Bug or Hacker with Mouse

Hello there.

I just upgraded to OpenSuse 13.1 on my old (AMD Sempron) x86 pc. I also just installed OpenWRT on my router. Everything seemed to work ok, BUT now whenever I go to hotmail.com, the numlock on my keyboard turns off. I have had serious problems with serious hackers before, do I still have them? I have tcpdump and wireshark installed. If anyone has seen this before, I am a newbie with wireshark - what do I look for?

Any help or directions elsewhere appreciated.

DM

Sorry, I was using Chrome v 35.0.1916.114 browser.

Just ran RKHunter (rootkithunter) and nothing found.

Whenever I use ssh, there are two prompts with no line feed:
Please Enter Your RSA Phrase:Please Enter Your RSA Phrase:

Something going on but I don’t know what. Is there any way to scan to see hardware directly or scan keyboard eeproms?

Any help is appreciated.

DM

On 2014-06-15 04:16, DMakowecky wrote:

> Something going on but I don’t know what. Is there any way to scan to
> see hardware directly or scan keyboard eeproms?

Keyboards are hackable, if someone with knowledge gets physical access
to it. Just change it, they are very cheap. Buy it on a supermarket, not
a small shop: you can pick a sealed box from the rack yourself (I’m just
wearing my paranoid hat on your behalf :wink: )

What they do is insert something in the cable, which captures the
signals and sends them to a box, so it is easy to detect, visually. They
could do that on a (shady) internet café.

I have seen the method used, legally, on a school: the teacher has
control, at will, of any keyboard or display without moving. He can use
it for showing the student something, or to watch that he is not simply
enjoying surfing on Internet :wink:

So, if someone wanted to intercept what you type, he could insert the
gadget inside the keyboard box where you can not see it.

You could also open the keyboard for inspection, but if you find
something you will not be able to prove anything in court. If replacing
your keyboard works, take the old one to the police, or get some
witnesses while you open it.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Thanks Carlos. I just noticed caps lock dimming/flickering at other passwords as well.

I had forgotten about school monitoring systems. I am a professional programmer with no business/professional relationship to any school, so I never even considered some idiot would do that.

DM

On 2014-06-15 18:06, DMakowecky wrote:
>
> Thanks Carlos. I just noticed caps lock dimming/flickering at other
> passwords as well.
>
> I had forgotten about school monitoring systems. I am a professional
> programmer with no business/professional relationship to any school, so
> I never even considered some idiot would do that.

I can not imagine why some bofo would peek at passwords and flicker the
leds to warn you, though :-?

Or, some software that you are using switches the keyboard to a
different mode while typing passwords, and indicates that fact. But I
have never heard of such a thing, either.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Wireless keyboard?
= interference

On 2014-06-16 02:46, Fraser Bell wrote:

> Wireless keyboard?
> = interference

One of the reasons I’ll never use one, is that they can suffer
interference, yes, and that they need batteries, but mainly that it can
be intercepted. I’ve not seen, when looking at them in shops, that the
box specifies what encryption procedure they use and how safe it is. Nor
the data on the internet sites selling them mentions encryption.

So no, never wireless keyboards in my house. I do not trust them at all.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Hi
I use the logitech keyboards and mice with the unifying receiver. Mice are unencrypted, my K400 keyboard shows the wireless link as encrypted via the solaar utility.

On 2014-06-16 05:46, malcolmlewis wrote:
> Hi
> I use the logitech keyboards and mice with the unifying receiver. Mice
> are unencrypted, my K400 keyboard shows the wireless link as encrypted
> via the solaar utility.

Is that documented somewhere? Specifically, the strength and
inviolability of the protocol, vetted?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On Mon 16 Jun 2014 12:18:07 PM CDT, Carlos E. R. wrote:

> On 2014-06-16 05:46, malcolmlewis wrote:
> > Hi
> > I use the logitech keyboards and mice with the unifying receiver. Mice
> > are unencrypted, my K400 keyboard shows the wireless link as encrypted
> > via the solaar utility.
>
> Is that documented somewhere? Specifically, the strength and
> inviolability of the protocol, vetted?

Hi
It’s AES 128-bit, but they do note that with physical access or spyware all
bets are off…
http://www.logitech.com/images/pdf/roem/Advanced_24_Unifying_FINAL070709.pdf


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-11-desktop
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

On 2014-06-16 14:40, malcolmlewis wrote:

> Hi
> It’s AES 128bit, but they do note physical access or spy ware all bets
> are off…
> http://www.logitech.com/images/pdf/roem/Advanced_24_Unifying_FINAL070709.pdf

Well, that’s some info my supplier did not have, so thanks :slight_smile:

Mmm… there is a vulnerable point in the process:

Note that the encryption keys are never transmitted
over the air. By spying the packets exchanged during
the pairing process, a hacker would not be able to
find the encryption keys without knowing the secret
algorithm implemented to construct them.

So the security of the pairing process is by obscurity. If that “secret
algorithm” leaks or is known to security agencies, it is vulnerable.

I’d consider the mouse also critical, though. I worked at a company
which used antitempest glass windows and wire mesh in the walls.
Apparently, someone from outside the building might read the CRT
displays by simply decoding the RF generated by the coils and such in
the CRT. Guessing the position of the mouse in the CRT would have been
important info, too.

I understand that LCD displays are much harder to read remotely, but I
don’t have good info on that.

They considered the risk so real, that the entire building was
protected. WiFi was strictly forbidden at the time. Cell phones did not
work initially, till they added internal cell phone repeaters inside the
building - which worked at least with the company mobile phones. I don’t
remember about private phones.

Since that time I’m a bit paranoid… O:-)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Hello again.

I am using a wired keyboard and mouse for security. Also, I have disabled the wireless functionality of my router and installed a hosts file - so far so good (1 day). The thing is, I didn’t broadcast the SSID of the network, I used psk2 encryption with a long (50+) char password. There is an armed forces signal corps cadet corps in town and I am really, really hoping it is them. Otherwise a serious, serious, serious problem.

But so far the numlock key has stayed off and no echoes on ssh logins.

I will keep you informed. Thanks for your help.

DM

On 2014-06-16 23:06, DMakowecky wrote:
>
> Hello again.
>
> I am using a wired keyboard and mouse for security.

Good.

> Also, I have
> disabled the wireless functionality of my router and installed a hosts
> file - so far so good (1 day).

Ok…

> The thing is, I didn’t broadcast the SSID
> of the network,

That one is mostly irrelevant for an interested hacker.

> I used psk2 encryption with a long (50+) char password.

psk2? What is that? Ah, ok, understood, different parlance. It is the
same as wpa2.

http://community.linksys.com/t5/Access-Points/Is-PSK-PSK2-the-same-things-as-WPA-WPA2/td-p/269522

http://www.aota.net/forums/showthread.php?t=21245

http://www.linksysinfo.org/index.php?threads/psk2-and-wpa2.8558/

> There is an armed forces signal corp cadet corp in town and I am
> really, really hoping it is them. Otherwise a serious, serious, serious
> problem.

What do you mean, that they train hacking your system? Weird.

Maybe you can find something here:

http://en.wikipedia.org/wiki/Wireless_security

http://en.wikipedia.org/wiki/Wireless_Intrusion_Prevention_System

> But so far the numlock key has stayed off and no echoes on ssh logins.
>
> I will keep you informed. Thanks for your help.

Ok.

Meanwhile, you probably should rotate your wifi password periodically.
Maybe add MAC verification, which is not in itself enough security, but
it adds to it.

And add strong local user passwords, too.

Ah, in your Linux machine, configure the firewall to protect from the
internal network, or consider the local network as “external”, not
“internal”. It also makes life more difficult for you, of course.

Do you have a CUPS server, accessed from another machine? The CUPS
protocol is a security problem, because it sends passwords in clear,
when it needs to. You can read about it in the CUPS pages in the openSUSE wiki.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Hello.

Ok, second day - numlock flashed and the ssh login echoed at one website but not another, has to be an echo setting somewhere. But the numlock thing still worries me. I used MAC identification on wireless, didn’t seem to help much but I can’t see the hackers blocked (actually I can with packet-sniffer) - but I don’t really care about the weak unsuccessful hacks, just the strong and successful hacks - they are the ones putting my customers and my investment in potential danger.

I also use winxp, but because of the system’s built-in dependence & integration with IE8 I’m pretty sure opensuse is more secure. I was aware of insecurity of print spoolers and ups systems in general. I usually have cups/spoolers turned off and try to use/build software with secure configurations.

I’ll try some other things and keep you posted.

DM

Hello again. Not good news.

I think part of this may be related to the windigo hack. But even when I used tcpdump and wireshark to capture I was unable to find any usernames or passwords in the capture files.

I also noticed that even when the network cable was detached the numlock light turned off the first time I entered an xterm password dialog. I searched on nouveau hack (the nvidia opensource driver) because it supplies network and video functionality and found the windigo hack. I have tried as well avgscan, rkhunter 1.4.2, clamav 0.98.4, lynis 1.6.0 and found nothing. (The windigo hack IS mentioned in the opensuse security forum). I also disabled more xterm remote echo/control capabilities on the off chance it was something there. But I can’t find a way to remove it.

I’ll keep looking and keep you posted. In the meantime if anyone else has solved this please let me know. (I have installed all upgrades and changed my passwords.)

Dean M.

I just checked and the recommended fix for the windigo/ebury is to wipe the system and reinstall - because the kernel (and kernel.org) was infected. Ouch!

DM

Apparently the ability to test for interfaces in promiscuous mode (tcpdump, wireshark, etc.) is a FEATURE of this hack!

DM
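For readers wondering how promiscuous mode is actually visible on a Linux host, here is an added example (written for this thread, not code from any poster or from openSUSE). It assumes a Linux kernel exposing /sys/class/net/<iface>/flags and logging the standard "device <iface> entered promiscuous mode" message; the log lines inside the script are constructed samples, not captured from a real machine. It decodes the IFF_PROMISC bit (0x100) from the sysfs flags value, lists interfaces currently in that mode, and extracts the device names from kernel log lines.

```shell
#!/bin/sh
# Added example: three independent views of promiscuous mode on Linux.
# Assumes sysfs at /sys/class/net and the kernel's standard log message.

IFF_PROMISC=256   # 0x100, the IFF_PROMISC flag from <linux/if.h>

# flags_is_promisc HEXFLAGS -> exit 0 when the IFF_PROMISC bit is set.
# The argument is the raw value read from /sys/class/net/<iface>/flags.
flags_is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# list_promisc_sysfs -> prints "<iface> <flags>" for every interface whose
# sysfs flags currently carry IFF_PROMISC (prints nothing if none).
list_promisc_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        iface=${f#/sys/class/net/}
        iface=${iface%/flags}
        flags=$(cat "$f")
        if flags_is_promisc "$flags"; then
            printf '%s %s\n' "$iface" "$flags"
        fi
    done
}

# promisc_events_from_log -> reads kernel log lines (dmesg/journal/syslog
# format) on stdin and prints the device name of each "entered promiscuous
# mode" event, one per line. "left promiscuous mode" lines are ignored.
promisc_events_from_log() {
    sed -n 's/.*device \([^ ]*\) entered promiscuous mode.*/\1/p'
}

# Constructed sample kernel log (not from a real system).
SAMPLE_LOG='[  123.456] device eth0 entered promiscuous mode
[  130.001] eth0: link up
[  987.654] device eth0 left promiscuous mode
[ 1200.000] device wlan0 entered promiscuous mode'

# Stand-alone run: decode two constructed flag values, parse the sample log,
# then look at the live sysfs view of this machine.
demo() {
    flags_is_promisc 0x1103 && echo "0x1103 -> promiscuous bit set"
    flags_is_promisc 0x1003 || echo "0x1003 -> promiscuous bit clear"
    echo "interfaces that entered promiscuous mode in the sample log:"
    printf '%s\n' "$SAMPLE_LOG" | promisc_events_from_log
    echo "interfaces currently in promiscuous mode on this host:"
    list_promisc_sysfs
}

demo
```

The sysfs view and `ip link` both ask the running kernel, so if the kernel or the userland tools are compromised they can answer whatever the intruder wants; the one thing that helps is that the "entered promiscuous mode" line is written at the moment the mode is switched on, so if kernel messages are shipped to a separate log host the event is recorded before anything local can hide it. For a machine already under suspicion, compare the live answers with what the same interfaces show after booting a clean live medium.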

Download the ESET NOD32 AV for Linux (Trial) - It detects and removes the infection, which I doubt you have.

You’re making a lot of assumptions based on a flashing caps lock.

Hi
And more info here…
http://www.welivesecurity.com/2014/04/10/windigo-not-windigone-linux-ebury-updated/