I’ve had an SSH server up for some time on the default port 22 tcp on a Windows box. The other day I finally moved it over to a virtual Ubuntu box where it will stay indefinitely. While SSH was running on Windows, I logged all failed attempts. I didn’t expect Amsterdam to outpace Asia! Also, I suspect these were all automated attempts since root was tried the most. Using Cygwin on Windows, I don’t have a “root” account. In fact, “Administrator” was never even attempted once (what the hell?). Go figure.

This brings me back to a recent thread on the Security-Basics list hosted at SecurityFocus where a lot of people got pretty heated up about whether changing the default SSH port or using port knocking is an effective security measure. There were impassioned responses on both sides of the equation, and in a way, they were all somewhat correct. But I think it is more accurate to say changing the SSH default port is not a security enhancement, technically, but does reduce the risk of that service. Risk is decreased, and in a more high-level way of defining “security,” the security of the box was increased. This does not mean SSH became more secure or the box magically became more secure… Really, it just came down to semantics (mostly).

The stats above help illustrate that risk my SSH server faces. If the SSH port had been moved, I would honestly be surprised if I had a dozen failed login attempts. That illustrates reduced risk. I’d also be able to identify my threats a little better. Someone with 5 failed attempts on my obfuscated SSH port may indicate a targeted attacker as opposed to an automated worm scanning for SSH. If someone was able to port knock my SSH open to make failed attempts, that might perhaps indicate my port knock sequence was sniffed somewhere or an insider is atetmpting something fishy.

I’ve been doing more scripting lately, and thought I should document (for myself) some of the stuff I’ve been using. Rather than spit them out here, I put them on the wiki. Here are some snippets of what I use. We use these scripts when building new development environments and servers. Nothing ground-breaking, but still useful as inspiration if anyone else is working around PowerShell.

Create Windows services
Building LDAP container and object strings
Process and create OUs
Create an Active Directory Group
Create an Active Directory User
Open and search XML files

Couple quotes I like. Andy already mentioned one, but I thought I would mention it again along with the previous days’ quote on our Art of War calendar.

“When your strategy is deep and far-reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is little, so you lose before you do battle.” The Art of War, Chapter 1 On Assessments

And…

“When the army is old, the soldiers are lazy, and the discipline and command are not unified, this is an opponent that has already lost.” The Art of War, Chapter 4 Formation

This morning I decided to replace part of a script I own at work with a random password generation function. This was easier than I thought it would be. This function takes a number that should be greater than 4, and returns back a random password of that length. The character sets are pretty obvious inside the function and can be adjusted as needed. The password generated assures the first 4 positions will always be a number, capital letter, lower case letter, and symbol, respectively, to meet some complexity requirements. The rest of the positions are a random character chosen from a random character set.

function RandomPassword ([int]$intPasswordLength)
{
if ($intPasswordLength -lt 4) {return "password cannot be <4 chars"}
$strNumbers = "1234567890"
$strCapitalLetters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
$strLowerLetters = "abcdefghijklmnopqrstuvwxyz"
$strSymbols = "!%^&*()+=/?{}[]~,.<>:"
$rand = new-object random
for ($a=1; $a -le $intPasswordLength; $a++)
{
if ($a -gt 4)
{
$b = $rand.next(0,4) + $a
$b = $b % 4 + 1
} else { $b = $a }
switch ($b)
{
"1" {$b = "$strNumbers"}
"2" {$b = "$strCapitalLetters"}
"3" {$b = "$strLowerLetters"}
"4" {$b = "$strSymbols"}
}
$charset = $($b)
$number = $rand.next(0,$charset.Length)
$RandomPassword += $charset[$number]
}
return $RandomPassword
}
RandomPassword 36

No doubt there are other functions and solutions to this, but I kinda just wanted my own.

I have not been made aware of being a victim (or potential victim) in any of the large-scale data breaches so far (I don’t shop at Marshals/TJX and I only use one credit card for the most part anyway…I still like cash the most!), but I know someday I will. A little closer to home, I see this morning that “more than a thousand” people have been notified about a data breach at the University of Iowa. Why this breach only exposed “more than a thousand” people, I’m not sure. All the other tired prerequisite PR notes are given such as “No evidence that personal information is being misused…”. I have no evidence that I might be involved in a car accident today, but that won’t stop it from possibly happening.

