If you have noticed a bit of sluggishness on your internet connection in the past week or so, it could be due to the most massive DDoS attack ever recorded. Here’s what’s happening according to Naked Security:
A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, an non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.
How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.
Ouch! That’s huge. It seems that many primary internet backbones (“tier 1 service providers”) are being overwhelmed by the volume of traffic. That’s why you may have noticed the slowdown on the internet. I certainly did, but since it was most prevalent where I work, I didn’t think much of it. Our bandwidth is always strained when school is in session. I did find it a bit odd that my home connection seemed sluggish. It all became clear with the report of the DDoS attack.
So, if large botnets aren’t capable of delivering such a volume of traffic, what is causing it? It’s a large scale DNS amplification/reflection attack taking advantage of misconfigured DNS servers that will allow anyone to query them without any filtering or rate-throttling. It’s a huge problem as there are reportedly more than 21.7 million such servers online (Open Resolver Project). A Microsoft TechNet article provides a high-level summary of this type of attack:
A DNS amplification attack (aka DNS reflection attack) is a type of distributed denial of service (DDos) attack that takes advantage of the fact that a small DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system by initiating relatively small DNS queries.
I’ll leave it at that for now. I plan to give a more detailed analysis in a future post.
Doomsday Preppers is a popular (in some circles) American reality television series that airs on the National Geographic Channel. I’m not a prepper in the sense of that TV series, but I grew up with Scouting whose motto has always been — and will probably always be — “Be Prepared.” That motto has served me well in my life and has given me a sense of the need to always stay one step ahead of disaster in all meanings of the word. While we in the IT world don’t always phrase it that way, I think it is a motto that we always embrace, consciously or unconsciously.
I saw an interesting video last week that promotes the need to stock up on 37 foods that will sell out quickly during a crisis. I bought the book (actually a CD with PDF files) and started to read it tonight. In the preliminary chapters, the author discusses the need for a “bug out” kit and what that kit should contain. I’m not going to go into great detail here, but I am going to mention that all of your valuable documents should either be carried with you or available in electronic form so they are accessible no matter where you happen to find yourself. Examples of these are:
- Social Security cards
- Bank account information
- Deeds to your property
- Insurance policies
- Medical records and prescriptions
- Driver’s license
You should do your best to keep all of these documents in a portable fire-proof safe that you can take with you if you have to evacuate. But, you should also scan every single document and store those scans on both a portable storage device and do one or both of these things with them:
- Email them to yourself at a cloud email service such as Gmail, Outlook.com, Yahoo, etc.
- Save them to a cloud backup service or cloud storage such as SkyDrive, Dropbox, iCloud, etc.
You never want to be at the mercy of a single point of failure, especially in an emergency.
Doomsayers may be a bit over the top sometimes, but there’s no reason you can’t exercise good sense and “Be Prepared.”
My readers know that I’m a diehard Security Now! fan. As far as I’m concerned, it’s the best security related podcast on the internet, bar none. It is evident that I’m not the only Geek who feels this way. Whomever is behind AskMisterWizard.com loves SecurityNow! and has taken on the task of creating 3D animations of the concepts that Steve Gibson and Leo LaPorte discuss every week. I’ll be posting these videos here, but I wanted to give you an introduction so you can check them out for yourself. Included today is Steve Gibson’s introduction to what AskMisterWizard.com is doing with the SecurityNow! podcast episodes.
Anyone who knows anything about security researchers and bloggers knows of Brian Krebs and his blog, KrebsOnSecurity.com; nevertheless, here’s some background in case you’re wondering:
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of storiesfor washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
According to Dan Goodin at Ars Technica, Krebs is known for work that includes:
- “Exposés [that] completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network” and, more recently,
- “Investigative journalism that followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.”
It’s hardly a surprise that he has made enemies in the cybercrime underworld. Last week, some of those enemies attacked him. Writing in a March 13 blog post, he described what happened:
It’s not often that one has the opportunity to be the target of a cyber and kinetic [armed -Ed.] attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.
Fortunately, everything turned out fine, but the incident serves to illustrate that cyber-criminals–Krebs calls them cowards–are very jealous of their turf and will retaliate against those who they believe have violated it.
If you enjoy reading about real-life attacks via cyberspace, you should check out the post here.
