
5. May 2013

Online banking: transfer templates as a security hole

Filed under: Security — Christopher Kramer @ 15:29

Transfer templates (Auftragsvorlagen) are a handy thing: if you transfer money to the same recipient regularly, you save yourself looking up the recipient's bank details every time. But the way many banks implement transfer templates in their online banking opens up an attack scenario that makes it possible to bypass the TAN procedure, regardless of whether (i)TAN lists, chipTAN or mTAN are in use.

Attack scenario

Suppose an attacker obtains the online banking credentials (username + PIN), for example via a keylogger or phishing. He can now log into the online banking and change existing transfer templates. None of the banks I tested requires a TAN for this. He can, for example, replace the account number and bank code (BLZ) with his own bank details. If he also changed the account holder's name, the victim would usually notice. But since banks do not have to verify the account holder, the money arrives even if the name is left unchanged.
Preferably the attacker picks a template the victim uses often or for large amounts. Which ones those are is easy to see in the account overview.

When the victim now logs into the online banking and uses the manipulated template, it will usually not check the account number and bank code, because it does not expect them to have changed without its own doing (if you knew the recipient's account number and bank code by heart, you would not need a template). So the victim authorizes a payment to the attacker with a TAN without intending to. Some TAN procedures such as chipTAN or mTAN display the manipulated account number to the victim once more, but since the victim usually does not know the number by heart and trusts the template, it will confirm the payment anyway.

Once the money has arrived on the receiving account (which, see the update below, does not even need to be opened under a false name), the attacker can, for example, have it paid out in cash.

In summary, the scenario gives an attacker a way to bypass the TAN procedure. Since it requires the attacker to steal the victim's username and PIN (without the victim noticing), I do not rate the risk all that high.

Still, it means that a simple (unnoticed) phishing attack on username and PIN is enough to steal money. There is no need to get hold of the victim's TANs.

Solution

The solution is obvious: creating, changing (and possibly deleting) a transfer template should always require a TAN. If the template is created in the course of a transfer that is confirmed by TAN anyway, a second TAN is not needed. I hope that publishing this attack scenario makes the banks aware of the problem and that they adapt their online banking accordingly.
Until that happens, all a user can do is check templates whenever using them, or not use them at all. Of course, you should not be careless with your PIN anyway: do not react to phishing mails, keep your computer free of malware and do not use online banking on public or other people's computers, since these could have keyloggers installed.
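To make the two flows concrete, here is an added model of the vulnerable and of the hardened behaviour. It is not code from the post or from any bank's software; the class, the account names, the balances and the fixed TAN value 'TAN-1' are invented for the illustration. The only rule the model enforces is who can produce a valid TAN: the customer can, the attacker with nothing but the phished username + PIN cannot.

```php
<?php
// Added model of the scenario above; not code from the post or from any bank.
// Account names, balances and the fixed TAN value 'TAN-1' are made up.
// Only the customer can produce a valid TAN (iTAN list, chipTAN, mTAN);
// the attacker holds nothing but the phished username + PIN, i.e. a session.

final class OnlineBanking
{
    private array $balances  = ['victim' => 1000, 'landlord' => 0, 'attacker' => 0];
    private array $templates = [];   // owner => template name => ['holder' => ..., 'account' => ...]
    private bool  $tanForTemplates;

    public function __construct(bool $tanForTemplates)
    {
        $this->tanForTemplates = $tanForTemplates;
    }

    private function requireTan(?string $tan): void
    {
        if ($tan !== 'TAN-1') {
            throw new RuntimeException('TAN missing or wrong');
        }
    }

    // Vulnerable banks: a template can be created or changed with the PIN
    // session alone. Hardened banks: the same operation is TAN-protected.
    public function saveTemplate(string $owner, string $name, string $holder,
                                 string $account, ?string $tan = null): void
    {
        if ($this->tanForTemplates) {
            $this->requireTan($tan);
        }
        $this->templates[$owner][$name] = ['holder' => $holder, 'account' => $account];
    }

    // The transfer itself is always TAN-protected. The holder name is stored
    // with the template, but as the post notes banks need not verify it:
    // only the account number decides where the money goes.
    public function transferFromTemplate(string $owner, string $name, int $amount, ?string $tan): string
    {
        $this->requireTan($tan);
        $dest = $this->templates[$owner][$name]['account'];
        $this->balances[$owner] -= $amount;
        $this->balances[$dest]  += $amount;
        return $dest;
    }

    public function balances(): array
    {
        return $this->balances;
    }
}

function runScenario(bool $tanForTemplates): array
{
    $bank = new OnlineBanking($tanForTemplates);

    // 1. The victim creates the template "rent" (confirmed with a TAN as part
    //    of a regular transfer, so a TAN is available here).
    $bank->saveTemplate('victim', 'rent', 'Landlord GmbH', 'landlord', 'TAN-1');

    // 2. The attacker, logged in with the phished username + PIN and without
    //    any TAN, swaps the account number but keeps the holder name so that
    //    the template looks unchanged.
    try {
        $bank->saveTemplate('victim', 'rent', 'Landlord GmbH', 'attacker');
        $tampered = true;
    } catch (RuntimeException $e) {
        $tampered = false;   // hardened bank: without a TAN the template stays as it was
    }

    // 3. The victim pays the rent from the template and enters a genuine TAN.
    //    chipTAN/mTAN would display the account number, but the victim trusts
    //    the template and confirms.
    $receiver = $bank->transferFromTemplate('victim', 'rent', 500, 'TAN-1');

    return ['tampered' => $tampered, 'receiver' => $receiver] + $bank->balances();
}

print_r(runScenario(false));   // template change needs no TAN (the banks tested in the post)
print_r(runScenario(true));    // template change needs a TAN (the proposed fix)
```

In the first run the money lands on the attacker's account although the victim entered a perfectly valid TAN, because the TAN only ever authorized "whatever the template says". In the second run the attacker's saveTemplate() call throws, the template is untouched and the same TAN sends the money to the landlord. The model deliberately ignores the holder name, mirroring the update at the end of the post.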

Update: As I have now read, banks do not have to verify the account holder at all. So it is not necessary to open an account under a false name; you simply pick a bank that does not check the account holder, which is probably how most banks handle it. I have adjusted the article accordingly.


25. April 2013

phpLiteAdmin: Italian translation available for download

Filed under: PHP, phpLiteAdmin — Christopher Kramer @ 18:29

We have now also received an Italian translation for phpLiteAdmin! :-) Thanks a lot to Franco Tassi, who posted the Italian translation on our mailing list.

We now have translations into Arabic, Chinese, German, Italian and Russian (and English, of course). In our wiki you can find the download links and install instructions.

If phpLiteAdmin is not yet translated into your language, we would be very pleased if you translated it. It is very easy and also well explained in the wiki.

Thanks to all translators!

23. April 2013

Enlarge dynamic and fixed VHD virtual hard drives

Filed under: Windows — Christopher Kramer @ 23:42

If you use Virtual PC or the built-in Windows backup, for example, you probably use virtual hard drives stored in vhd files.

I already blogged once about how you can mount such a vhd file easily in Windows.

But there is one big problem with vhd files: when you create them, you often don't really know how big the file should be. A dynamic vhd solves this only partly (at the cost of performance), because you still have to specify a maximum size.

And then the time comes when you realize your vhd needs to be bigger than you specified. So here is how you can enlarge vhds, no matter whether they are fixed-size or dynamic. Make a backup copy of the vhd file before you start.

Enlarge vhd file using diskpart

You can enlarge the vhd file in diskpart. Start diskpart, e.g. with [Windows-Key]+[R], type “diskpart” and hit [Enter]. UAC will prompt you for permission (say “Yes”). The vhd must not be attached (mounted) while you expand it. Now select your virtual disk using the following command:

select vdisk file="C:\path\to\vdisk.vhd"

Now enlarge the disk using this command:

expand vdisk maximum=10000

In this example, 10000 means that the new total size of the disk is 10,000 MB (adjust the number to your needs). Note that this is the absolute new size, not the amount to add.

So now your virtual hard drive grew larger. But the partition inside still has the old size. So you need to enlarge the partition as well.

Enlarge the partition in the virtual disk using Disk management

The easiest way to do this is to use Windows Disk Management, which is part of Computer Management. The fastest way to get there in Windows 7 is to click the Windows icon, type “Disk Management” and start the “Disk Management” entry that appears (Windows UAC will again ask you for permission, say “Yes”). Or, which also works on other Windows versions, press [Windows]+[R], type “diskmgmt.msc” and hit [Enter].

Open the VHD with “Action” / “Attach VHD”. Choose the file, make sure “readonly” is not checked and click “OK”.

Then you will see the VHD just like your normal drives in the graphical overview. There you will see the partition in blue (or dark green if it is a logical one) and the empty space in light green. Right-click the partition and choose “Extend Volume”. The tool will propose to use all the empty space, so you can just accept that and that's it. Finally, right-click the VHD drive and select “Detach VHD”. Make sure you don't select the option to delete the VHD file after detaching!

Enlarge the partition in the virtual disk using diskpart

You can also achieve the same thing in diskpart (i.e. on the console, not using the GUI).

Open diskpart, and mount the VHD using:

select vdisk file="C:\path\to\vdisk.vhd"
attach vdisk

Then do

list volume
select volume=<No of volume>
extend size=100

Instead of <No of volume>, you need to enter the number of the volume (see output of “list volume”).

In this example, the partition gets enlarged by 100 MB. Unlike expand vdisk, extend takes the relative amount of space to add, not the new total size.

Finally, detach the vdisk:

detach vdisk

Problems? Just ask!

I hope this helps somebody. If so, please drop a comment. If you have problems, also just drop a comment.

12. April 2013

Russian localization available for phpLiteAdmin

Filed under: PHP, phpLiteAdmin, Uncategorized — Christopher Kramer @ 00:44

phpLiteAdmin, a web GUI for SQLite databases written in PHP, has now been translated into Russian!

Thanks to Boris Kurshev (13dagger) for the translation. It is available for download from the official website.

To install localization packages for phpLiteAdmin, just unzip them in the phpLiteAdmin folder or the “languages” subfolder and adjust $language in the configuration (e.g. to “ru” for Russian).

It is very easy to translate phpLiteAdmin into your language. Everything is explained very well in the wiki. You can also find other localization packages there for German and Russian. If your language is not yet translated, please do so and send us the file in our discussion group.

Russian phpLiteAdmin

5. April 2013

CrazyStat has been translated into French!

Filed under: CrazyStat, PHP — Christopher Kramer @ 19:39

CrazyStat Login Screen in French

My OpenSource PHP analytics script CrazyStat has now been translated into French!

Thanks a lot to Yannou90 who translated CrazyStat into French and posted the language file in the forum.

You can currently download the translation file from SVN (click “Download this file”). Just drop the file in “stat/src/lang”. I hope I will finally find the time for the next release where the French file will be included of course.

This makes CrazyStat available in English, German, French, Russian, Danish, Dutch and Portuguese. A Croatian translation has been mentioned in the forum, but has not been made available so far.

Thanks everybody for translating CrazyStat!

Update: Some corrections to the language file have been done. The link above now points to the latest version.

26. March 2013

phpLiteAdmin: Arabic localization available for download

Filed under: PHP, phpLiteAdmin — Christopher Kramer @ 18:47

phpLiteAdmin with Arabic localization

phpLiteAdmin can be easily translated into different languages. Version 1.9.4 was released together with English and German localization packages. Now teryaki did an Arabic translation for phpLiteAdmin which is now available for download. Thanks a lot!

This shows that phpLiteAdmin has no problems with languages that require real UTF-8 support.

To translate phpLiteAdmin into your language, read the wiki page on Localization. It also explains how to install localization packages.

 

21. March 2013

Linux: ACPI disabled, won’t shut down, /sys/class/rtc/rtc0/wakealarm vanished

Filed under: Linux — Christopher Kramer @ 00:16

MythTV server won’t shut down automatically any longer

Today my MythTV-based media home server suddenly would not shut down automatically any longer after a kernel update.

The logs of mythbackend (/var/log/mythtv/mythbackend), which triggers the shutdown, looked like this:

localhost mythbackend[1674]: I Scheduler scheduler.cpp:2729 (CheckShutdownServer) CheckShutdownServer returned - OK to shutdown
localhost mythbackend[1674]: N Scheduler scheduler.cpp:2814 (ShutdownServer) Running the command to set the next scheduled wakeup time [...]
localhost mythbackend[1674]: E Scheduler scheduler.cpp:2820 (ShutdownServer) SetWakeuptimeCommand failed, shutdown aborted

Problem: /sys/class/rtc/rtc0/wakealarm vanished after kernel update

So I ran the SetWakeupTime command myself and got this error:

/sys/class/rtc/rtc0/wakealarm: No such file or directory

And in fact the file was missing.

System won’t power off any longer

I tried to shut the PC down completely (manually) and start it again. But it would not power off; it just froze with the shutdown bar on the screen. Pressing the power button once (only briefly, not holding it) made the PC power off.

So this looked like some big ACPI problem.

ACPI disabled

After some more search, I found this in the syslog (/var/log/syslog):

localhost kernel: [    0.000000] ACPI: no DMI BIOS year, acpi=force is required to enable ACPI
localhost kernel: [    0.000000] ACPI: Disabling ACPI support

So missing ACPI support explains why both wakealarm and the shutdown are broken.

I am wondering why this happens suddenly after a kernel update (I have not changed my BIOS or anything, and ACPI was working perfectly before).

Solution: force ACPI

Forcing ACPI solved the problem.

If you use grub2, this is how to do it:

Open /etc/default/grub (e.g. “sudo nano /etc/default/grub”) and change this line:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

Into this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi=force"

Save the file and update the grub configuration:

sudo update-grub

Then restart and you’ll be done.

sudo shutdown -r now

I hope this could help somebody.

18. March 2013

phpLiteAdmin 1.9.4 released

Filed under: DBMS, PHP, phpLiteAdmin — Christopher Kramer @ 18:53

I just released phpLiteAdmin 1.9.4.

phpLiteAdmin is for SQLite what phpMyAdmin is for MySQL: A web GUI to manage your databases.

A lot of work has again gone into this release. It fixes bugs and introduces new features. No security issues are fixed (compared to 1.9.3.3).

All users of phpLiteAdmin are recommended to update.

New features of phpLiteAdmin 1.9.4 include:

  • Multi-Language support
  • external configuration possible
  • empty password -> no login required
  • easy backup of db files
  • edit and delete possible from search results
  • search function: added “LIKE %…%”
  • CSS and JS now served as separate, cacheable and compressed resources to speed up page loading

Important bug fixes include fixes in the ALTER TABLE support. We have again spent quite a lot of work on improving phpLiteAdmin. Thanks to everybody who reported issues and especially to the team for their work on phpLiteAdmin; in particular Dreadnaut and Teryaki helped me a lot with this release. Thanks guys.

Download the new version here.

13. March 2013

TortoiseSVN: after stopping merge, workspace is “locked”

Filed under: Windows — Christopher Kramer @ 20:43

TortoiseSVN is a great Windows Application to access (and even create) SVN repositories. It integrates perfectly into Windows Explorer and has very good merge and diff tools. In my opinion it’s simply the best Windows SVN client available. If you don’t use it already, you should give it a try.

Problem: Working Copy locked after Merge failed

When I tried to apply a patch using TortoiseSVN, I noticed I wanted to apply another patch instead and therefore closed the merge program before it had started up completely.

After this, I was not able to apply the other patch. TortoiseMerge said the working copy was locked:

TortoiseMerge: “Working copy is already locked”

It was also not possible to update the working copy:

Update: Working copy is locked

So I tried to unlock it, which was not possible:

TortoiseSVN: “There is nothing to unlock”

So this is pretty strange. Here is how to solve it:

Solution: Clean up working copy status

Right-click on the directory and choose “TortoiseSVN”/”Clean Up”.

TortoiseSVN: Clean up

Then only choose “Clean up working copy status”:

TortoiseSVN: Clean up working copy status

Click “OK” and that’s it. You can now again update or apply patches without any problems.

I hope this helps somebody to solve their problem a little faster.

26. February 2013

Montezuma WordPress Theme: Solve Inline CSS

Filed under: PHP, WordPress — Christopher Kramer @ 18:12

I was recently asked why CSS changes made in the admin panel of the Montezuma WordPress theme were not reflected on the frontend.

I found out that there is a known issue with multisites, but no solution. So I dug into the code to solve it. As it might be useful for somebody, I am posting what I found out.

If you are not interested in the technical details, just skip ahead to the parts that tell you what to change ;-)

Montezuma theme uses inline CSS

If you look at the HTML Source of your site, you will find the whole CSS inline along with this text:

/*************************************************************************
Default CSS served INLINE because wp-content/uploads is not writable.
This will change once wp-content/uploads is writable
**************************************************************************/

So the issue seems simple: just correct the permissions, with something like this (www-data being the user your web server runs as):

chown www-data:www-data wp-content/uploads

Unfortunately, this was not the issue here. So why does Montezuma fail to place the static CSS file in wp-content/uploads?

Invalid file type

It took me a while to figure out what Montezuma does. In save_css_file() in includes/admin.php, it stores the theme's CSS using wp_upload_bits(). The first problem in the theme is that it does not check the error that wp_upload_bits() returns. It should at least display it somehow. In this case, the error would be “Invalid file type” (in your language).

So wp_upload_bits() calls wp_check_filetype(), which calls get_allowed_mime_types() for the list of allowed MIME types. That function looks like this:

function get_allowed_mime_types() {
        return apply_filters( 'upload_mimes', wp_get_mime_types() );
}

So it calls wp_get_mime_types() for the list of MIME types. That function applies another filter (mime_types) to an array of file extensions and their MIME types, and this array does contain css. This is good news, because we want to store a css file…

So one of the filters kicks “css” out. The short story is that it is upload_mimes: in a multisite setup, the upload_mimes filter reduces the list to the upload extensions allowed in the network settings, which the network administrator can edit!

To edit it, open http://example.com/wp-admin/network/settings.php in your browser. The list of allowed file types for uploads is near the end of the settings page. Just add “css” there (space-separated). Keep in mind that this allows every user who may upload files on any site of the network to upload .css files, not just the theme.

I think Montezuma should rather hook the upload_mimes filter itself and allow css only for its own file.

If you now save your Montezuma settings, it should successfully create a file http://example.com/wp-content/uploads/montezuma/style.css

But in a Multisite setup, this is not the end of the story.

Montezuma uses CSS per site (in a Multisite setup)

With a multisite setup, it depends in which site's backend you change the Montezuma CSS. If you log into one site, it creates the CSS for that site. If you log into another site, it creates the CSS for that site.

So you need to change the css in the backend of every site.

So let’s assume you have a site “de” and a site “en”. Then go to http://example.com/de/wp-admin/themes.php?page=montezuma and change the CSS in the Montezuma settings.
This will create a file like: http://example.com/wp-content/uploads/sites/1/montezuma/style.css

Then log into the next site http://example.com/en/wp-admin/themes.php?page=montezuma and edit the css there as well.
This will create a file like: http://example.com/wp-content/uploads/sites/2/montezuma/style.css

Then the css as you edited it should be used in the frontend.

I guess Montezuma should add an option to use a global css for all sites.

Update: Similar problem: Google Webfont is not loaded

The theme lets you easily use a Google web font. But it does not load?

The problem is almost the same: it fails to write the .js file. So go into the network settings and add “js” to the list of allowed extensions, save the Montezuma settings and it should work. Note that allowing “js” network-wide lets every user with upload rights on any site upload JavaScript files that are served straight from wp-content/uploads.
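Rather than widening the network-wide whitelist for css (above) and js (this update), a theme can grant itself the exception only for the moment it writes its own file. The following is an added example written for this post, not code from the Montezuma theme; the montezuma_ function names are hypothetical. It uses the real WordPress functions add_filter(), remove_filter() and wp_upload_bits(), and hooks upload_mimes at priority 99 so that it runs after the multisite filter check_upload_mimes(), which applies the network setting at the default priority 10. Outside WordPress the bottom of the script just exercises the filter callback on a constructed list.

```php
<?php
// Added example, not code from the Montezuma theme or from the post.
// montezuma_* names are hypothetical; add_filter(), remove_filter() and
// wp_upload_bits() are the real WordPress functions.

// Filter callback: re-add css and js to whatever list survived the
// network-wide restriction. Priority 99 (see below) puts it after
// check_upload_mimes(), which on multisite trims the list to the
// "Upload file types" network setting.
function montezuma_allow_asset_mimes(array $mimes): array
{
    $mimes['css'] = 'text/css';
    $mimes['js']  = 'application/javascript';
    return $mimes;
}

// Store one theme asset. The filter is only active during this call, so
// ordinary media uploads by other users keep the network's whitelist.
function montezuma_store_asset(string $filename, string $contents): string
{
    add_filter('upload_mimes', 'montezuma_allow_asset_mimes', 99);
    try {
        // second argument is deprecated in WordPress and must be null
        $result = wp_upload_bits($filename, null, $contents);
    } finally {
        remove_filter('upload_mimes', 'montezuma_allow_asset_mimes', 99);
    }

    // The post's first complaint: the theme swallows this error silently.
    if (!empty($result['error'])) {
        throw new RuntimeException('Montezuma: could not write ' . $filename . ': ' . $result['error']);
    }
    return $result['file'];   // absolute path of the stored file
}

// Stand-alone check when run outside WordPress: a constructed list that
// mimics what check_upload_mimes() leaves over on a multisite install.
if (!function_exists('add_filter')) {
    $networkAllowed = [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'pdf'          => 'application/pdf',
    ];
    $withAssets = montezuma_allow_asset_mimes($networkAllowed);
    var_dump(isset($withAssets['css']), isset($withAssets['js']), count($withAssets));
}
```

Inside WordPress the theme would call montezuma_store_asset('montezuma/style.css', $css) instead of wp_upload_bits() directly; the try/finally guarantees the filter is removed again even if wp_upload_bits() throws, so the window in which css and js are accepted never outlives the theme's own write.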

 
