Now that almost everyone has a Blackberry, Android, or iPhone, they are a tasty market for hackers trying to gain backdoor access to these smartphones. The use of rootkits is increasing in this segment. Rutgers Today has a great YouTube segment describing this threat.
Links:
When it comes to securing your data against losses, many people have a knee jerk reaction to think about hackers or other insider threats. This is somewhat natural these days due to legislation like HIPAA which mandate various controls for the confidentiality and integrity. What many people don't think about these days is a full scale breach of availability (as well as total data loss).
This video shows what can happen in minutes. While not every organization needs a full scale disaster management plan, this is the prime example of why you have current off-site backups. Usually the fire isn't what destroys your server farm, it is the water damage after...
Links:
It is hard to believe that Unix is 40 years old! How time flies. Pretty soon it will be buying a red sports car and picking up operating systems half his age. What a cad!
(Photo Courtesy of prettydaisies on Flickr)
Links:
According to an article in NetworkWorld, over 12,000 laptops go missing in airports around the United States every week, with 1200 just at LAX. The thought of outright theft or some other sort of loss is quite unnerving.
(Image Courtesy of dklimpke on Flickr)
If you travel often there are several things you can do to mitigate the security risks. If you don't care about your privacy and would just pick up another laptop at Costco or Fry's if you lost it, you can skip this article. The first item is the backup. Everyone talks about it, but most of the time, people don't do it at all. There are several online backup services that allow you to securely (at least for personal data) backup over the internet using an automated client. At a minimum, make a dump of your data files to a thumb drive or DVD disk every month or so. If you can't afford to be without your data, you can't afford not backing up. The next issue is privacy. Who owns the data on your laptop? Do you have proprietary data that people would want to buy? Do you have embarrassing photos from your buddy's bachelor party saved on your laptop? Do you have personal information that could lead to your identity being stolen? If so, you should consider full disk encryption. While it does take some processor overhead, it is worth the extra processor cycles for your data's protection. Microsoft has their new Bitlocker technology in Windows 7 and Server 2008 R2, PGP has full disk encryption for the Mac and Windows, Checkpoint has full disk encryption for Mac, Windows and Linux in their Pointsec software, and there are also free open-source alternatives such as Trucrypt. These products render the data on your laptop useless to anyone who wishes to get the content off the machine. You may lose the monetary value of the laptop, but usually that is much easier to bear than losing millions of customer records or your unfiled patent application.
With more an more people using Twitter as a fun Web 2.0 communication tool, it is becoming a mainstream way of talking. For some people it is becoming an addiction and supercedes e-mail and instant messenger as a way to communicate in groups. Hey, if the President used it and the NASA Mars Rover is using it, it must be great, right?
Enter TwitterSpy, a cool mashup application that takes the raw public Twitter feed and allows you to filter it for content or context. Michele Marcucci created this incredibly addicting application as a practical application of her knowledge.
Be careful what you tweet, as there are more people than just your close friends watching! Remember, the walls of social networking are very thin, and can be redefined by the service provider at their whim.
If you travel often, this scenario pops up often:
You get free access to the internet at a hotel or coffee shop, but worry about people sniffing the connection.
Even when you use SSL, it is a pain that people can do a traffic analysis on your surfing, attempt a session hijack based on your credentials, or even worse, act as a man-in-the-middle and log every bit of your surfing. Many corporate entities require the use of a VPN to tunnel all internet traffic through the headquarters network connection, so they can filter traffic the way they want to and do their best to protect your system from malware and probing.
If you are trying to be secure on a budget, one solution that I've worked with requires three packages.
Using this scenario, you install Privoxy, which works as a personal web proxy, on a *nix or Windows on a machine that resides at your home or office. That same machine will also need to be running a ssh server. Depending on your network architecture, you'll either need a firewall rule to allow port 22 (ssh) through to that machine, or if you have a NAT in place, you'll need a PAT or pinhole to that system through the firewall. (If you choose to use a port other than 22, you will receive far less port scans and hacking attempts on your system.)
