A message about security
When I originally started this blog, it was entitled "Adventures in Networking" and it dealt primarily with networking and, more specific, Cisco network security. Since that time I've written about everything from hurricanes to hacking an Western Digital NAS device and giving a $50 Linksys router the power of a $500 Cisco box. Lately, I've been posting how-to's for all kinds of stuff and it's time to take a step back and talk about security for a little bit.
A web hosting client of mine got his site hacked in the past couple of days. About a year ago, I installed phpBB3 for him and setup his domain on my server. After that, I acted as admin on the forums and stuff like that. Well, phpBB3 got neglected and hadn't been updated in a while. It was running version 3.0.6 while the latest version was 3.0.7-PL1. 4 versions have been released since the last update. When the site got exploited, he looked at me like it was my fault. In fact, he told me something along the lines of "I paid you to build a site that was secure and you didn't do that". Well, I did build him a secure site a year ago, but in the past year, there has been enough holes found in phpBB3 to kill a horse.
I'm sure that any freelancer or businessman out there has had to deal with clients that don't understand what it is exactly you do. This happens a lot to me due to the range of things that I do. But in this instance, the client was under the illusion that I was going to maintain the website and keep it up to date for him. The original invoice that I sent for the site was simply 8 hours of work to get everything installed and setup properly and for a year of hosting. Since that first invoice, I have fixed little errors here and there for him without invoicing him because it's little things that only take a few minutes to take care of. Plus, the guy is a real good friend of mine and has been my friend since before we started doing business together. I do freebies for a lot of my customers from time to time. Maybe I messed up by doing these repairs and not charging him for them and by doing that I lead him to believe that I was doing it all for free.
I logged into the site this morning to notice that it had been defaced. Some hacker managed to get in and screw around with the AdminCP. Language packs were messed with, 300+ accounts were created and a bunch of spam had been posted. I went ahead and fixed everything that happened and went through the process of upgrading phpBB3 to the latest version. It took me about 2½ hours to get it all cleaned up and upgraded. Once I was done, I submitted a service ticket for the work. Here's another place I screwed up. I should have asked him if he wanted me fix it first because we don't have a service agreement between the two companies.
Well, the site got upgraded to the latest version of phpBB3 and it was working fine.... for about 3 hours. That's when our little hacker managed to get back in and lock me out completely. My best guess is that there's a zero-day exploit on phpBB 3.0.7-PL1 that will also work on all previous versions. In that instance, there's not a whole lot I can do about it other than block the proxies that he's used to get to the site with or just shut the site down. Well, I shut it down.
Here's where the main problem starts. The customer assumed that it was my responsibility to update the software for him. I don't go to HP and bitch at them because there's holes in Windows. Once I install the software, it's up to the client to keep that software up to date. All of my other web clients know this and they keep their CMS software up to date. If we would have set up a service contract in which I said I would maintain the security of his site, then it's no problem. It's my responsibility to fix the security issues that come up, but there's no agreement there.
Also, the client wants 100% security. We all know that 100% security does not exist and never will exist. He didn't like the fact that I used open-source software for the site because people can read the source code. Well, the open-source stuff is free, so that's why it was used. But even closed-source software has security holes in it.
To wrap up this rant, I wish people could understand that the only secure computer is one that's powered down and unplugged from the internet. A friend once told me that if you installed a fresh copy of Windows XP (no service packs) on a computer and plugged it directly into the internet, it would be rooted within 12 seconds. 12 seconds! There is no security, only the illusion of it.
-Greg
Western Digital MyBook World Edition Hacks
I know that I've been moving further and further away from the main purpose of this blog, and that's Cisco networking and security. I'm putting this here so I can remember how to do this stuff later and have a place to look! The MyBook World Edition is a great device that you can do tons of stuff with. It runs Linux, so just about anything you can do with Linux, you can do with this device.
First off, you need to enable SSH on your NAS. There's a few different ways of doing it. Martin Hinner was the original hack. I've used this method before and it works just fine. There's also a slightly cleaner way of doing it found here. I have both scripts on my server should something happen to either one of those.
Martin Hinner Original Hack
http:///auth/firmware_upgrade.pl?fwserver=gregledet.net/mybook/firmware.php
Slightly Cleaner Hack from Mybook-Linux
http:///auth/firmware_upgrade.pl?fwserver=gregledet.net/mybook/enablessh.php
For both of those, simply plug the link into your browser, add the IP of your MyBook, and it will tell you that there's new firmware available. Click the button that tells you Download and Install. It's not going to take the 30 minutes that it'll say on your screen, it should take around 5 or 10. With the Hinner hack, you may get an error message saying that the firmware update failed. This happens with firmware 2.00.15 and higher. Don't fret, the script did run. You'll be fine. Continue on with the instructions.
- *NOTE* If you have an SSH client, great. If now, download PuTTY. I use it and it works perfectly fine. Login with the username "root" and the password "root".
- *NOTE* If you don't know how to use vi, or if you are uncomfortable using it, you can get a program like WinSCP that will allow you to secure FTP into the device. Then you can download the files to your computer and use the editor of your choice to edit the file (notepad works fine) and upload the new file back to the device.
If you use the Martin Hinner hack, after you install the "firmware", you need to make SSH permanent by editing the /etc/inittab and adding the following under the "# Startup the system" part of the file.
::sysinit:/usr/sbin/sshd
The other way should turn it on permanently by itself. After you add that line for the Hinner hack, or once the "firmware" is installed and you can SSH into the device, you need to reboot.
[root@MyBookWorld ~]# reboot
Now you have SSH permanently installed on your MyBook World Edition!
One error that I ran into was not being able to get mplayer CE to connect via samba to the network share on the MyBook. To fix this I had to enable Microsoft Directory Service on the device. First, you need to add the following lines to the /etc/services file.
microsoft-ds 445/tcp #Microsoft Directory Service microsoft-ds 445/udp
Add this after "snpp 444/udp # Simple Network Paging Protocol" and before "saft 487/tcp # Simple Asynchronous File Transfer". Do your best to make it fit in the file. By that, I mean use the tab key.
After this, you need to edit the /etc/inet.d file and add:
microsoft-ds stream tcp nowait root /usr/local/samba/sbin/smbd smbd -s/etc/smb.conf -l/var/log -d0
I would just add it on the second line or at the bottom. I don't think it matters.
One more file to edit. This time you need to add the following to the /etc/smb.conf file under "[global]" after "max log size = 1"
smb ports = 445
A quick reboot and you're done! This will have you connected to your Wii to stream movies with no problem.
There are tons of sites out there that have great information on hacking your MyBook World Edition. With the following 2 sites, you should be able to do whatever you want with it.
Martin Hinner's site on Hacking the MyBook World Edition
MyBook World Hacking at wikidot.com
Those sites should answer any questions you have about anything having to do with Hacking the MyBook World Edition!
Categories
- How To's (9)
- Hurricanes (60)
- Networking (44)
- Other stuff (14)
Blogroll
- Adventures in Open Source
- Bejoy's Site
- Charlie Moreno Web Design
- Fark.com
- Greenhat security
- GregoryLedet.com
- JefTek.com
- Packet Life
- Shannon Bray
- Shortest Path First
Social Networking
Recent Comments
- essaydone on Configuring a port analyzer (port mirror) on the Juniper EX switch
- Tony on Port Forwarding on the Cisco ASA in 8.3 from the ASDM made easy
- Greg Ledet on Windows IP conflict when there is no conflict
- Y8 on Windows IP conflict when there is no conflict
- juegos de yepi on SSH Configuration in IOS
Meta
Certifications
