david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

NAT with iptables : super fast tutorial

posted April 2014

So I know how to use iptables, I know what a NAT is, but I don't want to learn how to exactly do it. Misery... I have to learn how to do it because I have an exam that will probably ask me how to do it in a few days. So I've been looking for a super simple tutorial, a 1 minute tutorial, on how to setup a NAT configuration with iptables in 1 minute. Couldn't really find it so here it is, if this is somewhat useful for someone, you're welcome.

First Step

For NAT to work, you have to allow forwarding on your server. Easy peasy:

$ echo 1 > /proc/sys/net/ipv4/ip_forward 

Also, before adding new iptables rules, be sure to check what rules you already have

$ iptables -L

you should allow some forwarding for it to work (if the policy is default to DROP). But this not a tutorial about iptables.

Static

I have a server with:

  • eth0 connected to the network

  • eth1 connected to internet

Let's modify the PREROUTING part. Traffic coming from internet on our public address (@pub) and trying to reach our machine:

$ iptables -t nat -A PREROUTING -d @pub -i eth0 -j DNAT --to-destination @priv

Let's modify the table nat, append a rule to the pretrouting section : something is trying to reach @pub ? Let's put it in our input interface eth0, jump to the Destination Nat protocol, which tells us to send the packet to @priv.

Now Let's modify the POSTROUTING part. Traffic coming from inside our network and trying to reach something, somewhere on internet:

$ iptables -t nat -A POSTROUTING -s @priv -o eth1 -j SNAT --to-source @pub

If the packet is coming from @priv, let's put it on our output interface eth1 and jump to the Source Nat Protocol that will modify the packet so it has the public address (@pub) as source.

Here! You did it. One private IP address mapped to one public IP address.

Dynamic

Same kind of configuration but now we have several private addresses and only one public address.

$ iptables -t nat -A POSTROUTING -s @priv/mask -j MASQUERADE

We can modify every packets coming from the subnetwork @priv to get masqueraded.

$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Or we can just tell all the network to get masqueraded.

And this is it. No PREROUTING Needed.

Again, you're welcome ;)

2 comments

So... The Heartbleed Challenge has been completed

posted April 2014

A few hours after the start of the Heartbleed challenge, actually, just 3 hours after the start of the Heartbleed challenge. Fedor Indutny seems to have cracked it.

So now, chaos begins. If you own a certificate, you not only have to change it, but you also have to revoke it. I wonder how many will change, and how many will revoke.

You can check that he indeed did it by doing this:

Just to confirm it: put this into your /etc/hosts “165.225.128.15 http://www.cloudflarechallenge.com ” and visit “https://www.cloudflarechallenge.com/ “.

here why it works:

Putting that mapping in /etc/hosts lets your machine skip DNS lookup for that hostname, and just use his IP for that domain name.
Then, your browser checks the received certificate against the authenticated TLS connection, and sees that all is well, allowing you to connect without a warning.
Since the browser does not warn of a certificate mismatch, he must have a valid certificate for 'cloudflarechallenge.com'. QED.

The Cloudflare team reviewing the attack:

cloudflare

comment on this story

NSA was not aware of the Heartbleed bug

posted April 2014

NSA is not happy. NSA is tweeting, tumblring (is this a verb?) and shouting loud and for all of who wants to hear it : they didn't know about the Heartbleed bug.

by the way they're talking about a "zero day" vulnerability, and now is a good time to learn what it is:

a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it

I'm akin to trust them since... well. So many US websites were using OpenSSL and... it's not really nice if someone else eavesdrop on american citizen...

Anyway, this shows that the NSA has a long way to build trust again.

comment on this story

Bordeaux, one more list

posted April 2014

I don't write enough in the "Life in Bordeaux" section of this blog. So, here I am, trying to write something.

What can I tell you about Bordeaux ?

bordeaux

I ***** love Bordeaux. I love its student life, I love how practical it is for me to see my friends, I really like my campus especially that building with all those free-access computers with double screens and everything already setup on them.

I don't really like the weather though, it's raining quite often, I'd say at least once a week, but when it shines, it shines.

The public transport is the worse part of the city. There is no subway and trams are always PACKED. And when I say packed I mean "you will miss 5 trams in a row because you can't get in" packed. And I have to commute, every day... but I'll survive, it's not Paris and its awful subway :) far from that.

my appartment

The streets are dirty, my apartment is crappy, really, but it's okay, I'm moving in June, hopefully to a better place. Still have to find a new place though, and looking for a place in Bordeaux is HARSH. I shiver just thinking about it.

streets

Girls are pretty :o) and there are many girls. Bad thing is that my part of the campus is full of guys (and sometimes its hard to tell).

I don't know what else I could say. I like it better than Lyon, way better than Hamilton in Ontario, way way better than Paris. It lacks the feeling of "full of opportunities" that Beijing has though. But the air is breathable at least =) so yeah. Later in my life, I will consider settling in Bordeaux. Why not?

comment on this story

Exams

posted April 2014

We've been a group of 4-5 students spending each nights at the Crémi these few last days, this building of three floors where each floor has around 10 rooms full of computers.

