Siemens CAD tools call home. ISP Ordered to hand over details Australian court

[Sideshow Bob]

https://torrentfreak.com/isp-ordered-to-hand-over-pirates-details-after-cracked-software-phoned-home-200629/
I came over this article. I guess we will see a lot more of this in the future. I post this as an genrell warning. In order to stay safe you more or less have to air gap your PC. I guess they in the first hand will go after corporate business use of the software. But as seen with for example Solids Works even hobbyist non profit users have been targeted

[fnarf]

I've encountered this fairly recently with a couple of applications. One even uses dns queries to exfiltrate license data in parallel with the other methods (https and direct SMTP). They *really* want to know who is using their software!

I now run all my "applications" in virtual machines which are not routed to the outside world and use a separate dnsmasq instance for dns which logs all requests but forwards only local to my network.
This allows all the VMs access to the file servers, printers and IoT garbage, but prevents anything leaking outside and makes it easy to mitm or selectively permit/log anything that needs analysis.

As a bonus I'm also not worried about using Windows in the VMs because they can't phone home.

[engineer]

Actually, Synopsys and Cadence do the same thing as well.

[zelea2]

When using CAD programs I'm collecting the requests to the outside and then I place the host names in my /etc/hosts file
Some of these hostnames are deliberately encrypted in the executables so you can't easily patch them.
-----------------------------------------------------------
0.0.0.0 srv1.updates.synopsys.com
0.0.0.0 srv2.updates.synopsys.com
0.0.0.0 srv3.updates.synopsys.com
0.0.0.0 srv1.sw.synopsys.com
0.0.0.0 srv2.sw.synopsys.com
0.0.0.0 srv3.sw.synopsys.com
0.0.0.0 authnz-prod.wsroute.mathworks.com
0.0.0.0 notifications.wsroute.mathworks.com
0.0.0.0 notifications.mathworks.com
0.0.0.0 services.mathworks.com
0.0.0.0 authnz.mathworks.com
0.0.0.0 edasoftwareupdate2.software.keysight.com
0.0.0.0 update1.cadence.com
0.0.0.0 update2.cadence.com
0.0.0.0 swupdate.aldec.com
------------------------------------------------------------
Here's a trick to run applications in Linux without internet access:
Make a new group:

addgroup --system no-internet

Then put this in your firewall and adjust the IP ranges accordingly :

iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.1/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 10.8.0.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j REJECT

Then if it's a single executable you can do

chgrp no-internet cad_executable
chmod 02755 cad_executable # to make it setgid

When you have multiple executable and shell scripts just launch then with sudo.
First place this (replace 'user' with your username) in your /etc/sudoers file so you won't need to enter your password every time

user    ALL =(user:no-internet) NOPASSWD: ALL

Then simply start your CAD like this:

sudo -g no-internet start_cad

[dikris]

I've encountered this fairly recently with a couple of applications. One even uses dns queries to exfiltrate license data in parallel with the other methods (https and direct SMTP). They *really* want to know who is using their software!

I now run all my "applications" in virtual machines which are not routed to the outside world and use a separate dnsmasq instance for dns which logs all requests but forwards only local to my network.
This allows all the VMs access to the file servers, printers and IoT garbage, but prevents anything leaking outside and makes it easy to mitm or selectively permit/log anything that needs analysis.

As a bonus I'm also not worried about using Windows in the VMs because they can't phone home.

I've encountered this fairly recently with a couple of applications. One even uses dns queries to exfiltrate license data in parallel with the other methods (https and direct SMTP). They *really* want to know who is using their software!

I now run all my "applications" in virtual machines which are not routed to the outside world and use a separate dnsmasq instance for dns which logs all requests but forwards only local to my network.
This allows all the VMs access to the file servers, printers and IoT garbage, but prevents anything leaking outside and makes it easy to mitm or selectively permit/log anything that needs analysis.

As a bonus I'm also not worried about using Windows in the VMs because they can't phone home.

Thank you for the suggestion.
What about having the network adapter of the VM set to "host-only". What would be the disadvantages of this method compared with dnsmasq you are using (which I am not familiar with)

[fnarf]

Thank you for the suggestion.
What about having the network adapter of the VM set to "host-only". What would be the disadvantages of this method compared with dnsmasq you are using (which I am not familiar with)

I use dnsmasq for 2 reasons :

Firstly it lets me selectively forward dns requests. So for example the .home subnet which my network is built around gets forwarded to my local home DNS, so the VM can resolve all of the local machines and devices.

