Going along on a phishing trip

Looks like the password phishers are finally starting to learn proper grammar and piece together something kinda convincing. Here’s a breakdown on one that I had reported to me over the UMD holiday break. It’s notable for a few reasons:

  • Timing – it was sent over holiday break when lots of academics will be working, but normal administrative/IT staff is off.
  • ‘Realness’ , from copies of UMD’s actual page to references to actual IT help email addresses and phone numbers it passes the sniff test.
  • Attention to detail – Lots of the domain names, etc are put together in a way that won’t raise an alarm to most folks.

Step 1, The email

Here’s the actual email received from these guys. A few things they got correct:

  • The signature information (sans Access & Delivery Services department) is all real and correct.
  • The name of UMD’s IT helpdesk and the included email is correct.
  • Most of the display part of the URL is correct and UMD does have a CAS sitting at /cas/login with the obvious switching of lib and edu.
From: u595347398@srv59.main-hosting.eu [mailto:u595347398@srv59.main-hosting.eu] On Behalf Of University of Maryland
Sent: Friday, January 1, 2016 9:29 AM
To: xxxxx@umd.edu
Subject: Library Services
 
Dear User,

Your access to your library account is expiring soon, and you will be not eligible for Document Delivery Service. To continue to have access to the library services, you must reactivate your account. For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to the library homepage.


https://umd.edu.lib/cas/login&service=httpsAFFshib.idm.umd.eduFshibboleth-idpFAuthnFRemoteUser&connect.FpublicFpreauthConnect&allow=umd.jsp/
If you are unable to log in, please contact the IT Service Center at itsc@umd.edu for immediate assistance.

Kind Regards,
Access & Delivery Services
University of Maryland Libraries

McKeldin Library, College Park, MD 20742

Phone: 301-405-0800

Step 2, the URL

The underlying URL in this case points to univ-library.ga which in reality is just a 302/redirect to another domain, umd.edu-lib.ml.
$ curl -v ‘http://univ-library.ga/activation/access/link.php?M=11158&N=40&L=11&F=H’
* Hostname was NOT found in DNS cache
* Trying 185.28.21.95…
* Connected to univ-library.ga (185.28.21.95) port 80 (#0)
> GET /activation/access/link.php?M=11158&N=40&L=11&F=H HTTP/1.1
> User-Agent: curl/7.35.0
> Host: univ-library.ga
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Date: Fri, 01 Jan 2016 21:00:50 GMT
* Server Apache is not blacklisted
< Server: Apache
< X-Powered-By: PHP/5.5.26
< Location: http://umd.edu-lib.ml/cas/login&service=httpsAFFshib.idm.umd.eduFshibboleth-idpFAuthnFRemoteUser&connect.FpublicFpreauthConnect&allow=umd.jsp/
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host univ-library.ga left intact
Taking a look at the hostnames involved, it appears both of these come from the same, hostinger.co.uk provider.
$ host univ-library.ga
univ-library.ga has address 185.28.21.95
univ-library.ga mail is handled by 10 mx1.hostinger.co.uk.
$ host umd.edu-lib.ml
umd.edu-lib.ml has address 185.28.21.83
umd.edu-lib.ml mail is handled by 0 mx1.hostinger.co.uk.
It looks like the root, univ-library.ga site is used to generate the emails as well based on what’s publicly available.
Screenshot from 2016-01-01 16:08:01 Screenshot from 2016-01-01 16:07:54

Step 3, The login

The login they created for this account is a pretty convincing copy of UMD’s actual CAS login page. The top/forged one uses graphics from UMD. Looking at the source, the login form has been modified to send the response to save.php.

Forged Login page
Forged Login page
Actual UMD Login page
Actual UMD Login page

If you go to the root domain, edu-lib.ml, there are a half a dozen other universities listed with what I’m assuming are forged copies of their login pages. Entering any username and password into the password field results in a message saying your services have been activated and a link back to UMD’s library main page.

Overall, I’d have to give this one a B+ for the realness factor. Sadly, it probably picked up quite a few accounts given timing, etc.

 

Shotwell Plugins, Part I – Setup

Here’s a quick overview on how to start writing a custom publishing plugin. This is being done on Ubuntu 14.04, so no promises it will function on any other version.