When configuring Privoxy, you'll want to select 127.0.0.1 and some high port such as 8000 or 8888 to connect to Privoxy through. In the version I have, they use the default of port 8118. The reason that you would use the 127.0.0.1 loopback address, is that it will only accept traffic from inside the machine. If you have the SSH server on another machine, you'll want to use the address of one of the ethernet adapters. On many Linux installations, you'll be editing /etc/privoxy/config
# a snippet from /etc/privoxy/config
# listen-address 192.168.0.1:8118
#
listen-address 127.0.0.1:8888
At this point you should have the firewall configured, a ssh server running, and Privoxy up and running.
The next step is to connect to your ssh/privoxy machine over the internet. In this example we'll use putty under win32, but you could be on OS X or Linux and use ssh at the command line to do tunneling.
Once you have that ssh connection up and running, you'll need to connect your web browser to the proxy server. On your side you'll be using your own ip loopback adapter at 127.0.0.1. Normally you would NOT want to check the box that states Local Ports accept connections from other hosts, unless you are trying to provide proxy services to a large amount of machines through one ssh connection.
You can manually setup a proxy server in Firefox or IE, but I prefer to use Foxyproxy, which allows you to change settings on the fly, or also do proxying based on specific traffic rules. So if you want to visit www.cnn.com without going through the proxy, but only go to www.gmail.com through the proxy, you can do that. If you have limited upstream bandwidth on your privoxy host, this may be a good solution.
Configuration of Foxyproxy is fairly simple. Once the add-on is installed, you'll want to create a new proxy entry. That entry will point towards 127.0.0.1 port 8888 (or whatever port you have chosen). Once it is saved, you can turn the proxying on and off by using the right mouse button on the menu on the lower right hand side of Firefox. You can create some fairly complex patterns for web surfing, but that is beyond the scope of this posting.
So, what do we get from this? If someone is sniffing your home connection, you are out of luck. But if you configure the connection as I have stated, every web site you surf to, will be tunneled through your ssh connection, then proxyed by the privoxy machine. If you have other applications that run outside of your browser, you may have to reconfigure them to point to the localhost proxy on your machine so that they will be secure as well. So, someone sniffing your connection will just see ssh traffic from your machine to that host and nothing else. Even if someone is running a rogue WiFi AP so they can perform and man-in-the-middle attack, all they will get is a bunch of garbage from your ssh connection.
Some people like to work in absolutes. They don't want to have a high statistical likelihood that data is unrecoverable, they want that data gone with 100% certainty. Beyond smelting, most of the methods for the destruction of hard drives and other storage media include secure overwriting or degaussing. To fill the gap, Data Devices created the Model 0301 Hard Drive, Laptop, and Cellular Phone Shredder. The behemoth eats electronic devices and digests them into small bits of robot poop. You have to see the video to get the real feel for this thing.
Recently I had a discussion about video baby monitors with a neighbor. I mentioned that we had bought a unit that digitally encrypted the video and audio stream, so that creepy people would not be able to watch our baby sleep. They seemed to think that it wasn't such a big deal and that you would need a lot of equipment to spy on your neighbors. To rebut this I have two items that are freely available in the United States for a minimal cost. Both of these items can be outfitted with higher gain antennas to allow for the long range monitoring and reception of video signals.
Over the past week I've been spending some time using and abusing Windows 7. I'm in a period of readjustment right now, as I was using Ubuntu 8.10 as my main Internet surfing operating system for the last two months. As many of you know, the Windows 7 public beta program allows free downloads for evaluation. I've been working with the 64bit and 32bit versions on several different boxes. While the O/S has been really great on newer (less than 18month old) hardware, running Windows 7 32bit on the minimum configuration (1GHz processor and 512Mb RAM) is like self administering a colonic using kerosene.
