Friday’s DDoS Attack And The Mirai IoT Worm

It may have reached your attention that on Friday there was a significant denial of service attack against a widely used DNS provider, Dyn, which provides DNS for organisations such as Twitter, GitHub, and Amazon. The effect was to make those services unreachable for many users, leading some to believe that the Internet itself was down!

Some of the major links may provide additional information :-

The details of the attack are still being disclosed, but it appears very likely that a widely known botnet of compromised “Internet of Things” devices (the Mirai worm of the title) was used to perpetrate a simplistic, high-volume denial of service attack against Dyn DNS, specifically their DNS infrastructure in the US. Whether a particular Dyn DNS customer was the intended target is not known.

As a result, their DNS infrastructure was clobbered, and because many sites had chosen a very short caching time (TTL) for their records, resolvers around the world soon had nothing left in their caches and the names disappeared off the Internet.

This sort of attack could be mitigated in a number of ways (not all are realistic or possible) :-

  • Dyn DNS could increase their defences against denial of service attacks, which I am sure they are doing; they already had defences, but not sufficient for this level of attack.
  • People who run DNS for their organisation should consider increasing the TTL (time to live) on their records, i.e. how long resolvers are permitted to keep the answers cached. If the Dyn DNS servers disappear off the Internet, the outage is far less noticeable if the values they would have returned are still cached in resolvers elsewhere. The trade-off is that changes to a record take correspondingly longer to propagate.
  • IoT manufacturers should pay far greater attention to the security of their devices. Most IoT customers are not likely to have sophisticated IT professionals available to deal with security updates.
  • ISPs should look at blocking traffic from infected machines to prevent denial of service attacks. There is always the argument that the average customer of an ISP isn’t sophisticated enough to know that their Internet-connected curling-tongs are joining in a co-operative effort to blast a DNS server into rubble, but there does come a point where being nice to the naive needs to take second place to protecting the Internet as a whole.
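To put a number on the caching point, here is an added example (not code from the original post) that reads the answer section printed by `dig +noall +answer <name>` and works out how long a resolver could keep serving each name after the authoritative servers vanish. It follows CNAME chains, because a cached chain expires when its shortest TTL does. The four answers embedded below are constructed and the hostnames are hypothetical.

```python
"""Check how long cached DNS answers would outlive an authoritative outage.

Added example; this is not code from the original post. It reads the answer
section printed by `dig +noall +answer <name>`; the answers in SAMPLE are
constructed and the hostnames are hypothetical.
"""
import re

# dig answer line: <name> <ttl> <class> <type> <rdata...>
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig_answers(text):
    """Return a list of (name, ttl, rtype, rdata) tuples; non-answer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def effective_ttl(records, name):
    """Seconds a resolver may keep serving `name` after the authoritative
    servers vanish. Follows CNAME chains: a long TTL on the final A record is
    no help if the CNAME in front of it is short. None if `name` is unknown."""
    by_name = {}
    for rec_name, ttl, rtype, rdata in records:
        by_name.setdefault(rec_name, []).append((ttl, rtype, rdata))
    ttl_min, seen = None, set()
    while name in by_name and name not in seen:
        seen.add(name)                      # guard against CNAME loops
        entries = by_name[name]
        for ttl, _, _ in entries:
            ttl_min = ttl if ttl_min is None else min(ttl_min, ttl)
        targets = [rdata for _, rtype, rdata in entries if rtype == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return ttl_min


def short_ttl_names(records, min_ttl=3600):
    """Names whose effective cache lifetime is below min_ttl seconds (default one hour)."""
    names = []
    for name in dict.fromkeys(r[0] for r in records):   # keep order, drop duplicates
        if effective_ttl(records, name) < min_ttl:
            names.append(name)
    return names


# Constructed `dig +noall +answer` output (tab-separated, as dig prints it).
SAMPLE = (
    "www.example.com.\t300\tIN\tA\t192.0.2.10\n"
    "api.example.com.\t60\tIN\tCNAME\tapi-lb.example.net.\n"
    "api-lb.example.net.\t86400\tIN\tA\t198.51.100.7\n"
    "mail.example.com.\t86400\tIN\tA\t192.0.2.25\n"
)

if __name__ == "__main__":
    recs = parse_dig_answers(SAMPLE)
    for name in dict.fromkeys(r[0] for r in recs):
        print(f"{name:24} survives an outage for {effective_ttl(recs, name)} s")
    print("too short:", short_ttl_names(recs))
```

In the sample, `api.example.com.` points at a record with a day-long TTL but sits behind a 60-second CNAME, so it is the first name to vanish in an outage of the kind described above; raising the TTL on the A record alone would not help it.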

To get a quick peek behind the curtain, let’s look at the size of the problem as we see it on our own network. For October so far, we have denied :-

[Chart: mirai – millions of blocked connection attempts per day, October]

Each of those bars represents a single day in October, and the height corresponds to the millions of connection attempts we have blocked. Each infected device (cameras or DVRs, apparently) is of course making many connection attempts; the following chart shows the number of unique devices making telnet connection attempts to us (don’t be confused by the scale – it is in hundreds of thousands, so the peak is approximately 1 million) :-

[Chart: mirai-ip – unique source devices making telnet connection attempts per day, October]

This is a big problem.
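The two quantities the charts plot are easy to compute yourself. The following is an added example, not code from the original post (which does not say which firewall produced the charts): it tallies denied connections to the telnet ports per day, counting both raw attempts and distinct source devices, and lists the noisiest sources. The log lines are constructed in the iptables `LOG` format (a `DENY` prefix followed by `SRC=`/`DST=`/`DPT=` fields) using documentation address ranges; Mirai’s scanner is known to try port 2323 as well as 23, so both are counted.

```python
"""Tally denied telnet scans per day: total attempts and unique source devices.

Added example; not code from the original post. The log lines below are
constructed in the iptables LOG format (a "DENY" prefix, then SRC=/DST=/DPT=
fields) and use documentation address ranges.
"""
import re
from collections import Counter, defaultdict

TELNET_PORTS = {23, 2323}   # Mirai's scanner tries both

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\S+\s+\S+\s+kernel:\s+DENY\b.*?"
    r"\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)\b"
)


def telnet_hits(lines):
    """Yield (day, src) for every denied connection to a telnet port."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) in TELNET_PORTS:
            yield f"{m.group('mon')} {int(m.group('day')):02d}", m.group("src")


def daily_totals(lines):
    """{day: (attempts, unique_sources)}, the two quantities the charts plot.
    Days are sorted as strings, which is correct within a single month."""
    attempts, sources = Counter(), defaultdict(set)
    for day, src in telnet_hits(lines):
        attempts[day] += 1
        sources[day].add(src)
    return {day: (attempts[day], len(sources[day])) for day in sorted(attempts)}


def noisiest_sources(lines, n=3):
    """The n source addresses with the most denied telnet attempts, busiest first."""
    counts = Counter(src for _, src in telnet_hits(lines))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample: two days, plus one non-telnet line that must be ignored.
SAMPLE_LOG = """\
Oct 20 03:12:44 fw kernel: DENY IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51432 DPT=23
Oct 20 03:12:45 fw kernel: DENY IN=eth0 SRC=198.51.100.23 DST=203.0.113.6 PROTO=TCP SPT=51433 DPT=23
Oct 20 03:13:01 fw kernel: DENY IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=40011 DPT=2323
Oct 20 03:13:09 fw kernel: DENY IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=44100 DPT=443
Oct 21 11:02:17 fw kernel: DENY IN=eth0 SRC=192.0.2.41 DST=203.0.113.5 PROTO=TCP SPT=60002 DPT=23
Oct 21 11:02:18 fw kernel: DENY IN=eth0 SRC=192.0.2.41 DST=203.0.113.7 PROTO=TCP SPT=60003 DPT=23
Oct 21 11:05:00 fw kernel: DENY IN=eth0 SRC=192.0.2.42 DST=203.0.113.7 PROTO=TCP SPT=60010 DPT=23
Oct 21 11:07:31 fw kernel: DENY IN=eth0 SRC=192.0.2.43 DST=203.0.113.5 PROTO=TCP SPT=60020 DPT=2323
""".splitlines()

if __name__ == "__main__":
    for day, (hits, devices) in daily_totals(SAMPLE_LOG).items():
        print(f"{day}: {hits} attempts from {devices} devices")
    print("noisiest:", noisiest_sources(SAMPLE_LOG))
```

The ratio between the two numbers is the interesting part: a single infected device scanning a /16 shows up as thousands of attempts, so the unique-source count (the second chart above) is the better estimate of how many compromised devices there are.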

Posted in Active Attacks, Technical

Free Converters May Come With Unwanted Gifts

I read this morning a post on another blog site about an experiment that someone tried. They converted a PDF file to a DOC file using five different free web-based converters and found that three of the results were malware-infected.

And previously we have had issues where people have downloaded free software by carelessly searching for it on the Internet, and found versions packed with malware.

The moral of the story? Be wary of searching for tools on the Internet; there are very many useful tools out there – indeed the Internet is constructed to a very major extent from free tools – but there are also many sources of malware. Download software from the project’s own site rather than from the first search result, and treat anything a third-party web service hands back to you as untrusted until it has been scanned.

Posted in General, Malware

Do Not Attach Network Equipment to the UoP Network

It can be very tempting, as a quick solution (especially for a temporary bodge), to attach network equipment to the University network. Don’t do it.

Please!

In the past it was unusual for network equipment to be so widely available, so this has not previously been a problem. However, with the spread of home networks, it is becoming one. Naïvely attaching domestic (or enterprise) network equipment to a production network can have rather severe consequences.

On occasions entire building networks have been taken out of service due to this sort of issue.

Network switches, routers, and bridges can in some circumstances cause all sorts of disruption at a low level (a loop that floods a building with broadcast traffic, or a home router handing out addresses to everyone on the segment, for example), which can be very hard to trace.

Wireless equipment will degrade performance for everyone within range of the transmitter, because it competes with the University wireless network for the same radio channels.

Even an ordinary computer can be configured in a way that works perfectly well in a domestic environment but causes disruption on an enterprise network.

Lastly, it should be noted that attaching unauthorised equipment can result (and in some cases has resulted) in your connection to the UoP network being withdrawn with no notice.

Posted in General

Do You Know Email’s “BCC” Header?

There are a number of stories going around at the moment about the unintentional disclosure of email addresses, i.e. giving third parties access to the addresses of everyone on a mailing. This is almost always a mistake made by someone who used conventional email software (such as the standard Google Mail interface) without thinking carefully enough.

Now in most cases this does not matter too much … except possibly a brief moment of embarrassment. After all an email address is not that private, or is it?

There are two reasons why leaking email addresses, even to a limited audience, can be considered a bad thing :-

  1. People do sometimes want to keep their email address private; at the very least once an email address becomes public knowledge, spam starts arriving surprisingly quickly.
  2. Releasing an email address in association with some other piece of information can be surprisingly sensitive. If the fact that an email was sent implies that the recipients are interested in HIV services, the recipients may be somewhat disconcerted to learn that their membership of that group is now effectively public.

And of course there is another reason why leaking email addresses can be a bad idea. News organisations can jump on the story as an easy way of populating their front page!

The golden rule here is: if you are sending an email to more than five people who do not know each other, either use a specialised piece of software (a mailing-list system) to send the emails, or put the recipients in the “BCC” (Blind Carbon Copy) header.

To make things easier for people migrating from paper memos, the inventors of email used three common terms for listing addresses that email should be sent to – To (the public recipient), Carbon Copy (for public others who may be interested), and Blind Carbon Copy (for private copies). At least these terms were common in the days of formal paper memos!

The key field to remember for the purposes of this blog posting is “BCC”.

When you compose an email, you are normally given a list of fields to enter email addresses into :-

[Screenshot: 2016-07-26_1107]

In this case (Gmail), click on “Bcc” at the right-hand side of the “To” field and a new field will be shown :-

[Screenshot: 2016-07-26_1108]

(The “Cc” field works in the same way)

The “Bcc” field is filled with email addresses in the normal way, but the difference is that the Bcc addresses are stripped out before the email is delivered, so recipients cannot see to whom else it was sent. Anyone listed in “To” or “Cc” remains visible to everybody, so for a mass mailing put your own address (or a departmental address) in “To” and everyone else in “Bcc”.

You may think that this does not apply to you right now, but there is no harm in getting to know “Bcc” and getting used to using it. It does no harm, and being familiar with it may save you from some embarrassment at some point in the future.
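For those who would rather see the mechanism than the button, here is an added example (not code from the original post) that builds a message with Python’s standard email library and performs the two steps every sending client carries out: the Bcc addresses are added to the delivery (SMTP envelope) list, and the Bcc header is deleted before the message is serialised, so no recipient ever receives it. It also applies the post’s “more than five people” rule as a check. All addresses are constructed.

```python
"""Where Bcc addresses go: into the SMTP envelope, never into the headers the
recipients receive.

Added example; not code from the original post. All addresses are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MASS_MAIL_LIMIT = 5   # the post's rule of thumb for "use Bcc or a list system"


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Compose a message; Bcc is an ordinary header at this point, like To and Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg, *fields):
    values = [str(v) for f in fields for v in msg.get_all(f, [])]
    return [addr for _, addr in getaddresses(values)]


def envelope_recipients(msg):
    """Everyone the message is delivered to (the SMTP RCPT TO list): To + Cc + Bcc."""
    return _addresses(msg, "To", "Cc", "Bcc")


def visible_recipients(msg):
    """What every recipient can read in the headers: To + Cc only."""
    return _addresses(msg, "To", "Cc")


def prepare_for_sending(msg):
    """Return (rcpt_list, wire_bytes). The Bcc header is removed before the
    message is serialised, so nobody learns who else was blind-copied.
    (smtplib's send_message() performs these same two steps for you.)"""
    rcpt = envelope_recipients(msg)
    del msg["Bcc"]
    return rcpt, msg.as_bytes()


def leaks_recipient_list(msg, limit=MASS_MAIL_LIMIT):
    """True if more than `limit` addresses are exposed to everybody via To/Cc."""
    return len(visible_recipients(msg)) > limit


if __name__ == "__main__":
    msg = build_message(
        "clinic@example.org", to=["clinic@example.org"],
        bcc=["alice@example.net", "bob@example.net", "carol@example.net"],
        subject="Support group meeting", body="See you Thursday.",
    )
    rcpt, wire = prepare_for_sending(msg)
    print("deliver to:", rcpt)
    print("headers mention a Bcc recipient:", b"alice@example.net" in wire)
```

Putting the sender’s own address in “To” is what keeps the delivered copy from having an empty recipient line; everyone else rides in the envelope only.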

Posted in Email

TeamViewer: People Being Hacked

There are many reports that those using the TeamViewer application are being subjected to hacks with their bank accounts being emptied and similar problems. The details of how the attackers are breaking in are not available, but it seems likely that it is the result of unfortunate configuration settings.

If you are using TeamViewer, you should consider one or more of the following :-

  1. Stop using TeamViewer. If you do not use it, you cannot be hacked through it. However, it should be possible to use TeamViewer safely if you follow the instructions below.
  2. Download the latest version of TeamViewer. The latest version is less likely to be vulnerable to exploits than earlier versions; the instructions below apply to version 11.
  3. Set up the configuration as guided below. The most likely way that the attackers can get in to your computer is through an insecure configuration.
  4. Only run TeamViewer when necessary.

Another possibility is to use Bomgar which is licensed for University use – speak to the IS Servicedesk to see if it is a possibility.

Configuring Strong Random Passwords

First start the TeamViewer application:

[Screenshot: 2016-06-03_0853]

We need to change the security settings, so select “Options” from the “Extras” menu, and select “Security” on the tab down the left-hand side. For OSX, the menu options are slightly different – “TeamViewer”, and then “Preferences” and the appearance is different :-

[Screenshot: 2016-06-03_0949]

First of all, do not configure a personal password; a randomly generated password is better. (Unattended access does require a personal password; in that case use a long one of at least 12 characters, make it strong and not used anywhere else, and pay careful attention to the other steps in this guide.)

And do not configure “Grant easy access”.

The next thing is to change the password strength of the random password to “Very Secure” :-

[Screenshot: 2016-06-03_0952]

Whilst “Very secure” might seem a little extreme, it is not so extreme whilst an active attack is ongoing – and I suspect weak random passwords are the way in for the attackers.

One further thing we need to do is to go to the “Advanced” tab and show the settings :-

[Screenshot: 2016-06-03_1034]

In the “Advanced settings for connections to this computer” we want to change the “Random password after each session” to “Generate new” :-

[Screenshot: 2016-06-03_1037]

This causes TeamViewer to change the random password after each session.

Configuring Rules for Connecting

If you use a TeamViewer account, there are a few other things we can set up. On the very same page of settings there is a set of rules we can configure to determine who can connect :-

[Screenshot: 2016-06-03_0955]

The first option is specifying whether a TeamViewer client can use the logon screen; leaving it set to “Not allowed” is the most secure option here.

The next thing to do is to set up a whitelist; click on the “Configure” button next to the “Black and whitelist” :-

[Screenshot: 2016-06-03_1040]

“Allow access only for the following partners” needs to be selected; by default the list works as a blacklist of people who are not allowed to connect, and filling that in could be quite tedious! By only allowing specified “partners” to connect we can limit the list to just your own account.

Click on “Add” and select yourself. The whitelist will be updated to include your name :-

[Screenshot: 2016-06-03_1042]

(Obviously the name you see will be different here)

Configuring Two-Factor Authentication

Lastly, it is very strongly recommended that you set up two-factor authentication on your TeamViewer account. To begin with you will need an authenticator app on your phone such as the Google Authenticator (the one I used).

Log in to the web page at https://login.teamviewer.com/ and you should get to the management console with a web page that has the following at the top left :-

[Screenshot: 2016-06-03_1056]

At this point select your name at the right which should drop down a menu :-

[Screenshot: 2016-06-03_1058]

Select the “Edit profile” option and you should see a “Profile settings” screen displayed which will include :-

[Screenshot: 2016-06-03_1059]

Click on the “Activate” next to “Two factor authentication” to start the process; first a warning screen :-

[Screenshot: 2016-06-03_1100]

The next screen shows a QR code to enable two-factor authentication in your phone’s app :-

[Screenshot: 2016-06-03_1102, QR code obscured]

(I have obscured the QR code deliberately)

Scan this with your authenticator app, and it should be added to the list within your app, and it will generate a code to be used on the next screen :-

[Screenshot: 2016-06-03_1109]

Once you activate this, you will be shown a further screen containing a special code that can be used to deactivate two-factor authentication. Record this safely, such as within your personal KeePass password store, and treat it like a password: anyone who obtains it can switch two-factor authentication off again.

Once enabled, you will need to use the authenticator app to enter an additional time-based code every time you log in.
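What the authenticator app is actually doing with that QR code is computing a time-based one-time password: the QR code carries a shared secret, and every 30 seconds the app derives a six-digit code from the secret and the current time (RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses). The following added example, which is not code from the original post or from TeamViewer, implements both the phone side and the check a server performs, including the small tolerance for clock drift that explains why a code sometimes still works a few seconds after it changes. The secret used is the published RFC 6238 test-vector key, not a real account secret.

```python
"""What the authenticator app computes once it has scanned the QR code:
an RFC 6238 TOTP code (HMAC-SHA1, 30-second steps, 6 digits).

Added example; not code from the original post or from TeamViewer. SECRET is
the RFC 6238 test-vector key ("12345678901234567890" in base32), not a real
account secret.
"""
import base64
import hashlib
import hmac
import struct
import time

SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30          # seconds per code
DIGITS = 6


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Code for the time step containing `at` (seconds since the epoch; now if None)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, candidate, at, window=1):
    """Server-side check: accept the code for the current step or `window`
    steps either side, to tolerate small clock drift between phone and server.
    The comparison is constant-time so the check does not leak how many
    digits matched."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * STEP), candidate)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("code now:", totp(SECRET))
    print("RFC 6238 vector, T=59:", totp(SECRET, 59))   # expect 287082
```

The secret never leaves the phone once enrolled and is never typed in, which is why an attacker who has your password (from a breach of some other site, say) still cannot log in; conversely, anyone who photographs the QR code at enrolment time can generate the same codes, so keep it off screenshots and screen-sharing sessions.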

Further Information

The following links are to more information on the incidents :-

  1. http://www.tripwire.com/state-of-security/featured/teamviewer-hack-pc-hijack/
  2. http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/
  3. https://www.reddit.com/r/teamviewer/comments/4ktys8/teamviewer_security_best_practices/
Posted in Active Attacks, Technical

Have You Changed Your Myspace Account Password Recently?

Don’t laugh.

Some of us who have been around for more than a few years may well have used a Myspace account at some point in the past, and may well have set it up with a password weaker than the kind of password you would use today (or hopefully it is weaker!). In addition, Myspace has been compromised and up to 360 million account details have been leaked.

You may very well think that your Myspace account is no longer of interest to you; fair enough. But in that case you should ask for it to be deleted. And if it is still of interest, you should change the account password.

But there is a general point here. If you have old accounts on old services then you should go back and change the passwords to something more secure, and unique: if you used the same password anywhere else, change it there too, because leaked password lists are tried against other services. If you do not want to be bothered, request that the account is removed.

Posted in Passwords

Sending SurveyMonkey Questionnaires Without Being “Spammed”

We recently encountered an issue where somebody attempted to send a questionnaire constructed in SurveyMonkey to a number of students and some deliveries were made to the students’ spam folders.

Which is obviously sub-optimal.

Unfortunately we do not fully control how Google decides messages are spams, so we cannot easily ensure that such questionnaires are delivered to everyone’s inbox. SurveyMonkey themselves have some advice on avoiding being dropped into the spam folder.

After thinking about it for some time, a far more reliable method came to mind. It is slightly more work, but should in theory be more reliable for ensuring that everyone gets a chance to fill in your questionnaire.

The answer, when creating your survey, is to get a link to the survey rather than simply emailing it out (the “most popular” option).

[Screenshot: 2016-05-25_0905]

This gives you a web site address that will look something like https://www.surveymonkey.co.uk/r/G9K3RQP. You can then write an ordinary email in your Google Mail client explaining what the survey is about and paste in that web site address.

Because it is sent from within the University’s Google Mail rather than from SurveyMonkey’s servers, the mail is somewhat more trusted than email from outside, so it should be less likely to be filed into the recipient’s spam folder.

Posted in Email

Be Careful What You Screenshot …

One of the latest stories from the security world is about a Christian pastor caught undertaking the kind of web browsing you would not expect (or maybe you would). He had taken a screenshot (presumably to capture the results of a search) which, in addition to the information he expected, also contained the titles of the web pages open in his other tabs.

However amusing (or not) we may find this story, it is a good reminder that whenever we distribute information of any kind it is worth bearing stories like this in mind, and checking :-

  • If you are sending someone a screenshot, either make sure the rest of the screen does not contain information you do not want to be disclosed, or edit down the screenshot so that it only shows the area of interest (i.e. just the error message).
  • If you are forwarding an email onto someone who has not been part of the discussion, is there part of the email that you should possibly not share? Forwarding a whole chain of conversation has led in the past to legal action!
  • When sharing a Google document in editable form, does the revision history contain any embarrassing revisions? Anyone with rights to edit can browse through every version of that document!
Posted in General

Apache: Using X-Frame-Options To Prevent Click-Jacking

Click-jacking is an attack in which a malicious site loads your page inside an invisible frame and tricks the visitor into clicking on it; the Wikipedia article on clickjacking tells you all about it.

This posting is about how to stop security scans reporting that your site is vulnerable to click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).

The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).

Firstly, make sure that you are loading the Apache module that modifies HTTP headers (mod_headers) :-

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

This may be enabled by default on less minimalistic Linux distributions. Next, for every virtual host add the following :-

Header always set X-Frame-Options "DENY"

Use “set” rather than “append”: “append” merges the value with any X-Frame-Options header already present (from an application framework or another configuration file), and a response carrying “DENY, SAMEORIGIN” is not a valid header. “always” makes sure the header is also added to error responses, which scanners check too. The valid values for the word at the end are DENY (don’t permit framing at all) and SAMEORIGIN (only permit framing by pages from the same origin). A third value, ALLOW-FROM, was never universally supported and should not be relied on; if you need to permit one specific other site, the modern replacement is the Content-Security-Policy header’s frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present.
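Having added the directive, check what the server actually sends, because the scanner will. The following is an added example, not code from the original post: it parses a raw HTTP response and reports whether it carries exactly one valid X-Frame-Options value, or a Content-Security-Policy frame-ancestors directive (which takes precedence), and flags the “DENY, SAMEORIGIN” result that “Header append” produces on a server that was already sending the header. The responses are constructed; you would feed it the output of `curl -si https://your-site/` instead. On Debian and Ubuntu the module itself is enabled with `a2enmod headers` rather than by hand-editing the LoadModule line.

```python
"""Verify that a response really carries an effective anti-framing header.

Added example; not code from the original post. Anything other than exactly
one DENY or SAMEORIGIN value (or a CSP frame-ancestors directive) is reported
as a problem, which is what a security scanner will do. The responses below
are constructed.
"""
import re

VALID_XFO = {"DENY", "SAMEORIGIN"}
FRAME_ANCESTORS_RE = re.compile(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", re.I)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, {lowercased-name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def frame_policy(headers):
    """Return (verdict, detail); verdict is "ok", "missing", "invalid" or "unsupported"."""
    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    for value in headers.get("content-security-policy", []):
        m = FRAME_ANCESTORS_RE.search(value)
        if m:
            sources = m.group(1).strip()
            if sources == "*":
                return "invalid", "frame-ancestors * lets any site frame this page"
            return "ok", "CSP frame-ancestors " + sources
    # Collect every X-Frame-Options value. `Header append`, or two config
    # files both setting it, produces "DENY, SAMEORIGIN", which is not valid.
    values = [v.strip().upper()
              for raw in headers.get("x-frame-options", [])
              for v in raw.split(",") if v.strip()]
    if not values:
        return "missing", "no X-Frame-Options or frame-ancestors"
    if len(set(values)) > 1:
        return "invalid", "conflicting values: " + ", ".join(values)
    if values[0] in VALID_XFO:
        return "ok", "X-Frame-Options " + values[0]
    if values[0].startswith("ALLOW-FROM"):
        return "unsupported", "ALLOW-FROM is not honoured by all browsers; use frame-ancestors"
    return "invalid", "unknown value " + values[0]


# Constructed responses: `Header always set`; `Header always append` on a
# server that already sent SAMEORIGIN; no header at all; and a CSP equivalent.
RESP_SET = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\n\r\n<html>"
RESP_APPENDED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, DENY\r\n\r\n<html>"
RESP_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_CSP = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            "frame-ancestors 'self'\r\n\r\n<html>")

if __name__ == "__main__":
    for name, raw in [("set", RESP_SET), ("appended", RESP_APPENDED),
                      ("missing", RESP_MISSING), ("csp", RESP_CSP)]:
        print(f"{name:9}", frame_policy(parse_response(raw)[1]))
```

Run it against an error page (a 404, say) as well as the front page: the “always” condition in the directive exists precisely because error responses are generated on a different path inside Apache and would otherwise go out without the header.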

Posted in Technical

Ransomware for OSX

It turns out that ransomware is no longer just for Windows; OSX has it too.

If you use the OSX version of the Transmission BitTorrent client, you may want to check which version you are running, because some copies of version 2.90 were infected with the first effective ransomware for OSX.

Posted in Active Attacks, Malware