<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5240695539484007193</id><updated>2011-07-07T15:50:51.149-07:00</updated><title type='text'>Dave's CNG-275 Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>25</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-6905539557550972878</id><published>2009-11-16T20:34:00.000-08:00</published><updated>2009-11-16T20:41:50.326-08:00</updated><title type='text'>Most security products fail to perform</title><content type='html'>According to &lt;a href="http://www.net-security.org/secworld.php?id=8506"&gt;this article&lt;/a&gt;, nearly 80 percent of security products failed to perform as intended when first tested and generally required two or more cycles 
of testing before achieving certification, according to a new ICSA Labs report.  Having lived my prior professional life "in the belly of the software development beast" I can only say, "Wow, 20% actually worked as advertised?"&lt;br /&gt;&lt;br /&gt;The other interesting finding included in the report was that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability.&lt;br /&gt;&lt;br /&gt;Things to keep in mind (and ask pointed questions about) the next time a security systems vendor comes calling.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-6905539557550972878?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/6905539557550972878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/most-security-products-fail-to-perform.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/6905539557550972878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/6905539557550972878'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/most-security-products-fail-to-perform.html' title='Most security products fail to perform'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-2055117988419662363</id><published>2009-11-09T18:36:00.000-08:00</published><updated>2009-11-09T18:40:42.948-08:00</updated><title type='text'>Hacking to turn off the lights</title><content type='html'>CBS News is reporting that &lt;a href="http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml"&gt;several power outages in Brazil&lt;/a&gt; over the past several years were the result of hackers taking control of the power grid.  This was part of a "60 Minutes" segment on cyber warfare.  The scary part (the main thrust of the 60 Minutes segment) is that much of the U.S. power grid may also be vulnerable.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-2055117988419662363?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/2055117988419662363/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/hacking-to-turn-off-lights.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/2055117988419662363'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/2055117988419662363'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/hacking-to-turn-off-lights.html' title='Hacking to turn off the lights'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-5970525115566353893</id><published>2009-11-02T18:42:00.000-08:00</published><updated>2009-11-02T18:58:31.502-08:00</updated><title type='text'>Peer-to-peer leaks</title><content type='html'>It seems a congressional staffer took home an Ethics Committee report that named names and deeds.  That's not so bad but they then put it on their home system and their peer-to-peer software shared it with the world.  The Washington dirt is interesting but the second page has just a little coverage of how the leak occurred toward the bottom of the page:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/29/AR2009102904597.html?hpid=topnews"&gt;The Washington Post article&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;One of the selling points Vericept used when I worked there was that they monitored all network traffic; not just common ports.  We saw quite a bit of really interesting stuff that no one dreamed had been shared.  In this case, there's not much anyone could have done to stop this leak other than restricting access to the report and requiring that it not be taken home. 
&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-5970525115566353893?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/5970525115566353893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/peer-to-peer-leaks.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/5970525115566353893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/5970525115566353893'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/11/peer-to-peer-leaks.html' title='Peer-to-peer leaks'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-8569225719610744013</id><published>2009-10-19T06:58:00.000-07:00</published><updated>2009-10-19T07:10:36.827-07:00</updated><title type='text'>Another round of scareware</title><content type='html'>The BBC had &lt;a href="http://news.bbc.co.uk/2/hi/technology/8313678.stm"&gt;this article&lt;/a&gt; on the latest round of scareware.  Nothing like getting the end user to pay to install your trojan.  
