Sonsivri
Topic: Siemens CAD tools call home. ISP ordered to hand over details, Australian court

Sideshow Bob
« on: July 02, 2020, 08:44:36 »

https://torrentfreak.com/isp-ordered-to-hand-over-pirates-details-after-cracked-software-phoned-home-200629/
I came across this article. I guess we will see a lot more of this in the future. I post this as a general warning. In order to stay safe you more or less have to air-gap your PC. I guess they will first go after corporate business use of the software. But as seen with, for example, SolidWorks, even hobbyist non-profit users have been targeted.

fnarf
« Reply #1 on: June 21, 2021, 14:40:35 »

I've encountered this fairly recently with a couple of applications. One even uses DNS queries to exfiltrate license data in parallel with the other methods (HTTPS and direct SMTP). They *really* want to know who is using their software!

I now run all my "applications" in virtual machines which are not routed to the outside world and use a separate dnsmasq instance for DNS which logs all requests but forwards only local to my network.
This allows all the VMs access to the file servers, printers and IoT garbage, but prevents anything leaking outside and makes it easy to MITM or selectively permit/log anything that needs analysis.

As a bonus I'm also not worried about using Windows in the VMs because they can't phone home.

engineer
« Reply #2 on: June 23, 2021, 06:52:21 »

Actually, Synopsys and Cadence do the same thing as well.

zelea2
« Reply #3 on: June 23, 2021, 21:42:43 »

When using CAD programs I collect the requests to the outside and then place the host names in my /etc/hosts file.
Some of these hostnames are deliberately encrypted in the executables so you can't easily patch them.
-----------------------------------------------------------
0.0.0.0 srv1.updates.synopsys.com
0.0.0.0 srv2.updates.synopsys.com
0.0.0.0 srv3.updates.synopsys.com
0.0.0.0 srv1.sw.synopsys.com
0.0.0.0 srv2.sw.synopsys.com
0.0.0.0 srv3.sw.synopsys.com
0.0.0.0 authnz-prod.wsroute.mathworks.com
0.0.0.0 notifications.wsroute.mathworks.com
0.0.0.0 notifications.mathworks.com
0.0.0.0 services.mathworks.com
0.0.0.0 authnz.mathworks.com
0.0.0.0 edasoftwareupdate2.software.keysight.com
0.0.0.0 update1.cadence.com
0.0.0.0 update2.cadence.com
0.0.0.0 swupdate.aldec.com
------------------------------------------------------------
Here's a trick to run applications in Linux without internet access:
Make a new group:
    addgroup --system no-internet
Then put this in your firewall and adjust the IP ranges accordingly:
    iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner no-internet -d 10.8.0.0/24 -j ACCEPT
    iptables -A OUTPUT -m owner --gid-owner no-internet -j REJECT
Then if it's a single executable you can do:
    chgrp no-internet cad_executable
    chmod 02755 cad_executable   # to make it setgid
When you have multiple executables and shell scripts, just launch them with sudo.
First place this (replace 'user' with your username) in your /etc/sudoers file so you won't need to enter your password every time:
    user    ALL =(user:no-internet) NOPASSWD: ALL
Then simply start your CAD like this:
    sudo -g no-internet start_cad
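The same group-based egress policy, as an added example that is not zelea2's code and does not touch netfilter: it renders the iptables/ip6tables lines from one ordered rule list and evaluates sample destinations against that same list with first-match semantics, so two things the posted rules leave open can be checked without root. First, -A appends, so the catch-all REJECT must be last or the LAN ACCEPTs never match. Second, the posted rules exist only in the IPv4 table; on a dual-stack host a process in the group can still reach the outside over IPv6 unless ip6tables gets the same rules. The group name and the IPv4 ranges mirror the post; the IPv6 ranges, the ACCEPT chain policy and the sample destinations are assumptions.

```python
"""Egress rules for a 'no-internet' group plus an offline first-match simulator.

Added example; not the code from the post, and it touches no kernel state.
Assumptions: group name and IPv4 ranges as posted; chain policy ACCEPT (stock
host); the IPv6 ranges (loopback, link-local) and sample addresses are
illustrative.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

GROUP = "no-internet"  # group name as in the post


@dataclass(frozen=True)
class Rule:
    family: int         # 4 -> iptables, 6 -> ip6tables
    dst: Optional[str]  # CIDR, or None for "any destination"
    verdict: str        # ACCEPT or REJECT

    def net(self):
        return None if self.dst is None else ipaddress.ip_network(self.dst, strict=False)


def allow(cidr: str) -> Rule:
    net = ipaddress.ip_network(cidr, strict=False)
    return Rule(net.version, str(net), "ACCEPT")


# Rules as posted: loopback, LAN and VPN allowed, everything else rejected,
# but only in the IPv4 table.
POSTED_RULES: List[Rule] = [
    allow("127.0.0.0/8"),
    allow("192.168.1.0/24"),
    allow("10.8.0.0/24"),
    Rule(4, None, "REJECT"),
]

# Same policy with an ip6tables half so a dual-stack host does not leak over v6.
# Assumed v6 allowance: loopback and link-local only.
HARDENED_RULES: List[Rule] = POSTED_RULES + [
    allow("::1/128"),
    allow("fe80::/10"),
    Rule(6, None, "REJECT"),
]


def render(rules: List[Rule], group: str = GROUP) -> List[str]:
    """One command line per rule. The owner match exists only in OUTPUT and -A
    appends, so list order is evaluation order."""
    lines = []
    for r in rules:
        tool = "iptables" if r.family == 4 else "ip6tables"
        dst = f"-d {r.dst} " if r.dst else ""
        lines.append(f"{tool} -A OUTPUT -m owner --gid-owner {group} {dst}-j {r.verdict}")
    return lines


def evaluate(rules: List[Rule], dst: str, policy: str = "ACCEPT") -> str:
    """First-match verdict for a packet from a process in the group. Rules of
    the other address family are skipped; no match falls through to the chain
    policy, which is where the IPv6 gap in the posted rules shows up."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.family != addr.version:
            continue
        net = r.net()
        if net is None or addr in net:
            return r.verdict
    return policy


def unreachable(rules: List[Rule]) -> List[Rule]:
    """Rules placed after a catch-all of their own family; they can never match."""
    seen_catch_all = set()
    dead = []
    for r in rules:
        if r.family in seen_catch_all:
            dead.append(r)
        elif r.dst is None:
            seen_catch_all.add(r.family)
    return dead


if __name__ == "__main__":
    for line in render(HARDENED_RULES):
        print(line)
    for d in ("192.168.1.53", "8.8.8.8", "2606:4700::1111"):
        print(d, "posted:", evaluate(POSTED_RULES, d), "hardened:", evaluate(HARDENED_RULES, d))
```

Two caveats belong next to the posted procedure. The setgid route (chmod 02755) makes the kernel set AT_SECURE for the process, so the dynamic loader ignores LD_LIBRARY_PATH and LD_PRELOAD, which breaks CAD launchers that depend on them; sudo -g as posted, or sg no-internet -c 'start_cad', avoids that and the group is inherited by every child process. And because the LAN range is allowed, a process in the group can still talk to the LAN resolver, which forwards upstream, so this alone does not stop the DNS-based leak fnarf describes; for that the resolver the VM or process can reach has to be the restricted one.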
dikris
« Reply #4 on: June 24, 2021, 03:15:08 »

Quote from: fnarf
I've encountered this fairly recently with a couple of applications. One even uses DNS queries to exfiltrate license data in parallel with the other methods (HTTPS and direct SMTP). They *really* want to know who is using their software!

I now run all my "applications" in virtual machines which are not routed to the outside world and use a separate dnsmasq instance for DNS which logs all requests but forwards only local to my network.
This allows all the VMs access to the file servers, printers and IoT garbage, but prevents anything leaking outside and makes it easy to MITM or selectively permit/log anything that needs analysis.

As a bonus I'm also not worried about using Windows in the VMs because they can't phone home.

Thank you for the suggestion.
What about having the network adapter of the VM set to "host-only"? What would be the disadvantages of this method compared with the dnsmasq you are using (which I am not familiar with)?

fnarf
« Reply #5 on: June 27, 2021, 16:26:56 »

Quote from: dikris
Thank you for the suggestion.
What about having the network adapter of the VM set to "host-only"? What would be the disadvantages of this method compared with the dnsmasq you are using (which I am not familiar with)?

I use dnsmasq for two reasons:

Firstly, it lets me selectively forward DNS requests. So for example the .home subnet which my network is built around gets forwarded to my local home DNS, so the VM can resolve all of the local machines and devices.

More important for me is that it logs every request, and at the end of each day I get an e-mail with a list of domains and which devices attempted to resolve them. This is useful information, but more so when you are "examining" software to see what it might be trying to do behind your back (like exfiltrating data using DNS requests).

I assume (dangerous, I know) "host-only" sets the VM up such that it's an entirely local network to the host. If that works for you, and the VM isn't able to reach your local DNS, then it's probably OK. Originally I had my VMs isolated on a different subnet and only permitted to access the local network, but they were resolving using my home DNS so were leaking data that way. It depends on what you are running and how paranoid you might be about data getting out.

My setup is probably over the top for most, but some of the software I've been looking at tends to use extreme methods to "phone home".

token0
« Reply #6 on: June 27, 2021, 18:14:31 »

My setup is not a panacea for every case, but I hope it will be helpful. I tried to make it more secure and enjoyable:

Gateway/router host running a WireGuard connection to a remote VPS in another country and a Tor daemon; the IPv6 connection comes from a remote broker. It runs:

- a separate dnscrypt instance for resolving ipset lists via non-filtering DNS servers

- routing and iptables rules applied for these connections, but these are not default routes; they use fwmarks for specified rulesets (ipset hash tables)

- a few daemons that monitor separate lists of hosts/networks that need to be blocked (for example, a separate script for auto-updating the list of Microsoft telemetry hosts), whitelisted, or routed through the VPS or onion. If a list is modified, it is parsed immediately to find hostnames, which are then resolved (via a non-filtering DNS server) into IP addresses, and when cache creation is complete, those caches are fed to ipset as lists (of both hosts and networks in CIDR notation). * It is very convenient to override whole network blocks, which can be found by AS in whois.

- a rule to forward all DNS traffic to my DNS server for "dumb clients" such as Android devices, which do not obey the setting to use my DNS server as default.

The main DNS server runs on a separate SBC with 2 GB of RAM and a pretty fast flash drive; it runs:

- dnscrypt resolver A for clearnet, set to non-filtering, non-logging servers

- dnscrypt resolver B for specific TLDs from OpenNIC

- a namecoin daemon with an nmcdns proxy to resolve .bit TLDs (also with a kick-balls script, which tries to resolve some .bit domain every few minutes; if it does not resolve, that means the blockchain height is stuck, so it invalidates the last block and tries to redownload a valid one)

- an emercoin daemon to resolve [.lib, .coin, .bazar, etc...] TLDs

- Pi-hole on the standard DNS port 53 processes all queries from my network; it is very efficient at caching and filtering. It also collects statistics. The FTLDNS service is a dnsmasq fork, but faster than the original. It takes the same config files as dnsmasq. It then forwards all queries to dnscrypt or the *coin resolvers according to their TLD. It also forwards .onion queries to my main router, where the Tor daemon is running (you really can't resolve .onion on one Tor instance and forward it to another; it wouldn't work that way, so there is only one instance).

MrStreebGreebling
« Reply #7 on: July 05, 2021, 22:56:30 »

Ansys HFSS does the phone home thing.

MrStreebGreebling
« Reply #8 on: November 07, 2022, 12:34:25 »

Is there an easy way to check that a host-only VM isn't seeing a DNS server it shouldn't? (My networking knowledge is very basic.)

ipconfig /all from the VM shows these DNS servers:


Thanks

h0nk
« Reply #9 on: November 08, 2022, 03:06:09 »

Hello MrStreebGreebling,

some things good to know:

Any DHCP access will leave the IPs of the propagated DNS servers hidden.
So any output of "ipconfig /all" may be meaningless,
because these hidden entries will be used.
There are some special options for ipconfig you may try:
ipconfig /flushdns
ipconfig /release

You should check that these hidden entries are gone, with
Wireshark or similar tools.
Your VM should use a DNS that only knows internal names at your site.
This may also apply to your VM host.


Some things you should avoid:

Even if the VM has no default gateway, information may leak
through these hidden DNS entries,
just because your DNS service may resolve addresses which the VM cannot connect to directly. But your DNS service can.

So: take care.


Best Regards
« Last Edit: November 08, 2022, 03:19:18 by h0nk »

anotherandrew
« Reply #10 on: November 09, 2022, 01:31:55 »

Quote from: fnarf
More important for me is that it logs every request, and at the end of each day I get an e-mail with a list of domains and which devices attempted to resolve them. This is useful information, but more so when you are "examining" software to see what it might be trying to do behind your back (like exfiltrating data using DNS requests).

Hi, can you please share details on how the email log is set up? This sounds interesting.
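One way to produce the daily per-device mail fnarf describes and anotherandrew asks about, as an added example: this is not fnarf's setup, which he did not post. It assumes dnsmasq runs with log-queries and its lines reach syslog in the "query[TYPE] name from client" form, parses them into a per-client count of external names, and flags names that look like they carry data (hex-like or high-entropy labels, over-long labels, TXT/NULL lookups), which is the DNS-exfil pattern fnarf mentions earlier in the thread. The sample log lines are constructed; the vendor names in them come from the hosts list zelea2 posted, except lic.example-vendor.net, which is invented to stand in for a tunnelled query. Piping report() into mail -s from a nightly cron job is the assumed delivery; the thresholds are starting points, not tuned values.

```python
"""Daily per-client summary of dnsmasq query logs with DNS-exfil heuristics.

Added example, not fnarf's own setup. Assumes dnsmasq is started with
log-queries and its syslog lines carry 'query[TYPE] name from client'.
SAMPLE_LOG is constructed; lic.example-vendor.net is an invented name.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Only the three fields we need are anchored, so the syslog prefix can vary.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")

# Constructed sample shaped like syslog output from dnsmasq with log-queries.
SAMPLE_LOG = """\
Nov  8 03:06:09 dnsmasq[812]: query[A] srv1.updates.synopsys.com from 192.168.1.50
Nov  8 03:06:09 dnsmasq[812]: config srv1.updates.synopsys.com is 0.0.0.0
Nov  8 03:06:10 dnsmasq[812]: query[AAAA] srv1.updates.synopsys.com from 192.168.1.50
Nov  8 03:06:12 dnsmasq[812]: query[TXT] 3a7f9c0e4d2b18a6f5e7c9d0b1a2f3e4.lic.example-vendor.net from 192.168.1.50
Nov  8 03:06:12 dnsmasq[812]: forwarded 3a7f9c0e4d2b18a6f5e7c9d0b1a2f3e4.lic.example-vendor.net to 192.168.1.1
Nov  8 03:07:01 dnsmasq[812]: query[A] fileserver.home from 192.168.1.61
Nov  8 03:07:30 dnsmasq[812]: query[A] authnz-prod.wsroute.mathworks.com from 192.168.1.61
"""


class Query(NamedTuple):
    qtype: str
    name: str
    client: str


def parse(lines) -> List[Query]:
    """Keep only query lines; config/forwarded/reply lines are ignored."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append(Query(m["qtype"], m["name"].rstrip(".").lower(), m["client"]))
    return out


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; hex data sits near 4, words near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious(q: Query) -> List[str]:
    """Signals that a query name is carrying data. Each one alone is weak."""
    labels = q.name.split(".")
    reasons = []
    if any(len(l) > 24 for l in labels):
        reasons.append("long label")
    if any(HEX_LABEL.match(l) for l in labels):
        reasons.append("hex-like label")
    if any(len(l) >= 12 and entropy(l) > 3.5 for l in labels):
        reasons.append("high-entropy label")
    if len(labels) > 6:
        reasons.append("many labels")
    if len(q.name) > 100:
        reasons.append("very long name")
    if q.qtype in ("TXT", "NULL"):       # record types a desktop app rarely needs
        reasons.append(f"{q.qtype} query")
    return reasons


def summarize(queries: List[Query], local_suffix: str = ".home") -> Dict[str, Dict[str, object]]:
    """Per client: a Counter of external names and a dict of flagged names -> reasons."""
    per_client = defaultdict(lambda: {"names": Counter(), "flagged": {}})
    for q in queries:
        if q.name.endswith(local_suffix):
            continue                     # names of the local network are not of interest
        entry = per_client[q.client]
        entry["names"][q.name] += 1
        reasons = suspicious(q)
        if reasons:
            entry["flagged"][q.name] = sorted(set(entry["flagged"].get(q.name, [])) | set(reasons))
    return dict(per_client)


def report(queries: List[Query]) -> str:
    """Text body for the daily mail: one block per client, busiest names first."""
    lines = []
    for client, entry in sorted(summarize(queries).items()):
        lines.append(f"{client}:")
        for name, n in entry["names"].most_common():
            flag = "  !! " + ", ".join(entry["flagged"][name]) if name in entry["flagged"] else ""
            lines.append(f"  {n:4d}  {name}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse(SAMPLE_LOG.splitlines())))
```

Run it over the previous day's syslog slice. Names under the local suffix are dropped so the mail only lists what tried to leave; anything flagged with !! is a candidate for the 0.0.0.0 hosts-file treatment from earlier in the thread, and a TXT lookup against a long hex label from a CAD workstation is exactly the shape of a licence check riding on DNS.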