Tag Archives: security

Comcast’s bot alert service is a good idea terribly implemented

Posted on by
10

Brian Krebs reported yesterday that Comcast will be implementing its bot detection feature nationwide.  Comcast will apparently put an overlay on websites when visited from an IP that exhibits signs of bot activity.  I don’t claim to be a security expert, but I think I’ve been in the business long enough to say “that’s really stupid.”

While I agree with Comcast’s efforts to fight bot infestations, they are going about it in exactly the wrong way.  Running man-in-the-middle code is unacceptable, regardless of the intent.  If the code is inserted into anything other than HTTP traffic, it will almost certainly break things, and I imagine that certain kinds of HTTP applications will break, too (specifically automated retrieval/parsing of sites).   Additionally, it opens up another attack vector if Comcast itself suffers a breach.

Perhaps the worst part of this plan, though, is the impact it has on user education.  For most users, nuance is not appropriate.  Despite repeated warnings about the illegitimacy of “Your computer is infected!” pop-ups, people still click on them.  Now suddenly there’s the Comcast nag with a link to download anti-malware tools.  Comcast seems to assume that users can handle the nuance.  My own experience suggests otherwise.

Unlike the authors of some of the comments on the post, I’m not concerned that Comcast can determine when a host (well, a customer’s connection, which may have several hosts behind the router) is operating as part of a botnet.  While they could be inspecting the contents of the packets, it’s more likely that they’re just using the routing information and other already-visible data.  There are some hosts and traffic patterns that are generally indicative of bot activity, but not conclusively so.  That’s how the network security group at my employer works, in fact: they determine that a host is displaying suspicious behavior, and notify the local admins to investigate.  Sometimes, it’s a false alarm, which is another cause for concern. If users get the Comcast “you’re a bot!” warning, act on it, and it turns out to be false, will they take it seriously again?

I don’t have an answer for Comcast.  They’re trying to do a great thing by combating botnets (not altruistically, of course, but helping their network helps their customers too, so who’s to complain?), but the current method of informing affected users is a really bad idea.

Summary of the 2010 CERIAS Information Security Symposium

Posted on by
3

Earlier this week, Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) held its annual Information Security Symposium. This year’s symposium was well-attended, and the keynote speakers perhaps had something to do with that.  The keynote speaker for the first day was the Honorable Mike McConnell, a former Director of National Intelligence, among several other posts.  The day two keynote speaker was the current Under Secretary for the National Protection and Programs Directorate in the Department of Homeland Security, the Honorable Rand Beers. Of course, the internationally-renowned director of CERIAS, Gene Spafford, was there, along with a collection of academic and industry representatives serving on three speaking panels.

With the exception of the poster session, the content of the symposium was largely non-technical.  This is fitting, since many of the greatest challenges in cyber security revolve around social or political difficulties, not technical limitations.  Both Admiral McConnell and Mr. Beers discussed at great length the interactions between the public and private sectors and the need for a mature cyber security policy. Continue reading

Cyber security awareness month: Other uses for SSH

Posted on by
3

As I noted a few weeks ago, October is cyber security awareness month.  I’d planned on writing a big how-to for remotely and securely connecting to another computer, but time has escaped me, so what I’ll give here is the quick and dirty version, and trust that my readers can use Google to fill in the backstory.

Back in May, I wrote an article about using SSH as a proxy to help secure your web browsing when away from home.  SSH was designed primarily to provide shell (command line) access to remote machines using encryption and other features to prevent someone from eavesdropping, but it can be used to tunnel all kinds of other traffic.  For example, you can tunnel your Subversion version control over SSH, using the svn+ssh argument (e.g. svn co svn+ssh my_svn_files). Or you could tunnel your VNC (a remote desktop protocol) over an SSH connection.

Why would you want to tunnel VNC?  The first reason is that VNC by default passes all traffic in plain text, which means all of your keystrokes (read: passwords) are exposed.  By using an SSH tunnel, your session is encrypted. The second reason is that by using an SSH tunnel, you don’t have to open the firewall for the VNC port(s).

So how do you tunnel VNC, or another protocol?  The -L argument to SSH (or LocalForward in the config file) tells SSH to forward locally.  To tunnel to a VNC server running on display :1, you’d do something like:  ssh -L 5901:localhost:5901 username@my.server.org   and then point your VNC viewer to localhost:1.

In addition to interactive-type uses, SSH can be used for file transport as well.  The scp command copies files to and from a remote server in the same manner that the cp command works locally.  sftp can be used as a secure replacement for the FTP protocol (but there’s no provision for anonymous access).  And most importantly, the venerable rsync command can be used with SSH by specifying it as the argument to the -e flag (e.g. rsync -e “ssh” -av /some/local/directory username@my.server.org:/the/remote/directory).

So the moral of the story is: SSH can help keep you secure.

Cyber security awareness month

Posted on by
1

Today marks the beginning of Cyber Security Awareness Month.  It is convenient that we observe this in October, because it allows for some really awesome costumes at work on Halloween.  My favorite so far was when someone taped a short length of ethernet cable under his nose and said “I’m a network sniffer.” It was a one-minute “oh crap I forgot a costume” deal, but it was awesome enough that it got him a prize.  I have a really awesome, if slightly disturbing idea for this year, but I’m going to keep it secret.