  1. Install valac-0.22, libgphoto2-dev, gnome-doc-utils,libgstreamer-plugins-base1.0-dev, libgee-0.8-dev libsqlite3-dev libraw-dev librest-dev libwebkitgtk-3.0-dev libgexiv2-dev libgudev-1.0-dev libgtk-3-dev libjson-glib-dev
  2. Download the shotwell 0.20.2 sources and not the current version from github. The current version in get uses some new gtk features which are not available in ubuntu 14.04.
  3. Copy the shotwell/samples/simple-plugin from the shotwell git repo to a new directory
  4. Build/install shotwell 0.20
    $ ./configure --install-headers
    $ sudo make -j6 install

     

  5. In your new plugin, run ‘make; make install’ to ensure the basic build works.
  6. Rename simple-plugin.vala to your publishing plugin name (ie, OnedrivePublishing.vala)
  7. Modify the Makefile and set the PROGRAM to your plugin name (ie, OnedrivePublishing)
  8. Running make should compile your new empty plugin.

Now that that’s done we can start creating out publishing plugin.

The plugin sample implements the Spit.Pluggable interface, in order to create a publishing plugin, we’ll need to use that to return our publishing module and create a new class to implement the Spit.Pluggable and Spit.Publishing.Service interface as well. Rename that class and include all the necessary interfaces. We’ll use the ShotwellPublishingCoreServices as a template for how to bootstrap out publishing service.

The basic do-nothing module which compiles w/ one warning (the return null) now contains the following:

extern const string _VERSION;
private class OnedriveModule : Object, Spit.Module {
    private Spit.Pluggable[] pluggables = new Spit.Pluggable[0];

    public OnedriveModule() {
        pluggables += new OnedriveService();
    }
    
    public unowned string get_module_name() {
        return _("OneDrive Publishing Services");
    }
    
    public unowned string get_version() {
        return _VERSION;
    }
    
    public unowned string get_id() {
        return "org.yorba.shotwell.publishing.onedrive";
    }
    
    public unowned Spit.Pluggable[]? get_pluggables() {
        return pluggables;
    }
}
// This is our new publishing class
private class OnedriveService : Object, Spit.Pluggable, Spit.Publishing.Service {
        

    public OnedriveService() {
    }

    public unowned string get_id() {
        return "org.yorba.shotwell.publishing.onedrive";
    }
    
    public Spit.Publishing.Publisher.MediaType get_supported_media() {
        return (Spit.Publishing.Publisher.MediaType.PHOTO |
            Spit.Publishing.Publisher.MediaType.VIDEO);
    }
    public Spit.Publishing.Publisher create_publisher(Spit.Publishing.PluginHost host) {
        //TODO
        return null;
    }

    public void get_info(ref Spit.PluggableInfo info) {
        info.authors = "Mike Smorul";
        info.version = _VERSION;
        info.is_license_wordwrapped = false;
        
    }    
    public unowned string get_pluggable_name() {
        return "OneDrive";
    }

    public int get_pluggable_interface(int min_host_interface, int max_host_interface) {
        return Spit.negotiate_interfaces(min_host_interface, max_host_interface,
            Spit.Publishing.CURRENT_INTERFACE);
    }
    
    public void activation(bool enabled) {
    }
}
// This entry point is required for all SPIT modules.
public Spit.Module? spit_entry_point(Spit.EntryPointParams *params) {
    params->module_spit_interface = Spit.negotiate_interfaces(params->host_min_spit_interface,
        params->host_max_spit_interface, Spit.CURRENT_INTERFACE);

    return (params->module_spit_interface != Spit.UNSUPPORTED_INTERFACE)
        ? new OnedriveModule() : null;
}

private void dummy_main() {
}

You can now compile this by:

$ make clean; make ; make install

This will install your new module into your local modules directory. To make sure it works, open up shotwell, go to Edit -> Preferences -> Plugins and you should see your new plugin listed under the Publishing section with a generic graphic next to it. If you enable the module you’ll notice the following error that will be fixed when we start implementing functionality