I'm not trying to convert anyone here, but I'm mildly impressed with how stable it is on current hardware. The driver base for older peripherals is going to be somewhat limited, but I'm sure that with time Windows 7 will have just as broad a driver base as XP does. In my limited, totally non-scientific evaluation I would give recommend Windows 7. I need to spend some more time with the security subsystem, as well as testing application performance of things that I use on a daily basis. Bottom line is that if you application runs on Vista, it will most likely run just fine on Windows 7. If it does not run well, install Virtual PC 2007 or Virtualbox and run a virtual instance of Windows XP inside Windows 7 for your legacy application.
Links:
And in addition... somewhat interesting... the first Windows review, ever.
Absolute security is a myth. Most laymen would think that just because a computer device is wired that it has a higher level of security. In most cases this would be true, but in the shadowy world of corporate espionage the stakes have gone one higher. At The Security and Cryptography Laboratory (LASEC) of Ecoles Polytechniques Fédérales de Lausanne, they recently released a paper called COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED KEYBOARDS. While this is not big news in the TEMPEST world, it is an eye opener for most businesses. The scope of keyboard technologies affected, as well as the distance that keystrokes can be read is really quite impressive.
(Photo Credit: Andrew* on Flickr)
In a nutshell: Your hard wired stuff is not safe, but it never really was. Try to mitigate your risks as much as possible and stay informed.
Links:
I was searching through Flickr today and was looking at some ultrasound images of babies that are right about as far along as ours. Some really nice shots (32,515 of them actually). And then I gasped. Did they? Yes, they did.
Parents, don't post ultrasounds on public forums with the Social Security Number of the mother attached. I know this sounds pretty basic, but some people may gloss over it without thinking. The hospital can protect your information with HIPAA, but when you put it out there, there is nothing they can do to help you. Even if it is just your name, a random billing code and the medical facility name, why even risk identity theft? There is no excuse in Flickr, as you can use Picnik (a great online photo editor) to edit it out or just crop it.
Links:
The big buzz for the last few days has been the newly released Chrome browser from Google. In a nutshell it is pretty slick. On Windows XP it renders pages as fast as Firefox 3.0 and performs 2 or 3x faster than Safari. All the normal websites I go to render just fine and work like a charm. The only issue I ran into was with Flash video playback not working as well as it should (chunky like a monkey).
On teh interwebs, they are saying that there might be security issues in regards to the WebKit that Google used to develop Chrome. Specifically, a bad guy could run JAR files on your system withour asking for your permission. It doesn't pay to be a first adopter I guess. You can guess that Chrome would be the future browser of choice if you are a Google suite user.
Links:
Just when you thought that your SPAM filter was up to spec, there is a new form of unsolicited e-mails on the horizon. Using ASCII art based SPAM, it is possible to make graphical images, like the one below and embed them in an e-mail message. You can block inline images in the email or HTML attachments, but this poses a bigger problem.
Links:
For those of you who use Gmail or have Google accounts that allow you to access Google Analytics or Adsense, you might want to take note. In a few days an exploit will be released that will allow people to access your account by using trivial and easily sniffed information. (Article Here) The fix is pretty easy... turn SSL on.
Step 1. Go to http://mail.google.com/mail/?shva=1#settings to access your Gmail settings.
Step 2. Select the Radio Button to enable SSL.
Step 3. Profit?!?!
Link:
The Adenona project at the University of Washington provides an interesting software package. The Adenona client allows a user to track the whereabouts of their laptop in a secure manner, but without spending money on a monthly service. While you get what you pay for, one of the cool features is the ability to use Apple's iSight software to take a snapshot of the thief.
Link:
The Internet Storm Center at SANS recently did a study of the survival time of an un-patched, un-firewalled, and un-NATted Windows machine on the Internet. It is no surprise that the time it takes to get completely owned is around 4 minutes. Sort of amusing in a really sad way.
Link:
I was just reading an article in Government Technology about the so-called Generation 2.0 phenomenon of Milennials. (Article Here) The article pretty much breaks up into two sections, the first being about the security risks that are brought up by the computer savvy youth, and the second being the different work styles and habits of this generation.