The more important for me is it logs every request and at the end of each day I get an E-mail with a list of domains and which devices attempted to resolve them. This is useful information, but moreso when you are "examining" software to see what it might be trying to do behind your back (like exfiltrating data using DNS requests).

I assume (dangerous, I know) "host-only" sets the VM up such that it's an entirely local network to the host. If that works for you, and the VM isn't able to reach your local DNS then it's probably ok. Originally I had my VMs isolated on a different subnet and only permitted to access the local network, but they were resolving using my home DNS so were leaking data that way. It depends on what you are running and how paranoid you might be about data getting out.

My setup is probably over the top for most, but some of the software I've been looking at tends to use extreme methods to "phone home".

[token0]

My setup is not a particular case panacea, but I hope it would be helpful. I tried to make it more secure and enjoyable:


Gateway/router host running wireguard connection to remote VPS in another country and tor daemon and ipv6 connection is from remote broker, it runs:

- separate dnscrypt instance for resolving ipset lists via non-filtering DNS servers

- routing and iptables rules are applied for these connections, but these are not default routes, but with fwmarks for specified rulesets (ipset hash tables)

- there are few daemons running that are monitoring separate lists of hosts/networks that need to be blocked (for example, separate script for auto updating list of microsoft telemerty hosts) or whitelisted, routed through VPS or onion, also if some list are modified, that list is parsed immediately to find hostnames, which are then resolved (via non-filtering DNS server) in ip addresses, and when complete cache creation is finished, that caches are feeded to ipset as lists (of both hosts and networks in CIDR notation). * It is very convenient to override whole network blocks, which could be found by AS in whois.

- and rule to forward all DNS traffic to my DNS server for "dumb clients" such as android devices, which are not obeying to use my DNS server as default.


Main DNS server is running on separate SBC with 2 GB of RAM and pretty fast flash drive, it runs:

- dnscrypt resolver A for clearnet is set to non-filtering non-logging servers

- dnscrypt resolver B for specific TLDs from OpenNIC

- namecoin daemon with nmcdns proxy to resolve .bit TLDs (also with kick-balls script, which tries to resolve some .bit domain each few minutes, and if it is not resolving, that means blockchain height is stuck, it invalidates last block and tries to redownload valid one)

- emercoin daemon to resolve [.lib, .coin, .bazar, etc...] TLDs

- Pi-hole on standard DNS port 53 is processing all queries from my network, it is very efficient in caching and filtering. It also collects statistics. FTLDNS service is dnsmasq fork, but faster than original. It takes the same config files as the dnsmasq. Then it forwards all queries to dnscrypt or *coin resolvers accordingly to their TLD. Also it forwards .onion queries to my main router, where tor daemon is running (you really can't resolve .onion on one tor instance and forward it to another — it wouldn't work that way, so there is only one instance).

[MrStreebGreebling]

Ansys HFSS does the phone home thing.

[MrStreebGreebling]

Is there an easy way to check a host-only VM isn't seeing a DNS server it shouldn't? (My networking knowledge is very basic)

ipconfig/all from the VM shows these DNS servers:


thnx

[h0nk]

Hello MrStreebGreeb,

some things good to know:

Any DHCP-Access will leave the IP of the propagated DNS Servers hidden.
So any output of "ipconfig /all" may be meaningless.
Because these hidden entries will be used.
There are some special options for ipconfig You may try:
ipconfig /flushdns
ipconfig /release

You should check that these hidden entries are gone, with
wireshark or similar tools.
Your VM should use a DNS, that only knows internal names at Your site.
This may also apply to Your VM Host.


Some things You should avoiid:

Even if the VM has no default gateway, information may leak
through these hidden DNS entries.
Just because Your DNS service may resolve addresses which the VM can not connect directly. But Your DNS service can.

So: Take care


Best Regards

[anotherandrew]

The more important for me is it logs every request and at the end of each day I get an E-mail with a list of domains and which devices attempted to resolve them. This is useful information, but moreso when you are "examining" software to see what it might be trying to do behind your back (like exfiltrating data using DNS requests).

Hi can you please share details on how the email log is set up? This sounds interesting.