What's really sad is the people who get scammed this way not only pay for the trojan but then their identity gets stolen since they give a credit card number to the scammers.&lt;br /&gt;&lt;br /&gt;I had to laugh when I'd get these during an earlier round of scareware adverts a couple of years ago since I've been running Linux as my primary OS since 1998.  SIGH.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-8569225719610744013?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/8569225719610744013/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/another-round-of-scareware.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8569225719610744013'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8569225719610744013'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/another-round-of-scareware.html' title='Another round of scareware'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-1690451746318170532</id><published>2009-10-13T19:29:00.000-07:00</published><updated>2009-10-13T19:35:17.462-07:00</updated><title type='text'>In-depth Look at Wal-Mart Hack</title><content type='html'>Wired has a 
&lt;a href="http://www.wired.com/threatlevel/2009/10/walmart-hack/"&gt;long and detailed article&lt;/a&gt; looking into a hack of Wal-Mart in 2005 and 2006.  The hack wasn't reported because, apparently, no customer data was compromised.  Besides the discussion of how the attack was perpetrated the article also goes into some of the Payment Card Industry (PCI) requirements and how they should have played into making the hack impossible had Wal-Mart been in compliance.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-1690451746318170532?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/1690451746318170532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/in-depth-look-at-wal-mart-hack.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/1690451746318170532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/1690451746318170532'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/in-depth-look-at-wal-mart-hack.html' title='In-depth Look at Wal-Mart Hack'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-1450337879290918674</id><published>2009-10-12T21:52:00.000-07:00</published><updated>2009-10-12T22:02:09.183-07:00</updated><title type='text'>SSL Still Mostly Misunderstood</title><content type='html'>&lt;span class="smalltext"&gt;"The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle.  &lt;/span&gt;&lt;span class="smalltext"&gt;While 83 percent of users check they're using an SSL-secured session before entering their credit card information on a Website, only 41 percent do so when typing in their passwords.  To make matters even worse, &lt;/span&gt;&lt;span class="smalltext"&gt; "You see surveys saying that anywhere from 30 to 60 percent of users are using the same password everywhere, so they're probably using it for on-line banking, too."&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220301548"&gt;this article&lt;/a&gt; at DarkReading, this problem isn't confined to just end-users.  &lt;/span&gt;More than half of the respondents don't know what Extended Validation SSL (EVSSL) is and how it differs from SSL, while 36 percent say they do.  Interestingly, most of them are aware that SSL traffic can be sniffed without their knowledge.   
Even so, nearly one-third say the only purpose of SSL is to encrypt their traffic so it can't be sniffed.&lt;br /&gt;&lt;br /&gt;Lots more interesting statistics in the article regarding how many people in the survey commit a variety of security sins.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;span class="smalltext"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-1450337879290918674?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/1450337879290918674/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/ssl-still-mostly-misunderstood.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/1450337879290918674'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/1450337879290918674'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/ssl-still-mostly-misunderstood.html' title='SSL Still Mostly Misunderstood'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-7336957840422354805</id><published>2009-10-09T19:02:00.001-07:00</published><updated>2009-10-09T19:06:38.634-07:00</updated><title type='text'>A question of subnets and net masks</title><content type='html'>&lt;a 
href="http://article.gmane.org/gmane.linux.centos.general/83653"&gt;This &lt;/a&gt;really isn't a security story but I found it amusing and it includes some good stuff about netmasks, subnets and such.  As usual with stuff from the CentOS mailing list, click on the subject to get to the rest of the discussion thread.  The link I posted avoids some of the preliminaries.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-7336957840422354805?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/7336957840422354805/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/question-of-subnets-and-net-masks.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7336957840422354805'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7336957840422354805'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/question-of-subnets-and-net-masks.html' title='A question of subnets and net masks'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-8047449514637433586</id><published>2009-10-05T13:33:00.001-07:00</published><updated>2009-10-05T13:34:17.484-07:00</updated><title type='text'>They needed a flood wall instead of a 
firewall</title><content type='html'>The subject says it all.  Watching &lt;a href="http://idle.slashdot.org/article.pl?sid=09/09/16/1555252"&gt;the video&lt;/a&gt; is sort of like watching a train wreck.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-8047449514637433586?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/8047449514637433586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/they-needed-flood-wall-instead-of.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8047449514637433586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8047449514637433586'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/they-needed-flood-wall-instead-of.html' title='They needed a flood wall instead of a firewall'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-2240115482012089399</id><published>2009-10-04T21:23:00.000-07:00</published><updated>2009-10-04T21:26:38.076-07:00</updated><title type='text'>How to build/acquire a firewall</title><content type='html'>&lt;a href="http://article.gmane.org/gmane.linux.centos.general/83428"&gt;This discussion thread&lt;/a&gt; on the CentOS mailing list has 