The first item begs the question: If your information is so confidential, why do you not have a stricter risk mitigation process in place already? You can blame the 20-something guy that likes to frequent Facebook and MySpace for malware or data loss, or you can address these issues with policy and technology. Educating the users as to what sites are appropriate for work, helping them understand your security policies and computer use policies can go a long way. The issue is this: How many environments are running with close to zero security controls because it is "behind the firewall"? Internal threats are more likely to cause data theft or loss than visiting a web popup, but unless you have the proper anti-virus/anti-spyware and access controls set on your network, you are skating on very thin ice. Technology such as virtualization can allow users to be connected to several different networks from the same terminal, but without the data mingling between networks. When the internet virtual machine gets infected with some trojan, just reload it and be on your way. If you are concerned about employees using too much bandwidth for Youtube and other pipe cloggers, set bandwidth limitations at the firewall.
People are going to violate IT policy. People will destroy your data out of spite. People will steal your data for small sums of money. Your job in the CXO position is to be flexible enough to understand how to leverage policy to fix some issues and technology to solve others. In this day and age, people are afraid to fire people for blatant violations of company policy. When an employee's behavior threatens day-to-day organizational operations, it has to be taken seriously. I don't mean an environment of fear, but an environment where the employees know that their web usage can be monitored, so hey, try to do some work most of the time. Whether it is Milennials or the parents of Milennials that have gotten some great IT training at home, put into place policy and infrastructure that is blind to age, gender, race and all that good stuff.
As for the Millennial working style. So they hop around from job to job... I thought that was how Gen-X is characterized. So they multitask... if that is an efficient way of doing work, who are you to judge. As the old saying goes, the proof is in the pudding, if this generation is willing to implement a new version of the American work ethic and be successful in their endeavors, huzzah! If not, never fear, a whole generation of workers in China, Russia, India, and dozens of other countries with highly educated workforces will come and fill the gaps. While I would hate to see a generation of unemployed folks that just don't like working, sooner or later they will realize that nobody REALLY likes working, then they'll figure out that you need money to do things, and then to get money you have to work. And so the cycle of selling out to "The Man" continues.
Don't be scared by the iPod, iPhones, skinny jeans or social networking. The thing you should be worried about is the core business and the bottom line. The working environment constantly evolves socially and technologically, sometimes with both happening at the same time.
Link:
Recently an exploit called DNS Cache poisoning has put several internet Domain Name System servers at risk. The risk is spread across multiple operating systems and multiple DNS implementation. DoxPara Research has put together a web based tool (on their main site), which allows you to check your upstream DNS server for vulnerabilities. I'm sure that patches will be coming soon from many vendors, but at least until then you can monitor your network traffic for suspicious behavior. Below is an example from a machine at home:
Link:
Recently Verizon did an analysis of 500 network intrusions to see if they could determine if there were any major trends. I found these items from the overview the most interesting:
Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
The study’s findings show a marked increase in the number and type of international incidents. For example, attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East. Internet protocol (IP) addresses from Eastern Europe and Russia are commonly associated with the compromise of point-of-sale systems.
Sources:
Over the past few years I've been meaning to evaluate Splunk's main product, a log aggregation and analysis tool by the same name. Often times as a sysadmin, you have makeshift tools due to budget limitations or other types of hardships. Many places I've worked have had enterprise level network monitoring capabilities, but unfortunately were monitoring the wrong things. The items of the most importance on a day-to-day and hour-to-hour basis were done in shell scripts or manually at the command line. What Splunk does is to give you the configurability of the command line, but packages it up in a nifty web based GUI that allows you do drill down to specific problems (and see the log entries associated) or just skim along at the 40k foot level through graphs and charts.
I recently built a new Ubuntu server box at home (from completely anemic old hardware) and decided that I'd try out Splunk. Even with the most minimal of hardware Splunk was up and running in no time at all. From downloading the debian install package to fully functional was about 25 minutes. My system load churned for about an hour at around 2.0 while all the /var/log and other directories were indexed and pulled into the Splunk database. It is pretty amazing, as the base version of Splunk can access anything that is local to the system, so if that machine is your syslog server, you can correlate error events over a large network in no time at all.
