Information Security News
F-Secure's Hypponen leads RSA refuseniks to NSA-free infosec chatfest
It was probably inevitable: a group of RSA Conference refuseniks have established a rival conference within walking distance of the original. The one-day TrustyCon, to be held on 27 February at the AMC Metreon Theatre in San Francisco, has drawn Mikko ...
In any study of internet traffic, you'll notice that one of the top activities of attackers is to mount port scans looking for open SSH servers, usually followed by sustained brute-force attacks. On customer machines that I've worked on, anything with an open port tcp/22 for SSH, SFTP (FTP over SSH) or SCP will have so many login attempts on these ports that using the system logs to troubleshoot any other problem on the system can become very difficult.
We've written this up many times, and often one of the first things people do, thinking that this will protect them, is move their SSH service to some other port. Often people will choose 2222, 222 or some "logical" variant as their new home for SSH. This really just takes away the background noise of automated attacks; real attackers will still find your service. We've covered this phenomenon and real options for protecting open services like SSH in the past (google for ssh inurl:isc.sans.edu for a list).
What got me thinking about this was a bit of "data mining" I did the other night in the Dshield database using the reporting interfaces on the ISC site, as well as our API. Port 22 traffic of course remains near the top of our list of ports being attacked:
However, this past week we saw an unusual spike in TCP port 222:
On the 14th, port 222 actually topped our list. This event only lasted 2 days, and was primarily sourced by only two IP addresses. Note the other spike in December.
This looked like a full internet scan for port 222, sourced from these two addresses (I won't call them out here). Looking closer at the IPs, they didn't look like anything special; in fact one was in a DSL range, so two days for a full scan is about right, given the fast scanning tools we have these days and the bandwidth a home user will usually have.
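The observation above (a port briefly topping the chart, with almost all of the hits coming from one or two sources) is easy to reproduce against your own firewall logs. The following is an added example, not code from the ISC or the DShield API; it runs over a small constructed set of hit records in the form (day, source IP, destination port) and flags ports whose traffic is dominated by a couple of sources, which is what a scan looks like, as opposed to the diffuse background noise on tcp/22.

```python
from collections import Counter, defaultdict

# Constructed sample of firewall hit records: (day, source IP, destination port).
# Addresses are documentation ranges; the values are made up for this example.
SAMPLE_HITS = [
    ("2014-01-13", "198.51.100.10", 22),
    ("2014-01-13", "198.51.100.11", 22),
    ("2014-01-13", "198.51.100.12", 22),
    ("2014-01-13", "203.0.113.5", 222),
    ("2014-01-14", "198.51.100.10", 22),
    ("2014-01-14", "198.51.100.13", 22),
    ("2014-01-14", "203.0.113.5", 222),
    ("2014-01-14", "203.0.113.5", 222),
    ("2014-01-14", "203.0.113.6", 222),
    ("2014-01-14", "203.0.113.6", 222),
    ("2014-01-14", "198.51.100.14", 222),
]


def hits_per_port_by_day(hits):
    """Return {day: Counter({port: hit_count})} for the given records."""
    per_day = defaultdict(Counter)
    for day, _src, port in hits:
        per_day[day][port] += 1
    return per_day


def top_port(hits, day):
    """Port with the most hits on `day`, or None if there were no hits that day."""
    counts = hits_per_port_by_day(hits).get(day)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def source_concentration(hits, port, top_n=2):
    """Share of hits on `port` produced by the top_n sources, plus those sources.

    A share close to 1.0 means a handful of hosts generated nearly all the
    traffic, i.e. a deliberate scan rather than scattered background noise."""
    srcs = Counter(src for _day, src, p in hits if p == port)
    total = sum(srcs.values())
    if total == 0:
        return 0.0, []
    top = srcs.most_common(top_n)
    return sum(c for _, c in top) / total, [s for s, _ in top]


def scan_like_ports(hits, min_share=0.75, top_n=2):
    """Ports where top_n sources account for at least min_share of the hits."""
    ports = {p for _d, _s, p in hits}
    return sorted(p for p in ports if source_concentration(hits, p, top_n)[0] >= min_share)


if __name__ == "__main__":
    for day in sorted({d for d, _, _ in SAMPLE_HITS}):
        print(day, "top port:", top_port(SAMPLE_HITS, day))
    for port in scan_like_ports(SAMPLE_HITS):
        share, srcs = source_concentration(SAMPLE_HITS, port)
        print(f"port {port}: {share:.0%} of hits from {srcs}")
```

On the sample data port 22 leads on the 13th and port 222 takes over on the 14th, and only port 222 is flagged, because two sources produce five of its six hits. The thresholds (`min_share`, `top_n`) are choices for this example; on real data you would tune them against your normal per-port source diversity.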
The moral of the story? No matter where you move your listening TCP ports to, there is someone who is scanning that port looking for your open service. Using a "logical" approach to picking a new port number (for instance, 222 for scp or ssh, 2323 for telnet and so on) just makes the job easier for the attacker. And that's just accounting for automated tools doing indiscriminate scanning. If your organization is being targeted, a full port scan on your entire IP range takes only a few minutes to set up and will complete within an hour; even if it's on a "low and slow" timer (to avoid your IPS or to keep the log entry count down), it'll likely be done within a day or two. Moving your open service to a non-standard port is no protection at all if you are being targeted.
If you don't absolutely need to have a service on the public internet, close the port. If you need to offer the service, put it behind a VPN so that only authorized folks can get to it. In almost all cases, you don't need that SSH port (whatever the port number is) open to the entire internet. Restricting it to a known list of IP addresses or, better yet, putting it behind a VPN is by far the best way to go. If you MUST have "common target" services like SSH open to the internet, use certificates rather than, or in addition to, simple credentials, and consider implementing rate-limiting services such as fail2ban, so that once the brute-force attacks start, you've got a method to "shun" the attacker (though neither of these measures will protect you from a basic port scan).
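To make the rate-limiting recommendation concrete, here is an added example (not ISC code, and not fail2ban's own implementation) of the core logic such a tool applies: parse sshd's "Failed password" lines out of the auth log and ban any source that accumulates `maxretry` failures within a sliding `findtime` window. The log lines are constructed for this example; the parameter names mirror fail2ban's configuration vocabulary, and the year is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (made-up hosts, addresses and times).
# One source hammers root/admin/oracle within seconds; a legitimate user mistypes
# twice, 13 minutes apart, then succeeds with a key.
SAMPLE_AUTH_LOG = """\
Jan 14 03:10:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 14 03:10:03 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 14 03:10:04 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan 14 03:10:06 bastion sshd[2204]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jan 14 03:10:09 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jan 14 03:12:00 bastion sshd[2210]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan 14 03:25:00 bastion sshd[2211]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Jan 14 03:25:30 bastion sshd[2212]: Accepted publickey for alice from 198.51.100.20 port 40003 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Return a list of (timestamp, ip, user) for each failed-password line.

    Lines that do not match (accepted logins, other daemons) are ignored.
    `year` is assumed because syslog timestamps carry none."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def find_offenders(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window ban decision in the style of fail2ban.

    An IP is banned the moment it has `maxretry` failures inside any window of
    length `findtime`. Returns {ip: timestamp at which the ban would trigger}."""
    recent = {}   # ip -> failure timestamps still inside the current window
    banned = {}
    for ts, ip, _user in sorted(failures):
        if ip in banned:
            continue
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the sample log only 203.0.113.7 is banned, at the fifth failure (03:10:09); 198.51.100.20's two failures fall outside one ten-minute window, so a user who fumbles a password is not locked out. In a real deployment the ban action would be a firewall rule with an expiry rather than a dictionary entry, and, as the post notes, none of this stops the scan that found the port in the first place.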
by Sean Gallagher
The Electronic Frontier Foundation has published details of an attempted malware attack on two of its employees by a group of hackers associated with the Vietnamese government. The hacker group, known as Sinh Tử Lệnh, has targeted Vietnamese dissidents and bloggers in the past; it now appears that the campaign has been extended to attacks on US activists and journalists who publish information seen as critical of the Vietnamese government.
The Vietnamese government has gone after bloggers in its own country before, and as of last year it had jailed 18 independent journalists—bloggers being the only journalists in the country not affiliated with state-run media. And since 2009, the hacker group has taken that campaign beyond Vietnam's borders, targeting members of the Vietnamese diaspora critical of the Hanoi regime.
In December, two staff members of the EFF received e-mails from someone claiming to be from Oxfam International, inviting them to “Asia Conference.” The e-mail, from a Gmail address for “Andrew Oxfam,” appeared to have been sent to a list and included links to two documents that appeared to be information on the conference shared over Google Drive.
An annual list of the most commonly used passwords, a source of both humor and sadness to the human race, shows a change at the top for the first time in three years.
SplashData, a maker of password management software, started analyzing passwords leaked by hackers in 2011 and for the first two years of its study found that "password" was the most commonly used password, ahead of "123456."
The two switched places in 2013, according to the latest list released over the weekend. The new rankings were influenced by a hack on Adobe that revealed 130 million passwords protected only by reversible encryption. Security firm Stricture Consulting Group was able to reveal the top 100 passwords from the Adobe hack, and "123456" came in first by a long shot. Stricture found 1.91 million uses of "123456" compared to 446,162 uses of "123456789" and 345,834 uses of "password." Only 43,497 people used the password for Druidia's air shield and President Skroob's luggage.