some fairly good advice for deciding which of several options to go with for a home based business firewall.  Click on the e-mail's subject to get to the rest of the discussion thread.&lt;br /&gt;&lt;br /&gt;Most of the folks running CentOS (like me) are cheap (like me) and so the majority of the solutions are free.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-2240115482012089399?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/2240115482012089399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/how-to-buildacquire-firewall.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/2240115482012089399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/2240115482012089399'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/how-to-buildacquire-firewall.html' title='How to build/acquire a firewall'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-7949383743714906717</id><published>2009-10-04T21:05:00.000-07:00</published><updated>2009-10-04T21:16:57.902-07:00</updated><title type='text'>You aren't safe just because you run Linux</title><content type='html'>I picked up a link to &lt;a 
href="http://bsdly.blogspot.com/2009/10/third-time-uncharmed.html"&gt;this article&lt;/a&gt; that was posted on Slashdot.  It appears that the compromised systems were hacked by either exploiting an exposed user's ssh access (probably a brute force attack that found a weak password) or by finding an unpatched remote admin tool (e.g., roundcube was mentioned in one of the links that came up when I Googled the attack name).&lt;br /&gt;&lt;br /&gt;The sad thing is that there are a number of ways to keep brute force attackers at bay for ssh.  Fail2ban is probably the most comprehensive and can be used to protect other exposed logins such as web mail.  Another alternative is to use the built-in Linux firewall (iptables) to only allow so many connection attempts from a specific IP address before blocking future connections from the offending IP address.  I posted &lt;a href="http://davenjudy.org/davesBlog/node/24"&gt;an extensive article&lt;/a&gt; on my personal blog on how to set up this particular method (and a few other ssh "protection" tricks) if anyone is interested.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-7949383743714906717?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/7949383743714906717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/10/you-arent-safe-just-because-you-run.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7949383743714906717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7949383743714906717'/><link rel='alternate' type='text/html' 
href='http://davescng275blog.blogspot.com/2009/10/you-arent-safe-just-because-you-run.html' title='You aren&apos;t safe just because you run Linux'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-452519766767521941</id><published>2009-09-25T07:33:00.000-07:00</published><updated>2009-09-25T07:44:27.641-07:00</updated><title type='text'>Enterprise bot-nets</title><content type='html'>Up to nine percent of machines in some enterprises are part of a bot net according to &lt;a href="http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118"&gt;this article&lt;/a&gt; at Dark Reading.  It seems many of these enterprise bot nets are highly targeted and use multiple attack vectors to evade detection and establish the network.  Further, these are not the wide-spread "consumer oriented" bot nets that attack the typical home user system.&lt;br /&gt;&lt;br /&gt;The article also states that the bot nets demonstrate a level of insider knowledge of the targeted organization that implies someone on the inside is helping with the deployment and exploitation.  
&lt;span class="smalltext"&gt;"They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small bot nets," &lt;/span&gt;&lt;span class="smalltext"&gt;says Gunter Ollmann, vice president of research for Damballa.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-452519766767521941?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/452519766767521941/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/enterprise-bot-nets.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/452519766767521941'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/452519766767521941'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/enterprise-bot-nets.html' title='Enterprise bot-nets'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-99090915827922473</id><published>2009-09-22T10:42:00.000-07:00</published><updated>2009-09-22T10:45:04.788-07:00</updated><title type='text'>$2,000 for a password?</title><content type='html'>&lt;a 
href="http://www.washingtonexaminer.com/local/crime/D_C_-tech-office-employee-pleads-in-kickback-scheme-8264916-59788832.html"&gt;This story&lt;/a&gt; is mainly a traditional bribery/kickback scam but one of the things provided was the password to the District of Columbia's purchase order system.  Why hack when you can just buy your way in?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-99090915827922473?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/99090915827922473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/2000-for-password.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/99090915827922473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/99090915827922473'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/2000-for-password.html' title='$2,000 for a password?'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-7150359215401514485</id><published>2009-09-21T12:41:00.000-07:00</published><updated>2009-09-21T12:55:17.986-07:00</updated><title type='text'>When Web 2.0 Becomes Security Risk 2.0</title><content type='html'>Kaspersky Labs has an &lt;a 
