Tag Archives: security

Web virtual keyboards suck

I recently opened up a new brokerage account at TradeKing, I haven’t really used it yet as I am still in the process of clearing my initial ACH transfer, but one major annoyance is the virtual keyboard they use in their login system. This is pretty commonly used in financial websites, it usually works like this: first you have to type in your username or customer ID, there is only one field to submit, and then if you type in a username/id that matches one of their records, it redirects to a different page to prompt you for passwords/security keys/PINs/etc. Sometimes it doesn’t even tell you if the first input is correct, which is the right thing to do. In the second screen you are presented with a virtual keyboard or keypad, where you are forced to click the virtual keyboard instead of typing in the password, I think some of them even remap the clicks into different keys. This might seem like a good idea as it makes it slightly harder for people to guess the passwords, but in reality it doesn’t work because:

it encourages users to have much shorter and easier to type passwords or PINs, instead of using 1Password‘s password generator to generate strong random passwords with the maximum allowed length, I am inclined to use something easy to type, without symbols or mixed cases
with a little bit of scripting and the right tools, you can emulate mouse clicks in browsers, people do this in web UI testing all the time, so it really doesn’t prevent anyone from trying to guess passwords, and due to point #1 the passwords are usually easier to guess with such system

This just becomes a HUGE annoyance to your customers when they try to access their accounts. TD Ameritrade or E*TRADE don’t do this, and 1Password can log me into those sites with just one keyboard shortcut (?-\), so I am way more likely to trade at my TD Ameritrade account vs at TradeKing.

This is a screenshot of how it looks like at TradeKing:

Option trading: online brokers | options trading strategies | free trading software, TradeKing

Uploaded with plasq‘s Skitch!

ING Orange also has something similar:

Uploaded with plasq‘s Skitch!

and HSBC also implemented a virtual keyboard, though, in this case, 1Password was able to autofill and submit the form:

Uploaded with plasq‘s Skitch!

BTW, if you have a Mac and an iPhone, I highly recommend getting 1Password, especially if you use multiple browsers like I do (FF, Fluid, and Safari). It is GOLD!

How to patch up Debian sarge bind9 TAKE TWO!

Leave a reply

The blogosphere is great, I wrote up on how I patched up my bind9 and quite a few people contacted me or posted comments informing me that it was the wrong patch. I looked into it more today and finally got a real fix for it.

I could not find a patch to fix the DNS cache poisoning problem for bind-9.2.4, it is probably no longer maintained. So I had to compile it from scratch, for the impatient I have hosted the .deb here.

First remove old bind9 package and download bind-9.5.0-P1.tar.gz from http://www.isc.org/index.pl?/sw/bind/view/?release=9.5.0-P2 and unpack:

$ mkdir /tmp/bind && cd !$ && tar -zxf bind-9.5.0-P1.tar.gz && cd bind-9.5.0-P1/

you might need one or all of these packages, if you’ve never build a .deb before you probably at least need dh-make

$ sudo apt-get install autotools-dev fakeroot dh-make

run dh_make and build:

$ dh_make

tweak configurations in the debian directory, I added –disable-openssl-version-check and –sysconfdir=/etc/bind to the configure options

$ sudo dpkg-buildpackage -rfakeroot

Now you should have a .deb in /tmp/bind, install it as usual

$ cd .. && sudo dpkg -i bind_9.5.0-P2-1_i386.deb

I think I didn’t configure the deb build options correctly so I didn’t get a /etc/init.d/bind9, if you’re missing that after the install, you can grab mine here. Also, when you removed bind9.2.4 it might’ve removed /var/cache/bin, if so, you need to create that directory, or whatever you specified as the directory in /etc/bind/named.conf.

If you have problems getting named to run, look for a named.run file, it should have the error message on why it exited execution. Finally, you should verify it by running something like this:

$ dig +short @localhost porttest.dns-oarc.net txt
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 19585"

If you see GREAT, it’s working, if you see POOR, then you’re still running an outdated version of named/bind9.

How to patch bind9 in Debian sarge to get DNS cache poisoning exploit patch

10 Replies

UPDATE (8/7/08):

The patch posted below actually does NOT fix the cache poisoning problem, please check out my follow up post instead. The original is included below but please note that it does not fix the security problem.

original blog post:

Most of you have heard about the DNS cache poisoning exploit, it is serious, most operating systems have security updates to get the latest bind9/named package and if you update you’re ok. However, Debian terminated security supports for Sarge/3.1 on March 1st. So if you’re like me still running sarge and don’t have the time to upgrade to etch or something newer, you’re kindda in a bad situation if you need to run a DNS. Luckily, Debian makes it really easy to compile and install custom packages, so here is how you can patch it up manually.

Check what you have installed, yup, it’s vulnerable:

$ dpkg -l | grep bind9
ii bind9 9.2.4-1sarge3 Internet Domain Name Server
ii bind9-host 9.2.4-1sarge3 Version of 'host' bundled with BIND 9.X

Install the source package for BIND9.

$ cd /usr/src && sudo apt-get source bind9
Reading Package Lists... Done
Building Dependency Tree... Done
Need to get 4667kB of source archives.
Get:1 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (dsc) [741B]
Get:2 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (tar) [4564kB]
Get:3 http://ftp.us.debian.org sarge/main bind9 1:9.2.4-1sarge3 (diff) [102kB]
Fetched 4667kB in 8s (534kB/s)
dpkg-source: extracting bind9 in bind9-9.2.4

Go patch it up:

$ cd bind9-9.2.4/

Apply this patch, either with patch(1) or manually, I did it manually just to be safe:

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}

$ sudo vi lib/bind/inet/inet_network.c

build the package, this will generate a .deb:

$ cd .. && sudo apt-get -b source bind9

install the package:

$ sudo dpkg -i bind9_9.2.4-1sarge3_i386.deb

ayn blog

saving your inboxes by posting the useless stuff here

Tag Archives: security

How to patch up Debian sarge bind9 TAKE TWO!

How to patch bind9 in Debian sarge to get DNS cache poisoning exploit patch