I am in my second year of using MailRoute.net‘s excellent spam filtering service. I cannot recommend them enough. My main email account is so spam-free that I sometimes don’t even check the admin interface to see what MailRoute has been filtering for me. Today, I was curious to see just how much of the spam I receive contains malware. I was prepared to scan through the list of spam in the quarantine and perform my own analysis, but when I logged in and was presented with their new look, my quarantine had a tab named Virus. That made my job much easier.
My analysis showed that approximately three percent of my spam messages contained malware during the period of February 2 to date. That tracks with Kaspersky’s Securelist’s figures for January 2013:
January in figures
- The percentage of spam in email traffic was down 7.7 percentage points compared with December and averaged 58.3%
- The percentage of phishing emails halved compared with December, falling to 0.003%
- In January, malicious files were found in 3% of all emails, a decrease of 0.15 percentage points
The biggest source of malware in my spam filter was the fake FedEx Tracking Service message, but I’ve seen a variety along the way.
Evernote, the popular note taking program whose goal is “to help the world remember everything, communicate effectively and get things done,” has had their website hacked and is forcing all users to reset their passwords:
Security Notice: Service-wide Password Reset
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
Good for them that they salt their password hashes and good for them for implementing a password change for all users. Others should follow this example.
I heard an interesting commentary on AM 700 WLW, “The Nation’s Station,” today by their military analyst, Colonel Dean Smittle (U.S. Army, USAF, Ret.) He says that the real threat to our national security is not nuclear attacks, but cyber-attacks, and the country to look out for is China. You’ll want to jump to about the 21-minute mark on the podcast.
My reason for posting this is that I said cyber-warfare was going to be the big threat. Here’s an excerpt from my article “Will You Be Used as a Weapon Against Your Own Country?”
It’s 2010, maybe sooner. A rogue nation has just declared war on your country. No one will be killed in this war, at least not directly. But people will die from starvation, disease, and in the general chaos caused by disruption in vital communications lines. The rogue nation’s primary weapon? Botnetscapable of taking down huge segments of the Internet and telephone networks.
Such a weapon is already being used in cyber attacks against EstonianWeb sites, as reported by SANS: “The ongoing cyber attacks against Estonian Web sites, covered in a recent NewsBites edition should serve as a sobering reminder that Cyber Warfare is not a theoretical threat but a very effective and real one…”
Having made my own observation of the shifting threats to computer and network security, I have to agree with SANS editor Skoudis: “Before 2003, our dominant threats were hobbyists and insiders. In 2003 and 2004, the threat then changed to organized crime looking to make money. Depending on the geopolitical environment, the dominant threat may shift again, and very quickly, to state-sponsored cyber warfare.”
What’s ironic is that the attacker will, to some degree, be using your own people – as well as your allies – against you. There’s certainly a good number of people in every country whose computers have become zombies in a botnet. The actual attackers are virtually untraceable, so unless the attacker makes himself known, you’ll not even know your enemy. Scary.
Stuxnet was a good example of an actual attack on another country’s infrastructure. Listen to the podcast. I need not say more.
Here are the answers I promised to yesterday’s post, “Could you pass this LAN Engineer test?”
|Q1. A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high. You only have remote access to their firewall. How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled? Assume that the firewall that is in place is one you are familiar with, and note that information in your response.|
|A1. I had a similar thing happen to one of my clients last year. One PC had been infected with a spam trojan. In this case, it was on a DSL connection and everyone was having major problems accessing the Internet. I had web-based remote administration configured on their 3Com firewall. I logged into it and accessed the traffic log. The log was virtually full of entries showing connection attempts from one internal address to an ever-changing list of external IP addresses on port 25. I created two rules, one denying all traffic from the DHCP range of addresses on port 25, the other allowing traffic on port 25 only from the IP address of the Exchange server. This immediately improved the situation and I was able to get the infected PC cleaned up shortly thereafter.
I would follow a similar procedure on a PIX. I’m not a PIX expert by any means, but I did some research in the Cisco PIX documentation and figured out that I would use “show xlate” to find the IP with a bunch of translations to different IP addresses. Once I found the culprit, I’d create an ACL to block traffic on the port or ports the worm was using. Sticking with my example above, with the client running SBS 2003, I’d go with this configuration: access-list no-spam permit tcp host 10.1.1.2 any eq 25; access-list no-spam deny tcp any any eq 25; access-list no-spam permit ip any any; access-group no-spam in interface inside.