href="http://www.idgconnect.com/files/smfiledata/8/1/8/0/Kaspersky_Web_2_Becomes_Risk.pdf?CFID=14932351&amp;amp;CFTOKEN=17076234"&gt;interesting article&lt;/a&gt; on how the bad guys are exploiting the trusted nature of Facebook, MySpace and other social networking sites to launch attacks and spread malware.  Note that you may need to create an account at Kaspersky in order to access the article.&lt;br /&gt;&lt;br /&gt;Basically the idea is to exploit the poor security (e.g., passwords are sent in clear text for many social networking sites) to gain a position of trust that can then be exploited.  The exploits are frequently familiar such as "advance fee fraud" (also known as a Nigerian 419 scam) but people who wouldn't think about responding to the traditional e-mail scam are being hooked by the same fraud since it appears to come from a "trusted" friend.  The level of trust users put into these sites makes them a "social engineer's dream."&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-7150359215401514485?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/7150359215401514485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/whe-web-20-becomes-security-risk-20.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7150359215401514485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7150359215401514485'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/whe-web-20-becomes-security-risk-20.html' title='When Web 2.0 Becomes Security Risk 
2.0'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-4407061681758380369</id><published>2009-09-17T19:19:00.000-07:00</published><updated>2009-09-17T20:07:11.292-07:00</updated><title type='text'>More progress with ESXi</title><content type='html'>OK.  I got the following virtual network configuration working on my ESXi installation here at home.  A little Googling resulted in a blog posting entitled "&lt;a href="http://kneew.com/node/32"&gt;Implement NAT under VMware ESX 3.5 using a Vyatta router&lt;/a&gt;" (how's that for finding exactly the "how to" I needed?).&lt;br /&gt;&lt;br /&gt;I ended up with a network that looks like:&lt;br /&gt;&lt;br /&gt;Virtual Network &lt;-&gt; Vyatta Router &lt;-&gt; VMware NIC &lt;-&gt; Network&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The Virtual Network has all of my VMs running on 172.16.0.0/24&lt;/li&gt;&lt;li&gt;The Vyatta Router routes traffic received on 172.16.0.1 to its other virtual NIC at 192.168.0.3 and applies NAT&lt;br /&gt;&lt;/li&gt;&lt;li&gt;VMware supplies the networking to take traffic from Vyatta's virtual NIC to the physical NIC at 192.168.0.4&lt;/li&gt;&lt;li&gt;My existing Linux router (CentOS 5.3 with iptables configured to do NAT) does its thing and routes the traffic, as appropriate, on my network or to the Internet.&lt;/li&gt;&lt;/ul&gt;As I was setting this up I realized that there isn't any need to run &lt;span style="font-weight: bold; font-style: italic; color: rgb(204, 0, 0);"&gt;ANY&lt;/span&gt; routing protocol on the Vyatta router (same as with my CentOS box that does my normal routing).  
There is only a "choice one of one" route from the Vyatta router to both my network and the outside world.  You only need to run a routing protocol such as OSPF, BGP or RIP if there is a choice of routes.&lt;br /&gt;&lt;br /&gt;Vyatta reports my routing information as:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;vyatta:~# show ip route&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,&lt;/span&gt;&lt;span style="font-family:courier new;"&gt; I - ISIS, B - BGP, &gt; - selected route, * - FIB route&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;S&gt;* 0.0.0.0/0 [1/0] via 192.168.0.1, eth0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;C&gt;* 127.0.0.0/8 is directly connected, lo&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;C&gt;* 172.16.0.0/24 is directly connected, eth1&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;C&gt;* 192.168.0.0/24 is directly connected, eth0&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;The above configuration works just fine from each of the VMs.  I am able to browse the Internet, run the specific OS's update protocol, etc.  I dumped the "history" to a file.  
This looks like (time stamps removed):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  204  configure&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  205  set interfaces ethernet eth0 address 192.168.0.4/24&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  206  set interfaces ethernet eth1 address 172.16.0.1/24&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  207  set service nat rule 1 source address 172.16.0.0/24&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  208  set service nat rule 1 outbound-interface eth0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  209  set service nat rule 1 type masquerade&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  210  commit&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  211  set system gateway-address 192.168.0.1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  212  set system host-name vyatta&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  213  set system domain-name davenjudy.org&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;  214  commit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There was a "save" after the last commit (that doesn't show up in the history) to make things "permanent."&lt;br /&gt;&lt;br /&gt;I'm guessing that we could run OSPF instead of setting up the static route to my real gateway (see the "set system gateway" command, above).  
That seems like creating a lot of overhead for something that will "never" change.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave Miller&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-4407061681758380369?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/4407061681758380369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/more-progress-with-esxi.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4407061681758380369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4407061681758380369'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/more-progress-with-esxi.html' title='More progress with ESXi'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-8079881675586134978</id><published>2009-09-13T08:29:00.000-07:00</published><updated>2009-09-13T08:43:44.397-07:00</updated><title type='text'>Progress with ESXi at home</title><content type='html'>My new network card arrived on Friday so I swapped NICs in the old-ish dual Athlon box plus made a couple of other upgrades (e.g., 2GB more memory) and re-tried the ESXi install.  This time it worked so I now have three VMs on the box (Vyatta and Windows W2K3 server and W2K8 server).  
