I have been doing a lot of work in the last few weeks dealing just with file systems, how they are structured and how they work.
Ext3, like NTFS and FAT, usually sits in DOS partitions. Basically there is a maximum of 4 primary partitions; going beyond that you need extended partitions. Each extended partition table may only point at 1 file system and 1 further extended partition.
[Figure: partition layout diagram; image was hosted on ImageShack.us]
This should give the general idea: we have an EXT or UFS file system with a total of 5 partitions, /boot, /home, /usr, /var and /srv. Going just one partition over the 4 has created a total of 3 partition tables. With only 4 partitions we would have only 1 partition table. The same applies to disks holding NTFS or FAT file systems.
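To make the partition-table count concrete, here is an added example (my own code, not from the original post) that builds a constructed 2 MiB disk image with the layout described above, three primaries plus an extended partition holding two logicals, and then walks the DOS partition table the way a forensic tool would: read the MBR, and for each extended entry follow the EBR chain, where a logical partition's start is relative to its own EBR and the link to the next EBR is relative to the start of the extended partition. The sector numbers and sizes are invented; the on-disk layout (entries at offset 446, 16 bytes each, 0x55AA signature) is the real DOS format.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended partition types (CHS and LBA variants)
LINUX = 0x83


def entry(ptype, lba_start, sectors, boot=0x00):
    """Pack one 16-byte DOS partition entry (the CHS fields are filler here)."""
    return struct.pack("<B3sB3sII", boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def table(entries):
    """Build a 512-byte sector holding a 4-slot partition table and the 0x55AA signature."""
    slots = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * 446 + slots + b"\x55\xaa"


def build_image():
    """Constructed image: /boot, /home, /usr as primaries, /var and /srv as logicals."""
    img = bytearray(SECTOR * 4096)
    ext_start = 3072
    img[0:SECTOR] = table([
        entry(LINUX, 2048, 100, boot=0x80),   # /boot
        entry(LINUX, 2148, 200),              # /home
        entry(LINUX, 2348, 300),              # /usr
        entry(0x05, ext_start, 1024),         # extended container for the logicals
    ])
    # EBR 1: logical /var starts one sector after this EBR; the link to EBR 2 is relative to ext_start
    img[ext_start * SECTOR:(ext_start + 1) * SECTOR] = table(
        [entry(LINUX, 1, 400), entry(0x05, 512, 512)])
    # EBR 2: logical /srv with no further link, so the chain ends here
    img[(ext_start + 512) * SECTOR:(ext_start + 513) * SECTOR] = table([entry(LINUX, 1, 400)])
    return bytes(img)


def read_table(img, sector):
    """Return the non-empty (type, lba, size) entries of the partition table at `sector`."""
    off = sector * SECTOR
    raw = img[off:off + SECTOR]
    if raw[510:512] != b"\x55\xaa":
        raise ValueError(f"no partition table signature at sector {sector}")
    out = []
    for i in range(4):
        boot, _, ptype, _, lba, size = struct.unpack("<B3sB3sII", raw[446 + 16 * i:446 + 16 * (i + 1)])
        if ptype:
            out.append((ptype, lba, size))
    return out


def parse(img):
    """Return (partitions with absolute start sectors, number of partition tables read)."""
    parts = []
    tables = 1
    for ptype, lba, size in read_table(img, 0):
        if ptype not in EXTENDED_TYPES:
            parts.append((ptype, lba, size))
            continue
        ext_base, ebr, seen = lba, lba, set()
        while ebr not in seen:                 # guard against a corrupt, looping EBR chain
            seen.add(ebr)
            tables += 1
            nxt = None
            for t, l, s in read_table(img, ebr):
                if t in EXTENDED_TYPES:
                    nxt = ext_base + l         # link is relative to the extended partition start
                else:
                    parts.append((t, ebr + l, s))   # logical start is relative to its own EBR
            if nxt is None:
                break
            ebr = nxt
    return parts, tables


if __name__ == "__main__":
    parts, tables = parse(build_image())
    print(f"{len(parts)} partitions described by {tables} partition tables")
    for p in parts:
        print("  type=0x%02x start=%d sectors=%d" % p)
```

Running it on the constructed image reports 5 partitions and 3 partition tables, while a disk with four primaries and no extended entry needs only the MBR. The `seen` set matters in practice: a damaged or deliberately crafted EBR that links back to itself would otherwise make a naive walker spin forever.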
It appears that after Topiary was picked up, the http://lulzsecurity.com site is down for the count. This also seems to be directly linked to viral being picked up.
There is more information on him here: http://lulzsecexposed.blogspot.com/2011/08/topiary-vanned.html
There will be a wealth of information collected from the boxes at his mom's place, I am sure.
If he was smart I am sure he had full disk encryption, but…
- You can get around it (well, if you have not yanked the cord)
- He will have to release the key to them at some point; it's an offence not to. ( http://blog.ironkey.com/?p=842 )
News like this makes me feel warm and fuzzy. Also nauseous.
So, for all of those groups and individuals hunting Anonymous and LulzSec: can anything they post be trusted?
Step back and see what is going on.
We have a group of individuals whose identities are unknown, and who are trying to stay that way. They are also diligently trying to keep law enforcement from arresting them, or at least to have someone else arrested in their place.
Then there is the group hunting them, who won't disclose who they are either.
So what if they are one and the same?
What better way to spread disinformation than to lead the hunt for yourself?
Is that a little too paranoid?
So what do you do?
My basic steps:
- Block access to the news site.
- Block access to the drop sites and download sites (if possible); at the very least, monitor for them with a signature.
- Restrict TCP port 445 between remote locations and servers where possible.
- Start updating machines with new AV signatures and system patches to stop the bleeding.
- Update the AV on the servers that require TCP 445 and cannot be patched. I have also seen some application firewalls for servers that might help.
- It might be possible to VLAN the infected workstations off the network, or route them through the main firewall to be scanned.
- Use firewall logs to identify any machines that have visited the news site. Also use logs (hopefully) to watch for TCP 445 scans around the network; on an ongoing basis an IDS signature would be good for this.
- Try to use WSUS logs to identify machines missing the needed patch, and cross-reference with AV logs for missing signatures.
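The log-review steps above (find who visited the news site, spot TCP 445 sweeps, cross-reference with patch and AV state) can be scripted against whatever your firewall exports. The following is an added example of my own, not from the original post: the log format, the news site's address (`203.0.113.7`) and the patch/signature inventory are all constructed placeholders, so the regex and the `INVENTORY` dict need adapting to your own firewall and WSUS/AV reports.

```python
import re
from collections import defaultdict

# Constructed placeholders: the news site's address and the log line format are assumptions
NEWS_SITE_IPS = {"203.0.113.7"}
SCAN_THRESHOLD = 5   # distinct hosts on TCP 445 from one source before we call it a scan

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample firewall log: one host visits the site and then sweeps 445, another just visits
SAMPLE_LOG = """\
2011-07-27 09:00:01 allow src=10.0.1.15 dst=203.0.113.7 proto=tcp dport=80
2011-07-27 09:00:04 allow src=10.0.1.22 dst=203.0.113.7 proto=tcp dport=443
2011-07-27 09:01:10 allow src=10.0.1.15 dst=10.0.2.1 proto=tcp dport=445
2011-07-27 09:01:10 allow src=10.0.1.15 dst=10.0.2.2 proto=tcp dport=445
2011-07-27 09:01:11 deny src=10.0.1.15 dst=10.0.2.3 proto=tcp dport=445
2011-07-27 09:01:11 deny src=10.0.1.15 dst=10.0.2.4 proto=tcp dport=445
2011-07-27 09:01:12 deny src=10.0.1.15 dst=10.0.2.5 proto=tcp dport=445
2011-07-27 09:02:00 allow src=10.0.1.40 dst=10.0.2.10 proto=tcp dport=445
2011-07-27 09:03:00 allow src=10.0.1.22 dst=198.51.100.9 proto=udp dport=53
"""

# Constructed patch/AV inventory (what WSUS and the AV console would report), keyed by IP
INVENTORY = {
    "10.0.1.15": {"patched": False, "sig_current": False},
    "10.0.1.22": {"patched": True, "sig_current": False},
    "10.0.1.40": {"patched": True, "sig_current": True},
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text, inventory):
    """Find site visitors, TCP 445 sweepers, and which of them are missing patch or signature."""
    visited = set()
    smb_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in NEWS_SITE_IPS and rec["dport"] in (80, 443):
            visited.add(rec["src"])
        # denied attempts count too: a sweep is visible whether or not the firewall let it through
        if rec["proto"] == "tcp" and rec["dport"] == 445:
            smb_targets[rec["src"]].add(rec["dst"])
    scanners = {src for src, targets in smb_targets.items() if len(targets) >= SCAN_THRESHOLD}
    # Priority list: hosts of interest that WSUS or the AV console shows as not fully covered
    priority = sorted(
        host for host in visited | scanners
        if not inventory.get(host, {}).get("patched") or not inventory.get(host, {}).get("sig_current")
    )
    return {"visited": visited, "scanners": scanners, "priority": priority}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, INVENTORY)
    print("visited news site:", sorted(result["visited"]))
    print("TCP 445 sweepers: ", sorted(result["scanners"]))
    print("priority to isolate/patch:", result["priority"])
```

A host missing from the inventory is treated as unpatched, which is the safe default when WSUS has never heard of a machine. The sweep threshold is a judgement call; five distinct targets in one log pass is low enough to catch a workstation probing its subnet and high enough that a file server's normal SMB traffic does not trip it.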
I am unsure why this took so long; I would have assumed that WikiLeaks would have acted sooner.
But they are threatening legal action if they are not able to get donations through Visa and MasterCard Europe again.
There is more information on their site.
So the police were duped into getting the wrong guy. It's hard to imagine the position that they are in: as much as there are people trying to help them, they are really on their own. There is no real way for them to use a file some guy posted to Pastebin as evidence. It's junk; you can't prove where it came from or even who posted it.
So they can really only work on direct evidence that they can prove, and then sometimes at the end of the day you arrest a kid in the UK who speaks on video with a Swedish accent.
A little more information on the person they suspect to be TFlow: it looks like the worldwide arrest total is at 60 now. I am sure more details will be released as the legal stuff rolls on.
So, to get everything up to date:
The person who was fingered as the leader of LulzSec says he is not, and has provided email headers that are supposed to prove it. The web ninjas have pointed out that the headers have a discrepancy in the X-Mailer portion: the version that is stamped did not come out until a year later.
He was then asked to provide the headers with the missing IP address, but says that is not possible.
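The two checks people are arguing about here, whether the stamped X-Mailer version existed on the date the mail claims to have been sent and whether the Received chain carries a source IP at all, are mechanical enough to script. Here is an added example of my own (not from the original post or the people discussing it) that runs both over a constructed set of headers. The mail client name `ExampleMail` and its release dates are invented for the demonstration; a real check needs the vendor's actual release history for the client in the header.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed release table for a fictional client; substitute the real vendor history when checking real mail
RELEASE_DATES = {
    "ExampleMail 1.0": datetime(2009, 3, 1, tzinfo=timezone.utc),
    "ExampleMail 2.0": datetime(2011, 6, 15, tzinfo=timezone.utc),
}

# Constructed headers: the X-Mailer version postdates the Date header, and the
# inner Received line names no source IP at all
RAW_HEADERS = """\
Received: from mail.example.net (mail.example.net [198.51.100.4])
    by mx.example.org with ESMTP id abc123;
    Sat, 10 Jul 2010 12:00:05 +0000
Received: from localhost by mail.example.net; Sat, 10 Jul 2010 12:00:01 +0000
Date: Sat, 10 Jul 2010 11:59:50 +0000
From: someone@example.net
To: other@example.org
Subject: test
X-Mailer: ExampleMail 2.0
Message-ID: <constructed@example.net>

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _received_time(received):
    """Parse the timestamp after the last ';' of a Received header, or None if absent/unparseable."""
    try:
        return parsedate_to_datetime(received.rsplit(";", 1)[-1].strip())
    except (TypeError, ValueError):
        return None


def check_headers(raw):
    """Return a list of plausibility findings for the given RFC 822 header block."""
    msg = message_from_string(raw)
    findings = []

    # 1. Was the mailer version stamped on the message available on the claimed send date?
    sent = parsedate_to_datetime(msg["Date"])
    mailer = (msg.get("X-Mailer") or "").strip()
    released = RELEASE_DATES.get(mailer)
    if released is None:
        findings.append(f"unknown X-Mailer '{mailer}': release date cannot be verified")
    elif released > sent:
        findings.append(f"X-Mailer '{mailer}' released {released:%Y-%m-%d}, after Date {sent:%Y-%m-%d}")

    # 2. Does every Received hop record a source IP, and do the hops run backwards in time?
    received = msg.get_all("Received", [])
    for i, hop in enumerate(received):
        if not IP_RE.search(hop):
            findings.append(f"Received #{i} has no source IP: {hop.split(';')[0].split()[0:4]}")
    times = [_received_time(hop) for hop in received]
    for i in range(len(times) - 1):
        if times[i] and times[i + 1] and times[i] < times[i + 1]:
            findings.append(f"Received #{i} is stamped earlier than the hop below it")
    return findings


if __name__ == "__main__":
    for f in check_headers(RAW_HEADERS):
        print("-", f)
```

Two caveats that apply to the real argument as much as to the toy: a missing release-date entry means "cannot verify", not "forged", and a header block pasted into a blog comment has already been through one set of human hands, so the script can only judge the text in front of it, not where it came from.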
So where does that leave everything?
Well, I am still waiting to see what happens before I decide for myself what's going on. It would be useful if someone tested all of this to clear up the header confusion though. Just not me.
You can catch up here, and check out the comments.