Wednesday, April 17, 2013

ACLU files complaint with FTC over older Android software


http://tinyurl.com/cqj67ds


The American Civil Liberties Union filed a federal complaint Tuesday accusing the nation’s largest wireless carriers of “deceptive” business practices for failing to keep the software on tens of millions of Android smartphones updated — a shortcoming that can make the devices vulnerable to hackers.

The ACLU has a point.  As a person who has been an Android user for the last 2+ years, I believe I've seen *maybe* 3 (more than likely 2) OS updates on my Thunderbolt (and NONE for my SGN2, so far).  One was to disable free hotspots.  I find it hard to believe that there were little to no Android updates in that time span (especially security-related updates).  Verizon is my carrier and I hold them responsible.  Yes, they pushed out ICS to my Thunderbolt right before it went out-of-contract, but that push actually made the phone run worse, and I was forced into the update (I wasn't asked)...being forced into an untested update broke my phone.

The carriers need to do a better job of handling updates.  They also need to ensure they're periodically pushing security updates, because Android's security posture is horrendous.  Google sells its own devices and pushes updates to them without issue, but the carriers never act in a timely fashion when Google pushes those updates to them...it's like they vanish into a black hole.  :/

Wednesday, April 03, 2013

My Book Live - Connection Issues and Troubleshooting

I've been noticing issues with my NAS solution, which is a Western Digital My Book Live Personal Cloud Edition.

I keep losing connectivity after 5 or so minutes of connecting to the NAS via the web-based console or accessing it as a mapped drive.  I'd get the message:

30001 - Your last operation timed out. Make sure there are no network connectivity issues and try again.

I used Google to attempt to find a solution, but all I see is shared pain.

I did find a way to log into the device's command line.  Here's what I did:

  • I put "http://[ip of your MBL NAS]/UI/ssh" into my browser's address bar.
  • Clicked the "enable" button.
  • Shelled into the NAS using PuTTY and "root/welc0me" as a username/password.

Once I logged in, I immediately began to run 'top' because I knew I'd lose the session after 5 or so minutes and wouldn't be able to log in again unless I power-cycled the NAS.  I noticed that Twonky appeared to hog CPU cycles, so I went to the web GUI and disabled it.  Then I watched top again.  The load averages were a bit high before I disabled Twonky (in the 7.xx range as a first number).  I watched them drop to the mid-4s, then they started rising again.  Top wasn't telling me anything, though.

I watched the load average rise to 22.xx before the terminal session showed signs of degrading to the point that it stopped taking input.

login as: root
root@xxx.xxx.xxx.xxx's password:
Linux MyBookLive 2.6.32.11-svn70860 #1 Thu May 17 13:32:51 PDT 2012 ppc
Disclaimer: SSH provides access to the network device and all its
content, only users with advanced computer networking and Linux experience
should enable it. Failure to understand the Linux command line interface
can result in rendering your network device inoperable, as well as allowing
unauthorized users access to your network. If you enable SSH, do not share
the root password with anyone you do not want to have direct access to all
the content on your network device.

MyBookLive:~# w
 22:37:58 up 2 min,  1 user,  load average: 5.03, 1.54, 0.54
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    1.00s  0.05s  0.03s w
MyBookLive:~# w
 22:38:10 up 2 min,  1 user,  load average: 5.85, 1.89, 0.67
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.04s  0.02s w
MyBookLive:~# w
 22:38:18 up 2 min,  1 user,  load average: 6.11, 2.07, 0.74
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.04s  0.02s w
MyBookLive:~#
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# top
top - 22:39:10 up 3 min,  1 user,  load average: 7.44, 3.06, 1.14
Tasks:  97 total,   1 running,  96 sleeping,   0 stopped,   0 zombie
Cpu(s): 31.9%us, 17.4%sy, 41.8%ni,  0.0%id,  6.6%wa,  0.3%hi,  2.0%si,  0.0%st
Mem:    253632k total,   242432k used,    11200k free,    41280k buffers
Swap:   500608k total,    42560k used,   458048k free,    52736k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4429 root      21   1 21504 8192 3456 S 43.6  3.2   0:45.39 twonkymediaserv
 3936 www-data   4 -16 72704  30m  20m S 11.6 12.4   0:01.09 apache2
 3327 www-data   4 -16 76160  31m  19m S  5.6 12.6   0:02.37 apache2
 3809 www-data   4 -16 72704  33m  23m S  5.6 13.6   0:03.08 apache2
 3326 www-data   4 -16 74944  26m  16m S  1.7 10.7   0:03.34 apache2
 3829 www-data   4 -16 66624  23m  16m S  1.3  9.7   0:01.50 apache2
 4156 www-data   4 -16 69248  25m  17m S  1.3 10.3   0:00.30 apache2
 5071 root       4 -16  5056 3136 2304 D  1.0  1.2   0:00.03 getServiceStart
 4639 root      39  19  5120 3264 1920 D  0.7  1.3   0:03.12 ls
 4641 root      39  19  3776 1792 1344 S  0.7  0.7   0:00.77 tally
 4821 root      20   0  5056 3008 1920 R  0.7  1.2   0:00.34 top
 5067 root       4 -16  5056 3136 2304 D  0.7  1.2   0:00.02 getServiceStart
 2230 root      20   0 31424 3264 2048 S  0.3  1.3   0:00.19 rsyslogd
 2385 root      20   0     0    0    0 D  0.3  0.0   0:00.28 jbd2/sda4-8
 4405 root      20   0 57280 7552 2816 S  0.3  3.0   0:00.94 forked-daapd
 4640 root      39  19  4480 1856 1344 S  0.3  0.7   0:00.48 awk
    1 root      20   0  4352 1984 1600 S  0.0  0.8   0:00.82 init
MyBookLive:~#
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# w
 22:39:15 up 3 min,  1 user,  load average: 7.24, 3.09, 1.16
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    1.00s  0.04s  0.02s w
MyBookLive:~# w
 22:39:16 up 3 min,  1 user,  load average: 7.24, 3.09, 1.16
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.03s  0.01s w
MyBookLive:~# w
 22:39:19 up 3 min,  1 user,  load average: 7.22, 3.16, 1.20
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    1.00s  0.04s  0.02s w
MyBookLive:~# w
 22:39:20 up 3 min,  1 user,  load average: 7.22, 3.16, 1.20
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.03s  0.01s w
MyBookLive:~# w
 22:39:25 up 3 min,  1 user,  load average: 7.36, 3.25, 1.24
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    2.00s  0.04s  0.02s w
MyBookLive:~# w
 22:39:32 up 3 min,  1 user,  load average: 7.09, 3.26, 1.25
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.05s  0.02s w
MyBookLive:~# w
 22:39:39 up 3 min,  1 user,  load average: 6.62, 3.29, 1.28
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.04s  0.01s w
MyBookLive:~# w
 22:40:17 up 4 min,  1 user,  load average: 5.75, 3.43, 1.40
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    1.00s  0.05s  0.02s w
MyBookLive:~# w
 22:40:24 up 4 min,  1 user,  load average: 5.79, 3.52, 1.45
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.05s  0.02s w
MyBookLive:~# w
 22:40:35 up 4 min,  1 user,  load average: 6.11, 3.66, 1.52
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    1.00s  0.05s  0.01s w
MyBookLive:~# w
 22:40:46 up 4 min,  1 user,  load average: 5.85, 3.69, 1.55
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.05s  0.01s w
MyBookLive:~# w
 22:41:00 up 5 min,  1 user,  load average: 5.44, 3.70, 1.59
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.05s  0.01s w
MyBookLive:~# w
 22:41:54 up 5 min,  2 users,  load average: 4.65, 3.75, 1.73
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    0.00s  0.06s  0.02s w
root     pts/1    ron-alien.home   22:41   21.00s  0.17s  0.15s top
MyBookLive:~# w
 22:42:48 up 6 min,  2 users,  load average: 4.90, 3.93, 1.89
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    2.00s  0.09s  0.04s w
root     pts/1    ron-alien.home   22:41    1:15   0.50s  0.48s top
MyBookLive:~#
MyBookLive:~#
MyBookLive:~# w
 22:43:11 up 7 min,  2 users,  load average: 5.26, 4.09, 1.99
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    ron-alien.home   22:37    2.00s  0.07s  0.02s w
root     pts/1    ron-alien.home   22:41    1:39   0.66s  0.64s top
MyBookLive:~# w

Then there is this:


Something isn't quite right with this NAS, but it's going to take a while to figure out what's going on.  Also, it responds well to pings, even if the SSH session is dead and won't recover.  And I still have to back it up.  I think I've 378GB of data on it (that's crucial...like once-in-a-lifetime types of pictures).

I don't think the drives are bad, but it may be too early to say that.  I've never seen bad drives ramp up load averages like that.

The drive is out of warranty and I'm a bit upset that what's touted as a top-notch home NAS is having such issues, especially considering that it's a WD product.

I'll update this post when/if I've more findings on this issue.

EDIT:  I just checked again after posting and, while the shells aren't dead, they are very slide-show-like.  I checked the load average and it's dropped to 12.94.

EDIT 2:  I got tired of waiting for "apachectl stop" to finish and I think it was actually hung, so I did a "killall -9 apache2" which immediately brought the load down.  The load is currently at 1.09 and has been around that the last 20 minutes.  So, it's apache that's killing the NAS.  Note that I tested to see if I could reach the NAS shares in a conventional manner (ie, non-shell or without apache) and was able to reach the shares without issue.  I may keep apache off for the duration (unless I need to access the control panel).
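A small sampler script, added here as an example and not part of the original post, that records what 'top' showed above to a file at a fixed interval, so the evidence is still there after the shell stops taking input.  It assumes a Linux /proc and a procps-style ps that accepts -eo and --sort (the My Book Live runs Debian, so that should hold; a busybox ps has no --sort).  The log path, interval and load threshold are arbitrary defaults.

```shell
#!/bin/sh
# loadwatch.sh: sample load averages and the top CPU consumers to a log at a
# fixed interval, so the data survives an SSH session that freezes.
# Added example. Assumes a Linux /proc and a procps-style ps (-eo, --sort);
# LOG, INTERVAL and TOPN are arbitrary defaults.

LOG=${LOG:-/tmp/loadwatch.log}
INTERVAL=${INTERVAL:-10}
TOPN=${TOPN:-5}

# 1-minute load average from a /proc/loadavg-style line
# ("7.44 3.06 1.14 1/97 4821" -> "7.44"). Unquoted $1 is deliberate: the
# shell splits the line into fields for us.
load1() {
    set -- $1
    printf '%s\n' "$1"
}

# True (exit 0) when load $1 exceeds threshold $2. The shell only compares
# integers, so awk does the floating-point comparison.
load_exceeds() {
    awk -v l="$1" -v t="$2" 'BEGIN { exit !(l + 0 > t + 0) }'
}

# One sample: timestamp, load averages, a marker when the 1-minute load is
# above the threshold in $1, then the top N processes by CPU.
sample() {
    date '+%Y-%m-%d %H:%M:%S'
    lavg=$(cat /proc/loadavg)
    echo "$lavg"
    if load_exceeds "$(load1 "$lavg")" "$1"; then
        echo "HIGH LOAD (> $1): top CPU consumers follow"
    fi
    ps -eo pid,user,pcpu,pmem,stat,comm --sort=-pcpu | head -n "$((TOPN + 1))"
    echo '---'
}

# Loop forever. Run it detached so a dead terminal does not take it along:
#   nohup sh loadwatch.sh run 8 >/dev/null 2>&1 &
#   tail -n 40 /tmp/loadwatch.log   # once you are back in after the freeze
watch_loop() {
    while :; do
        sample "$1" >> "$LOG" 2>&1
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "run" ]; then
    watch_loop "${2:-8}"
fi
```

Start it with nohup before the session degrades and read the log after the next power cycle; the process list next to each load spike is what 'top' on a dying shell could not show.  One more thing worth doing the moment SSH is enabled: the root/welc0me credential used above is the factory default, so run passwd before anything else, and turn SSH back off at /UI/ssh when finished, since the device's own banner spells out that the root password is full access to every file on it.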

Thursday, February 21, 2013

NBC site redirecting to Exploit kit

NBC's website appears to be redirecting to an exploit kit

https://isc.sans.edu/diary/NBC+site+redirecting+to+Exploit+kit/15223

I saw Brian Krebs' twitter page mention this earlier this morning.  A few friends also mentioned it on Facebook.

Crazy...older attack vector (iframes)...still working.

Mandiant APT2 PDF Malware

That didn't take long at all.

http://blog.9bplus.com/mandiant-apt2-report-lure

https://threatpost.com/en_us/blogs/spear-phishing-campaigns-use-fake-mandiant-apt1-report-lure-022113

http://www.symantec.com/connect/blogs/malicious-mandiant-report-circulation

So, I got a notification from corporate security that there was a piece of malware around that is taking advantage of the popularity of Mandiant's APT1 report.  That's a huge deal, but one should really be checking downloads against Mandiant's posted MD5s anyways.

Bottom-line:  do not open it (verify the PDF if you can...if you can't, don't open it).

I've reported it to ISC.
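Checking a download against the digest the publisher posted, as an added example (not from the post, and not Mandiant's tooling): a shell function that picks md5sum or sha256sum from the length of the expected digest and refuses the file on a mismatch.  The digest in the usage comment is a placeholder, not Mandiant's real value; it assumes GNU coreutils.

```shell
#!/bin/sh
# verify_digest FILE EXPECTED_HEX
# Exit 0 when FILE hashes to EXPECTED_HEX, 1 on mismatch, 2 when the digest
# length is not one we know. Added example; assumes GNU coreutils md5sum and
# sha256sum. The digest length (32 or 64 hex chars) selects the algorithm,
# so the same check works for a posted MD5 or a posted SHA-256.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$("$tool" "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $tool digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Typical use, with the digest copied from the publisher's page (the value
# here is a placeholder, not a real one); only open the file if it passes:
#   verify_digest Mandiant_APT1_Report.pdf 0123456789abcdef0123456789abcdef \
#       && xdg-open Mandiant_APT1_Report.pdf
```

The point of routing the open through the check is that a mismatch stops you before the viewer ever parses the file; a PDF named like the report but carrying a different hash is exactly the lure described in the links above.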


Wednesday, February 20, 2013

Mandiant Exposes APT1 – One of China’s Cyber Espionage Units & Releases 3,000 Indicators

Read more below.  It's pretty much mandatory reading for the IT security person.  Interesting facts and it may well help test your employees (on spear-phishing) and/or lock down your network.  This is probably the IT security news of the year...I'm scared to see anything that could top this.

https://www.mandiant.com/blog/mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators/?utm_source=rss&utm_medium=rss&utm_campaign=mandiant-exposes-apt1-chinas-cyber-espionage-units-releases-3000-indicators

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

UPDATE:

I wanted to add my opinions to this post.

I'm a subscriber to Richard Bejtlich's TaoSecurity blog.  If you're not aware, he's the CSO of Mandiant.  He has my utmost respect because he is the CSO of a security firm and is still a hands-on person (read his blog to see what level of content he provides on a normal basis).  He also attends SANS events and is a trainer.  He understands network security monitoring as no one else does -- I broke into the IT security industry by accepting a network security monitoring position, and can relate to a lot of what he prints/states regarding a lot of his topics regarding NSM.  I've purchased (and read) at least one of his books.  I follow his Twitter posts.  I'm familiar with his experience within the civilian and federal IT security sectors.  I can relate to a lot of what he states (not saying I'm at the same level but he's certainly a mentor of mine).

He has been very vocal about APTs the last 4-5 years.  It's very obvious that he was watching APTs well before the recent APT1 report, without reading all the headlines and internet news (as well as the report itself).  Many people seem to think that he was over-zealous in the release of such data.  They think he is confirming that the culprit is China and is state-sponsored.  What I'm seeing is that he's providing the data that supports the claim, but isn't outright claiming it.  Whether this was state-sponsored or not, it will be extremely difficult to prove who was behind the attacks.  In most cases, if the attack isn't linked to a certain ideological group (i.e., Anonymous, for example) and that group isn't publicly acknowledging that they were responsible for the attack, a company will have an extremely difficult time proving the actual culprit with 100% accuracy.

I think Mandiant did a very good job in providing the extreme details regarding APT1.  I think that the details show that it is highly unlikely that the responsible party is not originating from China.  IP addresses alone don't prove their case, but they definitely went above and beyond in showing that there's data besides IP addresses that support the idea that the Chinese government is somehow involved (or, at very least, aware). There are only two unlikely scenarios (and one of them was mentioned in the report):  there is a non-government-sponsored group at the same location as APT1 that is responsible for the cyber-espionage incidents (mentioned in the report); or, APT1's network has been compromised by outside entities (outsiders are using their tools to attack financial, governments, and news organizations).  Both of those are highly unlikely, especially when factoring in the data of the Mandiant report.

My main thought is that if the organizations that were previously attacked had shared their information regarding their cyber-attacks, the IT sector would've benefited greatly and at least been aware of how to harden their employees and architecture.  It may not have stopped the attacks outright, but it certainly would've lessened the success of the methods that APT1 used in compromising networks.  Some security experts think that Mandiant made unconfirmed claims.  They did the best they could while still trying to determine the culprit...I challenge any other security firm to do the same.  Others think that they should've consulted the US government first, but I think all that would've done was mire the whole thing in typical bureaucratic red tape.  Some think that he has a hard-on for China -- this may or may not be true, but every real or couch security professional I know of has had some brush with anomalous and/or malicious packets from China...the fact that Mandiant provided a literal ton of detail to support the report is a plus, in my opinion.

They did good and I hope to see more of such reports in the future, whether it's from Mandiant or other companies.

Update 2:

A follow-up article, posted after the Mandiant report was posted:

http://www.securityweek.com/china-cybervictim-claims-red-herring-analysts

Friday, February 15, 2013

Facebook Computers Compromised - 0 Day Java Exploit

Facebook computers compromised by zero-day Java exploit

http://tinyurl.com/cwmvxrv
https://t.co/M46qJAiH

I'm still reading up on it but wanted to put it out there ASAP!

Thursday, February 14, 2013

Obama's cybersecurity executive order: What you need to know.


Embargoed until the delivery of the State of the Union address, US President Obama signed the expected and highly anticipated cybersecurity executive order. With potentially serious implications for US and foreign citizens' privacy, here's what you need to know.

Read more here.

Tuesday, February 12, 2013

Iptables and Blocking by Region

I'm tired of seeing certain network ranges always peppering my linux server, so I'm going to experiment with blocking via region.  I've seen several hints/tips but I want to do this with the server not taking too much of a hit.  Note that I'm mainly concerned with traffic that I typically allow, such as port 80.  I could block via apache, which may well work, but I also want to investigate using iptables.

So far, I've found:


  1. http://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
  2. http://www.parkansky.com/china.htm
  3. http://www.webhostingtalk.com/showthread.php?t=1146401 (and http://www.jsimmons.co.uk/2010/06/08/using-ipset-with-iptables-in-ubuntu-lts-1004-to-block-large-ip-ranges/)
  4. I could possibly use tcpwrappers as well, but I'm not sure tcpwrappers can handle the amount of ranges I want to block.


Solution #1 seems a bit too hackish.  As well, the server may take a performance hit if I decide to drop more than one region (China's netranges are broad enough as it is).

Solution #2 might not be so bad, as it leverages the htaccess function.  I've no idea how performance-intensive this method is, but it may be worth looking into.  A con is that I also run a mail server...this method won't work for mail.

Solution #3 looks good.  This method uses iptables and ipset.  Ipset lessens the performance hit when blocking thousands of IPs.

So, before hitting the bed, I decided to give solution #3 a shot.  I immediately found that the tutorial is out-of-date (it caters to Ubuntu 10.04...I'm using 12.04).  I'm attempting to work through it by leveraging the manual pages and 'ipset info', but I'm running into kernel errors such as:


root@li7-220:~# ipset create feckoff hash:ip
ipset v6.11: Kernel error received: Invalid argument

I do not have full control over my host (it is running on a linode, and the modules are locked down).  I may not be able to use this, but I'll continue to investigate.

EDIT:  Well, I'll be damned!  I got the command to take.  I had to select a more current kernel to boot up (I was using a deprecated Linode kernel).  I guess I should check that more often.  I'll continue this exercise tomorrow...I just have to ensure I've bookmarked all my reference sites.
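A working shape for solution #3, added here as an example rather than taken from the linked tutorials: a file of CIDR ranges is loaded into one hash:net ipset, and a single iptables rule matches against the set, so a few thousand ranges cost one rule instead of a few thousand.  The set and chain names are my own; it assumes ipset v6 with ipset support in the running kernel (the "Kernel error received: Invalid argument" above is what a kernel without it returns) and an iptables new enough for -C.  It also builds in the DROP-versus-REJECT point from the PSAD post further down this page.

```shell
#!/bin/sh
# regionblock.sh: CIDR list -> one ipset -> one iptables rule.
# Added example. Assumes ipset v6 with hash:net support in the kernel and
# iptables with -C; SETNAME and CHAIN are arbitrary names.

SETNAME=${SETNAME:-blocked_regions}
CHAIN=${CHAIN:-${SETNAME}_chain}

# Quick probe: can this kernel create a hash:net set at all? (Fails with
# "Kernel error received: Invalid argument" when ipset support is missing.)
ipset_available() {
    ipset create __probe hash:net 2>/dev/null && ipset destroy __probe
}

# CIDR file -> "ipset restore" script. Blank lines and '#' comments are
# skipped, and anything after the first field is ignored. One restore is far
# faster than one "ipset add" per range; -exist makes the load idempotent.
build_restore() {
    printf 'create %s hash:net family inet -exist\n' "$SETNAME"
    printf 'flush %s\n' "$SETNAME"
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk -v s="$SETNAME" '{ print "add " s " " $1 " -exist" }'
}

# Number of ranges the file would load; a sanity check before applying.
count_ranges() {
    build_restore "$1" | grep -c '^add ' || true
}

# iptables commands, emitted rather than run so they can be reviewed first.
# DROP, not REJECT: a REJECT makes the host answer the blocked range, which a
# DShield feed then records as your own IP talking back. The "DROP" log
# prefix is what a default psad install keys on; the LOG rule is rate-limited
# so a scan from a blocked range cannot fill syslog.
fw_commands() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "DROP $SETNAME: "
iptables -A $CHAIN -j DROP
iptables -C INPUT -m set --match-set $SETNAME src -j $CHAIN 2>/dev/null || iptables -I INPUT 1 -m set --match-set $SETNAME src -j $CHAIN
EOF
}

# Apply everything: needs root and a CIDR file (one range per line).
apply() {
    ipset_available || { echo "kernel has no ipset support; boot a newer kernel" >&2; return 1; }
    echo "loading $(count_ranges "$1") ranges into $SETNAME"
    build_restore "$1" | ipset restore
    fw_commands | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply "$2"
fi
```

Because the rule is inserted at position 1 of INPUT, it runs before any ACCEPT for port 80 or 25, which is what makes this work for the mail server as well as Apache.  Re-running "apply" with an updated list just refreshes the set; the iptables rule is only added once thanks to the -C check.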

Monday, January 28, 2013

Alienware TactX Mouse - Replaced

My Alienware TactX mouse has been acting weird lately.  It has been acting erratically.  If I move it slowly to the left, it warps to the left or may not move at all.  I think the cord has a short in it, creating an intermittent connection.  It is not the mousepad, nor the DPI settings.  I used a standard Dell mouse (laser mouse with multiple DPI settings) and it works fine.  Sometimes the TactX mouse works fine, other times it doesn't.

I've e-mailed Alienware support, as there's an entry in their online knowledgebase that directs the user to try certain things and if they're still having issues, to e-mail them with the issue that's being experienced.  The mouse is less than a year old (it is still under warranty).  I was hoping they'd respond and replace the mouse, but they haven't responded.  I'm not sure the issue will even be fixed, as I think it's a design issue that won't be fixed by just replacing the mouse with a new one that still has the faulty part.

The TactX mouse is soooo damned nice, but it needs to live longer than a year for users to be happy.  This isn't an issue that I'm only experiencing, either.  I saw many complaints when searching Google and my favorite Alienware forums.

I replaced the TactX with a Logitech G700 wireless gaming mouse.

The G700 is badass.  It is physically bigger and heavier than the TactX.  It is more configurable, as well.  It is rechargeable, has a AA-sized battery that can be replaced, has 5 DPI settings, up to 5700 dpi, can be used while charging or when the electronic environment is unfriendly toward wireless devices, has internal memory, and each button can be mapped independently.  It has powder-coating on the sides of the mouse, which I really like.  It has performance settings that can dictate how much power is used.

The only thing I'm wary of is the SetPoint software.  I'm installing it now and will play with the mouse tonight and throughout the week...I'll update this post with my thoughts in about a week.


Friday, January 18, 2013

PSAD and signature updates

Is it true that the creators of PSAD haven't updated the PSAD signatures since 2007???

Line 29 of my /etc/psad/signatures file:

# $Id: signatures 2129 2007-12-12 04:56:10Z mbr $

As well, at http://www.cipherdyne.org/psad/signatures, it is on line 28.

Dead project?  Not sure, but the signatures are old as hell!  While I don't think it's a usage deal-breaker, I'm rather surprised.  Does it need updated signatures?  Probably not, but every little bit helps, especially nowadays.  I'd much rather a developer (and package maintainer) be up-front about such things.

Monday, January 14, 2013

PSAD - DoS'd my Linode and my G-mail account


Yes, I DoS'd myself.

How?

I was tuning my firewall so that PSAD wouldn't alert on traffic from my static IP.  This was caused by me using a half-baked firewall policy (i.e., the firewall was allowing too much and not blocking what it should've).  So, while making the policy more secure, I ended up blocking some DNS traffic, which the firewall blocked via the clean-up rule (deny by default policy on all chains).

I didn't double-check my work, and 24 hours later, I was checking the server via the admin console and saw that the disk I/O was extremely high when looking at the system graphs.  CPU utilization was also wayyy up.  

I initially couldn't figure out what was going on, until I used Webmin to access the server and found that it was taking forever for the server to resolve the domain address.  As well, there were like 30,000 e-mails in the Postfix e-mail queue.  I was basically spamming the hell out of Gmail and DShield.  I'd begun to wipe out all the Gmail notifications, but I soon realized that I wasn't making any headway, so I killed PSAD, cleared ALL the mail in the queue, then restarted PSAD.  It was still generating e-mails, though, so I turned off e-mail notifications, as well as syslog notifications.  I also killed my DShield log feed.  THEN I fixed DNS by just rolling back to a known good policy...then I told PSAD to not log on port 53/UDP (no real need to log that traffic anyways, unless it hits the catch-all rule, but that wouldn't happen now since I fixed DNS within the policy).

It took quite awhile for Gmail to finish processing the e-mails (the ones that I couldn't kill via Postfix).

I just now re-enabled syslogging and the DShield log feed, but may have to reach out to the SANS team to see if they can remove all DNS traffic that was logged by my static IPs.

I think I've everything fixed now.
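The checks worth running right after a policy change, before walking away for 24 hours; an added example, not from the post.  It greps the iptables LOG output for dropped DNS replies (UDP from source port 53 hitting the catch-all), confirms the host still resolves names, and reads the Postfix queue depth, which is where the 30,000 e-mails showed up.  The "DROP" prefix, the kern.log path, the name used for the resolution test and the postqueue summary-line format are assumptions, and the log lines in the test are constructed.

```shell
#!/bin/sh
# fwcheck.sh: smoke test after editing a default-deny iptables policy.
# Added example. Assumes iptables LOG lines carrying the "DROP" prefix,
# dig from dnsutils, coreutils timeout, and Postfix's postqueue; PREFIX and
# KLOG are assumptions about the local setup.

PREFIX=${PREFIX:-DROP}
KLOG=${KLOG:-/var/log/kern.log}

# Count dropped DNS *replies* in an iptables log: UDP packets whose source
# port is 53 that hit the catch-all. A non-zero count right after a policy
# change means the policy is eating the answers to the host's own lookups,
# which is the failure that turned PSAD into a mail cannon.
dropped_dns_replies() {
    grep -Ec "${PREFIX}.*PROTO=UDP.*SPT=53( |$)" "$1" || true
}

# Same check for any protocol/port: dropped_replies_from LOG PROTO PORT
dropped_replies_from() {
    grep -Ec "${PREFIX}.*PROTO=$2.*SPT=$3( |$)" "$1" || true
}

# Does the host still resolve? Capped at a few seconds so a broken policy
# fails fast instead of hanging the check.
resolve_ok() {
    timeout 5 dig +short +time=2 +tries=1 "$1" | grep -q .
}

# Postfix queue depth. postqueue -p ends with "-- N Kbytes in M Requests."
# or "Mail queue is empty" (format assumed from Postfix's usual output).
queue_depth() {
    postqueue -p 2>/dev/null | awk '/^-- /{ print $5; found=1 } END{ if (!found) print 0 }'
}

# Run all three; non-zero exit means do not walk away yet.
smoke_test() {
    rc=0
    if resolve_ok example.com; then echo "dns: ok"; else echo "dns: BROKEN"; rc=1; fi
    n=$(dropped_dns_replies "$KLOG")
    if [ "$n" -eq 0 ]; then echo "dropped dns replies: 0"; else echo "dropped dns replies: $n"; rc=1; fi
    q=$(queue_depth)
    if [ "$q" -lt 100 ]; then echo "mail queue: $q"; else echo "mail queue: $q (runaway alerts?)"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "check" ]; then
    smoke_test
fi
```

Running "sh fwcheck.sh check" from cron every few minutes for the first day after a change, with its output mailed only on failure, catches this class of mistake in minutes rather than after the queue has filled.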

Game Console Hard Drives

Back in 2005, I bought an Xbox 360 that had a 20GB hard disk.  A few years after purchase, I bought a refurbished 120GB drive from Microcenter.com for $90...it was a nice upgrade.  I swapped out the little drive for the bigger one and continued to play my games (putting the 20GB drive in my parts bin...I never throw anything away when it comes to computer parts).

Later, the Xbox 360 experienced the Red Ring of Death (RRD).  I took it apart with the idea that maybe the CPU needed new thermal paste.  It did, as the old paste was pretty much done.  I removed the old and put on some new paste, but this didn't solve the issue.  I think by the time it experienced the RRD, the CPU was cooked.  So I bought a new hard drive.

I transferred my data from the old drive to the new drive and put the 120GB into the parts bin.

Around the RRD issue, the PS3 also died.  It was an original PS3 (80GB drive version).  The Blu-Ray stopped reading, which meant that I couldn't play any games, since it couldn't read discs.  We put the system to the side and bought a new one.  Well, maybe 2 months ago, I decided to trash the system (removed the drive for privacy reasons).  I've decided to keep the drive.

So, I've three (3) hard drives from 3 different gaming systems.  The 20GB is probably next to useless, but I'll probably end up using it somewhere (somehow).  I might be able to use the 160GB drive (a WD unit) in my Macbook, since it only has an 80GB drive and I keep maxing it out.  Or, I can use it as a backup drive instead.  Same with the 80GB Seagate that was in the PS3.

Now, did you see what I just stated?  Did you notice that I stated in the first paragraph that the Xbox 360 had a 120GB drive and in the paragraph above, I stated that it was a 160GB drive?  Well, surprise.  I opened the HDD case, which was labeled "120GB HDD", and found that the drive is actually 160GB in size!  It has model WD16000BEVT on the label, and a big "160GB" in bold.

I just need to find out which cabling I need to turn these into external drives, which means I'll need some external HDD cases, as well.

I love my toys.  :)

Friday, January 11, 2013

Apple Disables Java

http://mac-security.blogspot.com/2013/01/apple-disables-java-7-in-response-to.html

and

http://www.kb.cert.org/vuls/id/625617

Wow!  Apple outright disabled Java.  This was also something that DHS recommended, but to have a software vendor broadly disable it...that's crazy, but in a good way.  Java has always had its issues, so maybe this will force them to take a deeper look into their security issues.


Saturday, January 05, 2013

PSAD

I decided to give PSAD a spin on the Linode since I've never tried it before.  I'm impressed at the features of it.  I've been running it maybe a bit over a month.  I get alerts whenever PSAD detects a scan or when it logs and drops specific traffic, so I'm aware of what's going on (instead of having to check my firewall logs).  One of the main reasons I decided to give PSAD a spin is because my fwanalog setup stopped working due to a code bug that affects Ubuntu v12.04.

One of the things I've been doing (I used to do this in the past) is I send my dropped logs to Dshield.org (or isc.sans.org).  One of PSAD's features enables me to send the logs, vs. using third-party or Dshield apps.

I noticed when sending my logs that I'm catching bidirectional traffic and my server IP is being flagged as a result.  Why?  I was blocking 118.0.0.0/8 (a large segment of APAC).  I was not only blocking but sending resets, which requires my firewall to send resets, which means my IP is talking back, even though it's ending the session.  My firewall logs it as a drop.  To fix this, I just configured the firewall to drop the traffic, although I could've just changed the --log-prefix tag to something other than DROP, which by default PSAD looks for.  I'll monitor the Dshield logs to see how PSAD is now reporting.

Saturday, December 01, 2012

w32.changeup

I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year ago...it's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:


  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.  

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:  http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.
I hate researching worms and viruses because there are no real standards that the AV industry follows.


*Resources:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&om_rssid=sr-latestthreats30days
http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name
http://www.symantec.com/connect/blogs/w32changeup-threat-profile
https://kc.mcafee.com/corporate/index?page=content&id=KB76807
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456

Thursday, November 15, 2012

Skype and Adobe

It's been awhile since I've done this, but here it is:

First, Skype.  Apparently, Microsoft fixed an issue with Skype accounts being vulnerable to hijacking.  It only took them three (3) months to address the issue...

https://isc.sans.edu/diary/Skype+account+hijack+vulnerability+fixed/14512

http://countermeasures.trendmicro.eu/skype-vulnerability/

Next, there's been another password disclosure breach, this time affecting Adobe and connectusers.com users.  The compromise occurred via a SQL injection attack.

https://isc.sans.edu/diary.html?storyid=14515

http://arstechnica.com/security/2012/11/adobe-breach-reportedly-spills-easy-to-crack-password-hashes/ 


Note (LONG):

I posted the notifications on Facebook, as my friends and family use Skype.  I'm going to throw this out there right now:  I hate OSS zealots.  I had an acquaintance stir up some crap about "why are you using Skype", "why are you using Windows", "why are you giving the corporations your money/data".

Life is SHORT.  That goes for everyone, including the zealots.  I'm a fan of open source software, but I don't live the life of "down with M$".  Microsoft has a place in my life.  I game...a LOT.  I play the types of games that don't do well within virtual environments...there are no Linux equivalents of these games.  As well, complicated software that is difficult to keep running properly in Windows tends to be even more cumbersome on *nix.  

I know how to administer *nix and know its strong points as well as weak points.  I know *nix very well.  I've never solely administered *nix for a living (I'm multi-disciplined), but I know it well enough to where I've been running *nix servers remotely without issue for YEARS.  I also tend to focus on security hardening on my *nix machines, more so than the average *nix administrator (I'm a security consultant by trade).  So I know what I'm doing...I'm seasoned enough to know what to do and what not to do.

Now, I love *nix.  But there are different types of such love.  I love it but I also love gaming.  *nix won't do what I desire when it comes to the types of games I play, so in that regard it fails me.  You don't have to agree or disagree, because it won't matter what you think when it comes to *ME* and my computing usage.

As well, *nix can be high maintenance, depending on what's broken and your experience level.  I've told several of my relatives that have an interest in trying different operating systems that Linux could give them some freedom.  If they try it and find that it's not for them, I'm not going to continue pushing it down their throats.  That's not me.  I don't try to convince people (but I might nudge them if they're showing a serious interest)...that's the job of the product.  Also, the person doing the trying has to be open-minded and willing to learn new things.  I can help with that but I'm already pinged constantly, since most people think I'm a general tech support guy that they can call/e-mail at any time...I'm not going to administer their box for them. If you don't have the drive to help yourself a little and be willing to learn, *nix is NOT for you.

And, sometimes I just want stuff to work when I install it...without me fiddling with config files.  Remember, I've been working as a consultant the last 10 years in sometimes grueling or archaic work environments.  I do NOT want to come home to the same crap.

Yes, I love smartphones.  Yes, I love Mac systems.  Yes, I'm OK with using Windows 7. 

This smacks of socialism (pushing people to adopt your version of the greater good...sharing everything, having extreme hate for commercialism).  Maybe I'm generalizing, but this is not the first time I've had someone berate me or try to push me to not use MS/this product/that company...like there's some code I'm supposed to be following as a *nix user.  For those that have issues with *nix guys using "M$" software, are you really going to bust a blood vessel worrying about what I'm using on *MY* LAN?

Lastly, regarding the "corporations are bad and will share your data as well as backdoor all apps and even the OS".  Bullshit.  Believe that crap if you want.  While I won't willingly give out my private data, I'm not going to live like an Amish person.  I won't live like I'm in a cave.  I'll lock down my data as much as I can, but I will not believe that all corporations are bad.  If you believe that, I guess you keep your life savings in your mattress....good for you if you do, but that's not me.

Tuesday, October 23, 2012

Postfix Install, OSSIM, Slack 14, Ubuntu, and VPNs

This isn't really a technical post, but I did want to share that I have Postfix running on my server.  I'd never had the need to run my own mail server until I moved my wigglit.com domain.  It was initially hosted at 1and1.com, but I got fed up with their service (or lack thereof).  I had several e-mail accounts set up there and still needed them to stay active, so I was pretty much forced to migrate the accounts as well as the domain.  The domain migration was pretty simple.  The Postfix install was much more difficult, even when using Webmin to set it up.  I used a Ubuntu tutorial (searched on 'webmin', 'ubuntu', 'postfix', and 'configuration') and used it exclusively to set up the server.  I think I have it tuned pretty well so far, only I found some bounced e-mails going back maybe a month or so...I fixed those today.  Those weren't actually related to Postfix, though.  When I stood up the new server and domain, I forgot to adjust the scripts that kicked off the e-mails (cronjobs).  I'll double-check tomorrow, but I think I've fixed those (was able to test the cronjob successfully...generated a test e-mail).  I've since been editing the main.cf file to make configuration changes (and restarting the mail server afterward).

I've also been trying to use OSSIM, but I think I need a dedicated machine.  I tried to use an install of it within VirtualBox, with very limited success.  It seems it needs considerable resources and doesn't run well on a virtual instance with limited CPU/memory resources.  I ran VirtualBox on my M17xR3...that machine definitely has enough horsepower, but only has 8GB of RAM...it may need a bit more so that I can give OSSIM ample memory.  As well, my RAID 0 drive set may be hindering OSSIM.  I got a taste of it, though, and like it much better than Aanval.  Unfortunately, I don't have a good spare box at the moment, otherwise I'd be running it already.  That was my first time using VirtualBox, also...it's not that much different than VMware...much simpler, though.

So, Slackware v14.0 was released not long ago.  I took the liberty of installing it within VirtualBox.  It runs very nicely!  I'm in the process of evaluating it and will soon upgrade my two v12.0 machines.  No, I'm not using Slackware on my public server.  I opted to use Ubuntu (v12.04) instead.  While I love Slack, I needed something less high-maintenance on the public server.  No complaints so far and it's been about a year since I flushed it and gave Ubuntu a try...no complaints whatsoever.  KISS is where it's at.

Lastly, since I've had success with Postfix, I plan to eventually start evaluating security tools again.  I've been out of the loop for awhile and need to push myself to continue to be familiar with Linux and security.  I've never used any of the VPN software before, so I plan to establish a VPN conduit between my LAN and my public server.  We'll see how that goes soon.

Friday, October 19, 2012

Engineering Stories

On the way to work today, I remembered an occasion where a team member who'd left the company had been stockpiling 1U rackmount servers in storage.  He'd reimaged each server with a common image (each had different passwords, though).  I had a listing of passwords for each server, but the listed password for one particular server wasn't working and we needed to get access to that machine.  I couldn't just reimage the machine since, even though it shared a common image, it was prepped for deployment to a certain location and was configured for that specific site.  While I had a copy of the site-specific information, I just did not have the time to reimage the machine and reconfigure it...I saved that as a "last resort" option.

After a bit of research, I was able to log in successfully.

I knew the BIOS wasn't locked down, so I went into the BIOS and enabled booting from CDROM.  I had a copy of a Linux CD which I put into the CDROM tray.  I then power-cycled the system.  I was able to use the live-CD to boot up the box.  I mounted the drive within the system and removed the encrypted password within /etc/passwd using 'vipw'.  I then shut the box down, removed the live-CD, then started the system.  I was immediately given a shell.  I then reset the password to what was on the passwords list for that particular system then finished the pre-deployment steps.
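As an added illustration (these are not the original post's commands), here is the same reset scripted against a root filesystem mounted from a live CD. On most current Linux systems the password hash lives in /etc/shadow rather than /etc/passwd, so the script prefers that file when it exists and falls back to /etc/passwd otherwise. The device path, mount point, user name and sample entries are hypothetical. The flip side is the check a practitioner should make on their own racks: a BIOS that is not locked down, boots removable media and sits in front of an unencrypted disk lets anyone with physical access do exactly this.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reset a local account's password from a live CD by emptying the hash field
# in the mounted system's /etc/shadow (or /etc/passwd on a system without
# shadow passwords). All paths and names below are hypothetical.

# Print the second (password) field of the entry for user $2 in the
# passwd/shadow-format file $1. Empty output means "no password set".
hash_field() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Empty the password field for user $2 in file $1.
# The edit is written to a temp file and then copied back over the original
# so the original's owner and mode are preserved (the real vipw also locks the
# file against concurrent edits; this script assumes a single offline editor).
clear_password() {
    file=$1
    user=$2
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $2 = "" } { print }' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Set the password field for user $2 in file $1 to the hash given as $3.
# Use this instead of clear_password when PAM refuses empty passwords
# (e.g. pam_unix without nullok); a hash can be produced on the live CD with
# `openssl passwd -6` (OpenSSL 1.1.1 or newer).
set_password_hash() {
    file=$1
    user=$2
    hash=$3
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$user" -v h="$hash" '$1 == u { $2 = h } { print }' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# The live-CD procedure from the post, end to end: mount the target's root
# partition, clear the password, unmount, reboot into the installed system.
# $1 = block device (hypothetical: /dev/sda1), $2 = mount point, $3 = user.
reset_from_livecd() {
    dev=$1
    mnt=$2
    user=$3
    mkdir -p "$mnt"
    mount "$dev" "$mnt" || return 1
    if [ -f "$mnt/etc/shadow" ]; then
        clear_password "$mnt/etc/shadow" "$user"
    else
        clear_password "$mnt/etc/passwd" "$user"
    fi
    rc=$?
    umount "$mnt"
    return $rc
}

# Offline demonstration against a constructed shadow file (sample data, not a
# real system); running reset_from_livecd itself needs root and a real disk.
demo=$(mktemp)
printf 'root:$6$Qx7s$placeholderhash:15600:0:99999:7:::\n' >  "$demo"
printf 'snort:$6$L2mp$anotherplaceholder:15600:0:99999:7:::\n' >> "$demo"
clear_password "$demo" root
echo "root hash after reset: '$(hash_field "$demo" root)'"
echo "snort hash untouched:  '$(hash_field "$demo" snort)'"
rm -f "$demo"
```

Once the box is back on its own disk, log in, run `passwd` to put the documented password back, and treat the blank-password window as an exposure: the console is open to anyone until that is done.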

This is why I love Linux.  There's always an option.  I could NOT do this with one of the backup Windows servers we had.  That case was similar:  the system was a cold backup and was racked but powered down...it was a new system with a new image but customized for a specific role...it had yet to be used, though.  The password that we had for the device was apparently incorrect.  I even tried to crack the SAM file...that didn't work and I eventually had to reinstall (not reimage) Windows Server (forgot which version) onto the system again.  What made this much worse was that there wasn't an original cloning image to use, as well as the fact that the previous engineer hadn't maintained directions on how he configured the device.  So I had to use the trial-and-error method.  I eventually configured the OS properly and installed and configured the proper software (it was a CA eTrust AV server).  The whole time, the lead client was pestering, badgering, and being overly hostile.

In another case, another contractor had left the company.  He'd been administering a Nessus server that he installed on top of OpenBSD.  This contractor chose OpenBSD and was comfortable with working within a terminal session (as was I).  And really, the box didn't really have an abundance of resources anyway, so it was probably more robust without the GUI enabled.  I understood something of OpenBSD and was aware of how to conduct scans and how to view/store the scan results.  I even had a cron job running that would conduct the scans during maintenance windows.  Everything was working fine.  The same client lead couldn't operate the system because his *nix skills were seriously lacking.  Instead of asking for help/guidance, he directed another contractor to wipe the machine and install Red Hat with the GUI enabled so that he could operate the machine.  Data was not backed up.  The scanning data as well as configuration man-hours were wasted.

Another time, I was working a deployment issue where client remote hands were my remote hands/eyes.  They'd received our Snort sensor that we'd imaged, customized, and configured and had just finished racking and powering it up.  The remote hands did not know anything of how to operate within a terminal session.  I walked him through the process, spelling out the commands he needed to type.  The problem?  We built the machine and while testing it before we shipped, had logged into the machine via SSH.  When the machine was at the remote location, I could not establish an SSH session because the host key had changed.  In order for me to regain access, the remote hands had to remove the existing host key that was tied to the IP of my work machine...the host key resided on the Snort sensor that I was trying to log into.  What made me feel good was that one of the clients was logged into the bridge call and was listening.  After the call, she praised me for my knowledge of guiding the remote hands through the whole process without ever being able to view what was on his screen.  She also commented on how I guided him in what to type.  In this case, I couldn't care less how much they were paying me (which wasn't really all that much)...I was happy that I was able to be of assistance and value.  That was payment enough.  That was one of the few bright days in working with that particular organization.  I soon took a dignified stance and left that contract.  To this day, I will not recommend any person I know to work at that particular location without giving them ample warning.

But the main reason for this post is to share that I love *nix (and why)!

Thursday, September 13, 2012

BSD machine fixed!

So, I swapped a known working motherboard into the BSD machine.  It now works.  I also decided to use a quad core AMD AM2+ CPU that I had sitting around.  That's all I changed.

I'd originally thought the problem was related to the hard disk.  So, I decided the night before to disconnect the drives (it has two SATA drives), to determine if that was the real issue.  It still experienced the same symptoms after boot-up attempts, which told me it wasn't a hard disk issue.  I also swapped out the RAM with a known working chip, with the same results when trying to boot up.

So, either the old CPU (a dual-core AMD...I forget the model) died or something on the motherboard died (or maybe there was a short somewhere?).  I left it running a live instance of Linux Mint, just to see if it stays stable over the next 24 hours.

Next, I need to reinstall FreeBSD (wondering if I should try some others as well, such as OpenBSD or Mint).  I wiped the drive, thinking that there was some corruption issue...shouldn't have done that.