I'm installing Ubuntu 9.04 (desktop) as I'm typing this.  Unfortunately, I don't have a recent ISO image for CentOS here at home and I'm still fighting a flaky Internet connection so downloading something large like a DVD ISO doesn't sound like a good idea nor does just letting it upgrade from an old release.&lt;br /&gt;&lt;br /&gt;I've been able to "get out" to the Internet from the VMs using the native ESXi virtual network.  This was a no brainer since it "just worked" with the VMs getting IP addresses, routing information, etc. through my DHCP server.  I guess the next thing to try is to configure Vyatta as the router/firewall for all the VMs.  Hmmmmmm........&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-8079881675586134978?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/8079881675586134978/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/progress-with-esxi-at-home.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8079881675586134978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/8079881675586134978'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/progress-with-esxi-at-home.html' title='Progress with ESXi at home'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-7727107474817879072</id><published>2009-09-12T19:38:00.000-07:00</published><updated>2009-09-12T19:50:21.057-07:00</updated><title type='text'>A new first: a Linux botnet</title><content type='html'>The Register &lt;a href="http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/"&gt;is reporting&lt;/a&gt; that a botnet of Linux systems has been discovered.  Interestingly, the Linux boxes are left relatively unchanged but with a second web server activated and running on port 8080 that serves up malware.  The rest of the attack is to insert links into legitimate web sites that have also had passwords stolen.  The Linux boxes then serve up malware when an unsuspecting reader traverses the link on the otherwise legitimate site.&lt;br /&gt;&lt;br /&gt;It is not known how the Linux boxes were subverted but the best guess is that it was through sniffing the root password used during remote sessions.  The legitimate servers that have also been attacked to include links to the Linux bots apparently were attacked by sniffing FTP passwords.  
That is, this attack is possible simply due to the use of insecure communication and update protocols; there is no inherent vulnerability of the attacked systems that is being exploited.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave Miller&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-7727107474817879072?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/7727107474817879072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/new-first-linux-botnet.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7727107474817879072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/7727107474817879072'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/new-first-linux-botnet.html' title='A new first: a Linux botnet'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-3637264661862035504</id><published>2009-09-10T19:56:00.000-07:00</published><updated>2009-09-10T20:24:22.475-07:00</updated><title type='text'>How much is your identity worth?</title><content type='html'>If you really want to know, click &lt;a href="http://everyclickmatters.com/preloader.html?redirect=/victim/assessment-tool.html"&gt;here&lt;/a&gt; and the Norton On-line Risk Calculator will 
let you determine how much your identity is worth on the black market.&lt;br /&gt;&lt;br /&gt;The calculator will ask you a few questions after which you get three results: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.&lt;br /&gt;&lt;br /&gt;This is both intriguing and scary.  The survey asks some pertinent questions but doesn't even consider the platform you're on, the browser you use or a number of factors that can make life more difficult for the bad guys.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-3637264661862035504?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/3637264661862035504/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/how-much-is-your-identity-worth.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3637264661862035504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3637264661862035504'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/how-much-is-your-identity-worth.html' title='How much is your identity worth?'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-188259749368366123</id><published>2009-09-10T19:15:00.000-07:00</published><updated>2009-09-10T19:37:31.451-07:00</updated><title type='text'>Taking more than a few years</title><content type='html'>After about sixty years the British government has finally gotten around to issuing an &lt;a href="http://www.number10.gov.uk/Page20571"&gt;official apology&lt;/a&gt; to the late Alan Turing.  The Prime Minister termed his treatment "appalling."  What is particularly appalling is that Turing was being pilloried at the same time that real spies like Philby, Burgess, Blunt and MacLean were actively providing detailed information to the Soviet Union.  All were assumed to be above suspicion since they all came from "good families" and had attended the right schools.&lt;br /&gt;&lt;br /&gt;By way of background, Guy Burgess and Donald MacLean were British diplomats who disappeared in 1951 and surfaced in Moscow in 1956. There was speculation that Harold "Kim" Philby, head of the Soviet section of the British Secret Intelligence Service, was the "third man" who alerted them before they could be arrested for espionage.  Philby also defected but only after overwhelming evidence was provided to show he was a spy (the Brits hadn't learned a thing from Burgess and MacLean).  