 GSettingsEngine.vala:457: GSettingsConfigurationEngine: error: schema 'org.yorba.shotwell.plugins.enable-state' does not define key 'publishing-onedrive'

Useful Links

Default Linux Config

Sigh.. notes to self on the standard steps when installing a fresh ubuntu desktop:

  • Preserve shotwell indexes: backup/restore ~/.local/share/shotwell
  • add multi user xhost access: add ‘xhost +SI:localhost:testusers >& /dev/null’ to .bash_rc
  • Pulse audio:  copy default.pa to ~/.pulse and add ‘load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1’ to the end. In all test accounts that need audio access, add ‘default-server = 127.0.0.1’ to ~/.pulse/client.conf

Windows NFS server permissions

One issue we recently ran into was linux nfs clients were blowing away inherited permissions on windows volumes. In order to allow rename/mv and chmod to work properly on an nfs (4 or 3) mount, you need to grant clients ‘full permissions’ on the directory they will be working in. This has the lovely side affect of a chmod, rsync, tar -xpf or anything that touches permissions completely changing the local permissions on that directory for ALL users/groups you may have assigned on NTFS

  1. Create a directory, set appropriate ntfs permissions (Full permissions) with inheritance for multiple security groups
  2. Share that directory out to an nfs client.
  3. On the nfs client, mount the volume, and run ‘chmod 700 /mountpoint’
  4. Go back into windows and notice you’ve lost all the inherited permissions you thought you assigned on that share.
  5. Scratch your head, check the KeepInheritance registry key, run tcp dump.
  6. Realize you need to place the permissions you wish to inherit in a place that the nfs client cannot change them.

How we now share volumes out is the following ‘X:\[projectname]\[data]

  • projectname – high level, NOT shared directory that is the holder of all permissions for a project (subfolders, etc).
    • For groups/users that apply to your unix clients make sure they have full permission.
    • For your windows only folks, ‘Modify’ is generally good enough.
  • data – directory that is actually shared out via cifs/nfs

So far this scheme is working pretty well and allows unix clients to work properly and do horrible things on local files while preserving the broader group permissions you wish to see on your windows clients.

PBS, FD_CLOEXEC and Java

The PBS/Torque scheduler that ships w/ Ubuntu 12.04 uses an interesting method to verify that user requests from a submission node cannot impersonate anyone else. In a nutshell, any Torque command (qsub, qstat, etc) calls a suid program (pbs_iff) which connects to the pbs server from a privileged port and notifies the server the client port and what user will be sending commands from that port. pbs_iff receives this information by looking at the source port on the file handle passed to if during its clone. The whole handshake looks like this:

  1. Unprivileged client opens a socket to the pbs server
  2. Client calls clone and passes the file handle number to a suid pbs_iff as an argument
  3. pbs_iff reads the source port off of the file handle
  4. pbs_iff opens a socket from a priviliged port to the pbs server and sends invoking user and source port .
  5. The pbs server now trusts that commands from the initial socket belong to the user passed by pbs_iff
  6. pbs_iff terminates and the original client sends whatever commands it desires.

This works nice in C where the default is to pass all file handles to the child process on a fork. However, many languages frown on this file handle leaking for a number of reasons and have decided this default is a bad idea. Java is one of these, so it nicely sets FD_CLOEXEC on all file handles it opens. This means when you use the ProcessBuilder or call Runtime.exec, you can’t see any file handles you previously had open thereby breaking Torque’s security mechanism.

Size of a Petabyte

A fun back of the napkin game I remember calculating for the past decade around the time affordable (under 10k) IDE-SCSI terabyte sized raids came out was, “How big is a petabyte?”. Around the time these became interesting (2003-4) it looked like ~16 racks of hard drives and 1u controlling servers in 4-6t raid volumes.

The next big upgrade was around a little before the Sun Thumpers arrived and reduced that size down to ~43 servers (500gb drives) and reduced that size down to a little over 4 racks total.

Today, it looks like you can easily get 80 3.5″ drives in a 4u chassis, so that reduces the total size from 12 racks a decade+ ago down to about 16u today. Assuming I run our 10Gbps pipe at full throttle, that’s around 10 days to fully fill.  (not counting network, storage, metadata overhead).

