I’ve been “upgrading” my home infrastructure:
Seagate GoFlex Network Storage
Netgear WNDR3800
(other stuff)
All my toys run Linux, so imagine my surprise when this started showing up in my logs:
[LAN access from remote] from 210.51.17.227:40986 to 192.168.35.119:22, Thursday, January 19,2012 16:56:47
[LAN access from remote] from 210.51.17.227:39316 to 192.168.35.119:22, Thursday, January 19,2012 16:56:36
[LAN access from remote] from 210.51.17.227:37023 to 192.168.35.119:22, Thursday, January 19,2012 16:56:32
[LAN access from remote] from 210.51.17.227:34192 to 192.168.35.119:22, Thursday, January 19,2012 16:56:28
[LAN access from remote] from 210.51.17.227:50809 to 192.168.35.119:22, Thursday, January 19,2012 16:56:21
[LAN access from remote] from 210.51.17.227:47558 to 192.168.35.119:22, Thursday, January 19,2012 16:56:16
[LAN access from remote] from 210.51.17.227:44530 to 192.168.35.119:22, Thursday, January 19,2012 16:56:11
[LAN access from remote] from 210.51.17.227:42159 to 192.168.35.119:22, Thursday, January 19,2012 16:56:07
[LAN access from remote] from 210.51.17.227:39236 to 192.168.35.119:22, Thursday, January 19,2012 16:56:02
(repeat about 500 times)
whois 210.51.17.227?
Answer: someone inside a /16 registered to Beijing Tongtai IDC of China Netcom.
Turns out my Seagate device was advertising port 22 via UPnP and my Netgear was helpfully port-mapping it to the Internet.
Go figure.
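A small triage script for router log lines like the ones above, added here as an example and not part of the original post. It assumes the Netgear "[LAN access from remote]" line format shown, a hand-picked list of ports that should never be reachable from the Internet, and reports repeated Internet-sourced hits on those ports grouped by source, target and port.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Netgear "[LAN access from remote]" line format, as seen in the post.
LOG_RE = re.compile(r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
                    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<ts>.+)$")
# Services that should never be reachable from the Internet (assumed list).
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

def parse_line(line):
    """Return (src, dst, dport, timestamp) for a matching line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Netgear writes "January 19,2012" with no space after the comma.
    ts = datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S")
    return m["src"], m["dst"], int(m["dport"]), ts

def summarize(lines, threshold=3):
    """Group Internet-sourced hits on sensitive LAN ports by (src, dst, port);
    LAN-internal sources are ignored and findings are sorted by hit count."""
    hits = defaultdict(list)
    for line in lines:
        if (ev := parse_line(line)) is None:
            continue
        src, dst, dport, ts = ev
        if dport in SENSITIVE_PORTS and not ip_address(src).is_private:
            hits[(src, dst, dport)].append(ts)
    findings = [{"src": s, "dst": d, "port": p, "service": SENSITIVE_PORTS[p],
                 "count": len(t), "first": min(t), "last": max(t)}
                for (s, d, p), t in hits.items() if len(t) >= threshold]
    return sorted(findings, key=lambda f: -f["count"])

# Constructed sample: three lines from the post plus two that must not fire
# (a LAN-internal source, and the same remote source hitting a non-sensitive port).
SAMPLE = """\
[LAN access from remote] from 210.51.17.227:40986 to 192.168.35.119:22, Thursday, January 19,2012 16:56:47
[LAN access from remote] from 210.51.17.227:39316 to 192.168.35.119:22, Thursday, January 19,2012 16:56:36
[LAN access from remote] from 210.51.17.227:37023 to 192.168.35.119:22, Thursday, January 19,2012 16:56:32
[LAN access from remote] from 192.168.35.5:51000 to 192.168.35.119:22, Thursday, January 19,2012 16:57:00
[LAN access from remote] from 210.51.17.227:50000 to 192.168.35.119:80, Thursday, January 19,2012 16:58:00
""".splitlines()

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['service']}): "
              f"{f['count']} hits, {f['first']:%H:%M:%S} to {f['last']:%H:%M:%S}")
```

Feed it the router's syslog export instead of SAMPLE; a finding like the one above is the cue to check the router's UPnP port-map table, not just the device's own firewall.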
Thursday, January 19, 2012
Saturday, April 2, 2011
SQL Injection and Cross-Site Scripting (XSS) are Hot
Custom and automated attacks against web sites continue as vendors and developers still have not gotten the hang of secure coding techniques.
In one case, an automated attack has infected more than 600,000 sites in about two days.
The other was a case of a targeted attack against MySQL. Interestingly, the attackers are taking credit for this exploit.
Broad automated attacks like the first are usually driven by botnet groups who are ultimately seeking to compromise a large number of end-user systems.
The second attack is becoming less common. My guess is that they are seeking to establish credibility for their attack skills and to demonstrate their ability to launch a 0-day hack. This sort of activity ranges from the somewhat benign (the hacker equivalent of resume fodder) to the more malignant: demonstrating value before selling their exploits to the criminal underground.
While defects will always exist, it is clear that web site providers still fail to perform the security basics: vetting code before deployment and monitoring their site for compromise.
(updated)
Current infection counts can be found (for a few of the domains hosting the malicious scripts) with Google:
Wednesday, September 22, 2010
HyperSentry
HyperSentry is a technology that uses IPMI to allow an out-of-band method for checking hypervisor integrity.
IPMI is a backdoor to the system, so it is something that has to be managed carefully. When I did pen-testing I often found that it was not secured properly. That said, it is a very interesting idea.
I think the hardware "root-of-trust" technology that has been developed by AMD and Intel is also interesting.
I think we will see availability of tools, including Catbird, where a combination of these technologies is built into the system. I do have to point out that IPMI-based checks have been possible for years and yet no one has touted them as a solution for detecting conventional rootkits. I've learned that anything with "IBM" in the release has a certain amount of FUD factor and it may be a year or longer before we see a real capability that can be built into a product.
Perhaps the broader implication is that work like this is common on open-source hypervisors and is much harder to perform on proprietary systems.
Thursday, September 2, 2010
VA cloud outage
--Virginia Gov't Agencies Suffer Massive Outage
(August 27 & 30, 2010)
A storage area network (SAN) memory card failure at the Virginia Information Technologies Agency (VITA) left at least two dozen agencies without the ability to conduct business. Among the affected agencies are the Department of Motor Vehicles, which was unable to issue driver's licenses, and the Department of Social Services, which was unable to distribute benefits. The data center where the failure occurred is run by Northrop Grumman.
[Editor's Note (Northcutt): The state of Virginia was an early adopter of blades and virtualization. The advantages and economics are obvious. These outages may prove to be a cautionary tale. With virtualization, you end up with a lot of eggs concentrated in a fairly small basket so that if your continuity of operations plans fail, you go down pretty hard.
(Schultz): This is a perfect example of what can go wrong when cloud services fail. People in general neither recognize the real risk nor plan for loss of availability in cloud services.]
Wow, they were not running dual HBAs into the SAN? Can't be.
Outage report from VA is here: http://www.vita.virginia.gov/about/default.aspx?id=12596
I am not sure the SANS editor comments are warranted. This may be related to an architectural error in the deployment of the EMC DMX 3 and its backup.
The DMX is an SMP-based HA system with a petabyte of capacity. The comment about too many eggs in one basket is accurate with respect to the State of Virginia's use of a monster SAN, but not so much as per use of virtualization.
The real failure here is whether or not they tested their COOP capability ... ever. Then we have to ask when they last ran a DR test, because their time to recover seems a little long as well.
My failure analysis: over-reliance on a vendor's claim that their hardware never fails.
Saturday, August 28, 2010
Web site reputation
Recently several companies have developed features or products to make web surfing more secure. One of these technologies uses reputation. Reputation is a measure of trust for a web site or web page. In this case trust is typically measured by how much SPAM, malicious traffic, or attacks a site is known to generate. It turns out that measuring these things is not that hard because a majority of web traffic flows through a relatively small number of gateways and backbone networks.
This is a very good idea. If a web site is known to host malware or send a lot of SPAM, then block or warn users before they visit a site. Of course, cyber-criminals have started to figure out how to bypass these checks. They simply attack sites with good reputations and get them to host the malware. In some cases, it's just a matter of providing an advertisement.
Reputation-based security is still a great idea because it forces the crooks to work harder. However, we can't get overconfident and rely on this technique to always protect us. This means keep your software patched, don't click on suspicious links, and ignore any offer that is too good to be true.
Tuesday, August 24, 2010
Alert FOX News!
So, I got this funny SPAM email, and I thought someone will take this seriously and alert FOX news to yet another massive government intrusion into our lives... ;-)
By the way the SPAM came with a ZIP file that will probably p0wn your computer if you install it...
------ Begin Message
From: Alfreda Robertson
Date: Tue, 24 Aug 2010 16:04:07 +0200
To:
Subject: IRS Notification - For Tax Payer xxx-x-xxxx-x@catbird.com
Dear Tax Payer,
As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.
To begin the update, install the attached file
After doing so, no further action is required on your part.
Thank you for your cooperation.
Sincerely,
IRS Agent #175
Alfreda Robertson
------ End of Message
Friday, July 2, 2010
Always a good idea to keep your BIOS up to date...
Looks like Sony has learned from Dell’s leaky capacitor debacle.
Sony says 535,000 laptops at risk of overheating. More than half a million Sony laptops sold this year contain a software bug that could lead them to overheat, the company said June 30. Sony has recorded 39 cases of overheating among Vaio F and C series laptops that have been on sale since January. In some cases, the overheating has led the laptop case to deform. A bug in the heat-management system of the BIOS software is to blame. Sony is asking users to either update the software themselves or return their laptops so it can apply the update. The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners to update their machines. The additional 111,000 machines are susceptible to several less serious problems that have also been found in the software, said Sony. BIOS is present in every PC and runs below the operating system, controlling the most basic functions of the computer and interaction between major components. It is usually invisible to users except for a BIOS start-up message that is typically seen when a PC boots. The problem affects machines sold both in Japan and the rest of the world. Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and VPCCW25FG/W.
Source: Computerworld