Up to nine percent of machines in some enterprises are part of a bot net according to this article at Dark Reading. It seems many of these enterprise bot nets are highly targeted and use multiple attack vectors to evade detection and establish the network. Further, these are not the widespread "consumer oriented" bot nets that attack the typical home user system.
The article also states that the bot nets demonstrate a level of insider knowledge of the targeted organization that implies someone on the inside is helping with the deployment and exploitation. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small bot nets," says Gunter Ollmann, vice president of research for Damballa.
Cheers,
Dave
Friday, September 25, 2009
Tuesday, September 22, 2009
$2,000 for a password?
This story is mainly a traditional bribery/kickback scam but one of the things provided was the password to the District of Columbia's purchase order system. Why hack when you can just buy your way in?
Monday, September 21, 2009
When Web 2.0 Becomes Security Risk 2.0
Kaspersky Labs has an interesting article on how the bad guys are exploiting the trusted nature of Facebook, MySpace and other social networking sites to launch attacks and spread malware. Note that you may need to create an account at Kaspersky in order to access the article.
Basically the idea is to exploit the poor security (e.g., passwords are sent in clear text for many social networking sites) to gain a position of trust that can then be exploited. The exploits are frequently familiar such as "advance fee fraud" (also known as a Nigerian 419 scam) but people who wouldn't think about responding to the traditional e-mail scam are being hooked by the same fraud since it appears to come from a "trusted" friend. The level of trust users put into these sites makes them a "social engineer's dream."
Cheers,
Dave
Thursday, September 17, 2009
More progress with ESXi
OK. I got the following virtual network configuration working on my ESXi installation here at home. A little Googling resulted in a blog posting entitled "Implement NAT under VMware ESX 3.5 using a Vyatta router" (how's that for finding exactly the "how to" I needed?).
I ended up with a network that looks like:
Virtual Network <-> Vyatta Router <-> VMware NIC <-> Network
- The Virtual Network has all of my VMs running on 172.16.0.0/24
- The Vyatta Router routes traffic received on 172.16.0.1 to its other virtual NIC at 192.168.0.3 and applies NAT
- VMware supplies the networking to take traffic from Vyatta's virtual NIC to the physical NIC at 192.168.0.4
- My existing Linux router (CentOS 5.3 with iptables configured to do NAT) does its thing and routes the traffic, as appropriate, on my network or to the Internet.
Vyatta reports my routing information as:
vyatta:~# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 192.168.0.1, eth0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.0.0/24 is directly connected, eth1
C>* 192.168.0.0/24 is directly connected, eth0
The above configuration works just fine from each of the VMs. I am able to browse the Internet, run the specific OS's update protocol, etc. I dumped the "history" to a file. This looks like (time stamps removed):
204 configure
205 set interfaces ethernet eth0 address 192.168.0.4/24
206 set interfaces ethernet eth1 address 172.16.0.1/24
207 set service nat rule 1 source address 172.16.0.0/24
208 set service nat rule 1 outbound-interface eth0
209 set service nat rule 1 type masquerade
210 commit
211 set system gateway-address 192.168.0.1
212 set system host-name vyatta
213 set system domain-name davenjudy.org
214 commit
There was a "save" after the last commit (that doesn't show up in the history) to make things "permanent."
I'm guessing that we could run OSPF instead of setting up the static route to my real gateway (see the "set system gateway" command, above). That seems like creating a lot of overhead for something that will "never" change.
Cheers,
Dave Miller
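As an added sanity check (my own script, not part of the post and not a Vyatta tool), the following Python parses the command history and the `show ip route` output quoted above and confirms they agree: each configured interface subnet shows up as a connected route, the default route goes to the configured gateway over the NAT outbound interface, and the masquerade source is exactly the inside subnet (a wider source would NAT traffic it should not). The sample text is constructed from the post's own lines.

```python
import ipaddress
import re
# Constructed sample input: the command history and "show ip route" lines quoted in the post.
HISTORY = """
set interfaces ethernet eth0 address 192.168.0.4/24
set interfaces ethernet eth1 address 172.16.0.1/24
set service nat rule 1 source address 172.16.0.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
set system gateway-address 192.168.0.1
"""
ROUTES = """
S>* 0.0.0.0/0 [1/0] via 192.168.0.1, eth0
C>* 172.16.0.0/24 is directly connected, eth1
C>* 192.168.0.0/24 is directly connected, eth0
"""
ROUTE_RE = re.compile(r"^([A-Z])>\*\s+(\S+)\s+(?:\[\d+/\d+\] via (\S+),|is directly connected,)\s+(\S+)$")
def parse_history(text):
    """Interface addresses, NAT rule fields and gateway from the 'set ...' lines."""
    cfg = {"ifaces": {}, "nat": {}, "gateway": None}
    for w in (line.split() for line in text.strip().splitlines()):
        if w[:3] == ["set", "interfaces", "ethernet"]:
            cfg["ifaces"][w[3]] = ipaddress.ip_interface(w[5])
        elif w[:3] == ["set", "service", "nat"]:
            cfg["nat"][w[5]] = w[-1]  # keys: 'source', 'outbound-interface', 'type'
        elif w[:3] == ["set", "system", "gateway-address"]:
            cfg["gateway"] = ipaddress.ip_address(w[3])
    return cfg
def parse_routes(text):
    """(code, network, next hop or None, interface) for each routing-table line."""
    return [(m[1], ipaddress.ip_network(m[2]), ipaddress.ip_address(m[3]) if m[3] else None, m[4])
            for m in map(ROUTE_RE.match, text.strip().splitlines()) if m]
def audit(history, routes):
    """Return the inconsistencies found; an empty list means config and routes agree."""
    problems, cfg, rt = [], parse_history(history), parse_routes(routes)
    connected = {(r[1], r[3]) for r in rt if r[0] == "C"}
    for name, addr in cfg["ifaces"].items():  # every configured subnet must show as connected
        if (addr.network, name) not in connected:
            problems.append(f"{name} {addr} has no connected route")
    out = cfg["nat"].get("outbound-interface")
    default = [r for r in rt if r[0] == "S" and r[1].prefixlen == 0]
    if not default or default[0][2] != cfg["gateway"] or default[0][3] != out:
        problems.append("default route is not via the configured gateway on the NAT outbound interface")
    if out in cfg["ifaces"] and cfg["gateway"] not in cfg["ifaces"][out].network:
        problems.append("gateway is not on the outbound interface's subnet")
    src = ipaddress.ip_network(cfg["nat"].get("source", "0.0.0.0/0"))
    if src not in [a.network for n, a in cfg["ifaces"].items() if n != out]:
        problems.append(f"NAT source {src} is wider or narrower than the inside subnet")
    return problems
```

Running `audit(HISTORY, ROUTES)` on the post's values returns an empty list; changing the gateway or widening the NAT source to 0.0.0.0/0 produces a finding.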
Sunday, September 13, 2009
Progress with ESXi at home
My new network card arrived on Friday so I swapped NICs in the old-ish dual Athlon box plus made a couple of other upgrades (e.g., 2GB more memory) and re-tried the ESXi install. This time it worked so I now have three VMs on the box (Vyatta and Windows W2K3 server and W2K8 server). I'm installing Ubuntu 9.04 (desktop) as I'm typing this. Unfortunately, I don't have a recent ISO image for CentOS here at home and I'm still fighting a flaky Internet connection so downloading something large like a DVD ISO doesn't sound like a good idea nor does just letting it upgrade from an old release.
I've been able to "get out" to the Internet from the VMs using the native ESXi virtual network. This was a no brainer since it "just worked" with the VMs getting IP addresses, routing information, etc. through my DHCP server. I guess the next thing to try is to configure Vyatta as the router/firewall for all the VMs. Hmmmmmm........
Cheers,
Dave
Saturday, September 12, 2009
A new first: a Linux botnet
The Register is reporting that a botnet of Linux systems has been discovered. Interestingly, the Linux boxes are left relatively unchanged but with a second web server activated and running on port 8080 that serves up malware. The rest of the attack is to insert links into legitimate web sites that have also had passwords stolen. The Linux boxes then serve up malware when an unsuspecting reader traverses the link on the otherwise legitimate site.
It is not known how the Linux boxes were subverted but the best guess is that it was through sniffing the root password used during remote sessions. The legitimate servers that have also been attacked to include links to the Linux bots apparently were attacked by sniffing ftp passwords. That is, this attack is possible simply due to the use of insecure communication and update protocols; there is no inherent vulnerability of the attacked systems that is being exploited.
Cheers,
Dave Miller
Thursday, September 10, 2009
How much is your identity worth?
If you really want to know, click here and the Norton On-line Risk Calculator will let you determine how much your identity is worth on the black market.
The calculator will ask you a few questions after which you get three results: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.
This is both intriguing and scary. The survey asks some pertinent questions but doesn't even consider the platform you're on, the browser you use or a number of factors that can make life more difficult for the bad guys.
Cheers,
Dave
Taking more than a few years
After about sixty years the British government has finally gotten around to issuing an official apology to the late Alan Turing. The Prime Minister termed his treatment "appalling." What is particularly appalling is that Turing was being pilloried at the same time that real spies like Philby, Burgess, Blunt and MacLean were actively providing detailed information to the Soviet Union. All were assumed to be above suspicion since they all came from "good families" and had attended the right schools.
By way of background, Guy Burgess and Donald MacLean were British diplomats who disappeared in 1951 and surfaced in Moscow in 1956. There was speculation that Harold "Kim" Philby, head of the Soviet section of the British Secret Intelligence Service, was the "third man" who alerted them before they could be arrested for espionage. Philby also defected but only after overwhelming evidence was provided to show he was a spy (the Brits hadn't learned a thing from Burgess and MacLean). Anthony Blunt did not flee and continued to hold a position of trust until finally exposed in 1979.
Besides the tie-in to cryptography with Alan Turing finally getting an apology, another lesson to be learned from this post is to be alert that anyone can be either an active or inadvertent security vulnerability.
Cheers,
Dave
Tuesday, September 8, 2009
It only took several years...
Both Microsoft and Cisco announced patches today (Tuesday, 8 September 2009) for a TCP flaw that has been around for several years. The flaw allows an attacker to perform a denial of service attack against the vulnerable systems (Microsoft Windows 2000, Server 2003 and Server 2008, Vista and Windows 7; all versions of Cisco's IOS).
Microsoft provided patches today (good old patch Tuesday) for the affected versions of Windows except Windows 2000, which is no longer supported.
A really good article explaining the flaw can be found at ThreatPost.
Folks may want to take a look at the ThreatPost main page. ThreatPost includes a link to Kaspersky Lab Security News Service which you will also find interesting.
Cheers,
Dave
About Me
- DaveAtFraud
- B.Sc. ('78) and M.Sc. ('80) in Math from Ohio State followed by 12 yrs at TRW and a variety of software development positions since then. Currently living in Colorado and enjoying "trial retirement". For fun I climb mountains in the summer and ski down them in the winter, fix gourmet food and have an excellent wine cellar.