Archive for the IT Security Category

Whitelisting An IP Address With “DenyHosts”

Posted in IT Security on July 17, 2010 by blackflag

DenyHosts is an excellent tool that aids in protecting SSH servers that are exposed to the Internet. It’s not at all uncommon for Linux servers that have multiple remote SSH users/administrators to have port 22 open to the Internet at large.

DenyHosts will automatically blacklist a given source IP address by writing that IP to the file ~/hosts.deny, thereby blocking the IP from SSH access. The downside of such automatic blocking is that a legitimate user who mistypes their password can be added to the hosts.deny list as well.

The solution to this problem is to add known safe IP addresses to the ~/allow-hosts file. On Debian 4/5 it is located in the directory “/var/lib/denyhosts”.

Edit the ~/allow-hosts file, add the whitelisted IP address, and save the file. Then check the hosts.deny file to see whether the IP address you want to whitelist has already been blacklisted there; if it has, remove it and save that file as well.

Problem solved.
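The steps above as a script, added here as an example rather than taken from the post: it validates the address, appends it to the allow list if it is not already there, and strips any matching DenyHosts entry from hosts.deny without disturbing other lines. The paths are assumptions based on the post (WORK_DIR /var/lib/denyhosts on Debian 4/5, hosts.deny in /etc); the post calls the allow list “allow-hosts”, while DenyHosts itself names the file “allowed-hosts”, so the path is a variable.

```shell
#!/bin/sh
# whitelist_denyhosts.sh: add one IPv4 address to the DenyHosts allow list and
# drop any block entry for it from hosts.deny, then restart denyhosts.
# Assumed paths (Debian 4/5 as in the post): WORK_DIR is /var/lib/denyhosts
# and the TCP wrappers file is /etc/hosts.deny. The post calls the allow list
# "allow-hosts"; DenyHosts itself names it "allowed-hosts". Override as needed.
DENYHOSTS_WORKDIR="${DENYHOSTS_WORKDIR:-/var/lib/denyhosts}"
ALLOW_FILE="${ALLOW_FILE:-$DENYHOSTS_WORKDIR/allowed-hosts}"
DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"

# Succeed only if $1 is a dotted quad with every octet in the range 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Append $1 to the allow file $2 unless that exact line is already present.
add_to_allow() {
    touch "$2"
    grep -qxF "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# Delete DenyHosts lines for $1 (e.g. "sshd: 203.0.113.10") from file $2.
# The address must be delimited, so 203.0.113.10 does not match 203.0.113.100.
remove_from_deny() {
    [ -f "$2" ] || return 0
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    tmp="$2.tmp.$$"
    grep -Ev "(^|[[:space:]])$esc([[:space:]]|$)" "$2" > "$tmp" || true
    cat "$tmp" > "$2"      # rewrite in place to keep the file's owner and mode
    rm -f "$tmp"
}

# Validate, whitelist, and unblock one address; return 1 on a bad address.
whitelist_ip() {
    valid_ipv4 "$1" || { echo "not a valid IPv4 address: $1" >&2; return 1; }
    add_to_allow "$1" "$ALLOW_FILE"
    remove_from_deny "$1" "$DENY_FILE"
}

# Usage: sh whitelist_denyhosts.sh 203.0.113.10 (as root), then restart
# DenyHosts (e.g. /etc/init.d/denyhosts restart) so it rereads the allow list.
if [ $# -eq 1 ]; then
    whitelist_ip "$1"
fi
```

DenyHosts also records blocked addresses in its own data files under the work directory (hosts, hosts-restricted, hosts-root, hosts-valid, users-hosts); if an address reappears in hosts.deny after a restart, remove it from those files too.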


Georgian Attacks: Remember Estonia?

Posted in Counter Terror, Daily Rant, IT Security on August 14, 2008 by blackflag

Yet another update regarding the ongoing Georgian cyber attacks. For those who don’t realize the significance of this: some bot herders and do-it-yourself hacktivists have pretty much succeeded in taking most of Georgia’s government news outlets offline. Most of the gov.ge sites have now regrouped on the Blogspot platform, but some reside on other providers.

I have been following this very closely and working with others to get a better picture of what is happening. The results of those efforts are being updated over at the Shadowserver news wiki but I’ll repost it below for your convenience.

Here is the latest update:

Georgia and Estonia Have Something New in Common

Since last Friday (August 8, 2008) a large number of Georgian websites, both government and non-government alike, have come under attack. There has been a lot of speculation about whether or not foreign governments were involved in the attacks or if it is just the work of outraged citizens taking the action on their own. While no one could really say for sure who was behind the attacks, one thing was clear–the attacks were having a devastating impact on their targets. Even at this very moment, several Georgian websites are still unreachable.

We have been seeing constant distributed denial of service (DDoS) attacks against Georgian websites from various command and control (C&C) servers since last Friday. In fact, they are still ongoing. However, we have not observed any attacks against several of the different websites that are currently offline. While we of course do not have insight into all DDoS attacks, we were still surprised to see these sites offline and not have observed any traffic destined for them. We were not really sure why this was until today.

Additional Attack Information

Shadowserver has received reliable information that one of the Georgian government websites was being attacked by dozens of Russian computers from several different ISPs throughout the country covering both dialup and broadband users. The traffic destined for the website is overwhelming ICMP traffic. Did we dare say Russian? Yes we did, however, let’s be clear here: we were not pointing fingers and we are absolutely not implicating any government involvement (no reason to suspect this).

What does it mean though? Lots of Russian hosts and lots of ICMP traffic. Could this be a botnet that instructed all of its hosts to send an ICMP flood to the destination? Possibly. However, botnets are usually widely dispersed across several geographic locations. Why on earth would we see such an overwhelming number of Russian hosts?

Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.

The Grass Roots Effect

Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.

The following text is a redacted version of the script being posted:

@echo off
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
pause
newsgeorgia.ru
apsny.ge
nukri.org
opentext.org.ge
messenger.com.ge
president.gov.ge
government.gov.ge
parliament.ge
nsc.gov.ge
constcourt.gov.ge
supremecourt.ge
cec.gov.ge
nbg.gov.ge
nplg.gov.ge
police.ge
mod.gov.ge
mes.gov.ge
mfa.gov.ge
iberiapac.ge
mof.ge

We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.

Conclusion

It appears evident that the average user is now getting involved and helping to attack Georgian websites. We do not know the size of the attack, but with many most likely sympathetic and the message spreading from blog to blog and forum to forum, it might not slow any time soon. Whether it is through the use of a botnet or a personal machine, it is quite clear what kind of effect these attacks can have on an infrastructure that is unable to fend them off. We will continue to monitor the situation and report back any developments we observe.

Cross Posted at The Jawa Report.

Georgian Government Websites Under Cyber Attack

Posted in Daily Rant, IT Security on August 12, 2008 by blackflag

The Georgian Republic’s Parliament website has been defaced as well:
parliament.ge now shows:

Defaced Georgian Parliament Website

Original post continues below:

Some of the Internet resources of the Georgian government have been the targets of fairly steady DDoS attacks since early July of 2008. The website of the President of Georgia has been hit fairly heavily over the last few days and is currently going offline at random as it is overwhelmed by the attack (it was up this morning but has been down for several hours now).

The Threat Expert Blog had an article about similar attacks on president.gov.ge back on 20 July 2008. In that article they credited Steven Adair for the information regarding the botnet involved in the attack; likewise, Steven gets credit for bringing the ongoing attacks to my attention this morning. Steven’s latest post on this issue can be found at the Shadowserver website later today; I’ll update the link as that info becomes available.

True to form, there appears to have been a cooperative effort between the cyber attacks and the military attacks on the ground in Georgia. Whether the attacks are the work of the Russian government or of those sympathetic to its cause remains to be seen. Estonia recently suffered a similar fate, minus the physical invasion forces.

Here’s a sample of what we’re seeing regarding the attacks on Georgian resources, on and off, since mid July (source IPs removed):

2008-07-20 15:15:14 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 15:15:12 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 15:15:08 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 14:14:23 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 14:14:20 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 14:14:17 62.168.168.9 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 13:13:33 62.168.168.9 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 13:13:32 62.168.168.9 president.gov.ge flood tcp http://www.president.gov.ge

The RBNExploit blog claims that Internet routing for the Georgian Internet resources may have been under attack in an effort to stop proper routing to those services. The RBNExploit Blog claims the Russian Business Network is involved. I can’t verify that claim, but if you don’t know what the RBN is you need to go find out. RBN is responsible for quite a bit of the nastiness on the Internet as far as cyber crime and fraud goes.

Additionally, the Georgian Office of Foreign Ministry was also defaced with images likening the Georgian President to Hitler; details are available at Interfax.

This article was cross posted at The Jawa Report.

e-Gold Pleads Guilty To Money Laundering

Posted in IT Security on July 23, 2008 by blackflag

The Internet currency firm e-Gold and three of its owners have pleaded guilty to money laundering. e-Gold is similar to PayPal but in my experience is a bit shadier in its operations. It is known to be a destination for “carders” and most everyone who needs to move money around on the sly. I’m not surprised that it is used by a criminal element, but I am surprised that the owners of the company were involved to this degree (and that the Dept. of Justice was able to make a case stick).

Why is this important, you ask? Because when crackers and organized crime steal credit card information through viruses and malware, they need a place to turn that credit into cash; e-Gold is one of many such places that are abused to make this happen. The 40 million accounts stolen in the Card Systems Hack and the 45 million accounts stolen in the TJX Hack are symbolic of the criminal element’s appetite for credit card information online.

FinCEN and the United States Secret Service are just a couple of the many organizations that monitor and track electronic fraud in the United States. Even with the assistance of non-governmental organizations, both corporate and non-profit like Shadowserver, I still believe the problem is far from being under control. Identity theft (and eFraud) has been continually on the rise; there were an estimated 15 million victims in 2006, an average of one new victim every two seconds.

It has also been proven that terrorist organizations are using malware, carding and online money laundering to procure funds for battlefield supplies, travel expenses and general funds. Younis Tsouli and his mates are the primary example of using this activity for terrorism financing to date.

The standard for this sort of thing is that the card data gets stolen, mostly “cashed out” (the available funds removed), and then the accounts start trickling into the more common (and easily found) carding channels on the assorted IRC networks. Still not convinced? Go on over to SearchIRC or any other IRC server search engine and search for words like “cashout”, “visa” or anything else to do with credit cards, and prepare to be amazed at the blatant fraud.

(Disclaimer: the information above is for educational purposes only, if you go screwing around on IRC in the assorted carder channels you can and will get pwned, you have been warned.)

Cross posted at The Jawa Report.

So who says I don’t have a sense of humor?

Posted in Daily Rant, IT Security on November 6, 2007 by blackflag

So yesterday someone found my blog while searching the Internet for the term “toe tag”. Evidently their Google search brought them to the post from June of 2006 “Abu Musab al-Zarqawi Takes the Dirt Nap” that I put up when al-Zarqawi was killed by U.S. and Coalition Special forces.

I also noticed a seemingly odd inbound link and decided to go check it out. What I found was a web page called “book review” located on a Rutgers University web server. It seems benign enough but I recognized the photo about halfway down the page in the “Patients and Families Narratives” section. The image is an altered version of the toe tag pic on my post with the text “</John Doe> pwn3d by l337 h4x0r5” and a link back to my blog.

The image is in a pop-up Java field, and all I can figure is that someone searched for an image specifically for embedding in that field after cracking it. They even left a credit to my blog for the image file… I’ve got to admit it’s nice and subtle, much slicker than the average “replace the index.html” defacement. I wonder if they knew I’d find the link; I bet so. Nothing like a hacker with a sense of humor.

I know, it’s nothing special but I got a laugh out of it anyway.

toe-tag-h4x

The “Dark Web” Counter Terrorism Project

Posted in Counter Terror, Daily Rant, IT Security, Jihad Denied on October 23, 2007 by blackflag

Now that I’ve slacked off for a few weeks and indulged myself in teasing our terroristic friend Samir Khan, it’s time to get back to some serious work. I’d like to direct your attention to a Counter Terrorism project of truly epic proportions, that being the “Dark Web” Counter Terrorism research project underway at the Artificial Intelligence Lab, University of Arizona. After reading about this project at Dancho Danchev’s blog I’ve been spending quite a bit of research time over at the AI project site studying their methodology.

The stated research goals of this project are as follows:

The AI Lab Dark Web project is a long-term scientific research program that aims to study and understand the international terrorism (Jihadist) phenomena via a computational, data-centric approach. We aim to collect “ALL” web content generated by international terrorist groups, including web sites, forums, chat rooms, blogs, social networking sites, videos, virtual world, etc.

We have developed various multilingual data mining, text mining, and web mining techniques to perform link analysis, content analysis, web metrics (technical sophistication) analysis, sentiment analysis, authorship analysis, and video analysis in our research.

The approaches and methods developed in this project contribute to advancing the field of Intelligence and Security Informatics (ISI). Such advances will help related stakeholders to perform terrorism research and facilitate international security and peace.

It is our belief that we (US and allies) are facing the dire danger of losing the “The War on Terror” in cyberspace (especially when many young people are being recruited, incited, infected, and radicalized on the web) and we would like to help in our small (computational) way.

Now then, at first glance that doesn’t seem all that impressive, so let’s dig a little deeper. The Dark Web project is not your typical “vigilante” (thanks Mr. Moss) homegrown cyber-terrorism research effort; it is a well funded, long term, counter terrorism project receiving grants from the Department of Homeland Security, the National Science Foundation and others. In short, the project uses web crawlers to gather information from a (large) list of target sites and forums. This data is then indexed and data mined for actionable information. I once considered a similar method of data acquisition but dismissed it for more targeted methods after considering the amount of computational resources it would take. The Dark Web project has been indexing sites for about five years and has the following to show for its efforts.

Claims: Dr. Gabriel Weimann of the University of Haifa has estimated that there are about 5,000 terrorist web sites as of 2006. Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe). We have found significant terrorism content in more than 15 languages.

Testbed: We collect (using computer programs) various web contents every 2 to 3 months; we started spidering in 2002. Currently we only collect the complete contents of about 1,000 sites, in Arabic, Spanish, and English languages. We also have partial contents of about another 10,000 sites. In total, our collection is about 2 TBs in size, with close to 500,000,000 pages/files/postings from more than 10,000 sites.

We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world. (We have no way of knowing what the intelligence, justice, and defense agencies are doing.) Researchers can have graded access to our collection by contacting our research center.

Now, that is impressive. Additionally, the Dark Web researchers perform Social Network Analysis on the data gathered to determine the relationships of online content authors. It is important to realize that these researchers are mathematicians, not counter terrorism agents; they are applying science to the issue of online terrorism in an attempt to understand the phenomenon.

They describe themselves thusly:

A Few Words about Civil Liberties and Human Rights: The Dark Web project is NOT like Total Information Awareness (TIA) (at least we try very hard not to be like it). This is not a secretive government project conducted by spooks. We perform scientific, longitudinal hypothesis-guided terrorism research like other terrorism researchers (who have done such research for 30+ years). However we are clearly more computationally-oriented; unlike other traditional terrorism research that relies on sociology, communications, and policy based methodologies. Our contents are open source in nature (similar to Google’s contents) and our major research targets are international, Jihadist groups, not regular citizens. Our researchers are primarily computer and information scientists from all over the world. We develop computer algorithms, tools, and systems. Our research goal is to study and understand the international extremism and terrorism phenomena. Some people may refer to this as understanding the “root cause of terrorism.”

There is much much more in depth information at the Dark Web Project site, pay special attention to the Journal Articles, Conference Papers and Presentations links at the bottom of the page and you should stay busy for quite some time.

In closing I’ll quote the following:

As an NSF-funded research project, our research team has generated significant findings and publications in major computer science and information systems journals and conferences. However, we have taken great care not to reveal sensitive group information or technical implementation details (specifics). We hope our research will help educate the next generation of cyber/Internet savvy analysts and agents in the intelligence, justice, and defense communities.

It does indeed.

Updated: e-Jihadi: Irhabi007 (Younis Tsouli)

Posted in Counter Terror, Daily Rant, IT Security, Jihad Denied on July 7, 2007 by blackflag

I have covered Al-Qaeda e-Jihadi “Irhabi007” here in the past. He is currently in custody and is awaiting trial; Aaron at Internet Haganah located a picture of our glorious “electronic mujahadeen”. Here’s to hoping he gets a nice long prison sentence.

Let’s savor the moment, shall we.

Irhabi007

Update via the Washington Post:

The third and perhaps most well-known member of the group, Moroccan-born Younes Tsouli, 23, grew adept at setting up sites to host massive video files and other propaganda. Investigators said he eventually became the de facto administrator of the online jihadist forum Muntada al-Ansar al-Islami, at one time the main Internet public relations mouthpiece of Abu Musab al-Zarqawi, Al Qaeda’s former leader in Iraq.

The trio maintained their innocence throughout most of their trial over the past few months. This past week, however, all three changed their pleas to guilty. The men were sentenced Thursday to prison terms ranging from six-and-one-half to ten years.

“These three men, by their own admission, were encouraging others to become terrorists and murder innocent people,” said Peter Clarke, head of Scotland Yard’s Counter Terrorism Command. “This is the first successful prosecution for inciting murder using the Internet, showing yet again that terrorist networks are spanning the globe.”

According to documents obtained by washingtonpost.com, the three men used stolen credit card numbers to make purchases at hundreds of online stores, armed with shopping lists of items that fellow jihadists might need in the field. Authorities also say the men laundered funds from stolen credit card accounts through more than a dozen online gambling Web sites.

The precedent is being set.