Shared posts

17 Oct 13:54

Internet providers block purchase of counterfeit jewellery

British Internet service providers will in future have to block their customers' access to websites that sell counterfeit branded goods. A ruling by the highest civil court has upheld a suit by the brands Cartier and Montblanc and obliged the network providers to implement the censorship measures demanded.

13 Oct 09:00

So many tickets, so little time...

by sharhalakis

by @ReesReb

11 Oct 15:51

Imagine you're out and about and have your m...

Imagine you're out and about and have your mobile phone with you. And somewhere in the area where your phone is logged in, a crime happens. And presto, you get to hand in a DNA sample: that's what happened in Hanau.
[1] Comments
09 Oct 18:13

Great phrasing: "differing legal positions ...

Great phrasing: "differing legal positions within the intelligence service" detected. As if anyone cares what parallel worlds they think they're moving in! Off to jail and that's that. They can then tell the judge that up to now they always thought the laws didn't apply to them. WTF?

And, dear tax office, how about running a few audits there. If they're already announcing that they don't abide by the laws but hold "positions" on the laws, and believe they only have to abide by those, then they won't be too particular about taxes either. Dear GEZ, how about an extra shift of inspections at their place? And, dear content mafia, how about some spot checks on BND employees. They surely won't take murderous pirate copying too seriously either if they already don't feel bound by the constitution. Someone should also check their houses to see whether they follow the regulations there. And the cars.

Just imagine a bank robber explaining to the judge that he simply holds the legal position of not having done anything forbidden. WTF?!

08 Oct 20:38

BadUSB Code Has Been Published

by schneier

In July, I wrote about an unpatchable USB vulnerability called BadUSB. Code for the vulnerability has been published.

08 Oct 19:35

The Crypto Wars 2.0 are officially open! The ...

Zeckenhorst81

here we go again.... x

08 Oct 19:35

Telekom and Vodafone are demanding "quality classes" for ...

Telekom and Vodafone are demanding "quality classes" for Internet traffic. I really don't know what they want. They already exist. There's real Internet, and then there's basement-dweller "quality class" Internet from throttling providers like Telekom and Vodafone.

Money Quote:

But this supposedly has nothing to do with "softening net neutrality".
Yeah no, of course not!1!!
08 Oct 21:36

The CIA has declassified an exciting PDF (caution: ...

The CIA has declassified an exciting PDF (caution: the link goes to the CIA), from the category "Grandpa tells war stories". This particular grandpa opens the ELINT bag of tricks and tells how you determine the position and capabilities of radar installations from intercepted enemy radar signals. An interesting read, and not only for the technically minded (among other things, they used the moon as a reflector to map the Soviet Union).

I don't want to spoil the part further on, but the document really is worth reading.

09 Oct 12:09

Captain Obvious treats us today to this statistic: ...

Captain Obvious treats us today to this statistic: Compared to 2000, the "energy suppliers" pay 14% less to buy electricity but charge us 92% more when selling it.

That must be the non-wage labour costs!1!! They finally have to come down, and the poor companies finally need a lower tax burden too!!1!

03 Oct 05:30

China hacking Hong Kong protesters’ smartphones, says security firm

by Ian Allen

A mobile telephone security company has said the government of China is probably behind a sophisticated malware designed to compromise the smartphones of protesters in Hong Kong.

30 Sep 14:38

Online Router Forensics Lab

by Xavier

When my friend Didier Stevens contacted me last year to help him with a BruCON 5×5 project, I simply could not decline! Didier developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Toolkit”). It is written in Python and provides a good toolbox to extract juicy information from router memory. From a development point of view, the framework was ready, but Didier had the great idea to prepare a workshop to train students to analyze router memory images. The 5×5 project was accepted and, thanks to the support of BruCON, it was possible to buy a bunch of Cisco routers to let students play with them. Why hardware routers and not simply a virtual lab (after all, we are living in the virtualisation era)? For two main reasons: to avoid licensing issues, and because a virtual lab does not offer the ROMMON feature, which is very useful to take a memory image of the router. The very first workshop was given last week during BruCON as a premiere. With a fully booked room of 40 people, it was a success and we already got good feedback. But not all people are able to attend security conferences and workshops; that’s why Didier had the idea to implement an online lab where registered people could perform the same investigations as in the live workshop. That’s where I got involved in the project!

Here are a few words about the lab that has been deployed. It is based on a hardened Linux server and two Cisco 2610 routers connected together. A private network is available to generate some IP traffic. The routers’ serial consoles are also connected. Here is a small schema of the lab:

NAFT Lab Topology

The Cisco routers can be managed via a telnet connection or via their console port. All tools are pre-installed to perform the memory dump analysis:

  • The NAFT framework
  • tcpdump
  • tftp server/client

To access the lab, you just need a SSH client:


The lab is available to anybody who would like to test Didier’s framework. We also opened a website with information about the project and a booking system. You just have to select the day(s) and fill in a small form. Once approved, a temporary account will be created and credentials will be sent.

After presenting it as an exclusive during BruCON, Didier and I are happy to announce that the lab is publicly available right now via router-forensics.net. If you’re interested in a workshop for your school or your event, feel free to contact us! We have routers ready for the road ;-) The next workshop has been scheduled during Hack.lu in Luxembourg.

Routers on the Road

06 Oct 11:50

iPhone Encryption and the Return of the Crypto Wars

by schneier

Last week, Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone's data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user's iPhone data is now more secure.

To hear US law enforcement respond, you'd think Apple's move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into people's iPhones. In the words of cyberlaw professor Orin Kerr, "How is the public interest served by a policy that only thwarts lawful search warrants?"

Ah, but that's the thing: You can't build a backdoor that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You're either vulnerable to eavesdropping by any of them, or you're secure from eavesdropping from all of them.

Backdoor access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with US government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

This doesn't stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.

The former head of the FBI's criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.

FBI Director James Comey claimed that Apple's move allows people to "place themselves beyond the law" and also invoked that now overworked "child kidnapper." John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: "Apple will become the phone of choice for the pedophile."

It's all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there's no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012 -- and the investigations proceeded in some other way.

This is why the FBI's scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn't true.

We've seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse: pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.

Strong encryption has been around for years. Both Apple's FileVault and Microsoft's BitLocker encrypt the data on computer hard drives. PGP encrypts e-mail. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the US bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.

Law enforcement has been complaining about "going dark" for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they're about to try again.

We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn't just me talking: The FBI also recommends you encrypt your data for security.

As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, e-mail history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we're thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.

After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he's right.

Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple's lead and make encryption the easy-to-use default. And let's wait for some actual evidence of harm before we acquiesce to police demands for reduced security.

This essay previously appeared on CNN.com

EDITED TO ADD (10/6): Three more essays worth reading. As is this on all the other ways Apple and the government have to get at your iPhone data.

And a Washington Post editorial manages to say this:

How to resolve this? A police "back door" for all smartphones is undesirable--a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Because a "secure golden key" is completely different from a "back door."

EDITED TO ADD (10/7): Another essay.

EDITED TO ADD (10/9): Three more essays that are worth reading.

EDITED TO ADD (10/12): Another essay.

07 Oct 14:23

Maths takes flight

by Rachel

Soon you will be able to step inside a mathematical space and experience the beauty and importance of maths!

The plane exhibit

The design for the new maths gallery

Would you like to step inside an abstract mathematical space? Soon you'll be able to do just that, in the maths gallery at the Science Museum in London, due to open in 2016.


06 Mar 08:28

Did you know that the Kremlin finances "environmentalists" he...

Did you know that the Kremlin finances "environmentalists" here so that we don't get efficient energy sources (nuclear, shale gas) and remain dependent on Russian gas forever? Would also explain why fefe is so anti-nuclear and, despite CodeBlau's lousy business figures, isn't on Hartz IV.
[11] Comments
11 Feb 22:12

From the popular category "nuclear power is SAFE at OUR place" ...

From the popular category "nuclear power is SAFE at OUR place", today: "More rusty nuclear waste barrels found in Brunsbüttel". And when they say "rusty", they mean: the outer shell is only partially still there. Take a look at the photo.
12 Feb 12:59

The new terrorists: Google users. The guy ...

Zeckenhorst81

by oldreader

The new terrorists: Google users. The guy asked Google about something and got a link to over 7 GB of documents on the web server of the French agency for food safety, environmental protection and work. Obviously that's a nasty hacker who has to be arrested and charged. When the judge understood that the files were publicly accessible, he acquitted the man, but that was only the criminal part. Under civil law he now has to pay 3000 euros.

Oh, and which nasty hacker tool did he use? wget! That already got Manning into hot water too.

08 Feb 16:57

This weekend's Snowden publications finally give ...

This weekend's Snowden publications finally give us in writing that the agencies plant "evidence" on compromised computers in order to frame innocent people. Also: how they "push" embarrassing stories via social media to get them into the narrative. Twitter, Flickr, Facebook and Youtube are named explicitly. Oh, and false flag operations, but nobody has seriously been able to doubt their existence as an intelligence tool for a long time. Then "ROYAL CONCIERGE" is mentioned again, the program for finding out in real time when a target checks into a hotel. We had that before with the Snowden documents.
27 Jan 10:47

Invasion of JCE Bots

by Denis

Joomla has been one of the most popular CMSes for a long time. It powers a huge number of sites. That’s great! The flip side is that, because Joomla has been popular for so long, there are still very many sites that use older versions of Joomla as well as older versions of Joomla components. For example, the 1.5.x branch of Joomla (2008-2010) still has a noticeable share of live Joomla sites.

Old versions may work well for your site, but they have multiple well-known security holes, so they are low-hanging fruit for hackers. Let me show this using a real-world example.

JCE attack

There is a JCE component, a fancy content editor that can be found on almost every Joomla site. It has a well-known security hole that allows anyone to upload arbitrary files to the server.

You can easily find working exploit code for this vulnerability. What it does is:

  1. Checks whether a vulnerable version of JCE is installed (2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 1.5.7.10, 1.5.7.11, 1.5.7.12, 1.5.7.13, 1.5.7.14)
  2. Exploits the bug in the JCE image manager to upload a PHP file with a .gif extension to the images/stories directory
  3. Then uses a JSON command to rename the .gif file to *.php.

Now you have a backdoor on a server and can do whatever you want with the site.

This is how this attack looks in logs (real example):

197.205.70.37 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 329 "-" "BOT/0.1 (BOT for JCE)"
197.205.70.37 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"

As I mentioned, JCE is a very popular component and there are still many sites that use old versions of it. No wonder hackers are scanning the Internet for such vulnerable sites. They reworked the exploit code for use in their automated tools that relentlessly test millions of sites, one after another. These days I find multiple requests with the “BOT/0.1 (BOT for JCE)” User-Agent string in the logs of almost every site that I check, even in the logs of sites that have never had Joomla installed.

I’d like to share some interesting statistics of a real site that had been hacked using this JCE hole and then was being routinely reinfected every day.

  • 7,409 requests with the User-Agent “BOT/0.1 (BOT for JCE)” that came from 785 different IPs during the period of Dec 24th – Jan 24th (one month)
  • 239 requests from 51 unique IP addresses during the last 24 hours
  • 4 independent (uploaded different types of backdoors) successful infections during one day.
  • plus, multiple tests for other vulnerabilities.
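As an added example (my code, not part of Denis's post), the following Python script applies the indicators described above to Apache combined-format log lines: the scanner's User-Agent string, POSTs to the JCE image manager, and a 200 on a .php file under images/stories, which is the sign that an upload actually became an executable backdoor. It also produces the per-IP counts behind statistics like the ones listed above. The embedded log lines are constructed in the post's format with documentation IPs; the file name 3xp.php is taken from the post, the others are made up.

```python
"""Flag JCE image-manager exploitation attempts in Apache access logs."""
import re
from collections import Counter

# User-Agent string the post reports for the automated JCE scanner.
JCE_BOT_UA = "BOT/0.1 (BOT for JCE)"

# Constructed sample in the combined log format quoted in the post.
# IPs are documentation ranges; only 3xp.php comes from the post itself.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jan/2014:16:46:54 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 200 302 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.7 - - [23/Jan/2014:16:46:55 -0500] "GET /images/stories/3xp.php HTTP/1.0" 200 465 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.9 - - [23/Jan/2014:17:02:10 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.0" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jan/2014:17:02:11 -0500] "GET /images/stories/0day.php HTTP/1.0" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Jan/2014:17:10:00 -0500] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8712 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Steps 1-2 of the exploit: requests to the JCE image manager plugin.
IMGMANAGER_RE = re.compile(r"option=com_jce\b.*\bplugin=imgmanager\b")
# Step 3 pay-off: a .php file being fetched from the upload directory.
STORIES_PHP_RE = re.compile(r"^/images/stories/[^?]*\.php(?:$|\?)", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the set of JCE-attack indicators matched by one request."""
    tags = set()
    if entry["ua"] == JCE_BOT_UA:
        tags.add("jce-bot-ua")
    if entry["method"] == "POST" and IMGMANAGER_RE.search(entry["path"]):
        tags.add("imgmanager-post")
    if STORIES_PHP_RE.match(entry["path"]):
        tags.add("stories-php")
        # A 200 means the server executed (or served) the uploaded file.
        # With the .htaccess hardening from the post this would be a 403.
        if entry["status"] == 200:
            tags.add("backdoor-reached")
    return tags


def analyze(log_text):
    """Summarise JCE-related activity across a whole log, per source IP."""
    per_ip = Counter()      # flagged requests per source IP
    bot_ua_ips = set()      # IPs that used the scanner's User-Agent
    backdoors = []          # (ip, path) pairs that got a 200 on a stories .php
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if not tags:
            continue
        per_ip[entry["ip"]] += 1
        if "jce-bot-ua" in tags:
            bot_ua_ips.add(entry["ip"])
        if "backdoor-reached" in tags:
            backdoors.append((entry["ip"], entry["path"]))
    return {
        "flagged_requests": sum(per_ip.values()),
        "unique_ips": len(per_ip),
        "bot_ua_ips": sorted(bot_ua_ips),
        "backdoors": backdoors,
        "top_sources": per_ip.most_common(5),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a real access log with `analyze(open("access.log").read())`; a non-empty `backdoors` list means the hardening step below was missing when the upload happened.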

To webmasters

As you can see, this is not something you can neglect or consider an insignificant threat. It’s silly to hope that hackers won’t find your site. Today hackers have the resources to spider the Internet almost as efficiently as Google could about 10 years ago, so there is almost no chance your site will stay unnoticed. The only way to prevent the hacks is to be proactive: keep all software up to date and harden your sites.

In the case of this particular JCE attack:

  1. Make sure to upgrade your Joomla site to the most current version.
  2. Upgrade JCE to the latest version. You can find download packages for all the three branches of Joomla here.
  3. Protect all file upload directories and all directories that shouldn’t contain .php files. For example, place the following .htaccess file there to prevent execution of PHP files:
    <Files *.php>
    deny from all
    </Files>
  4. Try blocking requests with the “BOT/0.1 (BOT for JCE)” User-Agent string. Of course, this shouldn’t be considered real protection. Hackers can change the User-Agent string to whatever they want. But it can help keep some dumb, annoying bots away from your site.
  5. If, for some reason, you can’t upgrade your site at this moment, consider placing it behind a website firewall that will block any malicious traffic before it reaches your server.  This is something that we call virtual patching in Sucuri CloudProxy.
06 Feb 10:00

rm -rf filename *

by sharhalakis

by Murf

07 Feb 01:55

The Americans were completely right with their wiretapping warning. ...

The Americans were completely right with their wiretapping warning. A YouTube video has surfaced with an intercepted phone call between Obama's most important Europe adviser and the US ambassador to Ukraine. And she says:
And, you know, fuck the EU.
After the CDU and the SPD noticed that they find wiretapping bad as soon as it affected them personally, ... maybe the US government will now notice that wiretapping is bad. Now that it affects them personally.
03 Feb 10:01

Things broke. I'm out.

by sharhalakis

by spoonman

04 Feb 11:12

The Dutch are turning the wheel of civilisation. Unfortunately ...

The Dutch are turning the wheel of civilisation. Unfortunately in the wrong direction. If you are suspected of welfare fraud in Nijmegen, the city installs its own surveillance camera that keeps an eye on your front door. So that the municipal fraud-detection brigades can keep a better eye on people! *shudder*
25 Jan 22:19

Mobile Security News Update for February 2014

Zeckenhorst81

Oldboot: the first bootkit on Android

This is an early update for February, for two reasons: I have stuff to write about right now, and I'm going to be super busy in February.

This year I attended ShmooCon for the first time. I liked it a lot and plan to go again. I didn't know ShmooCon was running for 10 years already. They seem to have a good grip on the conference and don't let it explode in size.

Conferences
    CanSecWest, one of my favorite cons (maybe my #1). Talks: No Apology Required: Deconstructing Blackberry10 - Zach Lanier, Ben Nei ; Duo Security & Accuvant. Outsmarting Bluetooth Smart - Mike Ryan ; iSEC Partners. The Real Deal of Android Device Security: the Third Party - Colin Mulliner, Jon Oberheide ; Northwestern University, Duo Security.

    Troopers (Heidelberg, Germany). There is one mobile talk in the main conference, but in addition they have TelSecDay (invite only), which focuses on telecommunication security. The main conference talk is: Modern smartphone forensics: Apple iOS: from logical and physical acquisition to iCloud backups, document storage and keychain; encrypted BlackBerry backups (BB 10 and Olympia Service) by Vladimir Katalov.

    nullcon (Goa, India) has a mobile talk this year: Modern smartphone forensics: Apple iCloud, encrypted BlackBerry backups, Windows Phone 8 cloud backup - by Vladimir Katalov.

    SyScan 2014 looks super awesome this year. Josh "Monk" Thomas : "How to train your Snapdragon: Exploring Power Regulation Frameworks on Android". Dr Thaddeus (The) Grugq : "Click and Dragger: Denial and Deception on Android Smartphones". Alex Plaskett & Nick Walker "Navigating a sea of Pwn? : Windows Phone 8 AppSec".

    Black Hat Asia THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES by Simon Roses Femerling.

    HITB Amsterdam Shellcodes for ARM: Your Pills Don't Work on Me, x86 by SVETLANA GAIVORONSKI and IVAN PETROV.

    RootedCON (Spain) talks: Raul Siles - iOS: Regreso al futuro, Pau Oliva - Bypassing wifi pay-walls with Android. Some talks look like they are mobile talks too :) (my Spanish is kinda bad)


Links

There are a lot of interesting talks in the next month. I'm working on (and finished) some interesting projects that I can hopefully talk about soon.

Our Android book is finalized and thus should be available in April.

The Defcon CFP is already open so make sure you submit your talks early. Also checkout Area 41 a fine security conference in Switzerland, the CFP is still open.

This year I'm co-chairing ARES an academic security conference. Please consider submitting your papers.

If you are interested in NFC (Near Field Communication) check out the current draft of the Web NFC API. The standard defines how a "web page" can interact with NFC devices.
28 Jan 10:00

Episode #174: Lightning Lockdown

by noreply@blogger.com (Hal Pomeranz)

Hal firewalls fast

Recently a client needed me to quickly set up an IP Tables firewall on a production server that was effectively open on the Internet. I knew very little about the machine, and we couldn't afford to break any of the production traffic to and from the box.

It occurred to me that a decent first approximation would be to simply look at the network services currently in use, and create a firewall based on that. The resulting policy would probably be a bit more loose than it needed to or should be, but it would be infinitely better than no firewall at all!

I went with lsof, because I found the output easier to parse than netstat:

# lsof -i -nlP | awk '{print $1, $8, $9}' | sort -u
COMMAND NODE NAME
httpd TCP *:80
named TCP 127.0.0.1:53
named TCP 127.0.0.1:953
named TCP [::1]:953
named TCP 150.123.32.3:53
named UDP 127.0.0.1:53
named UDP 150.123.32.3:53
ntpd UDP [::1]:123
ntpd UDP *:123
ntpd UDP 127.0.0.1:123
ntpd UDP 150.123.32.3:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f1]:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f2]:123
portreser UDP *:783
sendmail TCP 150.123.32.3:25
sendmail TCP 150.123.32.3:25->58.50.15.213:1526
sendmail TCP *:587
sshd TCP *:22
sshd TCP 150.123.32.3:22->121.28.56.2:39054

I could have left off the process name, but it helped me decide which ports were important to include in the new firewall rules. Honestly, the output above was good enough for me to quickly throw together some workable IP Tables rules. I simply saved the output to a text file and hacked things together with a text editor.

But maybe you only care about the port information:

# lsof -i -nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort -u
123 UDP ntpd
1526 TCP sendmail
22 TCP sshd
25 TCP sendmail
39054 TCP sshd
53 TCP named
53 UDP named
587 TCP sendmail
783 UDP portreser
80 TCP httpd
953 TCP named
NAME NODE COMMAND

Note that I inverted the field output order, just to make my sed a little easier to write.

If you wanted to go really crazy, you could even create and load the actual rules on the fly. I don't recommend this at all, but it will make Tim's life harder in the next section, so here goes:

lsof -i -nlP | tail -n +2 | awk '{print $9, $8}' | 
sed 's/.*://' | sort -u | tr A-Z a-z |
while read port proto; do ufw allow $port/$proto; done

I added a "tail -n +2" to get rid of the header line. I also dropped the command name from my awk output. There's a new "tr A-Z a-z" in there to lower-case the protocol name. Finally we end with a loop that takes the port and protocol and uses the ufw command line interface to add the rules. You could do the same with the iptables command and its nasty syntax, but if you're on a Linux distro with UFW, I strongly urge you to use it!
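As an added example (my code, not Hal's), this Python script parses output in the shape of the `lsof -i -nlP | awk '{print $1, $8, $9}'` listing above and emits ufw rules only for sockets that are actually listening on a non-loopback address. That drops the peer ports of established connections (1526 and 39054 in the listing above) that the `sed 's/.*://'` version lets through, and it keeps the owning process name as a comment. The sample listing is constructed with documentation addresses.

```python
"""Turn an lsof socket listing into ufw rules for listening sockets only."""
import re

# Constructed input in the shape of the post's
#   lsof -i -nlP | awk '{print $1, $8, $9}'
# output; addresses are documentation ranges, not the post's real host.
SAMPLE_LSOF = """\
COMMAND NODE NAME
httpd TCP *:80
named TCP 127.0.0.1:53
named TCP 127.0.0.1:953
named TCP [::1]:953
named UDP 198.51.100.3:53
ntpd UDP *:123
ntpd UDP [fe80::baac:6fff:fe8e:a0f1]:123
sendmail TCP 198.51.100.3:25
sendmail TCP 198.51.100.3:25->203.0.113.5:1526
sendmail TCP *:587
sshd TCP *:22
sshd TCP 198.51.100.3:22->203.0.113.9:39054
"""

# NAME column: local address, ':' port, and for established
# connections an optional '->peer:port' suffix.
NAME_RE = re.compile(r"^(?P<local>.+?):(?P<port>\d+)(?:->(?P<remote>\S+))?$")

LOOPBACK = {"127.0.0.1", "::1"}


def parse_sockets(text):
    """Parse the three-column listing into dicts; the header line is skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 3:
            continue
        command, proto, name = parts
        m = NAME_RE.match(name)
        if not m:
            continue
        sockets.append({
            "command": command,
            "proto": proto.lower(),               # ufw wants tcp/udp lower-case
            "local": m.group("local").strip("[]"),  # strip IPv6 brackets
            "port": int(m.group("port")),
            "remote": m.group("remote"),          # None for listening sockets
        })
    return sockets


def naive_ports(text):
    """Ports as the post's sed 's/.*://' sees them: the peer port of every
    established connection is included, because it follows the last ':'."""
    return {int(line.rsplit(":", 1)[1]) for line in text.splitlines()[1:]}


def listening_rules(text):
    """ufw allow rules for sockets listening on a non-loopback address,
    one rule per (port, protocol), owning processes in a shell comment."""
    rules = {}
    for s in parse_sockets(text):
        if s["remote"] is not None or s["local"] in LOOPBACK:
            continue  # established connection, or loopback-only listener
        rules.setdefault((s["port"], s["proto"]), set()).add(s["command"])
    return [f"ufw allow {port}/{proto}  # {','.join(sorted(cmds))}"
            for (port, proto), cmds in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(listening_rules(SAMPLE_LSOF)))
```

Review the printed rules before running them; the script deliberately does not call ufw itself.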

So, Tim, I figure you can parse netstat output pretty easily. How about the command-line interface to the Windows firewall? Remember, adversity builds character...

Tim builds character

When I first saw this I thought, "Man, this is going to be easy with the new cmdlets in PowerShell v4!" There are a lot of new cmdlets available in PowerShell version 4, and both Windows 8.1 and Server 2012R2 ship with PowerShell version 4. In addition, PowerShell version 4 is available for Windows 7 SP1 (and later) and Windows Server 2008 R2 SP1 (and later).

The first cmdlet that will help us out here is Get-NetTCPConnection. According to the help page this cmdlet "gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state." This is going to be great! But...

It doesn't mention the process ID or process name. Nooooo! This can't be. Let's look at all the properties of the output objects.

PS C:\> Get-NetTCPConnection | Format-List *

State : Established
AppliedSetting : Internet
Caption :
Description :
ElementName :
InstanceID : 192.168.1.167++445++10.11.22.33++49278
CommunicationStatus :
DetailedStatus :
HealthState :
InstallDate :
Name :
OperatingStatus :
OperationalStatus :
PrimaryStatus :
Status :
StatusDescriptions :
AvailableRequestedStates :
EnabledDefault : 2
EnabledState :
OtherEnabledState :
RequestedState : 5
TimeOfLastStateChange :
TransitioningToState : 12
AggregationBehavior :
Directionality :
LocalAddress : 192.168.1.167
LocalPort : 445
RemoteAddress : 10.11.22.33
RemotePort : 49278
PSComputerName :
CimClass : ROOT/StandardCimv2:MSFT_NetTCPConnection
CimInstanceProperties : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties

Dang! This will get most of what we want (where "want" was defined by that Hal guy), but it won't get the process ID or the process name. So much for rubbing the new cmdlets in his face.

Let's forget about Hal for a second and get what we can with this cmdlet.

PS C:\> Get-NetTCPConnection | Select-Object LocalPort | Sort-Object -Unique LocalPort
LocalPort
---------
135
139
445
3587
5357
49152
49153
49154
49155
49156
49157
49164

This is helpful for getting a list of ports, but not useful for making decisions about what should be allowed. Also, we would need to run Get-NetUDPEndpoint to get the UDP connections. This is so close, yet so bloody far. We have to resort to the old school netstat command and the -b option to get the executable name. In episode 123 we needed parsed netstat output. I recommended the Get-Netstat script available at poshcode.org. Sadly, we are going to have to resort to that again. With this script we can quickly get the port, protocol, and process name.

PS C:\> .\get-netstat.ps1 | Select-Object ProcessName, Protocol, LocalPort | 
Sort-Object -Unique LocalPort, Protocol, ProcessName


ProcessName Protocol Localport
----------- -------- ---------
svchost TCP 135
System UDP 137
System UDP 138
System TCP 139
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
System TCP 445
svchost UDP 4500
...

It should be pretty obvious that ports 137-149 and 445 should not be accessible from the Internet. We can filter these ports out so that we don't allow them through the firewall.

PS C:\> ... | Where-Object { (135..139 + 445) -NotContains $_.LocalPort }
ProcessName Protocol Localport
----------- -------- ---------
svchost UDP 1900
svchost UDP 3540
svchost UDP 3544
svchost TCP 3587
dasHost UDP 3702
svchost UDP 3702
svchost UDP 4500
...

Now that we have the ports and protocols we can create new firewall rules using the new New-NetFirewallRule cmdlet. Yeah!

PS C:\> .\get-netstat.ps1 | Select-Object Protocol, LocalPort | Sort-Object -Unique * |
Where-Object { (135..139 + 445) -NotContains $_.LocalPort } |
ForEach-Object { New-NetFirewallRule -DisplayName AllowedByScript -Direction Outbound `
-Action Allow -LocalPort $_.LocalPort -Protocol $_.Protocol }

Name : {d15ca484-5d16-413f-8460-a29204ff06ed}
DisplayName : AllowedByScript
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
...

These new firewall cmdlets really make things easier, but if you don't have PowerShell v4 you can still use the old netsh command to add the firewall rules. Also, Get-Netstat supports older versions of PowerShell as well, so this is nicely backwards compatible. All we need to do is replace the command inside the ForEach-Object cmdlet's script block. Note the $( ) around the property accesses: in a bare argument to an external command PowerShell only expands $_ and would pass ".Protocol" literally.

PS C:\> ... | ForEach-Object { netsh advfirewall firewall add rule `
name="AllowedByScript" dir=in action=allow protocol=$($_.Protocol) `
localport=$($_.LocalPort) }
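The filtering and rule creation above, pulled together into one pipeline-friendly function as an added example (not code from the original post or from Get-Netstat). Because the ports come from listening sockets, the rules are created with -Direction Inbound, matching the netsh dir=in variant; the function name, the $seen de-duplication and the sample objects are my own assumptions.

```powershell
# Added example, not from the original post: builds inbound allow rules from
# netstat-style objects (Protocol, LocalPort), skipping ports that must never
# be exposed. New-NetFirewallRule comes with the NetSecurity module; netsh is
# the fallback where that module is missing. Supports -WhatIf for a dry run.
function New-ListeningPortAllowRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Port,
        [int[]] $BlockedPort = (135..139 + 445),   # NetBIOS/SMB, never from the internet
        [string] $RuleName = 'AllowedByScript'
    )
    begin {
        $seen = @{}
        $haveModule = [bool](Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)
    }
    process {
        $proto = $Port.Protocol.ToUpper()
        $num   = [int]$Port.LocalPort
        if ($proto -notin 'TCP', 'UDP') { return }          # skip anything unexpected
        if ($BlockedPort -contains $num) {
            Write-Verbose "Skipping $proto/$num (on the blocked list)"
            return
        }
        $key = "$proto/$num"
        if ($seen.ContainsKey($key)) { return }             # one rule per protocol/port pair
        $seen[$key] = $true
        if (-not $PSCmdlet.ShouldProcess($key, "create inbound allow rule '$RuleName'")) { return }
        if ($haveModule) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort $num | Out-Null
        } else {
            netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
                protocol=$proto localport=$num | Out-Null
        }
        $key   # emit the protocol/port pair that got a rule
    }
}

# Constructed sample input standing in for .\get-netstat.ps1 output
$sample = @(
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 135 }
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 445 }
    [pscustomobject]@{ Protocol = 'UDP'; LocalPort = 3702 }
    [pscustomobject]@{ Protocol = 'UDP'; LocalPort = 3702 }
    [pscustomobject]@{ Protocol = 'TCP'; LocalPort = 3587 }
)
# -WhatIf lists the rules that would be created without touching the firewall
$sample | New-ListeningPortAllowRule -WhatIf -Verbose
```

Run it without -WhatIf (as an administrator) to actually create the rules; on the sample input only UDP/3702 and TCP/3587 get one.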
28 Jan 21:27

Mr. Maaßen, the head of the Verfassungsschutz, is even further out of it ...

Zeckenhorst81

cchhhh

Mr. Maaßen, the head of the Verfassungsschutz, is even further out of it than previously assumed. He has put a whole cornucopia of howlers on the record. One stunner follows the next! It starts off strong with:
I assume that the Americans abide by American law. And that does not provide for industrial espionage by American services
Yeah no, of course not, Mr. Maaßen! Why would they do that, Mr. Maaßen!

But wait, there's more!

We have neither valid findings that the Americans are tapping broadband cables in Germany, nor whether the Chancellor's mobile phone was being intercepted from the US embassy in Berlin
You would think they had already failed with those arguments months ago, that the interview must be from August or so. But no, it is fresh.

I would link to the primary source, but as far as I am concerned they have disgraced themselves all the way back to the Stone Age.

But one thing is crystal clear. After this complete declaration of bankruptcy by the Verfassungsschutz, nobody can be against shutting the whole shop down immediately. NSA and GCHQ boast about their capabilities in PowerPoint slides, and the Verfassungsschutz fails in six months of investigative work to clear up any of it. What have they been doing all this time? Trying to recruit informants inside the NSA?! Shut it down, now!

28 Jan 09:53

Wealth levy is coming soon! Get your savings ...

Wealth levy is coming soon! Get your savings to safety!
In its latest monthly report, the Bundesbank has favourably taken up the idea of a one-off wealth levy to solve sovereign debt problems.
More on this at DWN
[12] Comments
28 Jan 11:36

Sascha Lobo has found a nice term for ...

Sascha Lobo has found a nice term for how the governing parties deal with the security apparatus: Sicherheitsesoterik (security esotericism).

It neatly sums up how, in "security", the scientific method and the insights of the Enlightenment are completely ignored and replaced by the typical features of esotericism:

The obvious parallels, for example between data retention and horoscopes, are frightening:
  • Individual incidents serve as justification.
  • Independent studies showing ineffectiveness are ignored.
  • The discussion of details replaces the discussion of the point.
  • As if in an incantation, the necessity is constantly repeated.
  • Tautological loops of reasoning are used.
  • Artificial connections are constructed.
  • Critics are defamed.
He is completely right. The "arguments" for data retention are reminiscent of horoscopes, tarot cards, dowsing rods and Bach flower remedies. Worse still (and Lobo gives this aspect too little attention): when you demand evidence, the agencies that want the data brush it off with secrecy.

As a society we have reached a point where I consider the potential damage from a complete end to secrecy smaller than the actual damage from continuing with it.

28 Jan 16:26

BGH: Schufa does not have to disclose its scoring methods. ...

BGH: Schufa does not have to disclose its scoring methods. This ruling is going to bite us hard in the backside in the coming years. Perhaps the judges should have talked to people in the field beforehand. It is not acceptable that people can be denied a mobile phone or a bank account on the basis of secret procedures, and the responsible company then invokes trade secrets.
27 Jan 13:56

Brief announcement from the Vienna police chief: To criticism ...

Brief announcement from the Vienna police chief:
To criticism from a co-organizer of Friday evening's demonstration about the police's conduct, Pürstl reacted sharply: "Now don't come to me with the tearjerker that some people got tear gas in their eyes. It's actually good that they were with the ambulance service, because that's where the data is, there we can identify them and will see what involvement they had."
So you know where you stand!