The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Delphi: disable or change your welcome page to not use the Embarcadero site (as that site has been hacked twice this weekend)

Posted by jpluimers on 2016/03/14

Initial hack – image via the forums server.

This weekend, the Embarcadero web site was hacked by AnonCoders. Not once (see also G+ link and DelphiPraxis link and image) but at least twice (see also G+ link and image and Delphi Praxis link and image): the initial defacement, the simple text “Hacked By AnonCoders ~ Cyber Caliphate”, was reverted – hopefully by Embarcadero staff – and later replaced with more graphical content.

Hack presenting itself in the IDE – image via the forums server.

The Welcome Page inside the Delphi IDE uses the Embarcadero web site, so the Delphi IDE Welcome Page was also affected (see also this G+ link).

Because the IDE loads this on-line content, potentially any code could be executed inside the IDE (apart from that page being loaded over http, so any man-in-the-middle could abuse this too, but I digress). This poses a security risk, as many developers run the IDE from accounts with more rights than the average user.

Waiting for an Embarcadero statement

At least until Embarcadero responds with a statement about the hacking (when writing this, they still haven’t), it is wise to disable the Welcome Page. Note that I’m not the only one urging Embarcadero to post a statement; any statement, even “working on it”, will do.

The second hack – image via Delphi Praxis

Avoid the Embarcadero servers for a while

I’ve avoided the Embarcadero servers myself for quite a long time because their TLS implementation was (and still is) so bad that I don’t trust them with my personal information.

Now they managed to have https://embarcadero.com redirect to http://www.embarcadero.com as well.

Not long ago, there were also issues on the community server (besides it doing login over plain http) with Japanese adverts like this (luckily they are gone now), up to the point where even Google suspected the site to be hacked (see below) and, worse, Google still thinks it might be.

Disabling the Delphi Welcome Page

Each Delphi version has a “Known IDE Packages” key in the registry; for instance, the Stack Overflow question “delphi – Detailed description of “Known IDE Packages” …” shows the entry for BDS 9 aka compiler 160 aka Delphi XE (don’t you love version numbers as much as they do? Delphi Dabbler has a reference matrix for them):

[HKEY_CURRENT_USER\Software\Embarcadero\BDS\9.0\Known IDE Packages]

having

"$(BDS)\\Bin\\startpageide160.bpl"="Start Page IDE Package"

Add an underscore to startpageide160.bpl in the value name so it becomes _startpageide160.bpl, then restart the Delphi IDE: the Welcome Page is gone, because the IDE no longer finds a package at the renamed path.
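As an added example (not code from the original post or from Embarcadero), a PowerShell script that applies the rename above to every Delphi version found under HKCU, and undoes it with -Restore. It assumes the start page value name always ends in \startpageideNNN.bpl, which the post only shows for 160; run it with -WhatIf first to preview the changes.

```powershell
<#
  Added example, not code from the original post: disable (or restore) the Delphi
  Welcome Page for every BDS version registered under HKCU by renaming the
  "Known IDE Packages" value name with a leading underscore, as the post describes.
  Assumes the value name ends in "\startpageide<NNN>.bpl" for every version (the
  post only shows 160). Close the IDE first; use -WhatIf to preview the changes.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Restore   # strip the underscore again, re-enabling the Welcome Page
)

$bdsRoot = 'HKCU:\Software\Embarcadero\BDS'
if (-not (Test-Path -LiteralPath $bdsRoot)) {
    Write-Warning "No Embarcadero BDS key found at $bdsRoot"
    return
}

# One subkey per installed IDE version, e.g. ...\BDS\9.0 or ...\BDS\17.0
foreach ($versionKey in Get-ChildItem -LiteralPath $bdsRoot) {
    $kipPath = Join-Path -Path $versionKey.PSPath -ChildPath 'Known IDE Packages'
    if (-not (Test-Path -LiteralPath $kipPath)) { continue }

    $kip = Get-Item -LiteralPath $kipPath
    foreach ($name in $kip.GetValueNames()) {
        # Only the start page package, whether enabled or already disabled
        if ($name -notmatch '\\_?startpageide\d+\.bpl$') { continue }

        # The value name is the package path the IDE loads, so prefixing the
        # file name with "_" makes the IDE skip it; -Restore removes the prefix.
        if ($Restore) {
            $newName = $name -replace '\\_startpageide', '\startpageide'
        } else {
            $newName = $name -replace '\\startpageide', '\_startpageide'
        }

        if ($newName -eq $name) {
            Write-Verbose "BDS $($versionKey.PSChildName): '$name' already in the requested state"
            continue
        }

        Write-Host "BDS $($versionKey.PSChildName): '$name' -> '$newName'"
        # Honours -WhatIf / -Confirm passed to the script via SupportsShouldProcess
        Rename-ItemProperty -LiteralPath $kipPath -Name $name -NewName $newName
    }
}
```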

Thanks Uwe Raabe for reminding me of that.

Replacing the Welcome Page with a much more useful one

Last year, Daniel Wolf wrote a new Welcome Site plugin for Delphi. His article with instructions to remove the default Welcome Page and install the package, Meine Vorstellung einer Willkommens-Seite – IT-Consulting d.wolf, is in German, so you might have missed it, but the Google Translate version, My idea of a welcome page, is actually quite OK, so it’s worth installing.

The good news: he released a new version today (after a small #lovewins glitch) which you can download from pkgWuppdiWP_DX10S_1-1-1.zip (83,2 KB).

Have fun with that!

–jeroen

PS: the Embarcadero forums server loses messages and threads over time, hence quite a few of the links in this article are through saved web.archive.org links. Those links are slow, but at least are retained for much longer than the Embarcadero server does.

Even Google thought the community site could be hacked – image by myself

PPS: I posted these comments at G+ earlier before finding my note “http://community.embarcadero.com (the replacement of the forums server which like the original is down a lot of the time) which for a long time defaulted to http login at http://community.embarcadero.com/login (hopefully it doesn’t do that any more)”:

I’m not surprised. Neither the IT team nor the development team at Embarcadero seem very security aware. QC for instance cannot even use HTTPS to connect to the SOAP server, which means your credentials are always sent over the wire in plaintext. The SSL configuration of both their web and mail servers is vulnerable to various attacks. Some of their web sites use plain HTTP for login. The development products only check local things, but not information obtained over the network. App Tethering doesn’t use any form of connection level security (but passwords are salted and hashed). But don’t place anything DLL-like in the Delphi bin directory or tamper with anything executable there: it’s either a “quit Delphi now” or a “license issue” you will get.
I understand their wish to protect against unlicensed Delphi usage, but wish they cared as much for the security of their customers (and recursive customers of their customers) as they cared about the revenue stream.

and

You have to go through their hacked infrastructure to download/install/register their products.

Until I see a statement detailing which parts of their infrastructure are safe (including grade B or better TLS), I won’t install their products.

It’s not hard to put a proper TLS in front of internal http. https://pluimers.com does that. Even though it makes little sense, you can even do it for external links: https://pluimers.com/wiert is nothing but a shell around http://wiert.me as an experiment to see if it would work (as the paid WordPress.com cheaply fails to put the proper domain information on https://wiert.me).

The WordPress.com certificate issue (which has been known and unresolved for more than a year) is:

This server could not prove that it is wiert.me; its security certificate is from *.wordpress.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Note that because of the bad WordPress.com certificate issue, you cannot have Apache2 redirect https://pluimers.com/wiert to https://wiert.me, as you get an error in the log like the one below; this also shows that HTTPS certificate checking works (yes, I still need to work on the “Hint: SSLProxyEngine” issue):

[Mon Mar 14 17:21:37.607104 2016] [proxy:debug] [pid 1658] mod_proxy.c(1160): [client 82.161.132.169:46945] AH01143: Running scheme https handler (attempt 0)
[Mon Mar 14 17:21:37.607123 2016] [proxy:debug] [pid 1658] proxy_util.c(2160): AH00942: HTTPS: has acquired connection for (wiert.me)
[Mon Mar 14 17:21:37.607139 2016] [proxy:debug] [pid 1658] proxy_util.c(2213): [client 82.161.132.169:46945] AH00944: connecting https://wiert.me/ to wiert.me:443
[Mon Mar 14 17:21:37.613334 2016] [proxy:debug] [pid 1658] proxy_util.c(2422): [client 82.161.132.169:46945] AH00947: connected / to wiert.me:443
[Mon Mar 14 17:21:37.616892 2016] [proxy:debug] [pid 1658] proxy_util.c(2799): AH02824: HTTPS: connection established with 192.0.78.25:443 (wiert.me)
[Mon Mar 14 17:21:37.616912 2016] [ssl:error] [pid 1658] [remote 192.0.78.25:443] AH01961: SSL Proxy requested for http://www.pluimers.com:443 but not enabled [Hint: SSLProxyEngine]
[Mon Mar 14 17:21:37.616919 2016] [proxy:error] [pid 1658] AH00961: HTTPS: failed to enable ssl support for 192.0.78.25:443 (wiert.me)
[Mon Mar 14 17:21:37.616926 2016] [proxy:debug] [pid 1658] proxy_util.c(2175): AH00943: HTTPS: has released connection for (wiert.me)

13 Responses to “Delphi: disable or change your welcome page to not use the Embarcadero site (as that site has been hacked twice this weekend)”

  1. […] XE8 and below versions are a security risk as they directly fetch information from the embarcadero web-site (which got hacked a few times in the past). […]

  2. […] jpluimers on Delphi: disable or change your… […]

  3. Gordon Niessen said

    I commented out the Online banner load in the default.htm page in the C:\Program Files (x86)\Embarcadero\Studio\16.0\Welcomepage folder. It shows I am offline, but I still get to see the recent and favorite projects.

  4. Michal said

    having
    "$(BDS)\Bin\startpageide160.bpl"="_Start Page IDE Package"

    • jpluimers said

      Didn’t try that one yet. Does it work as well?

      • IL said

        Certainly disabling the IDE package is the easiest way, especially with D10Distiller. There are many other IDE packages that you might want to disable.
        My personal D10 disable list includes:
        communitytoolbar
        comptoolbar
        gdbdebugide
        gdbdebugcore
        devicemanager
        guidedtour
        ios32debugide
        ios64debugide
        sdkmgride
        startpage
        tgide
        trackingsystem!!!

  5. IL said

    Links to Daniel Wolf’s blog posts on the Welcome Page:
    https://www.danielwolf.eu/blog/2015/1653-delphi-xe8-willkommensseite-anpassen
    https://www.danielwolf.eu/blog/2015/1668-meine-vorstellung-einer-willkommens-seite

  6. Over the weekend hackers attacked the Embarcadero web site. The hack was confined to the Website CMS front end, which also serves the start page banner. The network was not accessed, and NO customer or internal data was exposed or compromised. The issue was identified and fixed.

  7. IL said

    Thanks for noting the nice Welcome Page by Daniel Wolf.
    Btw, for those who are not registered on delphipraxis.net, it would be easier to get it here: https://www.danielwolf.eu/blog/2015/1507-delphi-xe8-moderntheme-anpassen