In the picture below you can see the log entries for a brute force attack against my ssh server (from host 209.239.35.45, which is probably just a hacked intermediary host). Using Splunk allows me to drill down to see specific attacks by type or host, by very quickly changing the query statements.
Below you can see the ebb and flow of 'page not found' 404 errors on my webserver. I recently started hosting a domain that had been down for about a year. That domain hosted a bunch of jpg files, which were linked to by some idiot myspace page designer. Once I track down the individual files that are linked to, I make a symbolic link to this file.
In the extended entry, I've copied the output from the install. Just make sure to limit access to port 8000, or whatever other port you'll be using, as there is no access control in the demo version.
In a nutshell, Splunk is like a swiss army knife that you never knew you needed, but now you crave. While it works great as a near real time system monitoring tool, you can also import files from anywhere and process them for historical data. It would make a great tool for network forensics timeline reconstruction as well as a fine day to day IT operations tool. I'm sure that there are millions of other things that can be done with this, but just being able to grok so much data at one time is like having some sort of sysadmin super power.
Continue reading "SPLUNK! ZUFF! PAN!! SNUH! BORT! POOO! NEWT! MINT! ZAK!" »
SRI International has made their Malware Threat Center available to the general public. This site contains constantly updated information about the status of attacking hosts and bot-net clusters. They provide information on what are the best signatures for IDS systems as well as pre-built router commands to block infected hosts from contacting you systems. This site is definitely worth a look.
Link: http://mtc.sri.com/
Those of you who work with sensitive data, and your facility allows removable media such as thumb drives, you might want to look into these units. At Ease, has a selection of appropriately colored USB thumb drives that are labelled properly for the data that is contained within. It makes a user think twice before leaving a secure space with sensitive info. While this doesn't afford you an specialized data encryption, but it does lead to a higher aweness for the user.
Open WiFi connections abound in any major metropolitan area these days. Recently there have been several articles in regards to local laws regulating the "stealing" of WiFi from unsuspecting neighbors. While local municipalities can make laws in regards to this, here are the problems that I have with these statutes. First of all, the localality does not have the authority to make regulations in regards to the transmissions of wireless signals, that is left to the Federal Communications Commission (Look it up, it has been that way since the Communications Act of 1934). Wi-Fi falls under Title 47 CFR Part 15, which designates it as an unlicensed service. Since the wireless link itself has no "real estate" or exclusive license for the spectrum, you would need to prove that:
The municipality that tried to prosecute someone in their car surfing WiFi, would have an easier time accussing the suspect of some sort of physical trespassing or loitering. Beyond this, unless the accused was stupid enough to say "hey, I'm stealing that signal", the municipality has no probable cause to search the computer or to detain you. What is to say that your proximity to a WiFi source is coincidence and you are just surfing the web through a 3G cellular connection.
Here is an analogy:
If you ran an extension cord to your front lawn and connected a landline phone, then a passerby uses that phone to make a call to a local number or toll free long disitance, are they commiting a crime? You have made your connection accessible and they have not incurred any costs associated to your account. Who then is to blame?
How often do these scenarios come up?
One simple choice for the x86 crowd is Darik's Boot and Nuke aka DBAN. This bootable Linux CD is distributed in an ISO file. So all you need to do is burn it to a CD, boot it up, and trash all your data. While the algorithms are very effective, if you need 100% risk avoidance, the best option is still pulling the drives out and smelting them into slag.
DBAN is totally free, but if you have a business need that requires U.S. DoD 5220.22-M, Sarbanes Oxley, HIPAA, or FISMA compliance, you might want to try the supported version called EBAN, or Enterprise Boot and Nuke.
My old light weight favorite, Autoclave, was discontinued by the University of Washington in 2002, but still works really well on older machines (i.e. pre-Y2K) you may have that can only boot from a floppy disk drive.
