Thursday, October 20, 2011

Digicert is an awesome CA

I just renewed an SSL certificate through Digicert. Their site is fantastic and the prices are very good. No per-server charge baloney for wildcard certs, just one set price. I have never seen a CA offer this kind of reissue option right on the website. I have had a couple of 'oh shit' moments when I thought I lost a private key file. Re-Key Your Certificate gets rid of that worry! So long Verisign/Thawte, I'll never use you guys again.

Thursday, October 6, 2011

Zero day exploit dropped on American Express

Amex developers have left several debug utilities available on their web site for anyone on the internet to access. The exposed debug utilities are vulnerable to cross site scripting attacks, which could be used to steal cookies. Those cookies can then be used to log into accounts as those users. The guy that found it has been trying to inform Amex since Oct 4th. It's been almost 24 hours since the vulnerability went public and Amex still hasn't done anything about it.

http://qnrq.se/full-disclosure-american-express/

http://seclists.org/fulldisclosure/2011/Oct/284

http://twitter.com/#!/qnrq

Friday, September 9, 2011

Twitter feed for NBC News was hacked

The twitter feed for NBC News was hacked today. The hackers posted three tweets saying a plane had crashed into Ground Zero. I grabbed a screen shot because I'm sure NBC or Twitter will have the tweets removed quickly.

NBC News Twitter feed

Monday, August 1, 2011

Using twitter to assist in troubleshooting

This might already be common practice for some people but I have recently added twitter to my Sys Admin toolbox. I have never been a twitter user in the past and have no real use for it on a day to day basis but it is useful for quick information updates. If there is one thing people love to do on twitter it is instantly complain about stuff.

Today I was trying to track down a strange internet issue. At my job we are a SaaS provider so I am very sensitive to any internet hiccups. We were seeing packet loss out to various locations on the internet. I was seeing this from two different locations on two different internet providers. My monitoring system was alerting that some of our European hosted web sites were not responding. During my testing I was able to reach www.google.com but wasn't able to reach www.cnn.com. Testing of other sites was giving me about a 50% success rate. By the time I picked some sites to start doing traceroutes the issues cleared up.

I decided to search twitter to see if other people had the same problems. My first search was for the phrase 'internet issues'. Of course there was a lot of garbage but a few results were of interest:

"Update: A major internet backbone carrier had issues that caused problems for internet users across the country."

"Internet Issues - We are currently experiencing some issues trying to get to some web sites including... http://tumblr.com/xpn3u0wug7"

"Looks like internet in #austin is having issues. My cell phone and work internet are not pulling up certain sites."

Our colocation provider gave us some news that they suspected Level 3 was having issues. So I searched twitter again for 'Level 3'. Bingo:

"Looks like Level3 was the cause (trending topic #level3) - backbone outage broke a lot of links"

"#level3 seems to be having issues at this hop: ae-63-63.ebr3.atlanta2.level3.net"

"Seeing network outage #level3 #losangeles traceroutes fail from San Diego after ae-72-72.ebr2.LosAngeles1.Level3.net @level3 any status?"

Telecom and data providers aren't always forthcoming when they have problems. Especially when they screw up internally. They will quickly admit when some construction crew digs up a fiber cable but if one of their engineers fat fingers a config they will clam up. Twitter has helped me track down the source of problems when they aren't directly related to us which allows me to provide info to our customers to let them know that a particular ISP is having issues and not us.

http://twitter.com/#!/search?q=%23level3

Friday, June 24, 2011

Password haystacks

I was listening to a Security Now podcast the other day and security researcher Steve Gibson came up with a really interesting method for creating strong passwords that are easy to memorize. He calls his method 'Password haystacks'. The way it works is you start with a strong password and then pad it with easy to remember characters. (Like a needle in a haystack)

So let's start with a decent password: wa9PUCra

By applying the haystack method it becomes something like this:

======wa9PUCra======

or

......wa9PUCra......

or

A11111wa9PUCra11111A

The additional length dramatically increases the time it would take to crack the password using a brute force attack. Obviously twenty random characters would be more secure but most people can't remember a twenty character password. This method strikes a nice balance which gives a big increase in security without affecting the ability to remember the password.
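To put a number on "dramatically increases", here is a small search-space calculator written for this post. It is an added example, not Steve Gibson's own haystack calculator: it infers the attacker's alphabet from the character classes present in a password (lowercase, uppercase, digits, symbols), sums the candidates of every length up to the password's length, and converts that into time at an assumed guess rate. The guess rate is a made-up assumption for illustration.

```python
import string

# Character classes in the brute-force model: if a class appears anywhere in the
# password, the attacker is assumed to include the whole class in the alphabet.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32 printable ASCII symbols
}


def alphabet_size(password: str) -> int:
    """Size of the union of every class that occurs in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover: all strings of length 1..L
    over the inferred alphabet (exact integer, no overflow)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case time at an assumed (illustrative) guess rate."""
    return search_space(password) / guesses_per_second


def compare(base: str, padded: str, guesses_per_second: float = 1e12) -> dict:
    """Side-by-side numbers for a core password and its haystack-padded form."""
    return {
        "base_alphabet": alphabet_size(base),
        "base_space": search_space(base),
        "padded_alphabet": alphabet_size(padded),
        "padded_space": search_space(padded),
        "growth_factor": search_space(padded) // search_space(base),
        "padded_years": seconds_to_exhaust(padded, guesses_per_second) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    core = "wa9PUCra"
    for padded in ("======wa9PUCra======", "......wa9PUCra......", "A11111wa9PUCra11111A"):
        r = compare(core, padded)
        print(f"{padded}: alphabet {r['padded_alphabet']}, "
              f"space grows by ~10^{len(str(r['growth_factor'])) - 1}, "
              f"{r['padded_years']:.3g} years at 10^12 guesses/s")
```

The numbers only describe a blind brute-force attacker. A cracker that applies rules (try a short core, then wrap it in runs of one repeated symbol) searches a far smaller space, so the padding should be something you choose rather than a pattern copied from an article.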

You can read more about it on Steve Gibson's site.

Tuesday, June 7, 2011

Two busy bots

This morning 203.191.32.49 and 60.31.110.203 were pounding away on one of my FTP servers. They were attempting a brute force break-in but with three login attempts per minute it would take them a hundred years to get in. 60.31.110.203 is from Inner Mongolia, China and 203.191.32.49 is from Bangladesh.

Thursday, June 2, 2011

Sony hacked again.... this is just sad.

Geek.com is reporting that Sony has been hacked yet again by a group called LulzSec. This time the target was www.sonypictures.com. The hack was carried out using a simple SQL injection attack and unbelievably the passwords were stored in plain text. Sony should unplug all of their internet connections worldwide. If I ever have someone's resume come across my desk and Sony is listed as a former employer that resume is going right in the round file.

Should SQL injection attacks really even be illegal? Think about it... what is a SQL injection attack? You enter a URL into a browser and the remote server returns data. What exactly is the crime? Seems to me everything is working as designed. Maybe Sony should be prosecuted for building a website that leaks personal information on demand.
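The two failures named above, string-built SQL and plaintext password storage, are easy to show next to their fixes. The following is an added example written for this post, not Sony's code or anything from the Geek.com report; it uses an in-memory SQLite database with a single constructed user row. The vulnerable login assembles the query from user input and compares plaintext; the hardened login binds the username as a parameter and stores only a salted PBKDF2 hash, compared in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware


def build_vulnerable_db() -> sqlite3.Connection:
    """Schema as the post describes Sony's: the password column is plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hunter2')")  # constructed sample row
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str):
    """Both defects: query text built from input, plaintext comparison in SQL.
    Input containing a quote can change the WHERE clause, so the query's
    structure, not just its data, is under the caller's control."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_hardened_db() -> sqlite3.Connection:
    """Same user, but only a per-user salt and a PBKDF2 hash are stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("hunter2", salt)))
    return db


def login_hardened(db: sqlite3.Connection, name: str, password: str):
    """Parameterised lookup: the driver passes `name` as data, never as SQL text.
    The password never reaches the database; it is hashed and compared here."""
    row = db.execute("SELECT name, salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return None
    found_name, salt, stored = row
    # compare_digest avoids leaking how many leading bytes matched.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return found_name
    return None


if __name__ == "__main__":
    tampered = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(build_vulnerable_db(), "alice", tampered))
    print("hardened:  ", login_hardened(build_hardened_db(), "alice", tampered))
    print("hardened, correct password:", login_hardened(build_hardened_db(), "alice", "hunter2"))
```

The parameter binding is what closes the injection; the hash is what limits the damage if the table leaks anyway, which is the part Sony got wrong twice over.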

IP addresses attacking my servers this week

Here are the IP addresses of zombie bots attacking my ssh server this week. Above is a map of their locations. 167.206.13.198 has been particularly persistent. I have seen that IP just about every day. ARIN reports it belongs to Cablevision. I might just have to send an e-mail to their abuse address.

124.42.18.90
167.206.13.198
173.203.106.62
189.11.251.181
195.218.167.78
200.30.78.233
207.182.139.251
210.66.168.73
218.61.200.173
222.124.197.179
62.216.30.140
64.194.202.66
74.208.105.110
88.191.51.40
95.56.230.195
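Lists like the one above (and the two FTP bots from the June 7 post) come out of the auth log, and the "seen just about every day" judgement is worth automating before writing to an abuse address. Here is an added example, not the blog's own tooling, that parses OpenSSH's syslog-format "Failed password" lines, counts failures per source address, tracks how many distinct days each address was active, and flags the persistent ones. The log lines are constructed for the example; the hostname, PIDs, ports and timestamps are made up, and the addresses are taken from the list in this post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH's syslog format (not a real capture).
SAMPLE_LOG = """\
Jun  1 03:12:07 web1 sshd[2211]: Failed password for root from 167.206.13.198 port 44812 ssh2
Jun  1 03:12:11 web1 sshd[2211]: Failed password for root from 167.206.13.198 port 44812 ssh2
Jun  1 03:12:15 web1 sshd[2211]: Failed password for root from 167.206.13.198 port 44812 ssh2
Jun  1 09:40:02 web1 sshd[2301]: Failed password for invalid user admin from 124.42.18.90 port 53001 ssh2
Jun  1 09:40:06 web1 sshd[2301]: Failed password for invalid user admin from 124.42.18.90 port 53001 ssh2
Jun  1 10:15:33 web1 sshd[2350]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2
Jun  2 02:03:44 web1 sshd[3102]: Failed password for root from 167.206.13.198 port 41230 ssh2
Jun  2 02:03:48 web1 sshd[3102]: Failed password for invalid user oracle from 167.206.13.198 port 41230 ssh2
Jun  3 04:55:10 web1 sshd[4410]: Failed password for root from 167.206.13.198 port 40877 ssh2
Jun  3 11:20:01 web1 sshd[4502]: Failed password for invalid user test from 95.56.230.195 port 60010 ssh2
"""

# Matches only failed password authentications; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text: str) -> list:
    """Return one (date, ip, user) tuple per failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((f"{m['mon']} {m['day']}", m["ip"], m["user"]))
    return events


def failures_per_ip(events: list) -> Counter:
    return Counter(ip for _, ip, _ in events)


def days_seen(events: list) -> dict:
    """Number of distinct log dates on which each address failed a login."""
    per_ip = defaultdict(set)
    for date, ip, _ in events:
        per_ip[ip].add(date)
    return {ip: len(dates) for ip, dates in per_ip.items()}


def persistent_sources(events: list, min_failures: int = 3, min_days: int = 2) -> list:
    """Addresses worth an abuse report: repeated failures across several days."""
    counts = failures_per_ip(events)
    days = days_seen(events)
    return sorted(ip for ip in counts
                  if counts[ip] >= min_failures and days[ip] >= min_days)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, n in failures_per_ip(ev).most_common():
        print(f"{ip:16} {n:3} failures over {days_seen(ev)[ip]} day(s)")
    print("persistent:", persistent_sources(ev))
```

The thresholds are deliberately low for the sample; on a real host raise them, and feed the output to whatever does the blocking (a firewall rule, or a tool like fail2ban) rather than reading it by hand.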

Friday, May 27, 2011

Web browser vulnerability scanning

One of the fastest growing attack vectors for malware and trojans is outdated browsers and browser plugins: things like Adobe Flash, Adobe Acrobat Reader and Java. There is a scary rootkit that steals banking info going around Brazil right now. While it is quite a feat of engineering once it gets into a user's system, the method it uses to initially get into the computer is very low tech: exploiting an out of date version of Java.

To try and combat this problem, Qualys has created a free web browser vulnerability scanner. It works with IE, Firefox and Chrome on Windows and Mac OS. Opera, Safari and Linux are in beta. The scanner checks the browser and plugins to see if they are up to date and will alert you if any vulnerabilities exist. I run this on all of my personal computers and every user PC I come into contact with at work.

https://browsercheck.qualys.com