian package (read tutorial here)
  • Optional: How to secure your Debian server by changing the SSH port number (read tutorial here)

The following howto will show you how to enable SSH login without a server based password (passwordless login) and how to disable password login in general on your server.

II. Generate SSH public- private-key pair

  • Generate keypair on your Linux client machine (works on Cygwin and Mac OS X as well!)
    client$ mkdir ~/.ssh
    client$ chmod 700 ~/.ssh
    client$ cd .ssh
    client$ ssh-keygen -q -f id_rsa -t rsa
  • You will be asked to provide a passphrase to encrypt your private key. Although you might leave this empty, we strongly recommend to provide it – for you own safety
  • In the folder called .ssh you will then find those two files:
    id_rsa > contains private-key (encrypted with your passphrase)
    id_rsa.pub > contains public-key (to be put on your Etch Webserver)

III. Upload public-key to server

  • In detail: the output of id_rsa.pub (which in fact is a textfile) is pushed via ssh on your root’s homefolder and being saved there as id_rsa.remote:
    client$ cat id_rsa.pub | ssh root@yourdomain.net cat “>“ id_rsa.remote

IV. Activate public- private-key authentication

  • log in to your server
    client$ ssh root@yourdomain.net (provide your password)
  • you may install nano (if you like vim, stay with vim), imho nano is faster for simpler tasks, but vim is much more powerful, so having both is no loss ;-)
    server$ apt-get install nano
  • Edit SSH configuration to allow public-key login
    server$ nano /etc/ssh/sshd_config
  • Allow AuthorizedKeysFile only (still in sshd_config)
    AuthorizedKeysFile %h/.ssh/authorized_keys
  • Disallow Password driven login (still in sshd_config)
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
  • Save and exit (in nano: ctrl + x)
  • restart ssh deamon
    server$ /etc/init.d/ssh restart
  • Go back to your root’s home folder
    server$ cd
  • Makedir .ssh
    server$ mkdir .ssh
  • Copy uploaded id_rsa.remote to .ssh folder
    server$ cp id_rsa.remote .ssh/authorized_keys

V. Test your configuration

  • Don’t log out of your server, instead open a second terminal on your client machine to test your new configuration:
    client2$ ssh root@yourdomain.net
    (provide the passphrase for your private-key)
  • If everything works well, congratulations you’re done, consider clicking our sponsor (non offensive Google Adsense) to help maintaining this project free for all of you…

VI. Kindly Sponsored by


VII. Further steps

If you didn’t already do it. For further improving your server’s security you probably want to change ssh port address from 22 to anything else? Read here, how to do that…

[iPhone] iPhone to be available worldwide soon

Leave a reply

Golem.de reports, Apple got more partners to sell the iPhone:

  • Singapore Telecommunications (SingTel) and StarHub for Singapore
  • Bharti Airtel for India (besides Vodafone)
  • Globe Telecom for Philippines
  • Optus for Australia (besides Vodafone)

» Golem.de: iPhone geht nach Indien, Australien und auf die Philippinen (german)

And yes as always: if this little article helped you, do me the favor and support me by visiting our sponsor. Thanks in advance…
Sponsor:

[iPhone] iPhone stocks cleared in UK, Germany and USA

Leave a reply

Apple confirms, that the first generation of iPhones are almost out of stock in these three markets. iPhones currently cannot be ordered only. Although it is still rumors, many people expect the iPhone 3G (UMTS) to be launched shortly after the WWDC08 (June 09-13 in San Francisco, Moscone West).

» Apple Worldwide Developers Conference (WWDC08)

[internal] 4 sale: Sunbeamtech Silent Twister Gehäuse mit Noiseblocker EvolutionEQ gedämmt

2 Replies

Checkt mal diese Auktion für einen Miditower der Sonderklasse. Wer keine Lust auf eBay hat (was ich gut verstehen kann), kann mir gerne ein Angebot per Mail (info@metaparadigma.de) machen. Ich hänge nicht an der Auktion und bin gerne bereit, auch ohne eBay zu verkaufen.