|Q2. Please provide a few lines of a Windows network login script that you have created. Please explain what the script accomplishes.|
|A2. I have gravitated toward doing most of the heavy lifting using AD and GPOs, but one pesky issue seems to always come up with remote users with client VPN connections—network drive mapping. Here’s one that has served me well: NET USE X: /DELETE
NET USE X: \\pdc1\shared\home\
NET USE Y: /DELETE
NET USE Y: \\pdc1\rclient
This deletes any existing mapping, preventing an error message (those always confuse the users), and maps the two drives to the specified folders.
|Q3. A user connects remotely to a Citrix MetaFrame 4.0 server. The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation. The server doesn’t have this driver on it. What are 3 different ways you could get the printer to work, and which one would you choose, and why?|
|Q4. A company is assigned the network 184.108.40.206/30 for a T1 to the Internet. The ISP sets the router at 220.127.116.11. The company sets up a workstation at 18.104.22.168 with a default gateway of 22.214.171.124, but can’t get to the Internet. What is the most likely issue?|
|A4. 126.96.36.199 isn’t a valid address. There is only one usable address in a CIDR /30 subnet and that address in this network would be 188.8.131.52. The gateway is OK. 184.108.40.206 would be the broadcast address.|
|Q5. A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC. The company has purchased a new server and 3 licenses of Windows Server 2003. The company operates 24 hours per day and can’t take the network down. Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.|
|Q6. A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers. Active Directory is running in Native Mode and all of the workstations have been added to the domain. The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly. If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server. How can this be accomplished without going to every desktop?|
|A6. Windows Server Update Services (WSUS) will allow the administrator to deploy the latest updates to every computer in the domain. AD native mode isn’t necessary , but it’s a good thing–I have WSUS running in a mixed (NT, W2K, W2K3) AD environment with no issues. The WSUS server will be configured to automatically download the patches on whatever schedule the admin chooses. Assuming that all workstations are running XP SP2, no WSUS client installations will be necessary; regardless, SUS client will be automatically installed through self-update if it’s missing on any computers (that doesn’t seem likely in this scenario). Worst case, the SUS client software (WUAU22.msi) can be deployed through AD using a GPO. Likewise, all domain computers will be configured through the Automatic Update policy settings to point to the WSUS server. The process is well documented by Microsoft in Microsoft Windows Server Update Services 3.0 SP1 Operations Guide.|
|Q7. A company decides to get a point to point T1 to connect their main office to an office across town. The T1 will be connected to a Cisco 1841. All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway. The PIX is running 6.3(5). How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?|
|A7. Let me give you another specific example of how I configured this for one of my clients. Before the T1 was installed, the SGS 1600 was the default gateway at 220.127.116.11. When the T1 was installed, I configured the network to point to the router (Cisco 1841) as the default gateway. I then configured the router as follows (partial config listing). Note that the phone engineer configured the voice vlan:
description local lan
ip address 18.104.22.168 255.255.0.0
description VOICE VLAN
ip address 10.10.10.1 255.255.255.0
description point to point to milford
ip address 192.168.200.1 255.255.255.252
router eigrp 10
network 10.10.10.0 0.0.0.255
network 10.10.51.0 0.0.0.255
network 22.214.171.124 0.0.0.255
network 192.168.200.0 0.0.0.3
ip route 0.0.0.0 0.0.0.0 126.96.36.199
ip route 10.10.51.0 255.255.255.0 Serial0/0/0
Traffic for Milford now goes on the T1 and Internet traffic goes to the SGS 1600.
|Q8. A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely. The remote users are running workstations with Windows XP SP2 and Outlook 2003. How can this be accomplished?|
|A8. We implemented this using PIX/ASA VPNs with the Cisco VPN client running on the remote PC. Outlook is configured to run in cached mode so email is available when off line.|
|Q9. Please describe a time where you solved a difficult problem.|
|A9. One of the most memorable and challenging problems I ever encountered was a network printing issue on P&G’s Netware/Win95 implementation. People would be able to print one minute and then the network printer icons would all gray out as if the printers were offline. Logoff/logon, warm boot, power cycling the PC were all ineffective; the printers went away and they wouldn’t come back. We had tried removing and reinstalling the printer drivers from known good copies, flashing the NIC ROMs and flashing the PC BIOS all to no avail. The project manager finally mandated that we re-image the PC when this problem surfaced, but at the time, that was a two-hour process.