Anthony Blunt did not flee and continued to hold a position of trust until finally exposed in 1979.&lt;br /&gt;&lt;br /&gt;Besides the tie-in to cryptography with Alan Turing finally getting an apology, another lesson to be learned from this post is to be alert that anyone can be either an active or inadvertent security vulnerability.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-188259749368366123?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/188259749368366123/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/taking-more-than-few-years.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/188259749368366123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/188259749368366123'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/taking-more-than-few-years.html' title='Taking more than a few years'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-427363081382464589</id><published>2009-09-08T16:22:00.000-07:00</published><updated>2009-09-10T19:12:30.060-07:00</updated><title type='text'>It only took several years...</title><content type='html'>Both &lt;a 
href="http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx"&gt;Microsoft&lt;/a&gt; and &lt;a href="http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml"&gt;Cisco&lt;/a&gt; announced patches today (Tuesday, 8 September 2009) for a TCP flaw that has been around for several years.  The flaw allows an attacker to perform a denial of service attack against the vulnerable systems (Microsoft Windows 2000, Server 2003 and Server 2008, Vista and Windows 7; all versions of Cisco's IOS).&lt;br /&gt;&lt;br /&gt;Microsoft provided patches today (good old patch Tuesday) for the affected versions of Windows except Server 2000 which is no longer supported.&lt;br /&gt;&lt;br /&gt;A really good article explaining the flaw can be found at &lt;a href="http://threatpost.com/blogs/microsoft-cisco-issue-patches-tcp-dos-flaw-108"&gt;ThreatPost&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Folks may want to take a look at the ThreatPost &lt;a href="http://threatpost.com/"&gt;main page&lt;/a&gt;. Threat Post includes a link to &lt;a href="http://usa.kaspersky.com/"&gt;Kaspersky Lab Security News Service&lt;/a&gt; which you will also find interesting.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-427363081382464589?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/427363081382464589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/it-only-took-several-years.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/427363081382464589'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5240695539484007193/posts/default/427363081382464589'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/09/it-only-took-several-years.html' title='It only took several years...'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-454867792531908782</id><published>2009-08-26T11:17:00.000-07:00</published><updated>2009-08-26T11:19:52.783-07:00</updated><title type='text'>Even legitimate appearing ISPs can be bad</title><content type='html'>This article showed up on slashdot today:&lt;br /&gt;&lt;br /&gt;http://tech.slashdot.org/story/09/08/26/1614206/Legitimate-ISP-a-Cover-up-For-a-Cybercrime-Network?art_pos=3&lt;br /&gt;&lt;br /&gt;It looks like you can't even trust what appears to be a legitimate ISP.  
The really scary part is the DNS hijacking since lots of people trust their ISP.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-454867792531908782?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/454867792531908782/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/even-legitimate-appearing-isps-can-be.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/454867792531908782'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/454867792531908782'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/even-legitimate-appearing-isps-can-be.html' title='Even legitimate appearing ISPs can be bad'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-260313624042513531</id><published>2009-08-24T13:28:00.000-07:00</published><updated>2009-08-24T13:30:46.947-07:00</updated><title type='text'>Quick "how to" on my gmane posts....</title><content type='html'>I just realized that it isn't at all obvious how to get to the rest of the discussion thread from my gmane posts from the CentOS mailing list.  If you click on the post's subject, it's a link to a threaded view of the full discussion.  
Once you get to the threaded view you can also navigate to other discussions.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-260313624042513531?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/260313624042513531/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/quick-how-to-on-my-gmane-posts.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/260313624042513531'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/260313624042513531'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/quick-how-to-on-my-gmane-posts.html' title='Quick &quot;how to&quot; on my gmane posts....'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-4996813868351651881</id><published>2009-08-23T15:43:00.000-07:00</published><updated>2009-08-23T15:49:53.805-07:00</updated><title type='text'>Beware of phpMyAdmin</title><content type='html'>If you ever end up working on a web site that is being hosted by a hosting service you will probably get stuck with phpMyAdmin as the means of remotely administering the site.  
