yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


IP address pools of Facebook to block, if you need to

Once upon a time I mentioned that blocking Facebook is easy as they have a uniform IP address pool. Since then they have added more; here are the new and old pools:

NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetHandle: NET-69-63-176-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2007-02-07
Updated: 2010-07-08

NetRange: 66.220.144.0 - 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934
NetName: TFBNET3
NetHandle: NET-66-220-144-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2009-02-13

Grab bag of IPF commands for FreeBSD and Solaris 10

Nothing new here, just a round-up of the commands/configs I happen to need from time to time. Google probably has better references for that. I talk about the pf firewall used in FreeBSD, OpenBSD and Solaris systems.
Enable and disable firewall:

#pfctl -e                 Enable packet filter in real time
#pfctl -ef /etc/pf.conf   Enable packet filter and load rules from /etc/pf.conf
#pfctl -d                 Disable packet filter

Enable/disable permanently to survive reboot
OpenBSD:

/etc/rc.conf.local:
pf=YES
pf_rules=/etc/pf.conf

FreeBSD:

/etc/default/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

Working with rules.

#pfctl -F all               Flush (remove) all the active rules from the running packet filter, which means PERMIT ANY ANY.
#pfctl -n -f /etc/pf.conf   Just parse the rules from the file without actually loading them, to check syntax
#pfctl -f /etc/pf.conf      Load rules from file

Order of rules in the file: options, normalization, queuing, translation, and filtering rules.
Show commands.

#pfctl -s info    Show filter information
#pfctl -s rules   Show the currently loaded filter rules
#pfctl -s state   Show the contents of the state table
#pfctl -s all     Show all of the above

Simplest set of rules – block all the incoming but ssh, allow all the outgoing from the server.

block in all
pass out all keep state
pass in proto tcp from any to any port 22
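As an added example (not from the original post), the shell script below puts the three rules above into a complete pf.conf in the order just described (options, normalization, queuing, translation, filtering), adds a table built from the two Facebook CIDRs listed in the earlier post, and syntax-checks the result with "pfctl -nf" (parse only, no load) when pfctl is present. The "set" options, the scrub line, the table and its file name are my additions; the three filtering rules are the post's.

```shell
#!/bin/sh
# Added example: assemble a small pf.conf in the documented section order,
# with a block table of the Facebook CIDRs, then syntax-check it if pfctl exists.
# File names and the extra options are assumptions, not taken from the post.

# Constructed input: the CIDR lines as they appear in the WHOIS records above.
FB_WHOIS='NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetRange: 66.220.144.0 - 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934'

# Pull the network values out of WHOIS-style "CIDR:" lines, one per output line.
whois_cidrs() {
    printf '%s\n' "$1" | awk '$1 == "CIDR:" { print $2 }'
}

# Emit the full ruleset. $1 = path of the table file holding the CIDRs.
gen_pf_conf() {
    table_file=$1
    cat <<EOF
# options
set skip on lo0
set block-policy drop

# normalization
scrub in all

# (no queuing or translation rules in this minimal set)

# filtering: the post's three rules plus a quick block of the Facebook table
table <facebook> persist file "$table_file"
block in all
block out quick to <facebook>
pass out all keep state
pass in proto tcp from any to any port 22 keep state
EOF
}

# Write the table file and pf.conf into $1, then parse-check without loading.
build_ruleset() {
    dir=$1
    whois_cidrs "$FB_WHOIS" > "$dir/facebook.tbl"
    gen_pf_conf "$dir/facebook.tbl" > "$dir/pf.conf"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$dir/pf.conf"    # -n: check syntax only, rules stay unloaded
    fi
}
```

Once the file parses cleanly, loading it is the post's "pfctl -f" step, and the table can be inspected with "pfctl -t facebook -T show".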

It is just a beginning, to be continued later…

The D-day for CheckPoint UTM-1 Edge Appliances happened today – reboots are reported all over the world

D-day of Edge UTM Edge devices

Photo courtesy of The Voice of Russia http://english.ruvr.ru/

Today we got reports from clients that all their UTM Edge devices rebooted early in the night, at about 03:00 AM Israel time on the 31st of October. While no official press release has been seen so far from Checkpoint, looking at cpug.org posts where people from around the globe report the same, I can assume with a high degree of certainty that this was indeed the case.
While I do hold the opinion that a reboot is always good for the Edge, I didn't think they meant to act upon it.
I can only hope the same doesn't happen one day to the UTM-1 ….

Update 2 Nov: Checkpoint released a SecureKnowledge note (sk56641) about it, where they say yes, it happened, it was caused by a bug, and next time it will happen 13 years from now, when no Edge of this series is supposed to be in use anymore.
Checkpoint note.

The easiest way to disclose Cisco routers on the network and how to fix it

Cisco gear has a well-known behaviour pattern: when you telnet to some random, positively closed port on a Cisco device you get the uniform response "Connection refused". To be more precise, it happens when terminal line management access is enabled on the Cisco but your IP is not in the access-list allowing access to the device. The funny thing is that only Cisco seems to do it, and given that, it makes exposing a Cisco device a no-brainer. I tested it on a few dozen Cisco routers (I don't talk about other equipment from the Golden Gate folks) and it only confirmed this observation. I also tested telnetting to other vendors' equipment and always got back a time out; so far I've tried Juniper, Brocade, IBM, Huawei. To somehow fix this situation Cisco actually has a feature in their Control Plane Protection toolbox just for that. Below is the configuration from an IOS router that causes the router to time out connection attempts to closed ports.

class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS

Testing.
Before the configuration:

# telnet 19.6.24.51 444
Trying 19.6.24.51...
telnet: connect to address 19.6.24.51: Connection refused

After the configuration:

[root@darkstar ~]# telnet 19.6.24.51 444
Trying 19.6.24.51...
telnet: connect to address 19.6.24.51: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

NB Unfortunately it is a half-solution, because if telnet access is enabled on the Cisco then connection attempts to port 23 will elicit the same "Connection refused". To close even this disclosure hole, disable telnet as the management protocol and switch to SSH.
NB2 The good news for the pentesters out there is that few ISPs implement such protections.
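Both fixes the post recommends, the control-plane port-filter and SSH-only management lines, can be verified against a saved running-config rather than by probing the router. The script below is an added example, not the post's own material: it runs over a constructed "show running-config" excerpt (the post's port-filter policy plus a vty block that still allows telnet, i.e. the half-solution case), confirms that a port-filter policy applied under "control-plane host" really matches closed ports and drops them, and flags any vty line whose "transport input" still lists telnet. The hostname and the vty line range are made up.

```shell
#!/bin/sh
# Added example: audit an IOS running-config for the two mitigations in the
# post. Input is a constructed config text, not a real device's configuration.

SAMPLE_CFG='hostname edge-rtr
!
class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
!
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop
!
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS
!
line vty 0 4
 transport input telnet ssh
!
end'

# Return 0 when a port-filter policy is applied under "control-plane host" and
# the class it references matches closed-ports and is dropped. Follows the
# class-map -> policy-map -> service-policy chain instead of just grepping names.
has_closed_port_filter() {
    printf '%s\n' "$1" | awk '
        /^class-map type port-filter/  { in_cm = 1; cm = $NF; next }
        /^policy-map type port-filter/ { in_pm = 1; pm = $NF; next }
        /^control-plane host/          { in_cp = 1; next }
        /^!/ { in_cm = in_pm = in_cp = 0; next }
        in_cm && $1 == "match" && $2 == "closed-ports" { cm_ok[cm] = 1 }
        in_pm && $1 == "class" { cls = $2 }
        in_pm && $1 == "drop" && cm_ok[cls] { pm_ok[pm] = 1 }
        in_cp && $1 == "service-policy" && $2 == "type" && $3 == "port-filter" \
              && $4 == "input" && pm_ok[$5] { applied = 1 }
        END { exit applied ? 0 : 1 }'
}

# Return 0 when every "line vty" block has exactly "transport input ssh";
# a vty block with telnet listed, or with no transport line at all, fails.
vty_ssh_only() {
    printf '%s\n' "$1" | awk '
        /^line vty/ { in_vty = 1; nvty++; next }
        /^(line |!|end)/ { in_vty = 0 }
        in_vty && $1 == "transport" && $2 == "input" {
            if (NF == 3 && $3 == "ssh") ok++; else bad++
        }
        END { exit (nvty > 0 && ok == nvty && bad == 0) ? 0 : 1 }'
}

# Run both checks, print one line per finding, return the number of failures.
audit_config() {
    fails=0
    if has_closed_port_filter "$1"; then
        echo "OK   closed ports are dropped by a control-plane port-filter policy"
    else
        echo "FAIL no port-filter policy drops closed ports (they still answer Connection refused)"
        fails=$((fails + 1))
    fi
    if vty_ssh_only "$1"; then
        echo "OK   vty lines accept ssh only"
    else
        echo "FAIL a vty line still accepts telnet (port 23 still answers)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Usage: audit_config "$(cat saved-running-config.txt)"
```

On the constructed config the first check passes and the second fails, which is exactly the half-solution the NB above describes; changing the vty line to "transport input ssh" makes the audit clean.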

Too much of the Zeus on TV

On the 19th of October Russia's Channel One aired the TV show “Пусть говорят, Однажды в Америке”, dedicated to the Zeus trojan story. You have all seen and heard about the FBI operation that took some 38 people into custody. The talk show, on the most widely available and popular Russian public channel, brought in parents/relatives of the arrested suspects, and the girl who, by her own words, took part in this scam a year before.
The majority of the people in the studio clearly stated that these guys and gals are plain thieves (except their parents, understandably), which is major progress over the years, I should say. The main points summed up:
– Those are low-rank droppers/mules;
– They had no personal direct contact with any of the masterminds of the scam. All their communication went through ICQ/forums/all things Internet;
– For them it was just another way to earn money. Sounds plausible, as there were other youngsters in the same apartment who came through the same student exchange program and still chose NOT to get involved, since they had other income;
– All claim they agreed to do it only because they were in a dire financial situation. Also probably true, even though according to the exchange program they are all provided with work on arrival in the US. The girl in the studio (Anna Savenko [Анна Савенко]) also noted that she agreed to be a scammer after she was fired from her job;
– All of them were recruited by people already in the business and were told the same story: “Many American companies try to lower their taxes by transferring money to people like her”. A lame story for those willing to believe it and feel good about themselves;
– They were encouraged by the absence of even minimal vigilance at the US banks. Anna recalled that she opened the account (with a fake passport) and when she came to the bank to withdraw the money, the clerk asked her where she was expecting money from; she could only say “Don't know”, and was still given the cash;
– Russia as a state pretty much doesn't give a heck about those citizens in jail: pro bono advocates is their way to go (if only they were spies …).
If your Russian is good enough, try searching the Net for “Пусть говорят, Однажды в Америке SATRIP” and you will get the full recording of the show.
Link to the show forum, just in case: forum.1tv.ru

Social networks – your next job search starts and ends there.

A few years ago I read somewhere on the Net that only 65% of open positions were being advertised outside of the companies. Time goes by and things change, and change drastically: today I can assure you that 100% of the good positions are never advertised outside of the companies. I see it happening at my work and hear it from my friends working anywhere else. And the pattern is the same: only the bottom-of-the-corporate-ladder, get-your-foot-in-the-door positions are open to candidates from outside. Any level above that and you get internal corporate classified postings that get duplicated in internal emails sent by HR. Moreover, for the juiciest positions it doesn't even get that far: the manager of the department with the prospective opening for the coveted position will speak directly with his/her preferred candidates and their manager in the company, and after closing the deal HR will take care of the technical details.
In the rare cases where no appropriate candidate is found, word-of-mouth recruiting starts: employees check with their friends/acquaintances/relatives for references. Most of the time the search ends there, as the law of numbers increases the chances as the number of involved people grows. And here comes the part of the social networks, because, ridiculous as it is, the term 'friend' today encompasses all the people you hardly know but who happen to be on your friends list on Myspace.com, Facebook.com, Twitter.com, Odnoklassniki.ru, and the list goes on. So it is enough for some employee to leak the information to one of the 'friends' on Facebook and it spreads to all the friends of her friends' friends. Never mind that she might have approved them just because she does it by default, as a habit of being polite.
So what you need to do for your next job search is hang out a lot on the social cloud, befriend all the employees of the company you have plans on joining, and start waiting (fishing comes to mind). And if you are lucky enough to befriend the HR department people …

Convert m4b to mp3 files in one run with ffmpeg

Folks at Defcon.org have been somewhat inconsistent in publishing their conference audio archives: sometimes they do it in m4b format, sometimes in mp3. As I listen to them on my mobile phone during my commute to work, and it accepts nothing but mp3, I first had to convert all the audio files from m4b to mp3. Not a problem though: the one-liner below finds all files ending in .m4b in the current folder (and below) and converts them to .mp3 files, preserving the base filenames.

find . -iname "*.m4b" -exec sh -c 'ffmpeg -i "$1" -acodec libmp3lame "${1%.*}.mp3"' _ {} \;

© 2016 yurisk.info
