somewhere on the raid array something crashed - two disks went offline, don't know why. cables? mice? no clue.
took a few hours until I found the time to fix this and import the old config again.
stuff's been up and running again for about an hour.
tom
Wednesday, October 15, 2008
Thursday, September 04, 2008
Answer from PriceWaterhouseCoopers
I sent an email to PwC asking about my data and my account that may have leaked from their career site. I wonder whether only the login and password leaked, or whether all my personal data, CV etc. leaked as well.
The answer I got from PwC (sorry again: German only) speaks for itself:
Dear Mr Springer,
thank you for your enquiry. We will shortly be able to provide you with information and will notify you promptly.
Until then we ask you to change the password you used for the job database at PwC immediately, in order to prevent potential misuse of data.
We thank you for your understanding.
Kind regards
-------
tom
Update: they finally published a press release: http://www.presseportal.de/pm/8664/1258775/pwc_pricewaterhousecoopers
Wednesday, September 03, 2008
And the Winner is:
And the Winner is: Price Waterhouse Coopers.
Some people believe that the account database of their career site leaked mail accounts and passwords, causing the mail issued by ZDF cited in my previous posting. I don't know if this is true. I don't state that this is the case. Others do. It is possible: I have an account there. PwC might believe this as well: their career login page is currently closed.
Funny.
Tom
funny email from ZDF
Sorry - German only. No fake - the password was a real password I used ages ago for useless boards and sites.
I'd have to send thousands, sometimes even millions of emails like this around twice a month if I reacted to every userbase I get access to. (update: I don't do this, usually because I stumble upon this data whilst pentesting on behalf of the affected company itself.) anyway - nice to read.
You are receiving this mail from us because we were made aware of a data protection problem that concerns your e-mail address.
According to our research, your e-mail address and the password *xundat* (the password has been shortened for your security) are located on a freely accessible server on the Internet, hosted in China.
The data appears to come from a data theft; the data thieves have tried to use this combination of mail address and password to gain access to online payment services.
According to initial findings, the data itself comes from a database that has nothing to do with financial services and with which you registered at some point in the past.
You may be using this combination of e-mail address and password for other Internet services, for instance for your mail account, to log in to online shops or on other websites. In that case we strongly advise you to change your password on each of these sites without delay, before anyone can take advantage of the presence of this data on the Internet.
Notes on the use of passwords and on creating secure passwords are given below.
This mail results from research by the ZDF programme WISO, which will report in detail on this data theft on Monday, 8 September. Information will then also be available at http://www.wiso.de/ at the latest. Please note that we cannot provide individual advice; e-mails to this sending address will not be answered.
We will delete the data in our possession after the report is broadcast; you will receive no further mail from us at this address (unless you have subscribed to a ZDF information service). We are informing the company affected by the data theft as well as the relevant data protection authority about the incident. However, we have no influence over deleting the data located on a Chinese web server.
In order to be able to report competently on the seriousness of the data theft, the WISO editorial team asks you to take part in a short survey on the data theft, anonymously of course (see the notes at the end of the mail).
Your answers can help to make the programme's viewers more aware of problems concerning data security on the Internet.
http://vote.wiso.zdf.de/
Kind regards
Zweites Deutsches Fernsehen / Redaktion WISO
Here are the tips for handling passwords securely, taken from the website http://www.bsi-fuer-buerger.
1. A good password
... looks like this: it should be at least eight characters long. Names of family members, of the pet, of the best friend, of the favourite star etc. are taboo. And if possible it should not appear in dictionaries. In addition it should also contain special characters (?!%...?) and digits. Overly common variants should be avoided, so not 1234abcd and the like. Simply appending digits to the end of the password, or putting one of the usual special characters $, !, ?, # at the beginning or end of an otherwise simple password, is not recommended either.
But how does one remember such a password? There are tricks for that too. One popular method works like this: think of a sentence and use only the 1st letter of each word (or only the 2nd or the last, etc.). Then convert certain letters into numbers or special characters.
Here is an example:
"Morgens stehe ich auf und putze meine Zähne." ("In the morning I get up and brush my teeth.") Only the 1st letters: "MsiaupmZ". "i" looks like "1", "&" replaces the "und" ("and"): "Ms1a&pmZ".
In this way you have built yourself a good mnemonic. Of course there are many other tricks and methods that work just as well.
2. Change passwords regularly
Every password should be changed at regular intervals. Many programs remind you automatically when you have been using a password for, say, six months. Don't just click this prompt away; better to comply with it right away! Of course it is then hard to remember all the passwords. Which brings us to the next point.
3. Do not write passwords down
Even if it is difficult with rarely used login data, as a rule you should not write passwords down.
4. Do not use the same password everywhere
The habit of using the same password for many different purposes or accounts is problematic. If the password of a single application falls into the wrong hands, the attacker has free rein over your other applications. That could be, for example, the mailbox or all the information on the PC.
5. Change default passwords
With many software products, accounts are given empty passwords or generally known passwords during installation (or in the state they are delivered in). Hackers know this: in an attack they first try out whether someone forgot to give these accounts new passwords. It is therefore advisable to check in the manuals whether such accounts exist and, if so, to secure them with individual passwords without fail.
6. Protect the screen saver with a password
With the common operating systems you have the option of locking keyboard and screen after a certain waiting time. Unlocking only takes place after entering a correct password. This option is not there for nothing. So: use it! Without password protection, unauthorized third parties can otherwise gain access to the PC during a temporary absence of its legitimate user. Of course it is rather annoying if the lock kicks in after only a short time. Our recommendation: 5 minutes after the last user input. In addition there is the option of activating the lock immediately when needed (e.g. on some Windows operating systems: press Ctrl+Alt+Del).
Notes on our survey:
Participation is anonymous; no personal data is collected by the web form. For technical reasons, however, web servers log which IP addresses the form was accessed from; the creation of these log files cannot be prevented. However, this data is not logged together with the survey results, and tracing the data back would only be possible with great effort. Anyone who wants their anonymity when visiting websites such as this survey to be protected more comprehensively can use the following web anonymizers. ZDF accepts no liability for these services and their use:
http://www.megaproxy.com/
http://anonymouse.org/anonwww.
http://www.anonymsurfen.com/
cracking hashes
we updated our servers recently - the db is running on an intel quadcore, and there is plenty of computing power for adding new hashes to the database for our site hashcrack.com. a friendly guy sent me a rather huge wordlist created mainly out of several wikipedia dumps, which we have been importing for a few days. we limited speed to around 1 million words per day, but I consider the figures of 31.000.000 words and 189.405.954 known hashes rather impressive already - the database is still running fast with this load.
I don't know any other hashcrack base offering more words AND supporting more than md5 and sha1. In fact I support md5 and lm hashes only to be complete. If you want to look up md5 or lm hashes, you should really use one of the few sites offering rainbow tables. They know almost every lm hash and at least all md5 hashes up to 7 or 8 characters. When it comes to reverse-lookup of NTLM hashes for Windows NT or MySQL password hashes for mysql3, mysql4 and mysql5, hashcrack.com is still the biggest database I know of. I'd be happy to link to any other database knowing more hashes!
tom
Thursday, August 07, 2008
murphy 2
no, not only did the database pass away, file-info also died despite having nothing to do with the database at all.
the reason here was our provider strozzo updating their crappy virtuozzo hosts, which for some crazy reason cut the balls off our perl core.
no more perl modules left.
no more file-info there, since it relies in parts on Phil Harvey's Image::Exifinfo, a really great piece of software.
thanks to an anonymous comment moaning about the nonfunctional file-info. the perl modules are reinstalled, file-info is working again as it did.
tom
Monday, August 04, 2008
murphys law
some might have noticed: serversniff's been half dead for 72 hours.
the UPS failed, power failed and the raid got corrupt. time to restore from a db dump.
and time to upgrade: our postgresql database ran on windows 2000, which is rather fine unless your database grows too bloated. postgresql won't eat more than ~600MB shared memory on windows 2000, which is fine, unless your database grows too bloated... - because the vacuum process needs more RAM. So I ended up with an ever more fragmented database.
time to switch to linux. I tried to build the system as a guest on VMware ESXi - which I managed - but there must have been something horribly wrong with the filesystem: all disk transfers were slow as hell, usually below 10 MByte/s. After 60 hours of setting up ESXi, a linux guest and the database I threw the stuff away and started all over installing plain linux on Sunday evening, 48 hours after the database initially crashed.
Since then I've installed linux on the machine, prepared the raid array, the database and everything else. currently the data is being restored from a dump and the indexes are being generated - 6 of ~20 are already done, the rest might be finished by tomorrow. from what I see right now the database is considerably faster using linux and 1 GB of shared RAM.
I apologize for the downtime, especially to the folks at blackhat.
tom
Tuesday, July 29, 2008
Friday, May 30, 2008
How to check SSH and SSL Certificates for the debian flaw
I've had quite a few questions from people on how to check their SSH and SSL certificates for the recent debian flaw. As I had to check a few hundred customer sites too, I did a little web interface for checking SSH certs and SSL certs for the PRNG bug.
See them at work at http://serversniff.net/sshreport.php and http://serversniff.net/sslcert.php
No magic behind it - just debian's ssh-vulnkey and a php rip-off of the chksslkey shell script written by Michael Holzt. Maybe this will help the average rootserver admin to check their sites.
Both scripts use standard sets for verifying the keys, checking only standard DSA/RSA keys for ssh and 1024/2048-bit keys on the ssl check. Drop me a line at tom@serversniff.net if you really need to check for any different key sizes.
tom
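As an added example (not the serversniff scripts and not ssh-vulnkey itself), the SSH side of the check described above boils down to three steps: decode the public key blob from a .pub, authorized_keys or known_hosts line, take its MD5 fingerprint (what ssh-keygen -l printed in 2008), and look it up in the blacklist. It assumes the openssh-blacklist file layout of comment lines followed by one entry per line holding the fingerprint with its first 12 hex digits dropped; the two keys and the blacklist below are constructed for the demonstration (fake moduli, not real weak keys).

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    # SSH mpint: big-endian bytes with a leading zero byte when the top bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob; this is exactly what gets fingerprinted."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def key_line(blob: bytes, comment: str = "") -> str:
    """Render a blob the way id_rsa.pub / authorized_keys store it."""
    return ("ssh-rsa " + base64.b64encode(blob).decode() + " " + comment).rstrip()


def parse_key_line(line: str):
    """Return (key type, blob) from a .pub, authorized_keys or known_hosts line."""
    fields = line.split()
    for i, f in enumerate(fields[:-1]):
        if f.startswith("ssh-"):              # known_hosts puts the host name in front
            return f, base64.b64decode(fields[i + 1])
    raise ValueError("no SSH public key on line")


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the 2008-era 'ssh-keygen -l' form."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def blacklist_entry(blob: bytes) -> str:
    # Assumption: openssh-blacklist stores the MD5 fingerprint minus its first 12 hex digits
    return hashlib.md5(blob).hexdigest()[12:]


def load_blacklist(text: str) -> set:
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def scan_known_hosts(text: str, blacklist: set):
    """[(host, fingerprint, is_weak)] for every key line in a known_hosts file."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _, blob = parse_key_line(line)
        report.append((line.split()[0], fingerprint_md5(blob), blacklist_entry(blob) in blacklist))
    return report


# Constructed sample keys (tiny fake moduli, not real RSA keys) and a matching blacklist
WEAK_BLOB = ssh_rsa_blob(65537, int.from_bytes(b"constructed weak modulus", "big"))
GOOD_BLOB = ssh_rsa_blob(65537, int.from_bytes(b"constructed good modulus", "big"))
BLACKLIST_TEXT = "# constructed blacklist.RSA-2048 in ssh-vulnkey layout\n" + blacklist_entry(WEAK_BLOB) + "\n"
KNOWN_HOSTS = "\n".join([
    "mail.example.org " + key_line(WEAK_BLOB),
    "www.example.org " + key_line(GOOD_BLOB, "root@www"),
])
```

Point it at a real known_hosts and the Debian blacklist files to reproduce the report; key types other than ssh-rsa/ssh-dss need their own blacklist file per size.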
Friday, May 16, 2008
Mapped the net... in parts.
"Mapping the net" is what we called our little project to map as many known hosts, IPs and domains as possible some two years ago. Some laughed, others smiled. And we mapped. Thousands of hosts daily, running into a steadily growing postgresql database built out of junk hardware, running on a single cheap DSL connection.
I started some benchmarking using search engines to see how many hosts we really know, and I was surprised to see that we already know between 70 and 80 percent of all known hosts of major international hosts indexed on rank 1-1000 in common search engines. And we still have far more than 10 million hostnames listed to sort in. I didn't expect to get so far when I started this funny project.
tom
Saturday, March 08, 2008
Whois dropped
Some germans consider whois via serversniff
- a breach of law
- a breach of privacy.
Get your whois info at one of the thousands of sites around the net hosted somewhere outside germany, or directly at the NIC listed on serversniff's domain report.
For the breach of privacy: There was a guy, amongst others, writing me an email to "immediately remove my Name from the page http://serversniff.net/dnr-webmasterinformation.<censored>". He didn't like his real name showing up in the whois information. Hey - I deeply understand this request: If I operated a site like http://www.webmasterinformation.xx, I wouldn't want to have my name assigned to it either. LOL!
Maybe somebody's willing to tell him about whois at all?
The net's a crazy place.
Cheers,
tom
Saturday, February 23, 2008
offlinetime while rebuilding db
we switched the domain database to new, hopefully faster HDDs sponsored by roelof temmingh (and me).
since postgresql still denies a parallel installation I took the opportunity to rebuild the database, update the server and switch the stuff to the new SATA raid. it'll take a few hours until the database is rebuilt and restarted, but it's the weekend - you don't work anyway, do you?
we'll be back again soon.
tom
facts and figures
our current lookup lag: 237.405 days.
current number of known domains: 39.163.435
still sorting in ~100.000 domains per day from queues, mainly generic .com-domains.
tom
Wednesday, February 06, 2008
facts and figures
For the historic records:
we still lag with re-lookups of our hostnames - the current time between renewals of the IP lookup for a hostname is 238,749 days.
We know 36.314.321 domains; the queue with hostnames to sort in decreased to 71.000.000.
The "offline queue" with not yet queued hostnames is around 5 million hosts.
We're still on an SCSI array straight out of the hardware museum with 8 HDDs, 31 of 141 GB free. Over ten year old hardware, still working fine and reasonably fast.
tom
Tuesday, February 05, 2008
Cuill
Cuill started crawling Serversniff a few days ago. It does crawl slowly, but very steadily.
I don't know if this is good news for serversniff, but they have a friendly and steady crawler.
I wonder when and if they go public - and I'd bet whatever you hold against me that they will be bought by a major company (there are not too many of them left) at most 6 months after they open their search to the general public.
Anybody willing to bet against?
If you don't know cuill - google and TechCrunch will tell more.
tom
Tuesday, January 22, 2008
Kick-Ass Feedback
A swedish user kicked my ass to remind me that serversniff's AS report is not always reporting what it should report.
Yah. I ceased working on the stuff to get the domain database fixed way back in October 2007. Some of the mess is fixed now. Data is up to date again, I added more than 17.000 new subnets and I'm going to build a complete BGP parser soon. I reactivated the daily updates after I fixed the database and scripts to work again.
We're currently analyzing BGP tables from routeviews.org and LINX once a day; we might implement KIX and DE-CIX as well.
I'd be happy to get more feedback - but it seems that most of you are plain happy with serversniff or just too bored to bother if something doesn't work out at all.
tom