My buddy Chris Sanders has written an awesome book (Applied Network Security Monitoring: Collection, Detection, and Analysis) detailing the practice behind network security monitoring (NSM). In addition to being an incredibly astute security analyst and author, Chris is truly one of the nicest people I know - and someone who puts his personal beliefs into action (ex. all of the proceeds from his books go to charity).
In the interest of making security approachable, I’ve decided to attempt to bring proper security methodology down to a level that everyone can understand. Because my four-year-old niece lives with us, we’ve got a ton of children’s books lying around for inspiration. I decided to try passing along a little security knowledge by mimicking the style of the beloved children’s classic, If You Give a Mouse a Cookie.
The day after my adventure with the fine upstanding folks at SpeedyPaper (who provide students with research paper “assistance”) began, I once again found myself awake, early in the morning, trolling through Google for interesting “stuff.”
Knowing that hackers had somehow been mysteriously inspired to place links back to SpeedyPaper on the U.S. Capitol’s virtual tour site, I wondered if that mystical, magical spell that SpeedyPaper unwittingly cast over the sKr1pt K1dz might have claimed other victims.
Note: I can’t even get my kids to pick up their frickin' laundry…
Everyone needs a hobby.
Mine is, I’ll admit, probably a bit odd. I collect justice… or at least the small morsels of justice I’m able to eke out of this increasingly unjust world.
My justice “collection” includes - quite literally - hundreds of websites, servers, and systems that I’ve managed - over the years - to get “unhacked” by notifying the folks who own them and, as a result, taking them away from the folks who… well… 0wn them.
At times, it becomes soul-sucking drudgery - I feel like a modern day Cassandra, telling the truth to people who just don’t want to hear. Today, however, wasn’t one of those days. Today was FUN.
It was mid-December 2002, and it was that rather nasty time of year when - in addition to having to deal with the snow - it was dark when I went into work in the morning and dark when I came home. Even though our company shut down over Christmas, I was going to be spending my holidays upgrading servers. Needless to say, I wasn’t really bubbling over with holiday joy.
My office was a long, skinny, windowless affair, and the only office furniture arrangement that made sense left me sitting with my back facing the door. Those of you who have worked in IT (and especially security) know that we tend to focus on the task at hand to the exclusion of all else, so - over the years - the staff had learned various techniques to gently rouse me from “concentrating” without startling the hell out of me.
Tap… Tap… Tap…
Running a honeypot has turned me into a bit of a “collector.”
I collect all sorts of interesting things that the bad guys of the Internet happen to leave lying around on systems they think they’ve 0wned.
Over the years, I’ve collected LOTS of malware… so, generally speaking, you probably don’t want to piss me off and then give me access to your computer.
Some of the most interesting “collectibles” I’ve managed to acquire are the tools used by attackers to ply their “trade.” As software goes, they range quite a bit in sophistication - from half-baked scripts that are destined to fail a majority of the time, all the way up to incredibly sophisticated “point-n-click” toyz that have been through hundreds of versions and incremental changes over the years.
Today, I’m going to show you one of the more interesting tools I’ve found. I’ve seen it before, but never really took the time to dig into it and see exactly what makes it tick… so how about if we take a look?
Mirrors are a wonderful invention.
Without mirrors, where would those of us who are self-absorbed sit, gazing fondly? Without mirrors, no one would be able to tie a necktie, neatly part their hair, or pop a zit.
Mirrors help us safely answer the age-old question that has been the bane of husbands since the dawn of time: “Do these jeans make my butt look big?” (Answer: “Well dear, I certainly don’t think so, but perhaps you should look in the mirror and see for yourself…”)
Attribution: It’s one of the most difficult parts of trying to tell people, “hey… your fly is open.”
I’m not talking about the whole 21st century “spin the big wheel of attack attribution” game that various security firms like to play (“Aaaaaaaand… ittttttsssss… CHINA, No! Wait! It looks like it might spin past CHINA and on to… NORTH KOREAAAAAAAAA!!”)
What I’m talking about here is real attack attribution. Identifying the owner of a compromised system that is attacking others on the ‘Net so I can contact them and get them to clean it up. It’s about making the 'Net a better place, not about making headlines.
While I’m sure that there is little to no guesswork involved in any of the high profile “nation state” attack attributions that have taken place over the past few years (cough, cough… The bad guys may be sophisticated enough to hack our systems, but they can’t be smart enough to evade our monitoring, or to misdirect us into an incorrect attribution…)
Sadly, in my case, there’s a lot of guesswork involved: WHOIS sucks in a plethora of ways, reverse-DNS rarely works, and abuse@ ISP emails are a frickin' black hole.
It’s tough, so I need to get a little creative at times.
I really hate the phone calls… they are, unquestionably, the worst. But sometimes, there isn’t any other way to actually get someone to pay attention. Emails are deleted… Tweets are ignored… Sometimes it comes down to me picking up the phone and telling someone:
“Hi. This is probably something that you don’t want to hear… but your website has been hacked.”
The reactions run the entire emotional gamut: from mildly hostile to exceedingly hostile.
(Yes, I realize that’s a somewhat limited range for a “gamut.”)
I am a database bubble-head…
At least that’s what it must seem like to some friendly folks from Jiangsu, Nanjing, China who stopped by the MySQL DB server that I, apparently, do a horrible job of running. Obviously these are thoughtful and helpful people - the moment they noticed that I’m not doing a very good job of administering the box, they decided to help me out.
One of the things that probably tipped them off to the fact that I don’t “DB” very well was the fact that they were able to log in as the user ‘mysql’ with a blank password.
Note to self: I really need to do something about that one of these days…
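A blank-password login on a wildcard host is the kind of misconfiguration a two-minute audit of the account table catches. What follows is an added example, not code from the original post and not the author’s honeypot setup: it assumes MySQL 5.7 or later (where the credential lives in mysql.user.authentication_string and DROP USER IF EXISTS / ACCOUNT LOCK are available), and the 'mysql'@'%' account name is a placeholder standing in for whatever the audit turns up.

```sql
-- Added example: audit a MySQL server for accounts usable without a password.
-- Assumes MySQL 5.7+ (authentication_string column); on 5.6 and earlier the
-- equivalent column is Password. Account names are illustrative placeholders.

-- 1. Accounts with no stored credential that still use a password plugin.
--    auth_socket / unix_socket accounts legitimately have an empty
--    authentication_string (the OS authenticates them), so exclude them
--    to avoid false positives.
SELECT user, host, plugin, account_locked
FROM mysql.user
WHERE (authentication_string = '' OR authentication_string IS NULL)
  AND plugin NOT IN ('auth_socket', 'unix_socket');

-- 2. Accounts reachable from anywhere. A wildcard host plus a blank
--    password is exactly the combination that lets remote visitors in.
--    '\%' inside the LIKE pattern matches a literal percent sign, so this
--    also catches partial wildcards such as '192.168.%'.
SELECT user, host, plugin
FROM mysql.user
WHERE host = '%' OR host LIKE '%\%%';

-- 3. Anonymous accounts (empty user) that some installers leave behind.
SELECT user, host FROM mysql.user WHERE user = '';

-- 4. Remediation for a finding like 'mysql'@'%': drop it if nothing needs it,
--    otherwise give it a real password and confine it to localhost.
DROP USER IF EXISTS 'mysql'@'%';
DROP USER IF EXISTS ''@'localhost';
-- If the account must remain, lock it down instead of dropping it:
-- ALTER USER 'mysql'@'localhost' IDENTIFIED BY '<strong-random-password>';
-- ALTER USER 'mysql'@'localhost' ACCOUNT LOCK;

FLUSH PRIVILEGES;
```

Run the three SELECTs first and keep the output; they are cheap to schedule and are the same checks an attacker’s scanner performs from the outside. Whatever the account table says, a database that has no business being reachable from the Internet should also be bound to a loopback or private address (bind-address in my.cnf) or have networking disabled outright (skip-networking), so that a future weak account is not a one-step remote login.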