Guess its time to start counting racks per exabyte. (304 at today’s density).

Sharepoint 2013, the not quite getting it release

‘…Your Enterprise Social Network…’ well almost.

Compared to 2011, 2013 is clearly a large step forward. Document editing works and in my opinion is superior to the google docs alternative, the layout is much, much easier to navigate and at long last MS seems to have backtracked on their Document Libraries are not like shared folders stance. The Document library to Explorer integration and connection to office overall is much improved (read, it works).

With all the good things, there appear to be a few glaring omissions. Given the glaring holes, it appears that the Sharepoint dev group either does not eat their own dog food, or has a very convoluted day to day work process.

1. Following and forgetting.

You can follow sites and documents, but not folders. We’ve come across a number of times when sharing part of a document library (ie, working on a single presentation, collecting a limited set of documents, sharing small groups of ppts/word documents) is necessary. This works nice, click share type in your colleague’s name, then for the love of god, make sure your colleague doesn’t misplace that e-mail. There’s no way to follow that folder. I can follow every single document which is good until someone uploads another document. If its not a top level folder, browsing to that document library doesn’t show it :(.

2. Folders and a filesytem, but not really

Sharepoint 2010, don’t use folders and document libraries as file shares, in Sharepoint 2013 you mount a document library locally but folders are bad, use tags instead. NO! If you attach it to Explorer, it should behave like a filesystem, people will use it like a filesystem. Don’t give me a convenient way to access stuff, then say no.

Pretty much all the caveats about file size, characters, path length listed in the Migrating File Shares to Skydrive Pro blog post mean that Skydrive Pro is pretty useless for all but the most simple cases.

3. Finding s^$%

You know what’s nice, when someone shares something with you, or gives you access to something, not having to make a conscious effort to bookmark or follow it. Again, take a cue from Dropbox, google docs, if someone shares something, grants me or my group access it, call me crazy, but I probably want to easily access it.  If I don’t, then leave the onus of removing it on me.

A possible solution, allow sharing to automatically add stuff to My Sites, or a shared document library. Don’t make me use search to find stuff that should be one click away.

4. Sharing, but not to everyone

Apparently MS only e-mails documents to folks outside of Redmond or only shares documents with people within their corporate borders. Box, Dropbox, Google docs, Pydio, and well pretty much everyone else lets me e-mail an obfuscated link to a document that will (shocker!) open that document or folder. Is it perfectly secure? No, however it definitely falls under the lets me get work done category.

And before you start, forcing my colleagues to get an outlook account and federating to outlook.com is not an acceptable solution (here’s looking at you Skype/Lync).

5. Its not a Windows world anymore.

Skydrive Pro and Sharepoint document syncing is wonderful… I love it, its corporate Dropbox for my office documents finally… And its a complete pain to support anyone that’s not running a PC attached to my domain. Telling your OS-X users to use the web to download/open documents isn’t a solution. Having to use the web browser on Android to retrieve documents, not a solution. If you’re not on Windows, you’re a second class citizen isn’t a solution. People have seen the future of document syncing and it looks and behaves like Box and Dropbox, please copy it.

On a related note: Box/Dropbox, give me an on-premise solution for sharing and you’ll probably end up giving Sharepoint a run for its money.

All in all, SP 2013 is a huge leap forward, document editing in office web apps is light years ahead of google docs, navigation, the overall layout, site templates, etc are incredibly powerful. Its a shame that MS is still determined to do things their way, as opposed to what is in the best interest of their customers.

Lync and Updates and 80240437

For future reference, disabling TLS 1.2 on your Lync 2013  standard edition frontend will break your ability to update windows server 2012. You’ll end up w/ error 80240437 that’s pretty damn useless. Meanwhile, manual installation of cumulative updates work, and your other (mediation, edge, monitor, etc) roles all work and patch fine, just your frontend  is f’d. Hopefully you stumble across this technet post and look at the second to last post before you go down the rabbit hole. A light bulb will go off and you’ll remember the registry hacks you applied from here several months ago. To patch your server, you’ll need to disable the reg hacks by re-enabling TLS 1.2 (set disable to 0), running windows update, then re-enable the registry hacks. Afterwards, grab some rye and curse Microsoft.