Saturday, September 15, 2012
The Diskstation has an Auto-Block feature that will "black-list" any IP address that attempts to connect to it "x" number of times in "y" minutes; I configured it to block any IP that tries 10 times in 5 minutes. In just three days, I had six addresses blocked. Details are below; I did "whois" lookups on all of them to see who they belong to:
Host [184.108.40.206] has been blocked at [Tue Sep 4 10:03:02 2012]: Beijing Sanxin Shidai Co.Ltd
Host [220.127.116.11] has been blocked at [Mon Sep 3 20:58:44 2012]: Telmex Colombia S.A.
Host [18.104.22.168] has been blocked at [Mon Sep 3 09:52:59 2012]: RVRNET-IN (Hyderabad)
Host [22.214.171.124] has been blocked at [Mon Sep 3 03:39:38 2012]: SIFYNET (India)
Host [126.96.36.199] has been blocked at [Sun Sep 2 19:17:00 2012]: CHINANET Hubei province network
Host [188.8.131.52] has been blocked at [Sun Sep 2 16:00:14 2012]: ADDD2NET-DOT-COM -- Anaheim, CA
What I believe we're seeing here is automated software scanning WAN IP addresses for common open ports (FTP, SSH, etc.), and upon finding one, the software does password "dictionary"-based login attempts (i.e. using very large lists of common passwords). What do they do once they "get in"? I have no specific idea, but I would assume that they then use LAN-targeted software to scan for other computers on the LAN, shared drives, personal/financial data, etc. and then they suck up whatever they can find. And then, they probably sell it. OR they attempt to install malware on machines that are not running firewalls and/or anti-malware software (such as Microsoft Security Essentials, which is what I use since it's free and pretty good).
Fortunately I use very robust passwords on all of my routers, NAS devices, etc. but I have to admit it's still a bit unnerving to have these guys banging on my NAS's door 24/7. So I'm really liking the Auto-Block feature!
At any rate, I think the implications are clear -- keep your router(s) locked down to only have open ports that are required for whatever you need to get done. You can do an external port scan of your home network using this page -- it has various kinds of scans, and you can get an idea of the "surface area" of your home network's exposure to the internet.
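As an added illustration (not code from the post or from Synology), here is the Auto-Block rule above expressed as a sliding-window check over a constructed list of failed logins, using the same "x attempts in y minutes" threshold (10 in 5) and printing block events in the same shape as the NAS log lines:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_FMT = "%a %b %d %H:%M:%S %Y"   # the timestamp shape used in the NAS log lines above

def auto_block(failures, max_attempts=10, window=timedelta(minutes=5)):
    """Sliding-window form of the NAS rule: an IP is blocked the moment it has
    max_attempts failed logins inside any window; returns {ip: block_time}."""
    parsed = sorted((datetime.strptime(ts, LOG_FMT), ip) for ip, ts in failures)
    recent, blocked = defaultdict(deque), {}
    for t, ip in parsed:
        if ip in blocked:
            continue                      # already on the block list
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:          # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = t
    return blocked

def block_line(ip, t):
    """Render a block event the way the NAS log shows it."""
    return f"Host [{ip}] has been blocked at [{t:%a %b} {t.day} {t:%H:%M:%S %Y}]"

# Constructed sample (assumed addresses, not the ones from the post): one host
# hammering the login every 20 seconds, one host with a few scattered typos.
def _ts(minute, second=0):
    return f"Tue Sep 4 10:{minute:02d}:{second:02d} 2012"

SAMPLE_FAILURES = [("203.0.113.5", _ts(i // 3, (i % 3) * 20)) for i in range(12)]
SAMPLE_FAILURES += [("198.51.100.9", _ts(m)) for m in (0, 3, 6, 9)]

if __name__ == "__main__":
    for ip, t in auto_block(SAMPLE_FAILURES).items():
        print(block_line(ip, t))
```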
Monday, August 29, 2011
- Port 88 (UDP)
- Port 3074 (UDP and TCP)
- Port 53 (UDP and TCP)
- Port 80 (TCP)
Wednesday, June 8, 2011
This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.) This multi-factor approach can, when done right (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.
So, will I continue to use my RSA dongle? Yes I will - but the password that I use with it is a reasonably robust one so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people that stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say yet again that you should always use strong passwords for financial sites and such.
By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the forty million dongles that they have sold, on a request basis. Ouch!
I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day RSA continues to (try to) reassure its customers that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...
Hmmm, am I being overly cynical here?
Tuesday, May 3, 2011
Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.
From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a free malware scan of your system! How generous! Except that it's not really scanning anything.
That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files was found, and that you can download something called Windows Defender:
Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. Assuming you don't have "automatically download files" turned on in your browser (please tell me you don't), after clicking pretty much anywhere, you'll get something like this -- but don't press Run for crying out loud!:
Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in
At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.
This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.
So yet again I will recommend using something other than IE as your default browser; as I've said at least a couple of times, my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to http://www.mozilla.com/firefox/. Install that and then go to http://noscript.net/ and install that. By default, NoScript blocks all scripted behavior, but with some simple clicks you can either temporarily or permanently allow the various scripting elements that most websites need in order to work. The latter option causes NoScript to remember the pages that you've allowed, so that the next time you go to one it will behave the way you want it to without your having to Allow it again.
Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".
Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.
Thursday, December 30, 2010
With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:
1. STOP USING IE. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest Firefox + the NoScript plugin, or possibly Google Chrome + its NotScript plugin - although I have far less experience with Chrome so I can't unequivocally recommend it.
2. STAY UPDATED. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)
3. FIX YER ACROBAT/READER SOFTWARE. If you use Adobe Acrobat or Adobe Reader to view .pdf files, (a) update to the latest "X" version, and then immediately do this:
- open Edit > Preferences
- in the Trust Manager part, turn off "Allow opening of non-PDF file attachments with external applications"
Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.
* that link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.
4. Another thing about Acrobat and Reader - there are alternatives. I have tried Foxit a couple of times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the Google Docs Viewer for reading PDF files in Firefox (it works in all of the other browsers as far as I know).
5. WEAR PROTECTION. For Windows users - now that Microsoft has its free MS Security Essentials anti-malware software available, there is no excuse to not be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE.
6. CONNECT SECURELY. There is another nice utility plugin for Firefox called HTTPSEverywhere. If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "https://www.yourbank.com" when you're logged into the financial site... The "s" in "https" means "secure". Many other non-financial sites support the https protocol, as well as the usual "http" protocol.
Here's what HTTPSEverywhere does for the sites it knows about that support https connections: it will force you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https your connection cannot be snooped, which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet. In general you always want "https" if it's available, no matter what you're doing.
7. BE SELFISH. Turn off any unnecessary "network shares" on all of your computers.
8. USE PASSWORDS. Make sure every machine on your network is login password-protected.
9. MASSAGE YOUR ROUTER. Make sure your router (or modem/router - i.e. the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.
Typically the router configuration is accessed through a mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.
In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:
- Change the default administrative password for the router. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this.
- Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 is better, WEP is sorta kinda better than nothing, but not much. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. financial) information from other computers connected to your network.
- Turn off anything that says "Plug and Play".
- Make sure the NAT firewall is enabled. It might just say "Firewall".
- Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up and then stop using whatever program needs them open, close them.
10. USE "LASTPASS". I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I already did that not too long ago.
11. BACK UP YER STUFF. This is a huge topic, and I won't go into detail, but - do you have at least two, recent backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say two backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have two copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and certainly not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something.
12. DON'T EVER CLICK ON A LINK IN AN EMAIL. E.g. if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, don't click on the link that is provided. Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".
OK, that's your twelve steps. I'm sure I left something important out - there are so many things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.
Tuesday, November 23, 2010
I had an email in my GMail spam folder that looked like this:
Looks pretty legit, right? The link text appears OK. However, the actual link looks something like (part of the URL intentionally deleted):
So obviously it's at best a personal information phishing site. Well, I decided to see where that would take me, so I clicked on it. However, Firefox saved me from myself:
Clicking on the "Why was this page blocked?" button shows this:
I tried this in Internet Explorer and I'm happy (and a bit surprised) to report that it gave a similar "you really don't want to go there" message.
However, even though our browsers sometimes try to protect us from ourselves, links in emails should never be clicked on. If you get a message from your bank that wants you to log in for whatever reason, go to your browser and type in the URL that you know to be the correct one for your bank (if you don't have it bookmarked) rather than click on anything in an email.
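As an added example (not from the post), here is the check a mail filter can do for exactly the trick described above: the visible link text names one site while the real href points somewhere else. It parses a constructed HTML message (assumed content; `www.yourbank.com` is the placeholder bank name used earlier on this page) and reports anchors whose displayed host differs from the host actually linked:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.yourbank.com/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def find_deceptive_links(html: str) -> list:
    """Return (shown_host, real_host) for every anchor whose text is presented
    as an address but whose href actually leads to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue                        # text is not shown as an address; nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            flagged.append((shown, real))
    return flagged

# Constructed sample message: the first link's text says the bank, its href does not.
SAMPLE = ('<p>Your account needs verification.</p>'
          '<a href="http://login-verify.example.org/acct">https://www.yourbank.com/login</a>'
          '<br><a href="https://www.yourbank.com/help">https://www.yourbank.com/help</a>')
```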
Friday, November 19, 2010
Stuxnet is in the press right now as being one of the most serious security threats ever unleashed, and is said to be a sort of "new animal" in cyber-warfare. I'll provide some links for further reading below, but the apparent intent and sophisticated behavior of Stuxnet is so, well, awesome (in a bad way) that I do want to summarize what's been learned:
- Its targeted behavior is very specific - although it propagates via Windows (using USB memory sticks and/or network connections), its ultimate target is a particular brand of industrial controller computer made by Siemens, which is network-connected to those Windows systems
- Not only is it Siemens "SCADA"-system specific, but its end targets are "variable-frequency drives" made by two specific companies, which regulate the speed and operation of electric motors
- Only motors that are programmed to run within a specific speed band are targeted
- The speed band corresponds to speeds used by uranium refinement centrifuges
- The end result is that Stuxnet causes those motors to periodically overspeed and underspeed
It's still not known who wrote Stuxnet, but there is universal agreement that its sophistication and complexity are unprecedented, and that it is, unfortunately, probably the first shot fired in a new level of cyber-warfare.
As promised, here are some links if you want to dig deeper:
- Wired Magazine article
- Stuxnet Wikipedia entry
- Symantec dossier on Stuxnet (very technical)
- very recent news about a possible 2nd "payload" in Stuxnet
I promise we have not heard the end of this "worm".