Information Security News
The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators' identities.
All 110 malicious relays were acting as hidden service directories (HSDirs), the relays that store the descriptors end users need to reach ".onion" addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed "honions." The honions operated like normal hidden services, but their addresses were never published or shared; only the HSDirs that received their descriptors ever learned them. Any traffic arriving at a honion therefore pointed back at one of the directories that held its descriptor, and by tracking that traffic the researchers were able to identify directories that were behaving in a manner well outside Tor's rules.
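The attribution step described above, as an added example that is not code from the original article or from the Northeastern study: it assumes that, for each honion, the operator recorded which HSDir fingerprints received its descriptor, and that the honion web servers logged every request. Since the addresses were never shared, every request is evidence of snooping, and the HSDirs common to several visited honions are the strongest suspects. The fingerprints, addresses and log lines are constructed for the example.

```python
"""Attribute unexpected visits to honeypot onion services ("honions") back
to the hidden service directories (HSDirs) that could have leaked their
addresses.

Assumption (not from the original article): each honion's descriptor was
published to a known set of HSDir fingerprints, recorded at upload time,
and each honion's web server logged every request it received.  All
fingerprints, addresses and log lines below are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed: which HSDirs held each honion's descriptor when it was published.
# (Hypothetical fingerprints; real ones are 40-hex-digit relay identities.)
HONION_HSDIRS: Dict[str, Set[str]] = {
    "honion1.onion": {"HSD-01", "HSD-02", "HSD-03", "HSD-07", "HSD-08", "HSD-09"},
    "honion2.onion": {"HSD-02", "HSD-04", "HSD-05", "HSD-10", "HSD-11", "HSD-12"},
    "honion3.onion": {"HSD-02", "HSD-13", "HSD-14", "HSD-15", "HSD-16", "HSD-17"},
    "honion4.onion": {"HSD-18", "HSD-19", "HSD-20", "HSD-21", "HSD-22", "HSD-23"},
    "honion5.onion": {"HSD-24", "HSD-25", "HSD-26", "HSD-27", "HSD-28", "HSD-29"},
}

# Constructed access log from the honion web servers: "<timestamp> <honion> <request>".
# Because the addresses were never shared, every line is by itself evidence of snooping.
VISIT_LOG: List[str] = [
    "2016-02-20T03:12:09Z honion1.onion GET /",
    "2016-02-20T03:12:11Z honion1.onion GET /robots.txt",
    "2016-02-21T14:02:55Z honion2.onion GET /",
    "2016-02-25T22:47:30Z honion3.onion GET /wp-login.php",
    "2016-03-01T08:15:01Z honion4.onion GET /",
]


def visited_honions(log: Iterable[str]) -> Set[str]:
    """Return the set of honion addresses that received at least one request."""
    visited: Set[str] = set()
    for line in log:
        parts = line.split()
        if len(parts) >= 2 and parts[1].endswith(".onion"):
            visited.add(parts[1])
    return visited


def suspect_counts(visited: Set[str], mapping: Dict[str, Set[str]]) -> Counter:
    """Count, per HSDir, how many visited honions it held.

    One visit implicates all HSDirs that held that honion equally; an HSDir
    that held several independently visited honions is hard to explain as chance.
    """
    counts: Counter = Counter()
    for honion in visited:
        for hsdir in mapping.get(honion, ()):
            counts[hsdir] += 1
    return counts


def minimal_explanation(visited: Set[str], mapping: Dict[str, Set[str]]) -> List[str]:
    """Greedy set cover: a small set of HSDirs such that every visited honion
    had its descriptor on at least one of them.

    Greedy is not guaranteed to be minimal, but it is adequate for the tens of
    honions in a study like this.  Ties are broken by fingerprint order so the
    result is deterministic.
    """
    uncovered = set(visited)
    chosen: List[str] = []
    while uncovered:
        counts = suspect_counts(uncovered, mapping)
        if not counts:
            raise ValueError(f"no recorded HSDir held {sorted(uncovered)}")
        best = max(sorted(counts), key=counts.__getitem__)
        chosen.append(best)
        uncovered = {h for h in uncovered if best not in mapping[h]}
    return chosen


if __name__ == "__main__":
    visited = visited_honions(VISIT_LOG)
    print("visited honions:", sorted(visited))
    for hsdir, n in suspect_counts(visited, HONION_HSDIRS).most_common(3):
        print(f"{hsdir}: held {n} visited honion(s)")
    print("smallest set of HSDirs explaining all visits:",
          minimal_explanation(visited, HONION_HSDIRS))
```

In this data HSD-02 held three of the four visited honions, so it is the clear snooper, while honion4's single visit can only be narrowed to the six HSDirs that held it; a real study resolves that ambiguity by running many honions over many days, since the set of responsible HSDirs rotates and a persistent snooper keeps reappearing in the intersection. The inference also relies on the address never leaking by any other route (for example a compromised operator machine), which the honion operator has to rule out separately.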
"Such snooping allows [the malicious directories] to index the hidden services, also visit them, and attack them," Guevara Noubir, a professor in Northeastern University's College of Computer and Information Science, wrote in an e-mail. "Some of them tried to attack the hidden services (websites using hidden services) through a variety of means including SQL Injection, Cross-Site Scripting (XSS), user enumeration, server load/performance, etc."
It is true, I am back after a 2-year hiatus from my duties as a Handler at the Internet Storm Center. Some may be wondering why. So here it is.
It all started with my new job. I was hired by a company 2 years ago to help move their IT Department forward. The owner told me it would be a challenge, but I accepted the challenge. They have 6 remote locations plus the corporate office, and I would be the second employee in the IT department taking care of all of the locations. That is where the story begins, and a challenge it was. My first week on the job I learned that they did not have successful backup jobs running for the 22 Windows servers. Several of the servers were standalone devices that ranged in age from 4 years to 14 years old. They were a mess, and the group policies, DNS, DHCP and Active Directory were a disaster. No backups in place for their critical desktop computers and no anti-virus solution company-wide. They had no firewalls, no IPS, no spam filter; Windows updates were hit and miss depending on whether the employee took the time to install them. There were a number of issues with the MPLS between the branches and a hodgepodge of phone systems. They had no security in place, no Disaster Recovery Plans. Our mail server was blacklisted twice in the first 3 months of my employment, so I had some work to do there as well. They are self-insured, so they had HIPAA requirements to deal with, which weren't happening. So as you can see it was definitely a challenge.
As of today we have made great progress. We have replaced the old servers with new servers, but instead of individual boxes we have migrated to virtual machines. We now have 6 physical boxes that are hosting all of the servers. All of the servers are being backed up to a recovery server that is on site as well as to a recovery server that is at one of our remote locations. All of our workstations are being backed up using a third-party off-site backup program. We have installed firewalls/IPS, a spam filter, cleaned up our AD (still a lot of work to do), installed Microsoft WSUS, a managed anti-virus/anti-malware solution, moved all phone systems at all locations to the same platform and have begun standardizing hardware and software throughout the organization. Our mail server has not been blacklisted since I completed the changes to our mail records for compliance and our network lockdown was completed. We are rolling out perimeter security with a digital camera system inside and outside of the facilities at each location, and we are in the process of reviewing going from copper to fiber for our MPLS network.
I have completed the initial HIPAA compliance requirements and have started working on the Disaster Recovery. I have monitoring and reporting setup for all aspects of the network infrastructure to attempt to ensure that our network remains safe and secure. Great progress has been made but we have a lot of work yet to do. I am now the IT Manager and Security and Compliance Officer for the organization. We had a ransomware attempt a few months ago and thankfully it was unsuccessful because of the precautions and preventative measures that have been implemented.
I am sure that I am not the only IT person that has walked into this type of situation, and I am sure I won't be the last. IT is so fluid and continuously changing, and the threats to the environment have changed too. One of my IT friends said it is like shooting fish in a barrel, and I have to agree.
Deb Hale (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.