How To Outrun A Lion?

You don't have to outrun a lion - it's enough you outrun the guy running next to you.

Funny enough, the same stands for securing your IT infrastructure - if you are in the "low hanging fruit" category, you get owned for sure - possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most of the attackers will give up on you and move on to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.

What's that smell?

It's the smell of FAIL, my friend...

Just recently I was helping two of my friends and doing some forensics on their servers (or rather on what was left of them) after they noticed something strange was going on. Long story short, the key part is that the attackers owned those boxes for months before they were discovered. They got in via the path of least resistance - badly written PHP web apps (there are so many of them!), dropped c99 or a similar shell and owned the box to their liking.

In general, we suck really bad if it takes us months to detect such hacks.

Here come the benefits of scale

Wherever and whenever I look at shared hosting providers, dedicated servers and the like, their default configuration is wide open. As long as the box is on-line and Nagios doesn't report issues, nobody is actually checking what's going on on that box. Basically operators don't care - they provide functionality and they charge you for it. Oh yes, that's exactly what they do - charge you first and then provide a ton of stuff you don't need and don't use - unless you are an attacker, that is :-)

Building cheap console server

This time from the department of almost wasted time...

We all know that serial ports come in very handy when you need to (re)configure something like a switch/server/firewall or similar device. In theory you can do that over TCP/IP nowadays, with one catch - you need to have connectivity. All would be fine if not for the fact that those very switches/firewalls you want to reconfigure are what actually provides the connectivity you need :-)

The Idea

Now... why spend hundreds of pounds/dollars on off-the-shelf kit? Sure, it's cool, properly built and works unless you mess it up, but where's the fun part?! Today I needed a very, very quick and cheap solution, so:

  1. SheevaPlug - £114.00
  2. 13-port USB hub - £19.99
  3. USB-serial dongles (pl2303) - £14.99 each

This way I have a fully networked console server with 4 ports for just under £200 - acceptable, especially when the whole thing is running off DHCP and calls home via OpenVPN - very easy to deploy!

Tricky bits

A stock SheevaPlug has one USB host port and the hub has 13 of them - I want to send it off to a remote location and have somebody plug it in without messing up what's where. The trick is to write appropriate udev rules to detect the adapters and give them ttyUSBn names according to the physical port on the hub.

[image: 13x-usb-hub.jpg]

All would be fine and easy if it worked as documented - sadly it doesn't. The first problem was that ATTRS{devpath} (as returned by `udevadm info --attribute-walk -n /dev/ttyUSBn`, which lets you distinguish USB ports) was used in the rule in my tests but wasn't propagated properly on any of my Debian or Ubuntu boxes. Then I tried to match KERNELS for parent devices - nope... if you go too far up the tree it doesn't see s**t :-/
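One way to get from a ttyUSB device to the hub port it is plugged into without walking far up the tree is to read the port chain straight out of the device's sysfs path (what udev hands a PROGRAM helper in $DEVPATH) and match the USB interface by KERNELS. This is an added example, not the post's own rules; the sysfs path below is constructed and the "bus-port.port:config.iface" naming is the standard Linux layout the script assumes.

```shell
#!/bin/sh
# Added example (not from the original post): map a ttyUSB device to the
# physical port of the USB hub it hangs off and emit a udev rule for it.
# Assumes the standard Linux sysfs naming "bus-port.port:config.iface".

# Print the USB port chain of the interface that owns a ttyUSB device.
# Input: a sysfs DEVPATH as udev passes it in $DEVPATH, e.g. (constructed)
#   /devices/platform/orion-ehci.0/usb1/1-1/1-1.3/1-1.3:1.0/ttyUSB0/tty/ttyUSB0
# Output: 1-1.3
usb_port_path() {
    printf '%s\n' "$1" |
        sed -n 's#.*/\([0-9][0-9.-]*\):[0-9]*\.[0-9]*/ttyUSB[0-9]*.*#\1#p'
}

# Given the hub's own port chain (e.g. 1-1) and a device's chain (e.g. 1-1.3),
# print the hub port number (3). A cascaded hub shows up as a nested chain
# such as 1-1.4.3, in which case "4.3" is printed. Prints nothing if the
# device is not behind that hub at all.
hub_port_number() {
    case "$2" in
        "$1".*) printf '%s\n' "${2#"$1".}" ;;
    esac
}

# Print a udev rule that gives the adapter on hub port N a stable symlink
# (/dev/console/portN), matching the USB interface itself by KERNELS.
udev_rule_for() {   # $1 = hub port chain, $2 = hub port number
    printf 'SUBSYSTEM=="tty", KERNELS=="%s.%s:1.0", SYMLINK+="console/port%s"\n' \
        "$1" "$2" "$2"
}

# Generate rules for every port of a hub, e.g. udev_rules_for_hub 1-1 13,
# ready to drop into /etc/udev/rules.d/.
udev_rules_for_hub() {
    i=1
    while [ "$i" -le "$2" ]; do
        udev_rule_for "$1" "$i"
        i=$((i + 1))
    done
}
```

Run `udevadm info -q path -n /dev/ttyUSB0` on the box to get the real DEVPATH for the first function; the hub's own chain is the common prefix of all the adapters' chains.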

Making new friends with kippo

Less than two weeks ago I sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I had never done before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people that replied to my tweet I've learned a lot and found some great software. Now it's time to give something back to the community.

Kippo - simply amazing

The first honeypot I reached for was kippo. It is a medium interaction SSH honeypot designed to log brute force attacks and log the whole session as it goes - including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me - playing back those sessions is totally amazing! Some samples are available on the project's page.

There are also other features to like, such as trapping sessions and not disconnecting them even if the bad guys do log out, logging the SSH client used (very easy to tell scanning bots apart from real people), quite nice interaction and, most of all, an easy way to extend your honeypot with your own commands.

Coder vs Security - friend or foe?

Certainly 140 characters is not enough to express all the thoughts around the recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves a Pwnie Awards nomination), although some people had a good go at Daniel Kerr.

[image: twitroll-ocart-fail.png]

Above is just a selection of the comments that you can find on Twitter, and in all of this negative karma there is something good going on. This incident got quite a lot of people to write some really good posts about it. Some of my favorite posts are Humble Helps and Psychology of "Secure Code" - definitely worth reading.

Although I'm not an expert in either coding or security (though I have done quite a lot of both), I think there is also a bit more to it.

RTFM - there's an app for that

What can be better to do on the tube than to kill some time reading manuals or books? Of course in IT quite a lot of that stuff comes as PDFs or other non-paper formats, so a good eBook reader, or an app for whatever terminal you have, is an advantage.

During one of the DC4420 meetings one of the guys gave a very good recommendation for an iPhone app that copes very well with PDFs and some other formats. The app is called Good Reader and I have to say, it's really good (for what I need it to do).

Usually the problem is how to deliver the files of interest to the reader. You want to be able to read when off-line and have flexibility in delivery methods, of course. Here is the thing that sold me on Good Reader - you can upload the files over wifi directly to the iPhone, using nothing more than a web browser. Yes - the app functions as a web server to do it! Just to make sure it doesn't turn your phone into a public web server, you have to confirm that you want to allow the given IP to connect, and you get that question every time you turn the wifi upload option on.

[images: 01-wifi-ready.jpg, 02-conn_request.jpg]

This weblog is licensed under a Creative Commons License.