We work, we eat, we play, and we crash each other computers.

There are a bunch of games installed on every computers but we mostly play SauerBraten, a quake-like.

sauerbraten

My 15-year-old self would have spent most of his days here playing, if only he knew that his future campus would have such a sacred place :)

How do we crash each other computer? We just ssh into their machine and launch a fork bomb:

 :(){ :|:& };:

It operates by defining a function called ':', which calls itself twice, once in the foreground and once in the background.

comment on this story

The Heartbleed Challenge

posted April 2014

Cloudflare's engineers have set up a server vulnerable to Heartbleed, if you find the secret SSL keys and publish your solution you'll get 10,000$. The challenge is here and there's a blog post here.

an attacker can get up to 64kB of the server’s working memory. This is the result of a classic implementation bug known as a Buffer over-read

Apparently it is not known if it is possible or not to find those keys. If it appears to be possible the results would be catastrophic as every single website that has used OpenSSL would have to revoke and ask for a new certificate. And as Cloudflare says:

the certificate revocation process is far from perfect and was never built for revocation at mass scale.

So it would then be very easy for any server to pretend they're someone else.

A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening. The heartbleed bug was a mistake in the implementation of the response to a heartbeat message.

This is the code in question:


p = &s->s3->rrec.data[0]

[...]

hbtype = *p++;
n2s(p, payload); 
pl = p;

[...]

buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;

[...]

memcpy(bp, pl, payload);
comment on this story

How we got read access on Google’s production servers

posted April 2014

The team at Detectify found a way to access files on one of google's production server. Thanks to an old google product (google toolbar) that was using a poorly secured XML parser.

They just used a simple XXE attack where they uploaded a poisoned xml files and saw what the application printed back

a xxe looks like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

More on their blog

comment on this story

How Heartbleed works thanks to XKCD

posted April 2014

I found a pretty nice explanation of Heartbleed for the layman in this XKCD comic. Heartbleed is a recent and alarming vulnerability found in the OpenSSL toolkit that serves most of the application/websites today. To quote Schneier:

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Here's the comic:

heartbleed

And if you want to dig a bit more into it, you can read some more explanations on security.stackexchange.

comment on this story

Condoleezza Rice join the Board of Directors at Dropbox

posted April 2014

..We're proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.

People are not happy with that news.

When I knew you at Stanford I had the greatest admiration for your abilities and good sense. But now I cannot help but express to you my chagrin that the warm feelings I once had have basically evaporated. I hope you can pause to try to understand why this might be the case.

Don Knuth's open letter to Condoleezza Rice

comment on this story

Heartbleed already being used to cash bitcoins

posted April 2014

A message some users of Virwox received:

Hello,
here is what has happened:
Similar to other exchanges, our servers are protected from DDOS-attacks by an external service provider. While our own servers themselves were not vulnerable to the "Heartbleed" attack, the proxy servers of the DDOS provider were. They have fixed the problem already and we have turned on the service again.
The good news is that our own server was NOT hacked, and none of our secrets or bitcoins were stolen. However, the attacker was able to get to the session cookies of in total 20 users who were logged in yesterday (between about 8am and 11am), and used this to try to withdraw the money they had in their account in the form of bitcoins.

They don't say how much loss they have suffered, but they have reimbursed the victims.

comment on this story

My blog

posted April 2014

p1x3l

p1x3l

I wanted to learn Python, so a few months ago (I forgot to post about it here!) I redid my old blog in Django.

It's way different than PHP but it was a lot of fun :) I love learning different technologies. You can check it out here but be careful, it's in french!

Here's a list of what I want to learn right now:

  • QT with C++
  • Unity
  • Android applications
comment on this story

Brackets

posted April 2014

I recently advised a colleague to try Brackets since he's learning html, css, etc...

But I've never really used it myself for a project. I've tried it, found it really cool, but never had a chance to start a project with it yet. As I was trying to convince my colleague to give it a try I ran into this cool video from Jeffrey Way the guy who made Tutsplus (and the amazing sublime text tutorial) Check it out!

comment on this story

Fast Fourier Transform

posted April 2014

So, I've learned about Fourier every year in my bachelor of Mathematics and I'm learning about the efficient algorithm dealing with the Fourier Transform in my class of Algebra right now.

I found a really nice video explaining really quick what it is, concretely.

Here's wikipedia way of showing that fourier made by LucasVB, this crazy guy doing all those math gifs you've probably seen before :) more here

There's also a visualization in d3.js here: http://bl.ocks.org/jinroh/7524988

comment on this story

Long polling and webhooks

posted April 2014

I remember reading about how the newly facebook chat was made using long pollings, years ago. Now with HTML5 with have sockets and webhooks made easy. I wonder if they're still using long polling now...

Anyway, Zapier. A start up that is making APIs easy, is writing a lot of interesting tutorials these last few months. Their new Chapter 7 was released and it's about polling and web hooks. And as usual it's great!

https://zapier.com/learn/apis/chapter-7-real-time-communication

comment on this story