While this is closer to home, I will note I graduated from Iowa State University, not U of I.

This weekend I finally (after way too long) got my OpenVPN setup to work as desired. I had plenty of workarounds ready, but I was pretty determined to get this working the way I wanted. I think my problem was twofold. First, I needed to turn on ipv4 forwarding on the Ubuntu OpenVPN server. I will be testing this today to see if that really was needed. Second, the Linksys WRT54G route was set up wrong. Not sure what I was thinking, but I corrected the problem this weekend and everything was happy. So I blew away the server VM and rebuilt it without all my little troubleshooting settings and commands to better isolate only exactly what I need to rebuild the system. I’ll provide more details on my install hopefully later this week. After a few more builds, I expect to save a post-install snapshot finally.

Unless you’re like Marcin and aren’t aware of your surroundings for weeks at a time (hehe!), you likely know about that guy who has a strain of Tuberculosis and decided to fly halfway around the world and then purposely circumvent security to come back to the US. If someone has seen that this winner of a guy has ever posted or spoken an actual apology yet, please let me know. I’ve yet to see one, and seeing one would assuage my anger…

To bring this back a bit, do you know who the cowboys in your organization are who know security but choose to circumvent it and take big gambles with people’s welfares? Do they ever apologize? Do they ever reform?

George Ou has recently taken up the torch of demystifying RAID for average users so they can reap the benefits. Unfortunately for George, I agree with his detractors that say RAID isn’t going to fly in the home. Honestly, RAID makes even geek heads spin sometimes, including my own, and managing one’s RAID setup is really up there with changing your own oil: not everyone does it or wants to do it. In fact, most average people really couldn’t give a fuck about RAID; they just want to backup their data.

I think George should stick to the easy things when it comes to consumer-level storage. Educate people about regular backups using one of two methods: drag-n-drop or NT Backup (or both!). And for media, educate people to use one of four options: external hard disk, USB key (or two), cd burning, or dvd burning. Drag-n-dropping data is natural, and people just have to think about what they would want backed up, drag it over (or burn it), and set it aside in a safe place. If people don’t understand or know what they all need, use NT Backup and in the event of a disaster (on consumer levels, i.e. a hard disk gone bad) have that on hand for techies to restore.

That really should be the extent of trying to educate the masses. Granted, it is not pretty or scalable, but it gets the job done and goes only as far as most consumers really care to go. (Honestly, I’m not sure who George’s audience is, technically proficient people who already know this stuff or technically inproficient people who shouldn’t be bothered with RAID…either way, he’s seeming a bit lost on this effort.)

F-Secure (and Andy, whose blog I checked first!) posted about the most common registry locations that malware tries to start from on Windows. Not only is this list highly useful to check in response to an incident, but like any good baseline, this is a list of locations that all admins should be familiar with even before an incident. It doesn’t help to have an incident, check one of these locations, and not know what those other 25 entries do. That is wasted time trying to isolate which one is out of place. Check these locations out now and see what is really going on with your system. I even filed this into my always-being-built wiki.

Random link from Full-Disclosure: mlabs.secniche.org

I hate to post more rants than useful content on here, but this week has been too busy for much more than ranting. I saw an article about the dangers of unauthorized teleworkers, that is, those workers who bring work home with them and possibly work on their home computers.

The report found that 63 percent of respondents who worked from home unauthorized — more half of the non-teleworkers surveyed — used their home computers in doing that work. “People were saving documents on their home computers that were unprotected,” said Josh Wolfe of Utimaco, a data security company that underwrote the study.

…

“We’re not sure if these people are dealing with spreadsheets with Social Security numbers on them or something more mundane than that,” Wolfe said.

I like security, and I like to think I have a (healthy) paranoid/security-conscious mind, but I really believe we can go too far very easily. While government employees maybe shouldn’t take work home with them (and yes, I pointed out that second blurb to show that maybe all those workers had non-sensitive materials and were working on presentations or some junk), I hate when articles like this make their way to other circles and present things without proper context (I expect to see this study referenced in non-government articles soon…). Take a small start-up company. Yes, those people likely take work home with them, it happens, it is natural, and at some point every single one of us does it.

