Cyconet Blog » security

Kabel Deutschland breaks DNS System for it’s customers

cyco — Fri, 23 May 2008 13:59:26 +0000

Last week I noticed, that Kabel Deutschland, a cable provider in germany, returns for any non existing hosts “204.9.89.60″. It seems, thats it is rolled out since last fall. Even for DNSSEC enabled infrastructure it breaks it totally:

; <<>> DiG 9.3.4 <<>> +dnssec web.pixaco.se @83.169.184.161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
web.pixaco.se. 0 IN A 204.9.89.60

Beside that, this behavour breaks the whole DNS, since many mechanism rely on a negative answer. The most visible effect for the users is, that when having a typo on surfing, he will forwarded to http://suche.kabeldeutschland.de/de.kde.assist/?domain=. Since 204.9.88.0/21 is located at our transatlantic friends from US, there might be some problem with leaking privacy informations. I don’t feel happy, if I had a typo in my URL and getting listed for it on any terror list or providing the newest porno links to my american friends inside the organisations with the tree capitals.

All that for getting some extra money, but racing pricedumping for connectivity, this sucks a lot.
If you are a customer and feel pissed, you can send a friendly note to them:

Kabel Deutschland Vertrieb und Service GmbH & Co. KG
Beschwerdestelle
99116 Erfurt
kundenservice@kabeldeutschland.de
Fax: 01805299925

A quick and dirty workaround for dnsmasq maybe to add “bogus-nxdomain=204.9.89.60″ to your config file. This doesn’t fix the DNSSEC problem.
The problem also pops up at dns-operations and there are traces at google too.

[UPDATE] Over 1 year later zdnet.de discoverd the problem.

[security] wordpress 2.5.1 which fixes CVE-2008-1930

cyco — Fri, 25 Apr 2008 18:15:26 +0000

Cause the subject, I did build a new package which can be installed on etch, lenny and of course sid. You can fetch it from http://ftp.cyconet.org/debian/archive/bpo/wordpress/2.5.1-1~bpo40+1/ or get via

deb http://ftp.cyconet.org/debian etch-backports main non-free contrib

Selfnote: Dump the wordpress user into separate domU

[security] policyd-weight 0.1.14-beta-6etch1/0.1.14.15-1

cyco — Thu, 27 Mar 2008 20:12:21 +0000

This Tuesday Robert Felber released a new upstream version. It is a (local) security bugfix (and some minor fixes) which was reported on Sunday by Chris Howells to the Debian Security Team (as well as to other vendors). Today DSA-1531 was released.

Right from the DSA:
“… created its socket in an insecure way, which may be exploited to overwrite or remove arbitary files from the local system.”

So please update you systems if you use this package asap.

While we are at policyd-weight… there is one bug open (#471645) where I’m unsure if I want to fix it, cause only stable is effected and the problem can be solved by providing a adjusted array of rbl in the config file. Should I ask for inclusion directly into stable? But it’s a really minor issue. Or try to get 0.1.14.15 uploaded to volatile? I’m really unsure and suggestions are welcome.

Package updates and others

cyco — Fri, 07 Dec 2007 11:51:04 +0000

Since some weeks I’m really busy, private and at work. It’s going into the end of the year and everybody is in hurry. There seems also coming some changes for our family down the road in the future, but more maybe later. Additionally one months ago Santiago Ruano RincÃ³n did surprisingly turn up as my AM. We started fast, but I got stuck at P&P part 1 with the License comparisons, cause actually I’m so busy at work and with my family, that I can’t concentrate enough late at night, when trying to work on the papers. For example the graphviz license is completely overwhelming me. My hope in the last time was some bigger timeslots at the weekends, but they got smashed by my family and/or work issues. I hope Santiago is not getting annoyed by me and I can find hopefully some free time on holidays or in the first weeks next year.

Anyways … Christian Perrier started a review and translation process of ipplans debconf templates by the debian-i18n contributors. The templates was in really bad conditions, most of it was copied over from gallery2 and I did know that they wasn’t so good. Thanks for all your work, when the process is over I’m proud to include your really nice work.

Two other packages got updates. php-suhosin got new upstream release after months which fixes the broken perdir/.htaccess support. Unfortunatly I missed the release (cause there is no announcement list and there was no watch file) unless Raphael Geissert did leave a note. I integrated the new VCS and homepage stuff also and formorer did fix some minor issues. So we can hopefully upload now (when it arrives testing) the first package to backport.org and sleep little bit better, when using PHP on stable.
nagios-plugins also got updated. Since Seanius seems really busy (like allways), nobody did really took care of the package. In October it got two CVE which was solved via NMU by the testing-security team, also two new upstream releases where available. So I droped the obsolete patches, integrated new once, did make the new shiny lintian a bit more happy, some minor fixes and queued the package to Seanius. ;)
You can expect both packages on backport.org soon. My other (comaintained) packages will get updated to latest policy and VCS/homepage guidelines in the near future. Actually I’ve to prioritize what to do with the left time slots. :/

Ignoring security (usability)

cyco — Fri, 06 Jul 2007 23:39:18 +0000

Since some time, Deutsche Bahn rolled public wireless lan called “WLAN am Bahnhof” out at 25 railroad stations, you can choose between 4 providers. Sounds really nice, but beside the economical conditions, there is also at least one security issue.
Connecting to the network and opening your favorite browser redirects you to a encrypted portal. So far, so good … the really bad news is, that the certificate expired over 6 years ago.

This seems to be a normal behavior, since it happens often, that invalid certificates are used. This leeds to blunted users, which aren’t verifying such certificates anymore, even when it’s important.
Does anybody know a reasonable way to notify anybody who can solve the problem there beside the normal contact forms?

Is DNSSEC ready for wild life?

cyco — Fri, 20 Apr 2007 19:57:11 +0000

Today the RIPE DNS for LIRs Training Course did take place. (some not up to date course material can be found here)
Managing some thousands of zones inclusive nameserver infrastructure behind since several years, I thought it would be neat to provide a secure dns chain to our costumers.
After going deeper into the material within the course, I recognized the following impacts:

only bind9 (>= 9.3) and NSD privides support (yet)
bandwidth will be increased 2-3 times with max. key size
increased memory usage depending on your server software
operational costs will increasing dramaticaly due significant higher amount of regular work
more computing power (hardware) needed to generate dnssec ready zones and signing
unknown influence on resolving nameservers (load/memory/bandwidth)
chain of trust ends at resolving nameserver and is not provided to enduser

Since the last issue isn’t solved (yet), it doesn’t make any sence for me to invest resources into setting up DNSSec infrastructur, cause the end user would not recognize if the communication with the resolving nameserver or the resolving nameserver itself is taken over.

Any complaints and/or hint? Did I missed something?