I made a wild assumption and decided that the problem was rooted either in Windows or in the Novell Client and I suspected that driver files or related DLLs were getting corrupted somehow. The next time I encountered a PC with this problem, I used process explorer to see what was running. I then compared this with a PC that didn’t have the problem. The actual details escape me now, but I started pulling some strings on specific processes until I narrowed things down to a few (I think there were 5) Netware-specific files.
One by one, I used a hex editor to intentionally corrupt the files and see if I could duplicate the problem. When I did this to a file called NETWARE.DRV, all the printers I was watching immediately grayed out. I reversed the “corruption” I had introduced into the file and was amazed to see that the printers all came back. Problem solved. From that point forward, every tech had a floppy disk with a clean copy of NETWARE.DRV on it. I can’t even begin to estimate how much that solution saved P&G worldwide.
|Q10. Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.|
|A10. Level 1 truly is an idiot test. I tried a couple of guesses with blank password, “password,” “let me in,” and “idiot” for good measure, then did a View>Source and found this: <!– the first few levels are extremely easy: password is 1e79cde6 →. That got me in.
Level 2—since he neglected to upload the password file, I just clicked the Submit button and it let me in.
Level 3– He left the password file open to the world and I just opened password.php to reveal 792debbc as the password.
Level 4—I had a bit of trouble with this at first (I’m not a big-time hacker!), though I was on the right track in thinking that I had to figure out a way to change the email address. Finally, I realized that Google is my friend and found out why my hacked page wasn’t working: I forgot the absolute URL and was still using the relative one. Anyway, I entered the following code in my page:
<form action=”http://www.hackthissite.org/missions/basic/4/level4.php” method=”post”>
This revealed “password: 50c3072c.” I entered that and completed the level. Along the way, I discovered a neat add-on to Firefox called “Tamper Data.” Nice hacker tool: https://addons.mozilla.org/en-US/firefox/addon/966
Back in July, 2009, when I found myself looking for a new gig, one of the firms I contacted gave me written test as part of their recruiting and interview process. Part of that test included a hacking skills challenge (something I have included here in quite a while). I thought you, dear reader, would be interested in taking the test, so I’m posting it here. There are some questions that require correct answers and some that are more subjective. Try out your skills and email your answers to kenharthun <at> gmail <dot> com. I’ll post my answers tomorrow (and my answers were good enough that I got offered the job after my interview). Good luck!
- Q1. A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high. You only have remote access to their firewall. How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled? Assume that the firewall that is in place is one you are familiar with, and note that information in your response.
- Q2. Please provide a few lines of a Windows network login script that you have created. Please explain what the script accomplishes.
- Q3. A user connects remotely to a Citrix MetaFrame 4.0 server. The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation. The server doesn’t have this driver on it. What are 3 different ways you could get the printer to work, and which one would you choose, and why?
- Q4. A company is assigned the network 188.8.131.52/30 for a T1 to the Internet. The ISP sets the router at 184.108.40.206. The company sets up a workstation at 220.127.116.11 with a default gateway of 18.104.22.168, but can’t get to the Internet. What is the most likely issue?
- Q5. A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC. The company has purchased a new server and 3 licenses of Windows Server 2003. The company operates 24 hours per day and can’t take the network down. Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.
- Q6. A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers. Active Directory is running in Native Mode and all of the workstations have been added to the domain. The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly. If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server. How can this be accomplished without going to every desktop?
- Q7. A company decides to get a point to point T1 to connect their main office to an office across town. The T1 will be connected to a Cisco 1841. All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway. The PIX is running 6.3(5). How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?
- Q8. A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely. The remote users are running workstations with Windows XP SP2 and Outlook 2003. How can this be accomplished?
- Q9. Please describe a time where you solved a difficult problem.
- Q10. Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level. [We’ve covered all those in this blog, but go ahead anyway.]
In my first post, The password as a security token – Concept, I discussed using a password as the “what you have” part of two-factor authentication. Today, I’ll outline how to implement a simple way to do that.
First, create a strong password at least eight characters long. It doesn’t have to be easy to remember because you will write it down and carry it with you. You can use GRC’s Ultra High Security Password Generator to get some really random characters like these: tyL&FG.3
Write this password down and carry it with you. This is your token.
Now, you simply create new passwords or change your existing ones to include the token at the beginning or the end. Your new passwords need not be more than four or five characters long and can be something that you’ll easily remember, or you can safely write them down.
You could also have more than one token, perhaps one that you use only for your financial accounts and one that you use for email.