Anyone who knows anything about security researchers and bloggers knows of Brian Krebs and his blog, KrebsOnSecurity.com; nevertheless, here’s some background in case you’re wondering:
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
According to Dan Goodin at Ars Technica, Krebs is known for work that includes:
- “Exposés [that] completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network” and, more recently,
- “Investigative journalism that followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.”
It’s hardly a surprise that he has made enemies in the cybercrime underworld. Last week, some of those enemies attacked him. Writing in a March 13 blog post, he described what happened:
It’s not often that one has the opportunity to be the target of a cyber and kinetic [armed -Ed.] attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.
Fortunately, everything turned out fine, but the incident serves to illustrate that cyber-criminals – Krebs calls them cowards – are very jealous of their turf and will retaliate against those who they believe have violated it.
If you enjoy reading about real-life attacks via cyberspace, you should check out the post here.
I am in my second year of using MailRoute.net’s excellent spam filtering service. I cannot recommend them enough. My main email account is so spam-free that I sometimes don’t even check the admin interface to see what MailRoute has been filtering for me. Today, I was curious to see just how much of the spam I receive contains malware. I was prepared to scan through the list of spam in the quarantine and perform my own analysis, but when I logged in and was presented with their new look, my quarantine had a tab named Virus. That made my job much easier.
My analysis showed that approximately three percent of my spam messages contained malware during the period of February 2 to date. That tracks with Kaspersky’s Securelist’s figures for January 2013:
January in figures
- The percentage of spam in email traffic was down 7.7 percentage points compared with December and averaged 58.3%
- The percentage of phishing emails halved compared with December, falling to 0.003%
- In January, malicious files were found in 3% of all emails, a decrease of 0.15 percentage points
The biggest source of malware in my spam filter was the fake FedEx Tracking Service message, but I’ve seen a variety along the way.
Evernote, the popular note taking program whose goal is “to help the world remember everything, communicate effectively and get things done,” has had their website hacked and is forcing all users to reset their passwords:
Security Notice: Service-wide Password Reset
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
Good for them that they salt their password hashes and good for them for implementing a password change for all users. Others should follow this example.
I heard an interesting commentary on AM 700 WLW, “The Nation’s Station,” today by their military analyst, Colonel Dean Smittle (U.S. Army, USAF, Ret.). He says that the real threat to our national security is not nuclear attacks, but cyber-attacks, and the country to look out for is China. You’ll want to jump to about the 21-minute mark on the podcast.
My reason for posting this is that I said cyber-warfare was going to be the big threat. Here’s an excerpt from my article “Will You Be Used as a Weapon Against Your Own Country?”
It’s 2010, maybe sooner. A rogue nation has just declared war on your country. No one will be killed in this war, at least not directly. But people will die from starvation, disease, and in the general chaos caused by disruption in vital communications lines. The rogue nation’s primary weapon? Botnets capable of taking down huge segments of the Internet and telephone networks.
Such a weapon is already being used in cyber attacks against Estonian Web sites, as reported by SANS: “The ongoing cyber attacks against Estonian Web sites, covered in a recent NewsBites edition should serve as a sobering reminder that Cyber Warfare is not a theoretical threat but a very effective and real one…”
Having made my own observation of the shifting threats to computer and network security, I have to agree with SANS editor Skoudis: “Before 2003, our dominant threats were hobbyists and insiders. In 2003 and 2004, the threat then changed to organized crime looking to make money. Depending on the geopolitical environment, the dominant threat may shift again, and very quickly, to state-sponsored cyber warfare.”
What’s ironic is that the attacker will, to some degree, be using your own people – as well as your allies – against you. There’s certainly a good number of people in every country whose computers have become zombies in a botnet. The actual attackers are virtually untraceable, so unless the attacker makes himself known, you’ll not even know your enemy. Scary.
Stuxnet was a good example of an actual attack on another country’s infrastructure. Listen to the podcast. I need not say more.
Here are the answers I promised to yesterday’s post, “Could you pass this LAN Engineer test?”
|Q1. A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high. You only have remote access to their firewall. How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled? Assume that the firewall that is in place is one you are familiar with, and note that information in your response.|
|A1. I had a similar thing happen to one of my clients last year. One PC had been infected with a spam trojan. In this case, it was on a DSL connection and everyone was having major problems accessing the Internet. I had web-based remote administration configured on their 3Com firewall. I logged into it and accessed the traffic log. The log was virtually full of entries showing connection attempts from one internal address to an ever-changing list of external IP addresses on port 25. I created two rules, one denying all traffic from the DHCP range of addresses on port 25, the other allowing traffic on port 25 only from the IP address of the Exchange server. This immediately improved the situation and I was able to get the infected PC cleaned up shortly thereafter.
I would follow a similar procedure on a PIX. I’m not a PIX expert by any means, but I did some research in the Cisco PIX documentation and figured out that I would use “show xlate” to find the IP with a bunch of translations to different IP addresses. Once I found the culprit, I’d create an ACL to block traffic on the port or ports the worm was using. Sticking with my example above, with the client running SBS 2003, I’d go with this configuration:
access-list no-spam permit tcp host 10.1.1.2 any eq 25
access-list no-spam deny tcp any any eq 25
access-list no-spam permit ip any any
access-group no-spam in interface inside|
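The two halves of that answer, finding the noisy host in the connection log and then confirming the ACL does what you intend, are easy to get wrong by hand (in particular, the `permit host` line has to come before the `deny any`). The following is an added example, not code from the original post: a small triage script that counts distinct port-25 destinations per internal host over some constructed log lines, and a first-match evaluator for the three `access-list` lines above. The log format and the 10.1.1.x / 203.0.113.x / 198.51.100.x addresses are constructed for the example; the only thing taken from the post is the ACL itself.

```python
"""Added example (not part of the original post): (1) spot the internal host
fanning out SMTP connections to many external addresses, the spam-bot
pattern described in the answer, and (2) evaluate the posted PIX ACL under
first-match semantics. Log format and IP addresses are constructed."""
from collections import defaultdict
import ipaddress
import re

# Constructed connection-log lines in a generic "src:port -> dst:port proto"
# shape. This is sample data for the demo, not the 3Com or PIX log format.
SAMPLE_LOG = """\
10.1.1.57:1034 -> 203.0.113.10:25 tcp
10.1.1.57:1035 -> 198.51.100.22:25 tcp
10.1.1.57:1036 -> 203.0.113.77:25 tcp
10.1.1.57:1037 -> 198.51.100.9:25 tcp
10.1.1.2:4410 -> 203.0.113.5:25 tcp
10.1.1.23:2201 -> 198.51.100.40:80 tcp
10.1.1.57:1038 -> 203.0.113.120:25 tcp
"""

LOG_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)


def port25_talkers(log_text, min_distinct_dsts=3):
    """Return {src: distinct_destination_count} for internal hosts that opened
    TCP/25 connections to at least `min_distinct_dsts` different addresses.
    A legitimate mail server talks to many MXs too, which is why the answer
    whitelists the Exchange host rather than relying on this count alone."""
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["proto"] == "tcp" and m["dport"] == "25":
            dsts[m["src"]].add(m["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dsts}


# The ACL from the answer above, evaluated top-down; the first match wins.
PIX_ACL = [
    "access-list no-spam permit tcp host 10.1.1.2 any eq 25",
    "access-list no-spam deny tcp any any eq 25",
    "access-list no-spam permit ip any any",
]


def _addr_matches(spec_tokens, addr):
    """Consume one address spec ('any', 'host X', or 'NET MASK') from the
    token list and return (matched, remaining_tokens)."""
    if spec_tokens[0] == "any":
        return True, spec_tokens[1:]
    if spec_tokens[0] == "host":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec_tokens[1]), spec_tokens[2:]
    net = ipaddress.ip_network(f"{spec_tokens[0]}/{spec_tokens[1]}", strict=False)
    return ipaddress.ip_address(addr) in net, spec_tokens[2:]


def evaluate_acl(acl_lines, src, dst, proto, dport):
    """Return 'permit' or 'deny' for one flow. Covers only the subset of PIX
    syntax used in the post: permit/deny, tcp/udp/ip, 'any' / 'host A' /
    'NET MASK' address specs, and an optional trailing 'eq PORT'."""
    for line in acl_lines:
        tokens = line.split()
        action, acl_proto, rest = tokens[2], tokens[3], tokens[4:]
        if acl_proto != "ip" and acl_proto != proto:
            continue
        src_ok, rest = _addr_matches(rest, src)
        dst_ok, rest = _addr_matches(rest, dst)
        if not (src_ok and dst_ok):
            continue
        if rest[:1] == ["eq"] and int(rest[1]) != dport:
            continue
        return action
    return "deny"  # every ACL ends in an implicit deny
```

Run `port25_talkers(SAMPLE_LOG)` and only 10.1.1.57 comes back (five distinct SMTP destinations); the Exchange host 10.1.1.2 talks to one. Feeding flows through `evaluate_acl(PIX_ACL, ...)` shows the Exchange host permitted on 25, every other inside host denied on 25, and web traffic untouched. Drop the first line and evaluate again to see why order matters: the Exchange server would be cut off too.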
|Q2. Please provide a few lines of a Windows network login script that you have created. Please explain what the script accomplishes.|
|A2. I have gravitated toward doing most of the heavy lifting using AD and GPOs, but one pesky issue seems to always come up with remote users with client VPN connections—network drive mapping. Here’s one that has served me well:
NET USE X: /DELETE
NET USE X: \\pdc1\shared\home\
NET USE Y: /DELETE
NET USE Y: \\pdc1\rclient
This deletes any existing mapping, preventing an error message (those always confuse the users), and maps the two drives to the specified folders.|
|Q3. A user connects remotely to a Citrix MetaFrame 4.0 server. The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation. The server doesn’t have this driver on it. What are 3 different ways you could get the printer to work, and which one would you choose, and why?|
|Q4. A company is assigned the network 126.96.36.199/30 for a T1 to the Internet. The ISP sets the router at 188.8.131.52. The company sets up a workstation at 184.108.40.206 with a default gateway of 220.127.116.11, but can’t get to the Internet. What is the most likely issue?|
|A4. 18.104.22.168 isn’t a valid address. There is only one usable address in a CIDR /30 subnet and that address in this network would be 22.214.171.124. The gateway is OK. 126.96.36.199 would be the broadcast address.|
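The arithmetic behind that answer is worth seeing once in code, since a /30 is the smallest subnet most people meet on a T1 and the addresses in the published post did not survive extraction intact. What follows is an added example, not from the original post: it uses the standard-library `ipaddress` module on a constructed RFC 5737 documentation block (203.0.113.0/30), lists the four addresses, and applies the same reasoning as A4 to a workstation/gateway pair.

```python
"""Added example (not part of the original post): the /30 arithmetic behind
A4. Four addresses: network, two hosts, broadcast. The ISP router takes one
host address, leaving exactly one for the customer. Addresses below are a
constructed RFC 5737 block, since the post's own addresses were mangled."""
import ipaddress


def analyze_point_to_point(cidr, isp_router):
    """Describe a small WAN subnet: network, broadcast, usable hosts, and the
    address(es) left for the customer once the ISP router address is taken."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    router = ipaddress.ip_address(isp_router)
    if router not in hosts:
        raise ValueError(f"{isp_router} is not a usable host address in {net}")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in hosts],
        "customer_candidates": [str(h) for h in hosts if h != router],
    }


def diagnose_workstation(cidr, isp_router, workstation, gateway):
    """Reproduce the A4 reasoning: say what is wrong with the workstation
    address and gateway on the given subnet, and which address to use."""
    info = analyze_point_to_point(cidr, isp_router)
    problems = []
    if gateway != isp_router:
        problems.append(f"gateway {gateway} is not the ISP router {isp_router}")
    if workstation == info["network"]:
        problems.append(f"{workstation} is the network address, not assignable")
    elif workstation == info["broadcast"]:
        problems.append(f"{workstation} is the broadcast address, not assignable")
    elif workstation == isp_router:
        problems.append(f"{workstation} collides with the ISP router")
    elif workstation not in info["usable"]:
        problems.append(f"{workstation} is outside {cidr}")
    if not problems:
        return "ok"
    return "; ".join(problems) + f"; use {info['customer_candidates'][0]}"
```

With the router on 203.0.113.1, `diagnose_workstation("203.0.113.0/30", "203.0.113.1", "203.0.113.3", "203.0.113.1")` reports the broadcast-address mistake and points at 203.0.113.2, the one address the customer actually has.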
|Q5. A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC. The company has purchased a new server and 3 licenses of Windows Server 2003. The company operates 24 hours per day and can’t take the network down. Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.|
|Q6. A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers. Active Directory is running in Native Mode and all of the workstations have been added to the domain. The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly. If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server. How can this be accomplished without going to every desktop?|
|A6. Windows Server Update Services (WSUS) will allow the administrator to deploy the latest updates to every computer in the domain. AD native mode isn’t necessary, but it’s a good thing–I have WSUS running in a mixed (NT, W2K, W2K3) AD environment with no issues. The WSUS server will be configured to automatically download the patches on whatever schedule the admin chooses. Assuming that all workstations are running XP SP2, no WSUS client installations will be necessary; regardless, SUS client will be automatically installed through self-update if it’s missing on any computers (that doesn’t seem likely in this scenario). Worst case, the SUS client software (WUAU22.msi) can be deployed through AD using a GPO. Likewise, all domain computers will be configured through the Automatic Update policy settings to point to the WSUS server. The process is well documented by Microsoft in Microsoft Windows Server Update Services 3.0 SP1 Operations Guide.|
|Q7. A company decides to get a point to point T1 to connect their main office to an office across town. The T1 will be connected to a Cisco 1841. All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway. The PIX is running 6.3(5). How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?|
|A7. Let me give you another specific example of how I configured this for one of my clients. Before the T1 was installed, the SGS 1600 was the default gateway at 188.8.131.52. When the T1 was installed, I configured the network to point to the router (Cisco 1841) as the default gateway. I then configured the router as follows (partial config listing). Note that the phone engineer configured the voice vlan:
description local lan
ip address 184.108.40.206 255.255.0.0
description VOICE VLAN
ip address 10.10.10.1 255.255.255.0
description point to point to milford
ip address 192.168.200.1 255.255.255.252
router eigrp 10
network 10.10.10.0 0.0.0.255
network 10.10.51.0 0.0.0.255
network 220.127.116.11 0.0.0.255
network 192.168.200.0 0.0.0.3
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip route 10.10.51.0 255.255.255.0 Serial0/0/0
Traffic for Milford now goes on the T1 and Internet traffic goes to the SGS 1600.|
|Q8. A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely. The remote users are running workstations with Windows XP SP2 and Outlook 2003. How can this be accomplished?|
|A8. We implemented this using PIX/ASA VPNs with the Cisco VPN client running on the remote PC. Outlook is configured to run in cached mode so email is available when off line.|
|Q9. Please describe a time where you solved a difficult problem.|
|A9. One of the most memorable and challenging problems I ever encountered was a network printing issue on P&G’s Netware/Win95 implementation. People would be able to print one minute and then the network printer icons would all gray out as if the printers were offline. Logoff/logon, warm boot, power cycling the PC were all ineffective; the printers went away and they wouldn’t come back. We had tried removing and reinstalling the printer drivers from known good copies, flashing the NIC ROMs and flashing the PC BIOS all to no avail. The project manager finally mandated that we re-image the PC when this problem surfaced, but at the time, that was a two-hour process.
I made a wild assumption and decided that the problem was rooted either in Windows or in the Novell Client and I suspected that driver files or related DLLs were getting corrupted somehow. The next time I encountered a PC with this problem, I used process explorer to see what was running. I then compared this with a PC that didn’t have the problem. The actual details escape me now, but I started pulling some strings on specific processes until I narrowed things down to a few (I think there were 5) Netware-specific files.
One by one, I used a hex editor to intentionally corrupt the files and see if I could duplicate the problem. When I did this to a file called NETWARE.DRV, all the printers I was watching immediately grayed out. I reversed the “corruption” I had introduced into the file and was amazed to see that the printers all came back. Problem solved. From that point forward, every tech had a floppy disk with a clean copy of NETWARE.DRV on it. I can’t even begin to estimate how much that solution saved P&G worldwide.|
|Q10. Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.|
|A10. Level 1 truly is an idiot test. I tried a couple of guesses with blank password, “password,” “let me in,” and “idiot” for good measure, then did a View>Source and found this: <!-- the first few levels are extremely easy: password is 1e79cde6 -->. That got me in.
Level 2 – since he neglected to upload the password file, I just clicked the Submit button and it let me in.
Level 3 – He left the password file open to the world and I just opened password.php to reveal 792debbc as the password.
Level 4 – I had a bit of trouble with this at first (I’m not a big-time hacker!), though I was on the right track in thinking that I had to figure out a way to change the email address. Finally, I realized that Google is my friend and found out why my hacked page wasn’t working: I forgot the absolute URL and was still using the relative one. Anyway, I entered the following code in my page:
<form action="http://www.hackthissite.org/missions/basic/4/level4.php" method="post">
This revealed “password: 50c3072c.” I entered that and completed the level. Along the way, I discovered a neat add-on to Firefox called “Tamper Data.” Nice hacker tool: https://addons.mozilla.org/en-US/firefox/addon/966|
Back in July, 2009, when I found myself looking for a new gig, one of the firms I contacted gave me a written test as part of their recruiting and interview process. Part of that test included a hacking skills challenge (something I haven’t included here in quite a while). I thought you, dear reader, would be interested in taking the test, so I’m posting it here. There are some questions that require correct answers and some that are more subjective. Try out your skills and email your answers to kenharthun <at> gmail <dot> com. I’ll post my answers tomorrow (and my answers were good enough that I got offered the job after my interview). Good luck!
- Q1. A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high. You only have remote access to their firewall. How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled? Assume that the firewall that is in place is one you are familiar with, and note that information in your response.
- Q2. Please provide a few lines of a Windows network login script that you have created. Please explain what the script accomplishes.
- Q3. A user connects remotely to a Citrix MetaFrame 4.0 server. The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation. The server doesn’t have this driver on it. What are 3 different ways you could get the printer to work, and which one would you choose, and why?
- Q4. A company is assigned the network 22.214.171.124/30 for a T1 to the Internet. The ISP sets the router at 126.96.36.199. The company sets up a workstation at 188.8.131.52 with a default gateway of 184.108.40.206, but can’t get to the Internet. What is the most likely issue?
- Q5. A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC. The company has purchased a new server and 3 licenses of Windows Server 2003. The company operates 24 hours per day and can’t take the network down. Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.
- Q6. A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers. Active Directory is running in Native Mode and all of the workstations have been added to the domain. The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly. If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server. How can this be accomplished without going to every desktop?
- Q7. A company decides to get a point to point T1 to connect their main office to an office across town. The T1 will be connected to a Cisco 1841. All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway. The PIX is running 6.3(5). How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?
- Q8. A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely. The remote users are running workstations with Windows XP SP2 and Outlook 2003. How can this be accomplished?
- Q9. Please describe a time where you solved a difficult problem.
- Q10. Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level. [We’ve covered all those in this blog, but go ahead anyway.]
In my first post, The password as a security token – Concept, I discussed using a password as the “what you have” part of two-factor authentication. Today, I’ll outline how to implement a simple way to do that.
First, create a strong password at least eight characters long. It doesn’t have to be easy to remember because you will write it down and carry it with you. You can use GRC’s Ultra High Security Password Generator to get some really random characters like these: tyL&FG.3
Write this password down and carry it with you. This is your token.
Now, you simply create new passwords or change your existing ones to include the token at the beginning or the end. Your new passwords need not be more than four or five characters long and can be something that you’ll easily remember, or you can safely write them down.
You could also have more than one token, perhaps one that you use only for your financial accounts and one that you use for email.
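To make the scheme concrete, here is an added example; it is not code from the original post. `compose_password()` is the scheme exactly as described above, a written-down random token glued to the start or end of a short memorable part. `derive_site_password()` is an added variant that is not the author’s: the same carried token is fed through HMAC together with the site name, so the token itself never appears in any password a site stores. That matters because, with plain concatenation, one site that keeps passwords in the clear and leaks them gives away the token for every other account; `token_exposed_by_leak()` is the check that shows the difference. The token value “tyL&FG.3” is the sample from the post; the site names and memorable words are constructed.

```python
"""Added example (not part of the original post): the password-as-token
scheme in code, plus an HMAC-derived variant (this example's addition, not
the author's) that keeps the carried token out of every stored password.
Site names and memorable parts below are constructed sample data."""
import hashlib
import hmac
import string

TOKEN = "tyL&FG.3"  # sample token from the post; generate your own for real use

# 64 printable characters so that `byte % 64` maps uniformly (256 = 4 * 64).
ALPHABET = string.ascii_letters + string.digits + "-_"


def compose_password(token, memorable, position="end"):
    """The scheme as described: the token at the beginning or the end of a
    short, easy-to-remember part. The token appears verbatim in the result."""
    if position not in ("start", "end"):
        raise ValueError("position must be 'start' or 'end'")
    return token + memorable if position == "start" else memorable + token


def derive_site_password(token, site, memorable, length=16):
    """Added variant: HMAC-SHA256(key=token, msg=site|memorable), encoded
    into a printable password. The token still has to be possessed to
    regenerate the password, but is never sent to or stored by any site."""
    mac = hmac.new(token.encode("utf-8"), f"{site}|{memorable}".encode("utf-8"),
                   hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac)[:length]


def token_exposed_by_leak(leaked_plaintexts, token):
    """Audit check: would a plaintext leak of these passwords reveal the token?
    True for every composed password, False for derived ones."""
    return any(token in pw for pw in leaked_plaintexts)
```

The derived variant has a cost the composed one does not: you need something (a script, a calculator, or a password manager) to recompute the HMAC, so it resembles the football token more closely than the written-down version does. It also only helps with confidentiality of the token; either way the site sees a single string and cannot tell the two factors apart, which is the caveat to keep in mind when calling this “two-factor.”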
This video purports to instruct you on how to double your internet speed. If this guy is serious, he really has some issues; but, it may be just tongue-in-cheek. In particular, be sure to pay attention to the part where he tells you to tape the bare connectors on each end so the signal won’t leak out. Oh, and he even “proves” his theory with (totally bogus) calculations. In any event, I found it extremely amusing.
If you use Flickr and you had any private photos posted there, well, the world may now know what you didn’t intend to share. Just got this notice from them yesterday:
Dear Ken Harthun,
I’m writing to let you know about a recent issue with Flickr’s privacy settings that impacted some of the photos in your account.
While performing routine site maintenance, we identified a software bug that may have changed the view setting on some of your photos from non-public (i.e., private or viewable only by family and friends) to public. Affected photos were visible on Flickr between January 18th and February 7th, 2013. The affected photos were barred from appearing in any search results and they were limited to photos you’ve uploaded between April and December of 2012. Overall, this issue impacted only a small percentage of photos.
I have nothing to worry about, but I’m sure there were some people affected by this. I can imagine some very embarrassed people who were questioned by their parents or friends about certain photos they posted.
It’s not just hackers and those with malicious intent that you need to worry about. In this case, it was a software bug. Not malicious, but it was, potentially, equally as damaging. Once again, I stress that you should never post anything anywhere on the web that you wouldn’t want the world to see. The web is about as secure as a bank vault using a piece of spaghetti to lock it.
We all know the three basic ways of proving identity: What you know, what you have, and what you are. Though there is a plethora of articles asserting that the password is dead, I’m not convinced that is the case. Consider that a password could serve as two of those factors: What you know and what you have. Bear with me here because this takes some thought.
We normally look at two-factor authentication as using both a password and some randomly-generated numerical sequence on some physical device that changes every minute or so. There is another option. I use both a Yubikey and a PayPal “football” token. These two devices are worlds apart: The Yubikey has a unique ID that never changes and you have to have that device plugged in to validate it; the football generates a random six digit number that you append to your password or input in a secondary authentication screen. Both of these assume one key factor: You must possess the token and combine it with your password in order to authenticate. That means you must KNOW the password and you must HAVE the token to authenticate. Having one or the other means nothing.
The key difference is that one device – the Yubikey – requires a physical connection; the other device – the football – requires only that you possess it. Why not synthesize this concept using only a password? A physical connection won’t be necessary, but you must possess the second factor, so this resembles the football more than the Yubikey.
I’ll outline the implementation of this concept in a future post. For now, I want you to give it some thought and let me know via the comments your thoughts on this.