Of course, cyber security isn’t just about dressing up in a punny manner.  It is actually a very serious topic.  I am, by no means, an expert on the matter.  Fortunately, no one reads this blog, so I don’t have to try to come up with actual things to say.  I will point out a few resources.  For example, the Department of Homeland Security.  Or perhaps the SANS Internet Storm Center.  Or if you’d like to teach yourself on various cyber security topics, check out Purdue’s Center for Education and Research in Information Assurance and Security.  I’ll try to have a few blog posts related to security this month, if I can ever find the time to sit down and write them.

It’s a bad week to be AT&T

Posted on by
4

AT&T, like any other large company, has had it’s share of bad news.  Things like delayed support of MMS on the iPhone and complicity in warrantless wiretapping caused a stir, but nothing like the week the telecom giant has had so far this week.

On Sunday, AT&T began blocking traffic for img.4chan.org one of the most influential DNS entries in all Internetdom.  If you’re not familiar with 4chat, that’s a good thing.  Just know that’s where things like LOLcats and federal charges come from.  The best and worst the Internet has to offer.  Although some might not admit it, everyone who maintains an Internet presence lives in fear of angering 4chan and the Anonymous legion.  Apparently, someone at AT&T forgot their fears.  Wired later reported that AT&T was actually responding to a DDoS attack from 4chan, that was in turn a response to a DDoS from an unknown source.  Will this fact stop the b-tards from seeking revenge?

Perhaps they won’t need to.  Someone at AT&T seems intent on doing that to themselves.  Some poorly coded PHP exposed the files on www.research.att.com to the public on Monday.  Not just the files they wanted you to see, but things like /etc/passwd, the /proc filesystem, and so on.  While is it doesn’t appear that any sensitive customer or corporate data has been exposed, it certainly has given a potential attacker a lot more information than a normal web server should expose.  It is a very basic, simple mistake with broad consequences.

As of Monday evening, the ban hammer had been lifted from 4chan, and the www.research.att.com web server was blocking external traffic, presumably to guard against further exposure until they fix…the glitch.  The end result of this appears to be mostly bad karma on the Internet with little in the way of actual damange, but AT&T has had a rough week.  In fact, word Tuesday is that the removal of Google Voice-enabled apps from the iTunes app store is AT&T’s fault.  Can anything go right for them?

Securing your SSH keys

Posted on by
5

My ones of readers may recall that I’ve mentioned “Standalone Sysadmin” by Matt Simmons as one of my favorite blogs.  On Friday, he published a great introduction to SSH keys.  He covered how to set up keys and use them.  One aspect that deserves further coverage, though, is securing your keys.  Sure, a good passphrase will do a lot to keep your key from being used by the bad guys.  But what happens if you have a phraseless key?  It’s a bad idea for interactive use, but for automated tasks, it is nearly a requirement (unless you manually start the SSH agent).  So how can you minimize your risk? Continue reading

Reading is a basic tool in the living of a good life

Posted on by
3

The title is a quote from Joseph Addison, according to the good folks at the Richmond Public Schools.  Addison was a 17th and 18th century poet, but were he around today, he might have said it is a basic tool in being a good sysadmin.  If you don’t spend a good portion of your work week reading, you’re either doing it wrong or you’re overworked.  So what should you read?  Why, a little bit of everything, of course.

Each morning, I read through my log reports.  I get a lot of important information from a LogWatch report generated by my central log server.  I can see who logged in from where, and where failed logins (read: SSH attacks) came from.  A list of packages that got updated is given, as well as miscellaneous messages that I might want to know about.  Of course, I could look at the report for each individual host, but a centralized server makes life much easier.

Keeping up on the news is important, too.  Technology news is important too, but general news of the world.  Why?  Well, because I like to know what’s going on.  I guess you could do without it, but why?  Fark.com, Slashdot, and Reddit are all good places to get both nerdy and non-nerdy information, as well as discussion by people who (sometimes!) can bring more information to the table than the article itself will provide.

Since this is a blog, I am morally required to mention that blogs are absolutely necessary for sysadmins.  There’s probably a blog or several from the vendor of your OS of choice, as well as your critical applications. Plenty of other sites have blogs, too, but what may be the most interesting are the personal blogs of your peers.  When you’re a new sysadmin, you probably don’t know much outside of your own environment.  Reading what others are doing is a quick and easy way to help expand your horizons.  I have to mention specifically Matt Simmons’ Standalone Sysadmin blog.  I found it by accident a few weeks ago, and have since become an avid reader.  Having worked in academia all of my professional life, I often don’t see things from the perspective of someone working in the private sector.

There’s another source of information that can be very helpful.  There’s probably a building in your county that your taxes fund and it’s full of dead trees.  That’s right: your public library.  I’ve been visiting the library fairly regularly to check out books for recreational reading.  Today I had a sudden revelation: the library has technical books, too!  So I’ve decided to check out a technical book when I visit.  I’d like to read at least two per month, in order to expand and deepen my knowledge.

So what’s the point of all this?  READ!