Tuesday, September 16, 2014

When mail is [potentially] tampered with and you don’t even know it.

I’ve been a fan of the buy postage online and slap it on a Priority Mail envelope for the longest time, until today. I had to send some sensitive information through the mail because I wasn’t quite ready to drive 40 miles round trip to use FedEx, because I feared my package of sensitive info sitting in some FedEx box on a weekend awaiting pick-up was a bad idea. I also thought about encrypting the files and sending them digitally but I’m not entirely sure the parties on the other end would be able to deal with the procedure to access them; even passwords elude some people so two-step authentication via an online method was out of the question.

So I opted for the most “secure” method of delivery possible from the US Postal Service, selecting the “Require Adult Signature” tick box in addition to insuring the package on the USPS website. This is really ridiculous in hindsight, but at the time it felt good. I guess I can thank Seinfeld for causing my fears about mail pricing class systems and mail carrier preferential treatment in regard to extra postage or lack thereof; that's a fallacy as well because if anything more money for "security" means the more precious the cargo.

Patiently I awaited the tracking info on the website to say “Delivered,” but it never came, even though today was the target delivery date. The reason being, the main sorting facility in the city where the package was being delivered dragged their feet on sorting my high priority package. So when it was finally sorted for its destination, it was already almost 10:00 in the morning. It’s likely sitting in the sorted stacks of mail in the sorting facility waiting for delivery in the morning, but this doesn’t keep my mind from wondering.

How could someone tamper with my mail unknowingly?
Physical tampering on a letter is fairly evident. When someone opens an end and tapes it closed you will likely notice because there are physical signs that it has been tampered with. 

I started thinking about the ubiquitous packaging used by the US Postal Service with their campaign “If it fits, it ships.” Sorting facilities likely have stacks of these preprinted boxes lying around. So if someone were to abscond with a package (for a short time while the tracking info said it was at the sorting facility, or in my case “out for delivery”), they could grab a similar package to the one that I have used (e.g. Priority Mail Envelope), and go to their local office where a scanner and printer reside.

Then they could rather carelessly extract all of the documents, make copies, take pictures, or scan the items. Next they would use their new package to repackage my documents, and then scan and reprint the delivery label from my package. Place it on the new package and return the items back to the sorting facility or the waiting pile.

It’s not just mail
Then I started thinking about that expensive option of using a service like FedEx who also uses the same sort of standardized packaging. The same scenario applies. Also in regard to FedEx if someone were to notice a pattern of deliveries, they might interlope to satisfy a curiosity.

So, How Can You Really Tell?
Using simple two-step authentication (verification) is one method. The best way I thought of so far was to mark the package in a way that was nearly impossible to replicate, or in a way so that a normal onlooker for the package would not notice. Colored markers, color printout of an image from the web, but basically you mark the package.

Next you would take a picture of the markings and either text, or e-mail it to the recipient (if it is someone you can contact). Let them know that you are sending a package and send them the picture so they can verify that it is indeed the envelope or package that you initially packed.

If you have budgets for custom printing you can print your customized envelope for the internal documents and wrap the interior of your package with something that's not easily replaceable. Companies like Uline sell tape and tamper-evident bags that show indication of tampering. If the document arrives in a non-standard format you know the package was tampered with, and you can then start an investigation with the delivery service.

What companies would be the target of such an attack?
Banks, finance companies, mortgage lenders, payroll companies, Realtors, insurance companies, basically any company that receives sensitive personal information through a standardized delivery service such as FedEx or the US Postal Service in the States. Outbound mail from these companies likely isn't so much of a target in this regard for this type of attack. It's much easier to just take the letter outright if there is no tracking. Mail gets lost every day, right? The bank would assume the information was lost in transit and resubmit. If it was unexpected (like a replacement credit card), the end recipient would be clueless to the attack. Corporations only care about protection of personal information in regard to the bad press or negative media fall-out.

In regard to identity theft the corporations aren't necessarily liable if someone finds a way to game the system, so the companies will not invest money for a potential threat.

Inbound mail or packages from individuals tend to have people's personal information in them, like in instances where the senders are completing a correspondence or form. Since they have a vested interest in maintaining their identity security they will likely opt for more postage.

Final thoughts

Call it paranoia, but I notice patterns, and when I’m sending sensitive info in high profile packages to consistent recipients in a way that would normally not have a time delay or interference, the anomalies in transit do pique my interests. If anyone tells you that snail mail is safer than e-mail or encrypted files they do not know what they are talking about unless they're using a complicated verification method like I've discussed here.

Remember security is an illusion.

Thursday, September 11, 2014

CentOS: Create a Blank file or redirect the default Apache Welcome Page

When managing or hosting a CentOS box, Apache will show the CentOS welcome page. This page contains information you likely don’t want people to have, such as the fact that you’re running Apache on CentOS. While these details can also show up in the headers, you want to remove the default page in case someone hits the website by IP address only, or uses a domain that resolves to the box but has no directory set up for it.



Quite a few of the online discussion forums and even the notes on the welcome screen suggest that you should visit the file at /etc/httpd/conf.d/welcome.conf on CentOS.

If you cat the file you’ll likely see something like this:

# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Their suggestion is to comment out the lines. By doing so, you’re not presenting the visitor with a blank page, but rather a different error message. To edit the file you’ll need to be logged in as root (su -) or be a member of sudoers and use sudo.

Use the editor of your choice. I’m using emacs myself, but vi will also work. So my command looks like:

emacs /etc/httpd/conf.d/welcome.conf

So if I comment out those lines with # comment tags and save the file, then nothing happens.

#<LocationMatch "^/+$">
# Options -Indexes
#ErrorDocument 403 /error/noindex.html
#</LocationMatch>

This is because changes to configuration files in Apache require a server restart. No need to restart the box, just the Apache server; as root:

service httpd restart

You should see something similar to the following:




When you visit the page that showed the welcome page before, you’ll now see a Forbidden error. This still lets savvy users know that you’re running Apache.


For me this wasn’t enough, so I took it a step further.

Since I don’t want anyone to see anything, I created a file in /var/www/error called noerror.php. Assuming you’re running PHP on your box you can do this with something like touch, so:

touch /var/www/error/noerror.php

If you want the page to be blank, then you’re done with the file at this point. If you're not running PHP but only want the blank page, you can call it noerror.html.

For the Redirect
If you want the file to redirect somewhere else you can edit the contents to do something like this:

<?php header('Location: http://www.somedomain.com'); ?>

If you want this to be a permanent redirect, you can add the 301 redirect header above the Location header line. Note that if you permanently redirect, you will have to flush your cache to access a directory that delivered a 403 Forbidden error.

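<?php
header("HTTP/1.1 301 Moved Permanently"); // send the 301 status before the Location header
header("Location: http://www.somedomain.com");
exit; // stop so nothing else is sent after the redirect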


Set appropriate permissions on the file for your setup.

Edit the welcome.conf file again. (Usually you can press the up arrow on your keyboard to cycle through.)

Uncomment the lines suggested by the comments. So you should be back to this.

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Change the ErrorDocument path to /error/noerror.php, so the contents should look like this:

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noerror.php
</LocationMatch>

Save the file. Restart the webserver again. Now instead of seeing the Welcome Screen you should see the domain from the redirect.

Hope this helps someone.


Note: If you don’t have an index file in the server you’re redirecting to it might create an endless loop.
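
To confirm which of the states described in this post the server is actually in (welcome page, bare Forbidden page, blank page or redirect), the following added shell example, which is not part of the original post, classifies a response saved from `curl -si http://<server-ip>/`. The function names, the sample responses and the version string in them are constructed for illustration.

```shell
#!/bin/sh
# Added example; every sample response below is constructed, not captured.

# Read one raw response (as printed by `curl -si`) on stdin and print
# leak:<code>, blank:<code>, redirect:<code>:<url> or other:<code>.
classify_response() {
    resp=$(tr -d '\r')                                   # normalise CRLF line endings
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')       # up to the first empty line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')        # everything after it
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    if [ -n "$location" ] && { [ "$status" = 301 ] || [ "$status" = 302 ]; }; then
        echo "redirect:$status:$location"                # noerror.php sent a Location header
    elif printf '%s\n' "$body" | grep -qiE 'apache|centos'; then
        echo "leak:$status"                              # body still names the server software
    elif [ -z "$(printf '%s' "$body" | tr -d ' \t\n')" ]; then
        echo "blank:$status"                             # the empty noerror file is served
    else
        echo "other:$status"
    fi
}

# Print the Server response header, which the post notes can still give
# the software away even when the page itself is blank.
server_banner() {
    tr -d '\r' | sed '/^$/q' | sed -n 's/^[Ss]erver: *//p' | head -n 1
}

# Constructed responses for the states the post walks through.
sample() {
    srv='Server: Apache/2.2.15 (CentOS)'
    case "$1" in
        welcome)   printf 'HTTP/1.1 403 Forbidden\r\n%s\r\n\r\n<title>Apache HTTP Server Test Page powered by CentOS</title>\n' "$srv" ;;
        forbidden) printf 'HTTP/1.1 403 Forbidden\r\n%s\r\n\r\n<h1>Forbidden</h1><address>Apache/2.2.15 (CentOS) Server</address>\n' "$srv" ;;
        blank)     printf 'HTTP/1.1 403 Forbidden\r\n%s\r\nContent-Length: 0\r\n\r\n' "$srv" ;;
        redirect)  printf 'HTTP/1.1 301 Moved Permanently\r\n%s\r\nLocation: http://www.somedomain.com\r\n\r\n' "$srv" ;;
    esac
}

for s in welcome forbidden blank redirect; do
    echo "$s: $(sample "$s" | classify_response) [Server: $(sample "$s" | server_banner)]"
done
```

With the functions loaded in your shell, `curl -si http://<server-ip>/ | classify_response` runs the same check against the live server.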