Yes, we have to be conscious of our data leaving the confines of our happy networks, but we can’t obstruct our users trying to make the business successful. That’s one of the (few) issues I have with data-centric security. Trying to secure the data eventually impacts the success of the business and the happiness of the people.

One other note I had from the article is about how data-centric security really only works when you can classify your data and separate the sensitive or confidential stuff out. Data-centrism is great for that classification and for being conscious of the security of your really sensitive data, but it breaks down and is ineffective and inefficient for the rest of the data. It can also be theoretically effective when you just declare “all information is sensitive so let’s encrypt everything!” But that gets into a realm that is just not really going to be possible yet, at least at the level of near-perfection that statement alludes to while allowing employees to do their work and be an asset.

Maybe this is just the media being way too sensational about digital security still. We don’t see dramatic reports about how people’s homes are insecure because, while we have a deadbolt in front and back, our windows can be smashed, oh my. Security isn’t perfect and never will be, and I’ll continue to bristle when media or persons have an underlying tone that anything less than perfection is inadequate. Maybe our industry does get it, but damn if the media still stirs us up and gets our blood going still.

Maybe I should further limit my chosen media outlets away from journalists…hehe! Hell, I’ve been tracking the front page daily headlines on cnn.com and it reads more like a tabloid or YouTube front page than anything anymore…

A quick excerpt from a CIO article. Without details, it is tough to separate fantasy (or simply blind speculation) from reality, but I think this story may just ring true. The article is focused on how difficult forensics is becoming as criminals employ more antiforensics tactics. Personally, I don’t think it has gotten any worse to track down criminals over the wires, there is just more money involved these days. (On-disk forensics notwithstanding.) (Update:I see more discussion here from keydet89!)

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio
file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn’t caught the perpetrator and he knew he never would. What’s worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.

As a side rant, I really hate how a not-large article turns into 10 page “turns” on news sites these days. I mean, come on, everyone can see through this little “click more to serve more ads” scheme. It actually conditions me to look for the Print icon to view the printable version that, amazingly, has no ads and displays on one page.

RSnake and also Andy linked to File-Swap with wonderment in their eyes. More like confounded amazement really. But come on, this site is awesome! It is the modern equivalent to russian roulette! Take a spin! Really, how secure in your systems do ya feel, punk?

Now, I have this thing about user-supplied content and Web 2.0. I’ve been around long enough to see the days where Rotten and EbaumsWorld have spawned up to house all kinds of disgusting junk before dot-coms even thought of busting. Sadly, this file swap is just as ripe for disgusting content as it is malware content. Maybe more so since the former is far easier to achieve than the latter. Then again, use Metasploit to generate some malicious images…? Either way, some ideas may be cool to generate some “wtf,” traffic hits, but a site like this simply cannot have longevity and remain relatively clean.

This past week I began the motions of signing up for a new gym, for a change of pace as summer feels like it has started. So I signed up on the gym’s (franchise) website and all that jazz. About a day later I get an email from a residential email address saying that my info is being forwarded somewhere and to expect a call back. This email was then sent to another residential address down in texas. And of course, my credit and personal details are in the email, nicely fomatted with HTML tags.

Really, there are still many businesses and people who have no idea how insecure digital methods can be. But even if they do, many of them have no idea what to do about it without spending money to get someone to do it for them, or devote time out of their own life to do it.

If I am happy about nothing else, at least I was able to see that my info was passed over email. This way I won’t be chasing my tail should that card end up with fraudulent charges in the near future…I’ll have an obvious place to begin.

A while back, Rybolov (Guerilla CISO himself!) posted a link to Heidi, Geek Girl Detective. I finally got time to finish through the story over a latte this weekend and was quite entertained! Must be something about Seattle to have geeky comics (PennyArcade being a notable one)…or maybe the town is more creative than most…maybe it’s the rain. And for the record, I read the Hardy Boys and Encyclopedia Brown as a kid, not Nancy Drew.