The following thread again from the CentOS mailing list gives a good discussion as to why this isn't a good set up:&lt;br /&gt;&lt;br /&gt;http://article.gmane.org/gmane.linux.centos.general/81345&lt;br /&gt;&lt;br /&gt;There is also a discussion of some of the alternatives but the bottom line is that there aren't any really good alternatives.  The best is to get secure shell access (ssh) and then do your admin work from the command line but there are quite a few people who are intimidated by the command line.  SIGH.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-4996813868351651881?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/4996813868351651881/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/beware-of-phpmyadmin.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4996813868351651881'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4996813868351651881'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/beware-of-phpmyadmin.html' title='Beware of phpMyAdmin'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-3897693581489905230</id><published>2009-08-21T13:04:00.001-07:00</published><updated>2009-08-21T13:15:46.125-07:00</updated><title type='text'>Other resources</title><content type='html'>I subscribe to the CentOS (CentOS is a free clone of Red Hat Enterprise Linux) mailing list as a way to keep up with what's going on with CentOS and because I learn something just from reading about the problems that others have run into and gone to "the list" to get help or solutions.  The following thread showed up in today's mail concerning how to prevent brute force attacks against a server that allows secure shell (ssh) logins:&lt;br /&gt;&lt;br /&gt;http://article.gmane.org/gmane.linux.centos.general/81276&lt;br /&gt;&lt;br /&gt;There are a few other threads that are current (e.g., "How can I tell if I've been hacked") as well as other discussions.&lt;br /&gt;&lt;br /&gt;Besides just this particular mailing list, Gmane provides archives for pretty much any significant mailing list on the Internet.  I'm sure there are other lists that would be useful if you have the time to keep up with the list traffic.  As with the thread I specified above, an appropriate mailing list is a great way to get help with a particular problem.  
The only down side is that lists that will get you a quick response generally have enough traffic to swamp you while low volume lists mean you might not get a response ever or at least in the time frame that you need.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-3897693581489905230?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/3897693581489905230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/other-resources.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3897693581489905230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3897693581489905230'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/other-resources.html' title='Other resources'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-3406989723961453023</id><published>2009-08-20T21:36:00.000-07:00</published><updated>2009-08-20T22:04:11.306-07:00</updated><title type='text'>CNBC on DoS Attacks and Computer Security</title><content type='html'>Here is the CNBC video segment I mentioned in class.  
Not unexpectedly, they emphasize the economic impact of computer security and DoS attacks against social networking sites in particular. While some of the numbers included were of interest, I found the very fact that "main stream" media such as CNBC would devote a prime time (while the markets are open) segment to computer security to be interesting.&lt;br /&gt;&lt;br /&gt;&lt;embed pluginspage="http://www.macromedia.com/go/getflashplayer" allowfullscreen="true" allowscriptaccess="always" bgcolor="#000000" quality="best" salign="lt" type="application/x-shockwave-flash" name="cnbcplayer" wmode="transparent" src="http://plus.cnbc.com/rssvideosearch/action/player/id/1219614333/code/cnbcpermalink/play/1/module/videomodule" height="370" width="580"&gt;&lt;/embed&gt;&lt;br /&gt;&lt;br /&gt;They also note that thwarting such attacks isn't just a question of buying enough hardware, software or a big enough pipe.  They point out that having the right people was instrumental in allowing several major government and financial sites to weather a similar attack earlier this year.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-3406989723961453023?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/3406989723961453023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/cnbc-on-dos-attacks-and-computer.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3406989723961453023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/3406989723961453023'/><link rel='alternate' type='text/html' 
href='http://davescng275blog.blogspot.com/2009/08/cnbc-on-dos-attacks-and-computer.html' title='CNBC on DoS Attacks and Computer Security'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5240695539484007193.post-4203579854343257110</id><published>2009-08-19T18:13:00.000-07:00</published><updated>2009-08-19T18:15:49.280-07:00</updated><title type='text'>First Post!</title><content type='html'>This is a test.  This is only a test. Had this been a real post I would have actually had something to say.&lt;br /&gt;&lt;br /&gt;Dave&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5240695539484007193-4203579854343257110?l=davescng275blog.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://davescng275blog.blogspot.com/feeds/4203579854343257110/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/first-post.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4203579854343257110'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5240695539484007193/posts/default/4203579854343257110'/><link rel='alternate' type='text/html' href='http://davescng275blog.blogspot.com/2009/08/first-post.html' title='First Post!'/><author><name>DaveAtFraud</name><uri>http://www.blogger.com/profile/06646324281360661146</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://1.bp.blogspot.com/_GSwiLdhhxVY/So2wWJ7J68I/AAAAAAAAAAM/Qg-2f_S4-zU/S220/me.jpg'/></author><thr:total>0</thr:total></entry></feed>