This morning I was minding my own business when I received an e-mail from my firewall stating that:
From: firewall@teh.internet.tubes
To: alerter@chickenpotpieacousticsystems.net
Subject: NetScreen Mail Alert
Alarm Logs Reported From: homefirewall
Event Alarms:
1. 2008-03-06 07:46:15 system-alert-00008: IP Spoof, From 86.117xx.xx/1031 to 205.181.yy.yy/2746, protocol UDP (i/f trust) occurred 2 times
I'm thinking to myself, "oh crap, I've got malware", or even worse, "oh crap, I've got a misconfigured intruder". I'm quite used to folks on the the internet trying to portscan my network, but traffic originating on my home network is a whole different game.
I calm down for a second and search for the netblock owner of the IP address range. I calm down even more, as it turns out to be my wife's laptop VPN trying to connect and pass traffic back to the corporate office in Switzerland at the same time. I am quite calm now, and sip my delicious Nespresso. All is good in the world once again.
As Winter turns to Spring, and Spring into Summer, data center managers in California have one thing on their minds: Rolling Blackouts. Whether it be unseasonably hot this year in California or just regular, make sure your UPS batteries are fresh, your diesel tanks are full and your web browser open to the California ISO: System Status page. It is your taxpayer dollars at work, use it!
Recently we have been hearing more about phishing and redirection attacks on internet connected client machines using hacked DNS or DHCP servers. If you have reason to distrust the security of your network provider's DNS, or you are just fed up with advertisements popping up when you mistype a URL. One such service that allows you to receive DNS service seperate from your network provider is called OpenDNS.
I have found that this service works on most ISPs, but sometimes if you are at a hotel or Wi-Fi hotspot that requires logging into a captive portal for payment, authentication, or to validate the terms of service, you may need to use their DNS first before switching the settings.
While you would have to put your trust in the providers at OpenDNS to keep their DNS servers hacker free, I would would rather use their service that rely on some random DNS server that is provided over a free WiFi connection. This is not to be construed as an endorsement, but I have been happy with their free service. There are a ton of other services out there, or you could even build your own DNS server and sync it to the ROOT DNS servers, but this solution is pretty mindless and mitigates a lot of security concerns.
IP addresses to use OpenDNS:
Wow, what a terrible title, eh? My 8th grade journalistm teacher would frown upon such terrible usage of alliteration. Anyways... those who have the pleasure of working with me directly, know that I love Meebo's service. Being able to aggregate all of your various IM accounts into one web interface is pretty awesome. Many organizations have explicit policies regarding usage of P2P and instant messenger applications. While it is a matter of symantics, it allows you to do your personal or work related IM activity on a computer that you wouldn't want to install an IM client on. The Meebo Repeater software package can allow you to do IM'ing from places where meebo and other services are blocked at the firewall or internal proxy server. Doing IM from random web cafe locations can be a bit safer using Meebo instead of using the IM software loaded on the systems on site. I had used Trillian, GAIM and Pidgin extensively in the past, so I didn't know what to expect. The fact that meebo uses a heavily modified GAIM as part of their infrastructure lends credibility to how awesome their service is.
(image courtesy of the Meebo Flickr Photo Stream)
I don't use their add-on toys, Meebo rooms or chatlog features, but I can see that many people would find that interesting and/or useful. If I am at a location in which I want to get on the Internet, but don't have my laptop with me, my method of choice is to boot up a system with Knoppix or Damn Small Linux, then use Firefox to get to Meebo. DSL linux will actually fit on a thumb drive as well, so you can carry a clean operating environment on you keychain.
While those that are sysadmins might already know the wonders of nmap, not everyone has had the pleasure of using this tool. You know, it's the tool that totally l33t haxorz use to track midget spies and to hack into the matrix. A computer security consulting firm called Sectegrity has provided a nice service by giving a web interface to nmap and several other probing tools. They have things configured to only probe the host that you are accessing their website from, so you cannot light up someone else's IDS system or cause widespread panic.
Of course other tools like Gibson Research's Shields UP service can do similar things, but it doesn't give you the command line output, so you can't feel like you are hanging out with Sandra Bullock in The Net.
