Back to Top

Thursday, October 23, 2008

Mixed links

An older ISC blog entry about signs that you have been compromised. It should be a must-read for anyone administering websites, even if s/he is doing it as a hobby. Not doing so can make you a launchpad for malicious activities.

An other ISC blog entry points to a paper about fast-flux DNS and a list of tools useful for malware analysis. These days it is very important for sysadmins to be able to do (at least basic) recon. Watch out for my solution for the malware challenge to get more information. Also, don't forget that you can get an older version of IDA for free.

A further ISC blog post talks about the risks you take when investigating malicious networks (being DDoSed in this case). I can attest to this first hand - a server specially hosted in a datacenter with the scope of studying botnets was hit by a ~1MB/s ICMP flood after "stirring the pot". Fortunately the ISP didn't mind and even was generous enough to filter the traffic at their gateways. It is believed in the research community that most of these actions are "scripted", ie these systems have some kind of "proactive IDS" which "strikes back" whenever anomalies are detected.

What can you do? As the article says, one option is to do the recon from a "throw away" IP. One possibility not mentioned there is to use dial-up or wireless (EDGE / 3G) modems which usually give you a different IP at each dial-in. Of course you should be aware of the fact that even after you disconnected, for some time the attack will persist against the ISPs infrastructure and there is the possibility that somebody else might inherit the given IP. There is a school of thought which says that if you aren't prepared to handle the consequences, you shouldn't do research (ie you shouldn't use third party systems - proxies, TOR, throw away IPs - as escape goats). Ultimately, what I wanted to do, is to emphasize the risks involved in such activities and to make clear the choices one must make when engaging in them.

ISC blog entry about gathering evidence that can be used in court. Now I'm not a lawyer, I don't play one on TV :-p or a forensic expert or live in the USA for that matter. Most of my knowledge comes from listening to the Cyberspeak forensic podcast. However one thing which I got from there that there is a subset of practices / tools which is considered "forensically sound" and you better stick to that if you don't want problems in court. For example compressing disk images might or might not be "forensically sound", depending on the program / algorithm you used. My conclusion would be: you better leave it to a specialist, because the law is like a minefield.

Flash 10 is out. The good: they simultaneously came out with the Windows and Linux version. An other great thing: they have accelerated 3D effects. Now if somebody could write a photosynth viewer in it please... The bad: a new security feature which requires user interaction with the embedded object before it can be scripted. This breaks tools like swfupload, which were based on hidden objects to augment the browser functionality. I can see why they would do such a thing. Probably the solution will be to do part of the UI in flash (for example the "upload" button in a form) and thus satisfying this requirement.

Containing malware outbreaks. This is a real problem which grows exponentially with the number of interconnected systems. So make sure that your systems are segregated and also, that you have somebody you can call on who gives a detailed enough description of the malware so that you can devise an action plan (how does is spread? what files does it touch? does it download additional components? are there methods to make it fail - like running it as a limited user, ACL-ing away rigths on files, etc).

The next in the series is eradicating rootkits. Several points:

  • Whenever humanly possible - wipe and reinstall. Rootkits are evolving at an amazing pace and most commercial software is unable to detect anything newer than 6 months.
  • Scan offline (from a boot CD, by putting the harddisk in a USB dock, etc)
  • After reinstalling - lock down the system to avoid reinfection. Apply patches (to the OS and to any running software - reintalling Adobe reader from 6.0 kit you have lying around doesn't help much). Lock down settings.

In the same spirit: Removing Bots, Keyloggers, and Spyware. While I (partially) agree that anti-malware is not that effective, but IDS isn't either (most of the malware generated traffic - excluding spam - is HTTP over port 80). The best tool you can have is basic reverse engineering experience. Incidentally I was reading an other blog post saying "Don't rely in your Anti-virus software anymore". I would make a more balanced statement: don't rely only on your AV software especially if you are a business.

Google Webmaster tools warns users about vulnerabilities - a good move.

Wireshark 1.0.4 released. Very good tip about capturing as root with a simpler tool (tcpdump) and analyzing the capture under a limited account.

Wiping disk data. One pass is enough, unless you suspect that somebody with a serious budget comes after you. In this case use two-pass. One thing to be aware of: modern media (both disk and flash) relocates sectors underneath the OS. So the sector you are wiping might not be the sector you originally written to. This means that some data might be recoverable even after several passes of wipe. Now the amount of data is probably small and randomly selected (so probably it won't represent the entire contents of any given file), but if this is a possible issue, use full-disk encryption from the start, before writing anything to the disk.

Mark Russinovich talks about his experience with video codecs. They are a problematic bunch of software, and whenever I install a Windows machine, I try to avoid registering code to run inside of explorer.

Unlocking your workstation using bluetooth. Very cool, even considering the mentioned security issues.


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.