4. July 2007 23:24
I made these screenshots about a year ago and posted them on my "old blog". I decided to post about this again on my "new blog".
About two years ago I set up Microsoft Virtual Server for one of my customers. To give an idea of the environment, this customer has more than 600 client computers on the network spread over more than 10 remote sites.
Unfortunately, for privacy reasons, I can't say more about the customer. For the same reason, I had to blank out some data in the screenshots.
This Virtual Server was at that time responsible for running a few business-critical services (e.g. RSA server, Exchange front-end server, domain controller, etc.). All in all, this turned out to be a very busy Virtual Server.
The host server ran without any interruption for 510 days, which can be seen in the screenshots. In my opinion this is quite impressive. Unfortunately we had to take the server down after 510 days for a hardware upgrade.
I know, I know, these servers were not patched for more than 500 days. I will get into this in one of my future posts. ;-)
4. July 2007 06:01
Social engineering is always a fun subject to talk about. It is always interesting to watch companies trying to protect their data from being taken out of the company (e.g. paper copies, physical hard drives or even whole computers). Unfortunately I have yet to see a company that tries to protect its network from people who bring equipment into the network – this could be employees, visitors, maintenance workers etc.
Imagine someone bringing a Wi-Fi access point, connecting it to your network and hiding it. You can use your imagination on hiding the access point. Access points come in almost all shapes and sizes.
Such an access point will in most cases give its "owner" full access to the network it is connected to, at any time, from outside the company's physical perimeter. In other words, the attacker can sit in a coffee shop across from your office on a Sunday afternoon drinking their favorite caffeine-rich drink while data is being copied from your network.
My main question here is – how long will it take for an average company to find such access point?
2. July 2007 04:10
A while ago, when I was doing some regular maintenance on one of my FTP servers, I noticed that someone was running an attack against it. The attacker was attempting to guess the password for the Administrator account. Unfortunately these kinds of attacks are not uncommon and are usually carried out using automation tools and scripts.
I noticed that in the latest attack they only tried to guess the password for the Administrator account. In some of the previous attacks they also tried guessing different account names.
The first thing I noticed on the server were Event ID 100 entries in the System log. There were literally hundreds of these events:
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Description: The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 2e 05 00 00 ....
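Hundreds of Event ID 100 entries like the one above are easy to spot by eye, but they are also easy to alert on. The following is an added example, not code from the post: it parses MSFTPSVC Event ID 100 records in the layout Event Viewer produces when an event is copied (the Date and Time fields and all sample records are constructed here, not the post's own log), decodes the Win32 error code carried in the Data field (the bytes 2e 05 00 00 are little-endian 0x52e = 1326, ERROR_LOGON_FAILURE), and reports any account that accumulates more than a threshold of failed logons inside a sliding time window. The threshold and window values are assumptions to be tuned per server.

```python
"""Detect FTP password guessing from MSFTPSVC Event ID 100 records (added example)."""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Win32 error code that Event ID 100 carries in its Data field: 0x52e = 1326.
ERROR_LOGON_FAILURE = 1326

# Constructed record template mirroring Event Viewer's copy-to-clipboard layout.
RECORD_TEMPLATE = """Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: {date}
Time: {time}
Description: The server was unable to logon the Windows NT account '{account}' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
Data: 0000: 2e 05 00 00 ....
"""


def build_sample_log():
    """Constructed sample: 30 Administrator failures in 90 seconds, one for 'bob' two hours later."""
    start = datetime(2007, 7, 2, 3, 10, 0)
    stamps = [(start + timedelta(seconds=3 * i), "Administrator") for i in range(30)]
    stamps.append((start + timedelta(hours=2), "bob"))
    return "\n".join(
        RECORD_TEMPLATE.format(date=t.strftime("%m/%d/%Y"), time=t.strftime("%H:%M:%S"), account=acct)
        for t, acct in stamps
    )


def decode_error_code(data_field):
    """Turn 'Data: 0000: 2e 05 00 00 ....' into the little-endian DWORD it encodes (1326)."""
    m = re.match(r"[0-9a-fA-F]{4}:\s*((?:[0-9a-fA-F]{2}\s*)+)", data_field)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1).replace(" ", ""))
    if len(raw) < 4:
        return None
    return struct.unpack("<I", raw[:4])[0]


def parse_events(text):
    """Parse blank-line separated records; keep only MSFTPSVC Event ID 100 entries."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")  # first ': ' separates field name from value
            fields[key] = value.strip()
        if fields.get("Event Source") != "MSFTPSVC" or fields.get("Event ID") != "100":
            continue
        m = re.search(r"account '([^']+)'", fields.get("Description", ""))
        events.append({
            "time": datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %H:%M:%S"),
            "account": m.group(1) if m else "?",
            "error_code": decode_error_code(fields.get("Data", "")),
        })
    return events


def find_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Return {account: peak failures inside any `window`} for accounts at or above `threshold`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["error_code"] == ERROR_LOGON_FAILURE:
            by_account[ev["account"]].append(ev["time"])
    hits = {}
    for account, times in by_account.items():
        times.sort()
        peak, left = 0, 0
        for right, t in enumerate(times):      # two-pointer sliding window over sorted timestamps
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[account] = peak
    return hits


if __name__ == "__main__":
    for account, peak in find_bruteforce(parse_events(build_sample_log())).items():
        print(f"possible password guessing against '{account}': {peak} failures within 5 minutes")
```

The sliding window matters more than a plain count: a burst of failures against one account in a few minutes is the signature of a script, while the same number spread over months is just users mistyping. Feeding the parser a real export is a matter of pasting the copied events into a file and passing its contents to parse_events.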
I wanted to dig a bit further into these automated attacks. Two main goals of my digging were:
To achieve my first goal, I installed Wireshark (formerly known as Ethereal) on the server and set it to listen only for FTP traffic. I didn't have to wait too long.
A couple of days later I logged on to the server just when an attack was in progress.
This time it came from IP address 18.104.22.168. The APNIC Whois database shows that this IP address belongs to "CHINANET anhui province network".
The attackers ran 10,399 passwords against the Administrator account. Here is a complete list of all the passwords that they used. Make sure that you don't use them on your server ;-). It took them a bit more than 3 hours to carry out the (unsuccessful) attack.
For part two of this blog post I plan to write about what happens once an attacker gets the correct password.
1. July 2007 02:48
If you are like me and are subscribed to any decent security newsletter, you have probably noticed that more and more personal and confidential information is being lost or stolen every day. Stolen laptops and lost USB drives are just two of the most common ways of losing valuable information.
But there are (in my opinion) more dangerous ways of losing data. Personally I would notice a missing laptop or hard drive and I might still be able to take some action to minimize the damage. But what if the personal and confidential information is copied from a laptop that is still in your possession? Would you notice that someone has copied all your data? And it is easier than you might think.
Think about P2P applications such as eMule. When you install eMule on your computer it configures a folder where downloaded content is stored and shared. Anything stored in this folder is also available to anyone else who is using eMule.
Sometimes users will configure their eMule to share their whole drives, thinking that it will give them a better rating since they are now sharing more files. I even heard that some people shared corporate network drives for the same reason.
A quick search on eMule revealed quite interesting results. First I searched for files with .pfx extension. PFX stands for “Personal Information Exchange” where I would love to stress the word “Personal”. This means it should not be shared and we should all protect them with our lives. But the search returned more than 300 files.
It is true that these files can be protected with a password, but there is nothing stopping users from leaving a blank password on the file or picking a bad password that might be the same as the name of the file (e.g. klik)… We know how users pick their passwords. It is also possible to brute force these passwords for as long as anyone wants. Hackers and other criminals are usually very motivated and have all the time in the world.
I recognized a few names such as "klik.pfx" and "dohodnina.pfx". The "klik.pfx" file contains the private key that gives the owner full access to their online bank account. The other file gives the owner online access to their tax statements.
I guess this is another good reason why banks should only allow access to online bank accounts through two factor authentication (e.g. smart cards or one time password systems).
After searching for pfx files I decided to do a search on any file that has the word "contract" or "pogodba" in its name. Again, I was rewarded with more than 60 results of files with promising names (and some of the names are really, hm, let's say funny, e.g. "Girlfriend Contract.doc". I will just let my mind run wild on that one) :-) …
The only thing that we can say for certain is that these users, whose files were copied from their computers, don’t have to worry about backup. Their files are “safely” stored on the internet – more or less forever.