Abholung ist möglich. Das Gehäuse ist ohnehin sehr leise und gut strukturiert (schraubenloser Einbau der Laufwerke und der Erweiterungskarten, recht optimale Luftzirkulation), aber es ist von mir professionell noch mit den besten Dämmmaten von Noiseblocker ausgestattet worden.

Es ist definitiv ein Prachstück. Nur leider kann ich mir mit Computern mittlerweile die Wohnung tapezieren und meine Frau findet die vielen Apparate langsam nicht mehr so lustig :-(

» eBay: Sunbeamtech Silent Twister Ultra gesilenced
» Sunbeamtech: Silent Storm (Silent Twister) Gehäuse
» PC Silent: Noiseblocker EvolutionEQ Dämmmaterial

Falls die Auktion mal wieder wegen dämlicher eBay Schäubles gekillt wurde,  hier das PDF mit dem eBay Angebot…

[Stories] Schwarze Liste gestohlener Geräte / Blacklist of stolen devices

Leave a reply

Bei einem Einbruch bei einem guten Freund am Samstag, 10.05.2008 in Berlin-Charlottenburg wurden folgende Geräte gestohlen. Wir wollen Euch daraufhinweisen, dass folgende Geräte als vermisst gemeldet sind und – falls sie Euch angeboten wurden – Ihr Euch bitte ziemlich sofort an die nächste Polizei wenden solltet. Sollten Euch die Geräte auf eBay oder Kijiji über den Weg laufen, bitten ebenfalls sofort an die Polizei wenden.

Zu allem Pech kommt dazu, dass auf dem Dell XPS M1330 sich die Magister Arbeit einer Studentin befindet. Die Arbeit ist unwiderbringlich verloren. Es sei denn die Herren Räuber kopieren die Daten auf eine CD. An welche Anschrift diese CD geschickt werden muss, sollte den Räubern wohl bekannt sein.

Gerätename Seriennummer
Apple Macbook Pro, OS X Leopard 10.5,
320GB Festplatte, 4GB Ram		 W862152RVVW
Dell XPS M1330 Product Red 7XZVD3J
iPod Video 80GB MA450LL/A 8K6378R7V9R
iPod Classic 160GB MB150LL/A 8L7355RDYMX
Dell Latitude D630, 1GB Ram, Windows XP Pro
Playstation 3, 60 GB S01-7575194-0
T-Mobile UMTS Express Card

the above mentioned devices have been stolen in a burglary in Berlin-Charlottenburg. We suspect them to appear on eBay, Kijiji or anywhere else soon. Prolly in countries surrounding Germany. The Laptops have a german keyboard, so prolly the keyboard has been exchanged with a localized one (Poland, Hungary, France, Netherlands etc.pp).

If you suspect an offered device might be one from this list, contact me or better: the local police.

The Dell XPS hold the current bachelor thesis of a youg lady. That’s even the worst of the whole story.

Thanks for your attention

[MultiPlatform] Grand Theft Auto 4 Screensaver for Mac and Windows

Leave a reply

Even Barack Obama just mentioned Grand Theft Auto IV in a speech some days ago. Although he did not really bash it, he reminded the audience that video games nowadays also mint children (even though GTA has gotten M Rating in the U.S.). Nonetheless Rockstargames announced GTA IV topped the $500 million in sales in its first week of release.

And Rockstar Games are moving on, they just released a GTA IV (Grand Theft Auto 4) Screensaver for Apple Mac OS X Leopard and Tiger and for Microsoft Windows Vista, and XP. Although the screensaver just contains still images, it really motivates to play that game. Let’s see how long I will be able to hold it before I will buy it ;-)

» Download Grand Theft Auto Screensaver here (Apple Mac OS X)…
» Download Grand Theft Auto Screensaver here (Microsoft Windows)…
» Grand Theft Auto IV homebase..

And yes as always: if this little article helped you, do me the favor and support me by visiting our sponsor. Thanks in advance…
Sponsor: