A study by Ofcom, the UK communications watchdog…, “Adults’ Media Use and Attitudes Report 2013″, [comprising] a poll of 1805 adults aged 16 and over discovered that 55% of them used the same password for most – if not all! – websites.

Unbelievable! Will they ever learn? It’s precisely this kind of thing that gives us Network Administrators nightmares, especially when these same people are given access to resources on our networks. Don’t they realize that if one site gets compromised, the hackers have access to all of them?

This is compounded by the types of passwords people tend use, i.e., easy-to-remember passwords such as birthdays, pet names, etc. The study found that 26% of the people polled do this.

If you are one of these people, or if you know someone who is, please see to it that the passwords get fixed as soon as possible.

Log out of those sites and shut down your PC or laptop.

Source: Vistnet.com

If you have noticed a bit of sluggishness on your internet connection in the past week or so, it could be due to the most massive DDoS attack ever recorded. Here’s what’s happening according to Naked Security:

A little over a week ago a questionable internet hosting provider in The Netherlands called Cyberbunker took umbrage with SpamHaus, an non-profit organization that was founded in 1998 to take on spammers and the internet hosts who profit from their activities.
…
How big is the attack? At times it has been reported to be as large as 300 gigabits per second. Traditionally even large botnets are only able to deliver hundreds of megabits or a few gigabits per second.

Ouch! That’s huge. It seems that many primary internet backbones (“tier 1 service providers”) are being overwhelmed by the volume of traffic. That’s why you may have noticed the slowdown on the internet. I certainly did, but since it was most prevalent where I work, I didn’t think much of it. Our bandwidth is always strained when school is in session. I did find it a bit odd that my home connection seemed sluggish. It all became clear with the report of the DDoS attack.

So, if large botnets aren’t capable of delivering such a volume of traffic, what is causing it? It’s a large scale DNS amplification/reflection attack taking advantage of misconfigured DNS servers that will allow anyone to query them without any filtering or rate-throttling. It’s a huge problem as there are reportedly more than 21.7 million such servers online (Open Resolver Project). A Microsoft TechNet article provides a high-level summary of this type of attack:

A DNS amplification attack (aka DNS reflection attack) is a type of distributed denial of service (DDos) attack that takes advantage of the fact that a small DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system by initiating relatively small DNS queries.

I’ll leave it at that for now. I plan to give a more detailed analysis in a future post.

Security Notice: Service-wide Password Reset

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

Good for them that they salt their password hashes and good for them for implementing a password change for all users. Others should follow this example.

• Q1.  A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high.  You only have remote access to their firewall.  How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled?  Assume that the firewall that is in place is one you are familiar with, and note that information in your response.
• Q2.  Please provide a few lines of a Windows network login script that you have created.  Please explain what the script accomplishes.
• Q3.  A user connects remotely to a Citrix MetaFrame 4.0 server.  The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation.  The server doesn’t have this driver on it.  What are 3 different ways you could get the printer to work, and which one would you choose, and why?
• Q4.  A company is assigned the network 1.1.1.0/30 for a T1 to the Internet.  The ISP sets the router at 1.1.1.1.  The company sets up a workstation at 1.1.1.5 with a default gateway of 1.1.1.1, but can’t get to the Internet.  What is the most likely issue?
• Q5.  A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC.  The company has purchased a new server and 3 licenses of Windows Server 2003.  The company operates 24 hours per day and can’t take the network down.  Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.
• Q6.  A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers.  Active Directory is running in Native Mode and all of the workstations have been added to the domain.  The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly.  If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server.  How can this be accomplished without going to every desktop?
• Q7.  A company decides to get a point to point T1 to connect their main office to an office across town.  The T1 will be connected to a Cisco 1841.  All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway.  The PIX is running 6.3(5).  How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?
• Q8.  A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely.  The remote users are running workstations with Windows XP SP2 and Outlook 2003.  How can this be accomplished?
• Q9.  Please describe a time where you solved a difficult problem.
• Q10.  Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level. [We've covered all those in this blog, but go ahead anyway.]

kenharthun
kénhårthun
KëÑharthuñ

Because of the key sequence necessary to enter these characters, no one is going to discover them. There is a caveat, however: The program or site may not allow these characters. I suggest you test it in depth.

This is also a password cloaking method if you are one of those people who write passwords in a book and keep it on your desk. Let’s say your password is I@mgreat. You could write that down with the sequence I064mgr101065t.

It’s not likely anyone is going to figure that out.

The weirdest part about this whole thing is that we have SharePoint 2010 and we are running Live@Edu (soon to migrate to Office 365) that has 25GB of storage. Why would anyone want to use an insecure service that provides only 2GB of storage in the free version? I asked that question. Answer: Preference. Huh?

Needless to say, I responded rather strongly:

The real issue here is that IT was not consulted before someone decided to start using an application that had not been vetted for both security and performance. There could be a workable process (pre-egress encryption using a proven encryption algorithm) formulated, but this should be driven by IT, i.e., those of us who know and understand the potential risks and benefits.

 

The Net Admins are responsible for the reliability, performance and security of our networks and the data flowing on them. I take this responsibility seriously and I’m sure my fellow Net Admins and assistants do as well. To ask me to put my network and data – and thereby my job – at risk because of some preference is just not acceptable to me.

What is your opinion? Hit the comments and let me know.

• I will change my critical passwords.
• I will finally start using a password manager (such as LastPass or KeePass).
• I will adopt an algorithm for generating strong passwords (at least 12 characters).
• I will use two-factor authentication where it is available (YubiKey and Google Authenticator come to mind).
• I will use encryption for all sensitive personal files on my digital devices, including thumb drives, laptops, smart phones, etc. (Rohos Mini-drive, AxCrypt, TrueCrypt, Wickr).
• I will establish a regular backup routine for all my devices that uses two different media and at least on copy off-site.
• I will encrypt my backup.
• I will become aware of physical security and make sure that my digital devices are always either in my possession or safely stowed.
• I will not blindly click on links in email, nor will I respond in any way to pop-ups or messages I am not sure about without checking them out first.
• I will not open any attachment in any email from anyone unless I am expecting it or absolutely sure of what it contains.

There is new or Earth-shattering here, at least nothing that I haven’t mentioned and advocated for years. Hit the comments and add your own.

Happy 2013!

Well, yeah, but I still recommend it to friends, family and students as one of the best free AV tools. It maintains the VB100 rating. Besides, absolutely NOTHING prevents against malware installing on the PCs of those ID-10-T users who click on links and agree to be infected.

Me, I don’t even run AV on any of my personal computers at home and haven’t for at least 5 years. I have had zero infections of any kind. On the other hand, I have cleaned PCs that were positively toxic with malware and were members of every known botnet despite their running fully updated versions of commercial AV software.

Naturally, I question the efficacy of AV software for the savvy amongst us.

What do YOU think? Hit the comments and let me know.