
Thread: Once is happenstance.....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Once is happenstance.....

    ...twice is coincidence and three times is an act of war Mr. Bond.

    [Goldfinger, from the book of the same name by Ian Fleming]

    Overview: This is my home network consisting of 2 Win2k servers hardwired to the network, automatic updates configured and functioning. One Win2k workstation, hardwired, autoupdating that is functioning. Two WinXP SP2 wirelessly connected to a MAC-filtered, WPA-PSK encrypted wireless access point, autoupdating that is functioning. The WAP is a Netgear FWG114P configured to allow SMTP, RDP and HTTP to one of the two servers and a secondary HTTP forwarded to one of the wireless laptops, (mine), though the port on the laptop is no longer open - thus a dead forward.

    Happenstance: The wireless laptop used by me is generally left connected with certain trusted web sites open in Firefox tabs including my SSL work email, (I know - naughty me). The wireless does drop from time to time and if it is left for a while I find it best to try to connect to Yahoo prior to trying to refresh my work email or it fails out. Last night I restarted the laptop because it would not come out of hibernation - it was just doing too much, but since I had 2 instances of IE also open - because you can't run StatTracker for fantasy football with anything but IE and since yesterday was Sunday both windows were there. I then opened Firefox and attempted to log in to my work email. The certificate came up which I accepted and the login screen was presented. I put in my credentials and hit "OK". I was then warned that I was leaving an encrypted page. I thought about it for a second and decided to proceed. I was provided with my work email - all nice and up to date. I selected an email to read and was presented with the login screen..... Hmmmm..... Me no likey.... The connection was HTTPS, the address bar still indicated I was at my work site but I hadn't been presented the certificate..... I chose to proceed regardless, entered my authentication information and everything went well from there.... There was a niggle in the back of my head but I dismissed it.....

    Coincidence: I got up this morning, got my coffee etc. and went to my wired workstation in my office. Since it was Tuesday it was time to check on the final results and standings in my fantasy football league. Upon finding how badly I am now doing I noticed that my brother had left me a message so I replied. As Yahoo does, it will ask you for your password if you have been inactive for a while - it did. I didn't think to check the address bar but the page absolutely appeared to be Yahoo's login screen. I entered my password and was warned that I was leaving a secure page.... which is unusual... I accepted the warning and was re-presented with the login screen..... Needless to say red flags are up everywhere..... Since time is limited at this hour on a workday I simply closed the two HTTP forwards on the router and checked for the existence of my logs from it on my wired workstation.

    Those logs are the only ones I have since I turned off my Snort some months ago because I use the VPN a lot for work and having two interfaces running crashes the computer if you fire up the VPN. I will be going through them in the near future.

    Since arriving at work I have connected to home via RDP, enabled the external interface, (outside the firewall), on my wired workstation and fired up Ethereal on it. I then connected to the wireless WinXP laptop and have enabled Ethereal there too. We'll see what happens over the next 24 hours.

    Additional Facts:

    1. My surfing at home is entirely predictable. Work email, Yahoo, Yahoo UK and Sports, Reef Central and that's about it.

    2. My surfing on the laptop is exactly the same as on the workstation but I also do some searches for woodworking stuff due to the bar construction. Basically, my surfing habits at home could be considered very low risk.

    3. Sweetie Pie is a bit of an unknown quantity with regards to surfing. She does a lot of surfing for free stuff for her classroom but since she got herself some nasty spyware through IE about a year ago she has been switched to Firefox and has shown to be clean ever since.

    4. There are only two houses close enough to me to be able to hold any kind of connection to my WAP reliably. While I don't really know the neighbors I don't believe they are technically adept enough to break my encryption, (run with this for now, ok). Add to that the fact that I have never seen another WAP from my laptop, which implies that there is no wireless device usage in range.

    Questions:

    1. Should I readily accept the fact that the "act of war" will come - ie. is this something more than coincidence?

    2. Has anyone else noticed "glitching" like this and did I just get two in unusually quick succession making this look like a bad situation when it really probably isn't?

    3. Am I a paranoid old bastige?

    4. Any other thoughts or comments since I'm not yet ready to begin a full scale forensic investigation on 5 computers.... I'm trying to finish my damn bar..... and the login credentials I have used in these situations are, in no way, what I consider to be my secure ones and won't be able to be used for privilege escalation nor additional password guessing?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Glitches with Yahoo? Yes I've had it from time to time. I can't log into Yahoo from work using Firefox; it continually presents login screens and other oddness.

    I hate to ask the obvious but...

    You've scanned the relevant machines for malware?
    Have you considered changing passwords as a just-in-case measure?

    Possibility that an MS update or other software update could have produced a wobble?

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Not had time to do much yet.... When the "coincidence" occurred I was about 5 mins away from my scheduled morning shower..... Yes, I have one daily.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Possibility that an MS update or other software update could have produced a wobble?
    I agree with aspman....may be due to a recent windows update.

    3. Am I a paranoid old bastige?
    No....... not you Tiger

    One question...do the servers do any authenticating on your network...like for your XPs and 2k ws...do you have to log on to the network for access to the internet etc?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    Well off topic

    Yes, I have one daily
    I remember speaking to an old farmer once and he proudly said,

    "I have a bath once a week whether I need it or not!"

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Morgan:

    The servers do run AD for my "domain" however I log onto my workstation and laptop locally and sweetie pie logs on either locally, (if she needs to install something), or as a domain member under normal use so her stuff is backed up to the server.

    Frankly I'm not particularly worried about a compromise of my domain but rather the fact that my workstation and laptop hold the "keys" to the work "kingdom" in that they are used to initiate VPN connections and then other domain authentications that I would rather not have "go public".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Junior Member
    Join Date
    Dec 2003
    Posts
    12
    when you accepted the certificate....read it carefully....was it expired?

  8. #8
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I have noticed a change recently with yahoo. If I receive an email through outlook and it contains a hyperlink to part of the yahoo portal, I get asked for confirmation if I use the link. I have attached a screen shot of the two logins. The login on the right is the first, at this one I have to enter login name and password. The second login already has my user name and I am just required to enter my password.

    This confirmation login screen is new, to me at least. It has only been the last week that I have noticed this occurring.

    Is this the same behaviour you are experiencing?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jinx: Memory fails me on that point and I just tried to test it and the session hasn't timed out yet so it lets me straight in.

    Fyre: Nope... I didn't read it.... I never do now.... I log in to my work email so often that I don't bother.... Hey, no-one's perfect...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Junior Member
    Join Date
    Dec 2003
    Posts
    12
    You may want to verify if the certificate is valid. If it's not, there is a good chance you're being hijacked, probably on either side of your router. Applications such as Cain and Abel (www.oxid.it) can do it fairly easily. Basically the application allows an attacker's machine to act as a router between you and another network point. The initial attack is performed via ARP cache poisoning, positioning the attacker's machine as a routing point for your traffic. When you connect to a secure site such as webmail the attacker's machine will accept the certificate from the authority and then send you a fake certificate as though the attacker was the authority. At this point you do have an encrypted tunnel between you and the attacker. It's a classic man-in-the-middle attack. Now this may not be the case but it is possible. If it is the case any userID and password you have entered since it began is compromised.

    So how do you prevent it? or prove it? Where is the hack?

    If it is inside your network via a hole in the router or whatnot, that will probably be detected by Ethereal; look for excessive ARP messages. If you're concerned about the wireless side you can change your security schema (new keys, passphrases etc). If they have keyed off your IP address externally... I'm not sure how to fix that one.

    It could also have compromised one of your local machines; you can look for services such as Abel running as a process. Abel can operate as a remote "bug".

    hope this helps a bit.


    FyreMouse
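    The post above suggests watching the Ethereal capture for excessive ARP messages if the man-in-the-middle sits inside the network. The script below is an added example, not from this thread or from any tool it names, showing what that check looks like when automated: it runs three indicators over ARP records in the shape a capture tool decodes them (one IP claimed by two MACs, replies nobody requested, and a reply flood from one sender). The addresses and packets are constructed sample data, not taken from the poster's network.

```python
"""Spot ARP cache poisoning indicators in a set of decoded ARP records.

Added example (not from the thread): three checks over ARP records as a
capture tool such as Ethereal/Wireshark would decode them. All addresses
and packets below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample addresses (hypothetical, not from the thread).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:02"
ATTACKER_MAC = "cc:cc:cc:cc:cc:03"
PRINTER_IP, PRINTER_MAC = "192.168.1.50", "dd:dd:dd:dd:dd:04"


def arp(ts, op, sender_mac, sender_ip, target_ip):
    """One ARP record as a capture tool would decode it (timestamp in seconds)."""
    return {"ts": ts, "op": op, "sender_mac": sender_mac,
            "sender_ip": sender_ip, "target_ip": target_ip}


def make_sample_capture():
    """Constructed capture: a normal request/reply, a normal printer lookup,
    then twenty unsolicited replies in which a third MAC claims the gateway IP."""
    records = [
        arp(0.00, "request", VICTIM_MAC, VICTIM_IP, GATEWAY_IP),
        arp(0.01, "reply", GATEWAY_MAC, GATEWAY_IP, VICTIM_IP),
        arp(1.00, "request", VICTIM_MAC, VICTIM_IP, PRINTER_IP),
        arp(1.02, "reply", PRINTER_MAC, PRINTER_IP, VICTIM_IP),
    ]
    for i in range(20):  # poisoning traffic: the bogus mapping re-sent every half second
        records.append(arp(5.0 + 0.5 * i, "reply", ATTACKER_MAC, GATEWAY_IP, VICTIM_IP))
    return records


def find_ip_mac_conflicts(records):
    """IP addresses that more than one MAC has claimed in ARP replies."""
    claims = defaultdict(set)
    for r in records:
        if r["op"] == "reply":
            claims[r["sender_ip"]].add(r["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def find_unsolicited_replies(records, max_delay=2.0):
    """Replies with no matching request from the target shortly before them.
    A legitimate reply answers a request; poisoning replies usually do not."""
    pending = {}  # (requester_ip, asked_about_ip) -> time of the request
    unsolicited = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["op"] == "request":
            pending[(r["sender_ip"], r["target_ip"])] = r["ts"]
            continue
        asked = pending.pop((r["target_ip"], r["sender_ip"]), None)
        if asked is None or r["ts"] - asked > max_delay:
            unsolicited.append(r)
    return unsolicited


def find_reply_floods(records, window=10.0, threshold=10):
    """Senders that emit at least `threshold` replies inside any `window` seconds."""
    times_by_mac = defaultdict(list)
    for r in records:
        if r["op"] == "reply":
            times_by_mac[r["sender_mac"]].append(r["ts"])
    floods = {}
    for mac, times in times_by_mac.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            floods[mac] = best
    return floods


def report(records):
    """Human-readable findings, one line per indicator."""
    lines = []
    for ip, macs in find_ip_mac_conflicts(records).items():
        lines.append(f"CONFLICT: {ip} claimed by {', '.join(sorted(macs))}")
    unsolicited = find_unsolicited_replies(records)
    if unsolicited:
        lines.append(f"UNSOLICITED: {len(unsolicited)} replies nobody asked for")
    for mac, n in find_reply_floods(records).items():
        lines.append(f"FLOOD: {mac} sent {n} replies inside a 10s window")
    return lines


if __name__ == "__main__":
    for line in report(make_sample_capture()):
        print(line)
```

    The conflict check is the most reliable of the three on a home LAN: a gateway's MAC does not change, so two MACs answering for its IP is worth investigating on its own, while the flood and unsolicited-reply counts mainly tell you how persistent the sender is. Real captures would be exported from Ethereal and mapped into the same record shape before being fed to `report`.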
